package io.confluent.rbacdb.orm;

import com.google.common.base.Stopwatch;
import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;
import com.zaxxer.hikari.HikariPoolMXBean;
import io.confluent.cloud.rbac.CloudRoleBinding;
import io.confluent.cloud.rbac.CloudScope;
import io.confluent.cloud.rbac.Cursor;
import io.confluent.rbacdb.jooq.Sequences;
import io.confluent.rbacdb.jooq.Tables;
import io.confluent.rbacdb.jooq.tables.records.RoleBindingRecord;
import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.ResourcePatternFilter;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RbacRoles;
import io.confluent.security.rbac.RoleBinding;
import io.confluent.security.rbac.RoleBindingFilter;
import java.lang.management.ManagementFactory;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.management.JMX;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.ws.rs.ClientErrorException;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.hashids.Hashids;
import org.jooq.Allow;
import org.jooq.CommonTableExpression;
import org.jooq.Condition;
import org.jooq.DSLContext;
import org.jooq.Field;
import org.jooq.GroupField;
import org.jooq.JSONB;
import org.jooq.Record;
import org.jooq.Record1;
import org.jooq.Record10;
import org.jooq.Record3;
import org.jooq.Result;
import org.jooq.SQLDialect;
import org.jooq.Select;
import org.jooq.SelectFieldOrAsterisk;
import org.jooq.SelectSeekStep1;
import org.jooq.impl.DSL;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacdb/orm/RbacOrmDbService.class */
public class RbacOrmDbService implements RbacOrmService, AutoCloseable {
    private static final Logger log = LoggerFactory.getLogger(RbacOrmDbService.class);
    private final HikariDataSource dataSource;
    private final HikariPoolMXBean poolProxy;
    private final Hashids hashids;
    private final RbacRoles rbacRoles;
    private final boolean skipHealthcheck;
    private final Select<Record1<Integer>> writePrivilegeCheckQuery;
    private final int transactionLockTimeout;

    public RbacOrmDbService(RbacRoles rbacRoles, String str, String str2, String str3, boolean z, int i) throws MalformedObjectNameException {
        this(rbacRoles, str, str2, str3, z, i, 0);
    }

    public RbacOrmDbService(String str, String str2, String str3, boolean z, int i) throws MalformedObjectNameException {
        this(RbacRoles.loadDefaultPolicy(true), str, str2, str3, z, i, 0);
    }

    public RbacOrmDbService(String str, String str2, String str3, boolean z, int i, int i2) throws MalformedObjectNameException {
        this(RbacRoles.loadDefaultPolicy(true), str, str2, str3, z, i, i2);
    }

    public RbacOrmDbService(RbacRoles rbacRoles, String str, String str2, String str3, boolean z, int i, int i2) throws MalformedObjectNameException {
        this.rbacRoles = rbacRoles;
        this.skipHealthcheck = z;
        HikariConfig hikariConfig = new HikariConfig();
        hikariConfig.setJdbcUrl(str);
        hikariConfig.setUsername(str2);
        hikariConfig.setPassword(str3);
        hikariConfig.setMaximumPoolSize(i);
        hikariConfig.setRegisterMbeans(true);
        this.dataSource = new HikariDataSource(hikariConfig);
        this.transactionLockTimeout = i2;
        this.poolProxy = (HikariPoolMXBean) JMX.newMXBeanProxy(ManagementFactory.getPlatformMBeanServer(), new ObjectName("com.zaxxer.hikari:type=Pool (" + this.dataSource.getPoolName() + ")"), HikariPoolMXBean.class);
        this.writePrivilegeCheckQuery = createWritePrivilegeCheckQuery(str2);
        if (z) {
            log.warn("WARNING: Skipping DB healthcheck!!!");
        } else {
            log.info("Connecting to DB to run healthcheck...");
            doHealthCheck();
            log.info("DB healthcheck passed");
        }
        this.hashids = new Hashids("SALT for ConfluentRBAC rolebinding IDs");
    }

    @Allow.PlainSQL
    private Select<Record1<Integer>> createWritePrivilegeCheckQuery(String str) {
        return getDSLContext().select(DSL.count()).from("information_schema.role_table_grants").where(DSL.field("grantee").eq(str)).and(DSL.field("table_name").eq("role_binding")).and(DSL.field("privilege_type").in(new Object[]{"INSERT", "UPDATE"}));
    }

    @Override // java.lang.AutoCloseable
    public void close() throws Exception {
        this.dataSource.close();
    }

    protected DSLContext getDSLContext() {
        return DSL.using(this.dataSource, SQLDialect.POSTGRES);
    }

    private void doHealthCheck() {
        DSLContext dSLContext = getDSLContext();
        if (dSLContext.select(Tables.ROLE_BINDING.ID).from(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.ORGANIZATION_ID.isNull()).limit(1).execute() < 1) {
            throw new IllegalStateException("Admins missing from DB. Has the DB schema been applied?");
        }
        if (((Integer) dSLContext.fetchValue(this.writePrivilegeCheckQuery)).intValue() != 2) {
            throw new IllegalStateException("DB user doesn't have write privileges");
        }
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public CloudRoleBinding addRoleBinding(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, String str2) {
        DSLContext dSLContext = getDSLContext();
        String str3 = "rb-" + this.hashids.encode(new long[]{((Long) dSLContext.nextval(Sequences.ROLE_BINDING_ID_SEQ)).longValue()});
        CloudScope cloudScope = new CloudScope(scope);
        Record fetchOne = dSLContext.insertInto(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.ID, str3).set(Tables.ROLE_BINDING.USER_ID, kafkaPrincipal2.getName()).set(Tables.ROLE_BINDING.ROLE_NAME, str).set(Tables.ROLE_BINDING.ORGANIZATION_ID, cloudScope.orgId).set(Tables.ROLE_BINDING.ACCOUNT_ID, cloudScope.accountId).set(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, cloudScope.cloudClusterId).set(Tables.ROLE_BINDING.CLUSTER_TYPE, cloudScope.clusterType).set(Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, cloudScope.logicalClusterId).set(Tables.ROLE_BINDING.CREATED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str2)).onDuplicateKeyIgnore().returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetchOne();
        if (fetchOne == null) {
            fetchOne = dSLContext.selectFrom(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal2.getName())).and(Tables.ROLE_BINDING.ROLE_NAME.eq(str)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.ORGANIZATION_ID, cloudScope.orgId)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.ACCOUNT_ID, cloudScope.accountId)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, cloudScope.cloudClusterId)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.CLUSTER_TYPE, cloudScope.clusterType)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, cloudScope.logicalClusterId)).and(Tables.ROLE_BINDING.RESOURCE_TYPE.isNull()).and(Tables.ROLE_BINDING.RESOURCE_NAME.isNull()).and(Tables.ROLE_BINDING.PATTERN_TYPE.isNull()).and(DSL.or(Tables.ROLE_BINDING.DELETED.isNull(), Tables.ROLE_BINDING.DELETED.isFalse())).fetchOne();
        }
        return getCloudRoleBindingFromRecord(fetchOne);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Optional<CloudRoleBinding> removeRoleBinding(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, String str2) {
        Record fetchOne = getDSLContext().update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, true).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str2)).where(Tables.ROLE_BINDING.DELETED.eq(false)).and(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal2.getName())).and(Tables.ROLE_BINDING.ROLE_NAME.eq(str)).and(ScopeConditions.getExactScopeCondition(scope)).and(Tables.ROLE_BINDING.RESOURCE_TYPE.isNull()).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetchOne();
        return fetchOne == null ? Optional.empty() : Optional.of(getCloudRoleBindingFromRecord(fetchOne));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Collection<CloudRoleBinding> addResourceRoleBindings(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, Collection<ResourcePattern> collection, String str2) {
        DSLContext dSLContext = getDSLContext();
        ArrayList arrayList = new ArrayList();
        dSLContext.transaction(configuration -> {
            arrayList.addAll(addResourceRoleBindings(DSL.using(configuration), kafkaPrincipal, kafkaPrincipal2, str, scope, collection, str2));
        });
        return arrayList;
    }

