package io.confluent.rbacapi.resources.base;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.converters.MdsScopeConverter;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.services.RoleBindingProcessing;
import io.confluent.rbacapi.validation.base.ValidationUtil;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;

/* loaded from: input_file:io/confluent/rbacapi/resources/base/OperationsResource.class */
/**
 * Resolves the operation guidelines that apply to a principal for a given resource type,
 * operation and scope, after checking that the caller may describe that principal's
 * security metadata.
 *
 * <p>Parameter names such as {@code str}/{@code str2}/{@code str3} are decompiler output and
 * are kept unchanged; their roles are documented on the method.
 */
public class OperationsResource {
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    private final RoleBindingProcessing roleBindingProcessing;
    private final ClusterRegistryService clusterRegistryService;
    private final MdsScopeConverter mdsScopeConverter;
    private final ValidationUtil validationUtil;

    /**
     * Stores the collaborators and builds the {@link MdsScopeConverter} from the cluster
     * registry service and the validation utility.
     *
     * @param roleBindingProcessing service that computes the operation guidelines
     * @param securityMetadataAuthorizer authorizer consulted before any lookup is performed
     * @param clusterRegistryService passed to the scope converter
     * @param validationUtil passed to the scope converter
     */
    public OperationsResource(RoleBindingProcessing roleBindingProcessing, SecurityMetadataAuthorizer securityMetadataAuthorizer, ClusterRegistryService clusterRegistryService, ValidationUtil validationUtil) {
        this.metadataAuthorizer = securityMetadataAuthorizer;
        this.roleBindingProcessing = roleBindingProcessing;
        this.validationUtil = validationUtil;
        this.clusterRegistryService = clusterRegistryService;
        this.mdsScopeConverter = new MdsScopeConverter(clusterRegistryService, validationUtil);
    }

    /**
     * Authorizes the caller and then asks {@link RoleBindingProcessing} for the guidelines of
     * one principal / resource type / operation combination.
     *
     * @param securityContext request security context identifying the caller
     * @param str resource type name; the {@code ResourceType.ALL} name is rejected
     *     (case-insensitively)
     * @param str2 principal string, parsed with {@code SecurityUtils.parseKafkaPrincipal}
     * @param str3 operation name, wrapped in an {@link Operation}
     * @param mdsScope caller-supplied scope, converted to a {@link Scope} for the caller
     * @return whatever {@code RoleBindingProcessing.guidelines} returns for these arguments
     * @throws RuntimeException if {@code str} names the {@code ALL} resource type
     */
    public RoleBindingProcessing.OperationGuidelines lookupPrincipalsWithRoleOnResource(SecurityContext securityContext, String str, String str2, String str3, MdsScope mdsScope) {
        KafkaPrincipal targetPrincipal = SecurityUtils.parseKafkaPrincipal(str2);
        // The scope comes from request data; it is resolved against the authenticated caller.
        KafkaPrincipal caller = SecurityMetadataAuthorizer.userPrincipal(securityContext);
        Scope resolvedScope = this.mdsScopeConverter.getScope(mdsScope, caller);

        // The authorizer's result is not inspected here, so a denial has to surface as an
        // exception for this check to be enforced.
        // NOTE(review): confirm the authorizer throws on deny, and that "AllowDescribeSelf"
        // only relaxes the check when the target principal is the caller.
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, resolvedScope, targetPrincipal, SecurityMetadataAuthorizer.DESCRIBE);

        // Input validation runs after authorization, so an unauthorized caller reaches the
        // authorizer before any validation feedback on the resource type.
        String wildcardTypeName = ResourceType.ALL.name();
        boolean isWildcardType = str.equalsIgnoreCase(wildcardTypeName);
        if (isWildcardType) {
            // NOTE(review): the message echoes the caller-supplied value; if it is returned to
            // the client or logged, verify it is encoded downstream. How a bare
            // RuntimeException maps to an HTTP status is not visible from this class.
            throw new RuntimeException("Invalid resource type: " + str);
        }

        ResourceType resourceType = new ResourceType(str);
        Operation operation = new Operation(str3);
        return this.roleBindingProcessing.guidelines(targetPrincipal, resourceType, resolvedScope, operation);
    }
}
