package io.confluent.rbacapi.app;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.auditlog.emitter.auditlogger.AuditLogger;
import io.confluent.auditlog.emitter.auditlogger.InitParams;
import io.confluent.auditlog.emitter.telemetry.NoOpTelemetry;
import io.confluent.auditlog.emitter.telemetry.OpenTelemetry;
import io.confluent.auditlog.emitter.transport.KafkaTransport;
import io.confluent.auditlog.emitter.transport.KafkaTransportOptions;
import io.confluent.auditlog.emitter.transport.NoOpTransport;
import io.confluent.auditlog.emitter.utils.AuditLoggerUtils;
import io.confluent.auditlog.emitter.utils.IdentityParams;
import io.confluent.rbacapi.services.CloudFeatureConfigurationService;
import io.confluent.rbacapi.services.FeatureConfigurationService;
import io.confluent.rbacdb.provider.ControlPlaneDBProvider;
import io.confluent.security.audit.router.AuditLogRouterJsonConfig;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.provider.ldap.LdapAuthenticateCallbackHandler;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.EmbeddedAuthorizer;
import io.confluent.tokenapi.jwt.JwtProvider;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.LogManager;
import java.util.stream.Collectors;
import org.apache.kafka.clients.admin.ConfluentAdmin;
import org.apache.kafka.common.ClusterResource;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.metrics.JmxReporter;
import org.apache.kafka.common.metrics.KafkaMetricsContext;
import org.apache.kafka.common.metrics.MetricConfig;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.audit.AuditLogProvider;
import org.apache.kafka.server.audit.AuditLogProviderFactory;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.bridge.SLF4JBridgeHandler;

/* loaded from: input_file:io/confluent/rbacapi/app/CCRbac.class */
public class CCRbac {
    private static final Logger log = LoggerFactory.getLogger(CCRbac.class);
    private final AtomicInteger lifecycleState;
    public static final int RUNNING = 2;
    private static final int CLOSING = 1;
    private static final int CLOSED = 0;
    private static final long CLOSE_GRACE_PERIOD_MS = 15000;
    private volatile RbacApiApplication app;
    public EmbeddedAuthorizer embeddedAuthorizer;
    private FeatureConfigurationService featureConfigurationService;
    private Metrics ccRbacMetrics;
    private AppFactory appFactory;

    /* loaded from: input_file:io/confluent/rbacapi/app/CCRbac$AppFactory.class */
    public static class AppFactory {
        public RbacApiApplication getApp(RbacApiAppConfig rbacApiAppConfig, Authorizer authorizer, AuthStore authStore, JwtProvider jwtProvider, AuthenticateCallbackHandler authenticateCallbackHandler, String str, ConfluentAdmin confluentAdmin, FeatureConfigurationService featureConfigurationService, AuditLogger auditLogger) {
            return new RbacApiApplication(rbacApiAppConfig, authorizer, authStore, jwtProvider, authenticateCallbackHandler, str, confluentAdmin, featureConfigurationService, auditLogger);
        }
    }

    public boolean isRunning() {
        return this.lifecycleState.get() == 2;
    }

    private static ConfluentAuthorizerServerInfo makeServerInfo(Map<String, Object> map, final Metrics metrics, final List<String> list) {
        final AuditLogProvider create = AuditLogProviderFactory.create(map, CCRbacConfig.LAUNCHDARKLY_SDK_KEY_DEFAULT);
        create.setMetrics(metrics);
        final Endpoint endpoint = new Endpoint("PLAINTEXT", SecurityProtocol.PLAINTEXT, "127.0.0.1", 9092);
        return new ConfluentAuthorizerServerInfo() { // from class: io.confluent.rbacapi.app.CCRbac.1
            public ClusterResource clusterResource() {
                return new ClusterResource("not_a_kafka_cluster");
            }

            public int brokerId() {
                return 0;
            }

            public Collection<Endpoint> endpoints() {
                return Collections.singleton(endpoint);
            }

            public Endpoint interBrokerEndpoint() {
                return endpoint;
            }

            public Collection<String> earlyStartListeners() {
                return Collections.emptyList();
            }

            public Metrics metrics() {
                return metrics;
            }

            public AuditLogProvider auditLogProvider() {
                return create;
            }

            public List<String> additionalRoleDefFiles() {
                return list;
            }
        };
    }

    private void setupMetrics() {
        JmxReporter jmxReporter = new JmxReporter();
        this.ccRbacMetrics = new Metrics(new MetricConfig(), Collections.singletonList(jmxReporter), Time.SYSTEM, new KafkaMetricsContext("cc-rbac", Collections.emptyMap()));
    }

    public CCRbac() {
        this(null, null);
    }

    @VisibleForTesting
    public CCRbac(AppFactory appFactory) {
        this(null, appFactory);
    }

