package io.confluent.kafka.multitenant.authorizer;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.audit.DefaultTenantSanitizer;
import io.confluent.kafka.multitenant.utils.AuthUtils;
import io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer;
import io.confluent.kafka.server.plugins.auth.DefaultUserMetaDataStore;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.EmbeddedAuthorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.RequestContext;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.MetadataProvider;
import io.confluent.shaded.com.google.common.annotations.VisibleForTesting;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclState;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.metrics.Sensor;
import org.apache.kafka.common.metrics.stats.Rate;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.audit.AuditLogProvider;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/MultiTenantAuthorizer.class */
public class MultiTenantAuthorizer extends ConfluentServerAuthorizer {
    public static final String MAX_ACLS_PER_TENANT_PROP = "confluent.max.acls.per.tenant";
    private static final int DEFAULT_MAX_ACLS_PER_TENANT_PROP = 1000;
    private static final int ACLS_DISABLED = 0;
    private int maxAclsPerTenant;
    private boolean authorizationDisabled;
    private boolean auditLogEnabled;
    private boolean oauthSuperUserDisable;
    private boolean enableDataplaneRbacForPKC;
    private TenantAuthorizerMetrics mtAuthorizerMetrics;
    private boolean supportUserResourceId;
    private DefaultUserMetaDataStore userMetaDataStore;
    private Map<String, ?> configs;

    /* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/MultiTenantAuthorizer$TenantAuthorizerMetrics.class */
    public static class TenantAuthorizerMetrics {
        private static final String AUTHORIZER_AUTHORIZATION_DENIED_SENSOR = "user-account-request-authorization-denied";
        private static final String USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_SENSOR = "user-id-to-resource-id-mapping-missing";
        public static final String USER_ACCOUNT_REQUEST_DENIED_RATE_PER_MINUTE = "user-account-request-denied-rate-per-minute";
        public static final String USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_RATE_PER_MINUTE = "user-id-to-resource-id-mapping-missing-rate-per-minute";
        public static final String CREATE_ACL_REQUEST_SENSOR = "create-acl-request-";
        public static final String DESCRIBE_ACL_REQUEST_SENSOR = "describe-acl-request-";
        public static final String DELETE_ACL_REQUEST_SENSOR = "delete-acl-request-";
        public static final String CREATE_ACL_REQUEST_RATE = "create-acl-request-rate";
        public static final String DESCRIBE_ACL_REQUEST_RATE = "describe-acl-request-rate";
        public static final String DELETE_ACL_REQUEST_RATE = "delete-acl-request-rate";
        public static final String RESOURCE_ID = "resource-id";
        public static final String INTEGER_ID = "integer-id";
        private final Time time;
        private final Metrics metrics;
        private Sensor authorizationUserAccountRequestDeniedSensor;
        private Sensor userIdToResourceIdMappingMissingSensor;
        private Map<String, Sensor> createAclSensor = new HashMap();
        private Map<String, Sensor> describeAclSensor = new HashMap();
        private Map<String, Sensor> deleteAclSensor = new HashMap();

        TenantAuthorizerMetrics(Metrics metrics) {
            this.authorizationUserAccountRequestDeniedSensor = null;
            this.userIdToResourceIdMappingMissingSensor = null;
            this.authorizationUserAccountRequestDeniedSensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_DENIED_SENSOR);
            this.authorizationUserAccountRequestDeniedSensor.add(metrics.metricName(USER_ACCOUNT_REQUEST_DENIED_RATE_PER_MINUTE, EmbeddedAuthorizer.AuthorizerMetrics.GROUP_NAME, "The number of authorization denied per minute for user accounts requests"), new Rate(TimeUnit.MINUTES));
            this.userIdToResourceIdMappingMissingSensor = metrics.sensor(USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_SENSOR);
            this.userIdToResourceIdMappingMissingSensor.add(metrics.metricName(USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_RATE_PER_MINUTE, EmbeddedAuthorizer.AuthorizerMetrics.GROUP_NAME, "The number missing mapping of userId to resourceId per minute for acl operation requests"), new Rate(TimeUnit.MINUTES));
            for (String str : new String[]{INTEGER_ID, RESOURCE_ID}) {
                this.createAclSensor.put(str, metrics.sensor(CREATE_ACL_REQUEST_SENSOR + str));
                this.createAclSensor.get(str).add(metrics.metricName(CREATE_ACL_REQUEST_RATE, EmbeddedAuthorizer.AuthorizerMetrics.GROUP_NAME, "Number of create ACL requests per second.", "principal-type", str), new Rate());
                this.describeAclSensor.put(str, metrics.sensor(DESCRIBE_ACL_REQUEST_SENSOR + str));
                this.describeAclSensor.get(str).add(metrics.metricName(DESCRIBE_ACL_REQUEST_RATE, EmbeddedAuthorizer.AuthorizerMetrics.GROUP_NAME, "Number of describe ACL requests per second.", "principal-type", str), new Rate());
                this.deleteAclSensor.put(str, metrics.sensor(DELETE_ACL_REQUEST_SENSOR + str));
                this.deleteAclSensor.get(str).add(metrics.metricName(DELETE_ACL_REQUEST_RATE, EmbeddedAuthorizer.AuthorizerMetrics.GROUP_NAME, "Number of delete ACL requests per second.", "principal-type", str), new Rate());
            }
            this.time = Time.SYSTEM;
            this.metrics = metrics;
        }

