package io.confluent.ksql.api.auth;

import com.google.common.collect.ImmutableSet;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.confluent.ksql.api.server.KsqlApiException;
import io.confluent.ksql.api.server.Server;
import io.confluent.ksql.api.server.ServerUtils;
import io.confluent.ksql.rest.Errors;
import io.confluent.ksql.rest.server.KsqlRestConfig;
import io.confluent.ksql.security.DefaultKsqlPrincipal;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.AuthProvider;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authorization.Authorization;
import io.vertx.ext.web.RoutingContext;
import java.security.Principal;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;

/* loaded from: input_file:io/confluent/ksql/api/auth/AuthenticationPluginHandler.class */
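/**
 * Vert.x route handler that delegates request authentication to a pluggable
 * {@link AuthenticationPlugin}.
 *
 * <p>A request bypasses the plugin in two cases: its normalized path matches the
 * skip-path pattern (built-in paths plus the configured ones), or
 * {@code SystemAuthenticationHandler} reports it as already authenticated as the
 * system user. Every other request reaches the next handler only after the plugin
 * has produced a non-null {@link Principal}.
 *
 * <p>Security note: any path matched by the skip pattern is served without plugin
 * authentication, so the value of
 * {@code KsqlRestConfig.AUTHENTICATION_SKIP_PATHS_CONFIG} directly defines the
 * unauthenticated surface of the server. Keep it as narrow as possible.
 */
public class AuthenticationPluginHandler implements Handler<RoutingContext> {
    // Paths that are always exempt from plugin authentication, regardless of configuration.
    private static final Set<String> KSQL_AUTHENTICATION_SKIP_PATHS = ImmutableSet.of("/v1/metadata", "/v1/metadata/id", "/healthcheck");
    private final Server server;
    private final AuthenticationPlugin securityHandlerPlugin;
    // Compiled once in the constructor; matched against the full normalized request path.
    private final Pattern unauthedPathsPattern;

    /**
     * User object attached to the routing context after the plugin has authenticated a request.
     *
     * <p>Only {@link #getPrincipal()} is supported. Every other user operation declared here
     * throws {@link UnsupportedOperationException}, so this type carries identity only and
     * cannot be used for Vert.x-side authorization checks.
     */
    public static class AuthPluginUser implements ApiUser {
        private final DefaultKsqlPrincipal principal;

        /**
         * Wraps the principal returned by the authentication plugin.
         *
         * @param principal the authenticated principal; must not be null
         * @throws NullPointerException if {@code principal} is null
         */
        AuthPluginUser(Principal principal) {
            Objects.requireNonNull(principal, "principal");
            this.principal = new DefaultKsqlPrincipal(principal);
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public JsonObject attributes() {
            throw new UnsupportedOperationException();
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public User isAuthorized(Authorization authorization, Handler<AsyncResult<Boolean>> handler) {
            throw new UnsupportedOperationException();
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public User isAuthorized(String str, Handler<AsyncResult<Boolean>> handler) {
            throw new UnsupportedOperationException();
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public User clearCache() {
            throw new UnsupportedOperationException();
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public JsonObject principal() {
            throw new UnsupportedOperationException();
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public void setAuthProvider(AuthProvider authProvider) {
            throw new UnsupportedOperationException();
        }

        /** Not supported; always throws {@link UnsupportedOperationException}. */
        public User merge(User user) {
            throw new UnsupportedOperationException();
        }

        /**
         * Returns the authenticated identity.
         *
         * @return the principal wrapped at construction time; never null
         */
        @Override
        public DefaultKsqlPrincipal getPrincipal() {
            return this.principal;
        }
    }

    /**
     * Creates the handler and compiles the skip-path pattern from the server configuration.
     *
     * @param server the API server, used for its configuration and worker executor
     * @param authenticationPlugin the plugin that performs the actual authentication
     * @throws NullPointerException if either argument is null
     */
    @SuppressFBWarnings({"EI_EXPOSE_REP2"})
    public AuthenticationPluginHandler(Server server, AuthenticationPlugin authenticationPlugin) {
        this.server = Objects.requireNonNull(server, "server");
        this.securityHandlerPlugin = Objects.requireNonNull(authenticationPlugin, "authenticationPlugin");
        this.unauthedPathsPattern = getAuthorizationSkipPaths(server.getConfig().getList(KsqlRestConfig.AUTHENTICATION_SKIP_PATHS_CONFIG));
    }

    /**
     * Authenticates the request, or lets it through when it is exempt.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>path matches the skip pattern: forwarded without authentication;</li>
     *   <li>already authenticated as the system user: forwarded unchanged;</li>
     *   <li>plugin yields a principal: the user is set on the context and the request is forwarded;</li>
     *   <li>plugin yields {@code null}: the request fails with 401 and is not forwarded;</li>
     *   <li>plugin completes exceptionally: the request fails with that throwable and is not forwarded.</li>
     * </ul>
     *
     * @param routingContext the Vert.x context of the request being processed
     */
    public void handle(RoutingContext routingContext) {
        // The normalized path is matched rather than the raw one, and matches() requires the
        // whole path to match, so a skip entry never exempts a path merely containing it.
        if (this.unauthedPathsPattern.matcher(routingContext.normalizedPath()).matches()) {
            routingContext.next();
            return;
        }
        // NOTE(review): the criteria applied by isAuthenticatedAsSystemUser are not visible here;
        // this branch trusts that decision entirely and skips the plugin.
        if (SystemAuthenticationHandler.isAuthenticatedAsSystemUser(routingContext)) {
            routingContext.next();
            return;
        }
        this.securityHandlerPlugin.handleAuth(routingContext, this.server.getWorkerExecutor()).thenAccept(principal -> {
            if (principal == null) {
                // Fail closed: no principal means the request never reaches the next handler.
                routingContext.fail(HttpResponseStatus.UNAUTHORIZED.code(), new KsqlApiException("Failed authentication", Errors.ERROR_CODE_UNAUTHORIZED));
            } else {
                routingContext.setUser(new AuthPluginUser(principal));
                routingContext.next();
            }
        }).exceptionally(th -> {
            // Also fail closed on plugin errors. No status code is chosen here; the response
            // is left to the router's failure handling.
            routingContext.fail(th);
            return null;
        });
    }

    /**
     * Builds the pattern of request paths that are exempt from plugin authentication.
     *
     * <p>The built-in exempt paths are merged with {@code list}, joined with commas and handed to
     * {@code ServerUtils.convertCommaSeparatedWilcardsToRegex}. Despite the method name, the
     * result governs authentication, not authorization: {@link #handle(RoutingContext)} forwards
     * every request whose normalized path matches it without invoking the plugin.
     *
     * <p>Security note: entries are treated as wildcard expressions (per the helper's name), so a
     * broad entry exempts every path it covers. Review configured values accordingly.
     *
     * @param list additional exempt paths from configuration; must not be null
     * @return the compiled pattern covering built-in and configured exempt paths
     * @throws NullPointerException if {@code list} is null
     */
    public static Pattern getAuthorizationSkipPaths(List<String> list) {
        Objects.requireNonNull(list, "list");
        // Typed set instead of a raw HashSet; also de-duplicates entries that repeat a built-in path.
        Set<String> skipPaths = new HashSet<>(KSQL_AUTHENTICATION_SKIP_PATHS);
        skipPaths.addAll(list);
        return Pattern.compile(ServerUtils.convertCommaSeparatedWilcardsToRegex(String.join(",", skipPaths)));
    }
}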
