package com.purbon.kafka.topology;

import com.damnhandy.uri.template.UriTemplate;
import com.purbon.kafka.topology.actions.Action;
import com.purbon.kafka.topology.actions.access.ClearBindings;
import com.purbon.kafka.topology.actions.access.CreateBindings;
import com.purbon.kafka.topology.actions.access.builders.AclBindingsResult;
import com.purbon.kafka.topology.actions.access.builders.BuildBindingsForRole;
import com.purbon.kafka.topology.actions.access.builders.ConsumerAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.ControlCenterAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.KConnectAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.KSqlAppAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.KSqlServerAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.KStreamsAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.ProducerAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.SchemaRegistryAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.rbac.BuildBindingsForSchemaAuthorization;
import com.purbon.kafka.topology.actions.access.builders.rbac.ClusterLevelAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.rbac.ConnectorAuthorizationAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.rbac.PredefinedAclBindingsBuilder;
import com.purbon.kafka.topology.actions.access.builders.rbac.SchemaAuthorizationAclBindingsBuilder;
import com.purbon.kafka.topology.exceptions.RemoteValidationException;
import com.purbon.kafka.topology.model.Component;
import com.purbon.kafka.topology.model.DynamicUser;
import com.purbon.kafka.topology.model.JulieRoles;
import com.purbon.kafka.topology.model.Platform;
import com.purbon.kafka.topology.model.Project;
import com.purbon.kafka.topology.model.Topic;
import com.purbon.kafka.topology.model.Topology;
import com.purbon.kafka.topology.model.User;
import com.purbon.kafka.topology.model.users.Connector;
import com.purbon.kafka.topology.model.users.KSqlApp;
import com.purbon.kafka.topology.model.users.KStream;
import com.purbon.kafka.topology.model.users.Other;
import com.purbon.kafka.topology.model.users.Schemas;
import com.purbon.kafka.topology.model.users.platform.ControlCenterInstance;
import com.purbon.kafka.topology.model.users.platform.KsqlServerInstance;
import com.purbon.kafka.topology.model.users.platform.SchemaRegistryInstance;
import com.purbon.kafka.topology.roles.ResourceFilter;
import com.purbon.kafka.topology.roles.TopologyAclBinding;
import java.io.IOException;
import java.io.PrintStream;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/purbon/kafka/topology/AccessControlManager.class */
public class AccessControlManager implements ExecutionPlanUpdater {
    private static final Logger LOGGER = LogManager.getLogger((Class<?>) AccessControlManager.class);
    private final Configuration config;
    private final JulieRoles julieRoles;
    private AccessControlProvider controlProvider;
    private BindingsBuilderProvider bindingsBuilder;
    private final ResourceFilter resourceFilter;

    public AccessControlManager(AccessControlProvider accessControlProvider, BindingsBuilderProvider bindingsBuilderProvider) {
        this(accessControlProvider, bindingsBuilderProvider, new Configuration());
    }

    public AccessControlManager(AccessControlProvider accessControlProvider, BindingsBuilderProvider bindingsBuilderProvider, Configuration configuration) {
        this(accessControlProvider, bindingsBuilderProvider, new JulieRoles(), configuration);
    }

    public AccessControlManager(AccessControlProvider accessControlProvider, BindingsBuilderProvider bindingsBuilderProvider, JulieRoles julieRoles, Configuration configuration) {
        this.controlProvider = accessControlProvider;
        this.bindingsBuilder = bindingsBuilderProvider;
        this.config = configuration;
        this.julieRoles = julieRoles;
        this.resourceFilter = new ResourceFilter(configuration);
    }

