package io.confluent.rbacapi.app;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.jaxrs.base.JsonParseExceptionMapper;
import com.google.common.annotations.VisibleForTesting;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.errormappers.ConstraintViolationExceptionMapper;
import io.confluent.rbacapi.errormappers.KafkaApiExceptionMapper;
import io.confluent.rbacapi.errormappers.KafkaExecutionExceptionMapper;
import io.confluent.rbacapi.errormappers.Mds400ExceptionMapper;
import io.confluent.rbacapi.errormappers.MdsJacksonBindingErrorMapper;
import io.confluent.rbacapi.errormappers.MdsJacksonParseErrorMapper;
import io.confluent.rbacapi.errormappers.MdsJacksonProcessingErrorMapper;
import io.confluent.rbacapi.errormappers.MdsUncaughtExceptionMapper;
import io.confluent.rbacapi.errormappers.MdsValidationExceptionMapper;
import io.confluent.rbacapi.errormappers.TimeoutExceptionMapper;
import io.confluent.rbacapi.jackson.MdsJacksonMessageBodyProvider;
import io.confluent.rbacapi.jackson.MdsJacksonModule;
import io.confluent.rbacapi.login.MdsLoginService;
import io.confluent.rbacapi.resources.AuthorizeResource;
import io.confluent.rbacapi.resources.LookupResource;
import io.confluent.rbacapi.resources.MetadataServiceResource;
import io.confluent.rbacapi.resources.PrincipalsResource;
import io.confluent.rbacapi.resources.RolesResource;
import io.confluent.rbacapi.rest.LeaderAwareApplication;
import io.confluent.rbacapi.rest.MdsWriterProxyServlet;
import io.confluent.rbacapi.rest.MdsWritesFilter;
import io.confluent.rest.Application;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import io.confluent.security.auth.common.TokenUtils;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Scope;
import io.confluent.tokenapi.errormappers.AuthenticationTokenExceptionMapper;
import io.confluent.tokenapi.jwt.JwtProvider;
import io.confluent.tokenapi.resources.TokenResource;
import java.io.File;
import java.io.FileInputStream;
import java.net.URL;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.DispatcherType;
import javax.ws.rs.core.Configurable;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacapi/app/RbacApiApplication.class */
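/**
 * REST application for the RBAC metadata service (MDS).
 *
 * <p>Wires the Jersey resources, the JSON provider, the exception mappers and the Jetty
 * security handler on top of the shared {@link Authorizer}, {@link AuthStore} and
 * {@link JwtProvider}. Leadership is delegated to the auth store: the node for which
 * {@link AuthStore#isMasterWriter()} is true is the leader, and {@link MdsWritesFilter} /
 * {@link MdsWriterProxyServlet} are installed so that writes can be forwarded to it.
 *
 * <p>This listing is decompiler output: the {@code *2} method names, the
 * {@code register2} calls and the synthetic bridge methods at the bottom are artifacts of
 * bridge-method renaming, not part of the original source.
 */
public class RbacApiApplication extends Application<RbacApiAppConfig> implements LeaderAwareApplication {
    private static final Logger log = LoggerFactory.getLogger(RbacApiApplication.class);
    // Mapper shared by the JSON provider and getJsonMapper(); MDS-specific (de)serializers
    // come from MdsJacksonModule.
    private final ObjectMapper objectMapper;
    private final RbacApiAppConfig config;
    private final Authorizer authorizer;
    private final AuthStore authStore;
    private final JwtProvider jwtProvider;
    // May be null; when present, BASIC authentication is delegated to it via MdsLoginService.
    private final AuthenticateCallbackHandler authenticateCallbackHandler;
    // Servlet that forwards write requests to the current leader (mounted at /leader/*).
    private final MdsWriterProxyServlet proxyWriter;
    private final String metadataClusterId;
    // Scope of the metadata cluster itself; used to authorize access to MDS-level resources.
    private final Scope metadataClusterScope;

    /**
     * Creates the application.
     *
     * @param rbacApiAppConfig application configuration (also passed to the parent)
     * @param authorizer authorizer backing the authorize and lookup resources
     * @param authStore store providing the auth cache, role catalog and leader information
     * @param jwtProvider token issuer; configured from the config originals in
     *     {@link #setupResources2} when JWT auth is enabled
     * @param authenticateCallbackHandler optional callback handler for BASIC auth; may be null
     * @param str id of the metadata cluster; must be non-empty
     * @throws IllegalArgumentException if {@code str} is null or empty
     */
    public RbacApiApplication(RbacApiAppConfig rbacApiAppConfig, Authorizer authorizer, AuthStore authStore, JwtProvider jwtProvider, AuthenticateCallbackHandler authenticateCallbackHandler, String str) {
        super(rbacApiAppConfig);
        this.objectMapper = new ObjectMapper();
        this.objectMapper.registerModule(new MdsJacksonModule());
        this.config = rbacApiAppConfig;
        this.authorizer = authorizer;
        this.authStore = authStore;
        this.jwtProvider = jwtProvider;
        this.authenticateCallbackHandler = authenticateCallbackHandler;
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Metadata cluster id must be non-empty");
        }
        this.metadataClusterId = str;
        this.metadataClusterScope = Scope.kafkaClusterScope(str);
        // The proxy needs the application back-reference to resolve the leader on demand.
        this.proxyWriter = new MdsWriterProxyServlet(this);
    }

    /**
     * Whether this node is the current master writer, as reported by the auth store.
     */
    @Override // io.confluent.rbacapi.rest.LeaderAwareApplication
    public boolean isLeader() {
        return this.authStore.isMasterWriter();
    }

    /**
     * URL of the current master writer for the given protocol, as reported by the auth store.
     *
     * @param str protocol (presumably "http" or "https" — not verifiable from this class)
     */
    @Override // io.confluent.rbacapi.rest.LeaderAwareApplication
    public URL getLeader(String str) {
        return this.authStore.masterWriterUrl(str);
    }

    /**
     * URLs of all active nodes for the given protocol, as reported by the auth store.
     *
     * @param str protocol (see {@link #getLeader(String)})
     */
    @Override // io.confluent.rbacapi.rest.LeaderAwareApplication
    public Collection<URL> getNodes(String str) {
        return this.authStore.activeNodeUrls(str);
    }

    /**
     * Installs the leader-forwarding plumbing ahead of the Jersey resources.
     *
     * <p>{@link MdsWritesFilter} is applied to every path ({@code /*}, with Jetty's default
     * dispatcher types since none are given) and {@link MdsWriterProxyServlet} is mounted at
     * {@code /leader/*}. When the server has an SSL context factory it is handed to the proxy,
     * presumably so forwarded requests reuse the server's TLS settings.
     */
    @Override // io.confluent.rest.Application
    protected void configurePreResourceHandling(ServletContextHandler servletContextHandler) {
        servletContextHandler.addFilter(new FilterHolder(new MdsWritesFilter(this)), "/*", (EnumSet<DispatcherType>) null);
        servletContextHandler.addServlet(new ServletHolder(this.proxyWriter), "/leader/*");
        if (getSslContextFactory() != null) {
            this.proxyWriter.setSslContextFactory(getSslContextFactory());
        }
    }

    /**
     * Registers the REST resources.
     *
     * <p>The token endpoint ({@link TokenResource}) is only exposed when
     * {@code METADATA_SERVER_JWT_AUTH_ENABLE_PROP} is true; the JWT provider is configured from
     * the raw config originals at that point. All other resources share one
     * {@link SecurityMetadataAuthorizer} bound to the metadata cluster scope.
     *
     * @param configurable JAX-RS registration target
     * @param rbacApiAppConfig application configuration
     */
    /* renamed from: setupResources, reason: avoid collision after fix types in other method */
    public void setupResources2(Configurable<?> configurable, RbacApiAppConfig rbacApiAppConfig) {
        if (rbacApiAppConfig.getBoolean(RbacApiAppConfig.METADATA_SERVER_JWT_AUTH_ENABLE_PROP).booleanValue()) {
            this.jwtProvider.configure(rbacApiAppConfig.originals());
            configurable.register2(new TokenResource(this.jwtProvider));
        }
        Long configuredTimeoutNanos = getConfiguredTimeoutNanos(rbacApiAppConfig);
        SecurityMetadataAuthorizer securityMetadataAuthorizer = new SecurityMetadataAuthorizer(this.authorizer, this.metadataClusterScope);
        configurable.register2(new AuthorizeResource(this.authorizer, securityMetadataAuthorizer));
        configurable.register2(new RolesResource(this.authStore.authCache().rbacRoles()));
        // PrincipalsResource takes the idle timeout in nanoseconds (see getConfiguredTimeoutNanos).
        configurable.register2(new PrincipalsResource(this.authStore, securityMetadataAuthorizer, configuredTimeoutNanos.longValue()));
        configurable.register2(new MetadataServiceResource(this.authStore, this.metadataClusterId));
        configurable.register2(new LookupResource(this.authStore.authCache(), securityMetadataAuthorizer));
    }

    /**
     * Converts the configured idle timeout ({@code RestConfig.IDLE_TIMEOUT_MS_CONFIG},
     * milliseconds) to nanoseconds.
     *
     * @return the timeout in nanoseconds
     */
    @VisibleForTesting
    protected Long getConfiguredTimeoutNanos(RbacApiAppConfig rbacApiAppConfig) {
        long idleTimeoutMs = rbacApiAppConfig.getLong(RestConfig.IDLE_TIMEOUT_MS_CONFIG).longValue();
        return Long.valueOf(idleTimeoutMs * 1000000);
    }

    /**
     * The shared Jackson mapper (with {@link MdsJacksonModule} registered).
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.confluent.rest.Application
    public ObjectMapper getJsonMapper() {
        return this.objectMapper;
    }

    /**
     * Registers the MDS JSON message-body provider and, optionally, the Jackson parse
     * exception mapper.
     *
     * @param z when true, also registers {@link JsonParseExceptionMapper}
     */
    /* renamed from: registerJsonProvider, reason: avoid collision after fix types in other method */
    protected void registerJsonProvider2(Configurable<?> configurable, RbacApiAppConfig rbacApiAppConfig, boolean z) {
        configurable.register2(new MdsJacksonMessageBodyProvider(this.objectMapper));
        if (z) {
            configurable.register(JsonParseExceptionMapper.class);
        }
    }

    /**
     * Registers the exception mappers.
     *
     * <p>The single {@link MdsUncaughtExceptionMapper} instance is also handed to the
     * authentication-token and Kafka-execution mappers so that unexpected causes are reported
     * consistently.
     */
    /* renamed from: registerExceptionMappers, reason: avoid collision after fix types in other method */
    protected void registerExceptionMappers2(Configurable<?> configurable, RbacApiAppConfig rbacApiAppConfig) {
        MdsUncaughtExceptionMapper mdsUncaughtExceptionMapper = new MdsUncaughtExceptionMapper();
        configurable.register2(mdsUncaughtExceptionMapper);
        configurable.register2(new MdsJacksonProcessingErrorMapper());
        configurable.register2(new MdsJacksonParseErrorMapper());
        configurable.register2(new MdsJacksonBindingErrorMapper());
        configurable.register2(new Mds400ExceptionMapper());
        configurable.register2(new MdsValidationExceptionMapper());
        configurable.register2(new ConstraintViolationExceptionMapper());
        configurable.register2(new AuthenticationTokenExceptionMapper(mdsUncaughtExceptionMapper));
        configurable.register2(new TimeoutExceptionMapper());
        configurable.register2(new KafkaApiExceptionMapper(rbacApiAppConfig));
        configurable.register2(new KafkaExecutionExceptionMapper(rbacApiAppConfig, mdsUncaughtExceptionMapper));
    }

    /**
     * Intentionally a no-op: nothing is released here.
     */
    @Override // io.confluent.rest.Application
    public void onShutdown() {
    }

    /**
     * Builds and installs the Jetty security handler.
     *
     * <p>Behaviour by configuration:
     * <ul>
     *   <li>{@code AUTHENTICATION_METHOD_CONFIG} equal to {@code NONE} (case-insensitive):
     *       no security handler is installed at all, so every endpoint is reachable
     *       unauthenticated. This must be a deliberate deployment choice.</li>
     *   <li>A non-null callback handler: {@link BasicAuthenticator} backed by
     *       {@link MdsLoginService}.</li>
     *   <li>{@code METADATA_SERVER_JWT_AUTH_ENABLE_PROP} true: the authenticator is replaced by
     *       {@link OAuthOrBasicAuthenticator} and a {@link JwtLoginService} verifying tokens
     *       with the public key at {@code PUBLIC_KEY_PATH_PROP} is installed. If a login
     *       service was already set it is kept as the fallback via
     *       {@link JwtWithFallbackLoginService}.</li>
     * </ul>
     * The public key file is parsed once up front so a missing or unreadable key fails
     * startup instead of rejecting every token at runtime.
     *
     * @throws IllegalArgumentException if the public key file does not exist or cannot be loaded
     */
    @Override // io.confluent.rest.Application
    protected void configureSecurityHandler(ServletContextHandler servletContextHandler) {
        if (this.config.getString(RestConfig.AUTHENTICATION_METHOD_CONFIG).equalsIgnoreCase("NONE")) {
            return;
        }
        boolean jwtAuthEnabled = this.config.getBoolean(RbacApiAppConfig.METADATA_SERVER_JWT_AUTH_ENABLE_PROP).booleanValue();
        String realm = this.config.getString(RestConfig.AUTHENTICATION_REALM_CONFIG);
        SecurityHandler securityHandler = initializeSecurityHandler(realm);
        if (this.authenticateCallbackHandler != null) {
            log.trace("Confluent authenticate callback handler is enabled.");
            securityHandler.setAuthenticator(new BasicAuthenticator());
            securityHandler.setLoginService(new MdsLoginService(realm, this.authStore.authCache(), this.authenticateCallbackHandler));
        }
        if (jwtAuthEnabled) {
            // Overrides the BasicAuthenticator set above; this authenticator accepts both schemes.
            securityHandler.setAuthenticator(new OAuthOrBasicAuthenticator());
            String publicKeyPath = this.config.getString(RbacApiAppConfig.PUBLIC_KEY_PATH_PROP);
            if (!new File(publicKeyPath).exists()) {
                throw new IllegalArgumentException(String.format("No file found for config:%s with path:%s", RbacApiAppConfig.PUBLIC_KEY_PATH_PROP, publicKeyPath));
            }
            try {
                // Early validation of the key; the stream is closed by try-with-resources.
                // JwtLoginService is given the path and presumably loads the key itself.
                try (FileInputStream publicKeyStream = new FileInputStream(publicKeyPath)) {
                    TokenUtils.loadPublicKey(publicKeyStream);
                }
                JwtLoginService jwtLoginService = new JwtLoginService(realm, this.jwtProvider.issuer, publicKeyPath, "");
                LoginService existingLoginService = securityHandler.getLoginService();
                if (existingLoginService != null) {
                    // Keep the BASIC login service reachable when both mechanisms are configured.
                    securityHandler.setLoginService(new JwtWithFallbackLoginService(jwtLoginService, existingLoginService));
                } else {
                    securityHandler.setLoginService(jwtLoginService);
                }
            } catch (Exception e) {
                // Only Exceptions are wrapped as a configuration problem; JVM Errors propagate as-is.
                throw new IllegalArgumentException(String.format("Problem loading key for config:%s with path:%s", RbacApiAppConfig.PUBLIC_KEY_PATH_PROP, publicKeyPath), e);
            }
        }
        servletContextHandler.setSecurityHandler(securityHandler);
    }

    /**
     * Creates the constraint-based security handler for the given realm.
     *
     * <p>The global constraint from {@link AuthUtil#createGlobalAuthConstraint} is added first,
     * then the unsecured mappings from {@link AuthUtil#createUnsecuredConstraints} exempt the
     * configured paths. The role names known to Jetty are taken from the RBAC role catalog.
     *
     * @param realm realm name reported to clients
     */
    private ConstraintSecurityHandler initializeSecurityHandler(String realm) {
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        securityHandler.addConstraintMapping(AuthUtil.createGlobalAuthConstraint(this.config));
        securityHandler.setRealmName(realm);
        Set<String> roleNames = this.authStore.authCache().rbacRoles().roles().stream()
                .map(role -> role.name())
                .collect(Collectors.toSet());
        securityHandler.setRoles(roleNames);
        List<ConstraintMapping> unsecuredConstraints = AuthUtil.createUnsecuredConstraints(this.config);
        unsecuredConstraints.forEach(securityHandler::addConstraintMapping);
        return securityHandler;
    }

    /** Bridge to {@link #registerExceptionMappers2} (decompiler artifact). */
    @Override // io.confluent.rest.Application
    protected /* bridge */ /* synthetic */ void registerExceptionMappers(Configurable configurable, RbacApiAppConfig rbacApiAppConfig) {
        registerExceptionMappers2((Configurable<?>) configurable, rbacApiAppConfig);
    }

    /** Bridge to {@link #registerJsonProvider2} (decompiler artifact). */
    @Override // io.confluent.rest.Application
    protected /* bridge */ /* synthetic */ void registerJsonProvider(Configurable configurable, RbacApiAppConfig rbacApiAppConfig, boolean z) {
        registerJsonProvider2((Configurable<?>) configurable, rbacApiAppConfig, z);
    }

    /** Bridge to {@link #setupResources2} (decompiler artifact). */
    @Override // io.confluent.rest.Application
    public /* bridge */ /* synthetic */ void setupResources(Configurable configurable, RbacApiAppConfig rbacApiAppConfig) {
        setupResources2((Configurable<?>) configurable, rbacApiAppConfig);
    }
}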
