package io.confluent.controlcenter.data;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.connect.security.permissions.entities.Permissions;
import io.confluent.controlcenter.httpclient.BearerTokenHttpCredential;
import io.confluent.controlcenter.httpclient.Client;
import io.confluent.controlcenter.rest.res.ConnectCluster;
import io.confluent.controlcenter.rest.res.KafkaCluster;
import io.confluent.controlcenter.rest.res.KsqlCluster;
import io.confluent.controlcenter.rest.res.KsqlServerInfo;
import io.confluent.controlcenter.rest.res.SchemaRegistryCluster;
import io.confluent.controlcenter.util.ScopeUtils;
import io.confluent.security.authorizer.Scope;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.validation.constraints.NotNull;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/controlcenter/data/RbacServiceVisibilityFilter.class */
public class RbacServiceVisibilityFilter implements ServiceVisibilityFilter {
    private static final long SERVICE_TIMEOUT_SEC = 15;
    private final ObjectMapper objectMapper;
    private final PermissionsService permissionsService;
    private SslContextFactory sslContextFactory = null;
    private Client client = null;
    private static final Logger log = LoggerFactory.getLogger(RbacServiceVisibilityFilter.class);
    private static int SERVICE_RETRIES_EACH = 2;

    public RbacServiceVisibilityFilter(ObjectMapper objectMapper, PermissionsService permissionsService) {
        this.objectMapper = objectMapper;
        this.permissionsService = permissionsService;
    }

    private synchronized void initClient() {
        if (this.client != null) {
            return;
        }
        this.client = new Client(this.sslContextFactory, this.objectMapper, 15L);
    }

    private Client getClient() {
        if (this.client == null) {
            initClient();
        }
        return this.client;
    }

    @Override // io.confluent.controlcenter.data.ServiceVisibilityFilter
    public void setSslContextFactory(@NotNull SslContextFactory sslContextFactory) {
        if (this.client != null) {
            throw new IllegalStateException("trying to set SslContextFactory but Client is already built!");
        }
        Preconditions.checkNotNull(sslContextFactory);
        this.sslContextFactory = sslContextFactory;
        initClient();
    }

    @Override // io.confluent.controlcenter.data.ServiceVisibilityFilter
    public List<KafkaCluster> filterKafkaClusters(List<KafkaCluster> list, JwtPrincipal jwtPrincipal) {
        return getFilteredClusters(list, jwtPrincipal, kafkaCluster -> {
            return ScopeUtils.buildKafkaScope(kafkaCluster.clusterId);
        });
    }

    @Override // io.confluent.controlcenter.data.ServiceVisibilityFilter
    public List<KsqlCluster> filterKsqlClusters(List<KsqlCluster> list, JwtPrincipal jwtPrincipal) {
        return getFilteredClusters(list, jwtPrincipal, ksqlCluster -> {
            return getKsqlScope(ksqlCluster, jwtPrincipal.getJwt());
        });
    }

    @Override // io.confluent.controlcenter.data.ServiceVisibilityFilter
    public List<ConnectCluster> filterConnectClusters(List<ConnectCluster> list, JwtPrincipal jwtPrincipal) {
        return getFilteredClusters(list, jwtPrincipal, connectCluster -> {
            return getConnectScope(connectCluster, jwtPrincipal.getJwt());
        });
    }

    @Override // io.confluent.controlcenter.data.ServiceVisibilityFilter
    public List<SchemaRegistryCluster> filterSchemaRegistryClusters(List<SchemaRegistryCluster> list, JwtPrincipal jwtPrincipal) {
        return getFilteredClusters(list, jwtPrincipal, schemaRegistryCluster -> {
            return getSchemaRegistryScope(schemaRegistryCluster, jwtPrincipal.getJwt());
        });
    }

    Scope getKsqlScope(KsqlCluster ksqlCluster, String str) {
        try {
            KsqlServerInfo ksqlServerInfo = (KsqlServerInfo) makeRequestWithRetries(str2 -> {
                return (KsqlServerInfo) getClient().makeRequestNoBody(str2 + "/info", HttpMethod.GET, new BearerTokenHttpCredential(str), new TypeReference<KsqlServerInfo>() { // from class: io.confluent.controlcenter.data.RbacServiceVisibilityFilter.1
                });
            }, ksqlCluster.getEndpoints(), "failed to connect to any KSQl nodes");
            Preconditions.checkNotNull(ksqlServerInfo.getKafkaClusterId());
            Preconditions.checkNotNull(ksqlServerInfo.getKsqlServiceId());
            return ScopeUtils.buildKsqlScope(ksqlServerInfo.getKafkaClusterId(), ksqlServerInfo.getKsqlServiceId());
        } catch (Exception e) {
            log.info("exception trying to request id from ksql-cluster({}): {}", ksqlCluster.getDisplayName(), e.getMessage());
            return null;
        }
    }

    Scope getConnectScope(ConnectCluster connectCluster, String str) {
        try {
            return ((Permissions) makeRequestWithRetries(str2 -> {
                return (Permissions) getClient().makeRequestNoBody(str2 + "/permissions", HttpMethod.GET, new BearerTokenHttpCredential(str), new TypeReference<Permissions>() { // from class: io.confluent.controlcenter.data.RbacServiceVisibilityFilter.2
                });
            }, connectCluster.urls, "failed to connect to any Connect nodes")).getScope();
        } catch (Exception e) {
            log.info("exception trying to request id from connect-cluster({}): {}", connectCluster.displayName, e.getMessage());
            return null;
        }
    }

    Scope getSchemaRegistryScope(SchemaRegistryCluster schemaRegistryCluster, String str) {
        try {
            return ((io.confluent.kafka.schemaregistry.security.permissions.entities.Permissions) makeRequestWithRetries(str2 -> {
                return (io.confluent.kafka.schemaregistry.security.permissions.entities.Permissions) getClient().makeRequestNoBody(str2 + "/permissions", HttpMethod.GET, new BearerTokenHttpCredential(str), new TypeReference<io.confluent.kafka.schemaregistry.security.permissions.entities.Permissions>() { // from class: io.confluent.controlcenter.data.RbacServiceVisibilityFilter.3
                });
            }, schemaRegistryCluster.servers, "failed to connect to any SchemaRegistry nodes")).getScope();
        } catch (Exception e) {
            log.info("exception trying to request id from schema-registry-cluster({}): {}", schemaRegistryCluster.displayName, e.getMessage());
            return null;
        }
    }

    protected <T> T makeRequestWithRetries(Function<String, T> function, List<String> list, String str) {
        return (T) Client.makeRequestWithRetries(function, list, SERVICE_RETRIES_EACH, str);
    }

    private <T> List<T> getFilteredClusters(List<T> list, JwtPrincipal jwtPrincipal, Function<T, Scope> function) {
        Map<T, Scope> map = (Map) ((HashMap) list.stream().collect(HashMap::new, (hashMap, obj) -> {
        }, (v0, v1) -> {
            v0.putAll(v1);
        })).entrySet().stream().filter(entry -> {
            return entry.getValue() != null;
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        return map.size() == 0 ? ImmutableList.of() : ImmutableList.copyOf(this.permissionsService.getAllVisible(jwtPrincipal, map));
    }
}
