package io.confluent.kafka.multitenant.authorizer;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.audit.DefaultTenantSanitizer;
import io.confluent.kafka.multitenant.schema.TenantContext;
import io.confluent.kafka.multitenant.utils.AuthUtils;
import io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer;
import io.confluent.kafka.server.plugins.auth.DefaultUserMetaDataStore;
import io.confluent.security.authorizer.RequestContext;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.MetadataProvider;
import io.confluent.security.roledefinitions.Operation;
import io.confluent.security.roledefinitions.ResourceType;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclState;
import org.apache.kafka.common.errors.ApiException;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.internals.Topic;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.metrics.Sensor;
import org.apache.kafka.common.metrics.stats.Rate;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.audit.AuditLogProvider;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.AuthorizerConfig;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;

/* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/MultiTenantAuthorizer.class */
public class MultiTenantAuthorizer extends ConfluentServerAuthorizer {
    public static final String MAX_ACLS_PER_TENANT_PROP = "confluent.max.acls.per.tenant";
    private static final int DEFAULT_MAX_ACLS_PER_TENANT_PROP = 1000;
    private static final int ACLS_DISABLED = 0;
    public static final String RESOURCE_ID = "resource-id";
    public static final String INTEGER_ID = "integer-id";
    private boolean authorizationDisabled;
    private boolean auditLogEnabled;
    private boolean oauthSuperUserDisable;
    private boolean enableDataplaneRbacForPKC;
    private TenantAuthorizerMetrics mtAuthorizerMetrics;
    private boolean supportUserResourceId;
    private DefaultUserMetaDataStore userMetaDataStore;
    private Map<String, ?> configs;
    private final AuthorizerConfig config = new AuthorizerConfig();

    /* loaded from: input_file:io/confluent/kafka/multitenant/authorizer/MultiTenantAuthorizer$TenantAuthorizerMetrics.class */
    public static class TenantAuthorizerMetrics {
        private static final String AUTHORIZER_AUTHORIZATION_DENIED_SENSOR = "user-account-request-authorization-denied";
        private static final String USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_SENSOR = "user-id-to-resource-id-mapping-missing";
        public static final String USER_ACCOUNT_REQUEST_DENIED_RATE_PER_MINUTE = "user-account-request-denied-rate-per-minute";
        public static final String USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_RATE_PER_MINUTE = "user-id-to-resource-id-mapping-missing-rate-per-minute";
        public static final String CREATE_ACL_REQUEST_SENSOR = "create-acl-request-";
        public static final String DESCRIBE_ACL_REQUEST_SENSOR = "describe-acl-request-";
        public static final String DELETE_ACL_REQUEST_SENSOR = "delete-acl-request-";
        public static final String CREATE_ACL_REQUEST_RATE = "create-acl-request-rate";
        public static final String DESCRIBE_ACL_REQUEST_RATE = "describe-acl-request-rate";
        public static final String DELETE_ACL_REQUEST_RATE = "delete-acl-request-rate";
        private final Time time;
        private final Metrics metrics;
        private Sensor authorizationUserAccountRequestDeniedSensor;
        private Sensor userIdToResourceIdMappingMissingSensor;
        private Map<String, Sensor> createAclSensor = new HashMap();
        private Map<String, Sensor> describeAclSensor = new HashMap();
        private Map<String, Sensor> deleteAclSensor = new HashMap();

        TenantAuthorizerMetrics(Metrics metrics) {
            this.authorizationUserAccountRequestDeniedSensor = null;
            this.userIdToResourceIdMappingMissingSensor = null;
            this.authorizationUserAccountRequestDeniedSensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_DENIED_SENSOR);
            this.authorizationUserAccountRequestDeniedSensor.add(metrics.metricName(USER_ACCOUNT_REQUEST_DENIED_RATE_PER_MINUTE, "confluent-authorizer-metrics", "The number of authorization denied per minute for user accounts requests"), new Rate(TimeUnit.MINUTES));
            this.userIdToResourceIdMappingMissingSensor = metrics.sensor(USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_SENSOR);
            this.userIdToResourceIdMappingMissingSensor.add(metrics.metricName(USER_ID_TO_RESOURCE_ID_MAPPING_MISSING_RATE_PER_MINUTE, "confluent-authorizer-metrics", "The number missing mapping of userId to resourceId per minute for acl operation requests"), new Rate(TimeUnit.MINUTES));
            for (String str : new String[]{MultiTenantAuthorizer.INTEGER_ID, MultiTenantAuthorizer.RESOURCE_ID}) {
                this.createAclSensor.put(str, metrics.sensor("create-acl-request-" + str));
                this.createAclSensor.get(str).add(metrics.metricName(CREATE_ACL_REQUEST_RATE, "confluent-authorizer-metrics", "Number of create ACL requests per second.", new String[]{"principal-type", str}), new Rate());
                this.describeAclSensor.put(str, metrics.sensor("describe-acl-request-" + str));
                this.describeAclSensor.get(str).add(metrics.metricName(DESCRIBE_ACL_REQUEST_RATE, "confluent-authorizer-metrics", "Number of describe ACL requests per second.", new String[]{"principal-type", str}), new Rate());
                this.deleteAclSensor.put(str, metrics.sensor("delete-acl-request-" + str));
                this.deleteAclSensor.get(str).add(metrics.metricName(DELETE_ACL_REQUEST_RATE, "confluent-authorizer-metrics", "Number of delete ACL requests per second.", new String[]{"principal-type", str}), new Rate());
            }
            this.time = Time.SYSTEM;
            this.metrics = metrics;
        }

