package io.hops.kafka;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.javatuples.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/hops/kafka/HopsAclAuthorizer.class */
public class HopsAclAuthorizer implements Authorizer {
    private static final Logger LOGGER = LoggerFactory.getLogger("kafka.authorizer.logger");
    private Set<KafkaPrincipal> superUsers = new HashSet();
    private boolean consumerOffsetsAccessAllowed = false;
    private DbConnection dbConnection;
    private LoadingCache<String, Integer> topicProject;
    private LoadingCache<String, Pair<Integer, String>> userProject;
    private LoadingCache<Pair<Integer, Integer>, String> projectShare;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.hops.kafka.HopsAclAuthorizer$4, reason: invalid class name */
    /* loaded from: input_file:io/hops/kafka/HopsAclAuthorizer$4.class */
    public static /* synthetic */ class AnonymousClass4 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclOperation = new int[AclOperation.values().length];

        static {
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.WRITE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.CREATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.READ.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.DESCRIBE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    public HopsAclAuthorizer() {
    }

    protected HopsAclAuthorizer(LoadingCache<String, Integer> loadingCache, LoadingCache<String, Pair<Integer, String>> loadingCache2, LoadingCache<Pair<Integer, Integer>, String> loadingCache3) {
        this.topicProject = loadingCache;
        this.userProject = loadingCache2;
        this.projectShare = loadingCache3;
    }

    public void configure(Map<String, ?> map) {
        Object obj = map.get(Consts.SUPERUSERS_PROP);
        if (obj != null) {
            for (String str : ((String) obj).split(Consts.SEMI_COLON)) {
                String[] split = str.split(Consts.COLON_SEPARATOR);
                this.superUsers.add(new KafkaPrincipal(split[0], split[1]));
            }
        }
        Object obj2 = map.get(Consts.CONSUMER_OFFSETS_ACCESS_ALLOWED);
        if (obj2 != null) {
            this.consumerOffsetsAccessAllowed = Boolean.parseBoolean((String) obj2);
        }
        this.dbConnection = new DbConnection(map.get(Consts.DATABASE_URL).toString(), map.get(Consts.DATABASE_USERNAME).toString(), map.get(Consts.DATABASE_PASSWORD).toString(), Integer.parseInt(map.get(Consts.DATABASE_MAX_POOL_SIZE).toString()), map.get(Consts.DATABASE_CACHE_PREPSTMTS).toString(), map.get(Consts.DATABASE_PREPSTMT_CACHE_SIZE).toString(), map.get(Consts.DATABASE_PREPSTMT_CACHE_SQL_LIMIT).toString());
        long parseLong = Long.parseLong(String.valueOf(map.get(Consts.DATABASE_ACL_POLLING_FREQUENCY_MS)));
        this.topicProject = CacheBuilder.newBuilder().maximumSize(Long.parseLong(String.valueOf(map.get(Consts.CACHE_MAX_SIZE)))).build(new CacheLoader<String, Integer>() { // from class: io.hops.kafka.HopsAclAuthorizer.1
            @Override // com.google.common.cache.CacheLoader
            public Integer load(String str2) throws SQLException {
                HopsAclAuthorizer.LOGGER.info("Getting topics project. topicName: {}", str2);
                return HopsAclAuthorizer.this.dbConnection.getTopicProject(str2);
            }
        });
        this.userProject = CacheBuilder.newBuilder().expireAfterWrite(parseLong, TimeUnit.MILLISECONDS).build(new CacheLoader<String, Pair<Integer, String>>() { // from class: io.hops.kafka.HopsAclAuthorizer.2
            @Override // com.google.common.cache.CacheLoader
            public Pair<Integer, String> load(String str2) throws SQLException {
                String[] split2 = str2.split(Consts.PROJECT_USER_DELIMITER);
                String str3 = split2[0];
                String str4 = split2[1];
                HopsAclAuthorizer.LOGGER.info("Getting users project role. projectName: {}, username: {}", str3, str4);
                return HopsAclAuthorizer.this.dbConnection.getProjectRole(str3, str4);
            }
        });
        this.projectShare = CacheBuilder.newBuilder().expireAfterWrite(parseLong, TimeUnit.MILLISECONDS).build(new CacheLoader<Pair<Integer, Integer>, String>() { // from class: io.hops.kafka.HopsAclAuthorizer.3
            @Override // com.google.common.cache.CacheLoader
            public String load(Pair<Integer, Integer> pair) throws SQLException {
                int intValue = pair.getValue0().intValue();
                int intValue2 = pair.getValue1().intValue();
                HopsAclAuthorizer.LOGGER.info("Getting project share permission. topicProjectId: {}, userProjectId: {}", Integer.valueOf(intValue), Integer.valueOf(intValue2));
                return HopsAclAuthorizer.this.dbConnection.getSharedProject(intValue2, intValue);
            }
        });
    }

    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        return new HashMap();
    }

