package io.confluent.ksql.api.server;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import io.confluent.ksql.api.auth.AuthenticationPlugin;
import io.confluent.ksql.api.auth.AuthenticationPluginHandler;
import io.confluent.ksql.api.auth.JaasAuthProvider;
import io.confluent.ksql.api.auth.KsqlAuthorizationProviderHandler;
import io.confluent.ksql.api.auth.RoleBasedAuthZHandler;
import io.confluent.ksql.api.auth.SystemAuthenticationHandler;
import io.confluent.ksql.rest.Errors;
import io.confluent.ksql.rest.server.KsqlRestConfig;
import io.confluent.ksql.security.KsqlSecurityExtension;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.vertx.core.Handler;
import io.vertx.core.http.ClientAuth;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BasicAuthHandler;
import java.net.URI;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

/* loaded from: input_file:io/confluent/ksql/api/server/AuthHandlers.class */
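/**
 * Wires the authentication and authorization handlers of the ksql API server onto a Vert.x
 * {@link Router}.
 *
 * <p>When JAAS basic auth or an authentication plugin is configured, the chain is registered in
 * this order (each entry is preceded by a handler that pauses the request):
 * <ol>
 *   <li>the system authentication handler, if one applies to this listener;</li>
 *   <li>{@link #selectHandler}, which records the {@link Provider} responsible for the request;</li>
 *   <li>the JAAS basic-auth handler (requests marked {@link Provider#JAAS});</li>
 *   <li>{@code RoleBasedAuthZHandler} (requests marked {@link Provider#JAAS});</li>
 *   <li>the plugin handler (requests marked {@link Provider#PLUGIN});</li>
 *   <li>{@code KsqlAuthorizationProviderHandler}, if the security extension supplies an
 *       authorization provider (requests marked JAAS or PLUGIN);</li>
 *   <li>a handler that resumes the request.</li>
 * </ol>
 *
 * <p>Requests marked {@link Provider#SKIP} or {@link Provider#SYSTEM} match none of the
 * predicates above, so they pass through every authentication and authorization handler
 * registered here untouched.
 */
public final class AuthHandlers {
    /**
     * Paths that always bypass authentication; they are merged with the operator-configured
     * skip paths in {@link #getAuthenticationSkipPathPattern}.
     */
    private static final Set<String> KSQL_AUTHENTICATION_SKIP_PATHS = ImmutableSet.of("/v1/metadata", "/v1/metadata/id", "/healthcheck");

    /** Key in the routing-context data map under which the selected {@link Provider} is stored. */
    private static final String PROVIDER_KEY = "provider";

    /**
     * Which mechanism is responsible for a request, as decided by {@link #selectHandler}.
     *
     * <p>JADX note: the decompiler widened this type from package-private.
     */
    public enum Provider {
        /** The request was recognised as coming from the system user. */
        SYSTEM,
        /** The request carries a Basic {@code Authorization} header and JAAS is configured. */
        JAAS,
        /** The request is handed to the configured authentication plugin. */
        PLUGIN,
        /** The request path matched the authentication skip pattern. */
        SKIP
    }

    private AuthHandlers() {
    }

    /**
     * Registers the authentication/authorization handler chain on {@code router}.
     *
     * <p>JADX note: the decompiler widened this method from package-private.
     *
     * @param server source of the configuration, security extension and authentication plugin
     * @param router router the handlers are appended to
     * @param z forwarded to {@link #getSystemAuthenticationHandler}; the system authentication
     *     handler is only installed when it is {@code true} (presumably marks the internal
     *     listener; confirm against the caller)
     * @throws IllegalStateException if the configured authentication method is not recognised
     */
    public static void setupAuthHandlers(Server server, Router router, boolean z) {
        final Optional<BasicAuthHandler> jaasAuthHandler = getJaasAuthHandler(server);
        final KsqlSecurityExtension securityExtension = server.getSecurityExtension();
        final Optional<AuthenticationPlugin> authenticationPlugin = server.getAuthenticationPlugin();
        final Optional<AuthenticationPluginHandler> pluginHandler =
                authenticationPlugin.map(plugin -> new AuthenticationPluginHandler(server, plugin));

        getSystemAuthenticationHandler(server, z)
                .ifPresent(systemHandler -> registerAuthHandler(router, systemHandler));

        if (!jaasAuthHandler.isPresent() && !authenticationPlugin.isPresent()) {
            // Neither JAAS nor a plugin is configured: no provider selection, no authentication
            // and no authorization handler is installed by this class.
            // NOTE(review): if a system authentication handler was registered above, its pause
            // handler has no matching resume handler on this path; confirm the request is
            // resumed elsewhere.
            return;
        }

        final Pattern skipPathPattern = getAuthenticationSkipPathPattern(
                server.getConfig().getList(KsqlRestConfig.AUTHENTICATION_SKIP_PATHS_CONFIG));
        final boolean jaasAvailable = jaasAuthHandler.isPresent();
        final boolean pluginAvailable = pluginHandler.isPresent();

        // Decide once per request which provider is responsible; every later handler is gated
        // on that decision through selectiveHandler.
        registerAuthHandler(router,
                routingContext -> selectHandler(routingContext, skipPathPattern, jaasAvailable, pluginAvailable));

        jaasAuthHandler.ifPresent(basicAuthHandler ->
                registerAuthHandler(router, selectiveHandler(basicAuthHandler, Provider.JAAS::equals)));

        // Role-based authorization is constructed and registered whenever this branch is
        // reached, but it only acts on requests marked JAAS.
        final RoleBasedAuthZHandler roleBasedAuthZHandler = new RoleBasedAuthZHandler(
                server.getConfig().getList(KsqlRestConfig.AUTHENTICATION_ROLES_CONFIG));
        registerAuthHandler(router, selectiveHandler(roleBasedAuthZHandler, Provider.JAAS::equals));

        pluginHandler.ifPresent(handler ->
                registerAuthHandler(router, selectiveHandler(handler, Provider.PLUGIN::equals)));

        // The authorization provider, when the security extension supplies one, applies to both
        // JAAS- and plugin-authenticated requests; SKIP and SYSTEM requests are not checked by it.
        securityExtension.getAuthorizationProvider().ifPresent(authorizationProvider ->
                registerAuthHandler(router, selectiveHandler(
                        new KsqlAuthorizationProviderHandler(server, authorizationProvider),
                        provider -> provider == Provider.JAAS || provider == Provider.PLUGIN)));

        router.route().handler(AuthHandlers::resumeHandler);
    }

    /**
     * Appends {@code handler} to the router, preceded by a handler that pauses the request.
     *
     * <p>JADX note: the decompiler widened this method from private.
     *
     * @param router router to append to
     * @param handler authentication or authorization handler to register
     */
    public static void registerAuthHandler(Router router, Handler<RoutingContext> handler) {
        router.route().handler(AuthHandlers::pauseHandler);
        router.route().handler(handler);
    }

    /**
     * Wraps {@code handler} so that it only runs for requests whose recorded {@link Provider}
     * satisfies {@code predicate}; all other requests are passed straight to the next handler.
     *
     * <p>The provider is read from the routing-context data and is {@code null} when
     * {@link #selectHandler} recorded none, so predicates must tolerate {@code null}.
     *
     * @param handler handler to gate
     * @param predicate test applied to the recorded provider
     * @return the gated handler
     */
    private static Handler<RoutingContext> selectiveHandler(Handler<RoutingContext> handler, Predicate<Provider> predicate) {
        return routingContext -> {
            final Provider recorded = (Provider) routingContext.data().get(PROVIDER_KEY);
            if (!predicate.test(recorded)) {
                routingContext.next();
                return;
            }
            handler.handle(routingContext);
        };
    }

    /**
     * Records in the routing context which {@link Provider} is responsible for the request, or
     * fails the request with 401 when none applies.
     *
     * <p>Precedence: skip-path match, then system user, then JAAS (Basic header), then plugin.
     * The skip pattern must match the whole normalized path ({@code matches()}, not a partial
     * find). A request marked {@link Provider#SKIP} is not authenticated or authorized by any
     * handler registered in this class, so the configured skip paths should be kept narrow.
     *
     * <p>JADX note: the decompiler widened this method from package-private.
     *
     * @param routingContext the request being routed
     * @param pattern pattern of paths that bypass authentication
     * @param z whether a JAAS basic-auth handler is configured
     * @param z2 whether an authentication plugin handler is configured
     */
    @VisibleForTesting
    public static void selectHandler(RoutingContext routingContext, Pattern pattern, boolean z, boolean z2) {
        if (pattern.matcher(routingContext.normalizedPath()).matches()) {
            routingContext.data().put(PROVIDER_KEY, Provider.SKIP);
            routingContext.next();
            return;
        }
        if (SystemAuthenticationHandler.isAuthenticatedAsSystemUser(routingContext)) {
            routingContext.data().put(PROVIDER_KEY, Provider.SYSTEM);
            routingContext.next();
            return;
        }

        final String authHeader = routingContext.request().getHeader("Authorization");
        // The auth scheme is compared case-insensitively; Locale.ROOT keeps the lower-casing
        // independent of the JVM default locale (e.g. "BASIC" under a Turkish locale).
        final boolean basicScheme =
                authHeader != null && authHeader.toLowerCase(Locale.ROOT).startsWith("basic ");

        final Provider selected;
        if (z && basicScheme) {
            selected = Provider.JAAS;
        } else if (z2) {
            selected = Provider.PLUGIN;
        } else {
            // No usable credentials and no plugin to fall back on: reject and stop. The request
            // must not also be advanced with next(); it has no provider recorded, and every
            // selective handler lets such a request through without checking it.
            routingContext.fail(HttpResponseStatus.UNAUTHORIZED.code(), new KsqlApiException("Unauthorized", Errors.ERROR_CODE_UNAUTHORIZED));
            return;
        }
        routingContext.data().put(PROVIDER_KEY, selected);
        routingContext.next();
    }

    /**
     * Builds the JAAS basic-auth handler when the configured authentication method asks for it.
     *
     * @param server source of the configuration
     * @return the handler for method {@code BASIC}, empty for {@code NONE}
     * @throws IllegalStateException if the configured method is neither of the two
     */
    private static Optional<BasicAuthHandler> getJaasAuthHandler(Server server) {
        final String method = server.getConfig().getString(KsqlRestConfig.AUTHENTICATION_METHOD_CONFIG);
        switch (method) {
            case KsqlRestConfig.AUTHENTICATION_METHOD_BASIC:
                return Optional.of(basicAuthHandler(server));
            case "NONE":
                return Optional.empty();
            default:
                // Fail closed on an unknown method rather than silently running unauthenticated.
                throw new IllegalStateException(String.format("Unexpected value for %s: %s", KsqlRestConfig.AUTHENTICATION_METHOD_CONFIG, method));
        }
    }

    /**
     * Creates a Vert.x basic-auth handler backed by {@link JaasAuthProvider} for the configured
     * realm.
     *
     * @param server source of the configuration
     * @return the basic-auth handler
     */
    private static BasicAuthHandler basicAuthHandler(Server server) {
        final String realm = server.getConfig().getString(KsqlRestConfig.AUTHENTICATION_REALM_CONFIG);
        return BasicAuthHandler.create(new JaasAuthProvider(server, realm), realm);
    }

    /**
     * Returns a system authentication handler only when all of the following hold: an internal
     * listener is configured, internal client authentication is {@code REQUIRED}, the internal
     * listener uses the {@code https} scheme, and {@code z} is {@code true}.
     *
     * @param server source of the configuration
     * @param z caller-supplied gate (presumably "this is the internal listener"; confirm
     *     against the caller)
     * @return the handler, or empty when any condition is not met
     * @throws IllegalArgumentException if the internal listener setting is not a valid URI
     */
    private static Optional<SystemAuthenticationHandler> getSystemAuthenticationHandler(Server server, boolean z) {
        final String internalListener = server.getConfig().getString(KsqlRestConfig.INTERNAL_LISTENER_CONFIG);
        if (internalListener == null) {
            return Optional.empty();
        }
        // Evaluation order is kept so the URI is only parsed once client auth is REQUIRED.
        final boolean clientAuthRequired = server.getConfig().getClientAuthInternal() == ClientAuth.REQUIRED;
        if (clientAuthRequired
                && "https".equalsIgnoreCase(URI.create(internalListener).getScheme())
                && z) {
            return Optional.of(new SystemAuthenticationHandler());
        }
        return Optional.empty();
    }

    /** Pauses the request, then passes control to the next handler. */
    private static void pauseHandler(RoutingContext routingContext) {
        routingContext.request().pause();
        routingContext.next();
    }

    /** Resumes the request, then passes control to the next handler. */
    private static void resumeHandler(RoutingContext routingContext) {
        routingContext.request().resume();
        routingContext.next();
    }

    /**
     * Compiles the pattern of paths that bypass authentication: the built-in skip paths plus
     * the configured ones, converted from comma-separated wildcards to a regex.
     *
     * @param list operator-configured skip paths
     * @return the compiled skip-path pattern
     */
    static Pattern getAuthenticationSkipPathPattern(List<String> list) {
        final Set<String> skipPaths = new HashSet<>(KSQL_AUTHENTICATION_SKIP_PATHS);
        skipPaths.addAll(list);
        return Pattern.compile(ServerUtils.convertCommaSeparatedWilcardsToRegex(String.join(",", skipPaths)));
    }
}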
