package io.confluent.kafka.schemaregistry.filter;

import io.confluent.kafka.schemaregistry.rest.exceptions.AuthorizationException;
import io.confluent.kafka.schemaregistry.util.ByteConsumerPool;
import io.confluent.kafka.schemaregistry.util.ByteProducerPool;
import io.confluent.rest.auth.MaprAuthenticationUtils;
import io.confluent.rest.impersonation.ImpersonationUtils;
import java.util.concurrent.ExecutionException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.common.KafkaException;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/filter/AuthorizationFilter.class */
public class AuthorizationFilter implements ContainerRequestFilter {
    private ByteConsumerPool consumerPool;
    private ByteProducerPool producerPool;
    private final String internalTopic;

    @Context
    protected ResourceInfo resourceInfo;

    public AuthorizationFilter(ByteConsumerPool byteConsumerPool, ByteProducerPool byteProducerPool, String str) {
        this.internalTopic = str;
        this.consumerPool = byteConsumerPool;
        this.producerPool = byteProducerPool;
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        try {
            ImpersonationUtils.executor().runAs(MaprAuthenticationUtils.getUserNameFromRequestContext(containerRequestContext), () -> {
                checkPermissions();
                return null;
            });
        } catch (Exception e) {
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).entity(e.getMessage()).build());
        }
    }

    public void initialize() {
        try {
            checkWritingPermissions();
        } catch (InterruptedException | ExecutionException e) {
            throw new KafkaException(e);
        }
    }

    private void checkPermissions() {
        try {
            switch (Permission.at(this.resourceInfo.getResourceClass(), this.resourceInfo.getResourceMethod())) {
                case READ:
                    checkReadingPermissions();
                    break;
                case MODIFY:
                    checkWritingPermissions();
                    break;
            }
        } catch (InterruptedException | ExecutionException e) {
            throw new AuthorizationException("Access denied. This operation is not permitted for current user\n");
        }
    }

    private void checkWritingPermissions() throws ExecutionException, InterruptedException {
        this.producerPool.send(new ProducerRecord<>(this.internalTopic, new byte[0])).get();
    }

    private void checkReadingPermissions() {
        if (this.consumerPool.poll(this.internalTopic).count() < 1) {
            throw new AuthorizationException("Access denied. This operation is not permitted for current user\n");
        }
    }
}
