package io.confluent.security.auth.store.cache;

import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.store.data.AclBindingKey;
import io.confluent.security.auth.store.data.AclBindingValue;
import io.confluent.security.auth.store.data.AuthEntryType;
import io.confluent.security.auth.store.data.AuthKey;
import io.confluent.security.auth.store.data.AuthValue;
import io.confluent.security.auth.store.data.IdentityPoolKey;
import io.confluent.security.auth.store.data.IdentityPoolValue;
import io.confluent.security.auth.store.data.JwtIssuerKey;
import io.confluent.security.auth.store.data.JwtIssuerValue;
import io.confluent.security.auth.store.data.RoleBindingKey;
import io.confluent.security.auth.store.data.RoleBindingValue;
import io.confluent.security.auth.store.data.StatusKey;
import io.confluent.security.auth.store.data.StatusValue;
import io.confluent.security.auth.store.data.UserKey;
import io.confluent.security.auth.store.data.UserValue;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.AclAccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.acl.AclRule;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import io.confluent.security.rbac.AccessPolicy;
import io.confluent.security.rbac.InvalidRoleBindingException;
import io.confluent.security.rbac.RbacAccessRule;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.Role;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.RoleBindingFilter;
import io.confluent.security.rbac.UserMetadata;
import io.confluent.security.store.KeyValueStore;
import io.confluent.security.store.MetadataStoreException;
import io.confluent.security.store.MetadataStoreStatus;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.trustservice.store.data.IdentityPool;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.NavigableMap;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.errors.CorruptRecordException;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.jose4j.jwk.JsonWebKeySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/store/cache/DefaultAuthCache.class */
public class DefaultAuthCache implements AuthCache, TrustCache, KeyValueStore<AuthKey, AuthValue> {
    private static final String WILDCARD_HOST = "*";
    private final RbacRoles rbacRoles;
    protected final Scope rootScope;
    private final Map<KafkaPrincipal, UserMetadata> users = new ConcurrentHashMap();
    private final Map<RoleBindingKey, RoleBindingValue> roleBindings = new ConcurrentHashMap();
    private final Map<String, JsonWebKeySet> jsonWebKeys = new ConcurrentHashMap();
    private final Map<String, IdentityPool> identityPools = new ConcurrentHashMap();
    protected final Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> rbacAccessRules = new ConcurrentHashMap();
    private final Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> aclAccessRules = new ConcurrentHashMap();
    private final Map<Integer, StatusValue> partitionStatus = new ConcurrentHashMap();
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultAuthCache.class);
    private static final NavigableMap<ResourcePattern, Set<AccessRule>> NO_RULES = Collections.emptyNavigableMap();