        public void recordAuthorizationDeniedMetric(AuthorizableRequestContext authorizableRequestContext, List<AuthorizationResult> list, List<Action> list2) {
            try {
                if (authorizableRequestContext.principal() instanceof MultiTenantPrincipal) {
                    if (((MultiTenantPrincipal) authorizableRequestContext.principal()).tenantMetadata().isServiceAccount) {
                        return;
                    }
                    int i = 0;
                    for (int i2 = 0; i2 < list.size(); i2++) {
                        if (list.get(i2) != AuthorizationResult.ALLOWED && list2.get(i2).logIfDenied()) {
                            i++;
                        }
                    }
                    if (i > 0) {
                        this.authorizationUserAccountRequestDeniedSensor.record(i, this.time.milliseconds(), false);
                    }
                }
            } catch (Exception e) {
                MultiTenantAuthorizer.log.error("Error while recording multi-tenant authorizer metrics", (Throwable) e);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void recordMissingMappingMetric() {
            this.userIdToResourceIdMappingMissingSensor.record(1.0d, this.time.milliseconds(), false);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Metrics metrics() {
            return this.metrics;
        }
    }

    @VisibleForTesting
    public void configureAccessRuleProviders(Map<String, Object> map) {
        Object obj = map.get(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP);
        if (!(obj instanceof String) || Arrays.stream(((String) obj).split(",")).noneMatch(str -> {
            return ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name().equals(str);
        })) {
            map.put(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP, ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name());
        }
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, io.confluent.security.authorizer.EmbeddedAuthorizer
    public void configureServerInfo(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo) {
        this.mtAuthorizerMetrics = new TenantAuthorizerMetrics(confluentAuthorizerServerInfo.metrics());
        super.configureServerInfo(confluentAuthorizerServerInfo);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, io.confluent.security.authorizer.EmbeddedAuthorizer, org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.configs = map;
        HashMap hashMap = new HashMap(map);
        String str = (String) map.get(MAX_ACLS_PER_TENANT_PROP);
        this.maxAclsPerTenant = str != null ? Integer.parseInt(str) : 1000;
        this.authorizationDisabled = this.maxAclsPerTenant == 0;
        configureAccessRuleProviders(hashMap);
        this.auditLogEnabled = new MultiTenantAuditLogConfig(map).getBoolean(MultiTenantAuditLogConfig.MULTI_TENANT_AUDIT_LOGGER_ENABLE_CONFIG).booleanValue();
        this.oauthSuperUserDisable = false;
        if (map.containsKey(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE)) {
            this.oauthSuperUserDisable = Boolean.parseBoolean((String) map.get(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE));
        }
        this.enableDataplaneRbacForPKC = false;
        if (map.containsKey(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC)) {
            this.enableDataplaneRbacForPKC = Boolean.parseBoolean((String) map.get(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC));
        }
        this.supportUserResourceId = false;
        if (map.containsKey(ConfluentConfigs.SUPPORT_USER_RESOURCE_ID_IN_ACL)) {
            this.supportUserResourceId = Boolean.parseBoolean((String) map.get(ConfluentConfigs.SUPPORT_USER_RESOURCE_ID_IN_ACL));
        }
        super.configure(hashMap);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.common.Reconfigurable
    public Set<String> reconfigurableConfigs() {
        Set<String> reconfigurableConfigs = super.reconfigurableConfigs();
        reconfigurableConfigs.add(ConfluentConfigs.SUPPORT_USER_RESOURCE_ID_IN_ACL);
        return reconfigurableConfigs;
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.common.Reconfigurable
    public void reconfigure(Map<String, ?> map) {
        if (map.containsKey(ConfluentConfigs.SUPPORT_USER_RESOURCE_ID_IN_ACL)) {
            this.supportUserResourceId = ((Boolean) map.get(ConfluentConfigs.SUPPORT_USER_RESOURCE_ID_IN_ACL)).booleanValue();
        }
        super.reconfigure(map);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        List<AuthorizationResult> authorize = super.authorize(authorizableRequestContext, list);
        if (this.mtAuthorizerMetrics != null) {
            this.mtAuthorizerMetrics.recordAuthorizationDeniedMetric(authorizableRequestContext, authorize, list);
        }
        return authorize;
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    protected boolean isSuperUser(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, io.confluent.security.authorizer.Action action) {
        if (super.isSuperUser(kafkaPrincipal, kafkaPrincipal2, action)) {
            return true;
        }
        if (kafkaPrincipal instanceof MultiTenantPrincipal) {
            return isSuperUser((MultiTenantPrincipal) kafkaPrincipal, action, this.authorizationDisabled, this.enableDataplaneRbacForPKC, this.oauthSuperUserDisable);
        }
        return false;
    }

