package io.strimzi.kafka.oauth.server.authorizer;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.Config;
import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.common.HttpException;
import io.strimzi.kafka.oauth.common.HttpUtil;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.SSLUtil;
import io.strimzi.kafka.oauth.common.TimeUtil;
import io.strimzi.kafka.oauth.server.OAuthKafkaPrincipal;
import io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder;
import io.strimzi.kafka.oauth.server.authorizer.ScopesSpec;
import io.strimzi.kafka.oauth.services.Services;
import io.strimzi.kafka.oauth.services.SessionFuture;
import io.strimzi.kafka.oauth.services.Sessions;
import io.strimzi.kafka.oauth.validator.DaemonThreadFactory;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import kafka.security.authorizer.AclAuthorizer;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.class */
public class KeycloakRBACAuthorizer extends AclAuthorizer {
    private static final String PRINCIPAL_BUILDER_CLASS = OAuthKafkaPrincipalBuilder.class.getName();
    private static final String DEPRECATED_PRINCIPAL_BUILDER_CLASS = JwtKafkaPrincipalBuilder.class.getName();
    static final Logger log = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class);
    static final Logger GRANT_LOG = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class.getName() + ".grant");
    static final Logger DENY_LOG = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class.getName() + ".deny");
    private URI tokenEndpointUrl;
    private String clientId;
    private String clusterName;
    private SSLSocketFactory socketFactory;
    private HostnameVerifier hostnameVerifier;
    private int connectTimeoutSeconds;
    private int readTimeoutSeconds;
    private ExecutorService workerPool;
    private List<UserSpec> superUsers = Collections.emptyList();
    private boolean delegateToKafkaACL = false;
    private final boolean denyWhenTokenInvalid = true;

    public void configure(Map<String, ?> map) {
        super.configure(map);
        AuthzConfig convertToCommonConfig = convertToCommonConfig(map);
        String str = (String) map.get("principal.builder.class");
        if (!PRINCIPAL_BUILDER_CLASS.equals(str) && !DEPRECATED_PRINCIPAL_BUILDER_CLASS.equals(str)) {
            throw new RuntimeException("KeycloakRBACAuthorizer requires " + PRINCIPAL_BUILDER_CLASS + " as 'principal.builder.class'");
        }
        if (DEPRECATED_PRINCIPAL_BUILDER_CLASS.equals(str)) {
            log.warn("The '" + DEPRECATED_PRINCIPAL_BUILDER_CLASS + "' class has been deprecated, and may be removed in the future. Please use '" + PRINCIPAL_BUILDER_CLASS + "' as 'principal.builder.class' instead.");
        }
        String configWithFallbackLookup = ConfigUtil.getConfigWithFallbackLookup(convertToCommonConfig, AuthzConfig.STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI, "oauth.token.endpoint.uri");
        if (configWithFallbackLookup == null) {
            throw new RuntimeException("OAuth2 Token Endpoint ('strimzi.authorization.token.endpoint.uri') not set.");
        }
        try {
            this.tokenEndpointUrl = new URI(configWithFallbackLookup);
            this.clientId = ConfigUtil.getConfigWithFallbackLookup(convertToCommonConfig, AuthzConfig.STRIMZI_AUTHORIZATION_CLIENT_ID, "oauth.client.id");
            if (this.clientId == null) {
                throw new RuntimeException("OAuth2 Client Id ('strimzi.authorization.client.id') not set.");
            }
            this.connectTimeoutSeconds = ConfigUtil.getTimeoutConfigWithFallbackLookup(convertToCommonConfig, AuthzConfig.STRIMZI_AUTHORIZATION_CONNECT_TIMEOUT_SECONDS, "oauth.connect.timeout.seconds");
            this.readTimeoutSeconds = ConfigUtil.getTimeoutConfigWithFallbackLookup(convertToCommonConfig, AuthzConfig.STRIMZI_AUTHORIZATION_READ_TIMEOUT_SECONDS, "oauth.read.timeout.seconds");
            this.socketFactory = createSSLFactory(convertToCommonConfig);
            this.hostnameVerifier = createHostnameVerifier(convertToCommonConfig);
            this.clusterName = convertToCommonConfig.getValue(AuthzConfig.STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME);
            if (this.clusterName == null) {
                this.clusterName = "kafka-cluster";
            }
            this.delegateToKafkaACL = convertToCommonConfig.getValueAsBoolean(AuthzConfig.STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL, false);
            String str2 = (String) map.get("super.users");
            if (str2 != null) {
                this.superUsers = (List) Arrays.stream(str2.split(";")).map(UserSpec::of).collect(Collectors.toList());
            }
            int valueAsInt = convertToCommonConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_POOL_SIZE, 5);
            if (valueAsInt < 1) {
                throw new RuntimeException("Invalid value of 'strimzi.authorization.grants.refresh.pool.size': " + valueAsInt + ". Has to be >= 1.");
            }
            int valueAsInt2 = convertToCommonConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_PERIOD_SECONDS, 60);
            if (valueAsInt2 > 0) {
                this.workerPool = Executors.newFixedThreadPool(valueAsInt);
                setupRefreshGrantsJob(valueAsInt2);
            }
            if (!Services.isAvailable()) {
                Services.configure(map);
            }
            if (log.isDebugEnabled()) {
                log.debug("Configured KeycloakRBACAuthorizer:\n    tokenEndpointUri: " + this.tokenEndpointUrl + "\n    sslSocketFactory: " + this.socketFactory + "\n    hostnameVerifier: " + this.hostnameVerifier + "\n    clientId: " + this.clientId + "\n    clusterName: " + this.clusterName + "\n    delegateToKafkaACL: " + this.delegateToKafkaACL + "\n    superUsers: " + this.superUsers.stream().map(userSpec -> {
                    return "'" + userSpec.getType() + ":" + userSpec.getName() + "'";
                }).collect(Collectors.toList()) + "\n    grantsRefreshPeriodSeconds: " + valueAsInt2 + "\n    grantsRefreshPoolSize: " + valueAsInt + "\n    connectTimeoutSeconds: " + this.connectTimeoutSeconds + "\n    readTimeoutSeconds: " + this.readTimeoutSeconds);
            }
        } catch (URISyntaxException e) {
            throw new RuntimeException("Specified token endpoint uri is invalid: " + configWithFallbackLookup);
        }
    }

