package io.confluent.security.audit;

import com.google.protobuf.Struct;
import com.google.protobuf.Value;
import io.confluent.crn.ConfluentResourceName;
import io.confluent.crn.ConfluentServerCrnAuthority;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import io.confluent.kafka.security.audit.event.ConfluentAuthenticationEvent;
import io.confluent.kafka.server.plugins.auth.PlainSaslServer;
import io.confluent.security.audit.AuditLogEntry;
import io.confluent.security.audit.AuthenticationInfo;
import io.confluent.security.audit.AuthenticationMetadata;
import io.confluent.security.audit.AuthorizationInfo;
import io.confluent.security.audit.Result;
import io.confluent.security.audit.router.AuditLogRouterUtils;
import io.confluent.security.authorizer.AclAccessRule;
import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.RequestContext;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.ConfluentAuthorizationEvent;
import io.confluent.security.rbac.RbacAccessRule;
import java.util.Optional;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PlaintextAuthenticationContext;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.connect.runtime.tracing.TraceRecordBuilderImpl;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.apache.kafka.server.audit.AuthenticationEvent;

/* loaded from: input_file:io/confluent/security/audit/AuditLogUtils.class */
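/**
 * Translates in-memory authorization and authentication events into {@link AuditLogEntry}
 * protobuf records.
 *
 * <p>This class only builds the records; it does not route, log or emit them. Every builder
 * method is a pure function of the event and the CRN authority passed in.
 */
public class AuditLogUtils {
    /** Principal recorded when an authentication event carries no principal (a failed login). */
    public static final String AUTHENTICATION_FAILED_EVENT_USER = "None:UNKNOWN_USER";
    /** Method name stamped on every authentication audit entry. */
    public static final String AUTHENTICATION_EVENT_NAME = "kafka.Authentication";

    /**
     * Records which kind of rule produced an authorization decision.
     *
     * <p>Super-user and super-group decisions set the super-user flag; ACL decisions record the
     * host and permission type of the matching ACL entry; role (RBAC) decisions record the role and
     * the scope it was bound at. Decisions with no matching rule, including the
     * "allow/deny on no rule" defaults, leave the builder untouched, so such an entry carries only
     * the {@code granted} flag set by the caller.
     *
     * @param builder         the authorization info being assembled
     * @param authorizePolicy the policy that decided the request; it is downcast according to
     *                        {@code policyType()}, so the two must agree
     */
    private static void addAuthorizationInfo(AuthorizationInfo.Builder builder, AuthorizePolicy authorizePolicy) {
        switch (authorizePolicy.policyType()) {
            case SUPER_USER:
            case SUPER_GROUP:
                builder.setSuperUserAuthorization(true);
                break;
            case ALLOW_ACL:
            case DENY_ACL: {
                AccessControlEntry entry = ((AclAccessRule) authorizePolicy).aclBinding().entry();
                builder.setAclAuthorization(AclAuthorizationInfo.newBuilder()
                        .setHost(entry.host())
                        .setPermissionType(entry.permissionType().toString()));
                break;
            }
            case ALLOW_ROLE: {
                RbacAccessRule rule = (RbacAccessRule) authorizePolicy;
                Scope scope = rule.scope();
                builder.setRbacAuthorization(RbacAuthorizationInfo.newBuilder()
                        .setRole(rule.role())
                        .setScope(AuthorizationScope.newBuilder()
                                .addAllOuterScope(scope.path())
                                .putAllClusters(scope.clusters())));
                break;
            }
            case NO_MATCHING_RULE:
            case DENY_ON_NO_RULE:
            case ALLOW_ON_NO_RULE:
            default:
                // No concrete rule to attribute the decision to; nothing is added.
                break;
        }
    }

    /** Wraps a string as a protobuf {@link Value} for use in a {@link Struct}. */
    private static Value stringValue(String s) {
        return Value.newBuilder().setStringValue(s).build();
    }

    /**
     * Builds the audit entry for an authorization decision, including the client address.
     *
     * @see #authorizationEvent(ConfluentAuthorizationEvent, ConfluentServerCrnAuthority, boolean)
     */
    public static AuditLogEntry authorizationEvent(ConfluentAuthorizationEvent confluentAuthorizationEvent, ConfluentServerCrnAuthority confluentServerCrnAuthority) throws CrnSyntaxException {
        return authorizationEvent(confluentAuthorizationEvent, confluentServerCrnAuthority, false);
    }

    /**
     * Builds the audit entry for an authorization decision.
     *
     * <p>The entry's service name is the CRN of the event's source scope and its resource name the
     * CRN of the acted-on resource pattern. The authenticated principal is recorded as
     * {@code type:name}; the authorization block carries the granted flag, operation, resource
     * type/name/pattern type and, via {@link #addAuthorizationInfo}, the rule that decided it.
     * The request struct always holds the correlation id and, when present, the client id; the
     * request-metadata struct holds the request id when present and the client address unless
     * suppressed.
     *
     * @param confluentAuthorizationEvent the decision to record
     * @param confluentServerCrnAuthority resolves scopes and resource patterns to canonical CRNs
     * @param z                           when {@code true} the client address is left out of the
     *                                    request metadata (presumably a redaction switch — the
     *                                    caller decides; nothing else is redacted)
     * @return the completed audit entry
     * @throws CrnSyntaxException if either CRN cannot be produced
     */
    public static AuditLogEntry authorizationEvent(ConfluentAuthorizationEvent confluentAuthorizationEvent, ConfluentServerCrnAuthority confluentServerCrnAuthority, boolean z) throws CrnSyntaxException {
        RequestContext request = confluentAuthorizationEvent.requestContext();

        AuditLogEntry.Builder entry = AuditLogEntry.newBuilder()
                .setServiceName(confluentServerCrnAuthority.canonicalCrn(confluentAuthorizationEvent.sourceScope()).toString())
                .setMethodName(methodName(confluentAuthorizationEvent))
                .setResourceName(confluentServerCrnAuthority.canonicalCrn(
                        confluentAuthorizationEvent.action().scope(),
                        confluentAuthorizationEvent.action().resourcePattern()).toString());

        KafkaPrincipal principal = request.principal();
        entry.setAuthenticationInfo(AuthenticationInfo.newBuilder()
                .setPrincipal(principal.getPrincipalType() + QualifiedSubject.CONTEXT_DELIMITER + principal.getName()));

        AuthorizationInfo.Builder authorization = AuthorizationInfo.newBuilder()
                .setGranted(confluentAuthorizationEvent.authorizeResult() == AuthorizeResult.ALLOWED)
                .setOperation(confluentAuthorizationEvent.action().operation().name())
                .setResourceType(confluentAuthorizationEvent.action().resourcePattern().resourceType().toString())
                .setResourceName(confluentAuthorizationEvent.action().resourcePattern().name())
                .setPatternType(confluentAuthorizationEvent.action().resourcePattern().patternType().toString());
        addAuthorizationInfo(authorization, confluentAuthorizationEvent.authorizePolicy());
        entry.setAuthorizationInfo(authorization);

        // Correlation id is always present (rendered as a string); client id only when the
        // request context supplied one.
        Struct.Builder requestFields = Struct.newBuilder()
                .putFields(TraceRecordBuilderImpl.CORRELATION_ID, stringValue(String.valueOf(request.correlationId())));
        if (request.clientId() != null) {
            requestFields.putFields("client_id", stringValue(request.clientId()));
        }
        entry.setRequest(requestFields.build());

        Struct.Builder metadata = Struct.newBuilder();
        if (!z && request.clientAddress() != null) {
            metadata.putFields("client_address", stringValue(request.clientAddress().toString()));
        }
        if (request.requestId() != null) {
            metadata.putFields("request_id", stringValue(request.requestId()));
        }
        entry.setRequestMetadata(metadata.build());
        return entry.build();
    }

    /**
     * Derives the audit method name, {@code <requestSource>.<requestName>}, for an authorization event.
     *
     * <p>Non-negative request types are Kafka API keys; FETCH is split into the follower and
     * consumer overrides depending on whether the authorized operation was {@code ClusterAction}.
     * A negative request type is only accepted when the request came from MDS, in which case the
     * MDS authorize override is used.
     *
     * @param confluentAuthorizationEvent the event whose request context is inspected
     * @return the dotted method name
     * @throws RuntimeException if the request type is negative and the request did not come from
     *                          MDS — this propagates out of audit-entry construction, so the caller
     *                          must be prepared for the entry not being produced
     */
    public static String methodName(ConfluentAuthorizationEvent confluentAuthorizationEvent) {
        RequestContext request = confluentAuthorizationEvent.requestContext();
        int requestType = request.requestType();
        String requestName;
        if (requestType >= 0) {
            ApiKeys apiKey = ApiKeys.forId(requestType);
            if (apiKey == ApiKeys.FETCH) {
                // Replica fetches are authorized as ClusterAction; everything else is a consumer fetch.
                boolean followerFetch = "ClusterAction".equals(confluentAuthorizationEvent.action().operation().name());
                requestName = followerFetch
                        ? AuditLogRouterUtils.RequestNameOverrides.KAFKA_FETCH_FOLLOWER.name
                        : AuditLogRouterUtils.RequestNameOverrides.KAFKA_FETCH_CONSUMER.name;
            } else {
                requestName = apiKey.name;
            }
        } else if (RequestContext.MDS.equals(request.requestSource())) {
            requestName = AuditLogRouterUtils.RequestNameOverrides.MDS_AUTHORIZE.name;
        } else {
            throw new RuntimeException("Got unexpected requestType not from MDS: " + requestType);
        }
        return request.requestSource() + "." + requestName;
    }

    /**
     * Parses the entry's resource name as a CRN and returns its last resource element.
     *
     * @throws CrnSyntaxException if the stored resource name is not a valid CRN
     */
    public static ConfluentResourceName.Element resourceNameElement(AuditLogEntry auditLogEntry) throws CrnSyntaxException {
        return ConfluentResourceName.fromString(auditLogEntry.getResourceName()).lastResourceElement();
    }

    /**
     * Builds the audit entry for an authentication attempt, including the client address.
     *
     * @see #authenticationEvent(ConfluentAuthenticationEvent, ConfluentServerCrnAuthority, boolean)
     */
    public static AuditLogEntry authenticationEvent(ConfluentAuthenticationEvent confluentAuthenticationEvent, ConfluentServerCrnAuthority confluentServerCrnAuthority) throws CrnSyntaxException {
        return authenticationEvent(confluentAuthenticationEvent, confluentServerCrnAuthority, false);
    }

    /**
     * Builds the audit entry for an authentication attempt.
     *
     * <p>Service and resource name are both the CRN of the event's scope, and the method name is
     * {@link #AUTHENTICATION_EVENT_NAME}. The principal is {@code type:name} when the event has
     * one and {@link #AUTHENTICATION_FAILED_EVENT_USER} otherwise. Metadata records the identifier
     * the client presented (SSL peer principal or SASL identity) and the mechanism
     * ({@code protocol} or {@code protocol/mechanism}). The result carries the event status and,
     * for non-success statuses, the exception's error message when one is attached.
     *
     * <p>NOTE(review): the failure message is copied verbatim into the audit record; whether it
     * can contain credential material depends on the {@code AuthenticationException} producer,
     * which is not visible here.
     *
     * @param confluentAuthenticationEvent the attempt to record
     * @param confluentServerCrnAuthority  resolves the event's scope to a canonical CRN
     * @param z                            when {@code true} the client address is left out of the
     *                                     request metadata (presumably a redaction switch — the
     *                                     caller decides)
     * @return the completed audit entry
     * @throws CrnSyntaxException if the scope CRN cannot be produced
     */
    public static AuditLogEntry authenticationEvent(ConfluentAuthenticationEvent confluentAuthenticationEvent, ConfluentServerCrnAuthority confluentServerCrnAuthority, boolean z) throws CrnSyntaxException {
        String scopeCrn = confluentServerCrnAuthority.canonicalCrn(confluentAuthenticationEvent.getScope()).toString();
        AuditLogEntry.Builder entry = AuditLogEntry.newBuilder()
                .setServiceName(scopeCrn)
                .setMethodName(AUTHENTICATION_EVENT_NAME)
                .setResourceName(scopeCrn);

        AuthenticationContext authenticationContext = confluentAuthenticationEvent.authenticationContext();
        Optional<KafkaPrincipal> principal = confluentAuthenticationEvent.principal();
        AuthenticationInfo.Builder authentication = AuthenticationInfo.newBuilder()
                .setPrincipal(principal
                        .map(p -> p.getPrincipalType() + QualifiedSubject.CONTEXT_DELIMITER + p.getName())
                        .orElse(AUTHENTICATION_FAILED_EVENT_USER))
                .setMetadata(AuthenticationMetadata.newBuilder()
                        .setIdentifier(getIdentifier(confluentAuthenticationEvent))
                        .setMechanism(getMechanism(authenticationContext))
                        .build());
        entry.setAuthenticationInfo(authentication);

        Result.Builder result = Result.newBuilder().setStatus(confluentAuthenticationEvent.status().name());
        if (confluentAuthenticationEvent.status() != AuditEventStatus.SUCCESS) {
            confluentAuthenticationEvent.authenticationException()
                    .ifPresent(failure -> result.setMessage(failure.errorMessage()));
        }
        entry.setResult(result.build());

        Struct.Builder metadata = Struct.newBuilder();
        if (!z && authenticationContext.clientAddress() != null) {
            metadata.putFields("client_address", stringValue(authenticationContext.clientAddress().toString()));
        }
        entry.setRequestMetadata(metadata.build());
        return entry.build();
    }

    /**
     * Names the mechanism the connection authenticated with.
     *
     * @return the security protocol name for plaintext and SSL contexts; for SASL contexts
     *         {@code protocol/mechanism}, or just the protocol when no {@link SaslServer} is
     *         attached; {@code ""} for any other (or null) context
     */
    private static String getMechanism(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof PlaintextAuthenticationContext
                || authenticationContext instanceof SslAuthenticationContext) {
            return authenticationContext.securityProtocol().name;
        }
        if (!(authenticationContext instanceof SaslAuthenticationContext)) {
            return "";
        }
        String protocol = authenticationContext.securityProtocol().name;
        SaslServer server = ((SaslAuthenticationContext) authenticationContext).server();
        if (server == null) {
            return protocol;
        }
        return protocol + "/" + server.getMechanismName();
    }

    /**
     * Returns the identifier the client presented: the SSL peer principal for SSL contexts, the
     * SASL identity for SASL contexts, and {@code ""} for anything else.
     */
    private static String getIdentifier(AuthenticationEvent authenticationEvent) {
        AuthenticationContext authenticationContext = authenticationEvent.authenticationContext();
        if (authenticationContext instanceof SslAuthenticationContext) {
            return sslPeerPrincipal((SslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof SaslAuthenticationContext) {
            return saslIdentifier(authenticationEvent);
        }
        return "";
    }

    /**
     * Returns the SASL identity for the event.
     *
     * <p>A failed attempt reports the identifier carried in the exception's error info; a
     * successful one reports the PLAIN user identifier when the server is a {@link PlainSaslServer}
     * and the SASL authorization id otherwise.
     */
    private static String saslIdentifier(AuthenticationEvent authenticationEvent) {
        SaslAuthenticationContext saslAuthenticationContext = (SaslAuthenticationContext) authenticationEvent.authenticationContext();
        Optional<AuthenticationException> failure = authenticationEvent.authenticationException();
        if (failure.isPresent()) {
            return failure.get().errorInfo().identifier();
        }
        SaslServer server = saslAuthenticationContext.server();
        if (server == null) {
            // Mirror getMechanism(): a missing SaslServer yields no identifier rather than an NPE
            // that would abort construction of the audit entry.
            return "";
        }
        if (server instanceof PlainSaslServer) {
            return ((PlainSaslServer) server).userIdentifier();
        }
        return server.getAuthorizationID();
    }

    /**
     * Returns the distinguished name of the TLS peer, or {@code ""} when it is unavailable.
     *
     * <p>Best effort by design: an unverified peer (no client certificate), or any other failure
     * reading the session, must not prevent the authentication event from being recorded.
     */
    private static String sslPeerPrincipal(SslAuthenticationContext sslAuthenticationContext) {
        try {
            return sslAuthenticationContext.session().getPeerPrincipal().getName();
        } catch (Exception ignored) {
            return "";
        }
    }
}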
