package io.confluent.kafkarest.security.filter;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.kafkarest.KafkaRestContext;
import io.confluent.kafkarest.extension.KafkaRestContextProvider;
import io.confluent.kafkarest.resources.v2.ConsumersResource;
import io.confluent.kafkarest.security.config.ConfluentSecureKafkaRestConfig;
import io.confluent.kafkarest.security.context.KafkaRestContextProviderFactory;
import io.confluent.rest.RestConfigException;
import java.io.IOException;
import java.security.Principal;
import java.util.Optional;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(5000)
/* loaded from: input_file:io/confluent/kafkarest/security/filter/KafkaRestContextFilter.class */
public final class KafkaRestContextFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(KafkaRestContextFilter.class);
    private final ConfluentSecureKafkaRestConfig secureKafkaRestConfig;

    @Context
    ResourceInfo resourceInfo;

    public KafkaRestContextFilter(ConfluentSecureKafkaRestConfig confluentSecureKafkaRestConfig) {
        this.secureKafkaRestConfig = confluentSecureKafkaRestConfig;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (containerRequestContext.getSecurityContext() != null) {
            KafkaRestContextProvider.setCurrentContext(getKafkaRestContext(getResourceType(containerRequestContext), containerRequestContext.getSecurityContext().getUserPrincipal()));
        } else {
            log.error("Couldn't find a valid security context. Can't proceed with the request in an unauthenticated context ");
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("User cannot access the resource.").build());
        }
    }

    private KafkaRestContext getKafkaRestContext(String str, Principal principal) throws IOException {
        KafkaRestContext context;
        if (principal instanceof JwtPrincipal) {
            try {
                context = KafkaRestContextProviderFactory.getInstance().getContext(principal, new ConfluentSecureKafkaRestConfig(this.secureKafkaRestConfig.getOriginalProperties(), Optional.of(((JwtPrincipal) principal).getJwt())), str, true);
            } catch (RestConfigException e) {
                throw new IOException((Throwable) e);
            }
        } else {
            context = KafkaRestContextProviderFactory.getInstance().getContext(principal, this.secureKafkaRestConfig, str, false);
        }
        return context;
    }

    private String getResourceType(ContainerRequestContext containerRequestContext) {
        return (ConsumersResource.class.equals(this.resourceInfo.getResourceClass()) || io.confluent.kafkarest.resources.v1.ConsumersResource.class.equals(this.resourceInfo.getResourceClass())) ? "consumer".intern() : containerRequestContext.getMethod().equals("POST") ? "producer".intern() : "admin".intern();
    }
}
