package io.confluent.kafkarest.auth;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.kafka.server.plugins.auth.MultiTenantSaslConfigEntry;
import io.confluent.kafka.server.plugins.auth.MultiTenantSaslSecrets;
import io.confluent.kafka.server.plugins.auth.MultiTenantSaslSecretsStore;
import io.confluent.kafkarest.KafkaRestConfig;
import io.confluent.kafkarest.auth.AuthorizationHeader;
import io.confluent.rest.entities.ErrorMessage;
import java.io.IOException;
import java.util.Optional;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(1000)
/* loaded from: input_file:io/confluent/kafkarest/auth/CloudExtensionsAuthFilter.class */
public final class CloudExtensionsAuthFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(CloudExtensionsAuthFilter.class);
    private static final String API_KEY_CLUSTER_MISMATCH_TMPL = "API key '%s' is not allowed to access provided cluster ID '%s'";
    public static final String REQUIRE_SECRETS_STORE_VALIDATION_CONFIG = "secrets.store.validation.required";
    private final boolean requireSecretsStoreValidation;
    private final MultiTenantSaslSecretsStore secretsStore;

    @Inject
    public CloudExtensionsAuthFilter(Provider<KafkaRestConfig> provider, Provider<MultiTenantSaslSecretsStore> provider2) {
        this.requireSecretsStoreValidation = requireSecretsStoreValidation((KafkaRestConfig) provider.get());
        this.secretsStore = (MultiTenantSaslSecretsStore) provider2.get();
        if (this.secretsStore == null && this.requireSecretsStoreValidation) {
            log.error("Credentials store not available; validation for API key credentials cannot be performed!");
        }
    }

    @VisibleForTesting
    static boolean requireSecretsStoreValidation(KafkaRestConfig kafkaRestConfig) {
        boolean z = true;
        if (kafkaRestConfig != null) {
            Object obj = kafkaRestConfig.getOriginalProperties().get(REQUIRE_SECRETS_STORE_VALIDATION_CONFIG);
            if (obj instanceof Boolean) {
                z = ((Boolean) obj).booleanValue();
            } else if (obj instanceof String) {
                z = Boolean.parseBoolean((String) obj);
            }
        }
        return z;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        CloudPrincipal extractCredentials = extractCredentials(containerRequestContext);
        if (extractCredentials == null) {
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        Response validateCredentials = validateCredentials(extractCredentials);
        if (validateCredentials != null) {
            containerRequestContext.abortWith(validateCredentials);
        } else {
            setSecurityContext(extractCredentials, containerRequestContext);
        }
    }

    private static CloudPrincipal extractCredentials(ContainerRequestContext containerRequestContext) {
        try {
            return CloudPrincipal.create((String) containerRequestContext.getUriInfo().getPathParameters(true).getFirst("clusterId"), AuthorizationHeader.parse((String) containerRequestContext.getHeaders().getFirst("Authorization")), ((String) containerRequestContext.getHeaders().getFirst("Confluent-Identity-Pool-Id")) == null ? Optional.empty() : Optional.of(IdentityPoolIdHeader.parse(containerRequestContext.getRequest().getHeaderString("Confluent-Identity-Pool-Id"))));
        } catch (Exception e) {
            log.debug("Failed to extract credentials from request.");
            return null;
        }
    }

    private Response validateCredentials(CloudPrincipal cloudPrincipal) {
        if (!AuthorizationHeader.Scheme.BASIC.equals(cloudPrincipal.getScheme())) {
            log.debug("Validation for non-API key credentials will be handled as part of authentication.");
            return null;
        }
        if (this.secretsStore == null) {
            log.error("Credentials store not available; validation for API key credentials cannot be performed!");
            if (this.requireSecretsStoreValidation) {
                return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
            }
            return null;
        }
        MultiTenantSaslSecrets load = this.secretsStore.load();
        if (load == null) {
            log.error("Credential store still unavailable after server initialization!");
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
        }
        String name = cloudPrincipal.getName();
        MultiTenantSaslConfigEntry multiTenantSaslConfigEntry = (MultiTenantSaslConfigEntry) load.entries().get(name);
        if (multiTenantSaslConfigEntry == null) {
            log.debug("API key '{}' cannot be not found in the credential store", name);
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        String clusterId = cloudPrincipal.getClusterId();
        String logicalClusterId = multiTenantSaslConfigEntry.logicalClusterId();
        if (clusterId != null && clusterId.equals(logicalClusterId)) {
            return null;
        }
        String format = String.format(API_KEY_CLUSTER_MISMATCH_TMPL, name, clusterId);
        log.info(format);
        return Response.status(Response.Status.FORBIDDEN).entity(new ErrorMessage(Response.Status.FORBIDDEN.getStatusCode(), format)).build();
    }

    private static void setSecurityContext(CloudPrincipal cloudPrincipal, ContainerRequestContext containerRequestContext) {
        containerRequestContext.setSecurityContext(new CloudSecurityContext(cloudPrincipal, containerRequestContext.getUriInfo().getRequestUri().toString().startsWith("https")));
    }
}
