package io.confluent.security.rbac;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.utils.JsonMapper;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:io/confluent/security/rbac/RbacRoles.class */
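/**
 * RBAC role definitions keyed by role name, together with the ordered list of binding scopes
 * that the roles' access policies may refer to.
 *
 * <p>Instances are normally created by Jackson from a JSON policy resource (see
 * {@link #load(ClassLoader, String)}). Every role is validated as it is added, and a definition
 * that fails validation is rejected with {@link InvalidRoleDefinitionException} rather than
 * being partially applied.
 */
public class RbacRoles {
    private static final String DEFAULT_POLICY_FILE = "default_rbac_roles.json";
    private static final String CLOUD_POLICY_FILE = "cloud_rbac_roles.json";
    private final List<String> bindingScopes;
    private final Map<String, Role> roles;

    /**
     * Builds the role set from deserialized policy data.
     *
     * @param list the role definitions; each one is validated by {@link #addRole(Role)}
     * @param list2 the binding scopes, 'cluster' first and 'root' (if present) last
     * @throws InvalidRoleDefinitionException if either argument is missing or any scope or role
     *     fails validation
     */
    @JsonCreator
    public RbacRoles(@JsonProperty("roles") List<Role> list, @JsonProperty("bindingScopes") List<String> list2) {
        // Copy before validating so the list that was checked is the list that is kept; a caller
        // holding the original reference cannot alter the scopes afterwards.
        List<String> scopes = list2 == null ? null : new ArrayList<>(list2);
        validateBindingScopes(scopes);
        this.bindingScopes = Collections.unmodifiableList(scopes);
        if (list == null) {
            // A policy document without a "roles" property would otherwise fail with a bare NPE.
            throw new InvalidRoleDefinitionException("roles must be specified");
        }
        this.roles = new HashMap<>();
        list.forEach(this::addRole);
    }

    /**
     * Checks the binding scope list: non-empty, 'cluster' first, 'root' only in last position,
     * every entry matching {@code Scope.SCOPE_TYPE_PATTERN}, and no repeated entries.
     *
     * @throws InvalidRoleDefinitionException if any of these rules is violated
     */
    private void validateBindingScopes(List<String> list) {
        if (list == null || list.isEmpty()) {
            // Without this guard list.get(0) fails with an exception unrelated to role validation.
            throw new InvalidRoleDefinitionException("bindingScopes must be specified");
        }
        if (!Scope.CLUSTER_BINDING_SCOPE.equals(list.get(0))) {
            throw new InvalidRoleDefinitionException("first binding scope must be 'cluster'");
        }
        if (list.contains(Scope.ROOT_BINDING_SCOPE) && list.indexOf(Scope.ROOT_BINDING_SCOPE) != list.size() - 1) {
            throw new InvalidRoleDefinitionException("binding scope 'root' must be last");
        }
        Set<String> seen = new HashSet<>();
        for (String str : list) {
            // A null entry is reported as an invalid scope name instead of an NPE from matcher().
            if (str == null || !Scope.SCOPE_TYPE_PATTERN.matcher(str).matches()) {
                throw new InvalidRoleDefinitionException("bindingScopes may only contain letters and '-': '" + str + "'");
            }
            if (!seen.add(str)) {
                throw new InvalidRoleDefinitionException("bindingScopes may not be repeated: '" + str + "'");
            }
        }
    }

    /**
     * Looks up a role by name, restricted to a namespace.
     *
     * @param str the role name
     * @param str2 the namespace passed to {@code Role.isInNamespace}
     * @return the role, or {@code null} if no role has that name or it is not in the namespace;
     *     callers must treat {@code null} as "no such role" and grant nothing
     */
    public Role role(String str, String str2) {
        Role role = this.roles.get(str);
        if (role == null || !role.isInNamespace(str2)) {
            return null;
        }
        return role;
    }

    /**
     * Looks up a role by name without any namespace restriction.
     *
     * @param str the role name
     * @return the role, or {@code null} if no role has that name
     */
    public Role role(String str) {
        return this.roles.get(str);
    }

    /**
     * Returns the roles for which {@code Role.isInNamespace(str)} is true.
     *
     * @param str the namespace to filter by
     * @return a new collection; changes to it do not affect this object
     */
    public Collection<Role> roles(String str) {
        return this.roles.values().stream()
            .filter(role -> role.isInNamespace(str))
            .collect(Collectors.toList());
    }

    /**
     * Returns all roles.
     *
     * @return a new collection; changes to it do not affect this object
     */
    public Collection<Role> roles() {
        return new ArrayList<>(this.roles.values());
    }

    /** Two instances are equal when their role maps are equal; binding scopes are not compared. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj instanceof RbacRoles) {
            return Objects.equals(this.roles, ((RbacRoles) obj).roles);
        }
        return false;
    }

    @Override
    public int hashCode() {
        return Objects.hash(this.roles);
    }

    /**
     * Validates a role and registers it under its name.
     *
     * <p>Every access policy must use a known binding scope, every allowed-operations entry must
     * name a resource type, and every operation name must be non-empty.
     *
     * @param role the role to add
     * @throws InvalidRoleDefinitionException if the role violates any of these rules
     */
    void addRole(Role role) {
        for (Collection<AccessPolicy> policies : role.accessPolicies().values()) {
            for (AccessPolicy accessPolicy : policies) {
                if (!this.bindingScopes.contains(accessPolicy.bindingScope())) {
                    throw new InvalidRoleDefinitionException("Unknown binding scope '" + accessPolicy.bindingScope() + "' defined for " + role);
                }
                accessPolicy.allowedOperations().forEach(resourceOperations -> {
                    if (resourceOperations.resourceType() == null || resourceOperations.resourceType().isEmpty()) {
                        throw new InvalidRoleDefinitionException("Resource type not specified in role definition ops for " + role);
                    }
                    resourceOperations.operations().forEach(str -> {
                        // A null operation name is rejected like an empty one instead of raising an NPE.
                        if (str == null || str.isEmpty()) {
                            throw new InvalidRoleDefinitionException("Operation name not specified in role definition ops for " + role);
                        }
                    });
                });
            }
        }
        role.setMostSpecificBindingScope(mostSpecificBindingScope(role));
        // NOTE(review): a second role with the same name silently replaces the first. If policy
        // files are not expected to redefine roles, rejecting duplicates here would stop a later
        // definition from shadowing an earlier one unnoticed. Confirm intent before changing.
        this.roles.put(role.name(), role);
    }

    /**
     * Loads one of the two bundled policy files from this class's class loader.
     *
     * @param z {@code true} selects {@code cloud_rbac_roles.json}, {@code false} selects
     *     {@code default_rbac_roles.json}
     * @throws InvalidRoleDefinitionException if the policy cannot be read or is invalid
     */
    public static RbacRoles loadDefaultPolicy(boolean z) throws InvalidRoleDefinitionException {
        return load(RbacRoles.class.getClassLoader(), z ? CLOUD_POLICY_FILE : DEFAULT_POLICY_FILE);
    }

    /**
     * Loads role definitions from a JSON resource on the given class loader.
     *
     * <p>The resource decides which permissions each role grants, so both arguments should come
     * from trusted configuration.
     *
     * @param classLoader the class loader used to locate the resource
     * @param str the resource name
     * @return the parsed and validated role definitions
     * @throws InvalidRoleDefinitionException if the resource is missing, unreadable or invalid
     */
    public static RbacRoles load(ClassLoader classLoader, String str) throws InvalidRoleDefinitionException {
        InputStream stream = classLoader.getResourceAsStream(str);
        if (stream == null) {
            // getResourceAsStream returns null for a missing resource; report that explicitly
            // instead of letting InputStreamReader throw a NullPointerException.
            throw new InvalidRoleDefinitionException("RBAC policies could not be loaded from " + str + ": resource not found");
        }
        // Decode as UTF-8 explicitly so parsing does not depend on the platform default charset.
        try (BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8))) {
            return (RbacRoles) JsonMapper.objectMapper().readValue(bufferedReader, RbacRoles.class);
        } catch (IOException e) {
            throw new InvalidRoleDefinitionException("RBAC policies could not be loaded from " + str, e);
        }
    }

    /**
     * Returns the first entry of this object's binding scope list that the role also uses.
     *
     * @return that scope, or {@code null} if the role uses none of the configured scopes
     */
    private String mostSpecificBindingScope(Role role) {
        Set<String> roleScopes = role.bindingScopes();
        for (String str : this.bindingScopes) {
            if (roleScopes.contains(str)) {
                return str;
            }
        }
        return null;
    }
}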
