package io.confluent.rbacapi.services;

import io.confluent.rbacapi.entities.ClusterInfo;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/services/ClusterRegistryGatekeeper.class */
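/**
 * Decides what a principal may read or change in the cluster registry.
 *
 * <p>Every decision is an authorization query for the single literal resource
 * {@code ClusterRegistry:cluster-registry}. Per-cluster checks are evaluated in the scope of
 * the cluster in question; the {@code BootstrapCluster} check is evaluated in the scope built
 * from the cluster id handed to the constructor.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A principal that is allowed {@code BootstrapCluster} in the constructor's scope is
 *       treated as allowed for <em>every</em> scope passed to {@link #canWrite} and for a
 *       full read of every cluster, without any per-scope query. That permission is therefore
 *       registry-wide in effect.</li>
 *   <li>A principal without {@code Describe} on a cluster still receives that cluster from
 *       {@link #filterClusterInfosBasedOnReadAuthorization}, in redacted form, if it holds any
 *       role binding in that cluster's scope.</li>
 *   <li>Authorizer results are matched to requests by position. A missing or wrongly sized
 *       result list is treated as a denial, so a misbehaving authorizer cannot cause a
 *       decision to be applied to the wrong scope.</li>
 * </ul>
 */
public class ClusterRegistryGatekeeper {
    private static final Operation ALTER_OP = new Operation("Alter");
    private static final Operation DESCRIBE_OP = new Operation("Describe");
    private static final Operation BOOTSTRAP_CLUSTER_OP = new Operation("BootstrapCluster");
    private static final ResourcePattern CLUSTER_REG_RP = new ResourcePattern(new ResourceType("ClusterRegistry"), "cluster-registry", PatternType.LITERAL);
    private final Authorizer authorizer;
    private final AuthCache authCache;
    private final Scope mdsScope;

    /**
     * @param authorizer authorizer that answers every permission query made by this class
     * @param authCache cache consulted for the principal's role bindings
     * @param str Kafka cluster id used to build the scope in which {@code BootstrapCluster}
     *     is checked (passed to {@code Scope.kafkaClusterScope})
     */
    public ClusterRegistryGatekeeper(Authorizer authorizer, AuthCache authCache, String str) {
        this.authorizer = authorizer;
        this.authCache = authCache;
        this.mdsScope = Scope.kafkaClusterScope(str);
    }

    /**
     * Reports, per scope, whether the principal may modify the registry entry.
     *
     * @param kafkaPrincipal principal being checked
     * @param list scopes to check
     * @return a mutable list with one decision per scope, in the order of {@code list}; all
     *     {@code true} when the principal holds {@code BootstrapCluster}, otherwise the
     *     result of an {@code Alter} query in each scope
     */
    public List<Boolean> canWrite(KafkaPrincipal kafkaPrincipal, List<Scope> list) {
        if (hasBootstrapClusterAbility(kafkaPrincipal)) {
            return uniformDecisions(list.size(), true);
        }
        return authorizeScopeOperation(kafkaPrincipal, ALTER_OP, list);
    }

    /**
     * Single-scope form of {@link #canWrite(KafkaPrincipal, List)}.
     *
     * @param kafkaPrincipal principal being checked
     * @param scope scope to check
     * @return {@code true} if the principal may modify the registry entry in {@code scope}
     */
    public boolean canWrite(KafkaPrincipal kafkaPrincipal, Scope scope) {
        // The list overload always returns exactly one decision per requested scope.
        return canWrite(kafkaPrincipal, Collections.singletonList(scope)).get(0);
    }

    /**
     * Reduces a list of clusters to what the principal is allowed to see.
     *
     * <p>Clusters the principal may fully read are returned unchanged. Of the remaining
     * clusters, those in whose scope the principal has a role binding are returned via
     * {@code ClusterInfo.redact()}; the rest are dropped. What {@code redact()} removes is
     * defined by {@code ClusterInfo} and is not visible here.
     *
     * @param kafkaPrincipal principal being checked
     * @param list candidate clusters
     * @return fully readable clusters first (input order), followed by the redacted ones
     *     (input order); the overall order therefore differs from {@code list}
     */
    public List<ClusterInfo> filterClusterInfosBasedOnReadAuthorization(KafkaPrincipal kafkaPrincipal, List<ClusterInfo> list) {
        List<Boolean> fullReadDecisions = canReadFullCluster(kafkaPrincipal, list);
        List<ClusterInfo> visible = new ArrayList<>(list.size());
        List<ClusterInfo> withoutFullRead = new ArrayList<>(list.size());
        for (int i = 0; i < list.size(); i++) {
            ClusterInfo info = list.get(i);
            if (fullReadDecisions.get(i)) {
                visible.add(info);
            } else {
                withoutFullRead.add(info);
            }
        }
        // Only the redacted copy is exposed for clusters the principal cannot Describe.
        for (ClusterInfo info : filterClustersWithRole(kafkaPrincipal, withoutFullRead)) {
            visible.add(info.redact());
        }
        return visible;
    }

    /**
     * Reports, per cluster, whether the principal may see the unredacted entry: always for a
     * {@code BootstrapCluster} holder, otherwise by a {@code Describe} query in each
     * cluster's scope.
     */
    private List<Boolean> canReadFullCluster(KafkaPrincipal kafkaPrincipal, List<ClusterInfo> list) {
        if (hasBootstrapClusterAbility(kafkaPrincipal)) {
            return uniformDecisions(list.size(), true);
        }
        List<Scope> scopes = new ArrayList<>(list.size());
        for (ClusterInfo info : list) {
            scopes.add(info.getScope());
        }
        return authorizeScopeOperation(kafkaPrincipal, DESCRIBE_OP, scopes);
    }

    /**
     * Keeps the clusters in whose scope the principal has at least one role binding,
     * according to the auth cache. Input order is preserved.
     */
    private List<ClusterInfo> filterClustersWithRole(KafkaPrincipal kafkaPrincipal, List<ClusterInfo> list) {
        Set<Scope> requestedScopes = new HashSet<>();
        for (ClusterInfo info : list) {
            requestedScopes.add(info.getScope());
        }
        Set<Scope> boundScopes = this.authCache.rbacRoleBindings(kafkaPrincipal, requestedScopes).stream()
                .map(binding -> binding.scope())
                .collect(Collectors.toSet());
        return list.stream()
                .filter(info -> boundScopes.contains(info.getScope()))
                .collect(Collectors.toList());
    }

    /**
     * Checks whether the principal is allowed {@code BootstrapCluster} on the cluster
     * registry in the scope given at construction. Any result other than a single
     * {@code ALLOWED} answer, including a missing or empty result list, counts as "no".
     */
    private boolean hasBootstrapClusterAbility(KafkaPrincipal kafkaPrincipal) {
        // NOTE(review): the trailing arguments (1, true, false) are presumably
        // resourceReferenceCount, logIfAllowed and logIfDenied, which would mean a granted
        // bootstrap override is audit-logged and a denied one is not. Confirm against Action.
        Action bootstrapCheck = new Action(this.mdsScope, CLUSTER_REG_RP, BOOTSTRAP_CLUSTER_OP, 1, true, false);
        // NOTE(review): the "" argument is presumably the client host; it is always empty here.
        List<AuthorizeResult> results = this.authorizer.authorize(kafkaPrincipal, "", Collections.singletonList(bootstrapCheck));
        return results != null && !results.isEmpty() && results.get(0) == AuthorizeResult.ALLOWED;
    }

    /**
     * Queries the authorizer for {@code operation} on the cluster registry in each scope.
     *
     * @return a mutable list with exactly one decision per scope, in request order;
     *     {@code true} only where the authorizer answered {@code ALLOWED}
     */
    private List<Boolean> authorizeScopeOperation(KafkaPrincipal kafkaPrincipal, Operation operation, List<Scope> list) {
        List<Action> actions = new ArrayList<>(list.size());
        for (Scope scope : list) {
            actions.add(new Action(scope, CLUSTER_REG_RP, operation));
        }
        List<AuthorizeResult> results = this.authorizer.authorize(kafkaPrincipal, "", actions);
        // Callers index the decisions by request position, so a result list of the wrong
        // length cannot be mapped back to scopes safely. Fail closed: deny every scope.
        if (results == null || results.size() != actions.size()) {
            return uniformDecisions(actions.size(), false);
        }
        List<Boolean> decisions = new ArrayList<>(results.size());
        for (AuthorizeResult result : results) {
            decisions.add(result == AuthorizeResult.ALLOWED);
        }
        return decisions;
    }

    /** Builds a mutable list of {@code count} identical decisions. */
    private static List<Boolean> uniformDecisions(int count, boolean allowed) {
        return new ArrayList<>(Collections.nCopies(count, allowed));
    }
}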
