package io.confluent.controlcenter.data;

import com.google.common.base.Preconditions;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.util.concurrent.UncheckedExecutionException;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.controlcenter.data.PermissionsService;
import io.confluent.controlcenter.rest.Credential;
import io.confluent.controlcenter.rest.res.AllPermissionsResponse;
import io.confluent.controlcenter.rest.res.KafkaCluster;
import io.confluent.controlcenter.util.ScopeUtils;
import io.confluent.rbacapi.utils.RbacOperations;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.ws.rs.InternalServerErrorException;
import org.apache.kafka.common.acl.AclOperation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/data/RbacPermissionsService.class */
public class RbacPermissionsService extends AbstractPermissionsService {
    private static final String C3_BROKER_METRICS = "ControlCenterBrokerMetrics";
    private static final String C3_ALERTS = "ControlCenterAlerts";
    private static final long MDS_CLUSTER_ID_EXPIRE_MS = 600000;
    private static final long USER_CACHE_MAX_SIZE = 30;
    private static final long USER_CACHE_EXPIRE_TIME_MS = 1000;
    private final ClusterMetadataDao clusterMetadataDao;
    private final KafkaMetadataDao kafkaMetadataDao;
    private final MetadataServiceClient mdsClient;
    private final Supplier<String> mdsClusterIdSupplier;
    private final LoadingCache<JwtPrincipal, AllPermissionsResponse> principalOperationsCache;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) RbacPermissionsService.class);
    protected static final Function<Scope, List<Action>> BROKER_METRICS = scope -> {
        return ImmutableList.of(new Action(scope, new ResourceType(C3_BROKER_METRICS), C3_BROKER_METRICS, new Operation("Read")));
    };
    protected static final Function<Scope, List<Action>> ALERTS = scope -> {
        return ImmutableList.of(new Action(scope, new ResourceType(C3_ALERTS), C3_ALERTS, new Operation("Write")));
    };
    protected static final Function<Scope, List<Action>> LICENSE_MANAGEMENT = scope -> {
        return ImmutableList.of(new Action(scope, new ResourceType(RbacOperations.ALL), RbacOperations.ALL, new Operation(RbacOperations.ALL)));
    };
    protected static final Map<PermissionsService.ControlCenterOperation, Function<Scope, List<Action>>> ALL_SCOPED_OPERATIONS = ImmutableMap.of(PermissionsService.ControlCenterOperation.VIEW_BROKER_METRICS, BROKER_METRICS, PermissionsService.ControlCenterOperation.CLUSTER_ALERTS, ALERTS);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/controlcenter/data/RbacPermissionsService$ClusterControlCenterOperation.class */
    public static class ClusterControlCenterOperation {
        public final String clusterId;
        public final PermissionsService.ControlCenterOperation operation;

        public ClusterControlCenterOperation(String str, PermissionsService.ControlCenterOperation controlCenterOperation) {
            this.clusterId = str;
            this.operation = controlCenterOperation;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            ClusterControlCenterOperation clusterControlCenterOperation = (ClusterControlCenterOperation) obj;
            return Objects.equals(this.clusterId, clusterControlCenterOperation.clusterId) && this.operation == clusterControlCenterOperation.operation;
        }

        public int hashCode() {
            return Objects.hash(this.clusterId, this.operation);
        }
    }

    /* JADX WARN: 'this' call moved to the top of the method (can break code semantics) */
    public RbacPermissionsService(ClusterMetadataDao clusterMetadataDao, KafkaMetadataDao kafkaMetadataDao, MetadataServiceClient metadataServiceClient) {
        this(clusterMetadataDao, kafkaMetadataDao, metadataServiceClient, Suppliers.memoizeWithExpiration(metadataServiceClient::getMetadataServiceKafkaId, 600000L, TimeUnit.MILLISECONDS), CacheBuilder.newBuilder().maximumSize(USER_CACHE_MAX_SIZE).expireAfterWrite(1000L, TimeUnit.MILLISECONDS));
        metadataServiceClient.getClass();
    }

    public RbacPermissionsService(ClusterMetadataDao clusterMetadataDao, KafkaMetadataDao kafkaMetadataDao, MetadataServiceClient metadataServiceClient, Supplier<String> supplier, CacheBuilder<Object, Object> cacheBuilder) {
        this.clusterMetadataDao = clusterMetadataDao;
        this.kafkaMetadataDao = kafkaMetadataDao;
        this.mdsClient = metadataServiceClient;
        this.mdsClusterIdSupplier = supplier;
        this.principalOperationsCache = cacheBuilder.build(new CacheLoader<JwtPrincipal, AllPermissionsResponse>() { // from class: io.confluent.controlcenter.data.RbacPermissionsService.1
            @Override // com.google.common.cache.CacheLoader
            public AllPermissionsResponse load(@Nonnull JwtPrincipal jwtPrincipal) throws InterruptedException, ExecutionException, TimeoutException {
                return RbacPermissionsService.this.getAllOperationsInternal(jwtPrincipal);
            }
        });
    }

