package io.confluent.rbacapi.authorizer;

import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:io/confluent/rbacapi/authorizer/SecurityMetadataAuthorizer.class */
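/**
 * Authorization gate for the RBAC metadata API.
 *
 * <p>Every public {@code authorize*} method either returns normally (access granted) or throws
 * {@link AuthorizationException} when the backing {@link Authorizer} does not answer
 * {@link AuthorizeResult#ALLOWED}. The caller's identity is read from the JAX-RS
 * {@link SecurityContext}; a request carrying no user principal is checked as
 * {@link KafkaPrincipal#ANONYMOUS}, so whether anonymous access succeeds is decided entirely by
 * the configured authorizer, not by this class.
 *
 * <p>Two operation families are accepted: {@link #DESCRIBE}/{@link #ALTER} on the single
 * {@code SecurityMetadata} resource, and {@link #DESCRIBE_ACCESS}/{@link #ALTER_ACCESS} on
 * arbitrary resource patterns. Operations are compared with {@link Operation#equals(Object)}
 * throughout, so callers may pass either the constants defined here or an equal instance.
 */
public class SecurityMetadataAuthorizer {
    /** Operation accepted by the resource-access checks: read access information. */
    public static final Operation DESCRIBE_ACCESS = new Operation("DescribeAccess");
    /** Operation accepted by the resource-access checks: modify access information. */
    public static final Operation ALTER_ACCESS = new Operation("AlterAccess");
    /** Operation accepted on the security-metadata resource: read. */
    public static final Operation DESCRIBE = new Operation("Describe");
    /** Operation accepted on the security-metadata resource: modify. */
    public static final Operation ALTER = new Operation("Alter");
    private static final ResourceType SECURITY_METADATA_TYPE = new ResourceType("SecurityMetadata");
    /** The one literal resource that stands for "all security metadata" in a scope. */
    private static final ResourcePattern SECURITY_METADATA = new ResourcePattern(SECURITY_METADATA_TYPE, "security-metadata", PatternType.LITERAL);
    private static final Set<Operation> SECURITY_METADATA_OPS = Utils.mkSet(DESCRIBE, ALTER);
    private static final Set<Operation> RESOURCE_ACCESS_OPS = Utils.mkSet(DESCRIBE_ACCESS, ALTER_ACCESS);
    private final Authorizer authorizer;
    /** Scope used when a caller does not supply one explicitly. */
    private final Scope metadataClusterScope;

    /**
     * Creates an authorizer gate.
     *
     * @param authorizer backing authorizer that answers every check; must not be null
     * @param scope default scope for the overloads that take none; must not be null
     * @throws NullPointerException if either argument is null
     */
    public SecurityMetadataAuthorizer(Authorizer authorizer, Scope scope) {
        this.authorizer = Objects.requireNonNull(authorizer, "authorizer");
        this.metadataClusterScope = Objects.requireNonNull(scope, "scope");
    }

    /**
     * Requires {@code operation} on the security-metadata resource in {@code scope}.
     *
     * @param securityContext caller identity
     * @param scope scope to check in
     * @param operation {@link #DESCRIBE} or {@link #ALTER}
     * @throws IllegalArgumentException if {@code operation} is not one of the two accepted ops
     * @throws AuthorizationException if the authorizer does not allow the action
     */
    public void authorizeSecurityMetadataAccess(SecurityContext securityContext, Scope scope, Operation operation) {
        ensureValidOp(operation, SECURITY_METADATA_OPS, SECURITY_METADATA.name());
        authorize(userPrincipal(securityContext), new Action(scope, SECURITY_METADATA, operation));
    }

    /**
     * Same as {@link #authorizeSecurityMetadataAccess(SecurityContext, Scope, Operation)} in the
     * scope given at construction.
     */
    public void authorizeSecurityMetadataAccess(SecurityContext securityContext, Operation operation) {
        authorizeSecurityMetadataAccess(securityContext, this.metadataClusterScope, operation);
    }

    /**
     * Like {@link #authorizeSecurityMetadataAccess(SecurityContext, Operation)}, except that a
     * {@link #DESCRIBE} request is granted without consulting the authorizer when the caller is
     * {@code kafkaPrincipal} itself. Any other operation is checked normally.
     *
     * @param kafkaPrincipal the principal whose metadata is being accessed
     */
    public void authorizeSecurityMetadataAccessAllowDescribeSelf(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, Operation operation) {
        if (isDescribeOfSelf(securityContext, kafkaPrincipal, operation)) {
            return;
        }
        authorizeSecurityMetadataAccess(securityContext, operation);
    }

    /**
     * Scoped variant of
     * {@link #authorizeSecurityMetadataAccessAllowDescribeSelf(SecurityContext, KafkaPrincipal, Operation)}.
     */
    public void authorizeSecurityMetadataAccessAllowDescribeSelf(SecurityContext securityContext, Scope scope, KafkaPrincipal kafkaPrincipal, Operation operation) {
        if (isDescribeOfSelf(securityContext, kafkaPrincipal, operation)) {
            return;
        }
        authorizeSecurityMetadataAccess(securityContext, scope, operation);
    }

    /**
     * Requires {@code operation} on every pattern in {@code resourcePatterns}.
     *
     * <p>Patterns are checked one at a time in iteration order; the first denial throws. An empty
     * collection performs no check at all.
     *
     * @param operation {@link #DESCRIBE_ACCESS} or {@link #ALTER_ACCESS}
     * @throws IllegalArgumentException if {@code operation} is not one of the two accepted ops
     * @throws AuthorizationException on the first pattern the authorizer does not allow
     */
    public void authorizeResourceAccess(SecurityContext securityContext, Scope scope, Collection<ResourcePattern> resourcePatterns, Operation operation) {
        ensureValidOp(operation, RESOURCE_ACCESS_OPS, "resource access");
        KafkaPrincipal principal = userPrincipal(securityContext);
        for (ResourcePattern resourcePattern : resourcePatterns) {
            authorize(principal, new Action(scope, resourcePattern, operation));
        }
    }

    /**
     * Requires {@code operation} for a set of resource filters.
     *
     * <p>A filter with a name is checked as the literal/prefixed pattern it names. Filters without
     * a name cannot be checked per resource, so if any is present the caller must additionally hold
     * {@link #ALTER} (for {@link #ALTER_ACCESS}) or {@link #DESCRIBE} (for {@link #DESCRIBE_ACCESS})
     * on the security-metadata resource in {@code scope}. Named filters are checked first, in
     * iteration order; an empty collection performs no check at all.
     *
     * @param operation {@link #DESCRIBE_ACCESS} or {@link #ALTER_ACCESS}
     * @throws IllegalArgumentException if {@code operation} is not one of the two accepted ops
     * @throws AuthorizationException if any required check is denied
     */
    public void authorizeFilteredAccess(SecurityContext securityContext, Scope scope, Collection<ResourcePatternFilter> filters, Operation operation) {
        ensureValidOp(operation, RESOURCE_ACCESS_OPS, "resource access");
        KafkaPrincipal principal = userPrincipal(securityContext);
        boolean hasUnnamedFilter = false;
        for (ResourcePatternFilter filter : filters) {
            if (filter.name() == null) {
                hasUnnamedFilter = true;
            } else {
                ResourcePattern pattern = new ResourcePattern(filter.resourceType(), filter.name(), filter.patternType());
                authorize(principal, new Action(scope, pattern, operation));
            }
        }
        if (hasUnnamedFilter) {
            // Compare with equals(), not ==: ensureValidOp accepts any Operation equal to ALTER_ACCESS,
            // so an equal-but-distinct instance must map to ALTER as well; identity comparison would
            // silently downgrade the required permission to DESCRIBE.
            Operation metadataOp = ALTER_ACCESS.equals(operation) ? ALTER : DESCRIBE;
            authorizeSecurityMetadataAccess(securityContext, scope, metadataOp);
        }
    }

    /**
     * Checks that the caller may ask whether {@code kafkaPrincipal} is authorized for
     * {@code actions}.
     *
     * <p>A principal may always ask about itself: when the caller equals {@code kafkaPrincipal}
     * the method returns immediately, before any validation. Otherwise every action must name a
     * {@link PatternType#LITERAL} resource, and the caller needs {@link #DESCRIBE_ACCESS} on each
     * of those resources (the operation inside each action is not used). The check passes when
     * every result the authorizer returns is {@code ALLOWED}, which includes the case of an empty
     * result list.
     *
     * @throws IllegalArgumentException if any action uses a non-literal resource pattern
     * @throws AuthorizationException if the caller lacks DescribeAccess on any resource
     */
    public void authorizeAuthorizeRequest(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, List<Action> actions) {
        KafkaPrincipal requestor = userPrincipal(securityContext);
        if (requestor.equals(kafkaPrincipal)) {
            return;
        }
        // Validate all patterns before consulting the authorizer, so a bad request never reaches it.
        for (Action action : actions) {
            PatternType patternType = action.resourcePattern().patternType();
            if (patternType != PatternType.LITERAL) {
                throw new IllegalArgumentException("Only literal resources are supported. Got: " + patternType);
            }
        }
        List<Action> describeAccessActions = actions.stream()
            .map(action -> new Action(action.scope(), action.resourcePattern(), DESCRIBE_ACCESS))
            .collect(Collectors.toList());
        boolean allAllowed = this.authorizer.authorize(requestor, "", describeAccessActions)
            .stream()
            .allMatch(AuthorizeResult.ALLOWED::equals);
        if (!allAllowed) {
            throw new AuthorizationException("Authorization request for principal " + kafkaPrincipal
                + " is not permitted for requestor principal " + requestor);
        }
    }

    /** True when the caller is {@code kafkaPrincipal} and only asks to describe (self-describe is always allowed). */
    private boolean isDescribeOfSelf(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, Operation operation) {
        return DESCRIBE.equals(operation) && userPrincipal(securityContext).equals(kafkaPrincipal);
    }

    /**
     * Submits a single action to the authorizer and throws unless it is allowed.
     *
     * @throws AuthorizationException if the first result is anything other than {@code ALLOWED}
     */
    private void authorize(KafkaPrincipal kafkaPrincipal, Action action) {
        AuthorizeResult result = this.authorizer.authorize(kafkaPrincipal, "", Collections.singletonList(action)).get(0);
        if (!AuthorizeResult.ALLOWED.equals(result)) {
            throw new AuthorizationException(action + " not permitted for " + kafkaPrincipal);
        }
    }

    /**
     * Rejects operations outside the family a method accepts.
     *
     * @param target human-readable name of what is being accessed, for the error message
     * @throws IllegalArgumentException if {@code supportedOps} does not contain {@code operation}
     */
    private void ensureValidOp(Operation operation, Set<Operation> supportedOps, String target) {
        if (!supportedOps.contains(operation)) {
            throw new IllegalArgumentException(String.format("Unsupported operation %s for %s, supported ops are %s", operation, target, supportedOps));
        }
    }

    /**
     * Maps the JAX-RS principal to a Kafka {@code User:} principal.
     *
     * <p>A missing principal yields {@link KafkaPrincipal#ANONYMOUS} rather than an error; the
     * authorizer decides what an anonymous caller may do.
     */
    private KafkaPrincipal userPrincipal(SecurityContext securityContext) {
        Principal principal = securityContext.getUserPrincipal();
        if (principal == null) {
            return KafkaPrincipal.ANONYMOUS;
        }
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName());
    }
}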