    public DefaultAuthCache(RbacRoles rbacRoles, Scope scope) {
        this.rbacRoles = rbacRoles;
        this.rootScope = scope;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<KafkaPrincipal> groups(KafkaPrincipal kafkaPrincipal) {
        ensureNotFailed();
        UserMetadata userMetadata = this.users.get(kafkaPrincipal);
        return userMetadata == null ? Collections.emptySet() : userMetadata.groups();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(Scope scope) {
        ensureNotFailed();
        HashSet hashSet = new HashSet();
        this.roleBindings.entrySet().stream().filter(entry -> {
            return scope.equals(((RoleBindingKey) entry.getKey()).scope());
        }).forEach(entry2 -> {
            hashSet.add(roleBinding((RoleBindingKey) entry2.getKey(), (RoleBindingValue) entry2.getValue()));
        });
        return hashSet;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(Set<Scope> set) {
        ensureNotFailed();
        HashSet hashSet = new HashSet();
        this.roleBindings.entrySet().stream().filter(entry -> {
            return set.contains(((RoleBindingKey) entry.getKey()).scope());
        }).forEach(entry2 -> {
            hashSet.add(roleBinding((RoleBindingKey) entry2.getKey(), (RoleBindingValue) entry2.getValue()));
        });
        return hashSet;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(RoleBindingFilter roleBindingFilter) {
        ensureNotFailed();
        HashSet hashSet = new HashSet();
        this.roleBindings.entrySet().stream().map(entry -> {
            return roleBinding((RoleBindingKey) entry.getKey(), (RoleBindingValue) entry.getValue());
        }).forEach(roleBinding -> {
            RoleBinding matchingBinding = roleBindingFilter.matchingBinding(roleBinding, this.rbacRoles.role(roleBinding.role()).bindWithResource());
            if (matchingBinding != null) {
                hashSet.add(matchingBinding);
            }
        });
        return hashSet;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(KafkaPrincipal kafkaPrincipal) {
        ensureNotFailed();
        Set<KafkaPrincipal> groups = groups(kafkaPrincipal);
        return (Set) this.roleBindings.entrySet().stream().filter(entry -> {
            return kafkaPrincipal.equals(((RoleBindingKey) entry.getKey()).principal()) || groups.contains(((RoleBindingKey) entry.getKey()).principal());
        }).map(entry2 -> {
            return roleBinding((RoleBindingKey) entry2.getKey(), (RoleBindingValue) entry2.getValue());
        }).collect(Collectors.toSet());
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(KafkaPrincipal kafkaPrincipal, Set<Scope> set) {
        ensureNotFailed();
        Set<KafkaPrincipal> groups = groups(kafkaPrincipal);
        return (Set) this.roleBindings.entrySet().stream().filter(entry -> {
            return set.contains(((RoleBindingKey) entry.getKey()).scope());
        }).filter(entry2 -> {
            return kafkaPrincipal.equals(((RoleBindingKey) entry2.getKey()).principal()) || groups.contains(((RoleBindingKey) entry2.getKey()).principal());
        }).map(entry3 -> {
            return roleBinding((RoleBindingKey) entry3.getKey(), (RoleBindingValue) entry3.getValue());
        }).collect(Collectors.toSet());
    }

    @Override // io.confluent.security.trustservice.store.TrustCache
    public Map<String, JsonWebKeySet> jsonWebKeySets() {
        return Collections.unmodifiableMap(this.jsonWebKeys);
    }

    @Override // io.confluent.security.trustservice.store.TrustCache
    public JsonWebKeySet jsonWebKeySet(String str) {
        return this.jsonWebKeys.get(str);
    }

    @Override // io.confluent.security.trustservice.store.TrustCache
    public IdentityPool identityPool(String str) {
        return this.identityPools.get(str);
    }

