package io.confluent.rbacapi.services;

import io.confluent.rbacapi.entities.ClusterAccessInfo;
import io.confluent.rbacapi.entities.ClusterAccessInfoBuilder;
import io.confluent.rbacapi.entities.ResourceTypes;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.rbacapi.utils.V1RoleAdminCheatUtil;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Scope;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/services/ClusterAccessProcessor.class */
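/**
 * Builds the {@link ClusterAccessInfo} summary for one principal on one cluster scope, derived
 * from the principal's RBAC role bindings held in the {@link AuthCache}.
 *
 * <p>Only bindings whose role passes {@code RoleAccessUtils.filterByDescribeOrAlterAccess()} are
 * considered. A role that is not bound to resources contributes cluster-level access; any other
 * role contributes per-resource-type access for the resource types valid on the cluster.
 *
 * <p>NOTE(review): the operations reported per role come from the static tables in
 * {@code V1RoleAdminCheatUtil}, while the role names come from {@code authCache.rbacRoles()}.
 * If the two sources drift, the reported access may differ from what the authorizer enforces;
 * confirm this summary is never used as an authorization decision.
 */
public class ClusterAccessProcessor {
    private final AuthCache authCache;
    // Names of roles accepted by RoleAccessUtils.filterByDescribeOrAlterAccess().
    private final Set<String> managementRoleNames;
    // Names of roles for which bindWithResource() is false (cluster-level roles).
    private final Set<String> clusterRoleNames;
    // Role name -> access entries reported for a cluster-level role.
    private final Map<String, Set<String>> clusterRoleAccessDefinitions = V1RoleAdminCheatUtil.CLUSTER_ROLE_ACCESS;
    // "<role>-<resourceType>" -> access entries reported for a resource-level role.
    private final Map<String, Set<String>> resourceRoleAccessDefinitions = V1RoleAdminCheatUtil.RESOURCE_ROLE_ACCESS;

    /**
     * Snapshots the role-name sets from the cache's role definitions.
     *
     * <p>Both sets are computed once here and never refreshed, so role definitions that change
     * in the cache afterwards are not reflected by this instance.
     *
     * @param authCache source of role definitions and of the principal's role bindings
     */
    public ClusterAccessProcessor(AuthCache authCache) {
        this.authCache = authCache;
        this.managementRoleNames = authCache.rbacRoles().roles().stream()
            .filter(RoleAccessUtils.filterByDescribeOrAlterAccess())
            .map(role -> role.name())
            .collect(Collectors.toSet());
        this.clusterRoleNames = authCache.rbacRoles().roles().stream()
            .filter(role -> !role.bindWithResource())
            .map(role -> role.name())
            .collect(Collectors.toSet());
    }

    /**
     * Computes the access summary of {@code kafkaPrincipal} on {@code scope}.
     *
     * @param kafkaPrincipal principal whose role bindings are looked up
     * @param scope the single scope the bindings are queried for
     * @return the built summary; when the principal has no bindings on the scope, or none with a
     *     management role, this is whatever the builder produces with nothing added to it
     */
    public ClusterAccessInfo process(KafkaPrincipal kafkaPrincipal, Scope scope) {
        Set<String> resourceTypes = ResourceTypes.getResourceTypes(ClusterType.of(scope));
        ClusterAccessInfoBuilder builder = new ClusterAccessInfoBuilder(resourceTypes);
        // An empty binding set simply yields an untouched builder, so no separate early return
        // is needed; chaining also keeps the element type inferred instead of a raw Set.
        this.authCache.rbacRoleBindings(kafkaPrincipal, Collections.singleton(scope)).stream()
            .filter(binding -> this.managementRoleNames.contains(binding.role()))
            .forEach(binding -> {
                String role = binding.role();
                if (this.clusterRoleNames.contains(role)) {
                    // A role missing from the table adds the empty set, i.e. no access.
                    builder.addClusterAccess(
                        this.clusterRoleAccessDefinitions.getOrDefault(role, Collections.emptySet()));
                    return;
                }
                // Only the resource *type* is carried forward: the pattern's name and match type
                // are not consulted here, so the result is per type, not per individual resource.
                binding.resources().stream()
                    .map(pattern -> pattern.resourceType().toString())
                    // Drop resource types that are not valid for this cluster type.
                    .filter(resourceTypes::contains)
                    .forEach(type -> builder.addResourceAccess(
                        type,
                        // An unknown "<role>-<type>" key adds the empty set, i.e. no access.
                        this.resourceRoleAccessDefinitions.getOrDefault(role + "-" + type, Collections.emptySet())));
            });
        return builder.build();
    }
}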
