package io.confluent.rbacapi.resources.v2;

import io.confluent.cloud.rbac.CloudRoleBinding;
import io.confluent.cloud.rbac.CloudScope;
import io.confluent.cloud.rbac.V2CloudRbacStorageService;
import io.confluent.crn.ConfluentCloudCrnAuthority;
import io.confluent.crn.ConfluentServerCrnAuthority;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.crn.ScopedResourcePattern;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.entities.V2ListRoleBindingResponse;
import io.confluent.rbacapi.entities.V2RoleBinding;
import io.confluent.rbacapi.entities.V2SingleRoleBindingResponse;
import io.confluent.rbacapi.exceptions.DeletedNonexistentResourceException;
import io.confluent.rbacapi.services.FeatureConfigurationService;
import io.confluent.rbacapi.utils.ScopeUtils;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.rbacapi.validation.v2.V2ValidPrincipalFilter;
import io.confluent.rbacapi.validation.v2.V2ValidRoleBindingId;
import io.confluent.rbacapi.validation.v2.V2ValidRoleFilter;
import io.confluent.rbacapi.validation.v2.V2ValidationUtil;
import io.confluent.rest.annotations.PerformanceMetric;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.utils.AuthWriterUtils;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RbacRoles;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("/v2")
/* loaded from: input_file:io/confluent/rbacapi/resources/v2/V2CloudRbacRoleBindingResource.class */
public class V2CloudRbacRoleBindingResource {
    private static final String API_VERSION = "iam/v2";
    private static final String KIND_ROLEBINDING = "RoleBinding";
    private static final String KIND_ROLEBINDING_LIST = "RoleBindingList";
    private final ConfluentCloudCrnAuthority authority;
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    private final Set<String> resourceRoles;
    private final ValidationUtil validationUtil = new V2ValidationUtil();
    private final V2CloudRbacStorageService storageService;
    private final RbacRoles rbacRoles;
    private final FeatureConfigurationService featureConfigurationService;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) V2CloudRbacRoleBindingResource.class);
    private static final Set<String> scopeResourceTypes = Utils.mkSet(ConfluentServerCrnAuthority.ORGANIZATION_RESOURCE_TYPE, ConfluentServerCrnAuthority.ENVIRONMENT_RESOURCE_TYPE, ConfluentServerCrnAuthority.CLOUD_CLUSTER_RESOURCE_TYPE);
    private static final Set<String> clusterResourceTypes = Utils.mkSet(ConfluentServerCrnAuthority.KAFKA_CLUSTER_RESOURCE_TYPE, ConfluentServerCrnAuthority.KSQL_CLUSTER_RESOURCE_TYPE, ConfluentServerCrnAuthority.CONNECT_CLUSTER_RESOURCE_TYPE, ConfluentServerCrnAuthority.SCHEMA_REGISTRY_RESOURCE_TYPE);
    private static final String ERR_GENERAL_UNAUTHORIZED = "Either unauthorized to access role binding or role binding does not exist";

    public V2CloudRbacRoleBindingResource(AuthStore authStore, V2CloudRbacStorageService v2CloudRbacStorageService, SecurityMetadataAuthorizer securityMetadataAuthorizer, ConfluentCloudCrnAuthority confluentCloudCrnAuthority, FeatureConfigurationService featureConfigurationService) {
        this.storageService = v2CloudRbacStorageService;
        this.metadataAuthorizer = securityMetadataAuthorizer;
        this.rbacRoles = authStore.authCache().rbacRoles();
        this.authority = confluentCloudCrnAuthority;
        this.featureConfigurationService = featureConfigurationService;
        this.resourceRoles = (Set) authStore.authCache().rbacRoles().roles().stream().filter((v0) -> {
            return v0.bindWithResource();
        }).map((v0) -> {
            return v0.name();
        }).collect(Collectors.toSet());
    }

