package io.confluent.rbacapi.resources.v2;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.auditlog.emitter.auditlogger.AuditLogger;
import io.confluent.auditlog.emitter.utils.LogOptions;
import io.confluent.cloud.rbac.V2CloudRbacStorageService;
import io.confluent.crn.ConfluentServerCrnAuthority;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.protobuf.events.auditlog.v2.AuditLog;
import io.confluent.protobuf.events.auditlog.v2.Result;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.resources.base.PrincipalsResource;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.services.FeatureConfigurationService;
import io.confluent.rbacapi.utils.CloudRoleUtils;
import io.confluent.rbacapi.utils.RBACQuotaEnforcer;
import io.confluent.rbacapi.validation.common.ValidPrincipal;
import io.confluent.rbacapi.validation.common.ValidRole;
import io.confluent.rbacapi.validation.v2.V2ValidMdsScope;
import io.confluent.rbacapi.validation.v2.V2ValidationUtil;
import io.confluent.rest.annotations.PerformanceMetric;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authorizer.ResourcePattern;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import utils.AuditLogUtils;
import utils.ConfluentCloudRoles;

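/**
 * JAX-RS resource for the deprecated {@code /v2alpha1/principals} role-binding API.
 *
 * <p>Every endpoint delegates the actual authorization and storage work to a
 * {@link PrincipalsResource} and wraps that call with an audit-log record whose result is
 * {@code SUCCESS} when the delegate returns normally and {@code FAILURE} when it throws (the
 * exception is rethrown unchanged). Endpoints that create bindings additionally run the RBAC
 * quota check first, but only when a {@link V2CloudRbacStorageService} was supplied.
 *
 * <p>Note that a quota rejection happens before the audited section, so a request refused by the
 * quota enforcer produces no audit record from this class.
 *
 * @deprecated the {@code v2alpha1} surface is marked deprecated; its replacement is not visible
 *     from this file.
 */
@Path("/v2alpha1/principals")
@Deprecated
/* loaded from: input_file:io/confluent/rbacapi/resources/v2/V2PrincipalsResource.class */
public class V2PrincipalsResource {
    /** API version string recorded in every audit entry emitted here. */
    private static final String API_VERSION = "1.9";
    /** API prefix recorded in every audit entry emitted here. */
    private static final String API_PREFIX = "principals";
    /**
     * Audit logger options shared by all endpoints: a missing client IP is tolerated, a missing
     * principal is not.
     */
    private static final LogOptions AUDIT_LOG_OPTIONS =
            LogOptions.builder().allowEmptyIpAddress(true).allowEmptyPrincipal(false).build();

    private final PrincipalsResource delegate;
    private final V2CloudRbacStorageService storageService;
    private final FeatureConfigurationService featureConfigurationService;
    private final RBACQuotaEnforcer rbacQuotaEnforcer;
    private final AuditLogger auditLogger;

    /**
     * Creates the resource and its delegate.
     *
     * @param authStore auth store forwarded to the delegate
     * @param securityMetadataAuthorizer authorizer forwarded to the delegate
     * @param j numeric option forwarded verbatim to the delegate; its meaning is not visible here
     * @param clusterRegistryService cluster registry forwarded to the delegate
     * @param confluentServerCrnAuthority CRN authority forwarded to the delegate
     * @param objectMapper JSON mapper forwarded to the delegate
     * @param v2CloudRbacStorageService storage service used by the quota enforcer; when
     *     {@code null}, quota enforcement is skipped entirely
     * @param featureConfigurationService feature flags consulted by the quota enforcer
     * @param auditLogger sink for the audit records produced by every endpoint
     */
    public V2PrincipalsResource(AuthStore authStore, SecurityMetadataAuthorizer securityMetadataAuthorizer, long j, ClusterRegistryService clusterRegistryService, ConfluentServerCrnAuthority confluentServerCrnAuthority, ObjectMapper objectMapper, V2CloudRbacStorageService v2CloudRbacStorageService, FeatureConfigurationService featureConfigurationService, AuditLogger auditLogger) {
        this.delegate = new PrincipalsResource(authStore, securityMetadataAuthorizer, j, clusterRegistryService, new V2ValidationUtil(), confluentServerCrnAuthority, objectMapper, new CloudRoleUtils());
        this.storageService = v2CloudRbacStorageService;
        this.featureConfigurationService = featureConfigurationService;
        this.rbacQuotaEnforcer = new RBACQuotaEnforcer(featureConfigurationService, v2CloudRbacStorageService);
        this.auditLogger = auditLogger;
    }

    /**
     * Stamps {@code status} onto the audit entry and emits it.
     *
     * <p>Audit emission is best-effort: any exception from the logger is deliberately ignored so
     * that a logging outage never changes the HTTP outcome of the request being audited.
     *
     * @param builder the partially filled audit entry for the current request
     * @param status outcome to record
     */
    private void auditLog(AuditLog.Builder builder, Result.Status status) {
        builder.setResult(AuditLogUtils.getResult(status));
        try {
            this.auditLogger.logWithOptions(builder.build(), AUDIT_LOG_OPTIONS);
        } catch (Exception ignored) {
            // Best-effort audit emission; see the method Javadoc for why this is swallowed.
        }
    }

    /**
     * Binds a cluster-scoped role to a principal.
     *
     * <p>Runs the quota check (when a storage service is configured) before the audited delegate
     * call, so a quota rejection is not audited here.
     *
     * @param securityContext caller identity; its principal name is recorded as the audit actor
     * @param principal target principal, taken from the path
     * @param roleName role to bind, taken from the path
     * @param traceId {@code X-B3-Traceid} header value recorded in the audit entry
     * @param clientIp {@code X-Real-IP} header value recorded in the audit entry; this is taken as
     *     sent by the client, so its trustworthiness depends on an upstream proxy setting it
     * @param mdsScope scope the binding applies to
     * @throws InterruptedException propagated from the delegate
     * @throws ExecutionException propagated from the delegate
     * @throws TimeoutException propagated from the delegate
     */
    @Path("{principal:.*}/roles/{roleName}")
    @Consumes({"application/json"})
    @POST
    @PerformanceMetric("v2.add.cluster.role.for.principal")
    public void addClusterRoleForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @ValidRole @PathParam("roleName") String roleName, @HeaderParam("X-B3-Traceid") String traceId, @HeaderParam("X-Real-IP") String clientIp, @V2ValidMdsScope MdsScope mdsScope) throws InterruptedException, ExecutionException, TimeoutException {
        AuditLog.Builder auditLogBuilder = AuditLogUtils.auditLogBuilder("BindRoleForPrincipal", SecurityMetadataAuthorizer.userPrincipal(securityContext).getName(), mdsScope.scope(), traceId, clientIp, API_VERSION, API_PREFIX, principal, roleName, null);
        if (this.storageService != null) {
            // One new binding is requested by this call.
            this.rbacQuotaEnforcer.enforceRbacQuotaOnScope(mdsScope.scope(), 1);
        }
        try {
            this.delegate.addClusterRoleForPrincipal(securityContext, principal, roleName, mdsScope);
            auditLog(auditLogBuilder, Result.Status.SUCCESS);
        } catch (Exception e) {
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw e;
        }
    }

    /**
     * Unbinds a role from a principal.
     *
     * <p>A caller attempting to remove their own {@code OrganizationAdmin} role is refused with
     * HTTP 400 after a {@code FAILURE} audit entry is emitted; this prevents an admin from locking
     * themselves out.
     *
     * @param securityContext caller identity; its principal name is recorded as the audit actor
     * @param principal target principal, taken from the path
     * @param roleName role to unbind, taken from the path
     * @param traceId {@code X-B3-Traceid} header value recorded in the audit entry
     * @param clientIp {@code X-Real-IP} header value recorded in the audit entry
     * @param mdsScope scope the binding applies to
     * @throws ClientErrorException (400) when the caller tries to remove their own OrganizationAdmin role
     * @throws InterruptedException propagated from the delegate
     * @throws ExecutionException propagated from the delegate
     * @throws TimeoutException propagated from the delegate
     */
    @Path("{principal:.*}/roles/{roleName}")
    @Consumes({"application/json"})
    @DELETE
    @PerformanceMetric("v2.delete.role.for.principal")
    public void deleteRoleForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @ValidRole @PathParam("roleName") String roleName, @HeaderParam("X-B3-Traceid") String traceId, @HeaderParam("X-Real-IP") String clientIp, @V2ValidMdsScope MdsScope mdsScope) throws InterruptedException, ExecutionException, TimeoutException {
        KafkaPrincipal caller = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        KafkaPrincipal target = SecurityUtils.parseKafkaPrincipal(principal);
        AuditLog.Builder auditLogBuilder = AuditLogUtils.auditLogBuilder("UnbindRoleForPrincipal", caller.getName(), mdsScope.scope(), traceId, clientIp, API_VERSION, API_PREFIX, principal, roleName, null);
        if (caller.equals(target) && roleName.equals(ConfluentCloudRoles.ROLE_ORG_ADMIN)) {
            // Use the best-effort helper so an audit-logger failure cannot turn this deliberate
            // 400 into an unrelated server error.
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw new ClientErrorException("Cannot remove your own OrganizationAdmin role.", 400);
        }
        try {
            this.delegate.deleteRoleForPrincipal(securityContext, principal, roleName, mdsScope);
            auditLog(auditLogBuilder, Result.Status.SUCCESS);
        } catch (Exception e) {
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw e;
        }
    }

    /**
     * Unbinds every role held by a principal within the given scope.
     *
     * @param securityContext caller identity; its principal name is recorded as the audit actor
     * @param principal target principal, taken from the path
     * @param traceId {@code X-B3-Traceid} header value recorded in the audit entry
     * @param clientIp {@code X-Real-IP} header value recorded in the audit entry
     * @param mdsScope scope whose bindings are removed
     * @param transactionId optional {@code transactionId} query parameter forwarded to the delegate
     * @throws InterruptedException propagated from the delegate
     * @throws ExecutionException propagated from the delegate
     * @throws TimeoutException propagated from the delegate
     * @throws CrnSyntaxException propagated from the delegate
     * @throws JsonProcessingException propagated from the delegate
     */
    @Path("{principal:.*}/roles")
    @Consumes({"application/json"})
    @DELETE
    @PerformanceMetric("v2.delete.all.roles.for.principal")
    public void deleteAllRolesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @HeaderParam("X-B3-Traceid") String traceId, @HeaderParam("X-Real-IP") String clientIp, @V2ValidMdsScope MdsScope mdsScope, @QueryParam("transactionId") String transactionId) throws InterruptedException, ExecutionException, TimeoutException, CrnSyntaxException, JsonProcessingException {
        AuditLog.Builder auditLogBuilder = AuditLogUtils.auditLogBuilder("UnbindAllRolesForPrincipal", SecurityMetadataAuthorizer.userPrincipal(securityContext).getName(), mdsScope.scope(), traceId, clientIp, API_VERSION, API_PREFIX, principal, null, null);
        try {
            this.delegate.deleteAllRolesForPrincipal(securityContext, principal, mdsScope, transactionId);
            auditLog(auditLogBuilder, Result.Status.SUCCESS);
        } catch (Exception e) {
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw e;
        }
    }

    /**
     * Lists the resource patterns bound to a principal under a given role.
     *
     * <p>This is a read, but it is still audited because it exposes the principal's
     * authorization data.
     *
     * @param securityContext caller identity; its principal name is recorded as the audit actor
     * @param principal target principal, taken from the path
     * @param roleName role whose resource bindings are listed
     * @param traceId {@code X-B3-Traceid} header value recorded in the audit entry
     * @param clientIp {@code X-Real-IP} header value recorded in the audit entry
     * @param mdsScope scope to query
     * @return the resource patterns returned by the delegate
     */
    @Path("{principal:.*}/roles/{roleName}/resources")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v2.get.role.resources.for.principal")
    public List<ResourcePattern> getRoleResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @ValidRole @PathParam("roleName") String roleName, @HeaderParam("X-B3-Traceid") String traceId, @HeaderParam("X-Real-IP") String clientIp, @V2ValidMdsScope MdsScope mdsScope) {
        AuditLog.Builder auditLogBuilder = AuditLogUtils.auditLogBuilder("GetRoleResourcesForPrincipal", SecurityMetadataAuthorizer.userPrincipal(securityContext).getName(), mdsScope.scope(), traceId, clientIp, API_VERSION, API_PREFIX, principal, roleName, null);
        try {
            List<ResourcePattern> patterns = this.delegate.getRoleResourcesForPrincipal(securityContext, principal, roleName, mdsScope);
            auditLog(auditLogBuilder, Result.Status.SUCCESS);
            return patterns;
        } catch (Exception e) {
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw e;
        }
    }

    /**
     * Grants a role on a set of resource patterns to a principal.
     *
     * <p>Runs the quota check (when a storage service is configured) for the number of requested
     * patterns before the audited delegate call, so a quota rejection is not audited here.
     * The request body is dereferenced before any validation visible in this class; a missing
     * body would surface as a {@link NullPointerException} unless the framework rejects it first.
     *
     * @param securityContext caller identity; its principal name is recorded as the audit actor
     * @param principal target principal, taken from the path
     * @param roleName role to grant, taken from the path
     * @param traceId {@code X-B3-Traceid} header value recorded in the audit entry
     * @param clientIp {@code X-Real-IP} header value recorded in the audit entry
     * @param resourcesRequest body carrying the scope and the resource patterns to bind
     * @throws InterruptedException propagated from the delegate
     * @throws ExecutionException propagated from the delegate
     * @throws TimeoutException propagated from the delegate
     */
    @Path("{principal:.*}/roles/{roleName}/bindings")
    @Consumes({"application/json"})
    @POST
    @PerformanceMetric("v2.add.role.resources.for.principal")
    public void addRoleResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @ValidRole @PathParam("roleName") String roleName, @HeaderParam("X-B3-Traceid") String traceId, @HeaderParam("X-Real-IP") String clientIp, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        AuditLog.Builder auditLogBuilder = AuditLogUtils.auditLogBuilder("GrantRoleResourcesForPrincipal", SecurityMetadataAuthorizer.userPrincipal(securityContext).getName(), resourcesRequest.mdsScope.scope(), traceId, clientIp, API_VERSION, API_PREFIX, principal, roleName, resourcesRequest);
        if (this.storageService != null) {
            // Each requested pattern counts as one new binding against the scope's quota.
            this.rbacQuotaEnforcer.enforceRbacQuotaOnScope(resourcesRequest.mdsScope.scope(), resourcesRequest.resourcePatterns.size());
        }
        try {
            this.delegate.addRoleResourcesForPrincipal(securityContext, principal, roleName, resourcesRequest);
            auditLog(auditLogBuilder, Result.Status.SUCCESS);
        } catch (Exception e) {
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw e;
        }
    }

    /**
     * Revokes a role on a set of resource patterns from a principal.
     *
     * @param securityContext caller identity; its principal name is recorded as the audit actor
     * @param principal target principal, taken from the path
     * @param roleName role to revoke, taken from the path
     * @param traceId {@code X-B3-Traceid} header value recorded in the audit entry
     * @param clientIp {@code X-Real-IP} header value recorded in the audit entry
     * @param resourcesRequest body carrying the scope and the resource patterns to unbind
     * @throws InterruptedException propagated from the delegate
     * @throws ExecutionException propagated from the delegate
     * @throws TimeoutException propagated from the delegate
     */
    @Path("{principal:.*}/roles/{roleName}/bindings")
    @Consumes({"application/json"})
    @DELETE
    @PerformanceMetric("v2.delete.role.resources.for.principal")
    public void deleteRoleResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @ValidRole @PathParam("roleName") String roleName, @HeaderParam("X-B3-Traceid") String traceId, @HeaderParam("X-Real-IP") String clientIp, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        AuditLog.Builder auditLogBuilder = AuditLogUtils.auditLogBuilder("RevokeRoleResourcesForPrincipal", SecurityMetadataAuthorizer.userPrincipal(securityContext).getName(), resourcesRequest.mdsScope.scope(), traceId, clientIp, API_VERSION, API_PREFIX, principal, roleName, resourcesRequest);
        try {
            this.delegate.deleteRoleResourcesForPrincipal(securityContext, principal, roleName, resourcesRequest);
            auditLog(auditLogBuilder, Result.Status.SUCCESS);
        } catch (Exception e) {
            auditLog(auditLogBuilder, Result.Status.FAILURE);
            throw e;
        }
    }
}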