    public static boolean isSuperUser(MultiTenantPrincipal multiTenantPrincipal, io.confluent.security.authorizer.Action action, boolean z, boolean z2, boolean z3) {
        return (z || multiTenantPrincipal.isSuperUser(z2, z3)) && action.resourceName().startsWith(multiTenantPrincipal.tenantMetadata().tenantPrefix());
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    protected io.confluent.security.authorizer.Action actionForAuthorizeByResourceType(RequestContext requestContext, Operation operation, ResourceType resourceType) {
        return requestContext.principal() instanceof MultiTenantPrincipal ? new io.confluent.security.authorizer.Action(((MultiTenantPrincipal) requestContext.principal()).tenantMetadata().scope(), new ResourcePattern(resourceType, "", PatternType.ANY), operation, 1, true, true) : super.actionForAuthorizeByResourceType(requestContext, operation, resourceType);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public io.confluent.security.authorizer.Action buildAction(Action action, org.apache.kafka.common.resource.ResourcePattern resourcePattern, KafkaPrincipal kafkaPrincipal, Scope scope) {
        Scope scope2 = scope;
        org.apache.kafka.common.resource.ResourcePattern resourcePattern2 = resourcePattern;
        if (kafkaPrincipal instanceof MultiTenantPrincipal) {
            TenantMetadata tenantMetadata = ((MultiTenantPrincipal) kafkaPrincipal).tenantMetadata();
            scope2 = tenantMetadata.scope();
            org.apache.kafka.common.resource.ResourcePattern resourcePattern3 = action.resourcePattern();
            if (resourcePattern3.resourceType() == org.apache.kafka.common.resource.ResourceType.CLUSTER) {
                resourcePattern2 = new org.apache.kafka.common.resource.ResourcePattern(org.apache.kafka.common.resource.ResourceType.CLUSTER, tenantMetadata.tenantPrefix() + resourcePattern3.name(), resourcePattern3.patternType());
            }
        }
        return super.buildAction(action, resourcePattern2, kafkaPrincipal, scope2);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        return createAclsInternal(authorizableRequestContext, list);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, Optional<String> optional) {
        return createAclsInternal(authorizableRequestContext, list);
    }

    private List<? extends CompletionStage<AclCreateResult>> createAclsInternal(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        checkAclsEnabled();
        if (list.isEmpty()) {
            return Collections.emptyList();
        }
        validateAclBindingsCreateAclsRequest(list, authorizableRequestContext);
        recordCreateAclMetric(list.get(0).entry().principal());
        return super.createAcls(authorizableRequestContext, list);
    }

