package io.confluent.kafka.server.plugins.policy;

import io.confluent.kafka.multitenant.MultiTenantConfigRestrictions;
import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.shaded.io.netty.handler.ssl.Ciphers;
import io.confluent.shaded.org.slf4j.Logger;
import io.confluent.shaded.org.slf4j.LoggerFactory;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import kafka.server.KafkaConfig;
import kafka.server.link.ClusterLinkAlterConfigPolicy;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.errors.PolicyViolationException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.policy.AlterConfigPolicy;

/* loaded from: input_file:io/confluent/kafka/server/plugins/policy/AlterConfigPolicy.class */
public class AlterConfigPolicy implements ClusterLinkAlterConfigPolicy {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AlterConfigPolicy.class);
    private ClusterPolicyConfig clusterPolicyConfig;
    private TopicPolicyConfig topicPolicyConfig;
    private ClusterLinkPolicyConfig clusterLinkPolicyConfig;

    /* loaded from: input_file:io/confluent/kafka/server/plugins/policy/AlterConfigPolicy$ClusterPolicyConfig.class */
    public static class ClusterPolicyConfig extends AbstractPolicyConfig {
        public static final int DEFAULT_NUM_PARTITIONS_MIN = 1;
        public static final int DEFAULT_NUM_PARTITIONS_MAX = 100;
        public static final long DEFAULT_RETENTION_MS_MAX = Long.MAX_VALUE;
        private final boolean alterConfigsEnabled;
        private final Set<String> allowedCipherSuites;
        public static final List<String> DEFAULT_SSL_CIPHER_SUITES_ALLOWED = Arrays.asList(Ciphers.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Ciphers.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384);
        public static final String CONFIG_PREFIX = "confluent.alter.cluster.configs.";
        public static final String NUM_PARTITIONS_MIN_CONFIG = CONFIG_PREFIX + KafkaConfig.NumPartitionsProp() + ".min";
        public static final String NUM_PARTITIONS_MAX_CONFIG = CONFIG_PREFIX + KafkaConfig.NumPartitionsProp() + ".max";
        public static final String RETENTION_MS_MIN_CONFIG = CONFIG_PREFIX + KafkaConfig.LogRetentionTimeMillisProp() + ".min";
        public static final long DEFAULT_RETENTION_MS_MIN = TimeUnit.HOURS.toMillis(1);
        public static final String RETENTION_MS_MAX_CONFIG = CONFIG_PREFIX + KafkaConfig.LogRetentionTimeMillisProp() + ".max";
        public static final String MAX_COMPACTION_LAG_MS_MIN_CONFIG = CONFIG_PREFIX + KafkaConfig.LogCleanerMaxCompactionLagMsProp() + ".min";
        public static final long DEFAULT_MAX_COMPACTION_LAG_MS_MIN = TopicPolicyConfig.DEFAULT_MAX_COMPACTION_LAG_MS_MIN;
        static final String EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG = MultiTenantConfigRestrictions.EXTERNAL_LISTENER_PREFIX + SslConfigs.SSL_CIPHER_SUITES_CONFIG;
        public static final String ALTER_ENABLE_CONFIG = "confluent.alter.cluster.configs.enable";
        public static final String SSL_CIPHER_SUITES_ALLOWED_CONFIG = "confluent.alter.cluster.configs.ssl.cipher.suites.allowed";
        private static final String SSL_CIPHER_SUITES_ALLOWED_DOC = "List of allowed cipher suites for TLS.";
        private static final String NUM_PARTITIONS_MIN_DOC = "The minimum value allowed for the default number of partitions.";
        private static final String NUM_PARTITIONS_MAX_DOC = "The maximum value allowed for the default number of partitions.";
        private static final String RETENTION_MS_MIN_DOC = "The minimum value allowed for retention.ms.";
        private static final String RETENTION_MS_MAX_DOC = "The maximum value allowed for retention.ms.";
        private static final String MAX_COMPACTION_LAG_MS_MIN_DOC = "The minimum value allowed for max.compaction.lag.ms.";
        private static final ConfigDef CONFIG_DEF = new ConfigDef().define(ALTER_ENABLE_CONFIG, ConfigDef.Type.BOOLEAN, false, ConfigDef.Importance.MEDIUM, "Allow AlterConfigs for Broker configs from all listeners").define(SSL_CIPHER_SUITES_ALLOWED_CONFIG, ConfigDef.Type.LIST, DEFAULT_SSL_CIPHER_SUITES_ALLOWED, ConfigDef.Importance.MEDIUM, SSL_CIPHER_SUITES_ALLOWED_DOC).define(NUM_PARTITIONS_MIN_CONFIG, ConfigDef.Type.LONG, 1, ConfigDef.Importance.MEDIUM, NUM_PARTITIONS_MIN_DOC).define(NUM_PARTITIONS_MAX_CONFIG, ConfigDef.Type.LONG, 100, ConfigDef.Importance.MEDIUM, NUM_PARTITIONS_MAX_DOC).define(RETENTION_MS_MIN_CONFIG, ConfigDef.Type.LONG, Long.valueOf(DEFAULT_RETENTION_MS_MIN), ConfigDef.Importance.MEDIUM, RETENTION_MS_MIN_DOC).define(RETENTION_MS_MAX_CONFIG, ConfigDef.Type.LONG, Long.MAX_VALUE, ConfigDef.Importance.MEDIUM, RETENTION_MS_MAX_DOC).define(MAX_COMPACTION_LAG_MS_MIN_CONFIG, ConfigDef.Type.LONG, Long.valueOf(DEFAULT_MAX_COMPACTION_LAG_MS_MIN), ConfigDef.Importance.MEDIUM, MAX_COMPACTION_LAG_MS_MIN_DOC);

