package io.confluent.kafka.security.authorizer;

import io.confluent.kafka.multitenant.authorizer.MultiTenantAuthorizer;
import io.confluent.kafka.security.authorizer.acl.AclMapper;
import io.confluent.security.authorizer.AclMigrationAware;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.EmbeddedAuthorizer;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.Provider;
import io.confluent.security.authorizer.utils.AuthorizerUtils;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import kafka.security.authorizer.AclAuthorizer;
import kafka.server.KafkaConfig;
import kafka.server.KafkaConfig$;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.Reconfigurable;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclState;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.internals.AuthorizerCompletableFuture;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.metadata.authorizer.AclMutator;
import org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer;
import org.apache.kafka.metadata.authorizer.ConfluentStandardAcl;
import org.apache.kafka.metadata.authorizer.StandardAuthorizer;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;

/* loaded from: input_file:io/confluent/kafka/security/authorizer/ConfluentServerAuthorizer.class */
public class ConfluentServerAuthorizer extends EmbeddedAuthorizer implements Authorizer, Reconfigurable, ClusterMetadataAuthorizer {
    private static final Set<String> UNSCOPED_PROVIDERS = Utils.mkSet(ConfluentBuiltInProviders.AccessRuleProviders.ZK_ACL.name(), ConfluentBuiltInProviders.AccessRuleProviders.KRAFT_ACL.name(), ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name());
    private AclUpdater aclUpdater;
    private Boolean iskraft;
    private List<String> multitenantListenerNames = Collections.emptyList();
    private Boolean waitForAuthorizer = true;
    private Boolean onlyCentralizedProvider = null;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:io/confluent/kafka/security/authorizer/ConfluentServerAuthorizer$AclAuthorizers.class */
    public static class AclAuthorizers {
        private final AtomicReference<Authorizer> zkAuthorizer = new AtomicReference<>();
        private final AtomicReference<Authorizer> kraftAuthorizer = new AtomicReference<>();
        private final AtomicReference<Authorizer> centralAuthorizer = new AtomicReference<>();

        protected AclAuthorizers() {
        }

        static AclAuthorizers fromAclProviders(List<AccessRuleProvider> list) {
            AclAuthorizers aclAuthorizers = new AclAuthorizers();
            Iterator<AccessRuleProvider> it = list.iterator();
            while (it.hasNext()) {
                Optional<Authorizer> asAuthorizer = it.next().asAuthorizer();
                if (asAuthorizer.isPresent()) {
                    Authorizer authorizer = asAuthorizer.get();
                    if (authorizer instanceof AclAuthorizer) {
                        aclAuthorizers.setZkAuthorizer(authorizer);
                    } else if (authorizer instanceof StandardAuthorizer) {
                        aclAuthorizers.setKraftAuthorizer(authorizer);
                    } else {
                        aclAuthorizers.setCentralAuthorizer(authorizer);
                    }
                }
            }
            return aclAuthorizers;
        }

        void setZkAuthorizer(Authorizer authorizer) {
            if (!this.zkAuthorizer.compareAndSet(null, authorizer)) {
                throw new IllegalStateException("Only one zk-based authorizer is permitted, but found both " + authorizer.getClass().getName() + " and " + this.zkAuthorizer.get().getClass().getName());
            }
        }

        void setKraftAuthorizer(Authorizer authorizer) {
            if (!this.kraftAuthorizer.compareAndSet(null, authorizer)) {
                throw new IllegalStateException("Only one kraft authorizer is permitted, but found both " + authorizer.getClass().getName() + " and " + this.kraftAuthorizer.get().getClass().getName());
            }
        }

        void setCentralAuthorizer(Authorizer authorizer) {
            if (!this.centralAuthorizer.compareAndSet(null, authorizer)) {
                throw new IllegalStateException("Only one central authorizer is permitted, but found both " + authorizer.getClass().getName() + " and " + this.centralAuthorizer.get().getClass().getName());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/kafka/security/authorizer/ConfluentServerAuthorizer$AclUpdater.class */
    public static class AclUpdater {
        private static final InvalidRequestException ACLS_DISABLED = new InvalidRequestException("ACL-based authorization is disabled");
        private static final InvalidRequestException CENTRALIZED_ACLS_DISABED = new InvalidRequestException("Centralized ACL-based authorization is disabled");
        private final Optional<Authorizer> clusterAclAuthorizer;
        private final Optional<Authorizer> centralizedAclAuthorizer;
        private final boolean migrateFromZk;

