package io.confluent.security.auth.store.cache;

import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.store.data.AuthEntryType;
import io.confluent.security.auth.store.data.AuthKey;
import io.confluent.security.auth.store.data.AuthValue;
import io.confluent.security.auth.store.data.RoleBindingKey;
import io.confluent.security.auth.store.data.RoleBindingValue;
import io.confluent.security.auth.store.data.StatusKey;
import io.confluent.security.auth.store.data.StatusValue;
import io.confluent.security.auth.store.data.UserKey;
import io.confluent.security.auth.store.data.UserValue;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.rbac.AccessPolicy;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.Role;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.RoleBindingFilter;
import io.confluent.security.rbac.UserMetadata;
import io.confluent.security.store.KeyValueStore;
import io.confluent.security.store.MetadataStoreException;
import io.confluent.security.store.MetadataStoreStatus;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.NavigableMap;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.kafka.common.record.InvalidRecordException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/store/cache/DefaultAuthCache.class */
public class DefaultAuthCache implements AuthCache, KeyValueStore<AuthKey, AuthValue> {
    private static final String WILDCARD_HOST = "*";
    private final RbacRoles rbacRoles;
    private final Scope rootScope;
    private final Map<KafkaPrincipal, UserMetadata> users = new ConcurrentHashMap();
    private final Map<RoleBindingKey, RoleBindingValue> roleBindings = new ConcurrentHashMap();
    private final Map<Scope, NavigableMap<ResourcePattern, Set<AccessRule>>> rbacAccessRules = new ConcurrentHashMap();
    private final Map<Integer, StatusValue> partitionStatus = new ConcurrentHashMap();
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultAuthCache.class);
    private static final NavigableMap<ResourcePattern, Set<AccessRule>> NO_RULES = Collections.emptyNavigableMap();

    public DefaultAuthCache(RbacRoles rbacRoles, Scope scope) {
        this.rbacRoles = rbacRoles;
        this.rootScope = scope;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<KafkaPrincipal> groups(KafkaPrincipal kafkaPrincipal) {
        ensureNotFailed();
        UserMetadata userMetadata = this.users.get(kafkaPrincipal);
        return userMetadata == null ? Collections.emptySet() : userMetadata.groups();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<AccessRule> rbacRules(Scope scope, ResourcePattern resourcePattern, KafkaPrincipal kafkaPrincipal, Collection<KafkaPrincipal> collection) {
        ensureNotFailed();
        if (!this.rootScope.containsScope(scope)) {
            throw new InvalidScopeException("This authorization cache does not contain scope " + scope);
        }
        Set<KafkaPrincipal> matchingPrincipals = matchingPrincipals(kafkaPrincipal, collection);
        HashSet hashSet = new HashSet();
        Scope scope2 = scope;
        while (true) {
            Scope scope3 = scope2;
            if (scope3 == null) {
                return hashSet;
            }
            NavigableMap<ResourcePattern, Set<AccessRule>> rbacRules = rbacRules(scope3);
            if (rbacRules != null) {
                String name = resourcePattern.name();
                ResourceType resourceType = resourcePattern.resourceType();
                addMatchingRules((Collection) rbacRules.get(resourcePattern), hashSet, matchingPrincipals);
                addMatchingRules((Collection) rbacRules.get(ResourcePattern.all(resourceType)), hashSet, matchingPrincipals);
                addMatchingRules((Collection) rbacRules.get(ResourcePattern.ALL), hashSet, matchingPrincipals);
                addMatchingRules((Collection) rbacRules.get(new ResourcePattern(ResourceType.ALL, name, PatternType.LITERAL)), hashSet, matchingPrincipals);
                if (!name.isEmpty()) {
                    rbacRules.subMap(new ResourcePattern(resourceType.name(), name, PatternType.PREFIXED), true, new ResourcePattern(resourceType.name(), name.substring(0, 1), PatternType.PREFIXED), true).entrySet().stream().filter(entry -> {
                        return name.startsWith(((ResourcePattern) entry.getKey()).name());
                    }).forEach(entry2 -> {
                        addMatchingRules((Collection) entry2.getValue(), hashSet, matchingPrincipals);
                    });
                }
            }
            scope2 = scope3.parent();
        }
    }

