package io.confluent.rbacapi.utils;

import io.confluent.cloud.rbac.CloudScope;
import io.confluent.cloud.rbac.V2CloudRbacStorageService;
import io.confluent.rbacapi.services.FeatureConfigurationService;
import io.confluent.security.authorizer.Scope;
import javax.ws.rs.ClientErrorException;

/* loaded from: input_file:io/confluent/rbacapi/utils/RBACQuotaEnforcer.class */
public class RBACQuotaEnforcer {
    final FeatureConfigurationService featureConfigurationService;
    final V2CloudRbacStorageService storageService;

    public RBACQuotaEnforcer(FeatureConfigurationService featureConfigurationService, V2CloudRbacStorageService v2CloudRbacStorageService) {
        this.featureConfigurationService = featureConfigurationService;
        this.storageService = v2CloudRbacStorageService;
    }

    public void enforceRbacQuotaOnScope(Scope scope, int i) {
        String organizationResourceId = CloudScope.organizationResourceId(scope);
        String environmentResourceId = CloudScope.environmentResourceId(scope);
        String cloudClusterResourceId = CloudScope.cloudClusterResourceId(scope);
        if (!this.featureConfigurationService.isRbacLimitsEnable(organizationResourceId)) {
            if (this.storageService.countOrganizationCloudRoleBindings(organizationResourceId) + i > this.featureConfigurationService.organizationRoleBindingLimit(organizationResourceId)) {
                throw new ClientErrorException("Too many role bindings in organization.", 402);
            }
        } else if (cloudClusterResourceId == null) {
            if (this.storageService.countOrgEnvCloudRoleBindings(organizationResourceId) + i > Math.min(this.featureConfigurationService.orgEnvRoleBindingLimits(organizationResourceId), 4000)) {
                throw new ClientErrorException("Too many role bindings in organization and environment scope.", 402);
            }
        } else {
            if (this.storageService.countOrgEnvCloudClusterCloudRoleBindings(organizationResourceId, environmentResourceId, cloudClusterResourceId) + i > Math.min(this.featureConfigurationService.cloudClusterRoleBindingLimits(cloudClusterResourceId), 1000)) {
                throw new ClientErrorException("Too many role bindings in CloudCluster: " + cloudClusterResourceId, 402);
            }
        }
    }
}
