package io.confluent.security.auth.provider.ldap;

import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.store.data.UserKey;
import io.confluent.security.auth.store.data.UserValue;
import io.confluent.security.auth.store.external.ExternalStore;
import io.confluent.security.auth.store.external.ExternalStoreListener;
import io.confluent.security.auth.store.kafka.KafkaAuthWriter;
import io.confluent.security.rbac.UserMetadata;
import io.confluent.security.store.MetadataStoreStatus;
import java.util.Map;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Time;

/* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapStore.class */
/**
 * {@link ExternalStore} implementation that owns an {@link LdapGroupManager} and relays the
 * user entries and status changes it reports to a {@link KafkaAuthWriter}.
 *
 * <p>Every record written through the listener carries the generation id passed to
 * {@link #start(int)}. {@code start}/{@code stop} are not synchronized and the
 * {@code ldapGroupManager} field is not volatile.
 * NOTE(review): presumably lifecycle calls are confined to a single thread; confirm against the
 * caller, because these entries appear to feed group-based authorization.
 */
public class LdapStore implements ExternalStore {
    private final Time time;
    private final UserStoreListener listener;
    private LdapConfig config;
    private LdapGroupManager ldapGroupManager;

    /* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapStore$UserStoreListener.class */
    /**
     * Listener that turns external-store callbacks into writes on the {@link KafkaAuthWriter}.
     *
     * <p>All write paths are gated on {@code active}: while the listener is stopped, updates,
     * deletes and status changes are dropped silently rather than queued.
     *
     * <p>NOTE(review): {@code active} and {@code generationId} are two independent volatile
     * fields read one after the other. A callback that passes the {@code active} check while
     * {@link LdapStore#stop(Integer)} runs concurrently can still issue a write, possibly with
     * the generation id already reset to -1. Confirm that the writer rejects such records.
     */
    private static class UserStoreListener implements ExternalStoreListener<UserKey, UserValue> {
        private final AuthCache authCache;
        private final KafkaAuthWriter writer;
        private volatile int generationId;
        private volatile boolean active;

        UserStoreListener(AuthCache authCache, KafkaAuthWriter kafkaAuthWriter) {
            this.authCache = authCache;
            this.writer = kafkaAuthWriter;
        }

        /** Enables forwarding of callbacks to the writer. */
        void start() {
            this.active = true;
        }

        /** Disables forwarding; later callbacks become no-ops. */
        void stop() {
            this.active = false;
        }

        /**
         * Reconciles the users currently held in the auth cache with the supplied snapshot.
         *
         * <p>Cached users missing from {@code map} are deleted, cached users whose groups differ
         * are rewritten, and snapshot users unknown to the cache are added. Users whose groups
         * already match produce no write.
         *
         * @param map snapshot of users and their values reported by the external store
         */
        @Override // io.confluent.security.auth.store.external.ExternalStoreListener
        public void initialize(Map<UserKey, UserValue> map) {
            Map<KafkaPrincipal, UserMetadata> cachedUsers = this.authCache.users();

            // Pass 1: walk the cache and drop or refresh entries that disagree with the snapshot.
            cachedUsers.forEach((principal, cached) -> {
                UserKey key = new UserKey(principal);
                UserValue external = map.get(key);
                if (external == null) {
                    // The user no longer exists externally, so the cached membership must go too.
                    delete(key);
                    return;
                }
                if (!external.groups().equals(cached.groups())) {
                    update(key, external);
                }
            });

            // Pass 2: add snapshot users that the cache has never seen.
            for (Map.Entry<UserKey, UserValue> entry : map.entrySet()) {
                if (!cachedUsers.containsKey(entry.getKey().principal())) {
                    update(entry.getKey(), entry.getValue());
                }
            }
        }

        /**
         * Writes the given user entry, tagged with the current generation id, when active.
         *
         * @param userKey key of the user being written
         * @param userValue value to store for that user
         */
        @Override // io.confluent.security.auth.store.external.ExternalStoreListener
        public void update(UserKey userKey, UserValue userValue) {
            if (!this.active) {
                return;
            }
            this.writer.writeExternalEntry(userKey, userValue, this.generationId);
        }