    private void validateAclBindingsCreateAclsRequest(List<AclBinding> list, AuthorizableRequestContext authorizableRequestContext) {
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(list.get(0).entry().principal());
        boolean z = MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) || (authorizableRequestContext.principal() instanceof MultiTenantPrincipal);
        String tenantPrefix = z ? tenantPrefix(parseKafkaPrincipal.getName()) : null;
        if (list.stream().anyMatch(aclBinding -> {
            return !inScope(aclBinding.entry().principal(), tenantPrefix);
        })) {
            log.error("ACL requests contain invalid tenant principal {}", list);
            throw new InvalidRequestException("Internal error: Could not create ACLs because all principals are not in the same scope " + list);
        }
        if (z) {
            if (list.stream().anyMatch(aclBinding2 -> {
                return !aclBinding2.pattern().name().startsWith(tenantPrefix);
            })) {
                log.error("Unexpected ACL request for resources {} without tenant prefix {}", list, tenantPrefix);
                throw new InvalidRequestException("Internal error: Could not create ACLs because tenant prefixes are not the same " + list);
            }
            if (exceedsAclLimit(tenantPrefix, list, this.maxAclsPerTenant)) {
                throw new InvalidRequestException("ACLs not created since it will exceed the limit " + this.maxAclsPerTenant);
            }
        }
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional, AclState aclState) {
        if (list.isEmpty()) {
            return Collections.emptyList();
        }
        checkAclsEnabled();
        if (!this.supportUserResourceId) {
            return super.deleteAcls(authorizableRequestContext, list, optional, aclState);
        }
        recordDeleteAclMetric(list.get(0).entryFilter().principal());
        return deleteAclsWithResourceIdSupport(authorizableRequestContext, list, optional, aclState);
    }

    private List<? extends CompletionStage<AclDeleteResult>> deleteAclsWithResourceIdSupport(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional, AclState aclState) {
        return combineAclDeleteResults(list, super.deleteAcls(authorizableRequestContext, list, optional, aclState), super.deleteAcls(authorizableRequestContext, convertAclFilters(list), optional, aclState));
    }

    protected List<? extends CompletionStage<AclDeleteResult>> combineAclDeleteResults(List<AclBindingFilter> list, List<? extends CompletionStage<AclDeleteResult>> list2, List<? extends CompletionStage<AclDeleteResult>> list3) {
        ArrayList arrayList = new ArrayList();
        for (int i = 0; i < list2.size(); i++) {
            boolean convertToUserResource = convertToUserResource(list.get(i));
            arrayList.add(list2.get(i).thenCombine(list3.get(i), (aclDeleteResult, aclDeleteResult2) -> {
                return aclDeleteResult.exception().isPresent() ? aclDeleteResult : aclDeleteResult2.exception().isPresent() ? aclDeleteResult2 : new AclDeleteResult(convertAclBindingDeleteResults((Collection) Stream.concat(aclDeleteResult.aclBindingDeleteResults().stream(), aclDeleteResult2.aclBindingDeleteResults().stream()).collect(Collectors.toList()), convertToUserResource));
            }));
        }
        return arrayList;
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        return deleteAcls(authorizableRequestContext, list, Optional.empty(), AclState.ANY);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        return acls(aclBindingFilter, AclState.ACTIVE);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer, org.apache.kafka.server.authorizer.Authorizer
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter, AclState aclState) {
        checkAclsEnabled();
        if (!this.supportUserResourceId) {
            return super.acls(aclBindingFilter, aclState);
        }
        recordDescribeAclMetric(aclBindingFilter.entryFilter().principal());
        return describeAclsWithResourceIdSupport(aclBindingFilter, aclState);
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    protected void configureProviders(List<AccessRuleProvider> list, GroupProvider groupProvider, MetadataProvider metadataProvider, AuditLogProvider auditLogProvider) {
        if (!this.auditLogEnabled) {
            super.configureProviders(list, groupProvider, metadataProvider, null);
            return;
        }
        DefaultTenantSanitizer defaultTenantSanitizer = new DefaultTenantSanitizer();
        defaultTenantSanitizer.configure(this.configs);
        defaultTenantSanitizer.getClass();
        auditLogProvider.setSanitizer(defaultTenantSanitizer::tenantAuditEvent);
        super.configureProviders(list, groupProvider, metadataProvider, auditLogProvider);
    }

    private void initializeUserMetaDataStore() {
        if (this.userMetaDataStore == null) {
            this.userMetaDataStore = DefaultUserMetaDataStore.getInstance(AuthUtils.getBrokerSessionUuid(this.configs));
        }
    }

