package io.streamnative.pulsar.handlers.kop.security.auth;

import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import io.streamnative.pulsar.handlers.kop.security.KafkaPrincipal;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import org.apache.pulsar.broker.PulsarService;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.common.naming.NamespaceName;
import org.apache.pulsar.common.naming.TopicName;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.common.policies.data.Policies;
import org.apache.pulsar.common.policies.data.TenantInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/streamnative/pulsar/handlers/kop/security/auth/SimpleAclAuthorizer.class */
public class SimpleAclAuthorizer implements Authorizer {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SimpleAclAuthorizer.class);
    private static final String POLICY_ROOT = "/admin/policies/";
    private final PulsarService pulsarService;
    private final ServiceConfiguration conf;

    public SimpleAclAuthorizer(PulsarService pulsarService) {
        this.pulsarService = pulsarService;
        this.conf = pulsarService.getConfiguration();
    }

    protected PulsarService getPulsarService() {
        return this.pulsarService;
    }

    private CompletableFuture<Boolean> authorize(KafkaPrincipal kafkaPrincipal, AuthAction authAction, Resource resource) {
        CompletableFuture<Boolean> completableFuture = new CompletableFuture<>();
        TopicName topicName = TopicName.get(resource.getName());
        NamespaceName namespaceObject = topicName.getNamespaceObject();
        if (namespaceObject == null) {
            completableFuture.completeExceptionally(new IllegalArgumentException("Resource name must contains namespace."));
            return completableFuture;
        }
        String path = path(namespaceObject.toString());
        isSuperUserOrTenantAdmin(namespaceObject.getTenant(), kafkaPrincipal.getName()).whenComplete((bool, th) -> {
            if (th != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Verify if role {} is allowed to {} to resource {}: isSuperUserOrAdmin={}", kafkaPrincipal.getName(), authAction, resource.getName(), bool);
                }
                bool = false;
            }
            if (bool.booleanValue()) {
                completableFuture.complete(true);
            } else {
                getPulsarService().getPulsarResources().getNamespaceResources().getAsync(path).thenAccept(optional -> {
                    Set set;
                    if (optional.isPresent()) {
                        String name = kafkaPrincipal.getName();
                        Map map = (Map) ((Policies) optional.get()).auth_policies.getTopicAuthentication().get(topicName.toString());
                        if (map != null && name != null && (set = (Set) map.get(name)) != null && set.contains(authAction)) {
                            completableFuture.complete(true);
                            return;
                        }
                        Map<String, Set<AuthAction>> namespaceAuthentication = ((Policies) optional.get()).auth_policies.getNamespaceAuthentication();
                        Set<AuthAction> set2 = namespaceAuthentication.get(name);
                        if (set2 != null && set2.contains(authAction)) {
                            completableFuture.complete(true);
                            return;
                        } else if (this.conf.isAuthorizationAllowWildcardsMatching() && checkWildcardPermission(name, authAction, namespaceAuthentication)) {
                            completableFuture.complete(true);
                            return;
                        }
                    } else if (log.isDebugEnabled()) {
                        log.debug("Policies node couldn't be found for namespace : {}", kafkaPrincipal);
                    }
                    completableFuture.complete(false);
                }).exceptionally(th -> {
                    if (log.isDebugEnabled()) {
                        log.debug("Client with Principal - {} failed to get permissions for resource - {}. {}", kafkaPrincipal, resource, th.getMessage());
                    }
                    completableFuture.completeExceptionally(th);
                    return null;
                });
            }
        });
        return completableFuture;
    }

    private boolean checkWildcardPermission(String str, AuthAction authAction, Map<String, Set<AuthAction>> map) {
        for (Map.Entry<String, Set<AuthAction>> entry : map.entrySet()) {
            String key = entry.getKey();
            Set<AuthAction> value = entry.getValue();
            if (str != null) {
                if (key.charAt(key.length() - 1) == '*' && str.startsWith(key.substring(0, key.length() - 1)) && value.contains(authAction)) {
                    return true;
                }
                if (key.charAt(0) == '*' && str.endsWith(key.substring(1)) && value.contains(authAction)) {
                    return true;
                }
            }
        }
        return false;
    }

    private CompletableFuture<Boolean> isSuperUser(String str) {
        return CompletableFuture.completedFuture(Boolean.valueOf(str != null && this.conf.getSuperUserRoles().contains(str)));
    }

    private CompletableFuture<Boolean> isSuperUserOrTenantAdmin(String str, String str2) {
        CompletableFuture<Boolean> completableFuture = new CompletableFuture<>();
        isSuperUser(str2).whenComplete((bool, th) -> {
            if (th == null && bool.booleanValue()) {
                completableFuture.complete(true);
            } else {
                this.pulsarService.getPulsarResources().getTenantResources().getAsync(path(str)).thenAccept(optional -> {
                    if (!optional.isPresent()) {
                        completableFuture.complete(false);
                    } else {
                        TenantInfo tenantInfo = (TenantInfo) optional.get();
                        completableFuture.complete(Boolean.valueOf((str2 == null || tenantInfo.getAdminRoles() == null || !tenantInfo.getAdminRoles().contains(str2)) ? false : true));
                    }
                });
            }
        });
        return completableFuture;
    }

    private static String path(String... strArr) {
        StringBuilder sb = new StringBuilder();
        sb.append(POLICY_ROOT);
        Joiner.on('/').appendTo(sb, strArr);
        return sb.toString();
    }

    @Override // io.streamnative.pulsar.handlers.kop.security.auth.Authorizer
    public CompletableFuture<Boolean> canLookupAsync(KafkaPrincipal kafkaPrincipal, Resource resource) {
        Preconditions.checkArgument(resource.getResourceType() == ResourceType.TOPIC, String.format("Expected resource type is TOPIC, but have [%s]", resource.getResourceType()));
        CompletableFuture<Boolean> completableFuture = new CompletableFuture<>();
        authorize(kafkaPrincipal, AuthAction.consume, resource).whenComplete((bool, th) -> {
            if (th != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Resource [{}] Principal [{}] exception occurred while trying to check Consume permissions. {}", resource, kafkaPrincipal, th.getMessage());
                }
                bool = false;
            }
            if (bool.booleanValue()) {
                completableFuture.complete(true);
            } else {
                authorize(kafkaPrincipal, AuthAction.produce, resource).whenComplete((bool, th) -> {
                    if (th == null) {
                        completableFuture.complete(bool);
                        return;
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("Resource [{}] Principal [{}] exception occurred while trying to check Produce permissions. {}", resource, kafkaPrincipal, th.getMessage());
                    }
                    completableFuture.completeExceptionally(th);
                });
            }
        });
        return completableFuture;
    }

    @Override // io.streamnative.pulsar.handlers.kop.security.auth.Authorizer
    public CompletableFuture<Boolean> canProduceAsync(KafkaPrincipal kafkaPrincipal, Resource resource) {
        Preconditions.checkArgument(resource.getResourceType() == ResourceType.TOPIC, String.format("Expected resource type is TOPIC, but have [%s]", resource.getResourceType()));
        return authorize(kafkaPrincipal, AuthAction.produce, resource);
    }

    @Override // io.streamnative.pulsar.handlers.kop.security.auth.Authorizer
    public CompletableFuture<Boolean> canConsumeAsync(KafkaPrincipal kafkaPrincipal, Resource resource) {
        Preconditions.checkArgument(resource.getResourceType() == ResourceType.TOPIC, String.format("Expected resource type is TOPIC, but have [%s]", resource.getResourceType()));
        return authorize(kafkaPrincipal, AuthAction.consume, resource);
    }
}
