package io.confluent.rbacapi.resources.base;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.comparators.MdsResourcePatternComparator;
import io.confluent.rbacapi.converters.MdsScopeConverter;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.stream.Collectors;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacapi/resources/base/PrincipalsResource.class */
public class PrincipalsResource {
    private static final Logger log = LoggerFactory.getLogger(PrincipalsResource.class);
    private final AuthStore authStore;
    private final AuthCache authCache;
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    private final Set<String> resourceRoles;
    private final ClusterRegistryService clusterRegistryService;
    private final MdsScopeConverter mdsScopeConverter;
    private final long backendTimeoutNanos;
    private final ValidationUtil validationUtil;

    public PrincipalsResource(AuthStore authStore, SecurityMetadataAuthorizer securityMetadataAuthorizer, long j, ClusterRegistryService clusterRegistryService, ValidationUtil validationUtil) {
        this.authStore = authStore;
        this.authCache = authStore.authCache();
        this.metadataAuthorizer = securityMetadataAuthorizer;
        this.backendTimeoutNanos = j;
        this.clusterRegistryService = clusterRegistryService;
        this.validationUtil = validationUtil;
        this.mdsScopeConverter = new MdsScopeConverter(this.clusterRegistryService, this.validationUtil);
        this.resourceRoles = (Set) this.authCache.rbacRoles().roles().stream().filter((v0) -> {
            return v0.hasResourceScope();
        }).map((v0) -> {
            return v0.name();
        }).collect(Collectors.toSet());
    }

    private boolean isLegitPrincipalType(KafkaPrincipal kafkaPrincipal) {
        String principalType = kafkaPrincipal.getPrincipalType();
        return StringUtils.equals("User", principalType) || StringUtils.equals("Group", principalType);
    }

    public void addClusterRoleForPrincipal(SecurityContext securityContext, String str, String str2, MdsScope mdsScope) throws InterruptedException, ExecutionException, TimeoutException {
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.ALTER);
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        if (!isLegitPrincipalType(parseKafkaPrincipal)) {
            throw new RuntimeException("Invalid principal type. Should be 'User' or 'Group'");
        }
        this.authStore.writer().addClusterRoleBinding(parseKafkaPrincipal, str2, scope).toCompletableFuture().get(this.backendTimeoutNanos, TimeUnit.NANOSECONDS);
    }

    public void deleteRoleForPrincipal(SecurityContext securityContext, String str, String str2, MdsScope mdsScope) throws InterruptedException, ExecutionException, TimeoutException {
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.ALTER);
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        if (!isLegitPrincipalType(parseKafkaPrincipal)) {
            throw new RuntimeException("Invalid principal type. Should be 'User' or 'Group'");
        }
        this.authStore.writer().removeRoleBinding(parseKafkaPrincipal, str2, scope).toCompletableFuture().get(this.backendTimeoutNanos, TimeUnit.NANOSECONDS);
    }

    public List<ResourcePattern> getRoleResourcesForPrincipal(SecurityContext securityContext, String str, String str2, MdsScope mdsScope) {
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        return (List) this.authCache.rbacRoleBindings(scope).stream().filter(roleBinding -> {
            return StringUtils.equals(str2, roleBinding.role());
        }).filter(roleBinding2 -> {
            return parseKafkaPrincipal.equals(roleBinding2.principal());
        }).flatMap(roleBinding3 -> {
            return roleBinding3.resources().stream();
        }).sorted(MdsResourcePatternComparator.getInstance()).collect(Collectors.toList());
    }

    public void addRoleResourcesForPrincipal(SecurityContext securityContext, String str, String str2, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        Scope scope = this.mdsScopeConverter.getScope(resourcesRequest.mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        this.metadataAuthorizer.authorizeResourceAccess(securityContext, scope, resourcesRequest.resourcePatterns, SecurityMetadataAuthorizer.ALTER_ACCESS);
        ResourcesRequest resourcesRequest2 = new ResourcesRequest(new MdsScope(scope), resourcesRequest.resourcePatterns);
        this.validationUtil.verifyScope(resourcesRequest2);
        verifyResourceScopedRole(str2);
        this.validationUtil.verifyResourceType(resourcesRequest2);
        this.validationUtil.verifyPatternType(resourcesRequest2);
        this.validationUtil.verifyRoleResourceType(str2, resourcesRequest2);
        this.validationUtil.verifyScopeResourceType(resourcesRequest2);
        this.validationUtil.verifyResourcePattern(resourcesRequest2);
        this.authStore.writer().addResourceRoleBinding(SecurityUtils.parseKafkaPrincipal(str), str2, scope, resourcesRequest2.resourcePatterns).toCompletableFuture().get(this.backendTimeoutNanos, TimeUnit.NANOSECONDS);
    }

    public void deleteRoleResourcesForPrincipal(SecurityContext securityContext, String str, String str2, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        Scope scope = this.mdsScopeConverter.getScope(resourcesRequest.mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        this.metadataAuthorizer.authorizeResourceAccess(securityContext, scope, resourcesRequest.resourcePatterns, SecurityMetadataAuthorizer.ALTER_ACCESS);
        ResourcesRequest resourcesRequest2 = new ResourcesRequest(new MdsScope(scope), resourcesRequest.resourcePatterns);
        this.validationUtil.verifyScope(resourcesRequest2);
        verifyResourceScopedRole(str2);
        this.validationUtil.verifyResourceType(resourcesRequest2);
        this.validationUtil.verifyPatternType(resourcesRequest2);
        this.validationUtil.verifyRoleResourceType(str2, resourcesRequest2);
        this.validationUtil.verifyScopeResourceType(resourcesRequest2);
        this.validationUtil.verifyResourcePattern(resourcesRequest2);
        this.authStore.writer().removeResourceRoleBinding(SecurityUtils.parseKafkaPrincipal(str), str2, scope, (List) resourcesRequest2.resourcePatterns.stream().map((v0) -> {
            return v0.toFilter();
        }).collect(Collectors.toList())).toCompletableFuture().get(this.backendTimeoutNanos, TimeUnit.NANOSECONDS);
    }

    public void setRoleResourcesForPrincipal(SecurityContext securityContext, String str, String str2, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        Scope scope = this.mdsScopeConverter.getScope(resourcesRequest.mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
        this.metadataAuthorizer.authorizeResourceAccess(securityContext, scope, resourcesRequest.resourcePatterns, SecurityMetadataAuthorizer.ALTER_ACCESS);
        ResourcesRequest resourcesRequest2 = new ResourcesRequest(new MdsScope(scope), resourcesRequest.resourcePatterns);
        this.validationUtil.verifyScope(resourcesRequest2);
        verifyResourceScopedRole(str2);
        this.validationUtil.verifyResourceType(resourcesRequest2);
        this.validationUtil.verifyPatternType(resourcesRequest2);
        this.validationUtil.verifyRoleResourceType(str2, resourcesRequest2);
        this.validationUtil.verifyScopeResourceType(resourcesRequest2);
        this.validationUtil.verifyResourcePattern(resourcesRequest2);
        this.authStore.writer().replaceResourceRoleBinding(SecurityUtils.parseKafkaPrincipal(str), str2, scope, resourcesRequest.resourcePatterns).toCompletableFuture().get(this.backendTimeoutNanos, TimeUnit.NANOSECONDS);
    }

    private void verifyResourceScopedRole(String str) {
        if (!this.resourceRoles.contains(str)) {
            throw new ClientErrorException("Cannot grant resource role bindings to a cluster scoped role.", 400);
        }
    }
}