    private Collection<CloudRoleBinding> addResourceRoleBindings(DSLContext dSLContext, KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, Collection<ResourcePattern> collection, String str2) {
        CloudScope cloudScope = new CloudScope(scope);
        ArrayList arrayList = new ArrayList();
        for (ResourcePattern resourcePattern : collection) {
            Record fetchOne = dSLContext.insertInto(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.ID, "rb-" + this.hashids.encode(new long[]{((Long) dSLContext.nextval(Sequences.ROLE_BINDING_ID_SEQ)).longValue()})).set(Tables.ROLE_BINDING.USER_ID, kafkaPrincipal2.getName()).set(Tables.ROLE_BINDING.ROLE_NAME, str).set(Tables.ROLE_BINDING.ORGANIZATION_ID, cloudScope.orgId).set(Tables.ROLE_BINDING.ACCOUNT_ID, cloudScope.accountId).set(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, cloudScope.cloudClusterId).set(Tables.ROLE_BINDING.CLUSTER_TYPE, cloudScope.clusterType).set(Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, cloudScope.logicalClusterId).set(Tables.ROLE_BINDING.CREATED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.RESOURCE_TYPE, resourcePattern.resourceType().name()).set(Tables.ROLE_BINDING.RESOURCE_NAME, resourcePattern.name()).set(Tables.ROLE_BINDING.PATTERN_TYPE, resourcePattern.patternType().name()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str2)).onDuplicateKeyIgnore().returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetchOne();
            if (fetchOne == null) {
                fetchOne = dSLContext.selectFrom(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal2.getName())).and(Tables.ROLE_BINDING.ROLE_NAME.eq(str)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.ORGANIZATION_ID, cloudScope.orgId)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.ACCOUNT_ID, cloudScope.accountId)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, cloudScope.cloudClusterId)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.CLUSTER_TYPE, cloudScope.clusterType)).and(NullConsideringEqConditions.bothNullOrEq((Field<String>) Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, cloudScope.logicalClusterId)).and(Tables.ROLE_BINDING.RESOURCE_TYPE.eq(resourcePattern.resourceType().name())).and(Tables.ROLE_BINDING.RESOURCE_NAME.eq(resourcePattern.name())).and(Tables.ROLE_BINDING.PATTERN_TYPE.eq(resourcePattern.patternType().name())).and(DSL.or(Tables.ROLE_BINDING.DELETED.isNull(), Tables.ROLE_BINDING.DELETED.isFalse())).fetchOne();
            }
            arrayList.add(getCloudRoleBindingFromRecord(fetchOne));
        }
        return arrayList;
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public CloudRoleBinding addRoleBindingForResourcePattern(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, ResourcePattern resourcePattern, String str2) {
        return resourcePattern == null ? addRoleBinding(kafkaPrincipal, kafkaPrincipal2, str, scope, null) : addResourceRoleBindings(kafkaPrincipal, kafkaPrincipal2, str, scope, Arrays.asList(resourcePattern), null).iterator().next();
    }

    public Optional<CloudRoleBinding> removeRoleBindingForResourcePattern(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, ResourcePattern resourcePattern, String str2) {
        return resourcePattern == null ? removeRoleBinding(kafkaPrincipal, kafkaPrincipal2, str, scope, null) : removeResourceRoleBindings(kafkaPrincipal, kafkaPrincipal2, str, scope, Arrays.asList(resourcePattern.toFilter()), null).stream().findAny();
    }

    public Collection<CloudRoleBinding> deleteRoleBindingsByIds(KafkaPrincipal kafkaPrincipal, Collection<String> collection, String str) {
        return deleteRoleBindingsByIds(getDSLContext(), kafkaPrincipal, collection, str);
    }

    private Collection<CloudRoleBinding> deleteRoleBindingsByIds(DSLContext dSLContext, KafkaPrincipal kafkaPrincipal, Collection<String> collection, String str) {
        return (Collection) dSLContext.update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, true).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str)).where(Tables.ROLE_BINDING.ID.in(collection).and(Tables.ROLE_BINDING.DELETED.eq(false))).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetch().stream().map(this::getCloudRoleBindingFromRecord).collect(Collectors.toList());
    }

    private List<String> filteredRoleBindingIds(DSLContext dSLContext, KafkaPrincipal kafkaPrincipal, String str, Scope scope, Collection<ResourcePatternFilter> collection, boolean z) {
        return (List) dSLContext.select(new SelectFieldOrAsterisk[0]).from(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.DELETED.eq(false)).and(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal.getName())).and(Tables.ROLE_BINDING.ROLE_NAME.eq(str)).and(ScopeConditions.getExactScopeCondition(scope)).fetch().stream().filter(record -> {
            ResourcePattern resourcePattern = new ResourcePattern((String) record.getValue(Tables.ROLE_BINDING.RESOURCE_TYPE), (String) record.getValue(Tables.ROLE_BINDING.RESOURCE_NAME), PatternType.fromString((String) record.getValue(Tables.ROLE_BINDING.PATTERN_TYPE)));
            return z == collection.stream().anyMatch(resourcePatternFilter -> {
                return resourcePatternFilter.matches(resourcePattern);
            });
        }).map(record2 -> {
            return (String) record2.getValue(Tables.ROLE_BINDING.ID);
        }).collect(Collectors.toList());
    }

