package io.confluent.security.audit.router;

import io.confluent.crn.ConfluentResourceName;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.security.audit.AuditLogEntry;
import io.confluent.security.audit.AuditLogUtils;
import io.confluent.security.audit.AuthenticationInfo;
import java.util.HashMap;
import java.util.NoSuchElementException;
import java.util.Optional;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/audit/router/AuditLogCategoryResultRouter.class */
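/**
 * Routes audit log entries to destination topics, keyed first by event category and then by
 * whether the audited action was allowed or denied.
 *
 * <p>Routes are registered with {@link #setRoute} and consulted by {@link #topic}. The route
 * table is a plain {@link HashMap} with no synchronization in this class, so routes should be
 * fully registered before the router is shared between threads.
 *
 * <p>Security note: produce and consume events that target the very topic they would be routed
 * to are detected in {@link #topic} and diverted to the empty-string destination, because
 * writing them would itself generate further audit events (a feedback loop).
 */
public class AuditLogCategoryResultRouter implements Router {
    private static final Logger log = LoggerFactory.getLogger(AuditLogCategoryResultRouter.class);

    // category -> (allowed/denied -> destination topic)
    private final HashMap<String, HashMap<AuditLogRouterResult, String>> routes = new HashMap<>();

    /**
     * Registers (or replaces) the destination topic for a category/result pair.
     *
     * @param category event category the route applies to
     * @param result whether the route applies to allowed or denied events
     * @param topic destination topic; an empty string is stored as-is
     * @return this router, to allow chained configuration
     */
    public AuditLogCategoryResultRouter setRoute(String category, AuditLogRouterResult result, String topic) {
        this.routes.computeIfAbsent(category, key -> new HashMap<>()).put(result, topic);
        return this;
    }

    /**
     * Looks up the configured destination for a category/result pair.
     *
     * @param category event category to look up
     * @param result allowed/denied outcome to look up
     * @return the configured topic, or empty when the category or the result has no route
     */
    public Optional<String> route(String category, AuditLogRouterResult result) {
        // A category that was never registered must yield "no route", not a NullPointerException.
        HashMap<AuditLogRouterResult, String> byResult = this.routes.get(category);
        if (byResult == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(byResult.get(result));
    }

    /**
     * Classifies an entry as allowed or denied.
     *
     * <p>Authentication events are classified by their result status; every other event by the
     * authorization decision.
     *
     * <p>NOTE(review): {@code AuditEventStatus.valueOf} throws {@link IllegalArgumentException}
     * for an unrecognised status string, and the getters are dereferenced without null checks.
     * Neither failure is caught by {@link #topic}; confirm that callers handle them so a
     * malformed entry cannot interrupt audit logging.
     */
    private AuditLogRouterResult auditLogRouterResult(AuditLogEntry auditLogEntry) {
        boolean permitted;
        if (AuditLogUtils.AUTHENTICATION_EVENT_NAME.equals(auditLogEntry.getMethodName())) {
            permitted = AuditEventStatus.SUCCESS == AuditEventStatus.valueOf(auditLogEntry.getResult().getStatus());
        } else {
            permitted = auditLogEntry.getAuthorizationInfo().getGranted();
        }
        return permitted ? AuditLogRouterResult.ALLOWED : AuditLogRouterResult.DENIED;
    }

    /**
     * Resolves the destination topic for an audit log entry.
     *
     * @param auditLogEntry the entry to route
     * @return empty when no route matches or the entry cannot be parsed; an {@code Optional}
     *     holding the empty string when a produce/consume event targets its own destination
     *     topic (presumably read by the caller as "do not emit" - confirm against the caller);
     *     otherwise the configured topic
     */
    @Override
    public Optional<String> topic(AuditLogEntry auditLogEntry) {
        try {
            String category = AuditLogRouterUtils.category(auditLogEntry);
            HashMap<AuditLogRouterResult, String> byResult = this.routes.get(category);
            if (byResult == null) {
                return Optional.empty();
            }
            String destination = byResult.get(auditLogRouterResult(auditLogEntry));
            if (destination == null) {
                return Optional.empty();
            }
            boolean producesOrConsumes = AuditLogRouterUtils.CONSUME_CATEGORY.equals(category)
                    || AuditLogRouterUtils.PRODUCE_CATEGORY.equals(category);
            if (!destination.isEmpty() && producesOrConsumes) {
                ConfluentResourceName.Element target = AuditLogUtils.resourceNameElement(auditLogEntry);
                // Constant-first / known-non-null-first comparisons so a missing type or name
                // means "not the audit topic" rather than an uncaught NullPointerException.
                if ("topic".equals(target.resourceType()) && destination.equals(target.encodedResourceName())) {
                    // Writing this event would touch the audit topic again and produce another
                    // audit event, so it is diverted and the responsible principal is reported.
                    AuthenticationInfo authenticationInfo = auditLogEntry.getAuthenticationInfo();
                    log.error("Audit log event for {} event on audit log topic {} was routed to same topic. This indicates that there may be a feedback loop. Principal {} should be excluded from audit logging or this event should be routed to a different topic.", auditLogEntry.getMethodName(), destination, authenticationInfo == null ? "Unknown" : authenticationInfo.getPrincipal());
                    return Optional.of("");
                }
            }
            return Optional.of(destination);
        } catch (CrnSyntaxException | NoSuchElementException e) {
            // NOTE(review): unparseable entries are reported at debug level only, so with default
            // logging an operator will not see that an audit event failed to match a route here.
            log.debug("Attempted to route a invalid AuditLogEntry", e);
            return Optional.empty();
        }
    }

    @Override
    public String toString() {
        return "AuditLogCategoryResultRouter(" + this.routes + ")";
    }
}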
