package io.confluent.rbacapi.services;

import com.google.common.collect.ImmutableSet;
import io.confluent.rbacapi.services.ResourceTypePermissions;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.Role;
import io.confluent.security.rbac.RoleBinding;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/services/ClusterPermissionsBuilder.class */
public class ClusterPermissionsBuilder {
    private static final String ALL = "All";
    private static final String DESCRIBE_ACCESS = "DescribeAccess";
    private static final String ALTER_ACCESS = "AlterAccess";
    private static final Set<String> FILTER_OPERATIONS = ImmutableSet.of("All", "DescribeAccess", "AlterAccess");
    private static final ResourcePattern KAFKA_CLUSTER_RESOURCE = new ResourcePattern(new ResourceType("Cluster"), "kafka-cluster", PatternType.LITERAL);

    public ClusterPermissions build(Map<String, Role> map, Collection<KafkaPrincipal> collection, Scope scope, ResourceType resourceType, Collection<RoleBinding> collection2) {
        HashMap hashMap = new HashMap();
        for (RoleBinding roleBinding : collection2) {
            if (roleBinding.scope().equals(scope) && collection.contains(roleBinding.principal()) && map.containsKey(roleBinding.role())) {
                Role role = map.get(roleBinding.role());
                if (role.bindWithResource()) {
                    for (ResourcePattern resourcePattern : roleBinding.resources()) {
                        if (resourceType.equals(ResourceType.ALL) || resourcePattern.resourceType().equals(resourceType)) {
                            if (RoleAccessUtils.hasDescribeAccess(role, resourcePattern.resourceType())) {
                                hashMap.computeIfAbsent(resourcePattern.resourceType(), resourceType2 -> {
                                    return ResourceTypePermissions.builder(resourceType2);
                                });
                                boolean hasAlterAccess = RoleAccessUtils.hasAlterAccess(role, resourcePattern.resourceType());
                                HashSet hashSet = new HashSet((Collection) ImmutableSet.of("DescribeAccess"));
                                if (hasAlterAccess) {
                                    hashSet.add("AlterAccess");
                                }
                                ((ResourceTypePermissions.Builder) hashMap.get(resourcePattern.resourceType())).putResourceOperations(resourcePattern.name(), resourcePattern.patternType(), hashSet);
                            }
                        }
                    }
                } else {
                    addAllRoleOperations(role, hashMap);
                }
            }
        }
        return new ClusterPermissions(buildResourceTypePermissions(hashMap));
    }

    private static void addAllRoleOperations(Role role, Map<ResourceType, ResourceTypePermissions.Builder> map) {
        role.flatAccessPolicies().stream().flatMap(accessPolicy -> {
            return accessPolicy.allowedOperations().stream();
        }).filter(resourceOperations -> {
            return FILTER_OPERATIONS.stream().anyMatch(str -> {
                return resourceOperations.operations().contains(str);
            });
        }).forEach(resourceOperations2 -> {
            ResourceType resourceType = new ResourceType(resourceOperations2.resourceType());
            map.computeIfAbsent(resourceType, resourceType2 -> {
                return ResourceTypePermissions.builder(resourceType2);
            });
            ((ResourceTypePermissions.Builder) map.get(resourceType)).addClusterOperations(resourceOperations2.operations());
        });
    }

    private static boolean isKafkaCluster(Scope scope) {
        return ClusterType.filterScopeBy(ClusterType.KAFKA_CLUSTER).test(scope);
    }

    private static Map<ResourceType, ResourceTypePermissions> buildResourceTypePermissions(Map<ResourceType, ResourceTypePermissions.Builder> map) {
        return (Map) map.values().stream().map(builder -> {
            return builder.build();
        }).collect(Collectors.toMap(resourceTypePermissions -> {
            return resourceTypePermissions.getResourceType();
        }, resourceTypePermissions2 -> {
            return resourceTypePermissions2;
        }));
    }
}