    static AuthzConfig convertToCommonConfig(Map<String, ?> map) {
        Properties properties = new Properties();
        for (String str : new String[]{AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_PERIOD_SECONDS, AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_POOL_SIZE, AuthzConfig.STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL, AuthzConfig.STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME, AuthzConfig.STRIMZI_AUTHORIZATION_CLIENT_ID, "oauth.client.id", AuthzConfig.STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI, "oauth.token.endpoint.uri", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_LOCATION, "oauth.ssl.truststore.location", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_CERTIFICATES, "oauth.ssl.truststore.certificates", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_PASSWORD, "oauth.ssl.truststore.password", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_TYPE, "oauth.ssl.truststore.type", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_SECURE_RANDOM_IMPLEMENTATION, "oauth.ssl.secure.random.implementation", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, "oauth.ssl.endpoint.identification.algorithm", AuthzConfig.STRIMZI_AUTHORIZATION_CONNECT_TIMEOUT_SECONDS, "oauth.connect.timeout.seconds", AuthzConfig.STRIMZI_AUTHORIZATION_READ_TIMEOUT_SECONDS, "oauth.read.timeout.seconds"}) {
            ConfigUtil.putIfNotNull(properties, str, map.get(str));
        }
        return new AuthzConfig(properties);
    }

    static SSLSocketFactory createSSLFactory(Config config) {
        return SSLUtil.createSSLFactory(ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_LOCATION, "oauth.ssl.truststore.location"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_CERTIFICATES, "oauth.ssl.truststore.certificates"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_PASSWORD, "oauth.ssl.truststore.password"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_TYPE, "oauth.ssl.truststore.type"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_SECURE_RANDOM_IMPLEMENTATION, "oauth.ssl.secure.random.implementation"));
    }

    static HostnameVerifier createHostnameVerifier(Config config) {
        String configWithFallbackLookup = ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, "oauth.ssl.endpoint.identification.algorithm");
        if (configWithFallbackLookup == null) {
            configWithFallbackLookup = "HTTPS";
        }
        if ("".equals(configWithFallbackLookup)) {
            return SSLUtil.createAnyHostHostnameVerifier();
        }
        return null;
    }