        AclUpdater(Optional<Authorizer> optional, Optional<Authorizer> optional2, boolean z) {
            this.clusterAclAuthorizer = optional;
            this.centralizedAclAuthorizer = optional2;
            this.migrateFromZk = z;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public StandardAuthorizer kraftAuthorizerOrThrow() {
            if (!this.clusterAclAuthorizer.isPresent()) {
                throw new IllegalStateException("KRaft authorizer is not configured, expected it to be present.");
            }
            Authorizer authorizer = this.clusterAclAuthorizer.get();
            if (authorizer instanceof StandardAuthorizer) {
                return (StandardAuthorizer) authorizer;
            }
            throw new IllegalStateException("KRaft authorizer is not configured, expecting StandardAuthorizer got " + authorizer.getClass());
        }

        public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, Optional<String> optional) {
            List<? extends CompletionStage<AclCreateResult>> list2 = null;
            ensureAclsEnabled(optional.isPresent());
            if (this.clusterAclAuthorizer.isPresent() && !optional.isPresent()) {
                list2 = this.clusterAclAuthorizer.get().createAcls(authorizableRequestContext, list);
            }
            if (!this.migrateFromZk && this.clusterAclAuthorizer.isPresent() && !optional.isPresent()) {
                return list2;
            }
            if (list2 != null) {
                try {
                    Iterator<? extends CompletionStage<AclCreateResult>> it = list2.iterator();
                    while (it.hasNext()) {
                        if (it.next().toCompletableFuture().get().exception().isPresent()) {
                            return list2;
                        }
                    }
                } catch (Exception e) {
                    return list2;
                }
            }
            return list2 == null ? this.centralizedAclAuthorizer.get().createAcls(authorizableRequestContext, list, optional) : list2;
        }

        public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional, AclState aclState) {
            List list2 = null;
            ensureAclsEnabled(optional.isPresent());
            if (this.clusterAclAuthorizer.isPresent() && !optional.isPresent()) {
                list2 = this.clusterAclAuthorizer.get().deleteAcls(authorizableRequestContext, list, Optional.empty(), aclState);
            }
            if (!this.migrateFromZk && this.clusterAclAuthorizer.isPresent() && !optional.isPresent()) {
                return list2;
            }
            if (list2 != null) {
                try {
                    Iterator<? extends CompletionStage<AclDeleteResult>> it = list2.iterator();
                    while (it.hasNext()) {
                        if (it.next().toCompletableFuture().get().exception().isPresent()) {
                            return list2;
                        }
                    }
                } catch (Exception e) {
                    return list2;
                }
            }
            return list2 == null ? this.centralizedAclAuthorizer.get().deleteAcls(authorizableRequestContext, list, optional, AclState.ACTIVE) : list2;
        }

        public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter, AclState aclState) {
            if (this.clusterAclAuthorizer.isPresent()) {
                return this.clusterAclAuthorizer.get().acls(aclBindingFilter, aclState);
            }
            if (this.centralizedAclAuthorizer.isPresent()) {
                return this.centralizedAclAuthorizer.get().acls(aclBindingFilter, aclState);
            }
            throw ACLS_DISABLED;
        }

        public int aclCount() {
            return ((Integer) this.clusterAclAuthorizer.map((v0) -> {
                return v0.aclCount();
            }).orElse(-1)).intValue();
        }

        private void ensureAclsEnabled(boolean z) {
            if (!this.clusterAclAuthorizer.isPresent() && !this.centralizedAclAuthorizer.isPresent()) {
                throw ACLS_DISABLED;
            }
            if (z && !this.centralizedAclAuthorizer.isPresent()) {
                throw CENTRALIZED_ACLS_DISABED;
            }
        }

        void completeInitialLoad() {
            this.clusterAclAuthorizer.ifPresent(authorizer -> {
                maybeCompleteInitialLoad(authorizer, null);
            });
            this.centralizedAclAuthorizer.ifPresent(authorizer2 -> {
                maybeCompleteInitialLoad(authorizer2, null);
            });
        }

        void completeInitialLoad(Exception exc) {
            this.clusterAclAuthorizer.ifPresent(authorizer -> {
                maybeCompleteInitialLoad(authorizer, exc);
            });
            this.centralizedAclAuthorizer.ifPresent(authorizer2 -> {
                maybeCompleteInitialLoad(authorizer2, exc);
            });
        }

