package io.confluent.kafka.multitenant.authorizer;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.utils.TenantSanitizer;
import io.confluent.kafka.multitenant.utils.TenantUtils;
import io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer;
import io.confluent.kafka.security.authorizer.acl.AclMapper;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.RequestContext;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.MetadataProvider;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletionStage;
import java.util.stream.Collectors;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.server.audit.AuditLogProvider;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/MultiTenantAuthorizer.class */
public class MultiTenantAuthorizer extends ConfluentServerAuthorizer {
    public static final String MAX_ACLS_PER_TENANT_PROP = "confluent.max.acls.per.tenant";
    private static final int DEFAULT_MAX_ACLS_PER_TENANT_PROP = 1000;
    private static final int ACLS_DISABLED = 0;
    private int maxAclsPerTenant;
    private boolean authorizationDisabled;
    private boolean auditLogEnabled;

    @VisibleForTesting
    public void configureAccessRuleProviders(Map<String, Object> map) {
        Object obj = map.get(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP);
        if (!(obj instanceof String) || Arrays.stream(((String) obj).split(",")).noneMatch(str -> {
            return ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name().equals(str);
        })) {
            map.put(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP, ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name());
        }
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer, org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        HashMap hashMap = new HashMap(map);
        String str = (String) map.get(MAX_ACLS_PER_TENANT_PROP);
        this.maxAclsPerTenant = str != null ? Integer.parseInt(str) : 1000;
        this.authorizationDisabled = this.maxAclsPerTenant == 0;
        configureAccessRuleProviders(hashMap);
        this.auditLogEnabled = new MultiTenantAuditLogConfig(map).getBoolean(MultiTenantAuditLogConfig.MULTI_TENANT_AUDIT_LOGGER_ENABLE_CONFIG).booleanValue();
        super.configure(hashMap);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        List<Action> list2 = list;
        if (authorizableRequestContext.principal() instanceof MultiTenantPrincipal) {
            String tenantPrefix = ((MultiTenantPrincipal) authorizableRequestContext.principal()).tenantMetadata().tenantPrefix();
            list2 = (List) list.stream().map(action -> {
                ResourcePattern resourcePattern = action.resourcePattern();
                if (resourcePattern.resourceType() != ResourceType.CLUSTER) {
                    return action;
                }
                return new Action(action.operation(), new ResourcePattern(ResourceType.CLUSTER, tenantPrefix + resourcePattern.name(), resourcePattern.patternType()), action.resourceReferenceCount(), action.logIfAllowed(), action.logIfDenied());
            }).collect(Collectors.toList());
        }
        return super.authorize(authorizableRequestContext, list2);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, io.confluent.security.authorizer.Action action) {
        if (super.isSuperUser(kafkaPrincipal, kafkaPrincipal2, action)) {
            return true;
        }
        if (!(kafkaPrincipal instanceof MultiTenantPrincipal)) {
            return false;
        }
        MultiTenantPrincipal multiTenantPrincipal = (MultiTenantPrincipal) kafkaPrincipal;
        if (this.authorizationDisabled || multiTenantPrincipal.tenantMetadata().isSuperUser) {
            return action.resourceName().startsWith(multiTenantPrincipal.tenantMetadata().tenantPrefix());
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    public io.confluent.security.authorizer.Action actionForAuthorizeByResourceType(RequestContext requestContext, Operation operation, io.confluent.security.authorizer.ResourceType resourceType) {
        return requestContext.principal() instanceof MultiTenantPrincipal ? new io.confluent.security.authorizer.Action(TenantUtils.scope((MultiTenantPrincipal) requestContext.principal()), new io.confluent.security.authorizer.ResourcePattern(resourceType, "", PatternType.ANY), operation, 1, true, true) : super.actionForAuthorizeByResourceType(requestContext, operation, resourceType);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public io.confluent.security.authorizer.Action getAction(Action action, io.confluent.security.authorizer.ResourcePattern resourcePattern, KafkaPrincipal kafkaPrincipal) {
        return kafkaPrincipal instanceof MultiTenantPrincipal ? new io.confluent.security.authorizer.Action(TenantUtils.scope((MultiTenantPrincipal) kafkaPrincipal), resourcePattern, AclMapper.operation(action.operation()), action.resourceReferenceCount(), action.logIfAllowed(), action.logIfDenied()) : super.getAction(action, resourcePattern, kafkaPrincipal);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        checkAclsEnabled();
        if (list.isEmpty()) {
            return Collections.emptyList();
        }
        String str = null;
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(list.get(0).entry().principal());
        if (MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal)) {
            str = tenantPrefix(parseKafkaPrincipal.getName());
            if (this.maxAclsPerTenant != Integer.MAX_VALUE && list.size() + tenantAclCount(str) > this.maxAclsPerTenant) {
                throw new InvalidRequestException("ACLs not created since it will exceed the limit " + this.maxAclsPerTenant);
            }
        }
        String str2 = str;
        if (list.stream().anyMatch(aclBinding -> {
            return !inScope(aclBinding.entry().principal(), str2);
        })) {
            log.error("ACL requests contain invalid tenant principal {}", list);
            throw new IllegalStateException("Internal error: Could not create ACLs for " + list);
        }
        if (!list.stream().anyMatch(aclBinding2 -> {
            return !aclBinding2.pattern().name().startsWith(str2);
        })) {
            return super.createAcls(authorizableRequestContext, list);
        }
        log.error("Unexpected ACL request for resources {} without tenant prefix {}", list, str);
        throw new IllegalStateException("Internal error: Could not create ACLs for " + list);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        checkAclsEnabled();
        return super.deleteAcls(authorizableRequestContext, list);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        checkAclsEnabled();
        return super.acls(aclBindingFilter);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    public void configureProviders(List<AccessRuleProvider> list, GroupProvider groupProvider, MetadataProvider metadataProvider, AuditLogProvider auditLogProvider) {
        if (!this.auditLogEnabled) {
            super.configureProviders(list, groupProvider, metadataProvider, null);
        } else {
            auditLogProvider.setSanitizer(TenantSanitizer::tenantAuditEvent);
            super.configureProviders(list, groupProvider, metadataProvider, auditLogProvider);
        }
    }

    private String tenantPrefix(String str) {
        int indexOf = str.indexOf("_");
        if (indexOf == -1) {
            throw new InvalidRequestException("Invalid tenant principal in ACL: " + str);
        }
        return str.substring(0, indexOf + 1);
    }

    private boolean inScope(String str, String str2) {
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        return (str2 == null || str2.isEmpty()) ? !MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) : MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) && parseKafkaPrincipal.getName().startsWith(str2);
    }

    private long tenantAclCount(String str) {
        int i = 0;
        Iterator<AclBinding> it = acls(AclBindingFilter.ANY).iterator();
        while (it.hasNext()) {
            if (inScope(it.next().entry().principal(), str)) {
                i++;
            }
        }
        return i;
    }

    private void checkAclsEnabled() {
        if (this.authorizationDisabled) {
            throw new InvalidRequestException("ACLs are not enabled on this broker");
        }
    }

    public boolean isAuditLogEnabled() {
        return this.auditLogEnabled;
    }
}
