package io.confluent.security.authorizer;

import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.AuditLogProvider;
import io.confluent.security.authorizer.provider.AuthorizationLogData;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.DefaultAuditLogProvider;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.authorizer.provider.MetadataProvider;
import io.confluent.security.authorizer.provider.Provider;
import io.confluent.security.authorizer.provider.ProviderFailedException;
import io.confluent.security.authorizer.utils.ThreadUtils;
import java.time.Duration;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.kafka.common.errors.TimeoutException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/authorizer/EmbeddedAuthorizer.class */
public class EmbeddedAuthorizer implements Authorizer {
    protected static final Logger log = LoggerFactory.getLogger("kafka.authorizer.logger");
    private GroupProvider groupProvider;
    private List<AccessRuleProvider> accessRuleProviders;
    private AuditLogProvider auditLogProvider;
    protected ConfluentAuthorizerConfig authorizerConfig;
    private MetadataProvider metadataProvider;
    private boolean allowEveryoneIfNoAcl;
    protected String interBrokerListener;
    private Duration initTimeout;
    private volatile boolean ready;
    private volatile String clusterId;
    protected final Set<Provider> providersCreated = new HashSet();
    private Set<KafkaPrincipal> superUsers = Collections.emptySet();
    protected Set<KafkaPrincipal> brokerUsers = Collections.emptySet();
    private volatile Scope scope = Scope.ROOT_SCOPE;

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.authorizerConfig = new ConfluentAuthorizerConfig(map);
        this.allowEveryoneIfNoAcl = this.authorizerConfig.allowEveryoneIfNoAcl;
        this.superUsers = this.authorizerConfig.superUsers;
        this.brokerUsers = this.authorizerConfig.brokerUsers;
    }

    public void configureServerInfo(AuthorizerServerInfo authorizerServerInfo) {
        this.clusterId = authorizerServerInfo.clusterResource().clusterId();
        log.debug("Configuring scope for Kafka cluster with cluster id {}", this.clusterId);
        this.scope = Scope.kafkaClusterScope(this.clusterId);
        this.interBrokerListener = authorizerServerInfo.interBrokerEndpoint().listenerName().get();
        ConfluentAuthorizerConfig.Providers createProviders = this.authorizerConfig.createProviders(this.clusterId);
        this.providersCreated.addAll(createProviders.accessRuleProviders);
        if (createProviders.groupProvider != null) {
            this.providersCreated.add(createProviders.groupProvider);
        }
        if (createProviders.metadataProvider != null) {
            this.providersCreated.add(createProviders.metadataProvider);
        }
        if (createProviders.auditLogProvider != null) {
            this.providersCreated.add(createProviders.auditLogProvider);
        }
        configureProviders(createProviders.accessRuleProviders, createProviders.groupProvider, createProviders.metadataProvider, createProviders.auditLogProvider);
    }

    @Override // io.confluent.security.authorizer.Authorizer
    public List<AuthorizeResult> authorize(RequestContext requestContext, List<Action> list) {
        return (List) list.stream().map(action -> {
            return authorize(requestContext, action);
        }).collect(Collectors.toList());
    }

    public GroupProvider groupProvider() {
        return this.groupProvider;
    }

    public AccessRuleProvider accessRuleProvider(String str) {
        Optional<AccessRuleProvider> findFirst = this.accessRuleProviders.stream().filter(accessRuleProvider -> {
            return accessRuleProvider.providerName().equals(str);
        }).findFirst();
        if (findFirst.isPresent()) {
            return findFirst.get();
        }
        throw new IllegalArgumentException("Access rule provider not found: " + str);
    }

    public MetadataProvider metadataProvider() {
        return this.metadataProvider;
    }

    protected List<AccessRuleProvider> accessRuleProviders() {
        return this.accessRuleProviders;
    }

    public AuditLogProvider auditLogProvider() {
        return this.auditLogProvider;
    }

