package io.confluent.controlcenter.rest;

import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.util.Collection;
import java.util.Set;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/rest/ReadOnlyRolesFilter.class */
/**
 * JAX-RS request filter that rejects state-changing requests from callers who hold
 * one of a configured set of read-only roles.
 *
 * <p>Requests whose HTTP method is in {@link #READ_METHODS} pass without any role
 * check. For every other method the caller's {@link SecurityContext} is tested
 * against each configured role, and the first match aborts the request with a
 * {@link NotAuthorizedException}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This is a deny-list. A caller who is in none of the configured roles passes
 *       this filter for write methods too, so it is not a complete authorization
 *       check by itself.</li>
 *   <li>The method comparison is an exact string match, so any method not listed in
 *       {@link #READ_METHODS} is treated as a write for the restricted roles.</li>
 *   <li>Read methods are never checked here. The read-only guarantee therefore
 *       presumably relies on GET/HEAD/OPTIONS handlers not changing state; verify
 *       against the resource classes.</li>
 *   <li>NOTE(review): {@code NotAuthorizedException} produces a 401 and treats its
 *       first argument as the authentication challenge, so the text containing the
 *       principal is used as the challenge value. A 403 is the usual status for an
 *       authenticated caller lacking permission; confirm what clients expect before
 *       changing it.</li>
 *   <li>NOTE(review): the denial is logged at trace level only, so it will not be
 *       visible at typical log levels; confirm that rejected writes are audited
 *       elsewhere.</li>
 * </ul>
 */
public class ReadOnlyRolesFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(ReadOnlyRolesFilter.class);

    /** HTTP methods that this filter lets through without consulting the caller's roles. */
    public static final Set<String> READ_METHODS = ImmutableSet.of("GET", "HEAD", "OPTIONS");

    // Role names whose members are limited to READ_METHODS. Held by reference: the
    // collection is not copied, so later changes made by the owner are seen here.
    private final Collection<String> roles;

    /**
     * Creates a filter for the given read-only role names.
     *
     * <p>The decompiler reports that this constructor was package-private in the
     * original class and that its access modifier was widened in this listing.
     *
     * @param collection role names to restrict to read methods; stored as-is, without
     *     a defensive copy or a null check
     */
    public ReadOnlyRolesFilter(Collection<String> collection) {
        this.roles = collection;
    }

    /**
     * Rejects the request when it uses a non-read method and the caller is in any
     * configured read-only role.
     *
     * @param containerRequestContext the request being filtered
     * @throws NotAuthorizedException if the caller is in one of the configured roles
     *     and the method is not in {@link #READ_METHODS}
     * @throws IOException declared by the filter contract; not thrown by this body
     */
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        final boolean mutating = !READ_METHODS.contains(containerRequestContext.getMethod());
        if (mutating) {
            final SecurityContext caller = containerRequestContext.getSecurityContext();
            for (final String restrictedRole : this.roles) {
                if (!caller.isUserInRole(restrictedRole)) {
                    continue;
                }
                // First matching role decides: membership in any other role does not
                // lift the restriction.
                log.trace("user={} in role={}", caller.getUserPrincipal(), restrictedRole);
                final String challenge = caller.getUserPrincipal() + " only has read access";
                throw new NotAuthorizedException(challenge, new Object[0]);
            }
        }
    }
}