    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        try {
            OAuthKafkaPrincipal principal = authorizableRequestContext.principal();
            for (UserSpec userSpec : this.superUsers) {
                if (principal.getPrincipalType().equals(userSpec.getType()) && principal.getName().equals(userSpec.getName())) {
                    for (Action action : list) {
                        if (GRANT_LOG.isDebugEnabled() && action.logIfAllowed()) {
                            GRANT_LOG.debug("Authorization GRANTED - user is a superuser: " + authorizableRequestContext.principal() + ", cluster: " + this.clusterName + ", operation: " + action.operation() + ", resource: " + fromResourcePattern(action.resourcePattern()));
                        }
                    }
                    return Collections.nCopies(list.size(), AuthorizationResult.ALLOWED);
                }
            }
            if (!(principal instanceof OAuthKafkaPrincipal)) {
                return delegateIfRequested(authorizableRequestContext, list, null);
            }
            BearerTokenWithPayload jwt = principal.getJwt();
            if (denyIfTokenInvalid(jwt)) {
                return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
            }
            JsonNode jsonNode = (JsonNode) jwt.getPayload();
            if (jsonNode == null) {
                jsonNode = handleFetchingGrants(jwt);
            }
            if (log.isDebugEnabled()) {
                log.debug("Authorization grants for user {}: {}", principal, jsonNode);
            }
            return jsonNode != null ? allowOrDenyBasedOnGrants(authorizableRequestContext, list, jsonNode) : delegateIfRequested(authorizableRequestContext, list, null);
        } catch (Throwable th) {
            log.error("An unexpected exception has occurred: ", th);
            if (DENY_LOG.isDebugEnabled()) {
                DENY_LOG.debug("Authorization DENIED due to error - user: " + authorizableRequestContext.principal() + ", cluster: " + this.clusterName + ", actions: " + list + ",\n permissions: " + ((Object) null));
            }
            return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
        }
    }

    private String fromResourcePattern(ResourcePattern resourcePattern) {
        return resourcePattern.resourceType() + ":" + resourcePattern.name();
    }

    private List<AuthorizationResult> allowOrDenyBasedOnGrants(AuthorizableRequestContext authorizableRequestContext, List<Action> list, JsonNode jsonNode) {
        ArrayList arrayList = new ArrayList(list.size());
        for (Action action : list) {
            Iterator it = jsonNode.iterator();
            while (it.hasNext()) {
                JsonNode jsonNode2 = (JsonNode) it.next();
                ResourceSpec of = ResourceSpec.of(jsonNode2.get("rsname").asText());
                if (of.match(this.clusterName, action.resourcePattern().resourceType().name(), action.resourcePattern().name())) {
                    JsonNode jsonNode3 = jsonNode2.get("scopes");
                    ScopesSpec of2 = jsonNode3 == null ? null : ScopesSpec.of(validateScopes(JSONUtil.asListOfString(jsonNode3)));
                    if (jsonNode3 == null || of2.isGranted(action.operation().name())) {
                        if (GRANT_LOG.isDebugEnabled() && action.logIfAllowed()) {
                            GRANT_LOG.debug("Authorization GRANTED - cluster: " + this.clusterName + ", user: " + authorizableRequestContext.principal() + ", operation: " + action.operation() + ", resource: " + fromResourcePattern(action.resourcePattern()) + "\nGranted scopes for resource (" + of + "): " + (of2 == null ? "ALL" : of2));
                        }
                        arrayList.add(AuthorizationResult.ALLOWED);
                    }
                }
            }
            arrayList.addAll(delegateIfRequested(authorizableRequestContext, Collections.singletonList(action), jsonNode));
        }
        return arrayList;
    }

    private boolean denyIfTokenInvalid(BearerTokenWithPayload bearerTokenWithPayload) {
        if (bearerTokenWithPayload.lifetimeMs() > System.currentTimeMillis()) {
            return false;
        }
        if (!DENY_LOG.isDebugEnabled()) {
            return true;
        }
        DENY_LOG.debug("Authorization DENIED due to token expiry - The token expired at: " + bearerTokenWithPayload.lifetimeMs() + " (" + TimeUtil.formatIsoDateTimeUTC(bearerTokenWithPayload.lifetimeMs()) + " UTC), for token: " + LogUtil.mask(bearerTokenWithPayload.value()));
        return true;
    }

    private JsonNode handleFetchingGrants(BearerTokenWithPayload bearerTokenWithPayload) {
        ObjectNode objectNode = null;
        try {
            objectNode = fetchAuthorizationGrants(bearerTokenWithPayload.value());
            if (objectNode == null) {
                objectNode = JSONUtil.newObjectNode();
            }
        } catch (HttpException e) {
            if (e.getStatus() == 403) {
                objectNode = JSONUtil.newObjectNode();
            } else {
                log.warn("Unexpected status while fetching authorization data - will retry next time: " + e.getMessage());
            }
        }
        if (objectNode != null) {
            bearerTokenWithPayload.setPayload(objectNode);
        }
        return objectNode;
    }