    public CompletableFuture<Void> start(AuthorizerServerInfo authorizerServerInfo, Map<String, ?> map, Runnable runnable) {
        this.initTimeout = this.authorizerConfig.initTimeout;
        HashSet hashSet = new HashSet();
        if (this.groupProvider != null) {
            hashSet.add(this.groupProvider);
        }
        hashSet.addAll(this.accessRuleProviders);
        if (this.metadataProvider != null) {
            hashSet.add(this.metadataProvider);
        }
        List list = (List) hashSet.stream().map(provider -> {
            return provider.start(authorizerServerInfo, map);
        }).map((v0) -> {
            return v0.toCompletableFuture();
        }).collect(Collectors.toList());
        CompletableFuture<Void> futureOrTimeout = futureOrTimeout(CompletableFuture.allOf((CompletableFuture[]) list.toArray(new CompletableFuture[list.size()])).thenAccept(r4 -> {
            this.ready = true;
        }).thenRunAsync(runnable).thenAccept(r7 -> {
            this.auditLogProvider.start(authorizerServerInfo, map);
        }), this.initTimeout);
        if (!((this.groupProvider != null && this.groupProvider.usesMetadataFromThisKafkaCluster()) || (this.metadataProvider != null && this.metadataProvider.usesMetadataFromThisKafkaCluster()) || this.accessRuleProviders.stream().anyMatch((v0) -> {
            return v0.usesMetadataFromThisKafkaCluster();
        }) || this.auditLogProvider.usesMetadataFromThisKafkaCluster())) {
            futureOrTimeout.join();
        }
        return futureOrTimeout;
    }

    protected void configureProviders(List<AccessRuleProvider> list, GroupProvider groupProvider, MetadataProvider metadataProvider, AuditLogProvider auditLogProvider) {
        this.accessRuleProviders = list;
        this.groupProvider = groupProvider;
        this.metadataProvider = metadataProvider;
        this.auditLogProvider = auditLogProvider == null ? new DefaultAuditLogProvider() : auditLogProvider;
    }

    protected boolean ready() {
        return this.ready;
    }

    protected boolean isSuperUser(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, Action action) {
        return this.superUsers.contains(kafkaPrincipal2);
    }

    private AuthorizeResult authorize(RequestContext requestContext, Action action) {
        AuthorizePolicy authorize;
        try {
            KafkaPrincipal principal = requestContext.principal();
            String hostAddress = requestContext.clientAddress().getHostAddress();
            KafkaPrincipal userPrincipal = userPrincipal(principal);
            if (isSuperUser(principal, userPrincipal, action)) {
                log.debug("principal = {} is a super user, allowing operation without checking any providers.", userPrincipal);
                authorize = new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_USER, userPrincipal);
            } else {
                Set<KafkaPrincipal> groups = this.groupProvider.groups(principal);
                Optional<KafkaPrincipal> findFirst = groups.stream().filter(kafkaPrincipal -> {
                    return isSuperUser(principal, kafkaPrincipal, action);
                }).findFirst();
                if (findFirst.isPresent()) {
                    log.debug("principal = {} belongs to super group {}, allowing operation without checking acls.", userPrincipal, findFirst.get());
                    authorize = new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_GROUP, findFirst.get());
                } else {
                    authorize = authorize(principal, groups, hostAddress, action);
                }
            }
            AuthorizeResult authorizeResult = authorize.policyType().accessGranted() ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED;
            try {
                logAuditMessage(this.scope, requestContext, action, authorizeResult, authorize);
            } catch (Exception e) {
                log.error("Failed to log Audit message.\n  scope: {}\n  context: {}\n  principal: {}\n  action: {}\n  result: {}\n  policy: {}", this.scope, requestContext, requestContext.principal(), action, authorizeResult, authorize, e);
            }
            return authorizeResult;
        } catch (InvalidScopeException e2) {
            log.error("Authorizer failed with unknown scope: {}", action.scope(), e2);
            return AuthorizeResult.UNKNOWN_SCOPE;
        } catch (ProviderFailedException e3) {
            log.error("Authorization provider has failed", (Throwable) e3);
            return AuthorizeResult.AUTHORIZER_FAILED;
        } catch (Throwable th) {
            log.error("Authorization failed with unexpected exception", th);
            return AuthorizeResult.UNKNOWN_ERROR;
        }
    }