    @VisibleForTesting
    public CCRbac(FeatureConfigurationService featureConfigurationService) {
        this(featureConfigurationService, null);
    }

    @VisibleForTesting
    public CCRbac(FeatureConfigurationService featureConfigurationService, AppFactory appFactory) {
        this.lifecycleState = new AtomicInteger(0);
        this.featureConfigurationService = null;
        this.featureConfigurationService = featureConfigurationService;
        this.appFactory = appFactory == null ? new AppFactory() : appFactory;
    }

    @VisibleForTesting
    public static List<String> validateFiles(List<String> list) {
        return (List) list.stream().filter(CCRbac::isFile).collect(Collectors.toList());
    }

    @VisibleForTesting
    public static boolean isFile(String str) {
        if (CCRbac.class.getClassLoader().getResource(str) != null) {
            return true;
        }
        log.warn("Specified additional role file " + str + " does not exist.");
        return false;
    }

    public void run(CCRbacConfig cCRbacConfig) throws Exception {
        setupMetrics();
        AuthenticateCallbackHandler authenticateCallbackHandler = null;
        Map<String, Object> ldapProps = cCRbacConfig.getLdapProps();
        if (cCRbacConfig.getUserStore().equals(RbacApiAppConfig.MDS_USER_STORE_LDAP)) {
            authenticateCallbackHandler = new LdapAuthenticateCallbackHandler();
            authenticateCallbackHandler.configure(ldapProps, "PLAIN", Collections.emptyList());
        }
        this.embeddedAuthorizer = new EmbeddedAuthorizer();
        FeatureConfigurationService cloudFeatureConfigurationService = this.featureConfigurationService == null ? new CloudFeatureConfigurationService(cCRbacConfig, this.ccRbacMetrics) : this.featureConfigurationService;
        List<String> validateFiles = validateFiles(cloudFeatureConfigurationService.additionalRoleDefFiles());
        if (!validateFiles.isEmpty()) {
            log.info("Booting cc-rbac with these additional RoleDef files : " + validateFiles);
        }
        Map<String, Object> mdsProps = cCRbacConfig.getMdsProps();
        ConfluentAuthorizerServerInfo makeServerInfo = makeServerInfo(mdsProps, this.ccRbacMetrics, validateFiles);
        this.embeddedAuthorizer.configure(mdsProps);
        this.embeddedAuthorizer.configureServerInfo(makeServerInfo);
        this.embeddedAuthorizer.start(makeServerInfo, mdsProps, () -> {
        }).join();
        AuditLogger auditLogger = setupAuditLogger(cCRbacConfig);
        ControlPlaneDBProvider accessRuleProvider = this.embeddedAuthorizer.accessRuleProvider("NO_KAFKA_MDS_DB");
        this.app = this.appFactory.getApp(new RbacApiAppConfig(mdsProps), accessRuleProvider.createRbacAuthorizer(), accessRuleProvider.authStore(), new JwtProvider(), authenticateCallbackHandler, "no_kafka_cluster_id", null, cloudFeatureConfigurationService, auditLogger);
        this.app.start();
        log.info("Started CC RBAC");
        synchronized (this.lifecycleState) {
            this.lifecycleState.set(2);
            while (this.lifecycleState.get() == 2) {
                this.lifecycleState.wait();
            }
        }
        log.info("Starting graceful shutdown...");
        try {
            this.app.stop();
            if (this.embeddedAuthorizer != null) {
                this.embeddedAuthorizer.close();
            }
            synchronized (this.lifecycleState) {
                this.lifecycleState.set(0);
                this.lifecycleState.notifyAll();
            }
            log.info("Completed graceful shutdown.");
        } catch (Throwable th) {
            if (this.embeddedAuthorizer != null) {
                this.embeddedAuthorizer.close();
            }
            throw th;
        }
    }

