package io.confluent.controlcenter.client;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import io.confluent.controlcenter.ControlCenterConfig;
import io.confluent.controlcenter.MetadataServiceConfig;
import io.confluent.controlcenter.httpclient.BasicHttpCredential;
import io.confluent.controlcenter.httpclient.BearerTokenHttpCredential;
import io.confluent.controlcenter.httpclient.Client;
import io.confluent.controlcenter.servicehealthcheck.ServiceHealthCheckModule;
import io.confluent.controlcenter.servicehealthcheck.SingleServiceHealthCheck;
import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.entities.FeaturesInfo;
import io.confluent.rbacapi.entities.VisibilityRequest;
import io.confluent.rbacapi.entities.VisibilityResponse;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Scope;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import javax.validation.constraints.NotNull;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.WebApplicationException;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/client/MetadataServiceClient.class */
public class MetadataServiceClient implements ConfigurableClient {
    protected static final String ALLOWED = "ALLOWED";
    public static final String RBAC_VISIBILITY_FEATURE_KEY = "rbac.visibility.api.1.enabled";
    private static final long MDS_TIMEOUT_SEC = 15;
    private final ControlCenterConfig controlCenterConfig;
    private final MetadataServiceConfig serviceConfig;
    private final ObjectMapper objectMapper;
    private SingleServiceHealthCheck mdsHealthCheck;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) MetadataServiceClient.class);
    private static int MDS_RETRIES_EACH = 2;
    private static String MDS_ERROR_MESSAGE = "failed to connect to any MDS server";
    private SslContextFactory sslContextFactory = null;
    private Client client = null;

    public MetadataServiceClient(ControlCenterConfig controlCenterConfig, MetadataServiceConfig metadataServiceConfig, ObjectMapper objectMapper, @ServiceHealthCheckModule.MetadataServiceHealthCheck SingleServiceHealthCheck singleServiceHealthCheck) {
        this.controlCenterConfig = controlCenterConfig;
        this.serviceConfig = metadataServiceConfig;
        this.objectMapper = objectMapper;
        this.mdsHealthCheck = singleServiceHealthCheck;
    }

    private synchronized void initClient() {
        if (this.client != null) {
            return;
        }
        this.client = new Client(this.sslContextFactory, this.objectMapper, 15L, this.controlCenterConfig);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Client getClient() {
        if (this.client == null) {
            initClient();
        }
        return this.client;
    }

    @Override // io.confluent.controlcenter.client.ConfigurableClient
    public void setSslContextFactory(@NotNull SslContextFactory sslContextFactory) {
        if (this.client != null) {
            throw new IllegalStateException("trying to set SslContextFactory but Client is already built!");
        }
        Preconditions.checkNotNull(sslContextFactory);
        this.sslContextFactory = sslContextFactory;
        initClient();
    }

    public String getMetadataServiceKafkaId() {
        return (String) makeRequestWithRetries(str -> {
            return (String) getClient().makeRequestNoBody(str + "/security/1.0/metadataClusterId", HttpMethod.GET, new BasicHttpCredential(this.serviceConfig.getControlCenterUsername(), this.serviceConfig.getControlCenterPassword()), new TypeReference<String>() { // from class: io.confluent.controlcenter.client.MetadataServiceClient.1
            });
        });
    }

    public <T> Set<T> authorize(String str, String str2, Map<T, List<Action>> map) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        map.forEach((obj, list) -> {
            arrayList.add(obj);
            Preconditions.checkArgument(list.size() > 0);
            arrayList2.addAll(list);
        });
        List list2 = (List) makeRequestWithRetries(str3 -> {
            return (List) getClient().makeRequestWithContent(str3 + "/security/1.0/authorize", HttpMethod.PUT, new BearerTokenHttpCredential(str2), MimeTypes.Type.APPLICATION_JSON, new AuthorizeRequest("User:" + str, arrayList2), new TypeReference<List<String>>() { // from class: io.confluent.controlcenter.client.MetadataServiceClient.2
            });
        });
        if (list2.size() != arrayList2.size()) {
            log.error("expected list size {}, actual, {}", Integer.valueOf(arrayList2.size()), Integer.valueOf(list2.size()));
            throw new InternalServerErrorException();
        }
        HashMap hashMap = new HashMap();
        int i = 0;
        for (Object obj2 : arrayList) {
            ArrayList arrayList3 = new ArrayList();
            for (int i2 = 0; i2 < map.get(obj2).size(); i2++) {
                int i3 = i;
                i++;
                arrayList3.add(Boolean.valueOf(((String) list2.get(i3)).equals(ALLOWED)));
            }
            hashMap.put(obj2, arrayList3);
        }
        HashSet hashSet = new HashSet();
        hashMap.forEach((obj3, list3) -> {
            if (list3.stream().allMatch(bool -> {
                return bool.booleanValue();
            })) {
                hashSet.add(obj3);
            }
        });
        return hashSet;
    }

