package io.hops.kafka;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import kafka.network.RequestChannel;
import kafka.security.auth.Acl;
import kafka.security.auth.Authorizer;
import kafka.security.auth.Operation;
import kafka.security.auth.Resource;
import kafka.security.auth.ResourceType$;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.log4j.Logger;
import org.javatuples.Pair;

/* loaded from: input_file:io/hops/kafka/HopsAclAuthorizer.class */
public class HopsAclAuthorizer implements Authorizer {
    private static final Logger LOG = Logger.getLogger("kafka.authorizer.logger");
    private Set<KafkaPrincipal> superUsers = new HashSet();
    private boolean consumerOffsetsAccessAllowed = false;
    private DbConnection dbConnection;
    private LoadingCache<String, Integer> topicProject;
    private LoadingCache<String, Pair<Integer, String>> userProject;
    private LoadingCache<Pair<Integer, Integer>, String> projectShare;

    public HopsAclAuthorizer() {
    }

    protected HopsAclAuthorizer(LoadingCache<String, Integer> loadingCache, LoadingCache<String, Pair<Integer, String>> loadingCache2, LoadingCache<Pair<Integer, Integer>, String> loadingCache3) {
        this.topicProject = loadingCache;
        this.userProject = loadingCache2;
        this.projectShare = loadingCache3;
    }

    public void configure(Map<String, ?> map) {
        Object obj = map.get(Consts.SUPERUSERS_PROP);
        if (obj != null) {
            for (String str : ((String) obj).split(Consts.SEMI_COLON)) {
                this.superUsers.add(KafkaPrincipal.fromString(str.trim()));
            }
        }
        Object obj2 = map.get(Consts.CONSUMER_OFFSETS_ACCESS_ALLOWED);
        if (obj2 != null) {
            this.consumerOffsetsAccessAllowed = Boolean.parseBoolean((String) obj2);
        }
        this.dbConnection = new DbConnection(map.get(Consts.DATABASE_URL).toString(), map.get(Consts.DATABASE_USERNAME).toString(), map.get(Consts.DATABASE_PASSWORD).toString(), Integer.parseInt(map.get(Consts.DATABASE_MAX_POOL_SIZE).toString()), map.get(Consts.DATABASE_CACHE_PREPSTMTS).toString(), map.get(Consts.DATABASE_PREPSTMT_CACHE_SIZE).toString(), map.get(Consts.DATABASE_PREPSTMT_CACHE_SQL_LIMIT).toString());
        long parseLong = Long.parseLong(String.valueOf(map.get(Consts.DATABASE_ACL_POLLING_FREQUENCY_MS)));
        this.topicProject = CacheBuilder.newBuilder().maximumSize(Long.parseLong(String.valueOf(map.get(Consts.CACHE_MAX_SIZE)))).build(new CacheLoader<String, Integer>() { // from class: io.hops.kafka.HopsAclAuthorizer.1
            @Override // com.google.common.cache.CacheLoader
            public Integer load(String str2) throws SQLException {
                HopsAclAuthorizer.LOG.info(String.format("Getting topics project. topicName: %s", str2));
                return HopsAclAuthorizer.this.dbConnection.getTopicProject(str2);
            }
        });
        this.userProject = CacheBuilder.newBuilder().expireAfterWrite(parseLong, TimeUnit.MILLISECONDS).build(new CacheLoader<String, Pair<Integer, String>>() { // from class: io.hops.kafka.HopsAclAuthorizer.2
            @Override // com.google.common.cache.CacheLoader
            public Pair<Integer, String> load(String str2) throws SQLException {
                String[] split = str2.split(Consts.PROJECT_USER_DELIMITER);
                String str3 = split[0];
                String str4 = split[1];
                HopsAclAuthorizer.LOG.info(String.format("Getting users project role. projectName: %s, username: %s", str3, str4));
                return HopsAclAuthorizer.this.dbConnection.getProjectRole(str3, str4);
            }
        });
        this.projectShare = CacheBuilder.newBuilder().expireAfterWrite(parseLong, TimeUnit.MILLISECONDS).build(new CacheLoader<Pair<Integer, Integer>, String>() { // from class: io.hops.kafka.HopsAclAuthorizer.3
            @Override // com.google.common.cache.CacheLoader
            public String load(Pair<Integer, Integer> pair) throws SQLException {
                int intValue = pair.getValue0().intValue();
                int intValue2 = pair.getValue1().intValue();
                HopsAclAuthorizer.LOG.info(String.format("Getting project share permission. topicProjectId: %s, userProjectId: %s", Integer.valueOf(intValue), Integer.valueOf(intValue2)));
                return HopsAclAuthorizer.this.dbConnection.getSharedProject(intValue2, intValue);
            }
        });
    }