    @Allow.PlainSQL
    private void lockRoleBindingTable(DSLContext dSLContext) {
        dSLContext.execute("LOCK TABLE " + Tables.ROLE_BINDING + " IN SHARE ROW EXCLUSIVE MODE");
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Collection<CloudRoleBinding> removeResourceRoleBindings(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, Collection<ResourcePatternFilter> collection, String str2) {
        DSLContext dSLContext = getDSLContext();
        ArrayList arrayList = new ArrayList();
        dSLContext.transaction(configuration -> {
            DSLContext using = DSL.using(configuration);
            lockRoleBindingTable(using);
            arrayList.addAll(deleteRoleBindingsByIds(using, kafkaPrincipal, filteredRoleBindingIds(using, kafkaPrincipal2, str, scope, collection, true), str2));
        });
        return arrayList;
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Collection<CloudRoleBinding> replaceResourceRoleBindings(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str, Scope scope, Collection<ResourcePattern> collection, String str2) {
        DSLContext dSLContext = getDSLContext();
        ArrayList arrayList = new ArrayList();
        dSLContext.transaction(configuration -> {
            DSLContext using = DSL.using(configuration);
            lockRoleBindingTable(using);
            arrayList.addAll(deleteRoleBindingsByIds(using, kafkaPrincipal, filteredRoleBindingIds(using, kafkaPrincipal2, str, scope, (List) collection.stream().map((v0) -> {
                return v0.toFilter();
            }).collect(Collectors.toList()), false), str2));
            arrayList.addAll(addResourceRoleBindings(using, kafkaPrincipal, kafkaPrincipal2, str, scope, collection, str2));
        });
        return arrayList;
    }

    private Collection<CloudRoleBinding> removeAllRoleBindingsWhere(KafkaPrincipal kafkaPrincipal, Condition condition, String str) {
        return (Collection) getDSLContext().update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, true).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str)).where(condition.and(Tables.ROLE_BINDING.DELETED.eq(false))).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetch().stream().map(this::getCloudRoleBindingFromRecord).collect(Collectors.toList());
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public void removeAllRoleBindingsForPrincipal(KafkaPrincipal kafkaPrincipal, KafkaPrincipal kafkaPrincipal2, String str) {
        removeAllRoleBindingsWhere(kafkaPrincipal, Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal2.getName()), str);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public void removeAllRoleBindingsForScope(KafkaPrincipal kafkaPrincipal, Scope scope, String str) {
        Objects.requireNonNull(new CloudScope(scope).orgId);
        removeAllRoleBindingsWhere(kafkaPrincipal, ScopeConditions.getDescendantScopesCondition(scope), str);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public void duplicateRoleBindingsForOrganization(KafkaPrincipal kafkaPrincipal, String str, String str2, String str3) {
        Objects.requireNonNull(str);
        Objects.requireNonNull(str2);
        getDSLContext().transaction(configuration -> {
            DSLContext using = DSL.using(configuration);
            lockRoleBindingTable(using);
            using.select(Tables.ROLE_BINDING.USER_ID, Tables.ROLE_BINDING.ROLE_NAME, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, Tables.ROLE_BINDING.RESOURCE_TYPE, Tables.ROLE_BINDING.RESOURCE_NAME, Tables.ROLE_BINDING.PATTERN_TYPE).from(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.ORGANIZATION_ID.eq(str).and(Tables.ROLE_BINDING.DELETED.eq(false))).orderBy(Tables.ROLE_BINDING.LAST_CHANGE_ID).fetch().forEach(record9 -> {
                using.insertInto(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.ID, "rb-" + this.hashids.encode(new long[]{((Long) using.nextval(Sequences.ROLE_BINDING_ID_SEQ)).longValue()})).set(Tables.ROLE_BINDING.USER_ID, record9.get(Tables.ROLE_BINDING.USER_ID)).set(Tables.ROLE_BINDING.ROLE_NAME, record9.get(Tables.ROLE_BINDING.ROLE_NAME)).set(Tables.ROLE_BINDING.ORGANIZATION_ID, str2).set(Tables.ROLE_BINDING.ACCOUNT_ID, record9.get(Tables.ROLE_BINDING.ACCOUNT_ID)).set(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, record9.get(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID)).set(Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, record9.get(Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID)).set(Tables.ROLE_BINDING.CLUSTER_TYPE, record9.get(Tables.ROLE_BINDING.CLUSTER_TYPE)).set(Tables.ROLE_BINDING.RESOURCE_TYPE, record9.get(Tables.ROLE_BINDING.RESOURCE_TYPE)).set(Tables.ROLE_BINDING.RESOURCE_NAME, record9.get(Tables.ROLE_BINDING.RESOURCE_NAME)).set(Tables.ROLE_BINDING.PATTERN_TYPE, record9.get(Tables.ROLE_BINDING.PATTERN_TYPE)).set(Tables.ROLE_BINDING.CREATED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str3)).onDuplicateKeyIgnore().execute();
            });
        });
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public List<CloudRoleBinding> undeleteRoleBindingsForUser(KafkaPrincipal kafkaPrincipal, String str, String str2, String str3, String str4) {
        Objects.requireNonNull(str);
        Objects.requireNonNull(str2);
        Objects.requireNonNull(str4);
        if (str3 != null && (str3.equals("") || str3.equals("{:}"))) {
            throw new ClientErrorException("Invalid reason parameter format", 400);
        }
        List<CloudRoleBinding> list = (List) getDSLContext().update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, false).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str4)).where(Tables.ROLE_BINDING.USER_ID.eq(str2).and(Tables.ROLE_BINDING.ORGANIZATION_ID.eq(str)).and(Tables.ROLE_BINDING.REASON.eq(JSONB.valueOf(str3))).and(Tables.ROLE_BINDING.DELETED.eq(true))).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetch().stream().map(this::getCloudRoleBindingFromRecord).collect(Collectors.toList());
        if (list.isEmpty()) {
            throw new ClientErrorException("No role bindings found", 400);
        }
        return list;
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public List<CloudRoleBinding> undeleteRoleBindingsForScope(KafkaPrincipal kafkaPrincipal, Scope scope, String str, String str2) {
        Objects.requireNonNull(new CloudScope(scope).orgId);
        List<CloudRoleBinding> undeleteAllRoleBindingsWhere = undeleteAllRoleBindingsWhere(kafkaPrincipal, ScopeConditions.getDescendantScopesCondition(scope), str, str2);
        if (undeleteAllRoleBindingsWhere.isEmpty()) {
            throw new ClientErrorException("No role bindings found", 400);
        }
        return undeleteAllRoleBindingsWhere;
    }

