package io.confluent.catalog.web.filters;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.netflix.governator.LifecycleInjector;
import io.confluent.catalog.client.autthorizer.CatalogAuthorizerClient;
import io.confluent.catalog.metrics.MetricsManager;
import io.confluent.catalog.web.graphql.resources.GraphQLResource;
import io.confluent.catalog.web.rest.resources.CatalogResource;
import io.confluent.catalog.web.rest.resources.EntityResource;
import io.confluent.catalog.web.rest.resources.SchemaRegistryResource;
import io.confluent.catalog.web.rest.resources.SearchResource;
import io.confluent.catalog.web.rest.resources.TypesResource;
import io.confluent.kafka.schemaregistry.rest.resources.DocumentedName;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.rest.entities.ErrorMessage;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Method;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component
@Order(1)
/* loaded from: input_file:io/confluent/catalog/web/filters/CatalogRequestFilter.class */
public class CatalogRequestFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private static final Logger LOG = LoggerFactory.getLogger(CatalogRequestFilter.class);
    private final CatalogAuthorizerClient authorizerRestClient;
    private final MetricsManager metricsManager;
    private final SchemaRegistry schemaRegistry;
    private final LifecycleInjector injector;
    private static final int OPERATION_FORBIDDEN_ERROR_CODE = 40301;
    private final Set<Class<? extends SchemaRegistryResource>> requestRbacEnabledResourceSet = new HashSet();
    private final Set<Class<? extends SchemaRegistryResource>> responseRbacEnabledResourceSet = new HashSet();

    @Context
    protected ResourceInfo resourceInfo;

    @Context
    protected HttpServletRequest httpServletRequest;

    public CatalogRequestFilter(SchemaRegistry schemaRegistry, LifecycleInjector lifecycleInjector, CatalogAuthorizerClient catalogAuthorizerClient) {
        this.schemaRegistry = schemaRegistry;
        this.injector = lifecycleInjector;
        this.authorizerRestClient = catalogAuthorizerClient;
        this.metricsManager = (MetricsManager) lifecycleInjector.getInstance(MetricsManager.class);
        if (this.metricsManager == null) {
            LOG.warn("MetricsManager is null");
        }
        this.requestRbacEnabledResourceSet.add(TypesResource.class);
        this.requestRbacEnabledResourceSet.add(EntityResource.class);
        this.requestRbacEnabledResourceSet.add(CatalogResource.class);
        this.responseRbacEnabledResourceSet.add(TypesResource.class);
        this.responseRbacEnabledResourceSet.add(EntityResource.class);
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String headerString = containerRequestContext.getHeaderString("Authorization");
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(headerString, (Object) null));
        containerRequestContext.setProperty(CatalogAuthorizerClient.API_METHOD_NAME_HEADER, getDocumentName());
        containerRequestContext.setProperty(CatalogAuthorizerClient.CLIENT_IP, this.httpServletRequest.getRemoteAddr());
        containerRequestContext.setProperty(CatalogAuthorizerClient.PORT_NUMBER, this.httpServletRequest.getRemoteHost());
        CatalogRequestContextHolder.setRequestContext(containerRequestContext);
        Class resourceClass = this.resourceInfo.getResourceClass();
        String tenant = this.schemaRegistry.tenant();
        if (tenant != null && !tenant.isEmpty() && this.metricsManager != null) {
            try {
                if (SearchResource.class == resourceClass) {
                    this.metricsManager.recordRestfulSearch(tenant);
                } else if (GraphQLResource.class == resourceClass) {
                    this.metricsManager.recordGraphQLSearch(tenant);
                }
            } catch (Exception e) {
                LOG.error("Failed to record search request", e);
            }
        }
        if (this.requestRbacEnabledResourceSet.contains(resourceClass)) {
            checkRequestRbacPermissions(resourceClass, containerRequestContext, headerString);
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
        Class resourceClass = this.resourceInfo.getResourceClass();
        if (this.requestRbacEnabledResourceSet.contains(resourceClass)) {
            checkResponseRbacPermissions(resourceClass, containerRequestContext, containerResponseContext, containerRequestContext.getHeaderString("Authorization"));
        }
    }