    @Override // com.purbon.kafka.topology.ExecutionPlanUpdater
    public void updatePlan(ExecutionPlan executionPlan, Map<String, Topology> map) throws IOException {
        ArrayList arrayList = new ArrayList();
        for (Topology topology : map.values()) {
            this.julieRoles.validateTopology(topology);
            arrayList.addAll(buildProjectAclBindings(topology));
            arrayList.addAll(buildPlatformLevelActions(topology));
            arrayList.addAll(buildSpecialTopicsAcls(topology));
        }
        List<Action> buildUpdateBindingsActions = buildUpdateBindingsActions(arrayList, loadActualClusterStateIfAvailable(executionPlan));
        Objects.requireNonNull(executionPlan);
        buildUpdateBindingsActions.forEach(executionPlan::add);
    }

    private Set<TopologyAclBinding> loadActualClusterStateIfAvailable(ExecutionPlan executionPlan) throws IOException {
        Stream<TopologyAclBinding> stream = (this.config.fetchStateFromTheCluster() ? providerBindings() : executionPlan.getBindings()).stream();
        ResourceFilter resourceFilter = this.resourceFilter;
        Objects.requireNonNull(resourceFilter);
        Set<TopologyAclBinding> set = (Set) stream.filter(resourceFilter::matchesManagedPrefixList).filter(this::isNotInternalAcl).collect(Collectors.toSet());
        if (!this.config.shouldVerifyRemoteState().booleanValue()) {
            LOGGER.warn("Remote state verification disabled, this is not a good practice, be awarein future versions, this check is going to become mandatory.");
        }
        if (this.config.shouldVerifyRemoteState().booleanValue() && !this.config.fetchStateFromTheCluster()) {
            detectDivergencesInTheRemoteCluster(executionPlan);
        }
        return set;
    }

    private void detectDivergencesInTheRemoteCluster(ExecutionPlan executionPlan) throws RemoteValidationException {
        Set<TopologyAclBinding> providerBindings = providerBindings();
        List list = (List) executionPlan.getBindings().stream().filter(topologyAclBinding -> {
            return !providerBindings.contains(topologyAclBinding);
        }).collect(Collectors.toList());
        if (list.size() > 0) {
            String str = "Your remote state has changed since the last execution, this ACL(s): " + StringUtils.join(list, UriTemplate.DEFAULT_SEPARATOR) + " are in your local state, but not in the cluster, please investigate!";
            LOGGER.error(str);
            throw new RemoteValidationException(str);
        }
    }

    private boolean isNotInternalAcl(TopologyAclBinding topologyAclBinding) {
        return ((Boolean) this.config.getInternalPrincipalOptional().map(str -> {
            return Boolean.valueOf(!topologyAclBinding.getPrincipal().equals(str));
        }).orElse(true)).booleanValue();
    }

    private Set<TopologyAclBinding> providerBindings() {
        HashSet hashSet = new HashSet();
        Collection<List<TopologyAclBinding>> values = this.controlProvider.listAcls().values();
        Objects.requireNonNull(hashSet);
        values.forEach((v1) -> {
            r1.addAll(v1);
        });
        return hashSet;
    }

    private List<AclBindingsResult> buildProjectAclBindings(Topology topology) {
        List<AclBindingsResult> arrayList = new ArrayList<>();
        for (Project project : topology.getProjects()) {
            if (this.config.shouldOptimizeAcls().booleanValue()) {
                arrayList.addAll(buildOptimizeConsumerAndProducerAcls(project));
            } else {
                arrayList.addAll(buildDetailedConsumerAndProducerAcls(project));
            }
            String namePrefix = project.namePrefix();
            Iterator<KStream> it = project.getStreams().iterator();
            while (it.hasNext()) {
                Optional<AclBindingsResult> syncApplicationAcls = syncApplicationAcls(it.next(), namePrefix);
                Objects.requireNonNull(arrayList);
                syncApplicationAcls.ifPresent((v1) -> {
                    r1.add(v1);
                });
            }
            Iterator<KSqlApp> it2 = project.getKSqls().iterator();
            while (it2.hasNext()) {
                Optional<AclBindingsResult> syncApplicationAcls2 = syncApplicationAcls(it2.next(), namePrefix);
                Objects.requireNonNull(arrayList);
                syncApplicationAcls2.ifPresent((v1) -> {
                    r1.add(v1);
                });
            }
            for (Connector connector : project.getConnectors()) {
                Optional<AclBindingsResult> syncApplicationAcls3 = syncApplicationAcls(connector, namePrefix);
                Objects.requireNonNull(arrayList);
                syncApplicationAcls3.ifPresent((v1) -> {
                    r1.add(v1);
                });
                connector.getConnectors().ifPresent(list -> {
                    arrayList.add(new ConnectorAuthorizationAclBindingsBuilder(this.bindingsBuilder, connector).getAclBindings());
                });
            }
            Iterator<Schemas> it3 = project.getSchemas().iterator();
            while (it3.hasNext()) {
                arrayList.add(new SchemaAuthorizationAclBindingsBuilder(new BuildBindingsForSchemaAuthorization(this.bindingsBuilder, it3.next(), this.config, namePrefix)).getAclBindings());
            }
            syncRbacRawRoles(project.getRbacRawRoles(), namePrefix, arrayList);
            for (Map.Entry<String, List<Other>> entry : project.getOthers().entrySet()) {
                if (this.julieRoles.size() == 0) {
                    throw new IllegalStateException("Custom JulieRoles are being used without providing the required config file.");
                }
                BuildBindingsForRole buildBindingsForRole = new BuildBindingsForRole(this.bindingsBuilder, this.julieRoles.get(entry.getKey()), entry.getValue());
                try {
                    buildBindingsForRole.run();
                    arrayList.add(AclBindingsResult.forAclBindings(buildBindingsForRole.getAclBindings()));
                } catch (IOException e) {
                    throw new IllegalStateException(e);
                }
            }
        }
        return arrayList;
    }