    @Path("role-bindings")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v2.role-bindings.post")
    public V2SingleRoleBindingResponse createRoleBinding(@Context SecurityContext securityContext, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Valid V2RoleBinding v2RoleBinding) throws CrnSyntaxException {
        KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(v2RoleBinding.getPrincipal());
        ScopedResourcePattern resolveScopePattern = this.authority.resolveScopePattern(this.authority.canonicalCrn(v2RoleBinding.getCrnPattern()));
        Scope scope = resolveScopePattern.scope();
        if (resolveScopePattern.resourcePattern() == null) {
            this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.ALTER);
        } else {
            this.metadataAuthorizer.authorizeResourceAccess(securityContext, scope, Arrays.asList(resolveScopePattern.resourcePattern()), SecurityMetadataAuthorizer.ALTER_ACCESS);
        }
        String organizationResourceId = CloudScope.organizationResourceId(scope);
        if (this.storageService.countOrganizationCloudRoleBindings(organizationResourceId) >= this.featureConfigurationService.organizationRoleBindingLimit(organizationResourceId)) {
            throw new ClientErrorException("Too many role bindings in organization.", 402);
        }
        CloudRoleBinding addRoleBindingForResourcePattern = addRoleBindingForResourcePattern(userPrincipal, parseKafkaPrincipal, v2RoleBinding.getRoleName(), resolveScopePattern.scope(), resolveScopePattern.resourcePattern(), null);
        String stringBuffer = httpServletRequest.getRequestURL().append("/").append(addRoleBindingForResourcePattern.getResourceId()).toString();
        httpServletResponse.setHeader("Location", stringBuffer);
        httpServletResponse.setStatus(201);
        try {
            httpServletResponse.flushBuffer();
        } catch (Exception e) {
            log.error("Error returning 201 in create endpoint");
        }
        return new V2SingleRoleBindingResponse(API_VERSION, addRoleBindingForResourcePattern, stringBuffer, this.authority);
    }

    @Path("role-bindings")
    @Consumes({"application/json"})
    @DELETE
    @Produces({"application/json"})
    @PerformanceMetric("v2.role-bindings.delete")
    public V2SingleRoleBindingResponse deleteRoleBinding(@Context SecurityContext securityContext, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @Valid V2RoleBinding v2RoleBinding) throws CrnSyntaxException {
        KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(v2RoleBinding.getPrincipal());
        ScopedResourcePattern resolveScopePattern = this.authority.resolveScopePattern(this.authority.canonicalCrn(v2RoleBinding.getCrnPattern()));
        if (resolveScopePattern.resourcePattern() == null) {
            this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, resolveScopePattern.scope(), SecurityMetadataAuthorizer.ALTER);
        } else {
            this.metadataAuthorizer.authorizeResourceAccess(securityContext, resolveScopePattern.scope(), Arrays.asList(resolveScopePattern.resourcePattern()), SecurityMetadataAuthorizer.ALTER_ACCESS);
        }
        Optional<CloudRoleBinding> removeRoleBindingForResourcePattern = removeRoleBindingForResourcePattern(userPrincipal, parseKafkaPrincipal, v2RoleBinding.getRoleName(), resolveScopePattern.scope(), resolveScopePattern.resourcePattern(), null);
        if (!removeRoleBindingForResourcePattern.isPresent()) {
            throw new DeletedNonexistentResourceException("RoleBinding", v2RoleBinding.getCrnPattern());
        }
        String stringBuffer = httpServletRequest.getRequestURL().append("/").append(removeRoleBindingForResourcePattern.get().getResourceId()).toString();
        httpServletResponse.setHeader("Location", stringBuffer);
        return new V2SingleRoleBindingResponse(API_VERSION, removeRoleBindingForResourcePattern.get(), stringBuffer, this.authority);
    }

