package io.confluent.security.authorizer;

import io.confluent.security.authorizer.provider.AccessRuleProvider;
import io.confluent.security.authorizer.provider.AuditLogProvider;
import io.confluent.security.authorizer.provider.Auditable;
import io.confluent.security.authorizer.provider.ConfluentBuiltInProviders;
import io.confluent.security.authorizer.provider.GroupProvider;
import io.confluent.security.authorizer.provider.MetadataProvider;
import io.confluent.security.authorizer.provider.Provider;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.kafka.common.ClusterResource;
import org.apache.kafka.common.ClusterResourceListener;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:io/confluent/security/authorizer/ConfluentAuthorizerConfig.class */
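/**
 * Configuration for the Confluent authorizer: the enabled access rule providers, the
 * super-user and broker-user principal lists, the "allow if no ACL" switch, and the
 * ZooKeeper-ACL migration settings.
 *
 * <p>Several of these settings widen access when changed from their defaults
 * ({@value #ALLOW_IF_NO_ACLS_PROP}, {@value #SUPER_USERS_PROP}, {@value #BROKER_USERS_PROP}),
 * so changes to them deserve the same review as a change to the ACLs themselves.
 */
public class ConfluentAuthorizerConfig extends AbstractConfig {
    // Fail-closed default: a resource without ACLs is not opened to everyone.
    private static final boolean ALLOW_IF_NO_ACLS_DEFAULT = false;
    private static final String SUPER_USERS_DEFAULT = "";
    private static final String BROKER_USERS_DEFAULT = "";
    private static final boolean MIGRATE_ACLS_FROM_ZK_DEFAULT = false;

    /** Parsed value of {@value #ALLOW_IF_NO_ACLS_PROP}. */
    public final boolean allowEveryoneIfNoAcl;
    /** Parsed value of {@value #MIGRATE_ACLS_FROM_ZK_PROP}. */
    public final boolean migrateAclsFromZK;
    // NOTE(review): superUsers and brokerUsers are public and non-final, and parseUsers() returns a
    // mutable set, so any code holding this config can replace or edit the privileged principal
    // lists after validation. Treat both as read-only; making them final/unmodifiable would be
    // safer but could break callers that are not visible in this file.
    /** Principals parsed from {@value #SUPER_USERS_PROP}. */
    public Set<KafkaPrincipal> superUsers;
    /** Principals parsed from {@value #BROKER_USERS_PROP}. */
    public Set<KafkaPrincipal> brokerUsers;
    /** Parsed value of {@value #INIT_TIMEOUT_PROP}. */
    public final Duration initTimeout;

    // These two are computed at class-initialisation time and must stay declared before CONFIG.
    private static final String ACCESS_RULE_PROVIDERS_DEFAULT = ConfluentBuiltInProviders.AccessRuleProviders.ZK_ACL.name();
    private static final String ACCESS_RULE_PROVIDERS_DOC = "List of access rule providers enabled.  Access rule providers supported are " + ConfluentBuiltInProviders.builtInAccessRuleProviders() + ". ACL-based provider is enabled by default.";

    public static final String ALLOW_IF_NO_ACLS_PROP = "allow.everyone.if.no.acl.found";
    private static final String ALLOW_IF_NO_ACLS_DOC = "Boolean flag that indicates if everyone is allowed access to a resource if no ACL is found.";
    public static final String SUPER_USERS_PROP = "super.users";
    private static final String SUPER_USERS_DOC = "Semicolon-separated list of principals of super users who are allowed access to all resources.";
    public static final String BROKER_USERS_PROP = "broker.users";
    private static final String BROKER_USERS_DOC = "Semicolon-separated list of principals of users who are allowed access to all resources on inter broker listener.";
    public static final String ACCESS_RULE_PROVIDERS_PROP = "confluent.authorizer.access.rule.providers";
    public static final String INIT_TIMEOUT_PROP = "confluent.authorizer.init.timeout.ms";
    private static final int INIT_TIMEOUT_DEFAULT = 600000;
    private static final String INIT_TIMEOUT_DOC = "The number of milliseconds to wait for authorizer to start up and initialize any metadata from Kafka topics. On brokers of the cluster hosting metadata topics, inter-broker listeners will be started prior to initialization of authorizer metadata from Kafka topics.";
    public static final String MIGRATE_ACLS_FROM_ZK_PROP = "confluent.authorizer.migrate.acls.from.zk";
    private static final String MIGRATE_ACLS_FROM_ZK_DOC = "This boolean flag is used when we want to migrate ZK ACLs to metadata service. For migration, configure both ACL and RBAC providers and do a rolling restart of the cluster. Also enable this flag on last broker of rolling restart. Based on this flag, last broker will copy the ACLs to metadata service. After migration, remove ACL provider and remove this flag from broker and do a rolling restart. Please check migration docs for more details.";
    public static final String ACL_MIGRATION_BATCH_SIZE_PROP = "confluent.authorizer.acl.migration.batch.size";
    private static final int ACL_MIGRATION_BATCH_SIZE_DEFAULT = 1000;
    private static final String ACL_MIGRATION_BATCH_SIZE_DOC = "Batch size used while migrating ACLs from zk to metadata service.";

    // The *_DEFAULT constants are referenced here (instead of repeated literals) so the declared
    // default and the registered default cannot drift apart.
    // NOTE(review): the migration batch size has no range validator, so zero or a negative value
    // passes config validation; how the consumer of that value reacts is not visible in this file.
    private static final ConfigDef CONFIG = new ConfigDef()
            .define(ALLOW_IF_NO_ACLS_PROP, ConfigDef.Type.BOOLEAN, ALLOW_IF_NO_ACLS_DEFAULT, ConfigDef.Importance.MEDIUM, ALLOW_IF_NO_ACLS_DOC)
            .define(SUPER_USERS_PROP, ConfigDef.Type.STRING, SUPER_USERS_DEFAULT, ConfigDef.Importance.MEDIUM, SUPER_USERS_DOC)
            .define(BROKER_USERS_PROP, ConfigDef.Type.STRING, BROKER_USERS_DEFAULT, ConfigDef.Importance.MEDIUM, BROKER_USERS_DOC)
            .define(ACCESS_RULE_PROVIDERS_PROP, ConfigDef.Type.LIST, ACCESS_RULE_PROVIDERS_DEFAULT, ConfigDef.Importance.MEDIUM, ACCESS_RULE_PROVIDERS_DOC)
            .define(INIT_TIMEOUT_PROP, ConfigDef.Type.INT, INIT_TIMEOUT_DEFAULT, ConfigDef.Range.atLeast(0), ConfigDef.Importance.LOW, INIT_TIMEOUT_DOC)
            .define(MIGRATE_ACLS_FROM_ZK_PROP, ConfigDef.Type.BOOLEAN, MIGRATE_ACLS_FROM_ZK_DEFAULT, ConfigDef.Importance.MEDIUM, MIGRATE_ACLS_FROM_ZK_DOC)
            .define(ACL_MIGRATION_BATCH_SIZE_PROP, ConfigDef.Type.INT, ACL_MIGRATION_BATCH_SIZE_DEFAULT, ConfigDef.Importance.MEDIUM, ACL_MIGRATION_BATCH_SIZE_DOC);

    /* loaded from: input_file:io/confluent/security/authorizer/ConfluentAuthorizerConfig$Providers.class */
    /**
     * Holder for the provider instances produced by {@link #createProviders(String)}.
     * The list reference is stored as passed in, without a defensive copy.
     */
    public static class Providers {
        public final List<AccessRuleProvider> accessRuleProviders;
        public final GroupProvider groupProvider;
        public final MetadataProvider metadataProvider;
        public final AuditLogProvider auditLogProvider;

        private Providers(List<AccessRuleProvider> list, GroupProvider groupProvider, MetadataProvider metadataProvider, AuditLogProvider auditLogProvider) {
            this.accessRuleProviders = list;
            this.groupProvider = groupProvider;
            this.metadataProvider = metadataProvider;
            this.auditLogProvider = auditLogProvider;
        }
    }

    /**
     * Parses and validates the authorizer configuration.
     *
     * @param map raw configuration properties
     * @throws ConfigException if the access rule provider list is empty, or if a value fails
     *     the validation declared in the config definition
     */
    public ConfluentAuthorizerConfig(Map<?, ?> map) {
        super(CONFIG, map);
        this.allowEveryoneIfNoAcl = getBoolean(ALLOW_IF_NO_ACLS_PROP);
        // An authorizer with no rule provider has nothing to evaluate requests against,
        // so an empty list is rejected up front.
        if (getList(ACCESS_RULE_PROVIDERS_PROP).isEmpty()) {
            throw new ConfigException("No access rule providers specified");
        }
        this.superUsers = parseUsers(getString(SUPER_USERS_PROP));
        this.brokerUsers = parseUsers(getString(BROKER_USERS_PROP));
        this.initTimeout = Duration.ofMillis(getInt(INIT_TIMEOUT_PROP));
        this.migrateAclsFromZK = getBoolean(MIGRATE_ACLS_FROM_ZK_PROP);
    }

    /**
     * Parses a semicolon-separated principal list such as the value of {@value #SUPER_USERS_PROP}.
     *
     * <p>Each entry is trimmed and handed to {@link SecurityUtils#parseKafkaPrincipal(String)};
     * an entry that parser rejects makes the whole call fail rather than being skipped.
     *
     * @param str the configured list; may be {@code null} or blank
     * @return the parsed principals, or an empty set for {@code null}/blank input
     */
    public static Set<KafkaPrincipal> parseUsers(String str) {
        if (str == null || str.trim().isEmpty()) {
            return Collections.emptySet();
        }
        return Arrays.stream(str.split(";"))
                .map(entry -> SecurityUtils.parseKafkaPrincipal(entry.trim()))
                .collect(Collectors.toSet());
    }

    /**
     * Instantiates and configures the access rule, group, metadata and audit log providers.
     *
     * <p>Already created provider instances are reused when they also implement the requested
     * provider interface, so each distinct instance is configured exactly once.
     *
     * @param str cluster id passed to providers that implement {@link ClusterResourceListener};
     *     {@code null} skips that notification
     * @return the configured providers
     * @throws ConfigException if no access rule provider remains to be loaded
     */
    public final Providers createProviders(String str) {
        List<String> providerNames = getList(ACCESS_RULE_PROVIDERS_PROP);
        String zkAcl = ConfluentBuiltInProviders.AccessRuleProviders.ZK_ACL.name();
        String multiTenant = ConfluentBuiltInProviders.AccessRuleProviders.MULTI_TENANT.name();
        // ZK_ACL is silently dropped when MULTI_TENANT is configured as well.
        // NOTE(review): presumably the multi-tenant provider supersedes it; the reason is not
        // visible in this file, so confirm before relying on ZK ACLs in that setup.
        if (providerNames.contains(zkAcl) && providerNames.contains(multiTenant)) {
            providerNames = new ArrayList<>(providerNames);
            providerNames.remove(zkAcl);
        }
        if (providerNames.isEmpty()) {
            throw new ConfigException("No access rule providers specified");
        }

        List<AccessRuleProvider> accessRuleProviders = ConfluentBuiltInProviders.loadAccessRuleProviders(providerNames);
        // A set, so a provider that fills several roles is notified and configured only once.
        // NOTE(review): assumes the built-in loaders never return null — TODO confirm.
        Set<Provider> providers = new HashSet<>(accessRuleProviders);
        GroupProvider groupProvider = createProvider(GroupProvider.class, ConfluentBuiltInProviders::loadGroupProvider, providers);
        providers.add(groupProvider);
        MetadataProvider metadataProvider = createProvider(MetadataProvider.class, ConfluentBuiltInProviders::loadMetadataProvider, providers);
        providers.add(metadataProvider);
        AuditLogProvider auditLogProvider = createProvider(AuditLogProvider.class, ConfluentBuiltInProviders::loadAuditLogProvider, providers);
        providers.add(auditLogProvider);

        // Order matters: cluster id first, then configure(), then audit log wiring.
        if (str != null) {
            ClusterResource clusterResource = new ClusterResource(str);
            for (Provider provider : providers) {
                if (provider instanceof ClusterResourceListener) {
                    ((ClusterResourceListener) provider).onUpdate(clusterResource);
                }
            }
        }
        for (Provider provider : providers) {
            provider.configure(originals());
        }
        for (Provider provider : providers) {
            if (provider instanceof Auditable) {
                ((Auditable) provider).auditLogProvider(auditLogProvider);
            }
        }
        return new Providers(accessRuleProviders, groupProvider, metadataProvider, auditLogProvider);
    }

    /**
     * Returns an existing provider that implements {@code cls}, or loads a new one.
     *
     * <p>The type check runs before the cast, so the returned instance is always a {@code cls}.
     * The earlier lookup by provider name was dropped: the names were collected from the same
     * collection being scanned, so that test could never fail.
     *
     * @param cls provider interface wanted
     * @param function loader used when no existing provider implements {@code cls}
     * @param collection providers created so far
     * @return the reused or newly loaded provider
     */
    private <T extends Provider> T createProvider(Class<T> cls, Function<Map<String, ?>, T> function, Collection<? extends Provider> collection) {
        for (Provider candidate : collection) {
            if (cls.isInstance(candidate)) {
                return cls.cast(candidate);
            }
        }
        return function.apply(originals());
    }

    /**
     * Reads the configured access rule provider names straight from a raw property map.
     *
     * <p>The value is trimmed before the emptiness check, so a whitespace-only value yields an
     * empty set rather than a set holding one empty name.
     *
     * @param map raw configuration properties; the value is cast to {@code String}
     * @return the comma-separated provider names, or an empty set if the property is unset or blank
     */
    public static Set<String> accessRuleProviders(Map<String, ?> map) {
        String str = (String) map.get(ACCESS_RULE_PROVIDERS_PROP);
        if (str == null) {
            return Collections.emptySet();
        }
        String trimmed = str.trim();
        if (trimmed.isEmpty()) {
            return Collections.emptySet();
        }
        return Utils.mkSet(trimmed.split("\\s*,\\s*"));
    }

    /**
     * Renders the parsed configuration values as {@code key=value} pairs. The output includes
     * the configured super-user and broker-user principals.
     */
    @Override
    public String toString() {
        // NOTE(review): "%n\t" is handed over as a plain separator string; whether Utils.mkString
        // expands "%n" into a line break is not visible in this file — confirm.
        return Utils.mkString(values(), "", "", "=", "%n\t");
    }

    /**
     * Writes the HTML documentation table for this configuration to the file named by the first
     * argument, or to standard output when no argument is given.
     *
     * @param strArr optional single element: the output file path
     * @throws Exception if the file cannot be opened or written
     */
    public static void main(String[] strArr) throws Exception {
        if (strArr.length == 0) {
            // System.out belongs to the JVM: flush it, never close it.
            System.out.println(CONFIG.toHtmlTable());
            System.out.flush();
            return;
        }
        try (PrintStream out = new PrintStream(new FileOutputStream(strArr[0]), false, StandardCharsets.UTF_8.name())) {
            out.println(CONFIG.toHtmlTable());
            // PrintStream swallows I/O errors; surface them instead of leaving a truncated file.
            if (out.checkError()) {
                throw new java.io.IOException("Failed to write configuration documentation to " + strArr[0]);
            }
        }
    }
}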