        private void maybeCompleteInitialLoad(Authorizer authorizer, Exception exc) {
            if (authorizer instanceof ClusterMetadataAuthorizer) {
                ClusterMetadataAuthorizer clusterMetadataAuthorizer = (ClusterMetadataAuthorizer) authorizer;
                if (exc != null) {
                    clusterMetadataAuthorizer.completeInitialLoad(exc);
                } else {
                    clusterMetadataAuthorizer.completeInitialLoad();
                }
            }
        }
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer, org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.multitenantListenerNames = ConfluentConfigs.multitenantListenerNames(map, (ListenerName) null);
        String str = (String) map.get(KafkaConfig.ProcessRolesProp());
        this.iskraft = Boolean.valueOf((str == null || str.isEmpty()) ? false : true);
        HashMap hashMap = new HashMap(map);
        String str2 = (String) hashMap.get(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP);
        if (str2 == null || str2.isEmpty()) {
            if (this.iskraft.booleanValue()) {
                log.debug("KRaft mode detected, setting ACL provider as KRAFT_ACL.");
                hashMap.put(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP, ConfluentBuiltInProviders.AccessRuleProviders.KRAFT_ACL.name());
            } else {
                log.debug("Non-KRaft mode detected, setting ACL provider as ZK_ACL.");
                hashMap.put(ConfluentAuthorizerConfig.ACCESS_RULE_PROVIDERS_PROP, ConfluentBuiltInProviders.AccessRuleProviders.ZK_ACL.name());
            }
        }
        super.configure(hashMap);
        if (hashMap.containsKey("confluent.wait.for.authorizer.startup")) {
            this.waitForAuthorizer = Boolean.valueOf(Boolean.parseBoolean((String) hashMap.get("confluent.wait.for.authorizer.startup")));
        }
        if (this.authorizerConfig.authProviderNames().contains(ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name()) && !(this instanceof MultiTenantAuthorizer)) {
            throw new ConfigException("The MULTI_TENANT provider can only be used with " + MultiTenantAuthorizer.class.getName());
        }
    }

    public Set<String> reconfigurableConfigs() {
        HashSet hashSet = new HashSet();
        for (Provider provider : this.providersCreated) {
            if (provider instanceof Reconfigurable) {
                hashSet.addAll(((Reconfigurable) provider).reconfigurableConfigs());
            }
        }
        return hashSet;
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void validateReconfiguration(Map<String, ?> map) throws ConfigException {
        for (Provider provider : this.providersCreated) {
            if (provider instanceof Reconfigurable) {
                ((Reconfigurable) provider).validateReconfiguration(map);
            }
        }
    }

    public void reconfigure(Map<String, ?> map) {
        for (Provider provider : this.providersCreated) {
            if (provider instanceof Reconfigurable) {
                ((Reconfigurable) provider).reconfigure(map);
            }
        }
    }

    @Override // io.confluent.security.authorizer.EmbeddedAuthorizer
    public void configureServerInfo(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo) {
        super.configureServerInfo(confluentAuthorizerServerInfo);
        initializeAclUpdater();
        if (scope().clusters().isEmpty()) {
            Set set = (Set) accessRuleProviders().stream().map((v0) -> {
                return v0.providerName();
            }).filter(str -> {
                return !UNSCOPED_PROVIDERS.contains(str);
            }).collect(Collectors.toSet());
            if (!set.isEmpty()) {
                throw new ConfigException("Scope not provided for broker providers: " + set);
            }
        }
    }

    private void initializeAclUpdater() {
        AclAuthorizers collectAuthorizers = collectAuthorizers();
        Optional ofNullable = Optional.ofNullable(collectAuthorizers.kraftAuthorizer.get());
        Optional ofNullable2 = Optional.ofNullable(collectAuthorizers.zkAuthorizer.get());
        Optional ofNullable3 = Optional.ofNullable(collectAuthorizers.centralAuthorizer.get());
        if (!this.authorizerConfig.migrateAclsFromCluster) {
            if (!ofNullable.isPresent()) {
                this.aclUpdater = new AclUpdater(ofNullable2, ofNullable3, false);
                return;
            } else {
                if (ofNullable2.isPresent()) {
                    throw new IllegalArgumentException("The ZK and KRaft rule providers must not both be configured");
                }
                this.aclUpdater = new AclUpdater(ofNullable, ofNullable3, false);
                return;
            }
        }
        if (!ofNullable2.isPresent() && !ofNullable.isPresent()) {
            throw new IllegalArgumentException("Acl migration from ZK/KRAFT to metadata service is enabled, but AclProvider is not enabled.");
        }
        if (!ofNullable3.isPresent()) {
            throw new IllegalArgumentException("Acl migration from ZK/KRAFT to metadata service is enabled, but centralized authorizer/RbacProvider is not enabled.");
        }
        if (!(ofNullable3.get() instanceof AclMigrationAware)) {
            throw new IllegalArgumentException("Acl migration from ZK/KRAFT to metadata service is enabled, but centralized authorizer is not Acl migration aware");
        }
        if (ofNullable.isPresent()) {
            this.aclUpdater = new AclUpdater(ofNullable, ofNullable3, true);
        } else {
            this.aclUpdater = new AclUpdater(ofNullable2, ofNullable3, true);
        }
    }