        public void recordAuthorizationDeniedMetric(AuthorizableRequestContext authorizableRequestContext, List<AuthorizationResult> list, List<Action> list2) {
            try {
                if (authorizableRequestContext.principal() instanceof MultiTenantPrincipal) {
                    if (authorizableRequestContext.principal().tenantMetadata().isServiceAccount) {
                        return;
                    }
                    int i = 0;
                    for (int i2 = 0; i2 < list.size(); i2++) {
                        if (list.get(i2) != AuthorizationResult.ALLOWED && list2.get(i2).logIfDenied()) {
                            i++;
                        }
                    }
                    if (i > 0) {
                        this.authorizationUserAccountRequestDeniedSensor.record(i, this.time.milliseconds(), false);
                    }
                }
            } catch (Exception e) {
                MultiTenantAuthorizer.log.error("Error while recording multi-tenant authorizer metrics", e);
            }
        }

        private void recordMissingMappingMetric() {
            this.userIdToResourceIdMappingMissingSensor.record(1.0d, this.time.milliseconds(), false);
        }

        private Metrics metrics() {
            return this.metrics;
        }
    }

    @VisibleForTesting
    public void configureAccessRuleProviders(Map<String, Object> map) {
        Object obj = map.get("confluent.authorizer.access.rule.providers");
        if (!(obj instanceof String) || Arrays.stream(((String) obj).split(",")).noneMatch(str -> {
            return ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name().equals(str);
        })) {
            map.put("confluent.authorizer.access.rule.providers", ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name());
        }
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public void configureServerInfo(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo) {
        this.mtAuthorizerMetrics = new TenantAuthorizerMetrics(confluentAuthorizerServerInfo.metrics());
        super.configureServerInfo(confluentAuthorizerServerInfo);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public void configure(Map<String, ?> map) {
        this.configs = map;
        HashMap hashMap = new HashMap(map);
        String str = (String) map.get(MAX_ACLS_PER_TENANT_PROP);
        this.config.setDefaultMaxAcls(str == null ? null : Integer.valueOf(Integer.parseInt(str)));
        this.authorizationDisabled = this.config.defaultMaxAcls() == 0;
        configureAccessRuleProviders(hashMap);
        this.auditLogEnabled = new MultiTenantAuditLogConfig(map).getBoolean(MultiTenantAuditLogConfig.MULTI_TENANT_AUDIT_LOGGER_ENABLE_CONFIG).booleanValue();
        this.oauthSuperUserDisable = true;
        if (map.containsKey("multitenant.oauth.superuser.disable")) {
            this.oauthSuperUserDisable = Boolean.parseBoolean((String) map.get("multitenant.oauth.superuser.disable"));
        }
        this.enableDataplaneRbacForPKC = false;
        if (map.containsKey("confluent.metadata.kafka.enable.dataplane.rbac")) {
            this.enableDataplaneRbacForPKC = Boolean.parseBoolean((String) map.get("confluent.metadata.kafka.enable.dataplane.rbac"));
        }
        this.supportUserResourceId = false;
        if (map.containsKey("multitenant.authorizer.support.resource.ids")) {
            this.supportUserResourceId = Boolean.parseBoolean((String) map.get("multitenant.authorizer.support.resource.ids"));
        }
        super.configure(hashMap);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public Set<String> reconfigurableConfigs() {
        Set<String> reconfigurableConfigs = super.reconfigurableConfigs();
        reconfigurableConfigs.add("multitenant.authorizer.support.resource.ids");
        return reconfigurableConfigs;
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public void reconfigure(Map<String, ?> map) {
        if (map.containsKey("multitenant.authorizer.support.resource.ids")) {
            this.supportUserResourceId = ((Boolean) map.get("multitenant.authorizer.support.resource.ids")).booleanValue();
        }
        super.reconfigure(map);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        List<AuthorizationResult> authorize = super.authorize(authorizableRequestContext, list);
        if (this.mtAuthorizerMetrics != null) {
            this.mtAuthorizerMetrics.recordAuthorizationDeniedMetric(authorizableRequestContext, authorize, list);
        }
        return authorize;
    }

