package io.confluent.controlcenter.data;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.common.collect.FluentIterable;
import com.google.common.collect.ImmutableList;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.connect.security.permissions.entities.Permissions;
import io.confluent.controlcenter.rest.res.ConnectCluster;
import io.confluent.controlcenter.rest.res.KsqlCluster;
import io.confluent.controlcenter.rest.res.KsqlServerInfo;
import io.confluent.controlcenter.rest.res.SchemaRegistryCluster;
import io.confluent.rbacapi.entities.VisibilityRequest;
import io.confluent.rbacapi.entities.VisibilityResponse;
import io.confluent.security.authorizer.Scope;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import javax.annotation.Nullable;
import javax.validation.constraints.NotNull;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.glassfish.jersey.client.ClientConfig;
import org.glassfish.jersey.jackson.internal.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/data/ServiceVisibilityFilter.class */
public class ServiceVisibilityFilter {
    private static final Logger log = LoggerFactory.getLogger(ServiceVisibilityFilter.class);
    private static final String KAFKA_CLUSTER = "kafka-cluster";
    private static final String SR_CLUSTER = "schema-registry-cluster";
    private static final String CONNECT_CLUSTER = "connect-cluster";
    private static final long SERVICE_CONNECT_TIMEOUT_SEC = 15;
    private static final long SERVICE_READ_TIMEOUT_SEC = 15;
    private final ClientBuilder clientBuilder;
    private final MetadataServiceClient metadataServiceClient;
    private Client client;

    /* loaded from: input_file:io/confluent/controlcenter/data/ServiceVisibilityFilter$VisibilityRequestCluster.class */
    public static class VisibilityRequestCluster<T> {
        public final VisibilityRequest visibilityRequest;
        public final T cluster;

        public VisibilityRequestCluster(VisibilityRequest visibilityRequest, T t) {
            this.visibilityRequest = visibilityRequest;
            this.cluster = t;
        }
    }

    public ServiceVisibilityFilter(ObjectMapper objectMapper, @Nullable MetadataServiceClient metadataServiceClient) {
        JacksonJaxbJsonProvider jacksonJaxbJsonProvider = new JacksonJaxbJsonProvider();
        jacksonJaxbJsonProvider.setMapper(objectMapper);
        this.clientBuilder = ClientBuilder.newBuilder().withConfig(new ClientConfig(new Object[]{jacksonJaxbJsonProvider})).connectTimeout(15L, TimeUnit.SECONDS).readTimeout(15L, TimeUnit.SECONDS);
        this.metadataServiceClient = metadataServiceClient;
    }

    public void setSslContextFactory(@NotNull SslContextFactory sslContextFactory) {
        if (this.client != null) {
            throw new IllegalStateException("trying to set SslContextFactory but Client is already built!");
        }
        Preconditions.checkNotNull(sslContextFactory);
        if (sslContextFactory.getSslContext() != null) {
            this.clientBuilder.sslContext(sslContextFactory.getSslContext());
        }
    }

    public List<KsqlCluster> filterKsqlClusters(List<KsqlCluster> list, JwtPrincipal jwtPrincipal) {
        return this.metadataServiceClient == null ? list : getFilteredClusters(list, jwtPrincipal, ksqlCluster -> {
            return getKsqlVisibilityRequest(ksqlCluster, jwtPrincipal.getJwt());
        }, visibilityResponse -> {
            return visibilityResponse.ksqlClusters;
        });
    }

    public List<ConnectCluster> filterConnectClusters(List<ConnectCluster> list, JwtPrincipal jwtPrincipal) {
        return this.metadataServiceClient == null ? list : getFilteredClusters(list, jwtPrincipal, connectCluster -> {
            return getConnectVisibilityRequest(connectCluster, jwtPrincipal.getJwt());
        }, visibilityResponse -> {
            return visibilityResponse.connectClusters;
        });
    }

    public List<SchemaRegistryCluster> filterSchemaRegistryClusters(List<SchemaRegistryCluster> list, JwtPrincipal jwtPrincipal) {
        return this.metadataServiceClient == null ? list : getFilteredClusters(list, jwtPrincipal, schemaRegistryCluster -> {
            return getSchemaRegistryVisibilityRequest(schemaRegistryCluster, jwtPrincipal.getJwt());
        }, visibilityResponse -> {
            return visibilityResponse.schemaRegistryClusters;
        });
    }

