package io.confluent.security.authorizer;

import io.confluent.rbacdb.orm.RbacOrmService;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.auth.store.cache.DefaultAuthCache;
import io.confluent.security.auth.store.data.RoleBindingKey;
import io.confluent.security.auth.store.data.RoleBindingValue;
import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.authorizer.provider.ProviderFailedException;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/authorizer/StubDBAuthorizer.class */
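/**
 * {@link Authorizer} that answers each request from role bindings read through
 * {@link RbacOrmService}.
 *
 * <p>Every {@link #authorize} call fetches the role bindings of the requesting principal,
 * loads them into a fresh {@link DefaultAuthCache} rooted at {@code Scope.ROOT_SCOPE}, and
 * evaluates each action against that cache. Nothing is cached between calls in this class.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The principal whose string form equals {@link #MDS_SUPER_USER} is granted every action
 *       without any rule lookup. The value is a compile-time constant, so the guarantee rests
 *       entirely on the authentication layer never mapping another client to that principal.</li>
 *   <li>Super-user grants are logged at DEBUG only, so they do not appear in logs at the
 *       usual INFO level.</li>
 *   <li>Rule lookup is done with an empty second argument to {@code findRule} (presumably the
 *       set of group principals; confirm against {@code AuthCache}), so only bindings that
 *       match the user principal itself are evaluated.</li>
 * </ul>
 */
public class StubDBAuthorizer implements Authorizer {
    /** String form of the principal that bypasses all rule evaluation. */
    public static final String MDS_SUPER_USER = "User:mds";
    private static final Logger log = LoggerFactory.getLogger(StubDBAuthorizer.class);
    // Role definitions shared by every per-request cache; assigned once at class initialisation.
    private static final RbacRoles rbacRoles = RbacRoles.loadDefaultPolicy(true);
    // Source of role bindings; assigned once in the constructor.
    private final RbacOrmService rbacOrmService;

    /**
     * Creates an authorizer backed by the given ORM service.
     *
     * @param rbacOrmService service queried for the role bindings of each requesting principal
     */
    public StubDBAuthorizer(RbacOrmService rbacOrmService) {
        this.rbacOrmService = rbacOrmService;
    }

    /**
     * Authorizes each action for the principal of {@code requestContext}.
     *
     * <p>The role-binding lookup and cache population run outside any try/catch, so an exception
     * raised there propagates to the caller instead of being mapped to an {@link AuthorizeResult}.
     * No action is granted in that case.
     *
     * @param requestContext request whose principal and client address are evaluated
     * @param list actions to authorize
     * @return one result per action, in the order of {@code list}
     */
    public List<AuthorizeResult> authorize(RequestContext requestContext, List<Action> list) {
        Set<RoleBinding> bindings = rbacOrmService.rbacRoleBindings(requestContext.principal());

        // A new cache per call: decisions always reflect what the ORM service returned just now.
        DefaultAuthCache cache = new DefaultAuthCache(rbacRoles, Scope.ROOT_SCOPE);
        for (RoleBinding binding : bindings) {
            RoleBindingKey key = new RoleBindingKey(binding.principal(), binding.role(), binding.scope());
            cache.put(key, new RoleBindingValue(binding.resources()));
        }

        // Typed collect; the raw (List) cast left by the decompiler hid an unchecked conversion.
        return list.stream()
                .map(action -> doAuthorize(cache, requestContext, action))
                .collect(Collectors.toList());
    }

    /**
     * Decides a single action against the given cache.
     *
     * <p>Every failure path returns a result other than {@code ALLOWED}; how callers treat
     * {@code UNKNOWN_SCOPE}, {@code AUTHORIZER_FAILED} and {@code UNKNOWN_ERROR} is not visible
     * here and should be confirmed to be a denial.
     *
     * @param authCache cache holding the requesting principal's role bindings
     * @param requestContext request supplying the principal and client address
     * @param action action to decide
     * @return {@code ALLOWED} or {@code DENIED} from the matching policy, or an error result
     */
    private AuthorizeResult doAuthorize(AuthCache authCache, RequestContext requestContext, Action action) {
        try {
            KafkaPrincipal principal = requestContext.principal();
            String hostAddress = requestContext.clientAddress().getHostAddress();

            // Declared as the base type: the non-super-user branch yields an arbitrary
            // AuthorizePolicy (or NO_MATCHING_RULE), which is not an AuthorizePolicy.SuperUser.
            AuthorizePolicy policy;
            if (MDS_SUPER_USER.equals(principal.toString())) {
                // Unconditional bypass: no cache lookup and no scope check for this principal.
                log.debug("principal = {} is a super user, allowing operation without checking any providers.", principal);
                policy = new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_USER, principal);
            } else {
                AuthorizeRule rule = authCache.findRule(principal, Collections.emptySet(), hostAddress, action);
                // Only the allow rule is consulted; no match falls through to NO_MATCHING_RULE.
                policy = rule.allowRule().isPresent()
                        ? (AuthorizePolicy) rule.allowRule().get()
                        : AuthorizePolicy.NO_MATCHING_RULE;
            }
            return policy.policyType().accessGranted() ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED;
        } catch (InvalidScopeException e) {
            log.error("Authorizer failed with unknown scope: {}", action.scope(), e);
            return AuthorizeResult.UNKNOWN_SCOPE;
        } catch (ProviderFailedException e2) {
            log.error("Authorization provider has failed", e2);
            return AuthorizeResult.AUTHORIZER_FAILED;
        } catch (Throwable th) {
            // Deliberately broad: includes a null principal or client address (NPE) and
            // java.lang.Error, so no unexpected failure can end in ALLOWED.
            log.error("Authorization failed with unexpected exception", th);
            return AuthorizeResult.UNKNOWN_ERROR;
        }
    }

    /** No-op: this class holds no resources of its own to release. */
    public void close() {
    }

    /**
     * No-op: the supplied configuration is ignored.
     *
     * @param map configuration entries, unused
     */
    public void configure(Map<String, ?> map) {
    }
}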
