package io.confluent.kafka.security.authorizer.acl;

import io.confluent.security.authorizer.AccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.EmbeddedAuthorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.PermissionType;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import kafka.security.authorizer.AclAuthorizer;
import kafka.security.authorizer.AclEntry;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.metrics.Sensor;
import org.apache.kafka.common.metrics.stats.Meter;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;

/* loaded from: input_file:io/confluent/kafka/security/authorizer/acl/AclProvider.class */
public class AclProvider extends AclAuthorizer implements AccessRuleProvider {

    /**
     * Meter for ZooKeeper ACL cache updates. Remains {@code null} until
     * {@link #start(ConfluentAuthorizerServerInfo, Map)} has run, which is why
     * {@link #updateCache} guards against it.
     */
    private Sensor aclsProcessedSensor;

    /** Registers this class under the built-in {@code ZK_ACL} provider name. */
    public String providerName() {
        return ConfluentBuiltInProviders.AccessRuleProviders.ZK_ACL.name();
    }

    /**
     * Always {@code false}: this provider never short-circuits ACL evaluation
     * with a super-user bypass. Any super-user handling presumably lives in the
     * embedding authorizer rather than here — confirm against the caller.
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, Scope scope) {
        return false;
    }

    /** ZK ACLs can carry DENY entries, so this provider may veto an otherwise allowed action. */
    public boolean mayDeny() {
        return true;
    }

    /** ACL metadata comes from ZooKeeper, not from topics in the local Kafka cluster. */
    public boolean usesMetadataFromThisKafkaCluster() {
        return false;
    }

    /**
     * Resolves the ACL rule for a single action.
     *
     * <p>Principal expansion goes through the overridable {@link #matchingPrincipals}
     * (user and group wildcards); the ACL scan itself is the same as the protected
     * overload: DENY wins and stops the scan, only the first ALLOW is recorded.
     *
     * @param kafkaPrincipal authenticated principal of the request
     * @param set            group principals the user belongs to
     * @param str            client host, matched against each ACL's host field
     * @param action         operation and resource pattern being authorized
     * @return rule with {@code noResourceAcls} set when no ACL matches the resource
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
        ResourcePattern pattern = action.resourcePattern();
        org.apache.kafka.common.resource.ResourceType kafkaType =
            SecurityUtils.resourceType(pattern.resourceType().name());
        AclAuthorizer.AclSeqs acls = matchingAcls(kafkaType, pattern.name());
        Set<KafkaPrincipal> principals = matchingPrincipals(kafkaPrincipal, set);
        return scanAcls(acls, principals, str, action);
    }

    /**
     * Adds every ACL that matches the principal set, host, operation and resource
     * type to {@code resourceAuthorizeRules}, converting each entry with
     * {@link AclMapper#accessRule}. Duplicates are dropped by {@code addRuleIfNotExist}.
     */
    @Override // io.confluent.security.authorizer.provider.AccessRuleProvider
    public void addMatchingRules(ResourceAuthorizeRules resourceAuthorizeRules, KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Operation operation, Scope scope, ResourceType resourceType) {
        // Same evaluation order as before: principals first, then the two enum conversions.
        Set<KafkaPrincipal> principals = matchingPrincipals(kafkaPrincipal, set);
        org.apache.kafka.common.acl.AclOperation kafkaOperation = SecurityUtils.operation(operation.name());
        org.apache.kafka.common.resource.ResourceType kafkaType = SecurityUtils.resourceType(resourceType.name());
        matchingAcls(principals, str, kafkaOperation, kafkaType)
            .forEach(entry -> resourceAuthorizeRules.addRuleIfNotExist(AclMapper.accessRule(entry)));
    }

    /**
     * Expands the user principal plus its groups into the set an ACL may name,
     * including the user and group wildcard principals.
     */
    protected Set<KafkaPrincipal> matchingPrincipals(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set) {
        KafkaPrincipal user = userPrincipal(kafkaPrincipal);
        return AccessRule.matchingPrincipals(user, set,
            AccessRule.WILDCARD_USER_PRINCIPAL, AccessRule.WILDCARD_GROUP_PRINCIPAL);
    }

    /**
     * Variant of {@link #findRule(KafkaPrincipal, Set, String, Action)} that lets the
     * caller supply the wildcard user and group principals instead of the defaults.
     *
     * @param kafkaPrincipal2 wildcard user principal to include in the match set
     * @param kafkaPrincipal3 wildcard group principal to include in the match set
     */
    protected AuthorizeRule findRule(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, KafkaPrincipal kafkaPrincipal2, KafkaPrincipal kafkaPrincipal3, String str, Action action) {
        ResourcePattern pattern = action.resourcePattern();
        org.apache.kafka.common.resource.ResourceType kafkaType =
            SecurityUtils.resourceType(pattern.resourceType().name());
        KafkaPrincipal user = userPrincipal(kafkaPrincipal);
        AclAuthorizer.AclSeqs acls = matchingAcls(kafkaType, pattern.name());
        Set<KafkaPrincipal> principals =
            AccessRule.matchingPrincipals(user, set, kafkaPrincipal2, kafkaPrincipal3);
        return scanAcls(acls, principals, str, action);
    }