    private String getDocumentName() {
        String value;
        if (this.resourceInfo.getResourceMethod().getAnnotation(DocumentedName.class) == null) {
            LOG.warn("Documented Name Annotation does not exist for from class " + this.resourceInfo.getResourceMethod().getClass() + " and Method Name " + this.resourceInfo.getResourceMethod().getName());
            value = this.resourceInfo.getResourceMethod().getName();
        } else {
            value = this.resourceInfo.getResourceMethod().getAnnotation(DocumentedName.class).value();
        }
        return value;
    }

    private void checkRequestRbacPermissions(Class cls, ContainerRequestContext containerRequestContext, String str) {
        try {
            SchemaRegistryResource.RbacPermissionEntity requestRbacPermissionEntity = ((SchemaRegistryResource) this.injector.getInstance(cls)).getRequestRbacPermissionEntity(containerRequestContext);
            if (requestRbacPermissionEntity == null) {
                return;
            }
            if (!authorize(containerRequestContext, requestRbacPermissionEntity, str)) {
                LOG.info("Operation denied on resource {} for HTTP Method {}", containerRequestContext.getUriInfo().getPath(), containerRequestContext.getMethod());
                containerRequestContext.abortWith(accessDenied(String.format("User is denied operation %s on resource %s", containerRequestContext.getMethod(), containerRequestContext.getUriInfo().getPath())));
            }
        } catch (JsonProcessingException e) {
            LOG.error("Exception during RBAC check", e);
            containerRequestContext.abortWith(Response.status(Response.Status.BAD_REQUEST).entity(new ErrorMessage(Response.Status.BAD_REQUEST.getStatusCode(), String.format("Request failed with exception : %s", e.getMessage()))).build());
        } catch (CatalogAuthorizerClient.CatalogAuthorizerRestClientException e2) {
            LOG.error("Exception during authorization {}", e2.getMessage());
            containerRequestContext.abortWith(getServiceUnavailableErrorResponse(String.format("Failed to check authorization for operation %s on resource %s", containerRequestContext.getMethod(), containerRequestContext.getUriInfo().getPath())));
        } catch (UnsupportedEncodingException e3) {
            LOG.error("Exception during request authorization with resource encoding {}", e3.getMessage());
            containerRequestContext.abortWith(getServiceUnavailableErrorResponse(String.format("Failed to encode resource %s for operation %s", containerRequestContext.getUriInfo().getPath(), containerRequestContext.getMethod())));
        } catch (Exception e4) {
            LOG.error("Exception during request authorization with resource encoding {}", e4.getMessage());
            containerRequestContext.abortWith(accessDenied(String.format("User is denied operation %s on resource %s", containerRequestContext.getMethod(), containerRequestContext.getUriInfo().getPath())));
        }
    }

    private void checkResponseRbacPermissions(Class cls, ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext, String str) throws IOException {
        Method resourceMethod = this.resourceInfo.getResourceMethod();
        try {
            SchemaRegistryResource.RbacPermissionEntity responseRbacPermissionEntity = ((SchemaRegistryResource) this.injector.getInstance(cls)).getResponseRbacPermissionEntity(containerRequestContext, containerResponseContext, resourceMethod != null ? resourceMethod.getName() : null);
            if (responseRbacPermissionEntity == null) {
                return;
            }
            if (!authorize(containerRequestContext, responseRbacPermissionEntity, str)) {
                LOG.info("Operation denied on resource {} for HTTP Method {}", containerRequestContext.getUriInfo().getPath(), containerRequestContext.getMethod());
                containerResponseContext.setStatus(Response.Status.FORBIDDEN.getStatusCode());
                containerResponseContext.setEntity(getDeniedErrorMessage(String.format("User is denied operation %s on resource %s", containerRequestContext.getMethod(), containerRequestContext.getUriInfo().getPath())));
            }
        } catch (CatalogAuthorizerClient.CatalogAuthorizerRestClientException e) {
            LOG.error("Exception during authorization {}", e.getMessage());
            containerResponseContext.setStatus(Response.Status.SERVICE_UNAVAILABLE.getStatusCode());
            containerResponseContext.setEntity(getServiceUnavailableErrorMessage(String.format("Failed to check authorization for operation %s on resource %s", containerRequestContext.getMethod(), containerRequestContext.getUriInfo().getPath())));
        } catch (UnsupportedEncodingException e2) {
            LOG.error("Exception during response authorization with resource encoding {}", e2.getMessage());
            containerResponseContext.setStatus(Response.Status.NOT_ACCEPTABLE.getStatusCode());
            containerResponseContext.setEntity(getServiceUnavailableErrorMessage(String.format("Failed to encode resource %s for operation %s", containerRequestContext.getUriInfo().getPath(), containerRequestContext.getMethod())));
        } catch (Exception e3) {
            LOG.error("Exception during response authorization with resource encoding {}", e3.getMessage());
            containerResponseContext.setStatus(Response.Status.FORBIDDEN.getStatusCode());
            containerResponseContext.setEntity(getDeniedErrorMessage(String.format("User is denied operation %s on resource %s", containerRequestContext.getMethod(), containerRequestContext.getUriInfo().getPath())));
        }
    }