    private List<CloudRoleBinding> undeleteAllRoleBindingsWhere(KafkaPrincipal kafkaPrincipal, Condition condition, String str, String str2) {
        Objects.requireNonNull(condition);
        Objects.requireNonNull(str2);
        if (str == null || !(str.equals("") || str.equals("{:}"))) {
            return (List) getDSLContext().update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, false).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str2)).where(condition).and(Tables.ROLE_BINDING.REASON.eq(JSONB.valueOf(str))).and(Tables.ROLE_BINDING.DELETED.eq(true)).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetch().stream().map(this::getCloudRoleBindingFromRecord).collect(Collectors.toList());
        }
        throw new ClientErrorException("Invalid reason parameter format", 400);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Collection<CloudRoleBinding> deleteUndeleteRoleBindingsByIds(List<String> list, List<String> list2, String str, KafkaPrincipal kafkaPrincipal) {
        DSLContext dSLContext = getDSLContext();
        ArrayList arrayList = new ArrayList();
        dSLContext.transaction(configuration -> {
            DSLContext using = DSL.using(configuration);
            if (!list.isEmpty()) {
                arrayList.addAll((List) using.update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, true).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str)).where(Tables.ROLE_BINDING.ID.in(list).and(Tables.ROLE_BINDING.DELETED.eq(false))).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetch().stream().map(this::getCloudRoleBindingFromRecord).collect(Collectors.toList()));
            }
            if (list2.isEmpty()) {
                return;
            }
            arrayList.addAll((List) using.update(Tables.ROLE_BINDING).set(Tables.ROLE_BINDING.DELETED, false).set(Tables.ROLE_BINDING.MODIFIED_BY, kafkaPrincipal.getName()).set(Tables.ROLE_BINDING.REASON, JSONB.valueOf(str)).where(Tables.ROLE_BINDING.ID.in(list2).and(Tables.ROLE_BINDING.DELETED.eq(true))).returningResult(new SelectFieldOrAsterisk[]{Tables.ROLE_BINDING.asterisk()}).fetch().stream().map(this::getCloudRoleBindingFromRecord).collect(Collectors.toList()));
        });
        return arrayList;
    }

    private Scope getScopeFromRecord(Record record) {
        return CloudScope.getScope((String) record.getValue(Tables.ROLE_BINDING.ORGANIZATION_ID), (String) record.getValue(Tables.ROLE_BINDING.ACCOUNT_ID), (String) record.getValue(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID), (String) record.getValue(Tables.ROLE_BINDING.CLUSTER_TYPE), (String) record.getValue(Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID));
    }

    private RoleBinding getRoleBindingFromRecord(Record record) {
        KafkaPrincipal kafkaPrincipal = new KafkaPrincipal("User", (String) record.getValue(Tables.ROLE_BINDING.USER_ID));
        Scope scopeFromRecord = getScopeFromRecord(record);
        ArrayList arrayList = new ArrayList();
        for (String[] strArr : (String[][]) record.getValue("resource_patterns")) {
            String str = strArr[0];
            if (str != null) {
                arrayList.add(new ResourcePattern(str, strArr[1], PatternType.fromString(strArr[2])));
            }
        }
        return new RoleBinding(kafkaPrincipal, (String) record.getValue(Tables.ROLE_BINDING.ROLE_NAME), scopeFromRecord, arrayList);
    }

    private List<CloudRoleBinding> fetchCloudRoleBindings(Condition condition, Integer num) {
        SelectSeekStep1 orderBy = getDSLContext().select(Tables.ROLE_BINDING.ID, Tables.ROLE_BINDING.USER_ID, Tables.ROLE_BINDING.ROLE_NAME, Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, Tables.ROLE_BINDING.RESOURCE_TYPE, Tables.ROLE_BINDING.RESOURCE_NAME, Tables.ROLE_BINDING.PATTERN_TYPE, Tables.ROLE_BINDING.CREATED, Tables.ROLE_BINDING.DELETED, Tables.ROLE_BINDING.MODIFIED, Tables.ROLE_BINDING.REASON, Tables.ROLE_BINDING.LAST_CHANGE_ID).from(Tables.ROLE_BINDING).where(condition).orderBy(Tables.ROLE_BINDING.ID);
        Result fetch = num != null ? orderBy.limit(num).fetch() : orderBy.fetch();
        ArrayList arrayList = new ArrayList();
        Iterator it = fetch.iterator();
        while (it.hasNext()) {
            arrayList.add(getCloudRoleBindingFromRecord((Record) it.next()));
        }
        return arrayList;
    }

    private List<CloudRoleBinding> fetchCloudRoleBindings(Condition condition) {
        return fetchCloudRoleBindings(condition, null);
    }

    private Set<RoleBinding> fetchRoleBindings(Condition condition) {
        Result fetch = getDSLContext().select(Tables.ROLE_BINDING.USER_ID, Tables.ROLE_BINDING.ROLE_NAME, Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, DSL.arrayAgg(DSL.array(new Field[]{Tables.ROLE_BINDING.RESOURCE_TYPE, Tables.ROLE_BINDING.RESOURCE_NAME, Tables.ROLE_BINDING.PATTERN_TYPE})).as("resource_patterns")).from(Tables.ROLE_BINDING).where(condition).groupBy(new GroupField[]{Tables.ROLE_BINDING.USER_ID, Tables.ROLE_BINDING.ROLE_NAME, Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID}).fetch();
        HashSet hashSet = new HashSet();
        Iterator it = fetch.iterator();
        while (it.hasNext()) {
            hashSet.add(getRoleBindingFromRecord((Record) it.next()));
        }
        return hashSet;
    }

    private List<CloudRoleBinding> fetchNonDeletedCloudRoleBindings(Condition condition) {
        return fetchCloudRoleBindings(condition.and(Tables.ROLE_BINDING.DELETED.eq(false)));
    }

    private List<CloudRoleBinding> fetchDeletedCloudRoleBindings(Condition condition) {
        return fetchCloudRoleBindings(condition.and(Tables.ROLE_BINDING.DELETED.eq(true)));
    }

    private List<CloudRoleBinding> fetchNonDeletedCloudRoleBindingsLimit(Condition condition, Integer num) {
        return fetchCloudRoleBindings(condition.and(Tables.ROLE_BINDING.DELETED.eq(false)), num);
    }

