package io.confluent.security.auth.cloud;

import io.confluent.security.auth.store.cache.DefaultAuthCache;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.rbac.RbacRoles;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.NavigableMap;
import java.util.Set;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/security/auth/cloud/CloudAuthCache.class */
/**
 * Authorization cache variant used for the cloud deployment.
 *
 * <p>Overrides {@code findRule} so that rule lookup is driven entirely by the
 * inherited {@code rbacAccessRules} map (scope -> principal -> resource pattern
 * -> rules) and walks the scope chain from the action's scope up to the root.
 * Only {@link PermissionType#ALLOW} rules are ever matched here (see
 * {@link #updateAuthorizeRule}); whether deny semantics are handled elsewhere
 * is not visible in this class.
 *
 * <p>This listing is decompiled; the control flow in {@link #findMatchingRule}
 * is kept as-is and annotated rather than restructured.
 */
public class CloudAuthCache extends DefaultAuthCache {
    /**
     * Creates the cache by delegating to {@link DefaultAuthCache}.
     *
     * @param rbacRoles role definitions handed to the base cache
     * @param scope     root scope of this cache (becomes {@code rootScope})
     */
    public CloudAuthCache(RbacRoles rbacRoles, Scope scope) {
        super(rbacRoles, scope);
    }

    /**
     * Finds the access rules that apply to {@code kafkaPrincipal} (and the
     * supplied group principals) for {@code action}.
     *
     * @param kafkaPrincipal the authenticated principal
     * @param set            additional principals (presumably groups) considered for matching
     * @param str            host string forwarded to {@code AccessRule.matches}
     * @param action         the operation, scope and resource pattern being authorized
     * @return the accumulated {@link AuthorizeRule}; never null
     * @throws InvalidScopeException if the action's scope is outside {@code rootScope}
     */
    @Override // io.confluent.security.auth.store.cache.DefaultAuthCache, io.confluent.security.auth.metadata.AuthCache
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        // NOTE(review): the last two arguments of matchingPrincipals are passed as null here;
        // their meaning (and what matching they disable) is not visible in this file — confirm
        // against AccessRule before relying on this path for host- or role-scoped matching.
        return findMatchingRule(AccessRule.matchingPrincipals(kafkaPrincipal, set, null, null), str, action, this.rbacAccessRules);
    }

