package io.confluent.rbacapi.resources.v2;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.cloud.rbac.CloudScope;
import io.confluent.cloud.rbac.V2CloudRbacStorageService;
import io.confluent.crn.ConfluentServerCrnAuthority;
import io.confluent.crn.CrnSyntaxException;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ResourcesRequest;
import io.confluent.rbacapi.resources.base.PrincipalsResource;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.services.FeatureConfigurationService;
import io.confluent.rbacapi.validation.common.ValidPrincipal;
import io.confluent.rbacapi.validation.common.ValidRole;
import io.confluent.rbacapi.validation.v2.V2ValidMdsScope;
import io.confluent.rbacapi.validation.v2.V2ValidationUtil;
import io.confluent.rest.annotations.PerformanceMetric;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authorizer.ResourcePattern;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.utils.SecurityUtils;
import utils.ConfluentCloudRoles;

@Path("/v2alpha1/principals")
/**
 * v2alpha1 REST surface for principal role bindings.
 *
 * <p>Every endpoint forwards to a {@link PrincipalsResource} delegate built with
 * {@link V2ValidationUtil}. Before delegating, this class applies two extra,
 * cloud-specific policies that the visible code establishes:
 * <ul>
 *   <li>an organization-wide role-binding quota, enforced only when a
 *       {@link V2CloudRbacStorageService} was supplied (a {@code null} storage
 *       service disables the quota);</li>
 *   <li>a self-lockout guard that stops a caller from deleting its own
 *       {@code ROLE_ORG_ADMIN} binding via the single-role delete endpoint.</li>
 * </ul>
 * Request validation is declared through the {@code @ValidPrincipal},
 * {@code @ValidRole} and {@code @V2ValidMdsScope} annotations; what they
 * guarantee is not visible here.
 */
public class V2PrincipalsResource {
    // HTTP status used when the organization's binding quota would be exceeded.
    private static final int QUOTA_EXCEEDED_STATUS = 402;
    private static final String QUOTA_EXCEEDED_MESSAGE = "Too many role bindings in organization.";

    private final PrincipalsResource delegate;
    private final V2CloudRbacStorageService storageService;
    private final FeatureConfigurationService featureConfigurationService;

    /**
     * Builds the resource and its underlying {@link PrincipalsResource} delegate.
     *
     * @param authStore                    auth store handed to the delegate
     * @param securityMetadataAuthorizer   authorizer handed to the delegate
     * @param j                            numeric setting passed straight to the delegate
     *                                     (its meaning is not visible here)
     * @param clusterRegistryService       cluster registry handed to the delegate
     * @param confluentServerCrnAuthority  CRN authority handed to the delegate
     * @param objectMapper                 JSON mapper handed to the delegate
     * @param v2CloudRbacStorageService    storage used for the organization quota;
     *                                     may be {@code null}, which disables the quota
     * @param featureConfigurationService  source of the per-organization binding limit
     */
    public V2PrincipalsResource(AuthStore authStore, SecurityMetadataAuthorizer securityMetadataAuthorizer, long j, ClusterRegistryService clusterRegistryService, ConfluentServerCrnAuthority confluentServerCrnAuthority, ObjectMapper objectMapper, V2CloudRbacStorageService v2CloudRbacStorageService, FeatureConfigurationService featureConfigurationService) {
        PrincipalsResource inner = new PrincipalsResource(
                authStore,
                securityMetadataAuthorizer,
                j,
                clusterRegistryService,
                new V2ValidationUtil(),
                confluentServerCrnAuthority,
                objectMapper);
        this.delegate = inner;
        this.storageService = v2CloudRbacStorageService;
        this.featureConfigurationService = featureConfigurationService;
    }

    /** Organization resource id derived from the request scope (via {@link CloudScope}). */
    private static String organizationOf(MdsScope scope) {
        return CloudScope.organizationResourceId(scope.scope());
    }

    /** Whether quota enforcement is active for this instance. */
    private boolean quotaEnabled() {
        return this.storageService != null;
    }

    /** The 402 error raised when an organization's binding quota is hit. */
    private static ClientErrorException quotaExceeded() {
        return new ClientErrorException(QUOTA_EXCEEDED_MESSAGE, QUOTA_EXCEEDED_STATUS);
    }

    /**
     * Grants one cluster-level role to a principal.
     *
     * <p>When quota enforcement is active, the request is rejected with 402 if the
     * organization already holds at least as many bindings as its configured limit.
     *
     * @param securityContext caller identity
     * @param str             principal receiving the role
     * @param str2            role name
     * @param mdsScope        scope of the binding
     * @throws ClientErrorException with status 402 when the organization quota is reached
     */
    @Path("{principal:.*}/roles/{roleName}")
    @Consumes({"application/json"})
    @POST
    @PerformanceMetric("v2.add.cluster.role.for.principal")
    public void addClusterRoleForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String str, @ValidRole @PathParam("roleName") String str2, @V2ValidMdsScope MdsScope mdsScope) throws InterruptedException, ExecutionException, TimeoutException {
        if (quotaEnabled()) {
            String orgId = organizationOf(mdsScope);
            // The count is read and compared here, then the delegate writes; there is no
            // atomicity between the two, so concurrent requests can each pass the check.
            boolean atLimit = this.storageService.countOrganizationCloudRoleBindings(orgId)
                    >= this.featureConfigurationService.organizationRoleBindingLimit(orgId);
            if (atLimit) {
                throw quotaExceeded();
            }
        }
        this.delegate.addClusterRoleForPrincipal(securityContext, str, str2, mdsScope);
    }

