package io.confluent.kafka.schemaregistry.security.authorizer.rbac;

import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension;
import io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.kafka.schemaregistry.utils.QualifiedSubject;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/authorizer/rbac/RbacAuthorizer.class */
public class RbacAuthorizer extends AbstractSchemaRegistryAuthorizer {
    private static final Logger log = LoggerFactory.getLogger(RbacAuthorizer.class);
    private RestAuthorizer restAuthorizer;
    private SchemaRegistryActions schemaRegistryActions;

    public RbacAuthorizer() {
    }

    RbacAuthorizer(SchemaRegistry schemaRegistry, RestAuthorizer restAuthorizer, SchemaRegistryActions schemaRegistryActions) throws AuthorizerException {
        super.configure(null, schemaRegistry);
        this.restAuthorizer = restAuthorizer;
        this.schemaRegistryActions = schemaRegistryActions;
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer, io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer
    public void configure(SchemaRegistryConfig schemaRegistryConfig, SchemaRegistry schemaRegistry) throws AuthorizerException {
        super.configure(schemaRegistryConfig, schemaRegistry);
        this.restAuthorizer = new RestAuthorizer();
        this.restAuthorizer.configure(schemaRegistryConfig.originals());
        Scope determineScope = SchemaRegistrySecurityResourceExtension.determineScope(schemaRegistry);
        this.schemaRegistryActions = new SchemaRegistryActions(determineScope);
        log.info("Initialized RBAC authorizer on cluster with scope of '{}'", determineScope);
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeGlobalOperation(String str, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        if (SchemaRegistryResourceOperation.GLOBAL_READ.equals(schemaRegistryResourceOperation)) {
            return true;
        }
        return authorizeRequest(str, this.schemaRegistryActions.globalAction(schemaRegistryResourceOperation));
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeSubjectOperation(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.schemaRegistryActions.subjectAction(schemaRegistryResourceOperation, str2));
        String context = QualifiedSubject.create(schemaRegistry().tenant(), str2).getContext();
        if (!".".equals(context)) {
            arrayList.add(this.schemaRegistryActions.subjectAction(schemaRegistryResourceOperation, QualifiedSubject.normalizeContext(context)));
        }
        return authorizeActions(str, arrayList).stream().anyMatch(bool -> {
            return bool.booleanValue();
        });
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeKekOperation(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.schemaRegistryActions.kekAction(schemaRegistryResourceOperation, str2));
        return authorizeActions(str, arrayList).stream().anyMatch(bool -> {
            return bool.booleanValue();
        });
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer
    public List<Boolean> bulkAuthorize(Principal principal, List<AuthorizeRequest> list) {
        if (list.isEmpty()) {
            return Collections.singletonList(false);
        }
        Stream<AuthorizeRequest> stream = list.stream();
        SchemaRegistryActions schemaRegistryActions = this.schemaRegistryActions;
        schemaRegistryActions.getClass();
        return authorizeActions(principal.getName(), (List) stream.map(schemaRegistryActions::action).collect(Collectors.toList()));
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer, io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer
    public void shutdown() {
        if (this.restAuthorizer != null) {
            try {
                this.restAuthorizer.close();
            } catch (IOException e) {
                log.error("Error while closing REST authorizer", e);
            } finally {
                this.restAuthorizer = null;
            }
        }
    }

    protected boolean authorizeRequest(String str, Action action) {
        return authorizeActions(str, Collections.singletonList(action)).stream().allMatch(bool -> {
            return bool.booleanValue();
        });
    }

    protected List<Boolean> authorizeActions(String str, List<Action> list) {
        log.info("Authorizing actions {} with principal {}", list, str);
        Stream stream = this.restAuthorizer.authorize(kafkaPrincipalFor(str), (String) null, list).stream();
        AuthorizeResult authorizeResult = AuthorizeResult.ALLOWED;
        authorizeResult.getClass();
        return (List) stream.map((v1) -> {
            return r1.equals(v1);
        }).collect(Collectors.toList());
    }

    public static KafkaPrincipal kafkaPrincipalFor(String str) {
        return new KafkaPrincipal("User", str);
    }
}
