package io.confluent.kafkarest.auth;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.kafka.server.plugins.auth.MultiTenantSaslConfigEntry;
import io.confluent.kafka.server.plugins.auth.MultiTenantSaslSecrets;
import io.confluent.kafka.server.plugins.auth.MultiTenantSaslSecretsStore;
import io.confluent.kafkarest.CeKafkaRestConfig;
import io.confluent.kafkarest.KafkaRestConfig;
import io.confluent.kafkarest.auth.AuthorizationHeader;
import io.confluent.rest.entities.ErrorMessage;
import java.io.IOException;
import java.net.URI;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.apache.kafka.common.network.SslTransportLayer;
import org.glassfish.jersey.server.ContainerRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(1000)
/* loaded from: input_file:io/confluent/kafkarest/auth/CloudExtensionsAuthFilter.class */
public final class CloudExtensionsAuthFilter implements ContainerRequestFilter {
    private static final String API_KEY_CLUSTER_MISMATCH_TMPL = "API key '%s' is not allowed to access provided cluster ID '%s'";
    public static final String REQUIRE_SECRETS_STORE_VALIDATION_CONFIG = "secrets.store.validation.required";
    public static final String VALIDATE_CLUSTER_ID_IN_URL_CONFIG = "validate.cluster.id.in.url";
    private final boolean requireSecretsStoreValidation;
    private final MultiTenantSaslSecretsStore secretsStore;
    private final boolean validateClusterIdInUrl;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CloudExtensionsAuthFilter.class);
    private static final Pattern CLUSTER_ID_PATTERN = Pattern.compile("^lkc-[a-z0-9]+");

    @Inject
    public CloudExtensionsAuthFilter(Provider<KafkaRestConfig> provider, Provider<MultiTenantSaslSecretsStore> provider2) {
        KafkaRestConfig kafkaRestConfig = (KafkaRestConfig) Objects.requireNonNull(provider.get());
        this.requireSecretsStoreValidation = CeKafkaRestConfig.getBooleanOrDefault(kafkaRestConfig, REQUIRE_SECRETS_STORE_VALIDATION_CONFIG, true);
        this.secretsStore = provider2.get();
        if (this.secretsStore == null && this.requireSecretsStoreValidation) {
            log.error("Credentials store not available; validation for API key credentials cannot be performed!");
        }
        this.validateClusterIdInUrl = CeKafkaRestConfig.getBooleanOrDefault(kafkaRestConfig, VALIDATE_CLUSTER_ID_IN_URL_CONFIG, false);
    }

    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        try {
            CloudPrincipal extractCredentials = extractCredentials((String) Objects.requireNonNull(containerRequestContext.getUriInfo().getPathParameters(true).getFirst("clusterId")), containerRequestContext);
            if (extractCredentials == null) {
                containerRequestContext.abortWith(errorResponseWithEntity(Response.Status.UNAUTHORIZED.getStatusCode(), "Authentication failed."));
                return;
            }
            if (this.validateClusterIdInUrl) {
                try {
                    Optional<String> extractClusterIdFromUriHost = extractClusterIdFromUriHost(containerRequestContext.getUriInfo().getBaseUri());
                    if (extractClusterIdFromUriHost.isPresent() && !extractCredentials.getClusterId().equals(extractClusterIdFromUriHost.get())) {
                        containerRequestContext.abortWith(errorResponseWithEntity(Response.Status.BAD_REQUEST.getStatusCode(), "Cluster id mismatched between host and path parameter"));
                        return;
                    }
                } catch (IllegalArgumentException e) {
                    log.debug("Could not extract cluster id from request URI", (Throwable) e);
                    containerRequestContext.abortWith(errorResponseWithEntity(Response.Status.BAD_REQUEST.getStatusCode(), "Invalid request url"));
                    return;
                }
            }
            Response validateCredentials = validateCredentials(extractCredentials);
            if (validateCredentials != null) {
                containerRequestContext.abortWith(validateCredentials);
            } else {
                setSecurityContext(extractCredentials, containerRequestContext);
            }
        } catch (Exception e2) {
            log.debug("Received exception while extracting cluster id from path params.", (Throwable) e2);
            containerRequestContext.abortWith(errorResponseWithEntity(Response.Status.BAD_REQUEST.getStatusCode(), "Malformed url, undefined cluster id in request path."));
        }
    }

    @VisibleForTesting
    static Optional<String> extractClusterIdFromUriHost(URI uri) throws IllegalArgumentException {
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("Host is null in request URI");
        }
        if (!host.startsWith(SslTransportLayer.LKC_PREFIX)) {
            return Optional.empty();
        }
        Matcher matcher = CLUSTER_ID_PATTERN.matcher(host);
        if (matcher.find()) {
            return Optional.of(matcher.group());
        }
        throw new IllegalArgumentException("Invalid cluster id in host: " + host);
    }

    private static Response errorResponseWithEntity(int i, String str) {
        return Response.status(i).entity(new ErrorMessage(i, str)).build();
    }

    private static CloudPrincipal extractCredentials(String str, ContainerRequestContext containerRequestContext) {
        try {
            return CloudPrincipal.create(str, AuthorizationHeader.parse(containerRequestContext.getHeaders().getFirst("Authorization")), containerRequestContext.getHeaders().getFirst("Confluent-Identity-Pool-Id") == null ? Optional.empty() : Optional.of(IdentityPoolIdHeader.parse(((ContainerRequest) containerRequestContext.getRequest()).getHeaderString("Confluent-Identity-Pool-Id"))));
        } catch (Exception e) {
            log.debug("Received exception while extracting credentials from request.", (Throwable) e);
            return null;
        }
    }

    private Response validateCredentials(CloudPrincipal cloudPrincipal) {
        if (!AuthorizationHeader.Scheme.BASIC.equals(cloudPrincipal.getScheme())) {
            log.debug("Validation for non-API key credentials will be handled as part of authentication.");
            return null;
        }
        if (this.secretsStore == null) {
            log.error("Credentials store not available; validation for API key credentials cannot be performed!");
            if (this.requireSecretsStoreValidation) {
                return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
            }
            return null;
        }
        MultiTenantSaslSecrets load = this.secretsStore.load();
        if (load == null) {
            log.error("Credential store still unavailable after server initialization!");
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
        String name = cloudPrincipal.getName();
        MultiTenantSaslConfigEntry multiTenantSaslConfigEntry = load.entries().get(name);
        if (multiTenantSaslConfigEntry == null) {
            return Response.status(Response.Status.UNAUTHORIZED.toEnum().getStatusCode(), "API-key based authentication failed.").build();
        }
        String clusterId = cloudPrincipal.getClusterId();
        String logicalClusterId = multiTenantSaslConfigEntry.logicalClusterId();
        if (clusterId != null && clusterId.equals(logicalClusterId)) {
            return null;
        }
        String format = String.format(API_KEY_CLUSTER_MISMATCH_TMPL, name, clusterId);
        log.debug(format);
        return Response.status(Response.Status.FORBIDDEN).entity(new ErrorMessage(Response.Status.FORBIDDEN.getStatusCode(), format)).build();
    }

    private static void setSecurityContext(CloudPrincipal cloudPrincipal, ContainerRequestContext containerRequestContext) {
        containerRequestContext.setSecurityContext(new CloudSecurityContext(cloudPrincipal, containerRequestContext.getUriInfo().getRequestUri().toString().startsWith("https")));
    }
}