    protected boolean isSuperUser(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, io.confluent.security.authorizer.Action action) {
        if (super.isSuperUser(kafkaPrincipal, kafkaPrincipal2, action)) {
            return true;
        }
        if (kafkaPrincipal instanceof MultiTenantPrincipal) {
            return isSuperUser((MultiTenantPrincipal) kafkaPrincipal, action, this.authorizationDisabled, this.enableDataplaneRbacForPKC, this.oauthSuperUserDisable);
        }
        return false;
    }

    public static boolean isSuperUser(MultiTenantPrincipal multiTenantPrincipal, io.confluent.security.authorizer.Action action, boolean z, boolean z2, boolean z3) {
        return (z || multiTenantPrincipal.isSuperUser(z2, z3)) && action.resourceName().startsWith(multiTenantPrincipal.tenantMetadata().tenantPrefix());
    }

    protected io.confluent.security.authorizer.Action actionForAuthorizeByResourceType(RequestContext requestContext, Operation operation, ResourceType resourceType) {
        return requestContext.principal() instanceof MultiTenantPrincipal ? new io.confluent.security.authorizer.Action(requestContext.principal().tenantMetadata().scope(), new ResourcePattern(resourceType, "", PatternType.ANY), operation, 1, true, true) : super.actionForAuthorizeByResourceType(requestContext, operation, resourceType);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public io.confluent.security.authorizer.Action buildAction(Action action, org.apache.kafka.common.resource.ResourcePattern resourcePattern, KafkaPrincipal kafkaPrincipal, Scope scope) {
        Scope scope2 = scope;
        org.apache.kafka.common.resource.ResourcePattern resourcePattern2 = resourcePattern;
        if (kafkaPrincipal instanceof MultiTenantPrincipal) {
            TenantMetadata tenantMetadata = ((MultiTenantPrincipal) kafkaPrincipal).tenantMetadata();
            scope2 = tenantMetadata.scope();
            org.apache.kafka.common.resource.ResourcePattern resourcePattern3 = action.resourcePattern();
            if (resourcePattern3.resourceType() == org.apache.kafka.common.resource.ResourceType.CLUSTER) {
                resourcePattern2 = new org.apache.kafka.common.resource.ResourcePattern(org.apache.kafka.common.resource.ResourceType.CLUSTER, tenantMetadata.tenantPrefix() + resourcePattern3.name(), resourcePattern3.patternType());
            }
        }
        return super.buildAction(action, resourcePattern2, kafkaPrincipal, scope2);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        return createAclsInternal(authorizableRequestContext, list);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, Optional<String> optional) {
        return createAclsInternal(authorizableRequestContext, list);
    }

    private List<? extends CompletionStage<AclCreateResult>> createAclsInternal(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        checkAclsEnabled();
        if (list.isEmpty()) {
            return Collections.emptyList();
        }
        validateAclBindingsCreateAclsRequest(list, authorizableRequestContext);
        recordCreateAclMetric(list.get(0).entry().principal());
        return this.supportUserResourceId ? createAclsInternalWithResourceId(authorizableRequestContext, list) : super.createAcls(authorizableRequestContext, list);
    }

    private List<? extends CompletionStage<AclCreateResult>> createAclsInternalWithResourceId(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        Set<AclBinding> tenantAclBinding = tenantAclBinding(multiTenantPrincipalTenantPrefix(list.get(0).entry().principal(), authorizableRequestContext));
        ArrayList arrayList = new ArrayList();
        for (AclBinding aclBinding : list) {
            boolean equals = principalIdType(aclBinding.entry().principal()).equals(RESOURCE_ID);
            AclBinding convertAclBinding = convertAclBinding(aclBinding, !equals);
            if (equals || !tenantAclBinding.contains(convertAclBinding)) {
                arrayList.add(aclBinding);
            } else {
                arrayList.add(convertAclBinding);
            }
        }
        List<? extends CompletionStage<AclCreateResult>> createAcls = super.createAcls(authorizableRequestContext, arrayList);
        deleteIntegerIdBasedAcls(authorizableRequestContext, arrayList, createAcls, tenantAclBinding);
        return createAcls;
    }

    private void deleteIntegerIdBasedAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, List<? extends CompletionStage<AclCreateResult>> list2, Set<AclBinding> set) {
        ArrayList arrayList = new ArrayList();
        for (int i = 0; i < list.size(); i++) {
            Boolean valueOf = Boolean.valueOf(principalIdType(list.get(i).entry().principal()).equals(RESOURCE_ID));
            AclBinding convertAclBinding = convertAclBinding(list.get(i), !valueOf.booleanValue());
            try {
                if (valueOf.booleanValue() && !list2.get(i).toCompletableFuture().get().exception().isPresent() && !convertAclBinding.equals(list.get(i)) && set.contains(convertAclBinding)) {
                    arrayList.add(convertAclBinding.toFilter());
                }
            } catch (Exception e) {
                log.warn("Got an exception while creating the AclBinding: {}, exception {}", list.get(i), e);
                throw new RuntimeException(e);
            }
        }
        if (arrayList.isEmpty()) {
            return;
        }
        List<? extends CompletionStage<AclDeleteResult>> deleteAcls = super.deleteAcls(authorizableRequestContext, arrayList, Optional.empty(), AclState.ANY);
        for (int i2 = 0; i2 < arrayList.size(); i2++) {
            AclBindingFilter aclBindingFilter = arrayList.get(i2);
            try {
                if (deleteAcls.get(i2).toCompletableFuture().get().exception().isPresent()) {
                    log.warn("Delete ACls failed while deleting integerId based ACLs for filter: {}, exception: {}", aclBindingFilter, deleteAcls.get(i2).toCompletableFuture().get().exception().get());
                }
            } catch (Exception e2) {
                log.warn("Got an exception while deleting integerId based ACLs for filter: {}, exception: {}", aclBindingFilter, e2);
            }
        }
    }

    private void validateAclBindingsCreateAclsRequest(List<AclBinding> list, AuthorizableRequestContext authorizableRequestContext) {
        String multiTenantPrincipalTenantPrefix = multiTenantPrincipalTenantPrefix(list.get(0).entry().principal(), authorizableRequestContext);
        if (list.stream().anyMatch(aclBinding -> {
            return !inScope(aclBinding.entry().principal(), multiTenantPrincipalTenantPrefix);
        })) {
            log.error("ACL requests contain invalid tenant principal {}", list);
            throw new InvalidRequestException("Internal error: Could not create ACLs because all principals are not in the same scope " + String.valueOf(list));
        }
        if (multiTenantPrincipalTenantPrefix != null) {
            if (list.stream().anyMatch(aclBinding2 -> {
                return !aclBinding2.pattern().name().startsWith(multiTenantPrincipalTenantPrefix);
            })) {
                log.error("Unexpected ACL request for resources {} without tenant prefix {}", list, multiTenantPrincipalTenantPrefix);
                throw new InvalidRequestException("Internal error: Could not create ACLs because tenant prefixes are not the same " + String.valueOf(list));
            }
            int maxAcls = this.config.maxAcls(multiTenantPrincipalTenantPrefix.substring(0, multiTenantPrincipalTenantPrefix.length() - 1));
            if (exceedsAclLimit(multiTenantPrincipalTenantPrefix, list, maxAcls)) {
                throw new InvalidRequestException("ACLs not created since it will exceed the limit " + maxAcls);
            }
            List<AclBinding> list2 = (List) list.stream().filter(aclBinding3 -> {
                return !validResourceName(aclBinding3);
            }).collect(Collectors.toList());
            if (list2.isEmpty()) {
                return;
            }
            String resourceNames = resourceNames(list2, multiTenantPrincipalTenantPrefix);
            log.warn("Invalid Resource name for given Resource type and Pattern Type : {}", resourceNames);
            throw new InvalidRequestException("Internal error: Could not create ACLs because following resource names are invalid : " + resourceNames);
        }
    }

    private boolean validResourceName(AclBinding aclBinding) {
        if (aclBinding.pattern().resourceType() == org.apache.kafka.common.resource.ResourceType.TOPIC) {
            return Topic.isValid(aclBinding.pattern().name());
        }
        return true;
    }

    private String resourceNames(List<AclBinding> list, String str) {
        return ((List) list.stream().map(aclBinding -> {
            return aclBinding.pattern().name().substring(str.length());
        }).collect(Collectors.toList())).toString();
    }

    private String multiTenantPrincipalTenantPrefix(String str, AuthorizableRequestContext authorizableRequestContext) {
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        if (MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) || (authorizableRequestContext.principal() instanceof MultiTenantPrincipal)) {
            return tenantPrefix(parseKafkaPrincipal.getName());
        }
        return null;
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional, AclState aclState) {
        if (list.isEmpty()) {
            return Collections.emptyList();
        }
        checkAclsEnabled();
        if (!this.supportUserResourceId) {
            return super.deleteAcls(authorizableRequestContext, (List) list.stream().map(this::convertUserV2Filter).collect(Collectors.toList()), optional, aclState);
        }
        recordDeleteAclMetric(list.get(0).entryFilter().principal());
        return deleteAclsWithResourceIdSupport(authorizableRequestContext, list, optional, aclState);
    }

    private List<? extends CompletionStage<AclDeleteResult>> deleteAclsWithResourceIdSupport(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional, AclState aclState) {
        return combineAclDeleteResults(list, super.deleteAcls(authorizableRequestContext, list, optional, aclState), super.deleteAcls(authorizableRequestContext, convertAclFilters(list), optional, aclState));
    }