    protected void updateUserMetaDataStore(DefaultUserMetaDataStore defaultUserMetaDataStore) {
        this.userMetaDataStore = defaultUserMetaDataStore;
    }

    private boolean convertToUserResource(AclBindingFilter aclBindingFilter) {
        if (anyPrincipalWithOldFormat(aclBindingFilter.entryFilter())) {
            return false;
        }
        return SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getPrincipalType().equals(MultiTenantPrincipal.TENANT_WILDCARD_USERV2_TYPE) || !unPrefixedPrincipal(SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getName()).matches(MultiTenantPrincipal.REGEX_INTEGER_ID_PRINCIPAL);
    }

    private Collection<AclDeleteResult.AclBindingDeleteResult> convertAclBindingDeleteResults(Collection<AclDeleteResult.AclBindingDeleteResult> collection, boolean z) {
        if (collection.isEmpty()) {
            return collection;
        }
        ArrayList arrayList = new ArrayList();
        for (AclDeleteResult.AclBindingDeleteResult aclBindingDeleteResult : collection) {
            if (aclBindingDeleteResult.aclBinding() != null) {
                arrayList.add(new AclDeleteResult.AclBindingDeleteResult(convertAclBinding(aclBindingDeleteResult.aclBinding(), z), aclBindingDeleteResult.exception().orElse(null)));
            }
        }
        return arrayList;
    }

    private Iterable<AclBinding> describeAclsWithResourceIdSupport(AclBindingFilter aclBindingFilter, AclState aclState) {
        try {
            ArrayList arrayList = new ArrayList();
            boolean anyPrincipalWithOldFormat = anyPrincipalWithOldFormat(aclBindingFilter.entryFilter());
            boolean z = false;
            if (anyPrincipalWithOldFormat) {
                Iterable<AclBinding> acls = super.acls(aclBindingFilter, aclState);
                arrayList.getClass();
                acls.forEach((v1) -> {
                    r1.add(v1);
                });
            } else {
                z = SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getPrincipalType().equals(MultiTenantPrincipal.TENANT_WILDCARD_USERV2_TYPE);
                if (z) {
                    Iterable<AclBinding> acls2 = super.acls(new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter(null, aclBindingFilter.entryFilter().host(), aclBindingFilter.entryFilter().operation(), aclBindingFilter.entryFilter().permissionType(), aclBindingFilter.entryFilter().clusterLinkIds())), aclState);
                    arrayList.getClass();
                    acls2.forEach((v1) -> {
                        r1.add(v1);
                    });
                } else {
                    Iterable<AclBinding> acls3 = super.acls(aclBindingFilter, aclState);
                    arrayList.getClass();
                    acls3.forEach((v1) -> {
                        r1.add(v1);
                    });
                    convertAclFilter(aclBindingFilter).ifPresent(aclBindingFilter2 -> {
                        Iterable<AclBinding> acls4 = super.acls(aclBindingFilter2, aclState);
                        arrayList.getClass();
                        acls4.forEach((v1) -> {
                            r1.add(v1);
                        });
                    });
                }
            }
            if (anyPrincipalWithOldFormat) {
                return convertAclBindings(arrayList, false);
            }
            if (z) {
                return convertAclBindings(arrayList, true);
            }
            return convertAclBindings(arrayList, !unPrefixedPrincipal(SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getName()).matches(MultiTenantPrincipal.REGEX_INTEGER_ID_PRINCIPAL));
        } catch (Exception e) {
            log.error("Error while calling describeAclsWithResourceIdSupport for filter {}", aclBindingFilter, e);
            return super.acls(aclBindingFilter, aclState);
        }
    }

    private boolean anyPrincipalWithOldFormat(AccessControlEntryFilter accessControlEntryFilter) {
        return accessControlEntryFilter.principal() == null;
    }

    private Iterable<AclBinding> convertAclBindings(Iterable<AclBinding> iterable, boolean z) {
        try {
            initializeUserMetaDataStore();
            if (this.userMetaDataStore == null) {
                log.warn("UserMetaDataStore could not be loaded. Returning original bindings.");
                return iterable;
            }
            ArrayList arrayList = new ArrayList();
            Iterator<AclBinding> it = iterable.iterator();
            while (it.hasNext()) {
                arrayList.add(convertAclBinding(it.next(), z));
            }
            return arrayList;
        } catch (Exception e) {
            log.error("Ran into an exception while converting bindings.", (Throwable) e);
            return iterable;
        }
    }

