package io.confluent.rbacapi.resources.v2;

import io.confluent.cloud.security.client.AuthorizerAction;
import io.confluent.cloud.security.client.AuthorizerRequest;
import io.confluent.cloud.security.client.AuthorizerResponse;
import io.confluent.crn.ConfluentCloudCrnAuthority;
import io.confluent.crn.ConfluentResourceName;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.crn.ScopedResourcePattern;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.rbacapi.validation.v2.V2ValidationUtil;
import io.confluent.rest.annotations.PerformanceMetric;
import io.confluent.security.audit.router.AuditLogRouterUtils;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import javax.validation.ValidationException;
import javax.ws.rs.Consumes;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

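/**
 * v2 cloud authorization endpoint: answers, for a batch of (resource CRN, operation) pairs, whether
 * a principal is allowed to perform each operation.
 *
 * <p>Request flow, in this order:
 * <ol>
 *   <li>every requested CRN is canonicalised and resolved to a scoped resource pattern, which
 *       becomes one {@link Action};</li>
 *   <li>the effective principal is chosen: the one named in the request body when present,
 *       otherwise the authenticated caller from the {@link SecurityContext};</li>
 *   <li>{@link SecurityMetadataAuthorizer#authorizeAuthorizeRequest} is consulted. The body-supplied
 *       principal is caller-controlled, so this call is the only gate between a caller and an
 *       authorization query made on behalf of some other principal — it must stay ahead of the
 *       {@link Authorizer} call;</li>
 *   <li>operation and resource-type names are validated;</li>
 *   <li>the {@link Authorizer} produces one {@link AuthorizeResult} per action, returned in request
 *       order alongside the original resource name and operation.</li>
 * </ol>
 *
 * <p>Client-side mistakes (no actions, malformed principal, malformed CRN) are surfaced as
 * {@link ValidationException} / {@link CrnSyntaxException}; they are never silently treated as a
 * denial or an allow.
 */
@Produces({"application/json"})
@Path("/v2/")
/* loaded from: input_file:io/confluent/rbacapi/resources/v2/V2CloudAuthorizeResource.class */
public class V2CloudAuthorizeResource {
    private final Authorizer authorizer;
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    private final ConfluentCloudCrnAuthority crnAuthority;
    private final ValidationUtil validationUtil = new V2ValidationUtil();
    private static final Logger log = LoggerFactory.getLogger((Class<?>) V2CloudAuthorizeResource.class);

    /**
     * @param authorizer                 produces the per-action allow/deny verdicts
     * @param securityMetadataAuthorizer gate deciding whether the caller may ask on behalf of the
     *                                   chosen principal
     * @param confluentCloudCrnAuthority canonicalises and scopes the CRNs in the request
     * @throws NullPointerException if any collaborator is null — failing at wiring time rather
     *                              than on the first request makes a mis-configured resource
     *                              impossible to deploy
     */
    public V2CloudAuthorizeResource(Authorizer authorizer, SecurityMetadataAuthorizer securityMetadataAuthorizer, ConfluentCloudCrnAuthority confluentCloudCrnAuthority) {
        this.authorizer = Objects.requireNonNull(authorizer, "authorizer");
        this.metadataAuthorizer = Objects.requireNonNull(securityMetadataAuthorizer, "securityMetadataAuthorizer");
        this.crnAuthority = Objects.requireNonNull(confluentCloudCrnAuthority, "confluentCloudCrnAuthority");
    }

    /**
     * Evaluates every action in {@code authorizerRequest} for its principal.
     *
     * @param securityContext   JAX-RS security context of the authenticated caller; its user
     *                          principal is the fallback when the body names none
     * @param requestId         the {@code X-Request-Id} header. Bound here but not used by this
     *                          handler body; presumably consumed by a filter/interceptor for
     *                          tracing — confirm before removing
     * @param authorizerRequest the principal (optional) and the non-empty list of actions to check
     * @return one {@link AuthorizerResponse} per requested action, in request order
     * @throws ValidationException   when the request is null, has no actions, contains a null
     *                               action, or names a principal that is not {@code type:name}
     * @throws CrnSyntaxException    when a resource name is not a valid CRN
     * @throws IllegalStateException when there is neither a body principal nor an authenticated
     *                               caller, or the authorizer returns a result list that does not
     *                               line up with the request (would otherwise surface as an
     *                               IndexOutOfBoundsException or a silently mis-attributed result)
     */
    @Path(AuditLogRouterUtils.AUTHORIZE_CATEGORY)
    @Consumes({"application/json"})
    @Produces({"application/json"})
    @PUT
    @PerformanceMetric("v2.cloud.authorize")
    public List<AuthorizerResponse> authorize(@Context SecurityContext securityContext, @HeaderParam("X-Request-Id") String requestId, AuthorizerRequest authorizerRequest) throws CrnSyntaxException {
        // A missing body or missing/empty action list is a client error, not a server fault.
        if (authorizerRequest == null || authorizerRequest.getActions() == null || authorizerRequest.getActions().isEmpty()) {
            throw new ValidationException("No Authorizer action specified");
        }
        List<AuthorizerAction> requestedActions = authorizerRequest.getActions();
        List<Action> actions = toActions(requestedActions);
        AuthorizeRequest authorizeRequest = new AuthorizeRequest(authorizerRequest.getPrincipal(), actions);
        KafkaPrincipal principal = resolvePrincipal(securityContext, authorizerRequest.principal);

        // Impersonation gate: must run before the authorizer sees a caller-chosen principal.
        this.metadataAuthorizer.authorizeAuthorizeRequest(securityContext, principal, authorizeRequest.actions);
        this.validationUtil.verifyOperation(authorizeRequest);
        this.validationUtil.verifyResourceType(authorizeRequest);

        List<AuthorizeResult> results = this.authorizer.authorize(principal, null, authorizeRequest.actions);
        // Results are correlated with the request purely by position; refuse to pair them up if
        // the authorizer broke that contract rather than attribute a verdict to the wrong action.
        if (results == null || results.size() != requestedActions.size()) {
            throw new IllegalStateException("Authorizer returned " + (results == null ? "no" : results.size())
                    + " results for " + requestedActions.size() + " actions");
        }
        List<AuthorizerResponse> responses = new ArrayList<>(requestedActions.size());
        for (int i = 0; i < requestedActions.size(); i++) {
            AuthorizerAction requested = requestedActions.get(i);
            responses.add(new AuthorizerResponse(results.get(i), requested.resourceName, requested.operation));
        }
        return responses;
    }

    /**
     * Canonicalises each requested CRN, resolves its scope and turns it into an authorizer
     * {@link Action}. Order is preserved so results can be matched back by index.
     *
     * @throws ValidationException if an element of the list is null
     * @throws CrnSyntaxException  if a resource name does not parse; the message names the offending
     *                             resource and operation, the parser's own message is logged at debug
     */
    private List<Action> toActions(List<AuthorizerAction> requested) throws CrnSyntaxException {
        List<Action> actions = new ArrayList<>(requested.size());
        for (AuthorizerAction requestedAction : requested) {
            if (requestedAction == null) {
                throw new ValidationException("Authorizer action must not be null");
            }
            try {
                ConfluentResourceName crn = this.crnAuthority.canonicalCrn(requestedAction.resourceName);
                ScopedResourcePattern scoped = this.crnAuthority.resolveScopePattern(crn);
                Operation operation = new Operation(requestedAction.getOperation());
                if (scoped.resourcePattern() != null) {
                    actions.add(new Action(scoped.scope(), scoped.resourcePattern().resourceType(),
                            scoped.resourcePattern().name(), operation));
                } else {
                    // No resource pattern came back: fall back to the CRN's own type and its last
                    // path element as the resource name (presumably a scope-level resource — confirm).
                    actions.add(new Action(scoped.scope(), new ResourceType(crn.resourceType()),
                            crn.lastResourceElement().encodedResourceName(), operation));
                }
            } catch (CrnSyntaxException e) {
                // Public message is unchanged; keep the parser's diagnostic in the logs since the
                // available constructor does not carry a cause.
                log.debug("CRN parse failure for resource_name:{} operation:{}", requestedAction.resourceName, requestedAction.operation, e);
                throw new CrnSyntaxException(e.getInput(), "Invalid CRN in authorize resource_name:" + requestedAction.resourceName + " operation:" + requestedAction.operation);
            }
        }
        return actions;
    }

    /**
     * Chooses the principal the query is about: the {@code type:name} string from the request body
     * when present, otherwise a USER principal built from the authenticated caller.
     *
     * <p>The body principal is untrusted input; it is only safe because the caller must still pass
     * {@link SecurityMetadataAuthorizer#authorizeAuthorizeRequest} for that principal.
     *
     * @throws ValidationException   when the body principal is not in {@code type:name} form
     *                               (the Kafka parser's IllegalArgumentException would otherwise
     *                               surface as a server error)
     * @throws IllegalStateException when no body principal is given and the context carries no
     *                               caller — an authentication filter is expected to have run first
     */
    private static KafkaPrincipal resolvePrincipal(SecurityContext securityContext, String requestedPrincipal) {
        if (!StringUtils.isBlank(requestedPrincipal)) {
            try {
                return SecurityUtils.parseKafkaPrincipal(requestedPrincipal);
            } catch (IllegalArgumentException e) {
                throw new ValidationException("Invalid principal: " + requestedPrincipal, e);
            }
        }
        Principal caller = securityContext.getUserPrincipal();
        if (caller == null) {
            throw new IllegalStateException("No principal in request and no authenticated caller");
        }
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, caller.getName());
    }
}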