    @Override // io.confluent.security.trustservice.store.TrustCache
    public Map<String, IdentityPool> identityPools() {
        return Collections.unmodifiableMap(this.identityPools);
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public UserMetadata userMetadata(KafkaPrincipal kafkaPrincipal) {
        return this.users.get(kafkaPrincipal);
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Map<KafkaPrincipal, UserMetadata> users() {
        return Collections.unmodifiableMap(this.users);
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<Scope> knownScopes() {
        ensureNotFailed();
        return new HashSet(this.rbacAccessRules.keySet());
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Scope rootScope() {
        return this.rootScope;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public RbacRoles rbacRoles() {
        return this.rbacRoles;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Map<ResourcePattern, Set<AccessRule>> aclRules(Scope scope) {
        ensureNotFailed();
        return Collections.unmodifiableMap(scopeRules(scope, this.aclAccessRules));
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Collection<AclBinding> aclBindings(Scope scope, AclBindingFilter aclBindingFilter, Predicate<ResourcePattern> predicate) {
        ensureNotFailed();
        if (!this.rootScope.containsScope(scope)) {
            throw new InvalidScopeException("This authorization cache does not contain scope " + scope);
        }
        if (aclBindingFilter.isUnknown()) {
            throw new InvalidRequestException("The AclBindingFilter must not contain UNKNOWN elements.");
        }
        HashSet hashSet = new HashSet();
        Scope scope2 = scope;
        while (true) {
            Scope scope3 = scope2;
            if (scope3 == null) {
                return hashSet;
            }
            NavigableMap<ResourcePattern, Set<AccessRule>> scopeRules = scopeRules(scope3, this.aclAccessRules);
            if (scopeRules != null) {
                for (Map.Entry<ResourcePattern, Set<AccessRule>> entry : scopeRules.entrySet()) {
                    ResourcePattern key = entry.getKey();
                    if (predicate.test(key)) {
                        Iterator<AccessRule> it = entry.getValue().iterator();
                        while (it.hasNext()) {
                            AclBinding aclBinding = new AclBinding(ResourcePattern.to(key), AclRule.accessControlEntry(it.next()));
                            if (aclBindingFilter.matches(aclBinding)) {
                                hashSet.add(aclBinding);
                            }
                        }
                    }
                }
            }
            scope2 = scope3.parent();
        }
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        AuthorizeRule findMatchingRule = findMatchingRule(AccessRule.matchingPrincipals(kafkaPrincipal, set, AccessRule.WILDCARD_USER_PRINCIPAL, AccessRule.WILDCARD_GROUP_PRINCIPAL), str, action, this.aclAccessRules);
        if (!findMatchingRule.deny()) {
            findMatchingRule.add(findMatchingRule(AccessRule.matchingPrincipals(kafkaPrincipal, set, null, null), str, action, this.rbacAccessRules));
        }
        return findMatchingRule;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        ensureNotFailed();
        if (!this.rootScope.containsScope(scope)) {
            throw new InvalidScopeException("This authorization cache does not contain scope " + scope);
        }
        Set<KafkaPrincipal> matchingPrincipals = AccessRule.matchingPrincipals(kafkaPrincipal, set, AccessRule.WILDCARD_USER_PRINCIPAL, AccessRule.WILDCARD_GROUP_PRINCIPAL);
        addMatchingRules(resourceAuthorizeRules, scope, this.aclAccessRules, matchingPrincipals, str, operation, resourceType);
        addMatchingRules(resourceAuthorizeRules, scope, this.rbacAccessRules, matchingPrincipals, str, operation, resourceType);
    }

