package io.confluent.rbacapi.resources;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.services.RoleBindingProcessing;
import io.confluent.rbacapi.validation.V1ValidOperation;
import io.confluent.rbacapi.validation.V1ValidPrincipal;
import io.confluent.rbacapi.validation.V1ValidResourceType;
import io.confluent.rbacapi.validation.V1ValidScope;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * JAX-RS resource rooted at {@code /1.0/lookup} that returns the
 * {@link RoleBindingProcessing.OperationGuidelines} for a principal, a resource type
 * and an operation within a scope.
 *
 * <p>The positional parameter names ({@code str}, {@code str2}, {@code str3}) look like
 * decompiler output; they are kept as-is and aliased to descriptive locals inside the method.
 */
@Produces({"application/json"})
@Path("/1.0/lookup")
public class OperationsResource {
    private static final Logger log = LoggerFactory.getLogger(OperationsResource.class);

    private final RoleBindingProcessing roleBindingProcessing;
    private final SecurityMetadataAuthorizer metadataAuthorizer;

    /**
     * Creates the resource with its two collaborators.
     *
     * @param roleBindingProcessing service that produces the operation guidelines
     * @param securityMetadataAuthorizer authorizer consulted before any lookup is performed
     */
    public OperationsResource(RoleBindingProcessing roleBindingProcessing, SecurityMetadataAuthorizer securityMetadataAuthorizer) {
        this.metadataAuthorizer = securityMetadataAuthorizer;
        this.roleBindingProcessing = roleBindingProcessing;
    }

    /**
     * Handles {@code POST principal/{principal}/resource/{resourceType}/operation/{operation}}.
     * The path template only matches the operations {@code Create} and {@code AlterAccess}.
     *
     * <p>Order of work: the principal is parsed, the caller is authorized for
     * {@link SecurityMetadataAuthorizer#DESCRIBE} on that principal in the given scope, and only
     * then is the resource type checked and the lookup delegated.
     *
     * @param securityContext identity of the caller, injected by the container
     * @param str resource type taken from the path; must not equal {@code ResourceType.ALL}
     *     (compared case-insensitively)
     * @param str2 principal string taken from the path, parsed with
     *     {@link SecurityUtils#parseKafkaPrincipal(String)}
     * @param str3 operation name taken from the path
     * @param scope scope supplied as the request entity
     * @return the guidelines computed by {@link RoleBindingProcessing}
     * @throws RuntimeException if the resource type names {@code ResourceType.ALL}
     */
    @Path("principal/{principal}/resource/{resourceType}/operation/{operation:Create|AlterAccess}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public RoleBindingProcessing.OperationGuidelines lookupPrincipalsWithRoleOnResource(@Context SecurityContext securityContext, @PathParam("resourceType") @V1ValidResourceType String str, @V1ValidPrincipal @PathParam("principal") String str2, @PathParam("operation") @V1ValidOperation String str3, @V1ValidScope Scope scope) {
        final String resourceTypeName = str;
        final String principalText = str2;
        final String operationName = str3;

        final KafkaPrincipal targetPrincipal = SecurityUtils.parseKafkaPrincipal(principalText);

        // Authorization runs before the resource-type check below.
        // NOTE(review): presumably this call throws when the caller may not describe the
        // target principal ("AllowDescribeSelf" suggests a caller may always describe itself);
        // its return value, if any, is not consulted here. Confirm against the authorizer.
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(
                securityContext, scope, targetPrincipal, SecurityMetadataAuthorizer.DESCRIBE);

        final boolean wildcardRequested = resourceTypeName.equalsIgnoreCase(ResourceType.ALL.name());
        if (!wildcardRequested) {
            final ResourceType resourceType = new ResourceType(resourceTypeName);
            final Operation operation = new Operation(operationName);
            return this.roleBindingProcessing.guidelines(targetPrincipal, resourceType, scope, operation);
        }

        // NOTE(review): this is a plain RuntimeException whose message echoes the
        // caller-supplied value. The HTTP status and response body the client sees depend on
        // exception mappers that are not visible in this file; confirm that a rejected input
        // is reported as a client error and that the echoed value is safely encoded.
        throw new RuntimeException("Invalid resource type: " + resourceTypeName);
    }
}
