package io.confluent.security.authorizer;

import io.confluent.security.authorizer.AuthorizePolicy;
import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.Auditable;
import io.confluent.security.authorizer.provider.AuthorizeRule;
import io.confluent.security.authorizer.provider.ConfluentAuthorizationEvent;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.InvalidScopeException;
import io.confluent.security.authorizer.provider.MetadataProvider;
import io.confluent.security.authorizer.provider.Provider;
import io.confluent.security.authorizer.provider.ProviderFailedException;
import io.confluent.security.authorizer.provider.ResourceAuthorizeRules;
import io.confluent.security.authorizer.provider.SharedProvider;
import io.confluent.security.authorizer.utils.ThreadUtils;
import io.confluent.security.roledefinitions.Operation;
import io.confluent.security.roledefinitions.ResourceType;
import java.time.Duration;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.kafka.common.MetricName;
import org.apache.kafka.common.errors.AuthorizerNotReadyException;
import org.apache.kafka.common.errors.TimeoutException;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.metrics.Sensor;
import org.apache.kafka.common.metrics.stats.Percentile;
import org.apache.kafka.common.metrics.stats.Percentiles;
import org.apache.kafka.common.metrics.stats.Rate;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.audit.AuditLogProvider;
import org.apache.kafka.server.audit.NoOpAuditLogProvider;
import org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo;
import org.apache.kafka.server.config.KRaftConfigs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/authorizer/EmbeddedAuthorizer.class */
public class EmbeddedAuthorizer implements Authorizer {
    private GroupProvider groupProvider;
    protected List<AccessRuleProvider> accessRuleProviders;
    private AuditLogProvider auditLogProvider;
    protected ConfluentAuthorizerConfig authorizerConfig;
    private MetadataProvider metadataProvider;
    protected boolean allowEveryoneIfNoAcl;
    protected String interBrokerListener;
    protected Duration initTimeout;
    protected volatile boolean ready;
    protected volatile String clusterId;
    protected AuthorizerMetrics authorizerMetrics;
    private volatile boolean isKraft;
    private String physicalClusterId;
    protected static final Logger log = LoggerFactory.getLogger("kafka.authorizer.logger");
    private static final Map<String, Set<Provider>> AUTHORIZER_PROVIDERS_MAP = new HashMap();
    private static final Object AUTHORIZER_PROVIDERS_MAP_LOCK = new Object();
    private String sessionUuid = null;
    protected final Set<Provider> providersCreated = new HashSet();
    private Set<KafkaPrincipal> superUsers = Collections.emptySet();
    protected Set<KafkaPrincipal> brokerUsers = Collections.emptySet();
    protected volatile Scope scope = Scope.ROOT_SCOPE;
    protected volatile Scope auditLogScope = Scope.ROOT_SCOPE;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:io/confluent/security/authorizer/EmbeddedAuthorizer$AuthorizationContext.class */
    public static class AuthorizationContext {
        protected final KafkaPrincipal sessionPrincipal;
        protected final Set<KafkaPrincipal> groupPrincipals;
        protected final String host;
        protected final Action action;

        AuthorizationContext(KafkaPrincipal kafkaPrincipal, Set<KafkaPrincipal> set, String str, Action action) {
            this.sessionPrincipal = kafkaPrincipal;
            this.groupPrincipals = set;
            this.host = str;
            this.action = action;
        }
    }