    public <T> Set<T> visibility(String str, String str2, Map<T, Scope> map) {
        Preconditions.checkArgument(isRbacVisibilityFeatureEnabled());
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        map.forEach((obj, scope) -> {
            Preconditions.checkNotNull(scope.clusters().get("kafka-cluster"));
            arrayList.add(obj);
            arrayList2.add(new VisibilityRequest(scope.clusters().get("kafka-cluster"), singletonListOrNull(r4 -> {
                return scope.clusters().get("connect-cluster");
            }), singletonListOrNull(r42 -> {
                return scope.clusters().get("schema-registry-cluster");
            }), singletonListOrNull(r43 -> {
                return scope.clusters().get("ksql-cluster");
            })));
        });
        List list = (List) makeRequestWithRetries(str3 -> {
            return (List) getClient().makeRequestWithContent(str3 + "/security/1.0/lookup/principals/User:" + URIUtil.encodePath(str) + "/visibility", HttpMethod.POST, new BearerTokenHttpCredential(str2), MimeTypes.Type.APPLICATION_JSON, arrayList2, new TypeReference<List<VisibilityResponse>>() { // from class: io.confluent.controlcenter.client.MetadataServiceClient.3
            });
        });
        if (list.size() != arrayList2.size()) {
            log.error("expected list size {}, actual, {}", Integer.valueOf(arrayList2.size()), Integer.valueOf(list.size()));
            throw new InternalServerErrorException();
        }
        HashSet hashSet = new HashSet();
        int i = 0;
        for (Object obj2 : arrayList) {
            int i2 = i;
            i++;
            VisibilityResponse visibilityResponse = (VisibilityResponse) list.get(i2);
            if (visibilityResponse.kafkaCluster.visible && isNullEmptyOrAllVisible(visibilityResponse.connectClusters) && isNullEmptyOrAllVisible(visibilityResponse.schemaRegistryClusters) && isNullEmptyOrAllVisible(visibilityResponse.ksqlClusters)) {
                hashSet.add(obj2);
            }
        }
        return hashSet;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public <T> T makeRequestWithRetries(Function<String, T> function) {
        return (T) Client.makeRequestWithRetries(function, this.mdsHealthCheck.getHealthyUrls(), MDS_RETRIES_EACH, MDS_ERROR_MESSAGE);
    }

    private static <T> List<T> singletonListOrNull(Function<Void, T> function) {
        T apply = function.apply(null);
        if (apply == null) {
            return null;
        }
        return Collections.singletonList(apply);
    }

    private static boolean isNullEmptyOrAllVisible(List<VisibilityResponse.ClusterVisibility> list) {
        if (list == null || list.isEmpty()) {
            return true;
        }
        Iterator<VisibilityResponse.ClusterVisibility> it = list.iterator();
        while (it.hasNext()) {
            if (!it.next().visible) {
                return false;
            }
        }
        return true;
    }

    public boolean isRbacVisibilityFeatureEnabled() {
        try {
            return getMetadataServiceFeatures().getFeatures().getOrDefault(RBAC_VISIBILITY_FEATURE_KEY, false).booleanValue();
        } catch (WebApplicationException e) {
            log.error("Cannot check if RBAC Visibility Feature enabled: failed to fetch MDS features. please check if MDS cluster is up and running properly");
            if (!log.isDebugEnabled()) {
                return true;
            }
            log.error("Exception", (Throwable) e);
            return true;
        }
    }

    public FeaturesInfo getMetadataServiceFeatures() {
        return (FeaturesInfo) makeRequestWithRetries(str -> {
            return (FeaturesInfo) getClient().makeRequestNoBody(str + "/security/1.0/features", HttpMethod.GET, null, new TypeReference<FeaturesInfo>() { // from class: io.confluent.controlcenter.client.MetadataServiceClient.4
            });
        });
    }
}
