package io.confluent.security.auth.store.cache;

import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.rbac.RbacRoles;
import java.util.Set;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/security/auth/store/cache/DefaultAuthCache.class */
/**
 * Authorization cache whose {@link #findRule} consults the ACL rule store first and the RBAC rule
 * store second.
 *
 * <p>A deny from the ACL store is final: the RBAC store is not queried in that case, so an RBAC
 * role binding cannot override an ACL deny through this class.
 */
public class DefaultAuthCache extends AbstractAuthCache {

    /**
     * Creates a cache backed by caller-supplied rule stores.
     *
     * <p>NOTE(review): which of the two stores the superclass treats as the ACL store and which as
     * the RBAC store is decided in {@code AbstractAuthCache}, not here; confirm the order there
     * before relying on it.
     *
     * @param rbacRoles role definitions, passed through to the superclass
     * @param scope scope of this cache, passed through to the superclass
     * @param scopeAccessRuleStore first rule store handed to the superclass
     * @param scopeAccessRuleStore2 second rule store handed to the superclass
     */
    public DefaultAuthCache(
            RbacRoles rbacRoles,
            Scope scope,
            ScopeAccessRuleStore scopeAccessRuleStore,
            ScopeAccessRuleStore scopeAccessRuleStore2) {
        super(rbacRoles, scope, scopeAccessRuleStore, scopeAccessRuleStore2);
    }

    /**
     * Creates a cache with two fresh, separate {@link ScopeAccessRuleStore} instances.
     *
     * @param rbacRoles role definitions, passed through to the superclass
     * @param scope scope of this cache, passed through to the superclass
     */
    public DefaultAuthCache(RbacRoles rbacRoles, Scope scope) {
        super(rbacRoles, scope, new ScopeAccessRuleStore(), new ScopeAccessRuleStore());
    }

    /**
     * Finds the rule that decides {@code action} for the given principals.
     *
     * <p>Overrides the method declared by {@code AbstractAuthCache} / {@code AuthCache}. The ACL
     * lookup also matches the wildcard user and wildcard group principals; the RBAC lookup passes
     * {@code null} for both wildcards, so only the principals supplied by the caller take part in
     * RBAC matching.
     *
     * @param kafkaPrincipal the principal being authorized
     * @param set additional principals matched alongside {@code kafkaPrincipal} (presumably its
     *     groups; confirm against the caller)
     * @param str passed unchanged to both rule stores (presumably the client host; confirm against
     *     {@code AuthCache})
     * @param action the action to authorize; its scope must lie within this cache's root scope
     * @return the ACL lookup result, with the RBAC lookup result merged into it unless the ACL
     *     result is a deny
     * @throws InvalidScopeException if the root scope does not contain the action's scope
     */
    @Override
    public AuthorizeRule findRule(
            KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        ensureNotFailed();

        // Refuse to answer for a scope this cache does not hold, rather than report "no rule".
        boolean scopeCovered = rootScope.containsScope(action.scope());
        if (!scopeCovered) {
            throw new InvalidScopeException("This authorization cache does not contain scope " + action.scope());
        }

        AuthorizeRule aclResult = aclAccessRuleStore.findMatchingRule(
                AccessRule.matchingPrincipals(
                        kafkaPrincipal,
                        set,
                        AccessRule.WILDCARD_USER_PRINCIPAL,
                        AccessRule.WILDCARD_GROUP_PRINCIPAL),
                str,
                action);

        // An ACL deny is final, so the RBAC store is not consulted at all in that case.
        if (aclResult.deny()) {
            return aclResult;
        }

        // The RBAC result is merged into the ACL result object, which is what gets returned.
        aclResult.add(
                rbacAccessRuleStore.findMatchingRule(
                        AccessRule.matchingPrincipals(kafkaPrincipal, set, null, null),
                        str,
                        action));
        return aclResult;
    }
}
