package io.confluent.security.auth.provider;

import io.confluent.security.auth.dataplane.AuthnzAuthStore;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/provider/AuthnzProvider.class */
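/**
 * Access-rule provider that answers RBAC lookups out of an {@link AuthCache}
 * backed by an {@link AuthnzAuthStore}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>{@link #mayDeny()} is {@code false}: this provider only ever contributes
 *       ALLOW rules; it never produces an explicit DENY.</li>
 *   <li>{@link #isSuperUser(KafkaPrincipal, Scope)} is {@code false}: no principal
 *       bypasses rule evaluation through this provider.</li>
 *   <li>The {@link Authorizer} entry points ({@code authorize}, {@code createAcls},
 *       {@code deleteAcls}, {@code acls}) fail closed by throwing
 *       {@link IllegalStateException}; the class is only meant to be driven through
 *       the {@link AccessRuleProvider} interface.</li>
 *   <li>Rule lookups normalise the caller's principal to a plain
 *       {@link KafkaPrincipal} (type + name) before hitting the cache, so any extra
 *       state carried by a principal subclass is intentionally not consulted.</li>
 * </ul>
 *
 * <p>Lifecycle: {@link #configure(Map)} must be called before
 * {@link #start(ConfluentAuthorizerServerInfo, Map)}, which creates the store and
 * cache; rule lookups before {@code start} fail with {@link IllegalStateException}
 * rather than a {@code NullPointerException}.
 */
public class AuthnzProvider implements AccessRuleProvider, Authorizer {
    private static final Logger log = LoggerFactory.getLogger(AuthnzProvider.class);
    public static final String PROVIDER_NAME = "CC_DATAPLANE_PLANE_AUTHNZ";
    /** Configs captured in {@link #configure(Map)}; merged with the start-time configs in {@code start}. */
    private Map<String, ?> configs;
    /** Scope the auth store is created for; always {@link Scope#ROOT_SCOPE} unless {@link #authStoreScope()} is overridden. */
    private Scope authStoreScope;
    private AuthStore authStore;
    /** Null until {@code start} has run; every rule lookup goes through it. */
    private AuthCache authCache;
    private Metrics kafkaMetrics = null;
    /** Not referenced by this class; retained for subclasses / compatibility. */
    private Scope authScope = Scope.ROOT_SCOPE;

    /**
     * Records the provider configs and resolves the auth-store scope.
     *
     * @param map provider configuration; retained by reference, not copied
     */
    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.configs = map;
        this.authStoreScope = authStoreScope();
    }

    /**
     * Scope used when creating the auth store. Overridable; the default is the root scope.
     *
     * @return {@link Scope#ROOT_SCOPE}
     */
    public Scope authStoreScope() {
        return Scope.ROOT_SCOPE;
    }

    @Override // io.confluent.security.authorizer.provider.Provider
    public String providerName() {
        return PROVIDER_NAME;
    }

    /** This provider does not read its metadata from the local Kafka cluster. */
    @Override // io.confluent.security.authorizer.provider.Provider
    public boolean usesMetadataFromThisKafkaCluster() {
        return false;
    }

    /**
     * Creates the auth store and cache and starts the store's reader.
     *
     * <p>Start-time configs override entries with the same key captured by
     * {@link #configure(Map)}. The returned stage completes when the store's reader
     * has started; presumably the cache is not fully populated until then, so callers
     * should wait on it before serving authorization requests (verify against
     * {@code AuthnzAuthStore}).
     *
     * @param confluentAuthorizerServerInfo server info; its metrics registry is captured
     * @param map start-time configs merged over the configure-time configs
     * @return the store reader's start stage
     * @throws IllegalStateException if {@link #configure(Map)} was not called first
     */
    @Override // io.confluent.security.authorizer.provider.Provider
    public CompletionStage<Void> start(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo, Map<String, ?> map) {
        if (this.configs == null) {
            // Fail with a clear message instead of the NPE the HashMap copy would raise.
            throw new IllegalStateException("AuthnzProvider.configure() must be called before start()");
        }
        Map<String, Object> mergedConfigs = new HashMap<>(this.configs);
        mergedConfigs.putAll(map);
        this.authStore = createAuthStore(this.authStoreScope, confluentAuthorizerServerInfo, mergedConfigs);
        this.authCache = this.authStore.authCache();
        this.kafkaMetrics = confluentAuthorizerServerInfo.metrics();
        return this.authStore.startReader();
    }

    /** This provider never contributes DENY rules. */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean mayDeny() {
        return false;
    }

    /** No principal is treated as a super user by this provider. */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, Scope scope) {
        return false;
    }

    /**
     * Looks up the rule governing {@code action} for the normalised principal.
     *
     * @throws IllegalStateException if {@code start} has not completed (fail closed)
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        return requireStarted().findRule(userPrincipal(kafkaPrincipal), set, str, action);
    }

    /**
     * Adds every cached rule matching the normalised principal, operation, scope and
     * resource type to {@code resourceAuthorizeRules}.
     *
     * @throws IllegalStateException if {@code start} has not completed (fail closed)
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        requireStarted().addMatchingRules(resourceAuthorizeRules, userPrincipal(kafkaPrincipal), set, str, operation, scope, resourceType);
    }

    /**
     * Closes the auth store. Close failures are collected and rethrown as a
     * {@link KafkaException} so they are not silently dropped.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        log.debug("Closing authnz provider");
        AtomicReference<Throwable> firstFailure = new AtomicReference<>();
        Utils.closeQuietly(this.authStore, "authStore", firstFailure);
        Throwable failure = firstFailure.getAndSet(null);
        if (failure != null) {
            // Message names this class (the original said "ConfluentProvider").
            throw new KafkaException("AuthnzProvider could not be closed cleanly", failure);
        }
    }

    /**
     * Returns the cache, failing closed if {@code start} has not populated it yet.
     */
    private AuthCache requireStarted() {
        AuthCache cache = this.authCache;
        if (cache == null) {
            throw new IllegalStateException("AuthnzProvider has not been started; refusing to evaluate rules");
        }
        return cache;
    }

    /**
     * Normalises a principal to a plain {@link KafkaPrincipal} carrying only type and
     * name. Subclass instances are rebuilt; plain instances are returned as-is.
     * Any additional state on a subclass is deliberately dropped before the cache lookup.
     */
    private KafkaPrincipal userPrincipal(KafkaPrincipal kafkaPrincipal) {
        if (kafkaPrincipal.getClass() == KafkaPrincipal.class) {
            return kafkaPrincipal;
        }
        return new KafkaPrincipal(kafkaPrincipal.getPrincipalType(), kafkaPrincipal.getName());
    }

    /** @return the store created by {@code start}, or {@code null} before it */
    public AuthStore authStore() {
        return this.authStore;
    }

    /**
     * Factory hook for the auth store; overridable for tests or alternative stores.
     *
     * @param scope scope the store serves
     * @param confluentAuthorizerServerInfo supplies the metrics registry
     * @param map merged configs passed to the store's {@code configure}
     */
    protected AuthStore createAuthStore(Scope scope, ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo, Map<String, ?> map) {
        AuthnzAuthStore store = new AuthnzAuthStore(scope, confluentAuthorizerServerInfo.metrics());
        store.configure(map);
        return store;
    }

    /** Not used as a standalone {@link Authorizer}: no per-endpoint start futures. */
    @Override // org.apache.kafka.server.authorizer.Authorizer
    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        return Collections.emptyMap();
    }

    /** Fails closed: authorization must go through {@link AccessRuleProvider}. */
    @Override // org.apache.kafka.server.authorizer.Authorizer
    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<org.apache.kafka.server.authorizer.Action> list) {
        throw new IllegalStateException("This provider should be used for authorization only using the AccessRuleProvider interface");
    }

    @Override // org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        return createAcls(authorizableRequestContext, list, Optional.empty());
    }

    /** ACL management is unsupported; RBAC rules are not mutable through this class. */
    @Override // org.apache.kafka.server.authorizer.Authorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, Optional<String> optional) {
        throw new IllegalStateException("This provider should be used for RBAC authorization only");
    }

    @Override // org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        return deleteAcls(authorizableRequestContext, list, Optional.empty());
    }

    /** ACL management is unsupported; RBAC rules are not mutable through this class. */
    @Override // org.apache.kafka.server.authorizer.Authorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional) {
        throw new IllegalStateException("This provider should be used for RBAC authorization only");
    }

    /** ACL enumeration is unsupported for the same reason as {@code createAcls}. */
    @Override // org.apache.kafka.server.authorizer.Authorizer
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        throw new IllegalStateException("This provider should be used for RBAC authorization only");
    }

    /** Overrides the metrics registry captured in {@code start} (e.g. for tests). */
    public void setKafkaMetrics(Metrics metrics) {
        this.kafkaMetrics = metrics;
    }
}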