    /**
     * Walks from the action's scope up through each parent scope and returns the
     * first {@link AuthorizeRule} populated from a principal that has any rules
     * in that scope.
     *
     * <p>Lookup order within one principal's rule map is: the exact resource
     * pattern, the type-wide wildcard ({@code ResourcePattern.all(type)}),
     * {@code ResourcePattern.ALL}, a literal on {@code ResourceType.ALL} with the
     * same name, and finally PREFIXED patterns whose name is a prefix of the
     * resource name. The first ALLOW match wins; see {@link #updateAuthorizeRule}.
     *
     * <p>Note the termination behaviour: as soon as a principal has a non-empty
     * rule map in the current scope the method returns, whether or not any rule
     * matched. Other principals in {@code set} and parent scopes are then not
     * consulted. This appears to be decompiler-faithful; confirm against the
     * original source before changing it, since it determines which principal's
     * rules take effect.
     *
     * @param set    principals to look up, in iteration order of the set
     * @param str    host string forwarded to {@code AccessRule.matches}
     * @param action the action being authorized (supplies scope, resource pattern, operation)
     * @param map    rules keyed by scope, then principal, then resource pattern
     * @return the accumulated rule set (possibly empty); never null
     * @throws InvalidScopeException if {@code rootScope} does not contain the action's scope
     */
    private AuthorizeRule findMatchingRule(Set<KafkaPrincipal> set, String str, Action action, Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map) {
        // Inherited guard; presumably rejects lookups while the cache is in a failed state.
        ensureNotFailed();
        Scope scope = action.scope();
        ResourcePattern resourcePattern = action.resourcePattern();
        if (!this.rootScope.containsScope(scope)) {
            throw new InvalidScopeException("This authorization cache does not contain scope " + scope);
        }
        AuthorizeRule authorizeRule = new AuthorizeRule();
        // Marks that resource-level ACLs were considered (meaning of the flag lives in AuthorizeRule).
        authorizeRule.noResourceAcls(false);
        Scope scope2 = scope;
        // Decompiled for-loop: scope2 walks up via parent() until null.
        while (true) {
            Scope scope3 = scope2;
            if (scope3 == null) {
                // No principal had rules in any scope on the chain: return the empty rule set.
                return authorizeRule;
            }
            Iterator<KafkaPrincipal> it = set.iterator();
            while (it.hasNext()) {
                NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = principalRules(scope3, map, it.next());
                if (!principalRules.isEmpty()) {
                    String name = resourcePattern.name();
                    ResourceType resourceType = resourcePattern.resourceType();
                    // Short-circuit chain: evaluation stops at the first lookup that records an ALLOW match.
                    // Order: exact pattern, all-of-type, ALL, then (ResourceType.ALL, name, LITERAL).
                    if (!updateAuthorizeRule((Collection) principalRules.get(resourcePattern), str, action, authorizeRule) && !updateAuthorizeRule((Collection) principalRules.get(ResourcePattern.all(resourceType)), str, action, authorizeRule) && !updateAuthorizeRule((Collection) principalRules.get(ResourcePattern.ALL), str, action, authorizeRule) && !updateAuthorizeRule((Collection) principalRules.get(new ResourcePattern(ResourceType.ALL, name, PatternType.LITERAL)), str, action, authorizeRule)) {
                        // None of the literal lookups matched: scan PREFIXED patterns of the same type.
                        // The subMap bounds (full name .. first character, both inclusive) rely on
                        // ResourcePattern's natural ordering placing all candidate prefixes between
                        // them — TODO confirm the comparator; startsWith() is the actual prefix test.
                        // An empty name is skipped, which also avoids substring(0, 1) on "".
                        if (!name.isEmpty() && principalRules.subMap(new ResourcePattern(resourceType.name(), name, PatternType.PREFIXED), true, new ResourcePattern(resourceType.name(), name.substring(0, 1), PatternType.PREFIXED), true).entrySet().stream().filter(entry -> {
                            return name.startsWith(((ResourcePattern) entry.getKey()).name());
                        }).anyMatch(entry2 -> {
                            // anyMatch stops at the first prefixed rule set that yields an ALLOW match.
                            return updateAuthorizeRule((Collection) entry2.getValue(), str, action, authorizeRule);
                        })) {
                            return authorizeRule;
                        }
                    }
                    // Reached whether or not a match was found: this principal had rules in this
                    // scope, so the search ends here (remaining principals and parents are skipped).
                    return authorizeRule;
                }
            }
            scope2 = scope3.parent();
        }
    }

    /**
     * Records the first rule in {@code collection} that allows {@code action}'s
     * operation for host {@code str}.
     *
     * <p>Only {@link PermissionType#ALLOW} is passed to {@code AccessRule.matches},
     * so a DENY rule in the collection is never matched or recorded by this
     * method. Scanning stops at the first match; later rules are not inspected.
     *
     * @param collection candidate rules, may be null (treated as "no rules")
     * @param str        host string forwarded to {@code AccessRule.matches}
     * @param action     supplies the operation being checked
     * @param authorizeRule accumulator that receives the matching rule
     * @return true if a rule was added, false if none matched or the collection was null
     */
    private boolean updateAuthorizeRule(Collection<AccessRule> collection, String str, Action action, AuthorizeRule authorizeRule) {
        if (collection == null) {
            return false;
        }
        for (AccessRule accessRule : collection) {
            if (accessRule.matches(str, action.operation(), PermissionType.ALLOW)) {
                // addRuleIfNotExist de-duplicates; the exact contract is defined in AuthorizeRule.
                authorizeRule.addRuleIfNotExist(accessRule);
                return true;
            }
        }
        return false;
    }
}
