package io.confluent.kafka.security.authorizer.acl;

import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.metadata.authorizer.StandardAcl;
import org.apache.kafka.metadata.authorizer.StandardAuthorizer;
import org.apache.kafka.metadata.authorizer.StandardAuthorizerData;
import org.apache.kafka.server.authorizer.Authorizer;

/* loaded from: input_file:io/confluent/kafka/security/authorizer/acl/StandardAclProvider.class */
public class StandardAclProvider implements ExtendedAccessRuleProvider {
    private StandardAuthorizer authorizer;

    public StandardAclProvider() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public StandardAclProvider(StandardAuthorizer standardAuthorizer) {
        this.authorizer = standardAuthorizer;
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.authorizer = new StandardAuthorizer();
        this.authorizer.configure(map);
    }

    @Override // io.confluent.security.authorizer.provider.Provider
    public String providerName() {
        return ConfluentBuiltInProviders.AccessRuleProviders.KRAFT_ACL.name();
    }

    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean mayDeny() {
        return true;
    }

    @Override // io.confluent.security.authorizer.provider.Provider
    public boolean usesMetadataFromThisKafkaCluster() {
        return true;
    }

    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, Scope scope) {
        return false;
    }

    @Override // io.confluent.kafka.security.authorizer.acl.ExtendedAccessRuleProvider
    public AuthorizeRule findRule(Set<KafkaPrincipal> set, String str, Action action) {
        StandardAuthorizerData.MatchingAclRule findRule = this.authorizer.findRule(set, str, new org.apache.kafka.server.authorizer.Action(AclMapper.aclOperation(action.operation()), ResourcePattern.to(action.resourcePattern()), action.resourceReferenceCount(), action.logIfAllowed(), action.logIfDenied()));
        AuthorizeRule authorizeRule = new AuthorizeRule();
        if (findRule != null) {
            authorizeRule.addRuleIfNotExist(AclMapper.accessRule(findRule.acl()));
        }
        return authorizeRule;
    }

    @Override // io.confluent.kafka.security.authorizer.acl.ExtendedAccessRuleProvider
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        Iterator<StandardAcl> it = this.authorizer.findRulesByResourceType(SecurityUtils.resourceType(resourceType.name()), SecurityUtils.operation(operation.name()), set, str).iterator();
        while (it.hasNext()) {
            resourceAuthorizeRules.addRuleIfNotExist(AclMapper.accessRule(it.next()));
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        this.authorizer.close();
    }

    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public Optional<Authorizer> asAuthorizer() {
        return Optional.of(this.authorizer);
    }
}
