package io.confluent.ksql.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Ticker;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import io.confluent.ksql.exception.KsqlSchemaAuthorizationException;
import io.confluent.ksql.exception.KsqlTopicAuthorizationException;
import io.confluent.ksql.util.KsqlConfig;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.kafka.common.acl.AclOperation;

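/**
 * Caching decorator around a backend {@link KsqlAccessValidator}.
 *
 * <p>Every topic or subject check is turned into a {@link CacheKey} and resolved through a Guava
 * {@link LoadingCache}. On a miss the backend validator is called and its outcome is stored,
 * whether that outcome is an allow or a deny. On a hit the backend is not consulted.
 *
 * <p>Security-relevant properties of this design, for reviewers and operators:
 * <ul>
 *   <li><b>Stale decisions.</b> Entries expire {@code ksql.authorization.cache.expiry.time.secs}
 *       seconds after they are written. A permission change on the backend is not seen for an
 *       already-cached key until that entry expires or is evicted. A revoked permission keeps
 *       being honoured for up to that long, and a new grant stays denied for up to that long.</li>
 *   <li><b>Key identity is the principal name.</b> {@link CacheKey#equals} compares the user name,
 *       object type, object name and operation code, and nothing else from the security context.
 *       Callers without a principal all map to the empty user name and share entries.</li>
 *   <li><b>Decision provenance.</b> The backend check for a key runs with the security context
 *       of whichever caller populated the entry, and later callers with an equal key reuse that
 *       result.</li>
 *   <li><b>Retention.</b> The key keeps a reference to the security context for the lifetime of
 *       the entry.</li>
 * </ul>
 *
 * <p>This class was recovered from compiled bytecode. The decompiler output contained a synthetic
 * switch-map class that assigned a {@code boolean} constant to an {@code int[]} element and did
 * not compile. It is replaced here by a direct {@code switch} on {@link AuthObjectType}.
 */
@ThreadSafe
public class KsqlCacheAccessValidator implements KsqlAccessValidator {
    private static final boolean ALLOW_ACCESS = true;
    private final LoadingCache<CacheKey, CacheValue> cache;
    private final KsqlAccessValidator backendValidator;

    /**
     * Cache key for one authorization question: who, which kind of object, which object, and
     * which operation. (Package-private in the compiled class according to the decompiler.)
     */
    public static class CacheKey {
        // User name used for every security context that carries no principal. All such
        // callers therefore compare equal on the "user" component of the key.
        private static final String UNKNOWN_USER = "";
        // Kept so the loader can pass it to the backend validator. Only the principal name
        // takes part in equals/hashCode.
        private final KsqlSecurityContext securityContext;
        private final AuthObjectType authObjectType;
        private final String objectName;
        private final AclOperation operation;

        CacheKey(KsqlSecurityContext ksqlSecurityContext, AuthObjectType authObjectType, String str, AclOperation aclOperation) {
            this.securityContext = ksqlSecurityContext;
            this.authObjectType = authObjectType;
            this.objectName = str;
            this.operation = aclOperation;
        }

        /**
         * Two keys are equal when user name, object type, object name and operation code match.
         * The rest of the security context is deliberately not compared.
         */
        @Override
        public boolean equals(Object obj) {
            // instanceof is false for null, so no separate null test is needed.
            if (!(obj instanceof CacheKey)) {
                return false;
            }
            CacheKey other = (CacheKey) obj;
            return getUserName(this.securityContext).equals(getUserName(other.securityContext))
                    && this.authObjectType.equals(other.authObjectType)
                    && this.objectName.equals(other.objectName)
                    && this.operation.code() == other.operation.code();
        }

        /** Hashes exactly the components that {@link #equals} compares. */
        @Override
        public int hashCode() {
            return Objects.hash(
                    getUserName(this.securityContext),
                    this.authObjectType,
                    this.objectName,
                    Byte.valueOf(this.operation.code()));
        }

        /** Returns the principal's name, or {@link #UNKNOWN_USER} when no principal is present. */
        private String getUserName(KsqlSecurityContext ksqlSecurityContext) {
            return ksqlSecurityContext.getUserPrincipal().isPresent() ? ksqlSecurityContext.getUserPrincipal().get().getName() : UNKNOWN_USER;
        }
    }

    /**
     * Cached outcome of one backend check. (Package-private in the compiled class according to
     * the decompiler.)
     */
    public static class CacheValue {
        private final boolean allowAccess;
        // Present for denials. The same exception instance is rethrown to every caller that
        // hits this entry, so its stack trace describes the check that populated the cache.
        private final Optional<RuntimeException> denialReason;

        CacheValue(boolean z, Optional<RuntimeException> optional) {
            this.allowAccess = z;
            this.denialReason = optional;
        }
    }

    /**
     * Creates a caching validator that uses the system ticker for entry expiry.
     *
     * @param ksqlConfig source of the cache expiry and maximum-size settings
     * @param ksqlAccessValidator backend validator consulted on cache misses
     */
    public KsqlCacheAccessValidator(KsqlConfig ksqlConfig, KsqlAccessValidator ksqlAccessValidator) {
        this(ksqlConfig, ksqlAccessValidator, Ticker.systemTicker());
    }

    /**
     * Creates a caching validator with an explicit ticker, so tests can control expiry.
     *
     * @param ksqlConfig source of {@code ksql.authorization.cache.expiry.time.secs} and
     *     {@code ksql.authorization.cache.max.entries}
     * @param ksqlAccessValidator backend validator consulted on cache misses
     * @param ticker time source used by the cache for expiry
     */
    @VisibleForTesting
    KsqlCacheAccessValidator(KsqlConfig ksqlConfig, KsqlAccessValidator ksqlAccessValidator, Ticker ticker) {
        this.backendValidator = ksqlAccessValidator;
        long expirySeconds = ksqlConfig.getLong("ksql.authorization.cache.expiry.time.secs").longValue();
        long maxEntries = ksqlConfig.getLong("ksql.authorization.cache.max.entries").longValue();
        // expireAfterWrite bounds how long a stale allow or deny can be served after the
        // backend's answer has changed. maximumSize bounds the memory held by cached keys.
        this.cache = CacheBuilder.newBuilder()
                .expireAfterWrite(expirySeconds, TimeUnit.SECONDS)
                .maximumSize(maxEntries)
                .ticker(ticker)
                .build(buildCacheLoader());
    }

    /** Builds the loader that resolves a cache miss by asking the backend validator. */
    private CacheLoader<CacheKey, CacheValue> buildCacheLoader() {
        return new CacheLoader<CacheKey, CacheValue>() {
            @Override
            public CacheValue load(CacheKey cacheKey) {
                switch (cacheKey.authObjectType) {
                    case TOPIC:
                        return KsqlCacheAccessValidator.this.internalTopicAccessValidator(cacheKey);
                    case SUBJECT:
                        return KsqlCacheAccessValidator.this.internalSubjectAccessValidator(cacheKey);
                    default:
                        throw new IllegalStateException("Unknown access validator type: " + cacheKey.authObjectType);
                }
            }
        };
    }

    /**
     * Runs the backend topic check and converts the outcome into a cacheable value.
     * Only {@link KsqlTopicAuthorizationException} is treated as a denial; any other exception
     * propagates out of the loader. (Private in the compiled class according to the decompiler.)
     */
    public CacheValue internalTopicAccessValidator(CacheKey cacheKey) {
        try {
            this.backendValidator.checkTopicAccess(cacheKey.securityContext, cacheKey.objectName, cacheKey.operation);
            return new CacheValue(ALLOW_ACCESS, Optional.empty());
        } catch (KsqlTopicAuthorizationException e) {
            return new CacheValue(!ALLOW_ACCESS, Optional.of(e));
        }
    }

    /**
     * Runs the backend subject check and converts the outcome into a cacheable value.
     * Only {@link KsqlSchemaAuthorizationException} is treated as a denial; any other exception
     * propagates out of the loader. (Private in the compiled class according to the decompiler.)
     */
    public CacheValue internalSubjectAccessValidator(CacheKey cacheKey) {
        try {
            this.backendValidator.checkSubjectAccess(cacheKey.securityContext, cacheKey.objectName, cacheKey.operation);
            return new CacheValue(ALLOW_ACCESS, Optional.empty());
        } catch (KsqlSchemaAuthorizationException e) {
            return new CacheValue(!ALLOW_ACCESS, Optional.of(e));
        }
    }

    /**
     * Resolves the key through the cache and rethrows the stored denial, if any.
     *
     * <p>{@code getUnchecked} wraps an unchecked exception thrown by the loader in Guava's
     * {@code UncheckedExecutionException}. A backend failure that is not one of the caught
     * authorization exceptions therefore reaches the caller wrapped rather than as its
     * original type.
     */
    private void checkAccess(CacheKey cacheKey) {
        CacheValue decision = this.cache.getUnchecked(cacheKey);
        if (!decision.allowAccess) {
            throw decision.denialReason.get();
        }
    }

    /**
     * Checks topic access through the cache.
     *
     * @throws RuntimeException the cached denial from the backend when access is not allowed
     */
    @Override
    public void checkTopicAccess(KsqlSecurityContext ksqlSecurityContext, String str, AclOperation aclOperation) {
        checkAccess(new CacheKey(ksqlSecurityContext, AuthObjectType.TOPIC, str, aclOperation));
    }

    /**
     * Checks schema-subject access through the cache.
     *
     * @throws RuntimeException the cached denial from the backend when access is not allowed
     */
    @Override
    public void checkSubjectAccess(KsqlSecurityContext ksqlSecurityContext, String str, AclOperation aclOperation) {
        checkAccess(new CacheKey(ksqlSecurityContext, AuthObjectType.SUBJECT, str, aclOperation));
    }
}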