    private void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, Scope scope, Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map, Set<KafkaPrincipal> set, String str, Operation operation, ResourceType resourceType) {
        Scope scope2 = scope;
        while (true) {
            Scope scope3 = scope2;
            if (scope3 == null) {
                return;
            }
            Iterator<KafkaPrincipal> it = set.iterator();
            while (it.hasNext()) {
                NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = principalRules(scope3, map, it.next());
                if (!principalRules.isEmpty()) {
                    for (Map.Entry<ResourcePattern, Set<AccessRule>> entry : principalRules.entrySet()) {
                        if (resourceType.equals(entry.getKey().resourceType())) {
                            for (AccessRule accessRule : entry.getValue()) {
                                if (accessRule.matches(str, operation, PermissionType.DENY) || accessRule.matches(str, operation, PermissionType.ALLOW)) {
                                    resourceAuthorizeRules.addRuleIfNotExist(accessRule);
                                }
                            }
                        }
                    }
                }
            }
            scope2 = scope3.parent();
        }
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public AuthCache.Result healthcheck() {
        try {
            ensureNotFailed();
            return AuthCache.Result.healthy();
        } catch (Exception e) {
            return AuthCache.Result.unhealthy(e.getMessage());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public AuthValue get(AuthKey authKey) {
        Set<AccessRule> set;
        switch (authKey.entryType()) {
            case ROLE_BINDING:
                return this.roleBindings.get((RoleBindingKey) authKey);
            case USER:
                UserMetadata userMetadata = this.users.get(((UserKey) authKey).principal());
                if (userMetadata == null) {
                    return null;
                }
                return new UserValue(userMetadata.groups());
            case STATUS:
                return this.partitionStatus.get(Integer.valueOf(((StatusKey) authKey).partition()));
            case ACL_BINDING:
                AclBindingKey aclBindingKey = (AclBindingKey) authKey;
                NavigableMap<ResourcePattern, Set<AccessRule>> scopeRules = scopeRules(aclBindingKey.scope(), this.aclAccessRules);
                if (scopeRules == null || (set = (Set) scopeRules.get(aclBindingKey.resourcePattern())) == null) {
                    return null;
                }
                return aclBindingValue(set);
            case JWT_ISSUER:
                JsonWebKeySet jsonWebKeySet = this.jsonWebKeys.get(((JwtIssuerKey) authKey).issuer());
                if (jsonWebKeySet == null) {
                    return null;
                }
                return new JwtIssuerValue(jsonWebKeySet);
            case IDENTITY_POOL:
                IdentityPool identityPool = this.identityPools.get(((IdentityPoolKey) authKey).poolId());
                if (identityPool == null) {
                    return null;
                }
                return new IdentityPoolValue(identityPool);
            default:
                throw new IllegalArgumentException("Unknown key type " + authKey.entryType());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public AuthValue put(AuthKey authKey, AuthValue authValue) {
        if (authValue == null) {
            throw new IllegalArgumentException("Value must not be null");
        }
        if (authKey.entryType() != authValue.entryType()) {
            throw new CorruptRecordException("Invalid record with key=" + authKey + ", value=" + authValue);
        }
        switch (authKey.entryType()) {
            case ROLE_BINDING:
                return updateRoleBinding((RoleBindingKey) authKey, (RoleBindingValue) authValue);
            case USER:
                return updateUser((UserKey) authKey, (UserValue) authValue);
            case STATUS:
                StatusValue statusValue = (StatusValue) authValue;
                if (statusValue.status() == MetadataStoreStatus.FAILED) {
                    log.error("Received failed status with key {} value {}", authKey, authValue);
                } else {
                    log.debug("Processing status with key {} value {}", authKey, authValue);
                }
                return this.partitionStatus.put(Integer.valueOf(((StatusKey) authKey).partition()), statusValue);
            case ACL_BINDING:
                return updateAclBinding((AclBindingKey) authKey, (AclBindingValue) authValue);
            case JWT_ISSUER:
                return updateJwtIssuer((JwtIssuerKey) authKey, (JwtIssuerValue) authValue);
            case IDENTITY_POOL:
                return updateIdentityPool((IdentityPoolKey) authKey, (IdentityPoolValue) authValue);
            default:
                throw new IllegalArgumentException("Unknown key type " + authKey.entryType());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public AuthValue remove(AuthKey authKey) {
        switch (authKey.entryType()) {
            case ROLE_BINDING:
                return removeRoleBinding((RoleBindingKey) authKey);
            case USER:
                UserMetadata remove = this.users.remove(((UserKey) authKey).principal());
                if (remove == null) {
                    return null;
                }
                return new UserValue(remove.groups());
            case STATUS:
                return this.partitionStatus.remove(Integer.valueOf(((StatusKey) authKey).partition()));
            case ACL_BINDING:
                return removeAclBinding((AclBindingKey) authKey);
            case JWT_ISSUER:
                JsonWebKeySet remove2 = this.jsonWebKeys.remove(((JwtIssuerKey) authKey).issuer());
                if (remove2 == null) {
                    return null;
                }
                return new JwtIssuerValue(remove2);
            case IDENTITY_POOL:
                IdentityPool remove3 = this.identityPools.remove(((IdentityPoolKey) authKey).poolId());
                if (remove3 == null) {
                    return null;
                }
                return new IdentityPoolValue(remove3);
            default:
                throw new IllegalArgumentException("Unknown key type " + authKey.entryType());
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public Map<? extends AuthKey, ? extends AuthValue> map(String str) {
        AuthEntryType valueOf = AuthEntryType.valueOf(str);
        switch (valueOf) {
            case ROLE_BINDING:
                return Collections.unmodifiableMap(this.roleBindings);
            case USER:
                return (Map) this.users.entrySet().stream().collect(Collectors.toMap(entry -> {
                    return new UserKey((KafkaPrincipal) entry.getKey());
                }, entry2 -> {
                    return new UserValue(((UserMetadata) entry2.getValue()).groups());
                }));
            case STATUS:
                return (Map) this.partitionStatus.entrySet().stream().collect(Collectors.toMap(entry3 -> {
                    return new StatusKey(((Integer) entry3.getKey()).intValue());
                }, (v0) -> {
                    return v0.getValue();
                }));
            default:
                throw new IllegalArgumentException("Unknown key type " + valueOf);
        }
    }

