package io.confluent.security.auth.utils;

import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.rbac.InvalidRoleBindingException;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.Role;
import java.util.Collection;
import org.apache.kafka.common.errors.InvalidRequestException;

/* loaded from: input_file:io/confluent/security/auth/utils/AuthWriterUtils.class */
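/**
 * Static validation helpers for role-binding writes.
 *
 * <p>Every method here either returns normally or throws; none of them mutates its arguments
 * directly (the only call that could is {@code Scope.validate()}, whose implementation is not
 * visible here). Callers are expected to run these checks before persisting a binding, so any
 * exception must be treated as a rejection of the request.
 *
 * <p>NOTE(review): parameter names ({@code str}, {@code z}, {@code scope2}, ...) are decompiler
 * output; the Javadoc below describes what each one is used for in the visible code.
 */
public class AuthWriterUtils {
    /**
     * Checks that a role may be bound at {@code scope} with the given resources.
     *
     * <p>The checks run in this order: scope validity and containment ({@link #validateScope}),
     * role existence, then either the resource-presence rule (roles that bind with resources) or
     * the binding-scope rules (roles that do not).
     *
     * <p>This method only looks at whether {@code collection} is empty. It never inspects the
     * individual entries, so resource patterns still need {@link #validateRoleResources} before
     * they are trusted.
     *
     * @param str role name, looked up in {@code rbacRoles}
     * @param scope scope the binding is requested at
     * @param collection resources supplied with the request; only {@code isEmpty()} is consulted
     * @param z when {@code true}, a role that binds with resources must be given at least one
     *     resource; when {@code false} that check is skipped and {@code collection} is not read
     *     for such roles
     * @param scope2 scope that must contain {@code scope} (the writer's own scope, going by the
     *     error message in {@link #validateScope})
     * @param rbacRoles role definitions used to resolve {@code str}
     * @throws InvalidScopeException if {@code scope2} does not contain {@code scope}
     * @throws InvalidRoleBindingException if the role name is unknown
     * @throws InvalidRequestException if resources are missing or unexpected for the role, or the
     *     scope does not match the role's binding-scope requirements
     * @throws NullPointerException if {@code collection} is {@code null} on a path that reads it
     */
    public static void validateRoleBindingUpdate(String str, Scope scope, Collection<?> collection, boolean z, Scope scope2, RbacRoles rbacRoles) {
        // Scope containment is checked first so nothing about the role set is revealed for a
        // scope this writer does not cover.
        validateScope(scope, scope2);
        Role role = rbacRoles.role(str);
        if (role == null) {
            throw new InvalidRoleBindingException("Role not found " + str);
        }
        if (role.bindWithResource()) {
            // Resource-scoped role: the binding-scope checks below are intentionally not applied.
            if (z && collection.isEmpty()) {
                throw new InvalidRequestException("Resources must be specified for role " + str);
            }
            return;
        }
        // Role is not resource-scoped: it must carry no resources and sit at exactly the
        // role's most specific binding scope.
        String mostSpecificBindingScope = role.mostSpecificBindingScope();
        if (!collection.isEmpty()) {
            throw new InvalidRequestException("Resources must not be specified for role " + str);
        }
        if (!mostSpecificBindingScope.equals(scope.bindingScope())) {
            throw new InvalidRequestException("Role " + str + " must be bound at scope " + mostSpecificBindingScope + ", but was bound at " + scope.bindingScope());
        }
        // Every binding scope the role declares must appear among the ancestors of the
        // requested scope.
        for (String str2 : role.bindingScopes()) {
            if (scope.ancestorWithBindingScope(str2) == null) {
                throw new InvalidRequestException("Role " + str + " must be bound in a scope with an enclosing scope of " + str2);
            }
        }
    }

    /**
     * Rejects resource patterns that are not fully specified.
     *
     * <p>Each entry must be non-null and have a non-empty name, a resource type with a non-empty
     * name, and a pattern type for which {@code isSpecific()} is true. A {@code null} entry is
     * reported as an {@link InvalidRequestException} like every other malformed entry, rather
     * than surfacing as a {@link NullPointerException} from the first accessor call.
     *
     * @param collection resource patterns taken from a role-binding request
     * @throws InvalidRequestException if any entry is null or incompletely specified
     * @throws NullPointerException if {@code collection} itself is {@code null}
     */
    public static void validateRoleResources(Collection<ResourcePattern> collection) {
        for (ResourcePattern resourcePattern : collection) {
            if (resourcePattern == null) {
                throw new InvalidRequestException("Resource pattern for role binding must be non-null");
            }
            if (resourcePattern.name() == null || resourcePattern.name().isEmpty()) {
                throw new InvalidRequestException("Resource name for role binding must be non-empty");
            }
            if (resourcePattern.resourceType() == null || resourcePattern.resourceType().name() == null || resourcePattern.resourceType().name().isEmpty()) {
                throw new InvalidRequestException("Resource type for role binding must be non-empty");
            }
            // NOTE(review): the message names LITERAL and PREFIXED; this relies on isSpecific()
            // being true for exactly those pattern types - confirm against the pattern type enum.
            if (resourcePattern.patternType() == null || !resourcePattern.patternType().isSpecific()) {
                throw new InvalidRequestException("Resource pattern type for role binding must be LITERAL or PREFIXED, got " + resourcePattern);
            }
        }
    }

    /**
     * Validates {@code scope} and checks that {@code scope2} contains it.
     *
     * @param scope scope of the requested binding; {@code validate()} is called on it first
     * @param scope2 enclosing scope that must contain {@code scope}
     * @throws InvalidScopeException if {@code scope2} does not contain {@code scope}; anything
     *     thrown by {@code scope.validate()} also propagates
     */
    public static void validateScope(Scope scope, Scope scope2) {
        scope.validate();
        if (!scope2.containsScope(scope)) {
            throw new InvalidScopeException("This writer does not contain binding scope " + scope);
        }
    }
}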
