package io.strimzi.kafka.oauth.server.authorizer;

import com.fasterxml.jackson.databind.JsonNode;
import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.HttpException;
import io.strimzi.kafka.oauth.common.HttpUtil;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.SSLUtil;
import io.strimzi.kafka.oauth.common.TimeUtil;
import io.strimzi.kafka.oauth.metrics.SensorKeyProducer;
import io.strimzi.kafka.oauth.server.OAuthKafkaPrincipal;
import io.strimzi.kafka.oauth.server.authorizer.GrantsHandler;
import io.strimzi.kafka.oauth.server.authorizer.ScopesSpec;
import io.strimzi.kafka.oauth.server.authorizer.metrics.GrantsHttpSensorKeyProducer;
import io.strimzi.kafka.oauth.server.authorizer.metrics.KeycloakAuthorizationSensorKeyProducer;
import io.strimzi.kafka.oauth.services.OAuthMetrics;
import io.strimzi.kafka.oauth.services.ServiceException;
import io.strimzi.kafka.oauth.services.Services;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
@Deprecated
/* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.class */
public class KeycloakRBACAuthorizer implements Authorizer {
    static final Logger log = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class);
    static final Logger GRANT_LOG = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class.getName() + ".grant");
    static final Logger DENY_LOG = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class.getName() + ".deny");
    private static final AtomicInteger INSTANCE_NUMBER_COUNTER = new AtomicInteger(1);
    private final Authorizer delegator;
    private SSLSocketFactory socketFactory;
    private HostnameVerifier hostnameVerifier;
    private OAuthMetrics metrics;
    private SensorKeyProducer authzSensorKeyProducer;
    private SensorKeyProducer grantsSensorKeyProducer;
    private Authorizer delegate;
    private GrantsHandler grantsHandler;
    private Configuration configuration;
    private final int instanceNumber = INSTANCE_NUMBER_COUNTER.getAndIncrement();
    private final boolean denyWhenTokenInvalid = true;

    public KeycloakRBACAuthorizer() {
        log.warn("KeycloakRBACAuthorizer has been deprecated, please use io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer instead.");
        this.delegator = null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public KeycloakRBACAuthorizer(Authorizer authorizer) {
        this.delegator = authorizer;
    }

    public void configure(Map<String, ?> map) {
        this.configuration = new Configuration(map);
        this.configuration.printLogs();
        assignFields(this.configuration);
        if (log.isDebugEnabled()) {
            log.debug("Configured " + String.valueOf(this) + (this.delegator != null ? " (via " + String.valueOf(this.delegator) + ")" : "") + ":\n    tokenEndpointUri: " + String.valueOf(this.configuration.getTokenEndpointUrl()) + "\n    sslSocketFactory: " + String.valueOf(this.socketFactory) + "\n    hostnameVerifier: " + String.valueOf(this.hostnameVerifier) + "\n    clientId: " + this.configuration.getClientId() + "\n    clusterName: " + this.configuration.getClusterName() + "\n    delegateToKafkaACL: " + this.configuration.isDelegateToKafkaACL() + "\n    superUsers: " + String.valueOf(this.configuration.getSuperUsers().stream().map(userSpec -> {
                return "'" + userSpec.getType() + ":" + userSpec.getName() + "'";
            }).collect(Collectors.toList())) + "\n    grantsRefreshPeriodSeconds: " + this.configuration.getGrantsRefreshPeriodSeconds() + "\n    grantsRefreshPoolSize: " + this.configuration.getGrantsRefreshPoolSize() + "\n    grantsMaxIdleTimeSeconds: " + this.configuration.getGrantsMaxIdleTimeSeconds() + "\n    httpRetries: " + this.configuration.getHttpRetries() + "\n    reuseGrants: " + this.configuration.isReuseGrants() + "\n    connectTimeoutSeconds: " + this.configuration.getConnectTimeoutSeconds() + "\n    readTimeoutSeconds: " + this.configuration.getReadTimeoutSeconds() + "\n    enableMetrics: " + this.configuration.isEnableMetrics() + "\n    gcPeriodSeconds: " + this.configuration.getGcPeriodSeconds() + "\n    includeAcceptHeader: " + this.configuration.getIncludeAcceptHeader());
        }
    }