    private boolean onlyCentralizedAclProviderPresent() {
        if (this.onlyCentralizedProvider == null) {
            AclAuthorizers fromAclProviders = AclAuthorizers.fromAclProviders(accessRuleProviders());
            this.onlyCentralizedProvider = Boolean.valueOf(Optional.ofNullable(fromAclProviders.centralAuthorizer.get()).isPresent() && !Optional.ofNullable(fromAclProviders.kraftAuthorizer.get()).isPresent());
        }
        return this.onlyCentralizedProvider.booleanValue();
    }

    protected AclAuthorizers collectAuthorizers() {
        return AclAuthorizers.fromAclProviders(accessRuleProviders());
    }

    @Override // org.apache.kafka.server.authorizer.Authorizer
    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo = (ConfluentAuthorizerServerInfo) authorizerServerInfo;
        configureServerInfo(confluentAuthorizerServerInfo);
        CompletableFuture<Void> start = super.start(confluentAuthorizerServerInfo, createMigrationTask());
        HashMap hashMap = new HashMap(authorizerServerInfo.endpoints().size());
        Optional ofNullable = Optional.ofNullable((String) this.authorizerConfig.originals().get(KafkaConfig$.MODULE$.ControlPlaneListenerNameProp()));
        Collection collection = (Collection) authorizerServerInfo.earlyStartListeners().stream().map(str -> {
            return (String) Optional.of(str).map(ListenerName::normalised).map((v0) -> {
                return v0.value();
            }).orElse("");
        }).collect(Collectors.toList());
        authorizerServerInfo.endpoints().forEach(endpoint -> {
            Optional map = endpoint.listenerName().map(ListenerName::normalised).map((v0) -> {
                return v0.value();
            });
            if (this.multitenantListenerNames.isEmpty()) {
                if (this.iskraft.booleanValue()) {
                    collection.getClass();
                    if (((Boolean) map.map((v1) -> {
                        return r1.contains(v1);
                    }).orElse(false)).booleanValue()) {
                        hashMap.put(endpoint, new AuthorizerCompletableFuture(this.waitForAuthorizer.booleanValue() ? start : CompletableFuture.completedFuture(null), CompletableFuture.completedFuture(null)));
                        return;
                    }
                }
                if (endpoint.equals(authorizerServerInfo.interBrokerEndpoint()) || endpoint.listenerName().equals(ofNullable)) {
                    hashMap.put(endpoint, new AuthorizerCompletableFuture(CompletableFuture.completedFuture(null)));
                    return;
                } else {
                    hashMap.put(endpoint, new AuthorizerCompletableFuture(start));
                    return;
                }
            }
            if (this.iskraft.booleanValue()) {
                collection.getClass();
                if (((Boolean) map.map((v1) -> {
                    return r1.contains(v1);
                }).orElse(false)).booleanValue()) {
                    hashMap.put(endpoint, new AuthorizerCompletableFuture(this.waitForAuthorizer.booleanValue() ? start : CompletableFuture.completedFuture(null), CompletableFuture.completedFuture(null)));
                    return;
                }
            }
            List<String> list = this.multitenantListenerNames;
            list.getClass();
            if (((Boolean) map.map((v1) -> {
                return r1.contains(v1);
            }).orElse(false)).booleanValue()) {
                hashMap.put(endpoint, new AuthorizerCompletableFuture(start));
            } else {
                hashMap.put(endpoint, new AuthorizerCompletableFuture(CompletableFuture.completedFuture(null)));
            }
        });
        return hashMap;
    }

    private Runnable createMigrationTask() {
        return this.authorizerConfig.migrateAclsFromCluster ? ((AclMigrationAware) this.aclUpdater.centralizedAclAuthorizer.get()).migrationTask((Authorizer) this.aclUpdater.clusterAclAuthorizer.get()) : () -> {
        };
    }