    /* loaded from: input_file:io/confluent/security/authorizer/EmbeddedAuthorizer$AuthorizerMetrics.class */
    public static class AuthorizerMetrics {
        public static final String GROUP_NAME = "confluent-authorizer-metrics";
        public static final String AUTHORIZATION_REQUEST_RATE_MINUTE = "authorization-request-rate-per-minute";
        public static final String AUTHORIZATION_ALLOWED_RATE_MINUTE = "authorization-allowed-rate-per-minute";
        public static final String AUTHORIZATION_DENIED_RATE_MINUTE = "authorization-denied-rate-per-minute";
        public static final String AUTHORIZATION_REQUEST_DENIED_RATE_MINUTE = "authorization-request-denied-rate-per-minute";
        public static final String AUTHORIZER_RESOURCE_FILTER_RATE_MINUTE = "authorizer-resource-filter-rate-per-minute";
        public static final String AUTHORIZER_ERROR_RATE_MINUTE = "authorizer-error-rate-per-minute";
        public static final String AUTHORIZER_AUTHORIZATION_LATENCY_METRIC_P90 = "authorizer-authorization-latency-p90";
        public static final String AUTHORIZER_AUTHORIZATION_LATENCY_METRIC_P99 = "authorizer-authorization-latency-p99";
        private static final String AUTHORIZER_AUTHORIZATION_ALLOWED_SENSOR = "authorizer-authorization-allowed";
        private static final String AUTHORIZER_AUTHORIZATION_DENIED_SENSOR = "authorizer-authorization-denied";
        private static final String AUTHORIZER_AUTHORIZATION_REQUEST_DENIED_SENSOR = "authorizer-authorization-request-denied";
        private static final String AUTHORIZER_RESOURCE_FILTER_SENSOR = "authorizer-resource-filter";
        private static final String AUTHORIZER_AUTHORIZATION_REQUEST_SENSOR = "authorizer-authorization-request";
        private static final String AUTHORIZER_AUTHORIZATION_LATENCY_SENSOR = "authorizer-authorization-latency";
        private static final String AUTHORIZER_AUTHORIZATION_FAILED_SENSOR = "authorizer-authorization-failed";
        private static final Map<AuthorizeResult, String> FAILED_AUTH_MAP = Collections.unmodifiableMap(new EnumMap<AuthorizeResult, String>(AuthorizeResult.class) { // from class: io.confluent.security.authorizer.EmbeddedAuthorizer.AuthorizerMetrics.1
            {
                put((AnonymousClass1) AuthorizeResult.AUTHORIZER_FAILED, (AuthorizeResult) "authorizer-failed");
                put((AnonymousClass1) AuthorizeResult.UNKNOWN_SCOPE, (AuthorizeResult) "unknown-scope");
                put((AnonymousClass1) AuthorizeResult.UNKNOWN_ERROR, (AuthorizeResult) "unknown-error");
            }
        });
        private final Time time;
        private final Metrics metrics;
        private final Sensor authorizationAllowedSensor;
        private final Sensor authorizationDeniedSensor;
        private final Sensor authorizationRequestDeniedSensor;
        private final Sensor authorizerResourceFilterSensor;
        private final Sensor authorizationRequestSensor;
        private final Map<AuthorizeResult, Sensor> failedSensors;
        private final Sensor authorizationLatencySensor;

        public AuthorizerMetrics(Metrics metrics, Time time) {
            this.failedSensors = new EnumMap(AuthorizeResult.class);
            this.time = time;
            this.metrics = metrics;
            this.authorizationAllowedSensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_ALLOWED_SENSOR);
            this.authorizationAllowedSensor.add(metrics.metricName(AUTHORIZATION_ALLOWED_RATE_MINUTE, GROUP_NAME, "The number of authorization allowed per minute"), new Rate(TimeUnit.MINUTES));
            this.authorizationDeniedSensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_DENIED_SENSOR);
            this.authorizationDeniedSensor.add(metrics.metricName(AUTHORIZATION_DENIED_RATE_MINUTE, GROUP_NAME, "The number of authorization denied per minute (includes denials from metadata/list topic requests)"), new Rate(TimeUnit.MINUTES));
            this.authorizationRequestDeniedSensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_REQUEST_DENIED_SENSOR);
            this.authorizationRequestDeniedSensor.add(metrics.metricName(AUTHORIZATION_REQUEST_DENIED_RATE_MINUTE, GROUP_NAME, "The number of request authorization denials per minute"), new Rate(TimeUnit.MINUTES));
            this.authorizerResourceFilterSensor = metrics.sensor(AUTHORIZER_RESOURCE_FILTER_SENSOR);
            this.authorizerResourceFilterSensor.add(metrics.metricName(AUTHORIZER_RESOURCE_FILTER_RATE_MINUTE, GROUP_NAME, "The number of request authorizer resource filter per minute"), new Rate(TimeUnit.MINUTES));
            this.authorizationRequestSensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_REQUEST_SENSOR);
            this.authorizationRequestSensor.add(metrics.metricName(AUTHORIZATION_REQUEST_RATE_MINUTE, GROUP_NAME, "The number of authorization request per minute"), new Rate(TimeUnit.MINUTES));
            addAuthFailureMetrics();
            this.authorizationLatencySensor = metrics.sensor(AUTHORIZER_AUTHORIZATION_LATENCY_SENSOR);
            addAuthLatencyMetrics();
        }

