package io.confluent.rbacdb.kafka;

import io.confluent.rbacdb.config.DbAuthStoreConfig;
import io.confluent.rbacdb.orm.RbacOrmService;
import io.confluent.security.auth.metadata.AuthWriter;
import io.confluent.security.auth.utils.AuthWriterUtils;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.utils.ThreadUtils;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.store.kafka.clients.Writer;
import java.io.Closeable;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.function.Predicate;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacdb/kafka/DbAuthWriter.class */
public class DbAuthWriter implements AuthWriter, Writer, Closeable {
    private static final Logger log = LoggerFactory.getLogger(DbAuthWriter.class);
    private final RbacOrmService rbacDBService;
    private final DbRequestMetrics metrics;
    private final RbacRoles rbacRoles;
    private final Scope rootScope;
    private final ThreadPoolExecutor executor;

    public DbAuthWriter(Scope scope, DbAuthStoreConfig dbAuthStoreConfig, RbacOrmService rbacOrmService, Metrics metrics) {
        this(RbacRoles.loadDefaultPolicy(true), scope, dbAuthStoreConfig, rbacOrmService, metrics);
    }

    public DbAuthWriter(RbacRoles rbacRoles, Scope scope, DbAuthStoreConfig dbAuthStoreConfig, RbacOrmService rbacOrmService, Metrics metrics) {
        this.rbacRoles = rbacRoles;
        this.rootScope = scope;
        this.rbacDBService = rbacOrmService;
        this.executor = new ThreadPoolExecutor(dbAuthStoreConfig.getInt(DbAuthStoreConfig.NUM_WRITER_POOL_THREADS_CONFIG).intValue(), dbAuthStoreConfig.getInt(DbAuthStoreConfig.NUM_WRITER_POOL_THREADS_CONFIG).intValue(), 30L, TimeUnit.SECONDS, new LinkedBlockingQueue(), ThreadUtils.createThreadFactory("mds-db-writer-%d", true));
        this.metrics = new DbRequestMetrics(metrics, "mds-db-writer", this.executor, this.rbacDBService);
    }

    public CompletionStage<Void> addClusterRoleBinding(Optional<KafkaPrincipal> optional, KafkaPrincipal kafkaPrincipal, String str, Scope scope, String str2) {
        log.debug("addClusterRoleBinding targetPrincipal={} principal={} role={} scope={} reason={}", new Object[]{optional, kafkaPrincipal, str, scope, str2});
        this.metrics.request().record();
        AuthWriterUtils.validateRoleBindingUpdate(str, scope, Collections.emptyList(), true, this.rootScope, this.rbacRoles);
        return CompletableFuture.runAsync(this.metrics.callRecordingError(() -> {
            this.rbacDBService.addRoleBinding((KafkaPrincipal) optional.orElse(KafkaPrincipal.ANONYMOUS), kafkaPrincipal, str, scope, str2);
        }), this.executor);
    }

    public CompletionStage<Void> removeRoleBinding(Optional<KafkaPrincipal> optional, KafkaPrincipal kafkaPrincipal, String str, Scope scope, String str2) {
        log.debug("removeRoleBinding targetPrincipal={} principal={} role={} scope={} reason={}", new Object[]{optional, kafkaPrincipal, str, scope, str2});
        this.metrics.request().record();
        AuthWriterUtils.validateRoleBindingUpdate(str, scope, Collections.emptySet(), false, this.rootScope, this.rbacRoles);
        return CompletableFuture.runAsync(this.metrics.callRecordingError(() -> {
            this.rbacDBService.removeRoleBinding((KafkaPrincipal) optional.orElse(KafkaPrincipal.ANONYMOUS), kafkaPrincipal, str, scope, str2);
        }), this.executor);
    }

    public CompletionStage<Void> addResourceRoleBinding(Optional<KafkaPrincipal> optional, KafkaPrincipal kafkaPrincipal, String str, Scope scope, Collection<ResourcePattern> collection, String str2) {
        log.debug("addResourceRoleBinding callingPrincipal={} principal={} role={} reason={} scope={} resources={}", new Object[]{optional, kafkaPrincipal, str, scope, collection, str2});
        this.metrics.request().record();
        AuthWriterUtils.validateRoleBindingUpdate(str, scope, collection, true, this.rootScope, this.rbacRoles);
        AuthWriterUtils.validateRoleResources(collection);
        return CompletableFuture.runAsync(this.metrics.callRecordingError(() -> {
            this.rbacDBService.addResourceRoleBindings((KafkaPrincipal) optional.orElse(KafkaPrincipal.ANONYMOUS), kafkaPrincipal, str, scope, collection, str2);
        }), this.executor);
    }

    public CompletionStage<Void> removeResourceRoleBinding(Optional<KafkaPrincipal> optional, KafkaPrincipal kafkaPrincipal, String str, Scope scope, Collection<ResourcePatternFilter> collection, String str2) {
        log.debug("removeResourceRoleBinding callingPrincipal={} principal={} role={}  scope={} resources={} reason={}", new Object[]{optional, kafkaPrincipal, str, scope, collection, str2});
        this.metrics.request().record();
        AuthWriterUtils.validateRoleBindingUpdate(str, scope, collection, true, this.rootScope, this.rbacRoles);
        return CompletableFuture.runAsync(this.metrics.callRecordingError(() -> {
            this.rbacDBService.removeResourceRoleBindings((KafkaPrincipal) optional.orElse(KafkaPrincipal.ANONYMOUS), kafkaPrincipal, str, scope, collection, str2);
        }), this.executor);
    }

    public CompletionStage<Void> replaceResourceRoleBinding(Optional<KafkaPrincipal> optional, KafkaPrincipal kafkaPrincipal, String str, Scope scope, Collection<ResourcePattern> collection, String str2) {
        log.debug("replaceResourceRoleBinding callingPrincipal={} principal={} role={} scope={} resources={} reason={}", new Object[]{optional, kafkaPrincipal, str, scope, collection, str2});
        this.metrics.request().record();
        AuthWriterUtils.validateRoleBindingUpdate(str, scope, collection, true, this.rootScope, this.rbacRoles);
        AuthWriterUtils.validateRoleResources(collection);
        return CompletableFuture.runAsync(this.metrics.callRecordingError(() -> {
            this.rbacDBService.replaceResourceRoleBindings((KafkaPrincipal) optional.orElse(KafkaPrincipal.ANONYMOUS), kafkaPrincipal, str, scope, collection, str2);
        }), this.executor);
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.executor.shutdown();
        this.metrics.close();
    }

    public CompletionStage<Void> createAcls(Optional<KafkaPrincipal> optional, Scope scope, AclBinding aclBinding) {
        throw new UnsupportedOperationException();
    }

    public Map<AclBinding, CompletionStage<AclCreateResult>> createAcls(Optional<KafkaPrincipal> optional, Scope scope, List<AclBinding> list) {
        throw new UnsupportedOperationException();
    }

    public CompletionStage<Collection<AclBinding>> deleteAcls(Optional<KafkaPrincipal> optional, Scope scope, AclBindingFilter aclBindingFilter, Predicate<ResourcePattern> predicate) {
        throw new UnsupportedOperationException();
    }

    public Map<AclBindingFilter, CompletionStage<AclDeleteResult>> deleteAcls(Optional<KafkaPrincipal> optional, Scope scope, List<AclBindingFilter> list, Predicate<ResourcePattern> predicate) {
        throw new UnsupportedOperationException();
    }

    public void startWriter(int i) {
    }

    public void stopWriter(Integer num) {
    }

    public boolean ready() {
        return true;
    }
}
