package io.confluent.controlcenter.data;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import io.confluent.controlcenter.ControlCenterRbacConfig;
import io.confluent.controlcenter.httpclient.BasicHttpCredential;
import io.confluent.controlcenter.httpclient.BearerTokenHttpCredential;
import io.confluent.controlcenter.httpclient.Client;
import io.confluent.controlcenter.servicehealthcheck.ServiceHealthCheckModule;
import io.confluent.controlcenter.servicehealthcheck.SingleServiceHealthCheck;
import io.confluent.controlcenter.util.ScopeUtils;
import io.confluent.rbacapi.entities.AuthorizeRequest;
import io.confluent.rbacapi.entities.VisibilityRequest;
import io.confluent.rbacapi.entities.VisibilityResponse;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.Scope;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import javax.validation.constraints.NotNull;
import javax.ws.rs.InternalServerErrorException;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.http.MimeTypes;
import org.eclipse.jetty.util.URIUtil;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/data/MetadataServiceClient.class */
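/**
 * Client for the Metadata Service (MDS) REST endpoints that back RBAC decisions.
 *
 * <p>Three endpoints are called: {@code /security/1.0/metadataClusterId},
 * {@code /security/1.0/authorize} and
 * {@code /security/1.0/lookup/principals/User:<name>/visibility}. Every request goes through
 * {@link #makeRequestWithRetries(Function)}, which takes its base URLs from the MDS health check.
 *
 * <p>Both {@link #authorize} and {@link #visibility} fail closed: a resource is returned only when
 * MDS answered positively for every action / cluster attached to it.
 */
public class MetadataServiceClient {
    /** The only MDS authorize answer that is treated as a grant. */
    protected static final String ALLOWED = "ALLOWED";
    private static final long MDS_TIMEOUT_SEC = 15;
    private static final int MDS_RETRIES_EACH = 2;
    private static final String MDS_ERROR_MESSAGE = "failed to connect to any MDS server";
    private static final Logger log = LoggerFactory.getLogger(MetadataServiceClient.class);

    private final ControlCenterRbacConfig rbacConfig;
    private final ObjectMapper objectMapper;
    private final SingleServiceHealthCheck mdsHealthCheck;
    // Written and read only inside synchronized methods.
    private SslContextFactory sslContextFactory = null;
    // volatile: getClient() reads this field without holding the lock.
    private volatile Client client = null;

    /**
     * @param controlCenterRbacConfig source of the Control Center username/password used for Basic auth
     * @param objectMapper mapper handed to the underlying HTTP {@link Client}
     * @param singleServiceHealthCheck supplies the MDS base URLs that requests are sent to
     */
    public MetadataServiceClient(ControlCenterRbacConfig controlCenterRbacConfig, ObjectMapper objectMapper, @ServiceHealthCheckModule.MetadataServiceHealthCheck SingleServiceHealthCheck singleServiceHealthCheck) {
        this.rbacConfig = controlCenterRbacConfig;
        this.objectMapper = objectMapper;
        this.mdsHealthCheck = singleServiceHealthCheck;
    }

    /** Builds the HTTP client once; later calls are no-ops. */
    private synchronized void initClient() {
        if (this.client != null) {
            return;
        }
        // NOTE(review): if setSslContextFactory() was never called, the factory passed here is null.
        // What Client does with a null factory (and therefore which TLS trust settings apply) is not
        // visible in this file; confirm it does not silently weaken certificate validation.
        this.client = new Client(this.sslContextFactory, this.objectMapper, MDS_TIMEOUT_SEC);
    }

    /** Returns the shared HTTP client, creating it on first use. */
    private Client getClient() {
        Client current = this.client;
        if (current == null) {
            initClient();
            current = this.client;
        }
        return current;
    }

    /**
     * Installs the TLS configuration and builds the HTTP client with it.
     *
     * <p>Synchronized so that the "client not built yet" check, the assignment and the client
     * construction cannot interleave with a lazy {@link #getClient()} on another thread, which would
     * otherwise build the client without this factory.
     *
     * @param sslContextFactory TLS settings for the MDS connection; must not be null
     * @throws IllegalStateException if the client has already been built
     * @throws NullPointerException if {@code sslContextFactory} is null
     */
    public synchronized void setSslContextFactory(@NotNull SslContextFactory sslContextFactory) {
        if (this.client != null) {
            throw new IllegalStateException("trying to set SslContextFactory but Client is already built!");
        }
        Preconditions.checkNotNull(sslContextFactory);
        this.sslContextFactory = sslContextFactory;
        initClient();
    }

    /**
     * Fetches the id of the Kafka cluster that hosts MDS.
     *
     * <p>The Control Center username and password are sent as HTTP Basic credentials to each base URL
     * that is tried.
     * NOTE(review): whether those URLs are always https is decided outside this class; confirm that
     * the health-check URL list cannot contain plain-http endpoints, or the password is exposed.
     *
     * @return the body of {@code GET /security/1.0/metadataClusterId}
     */
    public String getMetadataServiceKafkaId() {
        return makeRequestWithRetries(baseUrl ->
                (String) getClient().makeRequestNoBody(
                        baseUrl + "/security/1.0/metadataClusterId",
                        HttpMethod.GET,
                        new BasicHttpCredential(this.rbacConfig.getControlCenterUsername(), this.rbacConfig.getControlCenterPassword()),
                        new TypeReference<String>() {
                        }));
    }

    /**
     * Asks MDS which of the given resources the principal may act on.
     *
     * <p>All actions of all resources are flattened into one authorize request; the answers are then
     * matched back to the resources by position. A resource is included in the result only if every
     * one of its actions came back as exactly {@link #ALLOWED}; a missing, null or unknown answer
     * counts as a denial.
     *
     * @param str principal name; sent to MDS as {@code "User:" + str}
     * @param str2 bearer token presented to MDS for this call
     * @param map resources mapped to the actions that must all be allowed; every list must be non-empty
     * @return the keys of {@code map} for which every action was allowed
     * @throws IllegalArgumentException if any action list is empty
     * @throws InternalServerErrorException if MDS returns no body or a different number of answers
     *     than actions sent
     */
    public <T> Set<T> authorize(String str, String str2, Map<T, List<Action>> map) {
        List<T> resources = new ArrayList<>(map.size());
        List<Integer> actionCounts = new ArrayList<>(map.size());
        List<Action> flattenedActions = new ArrayList<>();
        map.forEach((resource, actions) -> {
            // An empty action list would pass the "all allowed" test vacuously and grant access.
            Preconditions.checkArgument(actions.size() > 0);
            resources.add(resource);
            actionCounts.add(actions.size());
            flattenedActions.addAll(actions);
        });

        // Cast kept because Client's declared return type is not visible in this file.
        @SuppressWarnings("unchecked")
        List<String> decisions = makeRequestWithRetries(baseUrl ->
                (List<String>) getClient().makeRequestWithContent(
                        baseUrl + "/security/1.0/authorize",
                        HttpMethod.PUT,
                        new BearerTokenHttpCredential(str2),
                        MimeTypes.Type.APPLICATION_JSON,
                        new AuthorizeRequest("User:" + str, flattenedActions),
                        new TypeReference<List<String>>() {
                        }));

        if (decisions == null) {
            log.error("expected list size {}, actual, {}", flattenedActions.size(), "null");
            throw new InternalServerErrorException();
        }
        // Positional matching is only sound when there is exactly one answer per action.
        if (decisions.size() != flattenedActions.size()) {
            log.error("expected list size {}, actual, {}", flattenedActions.size(), decisions.size());
            throw new InternalServerErrorException();
        }

        Set<T> authorized = new HashSet<>();
        int cursor = 0;
        for (int r = 0; r < resources.size(); r++) {
            int count = actionCounts.get(r);
            boolean allAllowed = true;
            // Always consume `count` answers, even after a denial, so the cursor stays aligned
            // with the next resource's slice.
            for (int k = 0; k < count; k++) {
                // Constant-first equals: a null answer denies instead of throwing.
                if (!ALLOWED.equals(decisions.get(cursor++))) {
                    allAllowed = false;
                }
            }
            if (allAllowed) {
                authorized.add(resources.get(r));
            }
        }
        return authorized;
    }

    /**
     * Asks MDS which of the given scopes are visible to the principal.
     *
     * <p>One {@link VisibilityRequest} is built per map entry from the scope's Kafka, Connect, Schema
     * Registry and KSQL cluster ids. A resource is included in the result only if its Kafka cluster
     * is visible and every listed Connect / Schema Registry / KSQL cluster is visible too. A response
     * entry that is null or lacks the Kafka cluster part is treated as not visible.
     *
     * @param str principal name; placed in the request path after {@code User:}
     * @param str2 bearer token presented to MDS for this call
     * @param map resources mapped to the scope whose visibility decides them; each scope must name a
     *     Kafka cluster
     * @return the keys of {@code map} whose scope is fully visible
     * @throws NullPointerException if a scope has no Kafka cluster id
     * @throws InternalServerErrorException if MDS returns no body or a different number of entries
     *     than requests sent
     */
    public <T> Set<T> visibility(String str, String str2, Map<T, Scope> map) {
        List<T> resources = new ArrayList<>(map.size());
        List<VisibilityRequest> requests = new ArrayList<>(map.size());
        map.forEach((resource, scope) -> {
            Map<String, String> clusters = scope.clusters();
            String kafkaClusterId = Preconditions.checkNotNull(clusters.get(ScopeUtils.KAFKA_CLUSTER));
            resources.add(resource);
            requests.add(new VisibilityRequest(
                    kafkaClusterId,
                    singletonListOrNull(clusters.get(ScopeUtils.CONNECT_CLUSTER)),
                    singletonListOrNull(clusters.get(ScopeUtils.SR_CLUSTER)),
                    singletonListOrNull(clusters.get(ScopeUtils.KSQL_CLUSTER))));
        });

        // NOTE(review): URIUtil.encodePath leaves '/' unescaped, so a principal name containing '/'
        // would contribute extra path segments to the MDS URL. Confirm principal names are validated
        // before they reach this method.
        // Cast kept because Client's declared return type is not visible in this file.
        @SuppressWarnings("unchecked")
        List<VisibilityResponse> responses = makeRequestWithRetries(baseUrl ->
                (List<VisibilityResponse>) getClient().makeRequestWithContent(
                        baseUrl + "/security/1.0/lookup/principals/User:" + URIUtil.encodePath(str) + "/visibility",
                        HttpMethod.POST,
                        new BearerTokenHttpCredential(str2),
                        MimeTypes.Type.APPLICATION_JSON,
                        requests,
                        new TypeReference<List<VisibilityResponse>>() {
                        }));

        if (responses == null) {
            log.error("expected list size {}, actual, {}", requests.size(), "null");
            throw new InternalServerErrorException();
        }
        // Responses are matched to requests by position, so the counts must agree.
        if (responses.size() != requests.size()) {
            log.error("expected list size {}, actual, {}", requests.size(), responses.size());
            throw new InternalServerErrorException();
        }

        Set<T> visible = new HashSet<>();
        for (int i = 0; i < resources.size(); i++) {
            VisibilityResponse response = responses.get(i);
            if (response == null || response.kafkaCluster == null) {
                // Incomplete answer: deny rather than fail the whole lookup with an NPE.
                log.warn("MDS visibility response {} has no Kafka cluster entry; treating as not visible", i);
                continue;
            }
            if (response.kafkaCluster.visible
                    && isNullEmptyOrAllVisible(response.connectClusters)
                    && isNullEmptyOrAllVisible(response.schemaRegistryClusters)
                    && isNullEmptyOrAllVisible(response.ksqlClusters)) {
                visible.add(resources.get(i));
            }
        }
        return visible;
    }

    /**
     * Runs {@code function} against the MDS base URLs reported healthy by the health check,
     * delegating retry handling to {@link Client#makeRequestWithRetries}.
     *
     * @param function request to perform, given a base URL
     * @return whatever {@code function} returned for the attempt that succeeded
     */
    protected <T> T makeRequestWithRetries(Function<String, T> function) {
        return (T) Client.makeRequestWithRetries(function, this.mdsHealthCheck.getHealthyUrls(), MDS_RETRIES_EACH, MDS_ERROR_MESSAGE);
    }

    /** Wraps a non-null value in a one-element list; returns null for a null value. */
    private static <T> List<T> singletonListOrNull(T value) {
        return value == null ? null : Collections.singletonList(value);
    }

    /**
     * Returns true when the list is absent or empty, or when every entry is marked visible.
     * A null entry counts as not visible.
     */
    private static boolean isNullEmptyOrAllVisible(List<VisibilityResponse.ClusterVisibility> list) {
        if (list == null || list.isEmpty()) {
            return true;
        }
        for (VisibilityResponse.ClusterVisibility entry : list) {
            if (entry == null || !entry.visible) {
                return false;
            }
        }
        return true;
    }
}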