    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        return (List) super.authorize(AuthorizerUtils.kafkaRequestContext(authorizableRequestContext), (List<io.confluent.security.authorizer.Action>) list.stream().map(action -> {
            return buildAction(action, action.resourcePattern(), authorizableRequestContext.principal(), scope());
        }).collect(Collectors.toList())).stream().map(authorizeResult -> {
            return authorizeResult == AuthorizeResult.ALLOWED ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
        }).collect(Collectors.toList());
    }

    @Override // org.apache.kafka.server.authorizer.Authorizer
    public AuthorizationResult authorizeByResourceType(AuthorizableRequestContext authorizableRequestContext, AclOperation aclOperation, ResourceType resourceType) {
        SecurityUtils.authorizeByResourceTypeCheckArgs(aclOperation, resourceType);
        return authorizeByResourceType(AuthorizerUtils.kafkaRequestContext(authorizableRequestContext), AclMapper.operation(aclOperation), AclMapper.resourceType(resourceType)) == AuthorizeResult.ALLOWED ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
    }

    private List<? extends CompletionStage<AclCreateResult>> createAclsInternal(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, Optional<String> optional) {
        try {
            return this.aclUpdater.createAcls(authorizableRequestContext, list, optional);
        } catch (Throwable th) {
            log.error("createAcls failed", th);
            throw th;
        }
    }

    @Override // org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public void setAclMutator(AclMutator aclMutator) {
        if (onlyCentralizedAclProviderPresent()) {
            log.warn("Only centralized authorizer found, skipping setting acl mutator.");
        } else {
            this.aclUpdater.kraftAuthorizerOrThrow().setAclMutator(aclMutator);
        }
    }

    @Override // org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public AclMutator aclMutatorOrException() {
        return this.aclUpdater.kraftAuthorizerOrThrow().aclMutatorOrException();
    }

    @Override // org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public void completeInitialLoad() {
        this.aclUpdater.completeInitialLoad();
    }

    @Override // org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public void completeInitialLoad(Exception exc) {
        this.aclUpdater.completeInitialLoad(exc);
    }

    @Override // org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public void loadAclSnapshot(Map<Uuid, ConfluentStandardAcl> map) {
        if (onlyCentralizedAclProviderPresent()) {
            log.warn("Only centralized authorizer found, skipping load snapshot.");
        } else {
            this.aclUpdater.kraftAuthorizerOrThrow().loadAclSnapshot(map);
        }
    }

    @Override // org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    public void applyAclChanges(Map<Uuid, Optional<ConfluentStandardAcl>> map) {
        if (onlyCentralizedAclProviderPresent()) {
            log.warn("Only centralized authorizer found, skipping to apply acl changes.");
        } else {
            this.aclUpdater.kraftAuthorizerOrThrow().applyAclChanges(map);
        }
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        return createAclsInternal(authorizableRequestContext, list, Optional.empty());
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list, Optional<String> optional) {
        return createAclsInternal(authorizableRequestContext, list, optional);
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        return deleteAcls(authorizableRequestContext, list, Optional.empty(), AclState.ANY);
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list, Optional<String> optional, AclState aclState) {
        try {
            return this.aclUpdater.deleteAcls(authorizableRequestContext, list, optional, aclState);
        } catch (Throwable th) {
            log.error("deleteAcls with AclState failed", th);
            throw th;
        }
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        return this.aclUpdater.acls(aclBindingFilter, AclState.ACTIVE);
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter, AclState aclState) {
        return this.aclUpdater.acls(aclBindingFilter, aclState);
    }

    @Override // org.apache.kafka.server.authorizer.Authorizer
    public int aclCount() {
        return this.aclUpdater.aclCount();
    }

    public io.confluent.security.authorizer.Action buildAction(Action action, ResourcePattern resourcePattern, KafkaPrincipal kafkaPrincipal, Scope scope) {
        if (resourcePattern.patternType() != PatternType.LITERAL) {
            throw new IllegalArgumentException("Only literal resources are supported, got: " + resourcePattern.patternType());
        }
        return new io.confluent.security.authorizer.Action(scope, new io.confluent.security.authorizer.ResourcePattern(AclMapper.resourceType(resourcePattern.resourceType()), resourcePattern.name(), PatternType.LITERAL), AclMapper.operation(action.operation()), action.resourceReferenceCount(), action.logIfAllowed(), action.logIfDenied());
    }
}
