package io.confluent.security.authorizer.provider;

import io.confluent.rbacapi.app.RbacApiAppConfig;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:io/confluent/security/authorizer/provider/ConfluentBuiltInProviders.class */
public class ConfluentBuiltInProviders {
    private static final Map<String, String> OLD_PROVIDER_NAMES = Utils.mkMap(Utils.mkEntry("ACL", AccessRuleProviders.ZK_ACL.name()), Utils.mkEntry("RBAC", AccessRuleProviders.CONFLUENT.name()));

    /* loaded from: input_file:io/confluent/security/authorizer/provider/ConfluentBuiltInProviders$AccessRuleProviders.class */
    public enum AccessRuleProviders {
        ZK_ACL,
        KRAFT_ACL,
        MULTI_TENANT,
        CONFLUENT
    }

    /* loaded from: input_file:io/confluent/security/authorizer/provider/ConfluentBuiltInProviders$EmptyGroupProvider.class */
    private static class EmptyGroupProvider implements GroupProvider {
        private EmptyGroupProvider() {
        }

        @Override // org.apache.kafka.common.Configurable
        public void configure(Map<String, ?> map) {
        }

        @Override // io.confluent.security.authorizer.provider.GroupProvider
        public Set<KafkaPrincipal> groups(KafkaPrincipal kafkaPrincipal) {
            return Collections.emptySet();
        }

        @Override // io.confluent.security.authorizer.provider.Provider
        public boolean usesMetadataFromThisKafkaCluster() {
            return false;
        }

        @Override // io.confluent.security.authorizer.provider.Provider
        public String providerName() {
            return GroupProviders.NONE.name();
        }

        @Override // io.confluent.security.authorizer.provider.GroupProvider, io.confluent.security.authorizer.provider.MetadataProvider
        public boolean providerConfigured(Map<String, ?> map) {
            return true;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
        }
    }

    /* loaded from: input_file:io/confluent/security/authorizer/provider/ConfluentBuiltInProviders$EmptyMetadataProvider.class */
    private static class EmptyMetadataProvider implements MetadataProvider {
        private EmptyMetadataProvider() {
        }

        @Override // org.apache.kafka.common.Configurable
        public void configure(Map<String, ?> map) {
        }

        @Override // io.confluent.security.authorizer.provider.Provider
        public String providerName() {
            return MetadataProviders.NONE.name();
        }

        @Override // io.confluent.security.authorizer.provider.Provider
        public boolean usesMetadataFromThisKafkaCluster() {
            return false;
        }

        @Override // io.confluent.security.authorizer.provider.MetadataProvider
        public boolean providerConfigured(Map<String, ?> map) {
            return true;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
        }
    }

    /* loaded from: input_file:io/confluent/security/authorizer/provider/ConfluentBuiltInProviders$GroupProviders.class */
    public enum GroupProviders {
        LDAP,
        CONFLUENT,
        NONE
    }

    /* loaded from: input_file:io/confluent/security/authorizer/provider/ConfluentBuiltInProviders$MetadataProviders.class */
    public enum MetadataProviders {
        CONFLUENT,
        NONE
    }

    public static Set<String> builtInAccessRuleProviders() {
        return (Set) Utils.mkSet(AccessRuleProviders.values()).stream().map((v0) -> {
            return v0.name();
        }).collect(Collectors.toSet());
    }

    public static List<AccessRuleProvider> loadAccessRuleProviders(List<String> list) {
        HashMap hashMap = new HashMap(list.size());
        Iterator it = ServiceLoader.load(AccessRuleProvider.class).iterator();
        while (it.hasNext()) {
            AccessRuleProvider accessRuleProvider = (AccessRuleProvider) it.next();
            String providerName = accessRuleProvider.providerName();
            if (list.contains(providerName)) {
                hashMap.putIfAbsent(providerName, accessRuleProvider);
            }
            if (hashMap.size() == list.size()) {
                break;
            }
        }
        if (hashMap.size() == list.size()) {
            Stream<String> stream = list.stream();
            hashMap.getClass();
            return (List) stream.map((v1) -> {
                return r1.get(v1);
            }).collect(Collectors.toList());
        }
        HashSet hashSet = new HashSet(list);
        hashSet.removeAll(hashMap.keySet());
        if (!OLD_PROVIDER_NAMES.keySet().containsAll(hashSet)) {
            throw new ConfigException("Access rule provider not found for " + hashSet);
        }
        StringBuilder sb = new StringBuilder();
        hashSet.forEach(str -> {
            sb.append(str);
            sb.append(" is supported by the provider named ");
            sb.append(OLD_PROVIDER_NAMES.get(str));
            sb.append(", ");
        });
        sb.append("you should configure '");
        sb.append(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP);
        sb.append('=');
        Stream<String> stream2 = list.stream();
        Map<String, String> map = OLD_PROVIDER_NAMES;
        map.getClass();
        sb.append(Utils.join((Collection) stream2.map((v1) -> {
            return r1.get(v1);
        }).collect(Collectors.toSet()), ","));
        sb.append("'");
        throw new ConfigException(sb.toString());
    }

    public static GroupProvider loadGroupProvider(Map<String, ?> map) {
        Iterator it = ServiceLoader.load(GroupProvider.class).iterator();
        while (it.hasNext()) {
            GroupProvider groupProvider = (GroupProvider) it.next();
            if (providerEnabled(groupProvider, map) && groupProvider.providerConfigured(map)) {
                return groupProvider;
            }
        }
        return new EmptyGroupProvider();
    }

    public static MetadataProvider loadMetadataProvider(Map<String, ?> map) {
        Iterator it = ServiceLoader.load(MetadataProvider.class).iterator();
        while (it.hasNext()) {
            MetadataProvider metadataProvider = (MetadataProvider) it.next();
            if (providerEnabled(metadataProvider, map) && metadataProvider.providerConfigured(map)) {
                return metadataProvider;
            }
        }
        return new EmptyMetadataProvider();
    }

    private static boolean providerEnabled(Provider provider, Map<String, ?> map) {
        String providerName = provider.providerName();
        Object obj = map.get(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP);
        if (provider.providerName().equals(RbacApiAppConfig.MDS_USER_STORE_LDAP)) {
            return String.valueOf(map.get("authorizer.class.name")).endsWith(".LdapAuthorizer");
        }
        if (obj == null) {
            return false;
        }
        if (obj instanceof String) {
            Stream stream = Arrays.stream(((String) obj).split(","));
            providerName.getClass();
            return stream.anyMatch((v1) -> {
                return r1.equals(v1);
            });
        }
        if (!(obj instanceof List)) {
            return false;
        }
        Stream stream2 = ((List) obj).stream();
        providerName.getClass();
        return stream2.anyMatch(providerName::equals);
    }
}