    protected List<? extends CompletionStage<AclDeleteResult>> combineAclDeleteResults(List<AclBindingFilter> list, List<? extends CompletionStage<AclDeleteResult>> list2, List<? extends CompletionStage<AclDeleteResult>> list3) {
        ArrayList arrayList = new ArrayList();
        for (int i = 0; i < list2.size(); i++) {
            boolean convertToUserResource = convertToUserResource(list.get(i));
            arrayList.add(list2.get(i).thenCombine(list3.get(i), (aclDeleteResult, aclDeleteResult2) -> {
                return aclDeleteResult.exception().isPresent() ? aclDeleteResult : aclDeleteResult2.exception().isPresent() ? aclDeleteResult2 : new AclDeleteResult(convertAclBindingDeleteResults((Collection) Stream.concat(aclDeleteResult.aclBindingDeleteResults().stream(), aclDeleteResult2.aclBindingDeleteResults().stream()).collect(Collectors.toList()), convertToUserResource));
            }));
        }
        return arrayList;
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        return deleteAcls(authorizableRequestContext, list, Optional.empty(), AclState.ANY);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        return acls(aclBindingFilter, AclState.ACTIVE);
    }

    @Override // io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter, AclState aclState) {
        checkAclsEnabled();
        if (!this.supportUserResourceId) {
            return super.acls(convertUserV2Filter(aclBindingFilter), aclState);
        }
        recordDescribeAclMetric(aclBindingFilter.entryFilter().principal());
        return describeAclsWithResourceIdSupport(aclBindingFilter, aclState);
    }

    protected void configureProviders(List<AccessRuleProvider> list, GroupProvider groupProvider, MetadataProvider metadataProvider, AuditLogProvider auditLogProvider) {
        if (!this.auditLogEnabled) {
            super.configureProviders(list, groupProvider, metadataProvider, null);
            return;
        }
        DefaultTenantSanitizer defaultTenantSanitizer = new DefaultTenantSanitizer();
        defaultTenantSanitizer.configure(this.configs);
        Objects.requireNonNull(defaultTenantSanitizer);
        auditLogProvider.setSanitizer(defaultTenantSanitizer::tenantAuditEvent);
        super.configureProviders(list, groupProvider, metadataProvider, auditLogProvider);
    }

    public Optional<AuthorizerConfig> config() {
        return Optional.of(this.config);
    }

    private AclBindingFilter convertUserV2Filter(AclBindingFilter aclBindingFilter) {
        if (aclBindingFilter.entryFilter().principal() != null && SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getPrincipalType().equals("TenantUserV2*")) {
            return new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter((String) null, aclBindingFilter.entryFilter().host(), aclBindingFilter.entryFilter().operation(), aclBindingFilter.entryFilter().permissionType(), aclBindingFilter.entryFilter().clusterLinkIds()));
        }
        return aclBindingFilter;
    }

    private void initializeUserMetaDataStore() {
        if (this.userMetaDataStore == null) {
            this.userMetaDataStore = DefaultUserMetaDataStore.getInstance(AuthUtils.getBrokerSessionUuid(this.configs));
        }
    }

    protected void updateUserMetaDataStore(DefaultUserMetaDataStore defaultUserMetaDataStore) {
        this.userMetaDataStore = defaultUserMetaDataStore;
    }

    private boolean convertToUserResource(AclBindingFilter aclBindingFilter) {
        if (anyPrincipalWithOldFormat(aclBindingFilter.entryFilter())) {
            return false;
        }
        return SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getPrincipalType().equals("TenantUserV2*") || !unPrefixedPrincipal(SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getName()).matches("[0-9]+");
    }

    private Collection<AclDeleteResult.AclBindingDeleteResult> convertAclBindingDeleteResults(Collection<AclDeleteResult.AclBindingDeleteResult> collection, boolean z) {
        if (collection.isEmpty()) {
            return collection;
        }
        ArrayList arrayList = new ArrayList();
        for (AclDeleteResult.AclBindingDeleteResult aclBindingDeleteResult : collection) {
            if (aclBindingDeleteResult.aclBinding() != null) {
                arrayList.add(new AclDeleteResult.AclBindingDeleteResult(convertAclBinding(aclBindingDeleteResult.aclBinding(), z), (ApiException) aclBindingDeleteResult.exception().orElse(null)));
            }
        }
        return arrayList;
    }

