package org.apache.kafka.metadata.authorizer;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.SortedMap;
import java.util.SortedSet;
import java.util.stream.Collectors;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.metadata.authorizer.StandardAuthorizerData;
import org.apache.kafka.server.immutable.ImmutableMap;
import org.apache.kafka.server.immutable.ImmutableNavigableMap;
import org.apache.kafka.server.immutable.ImmutableNavigableSet;

/* loaded from: input_file:org/apache/kafka/metadata/authorizer/AclCache.class */
public class AclCache {
    private final ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks> aclsByResource;
    private final ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> denyAclsByPrincipal;
    private final ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> allowAclsByPrincipal;
    private final ImmutableMap<Uuid, ConfluentStandardAcl> aclsById;

    public AclCache() {
        this(ImmutableNavigableMap.empty(), ImmutableMap.empty(), ImmutableMap.empty(), ImmutableMap.empty());
    }

    public AclCache(ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks> immutableNavigableMap, ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap, ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap2, ImmutableMap<Uuid, ConfluentStandardAcl> immutableMap3) {
        this.aclsByResource = immutableNavigableMap;
        this.denyAclsByPrincipal = immutableMap;
        this.allowAclsByPrincipal = immutableMap2;
        this.aclsById = immutableMap3;
    }

    public SortedMap<StandardAcl, StandardAuthorizerData.AclLinks> aclsByResource() {
        return this.aclsByResource;
    }

    public SortedSet<StandardAcl> denyAclsByPrincipal(KafkaPrincipal kafkaPrincipal) {
        return this.denyAclsByPrincipal.getOrDefault(kafkaPrincipal, ImmutableNavigableSet.empty());
    }

    public SortedSet<StandardAcl> allowAclsByPrincipal(KafkaPrincipal kafkaPrincipal) {
        return this.allowAclsByPrincipal.getOrDefault(kafkaPrincipal, ImmutableNavigableSet.empty());
    }

    public Map<Uuid, ConfluentStandardAcl> aclsById() {
        return this.aclsById;
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        ArrayList arrayList = new ArrayList();
        this.aclsByResource.forEach((standardAcl, aclLinks) -> {
            AclBinding binding = standardAcl.toBinding(aclLinks.aclBindingLinksIds());
            if (aclBindingFilter.matches(binding)) {
                arrayList.add(binding);
            }
        });
        return arrayList;
    }

    public SortedSet<StandardAcl> allAcls() {
        return this.aclsByResource.navigableKeySet();
    }

    public AclCache clear() {
        return new AclCache();
    }

    public int count() {
        return this.aclsById.size();
    }

    public ConfluentStandardAcl getAcl(Uuid uuid) {
        return this.aclsById.get(uuid);
    }

    public AclCache addAcl(Uuid uuid, ConfluentStandardAcl confluentStandardAcl) {
        ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks> immutableNavigableMap = this.aclsByResource;
        ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap = this.allowAclsByPrincipal;
        ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap2 = this.denyAclsByPrincipal;
        ImmutableMap<Uuid, ConfluentStandardAcl> immutableMap3 = this.aclsById;
        StandardAcl standardAcl = confluentStandardAcl.standardAcl();
        Optional<Uuid> clusterLinkId = confluentStandardAcl.clusterLinkId();
        ImmutableMap<Uuid, ConfluentStandardAcl> updated = immutableMap3.updated(uuid, confluentStandardAcl);
        StandardAuthorizerData.AclLinks aclLinks = (StandardAuthorizerData.AclLinks) immutableNavigableMap.get(standardAcl);
        ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks> updated2 = immutableNavigableMap.updated((ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks>) standardAcl, (StandardAcl) (aclLinks == null ? new StandardAuthorizerData.AclLinks(standardAcl, Collections.singleton(clusterLinkId.orElse(Uuid.ZERO_UUID))) : aclLinks.copyAndAddLinkId(clusterLinkId)));
        if (standardAcl.permissionType().equals(AclPermissionType.ALLOW)) {
            immutableMap = immutableMap.updated(standardAcl.kafkaPrincipal(), immutableMap.getOrDefault(standardAcl.kafkaPrincipal(), ImmutableNavigableSet.empty()).added((ImmutableNavigableSet<StandardAcl>) standardAcl));
        }
        if (standardAcl.permissionType().equals(AclPermissionType.DENY)) {
            immutableMap2 = immutableMap2.updated(standardAcl.kafkaPrincipal(), immutableMap2.getOrDefault(standardAcl.kafkaPrincipal(), ImmutableNavigableSet.empty()).added((ImmutableNavigableSet<StandardAcl>) standardAcl));
        }
        return new AclCache(updated2, immutableMap2, immutableMap, updated);
    }

