package io.confluent.auditlogapi.authorizer;

import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Supplier;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/auditlogapi/authorizer/AuditLogConfigAuthorizer.class */
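/**
 * Gates access to the audit-log configuration API.
 *
 * <p>A caller is let through only when the wrapped {@link Authorizer} returns
 * {@link AuthorizeResult#ALLOWED} for the requested operation on the {@code Cluster} resource of
 * <em>every</em> cluster in scope: the metadata cluster plus each cluster id supplied by
 * {@code managedKafkaClusterIds}. Any other outcome is treated as a denial.
 */
public class AuditLogConfigAuthorizer {
    private static final Logger log = LoggerFactory.getLogger(AuditLogConfigAuthorizer.class);
    public static final Operation DESCRIBE = new Operation("DescribeConfigs");
    public static final Operation ALTER = new Operation("AlterConfigs");
    // Wrapped read-only: this public set is the allow-list checked before any authorization call,
    // so other code must not be able to add operations to it at runtime.
    public static final Set<Operation> CONFIG_OPS = Collections.unmodifiableSet(Utils.mkSet(DESCRIBE, ALTER));
    private static final ResourcePattern CLUSTER_RESOURCE_PATTERN = new ResourcePattern("Cluster", "kafka-cluster", PatternType.LITERAL);
    private final Authorizer authorizer;
    private final String metadataClusterId;
    private final Supplier<Iterable<String>> managedKafkaClusterIds;

    /**
     * @param authorizer authorizer that evaluates each per-cluster action; must not be null
     * @param metadataClusterId id of the metadata cluster, always included in the check; must not be null
     * @param managedKafkaClusterIds supplier of the additional cluster ids, read again on every
     *     authorization call; must not be null
     * @throws NullPointerException if any argument is null
     */
    public AuditLogConfigAuthorizer(Authorizer authorizer, String metadataClusterId, Supplier<Iterable<String>> managedKafkaClusterIds) {
        this.authorizer = Objects.requireNonNull(authorizer, "authorizer");
        this.metadataClusterId = Objects.requireNonNull(metadataClusterId);
        this.managedKafkaClusterIds = Objects.requireNonNull(managedKafkaClusterIds);
    }

    /**
     * Verifies that the caller may perform {@code operation} on every cluster in scope.
     *
     * @param securityContext request security context the caller's principal is read from
     * @param operation one of {@link #CONFIG_OPS}
     * @throws IllegalArgumentException if {@code operation} is not in {@link #CONFIG_OPS}
     * @throws AuthorizationException if the authorizer does not return {@code ALLOWED} for every
     *     cluster, or does not return exactly one result per requested action
     */
    public void authorizeAuditLogConfigAccess(SecurityContext securityContext, Operation operation) {
        if (!CONFIG_OPS.contains(operation)) {
            throw new IllegalArgumentException(String.format("Unsupported operation %s, supported ops are %s", operation, CONFIG_OPS));
        }

        // A set, so a managed cluster id equal to the metadata cluster id is checked only once.
        Set<String> clusterIds = new HashSet<>();
        clusterIds.add(this.metadataClusterId);
        this.managedKafkaClusterIds.get().forEach(clusterIds::add);

        List<Action> actions = new ArrayList<>(clusterIds.size());
        for (String clusterId : clusterIds) {
            actions.add(new Action(Scope.kafkaClusterScope(clusterId), CLUSTER_RESOURCE_PATTERN, operation));
        }

        KafkaPrincipal principal = userPrincipal(securityContext);
        // NOTE(review): the host argument is an empty string, so the authorizer is not given the
        // client address - confirm no host-scoped rule is expected to apply here.
        List<AuthorizeResult> results = this.authorizer.authorize(principal, "", actions);

        // Fail closed: results are matched to actions by position, so a missing or short result
        // list would otherwise leave some clusters unchecked and let the request through.
        if (results == null || results.size() != actions.size()) {
            log.warn("Authorizer returned {} results for {} actions; denying {} for {}",
                    results == null ? "no" : String.valueOf(results.size()), actions.size(), operation, principal);
            throw new AuthorizationException(principal + " not permitted to " + operation + " on one or more clusters.");
        }

        Set<String> deniedClusterIds = new HashSet<>();
        int index = 0;
        for (AuthorizeResult result : results) {
            // Anything other than an explicit ALLOWED counts as a denial.
            if (result != AuthorizeResult.ALLOWED) {
                deniedClusterIds.add(actions.get(index).scope().clusters().get("kafka-cluster"));
            }
            index++;
        }

        if (!deniedClusterIds.isEmpty()) {
            // The denied cluster ids go to the server log only; the message returned to the caller
            // stays generic and does not list them.
            log.debug("{} denied {} on clusters {}", principal, operation, deniedClusterIds);
            throw new AuthorizationException(principal + " not permitted to " + operation + " on one or more clusters.");
        }
    }

    /**
     * Maps the request's principal to a {@code User} {@link KafkaPrincipal}.
     *
     * <p>A request with no principal is evaluated as {@link KafkaPrincipal#ANONYMOUS}, so whether
     * such a caller is admitted depends entirely on the authorizer's rules for that principal.
     */
    private KafkaPrincipal userPrincipal(SecurityContext securityContext) {
        Principal requestPrincipal = securityContext.getUserPrincipal();
        if (requestPrincipal == null) {
            return KafkaPrincipal.ANONYMOUS;
        }
        return new KafkaPrincipal("User", requestPrincipal.getName());
    }
}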