    private Iterable<AclBinding> describeAclsWithResourceIdSupport(AclBindingFilter aclBindingFilter, AclState aclState) {
        try {
            AclBindingFilter aclFilterWithoutClusterLinkIds = aclFilterWithoutClusterLinkIds(aclBindingFilter);
            ArrayList arrayList = new ArrayList();
            boolean anyPrincipalWithOldFormat = anyPrincipalWithOldFormat(aclFilterWithoutClusterLinkIds.entryFilter());
            boolean z = false;
            if (anyPrincipalWithOldFormat) {
                Iterable<AclBinding> acls = super.acls(aclFilterWithoutClusterLinkIds, aclState);
                Objects.requireNonNull(arrayList);
                acls.forEach((v1) -> {
                    r1.add(v1);
                });
            } else {
                z = SecurityUtils.parseKafkaPrincipal(aclFilterWithoutClusterLinkIds.entryFilter().principal()).getPrincipalType().equals("TenantUserV2*");
                if (z) {
                    Iterable<AclBinding> acls2 = super.acls(new AclBindingFilter(aclFilterWithoutClusterLinkIds.patternFilter(), new AccessControlEntryFilter((String) null, aclFilterWithoutClusterLinkIds.entryFilter().host(), aclFilterWithoutClusterLinkIds.entryFilter().operation(), aclFilterWithoutClusterLinkIds.entryFilter().permissionType(), aclFilterWithoutClusterLinkIds.entryFilter().clusterLinkIds())), aclState);
                    Objects.requireNonNull(arrayList);
                    acls2.forEach((v1) -> {
                        r1.add(v1);
                    });
                } else {
                    Iterable<AclBinding> acls3 = super.acls(aclFilterWithoutClusterLinkIds, aclState);
                    Objects.requireNonNull(arrayList);
                    acls3.forEach((v1) -> {
                        r1.add(v1);
                    });
                    convertAclFilter(aclFilterWithoutClusterLinkIds).ifPresent(aclBindingFilter2 -> {
                        Iterable<AclBinding> acls4 = super.acls(aclBindingFilter2, aclState);
                        Objects.requireNonNull(arrayList);
                        acls4.forEach((v1) -> {
                            r1.add(v1);
                        });
                    });
                }
            }
            Set<AclBinding> hashSet = new HashSet<>();
            if (anyPrincipalWithOldFormat) {
                convertAclBindings(arrayList, false).forEach(aclBinding -> {
                    hashSet.add(aclBinding);
                });
            } else if (z) {
                convertAclBindings(arrayList, true).forEach(aclBinding2 -> {
                    hashSet.add(aclBinding2);
                });
            } else {
                convertAclBindings(arrayList, !unPrefixedPrincipal(SecurityUtils.parseKafkaPrincipal(aclFilterWithoutClusterLinkIds.entryFilter().principal()).getName()).matches("[0-9]+")).forEach(aclBinding3 -> {
                    hashSet.add(aclBinding3);
                });
            }
            return aggregateAclBindingByClusterLinkIds(hashSet, aclBindingFilter.entryFilter().clusterLinkIds());
        } catch (Exception e) {
            log.error("Error while calling describeAclsWithResourceIdSupport for filter {}", aclBindingFilter, e);
            return super.acls(aclBindingFilter, aclState);
        }
    }

    protected Iterable<AclBinding> aggregateAclBindingByClusterLinkIds(Set<AclBinding> set, Collection<Uuid> collection) {
        HashMap hashMap = new HashMap();
        for (AclBinding aclBinding : set) {
            AclBinding aclWithoutClusterLinkIds = aclWithoutClusterLinkIds(aclBinding);
            hashMap.putIfAbsent(aclWithoutClusterLinkIds, new HashSet());
            if (aclBinding.entry().clusterLinkIds().size() == 0) {
                ((Set) hashMap.get(aclWithoutClusterLinkIds)).add(Uuid.ZERO_UUID);
            } else {
                ((Set) hashMap.get(aclWithoutClusterLinkIds)).addAll(aclBinding.entry().clusterLinkIds());
            }
        }
        HashSet hashSet = new HashSet();
        for (Map.Entry entry : hashMap.entrySet()) {
            AclBinding aclBinding2 = (AclBinding) entry.getKey();
            Set<Uuid> set2 = (Set) entry.getValue();
            if (matchesLinkIds(collection, set2)) {
                if (set2.size() == 1 && set2.contains(Uuid.ZERO_UUID)) {
                    set2.clear();
                }
                hashSet.add(new AclBinding(aclBinding2.pattern(), new AccessControlEntry(aclBinding2.entry().principal(), aclBinding2.entry().host(), aclBinding2.entry().operation(), aclBinding2.entry().permissionType(), set2)));
            }
        }
        return hashSet;
    }

    private AclBindingFilter aclFilterWithoutClusterLinkIds(AclBindingFilter aclBindingFilter) {
        return new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter(aclBindingFilter.entryFilter().principal(), aclBindingFilter.entryFilter().host(), aclBindingFilter.entryFilter().operation(), aclBindingFilter.entryFilter().permissionType()));
    }

    private boolean matchesLinkIds(Collection<Uuid> collection, Set<Uuid> set) {
        return collection.isEmpty() || !Collections.disjoint(collection, set);
    }