    private List<AclBindingsResult> buildOptimizeConsumerAndProducerAcls(Project project) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new ConsumerAclBindingsBuilder(this.bindingsBuilder, project.getConsumers(), project.namePrefix(), true).getAclBindings());
        arrayList.add(new ProducerAclBindingsBuilder(this.bindingsBuilder, project.getProducers(), project.namePrefix(), true).getAclBindings());
        arrayList.addAll(buildBasicUsersAcls(project, false));
        return arrayList;
    }

    private List<AclBindingsResult> buildDetailedConsumerAndProducerAcls(Project project) {
        return buildBasicUsersAcls(project, true);
    }

    private List<AclBindingsResult> buildBasicUsersAcls(Project project, boolean z) {
        return buildBasicUsersAcls(project.getTopics(), project, z);
    }

    private List<AclBindingsResult> buildSpecialTopicsAcls(Topology topology) {
        return buildBasicUsersAcls(topology.getSpecialTopics(), null, false);
    }

    private List<AclBindingsResult> buildBasicUsersAcls(Collection<Topic> collection, Project project, boolean z) {
        ArrayList arrayList = new ArrayList();
        for (Topic topic : collection) {
            String topic2 = topic.toString();
            HashSet hashSet = new HashSet(topic.getConsumers());
            if (z) {
                hashSet.addAll(project.getConsumers());
            }
            if (!hashSet.isEmpty()) {
                arrayList.add(new ConsumerAclBindingsBuilder(this.bindingsBuilder, new ArrayList(hashSet), topic2, false).getAclBindings());
            }
            HashSet hashSet2 = new HashSet(topic.getProducers());
            if (z) {
                hashSet2.addAll(project.getProducers());
            }
            if (!hashSet2.isEmpty()) {
                arrayList.add(new ProducerAclBindingsBuilder(this.bindingsBuilder, new ArrayList(hashSet2), topic2, false).getAclBindings());
            }
        }
        return arrayList;
    }

    private List<Action> buildUpdateBindingsActions(List<AclBindingsResult> list, Set<TopologyAclBinding> set) throws IOException {
        ArrayList arrayList = new ArrayList();
        List list2 = (List) list.stream().filter((v0) -> {
            return v0.isError();
        }).map((v0) -> {
            return v0.getErrorMessage();
        }).collect(Collectors.toList());
        if (!list2.isEmpty()) {
            Iterator it = list2.iterator();
            while (it.hasNext()) {
                LOGGER.error((String) it.next());
            }
            throw new IOException((String) list2.get(0));
        }
        Set set2 = (Set) list.stream().flatMap(aclBindingsResult -> {
            return aclBindingsResult.getAclBindings().stream();
        }).collect(Collectors.toSet());
        Stream filter = set2.stream().filter((v0) -> {
            return Objects.nonNull(v0);
        });
        ResourceFilter resourceFilter = this.resourceFilter;
        Objects.requireNonNull(resourceFilter);
        Set set3 = (Set) filter.filter(resourceFilter::matchesManagedPrefixList).filter(topologyAclBinding -> {
            return !set.contains(topologyAclBinding);
        }).collect(Collectors.toSet());
        if (!set3.isEmpty()) {
            arrayList.add(new CreateBindings(this.controlProvider, set3));
        }
        if (this.config.isAllowDeleteBindings()) {
            Set set4 = (Set) set.stream().filter(topologyAclBinding2 -> {
                return !set2.contains(topologyAclBinding2);
            }).collect(Collectors.toSet());
            if (!set4.isEmpty()) {
                arrayList.add(new ClearBindings(this.controlProvider, set4));
            }
        }
        return arrayList;
    }

