package io.confluent.rbacdb.kafka;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import io.confluent.rbacdb.config.DbAuthStoreConfig;
import io.confluent.rbacdb.exception.DbAuthStoreException;
import io.confluent.rbacdb.orm.RbacOrmService;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.store.cache.DefaultAuthCache;
import io.confluent.security.auth.store.data.AuthKey;
import io.confluent.security.auth.store.data.AuthValue;
import io.confluent.security.auth.store.data.RoleBindingKey;
import io.confluent.security.auth.store.data.RoleBindingValue;
import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import io.confluent.security.authorizer.utils.ThreadUtils;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.RoleBindingFilter;
import io.confluent.security.rbac.UserMetadata;
import java.io.Closeable;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.function.Predicate;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacdb/kafka/DbAuthCache.class */
public class DbAuthCache implements AuthCache, Closeable {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DbAuthCache.class);
    private final RbacOrmService rbacDBService;
    private final Scope rootScope;
    private final DbAuthCacheMetrics metrics;
    private final int readTimeoutSecs;
    private final RbacRoles rbacRoles;
    private final LoadingCache<KafkaPrincipal, DefaultAuthCache> perUserAuthCache;
    private final ThreadPoolExecutor executor;

    public DbAuthCache(Scope scope, DbAuthStoreConfig dbAuthStoreConfig, RbacOrmService rbacOrmService, Metrics metrics) {
        this(RbacRoles.loadDefaultPolicy(true), scope, dbAuthStoreConfig, rbacOrmService, metrics);
    }

    public DbAuthCache(RbacRoles rbacRoles, Scope scope, DbAuthStoreConfig dbAuthStoreConfig, RbacOrmService rbacOrmService, Metrics metrics) {
        this.rbacRoles = rbacRoles;
        this.rootScope = scope;
        this.rbacDBService = rbacOrmService;
        this.executor = new ThreadPoolExecutor(dbAuthStoreConfig.getInt(DbAuthStoreConfig.NUM_READER_POOL_THREADS_CONFIG).intValue(), dbAuthStoreConfig.getInt(DbAuthStoreConfig.NUM_READER_POOL_THREADS_CONFIG).intValue(), 30L, TimeUnit.SECONDS, new LinkedBlockingQueue(), ThreadUtils.createThreadFactory("mds-db-authcache-%d", true));
        this.readTimeoutSecs = dbAuthStoreConfig.getInt(DbAuthStoreConfig.DB_READ_TIMEOUT_SEC_CONFIG).intValue();
        this.perUserAuthCache = CacheBuilder.newBuilder().maximumSize(dbAuthStoreConfig.getInt(DbAuthStoreConfig.DB_AUTH_CACHE_MAX_SIZE_CONFIG).intValue()).expireAfterWrite(dbAuthStoreConfig.getInt(DbAuthStoreConfig.DB_AUTH_CACHE_TTL_MS_CONFIG).intValue(), TimeUnit.MILLISECONDS).recordStats().build(new CacheLoader<KafkaPrincipal, DefaultAuthCache>() { // from class: io.confluent.rbacdb.kafka.DbAuthCache.1
            @Override // com.google.common.cache.CacheLoader
            public DefaultAuthCache load(KafkaPrincipal kafkaPrincipal) {
                return DbAuthCache.this.loadPerUserAuthCache(kafkaPrincipal);
            }
        });
        this.metrics = new DbAuthCacheMetrics(metrics, "mds-db-authcache", this.executor, this.perUserAuthCache, rbacOrmService);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public DefaultAuthCache loadPerUserAuthCache(KafkaPrincipal kafkaPrincipal) {
        Set<RoleBinding> rbacRoleBindings = rbacRoleBindings(kafkaPrincipal);
        DefaultAuthCache defaultAuthCache = new DefaultAuthCache(this.rbacRoles, this.rootScope);
        for (RoleBinding roleBinding : rbacRoleBindings) {
            defaultAuthCache.put((AuthKey) new RoleBindingKey(roleBinding.principal(), roleBinding.role(), roleBinding.scope()), (AuthValue) new RoleBindingValue(roleBinding.resources()));
        }
        return defaultAuthCache;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public RbacRoles rbacRoles() {
        return this.rbacRoles;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(Scope scope) {
        return rbacRoleBindings(Collections.singleton(scope));
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(Set<Scope> set) {
        this.metrics.request().record();
        return handleFuture(CompletableFuture.supplyAsync(() -> {
            return this.rbacDBService.rbacRoleBindings((Set<Scope>) set);
        }, this.executor));
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(KafkaPrincipal kafkaPrincipal) {
        this.metrics.request().record();
        return handleFuture(CompletableFuture.supplyAsync(() -> {
            return this.rbacDBService.rbacRoleBindings(kafkaPrincipal);
        }, this.executor));
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(KafkaPrincipal kafkaPrincipal, Set<Scope> set) {
        this.metrics.request().record();
        return handleFuture(CompletableFuture.supplyAsync(() -> {
            return this.rbacDBService.rbacRoleBindings(kafkaPrincipal, set);
        }, this.executor));
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<RoleBinding> rbacRoleBindings(RoleBindingFilter roleBindingFilter) {
        this.metrics.request().record();
        return handleFuture(CompletableFuture.supplyAsync(() -> {
            return this.rbacDBService.rbacRoleBindings(roleBindingFilter);
        }, this.executor));
    }

