package io.confluent.kafka.schemaregistry.security.authorizer.schemaregistryacl;

import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.kafka.schemaregistry.storage.exceptions.StoreException;
import io.confluent.kafka.schemaregistry.storage.exceptions.StoreInitializationException;
import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import io.confluent.rest.Application;
import java.net.URI;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.NotImplementedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/authorizer/schemaregistryacl/SchemaRegistryAclAuthorizer.class */
public class SchemaRegistryAclAuthorizer extends AbstractSchemaRegistryAuthorizer {
    private SchemaRegistryAclReaderThread aclReaderThread;
    private NoopKey noopKey;
    private int initTimeout;
    private String topic;
    private AclMessageSerializer aclMessageSerializer;
    private Map<String, Map<String, Set<SchemaRegistryResourceOperation>>> subjectAllowedOperations;
    private Map<String, Set<SchemaRegistryResourceOperation>> globalAllowedOperations;
    private static final String ANY_USER = "*";
    private static final String ANY_SUBJECT = "*";
    private String bootStrapBrokers;
    private SchemaRegistryAclAuthorizerUtils aclAuthorizerUtils;
    private static final Logger log = LoggerFactory.getLogger(SchemaRegistryAclAuthorizer.class);
    private static final Map<String, Set<SchemaRegistryResourceOperation>> EMPTY_MAP = new HashMap();
    private static final Set<SchemaRegistryResourceOperation> EMPTY_SET = EnumSet.noneOf(SchemaRegistryResourceOperation.class);

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer, io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer
    public void configure(SchemaRegistryConfig schemaRegistryConfig, SchemaRegistry schemaRegistry) throws AuthorizerException {
        super.configure(schemaRegistryConfig, schemaRegistry);
        this.initTimeout = schemaRegistryConfig.getInt("kafkastore.init.timeout.ms").intValue();
        this.topic = ((SecureSchemaRegistryConfig) schemaRegistryConfig).aclTopic();
        this.noopKey = new NoopKey();
        this.aclMessageSerializer = new AclMessageSerializer();
        this.bootStrapBrokers = schemaRegistryConfig.bootstrapBrokers();
        this.aclAuthorizerUtils = new SchemaRegistryAclAuthorizerUtils(schemaRegistryConfig, this.topic, this.initTimeout, this.bootStrapBrokers, this.aclMessageSerializer, this.noopKey);
        try {
            this.aclAuthorizerUtils.createOrVerifySchemaTopic();
            this.subjectAllowedOperations = new ConcurrentHashMap();
            this.globalAllowedOperations = new ConcurrentHashMap();
            this.aclReaderThread = new SchemaRegistryAclReaderThread(schemaRegistryConfig, this.bootStrapBrokers, this.topic, this.noopKey, this.aclMessageSerializer, String.format("schema-registry-acl-%s-%d", schemaRegistryConfig.getString("host.name"), Integer.valueOf(getPortForIdentity(schemaRegistryConfig.getInt("port").intValue(), schemaRegistryConfig.getList("listeners")))), this.subjectAllowedOperations, this.globalAllowedOperations);
            this.aclReaderThread.start();
            try {
                waitUntilKafkaReaderReachesLastOffset(this.initTimeout);
                log.info("Initialized Acl Authorizer");
            } catch (StoreException e) {
                throw new AuthorizerException("Couldn't find last offset", e);
            }
        } catch (StoreInitializationException e2) {
            throw new AuthorizerException("Couldn't create or verify the ACL topic", e2);
        }
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeGlobalOperation(String str, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        return globalOperationFound(str, schemaRegistryResourceOperation) || globalOperationFound("*", schemaRegistryResourceOperation);
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeSubjectOperation(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        boolean z = subjectOperationFound(str, str2, schemaRegistryResourceOperation) || subjectOperationFound(str, "*", schemaRegistryResourceOperation) || subjectOperationFound("*", str2, schemaRegistryResourceOperation) || subjectOperationFound("*", "*", schemaRegistryResourceOperation) || subjectPatternOperationFound(str, str2, schemaRegistryResourceOperation);
        String context = QualifiedSubject.create(schemaRegistry().tenant(), str2).getContext();
        if (".".equals(context)) {
            return z;
        }
        String normalizeContext = QualifiedSubject.normalizeContext(context);
        return z || subjectOperationFound(str, normalizeContext, schemaRegistryResourceOperation) || subjectOperationFound("*", normalizeContext, schemaRegistryResourceOperation);
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeKekOperation(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        throw new NotImplementedException();
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer, io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer
    public void shutdown() {
        this.aclReaderThread.shutdown();
        this.aclAuthorizerUtils.shutdown();
    }

    private boolean subjectOperationFound(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
        boolean contains = ((Set) getOrDefault((Map) getOrDefault(this.subjectAllowedOperations, str, EMPTY_MAP), str2, EMPTY_SET)).contains(schemaRegistryResourceOperation);
        Logger logger = log;
        Object[] objArr = new Object[4];
        objArr[0] = schemaRegistryResourceOperation.toString();
        objArr[1] = contains ? "SUCCESSFUL" : "FAILED";
        objArr[2] = str != null ? str : "N/A";
        objArr[3] = str2 != null ? str2 : "N/A";
        logger.debug("Subject operation {} search {} for user {} and subject {}", objArr);
        return contains;
    }

    private boolean subjectPatternOperationFound(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
        boolean z = false;
        Iterator it = ((Map) getOrDefault(this.subjectAllowedOperations, str, EMPTY_MAP)).entrySet().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Map.Entry entry = (Map.Entry) it.next();
            String str3 = (String) entry.getKey();
            if (str3.contains("*") && str2.matches(str3.replaceAll(".", "[$0]").replace("[*]", ".*")) && ((Set) entry.getValue()).contains(schemaRegistryResourceOperation)) {
                z = true;
                break;
            }
        }
        Logger logger = log;
        Object[] objArr = new Object[4];
        objArr[0] = schemaRegistryResourceOperation.toString();
        objArr[1] = z ? "SUCCESSFUL" : "FAILED";
        objArr[2] = str != null ? str : "N/A";
        objArr[3] = str2 != null ? str2 : "N/A";
        logger.debug("Subject Pattern operation {} search {} for user {} and subject {}", objArr);
        return z;
    }

    private boolean globalOperationFound(String str, SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
        boolean contains = ((Set) getOrDefault(this.globalAllowedOperations, str, EMPTY_SET)).contains(schemaRegistryResourceOperation);
        Logger logger = log;
        Object[] objArr = new Object[3];
        objArr[0] = schemaRegistryResourceOperation.toString();
        objArr[1] = contains ? "SUCCESSFUL" : "FAILED";
        objArr[2] = str != null ? str : "N/A";
        logger.debug("Global operation {} search {} for user {}", objArr);
        return contains;
    }

    private void waitUntilKafkaReaderReachesLastOffset(int i) throws StoreException {
        long latestOffset = this.aclAuthorizerUtils.getLatestOffset(i);
        log.info("Reading ACL information from Kafka (final offset: " + latestOffset + ")");
        this.aclReaderThread.waitUntilOffset(latestOffset, i, TimeUnit.MILLISECONDS);
        log.info("Finished reading ACL information");
    }

    private <T> T getOrDefault(Map<String, T> map, String str, T t) {
        return map.containsKey(str) ? map.get(str) : t;
    }

    private int getPortForIdentity(int i, List<String> list) {
        return ((URI) Application.parseListeners(list, i, Arrays.asList("http", "https"), "http").get(0)).getPort();
    }
}