        final void addAuthFailureMetrics() {
            for (AuthorizeResult authorizeResult : FAILED_AUTH_MAP.keySet()) {
                this.failedSensors.put(authorizeResult, this.metrics.sensor("authorizer-authorization-failed-" + FAILED_AUTH_MAP.get(authorizeResult)));
                this.failedSensors.get(authorizeResult).add(this.metrics.metricName(AUTHORIZER_ERROR_RATE_MINUTE, GROUP_NAME, "Authorization failed count", "error-type", FAILED_AUTH_MAP.get(authorizeResult)), new Rate(TimeUnit.MINUTES));
            }
        }

        final void addAuthLatencyMetrics() {
            MetricName metricName = this.metrics.metricName(AUTHORIZER_AUTHORIZATION_LATENCY_METRIC_P90, GROUP_NAME, "Authorizer Authorization latency ms p90", Collections.emptyMap());
            MetricName metricName2 = this.metrics.metricName(AUTHORIZER_AUTHORIZATION_LATENCY_METRIC_P99, GROUP_NAME, "Authorizer Authorization latency ms p99", Collections.emptyMap());
            this.authorizationLatencySensor.add(new Percentiles(((int) 30000.0d) * 4, 30000.0d, Percentiles.BucketSizing.CONSTANT, new Percentile(metricName, 90.0d), new Percentile(metricName2, 99.0d)));
        }

        AuthorizerMetrics(Time time) {
            this(new Metrics(time), time);
        }

        void recordAuthorizerMetrics(List<AuthorizeResult> list, List<Action> list2, long j) {
            long milliseconds = this.time.milliseconds();
            int size = list.size();
            this.authorizationLatencySensor.record(milliseconds - j, milliseconds, false);
            this.authorizationRequestSensor.record(size, milliseconds, false);
            long count = list.stream().filter(authorizeResult -> {
                return authorizeResult == AuthorizeResult.ALLOWED;
            }).count();
            if (count > 0) {
                this.authorizationAllowedSensor.record(count, milliseconds, false);
            }
            long j2 = size - count;
            if (j2 > 0) {
                this.authorizationDeniedSensor.record(j2, milliseconds, false);
            }
            int i = 0;
            for (int i2 = 0; i2 < list.size(); i2++) {
                if (list.get(i2) != AuthorizeResult.ALLOWED && list2.get(i2).logIfDenied()) {
                    i++;
                }
            }
            if (i > 0) {
                this.authorizationRequestDeniedSensor.record(i, milliseconds, false);
            }
            int i3 = 0;
            for (int i4 = 0; i4 < list.size(); i4++) {
                if (list.get(i4) == AuthorizeResult.DENIED && !list2.get(i4).logIfDenied()) {
                    i3++;
                }
            }
            if (i3 > 0) {
                this.authorizerResourceFilterSensor.record(i3, milliseconds, false);
            }
            EnumMap enumMap = new EnumMap(AuthorizeResult.class);
            for (AuthorizeResult authorizeResult2 : list) {
                if (FAILED_AUTH_MAP.containsKey(authorizeResult2)) {
                    if (!enumMap.containsKey(authorizeResult2)) {
                        enumMap.put((EnumMap) authorizeResult2, (AuthorizeResult) 0);
                    }
                    enumMap.put((EnumMap) authorizeResult2, (AuthorizeResult) Integer.valueOf(((Integer) enumMap.get(authorizeResult2)).intValue() + 1));
                }
            }
            Iterator it = enumMap.keySet().iterator();
            while (it.hasNext()) {
                this.failedSensors.get((AuthorizeResult) it.next()).record(((Integer) enumMap.get(r0)).intValue(), milliseconds, false);
            }
        }

        public Metrics metrics() {
            return this.metrics;
        }

        Time metricsTime() {
            return this.time;
        }
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        String str = (String) map.get(KRaftConfigs.PROCESS_ROLES_CONFIG);
        this.isKraft = (str == null || str.isEmpty()) ? false : true;
        this.authorizerConfig = new ConfluentAuthorizerConfig(map);
        this.allowEveryoneIfNoAcl = this.authorizerConfig.allowEveryoneIfNoAcl;
        this.superUsers = this.authorizerConfig.superUsers;
        this.brokerUsers = this.authorizerConfig.brokerUsers;
        if (map.get("broker.session.uuid") != null) {
            this.sessionUuid = map.get("broker.session.uuid").toString();
        }
        if (map.get("confluent.security.event.logger.physical.cluster.id") != null) {
            this.physicalClusterId = map.get("confluent.security.event.logger.physical.cluster.id").toString();
        }
    }