    @Override // io.confluent.controlcenter.data.AbstractPermissionsService, io.confluent.controlcenter.data.PermissionsService
    public AllPermissionsResponse getAllOperations(JwtPrincipal jwtPrincipal) {
        Preconditions.checkArgument(jwtPrincipal != null);
        try {
            return this.principalOperationsCache.get(jwtPrincipal);
        } catch (UncheckedExecutionException | ExecutionException e) {
            log.error("Exception trying to fetch permissions for user {}. This will result in no access. Check that MDS is up and running.", jwtPrincipal.getName(), e.getCause());
            throw new InternalServerErrorException();
        }
    }

    @Override // io.confluent.controlcenter.data.PermissionsService
    public <T> Set<T> getAllVisible(JwtPrincipal jwtPrincipal, Map<T, Scope> map) {
        return this.mdsClient.visibility(jwtPrincipal.getName(), jwtPrincipal.getJwt(), map);
    }

    @Override // io.confluent.controlcenter.data.PermissionsService
    public <T> Set<T> authorizeAll(JwtPrincipal jwtPrincipal, Map<T, List<Action>> map) {
        return this.mdsClient.authorize(jwtPrincipal.getName(), jwtPrincipal.getJwt(), map);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public AllPermissionsResponse getAllOperationsInternal(JwtPrincipal jwtPrincipal) {
        String str = this.mdsClusterIdSupplier.get();
        Set<KafkaCluster> allVisible = getAllVisible(jwtPrincipal, (Map) this.clusterMetadataDao.getKafkaClusters().stream().collect(Collectors.toMap(kafkaCluster -> {
            return kafkaCluster;
        }, kafkaCluster2 -> {
            return ScopeUtils.buildKafkaScope(kafkaCluster2.clusterId);
        })));
        HashMap hashMap = new HashMap();
        for (KafkaCluster kafkaCluster3 : allVisible) {
            for (Map.Entry<PermissionsService.ControlCenterOperation, Function<Scope, List<Action>>> entry : ALL_SCOPED_OPERATIONS.entrySet()) {
                hashMap.put(new ClusterControlCenterOperation(kafkaCluster3.clusterId, entry.getKey()), entry.getValue().apply(Scope.kafkaClusterScope(kafkaCluster3.clusterId)));
            }
        }
        hashMap.put(new ClusterControlCenterOperation(str, PermissionsService.ControlCenterOperation.VIEW_LICENSE_MANAGEMENT), LICENSE_MANAGEMENT.apply(ScopeUtils.buildKafkaScope(str)));
        Set<ClusterControlCenterOperation> authorizeAll = authorizeAll(jwtPrincipal, hashMap);
        HashMap hashMap2 = new HashMap();
        HashSet hashSet = new HashSet();
        for (ClusterControlCenterOperation clusterControlCenterOperation : authorizeAll) {
            if (clusterControlCenterOperation.operation.equals(PermissionsService.ControlCenterOperation.VIEW_LICENSE_MANAGEMENT) && clusterControlCenterOperation.clusterId.equals(str)) {
                hashSet.add(clusterControlCenterOperation.operation);
            } else {
                ((Set) hashMap2.computeIfAbsent(clusterControlCenterOperation.clusterId, str2 -> {
                    return new HashSet();
                })).add(clusterControlCenterOperation.operation);
            }
        }
        for (KafkaCluster kafkaCluster4 : allVisible) {
            Set set = (Set) hashMap2.computeIfAbsent(kafkaCluster4.clusterId, str3 -> {
                return new HashSet();
            });
            try {
                if (this.kafkaMetadataDao.getAuthorizedOperations(Credential.makeCredentialFromJwtOrNullPrincipal(kafkaCluster4.clusterId, jwtPrincipal)).contains(AclOperation.ALTER_CONFIGS)) {
                    set.add(PermissionsService.ControlCenterOperation.VIEW_CLUSTER_SETTINGS);
                }
            } catch (Exception e) {
                log.error("Could not get authorized operations for user {} from kafka-cluster {}. This may result in lowered access. Error type/message : \"{} : {}\"", jwtPrincipal.getName(), kafkaCluster4.clusterId, e.getClass().getName(), e.getMessage());
            }
        }
        return new AllPermissionsResponse(hashMap2, hashSet);
    }
}