    private Response accessDenied(String str) {
        return Response.status(Response.Status.FORBIDDEN).entity(getDeniedErrorMessage(str)).build();
    }

    private Object getDeniedErrorMessage(String str) {
        return new ErrorMessage(Response.Status.FORBIDDEN.getStatusCode(), str);
    }

    private Response getServiceUnavailableErrorResponse(String str) {
        return Response.status(Response.Status.SERVICE_UNAVAILABLE).entity(getServiceUnavailableErrorMessage(str)).build();
    }

    private Object getServiceUnavailableErrorMessage(String str) {
        return new ErrorMessage(Response.Status.SERVICE_UNAVAILABLE.getStatusCode(), str);
    }

    private boolean authorize(ContainerRequestContext containerRequestContext, SchemaRegistryResource.RbacPermissionEntity rbacPermissionEntity, String str) throws CatalogAuthorizerClient.CatalogAuthorizerRestClientException, UnsupportedEncodingException {
        if (rbacPermissionEntity.resourceList == null) {
            return false;
        }
        CatalogAuthorizerClient.CatalogAuthorizerRequest authorizeRequests = getAuthorizeRequests(rbacPermissionEntity);
        if (authorizeRequests.getActions().size() == 0) {
            return true;
        }
        for (CatalogAuthorizerClient.CatalogAuthorizerResponse catalogAuthorizerResponse : this.authorizerRestClient.authorize(containerRequestContext, str, authorizeRequests)) {
            if (catalogAuthorizerResponse.getResult() != CatalogAuthorizerClient.CatalogAuthorizeResult.ALLOWED) {
                LOG.info("Authorization not allowed for resource: {} operation: {}", catalogAuthorizerResponse.getResourceName(), catalogAuthorizerResponse.getOperation());
                return false;
            }
        }
        return true;
    }

    public static CatalogAuthorizerClient.CatalogAuthorizerRequest getAuthorizeRequests(SchemaRegistryResource.RbacPermissionEntity rbacPermissionEntity) throws UnsupportedEncodingException {
        LinkedList linkedList = new LinkedList();
        for (SchemaRegistryResource.RbacPermissionAction rbacPermissionAction : rbacPermissionEntity.resourceList) {
            if (rbacPermissionAction.resourceName == null || rbacPermissionAction.resourceName.isEmpty()) {
                LOG.info("Empty resource Name in cluster=" + rbacPermissionEntity.cluster + " for resourceType=" + rbacPermissionAction.resourceType);
            } else {
                linkedList.add(new CatalogAuthorizerClient.CatalogAuthorizerAction(URLEncoder.encode(rbacPermissionAction.resourceName, StandardCharsets.UTF_8.toString()), rbacPermissionAction.operation.name(), rbacPermissionAction.resourceType.getLabel()));
            }
        }
        return new CatalogAuthorizerClient.CatalogAuthorizerRequest("", linkedList);
    }
}