    public void configureServerInfo(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo) {
        Set<Provider> orDefault;
        this.clusterId = confluentAuthorizerServerInfo.clusterResource().clusterId();
        log.debug("Configuring scope for Kafka cluster with cluster id {}", this.clusterId);
        this.scope = Scope.kafkaClusterScope(this.clusterId);
        if (this.physicalClusterId == null || this.physicalClusterId.isEmpty()) {
            this.auditLogScope = this.scope;
        } else {
            this.auditLogScope = Scope.kafkaClusterScope(this.physicalClusterId);
        }
        this.interBrokerListener = confluentAuthorizerServerInfo.interBrokerEndpoint().listenerName().get();
        this.authorizerMetrics = new AuthorizerMetrics(confluentAuthorizerServerInfo.metrics(), Time.SYSTEM);
        synchronized (AUTHORIZER_PROVIDERS_MAP_LOCK) {
            orDefault = this.sessionUuid != null ? AUTHORIZER_PROVIDERS_MAP.getOrDefault(this.sessionUuid, new HashSet()) : Collections.emptySet();
        }
        ConfluentAuthorizerConfig.Providers createProviders = this.authorizerConfig.createProviders(this.clusterId, orDefault);
        this.providersCreated.addAll(createProviders.accessRuleProviders);
        if (createProviders.groupProvider != null) {
            this.providersCreated.add(createProviders.groupProvider);
        }
        if (createProviders.metadataProvider != null) {
            this.providersCreated.add(createProviders.metadataProvider);
        }
        this.providersCreated.stream().filter(provider -> {
            return provider instanceof Auditable;
        }).forEach(provider2 -> {
            ((Auditable) provider2).auditLogProvider(confluentAuthorizerServerInfo.auditLogProvider());
        });
        configureProviders(createProviders.accessRuleProviders, createProviders.groupProvider, createProviders.metadataProvider, confluentAuthorizerServerInfo.auditLogProvider());
    }

    @Override // io.confluent.security.authorizer.Authorizer
    public List<AuthorizeResult> authorize(RequestContext requestContext, List<Action> list) {
        long milliseconds = this.authorizerMetrics.metricsTime().milliseconds();
        List<AuthorizeResult> list2 = (List) list.stream().map(action -> {
            return authorize(requestContext, action, this::authorize);
        }).collect(Collectors.toList());
        this.authorizerMetrics.recordAuthorizerMetrics(list2, list, milliseconds);
        return list2;
    }

    public GroupProvider groupProvider() {
        return this.groupProvider;
    }

    public AccessRuleProvider accessRuleProvider(String str) {
        Optional<AccessRuleProvider> findFirst = this.accessRuleProviders.stream().filter(accessRuleProvider -> {
            return accessRuleProvider.providerName().equals(str);
        }).findFirst();
        if (findFirst.isPresent()) {
            return findFirst.get();
        }
        throw new IllegalArgumentException("Access rule provider not found: " + str);
    }

    public MetadataProvider metadataProvider() {
        return this.metadataProvider;
    }

    public List<AccessRuleProvider> accessRuleProviders() {
        return this.accessRuleProviders;
    }

    public AuditLogProvider auditLogProvider() {
        return this.auditLogProvider;
    }