    private Set<RoleBinding> fetchNonDeletedRoleBindings(Condition condition) {
        return fetchRoleBindings(condition.and(Tables.ROLE_BINDING.DELETED.eq(false)));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public List<CloudRoleBinding> rbacCloudRoleBindings(KafkaPrincipal kafkaPrincipal, Set<String> set, ResourcePattern resourcePattern, Set<Scope> set2, boolean z) {
        if (set2.isEmpty()) {
            return Collections.emptyList();
        }
        Condition condition = (Condition) set2.stream().map(ScopeConditions::getExactScopeCondition).reduce((v0, v1) -> {
            return v0.or(v1);
        }).get();
        if (kafkaPrincipal != null) {
            condition = condition.and(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal.getName()));
        }
        if (set != null && !set.isEmpty()) {
            condition = condition.and((Condition) set.stream().map(str -> {
                return Tables.ROLE_BINDING.ROLE_NAME.eq(str);
            }).reduce((v0, v1) -> {
                return v0.or(v1);
            }).get());
        }
        if (resourcePattern != null) {
            condition = condition.and(Tables.ROLE_BINDING.RESOURCE_TYPE.eq(resourcePattern.resourceType().name()));
            if (!resourcePattern.equals(ResourcePattern.all(resourcePattern.resourceType()))) {
                condition = resourcePattern.patternType().equals(PatternType.PREFIXED) ? condition.and(Tables.ROLE_BINDING.RESOURCE_NAME.startsWith(resourcePattern.name())) : condition.and(Tables.ROLE_BINDING.RESOURCE_NAME.eq(resourcePattern.name())).and(Tables.ROLE_BINDING.PATTERN_TYPE.eq(resourcePattern.patternType().name()));
            }
        }
        return z ? fetchDeletedCloudRoleBindings(condition) : fetchNonDeletedCloudRoleBindings(condition);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public List<CloudRoleBinding> rbacCloudRoleBindingsPaginated(KafkaPrincipal kafkaPrincipal, Set<String> set, ResourcePattern resourcePattern, Set<Scope> set2, Cursor cursor) {
        if (set2.isEmpty()) {
            return Collections.emptyList();
        }
        if (cursor == null) {
            throw new IllegalArgumentException("Pagination cursor cannot be null.");
        }
        Condition and = getRbacCloudRoleBindingWhereCondition(kafkaPrincipal, set, resourcePattern, set2).and(Tables.ROLE_BINDING.LAST_CHANGE_ID.lessOrEqual(Long.valueOf(cursor.lastSequenceId)));
        if (cursor.nextRoleBindingId != null) {
            and = and.and(Tables.ROLE_BINDING.ID.greaterOrEqual(cursor.nextRoleBindingId));
        }
        return fetchNonDeletedCloudRoleBindingsLimit(and, Integer.valueOf(cursor.pageSize));
    }

    private Condition getRbacCloudRoleBindingWhereCondition(KafkaPrincipal kafkaPrincipal, Set<String> set, ResourcePattern resourcePattern, Set<Scope> set2) {
        Condition condition = (Condition) set2.stream().map(ScopeConditions::getExactScopeCondition).reduce((v0, v1) -> {
            return v0.or(v1);
        }).get();
        if (kafkaPrincipal != null) {
            condition = condition.and(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal.getName()));
        }
        if (set != null && !set.isEmpty()) {
            condition = condition.and((Condition) set.stream().map(str -> {
                return Tables.ROLE_BINDING.ROLE_NAME.eq(str);
            }).reduce((v0, v1) -> {
                return v0.or(v1);
            }).get());
        }
        if (resourcePattern != null) {
            condition = condition.and(Tables.ROLE_BINDING.RESOURCE_TYPE.eq(resourcePattern.resourceType().name()));
            if (!resourcePattern.equals(ResourcePattern.all(resourcePattern.resourceType()))) {
                condition = resourcePattern.patternType().equals(PatternType.PREFIXED) ? condition.and(Tables.ROLE_BINDING.RESOURCE_NAME.startsWith(resourcePattern.name())) : condition.and(Tables.ROLE_BINDING.RESOURCE_NAME.eq(resourcePattern.name())).and(Tables.ROLE_BINDING.PATTERN_TYPE.eq(resourcePattern.patternType().name()));
            }
        }
        return condition;
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Optional<CloudRoleBinding> rbacCloudRoleBinding(String str) {
        return rbacCloudRoleBinding(str, false);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Optional<CloudRoleBinding> rbacCloudRoleBinding(String str, boolean z) {
        Condition eq = Tables.ROLE_BINDING.ID.eq(str);
        List<CloudRoleBinding> fetchDeletedCloudRoleBindings = z ? fetchDeletedCloudRoleBindings(eq) : fetchNonDeletedCloudRoleBindings(eq);
        return fetchDeletedCloudRoleBindings.size() == 0 ? Optional.empty() : Optional.of(fetchDeletedCloudRoleBindings.get(0));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Set<RoleBinding> rbacRoleBindings(Set<Scope> set) {
        return rbacRoleBindings(null, set);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Set<RoleBinding> rbacRoleBindings(KafkaPrincipal kafkaPrincipal) {
        return fetchNonDeletedRoleBindings(Tables.ROLE_BINDING.USER_ID.equal(kafkaPrincipal.getName()));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Set<RoleBinding> rbacRoleBindings(KafkaPrincipal kafkaPrincipal, Set<Scope> set) {
        if (set.isEmpty()) {
            return Collections.emptySet();
        }
        Condition condition = (Condition) set.stream().map(ScopeConditions::getExactScopeCondition).reduce((v0, v1) -> {
            return v0.or(v1);
        }).get();
        if (kafkaPrincipal != null) {
            condition = condition.and(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal.getName()));
        }
        return fetchNonDeletedRoleBindings(condition);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Set<RoleBinding> rbacRoleBindings(RoleBindingFilter roleBindingFilter) {
        Objects.requireNonNull(roleBindingFilter.scope(), "Scope can not be null in RoleBindingFilter");
        Set<RoleBinding> fetchNonDeletedRoleBindings = fetchNonDeletedRoleBindings(ScopeConditions.getDescendantScopesCondition(roleBindingFilter.scope()));
        HashSet hashSet = new HashSet();
        fetchNonDeletedRoleBindings.forEach(roleBinding -> {
            RoleBinding matchingBinding = roleBindingFilter.matchingBinding(roleBinding, this.rbacRoles.role(roleBinding.role()).bindWithResource());
            if (matchingBinding != null) {
                hashSet.add(matchingBinding);
            }
        });
        return hashSet;
    }