    @Override // io.confluent.security.store.KeyValueStore
    public void fail(int i, String str) {
        this.partitionStatus.put(Integer.valueOf(i), new StatusValue(MetadataStoreStatus.FAILED, -1, null, str));
    }

    @Override // io.confluent.security.store.KeyValueStore
    public MetadataStoreStatus status(int i) {
        StatusValue statusValue = this.partitionStatus.get(Integer.valueOf(i));
        return statusValue != null ? statusValue.status() : MetadataStoreStatus.UNKNOWN;
    }

    public int totalRoleBindings() {
        return this.roleBindings.size();
    }

    public long totalRbacAccessRules() {
        return accessRuleCount(this.rbacAccessRules);
    }

    public long totalAclAccessRules() {
        return accessRuleCount(this.aclAccessRules);
    }

    private long accessRuleCount(Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map) {
        int i = 0;
        Iterator<Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> it = map.values().iterator();
        while (it.hasNext()) {
            Iterator<NavigableMap<ResourcePattern, Set<AccessRule>>> it2 = it.next().values().iterator();
            while (it2.hasNext()) {
                Iterator<Set<AccessRule>> it3 = it2.next().values().iterator();
                while (it3.hasNext()) {
                    i += it3.next().size();
                }
            }
        }
        return i;
    }

    public int totalJwtIssuers() {
        return this.jsonWebKeys.size();
    }

    public long totalIdentityPools() {
        return this.identityPools.size();
    }

    private AuthorizeRule findMatchingRule(Set<KafkaPrincipal> set, String str, Action action, Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map) {
        ensureNotFailed();
        Scope scope = action.scope();
        ResourcePattern resourcePattern = action.resourcePattern();
        if (!this.rootScope.containsScope(scope)) {
            throw new InvalidScopeException("This authorization cache does not contain scope " + scope);
        }
        AuthorizeRule authorizeRule = new AuthorizeRule();
        Scope scope2 = scope;
        while (true) {
            Scope scope3 = scope2;
            if (scope3 == null) {
                return authorizeRule;
            }
            NavigableMap<ResourcePattern, Set<AccessRule>> scopeRules = scopeRules(scope3, map);
            if (!scopeRules.isEmpty()) {
                String name = resourcePattern.name();
                ResourceType resourceType = resourcePattern.resourceType();
                if (!updateAuthorizeRule((Collection) scopeRules.get(resourcePattern), set, str, action, authorizeRule) && !updateAuthorizeRule((Collection) scopeRules.get(ResourcePattern.all(resourceType)), set, str, action, authorizeRule) && !updateAuthorizeRule((Collection) scopeRules.get(ResourcePattern.ALL), set, str, action, authorizeRule) && !updateAuthorizeRule((Collection) scopeRules.get(new ResourcePattern(ResourceType.ALL, name, PatternType.LITERAL)), set, str, action, authorizeRule)) {
                    if (!name.isEmpty() && scopeRules.subMap(new ResourcePattern(resourceType.name(), name, PatternType.PREFIXED), true, new ResourcePattern(resourceType.name(), name.substring(0, 1), PatternType.PREFIXED), true).entrySet().stream().filter(entry -> {
                        return name.startsWith(((ResourcePattern) entry.getKey()).name());
                    }).anyMatch(entry2 -> {
                        return updateAuthorizeRule((Collection) entry2.getValue(), set, str, action, authorizeRule);
                    })) {
                        return authorizeRule;
                    }
                }
                return authorizeRule;
            }
            scope2 = scope3.parent();
        }
    }

    private boolean updateAuthorizeRule(Collection<AccessRule> collection, Set<KafkaPrincipal> set, String str, Action action, AuthorizeRule authorizeRule) {
        boolean z = !authorizeRule.allowRule().isPresent();
        if (collection == null) {
            return false;
        }
        if (!collection.isEmpty()) {
            authorizeRule.noResourceAcls(false);
        }
        for (AccessRule accessRule : collection) {
            if (accessRule.matches(set, str, action.operation(), PermissionType.DENY)) {
                authorizeRule.addRuleIfNotExist(accessRule);
                return true;
            }
            if (z && accessRule.matches(set, str, action.operation(), PermissionType.ALLOW)) {
                authorizeRule.addRuleIfNotExist(accessRule);
                z = false;
            }
        }
        return false;
    }

