package io.quarkiverse.operatorsdk.deployment;

import io.fabric8.kubernetes.api.model.rbac.ClusterRole;
import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
import io.quarkiverse.operatorsdk.runtime.BuildTimeOperatorConfiguration;
import io.quarkiverse.operatorsdk.runtime.QuarkusControllerConfiguration;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.Produce;
import io.quarkus.deployment.builditem.ApplicationInfoBuildItem;
import io.quarkus.deployment.pkg.builditem.ArtifactResultBuildItem;
import io.quarkus.kubernetes.deployment.KubernetesConfig;
import io.quarkus.kubernetes.deployment.ResourceNameUtil;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.KubernetesClusterRoleBuildItem;
import io.quarkus.kubernetes.spi.KubernetesEffectiveServiceAccountBuildItem;
import io.quarkus.kubernetes.spi.KubernetesRoleBindingBuildItem;
import io.quarkus.kubernetes.spi.PolicyRule;
import io.quarkus.kubernetes.spi.RoleRef;
import io.quarkus.kubernetes.spi.Subject;
import io.quarkus.kubernetes.spi.Targetable;
import java.util.Collection;
import java.util.List;
import java.util.function.BooleanSupplier;

/* loaded from: input_file:io/quarkiverse/operatorsdk/deployment/RBACAugmentationStep.class */
/**
 * Build step that publishes the operator's RBAC resources as Quarkus Kubernetes build items.
 *
 * <p>The fabric8 {@code ClusterRole}, {@code RoleBinding} and {@code ClusterRoleBinding} objects
 * returned by {@code ClusterRoles} and {@code RoleBindings} are converted one-to-one into the
 * corresponding {@code io.quarkus.kubernetes.spi} build items. The step only runs when
 * {@link IsRBACEnabled} returns {@code true}.
 *
 * <p>NOTE(review): the policy rules and binding subjects are computed in {@code ClusterRoles} and
 * {@code RoleBindings}, which are not shown here. This class copies them unchanged, so any
 * least-privilege review of the generated manifests has to start in those classes.
 */
public class RBACAugmentationStep {
    /**
     * Target handed to every produced build item.
     * NOTE(review): presumably a {@code null} target means "not restricted to one deployment
     * target" - confirm against the Quarkus Kubernetes SPI.
     */
    private static final String ANY_TARGET = null;

    /**
     * Build-step condition: RBAC generation is enabled unless {@code disableRbacGeneration()} is
     * {@code true}.
     */
    private static class IsRBACEnabled implements BooleanSupplier {
        // Never assigned in this class. NOTE(review): presumably injected by the Quarkus build
        // framework before getAsBoolean() is called - confirm.
        private BuildTimeOperatorConfiguration config;

        private IsRBACEnabled() {
        }

        @Override
        public boolean getAsBoolean() {
            final boolean generationDisabled = config.disableRbacGeneration();
            return !generationDisabled;
        }
    }

    /**
     * Produces cluster roles, role bindings and cluster role bindings for all configured
     * controllers.
     *
     * <p>Cluster roles are produced first. The service account name and namespace are then
     * resolved and passed to {@code RoleBindings} for both kinds of binding.
     *
     * @param buildTimeOperatorConfiguration build-time configuration; supplies the CRD validation flag
     * @param controllerConfigurationsBuildItem holder of the controller configurations to cover
     * @param kubernetesConfig fallback source for the resource name and namespace
     * @param applicationInfoBuildItem application info used for the fallback name and the error message
     * @param list effective service accounts, filtered here to the {@code "kubernetes"} target
     * @param buildProducer sink for cluster role build items
     * @param buildProducer2 sink for role binding build items
     * @param buildProducer3 sink for cluster role binding build items
     * @throws IllegalStateException if more than one effective service account matches the
     *         {@code "kubernetes"} target; the cluster roles have already been produced by then
     */
    @BuildStep(onlyIf = IsRBACEnabled.class)
    @Produce(ArtifactResultBuildItem.class)
    void augmentRBACForResources(BuildTimeOperatorConfiguration buildTimeOperatorConfiguration, ControllerConfigurationsBuildItem controllerConfigurationsBuildItem, KubernetesConfig kubernetesConfig, ApplicationInfoBuildItem applicationInfoBuildItem, List<KubernetesEffectiveServiceAccountBuildItem> list, BuildProducer<KubernetesClusterRoleBuildItem> buildProducer, BuildProducer<KubernetesRoleBindingBuildItem> buildProducer2, BuildProducer<KubernetesClusterRoleBindingBuildItem> buildProducer3) {
        final Collection<QuarkusControllerConfiguration<?>> controllerConfigs =
                controllerConfigurationsBuildItem.getControllerConfigs().values();

        final boolean validateCrds = buildTimeOperatorConfiguration.crd().validate();
        ClusterRoles.createClusterRoles(controllerConfigs, validateCrds)
                .forEach(role -> buildProducer.produce(clusterRoleBuildItemFrom(role)));

        final List<KubernetesEffectiveServiceAccountBuildItem> kubernetesAccounts =
                Targetable.filteredByTarget(list, "kubernetes").toList();
        if (kubernetesAccounts.size() > 1) {
            // Stop rather than choose one of several candidate accounts to bind to.
            throw new IllegalStateException("More than one effective service account found for application " + applicationInfoBuildItem.getName());
        }

        final String serviceAccountName;
        final String namespace;
        if (kubernetesAccounts.isEmpty()) {
            // No effective service account for this target: fall back to the application's
            // resource name. The namespace is null when none is configured.
            serviceAccountName = ResourceNameUtil.getResourceName(kubernetesConfig, applicationInfoBuildItem);
            namespace = kubernetesConfig.namespace().orElse(null);
        } else {
            final KubernetesEffectiveServiceAccountBuildItem account = kubernetesAccounts.get(0);
            serviceAccountName = account.getServiceAccountName();
            namespace = account.getNamespace();
        }

