package io.confluent.kafka.multitenant.authorizer;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.security.authorizer.acl.AclProvider;
import io.confluent.kafka.security.authorizer.acl.ExtendedAccessRuleProvider;
import io.confluent.kafka.security.authorizer.acl.StandardAclProvider;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import java.io.IOException;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletionStage;
import kafka.security.authorizer.AclEntry;
import kafka.server.KafkaConfig;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/TenantAclProvider.class */
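/**
 * Access-rule provider for multi-tenant clusters. It expands the authenticated principal into
 * the set of principals whose ACLs may apply, then delegates every lookup to an underlying
 * {@link ExtendedAccessRuleProvider}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #matchingPrincipals} decides which wildcard ACLs a request can match, so it is
 *       where tenants are kept apart. A principal with a non-empty tenant prefix is matched
 *       against a tenant-scoped wildcard principal; any other principal is matched against
 *       the cluster-wide wildcard principal.</li>
 *   <li>Group principals are rejected outright rather than silently ignored.</li>
 * </ul>
 *
 * <p>No synchronization is performed here; thread-safety depends on the delegate.
 */
public class TenantAclProvider implements AccessRuleProvider {
    // Delegate that stores and evaluates ACLs; chosen in configure() unless injected.
    private ExtendedAccessRuleProvider underlying;
    // When true, ACLs bound to "<tenantPrefix><userResourceId>" are also matched.
    private boolean supportUserResourceId;

    /** Creates an unconfigured provider; the delegate is chosen in {@link #configure(Map)}. */
    public TenantAclProvider() {
    }

    /**
     * Creates a provider around a caller-supplied delegate (package-private).
     *
     * @param extendedAccessRuleProvider delegate used instead of the one configure() would pick
     */
    TenantAclProvider(ExtendedAccessRuleProvider extendedAccessRuleProvider) {
        this.underlying = extendedAccessRuleProvider;
    }

    /**
     * Reads the user-resource-id flag, selects the delegate if none was injected, and
     * configures the delegate with the same map.
     *
     * @param map provider configuration
     */
    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        // Accept either a String or an already-parsed Boolean. A blind (String) cast would
        // abort configuration with a ClassCastException on a Boolean value.
        Object flag = map.get(ConfluentConfigs.SUPPORT_USER_RESOURCE_ID_IN_ACL);
        this.supportUserResourceId = flag != null && Boolean.parseBoolean(flag.toString());

        if (this.underlying == null) {
            // NOTE(review): assumes the process-roles value arrives as a String; a parsed
            // list value would fail this cast. Confirm what the caller passes.
            String processRoles = (String) map.get(KafkaConfig.ProcessRolesProp());
            boolean rolesUnset = processRoles == null || processRoles.isEmpty();
            // Unset process roles selects AclProvider, anything else StandardAclProvider.
            this.underlying = rolesUnset ? new AclProvider() : new StandardAclProvider();
        }
        this.underlying.configure(map);
    }

    /**
     * Starts the delegate.
     *
     * @return the delegate's start-up completion stage
     */
    @Override // io.confluent.security.authorizer.provider.Provider
    public CompletionStage<Void> start(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo, Map<String, ?> map) {
        return this.underlying.start(confluentAuthorizerServerInfo, map);
    }

    /** @return the name of the built-in {@code MULTI_TENANT} access-rule provider */
    @Override // io.confluent.security.authorizer.provider.Provider
    public String providerName() {
        return ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name();
    }

    /**
     * Builds the set of principals whose ACLs apply to {@code kafkaPrincipal}.
     *
     * <p>The set always holds the base principal plus one wildcard principal. The wildcard is
     * tenant-scoped when the tenant prefix is non-empty, otherwise it is the cluster-wide
     * wildcard. If user-resource-id matching is enabled and the tenant metadata carries a
     * user resource id, a principal named {@code tenantPrefix + userResourceId} is added.
     *
     * @param kafkaPrincipal authenticated principal
     * @param set group principals; must be empty
     * @return mutable set of principals to match ACLs against
     * @throws UnsupportedOperationException if any group principal is supplied
     */
    private Set<KafkaPrincipal> matchingPrincipals(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set) {
        if (!set.isEmpty()) {
            throw new UnsupportedOperationException("Groups are not supported for TenantAclProvider");
        }
        MultiTenantPrincipal tenantPrincipal =
                kafkaPrincipal instanceof MultiTenantPrincipal ? (MultiTenantPrincipal) kafkaPrincipal : null;
        String tenantPrefix = tenantPrincipal != null ? tenantPrincipal.tenantMetadata().tenantPrefix() : "";

        // NOTE(review): an empty prefix selects the cluster-wide wildcard even when the
        // principal IS a MultiTenantPrincipal. Confirm that tenant principals can never carry
        // an empty prefix, otherwise they would match ACLs granted to the global wildcard.
        KafkaPrincipal wildcard = tenantPrefix.isEmpty()
                ? AclEntry.WildcardPrincipal()
                : new KafkaPrincipal(MultiTenantPrincipal.TENANT_WILDCARD_USER_TYPE, tenantPrefix);
        Set<KafkaPrincipal> principals = Utils.mkSet(AccessRule.asBaseKafkaPrincipal(kafkaPrincipal), wildcard);

        if (this.supportUserResourceId && tenantPrincipal != null) {
            String userResourceId = tenantPrincipal.tenantMetadata().userResourceId;
            if (userResourceId != null) {
                // The name is tenant-prefixed, so it can only match ACLs stored with the
                // same tenant prefix.
                principals.add(new KafkaPrincipal(
                        kafkaPrincipal.getPrincipalType(),
                        tenantPrincipal.tenantMetadata().tenantPrefix() + userResourceId));
            }
        }
        return principals;
    }

    /** Delegates the super-user decision unchanged; no tenant expansion is applied here. */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, Scope scope) {
        return this.underlying.isSuperUser(kafkaPrincipal, scope);
    }

    /**
     * Finds the rule for {@code action} using the tenant-expanded principal set.
     *
     * @throws UnsupportedOperationException if {@code set} (group principals) is not empty
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        Set<KafkaPrincipal> principals = matchingPrincipals(kafkaPrincipal, set);
        return this.underlying.findRule(principals, str, action);
    }

    /**
     * Adds the delegate's matching rules for the tenant-expanded principal set to
     * {@code resourceAuthorizeRules}.
     *
     * @throws UnsupportedOperationException if {@code set} (group principals) is not empty
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        Set<KafkaPrincipal> principals = matchingPrincipals(kafkaPrincipal, set);
        this.underlying.addMatchingRules(resourceAuthorizeRules, principals, str, operation, scope, resourceType);
    }

    /**
     * Always {@code true}.
     * NOTE(review): presumably tells the authorizer that this provider can return DENY
     * rules; confirm against the AccessRuleProvider contract.
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean mayDeny() {
        return true;
    }

    /** @return whatever the delegate reports */
    @Override // io.confluent.security.authorizer.provider.Provider
    public boolean usesMetadataFromThisKafkaCluster() {
        return this.underlying.usesMetadataFromThisKafkaCluster();
    }

    /** @return the delegate's authorizer view, if it has one */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public Optional<Authorizer> asAuthorizer() {
        return this.underlying.asAuthorizer();
    }

    /**
     * Closes the delegate and drops the reference to it. Calling this again, or before a
     * delegate exists, is a no-op rather than a NullPointerException.
     *
     * @throws IOException if the delegate fails to close; the reference is kept in that case
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        ExtendedAccessRuleProvider delegate = this.underlying;
        if (delegate == null) {
            return;
        }
        delegate.close();
        this.underlying = null;
    }
}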