    private int countCloudRoleBindings(Condition condition) {
        return getDSLContext().fetchCount(Tables.ROLE_BINDING, condition);
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public int countOrganizationCloudRoleBindings(String str) {
        return countCloudRoleBindings(Tables.ROLE_BINDING.DELETED.eq(false).and(Tables.ROLE_BINDING.ORGANIZATION_ID.eq(str)));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public int countOrgEnvCloudRoleBindings(String str) {
        return countCloudRoleBindings(Tables.ROLE_BINDING.DELETED.eq(false).and(Tables.ROLE_BINDING.ORGANIZATION_ID.eq(str)).and(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID.isNull().or(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID.eq(""))));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public int countOrgEnvCloudClusterCloudRoleBindings(String str, String str2, String str3) {
        return countCloudRoleBindings(Tables.ROLE_BINDING.DELETED.eq(false).and(Tables.ROLE_BINDING.ORGANIZATION_ID.eq(str)).and(Tables.ROLE_BINDING.ACCOUNT_ID.eq(str2)).and(Tables.ROLE_BINDING.CLOUD_CLUSTER_ID.eq(str3)));
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public List<RoleBindingRecord> rbacRoleBindingRecordsIncludingDeleted(String str) {
        return getDSLContext().selectFrom(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.REASON.eq(JSONB.valueOf(str))).orderBy(Tables.ROLE_BINDING.ID).fetch();
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public long maxRoleBindingLastChangeId() {
        Long l = (Long) getDSLContext().select(DSL.max(Tables.ROLE_BINDING.LAST_CHANGE_ID)).from(Tables.ROLE_BINDING).fetchOne(0, Long.class);
        if (l == null) {
            return -1L;
        }
        return l.longValue();
    }

    public long maxPublishedEventsKafkaMessageId(PublishAttributes publishAttributes) {
        Long l = (Long) getDSLContext().select(DSL.max(Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID)).from(Tables.EXTRACTOR_PUBLISHER_STATE).where(Tables.EXTRACTOR_PUBLISHER_STATE.PUBLISH_TYPE.eq(publishAttributes.getPublishType())).fetchOne(0, Long.class);
        if (l == null) {
            return -1L;
        }
        return l.longValue();
    }

    public long maxPublishedEventsKafkaMessageId() {
        Long l = (Long) getDSLContext().select(DSL.max(Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID)).from(Tables.EXTRACTOR_PUBLISHER_STATE).fetchOne(0, Long.class);
        if (l == null) {
            return -1L;
        }
        return l.longValue();
    }

    public long maxPublishedRoleBindingLastChangeId() {
        return maxPublishedRoleBindingLastChangeId(getDSLContext());
    }

    protected long maxPublishedRoleBindingLastChangeId(DSLContext dSLContext) {
        Long l = (Long) dSLContext.select(DSL.max(Tables.EXTRACTOR_PUBLISHER_STATE.ROLE_BINDING_LAST_CHANGE_ID)).from(Tables.EXTRACTOR_PUBLISHER_STATE).fetchOne(0, Long.class);
        if (l == null) {
            return -1L;
        }
        return l.longValue();
    }

    protected ExtractorPublisherStateData publisherStateRecordForMaxPublishedLastChangeId(DSLContext dSLContext) {
        ExtractorPublisherStateData extractorPublisherStateData = new ExtractorPublisherStateData();
        Record3 fetchOne = dSLContext.select(Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID, Tables.EXTRACTOR_PUBLISHER_STATE.ROLE_BINDING_LAST_CHANGE_ID, Tables.EXTRACTOR_PUBLISHER_STATE.CREATED).from(Tables.EXTRACTOR_PUBLISHER_STATE).orderBy(Tables.EXTRACTOR_PUBLISHER_STATE.ROLE_BINDING_LAST_CHANGE_ID.desc(), Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID.desc()).limit(1).fetchOne();
        if (fetchOne != null) {
            extractorPublisherStateData.setEventsKafkaMessageSequenceId(((Long) fetchOne.getValue(Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID)).longValue());
            extractorPublisherStateData.setRoleBindingLastChangeId(((Long) fetchOne.getValue(Tables.EXTRACTOR_PUBLISHER_STATE.ROLE_BINDING_LAST_CHANGE_ID)).longValue());
            extractorPublisherStateData.setTimeCreated((LocalDateTime) fetchOne.getValue(Tables.EXTRACTOR_PUBLISHER_STATE.CREATED));
        }
        return extractorPublisherStateData;
    }

    protected List<Long> nextEventsKafkaMessageSequenceIds(DSLContext dSLContext, int i) {
        return dSLContext.select(Sequences.EXTRACTOR_EVENTS_KAFKA_MESSAGE_SEQUENCE_ID.nextval()).from(DSL.generateSeries(1, i)).fetch(0, Long.class);
    }

    protected void recordSuccessfulPublish(DSLContext dSLContext, long j, long j2, PublishAttributes publishAttributes) {
        dSLContext.insertInto(Tables.EXTRACTOR_PUBLISHER_STATE).set(Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID, Long.valueOf(j)).set(Tables.EXTRACTOR_PUBLISHER_STATE.ROLE_BINDING_LAST_CHANGE_ID, Long.valueOf(j2)).set(Tables.EXTRACTOR_PUBLISHER_STATE.PUBLISH_TYPE, publishAttributes.getPublishType()).execute();
    }

    public long roleBindingLastChangeIdForMessageSequenceId(long j) {
        Long l = (Long) getDSLContext().select(DSL.max(Tables.EXTRACTOR_PUBLISHER_STATE.ROLE_BINDING_LAST_CHANGE_ID)).from(Tables.EXTRACTOR_PUBLISHER_STATE).where(Tables.EXTRACTOR_PUBLISHER_STATE.EVENTS_KAFKA_MESSAGE_SEQUENCE_ID.le(Long.valueOf(j))).fetchOne(0, Long.class);
        if (l == null) {
            return -1L;
        }
        return l.longValue();
    }

    protected UpdatedRoleBindings recentlyUpdatedRoleBindings(DSLContext dSLContext, long j) {
        return queryUpdatedRoleBindings(dSLContext, Tables.ROLE_BINDING.LAST_CHANGE_ID.greaterThan(Long.valueOf(j)));
    }

    protected UpdatedRoleBindings queryUpdatedRoleBindings(DSLContext dSLContext, String str, long j) {
        return queryUpdatedRoleBindings(dSLContext, Tables.ROLE_BINDING.ORGANIZATION_ID.equal(str).and(Tables.ROLE_BINDING.LAST_CHANGE_ID.between(0L, Long.valueOf(j))));
    }

