package io.confluent.rbacapi.resources.base;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.MoreObjects;
import io.confluent.auditlogapi.authorizer.AuditLogConfigAuthorizer;
import io.confluent.auditlogapi.credentials.CredentialExtractor;
import io.confluent.auditlogapi.entities.AuditLogConfigDefaultTopics;
import io.confluent.auditlogapi.entities.AuditLogConfigListRoutesResponse;
import io.confluent.auditlogapi.entities.AuditLogConfigResolveResourceRouteResponse;
import io.confluent.auditlogapi.entities.AuditLogConfigRouteCategories;
import io.confluent.auditlogapi.entities.AuditLogConfigRouteCategoryTopics;
import io.confluent.auditlogapi.entities.AuditLogConfigSpec;
import io.confluent.auditlogapi.entities.Conversions;
import io.confluent.auditlogapi.store.AuditLogConfigConcurrentModificationException;
import io.confluent.auditlogapi.store.AuditLogConfigStore;
import io.confluent.auditlogapi.store.TopicRetentionLookup;
import io.confluent.auditlogapi.store.TopicRetentionUpdateCallback;
import io.confluent.crn.ConfluentResourceName;
import io.confluent.crn.CrnSyntaxException;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.annotation.Nonnull;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacapi/resources/base/AuditLogConfigResource.class */
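/**
 * Resource-layer entry points for reading and changing the audit log configuration.
 *
 * <p>Every public method calls {@link AuditLogConfigAuthorizer#authorizeAuditLogConfigAccess}
 * before it touches the store: {@code DESCRIBE} for the read operations and {@code ALTER} for
 * {@link #putConfig}. The authorizer's implementation is not visible in this file; the methods
 * here rely on it to reject the call (presumably by throwing) when access is denied.
 */
public class AuditLogConfigResource {
    private static final Logger log = LoggerFactory.getLogger(AuditLogConfigResource.class);

    /** Query-parameter errors, shared so that both lookup endpoints report them identically. */
    private static final String MISSING_QUERY = "missing query parameter";
    private static final String WILDCARD_IN_QUERY = "wild cards are not allowed in the query";
    private static final String INVALID_CRN = "invalid confluent resource name (CRN) format";

    @Nonnull
    private final AuditLogConfigAuthorizer authorizer;

    @Nonnull
    private final AuditLogConfigStore store;

    @Nonnull
    private final CredentialExtractor credentialExtractor;

    @Nonnull
    private final TopicRetentionLookup currentRetentionLookup;

    @Nonnull
    private final TopicRetentionUpdateCallback retentionUpdateCallback;
    private final long backendTimeoutNanos;

    /**
     * Creates the resource.
     *
     * @param auditLogConfigAuthorizer authorizer consulted at the start of every operation
     * @param auditLogConfigStore backing store for the audit log configuration
     * @param credentialExtractor extracts the caller's credentials from the HTTP request
     * @param topicRetentionLookup passed to the store when reading or writing the configuration
     * @param topicRetentionUpdateCallback passed to the store when writing the configuration
     * @param j how long {@link #putConfig} waits for the store, in nanoseconds
     * @throws NullPointerException if any collaborator is {@code null}
     */
    public AuditLogConfigResource(AuditLogConfigAuthorizer auditLogConfigAuthorizer, AuditLogConfigStore auditLogConfigStore, CredentialExtractor credentialExtractor, TopicRetentionLookup topicRetentionLookup, TopicRetentionUpdateCallback topicRetentionUpdateCallback, long j) {
        this.authorizer = Objects.requireNonNull(auditLogConfigAuthorizer);
        this.store = Objects.requireNonNull(auditLogConfigStore);
        this.credentialExtractor = Objects.requireNonNull(credentialExtractor);
        this.currentRetentionLookup = Objects.requireNonNull(topicRetentionLookup);
        this.retentionUpdateCallback = Objects.requireNonNull(topicRetentionUpdateCallback);
        this.backendTimeoutNanos = j;
    }

    /**
     * Returns the live audit log configuration after a {@code DESCRIBE} authorization check.
     *
     * @param securityContext security context of the caller, handed to the authorizer
     * @return the configuration reported by the store
     */
    public AuditLogConfigSpec getConfig(SecurityContext securityContext) {
        this.authorizer.authorizeAuditLogConfigAccess(securityContext, AuditLogConfigAuthorizer.DESCRIBE);
        return this.store.getLiveConfig(this.currentRetentionLookup);
    }

    /**
     * Replaces the audit log configuration after an {@code ALTER} authorization check.
     *
     * <p>The credentials extracted from the request are handed to the store together with the
     * new spec; they are never logged here.
     *
     * @param httpServletRequest request the caller's credentials are extracted from
     * @param securityContext security context of the caller, handed to the authorizer
     * @param auditLogConfigSpec the configuration to store
     * @return 200 with the store's result; 409 with the spec carried by an
     *     {@link AuditLogConfigConcurrentModificationException}; 304 echoing the submitted spec
     *     for any other failure reported by the store
     * @throws InterruptedException if the wait for the store is interrupted
     * @throws ExecutionException declared by the signature; failures are mapped to a response
     * @throws TimeoutException if the store does not answer within the configured timeout
     */
    public Response putConfig(HttpServletRequest httpServletRequest, SecurityContext securityContext, AuditLogConfigSpec auditLogConfigSpec) throws InterruptedException, ExecutionException, TimeoutException {
        this.authorizer.authorizeAuditLogConfigAccess(securityContext, AuditLogConfigAuthorizer.ALTER);
        try {
            return Response.ok(
                    this.store
                            .putConfig(this.credentialExtractor.extractCredentials(httpServletRequest), auditLogConfigSpec, this.currentRetentionLookup, this.retentionUpdateCallback)
                            .toCompletableFuture()
                            .get(this.backendTimeoutNanos, TimeUnit.NANOSECONDS))
                    .build();
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof AuditLogConfigConcurrentModificationException) {
                return Response.status(Response.Status.CONFLICT).entity(((AuditLogConfigConcurrentModificationException) cause).getSpec()).build();
            }
            // A failed change to the audit log configuration must leave a trace for operators:
            // the 304 below looks like a harmless no-op to the client.
            // NOTE(review): 304 for an arbitrary backend failure hides the error from the caller;
            // the status is kept because existing clients may depend on it.
            log.warn("Audit log config update failed; responding 304 Not Modified", e);
            return Response.status(Response.Status.NOT_MODIFIED).entity(auditLogConfigSpec).build();
        }
    }

    /**
     * Lists the configured routes that could match the queried resource or one of its
     * sub-resources, after a {@code DESCRIBE} authorization check.
     *
     * @param securityContext security context of the caller, handed to the authorizer
     * @param str the queried CRN; must be non-empty and must not contain {@code *}
     * @return the default topics plus every route whose pattern could match the query
     * @throws InvalidRequestException if the query is missing, contains a wildcard, or is not a
     *     valid CRN
     */
    public AuditLogConfigListRoutesResponse listRoutes(SecurityContext securityContext, String str) {
        this.authorizer.authorizeAuditLogConfigAccess(securityContext, AuditLogConfigAuthorizer.DESCRIBE);
        if (str == null || str.isEmpty()) {
            throw new InvalidRequestException(MISSING_QUERY);
        }
        if (str.contains("*")) {
            throw new InvalidRequestException(WILDCARD_IN_QUERY);
        }
        try {
            ConfluentResourceName queryCrn = ConfluentResourceName.fromString(str);
            AuditLogConfigSpec config = this.store.getConfig();
            AuditLogConfigListRoutesResponse.Builder builder = AuditLogConfigListRoutesResponse.builder();
            builder.defaultTopics(config.getDefaultTopics());
            config.getRoutes().forEach((routePattern, categories) -> {
                try {
                    if (couldMatchResourceOrSubResource(ConfluentResourceName.fromString(routePattern), queryCrn)) {
                        builder.route(routePattern, categories);
                    }
                } catch (CrnSyntaxException e) {
                    // One malformed stored pattern must not fail the whole listing. The pattern
                    // is passed as a logging argument rather than concatenated into the message.
                    log.warn("Ignoring invalid route pattern: {}", routePattern);
                }
            });
            return builder.build();
        } catch (CrnSyntaxException e) {
            throw new InvalidRequestException(INVALID_CRN);
        }
    }

    /**
     * Compares a route pattern with a queried CRN, element by element.
     *
     * @param pattern the configured route pattern
     * @param query the queried resource name
     * @return {@code false} if the authorities differ or any paired element does not match;
     *     otherwise {@code true} unless the query has more elements than the pattern
     */
    private boolean couldMatchResourceOrSubResource(ConfluentResourceName pattern, ConfluentResourceName query) {
        if (!Objects.equals(pattern.authority(), query.authority())) {
            return false;
        }
        Iterator<?> patternIt = pattern.elements().iterator();
        Iterator<?> queryIt = query.elements().iterator();
        while (patternIt.hasNext()) {
            if (!queryIt.hasNext()) {
                // The query ran out first: the pattern names something below the queried resource.
                return true;
            }
            ConfluentResourceName.Element patternElement = (ConfluentResourceName.Element) patternIt.next();
            ConfluentResourceName.Element queryElement = (ConfluentResourceName.Element) queryIt.next();
            if (!patternElement.matches(queryElement)) {
                return false;
            }
        }
        // The pattern is exhausted: it matches only if the query has no further elements.
        return !queryIt.hasNext();
    }

    /**
     * Resolves the route that applies to one resource, after a {@code DESCRIBE} authorization
     * check.
     *
     * <p>A missing or empty query is rejected with the same error as in {@link #listRoutes}
     * instead of failing with a {@link NullPointerException} on the wildcard check.
     *
     * @param securityContext security context of the caller, handed to the authorizer
     * @param str the queried CRN; must be non-empty and must not contain {@code *}
     * @return the matching route and its categories, or the route {@code "default"} with the
     *     default topics when no configured route matches
     * @throws InvalidRequestException if the query is missing, contains a wildcard, or is not a
     *     valid CRN
     */
    public AuditLogConfigResolveResourceRouteResponse resolveResourceRoute(SecurityContext securityContext, String str) {
        this.authorizer.authorizeAuditLogConfigAccess(securityContext, AuditLogConfigAuthorizer.DESCRIBE);
        if (str == null || str.isEmpty()) {
            throw new InvalidRequestException(MISSING_QUERY);
        }
        if (str.contains("*")) {
            throw new InvalidRequestException(WILDCARD_IN_QUERY);
        }
        try {
            ConfluentResourceName queryCrn = ConfluentResourceName.fromString(str);
            AuditLogConfigSpec config = this.store.getConfig();
            Map.Entry<?, ?> matchEntry = config.getCalculatedRoutesMatcher().matchEntry(queryCrn);
            if (matchEntry == null) {
                return AuditLogConfigResolveResourceRouteResponse.builder()
                        .route("default")
                        .categories(coalesceWithDefaults(queryCrn, null, config.getDefaultTopics()))
                        .build();
            }
            return AuditLogConfigResolveResourceRouteResponse.builder()
                    .route(((ConfluentResourceName) matchEntry.getKey()).toString())
                    .categories(coalesceWithDefaults(queryCrn, (AuditLogConfigRouteCategories) matchEntry.getValue(), config.getDefaultTopics()))
                    .build();
        } catch (CrnSyntaxException e) {
            throw new InvalidRequestException(INVALID_CRN);
        }
    }

    /**
     * Builds the effective per-category topics for a resource, filling every missing
     * {@code allowed} or {@code denied} topic from the defaults.
     *
     * @param confluentResourceName the resource the categories are resolved for
     * @param auditLogConfigRouteCategories categories of the matched route; {@code null} is
     *     passed by {@link #resolveResourceRoute} when no route matched
     * @param auditLogConfigDefaultTopics source of the fallback allowed and denied topics
     * @return the categories with defaults applied
     * @throws NullPointerException if a topic is absent from both the route and the defaults
     *     ({@code MoreObjects.firstNonNull} rejects two {@code null} arguments)
     */
    @VisibleForTesting
    static AuditLogConfigRouteCategories coalesceWithDefaults(ConfluentResourceName confluentResourceName, AuditLogConfigRouteCategories auditLogConfigRouteCategories, AuditLogConfigDefaultTopics auditLogConfigDefaultTopics) {
        AuditLogConfigRouteCategories canonical = new AuditLogConfigRouteCategories.Canonicalizer().convert(auditLogConfigRouteCategories);
        AuditLogConfigRouteCategories.Builder builder = AuditLogConfigRouteCategories.builder();
        Conversions.withDefaultTopics(confluentResourceName, Conversions.convertRouteRules(canonical)).forEach((category, topics) -> {
            builder.put(category, AuditLogConfigRouteCategoryTopics.builder()
                    .allowed((String) MoreObjects.firstNonNull(topics.get("allowed"), auditLogConfigDefaultTopics.getAllowed()))
                    .denied((String) MoreObjects.firstNonNull(topics.get("denied"), auditLogConfigDefaultTopics.getDenied()))
                    .build());
        });
        return builder.build();
    }
}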