        // NOTE(review): serviceAccountName and namespace are presumably used as the binding
        // subject inside RoleBindings - confirm there, including how a null namespace is handled.
        RoleBindings.createRoleBindings(controllerConfigs, buildTimeOperatorConfiguration, serviceAccountName, namespace)
                .forEach(binding -> buildProducer2.produce(roleBindingItemFor(binding)));
        RoleBindings.createClusterRoleBindings(controllerConfigs, buildTimeOperatorConfiguration, serviceAccountName, namespace)
                .forEach(binding -> buildProducer3.produce(clusterRoleBindingFor(binding)));
    }

    /**
     * Converts a fabric8 role binding into its build item.
     *
     * @param roleBinding binding to convert; name, namespace, labels, role ref and subjects are copied
     * @return the equivalent build item, created with {@link #ANY_TARGET}
     */
    private KubernetesRoleBindingBuildItem roleBindingItemFor(RoleBinding roleBinding) {
        final var metadata = roleBinding.getMetadata();
        final RoleRef roleRef = convertToQuarkusRoleRef(roleBinding.getRoleRef());
        final Subject[] subjects = roleBinding.getSubjects().stream()
                .map(RBACAugmentationStep::convertToQuarkusSubject)
                .toArray(Subject[]::new);
        return new KubernetesRoleBindingBuildItem(metadata.getName(), metadata.getNamespace(), ANY_TARGET, metadata.getLabels(), roleRef, subjects);
    }

    /**
     * Converts a fabric8 cluster role binding into its build item.
     *
     * @param clusterRoleBinding binding to convert; name, labels, role ref and subjects are copied
     * @return the equivalent build item, created with {@link #ANY_TARGET}
     */
    private KubernetesClusterRoleBindingBuildItem clusterRoleBindingFor(ClusterRoleBinding clusterRoleBinding) {
        final var metadata = clusterRoleBinding.getMetadata();
        final RoleRef roleRef = convertToQuarkusRoleRef(clusterRoleBinding.getRoleRef());
        final Subject[] subjects = clusterRoleBinding.getSubjects().stream()
                .map(RBACAugmentationStep::convertToQuarkusSubject)
                .toArray(Subject[]::new);
        return new KubernetesClusterRoleBindingBuildItem(metadata.getName(), ANY_TARGET, metadata.getLabels(), roleRef, subjects);
    }

    /** Copies API group, kind, name and namespace of a fabric8 subject into a Quarkus {@link Subject}. */
    private static Subject convertToQuarkusSubject(io.fabric8.kubernetes.api.model.rbac.Subject subject) {
        final String apiGroup = subject.getApiGroup();
        final String kind = subject.getKind();
        return new Subject(apiGroup, kind, subject.getName(), subject.getNamespace());
    }

    /**
     * Builds a Quarkus {@link RoleRef} from a fabric8 one. The second constructor argument is
     * {@code true} exactly when the referenced kind equals {@code RoleBindings.CLUSTER_ROLE}.
     */
    private static RoleRef convertToQuarkusRoleRef(io.fabric8.kubernetes.api.model.rbac.RoleRef roleRef) {
        final boolean refersToClusterRole = RoleBindings.CLUSTER_ROLE.equals(roleRef.getKind());
        return new RoleRef(roleRef.getName(), refersToClusterRole);
    }

    /**
     * Converts a fabric8 cluster role into its build item. Every policy rule is copied as-is;
     * nothing is filtered or narrowed here.
     */
    private static KubernetesClusterRoleBuildItem clusterRoleBuildItemFrom(ClusterRole clusterRole) {
        final List<PolicyRule> rules = clusterRole.getRules().stream()
                .map(RBACAugmentationStep::convertToQuarkusPolicyRule)
                .toList();
        return new KubernetesClusterRoleBuildItem(clusterRole.getMetadata().getName(), rules, ANY_TARGET);
    }

    /**
     * Copies API groups, non-resource URLs, resource names, resources and verbs of a fabric8
     * policy rule into a Quarkus {@link PolicyRule}.
     */
    private static PolicyRule convertToQuarkusPolicyRule(io.fabric8.kubernetes.api.model.rbac.PolicyRule policyRule) {
        return new PolicyRule(
                policyRule.getApiGroups(),
                policyRule.getNonResourceURLs(),
                policyRule.getResourceNames(),
                policyRule.getResources(),
                policyRule.getVerbs());
    }
}