    private boolean anyPrincipalWithOldFormat(AccessControlEntryFilter accessControlEntryFilter) {
        return accessControlEntryFilter.principal() == null;
    }

    private Iterable<AclBinding> convertAclBindings(Iterable<AclBinding> iterable, boolean z) {
        try {
            initializeUserMetaDataStore();
            if (this.userMetaDataStore == null) {
                log.warn("UserMetaDataStore could not be loaded. Returning original bindings.");
                return iterable;
            }
            ArrayList arrayList = new ArrayList();
            Iterator<AclBinding> it = iterable.iterator();
            while (it.hasNext()) {
                arrayList.add(convertAclBinding(it.next(), z));
            }
            return arrayList;
        } catch (Exception e) {
            log.error("Ran into an exception while converting bindings.", e);
            return iterable;
        }
    }

    private AclBinding convertAclBinding(AclBinding aclBinding, boolean z) {
        initializeUserMetaDataStore();
        if (this.userMetaDataStore == null) {
            log.warn("UserMetaDataStore could not be loaded. Returning original binding.");
            return aclBinding;
        }
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(aclBinding.entry().principal());
        String unPrefixedPrincipal = unPrefixedPrincipal(parseKafkaPrincipal.getName());
        if (!unPrefixedPrincipal.isEmpty()) {
            if ((!unPrefixedPrincipal.matches("[0-9]+")) != z && !unPrefixedPrincipal.startsWith("pool")) {
                Optional<String> userIdToUserResourceId = z ? this.userMetaDataStore.userIdToUserResourceId(unPrefixedPrincipal) : this.userMetaDataStore.userResourceIdToUserId(unPrefixedPrincipal);
                if (userIdToUserResourceId.isPresent()) {
                    String kafkaPrincipal = new KafkaPrincipal("TenantUser", tenantPrefix(parseKafkaPrincipal.getName()) + userIdToUserResourceId.get()).toString();
                    AccessControlEntry entry = aclBinding.entry();
                    return new AclBinding(aclBinding.pattern(), new AccessControlEntry(kafkaPrincipal, entry.host(), entry.operation(), entry.permissionType(), entry.clusterLinkIds()));
                }
                if (this.mtAuthorizerMetrics != null) {
                    this.mtAuthorizerMetrics.recordMissingMappingMetric();
                }
                log.warn("UserId <-> UserResourceID mapping for User : {} is missing while converting aclBinding", unPrefixedPrincipal);
                return aclBinding;
            }
        }
        log.debug("Returning original binding for principalName {}", unPrefixedPrincipal);
        return aclBinding;
    }

    private List<AclBindingFilter> convertAclFilters(List<AclBindingFilter> list) {
        try {
            initializeUserMetaDataStore();
            if (this.userMetaDataStore == null) {
                log.warn("UserMetaDataStore could not be loaded. Returning original filters.");
                return list;
            }
            ArrayList arrayList = new ArrayList();
            for (AclBindingFilter aclBindingFilter : list) {
                Optional<AclBindingFilter> convertAclFilter = convertAclFilter(aclBindingFilter);
                arrayList.add(convertAclFilter.isPresent() ? convertAclFilter.get() : aclBindingFilter);
            }
            return arrayList;
        } catch (Exception e) {
            log.error("Ran into an exception while converting filters.", e);
            return list;
        }
    }

    private Optional<AclBindingFilter> convertAclFilter(AclBindingFilter aclBindingFilter) {
        initializeUserMetaDataStore();
        if (this.userMetaDataStore == null) {
            log.warn("UserMetaDataStore could not be loaded. Returning no filter.");
            return Optional.empty();
        }
        if (anyPrincipalWithOldFormat(aclBindingFilter.entryFilter())) {
            return Optional.of(aclBindingFilter);
        }
        if (SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal()).getPrincipalType().equals("TenantUserV2*")) {
            return Optional.of(new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter((String) null, aclBindingFilter.entryFilter().host(), aclBindingFilter.entryFilter().operation(), aclBindingFilter.entryFilter().permissionType(), aclBindingFilter.entryFilter().clusterLinkIds())));
        }
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(aclBindingFilter.entryFilter().principal());
        String unPrefixedPrincipal = unPrefixedPrincipal(parseKafkaPrincipal.getName());
        Optional<String> userIdToUserResourceId = unPrefixedPrincipal.matches("[0-9]+") ? this.userMetaDataStore.userIdToUserResourceId(unPrefixedPrincipal) : this.userMetaDataStore.userResourceIdToUserId(unPrefixedPrincipal);
        if (userIdToUserResourceId.isPresent()) {
            String kafkaPrincipal = new KafkaPrincipal("TenantUser", tenantPrefix(parseKafkaPrincipal.getName()) + userIdToUserResourceId.get()).toString();
            AccessControlEntryFilter entryFilter = aclBindingFilter.entryFilter();
            return Optional.of(new AclBindingFilter(aclBindingFilter.patternFilter(), new AccessControlEntryFilter(kafkaPrincipal, entryFilter.host(), entryFilter.operation(), entryFilter.permissionType(), entryFilter.clusterLinkIds())));
        }
        if (this.mtAuthorizerMetrics != null) {
            this.mtAuthorizerMetrics.recordMissingMappingMetric();
        }
        log.warn("UserId <-> UserResourceID mapping for User : {} is missing while converting the filter", unPrefixedPrincipal);
        return Optional.empty();
    }

