package io.confluent.rbacapi.services;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.annotations.VisibleForTesting;
import com.googlecode.concurrenttrees.radix.node.concrete.DefaultCharArrayNodeFactory;
import com.googlecode.concurrenttrees.radixinverted.ConcurrentInvertedRadixTree;
import com.googlecode.concurrenttrees.radixinverted.InvertedRadixTree;
import io.confluent.rbacapi.app.CCRbacConfig;
import io.confluent.rbacapi.comparators.MdsResourcePatternComparator;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/services/RoleBindingProcessing.class */
public class RoleBindingProcessing {
    private final Authorizer authorizer;
    private final AuthCache authCache;

    /* loaded from: input_file:io/confluent/rbacapi/services/RoleBindingProcessing$OperationGuidelines.class */
    public static class OperationGuidelines {

        @JsonProperty
        public final OperationsResult operationsResult;

        @JsonProperty
        public final List<ResourcePattern> resourcePatterns;

        @JsonCreator
        public OperationGuidelines(@JsonProperty("result") OperationsResult operationsResult, @JsonProperty("resourcePatterns") List<ResourcePattern> list) {
            this.operationsResult = operationsResult;
            this.resourcePatterns = list;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            OperationGuidelines operationGuidelines = (OperationGuidelines) obj;
            return this.operationsResult == operationGuidelines.operationsResult && Objects.equals(this.resourcePatterns, operationGuidelines.resourcePatterns);
        }

        public int hashCode() {
            return Objects.hash(this.operationsResult, this.resourcePatterns);
        }
    }

    /* loaded from: input_file:io/confluent/rbacapi/services/RoleBindingProcessing$OperationsResult.class */
    public enum OperationsResult {
        ANY,
        SOME,
        NONE
    }

    public RoleBindingProcessing(Authorizer authorizer, AuthCache authCache) {
        this.authorizer = authorizer;
        this.authCache = authCache;
    }

    public OperationGuidelines guidelines(KafkaPrincipal kafkaPrincipal, ResourceType resourceType, Scope scope, Operation operation) {
        if (((AuthorizeResult) this.authorizer.authorize(kafkaPrincipal, CCRbacConfig.LAUNCHDARKLY_SDK_KEY_DEFAULT, Collections.singletonList(new Action(scope, resourceType, "*", operation))).get(0)) == AuthorizeResult.ALLOWED) {
            return new OperationGuidelines(OperationsResult.ANY, Collections.emptyList());
        }
        HashSet hashSet = new HashSet();
        hashSet.add(kafkaPrincipal);
        if (StringUtils.equals("User", kafkaPrincipal.getPrincipalType())) {
            hashSet.addAll(this.authCache.groups(kafkaPrincipal));
        }
        Set set = (Set) this.authCache.rbacRoles().roles().stream().filter(role -> {
            return role.flatAccessPolicies().stream().anyMatch(accessPolicy -> {
                return accessPolicy.bindWithResource() && accessPolicy.allowedOperations(resourceType).contains(operation);
            });
        }).map((v0) -> {
            return v0.name();
        }).collect(Collectors.toSet());
        List list = (List) this.authCache.rbacRoleBindings(scope).stream().filter(roleBinding -> {
            return set.contains(roleBinding.role());
        }).filter(roleBinding2 -> {
            return hashSet.contains(roleBinding2.principal());
        }).flatMap(roleBinding3 -> {
            return roleBinding3.resources().stream();
        }).filter(resourcePattern -> {
            return resourceType.equals(resourcePattern.resourceType());
        }).distinct().collect(Collectors.toList());
        if (list.size() == 0) {
            return new OperationGuidelines(OperationsResult.NONE, Collections.emptyList());
        }
        List<ResourcePattern> squashPatterns = squashPatterns(list);
        squashPatterns.sort(MdsResourcePatternComparator.getInstance());
        return new OperationGuidelines(OperationsResult.SOME, squashPatterns);
    }

    @VisibleForTesting
    public static List<ResourcePattern> squashPatterns(List<ResourcePattern> list) {
        if (list.size() <= 1) {
            return list;
        }
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        for (ResourcePattern resourcePattern : list) {
            if (PatternType.LITERAL.equals(resourcePattern.patternType())) {
                arrayList2.add(resourcePattern);
            } else if (PatternType.PREFIXED.equals(resourcePattern.patternType())) {
                arrayList.add(resourcePattern);
            }
        }
        if (arrayList2.size() == 0 || arrayList.size() == 0) {
            return list;
        }
        ConcurrentInvertedRadixTree concurrentInvertedRadixTree = new ConcurrentInvertedRadixTree(new DefaultCharArrayNodeFactory());
        arrayList.forEach(resourcePattern2 -> {
        });
        List<ResourcePattern> squashPrefixes = squashPrefixes(concurrentInvertedRadixTree, arrayList);
        squashPrefixes.addAll(squashLiterals(concurrentInvertedRadixTree, arrayList2));
        return squashPrefixes;
    }

    private static List<ResourcePattern> squashPrefixes(InvertedRadixTree<ResourcePattern> invertedRadixTree, List<ResourcePattern> list) {
        return (List) list.stream().filter(resourcePattern -> {
            return findPattern(invertedRadixTree, resourcePattern);
        }).collect(Collectors.toList());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean findPattern(InvertedRadixTree<ResourcePattern> invertedRadixTree, ResourcePattern resourcePattern) {
        Iterator it = invertedRadixTree.getValuesForKeysPrefixing(resourcePattern.name()).iterator();
        if (it.hasNext()) {
            return !it.hasNext() && resourcePattern.equals((ResourcePattern) it.next());
        }
        return false;
    }

    private static List<ResourcePattern> squashLiterals(InvertedRadixTree<ResourcePattern> invertedRadixTree, List<ResourcePattern> list) {
        return (List) list.stream().filter(resourcePattern -> {
            return !invertedRadixTree.getKeysPrefixing(resourcePattern.name()).iterator().hasNext();
        }).collect(Collectors.toList());
    }
}
