package io.confluent.connect.secretregistry;

import io.confluent.connect.secretregistry.rbac.SecretRegistryActions;
import io.confluent.connect.secretregistry.rbac.SecretRegistryOperations;
import io.confluent.connect.security.util.ConnectRestUtils;
import io.confluent.kafka.secretregistry.rest.resources.PathResource;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import java.util.stream.Stream;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.connect.errors.ConnectException;
import org.apache.kafka.connect.health.ConnectClusterState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/connect/secretregistry/ConnectSecretRegistryFilter.class */
public class ConnectSecretRegistryFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ConnectSecretRegistryFilter.class);
    static final Method LIST_PATHS_METHOD;

    @Context
    private ResourceInfo resourceInfo;
    private final Scope scope;
    private final SecretRegistryActions actions;
    private final RestAuthorizer restAuthorizer;

    public ConnectSecretRegistryFilter(Scope scope, RestAuthorizer restAuthorizer, ConnectClusterState connectClusterState) {
        this(scope, SecretRegistryActions.build(scope, connectClusterState), restAuthorizer, null);
    }

    ConnectSecretRegistryFilter(Scope scope, SecretRegistryActions secretRegistryActions, RestAuthorizer restAuthorizer, ResourceInfo resourceInfo) {
        this.scope = scope;
        this.restAuthorizer = restAuthorizer;
        this.actions = secretRegistryActions;
        this.resourceInfo = resourceInfo;
    }

    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (this.restAuthorizer == null) {
            log.warn("Rest authorizer not active");
            return;
        }
        Method resourceMethod = this.resourceInfo.getResourceMethod();
        if (LIST_PATHS_METHOD.equals(resourceMethod)) {
            return;
        }
        List<Action> actions = this.actions.actions(resourceMethod, containerRequestContext);
        if (actions.isEmpty()) {
            return;
        }
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        if (userPrincipal == null) {
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(ConnectRestUtils.UNAUTHENTICATED_USER).build());
            return;
        }
        KafkaPrincipal kafkaPrincipalFor = kafkaPrincipalFor(userPrincipal);
        log.debug("Authorizing request for principal {}. Actions: {}", kafkaPrincipalFor, actions);
        Stream<AuthorizeResult> stream = this.restAuthorizer.authorize(kafkaPrincipalFor, null, actions).stream();
        AuthorizeResult authorizeResult = AuthorizeResult.ALLOWED;
        authorizeResult.getClass();
        if (stream.allMatch((v1) -> {
            return r1.equals(v1);
        })) {
            return;
        }
        containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).entity(ConnectRestUtils.UNAUTHORIZED_OPERATION).build());
    }

    @Override // javax.ws.rs.container.ContainerResponseFilter
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        if (this.restAuthorizer == null) {
            log.warn("Rest authorizer not active");
            return;
        }
        Method resourceMethod = this.resourceInfo.getResourceMethod();
        if (containerResponseContext.getStatus() == Response.Status.OK.getStatusCode() && LIST_PATHS_METHOD.equals(resourceMethod)) {
            Collection collection = (Collection) responseEntity(containerResponseContext);
            if (collection.isEmpty()) {
                return;
            }
            List<Action> list = (List) collection.stream().flatMap(str -> {
                return SecretRegistryOperations.ALL.stream().map(operation -> {
                    return new Action(this.scope, SecretRegistryActions.SECRET_RESOURCE, str, operation);
                });
            }).collect(Collectors.toList());
            containerResponseContext.setEntity((Collection) zip(this.restAuthorizer.authorize(kafkaPrincipalFor(containerRequestContext.getSecurityContext().getUserPrincipal()), null, list), list).filter(pair -> {
                return AuthorizeResult.ALLOWED.equals(pair.getLeft());
            }).map((v0) -> {
                return v0.getRight();
            }).map((v0) -> {
                return v0.resourceName();
            }).collect(Collectors.toSet()));
        }
    }

    private static <T> T responseEntity(ContainerResponseContext containerResponseContext) {
        return (T) containerResponseContext.getEntity();
    }

    public static KafkaPrincipal kafkaPrincipalFor(Principal principal) {
        Objects.requireNonNull(principal, "Principal may not be null");
        return new KafkaPrincipal("User", principal.getName());
    }

    public static <L, R> Stream<Pair<L, R>> zip(List<L> list, List<R> list2) {
        return IntStream.range(0, Math.min(list.size(), list2.size())).mapToObj(i -> {
            return Pair.of(list.get(i), list2.get(i));
        });
    }

    static {
        try {
            LIST_PATHS_METHOD = PathResource.class.getMethod("list", SecurityContext.class);
        } catch (NoSuchMethodException e) {
            throw new ConnectException("Failed to initialize Secret Registry RBAC filter", e);
        }
    }
}