        ClusterPolicyConfig(Map<String, ?> map) {
            super(CONFIG_DEF, map);
            this.allowedCipherSuites = new HashSet();
            this.alterConfigsEnabled = getBoolean(ALTER_ENABLE_CONFIG).booleanValue();
            this.allowedCipherSuites.addAll(getList(SSL_CIPHER_SUITES_ALLOWED_CONFIG));
        }

        public void validateBrokerConfigs(AlterConfigPolicy.RequestMetadata requestMetadata) {
            if (!this.alterConfigsEnabled) {
                throw AlterConfigPolicy.configUpdateNotAllowed(requestMetadata);
            }
            if (!requestMetadata.resource().name().isEmpty()) {
                AlterConfigPolicy.log.debug("Not allowing update of BROKER configs for broker {}, we only support config updates for all brokers.", requestMetadata.resource().name());
                throw new PolicyViolationException("`ConfigResource.name` must be empty when updating broker configs in order to update the configuration of all brokers consistently.");
            }
            Map<String, String> configs = requestMetadata.configs();
            PolicyUtils.validateConfigsAreUpdatable(configs, str -> {
                return MultiTenantConfigRestrictions.UPDATABLE_BROKER_CONFIGS.contains(str);
            });
            if (configs.containsKey(KafkaConfig.LogRetentionTimeMillisProp()) && Long.parseLong(configs.get(KafkaConfig.LogRetentionTimeMillisProp())) != -1) {
                checkPolicyMin(configs, RETENTION_MS_MIN_CONFIG, KafkaConfig.LogRetentionTimeMillisProp());
                checkPolicyMax(configs, RETENTION_MS_MAX_CONFIG, KafkaConfig.LogRetentionTimeMillisProp());
            }
            checkPolicyMin(configs, NUM_PARTITIONS_MIN_CONFIG, KafkaConfig.NumPartitionsProp());
            checkPolicyMax(configs, NUM_PARTITIONS_MAX_CONFIG, KafkaConfig.NumPartitionsProp());
            checkSslCiphers(configs);
            checkPolicyMin(configs, MAX_COMPACTION_LAG_MS_MIN_CONFIG, KafkaConfig.LogCleanerMaxCompactionLagMsProp());
        }

        private void checkSslCiphers(Map<String, String> map) {
            List<String> parseList = parseList(map, EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG);
            if (parseList != null && parseList.stream().anyMatch(str -> {
                return !this.allowedCipherSuites.contains(str.toUpperCase(Locale.ROOT));
            })) {
                throw new PolicyViolationException(invalidCipherSuiteMessage(this.allowedCipherSuites, map.get(EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG)));
            }
        }

        public static String invalidCipherSuiteMessage(Collection<String> collection, String str) {
            return EXTERNAL_LISTENER_SSL_CIPHER_SUITES_CONFIG + "=" + str + " contains one or more invalid cipher suites. Allowed cipher suites: " + collection;
        }
    }

    public void configure(Map<String, ?> map) {
        this.clusterPolicyConfig = new ClusterPolicyConfig(map);
        this.topicPolicyConfig = new TopicPolicyConfig(map);
        this.clusterLinkPolicyConfig = new ClusterLinkPolicyConfig(map);
    }

    public void validate(AlterConfigPolicy.RequestMetadata requestMetadata) throws PolicyViolationException {
        KafkaPrincipal principal = requestMetadata.principal();
        if (principal == null) {
            throw new IllegalArgumentException("Request principal not provided to validate alter policy");
        }
        if (!(principal instanceof MultiTenantPrincipal)) {
            log.info("Allowing update of configs using principal {}", principal);
            return;
        }
        switch (requestMetadata.resource().type()) {
            case TOPIC:
                log.trace("Validating request to update configs using principal {}", principal);
                this.topicPolicyConfig.validateTopicConfigs(requestMetadata.configs());
                return;
            case BROKER:
                this.clusterPolicyConfig.validateBrokerConfigs(requestMetadata);
                return;
            case CLUSTER_LINK:
                this.clusterLinkPolicyConfig.validateClusterLinkConfigs(requestMetadata.configs());
                return;
            default:
                throw configUpdateNotAllowed(requestMetadata);
        }
    }

    public void clusterLinkValidateTopicConfigs(Map<String, String> map) {
        this.topicPolicyConfig.validateTopicConfigs(map);
    }

    public Map<String, String> clusterLinkRestrictTopicConfigs(Map<String, String> map) {
        return this.topicPolicyConfig.restrictTopicConfigs(map);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static PolicyViolationException configUpdateNotAllowed(AlterConfigPolicy.RequestMetadata requestMetadata) {
        log.debug("Not allowing update of {} configs using principal {}", requestMetadata.resource().type(), requestMetadata.principal());
        return new PolicyViolationException("Altering resources of type " + requestMetadata.resource().type() + " is not permitted");
    }

    public void close() {
    }
}