    private AclBinding convertAclBinding(AclBinding aclBinding, boolean z) {
        initializeUserMetaDataStore();
        if (this.userMetaDataStore == null) {
            log.warn("UserMetaDataStore could not be loaded. Returning original binding.");
            return aclBinding;
        }
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(aclBinding.entry().principal());
        String unPrefixedPrincipal = unPrefixedPrincipal(parseKafkaPrincipal.getName());
        if (!unPrefixedPrincipal.isEmpty()) {
            if ((!unPrefixedPrincipal.matches(MultiTenantPrincipal.REGEX_INTEGER_ID_PRINCIPAL)) != z && !unPrefixedPrincipal.startsWith(MultiTenantPrincipal.POOL_ID_PREFIX)) {
                Optional<String> userIdToUserResourceId = z ? this.userMetaDataStore.userIdToUserResourceId(unPrefixedPrincipal) : this.userMetaDataStore.userResourceIdToUserId(unPrefixedPrincipal);
                if (userIdToUserResourceId.isPresent()) {
                    String kafkaPrincipal = new KafkaPrincipal(MultiTenantPrincipal.TENANT_USER_TYPE, tenantPrefix(parseKafkaPrincipal.getName()) + userIdToUserResourceId.get()).toString();
                    AccessControlEntry entry = aclBinding.entry();
                    return new AclBinding(aclBinding.pattern(), new AccessControlEntry(kafkaPrincipal, entry.host(), entry.operation(), entry.permissionType(), entry.clusterLinkIds()));
                }
                if (this.mtAuthorizerMetrics != null) {
                    this.mtAuthorizerMetrics.recordMissingMappingMetric();
                }
                log.warn("UserId <-> UserResourceID mapping for User : {} is missing while converting aclBinding", unPrefixedPrincipal);
                return aclBinding;
            }
        }
        log.debug("Returning original binding for principalName {}", unPrefixedPrincipal);
        return aclBinding;
    }

    private List<AclBindingFilter> convertAclFilters(List<AclBindingFilter> list) {
        try {
            initializeUserMetaDataStore();
            if (this.userMetaDataStore == null) {
                log.warn("UserMetaDataStore could not be loaded. Returning original filters.");
                return list;
            }
            ArrayList arrayList = new ArrayList();
            for (AclBindingFilter aclBindingFilter : list) {
                Optional<AclBindingFilter> convertAclFilter = convertAclFilter(aclBindingFilter);
                arrayList.add(convertAclFilter.isPresent() ? convertAclFilter.get() : aclBindingFilter);
            }
            return arrayList;
        } catch (Exception e) {
            log.error("Ran into an exception while converting filters.", (Throwable) e);
            return list;
        }
    }

    private Optional<AclBindingFilter> convertAclFilter(AclBindingFilter aclBindingFilter) {
        initializeUserMetaDataStore();
        if (this.userMetaDataStore == null) {
            log.warn("UserMetaDataStore could not be loaded. Returning no filter.");
            return Optional.empty();
        }
        if (anyPrincipalWithOldFormat(aclBindingFilter.entryFilter())) {
            return Optional.of(aclBindingFilter);
        }
        if (SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getPrincipalType().equals(MultiTenantPrincipal.TENANT_WILDCARD_USERV2_TYPE)) {
            return Optional.of(new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter(null, aclBindingFilter.entryFilter().host(), aclBindingFilter.entryFilter().operation(), aclBindingFilter.entryFilter().permissionType(), aclBindingFilter.entryFilter().clusterLinkIds())));
        }
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal());
        String unPrefixedPrincipal = unPrefixedPrincipal(parseKafkaPrincipal.getName());
        Optional<String> userIdToUserResourceId = unPrefixedPrincipal.matches(MultiTenantPrincipal.REGEX_INTEGER_ID_PRINCIPAL) ? this.userMetaDataStore.userIdToUserResourceId(unPrefixedPrincipal) : this.userMetaDataStore.userResourceIdToUserId(unPrefixedPrincipal);
        if (userIdToUserResourceId.isPresent()) {
            String kafkaPrincipal = new KafkaPrincipal(MultiTenantPrincipal.TENANT_USER_TYPE, tenantPrefix(parseKafkaPrincipal.getName()) + userIdToUserResourceId.get()).toString();
            AccessControlEntryFilter entryFilter = aclBindingFilter.entryFilter();
            return Optional.of(new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter(kafkaPrincipal, entryFilter.host(), entryFilter.operation(), entryFilter.permissionType(), entryFilter.clusterLinkIds())));
        }
        if (this.mtAuthorizerMetrics != null) {
            this.mtAuthorizerMetrics.recordMissingMappingMetric();
        }
        log.warn("UserId <-> UserResourceID mapping for User : {} is missing while converting the filter", unPrefixedPrincipal);
        return Optional.empty();
    }

