package io.confluent.security.auth.store.cache;

import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.NavigableMap;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.stream.Collectors;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/security/auth/store/cache/ScopePrincipalAccessRuleStore.class */
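/**
 * Stores access rules in a three-level index: scope, then principal, then resource pattern,
 * ending in a set of {@link AccessRule}s.
 *
 * <p>The no-arg constructor backs the index with concurrent maps, and every nested map or set
 * this class creates is a concurrent collection. Individual reads and writes are therefore safe
 * across threads, but the compound operations ({@link #update}, {@link #remove},
 * {@link #removeDeletedAccessRules}) are not atomic as a whole.
 */
public class ScopePrincipalAccessRuleStore implements AccessRuleStore {
    /** Shared immutable "no rules" result; callers must not try to modify it. */
    private static final NavigableMap<ResourcePattern, Set<AccessRule>> NO_RULES = Collections.emptyNavigableMap();
    private final Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> accessRules;

    /** Creates an empty store backed by a {@link ConcurrentHashMap}. */
    public ScopePrincipalAccessRuleStore() {
        this(new ConcurrentHashMap<>());
    }

    /**
     * Creates a store on top of a caller-supplied index.
     *
     * @param map backing index; it is used directly, not copied, so its concurrency guarantees
     *            become those of this store
     */
    public ScopePrincipalAccessRuleStore(Map<Scope, Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>>> map) {
        this.accessRules = map;
    }

    /**
     * Returns the scopes that currently have an entry in the store.
     *
     * @return the live key-set view of the backing map, not a snapshot
     */
    @Override
    public Set<Scope> knownScopes() {
        return this.accessRules.keySet();
    }

    /**
     * Merges the rules of every principal in {@code scope} into one map keyed by resource pattern.
     *
     * @param scope scope to look up
     * @return a newly built map holding copies of the rule sets, or an immutable empty map when
     *         the scope is unknown
     */
    @Override
    public NavigableMap<ResourcePattern, Set<AccessRule>> get(Scope scope) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> byPrincipal = this.accessRules.get(scope);
        if (byPrincipal == null) {
            return NO_RULES;
        }
        NavigableMap<ResourcePattern, Set<AccessRule>> merged = new ConcurrentSkipListMap<>();
        for (NavigableMap<ResourcePattern, Set<AccessRule>> principalRules : byPrincipal.values()) {
            principalRules.forEach((pattern, rules) ->
                    merged.computeIfAbsent(pattern, p -> ConcurrentHashMap.newKeySet()).addAll(rules));
        }
        return merged;
    }

    /** Returns the live rule map of one principal in one scope, or {@link #NO_RULES} if absent. */
    private NavigableMap<ResourcePattern, Set<AccessRule>> getPrincipalRules(Scope scope, KafkaPrincipal kafkaPrincipal) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> byPrincipal = this.accessRules.get(scope);
        return byPrincipal == null ? NO_RULES : byPrincipal.getOrDefault(kafkaPrincipal, NO_RULES);
    }

    /**
     * Adds rules for one principal in one scope, creating the scope and principal entries on demand.
     * Existing rules for the same resource patterns are kept; the new ones are added to them.
     *
     * @param scope          scope the rules belong to
     * @param kafkaPrincipal principal the rules belong to
     * @param map            rules to add, keyed by resource pattern
     */
    @Override
    public void add(Scope scope, KafkaPrincipal kafkaPrincipal, Map<ResourcePattern, Set<AccessRule>> map) {
        NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = this.accessRules
                .computeIfAbsent(scope, s -> new ConcurrentHashMap<>())
                .computeIfAbsent(kafkaPrincipal, p -> new ConcurrentSkipListMap<>());
        map.forEach((pattern, rules) ->
                principalRules.computeIfAbsent(pattern, p -> ConcurrentHashMap.newKeySet()).addAll(rules));
    }

    /**
     * Replaces all rules stored for {@code resourcePattern} in {@code scope} with {@code set}.
     *
     * <p>The replacement is not atomic: the old rule sets are cleared before the new rules are
     * added, so a concurrent reader may briefly see fewer rules than either the old or new state.
     *
     * @param scope           scope to update; an entry is created if none exists
     * @param resourcePattern resource pattern whose rules are replaced
     * @param set             new rules, distributed to principals by {@link AccessRule#principal()}
     */
    @Override
    public void update(Scope scope, ResourcePattern resourcePattern, Set<AccessRule> set) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> byPrincipal =
                this.accessRules.computeIfAbsent(scope, s -> new ConcurrentHashMap<>());
        for (NavigableMap<ResourcePattern, Set<AccessRule>> principalRules : byPrincipal.values()) {
            Set<AccessRule> existing = principalRules.get(resourcePattern);
            // A principal with no rules for this pattern has no set to clear; the recovered code
            // called clear() on the null lookup result and threw NullPointerException here.
            if (existing != null) {
                existing.clear();
            }
        }
        set.stream().collect(Collectors.groupingBy(AccessRule::principal)).forEach((principal, rules) -> {
            Set<AccessRule> target = byPrincipal
                    .computeIfAbsent(principal, p -> new ConcurrentSkipListMap<>())
                    .computeIfAbsent(resourcePattern, p -> ConcurrentHashMap.newKeySet());
            target.clear();
            target.addAll(rules);
        });
    }

    /**
     * Removes the rules stored for {@code resourcePattern} from every principal in {@code scope}.
     *
     * @param scope           scope to remove from
     * @param resourcePattern resource pattern whose rules are removed
     * @return the removed rules, or {@code null} when the scope is unknown or nothing was removed
     */
    @Override
    public Set<AccessRule> remove(Scope scope, ResourcePattern resourcePattern) {
        Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> byPrincipal = this.accessRules.get(scope);
        if (byPrincipal == null) {
            return null;
        }
        Set<AccessRule> removed = new HashSet<>();
        for (NavigableMap<ResourcePattern, Set<AccessRule>> principalRules : byPrincipal.values()) {
            // Map.remove returns the previous value, so lookup and removal are a single step.
            Set<AccessRule> rules = principalRules.remove(resourcePattern);
            if (rules != null) {
                removed.addAll(rules);
            }
        }
        return removed.isEmpty() ? null : removed;
    }

    /**
     * Looks for an ALLOW rule that matches {@code action} for any of the given principals,
     * starting at the action's scope and walking up through its parent scopes.
     *
     * <p>For each principal the candidates are tried in this order: the exact resource pattern,
     * the "all resources of this type" pattern, {@link ResourcePattern#ALL}, a LITERAL pattern
     * with resource type ALL and the same name, and finally PREFIXED patterns of the same type.
     * The search stops at the first match.
     *
     * <p>Only ALLOW rules are considered here (see {@link #updateAuthorizeRule}); DENY handling
     * is not part of this method.
     *
     * @param set    principals to check
     * @param str    passed through as the first argument of {@code AccessRule.matches}
     *               (presumably the client host; confirm against the interface)
     * @param action action being authorized; supplies scope, resource pattern and operation
     * @return a new {@link AuthorizeRule} holding the matching rule, or no rule if none matched
     */
    @Override
    public AuthorizeRule findMatchingRule(Set<KafkaPrincipal> set, String str, Action action) {
        ResourcePattern resourcePattern = action.resourcePattern();
        AuthorizeRule authorizeRule = new AuthorizeRule();
        authorizeRule.noResourceAcls(false);
        for (Scope scope = action.scope(); scope != null; scope = scope.parent()) {
            for (KafkaPrincipal principal : set) {
                NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = getPrincipalRules(scope, principal);
                if (principalRules.isEmpty()) {
                    continue;
                }
                String name = resourcePattern.name();
                ResourceType resourceType = resourcePattern.resourceType();
                if (updateAuthorizeRule(principalRules.get(resourcePattern), str, action, authorizeRule)
                        || updateAuthorizeRule(principalRules.get(ResourcePattern.all(resourceType)), str, action, authorizeRule)
                        || updateAuthorizeRule(principalRules.get(ResourcePattern.ALL), str, action, authorizeRule)
                        || updateAuthorizeRule(principalRules.get(new ResourcePattern(ResourceType.ALL, name, PatternType.LITERAL)), str, action, authorizeRule)) {
                    return authorizeRule;
                }
                if (!name.isEmpty()) {
                    // The sub-map bounds only narrow the candidates; startsWith() is the real test.
                    // NOTE(review): the test looks at the pattern name only, so it relies on this
                    // range holding PREFIXED patterns exclusively. That depends on ResourcePattern's
                    // ordering, which is not visible in this file; confirm.
                    ResourcePattern from = new ResourcePattern(resourceType.name(), name, PatternType.PREFIXED);
                    ResourcePattern to = new ResourcePattern(resourceType.name(), name.substring(0, 1), PatternType.PREFIXED);
                    for (Map.Entry<ResourcePattern, Set<AccessRule>> entry : principalRules.subMap(from, true, to, true).entrySet()) {
                        if (name.startsWith(entry.getKey().name())
                                && updateAuthorizeRule(entry.getValue(), str, action, authorizeRule)) {
                            return authorizeRule;
                        }
                    }
                }
                // No match for this principal: fall through to the next principal, then to the
                // parent scope, the same walk addMatchingRules performs. The recovered source
                // returned here unconditionally, so the first principal with any rules ended the
                // search and bindings on other principals or ancestor scopes were never consulted.
                // NOTE(review): this decides which ALLOW rules the authorizer sees; confirm the
                // fall-through against the upstream source.
            }
        }
        return authorizeRule;
    }

    /**
     * Collects every rule of the given resource type that matches {@code str} and
     * {@code operation} with either DENY or ALLOW, across all given principals, starting at
     * {@code scope} and walking up through its parent scopes.
     *
     * @param resourceAuthorizeRules accumulator that receives the matching rules
     * @param scope                  scope to start from
     * @param set                    principals to check
     * @param str                    passed through as the first argument of {@code AccessRule.matches}
     * @param operation              operation the rules must match
     * @param resourceType           only patterns of exactly this resource type are considered
     */
    @Override
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, Scope scope, Set<KafkaPrincipal> set, String str, Operation operation, ResourceType resourceType) {
        for (Scope current = scope; current != null; current = current.parent()) {
            for (KafkaPrincipal principal : set) {
                for (Map.Entry<ResourcePattern, Set<AccessRule>> entry : getPrincipalRules(current, principal).entrySet()) {
                    if (!resourceType.equals(entry.getKey().resourceType())) {
                        continue;
                    }
                    for (AccessRule accessRule : entry.getValue()) {
                        if (accessRule.matches(str, operation, PermissionType.DENY)
                                || accessRule.matches(str, operation, PermissionType.ALLOW)) {
                            resourceAuthorizeRules.addRuleIfNotExist(accessRule);
                        }
                    }
                }
            }
        }
    }

    /**
     * Counts the rules held across all scopes, principals and resource patterns.
     *
     * @return the total number of stored rules
     */
    @Override
    public long ruleCount() {
        // Accumulate in a long: the return type is long and an int counter could overflow.
        long count = 0;
        for (Map<KafkaPrincipal, NavigableMap<ResourcePattern, Set<AccessRule>>> byPrincipal : this.accessRules.values()) {
            for (NavigableMap<ResourcePattern, Set<AccessRule>> principalRules : byPrincipal.values()) {
                for (Set<AccessRule> rules : principalRules.values()) {
                    count += rules.size();
                }
            }
        }
        return count;
    }

    /**
     * Removes from one principal's stored rules everything that is not present in {@code map}.
     * Resource patterns whose rule set becomes empty are dropped.
     *
     * <p>The recovered source reused one variable name for two different sets inside each lambda.
     * It is read here as "snapshot minus {@code map} = rules to delete", the only reading that
     * neither mutates the caller's map nor is a no-op.
     *
     * @param scope          scope of the principal
     * @param kafkaPrincipal principal whose rules are pruned
     * @param map            rules that should remain, keyed by resource pattern
     */
    @Override
    public void removeDeletedAccessRules(Scope scope, KafkaPrincipal kafkaPrincipal, Map<ResourcePattern, Set<AccessRule>> map) {
        NavigableMap<ResourcePattern, Set<AccessRule>> principalRules = getPrincipalRules(scope, kafkaPrincipal);
        if (principalRules.isEmpty()) {
            return;
        }
        // Work from a snapshot so that rules added concurrently after this point are not
        // mistaken for deleted ones.
        Map<ResourcePattern, Set<AccessRule>> deleted = new HashMap<>();
        principalRules.forEach((pattern, rules) -> deleted.put(pattern, new HashSet<>(rules)));
        map.forEach((pattern, retained) -> {
            Set<AccessRule> stale = deleted.get(pattern);
            if (stale != null) {
                stale.removeAll(retained);
            }
        });
        deleted.forEach((pattern, stale) -> {
            Set<AccessRule> live = principalRules.get(pattern);
            if (live != null) {
                live.removeAll(stale);
                if (live.isEmpty()) {
                    principalRules.remove(pattern);
                }
            }
        });
    }

    /**
     * Adds the first ALLOW rule in {@code rules} that matches the action to {@code authorizeRule}.
     *
     * @param rules         candidate rules; {@code null} is treated as "no candidates"
     * @param host          passed through as the first argument of {@code AccessRule.matches}
     * @param action        action supplying the operation to match
     * @param authorizeRule result object that receives the matching rule
     * @return {@code true} if a matching ALLOW rule was found and recorded
     */
    private boolean updateAuthorizeRule(Collection<AccessRule> rules, String host, Action action, AuthorizeRule authorizeRule) {
        if (rules == null) {
            return false;
        }
        for (AccessRule accessRule : rules) {
            if (accessRule.matches(host, action.operation(), PermissionType.ALLOW)) {
                authorizeRule.addRuleIfNotExist(accessRule);
                return true;
            }
        }
        return false;
    }
}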