    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        return (List) list.stream().map(action -> {
            return authorize(authorizableRequestContext, action);
        }).collect(Collectors.toList());
    }

    public AuthorizationResult authorize(AuthorizableRequestContext authorizableRequestContext, Action action) {
        KafkaPrincipal principal = authorizableRequestContext.principal();
        String hostAddress = authorizableRequestContext.clientAddress().getHostAddress();
        ResourceType resourceType = action.resourcePattern().resourceType();
        String name = action.resourcePattern().name();
        List<String> asList = Arrays.asList(principal.getName().split(Consts.SEMI_COLON));
        String principalName = getPrincipalName(asList);
        AclOperation operation = action.operation();
        LOGGER.debug("authorize :: session: {}", authorizableRequestContext);
        LOGGER.debug("authorize :: subjectNames: {}", asList);
        LOGGER.debug("authorize :: principal.name: {}", principalName);
        LOGGER.debug("authorize :: principal.type: {}", principal.getPrincipalType());
        LOGGER.debug("authorize :: operation: {}", operation);
        LOGGER.debug("authorize :: host: {}", hostAddress);
        LOGGER.debug("authorize :: resource: {}", resourceType);
        LOGGER.debug("authorize :: topicName: {}", name);
        if (principalName.equalsIgnoreCase(Consts.ANONYMOUS)) {
            LOGGER.info("No Acl found for cluster authorization, user: {}", principalName);
            return AuthorizationResult.DENIED;
        }
        if (isSuperUser(asList)) {
            return AuthorizationResult.ALLOWED;
        }
        if ("__consumer_offsets".equals(name)) {
            LOGGER.debug("topic = {} access allowed: {}", name, Boolean.valueOf(this.consumerOffsetsAccessAllowed));
            return this.consumerOffsetsAccessAllowed ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
        }
        if (resourceType.equals(ResourceType.CLUSTER)) {
            LOGGER.info("This is cluster authorization for broker: {}", principalName);
            return AuthorizationResult.DENIED;
        }
        if (!resourceType.equals(ResourceType.GROUP)) {
            return authorizeProjectUser(name, principalName, operation);
        }
        String str = principalName.split(Consts.PROJECT_USER_DELIMITER)[0];
        if (name.contains(Consts.PROJECT_USER_DELIMITER)) {
            String str2 = name.split(Consts.PROJECT_USER_DELIMITER)[0];
            LOGGER.debug("Consumer group :: projectCN: {}", str);
            LOGGER.debug("Consumer group :: projectConsumerGroup: {}", str2);
            if (!str.equals(str2)) {
                LOGGER.info("Principal: {} is not allowed to access group: {}", principalName, name);
                return AuthorizationResult.DENIED;
            }
        }
        LOGGER.info("Principal: {} is allowed to access group: {}", principalName, name);
        return AuthorizationResult.ALLOWED;
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        return null;
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        return null;
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        return null;
    }

    public AuthorizationResult authorizeByResourceType(AuthorizableRequestContext authorizableRequestContext, AclOperation aclOperation, ResourceType resourceType) {
        return AuthorizationResult.DENIED;
    }

    private AuthorizationResult authorizeProjectUser(String str, String str2, AclOperation aclOperation) {
        int i = 2;
        while (i > 0) {
            try {
                int intValue = this.topicProject.get(str).intValue();
                Pair<Integer, String> pair = this.userProject.get(str2);
                int intValue2 = pair.getValue0().intValue();
                return intValue == intValue2 ? authorizeOperation(aclOperation, pair.getValue1()) : authorizePermission(aclOperation, this.projectShare.get(new Pair<>(Integer.valueOf(intValue), Integer.valueOf(intValue2))));
            } catch (CacheLoader.InvalidCacheLoadException e) {
                return AuthorizationResult.DENIED;
            } catch (ExecutionException e2) {
                i--;
                LOGGER.error("Failed to authorize user '{}' to perform '{}' on topic '{}', retries left: {}", str2, aclOperation.toString(), str, Integer.valueOf(i), e2.getCause());
            }
        }
        return AuthorizationResult.DENIED;
    }

    protected AuthorizationResult authorizePermission(AclOperation aclOperation, String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -1909924252:
                if (str.equals(Consts.EDITABLE)) {
                    z = 2;
                    break;
                }
                break;
            case -1545815827:
                if (str.equals(Consts.EDITABLE_BY_OWNERS)) {
                    z = true;
                    break;
                }
                break;
            case 1702562997:
                if (str.equals(Consts.READ_ONLY)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return authorizeOperation(aclOperation, Consts.DATA_SCIENTIST);
            case true:
            case true:
            default:
                return AuthorizationResult.DENIED;
        }
    }

    protected AuthorizationResult authorizeOperation(AclOperation aclOperation, String str) {
        switch (AnonymousClass4.$SwitchMap$org$apache$kafka$common$acl$AclOperation[aclOperation.ordinal()]) {
            case 1:
            case 2:
                return Consts.DATA_OWNER.equals(str) ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
            case 3:
            case 4:
                return AuthorizationResult.ALLOWED;
            default:
                return AuthorizationResult.DENIED;
        }
    }

    protected boolean isSuperUser(List<String> list) {
        if (this.superUsers.stream().anyMatch(kafkaPrincipal -> {
            return list.contains(kafkaPrincipal.getName());
        })) {
            LOGGER.debug("principal = {} is a super user, allowing operation without checking acls.", getPrincipalName(list));
            return true;
        }
        LOGGER.debug("principal = {} is not a super user.", getPrincipalName(list));
        return false;
    }

    private String getPrincipalName(List<String> list) {
        return list.get(0);
    }

    public void close() {
        this.dbConnection.close();
    }

    public void setSuperUsers(Set<KafkaPrincipal> set) {
        this.superUsers = set;
    }

    public void setDbConnection(DbConnection dbConnection) {
        this.dbConnection = dbConnection;
    }
}