    private RoleBindingValue updateRoleBinding(RoleBindingKey roleBindingKey, RoleBindingValue roleBindingValue) {
        if (!this.rootScope.containsScope(roleBindingKey.scope())) {
            return null;
        }
        Map<String, Collection<AccessPolicy>> accessPolicies = accessPolicies(roleBindingKey);
        if (accessPolicies.isEmpty()) {
            return null;
        }
        KafkaPrincipal principal = roleBindingKey.principal();
        String role = roleBindingKey.role();
        RoleBindingValue put = this.roleBindings.put(roleBindingKey, roleBindingValue);
        for (String str : accessPolicies.keySet()) {
            Scope ancestorWithBindingScope = roleBindingKey.scope().ancestorWithBindingScope(str);
            if (ancestorWithBindingScope == null) {
                throw new InvalidRoleBindingException("Binding at scope " + str + " is missing enclosing scope " + str);
            }
            RoleBindingKey roleBindingKey2 = new RoleBindingKey(principal, role, ancestorWithBindingScope);
            NavigableMap<ResourcePattern, Set<AccessRule>> computeIfAbsent = this.rbacAccessRules.computeIfAbsent(ancestorWithBindingScope, scope -> {
                return new ConcurrentHashMap();
            }).computeIfAbsent(principal, kafkaPrincipal -> {
                return new ConcurrentSkipListMap();
            });
            accessRules(roleBindingKey2, roleBindingValue).forEach((resourcePattern, set) -> {
                ((Set) computeIfAbsent.computeIfAbsent(resourcePattern, resourcePattern -> {
                    return ConcurrentHashMap.newKeySet();
                })).addAll(set);
            });
            removeDeletedAccessPolicies(principal, ancestorWithBindingScope);
        }
        return put;
    }

    private RoleBindingValue removeRoleBinding(RoleBindingKey roleBindingKey) {
        RoleBindingValue remove;
        Scope scope = roleBindingKey.scope();
        if (!this.rootScope.containsScope(scope) || (remove = this.roleBindings.remove(roleBindingKey)) == null) {
            return null;
        }
        Iterator<String> it = this.rbacRoles.role(roleBindingKey.role()).bindingScopes().iterator();
        while (it.hasNext()) {
            removeDeletedAccessPolicies(roleBindingKey.principal(), scope.ancestorWithBindingScope(it.next()));
        }
        return remove;
    }

    private JwtIssuerValue updateJwtIssuer(JwtIssuerKey jwtIssuerKey, JwtIssuerValue jwtIssuerValue) {
        JsonWebKeySet put = this.jsonWebKeys.put(jwtIssuerKey.issuer(), jwtIssuerValue.keys());
        if (put == null) {
            return null;
        }
        return new JwtIssuerValue(put);
    }

    private IdentityPoolValue updateIdentityPool(IdentityPoolKey identityPoolKey, IdentityPoolValue identityPoolValue) {
        IdentityPool put = this.identityPools.put(identityPoolKey.poolId(), new IdentityPool(identityPoolKey.poolId(), identityPoolValue.version(), identityPoolValue.issuer(), identityPoolValue.subjectClaim(), identityPoolValue.serviceAccount(), identityPoolValue.policy()));
        if (put == null) {
            return null;
        }
        return new IdentityPoolValue(put);
    }

    private UserValue updateUser(UserKey userKey, UserValue userValue) {
        UserMetadata put = this.users.put(userKey.principal(), new UserMetadata(userValue.groups()));
        if (put == null) {
            return null;
        }
        return new UserValue(put.groups());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void ensureNotFailed() {
        Map map = (Map) this.partitionStatus.entrySet().stream().filter(entry -> {
            return ((StatusValue) entry.getValue()).status() == MetadataStoreStatus.FAILED;
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry2 -> {
            return ((StatusValue) entry2.getValue()).errorMessage();
        }));
        if (!map.isEmpty()) {
            throw new MetadataStoreException("Some partitions have failed: " + map);
        }
    }

    private Map<String, Collection<AccessPolicy>> accessPolicies(RoleBindingKey roleBindingKey) {
        Role role = this.rbacRoles.role(roleBindingKey.role());
        if (role != null) {
            return role.accessPolicies();
        }
        log.error("Unknown role, ignoring role binding {}", roleBindingKey);
        return Collections.emptyMap();
    }

