package io.confluent.kafka.multitenant.utils;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.security.audit.event.ConfluentAuthenticationEvent;
import io.confluent.security.authorizer.AclAccessRule;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.RequestContext;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.ConfluentAuthorizationEvent;
import java.net.InetAddress;
import java.util.List;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.server.audit.AuditEvent;
import org.apache.kafka.server.audit.AuditEventType;
import org.apache.kafka.server.audit.DefaultAuthenticationEvent;

/* loaded from: input_file:io/confluent/kafka/multitenant/utils/TenantSanitizer.class */
public class TenantSanitizer {

    /* loaded from: input_file:io/confluent/kafka/multitenant/utils/TenantSanitizer$NotTenantPrefixedException.class */
    public static class NotTenantPrefixedException extends RuntimeException {
        public NotTenantPrefixedException(String str) {
            super(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static KafkaPrincipal tenantPrincipal(MultiTenantPrincipal multiTenantPrincipal) {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, multiTenantPrincipal.user());
    }

    private static KafkaPrincipal tenantPrincipal(KafkaPrincipal kafkaPrincipal) {
        int indexOf;
        if (!MultiTenantPrincipal.TENANT_USER_TYPE.equals(kafkaPrincipal.getPrincipalType()) || (indexOf = kafkaPrincipal.getName().indexOf("_")) <= 0) {
            throw new NotTenantPrefixedException("Expected a multi-tenant principal: " + kafkaPrincipal);
        }
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, kafkaPrincipal.getName().substring(indexOf + 1));
    }

    private static Scope tenantScope(Scope scope, String str) {
        Scope.Builder builder = new Scope.Builder(new String[0]);
        List<String> path = scope.path();
        builder.getClass();
        path.forEach(builder::addPath);
        scope.clusters().forEach((str2, str3) -> {
            if (str2.equals("kafka-cluster")) {
                builder.withKafkaCluster(str);
            } else {
                builder.withCluster(str2, str3);
            }
        });
        return builder.build();
    }

    private static ResourcePattern tenantResourcePattern(ResourcePattern resourcePattern, String str) {
        if (resourcePattern.name().startsWith(str)) {
            return new ResourcePattern(resourcePattern.resourceType(), resourcePattern.name().substring(str.length()), resourcePattern.patternType());
        }
        throw new NotTenantPrefixedException("Expected a multi-tenant prefix: " + resourcePattern.name());
    }

    private static RequestContext tenantRequestContext(final RequestContext requestContext) {
        return new RequestContext() { // from class: io.confluent.kafka.multitenant.utils.TenantSanitizer.1
            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public KafkaPrincipal principal() {
                return TenantSanitizer.tenantPrincipal((MultiTenantPrincipal) RequestContext.this.principal());
            }

            @Override // io.confluent.security.authorizer.RequestContext
            public String requestSource() {
                return RequestContext.this.requestSource();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public String listenerName() {
                return RequestContext.this.listenerName();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public SecurityProtocol securityProtocol() {
                return RequestContext.this.securityProtocol();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public InetAddress clientAddress() {
                return RequestContext.this.clientAddress();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public int requestType() {
                return RequestContext.this.requestType();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public int requestVersion() {
                return RequestContext.this.requestVersion();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public String clientId() {
                return RequestContext.this.clientId();
            }

            @Override // org.apache.kafka.server.authorizer.AuthorizableRequestContext
            public int correlationId() {
                return RequestContext.this.correlationId();
            }
        };
    }

    private static AccessControlEntry tenantAccessControlEntry(AccessControlEntry accessControlEntry) {
        return new AccessControlEntry(tenantPrincipal(SecurityUtils.parseKafkaPrincipal(accessControlEntry.principal())).toString(), accessControlEntry.host(), accessControlEntry.operation(), accessControlEntry.permissionType(), accessControlEntry.clusterLinkIds());
    }

    private static AclAccessRule tenantAclAccessRule(AclAccessRule aclAccessRule, String str) {
        AclBinding aclBinding = aclAccessRule.aclBinding();
        return new AclAccessRule(tenantResourcePattern(aclAccessRule.resourcePattern(), str), tenantPrincipal(aclAccessRule.principal()), aclAccessRule.permissionType(), aclAccessRule.host(), aclAccessRule.operation(), aclAccessRule.policyType(), new AclBinding(ResourcePattern.to(tenantResourcePattern(ResourcePattern.from(aclBinding.pattern()), str)), tenantAccessControlEntry(aclBinding.entry())));
    }

