package org.apache.kafka.controller;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.errors.ApiException;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.errors.UnknownServerException;
import org.apache.kafka.common.metadata.AccessControlEntryRecord;
import org.apache.kafka.common.metadata.BrokerRegistrationChangeRecord;
import org.apache.kafka.common.metadata.RemoveAccessControlEntryRecord;
import org.apache.kafka.common.requests.ApiError;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer;
import org.apache.kafka.metadata.authorizer.StandardAcl;
import org.apache.kafka.metadata.authorizer.StandardAclWithId;
import org.apache.kafka.raft.OffsetAndEpoch;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.common.ApiMessageAndVersion;
import org.apache.kafka.timeline.SnapshotRegistry;
import org.apache.kafka.timeline.TimelineHashMap;
import org.apache.kafka.timeline.TimelineHashSet;

/* loaded from: input_file:org/apache/kafka/controller/AclControlManager.class */
public class AclControlManager {
    private final TimelineHashMap<Uuid, StandardAcl> idToAcl;
    private final TimelineHashSet<StandardAcl> existingAcls;
    private final Optional<ClusterMetadataAuthorizer> authorizer;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.kafka.controller.AclControlManager$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/kafka/controller/AclControlManager$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$resource$ResourceType;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$resource$PatternType;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclOperation;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclPermissionType = new int[AclPermissionType.values().length];

        static {
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclPermissionType[AclPermissionType.DENY.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclPermissionType[AclPermissionType.ALLOW.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            $SwitchMap$org$apache$kafka$common$acl$AclOperation = new int[AclOperation.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.UNKNOWN.ordinal()] = 1;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.ANY.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
            $SwitchMap$org$apache$kafka$common$resource$PatternType = new int[PatternType.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$resource$PatternType[PatternType.LITERAL.ordinal()] = 1;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$PatternType[PatternType.PREFIXED.ordinal()] = 2;
            } catch (NoSuchFieldError e6) {
            }
            $SwitchMap$org$apache$kafka$common$resource$ResourceType = new int[ResourceType.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.UNKNOWN.ordinal()] = 1;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.ANY.ordinal()] = 2;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AclControlManager(SnapshotRegistry snapshotRegistry, Optional<ClusterMetadataAuthorizer> optional) {
        this.idToAcl = new TimelineHashMap<>(snapshotRegistry, 0);
        this.existingAcls = new TimelineHashSet<>(snapshotRegistry, 0);
        this.authorizer = optional;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ControllerResult<List<AclCreateResult>> createAcls(List<AclBinding> list) {
        ArrayList arrayList = new ArrayList(list.size());
        ArrayList arrayList2 = new ArrayList(list.size());
        for (AclBinding aclBinding : list) {
            try {
                validateNewAcl(aclBinding);
                StandardAcl fromAclBinding = StandardAcl.fromAclBinding(aclBinding);
                if (this.existingAcls.add(fromAclBinding)) {
                    StandardAclWithId standardAclWithId = new StandardAclWithId(newAclId(), fromAclBinding);
                    this.idToAcl.put(standardAclWithId.id(), fromAclBinding);
                    arrayList2.add(new ApiMessageAndVersion(standardAclWithId.toRecord(), (short) 0));
                }
                arrayList.add(AclCreateResult.SUCCESS);
            } catch (Throwable th) {
                arrayList.add(new AclCreateResult(th instanceof ApiException ? th : new UnknownServerException("Unknown error while trying to create ACL", th)));
            }
        }
        return new ControllerResult<>(arrayList2, arrayList, true);
    }

    Uuid newAclId() {
        Uuid randomUuid;
        do {
            randomUuid = Uuid.randomUuid();
        } while (this.idToAcl.containsKey(randomUuid));
        return randomUuid;
    }