    private Set<RoleBinding> handleFuture(CompletableFuture<Set<RoleBinding>> completableFuture) {
        try {
            return completableFuture.get(this.readTimeoutSecs, TimeUnit.SECONDS);
        } catch (InterruptedException | ExecutionException e) {
            this.metrics.requestError().record();
            log.error("Exception while RbacOrmService.rbacRoleBindings() call.", e);
            throw new DbAuthStoreException("RbacOrmService.rbacRoleBindings() call failed.", e);
        } catch (TimeoutException e2) {
            this.metrics.requestError().record();
            log.error("Timeout while RbacOrmService.rbacRoleBindings() call.", (Throwable) e2);
            throw new DbAuthStoreException("RbacOrmService.rbacRoleBindings() call failed becauseof a timeout in future.get().", e2);
        }
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<Scope> knownScopes() {
        this.metrics.request().record();
        RbacOrmService rbacOrmService = this.rbacDBService;
        rbacOrmService.getClass();
        try {
            return (Set) CompletableFuture.supplyAsync(rbacOrmService::knownScopes, this.executor).get(this.readTimeoutSecs, TimeUnit.SECONDS);
        } catch (InterruptedException | ExecutionException e) {
            this.metrics.requestError().record();
            log.error("Exception while RbacOrmService.knownScopes() call.", e);
            throw new DbAuthStoreException("RbacOrmService.knownScopes() call failed.", e);
        } catch (TimeoutException e2) {
            this.metrics.requestError().record();
            log.error("Timeout while RbacOrmService.knownScopes() call.", (Throwable) e2);
            throw new DbAuthStoreException("RbacOrmService.knownScopes() call failed becauseof a timeout in future.get().", e2);
        }
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Scope rootScope() {
        return this.rootScope;
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Set<KafkaPrincipal> groups(KafkaPrincipal kafkaPrincipal) {
        return Collections.emptySet();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public UserMetadata userMetadata(KafkaPrincipal kafkaPrincipal) {
        throw new UnsupportedOperationException();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Map<KafkaPrincipal, UserMetadata> users() {
        throw new UnsupportedOperationException();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        try {
            this.metrics.findRuleInvocation().record();
            return this.perUserAuthCache.get(kafkaPrincipal).findRule(kafkaPrincipal, set, str, action);
        } catch (ExecutionException e) {
            log.warn("Failure while getting perUserAuthCache.", (Throwable) e);
            return new AuthorizeRule();
        }
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        throw new UnsupportedOperationException();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public AuthCache.Result healthcheck() {
        try {
            this.rbacDBService.healthcheck();
            return AuthCache.Result.healthy();
        } catch (Exception e) {
            return AuthCache.Result.unhealthy(e.getMessage());
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.executor.shutdown();
        this.metrics.close();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Collection<AclBinding> aclBindings(Scope scope, AclBindingFilter aclBindingFilter, Predicate<ResourcePattern> predicate) {
        throw new UnsupportedOperationException();
    }

    @Override // io.confluent.security.auth.metadata.AuthCache
    public Map<ResourcePattern, Set<AccessRule>> aclRules(Scope scope) {
        throw new UnsupportedOperationException();
    }
}
