package io.confluent.ksql.security.authorizer;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.security.KsqlAuthorizationProvider;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.HttpBearerCredentialProvider;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/security/authorizer/KsqlRestAuthorizer.class */
public class KsqlRestAuthorizer implements KsqlAuthorizationProvider {
    private static final Logger log = LoggerFactory.getLogger(KsqlRestAuthorizer.class);
    private final RestAuthorizer restAuthorizer;
    private final ResourceActionsMapping resourceActionsMapping;

    public KsqlRestAuthorizer(RestAuthorizer restAuthorizer, ResourceActionsMapping resourceActionsMapping) {
        this.restAuthorizer = restAuthorizer;
        this.resourceActionsMapping = resourceActionsMapping;
    }

    public void checkEndpointAccess(Principal principal, String str, String str2) {
        JwtPrincipal jwtPrincipal = KsqlSecurityUtils.toJwtPrincipal(principal);
        if (isServerInfoEndpoint(str2)) {
            return;
        }
        Action action = this.resourceActionsMapping.get(str2);
        List authorize = this.restAuthorizer.authorize(toBearerCredentials(jwtPrincipal), toKafkaUserPrincipal(jwtPrincipal), (String) null, Collections.singletonList(action));
        if (authorize.size() != 1) {
            throw new IllegalStateException("Authorizer returned unexpected results. Expected 1, got " + authorize.size());
        }
        if (authorize.get(0) != AuthorizeResult.ALLOWED) {
            log.warn("User:{} is Denied operation = {} on endpoint = \"{} {}\"", new Object[]{jwtPrincipal.getName(), action.operation(), str, str2});
            throw new AuthorizationException("You are forbidden from using this cluster.");
        }
    }

    private boolean isServerInfoEndpoint(String str) {
        return str.equals("/info");
    }

    private static HttpBearerCredentialProvider toBearerCredentials(JwtPrincipal jwtPrincipal) {
        return new HttpBearerCredentialProvider(jwtPrincipal.getJwt());
    }

    private static KafkaPrincipal toKafkaUserPrincipal(JwtPrincipal jwtPrincipal) {
        return new KafkaPrincipal("User", jwtPrincipal.getName());
    }
}