    protected UpdatedRoleBindings queryUpdatedRoleBindings(DSLContext dSLContext, Condition condition) {
        Stopwatch createStarted = Stopwatch.createStarted();
        CommonTableExpression as = DSL.name("recent").as(DSL.select(Tables.ROLE_BINDING.USER_ID, Tables.ROLE_BINDING.ROLE_NAME, Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, DSL.max(Tables.ROLE_BINDING.LAST_CHANGE_ID).as("last_change_id")).from(Tables.ROLE_BINDING).where(condition.and(Tables.ROLE_BINDING.ORGANIZATION_ID.isNotNull())).groupBy(new GroupField[]{Tables.ROLE_BINDING.USER_ID, Tables.ROLE_BINDING.ROLE_NAME, Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE}));
        GroupField field = as.field("user_id", String.class);
        GroupField field2 = as.field("role_name", String.class);
        GroupField field3 = as.field("organization_id", String.class);
        GroupField field4 = as.field("account_id", String.class);
        GroupField field5 = as.field("cloud_cluster_id", String.class);
        GroupField field6 = as.field("logical_cluster_id", String.class);
        GroupField field7 = as.field("cluster_type", String.class);
        GroupField field8 = as.field("last_change_id", Long.class);
        Result<Record> fetch = dSLContext.with(new CommonTableExpression[]{as}).select(field, field2, field3, field4, field5, field6, field7, field8, DSL.arrayAgg(DSL.array(new Field[]{Tables.ROLE_BINDING.RESOURCE_TYPE, Tables.ROLE_BINDING.RESOURCE_NAME, Tables.ROLE_BINDING.PATTERN_TYPE})).as("resource_patterns"), DSL.coalesce(DSL.boolAnd(Tables.ROLE_BINDING.DELETED), true).as("deleted")).from(as).leftJoin(Tables.ROLE_BINDING).on(Tables.ROLE_BINDING.USER_ID.eq(field)).and(Tables.ROLE_BINDING.ROLE_NAME.eq(field2)).and(NullConsideringEqConditions.bothNullOrEq((Field) field3, (Field) Tables.ROLE_BINDING.ORGANIZATION_ID)).and(NullConsideringEqConditions.bothNullOrEq((Field) field4, (Field) Tables.ROLE_BINDING.ACCOUNT_ID)).and(NullConsideringEqConditions.bothNullOrEq((Field) field5, (Field) Tables.ROLE_BINDING.CLOUD_CLUSTER_ID)).and(NullConsideringEqConditions.bothNullOrEq((Field) field6, (Field) Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID)).and(Tables.ROLE_BINDING.DELETED.eq(false)).groupBy(new GroupField[]{field, field2, field3, field4, field5, field6, field7, field8}).orderBy(field8).fetch();
        createStarted.stop();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        ArrayList arrayList3 = new ArrayList();
        for (Record record : fetch) {
            arrayList.add(getRoleBindingFromRecord(record));
            arrayList2.add(record.getValue("deleted", Boolean.class));
            arrayList3.add(record.getValue("cluster_type", String.class));
        }
        return new UpdatedRoleBindings(arrayList, arrayList2, nextEventsKafkaMessageSequenceIds(dSLContext, arrayList.size()), arrayList3, fetch.isEmpty() ? -1L : ((Long) ((Record10) fetch.get(fetch.size() - 1)).getValue(field8)).longValue(), createStarted.elapsed(TimeUnit.MILLISECONDS));
    }

    private CloudRoleBinding getCloudRoleBindingFromRecord(Record record) {
        return new CloudRoleBinding((String) record.getValue(Tables.ROLE_BINDING.ID), new KafkaPrincipal("User", (String) record.getValue(Tables.ROLE_BINDING.USER_ID)), (String) record.getValue(Tables.ROLE_BINDING.ROLE_NAME), getScopeFromRecord(record), record.getValue(Tables.ROLE_BINDING.RESOURCE_TYPE) == null ? null : new ResourcePattern((String) record.getValue(Tables.ROLE_BINDING.RESOURCE_TYPE), (String) record.getValue(Tables.ROLE_BINDING.RESOURCE_NAME), PatternType.fromString((String) record.getValue(Tables.ROLE_BINDING.PATTERN_TYPE))), (LocalDateTime) record.getValue(Tables.ROLE_BINDING.CREATED), (LocalDateTime) record.getValue(Tables.ROLE_BINDING.MODIFIED), ((Boolean) record.getValue(Tables.ROLE_BINDING.DELETED)).booleanValue(), ((Long) record.getValue(Tables.ROLE_BINDING.LAST_CHANGE_ID)).longValue());
    }

    @Allow.PlainSQL
    private void lockExtractorPublisherStateTable(DSLContext dSLContext) {
        dSLContext.execute(String.format("SET LOCAL lock_timeout = %d", Integer.valueOf(this.transactionLockTimeout)));
        dSLContext.execute("LOCK TABLE " + Tables.EXTRACTOR_PUBLISHER_STATE + " IN SHARE ROW EXCLUSIVE MODE");
    }

    public int publishRecentlyUpdatedRoleBindings(Function<UpdatedRoleBindings, ExtractorPublisherCount> function) {
        DSLContext dSLContext = getDSLContext();
        AtomicInteger atomicInteger = new AtomicInteger(0);
        dSLContext.transaction(configuration -> {
            DSLContext using = DSL.using(configuration);
            lockExtractorPublisherStateTable(using);
            UpdatedRoleBindings recentlyUpdatedRoleBindings = recentlyUpdatedRoleBindings(using, maxPublishedRoleBindingLastChangeId(using));
            recentlyUpdatedRoleBindings.setPublishAttributes(PublishAttributes.PERIODIC);
            ExtractorPublisherCount extractorPublisherCount = (ExtractorPublisherCount) function.apply(recentlyUpdatedRoleBindings);
            if (extractorPublisherCount.getPublishedRoleBindingCount() == 0) {
                return;
            }
            atomicInteger.set(extractorPublisherCount.getPublishedRoleBindingCount());
            if (extractorPublisherCount.getPublishedRoleBindingCount() != extractorPublisherCount.getTotalRoleBindingCount()) {
                log.warn("Tried to publish {} role bindings, but actually published {}", Integer.valueOf(recentlyUpdatedRoleBindings.roleBindings.size()), extractorPublisherCount);
            } else {
                recordSuccessfulPublish(using, recentlyUpdatedRoleBindings.messageSequenceIds.get(recentlyUpdatedRoleBindings.messageSequenceIds.size() - 1).longValue(), recentlyUpdatedRoleBindings.lastChangeId, PublishAttributes.PERIODIC);
            }
        });
        return atomicInteger.get();
    }

