package io.confluent.security.auth.provider.rbac;

import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.metadata.MetadataServer;
import io.confluent.security.auth.metadata.MetadataServiceConfig;
import io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler;
import io.confluent.security.auth.provider.ldap.LdapConfig;
import io.confluent.security.auth.store.kafka.KafkaAuthStore;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.EmbeddedAuthorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.MetadataProvider;
import io.confluent.security.store.kafka.KafkaStoreConfig;
import java.io.IOException;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.kafka.common.ClusterResource;
import org.apache.kafka.common.ClusterResourceListener;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.plain.internals.PlainSaslServer;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/provider/rbac/RbacProvider.class */
public class RbacProvider implements AccessRuleProvider, GroupProvider, MetadataProvider, ClusterResourceListener {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) RbacProvider.class);
    static final ResourceType SECURITY_METADATA = new ResourceType("SecurityMetadata");
    private static final Set<ResourceType> METADATA_RESOURCE_TYPES = Utils.mkSet(SECURITY_METADATA);
    private static final Set<Operation> METADATA_OPS = Utils.mkSet(new Operation("DescribeAccess"), new Operation("AlterAccess"));
    private Map<String, ?> configs;
    private LdapAuthenticateCallbackHandler authenticateCallbackHandler;
    private Scope authScope = Scope.ROOT_SCOPE;
    private Scope authStoreScope;
    private AuthStore authStore;
    private AuthCache authCache;
    private String clusterId;
    private MetadataServer metadataServer;
    private Collection<URL> metadataServerUrls;
    private Set<KafkaPrincipal> configuredSuperUsers;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/security/auth/provider/rbac/RbacProvider$DummyMetadataServer.class */
    public static class DummyMetadataServer implements MetadataServer {
        private DummyMetadataServer() {
        }

        @Override // io.confluent.security.auth.metadata.MetadataServer
        public void start(Authorizer authorizer, AuthStore authStore, AuthenticateCallbackHandler authenticateCallbackHandler) {
        }

        @Override // org.apache.kafka.common.Configurable
        public void configure(Map<String, ?> map) {
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/security/auth/provider/rbac/RbacProvider$RbacAuthorizer.class */
    public class RbacAuthorizer extends EmbeddedAuthorizer {
        RbacAuthorizer() {
            configureProviders(Collections.singletonList(RbacProvider.this), RbacProvider.this, null);
        }

        @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
        protected boolean isSuperUser(KafkaPrincipal kafkaPrincipal, Action action) {
            return RbacProvider.this.configuredSuperUsers.contains(kafkaPrincipal) && (RbacProvider.METADATA_RESOURCE_TYPES.contains(action.resourceType()) || RbacProvider.METADATA_OPS.contains(action.operation()));
        }
    }

    @Override // org.apache.kafka.common.ClusterResourceListener
    public void onUpdate(ClusterResource clusterResource) {
        this.clusterId = clusterResource.clusterId();
        this.authScope = Scope.kafkaClusterScope(this.clusterId);
        this.authScope.validate(false);
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.configs = map;
        if (this.clusterId == null) {
            throw new IllegalStateException("Kafka cluster id not known");
        }
        this.authStoreScope = (Scope) Objects.requireNonNull(this.authScope, "authScope");
        if (map.containsKey(MetadataServiceConfig.METADATA_SERVER_LISTENERS_PROP)) {
            MetadataServiceConfig metadataServiceConfig = new MetadataServiceConfig(map);
            this.metadataServer = createMetadataServer(metadataServiceConfig);
            this.metadataServerUrls = metadataServiceConfig.metadataServerUrls;
            Scope scope = metadataServiceConfig.scope;
            if (!scope.containsScope(this.authScope) && !Scope.ROOT_SCOPE.equals(this.authScope)) {
                throw new ConfigException(String.format("Metadata service scope %s does not contain broker scope %s", scope, this.authScope));
            }
            this.authStoreScope = scope;
        }
        this.configuredSuperUsers = ConfluentAuthorizerConfig.parseSuperUsers((String) map.get(ConfluentAuthorizerConfig.SUPER_USERS_PROP));
    }

    @Override // io.confluent.security.authorizer.provider.Provider
    public String providerName() {
        return ConfluentBuiltInProviders.AccessRuleProviders.RBAC.name();
    }