    private AuthorizePolicy authorize(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        Scope scope = action.scope();
        if (this.accessRuleProviders.stream().anyMatch(accessRuleProvider -> {
            return accessRuleProvider.isSuperUser(kafkaPrincipal, scope);
        })) {
            return new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_USER, kafkaPrincipal);
        }
        Optional<KafkaPrincipal> findAny = set.stream().filter(kafkaPrincipal2 -> {
            return this.accessRuleProviders.stream().anyMatch(accessRuleProvider2 -> {
                return accessRuleProvider2.isSuperUser(kafkaPrincipal2, scope);
            });
        }).findAny();
        if (findAny.isPresent()) {
            return new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_GROUP, findAny.get());
        }
        ResourcePattern resourcePattern = action.resourcePattern();
        Operation operation = action.operation();
        AuthorizeRule authorizeRule = new AuthorizeRule();
        this.accessRuleProviders.stream().filter((v0) -> {
            return v0.mayDeny();
        }).forEach(accessRuleProvider2 -> {
            authorizeRule.add(accessRuleProvider2.findRule(kafkaPrincipal, set, str, action));
        });
        Optional<AuthorizePolicy> aclMatch = aclMatch(operation, resourcePattern, str, PermissionType.DENY, authorizeRule);
        if (aclMatch.isPresent()) {
            return aclMatch.get();
        }
        this.accessRuleProviders.stream().filter(accessRuleProvider3 -> {
            return !accessRuleProvider3.mayDeny();
        }).forEach(accessRuleProvider4 -> {
            authorizeRule.add(accessRuleProvider4.findRule(kafkaPrincipal, set, str, action));
        });
        Optional<AuthorizePolicy> aclMatch2 = aclMatch(operation, resourcePattern, str, PermissionType.ALLOW, authorizeRule);
        return aclMatch2.isPresent() ? aclMatch2.get() : aclMatch2.orElse(authorizePolicyWithNoMatchingRule(resourcePattern, authorizeRule));
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        log.debug("Closing embedded authorizer");
        AtomicReference atomicReference = new AtomicReference();
        this.providersCreated.forEach(provider -> {
            Utils.closeQuietly(provider, provider.providerName(), atomicReference);
        });
        Throwable th = (Throwable) atomicReference.getAndSet(null);
        if (th != null) {
            log.error("Failed to close authorizer cleanly", th);
        }
    }

    protected Scope scope() {
        return this.scope;
    }

    private Optional<AuthorizePolicy> aclMatch(Operation operation, ResourcePattern resourcePattern, String str, PermissionType permissionType, AuthorizeRule authorizeRule) {
        Optional<AccessRule> denyRule = authorizeRule.denyRule().isPresent() ? authorizeRule.denyRule() : authorizeRule.allowRule();
        denyRule.ifPresent(accessRule -> {
            log.debug("operation = {} on resource = {} from host = {} is {} based on policy = {}", operation, resourcePattern, str, permissionType, accessRule);
        });
        return denyRule.map(Function.identity());
    }

    private AuthorizePolicy authorizePolicyWithNoMatchingRule(ResourcePattern resourcePattern, AuthorizeRule authorizeRule) {
        if (!authorizeRule.noResourceAcls()) {
            return AuthorizePolicy.NO_MATCHING_RULE;
        }
        log.debug("No acl found for resource {}, authorized = {}", resourcePattern, Boolean.valueOf(this.allowEveryoneIfNoAcl));
        return this.allowEveryoneIfNoAcl ? AuthorizePolicy.ALLOW_ON_NO_RULE : AuthorizePolicy.DENY_ON_NO_RULE;
    }

    private KafkaPrincipal userPrincipal(KafkaPrincipal kafkaPrincipal) {
        return kafkaPrincipal.getClass() != KafkaPrincipal.class ? new KafkaPrincipal(kafkaPrincipal.getPrincipalType(), kafkaPrincipal.getName()) : kafkaPrincipal;
    }

    protected void logAuditMessage(Scope scope, RequestContext requestContext, Action action, AuthorizeResult authorizeResult, AuthorizePolicy authorizePolicy) {
        this.auditLogProvider.logAuthorization(new AuthorizationLogData(scope, requestContext, action, authorizeResult, authorizePolicy));
    }

    CompletableFuture<Void> futureOrTimeout(CompletableFuture<Void> completableFuture, Duration duration) {
        if (completableFuture.isDone()) {
            return completableFuture;
        }
        CompletableFuture completableFuture2 = new CompletableFuture();
        ScheduledExecutorService newSingleThreadScheduledExecutor = Executors.newSingleThreadScheduledExecutor(ThreadUtils.createThreadFactory("authorizer-%d", true));
        newSingleThreadScheduledExecutor.schedule(() -> {
            completableFuture2.completeExceptionally(new TimeoutException("Authorizer did not start up within timeout " + duration.toMillis() + " ms."));
        }, duration.toMillis(), TimeUnit.MILLISECONDS);
        return CompletableFuture.anyOf(completableFuture, completableFuture2).thenApply(obj -> {
            return (Void) null;
        }).whenComplete((BiConsumer<? super U, ? super Throwable>) (r3, th) -> {
            newSingleThreadScheduledExecutor.shutdownNow();
        });
    }
}