    public ExtractorPublisherStateData republishAllRoleBindingsForOrg(Function<UpdatedRoleBindings, ExtractorPublisherCount> function, String str) {
        return republishAllRoleBindingsForScopes(function, Collections.singleton(CloudScope.getScope(str)), PublishAttributes.MANUAL);
    }

    public ExtractorPublisherStateData republishExactRoleBindingsForScope(Function<UpdatedRoleBindings, ExtractorPublisherCount> function, Collection<Scope> collection, PublishAttributes publishAttributes) {
        return republishRoleBindingsForScopes(function, collection, publishAttributes, (Condition) collection.stream().map(ScopeConditions::getExactScopeCondition).reduce((v0, v1) -> {
            return v0.or(v1);
        }).get());
    }

    public ExtractorPublisherStateData republishDescendantRoleBindingsForScope(Function<UpdatedRoleBindings, ExtractorPublisherCount> function, Collection<Scope> collection, PublishAttributes publishAttributes) {
        return republishRoleBindingsForScopes(function, collection, publishAttributes, (Condition) collection.stream().map(ScopeConditions::getDescendantScopesCondition).reduce((v0, v1) -> {
            return v0.or(v1);
        }).get());
    }

    public ExtractorPublisherStateData republishAllRoleBindingsForScopes(Function<UpdatedRoleBindings, ExtractorPublisherCount> function, Collection<Scope> collection, PublishAttributes publishAttributes) {
        return republishRoleBindingsForScopes(function, collection, publishAttributes, (Condition) collection.stream().map(ScopeConditions::getAncestorAndDescendantScopesCondition).reduce((v0, v1) -> {
            return v0.or(v1);
        }).get());
    }

    private ExtractorPublisherStateData republishRoleBindingsForScopes(Function<UpdatedRoleBindings, ExtractorPublisherCount> function, Collection<Scope> collection, PublishAttributes publishAttributes, Condition condition) {
        if (collection.isEmpty()) {
            throw new IllegalArgumentException("publishUpdatedRoleBindingsForScopes requires at least one scope");
        }
        DSLContext dSLContext = getDSLContext();
        AtomicReference atomicReference = new AtomicReference(new ExtractorPublisherStateData());
        dSLContext.transaction(configuration -> {
            DSLContext using = DSL.using(configuration);
            lockExtractorPublisherStateTable(using);
            UpdatedRoleBindings queryUpdatedRoleBindings = queryUpdatedRoleBindings(using, Tables.ROLE_BINDING.LAST_CHANGE_ID.between(0L, Long.valueOf(maxPublishedRoleBindingLastChangeId(using))).and(condition));
            queryUpdatedRoleBindings.setPublishAttributes(publishAttributes);
            ExtractorPublisherCount extractorPublisherCount = (ExtractorPublisherCount) function.apply(queryUpdatedRoleBindings);
            if (extractorPublisherCount.getPublishedRoleBindingCount() == 0) {
                return;
            }
            if (extractorPublisherCount.getPublishedRoleBindingCount() != extractorPublisherCount.getTotalRoleBindingCount()) {
                log.warn("Tried to publish {} role bindings, but actually published {}", Integer.valueOf(extractorPublisherCount.getTotalRoleBindingCount()), extractorPublisherCount);
                return;
            }
            recordSuccessfulPublish(using, queryUpdatedRoleBindings.messageSequenceIds.get(queryUpdatedRoleBindings.messageSequenceIds.size() - 1).longValue(), queryUpdatedRoleBindings.lastChangeId, publishAttributes);
            ExtractorPublisherStateData publisherStateRecordForMaxPublishedLastChangeId = publisherStateRecordForMaxPublishedLastChangeId(using);
            publisherStateRecordForMaxPublishedLastChangeId.setTotalRoleBindingRecordsPublished(extractorPublisherCount.getPublishedRoleBindingCount());
            atomicReference.set(publisherStateRecordForMaxPublishedLastChangeId);
            log.debug("published {} role bindings, last changed id {}, events Kafka message id {}, publish type {}", new Object[]{Integer.valueOf(publisherStateRecordForMaxPublishedLastChangeId.getTotalRoleBindingRecordsPublished()), Long.valueOf(publisherStateRecordForMaxPublishedLastChangeId.getRoleBindingLastChangeId()), Long.valueOf(publisherStateRecordForMaxPublishedLastChangeId.getEventsKafkaMessageSequenceId()), publishAttributes.getPublishType()});
        });
        return (ExtractorPublisherStateData) atomicReference.get();
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Collection<ResourcePattern> rbacResources(KafkaPrincipal kafkaPrincipal, String str, Scope scope) {
        return (Collection) fetchNonDeletedRoleBindings(Tables.ROLE_BINDING.USER_ID.eq(kafkaPrincipal.getName()).and(Tables.ROLE_BINDING.ROLE_NAME.eq(str)).and(ScopeConditions.getExactScopeCondition(scope))).stream().flatMap(roleBinding -> {
            return roleBinding.resources().stream();
        }).collect(Collectors.toList());
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Set<Scope> knownScopes() {
        return (Set) getDSLContext().selectDistinct(Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID).from(Tables.ROLE_BINDING).where(Tables.ROLE_BINDING.DELETED.eq(false)).fetch().stream().map((v1) -> {
            return getScopeFromRecord(v1);
        }).collect(Collectors.toSet());
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public Set<Scope> allKnownScopes() {
        return (Set) getDSLContext().selectDistinct(Tables.ROLE_BINDING.ORGANIZATION_ID, Tables.ROLE_BINDING.ACCOUNT_ID, Tables.ROLE_BINDING.CLOUD_CLUSTER_ID, Tables.ROLE_BINDING.CLUSTER_TYPE, Tables.ROLE_BINDING.LOGICAL_CLUSTER_ID).from(Tables.ROLE_BINDING).fetch().stream().map((v1) -> {
            return getScopeFromRecord(v1);
        }).collect(Collectors.toSet());
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public int getActiveConnections() {
        return this.poolProxy.getActiveConnections();
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public int getTotalConnections() {
        return this.poolProxy.getTotalConnections();
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public int getThreadsAwaitingConnection() {
        return this.poolProxy.getThreadsAwaitingConnection();
    }

    @Override // io.confluent.rbacdb.orm.RbacOrmService
    public void healthcheck() {
        if (this.skipHealthcheck) {
            return;
        }
        doHealthCheck();
    }
}
