package io.confluent.rbacapi.utils;

import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.security.auth.metadata.AuthCache;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.Scope;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.errors.AuthorizationException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/rbacapi/utils/ScopeUtils.class */
public class ScopeUtils {
    public static Set<Scope> knownContainedScopes(Scope scope, AuthCache authCache) {
        Stream stream = authCache.knownScopes().stream();
        scope.getClass();
        Set<Scope> set = (Set) stream.filter(scope::containsScope).collect(Collectors.toSet());
        return set.size() == 0 ? Collections.singleton(scope) : set;
    }

    public static Set<Scope> securityMetadataAuthorizedScopesAllowDescribeSelf(Set<Scope> set, KafkaPrincipal kafkaPrincipal, SecurityContext securityContext, Operation operation, SecurityMetadataAuthorizer securityMetadataAuthorizer) {
        Set<Scope> set2 = (Set) set.stream().filter(scope -> {
            try {
                securityMetadataAuthorizer.authorizeSecurityMetadataAccessAllowDescribeSelf(securityContext, scope, kafkaPrincipal, operation);
                return true;
            } catch (AuthorizationException e) {
                return false;
            }
        }).collect(Collectors.toSet());
        if (set2.size() != 0) {
            return set2;
        }
        throw new AuthorizationException("No authorized scopes found for " + securityMetadataAuthorizer.userPrincipal(securityContext));
    }
}