    private String unPrefixedPrincipal(String str) {
        int indexOf = str.indexOf(TenantContext.DELIMITER);
        return indexOf == -1 ? str : str.substring(indexOf + 1);
    }

    private String tenantPrefix(String str) {
        int indexOf = str.indexOf(TenantContext.DELIMITER);
        if (indexOf == -1) {
            throw new InvalidRequestException("Invalid tenant principal in ACL: " + str);
        }
        return str.substring(0, indexOf + 1);
    }

    private boolean inScope(String str, String str2) {
        KafkaPrincipal parseKafkaPrincipal = SecurityUtils.parseKafkaPrincipal(str);
        return (str2 == null || str2.isEmpty()) ? !MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) : MultiTenantPrincipal.isTenantPrincipal(parseKafkaPrincipal) && parseKafkaPrincipal.getName().startsWith(str2);
    }

    boolean exceedsAclLimit(String str, List<AclBinding> list, int i) {
        if (i == Integer.MAX_VALUE) {
            return false;
        }
        Iterable<AclBinding> acls = acls(AclBindingFilter.ANY);
        if (!StreamSupport.stream(acls.spliterator(), false).filter(aclBinding -> {
            return inScope(aclBinding.entry().principal(), str);
        }).skip(Math.max(0, i - list.size())).findAny().isPresent()) {
            return false;
        }
        HashSet hashSet = new HashSet();
        StreamSupport.stream(acls.spliterator(), false).filter(aclBinding2 -> {
            return inScope(aclBinding2.entry().principal(), str);
        }).forEach(aclBinding3 -> {
            hashSet.add(aclWithoutClusterLinkIds(aclBinding3));
        });
        int size = hashSet.size();
        list.forEach(aclBinding4 -> {
            AclBinding aclWithoutClusterLinkIds = aclWithoutClusterLinkIds(aclBinding4);
            if (principalIdType(aclBinding4.entry().principal()).contains(RESOURCE_ID) && this.supportUserResourceId) {
                hashSet.add(convertAclBinding(aclWithoutClusterLinkIds, false));
            } else {
                hashSet.add(aclWithoutClusterLinkIds);
            }
        });
        int size2 = hashSet.size();
        return size2 > i && size2 > size;
    }

    private Set<AclBinding> tenantAclBinding(String str) {
        HashSet hashSet = new HashSet();
        StreamSupport.stream(super.acls(AclBindingFilter.ANY).spliterator(), false).filter(aclBinding -> {
            return inScope(aclBinding.entry().principal(), str);
        }).forEach(aclBinding2 -> {
            hashSet.add(aclBinding2);
        });
        return hashSet;
    }

    private AclBinding aclWithoutClusterLinkIds(AclBinding aclBinding) {
        AccessControlEntry entry = aclBinding.entry();
        return entry.clusterLinkIds().isEmpty() ? aclBinding : new AclBinding(aclBinding.pattern(), new AccessControlEntry(entry.principal(), entry.host(), entry.operation(), entry.permissionType()));
    }

    private void checkAclsEnabled() {
        if (this.authorizationDisabled) {
            throw new InvalidRequestException("ACLs are not enabled on this broker");
        }
    }

    public boolean isAuditLogEnabled() {
        return this.auditLogEnabled;
    }

    protected Metrics metrics() {
        return this.mtAuthorizerMetrics.metrics();
    }

    protected void tenantAuthorizerMetrics() {
        this.mtAuthorizerMetrics = new TenantAuthorizerMetrics(new Metrics());
    }

    private String principalIdType(String str) {
        return (str == null || unPrefixedPrincipal(SecurityUtils.parseKafkaPrincipal(str).getName()).matches("[0-9]+")) ? INTEGER_ID : RESOURCE_ID;
    }

    protected void recordCreateAclMetric(String str) {
        this.mtAuthorizerMetrics.createAclSensor.get(principalIdType(str)).record();
    }

    protected void recordDescribeAclMetric(String str) {
        this.mtAuthorizerMetrics.describeAclSensor.get(principalIdType(str)).record();
    }

    protected void recordDeleteAclMetric(String str) {
        this.mtAuthorizerMetrics.deleteAclSensor.get(principalIdType(str)).record();
    }
}
