package io.confluent.rbacapi.services;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.rbacapi.entities.ManagedRoleBindings;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.rbacapi.utils.RoleUtils;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.Role;
import io.confluent.security.rbac.RoleBinding;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/services/ManagedRoleBindingsBuilder.class */
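/**
 * Builds the {@link ManagedRoleBindings} view that a requesting principal is allowed to see for a
 * scope and its parent scopes.
 *
 * <p>Every role binding in the scope hierarchy is considered, but a binding (or, for
 * resource-scoped roles, each of its resource patterns) is only included when the requesting
 * principal - directly or through one of its groups - has describe access to it; the "editable"
 * flag on each emitted binding is derived from alter access. That filtering is the authorization
 * boundary of the listing, so {@link #build} must be given the authenticated caller, not the
 * principal whose bindings are being looked at.
 *
 * <p>Not thread-safe beyond what the injected {@link AuthCache} guarantees; the builder itself holds
 * no mutable state.
 */
public class ManagedRoleBindingsBuilder {
    private final AuthCache authCache;
    private final ClusterPermissionsBuilder clusterPermissionsBuilder;

    /**
     * The requesting principal's permissions, evaluated once per scope of the hierarchy.
     *
     * <p>Only scopes that actually carry role bindings are evaluated. The cluster-level flags are
     * the OR over those scopes of the {@link ResourceType#ALL} describe/alter checks; the
     * per-resource checks consult every evaluated scope and succeed as soon as one of them grants
     * access.
     */
    public class ScopedClusterPermissions {
        private boolean clusterRoleDescribeAccess;
        private boolean clusterRoleAlterAccess;
        private final List<ClusterPermissions> clusterPermissionsHierarchy = new ArrayList<>();

        /**
         * @param scopes        the scope hierarchy to evaluate
         * @param kafkaPrincipal the requesting principal (expanded to its groups for User principals)
         * @param resourceType  the resource type the listing is restricted to
         * @param rolesByName   every known role, keyed by role name
         * @param roleBindings  all bindings found in {@code scopes}
         */
        private ScopedClusterPermissions(Set<Scope> scopes, KafkaPrincipal kafkaPrincipal,
                ResourceType resourceType, Map<String, Role> rolesByName, Set<RoleBinding> roleBindings) {
            Map<Scope, Set<RoleBinding>> bindingsByScope = roleBindings.stream()
                    .collect(Collectors.groupingBy(RoleBinding::scope,
                            Collectors.mapping(Function.identity(), Collectors.toSet())));
            // Only roles that carry describe access can make a binding visible; the exact
            // predicate lives in RoleAccessUtils and is not visible here.
            Map<String, Role> describeRoles =
                    RoleUtils.mapRolesByName(rolesByName.values(), RoleAccessUtils.filterByDescribeAccess());
            // The principal/group expansion does not depend on the scope, so resolve it once
            // instead of once per scope.
            Set<KafkaPrincipal> principals = getPrincipalAndGroups(kafkaPrincipal);
            for (Scope scope : scopes) {
                Set<RoleBinding> scopeBindings = bindingsByScope.get(scope);
                if (scopeBindings == null || scopeBindings.isEmpty()) {
                    continue;
                }
                ClusterPermissions permissions = clusterPermissionsBuilder.build(
                        describeRoles, principals, scope, resourceType, scopeBindings);
                clusterPermissionsHierarchy.add(permissions);
                clusterRoleDescribeAccess =
                        clusterRoleDescribeAccess || permissions.canDescribeAccess(ResourceType.ALL);
                clusterRoleAlterAccess =
                        clusterRoleAlterAccess || permissions.canAlterAccess(ResourceType.ALL);
            }
        }

        /** @return whether the caller may describe cluster-level (non-resource) bindings in some evaluated scope */
        public boolean isClusterRoleDescribeAccess() {
            return this.clusterRoleDescribeAccess;
        }

        /** @return whether the caller may alter cluster-level (non-resource) bindings in some evaluated scope */
        public boolean isClusterRoleAlterAccess() {
            return this.clusterRoleAlterAccess;
        }

        /**
         * @param resourcePattern the resource pattern of a binding
         * @return whether any evaluated scope grants the caller describe access to {@code resourcePattern}
         */
        public boolean canDescribeAccess(ResourcePattern resourcePattern) {
            return this.clusterPermissionsHierarchy.stream()
                    .anyMatch(permissions -> permissions.canDescribeAccess(resourcePattern));
        }

        /**
         * @param resourcePattern the resource pattern of a binding
         * @return whether any evaluated scope grants the caller alter access to {@code resourcePattern}
         */
        public boolean canAlterAccess(ResourcePattern resourcePattern) {
            return this.clusterPermissionsHierarchy.stream()
                    .anyMatch(permissions -> permissions.canAlterAccess(resourcePattern));
        }
    }

    /**
     * @param authCache source of roles, role bindings and group membership
     */
    public ManagedRoleBindingsBuilder(AuthCache authCache) {
        this(authCache, new ClusterPermissionsBuilder());
    }

    /**
     * @param authCache                 source of roles, role bindings and group membership
     * @param clusterPermissionsBuilder evaluates the caller's permissions for one scope
     */
    @VisibleForTesting
    ManagedRoleBindingsBuilder(AuthCache authCache, ClusterPermissionsBuilder clusterPermissionsBuilder) {
        this.authCache = authCache;
        this.clusterPermissionsBuilder = clusterPermissionsBuilder;
    }

    /**
     * Lists the role bindings in {@code scope} and its parent scopes (up to, but excluding,
     * {@link Scope#ROOT_SCOPE}) that {@code kafkaPrincipal} may see.
     *
     * <p>Resource-scoped roles contribute one {@link ManagedRoleBindings.ManagedResourceBinding}
     * per resource pattern that matches {@code resourceType} and is describable by the caller;
     * cluster-scoped roles contribute a {@link ManagedRoleBindings.ManagedClusterBinding} when the
     * caller has cluster-level describe access. Bindings that reference a role unknown to the
     * cache are skipped silently.
     *
     * @param kafkaPrincipal the authenticated caller, whose permissions decide what is listed
     * @param resourceType   the resource type to list, or {@link ResourceType#ALL} for every type
     * @return the visible bindings; empty when the hierarchy holds no bindings at all
     */
    public ManagedRoleBindings build(Scope scope, KafkaPrincipal kafkaPrincipal, ResourceType resourceType) {
        ManagedRoleBindings managedRoleBindings = new ManagedRoleBindings(scope);
        Map<String, Role> rolesByName = RoleUtils.mapRolesByName(this.authCache.rbacRoles().roles());
        Set<Scope> scopeHierarchy = scopeHierarchy(scope);
        Set<RoleBinding> roleBindings = this.authCache.rbacRoleBindings(scopeHierarchy);
        if (roleBindings == null || roleBindings.isEmpty()) {
            return managedRoleBindings;
        }
        ScopedClusterPermissions permissions = new ScopedClusterPermissions(
                scopeHierarchy, kafkaPrincipal, resourceType, rolesByName, roleBindings);
        Predicate<ResourcePattern> matchesType = byResourceType(resourceType);
        for (RoleBinding roleBinding : roleBindings) {
            Role role = rolesByName.get(roleBinding.role());
            if (role == null) {
                // Unknown role: its access semantics cannot be evaluated, so it is not listed.
                continue;
            }
            if (role.bindWithResource()) {
                addResourceBindings(managedRoleBindings, roleBinding, role, matchesType, permissions);
            } else if (permissions.isClusterRoleDescribeAccess()) {
                managedRoleBindings.add(roleBinding.principal(),
                        new ManagedRoleBindings.ManagedClusterBinding(
                                role.displayName(), permissions.isClusterRoleAlterAccess()));
            }
        }
        return managedRoleBindings;
    }

    /**
     * Adds one {@link ManagedRoleBindings.ManagedResourceBinding} per resource pattern of a
     * resource-scoped binding that matches the requested type and that the caller may describe.
     * The editable flag of each emitted binding is the caller's alter access to that pattern.
     */
    private static void addResourceBindings(ManagedRoleBindings target, RoleBinding roleBinding, Role role,
            Predicate<ResourcePattern> matchesType, ScopedClusterPermissions permissions) {
        roleBinding.resources().stream()
                .filter(matchesType)
                .filter(permissions::canDescribeAccess)
                .map(pattern -> new ManagedRoleBindings.ManagedResourceBinding(
                        role.displayName(), pattern, permissions.canAlterAccess(pattern)))
                .forEach(binding -> target.add(roleBinding.principal(), binding));
    }

    /**
     * @return a predicate accepting every pattern when {@code resourceType} is
     *         {@link ResourceType#ALL}, otherwise only patterns of exactly that type
     */
    private static Predicate<ResourcePattern> byResourceType(ResourceType resourceType) {
        return pattern -> resourceType.equals(ResourceType.ALL)
                || pattern.resourceType().equals(resourceType);
    }

    /**
     * Resolves the identities a principal acts as: the principal itself plus, for
     * {@link KafkaPrincipal#USER_TYPE} principals, the groups the cache maps it to. Principals of
     * any other type are not expanded.
     *
     * @param kafkaPrincipal the principal to expand
     * @return a new mutable set containing {@code kafkaPrincipal} and its groups
     */
    public Set<KafkaPrincipal> getPrincipalAndGroups(KafkaPrincipal kafkaPrincipal) {
        Set<KafkaPrincipal> principals = new HashSet<>();
        principals.add(kafkaPrincipal);
        if (StringUtils.equals(KafkaPrincipal.USER_TYPE, kafkaPrincipal.getPrincipalType())) {
            principals.addAll(this.authCache.groups(kafkaPrincipal));
        }
        return principals;
    }

    /** @return whether {@code scope} has a parent other than {@link Scope#ROOT_SCOPE} */
    private static boolean hasParentScope(Scope scope) {
        Scope parent = scope.parent();
        return parent != null && !parent.equals(Scope.ROOT_SCOPE);
    }

    /**
     * @return {@code scope} together with every ancestor scope below {@link Scope#ROOT_SCOPE};
     *         the root scope itself is never included
     */
    private Set<Scope> scopeHierarchy(Scope scope) {
        Set<Scope> hierarchy = new HashSet<>();
        Scope current = scope;
        hierarchy.add(current);
        while (hasParentScope(current)) {
            current = current.parent();
            hierarchy.add(current);
        }
        return hierarchy;
    }
}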
