package io.strimzi.kafka.oauth.server.authorizer;

import io.strimzi.kafka.oauth.common.ConfigException;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.metadata.authorizer.AclMutator;
import org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer;
import org.apache.kafka.metadata.authorizer.StandardAcl;
import org.apache.kafka.metadata.authorizer.StandardAuthorizer;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/KeycloakAuthorizer.class */
public class KeycloakAuthorizer implements ClusterMetadataAuthorizer {
    private static final Logger log = LoggerFactory.getLogger(KeycloakAuthorizer.class);
    private static final AtomicInteger INSTANCE_NUMBER_COUNTER = new AtomicInteger(1);
    private final int instanceNumber = INSTANCE_NUMBER_COUNTER.getAndIncrement();
    private StandardAuthorizer delegate;
    private KeycloakRBACAuthorizer singleton;

    public void configure(Map<String, ?> map) {
        Configuration configuration = new Configuration(map);
        this.singleton = KeycloakAuthorizerService.getInstance();
        if (this.singleton == null) {
            this.singleton = new KeycloakRBACAuthorizer(this);
            this.singleton.configure(map);
            KeycloakAuthorizerService.setInstance(this.singleton);
        } else if (!configuration.equals(this.singleton.getConfiguration())) {
            throw new ConfigException("Only one authorizer configuration per JVM is supported");
        }
        if (configuration.isDelegateToKafkaACL() && configuration.isKRaft()) {
            this.delegate = instantiateStandardAuthorizer();
            this.delegate.configure(map);
        }
        if (log.isDebugEnabled()) {
            log.debug("Configured " + this + " using " + this.singleton);
        }
    }

    private StandardAuthorizer instantiateStandardAuthorizer() {
        try {
            log.debug("Using StandardAuthorizer (KRaft based) as a delegate");
            return new StandardAuthorizer();
        } catch (Exception e) {
            throw new ConfigException("KRaft mode detected ('process.roles' configured), but failed to instantiate org.apache.kafka.metadata.authorizer.StandardAuthorizer", e);
        }
    }

    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        return this.delegate != null ? this.delegate.start(authorizerServerInfo) : this.singleton.start(authorizerServerInfo);
    }

    public void setAclMutator(AclMutator aclMutator) {
        if (this.delegate != null) {
            this.delegate.setAclMutator(aclMutator);
        }
    }

    public AclMutator aclMutatorOrException() {
        if (this.delegate != null) {
            return this.delegate.aclMutatorOrException();
        }
        throw new IllegalStateException("KeycloakAuthorizer has not been properly configured");
    }

    public void completeInitialLoad() {
        if (this.delegate != null) {
            this.delegate.completeInitialLoad();
        }
    }

    public void completeInitialLoad(Exception exc) {
        if (exc != null) {
            exc.printStackTrace();
        }
        if (this.delegate != null) {
            this.delegate.completeInitialLoad(exc);
        }
    }

    public void loadSnapshot(Map<Uuid, StandardAcl> map) {
        if (this.delegate != null) {
            this.delegate.loadSnapshot(map);
        }
    }

    public void addAcl(Uuid uuid, StandardAcl standardAcl) {
        if (this.delegate == null) {
            throw new UnsupportedOperationException("ACL delegation not enabled");
        }
        this.delegate.addAcl(uuid, standardAcl);
    }

    public void removeAcl(Uuid uuid) {
        if (this.delegate == null) {
            throw new UnsupportedOperationException("ACL delegation not enabled");
        }
        this.delegate.removeAcl(uuid);
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        if (this.delegate != null) {
            return this.delegate.acls(aclBindingFilter);
        }
        if (this.singleton != null) {
            return this.singleton.acls(aclBindingFilter);
        }
        throw new UnsupportedOperationException("ACL delegation not enabled");
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        if (this.delegate != null) {
            return this.delegate.createAcls(authorizableRequestContext, list);
        }
        if (this.singleton != null) {
            return this.singleton.createAcls(authorizableRequestContext, list);
        }
        throw new UnsupportedOperationException("ACL delegation not enabled");
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        if (this.delegate != null) {
            return this.delegate.deleteAcls(authorizableRequestContext, list);
        }
        if (this.singleton != null) {
            return this.singleton.deleteAcls(authorizableRequestContext, list);
        }
        throw new UnsupportedOperationException("ACL delegation not enabled");
    }

    public int aclCount() {
        if (this.delegate != null) {
            return this.delegate.aclCount();
        }
        if (this.singleton != null) {
            return this.singleton.aclCount();
        }
        throw new UnsupportedOperationException("ACL delegation not enabled");
    }

    public AuthorizationResult authorizeByResourceType(AuthorizableRequestContext authorizableRequestContext, AclOperation aclOperation, ResourceType resourceType) {
        if (this.delegate != null) {
            return this.delegate.authorizeByResourceType(authorizableRequestContext, aclOperation, resourceType);
        }
        if (this.singleton != null) {
            return this.singleton.authorizeByResourceType(authorizableRequestContext, aclOperation, resourceType);
        }
        throw new UnsupportedOperationException("ACL delegation not enabled");
    }

    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        return this.delegate != null ? this.singleton.authorize(this.delegate, authorizableRequestContext, list) : this.singleton.authorize(authorizableRequestContext, list);
    }

    public void close() throws IOException {
        if (this.singleton != null) {
            this.singleton.close();
        }
        if (this.delegate != null) {
            this.delegate.close();
        }
    }

    public String toString() {
        return KeycloakAuthorizer.class.getSimpleName() + "@" + this.instanceNumber;
    }
}