    NavigableMap<ResourcePattern, Set<AccessRule>> rbacRules(Scope scope) {
        return scopeRules(scope, this.rbacAccessRules);
    }

    private NavigableMap<ResourcePattern, Set<AccessRule>> scopeRules(Scope scope, Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> map2 = map.get(scope);
        if (map2 == null) {
            return NO_RULES;
        }
        ConcurrentSkipListMap concurrentSkipListMap = new ConcurrentSkipListMap();
        map2.entrySet().stream().flatMap(entry -> {
            return ((NavigableMap) entry.getValue()).entrySet().stream();
        }).forEach(entry2 -> {
            ((Set) concurrentSkipListMap.computeIfAbsent(entry2.getKey(), resourcePattern -> {
                return ConcurrentHashMap.newKeySet();
            })).addAll((Collection) entry2.getValue());
        });
        return concurrentSkipListMap;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public NavigableMap<ResourcePattern, Set<AccessRule>> principalRules(Scope scope, Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map, KafkaPrincipal kafkaPrincipal) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> map2 = map.get(scope);
        return map2 == null ? NO_RULES : map2.getOrDefault(kafkaPrincipal, NO_RULES);
    }

    private String bindingScope(RoleBindingKey roleBindingKey) {
        return roleBindingKey.scope().bindingScope();
    }

    private Map<ResourcePattern, Set<AccessRule>> accessRules(RoleBindingKey roleBindingKey, RoleBindingValue roleBindingValue) {
        HashMap hashMap = new HashMap();
        RoleBinding roleBinding = roleBinding(roleBindingKey, roleBindingValue);
        KafkaPrincipal principal = roleBindingKey.principal();
        Collection<AccessPolicy> collection = accessPolicies(roleBindingKey).get(bindingScope(roleBindingKey));
        if (collection == null) {
            return hashMap;
        }
        for (AccessPolicy accessPolicy : collection) {
            if (accessPolicy != null) {
                for (ResourcePattern resourcePattern : !accessPolicy.bindWithResource() ? accessPolicy.wildcardResourcePatterns() : roleBindingValue.resources().isEmpty() ? Collections.emptySet() : roleBindingValue.resources()) {
                    HashSet hashSet = new HashSet();
                    Iterator<Operation> it = accessPolicy.allowedOperations(resourcePattern.resourceType()).iterator();
                    while (it.hasNext()) {
                        hashSet.add(new RbacAccessRule(resourcePattern, principal, PermissionType.ALLOW, "*", it.next(), AuthorizePolicy.PolicyType.ALLOW_ROLE, roleBinding));
                    }
                    hashMap.put(resourcePattern, hashSet);
                }
            }
        }
        return hashMap;
    }

    private void removeDeletedAccessPolicies(KafkaPrincipal kafkaPrincipal, Scope scope) {
        NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = principalRules(scope, this.rbacAccessRules, kafkaPrincipal);
        if (principalRules != null) {
            HashMap hashMap = new HashMap();
            principalRules.forEach((resourcePattern, set) -> {
                hashMap.put(resourcePattern, (Set) set.stream().filter(accessRule -> {
                    return accessRule.principal().equals(kafkaPrincipal);
                }).collect(Collectors.toSet()));
            });
            this.roleBindings.entrySet().stream().filter(entry -> {
                return ((RoleBindingKey) entry.getKey()).principal().equals(kafkaPrincipal) && scope.containsScope(((RoleBindingKey) entry.getKey()).scope());
            }).flatMap(entry2 -> {
                return accessRules(new RoleBindingKey(((RoleBindingKey) entry2.getKey()).principal(), ((RoleBindingKey) entry2.getKey()).role(), scope), (RoleBindingValue) entry2.getValue()).entrySet().stream();
            }).forEach(entry3 -> {
                Set set2 = (Set) hashMap.get(entry3.getKey());
                if (set2 != null) {
                    set2.removeAll((Collection) entry3.getValue());
                }
            });
            hashMap.forEach((resourcePattern2, set2) -> {
                Set set2 = (Set) principalRules.get(resourcePattern2);
                if (set2 != null) {
                    set2.removeAll(set2);
                    if (set2.isEmpty()) {
                        principalRules.remove(resourcePattern2);
                    }
                }
            });
        }
    }

