package io.confluent.rbacapi.resources.base;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.converters.MdsScopeConverter;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.rbacapi.utils.RoleUtils;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.UserMetadata;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.testng.reporters.XMLReporterConfig;

/* loaded from: input_file:io/confluent/rbacapi/resources/base/UserGroupResource.class */
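/**
 * Lists the user and group principals known to the metadata {@link AuthCache}, after checking
 * that the caller holds a suitable role binding on the requested scope.
 *
 * <p>Reconstructed from decompiler output: the {@code boolean z = -1} / {@code switch (z)}
 * construct and the raw {@code (List)} casts were decompiler artefacts and did not compile.
 */
public class UserGroupResource {
    /** Type selector that lists user principals only. */
    private static final String TYPE_USER = "user";
    /**
     * Type selector that lists group principals only. The decompiler had substituted an
     * unrelated TestNG constant here; the original hash case 98629247 is "group".hashCode().
     */
    private static final String TYPE_GROUP = "group";
    /** Type selector that lists groups followed by users; also used when no type is given. */
    private static final String TYPE_BOTH = "both";

    private final AuthCache authCache;
    private final ClusterRegistryService clusterRegistryService;
    private final MdsScopeConverter mdsScopeConverter;
    private final ValidationUtil validationUtil;

    /**
     * Creates the resource and builds the scope converter from the registry service and
     * validation helper.
     *
     * @param authCache source of role bindings, role definitions and user metadata
     * @param clusterRegistryService passed to the {@link MdsScopeConverter}
     * @param validationUtil passed to the {@link MdsScopeConverter}
     */
    public UserGroupResource(AuthCache authCache, ClusterRegistryService clusterRegistryService, ValidationUtil validationUtil) {
        this.authCache = authCache;
        this.clusterRegistryService = clusterRegistryService;
        this.validationUtil = validationUtil;
        this.mdsScopeConverter = new MdsScopeConverter(this.clusterRegistryService, validationUtil);
    }

    /**
     * Returns the sorted principal names of the requested kind, provided the caller passes the
     * role-binding check on the given scope.
     *
     * <p>The authorisation check always runs before any principal is read from the cache.
     *
     * @param securityContext request security context identifying the caller
     * @param str {@code "user"}, {@code "group"} or {@code "both"}; blank or {@code null} is
     *     treated as {@code "both"}, and any other value also yields the combined list
     * @param mdsScope scope on which the caller must hold a qualifying role binding
     * @return principal names rendered with {@code KafkaPrincipal.toString()}
     * @throws ForbiddenException if the caller has no qualifying role binding on the scope
     */
    public List<String> getUserGroupList(SecurityContext securityContext, String str, MdsScope mdsScope) {
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        checkIfRoleBindingAdminOnScope(securityContext, scope);
        return getList(StringUtils.isBlank(str) ? TYPE_BOTH : str);
    }

    /**
     * Throws unless the caller has at least one role binding on {@code scope} whose role is in
     * the set selected by {@code RoleAccessUtils.filterByDescribeAccess()}.
     *
     * <p>NOTE(review): the method name suggests an admin-level check, while the role set is
     * built with {@code filterByDescribeAccess()}; confirm which access level is intended.
     *
     * <p>NOTE(review): the principal is rebuilt here from {@code getUserPrincipal().getName()},
     * whereas the scope is resolved with {@code SecurityMetadataAuthorizer.userPrincipal(...)};
     * confirm both always denote the same identity.
     *
     * @throws ForbiddenException if no qualifying binding exists or no principal is present
     */
    private void checkIfRoleBindingAdminOnScope(SecurityContext securityContext, Scope scope) {
        java.security.Principal caller = securityContext.getUserPrincipal();
        if (caller == null) {
            // Fail closed: with no authenticated principal there is nothing to authorise.
            // The previous code dereferenced null here and surfaced as a server error.
            throw new ForbiddenException();
        }
        KafkaPrincipal principal = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, caller.getName());
        Set<RoleBinding> bindings = this.authCache.rbacRoleBindings(principal, Collections.singleton(scope));
        Set<String> qualifyingRoles = RoleUtils.mapRolesByName(this.authCache.rbacRoles().roles(), RoleAccessUtils.filterByDescribeAccess()).keySet();
        if (bindings.stream().noneMatch(binding -> qualifyingRoles.contains(binding.role()))) {
            throw new ForbiddenException();
        }
    }

    /**
     * Selects the list to return for the given type selector.
     *
     * <p>NOTE(review): {@code authCache.users()} is read without any scope argument, so the
     * result is not narrowed to the scope the caller was authorised on; a binding on any one
     * scope exposes every cached principal. Confirm that this is the intended disclosure.
     *
     * @param str type selector; must not be {@code null} (the public entry point substitutes
     *     {@code "both"} for blank input); matching is case-sensitive
     */
    private List<String> getList(String str) {
        Map<KafkaPrincipal, UserMetadata> users = this.authCache.users();
        switch (str) {
            case TYPE_USER:
                return getUserListFromMap(users);
            case TYPE_GROUP:
                return getGroupListFromMap(users);
            case TYPE_BOTH:
            default:
                // Unrecognised selectors fall through to the combined list, groups first.
                return Stream.concat(getGroupListFromMap(users).stream(), getUserListFromMap(users).stream())
                        .collect(Collectors.toList());
        }
    }

    /**
     * Returns the map's keys as sorted strings, dropping the entry that renders as exactly
     * {@code "User:"} (a user principal with an empty name).
     */
    private static List<String> getUserListFromMap(Map<KafkaPrincipal, UserMetadata> map) {
        return map.keySet().stream()
                .map(KafkaPrincipal::toString)
                .filter(name -> !name.equals("User:"))
                .sorted()
                .collect(Collectors.toList());
    }

    /** Returns the distinct group principals of all users in the map as sorted strings. */
    private static List<String> getGroupListFromMap(Map<KafkaPrincipal, UserMetadata> map) {
        return map.values().stream()
                .flatMap(metadata -> metadata.groups().stream())
                .map(KafkaPrincipal::toString)
                .distinct()
                .sorted()
                .collect(Collectors.toList());
    }
}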