    static List<ScopesSpec.AuthzScope> validateScopes(List<String> list) {
        ArrayList arrayList = new ArrayList(list.size());
        for (String str : list) {
            try {
                arrayList.add(ScopesSpec.AuthzScope.of(str));
            } catch (Exception e) {
                log.warn("[IGNORED] Invalid scope detected in authorization scopes list: " + str);
            }
        }
        return arrayList;
    }

    private List<AuthorizationResult> delegateIfRequested(AuthorizableRequestContext authorizableRequestContext, List<Action> list, JsonNode jsonNode) {
        String str = authorizableRequestContext.principal() instanceof OAuthKafkaPrincipal ? "" : " non-oauth";
        if (!this.delegateToKafkaACL) {
            if (DENY_LOG.isDebugEnabled()) {
                for (Action action : list) {
                    if (action.logIfDenied()) {
                        DENY_LOG.debug("Authorization DENIED -" + str + " user: " + authorizableRequestContext.principal() + ", cluster: " + this.clusterName + ", operation: " + action.operation() + ", resource: " + fromResourcePattern(action.resourcePattern()) + ",\n permissions: " + jsonNode);
                    }
                }
            }
            return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
        }
        List<AuthorizationResult> authorize = super.authorize(authorizableRequestContext, list);
        int i = 0;
        Iterator<AuthorizationResult> it = authorize.iterator();
        while (it.hasNext()) {
            AuthorizationResult next = it.next();
            Action action2 = list.get(i);
            boolean z = next == AuthorizationResult.ALLOWED && GRANT_LOG.isDebugEnabled() && action2.logIfAllowed();
            boolean z2 = next == AuthorizationResult.DENIED && DENY_LOG.isDebugEnabled() && action2.logIfDenied();
            if (z || z2) {
                String str2 = "Authorization " + (next == AuthorizationResult.ALLOWED ? "GRANTED" : "DENIED") + " by ACL -" + str + " user: " + authorizableRequestContext.principal() + ", operation: " + action2.operation() + ", resource: " + fromResourcePattern(action2.resourcePattern());
                if (z) {
                    GRANT_LOG.debug(str2);
                } else {
                    DENY_LOG.debug(str2);
                }
            }
            i++;
        }
        return authorize;
    }

    private JsonNode fetchAuthorizationGrants(String str) {
        try {
            return (JsonNode) HttpUtil.post(this.tokenEndpointUrl, this.socketFactory, this.hostnameVerifier, "Bearer " + str, "application/x-www-form-urlencoded", "audience=" + OAuthAuthenticator.urlencode(this.clientId) + "&grant_type=" + OAuthAuthenticator.urlencode("urn:ietf:params:oauth:grant-type:uma-ticket") + "&response_mode=permissions", JsonNode.class, this.connectTimeoutSeconds, this.readTimeoutSeconds);
        } catch (HttpException e) {
            throw e;
        } catch (Exception e2) {
            throw new RuntimeException("Failed to fetch authorization data from authorization server: ", e2);
        }
    }

    private void setupRefreshGrantsJob(int i) {
        Executors.newSingleThreadScheduledExecutor(new DaemonThreadFactory()).scheduleAtFixedRate(this::refreshGrants, i, i, TimeUnit.SECONDS);
    }