    static void validateNewAcl(AclBinding aclBinding) {
        switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$resource$ResourceType[aclBinding.pattern().resourceType().ordinal()]) {
            case BrokerRegistrationChangeRecord.HIGHEST_SUPPORTED_VERSION /* 1 */:
            case 2:
                throw new InvalidRequestException("Invalid resourceType " + aclBinding.pattern().resourceType());
            default:
                switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$resource$PatternType[aclBinding.pattern().patternType().ordinal()]) {
                    case BrokerRegistrationChangeRecord.HIGHEST_SUPPORTED_VERSION /* 1 */:
                    case 2:
                        switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$acl$AclOperation[aclBinding.entry().operation().ordinal()]) {
                            case BrokerRegistrationChangeRecord.HIGHEST_SUPPORTED_VERSION /* 1 */:
                            case 2:
                                throw new InvalidRequestException("Invalid operation " + aclBinding.entry().operation());
                            default:
                                switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$acl$AclPermissionType[aclBinding.entry().permissionType().ordinal()]) {
                                    case BrokerRegistrationChangeRecord.HIGHEST_SUPPORTED_VERSION /* 1 */:
                                    case 2:
                                        if (aclBinding.pattern().name() == null || aclBinding.pattern().name().isEmpty()) {
                                            throw new InvalidRequestException("Resource name should not be empty");
                                        }
                                        return;
                                    default:
                                        throw new InvalidRequestException("Invalid permissionType " + aclBinding.entry().permissionType());
                                }
                        }
                    default:
                        throw new InvalidRequestException("Invalid patternType " + aclBinding.pattern().patternType());
                }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ControllerResult<List<AclDeleteResult>> deleteAcls(List<AclBindingFilter> list) {
        ArrayList arrayList = new ArrayList();
        HashSet hashSet = new HashSet();
        for (AclBindingFilter aclBindingFilter : list) {
            try {
                validateFilter(aclBindingFilter);
                arrayList.add(deleteAclsForFilter(aclBindingFilter, hashSet));
            } catch (Throwable th) {
                arrayList.add(new AclDeleteResult(ApiError.fromThrowable(th).exception()));
            }
        }
        return ControllerResult.atomicOf((List) hashSet.stream().collect(Collectors.toList()), arrayList);
    }

    AclDeleteResult deleteAclsForFilter(AclBindingFilter aclBindingFilter, Set<ApiMessageAndVersion> set) {
        ArrayList arrayList = new ArrayList();
        for (Map.Entry entry : this.idToAcl.entrySet()) {
            Uuid uuid = (Uuid) entry.getKey();
            AclBinding binding = ((StandardAcl) entry.getValue()).toBinding();
            if (aclBindingFilter.matches(binding)) {
                arrayList.add(new AclDeleteResult.AclBindingDeleteResult(binding));
                set.add(new ApiMessageAndVersion(new RemoveAccessControlEntryRecord().setId(uuid), (short) 0));
            }
        }
        return new AclDeleteResult(arrayList);
    }

    static void validateFilter(AclBindingFilter aclBindingFilter) {
        if (aclBindingFilter.patternFilter().isUnknown()) {
            throw new InvalidRequestException("Unknown patternFilter.");
        }
        if (aclBindingFilter.entryFilter().isUnknown()) {
            throw new InvalidRequestException("Unknown entryFilter.");
        }
    }

    public void replay(AccessControlEntryRecord accessControlEntryRecord, Optional<OffsetAndEpoch> optional) {
        StandardAclWithId fromRecord = StandardAclWithId.fromRecord(accessControlEntryRecord);
        this.idToAcl.put(fromRecord.id(), fromRecord.acl());
        this.existingAcls.add(fromRecord.acl());
        if (optional.isPresent()) {
            return;
        }
        this.authorizer.ifPresent(clusterMetadataAuthorizer -> {
            clusterMetadataAuthorizer.addAcl(fromRecord.id(), fromRecord.acl());
        });
    }

    public void replay(RemoveAccessControlEntryRecord removeAccessControlEntryRecord, Optional<OffsetAndEpoch> optional) {
        StandardAcl standardAcl = (StandardAcl) this.idToAcl.remove(removeAccessControlEntryRecord.id());
        if (standardAcl == null) {
            throw new RuntimeException("Unable to replay " + removeAccessControlEntryRecord + ": no acl with that ID found.");
        }
        if (!this.existingAcls.remove(standardAcl)) {
            throw new RuntimeException("Unable to replay " + removeAccessControlEntryRecord + " for " + standardAcl + ": acl not found in existingAcls.");
        }
        if (optional.isPresent()) {
            return;
        }
        this.authorizer.ifPresent(clusterMetadataAuthorizer -> {
            clusterMetadataAuthorizer.removeAcl(removeAccessControlEntryRecord.id());
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Map<Uuid, StandardAcl> idToAcl() {
        return Collections.unmodifiableMap(this.idToAcl);
    }
}
