package io.confluent.security.auth.dataplane;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.provider.ConfluentProvider;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;

/* loaded from: input_file:io/confluent/security/auth/dataplane/DataplaneProvider.class */
/**
 * {@link ConfluentProvider} variant registered under {@link #PROVIDER_NAME}.
 *
 * <p>As written here, the provider always reports itself as configured, advertises no metadata
 * server listeners, scopes its auth store at {@link Scope#ROOT_SCOPE}, reports that it never
 * denies, and returns no groups for any principal. For {@link MultiTenantPrincipal}s the tenant
 * prefix is stripped from the resource name before a rule lookup is delegated to the superclass.
 */
public class DataplaneProvider extends ConfluentProvider {
    public static final String PROVIDER_NAME = "CC_DATAPLANE_PLANE_MDS";

    /** Returns the fixed provider name, {@link #PROVIDER_NAME}. */
    @Override
    public String providerName() {
        return PROVIDER_NAME;
    }

    /**
     * Always reports the provider as configured; the supplied config map is not inspected.
     *
     * @param map provider configuration (ignored)
     * @return {@code true} unconditionally
     */
    @Override
    public boolean providerConfigured(Map<String, ?> map) {
        return true;
    }

    /** Returns {@code true} unconditionally. */
    @Override
    public boolean usesMetadataFromThisKafkaCluster() {
        return true;
    }

    /**
     * Builds a {@link DataplaneAuthStore} for the given scope and server info, then configures it.
     *
     * @param scope scope handed to the store constructor
     * @param confluentAuthorizerServerInfo server info handed to the store constructor
     * @param map configuration passed to {@code configure}
     * @return the configured store
     */
    @Override
    protected AuthStore createAuthStore(Scope scope, ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo, Map<String, ?> map) {
        DataplaneAuthStore store = new DataplaneAuthStore(scope, confluentAuthorizerServerInfo);
        store.configure(map);
        return store;
    }

    /** Returns an empty list: this provider advertises no metadata server listeners. */
    @Override
    protected List<URL> metadataServerAdvertisedListeners() {
        return Collections.emptyList();
    }

    /** Returns {@link Scope#ROOT_SCOPE} as the scope of the auth store. */
    @Override
    public Scope authStoreScope() {
        return Scope.ROOT_SCOPE;
    }

    /** Returns {@code false} unconditionally. */
    @Override
    public boolean mayDeny() {
        return false;
    }

    /**
     * Looks up the rule for an action, normalising the resource name for tenant principals first.
     *
     * <p>If {@code kafkaPrincipal} is a {@link MultiTenantPrincipal}, the action is rebuilt with
     * the tenant prefix (taken from the principal's tenant metadata) removed from its resource
     * name, and the lookup is delegated to the superclass with that rebuilt action. Any other
     * principal is delegated with the action untouched.
     *
     * @param kafkaPrincipal principal the lookup is for
     * @param set passed through to the superclass (presumably the principal's groups; confirm
     *     against {@code ConfluentProvider})
     * @param str passed through to the superclass (presumably the client host; confirm against
     *     {@code ConfluentProvider})
     * @param action action being authorized
     * @return whatever the superclass lookup returns
     */
    @Override
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        if (!(kafkaPrincipal instanceof MultiTenantPrincipal)) {
            return super.findRule(kafkaPrincipal, set, str, action);
        }
        MultiTenantPrincipal tenantPrincipal = (MultiTenantPrincipal) kafkaPrincipal;
        String tenantPrefix = tenantPrincipal.tenantMetadata().tenantPrefix();
        return super.findRule(kafkaPrincipal, set, str, removeTenantPrefixIfPresent(action, tenantPrefix));
    }

    /**
     * Copies {@code action}, dropping {@code tenantPrefix} from the front of its resource name.
     *
     * <p>Scope, resource type, pattern type, operation, reference count and both logging flags are
     * carried over unchanged.
     *
     * <p>NOTE(review): a resource name that does not start with the prefix is kept as-is, so the
     * rule lookup then runs against the unstripped name. Confirm that callers guarantee tenant
     * principals only ever present prefixed names. Also assumes {@code tenantPrefix} is non-null;
     * {@code startsWith(null)} would throw.
     */
    private Action removeTenantPrefixIfPresent(Action action, String tenantPrefix) {
        String fullName = action.resourceName();
        String localName = fullName;
        if (fullName.startsWith(tenantPrefix)) {
            localName = fullName.substring(tenantPrefix.length());
        }
        ResourcePattern strippedPattern =
                new ResourcePattern(action.resourceType(), localName, action.resourcePattern().patternType());
        return new Action(
                action.scope(),
                strippedPattern,
                action.operation(),
                action.resourceReferenceCount(),
                action.logIfAllowed(),
                action.logIfDenied());
    }

    /**
     * Delegates to the superclass with every argument passed through unchanged.
     *
     * <p>Unlike {@link #findRule}, no tenant-prefix handling happens here; this signature carries
     * no resource name to normalise.
     */
    @Override
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        super.addMatchingRules(resourceAuthorizeRules, kafkaPrincipal, set, str, operation, scope, resourceType);
    }

    /**
     * Returns an empty set for every principal: this provider contributes no group memberships.
     *
     * @param kafkaPrincipal principal being queried (ignored)
     * @return an empty set
     */
    @Override
    public Set<KafkaPrincipal> groups(KafkaPrincipal kafkaPrincipal) {
        return Collections.emptySet();
    }
}