    private List<AclBindingsResult> buildPlatformLevelActions(Topology topology) {
        ArrayList arrayList = new ArrayList();
        Platform platform = topology.getPlatform();
        syncClusterLevelRbac(platform.getKafka().getRbac(), Component.KAFKA, arrayList);
        syncClusterLevelRbac(platform.getKafkaConnect().getRbac(), Component.KAFKA_CONNECT, arrayList);
        syncClusterLevelRbac(platform.getSchemaRegistry().getRbac(), Component.SCHEMA_REGISTRY, arrayList);
        Iterator<SchemaRegistryInstance> it = platform.getSchemaRegistry().getInstances().iterator();
        while (it.hasNext()) {
            arrayList.add(new SchemaRegistryAclBindingsBuilder(this.bindingsBuilder, it.next()).getAclBindings());
        }
        Iterator<ControlCenterInstance> it2 = platform.getControlCenter().getInstances().iterator();
        while (it2.hasNext()) {
            arrayList.add(new ControlCenterAclBindingsBuilder(this.bindingsBuilder, it2.next()).getAclBindings());
        }
        Iterator<KsqlServerInstance> it3 = platform.getKsqlServer().getInstances().iterator();
        while (it3.hasNext()) {
            arrayList.add(new KSqlServerAclBindingsBuilder(this.bindingsBuilder, it3.next()).getAclBindings());
        }
        return arrayList;
    }

    private void syncClusterLevelRbac(Optional<Map<String, List<User>>> optional, Component component, List<AclBindingsResult> list) {
        if (optional.isPresent()) {
            Map<String, List<User>> map = optional.get();
            for (String str : map.keySet()) {
                Iterator<User> it = map.get(str).iterator();
                while (it.hasNext()) {
                    list.add(new ClusterLevelAclBindingsBuilder(this.bindingsBuilder, str, it.next(), component).getAclBindings());
                }
            }
        }
    }

    private void syncRbacRawRoles(Map<String, List<String>> map, String str, List<AclBindingsResult> list) {
        map.forEach((str2, list2) -> {
            list2.forEach(str2 -> {
                list.add(new PredefinedAclBindingsBuilder(this.bindingsBuilder, str2, str2, str).getAclBindings());
            });
        });
    }

    private Optional<AclBindingsResult> syncApplicationAcls(DynamicUser dynamicUser, String str) {
        AclBindingsResult aclBindingsResult = null;
        if (dynamicUser instanceof KStream) {
            aclBindingsResult = new KStreamsAclBindingsBuilder(this.bindingsBuilder, (KStream) dynamicUser, str).getAclBindings();
        } else if (dynamicUser instanceof Connector) {
            aclBindingsResult = new KConnectAclBindingsBuilder(this.bindingsBuilder, (Connector) dynamicUser, str).getAclBindings();
        } else if (dynamicUser instanceof KSqlApp) {
            aclBindingsResult = new KSqlAppAclBindingsBuilder(this.bindingsBuilder, (KSqlApp) dynamicUser, str).getAclBindings();
        }
        return Optional.ofNullable(aclBindingsResult);
    }

    @Override // com.purbon.kafka.topology.ExecutionPlanUpdater
    public void printCurrentState(PrintStream printStream) {
        printStream.println("List of ACLs: ");
        this.controlProvider.listAcls().forEach((str, list) -> {
            printStream.println(str);
            Objects.requireNonNull(printStream);
            list.forEach((v1) -> {
                r1.println(v1);
            });
        });
    }
}