    private void refreshGrants() {
        try {
            try {
                log.debug("Refreshing authorization grants ...");
                ConcurrentHashMap concurrentHashMap = new ConcurrentHashMap();
                Predicate<BearerTokenWithPayload> predicate = bearerTokenWithPayload -> {
                    ConcurrentLinkedQueue concurrentLinkedQueue = (ConcurrentLinkedQueue) concurrentHashMap.computeIfAbsent(bearerTokenWithPayload.value(), str -> {
                        ConcurrentLinkedQueue concurrentLinkedQueue2 = new ConcurrentLinkedQueue();
                        concurrentLinkedQueue2.add(bearerTokenWithPayload);
                        return concurrentLinkedQueue2;
                    });
                    if (bearerTokenWithPayload == concurrentLinkedQueue.peek()) {
                        return true;
                    }
                    concurrentLinkedQueue.add(bearerTokenWithPayload);
                    return false;
                };
                Sessions sessions = Services.getInstance().getSessions();
                for (SessionFuture<?> sessionFuture : scheduleGrantsRefresh(predicate, sessions)) {
                    try {
                        sessionFuture.get();
                    } catch (ExecutionException e) {
                        log.warn("[IGNORED] Failed to fetch grants for token: " + e.getMessage(), e);
                        HttpException cause = e.getCause();
                        if ((cause instanceof HttpException) && 401 == cause.getStatus()) {
                            ObjectNode newObjectNode = JSONUtil.newObjectNode();
                            Iterator it = ((ConcurrentLinkedQueue) concurrentHashMap.get(sessionFuture.getToken().value())).iterator();
                            while (it.hasNext()) {
                                BearerTokenWithPayload bearerTokenWithPayload2 = (BearerTokenWithPayload) it.next();
                                bearerTokenWithPayload2.setPayload(newObjectNode);
                                sessions.remove(bearerTokenWithPayload2);
                                if (log.isDebugEnabled()) {
                                    log.debug("Removed invalid session from sessions map (session: {}, token: {}). Will not refresh its grants any more.", Integer.valueOf(sessionFuture.getToken().getSessionId()), LogUtil.mask(sessionFuture.getToken().value()));
                                }
                            }
                        }
                    } catch (Throwable th) {
                        log.warn("[IGNORED] Failed to fetch grants for session: " + sessionFuture.getToken().getSessionId() + ", token: " + LogUtil.mask(sessionFuture.getToken().value()) + " - " + th.getMessage(), th);
                    }
                }
                Iterator it2 = concurrentHashMap.values().iterator();
                while (it2.hasNext()) {
                    BearerTokenWithPayload bearerTokenWithPayload3 = null;
                    Iterator it3 = ((ConcurrentLinkedQueue) it2.next()).iterator();
                    while (it3.hasNext()) {
                        BearerTokenWithPayload bearerTokenWithPayload4 = (BearerTokenWithPayload) it3.next();
                        if (bearerTokenWithPayload3 == null) {
                            bearerTokenWithPayload3 = bearerTokenWithPayload4;
                        } else {
                            Object payload = bearerTokenWithPayload4.getPayload();
                            Object payload2 = bearerTokenWithPayload3.getPayload();
                            if (payload2 == null) {
                                payload2 = JSONUtil.newObjectNode();
                            }
                            if (payload2.equals(payload)) {
                                break;
                            }
                            if (log.isDebugEnabled()) {
                                log.debug("Grants have changed for session: {}, token: {}\nbefore: {}\nafter: {}", new Object[]{Integer.valueOf(bearerTokenWithPayload4.getSessionId()), LogUtil.mask(bearerTokenWithPayload4.value()), payload, payload2});
                            }
                            bearerTokenWithPayload4.setPayload(payload2);
                        }
                    }
                }
                log.debug("Done refreshing grants");
            } catch (Throwable th2) {
                log.error(th2.getMessage(), th2);
                log.debug("Done refreshing grants");
            }
        } catch (Throwable th3) {
            log.debug("Done refreshing grants");
            throw th3;
        }
    }

    private List<SessionFuture<?>> scheduleGrantsRefresh(Predicate<BearerTokenWithPayload> predicate, Sessions sessions) {
        return sessions.executeTask(this.workerPool, predicate, bearerTokenWithPayload -> {
            JsonNode newObjectNode;
            if (log.isTraceEnabled()) {
                log.trace("Fetch grants for session: " + bearerTokenWithPayload.getSessionId() + ", token: " + LogUtil.mask(bearerTokenWithPayload.value()));
            }
            try {
                newObjectNode = fetchAuthorizationGrants(bearerTokenWithPayload.value());
            } catch (HttpException e) {
                if (403 != e.getStatus()) {
                    throw e;
                }
                newObjectNode = JSONUtil.newObjectNode();
            }
            Object payload = bearerTokenWithPayload.getPayload();
            if (newObjectNode.equals(payload)) {
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Grants have changed for session: {}, token: {}\nbefore: {}\nafter: {}", new Object[]{Integer.valueOf(bearerTokenWithPayload.getSessionId()), LogUtil.mask(bearerTokenWithPayload.value()), payload, newObjectNode});
            }
            bearerTokenWithPayload.setPayload(newObjectNode);
        });
    }

    public void close() {
        try {
            if (this.workerPool != null) {
                this.workerPool.shutdownNow();
            }
        } catch (Exception e) {
            log.error("Failed to shutdown the worker pool", e);
        }
        super.close();
    }

    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        CompletableFuture completedFuture = CompletableFuture.completedFuture(null);
        return !this.delegateToKafkaACL ? (Map) authorizerServerInfo.endpoints().stream().collect(Collectors.toMap(Function.identity(), endpoint -> {
            return completedFuture;
        })) : super.start(authorizerServerInfo);
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        if (this.delegateToKafkaACL) {
            return super.createAcls(authorizableRequestContext, list);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        if (this.delegateToKafkaACL) {
            return super.deleteAcls(authorizableRequestContext, list);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        if (this.delegateToKafkaACL) {
            return super.acls(aclBindingFilter);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }
}