    @Path("role-bindings/{id}")
    @DELETE
    @Produces({"application/json"})
    @PerformanceMetric("v2.role-bindings.delete.id")
    public V2SingleRoleBindingResponse deleteRoleBindingById(@Context SecurityContext securityContext, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @V2ValidRoleBindingId @NotNull @PathParam("id") String str) throws CrnSyntaxException {
        KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        Optional<CloudRoleBinding> rbacCloudRoleBinding = this.storageService.rbacCloudRoleBinding(str);
        if (!rbacCloudRoleBinding.isPresent()) {
            throw new AuthorizationException(ERR_GENERAL_UNAUTHORIZED);
        }
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(rbacCloudRoleBinding.get().getPrincipal().toString());
        ScopedResourcePattern resolveScopePattern = this.authority.resolveScopePattern(this.authority.canonicalCrn(this.authority.canonicalCrn(rbacCloudRoleBinding.get().getScope(), rbacCloudRoleBinding.get().getResourcePattern()).toString()));
        try {
            if (resolveScopePattern.resourcePattern() == null) {
                this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, resolveScopePattern.scope(), SecurityMetadataAuthorizer.ALTER);
            } else {
                this.metadataAuthorizer.authorizeResourceAccess(securityContext, resolveScopePattern.scope(), Arrays.asList(resolveScopePattern.resourcePattern()), SecurityMetadataAuthorizer.ALTER_ACCESS);
            }
            Optional<CloudRoleBinding> removeRoleBindingForResourcePattern = removeRoleBindingForResourcePattern(userPrincipal, parseKafkaPrincipal, rbacCloudRoleBinding.get().getRole(), resolveScopePattern.scope(), resolveScopePattern.resourcePattern(), null);
            if (!removeRoleBindingForResourcePattern.isPresent()) {
                log.error("Trying to delete an already deleted role binding in deleteRoleBindingById");
                throw new AuthorizationException(ERR_GENERAL_UNAUTHORIZED);
            }
            String stringBuffer = httpServletRequest.getRequestURL().toString();
            httpServletResponse.setHeader("Location", stringBuffer);
            return new V2SingleRoleBindingResponse(API_VERSION, removeRoleBindingForResourcePattern.get(), stringBuffer, this.authority);
        } catch (AuthorizationException e) {
            throw new AuthorizationException(ERR_GENERAL_UNAUTHORIZED);
        }
    }

    @GET
    @Path("role-bindings")
    @Produces({"application/json"})
    @PerformanceMetric("v2.role-bindings.get")
    public V2ListRoleBindingResponse listRoleBindings(@Context SecurityContext securityContext, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @V2ValidPrincipalFilter @QueryParam("principal") String str, @V2ValidRoleFilter @QueryParam("role_name") String str2, @NotNull @QueryParam("crn_pattern") String str3, @QueryParam("page_size") int i, @QueryParam("page_token") String str4) throws CrnSyntaxException {
        KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        KafkaPrincipal parseKafkaPrincipal = str != null ? SecurityUtils.parseKafkaPrincipal(str) : null;
        boolean endsWith = str3.endsWith("/*");
        ScopedResourcePattern resolveScopePattern = this.authority.resolveScopePattern(this.authority.canonicalCrn(endsWith ? str3.substring(0, str3.lastIndexOf("/*")) : str3));
        List<CloudRoleBinding> listRoleBindingsAtScopes = listRoleBindingsAtScopes(securityContext, userPrincipal, parseKafkaPrincipal, str2, resolveScopePattern.scope(), resolveScopePattern.resourcePattern(), endsWith);
        ArrayList arrayList = new ArrayList();
        for (CloudRoleBinding cloudRoleBinding : listRoleBindingsAtScopes) {
            arrayList.add(new V2SingleRoleBindingResponse(API_VERSION, cloudRoleBinding, httpServletRequest.getRequestURL().append("/").append(cloudRoleBinding.getResourceId()).toString(), this.authority));
        }
        return new V2ListRoleBindingResponse(API_VERSION, KIND_ROLEBINDING_LIST, null, arrayList);
    }