    private void assignFields(Configuration configuration) {
        this.socketFactory = createSSLFactory(configuration);
        this.hostnameVerifier = createHostnameVerifier(configuration);
        if (!Services.isAvailable()) {
            Services.configure(configuration.getConfigMap());
        }
        if (configuration.isEnableMetrics()) {
            this.metrics = Services.getInstance().getMetrics();
        }
        this.authzSensorKeyProducer = new KeycloakAuthorizationSensorKeyProducer("keycloak-authorizer", configuration.getTokenEndpointUrl());
        this.grantsSensorKeyProducer = new GrantsHttpSensorKeyProducer("keycloak-authorizer", configuration.getTokenEndpointUrl());
        this.grantsHandler = new GrantsHandler(configuration.getGrantsRefreshPeriodSeconds(), configuration.getGrantsRefreshPoolSize(), configuration.getGrantsMaxIdleTimeSeconds(), this::fetchAuthorizationGrantsOnce, configuration.getHttpRetries(), configuration.getGcPeriodSeconds());
        if (this.delegate != null) {
            this.delegate.configure(configuration.getConfigMap());
        }
    }

    static SSLSocketFactory createSSLFactory(Configuration configuration) {
        return SSLUtil.createSSLFactory(configuration.getTruststore(), configuration.getTruststoreData(), configuration.getTruststorePassword(), configuration.getTruststoreType(), configuration.getPrng());
    }

    static HostnameVerifier createHostnameVerifier(Configuration configuration) {
        if ("".equals(configuration.getCertificateHostCheckAlgorithm())) {
            return SSLUtil.createAnyHostHostnameVerifier();
        }
        return null;
    }

    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        return authorize(this.delegate, authorizableRequestContext, list);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public List<AuthorizationResult> authorize(Authorizer authorizer, AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        long currentTimeMillis = System.currentTimeMillis();
        try {
            OAuthKafkaPrincipal principal = authorizableRequestContext.principal();
            for (UserSpec userSpec : this.configuration.getSuperUsers()) {
                if (principal.getPrincipalType().equals(userSpec.getType()) && principal.getName().equals(userSpec.getName())) {
                    for (Action action : list) {
                        if (GRANT_LOG.isDebugEnabled() && action.logIfAllowed()) {
                            GRANT_LOG.debug("Authorization GRANTED - user is a superuser: " + String.valueOf(authorizableRequestContext.principal()) + ", cluster: " + this.configuration.getClusterName() + ", operation: " + String.valueOf(action.operation()) + ", resource: " + fromResourcePattern(action.resourcePattern()));
                        }
                    }
                    addAuthzMetricSuccessTime(currentTimeMillis);
                    return Collections.nCopies(list.size(), AuthorizationResult.ALLOWED);
                }
            }
            if (!(principal instanceof OAuthKafkaPrincipal)) {
                List<AuthorizationResult> delegateIfRequested = delegateIfRequested(authorizer, authorizableRequestContext, list, null);
                addAuthzMetricSuccessTime(currentTimeMillis);
                return delegateIfRequested;
            }
            BearerTokenWithPayload jwt = principal.getJwt();
            if (denyIfTokenInvalid(jwt)) {
                addAuthzMetricSuccessTime(currentTimeMillis);
                return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
            }
            if (this.grantsHandler == null) {
                throw new IllegalStateException("Authorizer has not been configured - configure() not called");
            }
            GrantsHandler.Info grantsInfoFromCache = this.grantsHandler.getGrantsInfoFromCache(jwt);
            log.trace("Got grantsInfo: {}", grantsInfoFromCache);
            JsonNode grants = grantsInfoFromCache.getGrants();
            boolean z = !this.configuration.isReuseGrants() && (jwt.getPayload() == null);
            if (grants == null || z) {
                if (grants == null) {
                    log.debug("No grants yet for user: {}", principal);
                } else {
                    log.debug("Grants available but new session and reuseGrants is `false`");
                }
                grants = this.grantsHandler.fetchGrantsForUserOrWaitForDelivery(principal.getName(), grantsInfoFromCache);
                if (z) {
                    jwt.setPayload(JSONUtil.newObjectNode());
                }
            }
            log.debug("Got grants for '{}': {}", principal, grants);
            List<AuthorizationResult> allowOrDenyBasedOnGrants = grants != null ? allowOrDenyBasedOnGrants(authorizer, authorizableRequestContext, list, grants) : delegateIfRequested(authorizer, authorizableRequestContext, list, null);
            addAuthzMetricSuccessTime(currentTimeMillis);
            return allowOrDenyBasedOnGrants;
        } catch (Throwable th) {
            log.error("An unexpected exception has occurred: ", th);
            if (DENY_LOG.isDebugEnabled()) {
                DENY_LOG.debug("Authorization DENIED due to error - user: " + String.valueOf(authorizableRequestContext.principal()) + ", cluster: " + this.configuration.getClusterName() + ", actions: " + String.valueOf(list) + ",\n permissions: " + String.valueOf((Object) null));
            }
            addAuthzMetricErrorTime(th, currentTimeMillis);
            return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
        }
    }