    public CompletableFuture<Void> start(ConfluentAuthorizerServerInfo confluentAuthorizerServerInfo, Runnable runnable) {
        this.initTimeout = this.authorizerConfig.initTimeout;
        if (this.authorizerMetrics == null) {
            this.authorizerMetrics = new AuthorizerMetrics(confluentAuthorizerServerInfo.metrics(), Time.SYSTEM);
        }
        HashSet hashSet = new HashSet();
        if (this.groupProvider != null) {
            hashSet.add(this.groupProvider);
        }
        hashSet.addAll(this.accessRuleProviders);
        if (this.metadataProvider != null) {
            hashSet.add(this.metadataProvider);
        }
        List list = (List) hashSet.stream().map(provider -> {
            return provider.start(confluentAuthorizerServerInfo);
        }).map((v0) -> {
            return v0.toCompletableFuture();
        }).collect(Collectors.toList());
        CompletableFuture<Void> futureOrTimeout = futureOrTimeout(CompletableFuture.allOf((CompletableFuture[]) list.toArray(new CompletableFuture[list.size()])).thenAccept(r4 -> {
            this.ready = true;
        }).thenRunAsync(runnable).thenAccept(r5 -> {
            this.auditLogProvider.start(confluentAuthorizerServerInfo.interBrokerClientConfig());
        }), this.initTimeout);
        if (!((this.groupProvider != null && this.groupProvider.usesMetadataFromThisKafkaCluster()) || (this.metadataProvider != null && this.metadataProvider.usesMetadataFromThisKafkaCluster()) || this.accessRuleProviders.stream().anyMatch((v0) -> {
            return v0.usesMetadataFromThisKafkaCluster();
        }) || this.auditLogProvider.usesMetadataFromThisKafkaCluster())) {
            futureOrTimeout.join();
        }
        return futureOrTimeout;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void configureProviders(List<AccessRuleProvider> list, GroupProvider groupProvider, MetadataProvider metadataProvider, AuditLogProvider auditLogProvider) {
        this.accessRuleProviders = list;
        this.groupProvider = groupProvider;
        this.metadataProvider = metadataProvider;
        this.auditLogProvider = auditLogProvider == null ? NoOpAuditLogProvider.INSTANCE : auditLogProvider;
        synchronized (AUTHORIZER_PROVIDERS_MAP_LOCK) {
            if (this.sessionUuid != null && !AUTHORIZER_PROVIDERS_MAP.containsKey(this.sessionUuid)) {
                for (AccessRuleProvider accessRuleProvider : list) {
                    if (accessRuleProvider instanceof SharedProvider) {
                        AUTHORIZER_PROVIDERS_MAP.putIfAbsent(this.sessionUuid, new HashSet());
                        AUTHORIZER_PROVIDERS_MAP.get(this.sessionUuid).add(accessRuleProvider);
                    }
                }
            }
        }
    }

    protected boolean ready() {
        return this.ready;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, Action action) {
        return this.superUsers.contains(kafkaPrincipal2);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AuthorizeResult authorizeByResourceType(RequestContext requestContext, Operation operation, ResourceType resourceType) {
        return authorize(requestContext, actionForAuthorizeByResourceType(requestContext, operation, resourceType), this::authorizeByResourceType);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Action actionForAuthorizeByResourceType(RequestContext requestContext, Operation operation, ResourceType resourceType) {
        return new Action(scope(), new ResourcePattern(resourceType, "", PatternType.ANY), operation, 1, true, true);
    }

    private AuthorizeResult authorize(RequestContext requestContext, Action action, Function<AuthorizationContext, AuthorizePolicy> function) {
        AuthorizePolicy superUser;
        try {
            KafkaPrincipal principal = requestContext.principal();
            String hostAddress = requestContext.clientAddress().getHostAddress();
            KafkaPrincipal userPrincipal = userPrincipal(principal);
            if (isSuperUser(principal, userPrincipal, action)) {
                log.debug("principal = {} is a super user, allowing operation without checking any providers.", userPrincipal);
                superUser = new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_USER, userPrincipal);
            } else if (isBrokerUserOnInterBrokerListener(requestContext)) {
                log.debug("principal = {} is a broker user, allowing operation without checking any providers.", userPrincipal);
                superUser = new AuthorizePolicy.BrokerUser(AuthorizePolicy.PolicyType.BROKER_USER, userPrincipal);
            } else {
                Scope scope = action.scope();
                Set<KafkaPrincipal> groups = this.groupProvider.groups(principal);
                Optional<KafkaPrincipal> findFirst = groups.stream().filter(kafkaPrincipal -> {
                    return isSuperUser(principal, kafkaPrincipal, action);
                }).findFirst();
                if (findFirst.isPresent()) {
                    log.debug("principal = {} belongs to super group {}, allowing operation without checking acls.", userPrincipal, findFirst.get());
                    superUser = new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_GROUP, findFirst.get());
                } else if (this.accessRuleProviders.stream().anyMatch(accessRuleProvider -> {
                    return accessRuleProvider.isSuperUser(principal, scope);
                })) {
                    superUser = new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_USER, principal);
                } else {
                    Optional<KafkaPrincipal> findAny = groups.stream().filter(kafkaPrincipal2 -> {
                        return this.accessRuleProviders.stream().anyMatch(accessRuleProvider2 -> {
                            return accessRuleProvider2.isSuperUser(kafkaPrincipal2, scope);
                        });
                    }).findAny();
                    superUser = findAny.isPresent() ? new AuthorizePolicy.SuperUser(AuthorizePolicy.PolicyType.SUPER_GROUP, findAny.get()) : function.apply(new AuthorizationContext(principal, groups, hostAddress, action));
                }
            }
            AuthorizeResult authorizeResult = superUser.policyType().accessGranted() ? AuthorizeResult.ALLOWED : AuthorizeResult.DENIED;
            try {
                logAuditMessage(this.auditLogScope, requestContext, action, authorizeResult, superUser);
            } catch (Exception e) {
                log.error("Failed to log Audit message.\n  scope: {}\n  context: {}\n  principal: {}\n  action: {}\n  result: {}\n  policy: {}", this.auditLogScope, requestContext, requestContext.principal(), action, authorizeResult, superUser, e);
            }
            return authorizeResult;
        } catch (InvalidScopeException e2) {
            log.error("Authorizer failed with unknown scope. principal {}, action: {}", requestContext.principal(), action, e2);
            return AuthorizeResult.UNKNOWN_SCOPE;
        } catch (ProviderFailedException e3) {
            log.error("Authorization provider has failed. principal {}, action: {}", requestContext.principal(), action, e3);
            return AuthorizeResult.AUTHORIZER_FAILED;
        } catch (Throwable th) {
            log.error("Authorization failed with unexpected exception. principal {}, action: {}", requestContext.principal(), action, th);
            return AuthorizeResult.UNKNOWN_ERROR;
        }
    }

