package org.apache.kafka.common.requests;

import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.message.FetchRequestData;
import org.apache.kafka.common.message.ProduceRequestData;
import org.apache.kafka.common.network.ProduceConsumeAuditLogTracker;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.utils.LogAction;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/requests/DetailedRequestAuditLogFilter.class */
public class DetailedRequestAuditLogFilter implements RequestLogFilter {
    public static final String ENABLE_DETAILED_AUDIT_LOGGING = "confluent.security.event.logger.enable.detailed.audit.logs";
    public static final String ENABLE_PRODUCE_CONSUME_AUDIT_LOGGING = "confluent.security.event.logger.enable.produce.consume.audit.logs";
    public static final String DISABLED_APIS_FOR_AUDIT_LOGS = "confluent.security.event.logger.detailed.audit.logs.disabled.apis";
    private volatile boolean enableDetailedAuditLogs = true;
    private volatile boolean enableProduceConsumeAuditLogs = true;
    private volatile Set<ApiKeys> disabledAPIs = new HashSet();
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) DetailedRequestAuditLogFilter.class);
    public static final EnumSet<ApiKeys> SUPPORTED_APIS_MGMT_OPERATIONS = EnumSet.of(ApiKeys.CREATE_TOPICS, ApiKeys.DELETE_TOPICS, ApiKeys.CREATE_PARTITIONS, ApiKeys.CREATE_ACLS, ApiKeys.DELETE_ACLS, ApiKeys.CREATE_CLUSTER_LINKS, ApiKeys.DELETE_CLUSTER_LINKS, ApiKeys.DELETE_GROUPS, ApiKeys.ALTER_CONFIGS, ApiKeys.INCREMENTAL_ALTER_CONFIGS, ApiKeys.ALTER_MIRRORS);
    public static final EnumSet<ApiKeys> SUPPORTED_APIS_PRODUCE_CONSUME = EnumSet.of(ApiKeys.PRODUCE, ApiKeys.FETCH);
    private static final Set<String> RECONFIGURABLE_CONFIGS = new HashSet();

    /* loaded from: input_file:org/apache/kafka/common/requests/DetailedRequestAuditLogFilter$Config.class */
    public static class Config extends AbstractConfig {
        public static final String ENABLE_DETAILED_AUDIT_LOGGING_CONFIG = "confluent.security.event.logger.enable.detailed.audit.logs";
        public static final String ENABLE_PRODUCE_CONSUME_AUDIT_LOGGING_CONFIG = "confluent.security.event.logger.enable.produce.consume.audit.logs";
        public static final String DISABLED_APIS_FOR_AUDIT_LOGS_CONFIG = "confluent.security.event.logger.detailed.audit.logs.disabled.apis";
        public static final String ENABLE_DETAILED_AUDIT_LOGGING_DOC = "config to enable detailed audit logs.This is disabled by default. Note that logging for a specific API can be disabled by `confluent.security.event.logger.detailed.audit.logs.disabled.apis` config.";
        public static final String ENABLE_PRODUCE_CONSUME_AUDIT_LOGGING_DOC = "config to enable produce/consume audit logs.This is disabled by default. Note that logging for a specific API can be disabled by `confluent.security.event.logger.detailed.audit.logs.disabled.apis` config.";
        public static final String DISABLED_APIS_FOR_AUDIT_LOGS_DOC = "config to disable selected APIs. For example, using `CreateTopics,DeleteTopics` will disable audit events for `CreateTopics` and DeleteTopics` APIs.";
        private static final ConfigDef CONFIG = new ConfigDef().define("confluent.security.event.logger.enable.detailed.audit.logs", ConfigDef.Type.BOOLEAN, false, ConfigDef.Importance.LOW, ENABLE_DETAILED_AUDIT_LOGGING_DOC).define("confluent.security.event.logger.enable.produce.consume.audit.logs", ConfigDef.Type.BOOLEAN, false, ConfigDef.Importance.LOW, ENABLE_PRODUCE_CONSUME_AUDIT_LOGGING_DOC).define("confluent.security.event.logger.detailed.audit.logs.disabled.apis", ConfigDef.Type.STRING, "", DisabledAPIsConfigValidator.INSTANCE, ConfigDef.Importance.LOW, DISABLED_APIS_FOR_AUDIT_LOGS_DOC);

        /* loaded from: input_file:org/apache/kafka/common/requests/DetailedRequestAuditLogFilter$Config$DisabledAPIsConfigValidator.class */
        private static class DisabledAPIsConfigValidator implements ConfigDef.Validator {
            private static final DisabledAPIsConfigValidator INSTANCE = new DisabledAPIsConfigValidator();

            private DisabledAPIsConfigValidator() {
            }

            @Override // org.apache.kafka.common.config.ConfigDef.Validator
            public void ensureValid(String str, Object obj) {
                if (!(obj instanceof String)) {
                    throw new ConfigException("Invalid value `" + obj + "` found for " + str + " (should be a string)");
                }
                Config.parseDisabledAPIsConfig((String) obj);
            }
        }

        public Config(Map<?, ?> map) {
            super(CONFIG, map, true);
        }

        public boolean enableDetailedAuditLogging() {
            return getBoolean("confluent.security.event.logger.enable.detailed.audit.logs").booleanValue();
        }