    @Override // io.confluent.security.authorizer.provider.GroupProvider
    public boolean providerConfigured(Map<String, ?> map) {
        return map.containsKey(MetadataServiceConfig.METADATA_SERVER_LISTENERS_PROP) || map.containsKey(KafkaStoreConfig.BOOTSTRAP_SERVERS_PROP);
    }

    @Override // io.confluent.security.authorizer.provider.Provider
    public CompletionStage<Void> start(Map<String, ?> map) {
        if (!providerConfigured(map)) {
            throw new ConfigException("Metadata bootstrap servers not specified for broker which does not host metadata service");
        }
        HashMap hashMap = new HashMap(this.configs);
        hashMap.putAll(map);
        this.authStore = createAuthStore(this.authStoreScope, hashMap);
        this.authCache = this.authStore.authCache();
        if (LdapConfig.ldapEnabled(this.configs)) {
            this.authenticateCallbackHandler = new LdapAuthenticateCallbackHandler();
            this.authenticateCallbackHandler.configure(this.configs, PlainSaslServer.PLAIN_MECHANISM, Collections.emptyList());
        }
        if (this.metadataServer != null) {
            this.authStore.startService(this.metadataServerUrls);
        }
        return this.authStore.startReader().thenApply(r6 -> {
            if (this.metadataServer == null) {
                return null;
            }
            this.metadataServer.start(createRbacAuthorizer(), this.authStore, this.authenticateCallbackHandler);
            return null;
        });
    }

    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean mayDeny() {
        return false;
    }

    @Override // io.confluent.security.authorizer.provider.Provider
    public boolean usesMetadataFromThisKafkaCluster() {
        return this.metadataServer != null;
    }

    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, Scope scope) {
        return false;
    }

    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public Set<AccessRule> accessRules(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, Scope scope, ResourcePattern resourcePattern) {
        return this.authCache.rbacRules(scope, resourcePattern, userPrincipal(kafkaPrincipal), set);
    }

    @Override // io.confluent.security.authorizer.provider.GroupProvider
    public Set<KafkaPrincipal> groups(KafkaPrincipal kafkaPrincipal) {
        return this.authCache.groups(userPrincipal(kafkaPrincipal));
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        log.debug("Closing RBAC provider");
        AtomicReference atomicReference = new AtomicReference();
        Utils.closeQuietly(this.metadataServer, "metadataServer", atomicReference);
        Utils.closeQuietly(this.authStore, "authStore", atomicReference);
        if (this.authenticateCallbackHandler != null) {
            Utils.closeQuietly(this.authenticateCallbackHandler, "authenticateCallbackHandler", atomicReference);
        }
        Throwable th = (Throwable) atomicReference.getAndSet(null);
        if (th != null) {
            throw new KafkaException("RbacProvider could not be closed cleanly", th);
        }
    }

    private KafkaPrincipal userPrincipal(KafkaPrincipal kafkaPrincipal) {
        return kafkaPrincipal.getClass() != KafkaPrincipal.class ? new KafkaPrincipal(kafkaPrincipal.getPrincipalType(), kafkaPrincipal.getName()) : kafkaPrincipal;
    }

    public AuthStore authStore() {
        return this.authStore;
    }

    public MetadataServer metadataServer() {
        return this.metadataServer;
    }

    EmbeddedAuthorizer createRbacAuthorizer() {
        return new RbacAuthorizer();
    }

    protected AuthStore createAuthStore(Scope scope, Map<String, ?> map) {
        KafkaAuthStore kafkaAuthStore = new KafkaAuthStore(scope);
        kafkaAuthStore.configure(map);
        return kafkaAuthStore;
    }

    private MetadataServer createMetadataServer(MetadataServiceConfig metadataServiceConfig) {
        MetadataServer metadataServer = null;
        Iterator it = ServiceLoader.load(MetadataServer.class).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            MetadataServer metadataServer2 = (MetadataServer) it.next();
            if (metadataServer2.providerName().equals(providerName())) {
                metadataServer = metadataServer2;
                break;
            }
        }
        if (metadataServer == null) {
            metadataServer = new DummyMetadataServer();
        }
        if (metadataServer instanceof ClusterResourceListener) {
            ((ClusterResourceListener) metadataServer).onUpdate(new ClusterResource(this.clusterId));
        }
        metadataServer.configure(metadataServiceConfig.metadataServerConfigs());
        return metadataServer;
    }
}
