package io.confluent.rbacapi.resources.v1;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.comparators.ScopeComparator;
import io.confluent.rbacapi.converters.MdsScopeConverter;
import io.confluent.rbacapi.converters.V1MdsScopeConverter;
import io.confluent.rbacapi.entities.ClusterAccessInfo;
import io.confluent.rbacapi.entities.ManagedRoleBindings;
import io.confluent.rbacapi.entities.MdsScope;
import io.confluent.rbacapi.entities.ScopeRoleBindingMapping;
import io.confluent.rbacapi.entities.VisibilityRequest;
import io.confluent.rbacapi.entities.VisibilityResponse;
import io.confluent.rbacapi.resources.base.LookupResource;
import io.confluent.rbacapi.services.ClusterAccessProcessor;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.services.ManagedRoleBindingsBuilder;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.rbacapi.utils.RoleAccessUtils;
import io.confluent.rbacapi.utils.RoleUtils;
import io.confluent.rbacapi.utils.ScopeUtils;
import io.confluent.rbacapi.validation.common.ValidPrincipal;
import io.confluent.rbacapi.validation.common.ValidResourceType;
import io.confluent.rbacapi.validation.common.ValidRole;
import io.confluent.rbacapi.validation.v1.V1ValidMdsScope;
import io.confluent.rbacapi.validation.v1.V1ValidationUtil;
import io.confluent.rest.annotations.PerformanceMetric;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RoleBinding;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;

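/* loaded from: input_file:io/confluent/rbacapi/resources/v1/V1LookupResource.class */
/**
 * JAX-RS resource backing the {@code /1.0/lookup} endpoints of the v1 RBAC API.
 *
 * <p>The simple lookups are forwarded unchanged to the shared {@link LookupResource}; the
 * managed-cluster, visibility and role-binding lookups are implemented in this class. Every
 * principal-targeted endpoint first maps the path principal through {@link #getTargetPrincipal}
 * and then performs a security-metadata {@code DESCRIBE} check via
 * {@code authorizeSecurityMetadataAccessAllowDescribeSelf} (by its name, that check also lets a
 * principal describe itself). Authorization for the endpoints that only delegate is expected to
 * happen inside the delegate and is not visible here.
 *
 * <p>The class has no mutable state after construction.
 */
@Produces({"application/json"})
@Path("/1.0/lookup")
public class V1LookupResource {
    // Cluster-type names used when building the scope of a cluster nested under a Kafka cluster.
    private static final String CONNECT_CLUSTER_TYPE = "connect-cluster";
    private static final String SCHEMA_REGISTRY_CLUSTER_TYPE = "schema-registry-cluster";
    private static final String KSQL_CLUSTER_TYPE = "ksql-cluster";

    /** Shared implementation of the lookups that are not v1-specific. */
    private final LookupResource delegate;
    /** Produces the {@link ClusterAccessInfo} for a principal within a scope. */
    private final ClusterAccessProcessor clusterAccessProcessor;
    /** Converts v1 {@link MdsScope} payloads to authorizer {@link Scope}s and back; built with cluster-registry access. */
    private final MdsScopeConverter mdsScopeConverter;
    /** Performs the security-metadata authorization checks and resolves the calling principal. */
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    /** Source of known scopes, roles and role bindings. */
    private final AuthCache authCache;

    /**
     * Creates the resource and its collaborators.
     *
     * @param authCache cache of scopes, roles and role bindings
     * @param securityMetadataAuthorizer authorizer used for every access check in this class
     * @param clusterRegistryService registry used by the scope converter to resolve cluster names
     */
    public V1LookupResource(AuthCache authCache, SecurityMetadataAuthorizer securityMetadataAuthorizer, ClusterRegistryService clusterRegistryService) {
        this.clusterAccessProcessor = new ClusterAccessProcessor(authCache);
        this.mdsScopeConverter = new V1MdsScopeConverter(clusterRegistryService, new V1ValidationUtil());
        this.metadataAuthorizer = securityMetadataAuthorizer;
        this.authCache = authCache;
        this.delegate = new LookupResource(authCache, securityMetadataAuthorizer, this.mdsScopeConverter);
    }

    /**
     * {@code POST role/{roleName}}: lists the principals holding {@code roleName} in the given scope.
     * Forwarded to the delegate.
     */
    @Path("role/{roleName}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.lookup.principals.with.role")
    public List<String> lookupPrincipalsWithRole(@Context SecurityContext securityContext, @PathParam("roleName") String roleName, @V1ValidMdsScope MdsScope mdsScope) {
        return this.delegate.lookupPrincipalsWithRole(securityContext, roleName, mdsScope);
    }

    /**
     * {@code POST role/{roleName}/resource/{resourceType}/name/{resourceName}}: lists the principals
     * holding {@code roleName} on the named resource in the given scope. Forwarded to the delegate.
     */
    @Path("role/{roleName}/resource/{resourceType}/name/{resourceName}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.lookup.principals.with.role.on.resource")
    public List<String> lookupPrincipalsWithRoleOnResource(@Context SecurityContext securityContext, @ValidRole @PathParam("roleName") String roleName, @PathParam("resourceType") @ValidResourceType String resourceType, @PathParam("resourceName") String resourceName, @V1ValidMdsScope MdsScope mdsScope) {
        return this.delegate.lookupPrincipalsWithRoleOnResource(securityContext, roleName, resourceType, resourceName, mdsScope);
    }

    /**
     * {@code POST principals/{principal}/roleNames}: lists the role names the principal holds in the
     * given scope. The path principal is mapped through {@link #getTargetPrincipal} before delegating.
     */
    @Path("principals/{principal:.*}/roleNames")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.get.scoped.role.names")
    public List<String> getScopedRoleNames(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @V1ValidMdsScope MdsScope mdsScope) {
        return this.delegate.getScopedRoleNames(securityContext, getTargetPrincipal(securityContext, principal), mdsScope);
    }

    /**
     * {@code POST principals/{principal}/visibility}: reports, per requested Kafka cluster and its
     * sub-clusters, whether the principal has any role binding there.
     *
     * @see #getUserVisibilityHelper
     */
    @Path("principals/{principal:.*}/visibility")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.get.user.visibility")
    public List<VisibilityResponse> getUserVisibility(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, List<VisibilityRequest> requests) {
        return getUserVisibilityHelper(securityContext, principal, requests);
    }

    /**
     * {@code POST principal/{principal}/resources}: lists the resources the principal can access in
     * the given scope, keyed by role and then by resource type. Forwarded to the delegate.
     */
    @Path("principal/{principal:.*}/resources")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.lookup.resources.for.principal")
    public Map<String, Map<String, List<ResourcePattern>>> lookupResourcesForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @V1ValidMdsScope MdsScope mdsScope) {
        return this.delegate.lookupResourcesForPrincipal(securityContext, getTargetPrincipal(securityContext, principal), mdsScope);
    }

    /**
     * {@code GET rolebindings/principal/{principal}}: lists the principal's role bindings across all
     * known clusters, optionally restricted by {@code clusterType}. Forwarded to the delegate.
     */
    @GET
    @Path("rolebindings/principal/{principal:.*}")
    @Consumes({"application/json"})
    @Produces({"application/json"})
    @PerformanceMetric("v1.role.bindings.for.all.known.clusters")
    public List<ScopeRoleBindingMapping> rolebindingsForAllKnownClusters(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @QueryParam("clusterType") ClusterType clusterType) {
        return this.delegate.rolebindingsForAllKnownClusters(securityContext, getTargetPrincipal(securityContext, principal), clusterType);
    }

    /**
     * {@code POST rolebindings/principal/{principal}}: returns the first scope/role-binding mapping
     * found for the principal within the given scope, or an empty mapping at
     * {@code Scope.ROOT_SCOPE} when there is none.
     *
     * @see #rolebindingsForPrincipalWithinScope
     */
    @Path("rolebindings/principal/{principal:.*}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.rolebindings.for.principal.in.scope")
    public ScopeRoleBindingMapping rolebindingsForPrincipalInScope(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @V1ValidMdsScope MdsScope mdsScope) {
        List<ScopeRoleBindingMapping> mappings = rolebindingsForPrincipalWithinScope(securityContext, getTargetPrincipal(securityContext, principal), mdsScope);
        if (mappings.isEmpty()) {
            return new ScopeRoleBindingMapping(Scope.ROOT_SCOPE);
        }
        return mappings.get(0);
    }

    /**
     * {@code GET managed/clusters/principal/{principal}}: lists the scopes of the clusters the
     * principal has a describable role in, optionally restricted by {@code clusterType}.
     *
     * @see #listManagedClustersForPrincipalByClusterType
     */
    @GET
    @Path("managed/clusters/principal/{principal:.*}")
    @Consumes({"application/json"})
    @Produces({"application/json"})
    @PerformanceMetric("v1.list.managed.clusters.for.principal.for.clustertype")
    public List<MdsScope> listManagedClustersForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @QueryParam("clusterType") ClusterType clusterType) {
        return listManagedClustersForPrincipalByClusterType(securityContext, getTargetPrincipal(securityContext, principal), clusterType);
    }

    /**
     * {@code POST managed/clusters/principal/{principal}}: returns the cluster access information for
     * the principal within the given scope.
     *
     * @see #listManagedClustersForPrincipalByMdsScope
     */
    @Path("managed/clusters/principal/{principal:.*}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.list.managed.clusters.for.principal")
    public ClusterAccessInfo listManagedClustersForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @V1ValidMdsScope MdsScope mdsScope) {
        return listManagedClustersForPrincipalByMdsScope(securityContext, getTargetPrincipal(securityContext, principal), mdsScope);
    }

    /**
     * {@code POST managed/rolebindings/principal/{principal}}: returns the managed role bindings of
     * the principal within the given scope, optionally limited to one {@code resourceType}.
     *
     * @see #managedRoleBindingsForPrincipalHelper
     */
    @Path("managed/rolebindings/principal/{principal:.*}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    @PerformanceMetric("v1.managed.rolebindings.for.principal")
    public ManagedRoleBindings managedRoleBindingsForPrincipal(@Context SecurityContext securityContext, @ValidPrincipal @PathParam("principal") String principal, @QueryParam("resourceType") String resourceType, @V1ValidMdsScope MdsScope mdsScope) {
        return managedRoleBindingsForPrincipalHelper(securityContext, getTargetPrincipal(securityContext, principal), resourceType, mdsScope);
    }

    /**
     * Computes the cluster access information for {@code kafkaPrincipal} within {@code mdsScope}.
     *
     * <p>The DESCRIBE check runs before the caller-supplied scope is resolved through the converter,
     * so an unauthorized request is rejected before any cluster-registry lookup (and before any
     * scope-resolution error could be observed by the caller).
     *
     * @param securityContext the calling request's security context
     * @param kafkaPrincipal the principal whose access is being described
     * @param mdsScope the requested scope, already validated by the resource layer
     * @return the access information produced by {@link ClusterAccessProcessor#process}
     */
    public ClusterAccessInfo listManagedClustersForPrincipalByMdsScope(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, MdsScope mdsScope) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, this.metadataAuthorizer.userPrincipal(securityContext));
        return this.clusterAccessProcessor.process(kafkaPrincipal, scope);
    }

    /**
     * Lists the scopes in which {@code kafkaPrincipal} holds a role that grants describe access,
     * converted to v1 {@link MdsScope}s and sorted with {@link ScopeComparator}.
     *
     * @param securityContext the calling request's security context
     * @param kafkaPrincipal the principal whose clusters are listed
     * @param clusterType when non-null, only scopes matching this cluster type are considered
     * @return the distinct, sorted scopes, or an empty list when the principal has no role bindings
     *     in the candidate scopes
     */
    public List<MdsScope> listManagedClustersForPrincipalByClusterType(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, ClusterType clusterType) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);

        Set<Scope> candidateScopes = this.authCache.knownScopes();
        if (clusterType != null) {
            candidateScopes = candidateScopes.stream()
                .filter(ClusterType.filterScopeBy(clusterType))
                .collect(Collectors.toSet());
        }

        Set<RoleBinding> roleBindings = this.authCache.rbacRoleBindings(kafkaPrincipal, candidateScopes);
        if (roleBindings.isEmpty()) {
            return Collections.emptyList();
        }

        // Only bindings of roles that carry describe access make a cluster "visible" here.
        Set<String> describableRoleNames = RoleUtils.mapRolesByName(this.authCache.rbacRoles().roles(), RoleAccessUtils.filterByDescribeAccess()).keySet();
        KafkaPrincipal userPrincipal = this.metadataAuthorizer.userPrincipal(securityContext);
        return roleBindings.stream()
            .filter(binding -> describableRoleNames.contains(binding.role()))
            .map(RoleBinding::scope)
            .distinct()
            .sorted(ScopeComparator.getInstance())
            .map(scope -> this.mdsScopeConverter.getMdsScope(userPrincipal, scope))
            .collect(Collectors.toList());
    }

    /**
     * Answers each {@link VisibilityRequest} with the visibility of its Kafka cluster and of the
     * Connect, Schema Registry and ksqlDB clusters listed under it. A cluster is visible when the
     * auth cache reports at least one role binding for the target principal in that cluster's scope.
     *
     * @param securityContext the calling request's security context
     * @param principal the principal from the request path
     * @param requests the clusters to check; must be non-null (a request without a body fails with a
     *     {@link NullPointerException} here)
     * @return one response per request, in request order
     */
    public List<VisibilityResponse> getUserVisibilityHelper(SecurityContext securityContext, String principal, List<VisibilityRequest> requests) {
        KafkaPrincipal targetPrincipal = getTargetPrincipal(securityContext, principal);
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, targetPrincipal, SecurityMetadataAuthorizer.DESCRIBE);

        Set<Scope> requestedScopes = requests.stream()
            .map(V1LookupResource::visibilityRequestToScopeList)
            .flatMap(List::stream)
            .collect(Collectors.toSet());
        // Scopes (among the requested ones) in which the principal holds at least one role binding.
        Set<Scope> boundScopes = this.authCache.rbacRoleBindings(targetPrincipal, requestedScopes).stream()
            .map(RoleBinding::scope)
            .collect(Collectors.toSet());

        return requests.stream()
            .map(request -> getVisibilityResponse(request, boundScopes, targetPrincipal))
            .collect(Collectors.toList());
    }

    /**
     * Parses the principal named in the request path. When the authorizer reports that it is the
     * caller itself, the caller's authenticated principal is returned instead of the parsed value,
     * so self-lookups operate on the authenticated identity rather than on the path string.
     */
    private KafkaPrincipal getTargetPrincipal(SecurityContext securityContext, String principal) {
        KafkaPrincipal parsed = SecurityUtils.parseKafkaPrincipal(principal);
        boolean isSelf = this.metadataAuthorizer.isCallingPrincipalSameAsTargetPrincipal(securityContext.getUserPrincipal(), parsed);
        return isSelf ? this.metadataAuthorizer.userPrincipal(securityContext) : parsed;
    }

    /** Builds the scope of a cluster of type {@code clusterType} nested under {@code kafkaClusterId}. */
    private static Scope subClusterScope(String kafkaClusterId, String clusterType, String clusterId) {
        return new Scope.Builder().withKafkaCluster(kafkaClusterId).withCluster(clusterType, clusterId).build();
    }

    /** Appends one sub-cluster scope per id in {@code clusterIds} to {@code target}. */
    private static void appendSubClusterScopes(List<Scope> target, String kafkaClusterId, String clusterType, List<String> clusterIds) {
        for (String clusterId : clusterIds) {
            target.add(subClusterScope(kafkaClusterId, clusterType, clusterId));
        }
    }

    /**
     * Expands a visibility request into the scopes it asks about: the Kafka cluster scope followed
     * by one scope per Connect, Schema Registry and ksqlDB cluster id it lists.
     */
    private static List<Scope> visibilityRequestToScopeList(VisibilityRequest request) {
        String kafkaClusterId = request.kafkaClusterId;
        List<Scope> scopes = new ArrayList<>();
        scopes.add(Scope.kafkaClusterScope(kafkaClusterId));
        appendSubClusterScopes(scopes, kafkaClusterId, CONNECT_CLUSTER_TYPE, request.connectClusterIds);
        appendSubClusterScopes(scopes, kafkaClusterId, SCHEMA_REGISTRY_CLUSTER_TYPE, request.schemaRegistryClusterIds);
        appendSubClusterScopes(scopes, kafkaClusterId, KSQL_CLUSTER_TYPE, request.ksqlClusterIds);
        return scopes;
    }

    /**
     * Builds the response for one request from the set of scopes in which the principal is bound.
     *
     * @param boundScopes scopes where the principal holds at least one role binding
     * @param kafkaPrincipal principal used by the converter when resolving display cluster names
     */
    private VisibilityResponse getVisibilityResponse(VisibilityRequest request, Set<Scope> boundScopes, KafkaPrincipal kafkaPrincipal) {
        String kafkaClusterId = request.kafkaClusterId;
        Scope kafkaClusterScope = Scope.kafkaClusterScope(kafkaClusterId);
        VisibilityResponse.ClusterVisibility kafkaVisibility = new VisibilityResponse.ClusterVisibility(
            kafkaClusterId,
            boundScopes.contains(kafkaClusterScope),
            this.mdsScopeConverter.getClusterName(kafkaPrincipal, kafkaClusterScope));
        return new VisibilityResponse(
            kafkaVisibility,
            subClusterVisibility(CONNECT_CLUSTER_TYPE, request.connectClusterIds, kafkaClusterId, boundScopes, kafkaPrincipal),
            subClusterVisibility(SCHEMA_REGISTRY_CLUSTER_TYPE, request.schemaRegistryClusterIds, kafkaClusterId, boundScopes, kafkaPrincipal),
            subClusterVisibility(KSQL_CLUSTER_TYPE, request.ksqlClusterIds, kafkaClusterId, boundScopes, kafkaPrincipal));
    }

    /**
     * Computes the visibility of each sub-cluster id under {@code kafkaClusterId}; the scope is built
     * once per id and reused for both the membership test and the cluster-name lookup.
     */
    private List<VisibilityResponse.ClusterVisibility> subClusterVisibility(String clusterType, List<String> clusterIds, String kafkaClusterId, Set<Scope> boundScopes, KafkaPrincipal kafkaPrincipal) {
        return clusterIds.stream()
            .map(clusterId -> {
                Scope scope = subClusterScope(kafkaClusterId, clusterType, clusterId);
                return new VisibilityResponse.ClusterVisibility(
                    clusterId,
                    boundScopes.contains(scope),
                    this.mdsScopeConverter.getClusterName(kafkaPrincipal, scope));
            })
            .collect(Collectors.toList());
    }

    /**
     * Groups the principal's role bindings within {@code mdsScope} by scope, sorted with
     * {@link ScopeComparator}.
     *
     * <p>Authorization here is per scope: the requested scope is expanded to the known scopes it
     * contains and {@link ScopeUtils#securityMetadataAuthorizedScopesAllowDescribeSelf} narrows that
     * set to the scopes the caller may DESCRIBE (presumably dropping the others rather than failing),
     * so the scope must be resolved before the check can run.
     *
     * @return one mapping per scope that has bindings, or an empty list when there are none
     */
    public List<ScopeRoleBindingMapping> rolebindingsForPrincipalWithinScope(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, MdsScope mdsScope) {
        Scope requestedScope = this.mdsScopeConverter.getScope(mdsScope, this.metadataAuthorizer.userPrincipal(securityContext));
        Set<RoleBinding> roleBindings = this.authCache.rbacRoleBindings(
            kafkaPrincipal,
            ScopeUtils.securityMetadataAuthorizedScopesAllowDescribeSelf(
                ScopeUtils.knownContainedScopes(requestedScope, this.authCache),
                kafkaPrincipal,
                securityContext,
                SecurityMetadataAuthorizer.DESCRIBE,
                this.metadataAuthorizer));
        if (roleBindings.isEmpty()) {
            return Collections.emptyList();
        }

        Map<Scope, ScopeRoleBindingMapping> mappingsByScope = new HashMap<>();
        for (RoleBinding binding : roleBindings) {
            mappingsByScope.computeIfAbsent(binding.scope(), ScopeRoleBindingMapping::new).addRoleBinding(binding);
        }
        return mappingsByScope.values().stream()
            .sorted((left, right) -> ScopeComparator.getInstance().compare(left.scope().scope(), right.scope().scope()))
            .collect(Collectors.toList());
    }

    /**
     * Builds the managed role bindings of {@code kafkaPrincipal} within {@code mdsScope}.
     *
     * <p>As in {@link #listManagedClustersForPrincipalByMdsScope}, the DESCRIBE check runs before the
     * caller-supplied scope is resolved, so unauthorized callers never trigger the registry lookup.
     *
     * @param resourceType when non-null, limits the result to this resource type; otherwise
     *     {@code ResourceType.ALL}
     */
    private ManagedRoleBindings managedRoleBindingsForPrincipalHelper(SecurityContext securityContext, KafkaPrincipal kafkaPrincipal, String resourceType, MdsScope mdsScope) {
        this.metadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, kafkaPrincipal, SecurityMetadataAuthorizer.DESCRIBE);
        Scope scope = this.mdsScopeConverter.getScope(mdsScope, this.metadataAuthorizer.userPrincipal(securityContext));
        ResourceType type = resourceType != null ? new ResourceType(resourceType) : ResourceType.ALL;
        return new ManagedRoleBindingsBuilder(this.authCache).build(scope, kafkaPrincipal, type);
    }
}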
