package io.confluent.kafka.multitenant.authorizer;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.security.authorizer.acl.AclProvider;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import java.util.Set;
import kafka.security.authorizer.AclEntry;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/TenantAclProvider.class */
public class TenantAclProvider extends AclProvider {
    @Override // io.confluent.kafka.security.authorizer.acl.AclProvider, io.confluent.security.authorizer.provider.Provider
    public String providerName() {
        return ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name();
    }

    @Override // io.confluent.kafka.security.authorizer.acl.AclProvider
    protected Set<KafkaPrincipal> matchingPrincipals(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set) {
        if (!set.isEmpty()) {
            throw new UnsupportedOperationException("Groups are not supported for TenantAclProvider");
        }
        String tenantPrefix = kafkaPrincipal instanceof MultiTenantPrincipal ? ((MultiTenantPrincipal) kafkaPrincipal).tenantMetadata().tenantPrefix() : "";
        return Utils.mkSet(userPrincipal(kafkaPrincipal), tenantPrefix.isEmpty() ? AclEntry.WildcardPrincipal() : new KafkaPrincipal(MultiTenantPrincipal.TENANT_WILDCARD_USER_TYPE, tenantPrefix));
    }

    @Override // io.confluent.kafka.security.authorizer.acl.AclProvider, io.confluent.security.authorizer.provider.AccessRuleProvider
    public boolean mayDeny() {
        return true;
    }

    @Override // io.confluent.kafka.security.authorizer.acl.AclProvider, io.confluent.security.authorizer.provider.Provider
    public boolean usesMetadataFromThisKafkaCluster() {
        return false;
    }
}
