package io.confluent.connect.security;

import io.confluent.common.security.util.StreamUtils;
import io.confluent.connect.security.config.manipulation.ConfigManipulator;
import io.confluent.connect.security.config.manipulation.ConfigManipulators;
import io.confluent.connect.security.config.manipulation.RbacBasicCredentialsManipulator;
import io.confluent.connect.security.rbac.ConnectActions;
import io.confluent.connect.security.rbac.ConnectorOperations;
import io.confluent.connect.security.util.ConnectRestApiMethods;
import io.confluent.connect.security.util.ConnectRestUtils;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.connect.health.ConnectClusterState;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.netty.Metrics;

/* loaded from: input_file:io/confluent/connect/security/ConnectSecurityFilter.class */
public class ConnectSecurityFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ConnectSecurityFilter.class);

    @Context
    private ResourceInfo resourceInfo;
    private final Scope scope;
    private final ConnectActions actions;
    private final RestAuthorizer restAuthorizer;
    private final ConfigManipulators configManipulators;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/connect/security/ConnectSecurityFilter$AuthorizedAction.class */
    public static class AuthorizedAction {
        final Action action;
        final AuthorizeResult authorizeResult;

        public AuthorizedAction(Action action, AuthorizeResult authorizeResult) {
            this.action = action;
            this.authorizeResult = authorizeResult;
        }
    }

    public ConnectSecurityFilter(ConnectSecurityExtensionConfig connectSecurityExtensionConfig, Scope scope, RestAuthorizer restAuthorizer, ConnectClusterState connectClusterState) {
        this(connectSecurityExtensionConfig, scope, ConnectActions.build(scope, connectClusterState), restAuthorizer, null);
    }

    ConnectSecurityFilter(ConnectSecurityExtensionConfig connectSecurityExtensionConfig, Scope scope, ConnectActions connectActions, RestAuthorizer restAuthorizer, ResourceInfo resourceInfo) {
        this.scope = scope;
        this.restAuthorizer = restAuthorizer;
        this.actions = connectActions;
        this.resourceInfo = resourceInfo;
        if (connectSecurityExtensionConfig.shouldInjectRbacCredentials()) {
            this.configManipulators = new ConfigManipulators(new RbacBasicCredentialsManipulator(connectSecurityExtensionConfig));
        } else {
            this.configManipulators = new ConfigManipulators(new ConfigManipulator[0]);
        }
    }

    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (authorizeRequest(containerRequestContext)) {
            this.configManipulators.transformRequest(this.resourceInfo, containerRequestContext);
        }
    }

    @Override // javax.ws.rs.container.ContainerResponseFilter
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        int status = containerResponseContext.getStatus();
        if (status >= 300 || status < 200) {
            return;
        }
        if (ConnectRestApiMethods.LIST_CONNECTORS.equals(this.resourceInfo.getResourceMethod())) {
            filterListedConnectors(containerRequestContext, containerResponseContext);
        }
        this.configManipulators.transformResponse(this.resourceInfo, containerResponseContext);
    }

    boolean authorizeRequest(ContainerRequestContext containerRequestContext) throws IOException {
        List<Action> actions = this.actions.actions(this.resourceInfo.getResourceMethod(), containerRequestContext);
        if (actions.isEmpty()) {
            return true;
        }
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        if (userPrincipal == null) {
            ConnectRestUtils.abortRequest(containerRequestContext, Response.Status.UNAUTHORIZED, ConnectRestUtils.UNAUTHENTICATED_USER);
            return false;
        }
        KafkaPrincipal kafkaPrincipalFor = kafkaPrincipalFor(userPrincipal);
        log.debug("Authorizing request for principal {}. Actions: {}", kafkaPrincipalFor, actions);
        Stream<AuthorizeResult> stream = this.restAuthorizer.authorize(kafkaPrincipalFor, null, actions).stream();
        AuthorizeResult authorizeResult = AuthorizeResult.ALLOWED;
        authorizeResult.getClass();
        if (stream.allMatch((v1) -> {
            return r1.equals(v1);
        })) {
            return true;
        }
        ConnectRestUtils.abortRequest(containerRequestContext, Response.Status.FORBIDDEN, ConnectRestUtils.UNAUTHORIZED_OPERATION);
        return false;
    }

    private void filterListedConnectors(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        Object obj;
        Object obj2;
        Object responseEntity = ConnectRestUtils.responseEntity(containerResponseContext);
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        try {
            if (responseEntity instanceof Collection) {
                Collection<String> collection = (Collection) responseEntity;
                if (!collection.isEmpty()) {
                    containerResponseContext.setEntity((Collection) allActionsForConnectors(collection, userPrincipal).filter(authorizedAction -> {
                        return AuthorizeResult.ALLOWED.equals(authorizedAction.authorizeResult);
                    }).map(authorizedAction2 -> {
                        return authorizedAction2.action;
                    }).map((v0) -> {
                        return v0.resourceName();
                    }).collect(Collectors.toSet()));
                }
            } else if (responseEntity instanceof Map) {
                Map map = (Map) responseEntity;
                if (map.isEmpty()) {
                    return;
                }
                List<AuthorizedAction> list = (List) allActionsForConnectors(map.keySet(), userPrincipal).collect(Collectors.toList());
                HashMap hashMap = new HashMap();
                for (AuthorizedAction authorizedAction3 : list) {
                    if (AuthorizeResult.ALLOWED.equals(authorizedAction3.authorizeResult)) {
                        String resourceName = authorizedAction3.action.resourceName();
                        if (!hashMap.containsKey(resourceName)) {
                            hashMap.put(resourceName, new HashMap());
                        }
                        Map map2 = (Map) map.getOrDefault(resourceName, Collections.emptyMap());
                        if (ConnectorOperations.READ_STATUS.equals(authorizedAction3.action.operation()) && (obj2 = map2.get(Metrics.STATUS)) != null) {
                            ((Map) hashMap.get(resourceName)).put(Metrics.STATUS, obj2);
                        }
                        if (ConnectorOperations.READ_CONFIG.equals(authorizedAction3.action.operation()) && (obj = map2.get(SchemaConstants.INFO_AT)) != null) {
                            ((Map) hashMap.get(resourceName)).put(SchemaConstants.INFO_AT, obj);
                        }
                    }
                }
                containerResponseContext.setEntity(hashMap);
            }
        } catch (Exception e) {
            log.error("", (Throwable) e);
            ConnectRestUtils.abortRequest(containerRequestContext, Response.Status.INTERNAL_SERVER_ERROR, e.getMessage());
        }
    }

    private Stream<AuthorizedAction> allActionsForConnectors(Collection<String> collection, Principal principal) throws Exception {
        List<Action> list = (List) collection.stream().flatMap(str -> {
            return ConnectorOperations.ALL.stream().map(operation -> {
                return new Action(this.scope, ConnectActions.CONNECTOR_RESOURCE, str, operation);
            });
        }).collect(Collectors.toList());
        List<AuthorizeResult> authorize = this.restAuthorizer.authorize(kafkaPrincipalFor(principal), null, list);
        if (authorize.size() != list.size()) {
            throw new Exception("Invalid response size from authorization service");
        }
        return StreamUtils.zip(list, authorize).map(pair -> {
            return new AuthorizedAction((Action) pair.getLeft(), (AuthorizeResult) pair.getRight());
        });
    }

    public static KafkaPrincipal kafkaPrincipalFor(Principal principal) {
        Objects.requireNonNull(principal, "Principal may not be null");
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName());
    }
}
