package io.confluent.rbacapi.resources;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.validation.V1ValidScope;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RoleBindingFilter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

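/**
 * JAX-RS resource serving RBAC lookup queries under {@code /security/1.0/lookup}.
 *
 * <p>Every handler calls the {@link SecurityMetadataAuthorizer} with DESCRIBE on the requested
 * scope before it reads role bindings from the {@link AuthCache}. The cache is queried without
 * the caller's security context, so that authorizer call is the only access check visible in
 * this class; keep it ahead of any cache read when changing a handler.
 */
@Produces({"application/json"})
@Path("/security/1.0/lookup")
/* loaded from: input_file:io/confluent/rbacapi/resources/LookupResource.class */
public class LookupResource {
    private static final Logger log = LoggerFactory.getLogger(LookupResource.class);

    private final AuthCache authCache;
    private final SecurityMetadataAuthorizer metadataAuthorizer;

    /**
     * Creates the resource.
     *
     * @param authCache source of role bindings and group membership
     * @param securityMetadataAuthorizer authorizer consulted before every lookup
     */
    public LookupResource(AuthCache authCache, SecurityMetadataAuthorizer securityMetadataAuthorizer) {
        this.authCache = authCache;
        this.metadataAuthorizer = securityMetadataAuthorizer;
    }

    /**
     * Lists the principals bound to a role within a scope.
     *
     * @param securityContext caller identity, handed to the authorizer
     * @param roleName role name taken from the request path
     * @param scope scope supplied as the request entity, constrained by {@code @V1ValidScope}
     * @return distinct principal strings in natural sort order
     */
    @Path("role/{roleName}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public List<String> lookupPrincipalsWithRole(@Context SecurityContext securityContext, @PathParam("roleName") String roleName, @V1ValidScope Scope scope) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
        // NOTE(review): the two null arguments look like "any principal" and "any resource" - confirm in RoleBindingFilter.
        return principals(new RoleBindingFilter(null, roleName, scope, null));
    }

    /**
     * Lists the principals bound to a role on a specific resource within a scope.
     *
     * @param securityContext caller identity, handed to the authorizer
     * @param roleName role name taken from the request path
     * @param resourceType resource type name taken from the request path
     * @param resourceName resource name taken from the request path
     * @param scope scope supplied as the request entity, constrained by {@code @V1ValidScope}
     * @return distinct principal strings in natural sort order
     */
    @Path("role/{roleName}/resource/{resourceType}/name/{resourceName}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public List<String> lookupPrincipalsWithRoleOnResource(@Context SecurityContext securityContext, @PathParam("roleName") String roleName, @PathParam("resourceType") String resourceType, @PathParam("resourceName") String resourceName, @V1ValidScope Scope scope) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
        // PatternType.MATCH requests pattern matching rather than an exact-name comparison; presumably
        // bindings granted through prefixed or wildcard patterns are therefore included - confirm in
        // ResourcePatternFilter.
        ResourcePatternFilter resourceFilter = new ResourcePatternFilter(new ResourceType(resourceType), resourceName, PatternType.MATCH);
        return principals(new RoleBindingFilter(null, roleName, scope, resourceFilter));
    }

    /**
     * Returns the principals of all role bindings selected by the filter.
     *
     * <p>Performs no authorization itself; callers must have authorized the request already.
     *
     * @param roleBindingFilter filter passed to the auth cache
     * @return distinct principal strings in natural sort order
     */
    private List<String> principals(RoleBindingFilter roleBindingFilter) {
        return this.authCache.rbacRoleBindings(roleBindingFilter).stream()
            .map(binding -> binding.principal().toString())
            .distinct()
            .sorted()
            .collect(Collectors.toList());
    }

    /**
     * Reports, per principal, the roles and resources bound in a scope.
     *
     * <p>For a {@code User} principal the result covers the user and every group the auth cache
     * reports for that user, so access inherited through groups is visible; each entry is keyed by
     * the binding's own principal string. For a {@code Group} principal only that group is
     * reported. The path value is parsed before the authorizer runs, so a malformed or unsupported
     * principal is rejected without an authorization decision being made.
     *
     * @param securityContext caller identity, handed to the authorizer
     * @param principalName principal string taken from the request path (the path regex accepts any characters)
     * @param scope scope supplied as the request entity, constrained by {@code @V1ValidScope}
     * @return map of principal string to (role name to bound resource patterns)
     * @throws RuntimeException if the principal type is neither {@code User} nor {@code Group}
     */
    @Path("principal/{principal:.*}/resources")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public Map<String, Map<String, List<ResourcePattern>>> lookupResourcesForPrincipal(@Context SecurityContext securityContext, @PathParam("principal") String principalName, @V1ValidScope Scope scope) {
        KafkaPrincipal principal = SecurityUtils.parseKafkaPrincipal(principalName);
        String principalType = principal.getPrincipalType();

        final Set<KafkaPrincipal> matchingPrincipals;
        if (KafkaPrincipal.USER_TYPE.equals(principalType)) {
            // NOTE(review): by its name this variant presumably lets a user describe their own
            // bindings without holding DESCRIBE on the scope - confirm in SecurityMetadataAuthorizer.
            this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, scope, principal, SecurityMetadataAuthorizer.DESCRIBE);
            matchingPrincipals = new HashSet<>(this.authCache.groups(principal));
            matchingPrincipals.add(principal);
        } else if (AccessRule.GROUP_PRINCIPAL_TYPE.equals(principalType)) {
            this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
            matchingPrincipals = Collections.singleton(principal);
        } else {
            // NOTE(review): a bare RuntimeException for bad client input; whether it reaches the
            // client as a 4xx or a 5xx depends on exception mappers not shown in this file.
            throw new RuntimeException("Invalid principal type. Should be 'User' or 'Group'");
        }

        return this.authCache.rbacRoleBindings(scope).stream()
            .filter(binding -> matchingPrincipals.contains(binding.principal()))
            .collect(Collectors.toMap(
                binding -> binding.principal().toString(),
                binding -> {
                    Map<String, List<ResourcePattern>> byRole = new HashMap<>();
                    byRole.put(binding.role(), new ArrayList<>(binding.resources()));
                    return byRole;
                },
                LookupResource::mergeRoleResources));
    }

    /**
     * Folds one principal's role-to-resources map into another.
     *
     * <p>When both maps carry the same role, the resource lists are combined instead of the later
     * list replacing the earlier one, so the lookup cannot under-report what a principal is bound
     * to if the cache ever yields two bindings for the same principal and role.
     *
     * @param merged accumulator map; modified in place and returned
     * @param incoming map whose entries are folded into {@code merged}
     * @return {@code merged}
     */
    private static Map<String, List<ResourcePattern>> mergeRoleResources(Map<String, List<ResourcePattern>> merged, Map<String, List<ResourcePattern>> incoming) {
        incoming.forEach((role, resources) -> {
            List<ResourcePattern> existing = merged.get(role);
            if (existing == null) {
                merged.put(role, resources);
                return;
            }
            for (ResourcePattern resource : resources) {
                if (!existing.contains(resource)) {
                    existing.add(resource);
                }
            }
        });
        return merged;
    }
}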