    private boolean isBrokerUserOnInterBrokerListener(RequestContext requestContext) {
        return this.interBrokerListener != null && this.interBrokerListener.equals(requestContext.listenerName()) && this.brokerUsers.contains(requestContext.principal());
    }

    private AuthorizePolicy authorize(AuthorizationContext authorizationContext) {
        if (this.isKraft && !this.ready) {
            throw new AuthorizerNotReadyException();
        }
        KafkaPrincipal kafkaPrincipal = authorizationContext.sessionPrincipal;
        Set<KafkaPrincipal> set = authorizationContext.groupPrincipals;
        String str = authorizationContext.host;
        Action action = authorizationContext.action;
        ResourcePattern resourcePattern = action.resourcePattern();
        Operation operation = action.operation();
        AuthorizeRule authorizeRule = new AuthorizeRule();
        this.accessRuleProviders.stream().filter((v0) -> {
            return v0.mayDeny();
        }).forEach(accessRuleProvider -> {
            authorizeRule.add(accessRuleProvider.findRule(kafkaPrincipal, set, str, action));
        });
        Optional<AuthorizePolicy> authorizePolicy = authorizePolicy(operation, resourcePattern, str, authorizeRule);
        if (authorizePolicy.isPresent()) {
            return authorizePolicy.get();
        }
        this.accessRuleProviders.stream().filter(accessRuleProvider2 -> {
            return !accessRuleProvider2.mayDeny();
        }).forEach(accessRuleProvider3 -> {
            authorizeRule.add(accessRuleProvider3.findRule(kafkaPrincipal, set, str, action));
        });
        Optional<AuthorizePolicy> authorizePolicy2 = authorizePolicy(operation, resourcePattern, str, authorizeRule);
        return authorizePolicy2.isPresent() ? authorizePolicy2.get() : authorizePolicy2.orElse(authorizePolicyWithNoMatchingRule(resourcePattern, authorizeRule));
    }