    private String unPrefixedPrincipal(String str) {
        int indexOf = str.indexOf("_");
        return indexOf == -1 ? str : str.substring(indexOf + 1);
    }

    private String tenantPrefix(String str) {
        int indexOf = str.indexOf("_");
        if (indexOf == -1) {
            throw new InvalidRequestException("Invalid tenant principal in ACL: " + str);
        }
        return str.substring(0, indexOf + 1);
    }

    private boolean inScope(String str, String str2) {
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        return (str2 == null || str2.isEmpty()) ? !MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) : MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) && parseKafkaPrincipal.getName().startsWith(str2);
    }

    boolean exceedsAclLimit(String str, List<AclBinding> list, int i) {
        if (i == Integer.MAX_VALUE) {
            return false;
        }
        Iterable<AclBinding> acls = acls(AclBindingFilter.ANY);
        if (!StreamSupport.stream(acls.spliterator(), false).filter(aclBinding -> {
            return inScope(aclBinding.entry().principal(), str);
        }).skip(Math.max(0, i - list.size())).findAny().isPresent()) {
            return false;
        }
        HashSet hashSet = new HashSet();
        StreamSupport.stream(acls.spliterator(), false).filter(aclBinding2 -> {
            return inScope(aclBinding2.entry().principal(), str);
        }).forEach(aclBinding3 -> {
            hashSet.add(aclWithoutClusterLinkIds(aclBinding3));
        });
        int size = hashSet.size();
        list.forEach(aclBinding4 -> {
            hashSet.add(aclWithoutClusterLinkIds(aclBinding4));
        });
        int size2 = hashSet.size();
        return size2 > i && size2 > size;
    }

    private AclBinding aclWithoutClusterLinkIds(AclBinding aclBinding) {
        AccessControlEntry entry = aclBinding.entry();
        return entry.clusterLinkIds().isEmpty() ? aclBinding : new AclBinding(aclBinding.pattern(), new AccessControlEntry(entry.principal(), entry.host(), entry.operation(), entry.permissionType()));
    }

    private void checkAclsEnabled() {
        if (this.authorizationDisabled) {
            throw new InvalidRequestException("ACLs are not enabled on this broker");
        }
    }

    public boolean isAuditLogEnabled() {
        return this.auditLogEnabled;
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    protected Metrics metrics() {
        return this.mtAuthorizerMetrics.metrics();
    }

    protected void tenantAuthorizerMetrics() {
        this.mtAuthorizerMetrics = new TenantAuthorizerMetrics(new Metrics());
    }

    private String principalIdType(String str) {
        if (str == null) {
            return TenantAuthorizerMetrics.INTEGER_ID;
        }
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        return (parseKafkaPrincipal.getPrincipalType().equals(MultiTenantPrincipal.TENANT_WILDCARD_USERV2_TYPE) || !unPrefixedPrincipal(parseKafkaPrincipal.getName()).matches(MultiTenantPrincipal.REGEX_INTEGER_ID_PRINCIPAL)) ? TenantAuthorizerMetrics.RESOURCE_ID : TenantAuthorizerMetrics.INTEGER_ID;
    }

    protected void recordCreateAclMetric(String str) {
        ((Sensor) this.mtAuthorizerMetrics.createAclSensor.get(principalIdType(str))).record();
    }

    protected void recordDescribeAclMetric(String str) {
        ((Sensor) this.mtAuthorizerMetrics.describeAclSensor.get(principalIdType(str))).record();
    }

    protected void recordDeleteAclMetric(String str) {
        ((Sensor) this.mtAuthorizerMetrics.deleteAclSensor.get(principalIdType(str))).record();
    }
}