        /**
         * Writes a {@code null} value for the given user, tagged with the current generation id,
         * when active.
         *
         * @param userKey key of the user being removed
         */
        @Override // io.confluent.security.auth.store.external.ExternalStoreListener
        public void delete(UserKey userKey) {
            if (!this.active) {
                return;
            }
            this.writer.writeExternalEntry(userKey, null, this.generationId);
        }

        /**
         * Records a {@link MetadataStoreStatus#FAILED} status with the given message when active.
         *
         * @param str failure description passed through to the writer
         */
        @Override // io.confluent.security.auth.store.external.ExternalStoreListener
        public void fail(String str) {
            if (!this.active) {
                return;
            }
            this.writer.writeExternalStatus(MetadataStoreStatus.FAILED, str, this.generationId);
        }

        /** Records a {@link MetadataStoreStatus#INITIALIZED} status with no message when active. */
        @Override // io.confluent.security.auth.store.external.ExternalStoreListener
        public void resetFailure() {
            if (!this.active) {
                return;
            }
            this.writer.writeExternalStatus(MetadataStoreStatus.INITIALIZED, null, this.generationId);
        }
    }

    /**
     * Creates the store and its internal listener; no group manager exists until
     * {@link #start(int)} is called.
     *
     * @param authCache cache whose current users are compared against external snapshots
     * @param kafkaAuthWriter writer that receives entries and status records
     * @param time clock handed to the group manager
     */
    public LdapStore(AuthCache authCache, KafkaAuthWriter kafkaAuthWriter, Time time) {
        this.time = time;
        this.listener = new UserStoreListener(authCache, kafkaAuthWriter);
    }

    /**
     * Builds the {@link LdapConfig} from the supplied properties.
     *
     * @param map configuration properties
     */
    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.config = new LdapConfig(map);
    }

    /**
     * Starts a new generation: records the generation id, creates the group manager, activates
     * the listener and then starts the manager.
     *
     * @param i generation id to stamp on every record written during this run
     * @throws IllegalStateException if a group manager from an earlier generation is still set
     */
    @Override // io.confluent.security.auth.store.external.ExternalStore
    public void start(int i) {
        UserStoreListener storeListener = this.listener;
        if (this.ldapGroupManager != null) {
            throw new IllegalStateException("LDAP group manager for generation " + storeListener.generationId + " is still active");
        }
        // The generation id is published before the listener is activated so that no write can
        // carry the previous generation's id.
        storeListener.generationId = i;
        this.ldapGroupManager = createLdapGroupManager(storeListener);
        storeListener.start();
        this.ldapGroupManager.start();
    }

    /**
     * Stops the current generation: deactivates the listener first, closes and clears the group
     * manager if one exists, then resets the generation id to -1.
     *
     * @param num not used by this implementation
     */
    @Override // io.confluent.security.auth.store.external.ExternalStore
    public void stop(Integer num) {
        // Deactivate before closing so callbacks raised during shutdown are not written.
        this.listener.stop();
        LdapGroupManager current = this.ldapGroupManager;
        if (current != null) {
            current.close();
            this.ldapGroupManager = null;
        }
        this.listener.generationId = -1;
    }

    /**
     * Reports whether the running group manager has failed.
     *
     * @return {@code false} when no group manager is set, otherwise the manager's own failure flag
     */
    @Override // io.confluent.security.auth.store.external.ExternalStore
    public boolean failed() {
        // Copy the field once so a concurrent stop() cannot null it between check and call.
        LdapGroupManager current = this.ldapGroupManager;
        if (current == null) {
            return false;
        }
        return current.failed();
    }

    /**
     * Factory hook for the group manager; protected so subclasses can supply their own.
     *
     * @param externalStoreListener listener the manager reports to
     * @return a new manager built from the current config and clock
     */
    protected LdapGroupManager createLdapGroupManager(ExternalStoreListener<UserKey, UserValue> externalStoreListener) {
        return new LdapGroupManager(this.config, this.time, externalStoreListener);
    }
}
