package io.confluent.security.audit.router;

import io.confluent.crn.CachedCrnStringPatternMatcher;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.security.audit.AuditLogEntry;
import io.confluent.security.audit.AuditLogUtils;
import io.confluent.security.authorizer.provider.ConfluentAuthorizationEvent;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/audit/router/AuditLogRouter.class */
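/**
 * Picks the destination topic for an audit log entry.
 *
 * <p>{@link #topic(AuditLogEntry)} consults, in order: the excluded-principal set, the CRN
 * pattern routes taken from the JSON configuration, and finally the default topic router.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A principal listed in {@code excludedPrincipals} gets {@link #SUPPRESSED} for every
 *       event, before the resource name or any route is looked at. Changes to that list
 *       therefore decide which identities leave no audit trail and deserve the same review
 *       and monitoring as the audit topics themselves.</li>
 *   <li>Categories outside {@code AuditLogRouterUtils.DEFAULT_ENABLED_CATEGORIES} default to
 *       {@link #SUPPRESSED} for both results unless an explicit route names a topic.</li>
 *   <li>A matching CRN route that maps to {@link #SUPPRESSED} is a present value and wins
 *       over the default topic.</li>
 * </ul>
 */
public class AuditLogRouter implements Router {
    /**
     * Empty topic name. It is returned for excluded principals and configured for categories
     * that are not enabled by default; the name suggests callers treat it as "do not emit",
     * which should be confirmed against the caller.
     */
    public static final String SUPPRESSED = "";

    private static final Logger log = LoggerFactory.getLogger(AuditLogRouter.class);

    private AuditLogCategoryResultRouter defaultTopicRouter;
    private final Set<KafkaPrincipal> excludedPrincipals;
    private final CachedCrnStringPatternMatcher<AuditLogCategoryResultRouter> crnRouters;
    // Categories that have at least one non-empty topic, either by default or via a route.
    private final Set<String> routableMethodCategories;

    /**
     * Builds the fallback router used when no CRN route yields a topic.
     *
     * <p>Default-enabled categories are routed to the configured default allowed/denied
     * topics and recorded as routable; every other category is routed to
     * {@link #SUPPRESSED}. Must run after {@code routableMethodCategories} is assigned.
     *
     * @param auditLogRouterJsonConfig configuration supplying {@code defaultTopics}
     */
    private void setDefaultTopicRouter(AuditLogRouterJsonConfig auditLogRouterJsonConfig) {
        this.defaultTopicRouter = new AuditLogCategoryResultRouter();
        for (String category : AuditLogRouterUtils.CATEGORIES) {
            if (AuditLogRouterUtils.DEFAULT_ENABLED_CATEGORIES.contains(category)) {
                this.defaultTopicRouter
                        .setRoute(category, AuditLogRouterResult.ALLOWED, auditLogRouterJsonConfig.defaultTopics.allowed)
                        .setRoute(category, AuditLogRouterResult.DENIED, auditLogRouterJsonConfig.defaultTopics.denied);
                this.routableMethodCategories.add(category);
            } else {
                this.defaultTopicRouter
                        .setRoute(category, AuditLogRouterResult.ALLOWED, SUPPRESSED)
                        .setRoute(category, AuditLogRouterResult.DENIED, SUPPRESSED);
            }
        }
    }

    /**
     * Creates a router from the parsed JSON configuration.
     *
     * @param auditLogRouterJsonConfig source of default topics, excluded principals and
     *     per-CRN routes
     * @param i capacity handed to the CRN pattern matcher builder
     * @throws ConfigException if building the CRN matcher raises a {@link CrnSyntaxException}
     * @throws IllegalArgumentException if an excluded principal cannot be parsed by
     *     {@code SecurityUtils.parseKafkaPrincipal}; this is not converted to
     *     {@link ConfigException}
     */
    public AuditLogRouter(AuditLogRouterJsonConfig auditLogRouterJsonConfig, int i) {
        try {
            this.routableMethodCategories = new HashSet<>();
            setDefaultTopicRouter(auditLogRouterJsonConfig);
            this.excludedPrincipals = auditLogRouterJsonConfig.excludedPrincipals.stream()
                    .map(SecurityUtils::parseKafkaPrincipal)
                    .collect(Collectors.toSet());
            // NOTE(review): Builder is left raw because its generic signature is not visible
            // here; parameterise it if the builder type allows.
            CachedCrnStringPatternMatcher.Builder matcherBuilder =
                    CachedCrnStringPatternMatcher.builder().capacity(i);
            for (String crnPattern : auditLogRouterJsonConfig.routes.keySet()) {
                AuditLogCategoryResultRouter patternRouter = new AuditLogCategoryResultRouter();
                // routes: CRN pattern -> category -> result name -> topic
                for (Map.Entry<String, Map<String, String>> byCategory
                        : auditLogRouterJsonConfig.routes.get(crnPattern).entrySet()) {
                    String category = byCategory.getKey();
                    for (Map.Entry<String, String> byResult : byCategory.getValue().entrySet()) {
                        AuditLogRouterResult result = AuditLogRouterJsonConfig.result(byResult.getKey());
                        String topicName = byResult.getValue();
                        patternRouter.setRoute(category, result, topicName);
                        // Only a real topic makes the category routable; a null or empty
                        // topic never removes a category that is already in the set.
                        if (topicName != null && !topicName.isEmpty()) {
                            this.routableMethodCategories.add(category);
                        }
                    }
                }
                matcherBuilder.setPattern(crnPattern, patternRouter);
            }
            this.crnRouters = matcherBuilder.build();
        } catch (CrnSyntaxException e) {
            throw new ConfigException("Invalid CRN in config", e);
        }
    }

    /**
     * Resolves the topic for one audit log entry.
     *
     * @param auditLogEntry entry to route
     * @return {@code Optional.empty()} when the entry has no principal or no resource name
     *     (a warning is logged); {@code Optional.of(SUPPRESSED)} when the principal is
     *     excluded; otherwise the topic from the first matching CRN route that yields a
     *     value, falling back to the default topic router
     */
    @Override
    public Optional<String> topic(AuditLogEntry auditLogEntry) {
        String principal = auditLogEntry.getAuthenticationInfo().getPrincipal();
        if (principal.isEmpty()) {
            log.warn("Tried to route invalid event. No principal found. {}", auditLogEntry);
            return Optional.empty();
        }
        // NOTE(review): parseKafkaPrincipal throws IllegalArgumentException for a principal
        // that is not in type:name form; that exception leaves this method uncaught, unlike
        // the logged "invalid event" cases. Confirm the caller handles it without losing
        // the event.
        if (this.excludedPrincipals.contains(SecurityUtils.parseKafkaPrincipal(principal))) {
            // Exclusion is decided before the resource name is checked, so every event from
            // an excluded principal takes this branch.
            return Optional.of(SUPPRESSED);
        }
        if (auditLogEntry.getResourceName().isEmpty()) {
            log.warn("Tried to route invalid event. No resource name found. {}", auditLogEntry);
            return Optional.empty();
        }
        AuditLogCategoryResultRouter matched = this.crnRouters.match(auditLogEntry.getResourceName());
        if (matched != null) {
            Optional<String> routed = matched.topic(auditLogEntry);
            if (routed.isPresent()) {
                return routed;
            }
        }
        return this.defaultTopicRouter.topic(auditLogEntry);
    }

    /**
     * Tells whether the event's method category has a non-empty topic anywhere in the
     * configuration (default-enabled, or named by at least one route).
     *
     * <p>This looks only at the category. A {@code true} result does not mean
     * {@link #topic(AuditLogEntry)} will return a non-empty topic for a given entry.
     *
     * @param confluentAuthorizationEvent authorization event to classify
     * @return {@code true} if the category is in the routable set
     */
    public boolean isEventRoutable(ConfluentAuthorizationEvent confluentAuthorizationEvent) {
        String methodName = AuditLogUtils.methodName(confluentAuthorizationEvent);
        return this.routableMethodCategories.contains(AuditLogRouterUtils.category(methodName));
    }

    /**
     * Looks up the default route for a category and result, ignoring CRN routes and
     * excluded principals.
     *
     * @param str category name
     * @param auditLogRouterResult authorization result
     * @return whatever the default topic router holds for that pair
     */
    public Optional<String> defaultRoute(String str, AuditLogRouterResult auditLogRouterResult) {
        return this.defaultTopicRouter.route(str, auditLogRouterResult);
    }

    /** Renders the default router and the CRN routes; excluded principals are not included. */
    @Override
    public String toString() {
        return "AuditLogRouter(default=" + this.defaultTopicRouter + ",routes=" + this.crnRouters + ")";
    }
}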
