package io.quarkiverse.operatorsdk.deployment;

import io.dekorate.kubernetes.decorator.ResourceProvidingDecorator;
import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.api.model.KubernetesListBuilder;
import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBinding;
import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBindingBuilder;
import io.fabric8.kubernetes.api.model.rbac.RoleBinding;
import io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder;
import io.fabric8.kubernetes.api.model.rbac.RoleRef;
import io.fabric8.kubernetes.api.model.rbac.RoleRefBuilder;
import io.quarkiverse.operatorsdk.runtime.BuildTimeOperatorConfiguration;
import io.quarkiverse.operatorsdk.runtime.QuarkusControllerConfiguration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.eclipse.microprofile.config.ConfigProvider;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkiverse/operatorsdk/deployment/AddRoleBindingsDecorator.class */
public class AddRoleBindingsDecorator extends ResourceProvidingDecorator<KubernetesListBuilder> {
    protected static final String SERVICE_ACCOUNT = "ServiceAccount";
    private final Collection<QuarkusControllerConfiguration<?>> configs;
    private final BuildTimeOperatorConfiguration operatorConfiguration;
    private static final Logger log = Logger.getLogger(AddRoleBindingsDecorator.class);
    private static final ConcurrentMap<QuarkusControllerConfiguration, List<HasMetadata>> cachedBindings = new ConcurrentHashMap();
    private static final Optional<String> deployNamespace = ConfigProvider.getConfig().getOptionalValue("quarkus.kubernetes.namespace", String.class);
    protected static final String RBAC_AUTHORIZATION_GROUP = "rbac.authorization.k8s.io";
    public static final String CLUSTER_ROLE = "ClusterRole";
    public static final RoleRef CRD_VALIDATING_ROLE_REF = new RoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE, AddClusterRolesDecorator.JOSDK_CRD_VALIDATING_CLUSTER_ROLE_NAME);

    public AddRoleBindingsDecorator(Collection<QuarkusControllerConfiguration<?>> collection, BuildTimeOperatorConfiguration buildTimeOperatorConfiguration) {
        this.configs = collection;
        this.operatorConfiguration = buildTimeOperatorConfiguration;
    }

    public void visit(KubernetesListBuilder kubernetesListBuilder) {
        String name = getMandatoryDeploymentMetadata(kubernetesListBuilder).getName();
        this.configs.forEach(quarkusControllerConfiguration -> {
            kubernetesListBuilder.addAllToItems(cachedBindings.computeIfAbsent(quarkusControllerConfiguration, quarkusControllerConfiguration -> {
                return bindingsFor(quarkusControllerConfiguration, name);
            }));
        });
    }

    private List<HasMetadata> bindingsFor(QuarkusControllerConfiguration<?> quarkusControllerConfiguration, String str) {
        ArrayList arrayList;
        String name = quarkusControllerConfiguration.getName();
        Set namespaces = quarkusControllerConfiguration.getNamespaces();
        if (this.operatorConfiguration.crd().validate().booleanValue()) {
            ClusterRoleBinding createClusterRoleBinding = createClusterRoleBinding(str, name, getCRDValidatingBindingName(name), "validate CRDs", CRD_VALIDATING_ROLE_REF);
            arrayList = new ArrayList(namespaces.size() + 1);
            arrayList.add(createClusterRoleBinding);
        } else {
            arrayList = new ArrayList(namespaces.size());
        }
        String roleBindingName = getRoleBindingName(name);
        if (quarkusControllerConfiguration.watchCurrentNamespace()) {
            arrayList.add(createRoleBinding(roleBindingName, str, null, createDefaultRoleRef(name)));
            ArrayList arrayList2 = arrayList;
            quarkusControllerConfiguration.getAdditionalRBACRoleRefs().forEach(roleRef -> {
                arrayList2.add(createRoleBinding(getSpecificRoleBindingName(name, roleRef), str, null, roleRef));
            });
        } else if (quarkusControllerConfiguration.watchAllNamespaces()) {
            arrayList.add(createClusterRoleBinding(str, name, getClusterRoleBindingName(name), "watch all namespaces", null));
            ArrayList arrayList3 = arrayList;
            quarkusControllerConfiguration.getAdditionalRBACRoleRefs().forEach(roleRef2 -> {
                if (CLUSTER_ROLE.equals(roleRef2.getKind())) {
                    arrayList3.add(createClusterRoleBinding(str, name, roleRef2.getName() + "-" + getClusterRoleBindingName(name), "watch all namespaces", roleRef2));
                } else {
                    log.warnv("Cannot create a ClusterRoleBinding for RoleRef ''{0}'' because it's not a ClusterRole", roleRef2);
                }
            });
        } else {
            ArrayList arrayList4 = arrayList;
            namespaces.forEach(str2 -> {
                arrayList4.add(createRoleBinding(roleBindingName, str, str2, createDefaultRoleRef(name)));
                quarkusControllerConfiguration.getAdditionalRBACRoleRefs().forEach(roleRef3 -> {
                    arrayList4.add(createRoleBinding(getSpecificRoleBindingName(name, roleRef3), str, str2, roleRef3));
                });
            });
        }
        return arrayList;
    }