    /**
     * Removes one role from a principal.
     *
     * <p>A caller may not remove its own {@code ROLE_ORG_ADMIN} binding through this
     * endpoint; such a request is rejected with 400 before reaching the delegate.
     *
     * @param securityContext caller identity
     * @param str             principal losing the role
     * @param str2            role name
     * @param mdsScope        scope of the binding
     * @throws ClientErrorException with status 400 on an attempted self-removal of OrganizationAdmin
     */
    @Path("{principal:.*}/roles/{roleName}")
    @Consumes({"application/json"})
    @DELETE
    @PerformanceMetric("v2.delete.role.for.principal")
    public void deleteRoleForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String str, @ValidRole @PathParam("roleName") String str2, @V2ValidMdsScope MdsScope mdsScope) throws InterruptedException, ExecutionException, TimeoutException {
        // Evaluate the caller/target comparison first, as the original did, so any
        // parse failure surfaces before the role-name check.
        boolean targetIsCaller = SecurityMetadataAuthorizer.userPrincipal(securityContext)
                .equals(SecurityUtils.parseKafkaPrincipal(str));
        if (targetIsCaller && ConfluentCloudRoles.ROLE_ORG_ADMIN.equals(str2)) {
            throw new ClientErrorException("Cannot remove your own OrganizationAdmin role.", 400);
        }
        this.delegate.deleteRoleForPrincipal(securityContext, str, str2, mdsScope);
    }

    /**
     * Removes every role a principal holds in the given scope.
     *
     * <p>NOTE(review): this endpoint applies no self-lockout guard of its own, unlike
     * {@link #deleteRoleForPrincipal}; whether the delegate prevents a caller from
     * dropping its own OrganizationAdmin binding this way is not visible here — confirm.
     *
     * @param securityContext caller identity
     * @param str             principal whose roles are removed
     * @param mdsScope        scope in which roles are removed
     * @param str2            optional {@code transactionId} query parameter, passed through unchanged
     */
    @Path("{principal:.*}/roles")
    @Consumes({"application/json"})
    @DELETE
    @PerformanceMetric("v2.delete.all.roles.for.principal")
    public void deleteAllRolesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String str, @V2ValidMdsScope MdsScope mdsScope, @QueryParam("transactionId") String str2) throws InterruptedException, ExecutionException, TimeoutException, CrnSyntaxException, JsonProcessingException {
        this.delegate.deleteAllRolesForPrincipal(securityContext, str, mdsScope, str2);
    }

    /**
     * Lists the resource patterns bound to a principal under one role.
     *
     * @param securityContext caller identity
     * @param str             principal being queried
     * @param str2            role name
     * @param mdsScope        scope of the query
     * @return the resource patterns reported by the delegate
     */
    @Path("{principal:.*}/roles/{roleName}/resources")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v2.get.role.resources.for.principal")
    public List<ResourcePattern> getRoleResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String str, @ValidRole @PathParam("roleName") String str2, @V2ValidMdsScope MdsScope mdsScope) {
        List<ResourcePattern> patterns = this.delegate.getRoleResourcesForPrincipal(securityContext, str, str2, mdsScope);
        return patterns;
    }

    /**
     * Adds resource-level bindings for a principal under one role.
     *
     * <p>When quota enforcement is active, the request is rejected with 402 if the
     * organization's current binding count plus the number of requested patterns
     * would exceed its configured limit.
     *
     * <p>NOTE(review): {@code resourcesRequest.mdsScope} and
     * {@code resourcesRequest.resourcePatterns} are dereferenced without a null
     * check; the {@code ResourcesRequest} parameter carries no validation annotation
     * here, so presumably the class itself is validated — confirm.
     *
     * @param securityContext  caller identity
     * @param str              principal receiving the bindings
     * @param str2             role name
     * @param resourcesRequest scope plus the resource patterns to bind
     * @throws ClientErrorException with status 402 when the organization quota would be exceeded
     */
    @Path("{principal:.*}/roles/{roleName}/bindings")
    @Consumes({"application/json"})
    @POST
    @PerformanceMetric("v2.add.role.resources.for.principal")
    public void addRoleResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String str, @ValidRole @PathParam("roleName") String str2, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        if (quotaEnabled()) {
            String orgId = organizationOf(resourcesRequest.mdsScope);
            int requested = resourcesRequest.resourcePatterns.size();
            // Same check-then-act window as in addClusterRoleForPrincipal.
            boolean wouldExceed = this.storageService.countOrganizationCloudRoleBindings(orgId) + requested
                    > this.featureConfigurationService.organizationRoleBindingLimit(orgId);
            if (wouldExceed) {
                throw quotaExceeded();
            }
        }
        this.delegate.addRoleResourcesForPrincipal(securityContext, str, str2, resourcesRequest);
    }

    /**
     * Removes resource-level bindings for a principal under one role.
     *
     * @param securityContext  caller identity
     * @param str              principal losing the bindings
     * @param str2             role name
     * @param resourcesRequest scope plus the resource patterns to unbind
     */
    @Path("{principal:.*}/roles/{roleName}/bindings")
    @Consumes({"application/json"})
    @DELETE
    @PerformanceMetric("v2.delete.role.resources.for.principal")
    public void deleteRoleResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String str, @ValidRole @PathParam("roleName") String str2, ResourcesRequest resourcesRequest) throws InterruptedException, ExecutionException, TimeoutException {
        this.delegate.deleteRoleResourcesForPrincipal(securityContext, str, str2, resourcesRequest);
    }
}
