package io.confluent.rbacapi.services;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.rbacapi.entities.ManagedRoleBindings;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.rbacapi.utils.RoleUtils;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.Role;
import io.confluent.security.rbac.RoleBinding;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/services/ManagedRoleBindingsBuilder.class */
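/**
 * Builds the {@link ManagedRoleBindings} view of a scope: the role bindings in that scope that a
 * given principal is permitted to see, each flagged with whether the principal may also alter it.
 *
 * <p>Visibility is decided by the {@link ClusterPermissions} computed for the principal (and, for
 * user principals, the groups the {@link AuthCache} reports for it). A binding that fails the
 * describe check is left out of the result rather than returned with a "denied" marker.
 */
public class ManagedRoleBindingsBuilder {
    private final AuthCache authCache;
    private final ClusterPermissionsBuilder clusterPermissionsBuilder;

    /**
     * Creates a builder that evaluates permissions with a default {@link ClusterPermissionsBuilder}.
     *
     * @param authCache source of role definitions, role bindings and group membership
     */
    public ManagedRoleBindingsBuilder(AuthCache authCache) {
        this(authCache, new ClusterPermissionsBuilder());
    }

    /**
     * Creates a builder with an explicit permissions builder, so tests can substitute their own.
     *
     * @param authCache source of role definitions, role bindings and group membership
     * @param clusterPermissionsBuilder computes the principal's describe/alter permissions
     */
    @VisibleForTesting
    ManagedRoleBindingsBuilder(AuthCache authCache, ClusterPermissionsBuilder clusterPermissionsBuilder) {
        this.authCache = authCache;
        this.clusterPermissionsBuilder = clusterPermissionsBuilder;
    }

    /**
     * Collects the role bindings in {@code scope} that {@code kafkaPrincipal} may describe.
     *
     * <p>Resource-scoped roles are filtered per resource pattern: a pattern is included only if it
     * matches {@code resourceType} and passes {@code canDescribeAccess(pattern)}; its alter flag
     * comes from {@code canAlterAccess(pattern)}. Roles without resource scope are included only
     * when the principal has describe access for {@link ResourceType#ALL}, and carry the
     * {@link ResourceType#ALL} alter flag.
     *
     * <p>NOTE(review): the result is an authorization-filtered view, so {@code kafkaPrincipal} is
     * presumably the authenticated caller; confirm at the call site that it is not taken from
     * request input.
     *
     * @param scope scope whose bindings are listed
     * @param kafkaPrincipal principal whose permissions decide what is visible
     * @param resourceType resource type to restrict resource-scoped bindings to;
     *     {@link ResourceType#ALL} disables the restriction
     * @return the visible bindings; empty (but never {@code null}) when the scope has no bindings
     */
    public ManagedRoleBindings build(Scope scope, KafkaPrincipal kafkaPrincipal, ResourceType resourceType) {
        ManagedRoleBindings visibleBindings = new ManagedRoleBindings(scope);
        Set<RoleBinding> scopeBindings = this.authCache.rbacRoleBindings(scope);
        if (scopeBindings.isEmpty()) {
            return visibleBindings;
        }

        Map<String, Role> rolesByName = RoleUtils.mapRolesByName(this.authCache.rbacRoles().roles());
        // Permissions are computed from the subset of roles selected by filterByDescribeAccess(),
        // while the loop below still resolves bindings against the full role map.
        Map<String, Role> describeRolesByName =
                RoleUtils.mapRolesByName(rolesByName.values(), RoleAccessUtils.filterByDescribeAccess());
        ClusterPermissions permissions = this.clusterPermissionsBuilder.build(
                describeRolesByName, getPrincipalAndGroups(kafkaPrincipal), scope, resourceType, scopeBindings);

        // Cluster-level decisions do not depend on the individual binding, so evaluate them once.
        boolean canDescribeCluster = permissions.canDescribeAccess(ResourceType.ALL);
        boolean canAlterCluster = permissions.canAlterAccess(ResourceType.ALL);

        for (RoleBinding roleBinding : scopeBindings) {
            Role role = rolesByName.get(roleBinding.role());
            if (role == null) {
                // The binding names a role that is not in the cache's role definitions; it is
                // omitted from the result without any error or log entry.
                continue;
            }
            if (role.hasResourceScope()) {
                roleBinding.resources().stream()
                        .filter(byResourceType(resourceType))
                        .filter(pattern -> permissions.canDescribeAccess(pattern))
                        .map(pattern -> new ManagedRoleBindings.ManagedResourceBinding(
                                role.name(), pattern, permissions.canAlterAccess(pattern)))
                        .forEach(binding -> visibleBindings.add(roleBinding.principal(), binding));
            } else if (canDescribeCluster) {
                visibleBindings.add(
                        roleBinding.principal(),
                        new ManagedRoleBindings.ManagedClusterBinding(role.name(), canAlterCluster));
            }
        }
        return visibleBindings;
    }

    /**
     * Returns a predicate that accepts every pattern when {@code resourceType} is
     * {@link ResourceType#ALL}, and otherwise only patterns of exactly that resource type.
     */
    private static Predicate<ResourcePattern> byResourceType(ResourceType resourceType) {
        return pattern ->
                resourceType.equals(ResourceType.ALL) || pattern.resourceType().equals(resourceType);
    }

    /**
     * Returns the principal itself plus, when its type is {@link KafkaPrincipal#USER_TYPE}, the
     * groups the {@link AuthCache} reports for it. Principals of any other type are not expanded.
     */
    private Set<KafkaPrincipal> getPrincipalAndGroups(KafkaPrincipal kafkaPrincipal) {
        // Typed set instead of a raw HashSet, so only KafkaPrincipal values can be added.
        Set<KafkaPrincipal> principals = new HashSet<>();
        principals.add(kafkaPrincipal);
        if (StringUtils.equals(KafkaPrincipal.USER_TYPE, kafkaPrincipal.getPrincipalType())) {
            principals.addAll(this.authCache.groups(kafkaPrincipal));
        }
        return principals;
    }
}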