    public static String getCRDValidatingBindingName(String str) {
        return str + "-crd-validating-role-binding";
    }

    public static String getClusterRoleBindingName(String str) {
        return str + "-cluster-role-binding";
    }

    public static String getRoleBindingName(String str) {
        return str + "-role-binding";
    }

    public static String getSpecificRoleBindingName(String str, String str2) {
        return str2 + "-" + getRoleBindingName(str);
    }

    public static String getSpecificRoleBindingName(String str, RoleRef roleRef) {
        return getSpecificRoleBindingName(str, roleRef.getName());
    }

    private static RoleRef createDefaultRoleRef(String str) {
        return new RoleRefBuilder().withApiGroup(RBAC_AUTHORIZATION_GROUP).withKind(CLUSTER_ROLE).withName(AddClusterRolesDecorator.getClusterRoleName(str)).build();
    }

    private static RoleBinding createRoleBinding(String str, String str2, String str3, RoleRef roleRef) {
        log.infov("Creating ''{0}'' RoleBinding to be applied to {1}", str, (str3 == null ? "current" : "'" + str3 + "'") + " namespace");
        return ((RoleBindingBuilder) new RoleBindingBuilder().withNewMetadata().withName(str).withNamespace(str3).endMetadata()).withRoleRef(roleRef).addNewSubject((String) null, SERVICE_ACCOUNT, str2, deployNamespace.orElse(null)).build();
    }

    private static ClusterRoleBinding createClusterRoleBinding(String str, String str2, String str3, String str4, RoleRef roleRef) {
        outputWarningIfNeeded(str2, str3, str4);
        RoleRef createDefaultRoleRef = roleRef == null ? createDefaultRoleRef(str2) : roleRef;
        String orElse = deployNamespace.orElse(null);
        log.infov("Creating ''{0}'' ClusterRoleBinding to be applied to ''{1}'' namespace", str3, orElse);
        return ((ClusterRoleBindingBuilder) ((ClusterRoleBindingBuilder) new ClusterRoleBindingBuilder().withNewMetadata().withName(str3).endMetadata()).withRoleRef(createDefaultRoleRef).addNewSubject().withKind(SERVICE_ACCOUNT).withName(str).withNamespace(orElse).endSubject()).build();
    }

    private static void outputWarningIfNeeded(String str, String str2, String str3) {
        if (deployNamespace.isEmpty()) {
            log.warnv("''{0}'' controller is configured to " + str3 + ", this requires a ClusterRoleBinding for which we MUST specify the namespace of the operator ServiceAccount. This can be specified by setting the ''quarkus.kubernetes.namespace'' property. However, as this property is not set, we are leaving the namespace blank to be provided by the user by editing the ''{1}'' ClusterRoleBinding to provide the namespace in which the operator will be deployed.", str, str2);
        }
    }
}
