package org.apache.kafka.controller;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.acl.AclState;
import org.apache.kafka.common.errors.ApiException;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.errors.UnknownServerException;
import org.apache.kafka.common.metadata.AccessControlEntryRecord;
import org.apache.kafka.common.metadata.RemoveAccessControlEntryRecord;
import org.apache.kafka.common.requests.ApiError;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.metadata.authorizer.ConfluentStandardAcl;
import org.apache.kafka.metadata.authorizer.StandardAclWithId;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.common.ApiMessageAndVersion;
import org.apache.kafka.server.mutable.BoundedList;
import org.apache.kafka.server.mutable.BoundedListTooLongException;
import org.apache.kafka.timeline.SnapshotRegistry;
import org.apache.kafka.timeline.TimelineHashMap;
import org.apache.kafka.timeline.TimelineHashSet;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/kafka/controller/AclControlManager.class */
public class AclControlManager {
    private final Logger log;
    private final TimelineHashMap<Uuid, ConfluentStandardAcl> idToAcl;
    private final TimelineHashSet<ConfluentStandardAcl> existingAcls;
    private final TimelineHashMap<Uuid, TimelineHashSet<Uuid>> linkIdToAcls;
    private final Function<Uuid, Boolean> isValidClusterLink;
    private final SnapshotRegistry snapshotRegistry;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.kafka.controller.AclControlManager$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/kafka/controller/AclControlManager$1.class */
    // Compiler-generated switch-map holder, as recovered by the decompiler. For every enum the outer
    // class switches on, an int[] indexed by ordinal() supplies the case label used in that switch.
    // Constants that are not assigned below keep the array default of 0 and therefore fall into the
    // `default` branch of the corresponding switch.
    //
    // How the validators in the outer class read these labels:
    //   - ResourceType, AclOperation, AclState: labels 1 and 2 (UNKNOWN, ANY) are the rejected values.
    //   - PatternType (LITERAL, PREFIXED) and AclPermissionType (DENY, ALLOW): labels 1 and 2 are the
    //     only accepted values; everything else is rejected.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$resource$ResourceType;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$resource$PatternType;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclOperation;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclPermissionType;
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$acl$AclState = new int[AclState.values().length];

        static {
            // Each assignment is wrapped in its own try/catch so that an enum constant missing at run
            // time (NoSuchFieldError) is skipped instead of failing class initialization.
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclState[AclState.UNKNOWN.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclState[AclState.ANY.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            // Permission types accepted by validateNewAcl.
            $SwitchMap$org$apache$kafka$common$acl$AclPermissionType = new int[AclPermissionType.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclPermissionType[AclPermissionType.DENY.ordinal()] = 1;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclPermissionType[AclPermissionType.ALLOW.ordinal()] = 2;
            } catch (NoSuchFieldError e4) {
            }
            // Operations rejected by validateNewAcl.
            $SwitchMap$org$apache$kafka$common$acl$AclOperation = new int[AclOperation.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.UNKNOWN.ordinal()] = 1;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$acl$AclOperation[AclOperation.ANY.ordinal()] = 2;
            } catch (NoSuchFieldError e6) {
            }
            // Pattern types accepted by validateNewAcl.
            $SwitchMap$org$apache$kafka$common$resource$PatternType = new int[PatternType.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$resource$PatternType[PatternType.LITERAL.ordinal()] = 1;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$PatternType[PatternType.PREFIXED.ordinal()] = 2;
            } catch (NoSuchFieldError e8) {
            }
            // Resource types rejected by validateNewAcl.
            $SwitchMap$org$apache$kafka$common$resource$ResourceType = new int[ResourceType.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.UNKNOWN.ordinal()] = 1;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.ANY.ordinal()] = 2;
            } catch (NoSuchFieldError e10) {
            }
        }
    }

    /* loaded from: input_file:org/apache/kafka/controller/AclControlManager$Builder.class */
    /**
     * Assembles an {@link AclControlManager}. Collaborators that were never set are defaulted in
     * {@link #build()}.
     *
     * <p>The decompiler reports that the setters and {@code build()} were package-private in the
     * original class and were widened to {@code public} in this listing.
     */
    static class Builder {
        private LogContext logContext = null;
        private SnapshotRegistry snapshotRegistry = null;
        // Default checker answers "valid" for every link ID. A deployment that relies on link-ID
        // validation in createAcls must install a real checker through setValidLinkIdChecker.
        private Function<Uuid, Boolean> validLinkIdChecker = linkId -> true;

        /**
         * Sets the log context used to create the manager's logger.
         *
         * @param logContext the log context, or {@code null} to have {@link #build()} create one
         * @return this builder
         */
        public Builder setLogContext(LogContext logContext) {
            this.logContext = logContext;
            return this;
        }

        /**
         * Sets the snapshot registry that backs the manager's timeline collections.
         *
         * @param snapshotRegistry the registry, or {@code null} to have {@link #build()} create one
         * @return this builder
         */
        public Builder setSnapshotRegistry(SnapshotRegistry snapshotRegistry) {
            this.snapshotRegistry = snapshotRegistry;
            return this;
        }

        /**
         * Replaces the predicate that createAcls consults for each cluster link ID on a new ACL.
         *
         * @param function the checker; it is stored as given, without a null check
         * @return this builder
         */
        public Builder setValidLinkIdChecker(Function<Uuid, Boolean> function) {
            validLinkIdChecker = function;
            return this;
        }

        /**
         * Fills in a default log context and snapshot registry where none was supplied, then creates
         * the manager. The defaults are written back into this builder's fields.
         *
         * @return the new manager
         */
        public AclControlManager build() {
            if (logContext == null) {
                logContext = new LogContext();
            }
            if (snapshotRegistry == null) {
                snapshotRegistry = new SnapshotRegistry(logContext);
            }
            // The trailing null selects the compiler-generated accessor constructor.
            return new AclControlManager(logContext, snapshotRegistry, validLinkIdChecker, null);
        }
    }

    /**
     * Creates a manager whose three ACL collections are all tied to the given snapshot registry.
     *
     * @param logContext       source of the class logger
     * @param snapshotRegistry registry passed to every timeline collection and kept for later use
     * @param function         predicate that answers whether a cluster link ID is valid
     */
    private AclControlManager(LogContext logContext, SnapshotRegistry snapshotRegistry, Function<Uuid, Boolean> function) {
        this.snapshotRegistry = snapshotRegistry;
        this.isValidClusterLink = function;
        this.log = logContext.logger(AclControlManager.class);
        // Collections are created in the same relative order as before.
        this.idToAcl = new TimelineHashMap<>(snapshotRegistry, 0);
        this.existingAcls = new TimelineHashSet<>(snapshotRegistry, 0);
        this.linkIdToAcls = new TimelineHashMap<>(snapshotRegistry, 0);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the given ACLs in the {@link AclState#ACTIVE} state.
     *
     * @param list the bindings to create
     * @return the records to commit and one result per binding
     */
    public ControllerResult<List<AclCreateResult>> createAcls(List<AclBinding> list) {
        final AclState defaultState = AclState.ACTIVE;
        return createAcls(list, defaultState);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
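    /**
     * Validates each binding and stages the ACLs that do not exist yet.
     *
     * <p>For every binding the method checks the binding itself, the requested state and each
     * cluster link ID it carries. A binding that fails any check gets an error result and does not
     * stop the remaining bindings from being processed. An ACL already present in
     * {@code existingAcls} still yields {@link AclCreateResult#SUCCESS} but produces no record.
     *
     * @param list     the bindings to create
     * @param aclState the state to create them in; UNKNOWN and ANY are rejected
     * @return an atomic result holding the new ACL records and one result per binding, in input order
     */
    public ControllerResult<List<AclCreateResult>> createAcls(List<AclBinding> list, AclState aclState) {
        List<AclCreateResult> results = new ArrayList<>(list.size());
        BoundedList<ApiMessageAndVersion> records = BoundedList.newArrayBacked(10000);
        for (AclBinding aclBinding : list) {
            try {
                validateNewAcl(aclBinding);
                validateAclStateForCreate(aclState);
                for (Uuid linkId : aclBinding.entry().clusterLinkIds()) {
                    if (linkId.equals(Uuid.ZERO_UUID)) {
                        throw new InvalidRequestException("Invalid link ID " + linkId + " provided to create the ACL. Provide a valid link id or create an ACL without one.");
                    }
                    // Fail closed: a checker that answers null is treated the same as "not valid"
                    // instead of surfacing as a NullPointerException.
                    if (!Boolean.TRUE.equals(this.isValidClusterLink.apply(linkId))) {
                        throw new InvalidRequestException("Unknown link ID " + linkId + " provided to create ACL");
                    }
                }
                for (ConfluentStandardAcl acl : ConfluentStandardAcl.fromAclBindingWithAclState(aclBinding, aclState)) {
                    // existingAcls doubles as the duplicate check: only a genuinely new ACL gets an
                    // ID and a record.
                    if (this.existingAcls.add(acl)) {
                        StandardAclWithId aclWithId = new StandardAclWithId(newAclId(), acl);
                        this.idToAcl.put(aclWithId.id(), acl);
                        // NOTE(review): the in-memory collections are updated before the record is
                        // appended. If the bounded list rejects the append, that failure is caught
                        // below and reported for this binding only, while the records gathered so
                        // far are still returned. Confirm this is the intended outcome.
                        records.add(new ApiMessageAndVersion(aclWithId.toRecord(), (short) 0));
                    }
                }
                results.add(AclCreateResult.SUCCESS);
            } catch (Throwable th) {
                // AclCreateResult takes an ApiException, so anything else is wrapped; the cast is
                // required for the conditional to type-check.
                ApiException error = th instanceof ApiException
                    ? (ApiException) th
                    : new UnknownServerException("Unknown error while trying to create ACL", th);
                results.add(new AclCreateResult(error));
            }
        }
        return new ControllerResult<>(records, results, true);
    }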

    /**
     * Draws random UUIDs until one is found that is not already a key of {@code idToAcl}.
     *
     * @return an ID not currently used by any stored ACL
     */
    Uuid newAclId() {
        Uuid candidate = Uuid.randomUuid();
        while (this.idToAcl.containsKey(candidate)) {
            candidate = Uuid.randomUuid();
        }
        return candidate;
    }

    /**
     * Rejects bindings that cannot be stored as a concrete ACL.
     *
     * <p>Checks run in this order, and the first failure wins: resource type, pattern type,
     * operation, permission type, resource name, principal.
     *
     * <p>The principal check only requires that a colon is present. It does not inspect the
     * principal type or require a non-empty name after the colon, so callers that need stricter
     * principal syntax must enforce it themselves.
     *
     * @param aclBinding the binding to validate
     * @throws InvalidRequestException if any of the checks fails
     */
    static void validateNewAcl(AclBinding aclBinding) {
        ResourceType resourceType = aclBinding.pattern().resourceType();
        switch (resourceType) {
            case UNKNOWN:
            case ANY:
                throw new InvalidRequestException("Invalid resourceType " + resourceType);
            default:
                break;
        }

        // Only concrete pattern types may be stored; every other pattern type is refused.
        PatternType patternType = aclBinding.pattern().patternType();
        switch (patternType) {
            case LITERAL:
            case PREFIXED:
                break;
            default:
                throw new InvalidRequestException("Invalid patternType " + patternType);
        }

        AclOperation operation = aclBinding.entry().operation();
        switch (operation) {
            case UNKNOWN:
            case ANY:
                throw new InvalidRequestException("Invalid operation " + operation);
            default:
                break;
        }

        // Allow-list: anything other than DENY or ALLOW is refused.
        AclPermissionType permissionType = aclBinding.entry().permissionType();
        switch (permissionType) {
            case DENY:
            case ALLOW:
                break;
            default:
                throw new InvalidRequestException("Invalid permissionType " + permissionType);
        }

        String resourceName = aclBinding.pattern().name();
        if (resourceName == null || resourceName.isEmpty()) {
            throw new InvalidRequestException("Resource name should not be empty");
        }

        String principal = aclBinding.entry().principal();
        if (!principal.contains(":")) {
            throw new InvalidRequestException("Could not parse principal from `" + principal + "` (no colon is present separating the principal type from the principal name)");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Deletes the ACLs matched by the given filters, whatever state they are in.
     *
     * @param list the filters to apply
     * @return the removal records to commit and one result per filter
     */
    public ControllerResult<List<AclDeleteResult>> deleteAcls(List<AclBindingFilter> list) {
        final AclState anyState = AclState.ANY;
        return deleteAcls(list, anyState);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
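    /**
     * Applies each filter and collects one removal record per matched ACL.
     *
     * <p>A filter that fails validation, or whose processing throws, gets an error result; the other
     * filters are still processed. Removal records are shared across filters, so an ACL matched by
     * several filters is removed once.
     *
     * <p>Each filter works on a staged copy of the record set, and the copy is adopted only when
     * the filter completes. Without the staging, a filter that threw part-way (for example on the
     * record limit enforced by {@code deleteAclsForFilter}) would leave the records it had already
     * added in the set that is returned. Those ACLs would be removed on commit although the caller
     * was told the filter failed.
     *
     * @param list     the filters to apply
     * @param aclState the state an ACL must be in to be deleted, or ANY; UNKNOWN is rejected
     * @return an atomic result holding the removal records and one result per filter, in input order
     */
    public ControllerResult<List<AclDeleteResult>> deleteAcls(List<AclBindingFilter> list, AclState aclState) {
        List<AclDeleteResult> results = new ArrayList<>(list.size());
        Set<ApiMessageAndVersion> records = new HashSet<>();
        for (AclBindingFilter filter : list) {
            try {
                validateFilter(filter);
                validateAclStateForDelete(aclState);
                // Seeding the copy with the records so far keeps the size limit cumulative.
                Set<ApiMessageAndVersion> staged = new HashSet<>(records);
                results.add(deleteAclsForFilter(filter, staged, aclState));
                records = staged;
            } catch (Throwable th) {
                // The staged copy is dropped, so the failed filter contributes no removals.
                results.add(new AclDeleteResult(ApiError.fromThrowable(th).exception()));
            }
        }
        return ControllerResult.atomicOf(new ArrayList<>(records), results);
    }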

    /**
     * Scans every stored ACL and adds a removal record for each one the filter and state select.
     *
     * <p>An ACL is selected when the filter matches its binding and either its state equals
     * {@code aclState} or {@code aclState} is ANY. When deleting with ANY, an ACL already in the
     * DELETED state still gets a removal record but is left out of the reported bindings.
     *
     * <p>The size limit is checked after each record is added, so {@code set} can hold one record
     * more than the limit at the moment the exception is thrown.
     *
     * @param aclBindingFilter the filter to match stored ACLs against
     * @param set              receives the removal records; shared with the caller
     * @param aclState         the required state, or ANY
     * @return the bindings reported as deleted for this filter
     * @throws BoundedListTooLongException if {@code set} grows past 10000 records
     */
    AclDeleteResult deleteAclsForFilter(AclBindingFilter aclBindingFilter, Set<ApiMessageAndVersion> set, AclState aclState) {
        List<AclDeleteResult.AclBindingDeleteResult> reported = new ArrayList<>();
        final boolean anyState = aclState == AclState.ANY;
        for (Map.Entry<Uuid, ConfluentStandardAcl> stored : this.idToAcl.entrySet()) {
            Uuid aclId = stored.getKey();
            ConfluentStandardAcl acl = stored.getValue();
            AclBinding binding = acl.toBinding();
            if (!aclBindingFilter.matches(binding)) {
                continue;
            }
            AclState currentState = acl.aclState();
            if (currentState != aclState && !anyState) {
                continue;
            }
            // Under ANY, an ACL that is already DELETED is removed without being reported.
            boolean alreadyDeleted = anyState && currentState == AclState.DELETED;
            if (!alreadyDeleted) {
                reported.add(new AclDeleteResult.AclBindingDeleteResult(binding));
            }
            set.add(new ApiMessageAndVersion(new RemoveAccessControlEntryRecord().setId(aclId), (short) 0));
            if (set.size() > 10000) {
                throw new BoundedListTooLongException("Cannot remove more than 10000 acls in a single delete operation.");
            }
        }
        return new AclDeleteResult(reported);
    }

    /**
     * Rejects the placeholder states UNKNOWN and ANY; an ACL can only be created in a concrete state.
     *
     * @param aclState the requested state
     * @throws InvalidRequestException if the state is UNKNOWN or ANY
     */
    static void validateAclStateForCreate(AclState aclState) {
        switch (aclState) {
            case UNKNOWN:
            case ANY:
                throw new InvalidRequestException("Invalid AclState " + aclState);
            default:
                break;
        }
    }

    /**
     * Rejects UNKNOWN as a delete state. ANY is accepted here, unlike in creation.
     *
     * @param aclState the requested state
     * @throws InvalidRequestException if the state is UNKNOWN
     */
    static void validateAclStateForDelete(AclState aclState) {
        if (AclState.UNKNOWN != aclState) {
            return;
        }
        throw new InvalidRequestException("Invalid AclState " + aclState);
    }

    /**
     * Rejects a filter whose pattern part or entry part reports itself as unknown. The pattern part
     * is checked first.
     *
     * @param aclBindingFilter the filter to validate
     * @throws InvalidRequestException if either part is unknown
     */
    static void validateFilter(AclBindingFilter aclBindingFilter) {
        final boolean patternUnknown = aclBindingFilter.patternFilter().isUnknown();
        if (patternUnknown) {
            throw new InvalidRequestException("Unknown patternFilter.");
        }
        final boolean entryUnknown = aclBindingFilter.entryFilter().isUnknown();
        if (entryUnknown) {
            throw new InvalidRequestException("Unknown entryFilter.");
        }
    }

    /**
     * Applies a committed ACL-creation record to the in-memory state.
     *
     * <p>The ACL is stored under its ID and added to {@code existingAcls}. If it carries a link ID,
     * its ID is also indexed under that link. The applied ACL is logged at info level.
     *
     * @param accessControlEntryRecord the record to apply
     */
    public void replay(AccessControlEntryRecord accessControlEntryRecord) {
        StandardAclWithId aclWithId = StandardAclWithId.fromRecord(accessControlEntryRecord);
        Uuid aclId = aclWithId.id();
        ConfluentStandardAcl acl = aclWithId.acl();

        this.idToAcl.put(aclId, acl);
        this.existingAcls.add(acl);
        if (acl.hasLinkId()) {
            Uuid linkId = acl.clusterLinkId().get();
            // The per-link ID set is created the first time an ACL for that link is replayed.
            TimelineHashSet<Uuid> linkedAclIds =
                this.linkIdToAcls.computeIfAbsent(linkId, unused -> new TimelineHashSet<>(this.snapshotRegistry, 0));
            linkedAclIds.add(aclId);
        }
        this.log.info("Replayed AccessControlEntryRecord for {}, setting {}", accessControlEntryRecord.id(), acl);
    }

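    /**
     * Applies a committed ACL-removal record to the in-memory state.
     *
     * <p>The ACL is removed from {@code idToAcl} and {@code existingAcls}. If it carried a link ID,
     * its ID is also removed from that link's index, and the index entry is dropped once it is empty.
     *
     * <p>The removal is logged at info level. The cluster link ID is passed as its own log argument:
     * the logger does not expand a {@code {}} that arrives inside another argument, so the earlier
     * form printed a literal placeholder and never showed the link ID.
     *
     * @param removeAccessControlEntryRecord the record to apply
     * @throws RuntimeException if the ID is unknown, or if the ACL is missing from
     *         {@code existingAcls} or from its link's index
     */
    public void replay(RemoveAccessControlEntryRecord removeAccessControlEntryRecord) {
        Uuid aclId = removeAccessControlEntryRecord.id();
        ConfluentStandardAcl removedAcl = this.idToAcl.remove(aclId);
        if (removedAcl == null) {
            throw new RuntimeException("Unable to replay " + removeAccessControlEntryRecord + ": no acl with that ID found.");
        }
        if (!this.existingAcls.remove(removedAcl)) {
            throw new RuntimeException("Unable to replay " + removeAccessControlEntryRecord + " for " + removedAcl + ": acl not found in existingAcls.");
        }
        if (!removedAcl.hasLinkId()) {
            this.log.info("Replayed RemoveAccessControlEntryRecord for {}, removing {}", aclId, removedAcl);
            return;
        }
        Uuid linkId = removedAcl.clusterLinkId().get();
        this.linkIdToAcls.compute(linkId, (unusedKey, linkedAclIds) -> {
            if (linkedAclIds == null || !linkedAclIds.remove(aclId)) {
                throw new RuntimeException("Unable to replay " + removeAccessControlEntryRecord + " for " + removedAcl + ": acl not found in ACLs with link id");
            }
            // Returning null removes the link's entry once its last ACL is gone.
            return linkedAclIds.isEmpty() ? null : linkedAclIds;
        });
        this.log.info("Replayed RemoveAccessControlEntryRecord for {}, removing {}, and updating the ACLs associated with the cluster link {}", aclId, removedAcl, linkId);
    }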

    /**
     * Exposes the ID-to-ACL map as a read-only view. The view is backed by the live map, so later
     * changes to the manager are visible through it.
     *
     * @return an unmodifiable view of the stored ACLs keyed by ID
     */
    Map<Uuid, ConfluentStandardAcl> idToAcl() {
        Map<Uuid, ConfluentStandardAcl> readOnlyView = Collections.unmodifiableMap(this.idToAcl);
        return readOnlyView;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
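    /**
     * Detaches every ACL indexed under the given cluster link.
     *
     * <p>Each linked ACL is removed and its {@code toLocalAcl()} form is stored under the same ID,
     * unless an equal ACL already exists, in which case the linked ACL is simply dropped. An ID
     * that has no stored ACL is logged as an error and skipped.
     *
     * <p>NOTE(review): ACLs that were scoped to the link remain in force afterwards in their
     * {@code toLocalAcl()} form. Operators removing a link should confirm that this is the intended
     * access outcome.
     *
     * <p>NOTE(review): this method changes the in-memory collections directly and returns no
     * metadata records. Confirm that the caller persists the change by other means.
     *
     * <p>The summary log line is now parameterized. The concatenated form was missing spaces and
     * printed text such as {@code "Removed 3acls and added 2local acls"}.
     *
     * @param uuid the cluster link ID being removed
     * @throws IllegalStateException if {@code uuid} is the zero UUID
     */
    public void unlinkAcls(Uuid uuid) {
        if (uuid.equals(Uuid.ZERO_UUID)) {
            throw new IllegalStateException("Trying to unlink ACLs for invalid link id");
        }
        Set<Uuid> linkedAclIds = this.linkIdToAcls.remove(uuid);
        if (linkedAclIds == null) {
            return;
        }
        int dropped = 0;
        int relocalized = 0;
        for (Uuid aclId : linkedAclIds) {
            ConfluentStandardAcl linkedAcl = this.idToAcl.remove(aclId);
            if (linkedAcl == null || !this.existingAcls.remove(linkedAcl)) {
                this.log.error("Found non-existent ACL trying to clear link ID {}", uuid);
                continue;
            }
            ConfluentStandardAcl localAcl = linkedAcl.toLocalAcl();
            if (!this.existingAcls.add(localAcl)) {
                // An equal local ACL is already stored, so the linked copy is dropped.
                dropped++;
                continue;
            }
            this.idToAcl.put(aclId, localAcl);
            relocalized++;
        }
        this.log.info("Removed {} acls and added {} local acls after unlinking cluster link {}", dropped, relocalized, uuid);
    }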

    /**
     * Consistency check between the manager's two views of the stored ACLs and an expected set.
     *
     * @param set the ACLs expected to be stored
     * @return {@code true} only if {@code idToAcl} and {@code existingAcls} have the same size and
     *         {@code existingAcls} equals {@code set}
     */
    boolean validateAclsInCache(Set<ConfluentStandardAcl> set) {
        final boolean sizesAgree = this.idToAcl.size() == this.existingAcls.size();
        return sizesAgree && this.existingAcls.equals(set);
    }

    // Compiler-generated accessor constructor: it lets the nested Builder reach the private
    // three-argument constructor. The trailing AnonymousClass1 parameter is never read
    // (Builder.build() passes null); it only gives this overload a distinct signature.
    /* synthetic */ AclControlManager(LogContext logContext, SnapshotRegistry snapshotRegistry, Function function, AnonymousClass1 anonymousClass1) {
        this(logContext, snapshotRegistry, function);
    }
}
