package io.confluent.rbacapi.resources.base;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.comparators.MdsResourcePatternComparator;
import io.confluent.rbacapi.comparators.ScopeComparator;
import io.confluent.rbacapi.converters.MdsScopeConverter;
import io.confluent.rbacapi.entities.ClusterAccessInfo;
import io.confluent.rbacapi.entities.ManagedRoleBinding;
import io.confluent.rbacapi.entities.ManagedRoleBindings;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ScopeRoleBindingMapping;
import io.confluent.rbacapi.entities.VisibilityRequest;
import io.confluent.rbacapi.entities.VisibilityResponse;
import io.confluent.rbacapi.services.ClusterAccessProcessor;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.services.ManagedRoleBindingsBuilder;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.rbacapi.utils.RoleUtils;
import io.confluent.rbacapi.utils.ScopeUtils;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.RoleBindingFilter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.core.SecurityContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:io/confluent/rbacapi/resources/base/LookupResource.class */
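/**
 * Read-only lookups over the RBAC role-binding cache exposed by the MDS REST layer.
 *
 * <p>Every public method consults {@link SecurityMetadataAuthorizer} before reading from
 * {@link AuthCache}. Most methods throw when the caller is not authorized; the exceptions are
 * {@link #managedNonResourceRoleBindingsAtScope}, which answers an unauthorized caller with an
 * empty list, and {@link #rolebindingsForPrincipalWithinScope}, which narrows the queried scopes
 * to those the caller may describe instead of rejecting the whole request.
 *
 * <p>All fields are {@code final} and the class holds no mutable state of its own, so instances
 * are as thread-safe as the collaborators they delegate to.
 */
public class LookupResource {
    /** Principal types compared against {@link KafkaPrincipal#getPrincipalType()}. */
    private static final String USER_PRINCIPAL_TYPE = "User";
    private static final String GROUP_PRINCIPAL_TYPE = "Group";

    /** Sub-cluster type names used when building a {@link Scope} beneath a Kafka cluster. */
    private static final String CONNECT_CLUSTER_TYPE = "connect-cluster";
    private static final String SCHEMA_REGISTRY_CLUSTER_TYPE = "schema-registry-cluster";
    private static final String KSQL_CLUSTER_TYPE = "ksql-cluster";

    private final AuthCache authCache;
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    private final ClusterAccessProcessor clusterAccessProcessor;
    private final ClusterRegistryService clusterRegistryService;
    private final MdsScopeConverter mdsScopeConverter;
    private final ValidationUtil validationUtil;

    /**
     * Creates the resource. The {@link ClusterAccessProcessor} and {@link MdsScopeConverter} are
     * constructed here from the supplied collaborators rather than injected.
     *
     * @param authCache cache of role bindings, group memberships and known scopes that every lookup reads
     * @param securityMetadataAuthorizer authorizer consulted before any binding data is returned
     * @param clusterRegistryService registry handed to the scope converter
     * @param validationUtil validation helper handed to the scope converter
     */
    public LookupResource(AuthCache authCache, SecurityMetadataAuthorizer securityMetadataAuthorizer, ClusterRegistryService clusterRegistryService, ValidationUtil validationUtil) {
        this.authCache = authCache;
        this.metadataAuthorizer = securityMetadataAuthorizer;
        this.clusterAccessProcessor = new ClusterAccessProcessor(authCache);
        this.clusterRegistryService = clusterRegistryService;
        this.validationUtil = validationUtil;
        this.mdsScopeConverter = new MdsScopeConverter(this.clusterRegistryService, this.validationUtil);
    }

    /**
     * Lists the distinct principals that hold {@code roleName} at the given scope.
     *
     * @param securityContext the calling user's context; must carry DESCRIBE on the scope's security metadata
     * @param roleName exact role name to match
     * @param mdsScope scope to look in, as supplied by the REST caller
     * @return sorted, de-duplicated principal strings (never {@code null})
     */
    public List<String> lookupPrincipalsWithRole(SecurityContext securityContext, String roleName, MdsScope mdsScope) {
        Scope scope = resolveScope(securityContext, mdsScope);
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
        return this.authCache.rbacRoleBindings(scope).stream()
                .filter(binding -> binding.role().equals(roleName))
                .map(binding -> binding.principal().toString())
                .distinct()
                .sorted()
                .collect(Collectors.toList());
    }

    /**
     * Lists the distinct principals that hold {@code roleName} on a specific resource.
     *
     * <p>Authorization has two paths: DESCRIBE on the scope's security metadata, or, failing that,
     * DESCRIBE_ACCESS on the single literal resource being asked about. The second call is expected
     * to throw on its own when that is also denied, so the catch block is a deliberate fallback and
     * not a swallowed error.
     *
     * @param securityContext the calling user's context
     * @param roleName exact role name to match
     * @param resourceType resource type name (e.g. a topic type) of the resource
     * @param resourceName resource name; bindings are matched with {@link PatternType#MATCH}
     * @param mdsScope scope to look in
     * @return sorted, de-duplicated principal strings (never {@code null})
     */
    public List<String> lookupPrincipalsWithRoleOnResource(SecurityContext securityContext, String roleName, String resourceType, String resourceName, MdsScope mdsScope) {
        Scope scope = resolveScope(securityContext, mdsScope);
        try {
            // NOTE(review): the trailing `false` argument is not explained here — presumably it alters how a
            // denial is reported by the authorizer; confirm against SecurityMetadataAuthorizer before relying on it.
            this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE, false);
        } catch (AuthorizationException ignored) {
            // Caller lacks metadata DESCRIBE; fall back to requiring DESCRIBE_ACCESS on exactly this resource.
            this.metadataAuthorizer.authorizeResourceAccess(securityContext, scope, Collections.singleton(new ResourcePattern(resourceType, resourceName, PatternType.LITERAL)), SecurityMetadataAuthorizer.DESCRIBE_ACCESS);
        }
        RoleBindingFilter filter = new RoleBindingFilter((KafkaPrincipal) null, roleName, scope,
                new ResourcePatternFilter(new ResourceType(resourceType), resourceName, PatternType.MATCH));
        return principals(filter);
    }

    /** Sorted, de-duplicated principal strings of every binding matching {@code roleBindingFilter}. */
    private List<String> principals(RoleBindingFilter roleBindingFilter) {
        return this.authCache.rbacRoleBindings(roleBindingFilter).stream()
                .map(binding -> binding.principal().toString())
                .distinct()
                .sorted()
                .collect(Collectors.toList());
    }

    /**
     * Lists the distinct role names bound at {@code mdsScope} to the given principal or, for a
     * {@code User} principal, to any group the cache reports the user as a member of.
     *
     * @param securityContext the calling user's context; must carry DESCRIBE on the scope's security metadata
     * @param principalString principal in {@code Type:name} form, parsed by {@link SecurityUtils#parseKafkaPrincipal}
     * @param mdsScope scope to look in
     * @return sorted role names (never {@code null})
     */
    public List<String> getScopedRoleNames(SecurityContext securityContext, String principalString, MdsScope mdsScope) {
        Scope scope = resolveScope(securityContext, mdsScope);
        this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
        KafkaPrincipal principal = SecurityUtils.parseKafkaPrincipal(principalString);
        Set<RoleBinding> bindings = this.authCache.rbacRoleBindings(scope);
        Set<KafkaPrincipal> matchingPrincipals = principalAndGroups(principal);
        return bindings.stream()
                .filter(binding -> matchingPrincipals.contains(binding.principal()))
                .map(RoleBinding::role)
                .distinct()
                .sorted()
                .collect(Collectors.toList());
    }

    /**
     * Reports, per requested Kafka cluster and its sub-clusters, whether {@code principalString}
     * has at least one role binding at that scope.
     *
     * @param securityContext the calling user's context; a user may always query their own visibility
     * @param principalString principal in {@code Type:name} form
     * @param requests clusters to check, one response is produced per request in the same order
     * @return one {@link VisibilityResponse} per request (never {@code null})
     */
    public List<VisibilityResponse> getUserVisibility(SecurityContext securityContext, String principalString, List<VisibilityRequest> requests) {
        KafkaPrincipal principal = SecurityUtils.parseKafkaPrincipal(principalString);
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, principal, SecurityMetadataAuthorizer.DESCRIBE);
        Set<Scope> requestedScopes = requests.stream()
                .map(this::visibilityRequestToScopeList)
                .flatMap(List::stream)
                .collect(Collectors.toSet());
        // A scope is "visible" when the principal holds any binding there; the role itself is not inspected.
        Set<Scope> visibleScopes = this.authCache.rbacRoleBindings(principal, requestedScopes).stream()
                .map(RoleBinding::scope)
                .collect(Collectors.toSet());
        return requests.stream()
                .map(request -> getVisibilityResponse(request, visibleScopes, principal))
                .collect(Collectors.toList());
    }

    /**
     * Expands one request into the Kafka-cluster scope followed by one scope per Connect,
     * Schema Registry and ksqlDB cluster id it names, in that order.
     */
    private List<Scope> visibilityRequestToScopeList(VisibilityRequest request) {
        String kafkaClusterId = request.kafkaClusterId;
        List<Scope> scopes = new ArrayList<>();
        scopes.add(Scope.kafkaClusterScope(kafkaClusterId));
        for (String clusterId : request.connectClusterIds) {
            scopes.add(subClusterScope(kafkaClusterId, CONNECT_CLUSTER_TYPE, clusterId));
        }
        for (String clusterId : request.schemaRegistryClusterIds) {
            scopes.add(subClusterScope(kafkaClusterId, SCHEMA_REGISTRY_CLUSTER_TYPE, clusterId));
        }
        for (String clusterId : request.ksqlClusterIds) {
            scopes.add(subClusterScope(kafkaClusterId, KSQL_CLUSTER_TYPE, clusterId));
        }
        return scopes;
    }

    /** Builds the response for one request from the set of scopes the principal has bindings at. */
    private VisibilityResponse getVisibilityResponse(VisibilityRequest request, Set<Scope> visibleScopes, KafkaPrincipal principal) {
        String kafkaClusterId = request.kafkaClusterId;
        Scope kafkaScope = Scope.kafkaClusterScope(kafkaClusterId);
        VisibilityResponse.ClusterVisibility kafkaVisibility = new VisibilityResponse.ClusterVisibility(
                kafkaClusterId,
                visibleScopes.contains(kafkaScope),
                this.mdsScopeConverter.getClusterName(principal, kafkaScope));
        return new VisibilityResponse(
                kafkaVisibility,
                subClusterVisibility(CONNECT_CLUSTER_TYPE, request.connectClusterIds, kafkaClusterId, visibleScopes, principal),
                subClusterVisibility(SCHEMA_REGISTRY_CLUSTER_TYPE, request.schemaRegistryClusterIds, kafkaClusterId, visibleScopes, principal),
                subClusterVisibility(KSQL_CLUSTER_TYPE, request.ksqlClusterIds, kafkaClusterId, visibleScopes, principal));
    }

    /**
     * Visibility of each sub-cluster id of one type beneath {@code kafkaClusterId}.
     * The scope is built once per id and reused for both the membership test and the name lookup.
     */
    private List<VisibilityResponse.ClusterVisibility> subClusterVisibility(String clusterType, List<String> clusterIds, String kafkaClusterId, Set<Scope> visibleScopes, KafkaPrincipal principal) {
        return clusterIds.stream()
                .map(clusterId -> {
                    Scope scope = subClusterScope(kafkaClusterId, clusterType, clusterId);
                    return new VisibilityResponse.ClusterVisibility(
                            clusterId,
                            visibleScopes.contains(scope),
                            this.mdsScopeConverter.getClusterName(principal, scope));
                })
                .collect(Collectors.toList());
    }

    /**
     * Maps each matching principal to its roles and, per role, the sorted resource patterns bound
     * at {@code mdsScope}.
     *
     * <p>For a {@code User} the lookup covers the user and its groups, and a user may always
     * describe themself. For a {@code Group} the caller needs DESCRIBE on the scope's security
     * metadata. The type check happens before any authorization call, so an unsupported type is
     * rejected regardless of the caller's rights.
     *
     * @param securityContext the calling user's context
     * @param principalString principal in {@code Type:name} form
     * @param mdsScope scope to look in
     * @return {@code principal -> (role -> sorted resource patterns)} (never {@code null})
     * @throws IllegalArgumentException if the principal type is neither {@code User} nor {@code Group}
     */
    public Map<String, Map<String, List<ResourcePattern>>> lookupResourcesForPrincipal(SecurityContext securityContext, String principalString, MdsScope mdsScope) {
        KafkaPrincipal principal = SecurityUtils.parseKafkaPrincipal(principalString);
        Scope scope = resolveScope(securityContext, mdsScope);
        String principalType = principal.getPrincipalType();
        Set<KafkaPrincipal> matchingPrincipals;
        if (USER_PRINCIPAL_TYPE.equals(principalType)) {
            this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, scope, principal, SecurityMetadataAuthorizer.DESCRIBE);
            matchingPrincipals = principalAndGroups(principal);
        } else if (GROUP_PRINCIPAL_TYPE.equals(principalType)) {
            // A group is never "self", so the describe-self relaxation does not apply.
            this.metadataAuthorizer.authorizeSecurityMetadataAccess(securityContext, scope, SecurityMetadataAuthorizer.DESCRIBE);
            matchingPrincipals = Collections.singleton(principal);
        } else {
            // IllegalArgumentException is a RuntimeException, so existing catch sites still match.
            throw new IllegalArgumentException("Invalid principal type. Should be 'User' or 'Group'");
        }
        // NOTE(review): the merge function overwrites an earlier role entry with a later one when two bindings share
        // principal and role — confirm bindings are unique per (principal, role) within a scope, or merge the lists.
        return this.authCache.rbacRoleBindings(scope).stream()
                .filter(binding -> matchingPrincipals.contains(binding.principal()))
                .collect(Collectors.toMap(
                        binding -> binding.principal().toString(),
                        LookupResource::roleToSortedResources,
                        (first, second) -> {
                            first.putAll(second);
                            return first;
                        }));
    }

    /** Single-entry mutable map {@code role -> resources sorted by MdsResourcePatternComparator}. */
    private static Map<String, List<ResourcePattern>> roleToSortedResources(RoleBinding binding) {
        List<ResourcePattern> resources = new ArrayList<>(binding.resources());
        resources.sort(MdsResourcePatternComparator.getInstance());
        // Must stay mutable: the toMap merge function above folds later entries into this map.
        Map<String, List<ResourcePattern>> byRole = new HashMap<>();
        byRole.put(binding.role(), resources);
        return byRole;
    }

    /**
     * Groups the principal's bindings across every known scope (optionally only scopes of one
     * cluster type) by scope.
     *
     * @param securityContext the calling user's context; a user may always query themself
     * @param kafkaPrincipal principal whose bindings are listed
     * @param clusterType restricts the known scopes considered; {@code null} means all known scopes
     * @return one mapping per scope, in the natural order of {@link ScopeRoleBindingMapping}
     */
    public List<ScopeRoleBindingMapping> rolebindingsForAllKnownClusters(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, ClusterType clusterType) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);
        Set<RoleBinding> bindings;
        if (clusterType != null) {
            bindings = this.authCache.rbacRoleBindings(kafkaPrincipal, knownScopesOfType(clusterType));
        } else {
            // The single-argument overload is kept for the unfiltered case rather than passing knownScopes() explicitly.
            bindings = this.authCache.rbacRoleBindings(kafkaPrincipal);
        }
        return toScopesAndRolesBindingsMapping(bindings, kafkaPrincipal);
    }

    /** A mapping whose scope carries the cluster names resolved for {@code kafkaPrincipal}. */
    private ScopeRoleBindingMapping getNamedScopeRoleBindingMapping(Scope scope, KafkaPrincipal kafkaPrincipal) {
        return new ScopeRoleBindingMapping(this.mdsScopeConverter.getMdsScope(kafkaPrincipal, scope));
    }

    /**
     * Groups bindings by scope into named mappings, sorted in natural order.
     * The mapping for a scope is created on its first binding only; the previous
     * {@code getOrDefault} form re-resolved the scope name for every binding.
     */
    private List<ScopeRoleBindingMapping> toScopesAndRolesBindingsMapping(Set<RoleBinding> bindings, KafkaPrincipal kafkaPrincipal) {
        Map<Scope, ScopeRoleBindingMapping> byScope = new HashMap<>();
        for (RoleBinding binding : bindings) {
            byScope.computeIfAbsent(binding.scope(), scope -> getNamedScopeRoleBindingMapping(scope, kafkaPrincipal))
                    .addRoleBinding(binding);
        }
        return byScope.values().stream().sorted().collect(Collectors.toList());
    }

    /**
     * Every binding at {@code mdsScope}, each flagged with whether the caller may alter it.
     *
     * <p>This lookup does not throw for an unauthorized caller: without ALTER or DESCRIBE on the
     * scope's security metadata it returns an empty list. Despite the method name, no filtering on
     * resources happens here; presumably {@link ManagedRoleBinding} or the caller applies it — confirm.
     *
     * @param securityContext the calling user's context
     * @param mdsScope scope to look in
     * @return bindings sorted by {@link ManagedRoleBinding#compareTo}, or an empty list
     */
    public List<ManagedRoleBinding> managedNonResourceRoleBindingsAtScope(SecurityContext securityContext, MdsScope mdsScope) {
        KafkaPrincipal userPrincipal = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, userPrincipal);
        // The previous version also built a user+groups set here that nothing read; it has been dropped.
        boolean canAlter = this.metadataAuthorizer.hasSecurityMetadataAccess(userPrincipal, scope, SecurityMetadataAuthorizer.ALTER);
        // DESCRIBE is only checked when ALTER was denied.
        boolean canDescribe = canAlter || this.metadataAuthorizer.hasSecurityMetadataAccess(userPrincipal, scope, SecurityMetadataAuthorizer.DESCRIBE);
        if (!canDescribe) {
            return Collections.emptyList();
        }
        return this.authCache.rbacRoleBindings(scope).stream()
                .map(binding -> new ManagedRoleBinding(binding, canAlter))
                .sorted(ManagedRoleBinding::compareTo)
                .collect(Collectors.toList());
    }

    /**
     * Groups the principal's bindings within {@code mdsScope} (and the known scopes it contains)
     * by scope.
     *
     * <p>Authorization is applied per contained scope by
     * {@link ScopeUtils#securityMetadataAuthorizedScopesAllowDescribeSelf}: scopes the caller may
     * not describe are silently left out rather than rejecting the request.
     *
     * @param securityContext the calling user's context
     * @param kafkaPrincipal principal whose bindings are listed
     * @param mdsScope enclosing scope
     * @return one mapping per scope, ordered by {@link ScopeComparator}, or an empty list
     */
    public List<ScopeRoleBindingMapping> rolebindingsForPrincipalWithinScope(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, MdsScope mdsScope) {
        Scope requestedScope = resolveScope(securityContext, mdsScope);
        Set<RoleBinding> bindings = this.authCache.rbacRoleBindings(
                kafkaPrincipal,
                ScopeUtils.securityMetadataAuthorizedScopesAllowDescribeSelf(
                        ScopeUtils.knownContainedScopes(requestedScope, this.authCache),
                        kafkaPrincipal,
                        securityContext,
                        SecurityMetadataAuthorizer.DESCRIBE,
                        this.metadataAuthorizer));
        if (bindings.isEmpty()) {
            return Collections.emptyList();
        }
        Map<Scope, ScopeRoleBindingMapping> byScope = new HashMap<>();
        for (RoleBinding binding : bindings) {
            byScope.computeIfAbsent(binding.scope(), ScopeRoleBindingMapping::new).addRoleBinding(binding);
        }
        return byScope.values().stream()
                .sorted((left, right) -> ScopeComparator.getInstance().compare(left.scope().scope(), right.scope().scope()))
                .collect(Collectors.toList());
    }

    /**
     * Lists the known clusters at which the principal holds a role that grants describe access.
     *
     * @param securityContext the calling user's context; a user may always query themself
     * @param kafkaPrincipal principal whose clusters are listed
     * @param clusterType restricts the known scopes considered; {@code null} means all known scopes
     * @return scopes ordered by {@link ScopeComparator} and converted for the calling user, or an empty list
     */
    public List<MdsScope> listManagedClustersForPrincipal(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, ClusterType clusterType) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);
        Set<Scope> candidateScopes = clusterType != null ? knownScopesOfType(clusterType) : this.authCache.knownScopes();
        Set<RoleBinding> bindings = this.authCache.rbacRoleBindings(kafkaPrincipal, candidateScopes);
        if (bindings.isEmpty()) {
            return Collections.emptyList();
        }
        // Only bindings of roles that pass RoleAccessUtils.filterByDescribeAccess() count towards a "managed" cluster.
        Set<String> describeRoleNames = RoleUtils.mapRolesByName(this.authCache.rbacRoles().roles(), RoleAccessUtils.filterByDescribeAccess()).keySet();
        List<Scope> scopes = bindings.stream()
                .filter(binding -> describeRoleNames.contains(binding.role()))
                .map(RoleBinding::scope)
                .distinct()
                .sorted(ScopeComparator.getInstance())
                .collect(Collectors.toList());
        // Cluster names are resolved for the caller, not for the principal being looked up.
        KafkaPrincipal caller = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        return scopes.stream()
                .map(scope -> this.mdsScopeConverter.getMdsScope(caller, scope))
                .collect(Collectors.toList());
    }

    /**
     * Cluster access information for the principal at one scope, computed by
     * {@link ClusterAccessProcessor}.
     *
     * @param securityContext the calling user's context; a user may always query themself
     * @param kafkaPrincipal principal to evaluate
     * @param mdsScope scope to evaluate at
     * @return whatever {@link ClusterAccessProcessor#process} returns for the pair
     */
    public ClusterAccessInfo listManagedClustersForPrincipal(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, MdsScope mdsScope) {
        Scope scope = resolveScope(securityContext, mdsScope);
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);
        return this.clusterAccessProcessor.process(kafkaPrincipal, scope);
    }

    /**
     * The principal's managed role bindings at one scope, optionally narrowed to one resource type.
     *
     * @param securityContext the calling user's context; a user may always query themself
     * @param kafkaPrincipal principal whose bindings are built
     * @param resourceTypeName resource type to restrict to, or {@code null} for {@link ResourceType#ALL}
     * @param mdsScope scope to look in
     * @return the bindings as assembled by {@link ManagedRoleBindingsBuilder}
     */
    public ManagedRoleBindings managedRoleBindingsForPrincipal(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, String resourceTypeName, MdsScope mdsScope) {
        Scope scope = resolveScope(securityContext, mdsScope);
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);
        ResourceType resourceType = resourceTypeName != null ? new ResourceType(resourceTypeName) : ResourceType.ALL;
        return new ManagedRoleBindingsBuilder(this.authCache).build(scope, kafkaPrincipal, resourceType);
    }

    /** Resolves the REST-level scope to an internal {@link Scope} on behalf of the calling user. */
    private Scope resolveScope(SecurityContext securityContext, MdsScope mdsScope) {
        return this.mdsScopeConverter.getScope(mdsScope, SecurityMetadataAuthorizer.userPrincipal(securityContext));
    }

    /**
     * The principal itself plus, for a {@code User} principal only, every group the cache reports
     * it as a member of. Other principal types are returned alone.
     */
    private Set<KafkaPrincipal> principalAndGroups(KafkaPrincipal principal) {
        Set<KafkaPrincipal> principals = new HashSet<>();
        principals.add(principal);
        if (USER_PRINCIPAL_TYPE.equals(principal.getPrincipalType())) {
            principals.addAll(this.authCache.groups(principal));
        }
        return principals;
    }

    /** Known scopes accepted by {@link ClusterType#filterScopeBy} for {@code clusterType}. */
    private Set<Scope> knownScopesOfType(ClusterType clusterType) {
        return this.authCache.knownScopes().stream()
                .filter(ClusterType.filterScopeBy(clusterType))
                .collect(Collectors.toSet());
    }

    /** A scope for a sub-cluster of the given type beneath {@code kafkaClusterId}. */
    private static Scope subClusterScope(String kafkaClusterId, String clusterType, String clusterId) {
        return new Scope.Builder(new String[0]).withKafkaCluster(kafkaClusterId).withCluster(clusterType, clusterId).build();
    }
}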