    VisibilityRequest getKsqlVisibilityRequest(KsqlCluster ksqlCluster, String str) {
        try {
            KsqlServerInfo ksqlServerInfo = (KsqlServerInfo) getClient().target(getRandomEndpoint(ksqlCluster.getEndpoints())).path("info").request().header("Authorization", "Bearer " + str).get().readEntity(KsqlServerInfo.class);
            Preconditions.checkNotNull(ksqlServerInfo.getKafkaClusterId());
            Preconditions.checkNotNull(ksqlServerInfo.getKsqlServiceId());
            return new VisibilityRequest(ksqlServerInfo.getKafkaClusterId(), (List) null, (List) null, ImmutableList.of(ksqlServerInfo.getKsqlServiceId()));
        } catch (Exception e) {
            log.info("exception trying to request id from ksql-cluster({}): {}", ksqlCluster.getDisplayName(), e.getMessage());
            return null;
        }
    }

    VisibilityRequest getConnectVisibilityRequest(ConnectCluster connectCluster, String str) {
        try {
            Scope scope = ((Permissions) getClient().target(getRandomEndpoint(connectCluster.urls)).path("permissions").request().header("Authorization", "Bearer " + str).get().readEntity(Permissions.class)).getScope();
            String str2 = (String) scope.clusters().get(KAFKA_CLUSTER);
            String str3 = (String) scope.clusters().get(CONNECT_CLUSTER);
            Preconditions.checkNotNull(str2);
            Preconditions.checkNotNull(str3);
            return new VisibilityRequest(str2, ImmutableList.of(str3), (List) null, (List) null);
        } catch (Exception e) {
            log.info("exception trying to request id from connect-cluster({}): {}", connectCluster.displayName, e.getMessage());
            return null;
        }
    }

    VisibilityRequest getSchemaRegistryVisibilityRequest(SchemaRegistryCluster schemaRegistryCluster, String str) {
        try {
            Scope scope = ((io.confluent.kafka.schemaregistry.security.permissions.entities.Permissions) getClient().target(getRandomEndpoint(schemaRegistryCluster.servers)).path("permissions").request().header("Authorization", "Bearer " + str).get().readEntity(io.confluent.kafka.schemaregistry.security.permissions.entities.Permissions.class)).getScope();
            String str2 = (String) scope.clusters().get(KAFKA_CLUSTER);
            String str3 = (String) scope.clusters().get(SR_CLUSTER);
            Preconditions.checkNotNull(str2);
            Preconditions.checkNotNull(str3);
            return new VisibilityRequest(str2, (List) null, ImmutableList.of(str3), (List) null);
        } catch (Exception e) {
            log.info("exception trying to request id from schema-registry-cluster({}): {}", schemaRegistryCluster.displayName, e.getMessage());
            return null;
        }
    }

    private Client getClient() {
        if (this.client == null) {
            this.client = this.clientBuilder.build();
        }
        return this.client;
    }

    private static String getRandomEndpoint(List<String> list) {
        Preconditions.checkArgument(list.size() > 0);
        return list.get(ThreadLocalRandom.current().nextInt(list.size()));
    }

    private <T> List<T> getFilteredClusters(List<T> list, JwtPrincipal jwtPrincipal, Function<T, VisibilityRequest> function, Function<VisibilityResponse, List<VisibilityResponse.ClusterVisibility>> function2) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        for (T t : list) {
            VisibilityRequest apply = function.apply(t);
            if (apply != null) {
                arrayList2.add(new VisibilityRequestCluster(apply, t));
            }
        }
        if (arrayList2.size() == 0) {
            return ImmutableList.of();
        }
        int i = 0;
        Iterator<VisibilityResponse> it = this.metadataServiceClient.visibility(jwtPrincipal.getName(), jwtPrincipal.getJwt(), FluentIterable.from(arrayList2).transform(new com.google.common.base.Function<VisibilityRequestCluster<T>, VisibilityRequest>() { // from class: io.confluent.controlcenter.data.ServiceVisibilityFilter.1
            @Nullable
            public VisibilityRequest apply(@Nullable VisibilityRequestCluster<T> visibilityRequestCluster) {
                return visibilityRequestCluster.visibilityRequest;
            }
        }).toList()).iterator();
        while (it.hasNext()) {
            if (function2.apply(it.next()).get(0).visible) {
                arrayList.add(((VisibilityRequestCluster) arrayList2.get(i)).cluster);
            }
            i++;
        }
        return ImmutableList.copyOf(arrayList);
    }
}