    private static AuthorizePolicy tenantAuthorizePolicy(AuthorizePolicy authorizePolicy, String str) {
        switch (authorizePolicy.policyType()) {
            case DENY_ACL:
            case ALLOW_ACL:
                return tenantAclAccessRule((AclAccessRule) authorizePolicy, str);
            case ALLOW_ROLE:
            default:
                return authorizePolicy;
        }
    }

    public static AuditEvent tenantAuditEvent(AuditEvent auditEvent, String str) {
        return auditEvent.type() == AuditEventType.AUTHORIZATION ? handleAuthorizationEvent((ConfluentAuthorizationEvent) auditEvent) : auditEvent.type() == AuditEventType.AUTHENTICATION ? handleAuthenticationEvent((ConfluentAuthenticationEvent) auditEvent, str) : auditEvent;
    }

    public static AuditEvent tenantAuditEvent(AuditEvent auditEvent) {
        return tenantAuditEvent(auditEvent, null);
    }

    private static AuditEvent handleAuthorizationEvent(ConfluentAuthorizationEvent confluentAuthorizationEvent) {
        if (!(confluentAuthorizationEvent.requestContext().principal() instanceof MultiTenantPrincipal)) {
            return confluentAuthorizationEvent;
        }
        TenantMetadata tenantMetadata = ((MultiTenantPrincipal) confluentAuthorizationEvent.requestContext().principal()).tenantMetadata();
        return new ConfluentAuthorizationEvent(confluentAuthorizationEvent.action().scope(), tenantRequestContext(confluentAuthorizationEvent.requestContext()), new Action(confluentAuthorizationEvent.action().scope(), tenantResourcePattern(confluentAuthorizationEvent.action().resourcePattern(), tenantMetadata.tenantPrefix()), confluentAuthorizationEvent.action().operation(), confluentAuthorizationEvent.action().resourceReferenceCount(), confluentAuthorizationEvent.action().logIfAllowed(), confluentAuthorizationEvent.action().logIfDenied()), confluentAuthorizationEvent.authorizeResult(), tenantAuthorizePolicy(confluentAuthorizationEvent.authorizePolicy(), tenantMetadata.tenantPrefix()), confluentAuthorizationEvent.timestamp());
    }

    private static AuditEvent handleAuthenticationEvent(ConfluentAuthenticationEvent confluentAuthenticationEvent, String str) {
        if (confluentAuthenticationEvent.principal().orElse(null) instanceof MultiTenantPrincipal) {
            MultiTenantPrincipal multiTenantPrincipal = (MultiTenantPrincipal) confluentAuthenticationEvent.principal().get();
            return new ConfluentAuthenticationEvent(new DefaultAuthenticationEvent(tenantPrincipal(multiTenantPrincipal), confluentAuthenticationEvent.authenticationContext(), confluentAuthenticationEvent.status(), confluentAuthenticationEvent.authenticationException().orElse(null), confluentAuthenticationEvent.timestamp()), TenantUtils.scope(multiTenantPrincipal));
        }
        if (confluentAuthenticationEvent.authenticationException().isPresent()) {
            String lKCIdFromException = getLKCIdFromException(confluentAuthenticationEvent.authenticationException().get());
            if (!lKCIdFromException.isEmpty()) {
                return new ConfluentAuthenticationEvent(new DefaultAuthenticationEvent(confluentAuthenticationEvent.principal().orElse(null), confluentAuthenticationEvent.authenticationContext(), confluentAuthenticationEvent.status(), confluentAuthenticationEvent.authenticationException().orElse(null), confluentAuthenticationEvent.timestamp()), tenantScope(confluentAuthenticationEvent.getScope(), lKCIdFromException));
            }
        }
        return str == null ? confluentAuthenticationEvent : new ConfluentAuthenticationEvent(new DefaultAuthenticationEvent(confluentAuthenticationEvent.principal().orElse(null), confluentAuthenticationEvent.authenticationContext(), confluentAuthenticationEvent.status(), confluentAuthenticationEvent.authenticationException().orElse(null), confluentAuthenticationEvent.timestamp()), tenantScope(confluentAuthenticationEvent.getScope(), str));
    }

    private static String getLKCIdFromException(AuthenticationException authenticationException) {
        String clusterId = authenticationException.errorInfo().clusterId();
        return !clusterId.isEmpty() ? clusterId : authenticationException.errorInfo().saslExtensions().getOrDefault(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY, "");
    }
}