    @GET
    @Path("role-bindings/{id}")
    @Produces({"application/json"})
    @PerformanceMetric("v2.role-bindings.get.id")
    public V2SingleRoleBindingResponse getRoleBinding(@Context SecurityContext securityContext, @Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse, @V2ValidRoleBindingId @NotNull @PathParam("id") String str) throws CrnSyntaxException {
        KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        Optional<CloudRoleBinding> rbacCloudRoleBinding = this.storageService.rbacCloudRoleBinding(str);
        if (!rbacCloudRoleBinding.isPresent()) {
            throw new AuthorizationException(ERR_GENERAL_UNAUTHORIZED);
        }
        KafkaPrincipal parseKafkaPrincipal = rbacCloudRoleBinding.get().getPrincipal().toString() != null ? SecurityUtils.parseKafkaPrincipal(rbacCloudRoleBinding.get().getPrincipal().toString()) : null;
        ScopedResourcePattern resolveScopePattern = this.authority.resolveScopePattern(this.authority.canonicalCrn(this.authority.canonicalCrn(rbacCloudRoleBinding.get().getScope(), rbacCloudRoleBinding.get().getResourcePattern()).toString()));
        try {
            Optional<CloudRoleBinding> findAny = listRoleBindingsAtScopes(securityContext, userPrincipal, parseKafkaPrincipal, rbacCloudRoleBinding.get().getRole(), resolveScopePattern.scope(), resolveScopePattern.resourcePattern(), false).stream().filter(cloudRoleBinding -> {
                return cloudRoleBinding.getResourceId().equals(str);
            }).findAny();
            if (findAny.isPresent()) {
                return new V2SingleRoleBindingResponse(API_VERSION, findAny.get(), httpServletRequest.getRequestURL().toString(), this.authority);
            }
            throw new AuthorizationException(ERR_GENERAL_UNAUTHORIZED);
        } catch (AuthorizationException e) {
            throw new AuthorizationException(ERR_GENERAL_UNAUTHORIZED);
        }
    }

    private CloudRoleBinding addRoleBindingForResourcePattern(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, ResourcePattern resourcePattern, String str2) {
        log.debug("addRoleBindingForResourcePattern callingPrincipal={} targetPrincipal={} role={} scope={} reason={} resourcePattern={}", kafkaPrincipal, kafkaPrincipal2, str, scope, str2, resourcePattern);
        validateRoleBindingUpdate(str, scope, resourcePattern);
        return this.storageService.addRoleBindingForResourcePattern(kafkaPrincipal, kafkaPrincipal2, str, scope, resourcePattern, str2);
    }

    private Optional<CloudRoleBinding> removeRoleBindingForResourcePattern(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, ResourcePattern resourcePattern, String str2) {
        log.debug("removeRoleBindingForResourcePattern callingPrincipal={} targetPrincipal={} role={} scope={} reason={} resourcePattern={}", kafkaPrincipal, kafkaPrincipal2, str, scope, str2, resourcePattern);
        validateRoleBindingUpdate(str, scope, resourcePattern);
        return this.storageService.removeRoleBindingForResourcePattern(kafkaPrincipal, kafkaPrincipal2, str, scope, resourcePattern, str2);
    }

    private void validateResourceScopedRole(String str) {
        if (!this.resourceRoles.contains(str)) {
            throw new ClientErrorException(String.format("Cannot bind role %s with resources.", str), 400);
        }
    }

    private void validateRoleBindingUpdate(String str, Scope scope, ResourcePattern resourcePattern) {
        if (scopeResourceTypes.contains(resourcePattern.resourceType().name())) {
            AuthWriterUtils.validateRoleBindingUpdate(str, scope, Collections.emptyList(), true, Scope.ROOT_SCOPE, this.rbacRoles);
            return;
        }
        validateResourceScopedRole(str);
        this.validationUtil.verifyRoleResourceType(str, resourcePattern);
        List asList = Arrays.asList(resourcePattern);
        AuthWriterUtils.validateRoleResources(asList);
        AuthWriterUtils.validateRoleBindingUpdate(str, scope, asList, true, Scope.ROOT_SCOPE, this.rbacRoles);
    }