        public boolean enableProduceConsumeAuditLogging() {
            return getBoolean("confluent.security.event.logger.enable.produce.consume.audit.logs").booleanValue();
        }

        public Set<ApiKeys> disabledAPIs() {
            return parseDisabledAPIsConfig(getString("confluent.security.event.logger.detailed.audit.logs.disabled.apis"));
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static Set<ApiKeys> parseDisabledAPIsConfig(String str) {
            HashSet hashSet = new HashSet();
            if (str == null || str.isEmpty()) {
                return hashSet;
            }
            for (String str2 : str.split(",")) {
                ApiKeys findByName = ApiKeys.findByName(str2);
                if (findByName == null) {
                    throw new ConfigException("Invalid value `" + str2 + "` found in confluent.security.event.logger.detailed.audit.logs.disabled.apis=`" + str + "`");
                }
                hashSet.add(findByName);
            }
            return hashSet;
        }
    }

    @Override // org.apache.kafka.common.requests.RequestLogFilter
    public LogAction processRequest(RequestContext requestContext, AbstractRequest abstractRequest, long j) {
        try {
        } catch (Exception e) {
            LOG.error("Error occurred while deciding log action", (Throwable) e);
        }
        if (this.enableDetailedAuditLogs && SUPPORTED_APIS_MGMT_OPERATIONS.contains(requestContext.apiKey()) && !this.disabledAPIs.contains(requestContext.apiKey())) {
            return LogAction.LOGGED;
        }
        if (this.enableProduceConsumeAuditLogs && SUPPORTED_APIS_PRODUCE_CONSUME.contains(requestContext.apiKey()) && !this.disabledAPIs.contains(requestContext.apiKey()) && !requestContext.fromPrivilegedListener) {
            if (requestContext.apiKey().equals(ApiKeys.PRODUCE)) {
                return processProduceRequest(requestContext, abstractRequest);
            }
            if (requestContext.apiKey().equals(ApiKeys.FETCH)) {
                return processFetchRequest(requestContext, abstractRequest);
            }
        }
        return LogAction.NOT_LOGGED;
    }

    private LogAction processProduceRequest(RequestContext requestContext, AbstractRequest abstractRequest) {
        Iterator<E> it = ((ProduceRequest) abstractRequest).data().topicData().iterator();
        while (it.hasNext()) {
            ProduceConsumeAuditLogTracker.TopicDetails topicDetails = new ProduceConsumeAuditLogTracker.TopicDetails(Uuid.ZERO_UUID, ((ProduceRequestData.TopicProduceData) it.next()).name());
            if (!requestContext.produceConsumeAuditLogTracker.hasProduceTopicWithSuccess(topicDetails).booleanValue()) {
                LOG.debug("processProduceRequest topicDetails : {}, produceConsumeAuditLogTracker: {}", topicDetails, requestContext.produceConsumeAuditLogTracker);
                return LogAction.LOGGED;
            }
        }
        return LogAction.NOT_LOGGED;
    }

    private LogAction processFetchRequest(RequestContext requestContext, AbstractRequest abstractRequest) {
        for (FetchRequestData.FetchTopic fetchTopic : ((FetchRequest) abstractRequest).data().topics()) {
            ProduceConsumeAuditLogTracker.TopicDetails topicDetails = new ProduceConsumeAuditLogTracker.TopicDetails(fetchTopic.topicId(), fetchTopic.topic());
            if (!requestContext.produceConsumeAuditLogTracker.hasConsumeTopicWithSuccess(topicDetails).booleanValue()) {
                LOG.debug("processFetchRequest topicDetails : {}, produceConsumeAuditLogTracker: {}", topicDetails, requestContext.produceConsumeAuditLogTracker);
                return LogAction.LOGGED;
            }
        }
        return LogAction.NOT_LOGGED;
    }

    @Override // org.apache.kafka.common.requests.RequestLogFilter, org.apache.kafka.common.Reconfigurable
    public Set<String> reconfigurableConfigs() {
        return RECONFIGURABLE_CONFIGS;
    }

    @Override // org.apache.kafka.common.requests.RequestLogFilter, org.apache.kafka.common.Reconfigurable
    public void reconfigure(Map<String, ?> map) {
        LOG.info("Calling reconfigure...");
        configure(map);
    }

    @Override // org.apache.kafka.common.requests.RequestLogFilter, org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        Config config = new Config(map);
        this.enableDetailedAuditLogs = config.enableDetailedAuditLogging();
        this.enableProduceConsumeAuditLogs = config.enableProduceConsumeAuditLogging();
        this.disabledAPIs = config.disabledAPIs();
    }

    @Override // org.apache.kafka.common.requests.RequestLogFilter, org.apache.kafka.common.Reconfigurable
    public void validateReconfiguration(Map<String, ?> map) throws ConfigException {
        new Config(map);
    }

    static {
        RECONFIGURABLE_CONFIGS.add("confluent.security.event.logger.enable.detailed.audit.logs");
        RECONFIGURABLE_CONFIGS.add("confluent.security.event.logger.detailed.audit.logs.disabled.apis");
        RECONFIGURABLE_CONFIGS.add("confluent.security.event.logger.enable.produce.consume.audit.logs");
    }
}
