package io.confluent.kafka.schemaregistry.security;

import io.confluent.common.security.auth.AuthenticationCleanupFilter;
import io.confluent.common.security.auth.AuthenticationFilter;
import io.confluent.common.security.license.LicenseValidatorFilter;
import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException;
import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.rest.extensions.SchemaRegistryResourceExtension;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.filter.AuthorizationFilter;
import io.confluent.kafka.schemaregistry.security.permissions.PermissionsResource;
import io.confluent.kafka.schemaregistry.security.permissions.ScopeResource;
import io.confluent.kafka.schemaregistry.storage.KafkaStore;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.rest.RestConfigException;
import io.confluent.security.authorizer.Scope;
import java.util.Optional;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.ws.rs.core.Configurable;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/SchemaRegistrySecurityResourceExtension.class */
public class SchemaRegistrySecurityResourceExtension implements SchemaRegistryResourceExtension {
    public static final String SCHEMA_REGISTRY_CLUSTER_TYPE = "schema-registry-cluster";
    private static final long CLUSTER_ID_TIMEOUT_MS = 10000;
    private AuthorizationFilter authorizationFilter;

    public void register(Configurable<?> configurable, SchemaRegistryConfig schemaRegistryConfig, SchemaRegistry schemaRegistry) throws SchemaRegistryException {
        try {
            try {
                registerResources(configurable, new SecureSchemaRegistryConfig(schemaRegistryConfig.originalProperties()), schemaRegistry, determineScope(schemaRegistry));
            } catch (AuthorizerException e) {
                throw new SchemaRegistryException("Failed to determine RBAC scope", e);
            }
        } catch (RestConfigException e2) {
            throw new SchemaRegistryException(e2);
        }
    }

    public void close() {
        this.authorizationFilter.shutdown();
    }

    void registerResources(Configurable<?> configurable, SecureSchemaRegistryConfig secureSchemaRegistryConfig, SchemaRegistry schemaRegistry, Scope scope) {
        String string = secureSchemaRegistryConfig.getString(SecureSchemaRegistryConfig.CONFLUENT_AUTH_MECHANISM_CONFIG);
        String string2 = secureSchemaRegistryConfig.getString(SecureSchemaRegistryConfig.CONFLUENT_SSL_PRINCIPAL_MAPPING_RULES_CONFIG);
        Optional empty = Optional.empty();
        if (string2 != null) {
            empty = Optional.of(SslPrincipalMapper.fromRules(string2));
        }
        configurable.register(AuthenticationCleanupFilter.class);
        configurable.register2(new AuthenticationFilter(string, empty, secureSchemaRegistryConfig.getBoolean(SecureSchemaRegistryConfig.CONFLUENT_ANONYMOUS_PRINCIPAL_CONFIG).booleanValue()));
        this.authorizationFilter = new AuthorizationFilter(secureSchemaRegistryConfig, schemaRegistry);
        configurable.register2(this.authorizationFilter);
        configurable.register2(new LicenseValidatorFilter(secureSchemaRegistryConfig.licenseTopic(), secureSchemaRegistryConfig.licenseProducerConfigs(), secureSchemaRegistryConfig.licenseConsumerConfigs(), secureSchemaRegistryConfig.licenseAdminConfigs(), secureSchemaRegistryConfig.licenseString()));
        configurable.register2(new PermissionsResource(scope, schemaRegistry, this.authorizationFilter.authorizer()));
        configurable.register2(new ScopeResource(scope));
    }

    public static Scope determineScope(SchemaRegistry schemaRegistry) throws AuthorizerException {
        SchemaRegistryConfig config = schemaRegistry.config();
        Properties properties = new Properties();
        KafkaStore.addSchemaRegistryConfigsToClientProperties(config, properties);
        properties.put("bootstrap.servers", config.bootstrapBrokers());
        try {
            AdminClient create = AdminClient.create(properties);
            Throwable th = null;
            try {
                try {
                    String str = create.describeCluster().clusterId().get(10000L, TimeUnit.MILLISECONDS);
                    if (create != null) {
                        if (0 != 0) {
                            try {
                                create.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            create.close();
                        }
                    }
                    return new Scope.Builder(new String[0]).withKafkaCluster(str).withCluster("schema-registry-cluster", config.getString("schema.registry.group.id")).build();
                } finally {
                }
            } finally {
            }
        } catch (InterruptedException | ExecutionException | TimeoutException e) {
            throw new AuthorizerException("Failed to determine Kafka cluster ID", e);
        }
    }
}