    private AuthorizePolicy authorizeByResourceType(AuthorizationContext authorizationContext) {
        ResourceAuthorizeRules resourceAuthorizeRules = new ResourceAuthorizeRules();
        this.accessRuleProviders.forEach(accessRuleProvider -> {
            accessRuleProvider.addMatchingRules(resourceAuthorizeRules, authorizationContext.sessionPrincipal, authorizationContext.groupPrincipals, authorizationContext.host, authorizationContext.action.operation(), authorizationContext.action.scope(), authorizationContext.action.resourceType());
        });
        Set<String> keySet = resourceAuthorizeRules.denyLiteralRules().keySet();
        Set<String> keySet2 = resourceAuthorizeRules.denyPrefixedRules().keySet();
        Set<String> keySet3 = resourceAuthorizeRules.allowLiteralRules().keySet();
        Set<String> keySet4 = resourceAuthorizeRules.allowPrefixedRules().keySet();
        AuthorizePolicy authorizePolicy = null;
        if (keySet.contains("*")) {
            authorizePolicy = resourceAuthorizeRules.denyLiteralRules().get("*");
        } else if (keySet3.contains("*")) {
            authorizePolicy = resourceAuthorizeRules.allowLiteralRules().get("*");
        } else if (this.allowEveryoneIfNoAcl) {
            authorizePolicy = AuthorizePolicy.ALLOW_ON_NO_RULE;
        } else if (!keySet.isEmpty() || !keySet2.isEmpty()) {
            Iterator<String> it = keySet3.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                String next = it.next();
                if (!keySet.contains(next) && !hasDominatedDeny(next, keySet2)) {
                    authorizePolicy = resourceAuthorizeRules.allowLiteralRules().get(next);
                    break;
                }
            }
            if (authorizePolicy == null) {
                Iterator<String> it2 = keySet4.iterator();
                while (true) {
                    if (!it2.hasNext()) {
                        break;
                    }
                    String next2 = it2.next();
                    if (!hasDominatedDeny(next2, keySet2)) {
                        authorizePolicy = resourceAuthorizeRules.allowPrefixedRules().get(next2);
                        break;
                    }
                }
            }
        } else if (keySet3.isEmpty() && keySet4.isEmpty()) {
            authorizePolicy = AuthorizePolicy.DENY_ON_NO_RULE;
        } else {
            authorizePolicy = keySet4.isEmpty() ? resourceAuthorizeRules.allowLiteralRules().values().iterator().next() : resourceAuthorizeRules.allowPrefixedRules().values().iterator().next();
        }
        if (authorizePolicy == null) {
            authorizePolicy = keySet2.isEmpty() ? resourceAuthorizeRules.denyLiteralRules().values().iterator().next() : resourceAuthorizeRules.denyPrefixedRules().values().iterator().next();
        }
        return authorizePolicy;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        removeFromAuthorizerProvidersMap(this.sessionUuid);
        log.debug("Closing embedded authorizer");
        AtomicReference atomicReference = new AtomicReference();
        this.providersCreated.forEach(provider -> {
            Utils.closeQuietly(provider, provider.providerName(), (AtomicReference<Throwable>) atomicReference);
        });
        Throwable th = (Throwable) atomicReference.getAndSet(null);
        if (th != null) {
            log.error("Failed to close authorizer cleanly", th);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Scope scope() {
        return this.scope;
    }

    protected void setupAuthorizerMetrics(Metrics metrics) {
        this.authorizerMetrics = new AuthorizerMetrics(metrics, Time.SYSTEM);
    }

    private Optional<AuthorizePolicy> authorizePolicy(Operation operation, ResourcePattern resourcePattern, String str, AuthorizeRule authorizeRule) {
        Optional<AccessRule> denyRule = authorizeRule.denyRule().isPresent() ? authorizeRule.denyRule() : authorizeRule.allowRule();
        denyRule.ifPresent(accessRule -> {
            log.debug("operation = {} on resource = {} from host = {} is {} based on policy = {}", operation, resourcePattern, str, accessRule.permissionType(), accessRule);
        });
        return denyRule.map(Function.identity());
    }

    private AuthorizePolicy authorizePolicyWithNoMatchingRule(ResourcePattern resourcePattern, AuthorizeRule authorizeRule) {
        if (!authorizeRule.noResourceAcls()) {
            return AuthorizePolicy.NO_MATCHING_RULE;
        }
        log.debug("No acl found for resource {}, authorized = {}", resourcePattern, Boolean.valueOf(this.allowEveryoneIfNoAcl));
        return this.allowEveryoneIfNoAcl ? AuthorizePolicy.ALLOW_ON_NO_RULE : AuthorizePolicy.DENY_ON_NO_RULE;
    }

    private KafkaPrincipal userPrincipal(KafkaPrincipal kafkaPrincipal) {
        return kafkaPrincipal.getClass() != KafkaPrincipal.class ? new KafkaPrincipal(kafkaPrincipal.getPrincipalType(), kafkaPrincipal.getName()) : kafkaPrincipal;
    }

    private boolean hasDominatedDeny(String str, Set<String> set) {
        StringBuilder sb = new StringBuilder();
        for (char c : str.toCharArray()) {
            sb.append(c);
            if (set.contains(sb.toString())) {
                return true;
            }
        }
        return false;
    }

