package io.confluent.controlcenter.data;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.controlcenter.data.PermissionsService;
import io.confluent.controlcenter.rest.Credential;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;
import org.apache.kafka.common.acl.AclOperation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/data/RbacPermissionsService.class */
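/**
 * {@link PermissionsService} implementation that derives Control Center permissions from
 * role-based authorization decisions returned by the metadata service client, plus the Kafka
 * ACL operations reported by {@link KafkaMetadataDao}.
 *
 * <p>Every authorization decision is evaluated fail-closed: a missing or {@code null} verdict
 * from the metadata service client is treated as "denied" rather than raising an exception
 * part-way through building the permission set.
 */
public class RbacPermissionsService extends AbstractPermissionsService {
    private static final Logger log = LoggerFactory.getLogger(RbacPermissionsService.class);

    // Resource-type/operation pairs sent to the metadata service for an authorization check.
    private static final PermissionsService.ResourceTypeOperation BROKER_METRICS = new PermissionsService.ResourceTypeOperation(new ResourceType("ControlCenterBrokerMetrics"), new Operation("Read"));
    // NOTE(review): the view-level VIEW_ALERTS permission is gated on "Write" here, not "Read" - confirm this is intended.
    private static final PermissionsService.ResourceTypeOperation ALERTS = new PermissionsService.ResourceTypeOperation(new ResourceType("ControlCenterAlerts"), new Operation("Write"));
    private static final PermissionsService.ResourceTypeOperation LICENSE_MANAGEMENT = new PermissionsService.ResourceTypeOperation(new ResourceType("License"), new Operation("Alter"));

    private final KafkaMetadataDao kafkaMetadataDao;
    private final MetadataServiceClient mdsClient;

    /**
     * Creates the service.
     *
     * @param clusterMetadataDao passed through to {@link AbstractPermissionsService}
     * @param kafkaMetadataDao source of the Kafka ACL operations authorized for a credential
     * @param metadataServiceClient client used for visibility and authorization checks
     */
    public RbacPermissionsService(ClusterMetadataDao clusterMetadataDao, KafkaMetadataDao kafkaMetadataDao, MetadataServiceClient metadataServiceClient) {
        super(clusterMetadataDao);
        this.kafkaMetadataDao = kafkaMetadataDao;
        this.mdsClient = metadataServiceClient;
    }

    /**
     * Reports whether the principal may see the given Kafka cluster.
     *
     * @param jwtPrincipal authenticated principal; its name and JWT are forwarded to the
     *     metadata service client
     * @param str Kafka cluster id
     * @return the visibility verdict of the metadata service client
     */
    @Override
    public boolean hasViewAccess(JwtPrincipal jwtPrincipal, String str) {
        return this.mdsClient.isKafkaClusterVisible(jwtPrincipal.getName(), jwtPrincipal.getJwt(), str);
    }

    /**
     * Collects the cluster-scoped operations granted to the principal: the Control Center
     * operations plus, when available, the Kafka-derived ones.
     *
     * @param jwtPrincipal authenticated principal
     * @param str Kafka cluster id
     * @return immutable union of the granted operations
     * @throws InterruptedException propagated from the Kafka operation lookup
     * @throws ExecutionException propagated from the Kafka operation lookup
     * @throws TimeoutException propagated from the Kafka operation lookup
     */
    @Override
    public Set<PermissionsService.ControlCenterOperation> getAllScopedOperations(JwtPrincipal jwtPrincipal, String str) throws InterruptedException, ExecutionException, TimeoutException {
        ImmutableSet.Builder<PermissionsService.ControlCenterOperation> operations = ImmutableSet.builder();
        operations.addAll(getScopedControlCenterOperations(jwtPrincipal, str));
        Set<PermissionsService.ControlCenterOperation> scopedKafkaOperations = getScopedKafkaOperations(jwtPrincipal, str);
        if (scopedKafkaOperations == null) {
            // No Kafka operations could be determined: grant nothing extra, only record it.
            log.warn("cluster not configured for management: {}", str);
        } else {
            operations.addAll(scopedKafkaOperations);
        }
        return operations.build();
    }

    /**
     * Collects the operations that are not tied to a caller-supplied cluster; currently only
     * license management.
     *
     * @param jwtPrincipal authenticated principal
     * @return immutable set of granted global operations
     */
    @Override
    public Set<PermissionsService.ControlCenterOperation> getAllGlobalOperations(JwtPrincipal jwtPrincipal) {
        return ImmutableSet.<PermissionsService.ControlCenterOperation>builder()
                .addAll(getLicenseManagement(jwtPrincipal))
                .build();
    }

    /**
     * Asks the metadata service client which Control Center operations (broker metrics,
     * alerts) the principal is authorized for within the given Kafka cluster scope.
     *
     * @param jwtPrincipal authenticated principal
     * @param str Kafka cluster id used to build the authorization scope
     * @return mutable set holding exactly the operations whose verdict is {@code true}
     */
    @Override
    public Set<PermissionsService.ControlCenterOperation> getScopedControlCenterOperations(JwtPrincipal jwtPrincipal, String str) {
        Map<PermissionsService.ControlCenterOperation, Boolean> verdicts = this.mdsClient.authorize(jwtPrincipal.getName(), jwtPrincipal.getJwt(), Scope.kafkaClusterScope(str), ImmutableMap.of(PermissionsService.ControlCenterOperation.VIEW_BROKER_METRICS, BROKER_METRICS, PermissionsService.ControlCenterOperation.VIEW_ALERTS, ALERTS));
        Set<PermissionsService.ControlCenterOperation> granted = new HashSet<>();
        for (Map.Entry<PermissionsService.ControlCenterOperation, Boolean> verdict : verdicts.entrySet()) {
            // Fail closed: a null verdict counts as "denied" instead of throwing on unboxing.
            if (Boolean.TRUE.equals(verdict.getValue())) {
                granted.add(verdict.getKey());
            }
        }
        return granted;
    }

    /**
     * Maps the Kafka ACL operations authorized for the principal's credential onto Control
     * Center operations. VIEW_CLUSTER_SETTINGS is granted only when ALTER_CONFIGS is among
     * the authorized operations.
     *
     * @param jwtPrincipal authenticated principal
     * @param str Kafka cluster id
     * @return the granted operations, or {@code null} when the DAO reports no authorized
     *     operation set; {@link #getAllScopedOperations} relies on that {@code null}
     * @throws InterruptedException propagated from the DAO lookup
     * @throws ExecutionException propagated from the DAO lookup
     * @throws TimeoutException propagated from the DAO lookup
     */
    @Override
    public Set<PermissionsService.ControlCenterOperation> getScopedKafkaOperations(JwtPrincipal jwtPrincipal, String str) throws InterruptedException, ExecutionException, TimeoutException {
        Set<AclOperation> authorizedOperations = this.kafkaMetadataDao.getAuthorizedOperations(Credential.makeCredentialFromJwtOrNullPrincipal(str, jwtPrincipal));
        if (authorizedOperations == null) {
            return null;
        }
        if (authorizedOperations.contains(AclOperation.ALTER_CONFIGS)) {
            return ImmutableSet.of(PermissionsService.ControlCenterOperation.VIEW_CLUSTER_SETTINGS);
        }
        return ImmutableSet.of();
    }

    /**
     * Checks the license-management permission against the Kafka cluster id that the
     * metadata service client reports for itself.
     *
     * @param jwtPrincipal authenticated principal
     * @return a singleton set with VIEW_LICENSE_MANAGEMENT when authorized, otherwise empty
     */
    private Set<PermissionsService.ControlCenterOperation> getLicenseManagement(JwtPrincipal jwtPrincipal) {
        Map<PermissionsService.ControlCenterOperation, Boolean> verdicts = this.mdsClient.authorize(jwtPrincipal.getName(), jwtPrincipal.getJwt(), Scope.kafkaClusterScope(this.mdsClient.getMetadataServiceKafkaId(jwtPrincipal.getJwt())), ImmutableMap.of(PermissionsService.ControlCenterOperation.VIEW_LICENSE_MANAGEMENT, LICENSE_MANAGEMENT));
        // Fail closed: an absent key or a null verdict both mean "not authorized".
        if (Boolean.TRUE.equals(verdicts.get(PermissionsService.ControlCenterOperation.VIEW_LICENSE_MANAGEMENT))) {
            return ImmutableSet.of(PermissionsService.ControlCenterOperation.VIEW_LICENSE_MANAGEMENT);
        }
        return ImmutableSet.of();
    }
}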
