package io.confluent.kafka.server.plugins.auth;

import java.util.Optional;
import java.util.function.Consumer;
import org.apache.kafka.server.multitenant.LogicalClusterMetadata;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/DefaultDataPolicyAuthenticator.class */
/**
 * Gate that applies the configured default data policy to a connection and reports denials.
 *
 * <p>The allow/deny decision is delegated entirely to
 * {@code DefaultDataPolicyValidationMode.trafficAllowed(...)}. This class only assembles the
 * inputs (org-denied flag, the cluster's organization ID when metadata is available, and the
 * caller's context) and, on denial, hands a human-readable message to the error handler.
 *
 * <p>NOTE(review): neither the validation mode nor the error handler is null-checked here, so a
 * null for either surfaces as a {@link NullPointerException} from {@link #authenticate} rather
 * than as a {@code false} result. Callers should treat any exception as a denial - confirm
 * that the call site does.
 */
public class DefaultDataPolicyAuthenticator {
    /** Policy mode that makes the actual allow/deny decision. */
    private final DefaultDataPolicyValidationMode defaultDataPolicyValidationMode;
    /** Org-denied flag, forwarded unchanged to the policy mode. */
    private final boolean isOrgDenied;
    /** Metadata of the target logical cluster; empty when the constructor was given {@code null}. */
    private final Optional<LogicalClusterMetadata> lkcMetadata;
    /** Receives the denial message whenever {@link #authenticate} returns {@code false}. */
    private final Consumer<String> errorHandler;

    /**
     * Creates an authenticator bound to one policy mode and one logical cluster.
     *
     * @param defaultDataPolicyValidationMode policy mode consulted on every call
     * @param z org-denied flag passed through to the policy mode
     * @param logicalClusterMetadata target cluster metadata; may be {@code null}, in which case
     *     the policy mode sees an empty organization ID and denial messages carry an empty
     *     cluster ID
     * @param consumer sink for denial messages
     */
    public DefaultDataPolicyAuthenticator(DefaultDataPolicyValidationMode defaultDataPolicyValidationMode, boolean z, LogicalClusterMetadata logicalClusterMetadata, Consumer<String> consumer) {
        this.errorHandler = consumer;
        this.lkcMetadata = Optional.ofNullable(logicalClusterMetadata);
        this.isOrgDenied = z;
        this.defaultDataPolicyValidationMode = defaultDataPolicyValidationMode;
    }

    /**
     * Decides whether the caller described by the context may talk to this cluster.
     *
     * @param defaultDataPolicyContext caller attributes (organization ID, network type,
     *     peer-certificate flag) evaluated by the policy mode
     * @return {@code true} when the policy mode allows the traffic; {@code false} otherwise,
     *     after the error handler has been given a message describing the rejected caller
     */
    public boolean authenticate(DefaultDataPolicyContext defaultDataPolicyContext) {
        boolean permitted = defaultDataPolicyValidationMode.trafficAllowed(
                isOrgDenied,
                lkcMetadata.map(LogicalClusterMetadata::organizationId),
                defaultDataPolicyContext);
        if (!permitted) {
            // NOTE(review): the context values are interpolated verbatim. If any of them can
            // originate from client-supplied data (not visible from this class), the handler
            // should neutralise line breaks before writing the message to a log - confirm.
            errorHandler.accept(String.format(
                    "OrganizationId: %s, NetworkType: %s, HasPeerCertificate: %s isn't allowed to communicate to the cluster ID %s",
                    defaultDataPolicyContext.organizationId.orElse("<not-provided>"),
                    defaultDataPolicyContext.networkType.isPresent() ? defaultDataPolicyContext.networkType.get().name() : "<not-provided>",
                    defaultDataPolicyContext.hasSslPeerCertificate.orElse(false),
                    lkcMetadata.map(LogicalClusterMetadata::logicalClusterId).orElse("")));
            return false;
        }
        return true;
    }
}
