package io.confluent.controlcenter.rest;

import com.google.common.eventbus.Subscribe;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import io.confluent.controlcenter.ControlCenterConfig;
import io.confluent.controlcenter.data.PermissionsService;
import io.confluent.controlcenter.kafka.ClusterChangeEvent;
import io.confluent.controlcenter.util.ConfigUtils;
import io.confluent.controlcenter.util.PrincipalUtils;
import io.confluent.controlcenter.util.ScopeUtils;
import io.confluent.kafkarest.KafkaRestApplication;
import io.confluent.kafkarest.KafkaRestConfig;
import io.confluent.kafkarest.KafkaRestResourceExtension;
import io.confluent.rest.Application;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import java.io.IOException;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import javax.inject.Provider;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.Configurable;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.annotation.InterfaceStability;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;

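/**
 * Aggregates one embedded Kafka REST application per Kafka cluster behind two shared Jetty
 * handler collections (HTTP and WebSocket).
 *
 * <p>A new {@link EmbeddedKafkaRestApplication} is built for every {@link ClusterChangeEvent}
 * and mounted under {@code <ui-basepath>api/kafka-rest/<clusterId>/kafka}. Each embedded
 * application installs the read-only-roles filter, the response-header filter and
 * {@link ClusterAccessFilter}, plus a constraint security handler built from
 * {@link RestSecuritySetup}.
 */
@Singleton
@InterfaceStability.Evolving
public class KafkaRestApplications extends Application<RestConfig> implements ApplicationBase {
    private final ControlCenterConfig controlCenterConfig;
    private final RestSecuritySetup restSecuritySetup;
    private final CustomHeaderFilter responseHeaderFilter;
    private final ReadOnlyRolesFilter readOnlyRolesFilter;
    private final ControlCenterKafkaRestModule controlCenterKafkaRestModule;
    private final PermissionsService permissionsService;
    private final RestConfig restConfig;
    // Assigned once in the constructor; handlers are added to them as clusters are registered.
    private final HandlerCollection handlers;
    private final HandlerCollection wsHandlers;

    /**
     * Servlet filter that rejects requests for a Kafka cluster the caller is not allowed to see.
     *
     * <p>The cluster id is read positionally from the request's path info and checked with
     * {@link PermissionsService#isVisible}. Any request whose path does not carry a cluster id
     * at that position is rejected instead of being passed down the chain.
     */
    public static final class ClusterAccessFilter implements Filter {
        /** Index of the cluster-id segment after splitting the path info on {@code "/"}. */
        private static final int CLUSTER_ID_SEGMENT = 3;

        private final PermissionsService permissionsService;

        // Not read anywhere in this class. NOTE(review): the filter is created with `new` in
        // configurePreResourceHandling, so it is unclear whether this is ever injected.
        @Context
        Provider<SecurityContext> securityContext;

        public ClusterAccessFilter(PermissionsService permissionsService) {
            this.permissionsService = permissionsService;
        }

        @Override // javax.servlet.Filter
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        /**
         * Lets the request through only when the caller may view the cluster named in the path.
         *
         * @throws ForbiddenException when the path carries no cluster id or the caller lacks
         *     view access to that cluster
         */
        @Override // javax.servlet.Filter
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            String clusterId = clusterIdFrom(request.getPathInfo());
            // Fail closed: a path without a cluster id is denied with the same message as a
            // failed permission check rather than surfacing as a NullPointerException or
            // ArrayIndexOutOfBoundsException.
            // NOTE(review): the principal may be null for an unauthenticated request; confirm
            // that isVisible denies in that case.
            // NOTE(review): authorization uses the id taken from the path; confirm the
            // downstream resource resolves the cluster from the same segment.
            if (clusterId == null || !this.permissionsService.isVisible(PrincipalUtils.jwtPrincipalOrNull(request.getUserPrincipal()), ScopeUtils.buildKafkaScope(clusterId))) {
                throw new ForbiddenException("must have cluster view access");
            }
            filterChain.doFilter(servletRequest, servletResponse);
        }

        /** Returns the cluster-id path segment, or {@code null} when it is absent or empty. */
        private static String clusterIdFrom(String pathInfo) {
            if (pathInfo == null) {
                return null;
            }
            String[] segments = pathInfo.split("/");
            if (segments.length <= CLUSTER_ID_SEGMENT) {
                return null;
            }
            String clusterId = segments[CLUSTER_ID_SEGMENT];
            return clusterId.isEmpty() ? null : clusterId;
        }

        @Override // javax.servlet.Filter
        public void destroy() {
        }
    }

    /**
     * Kafka REST application for a single cluster, wired with Control Center's filters,
     * session timeout and security handler.
     */
    final class EmbeddedKafkaRestApplication extends KafkaRestApplication implements ApplicationBase {
        /**
         * @param kafkaRestConfig configuration for this cluster's REST application
         * @param basePath UI base path the application path is appended to
         * @param clusterId id of the cluster, embedded in the application path
         */
        public EmbeddedKafkaRestApplication(KafkaRestConfig kafkaRestConfig, String basePath, String clusterId) {
            // Plain concatenation: the configured base path must not be interpreted as a
            // format string, otherwise a '%' in it would break or alter the path.
            super(kafkaRestConfig, basePath + "api/kafka-rest/" + clusterId + "/kafka");
        }

        /** Registers the stock Kafka REST resources, then Control Center's own module. */
        @Override // io.confluent.kafkarest.KafkaRestApplication
        public void setupResources(Configurable<?> configurable, KafkaRestConfig kafkaRestConfig) {
            super.setupResources(configurable, kafkaRestConfig);
            configurable.register(KafkaRestApplications.this.controlCenterKafkaRestModule);
        }

        /**
         * Installs the request filters on every path, in this order: read-only roles,
         * response headers, cluster access.
         */
        @Override // io.confluent.kafkarest.KafkaRestApplication, io.confluent.rest.Application
        public void configurePreResourceHandling(ServletContextHandler servletContextHandler) {
            super.configurePreResourceHandling(servletContextHandler);
            servletContextHandler.addFilter(new FilterHolder(KafkaRestApplications.this.readOnlyRolesFilter), "/*", (EnumSet<DispatcherType>) null);
            servletContextHandler.addFilter(new FilterHolder(KafkaRestApplications.this.responseHeaderFilter), "/*", (EnumSet<DispatcherType>) null);
            servletContextHandler.addFilter(new FilterHolder(new ClusterAccessFilter(KafkaRestApplications.this.permissionsService)), "/*", (EnumSet<DispatcherType>) null);
        }

        /**
         * Applies the configured session inactivity timeout (when positive) and installs the
         * error handler.
         */
        @Override // io.confluent.kafkarest.KafkaRestApplication, io.confluent.rest.Application
        public void configurePostResourceHandling(ServletContextHandler servletContextHandler) {
            long expirationMs = KafkaRestApplications.this.controlCenterConfig.getLong(ControlCenterConfig.CONTROL_CENTER_AUTH_SESSION_EXPIRATION_MS).longValue();
            if (expirationMs > 0) {
                // The setting is in milliseconds while the session handler takes seconds.
                // Round sub-second values up to one second (a non-positive interval means
                // "never expire" under the servlet session contract) and clamp to the int
                // range so the narrowing cast cannot wrap to a negative value.
                long expirationSeconds = Math.max(1L, TimeUnit.MILLISECONDS.toSeconds(expirationMs));
                servletContextHandler.getSessionHandler().setMaxInactiveInterval((int) Math.min(expirationSeconds, Integer.MAX_VALUE));
            }
            configureErrorHandler(servletContextHandler);
        }

        /**
         * Builds the constraint security handler from {@link RestSecuritySetup}.
         *
         * <p>The catch-all secured constraint is added only when a realm is configured; with
         * no realm, only the unsecured constraints from the REST config are mapped.
         */
        @Override // io.confluent.rest.Application
        public void configureSecurityHandler(ServletContextHandler servletContextHandler) {
            super.configureSecurityHandler(servletContextHandler);
            RestSecuritySetup securitySetup = KafkaRestApplications.this.restSecuritySetup;
            ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
            if (securitySetup.getRealm() != null) {
                constraintSecurityHandler.addConstraintMapping(AuthUtil.createSecuredConstraint(KafkaRestApplications.this.restConfig, "/*"));
            }
            constraintSecurityHandler.setRealmName(securitySetup.getRealm());
            constraintSecurityHandler.setAuthenticator(securitySetup.getAuthenticator());
            constraintSecurityHandler.setLoginService(securitySetup.getLoginService());
            constraintSecurityHandler.setIdentityService(securitySetup.getIdentityService());
            List<ConstraintMapping> unsecuredConstraints = AuthUtil.createUnsecuredConstraints(KafkaRestApplications.this.restConfig);
            unsecuredConstraints.forEach(constraintSecurityHandler::addConstraintMapping);
            servletContextHandler.setSecurityHandler(constraintSecurityHandler);
        }
    }

    @Inject
    public KafkaRestApplications(RestConfig restConfig, ControlCenterConfig controlCenterConfig, CustomHeaderFilter customHeaderFilter, ReadOnlyRolesFilter readOnlyRolesFilter, RestSecuritySetup restSecuritySetup, ControlCenterKafkaRestModule controlCenterKafkaRestModule, PermissionsService permissionsService) {
        super(restConfig);
        this.handlers = new HandlerCollection(true, new Handler[0]);
        this.wsHandlers = new HandlerCollection(true, new Handler[0]);
        this.restConfig = restConfig;
        this.controlCenterConfig = controlCenterConfig;
        this.responseHeaderFilter = customHeaderFilter;
        this.readOnlyRolesFilter = readOnlyRolesFilter;
        this.restSecuritySetup = restSecuritySetup;
        this.controlCenterKafkaRestModule = (ControlCenterKafkaRestModule) Objects.requireNonNull(controlCenterKafkaRestModule);
        this.permissionsService = permissionsService;
    }

    /**
     * Builds an embedded Kafka REST application for the cluster in the event and mounts its
     * HTTP and WebSocket handlers.
     *
     * @param clusterChangeEvent event carrying the cluster id and its configuration
     * @throws Exception if a handler cannot be configured or started
     */
    @Subscribe
    public void registerCluster(ClusterChangeEvent clusterChangeEvent) throws Exception {
        String clusterId = clusterChangeEvent.getClusterId();
        KafkaRestConfig kafkaRestConfig = getKafkaRestConfig(clusterChangeEvent.getConfig(), clusterId);
        String basePath = this.controlCenterConfig.getString(ControlCenterConfig.UI_BASEPATH);
        EmbeddedKafkaRestApplication embeddedKafkaRestApplication = new EmbeddedKafkaRestApplication(kafkaRestConfig, basePath, clusterId);
        addHandler(embeddedKafkaRestApplication.configureHandler(), this.handlers);
        addHandler(embeddedKafkaRestApplication.configureWebSocketHandler(), this.wsHandlers);
    }

    /** Adds the handler to the collection and starts it if the collection is already running. */
    private void addHandler(Handler handler, HandlerCollection handlerCollection) throws Exception {
        handlerCollection.addHandler(handler);
        if (handlerCollection.isStarted()) {
            handler.start();
        }
    }

    /**
     * Converts a cluster's configuration map into a {@link KafkaRestConfig}.
     *
     * <p>List values are flattened with {@code ConfigUtils.toString}; every other value uses
     * its own {@code toString()}. The resource-extension class and the WebSocket path prefix
     * are written after the copy, so entries in the cluster configuration cannot override them.
     *
     * @param clusterConfig configuration entries of the cluster
     * @param clusterId id of the cluster, used in the WebSocket path prefix
     */
    KafkaRestConfig getKafkaRestConfig(Map<String, Object> clusterConfig, String clusterId) {
        Properties properties = new Properties();
        for (Map.Entry<String, Object> entry : clusterConfig.entrySet()) {
            Object value = entry.getValue();
            properties.put(entry.getKey(), value instanceof List ? ConfigUtils.toString((List) value) : value.toString());
        }
        properties.put(KafkaRestConfig.KAFKA_REST_RESOURCE_EXTENSION_CONFIG, KafkaRestResourceExtension.class.getName());
        properties.put(RestConfig.WEBSOCKET_PATH_PREFIX_CONFIG, String.format("/api/kafka-rest-ws/%s", clusterId));
        return new KafkaRestConfig(properties);
    }

    /** Returns the shared collection holding every registered cluster's HTTP handler. */
    @Override // io.confluent.rest.Application
    public Handler configureHandler() {
        return this.handlers;
    }

    /** Returns the shared collection holding every registered cluster's WebSocket handler. */
    @Override // io.confluent.rest.Application
    public Handler configureWebSocketHandler() {
        return this.wsHandlers;
    }

    /** No resources of its own: each embedded application registers its resources itself. */
    @Override // io.confluent.rest.Application
    public void setupResources(Configurable<?> configurable, RestConfig restConfig) {
    }
}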