    private AuditLogger setupAuditLogger(CCRbacConfig cCRbacConfig) {
        AuditLogger auditLogger;
        String string = cCRbacConfig.getString(CCRbacConfig.V2_EVENT_LOGGER_USER);
        String value = cCRbacConfig.getPassword(CCRbacConfig.V2_EVENT_LOGGER_PASS).value();
        String str = null;
        try {
            str = AuditLogRouterJsonConfig.load(cCRbacConfig.getString("confluent.security.event.router.config")).bootstrapServers();
        } catch (Exception e) {
            log.debug("Unable to parse auditLogs routing configuration.", e);
        }
        Boolean bool = cCRbacConfig.getBoolean("confluent.security.event.logger.enable");
        IdentityParams build = IdentityParams.builder().serviceName("cc-rbac").build();
        if (!bool.booleanValue() || str == null || string == null || value == null) {
            log.info("Proceeding with NoOpTransport AuditLogger object due to missing parameters.");
            auditLogger = new AuditLogger(new InitParams(build, new NoOpTransport(), new NoOpTelemetry()));
        } else {
            Map minimalKafkaConfig = AuditLoggerUtils.minimalKafkaConfig(str, string, value);
            String string2 = cCRbacConfig.getString(CCRbacConfig.EVENT_LOGGER_PROTOCOL);
            String string3 = cCRbacConfig.getString(CCRbacConfig.EVENT_LOGGER_SASL_MECHANISM);
            if (string2 != null && !string2.isEmpty() && string3 != null && !string3.isEmpty()) {
                minimalKafkaConfig.put("producer.security.protocol", string2);
                minimalKafkaConfig.put("producer.sasl.mechanism", string3);
            }
            auditLogger = new AuditLogger(new InitParams(build, new KafkaTransport(new KafkaTransportOptions(minimalKafkaConfig)), new OpenTelemetry()));
            log.info("AuditLogger object successfully initialized.");
        }
        return auditLogger;
    }

    @VisibleForTesting
    public int getCCRbacPort() {
        if (this.app == null) {
            return -1;
        }
        return this.app.getActualMdsPort();
    }

    @VisibleForTesting
    public boolean isServerStarted() {
        if (this.app == null) {
            return false;
        }
        return this.app.isServerStarted();
    }

    @VisibleForTesting
    public RbacApiApplication getRbacApiApplication() {
        return this.app;
    }

    public void close() {
        log.info("Closing CC RBAC...");
        synchronized (this.lifecycleState) {
            if (this.lifecycleState.compareAndSet(2, 1)) {
                this.lifecycleState.notifyAll();
            }
        }
        try {
            synchronized (this.lifecycleState) {
                long currentTimeMillis = System.currentTimeMillis() + CLOSE_GRACE_PERIOD_MS;
                while (System.currentTimeMillis() < currentTimeMillis && this.lifecycleState.get() != 0) {
                    this.lifecycleState.wait(currentTimeMillis - System.currentTimeMillis());
                }
            }
            if (this.lifecycleState.get() != 0) {
                log.error("CCRbac didn't close after {} seconds.", 15L);
            }
        } catch (InterruptedException e) {
            log.info("Interrupted while waiting for shutdown. Stopping immediately.");
        }
    }

    public static void main(String[] strArr) throws Exception {
        if (strArr.length >= 2) {
            System.err.printf("CC RBAC takes at most one argument, the properties file", new Object[0]);
            System.exit(1);
        }
        String str = CCRbacConfig.LAUNCHDARKLY_SDK_KEY_DEFAULT;
        if (strArr.length == 1) {
            str = strArr[0];
        }
        CCRbacConfig loadFromFileAndEnvironment = CCRbacConfig.loadFromFileAndEnvironment(str);
        CCRbac cCRbac = new CCRbac();
        Runtime runtime = Runtime.getRuntime();
        cCRbac.getClass();
        runtime.addShutdownHook(new Thread(cCRbac::close));
        cCRbac.run(loadFromFileAndEnvironment);
    }

    static {
        LogManager.getLogManager().reset();
        SLF4JBridgeHandler.install();
    }
}