    public AclCache removeAcl(Uuid uuid) {
        ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks> removed;
        ImmutableMap<Uuid, ConfluentStandardAcl> immutableMap = this.aclsById;
        ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks> immutableNavigableMap = this.aclsByResource;
        ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap2 = this.allowAclsByPrincipal;
        ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap3 = this.denyAclsByPrincipal;
        ConfluentStandardAcl confluentStandardAcl = immutableMap.get(uuid);
        if (confluentStandardAcl == null) {
            throw new RuntimeException("ID " + uuid + " not found in aclsById.");
        }
        ImmutableMap<Uuid, ConfluentStandardAcl> removed2 = immutableMap.removed(uuid);
        StandardAcl standardAcl = confluentStandardAcl.standardAcl();
        StandardAuthorizerData.AclLinks aclLinks = (StandardAuthorizerData.AclLinks) immutableNavigableMap.get(standardAcl);
        if (aclLinks == null) {
            throw new RuntimeException("ACL  " + confluentStandardAcl + " not found in aclsByResource");
        }
        StandardAuthorizerData.AclLinks copyAndRemoveLinkId = aclLinks.copyAndRemoveLinkId(confluentStandardAcl.clusterLinkId());
        if (copyAndRemoveLinkId.isEmpty()) {
            removed = immutableNavigableMap.removed((ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks>) standardAcl);
            if (standardAcl.permissionType().equals(AclPermissionType.ALLOW)) {
                immutableMap2 = removeAclFromPrincipalAclCache(immutableMap2, standardAcl, uuid, true);
            }
            if (standardAcl.permissionType().equals(AclPermissionType.DENY)) {
                immutableMap3 = removeAclFromPrincipalAclCache(immutableMap3, standardAcl, uuid, false);
            }
        } else {
            removed = immutableNavigableMap.updated((ImmutableNavigableMap<StandardAcl, StandardAuthorizerData.AclLinks>) standardAcl, (StandardAcl) copyAndRemoveLinkId);
        }
        return new AclCache(removed, immutableMap3, immutableMap2, removed2);
    }

    public boolean validateAclCache() {
        final Set set = (Set) this.allowAclsByPrincipal.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toSet());
        final Set set2 = (Set) this.denyAclsByPrincipal.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toSet());
        if (!set.isEmpty() && !((Set) set.stream().filter(standardAcl -> {
            return standardAcl.permissionType() != AclPermissionType.ALLOW;
        }).collect(Collectors.toSet())).isEmpty()) {
            return false;
        }
        if (!set2.isEmpty() && !((Set) set2.stream().filter(standardAcl2 -> {
            return standardAcl2.permissionType() != AclPermissionType.DENY;
        }).collect(Collectors.toSet())).isEmpty()) {
            return false;
        }
        return new HashSet(this.aclsByResource.keySet()).equals(new HashSet<StandardAcl>() { // from class: org.apache.kafka.metadata.authorizer.AclCache.1
            {
                addAll(set);
                addAll(set2);
            }
        });
    }

    private ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> removeAclFromPrincipalAclCache(ImmutableMap<KafkaPrincipal, ImmutableNavigableSet<StandardAcl>> immutableMap, StandardAcl standardAcl, Uuid uuid, boolean z) {
        ImmutableNavigableSet<StandardAcl> immutableNavigableSet = immutableMap.get(standardAcl.kafkaPrincipal());
        if (immutableNavigableSet == null || !immutableNavigableSet.contains(standardAcl)) {
            throw new RuntimeException("Unable to remove the ACL with " + uuid + " from " + (z ? "allowAclsByPrincipal" : "denyAclsByPrincipal"));
        }
        ImmutableNavigableSet<StandardAcl> removed = immutableNavigableSet.removed((ImmutableNavigableSet<StandardAcl>) standardAcl);
        return removed.isEmpty() ? immutableMap.removed(standardAcl.kafkaPrincipal()) : immutableMap.updated(standardAcl.kafkaPrincipal(), removed);
    }
}