    private void addMatchingRules(Collection<AccessRule> collection, Collection<AccessRule> collection2, Set<KafkaPrincipal> set) {
        if (collection != null) {
            Stream<AccessRule> filter = collection.stream().filter(accessRule -> {
                return set.contains(accessRule.principal());
            });
            collection2.getClass();
            filter.forEach((v1) -> {
                r1.add(v1);
            });
        }
    }

    private Set<KafkaPrincipal> matchingPrincipals(KafkaPrincipal kafkaPrincipal, Collection<KafkaPrincipal> collection) {
        HashSet hashSet = new HashSet(collection.size() + 1);
        hashSet.addAll(collection);
        hashSet.add(kafkaPrincipal);
        return hashSet;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(Scope scope) {
        ensureNotFailed();
        HashSet hashSet = new HashSet();
        this.roleBindings.entrySet().stream().filter(entry -> {
            return scope.equals(((RoleBindingKey) entry.getKey()).scope());
        }).forEach(entry2 -> {
            hashSet.add(roleBinding((RoleBindingKey) entry2.getKey(), (RoleBindingValue) entry2.getValue()));
        });
        return hashSet;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(RoleBindingFilter roleBindingFilter) {
        ensureNotFailed();
        HashSet hashSet = new HashSet();
        this.roleBindings.entrySet().stream().map(entry -> {
            return roleBinding((RoleBindingKey) entry.getKey(), (RoleBindingValue) entry.getValue());
        }).forEach(roleBinding -> {
            RoleBinding matchingBinding = roleBindingFilter.matchingBinding(roleBinding, this.rbacRoles.role(roleBinding.role()).hasResourceScope());
            if (matchingBinding != null) {
                hashSet.add(matchingBinding);
            }
        });
        return hashSet;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public UserMetadata userMetadata(KafkaPrincipal kafkaPrincipal) {
        return this.users.get(kafkaPrincipal);
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Map<KafkaPrincipal, UserMetadata> users() {
        return Collections.unmodifiableMap(this.users);
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Scope rootScope() {
        return this.rootScope;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public RbacRoles rbacRoles() {
        return this.rbacRoles;
    }