    /**
     * Common tail of both {@code findRule} overloads: flags the no-ACL case, then
     * walks the ACL sequence through {@link #updateMatchingAcl} until it reports a
     * DENY match (true), at which point the scan ends.
     */
    private AuthorizeRule scanAcls(AclAuthorizer.AclSeqs acls, Set<KafkaPrincipal> principals,
                                   String host, Action action) {
        AuthorizeRule rule = new AuthorizeRule();
        // An empty ACL set is a distinct outcome from "no matching ACL".
        rule.noResourceAcls(acls.isEmpty());
        acls.find(entry ->
            Boolean.valueOf(updateMatchingAcl(entry, principals, host, action.operation(), rule)));
        return rule;
    }

    /**
     * Registers the ZK ACL metrics with the authorizer's {@link Metrics} registry.
     * The returned stage is already complete; no asynchronous work is started here.
     */
    @Override // io.confluent.security.authorizer.provider.Provider
    public CompletionStage<Void> start(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo, Map<String, ?> map) {
        Metrics metrics = confluentAuthorizerServerInfo.metrics();
        String group = EmbeddedAuthorizer.AuthorizerMetrics.GROUP_NAME;
        // NOTE(review): the "-total" description says "per second", which reads like a
        // copy of the rate description; the text is reproduced byte-for-byte here.
        Meter meter = new Meter(
            metrics.metricName("zk-acls-processed-rate", group,
                "The average number of ZooKeeper notifications processed per second by the ZK_ACL provider."),
            metrics.metricName("zk-acls-processed-total", group,
                "The total number of ZooKeeper notifications processed per second by the ZK_ACL provider."));
        Sensor sensor = metrics.sensor("zk-acls-processed-count");
        sensor.add(meter);
        this.aclsProcessedSensor = sensor;
        return CompletableFuture.completedFuture(null);
    }

    /** Native-authorizer start: nothing to do per endpoint, so no futures are returned. */
    public Map<Endpoint, CompletableFuture<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        return Collections.emptyMap();
    }

    /**
     * Not supported. Authorization must go through the {@link AccessRuleProvider}
     * methods above; calling the native {@code Authorizer} entry point is a wiring error.
     *
     * @throws IllegalStateException always
     */
    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<org.apache.kafka.server.authorizer.Action> list) {
        throw new IllegalStateException("This provider should be used for authorization only using the AccessRuleProvider interface");
    }

    /**
     * Normalizes a principal to a plain {@link KafkaPrincipal} (same type and name).
     * Subclass instances are copied; exact {@code KafkaPrincipal} instances are
     * returned as-is. Presumably this keeps ACL principal comparison independent of
     * the authenticator's principal subclass — confirm against the matching code.
     *
     * <p>Decompiler note: the original access modifier was {@code protected}.
     */
    public KafkaPrincipal userPrincipal(KafkaPrincipal kafkaPrincipal) {
        if (kafkaPrincipal.getClass() == KafkaPrincipal.class) {
            return kafkaPrincipal;
        }
        return new KafkaPrincipal(kafkaPrincipal.getPrincipalType(), kafkaPrincipal.getName());
    }

    /**
     * Applies one ACL entry to the rule being built.
     *
     * <p>Precedence: a matching DENY is recorded and {@code true} is returned so the
     * caller stops scanning. A matching ALLOW is recorded only while no ALLOW has been
     * recorded yet; in every non-DENY case {@code false} is returned so scanning
     * continues and a later DENY can still win.
     *
     * @param entry      ACL entry under consideration
     * @param principals expanded principal set of the requester
     * @param host       requester host
     * @param requested  operation the requester wants to perform
     * @param rule       accumulator updated in place
     * @return {@code true} only when the entry is a matching DENY
     */
    private boolean updateMatchingAcl(AclEntry entry, Set<KafkaPrincipal> principals, String host, Operation requested, AuthorizeRule rule) {
        Operation aclOperation = AclMapper.operation(entry.operation());
        PermissionType aclPermission = AclMapper.permissionType(entry.permissionType());
        KafkaPrincipal aclPrincipal = entry.kafkaPrincipal();
        String aclHost = entry.host();

        boolean denies = AccessRule.matches(aclPrincipal, aclHost, aclOperation, aclPermission,
            principals, host, requested, PermissionType.DENY);
        if (denies) {
            rule.addRuleIfNotExist(AclMapper.accessRule(entry));
            return true;
        }

        // ALLOW is only checked when nothing has been allowed yet; the first ALLOW wins.
        boolean allows = !rule.allowRule().isPresent()
            && AccessRule.matches(aclPrincipal, aclHost, aclOperation, aclPermission,
                principals, host, requested, PermissionType.ALLOW);
        if (allows) {
            rule.addRuleIfNotExist(AclMapper.accessRule(entry));
        }
        return false;
    }

    /**
     * Delegates the cache update to {@link AclAuthorizer} and counts it on the
     * ZK-notifications meter once metrics have been registered.
     */
    @Override
    public void updateCache(org.apache.kafka.common.resource.ResourcePattern resourcePattern, AclAuthorizer.VersionedAcls versionedAcls) {
        super.updateCache(resourcePattern, versionedAcls);
        Sensor sensor = this.aclsProcessedSensor;
        if (sensor != null) {
            sensor.record();
        }
    }
}