    protected void logAuditMessage(Scope scope, RequestContext requestContext, Action action, AuthorizeResult authorizeResult, AuthorizePolicy authorizePolicy) {
        ConfluentAuthorizationEvent confluentAuthorizationEvent = new ConfluentAuthorizationEvent(scope, requestContext, action, authorizeResult, authorizePolicy);
        logAuthorization(confluentAuthorizationEvent);
        this.auditLogProvider.logEvent(confluentAuthorizationEvent, requestContext.isProxyModeLocal());
    }

    private void logAuthorization(ConfluentAuthorizationEvent confluentAuthorizationEvent) {
        KafkaPrincipal principal = confluentAuthorizationEvent.m3726requestContext().principal();
        String name = confluentAuthorizationEvent.action().operation().name();
        Supplier supplier = () -> {
            return confluentAuthorizationEvent.m3726requestContext().clientAddress().getHostAddress();
        };
        Supplier supplier2 = () -> {
            return SecurityUtils.toPascalCase(confluentAuthorizationEvent.action().resourceType().name()) + ":" + confluentAuthorizationEvent.action().resourcePattern().patternType() + ":" + confluentAuthorizationEvent.action().resourceName();
        };
        if (confluentAuthorizationEvent.authorizeResult() == AuthorizeResult.ALLOWED) {
            if (confluentAuthorizationEvent.action().logIfAllowed() && log.isDebugEnabled()) {
                log.debug("Principal = {} is {} Operation = {} from host = {} on resource = {}", principal, "Allowed", name, supplier.get(), supplier2.get());
                return;
            } else {
                if (log.isTraceEnabled()) {
                    log.trace("Principal = {} is {} Operation = {} from host = {} on resource = {}", principal, "Allowed", name, supplier.get(), supplier2.get());
                    return;
                }
                return;
            }
        }
        if (confluentAuthorizationEvent.action().logIfDenied() && log.isInfoEnabled()) {
            log.info("Principal = {} is {} Operation = {} from host = {} on resource = {}", principal, "Denied", name, supplier.get(), supplier2.get());
        } else if (log.isTraceEnabled()) {
            log.trace("Principal = {} is {} Operation = {} from host = {} on resource = {}", principal, "Denied", name, supplier.get(), supplier2.get());
        }
    }

    protected CompletableFuture<Void> futureOrTimeout(CompletableFuture<Void> completableFuture, Duration duration) {
        if (completableFuture.isDone()) {
            return completableFuture;
        }
        CompletableFuture completableFuture2 = new CompletableFuture();
        ScheduledExecutorService newSingleThreadScheduledExecutor = Executors.newSingleThreadScheduledExecutor(ThreadUtils.createThreadFactory("authorizer-%d", true));
        newSingleThreadScheduledExecutor.schedule(() -> {
            completableFuture2.completeExceptionally(new TimeoutException(String.format("Authorizer did not start up within the timeout %s=%d ms. This may be due to one or more brokers being down for longer than this interval. Please start all brokers in the cluster within '%s' of each other to ensure that all partitions required for authorizer start up are available within this timeout.", ConfluentAuthorizerConfig.INIT_TIMEOUT_PROP, Long.valueOf(this.initTimeout.toMillis()), ConfluentAuthorizerConfig.INIT_TIMEOUT_PROP)));
        }, duration.toMillis(), TimeUnit.MILLISECONDS);
        return CompletableFuture.anyOf(completableFuture, completableFuture2).thenApply(obj -> {
            return (Void) null;
        }).whenComplete((BiConsumer<? super U, ? super Throwable>) (r3, th) -> {
            newSingleThreadScheduledExecutor.shutdownNow();
        });
    }

    protected Metrics metrics() {
        return this.authorizerMetrics.metrics();
    }

    void setupAuthorizerMetrics(Time time) {
        this.authorizerMetrics = new AuthorizerMetrics(time);
    }

    protected Time metricsTime() {
        return this.authorizerMetrics.metricsTime();
    }

    public static void removeFromAuthorizerProvidersMap(String str) {
        if (str != null) {
            synchronized (AUTHORIZER_PROVIDERS_MAP_LOCK) {
                AUTHORIZER_PROVIDERS_MAP.remove(str);
            }
        }
    }

    public static void clearAuthorizerProvidersMap() {
        synchronized (AUTHORIZER_PROVIDERS_MAP_LOCK) {
            AUTHORIZER_PROVIDERS_MAP.clear();
        }
    }
}