    @Override // io.confluent.security.store.KeyValueStore
    public AuthValue get(AuthKey authKey) {
        switch (authKey.entryType()) {
            case ROLE_BINDING:
                return this.roleBindings.get((RoleBindingKey) authKey);
            case USER:
                UserMetadata userMetadata = this.users.get(((UserKey) authKey).principal());
                if (userMetadata == null) {
                    return null;
                }
                return new UserValue(userMetadata.groups());
            case STATUS:
                return this.partitionStatus.get(Integer.valueOf(((StatusKey) authKey).partition()));
            default:
                throw new IllegalArgumentException("Unknown key type " + authKey.entryType());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public AuthValue put(AuthKey authKey, AuthValue authValue) {
        if (authValue == null) {
            throw new IllegalArgumentException("Value must not be null");
        }
        if (authKey.entryType() != authValue.entryType()) {
            throw new InvalidRecordException("Invalid record with key=" + authKey + ", value=" + authValue);
        }
        switch (authKey.entryType()) {
            case ROLE_BINDING:
                return updateRoleBinding((RoleBindingKey) authKey, (RoleBindingValue) authValue);
            case USER:
                return updateUser((UserKey) authKey, (UserValue) authValue);
            case STATUS:
                StatusValue statusValue = (StatusValue) authValue;
                if (statusValue.status() == MetadataStoreStatus.FAILED) {
                    log.error("Received failed status with key {} value {}", authKey, authValue);
                } else {
                    log.debug("Processing status with key {} value {}", authKey, authValue);
                }
                return this.partitionStatus.put(Integer.valueOf(((StatusKey) authKey).partition()), statusValue);
            default:
                throw new IllegalArgumentException("Unknown key type " + authKey.entryType());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public AuthValue remove(AuthKey authKey) {
        switch (authKey.entryType()) {
            case ROLE_BINDING:
                return removeRoleBinding((RoleBindingKey) authKey);
            case USER:
                UserMetadata remove = this.users.remove(((UserKey) authKey).principal());
                if (remove == null) {
                    return null;
                }
                return new UserValue(remove.groups());
            case STATUS:
                return this.partitionStatus.remove(Integer.valueOf(((StatusKey) authKey).partition()));
            default:
                throw new IllegalArgumentException("Unknown key type " + authKey.entryType());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public Map<? extends AuthKey, ? extends AuthValue> map(String str) {
        AuthEntryType valueOf = AuthEntryType.valueOf(str);
        switch (valueOf) {
            case ROLE_BINDING:
                return Collections.unmodifiableMap(this.roleBindings);
            case USER:
                return (Map) this.users.entrySet().stream().collect(Collectors.toMap(entry -> {
                    return new UserKey((KafkaPrincipal) entry.getKey());
                }, entry2 -> {
                    return new UserValue(((UserMetadata) entry2.getValue()).groups());
                }));
            case STATUS:
                return (Map) this.partitionStatus.entrySet().stream().collect(Collectors.toMap(entry3 -> {
                    return new StatusKey(((Integer) entry3.getKey()).intValue());
                }, (v0) -> {
                    return v0.getValue();
                }));
            default:
                throw new IllegalArgumentException("Unknown key type " + valueOf);
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public void fail(int i, String str) {
        this.partitionStatus.put(Integer.valueOf(i), new StatusValue(MetadataStoreStatus.FAILED, -1, str));
    }

    @Override // io.confluent.security.store.KeyValueStore
    public MetadataStoreStatus status(int i) {
        StatusValue statusValue = this.partitionStatus.get(Integer.valueOf(i));
        return statusValue != null ? statusValue.status() : MetadataStoreStatus.UNKNOWN;
    }

    private RoleBindingValue updateRoleBinding(RoleBindingKey roleBindingKey, RoleBindingValue roleBindingValue) {
        Scope scope = roleBindingKey.scope();
        if (!this.rootScope.containsScope(scope) || accessPolicy(roleBindingKey) == null) {
            return null;
        }
        KafkaPrincipal principal = roleBindingKey.principal();
        RoleBindingValue put = this.roleBindings.put(roleBindingKey, roleBindingValue);
        NavigableMap<ResourcePattern, Set<AccessRule>> computeIfAbsent = this.rbacAccessRules.computeIfAbsent(scope, scope2 -> {
            return new ConcurrentSkipListMap();
        });
        accessRules(roleBindingKey, roleBindingValue).forEach((resourcePattern, set) -> {
            ((Set) computeIfAbsent.computeIfAbsent(resourcePattern, resourcePattern -> {
                return ConcurrentHashMap.newKeySet();
            })).addAll(set);
        });
        removeDeletedAccessPolicies(principal, scope);
        return put;
    }

    private RoleBindingValue removeRoleBinding(RoleBindingKey roleBindingKey) {
        RoleBindingValue remove;
        Scope scope = roleBindingKey.scope();
        if (!this.rootScope.containsScope(scope) || (remove = this.roleBindings.remove(roleBindingKey)) == null) {
            return null;
        }
        removeDeletedAccessPolicies(roleBindingKey.principal(), scope);
        return remove;
    }

    private UserValue updateUser(UserKey userKey, UserValue userValue) {
        UserMetadata put = this.users.put(userKey.principal(), new UserMetadata(userValue.groups()));
        if (put == null) {
            return null;
        }
        return new UserValue(put.groups());
    }