    public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
        KafkaPrincipal principal = session.principal();
        String hostAddress = session.clientAddress().getHostAddress();
        String name = resource.name();
        String name2 = principal.getName();
        LOG.debug("authorize :: session:" + session);
        LOG.debug("authorize :: principal.name:" + name2);
        LOG.debug("authorize :: principal.type:" + principal.getPrincipalType());
        LOG.debug("authorize :: operation:" + operation);
        LOG.debug("authorize :: host:" + hostAddress);
        LOG.debug("authorize :: resource:" + resource);
        LOG.debug("authorize :: topicName:" + name);
        if (name2.equalsIgnoreCase(Consts.ANONYMOUS)) {
            LOG.info("No Acl found for cluster authorization, user:" + name2);
            return false;
        }
        if (isSuperUser(principal)) {
            return true;
        }
        if ("__consumer_offsets".equals(name)) {
            LOG.debug("topic = " + name + " access allowed: " + this.consumerOffsetsAccessAllowed);
            return this.consumerOffsetsAccessAllowed;
        }
        if (resource.resourceType().equals(ResourceType$.MODULE$.fromString(Consts.CLUSTER))) {
            LOG.info("This is cluster authorization for broker: " + name2);
            return false;
        }
        if (!resource.resourceType().equals(ResourceType$.MODULE$.fromString(Consts.GROUP))) {
            return authorizeProjectUser(name, name2, operation);
        }
        String str = name2.split(Consts.PROJECT_USER_DELIMITER)[0];
        if (resource.name().contains(Consts.PROJECT_USER_DELIMITER)) {
            String str2 = resource.name().split(Consts.PROJECT_USER_DELIMITER)[0];
            LOG.debug("Consumer group :: projectCN:" + str);
            LOG.debug("Consumer group :: projectConsumerGroup:" + str2);
            if (!str.equals(str2)) {
                LOG.info("Principal:" + name2 + " is not allowed to access group:" + resource.name());
                return false;
            }
        }
        LOG.info("Principal:" + name2 + " is allowed to access group:" + resource.name());
        return true;
    }

    private boolean authorizeProjectUser(String str, String str2, Operation operation) {
        int i = 2;
        while (i > 0) {
            try {
                int intValue = this.topicProject.get(str).intValue();
                Pair<Integer, String> pair = this.userProject.get(str2);
                int intValue2 = pair.getValue0().intValue();
                return intValue == intValue2 ? authorizeOperation(operation, pair.getValue1()) : authorizePermission(operation, this.projectShare.get(new Pair<>(Integer.valueOf(intValue), Integer.valueOf(intValue2))));
            } catch (CacheLoader.InvalidCacheLoadException e) {
                return false;
            } catch (ExecutionException e2) {
                i--;
                LOG.error(String.format("Failed to authorize user '%s' to perform '%s' on topic '%s', retries left: %s", str2, operation.toString(), str, Integer.valueOf(i)), e2.getCause());
            }
        }
        return false;
    }

    protected boolean authorizePermission(Operation operation, String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -1909924252:
                if (str.equals(Consts.EDITABLE)) {
                    z = 2;
                    break;
                }
                break;
            case -1545815827:
                if (str.equals(Consts.EDITABLE_BY_OWNERS)) {
                    z = true;
                    break;
                }
                break;
            case 1702562997:
                if (str.equals(Consts.READ_ONLY)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return authorizeOperation(operation, Consts.DATA_SCIENTIST);
            case true:
            case true:
            default:
                return false;
        }
    }

    protected boolean authorizeOperation(Operation operation, String str) {
        String obj = operation.toString();
        boolean z = -1;
        switch (obj.hashCode()) {
            case 2543030:
                if (obj.equals(Consts.READ)) {
                    z = 2;
                    break;
                }
                break;
            case 83847103:
                if (obj.equals(Consts.WRITE)) {
                    z = false;
                    break;
                }
                break;
            case 1082858219:
                if (obj.equals(Consts.DESCRIBE)) {
                    z = 3;
                    break;
                }
                break;
            case 2026540316:
                if (obj.equals(Consts.CREATE)) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
                return Consts.DATA_OWNER.equals(str);
            case true:
            case true:
                return true;
            default:
                return false;
        }
    }

    private boolean isSuperUser(KafkaPrincipal kafkaPrincipal) {
        if (this.superUsers.contains(kafkaPrincipal)) {
            LOG.debug("principal = " + kafkaPrincipal + " is a super user, allowing operation without checking acls.");
            return true;
        }
        LOG.debug("principal = " + kafkaPrincipal + " is not a super user.");
        return false;
    }

    public void addAcls(scala.collection.immutable.Set<Acl> set, Resource resource) {
    }

    public boolean removeAcls(scala.collection.immutable.Set<Acl> set, Resource resource) {
        return false;
    }

    public boolean removeAcls(Resource resource) {
        return false;
    }

    public scala.collection.immutable.Set<Acl> getAcls(Resource resource) {
        return null;
    }

    public scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> getAcls(KafkaPrincipal kafkaPrincipal) {
        return null;
    }

    public scala.collection.immutable.Map<Resource, scala.collection.immutable.Set<Acl>> getAcls() {
        return null;
    }

    public void close() {
        this.dbConnection.close();
    }

    public void setSuperUsers(Set<KafkaPrincipal> set) {
        this.superUsers = set;
    }

    public void setDbConnection(DbConnection dbConnection) {
        this.dbConnection = dbConnection;
    }
}