    private RoleBinding roleBinding(RoleBindingKey roleBindingKey, RoleBindingValue roleBindingValue) {
        return new RoleBinding(roleBindingKey.principal(), roleBindingKey.role(), roleBindingKey.scope(), roleBindingValue.resources());
    }

    private AclBindingValue aclBindingValue(Set<AccessRule> set) {
        return new AclBindingValue((Collection) set.stream().map(AclRule::from).collect(Collectors.toSet()));
    }

    private AccessRule accessRule(ResourcePattern resourcePattern, AclRule aclRule) {
        AclBinding aclBinding = new AclBinding(ResourcePattern.to(resourcePattern), aclRule.toAccessControlEntry());
        return new AclAccessRule(resourcePattern, aclRule.principal(), aclRule.permissionType(), aclRule.host(), aclRule.operation(), aclRule.permissionType() == PermissionType.ALLOW ? AuthorizePolicy.PolicyType.ALLOW_ACL : AuthorizePolicy.PolicyType.DENY_ACL, aclBinding);
    }

    private AclBindingValue updateAclBinding(AclBindingKey aclBindingKey, AclBindingValue aclBindingValue) {
        Scope scope = aclBindingKey.scope();
        if (!this.rootScope.containsScope(scope)) {
            return null;
        }
        AclBindingValue aclBindingValue2 = (AclBindingValue) get((AuthKey) aclBindingKey);
        Map computeIfAbsent = this.aclAccessRules.computeIfAbsent(scope, scope2 -> {
            return new ConcurrentHashMap();
        });
        if (aclBindingValue2 != null) {
            aclBindingValue2.aclRules().stream().map((v0) -> {
                return v0.principal();
            }).forEach(kafkaPrincipal -> {
                NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = principalRules(scope, this.aclAccessRules, kafkaPrincipal);
                if (principalRules != null) {
                    ((Set) principalRules.getOrDefault(aclBindingKey.resourcePattern(), new HashSet())).clear();
                }
            });
        }
        for (Map.Entry entry : ((Map) ((Set) aclBindingValue.aclRules().stream().map(aclRule -> {
            return accessRule(aclBindingKey.resourcePattern(), aclRule);
        }).collect(Collectors.toSet())).stream().collect(Collectors.groupingBy((v0) -> {
            return v0.principal();
        }))).entrySet()) {
            NavigableMap navigableMap = (NavigableMap) computeIfAbsent.computeIfAbsent(entry.getKey(), kafkaPrincipal2 -> {
                return new ConcurrentSkipListMap();
            });
            ((Set) navigableMap.computeIfAbsent(aclBindingKey.resourcePattern(), resourcePattern -> {
                return ConcurrentHashMap.newKeySet();
            })).clear();
            ((Set) navigableMap.get(aclBindingKey.resourcePattern())).addAll((Collection) entry.getValue());
        }
        return aclBindingValue2;
    }

    private AclBindingValue removeAclBinding(AclBindingKey aclBindingKey) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> map;
        if (!this.rootScope.containsScope(aclBindingKey.scope()) || (map = this.aclAccessRules.get(aclBindingKey.scope())) == null) {
            return null;
        }
        HashSet hashSet = new HashSet();
        for (Map.Entry<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> entry : map.entrySet()) {
            Set set = (Set) entry.getValue().get(aclBindingKey.resourcePattern());
            if (set != null) {
                hashSet.addAll(set);
                entry.getValue().remove(aclBindingKey.resourcePattern());
            }
        }
        if (hashSet.isEmpty()) {
            return null;
        }
        return aclBindingValue(hashSet);
    }
}