    private boolean hasRoleBindingDescribeAccess(SecurityContext securityContext, Set<Scope> set, ResourcePattern resourcePattern, KafkaPrincipal kafkaPrincipal) {
        try {
            ScopeUtils.securityMetadataAuthorizedScopesAllowDescribeSelf(set, kafkaPrincipal, securityContext, SecurityMetadataAuthorizer.DESCRIBE, this.metadataAuthorizer);
            return true;
        } catch (AuthorizationException e) {
            KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
            List<CloudRoleBinding> rbacCloudRoleBindings = this.storageService.rbacCloudRoleBindings(userPrincipal, null, resourcePattern, set, false);
            if (kafkaPrincipal == null) {
                return !rbacCloudRoleBindings.isEmpty();
            }
            Set set2 = (Set) rbacCloudRoleBindings.stream().map(cloudRoleBinding -> {
                return cloudRoleBinding.getResourcePattern();
            }).collect(Collectors.toSet());
            return !((Set) set.stream().flatMap(scope -> {
                return this.metadataAuthorizer.filterResourceAccess(userPrincipal, scope, set2, SecurityMetadataAuthorizer.DESCRIBE_ACCESS).stream();
            }).collect(Collectors.toSet())).isEmpty();
        }
    }

    private List<CloudRoleBinding> listRoleBindingsAtScopes(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, ResourcePattern resourcePattern, boolean z) {
        Set<Scope> emptySet;
        log.debug("listRoleBindingsAtScopes callingPrincipal={} targetPrincipal={} role={} targetScope={} resourcePattern={} inclusive={}", kafkaPrincipal, kafkaPrincipal2, str, scope, resourcePattern, Boolean.valueOf(z));
        Set<Scope> allKnownContainedScopes = z ? ScopeUtils.allKnownContainedScopes(scope, this.storageService) : Collections.singleton(scope);
        if (z && clusterResourceTypes.contains(resourcePattern.resourceType().name())) {
            resourcePattern = null;
        } else if (z && scopeResourceTypes.contains(resourcePattern.resourceType().name())) {
            resourcePattern = null;
        }
        if (!hasRoleBindingDescribeAccess(securityContext, allKnownContainedScopes, resourcePattern, kafkaPrincipal2)) {
            throw new AuthorizationException("Role access not permitted for " + kafkaPrincipal);
        }
        List<CloudRoleBinding> rbacCloudRoleBindings = this.storageService.rbacCloudRoleBindings(kafkaPrincipal2, str, resourcePattern, allKnownContainedScopes, false);
        Set<ResourcePattern> set = (Set) rbacCloudRoleBindings.stream().filter(cloudRoleBinding -> {
            return cloudRoleBinding.getResourcePattern() != null;
        }).map((v0) -> {
            return v0.getResourcePattern();
        }).collect(Collectors.toSet());
        try {
            emptySet = ScopeUtils.securityMetadataAuthorizedScopesAllowDescribeSelf(allKnownContainedScopes, kafkaPrincipal2, securityContext, SecurityMetadataAuthorizer.DESCRIBE, this.metadataAuthorizer);
        } catch (AuthorizationException e) {
            emptySet = Collections.emptySet();
        }
        HashMap hashMap = new HashMap();
        for (Scope scope2 : allKnownContainedScopes) {
            hashMap.put(scope2, this.metadataAuthorizer.hasSecurityMetadataAccess(kafkaPrincipal, scope2, SecurityMetadataAuthorizer.DESCRIBE) ? set : this.metadataAuthorizer.filterResourceAccess(kafkaPrincipal, scope2, set, SecurityMetadataAuthorizer.DESCRIBE_ACCESS));
        }
        ArrayList arrayList = new ArrayList();
        for (CloudRoleBinding cloudRoleBinding2 : rbacCloudRoleBindings) {
            if (!cloudRoleBinding2.getPrincipal().equals(kafkaPrincipal)) {
                if (cloudRoleBinding2.getResourcePattern() == null) {
                    if (!emptySet.contains(cloudRoleBinding2.getScope())) {
                    }
                } else if (!((Set) hashMap.get(cloudRoleBinding2.getScope())).contains(cloudRoleBinding2.getResourcePattern())) {
                }
            }
            arrayList.add(cloudRoleBinding2);
        }
        return arrayList;
    }
}