    private void ensureNotFailed() {
        Map map = (Map) this.partitionStatus.entrySet().stream().filter(entry -> {
            return ((StatusValue) entry.getValue()).status() == MetadataStoreStatus.FAILED;
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry2 -> {
            return ((StatusValue) entry2.getValue()).errorMessage();
        }));
        if (!map.isEmpty()) {
            throw new MetadataStoreException("Some partitions have failed: " + map);
        }
    }

    private AccessPolicy accessPolicy(RoleBindingKey roleBindingKey) {
        Role role = this.rbacRoles.role(roleBindingKey.role());
        if (role != null) {
            return role.accessPolicy();
        }
        log.error("Unknown role, ignoring role binding {}", roleBindingKey);
        return null;
    }

    NavigableMap<ResourcePattern, Set<AccessRule>> rbacRules(Scope scope) {
        return this.rbacAccessRules.getOrDefault(scope, NO_RULES);
    }

    private Map<ResourcePattern, Set<AccessRule>> accessRules(RoleBindingKey roleBindingKey, RoleBindingValue roleBindingValue) {
        HashMap hashMap = new HashMap();
        KafkaPrincipal principal = roleBindingKey.principal();
        AccessPolicy accessPolicy = accessPolicy(roleBindingKey);
        if (accessPolicy != null) {
            for (ResourcePattern resourcePattern : !accessPolicy.hasResourceScope() ? (Collection) accessPolicy.allowedOperations().stream().map(resourceOperations -> {
                return ResourcePattern.all(new ResourceType(resourceOperations.resourceType()));
            }).collect(Collectors.toSet()) : roleBindingValue.resources().isEmpty() ? Collections.emptySet() : roleBindingValue.resources()) {
                HashSet hashSet = new HashSet();
                Iterator<Operation> it = accessPolicy.allowedOperations(resourcePattern.resourceType()).iterator();
                while (it.hasNext()) {
                    hashSet.add(new AccessRule(principal, PermissionType.ALLOW, "*", it.next(), String.valueOf(roleBindingKey)));
                }
                hashMap.put(resourcePattern, hashSet);
            }
        }
        return hashMap;
    }

    private void removeDeletedAccessPolicies(KafkaPrincipal kafkaPrincipal, Scope scope) {
        NavigableMap<ResourcePattern, Set<AccessRule>> rbacRules = rbacRules(scope);
        if (rbacRules != null) {
            HashMap hashMap = new HashMap();
            rbacRules.forEach((resourcePattern, set) -> {
                hashMap.put(resourcePattern, (Set) set.stream().filter(accessRule -> {
                    return accessRule.principal().equals(kafkaPrincipal);
                }).collect(Collectors.toSet()));
            });
            this.roleBindings.entrySet().stream().filter(entry -> {
                return ((RoleBindingKey) entry.getKey()).principal().equals(kafkaPrincipal) && ((RoleBindingKey) entry.getKey()).scope().equals(scope);
            }).flatMap(entry2 -> {
                return accessRules((RoleBindingKey) entry2.getKey(), (RoleBindingValue) entry2.getValue()).entrySet().stream();
            }).forEach(entry3 -> {
                Set set2 = (Set) hashMap.get(entry3.getKey());
                if (set2 != null) {
                    set2.removeAll((Collection) entry3.getValue());
                }
            });
            hashMap.forEach((resourcePattern2, set2) -> {
                Set set2 = (Set) rbacRules.get(resourcePattern2);
                if (set2 != null) {
                    set2.removeAll(set2);
                    if (set2.isEmpty()) {
                        rbacRules.remove(resourcePattern2);
                    }
                }
            });
        }
    }

    private RoleBinding roleBinding(RoleBindingKey roleBindingKey, RoleBindingValue roleBindingValue) {
        return new RoleBinding(roleBindingKey.principal(), roleBindingKey.role(), roleBindingKey.scope(), roleBindingValue.resources());
    }
}