    private String fromResourcePattern(ResourcePattern resourcePattern) {
        return String.valueOf(resourcePattern.resourceType()) + ":" + resourcePattern.name();
    }

    private List<AuthorizationResult> allowOrDenyBasedOnGrants(Authorizer authorizer, AuthorizableRequestContext authorizableRequestContext, List<Action> list, JsonNode jsonNode) {
        ArrayList arrayList = new ArrayList(list.size());
        for (Action action : list) {
            Iterator it = jsonNode.iterator();
            while (it.hasNext()) {
                JsonNode jsonNode2 = (JsonNode) it.next();
                ResourceSpec of = ResourceSpec.of(jsonNode2.get("rsname").asText());
                if (of.match(this.configuration.getClusterName(), action.resourcePattern().resourceType().name(), action.resourcePattern().name())) {
                    JsonNode jsonNode3 = jsonNode2.get("scopes");
                    ScopesSpec of2 = jsonNode3 == null ? null : ScopesSpec.of(validateScopes(JSONUtil.asListOfString(jsonNode3)));
                    if (jsonNode3 == null || of2.isGranted(action.operation().name())) {
                        if (GRANT_LOG.isDebugEnabled() && action.logIfAllowed()) {
                            GRANT_LOG.debug("Authorization GRANTED - cluster: " + this.configuration.getClusterName() + ", user: " + String.valueOf(authorizableRequestContext.principal()) + ", operation: " + String.valueOf(action.operation()) + ", resource: " + fromResourcePattern(action.resourcePattern()) + "\nGranted scopes for resource (" + String.valueOf(of) + "): " + String.valueOf(of2 == null ? "ALL" : of2));
                        }
                        arrayList.add(AuthorizationResult.ALLOWED);
                    }
                }
            }
            arrayList.addAll(delegateIfRequested(authorizer, authorizableRequestContext, Collections.singletonList(action), jsonNode));
        }
        return arrayList;
    }

    private boolean denyIfTokenInvalid(BearerTokenWithPayload bearerTokenWithPayload) {
        if (bearerTokenWithPayload.lifetimeMs() > System.currentTimeMillis()) {
            return false;
        }
        if (!DENY_LOG.isDebugEnabled()) {
            return true;
        }
        Logger logger = DENY_LOG;
        long lifetimeMs = bearerTokenWithPayload.lifetimeMs();
        String formatIsoDateTimeUTC = TimeUtil.formatIsoDateTimeUTC(bearerTokenWithPayload.lifetimeMs());
        LogUtil.mask(bearerTokenWithPayload.value());
        logger.debug("Authorization DENIED due to token expiry - The token expired at: " + lifetimeMs + " (" + logger + " UTC), for token: " + formatIsoDateTimeUTC);
        return true;
    }

    static List<ScopesSpec.AuthzScope> validateScopes(List<String> list) {
        ArrayList arrayList = new ArrayList(list.size());
        for (String str : list) {
            try {
                arrayList.add(ScopesSpec.AuthzScope.of(str));
            } catch (Exception e) {
                log.warn("[IGNORED] Invalid scope detected in authorization scopes list: " + str);
            }
        }
        return arrayList;
    }

    private List<AuthorizationResult> delegateIfRequested(Authorizer authorizer, AuthorizableRequestContext authorizableRequestContext, List<Action> list, JsonNode jsonNode) {
        String str = authorizableRequestContext.principal() instanceof OAuthKafkaPrincipal ? "" : " non-oauth";
        if (authorizer == null) {
            if (DENY_LOG.isDebugEnabled()) {
                for (Action action : list) {
                    if (action.logIfDenied()) {
                        logDenied(DENY_LOG, authorizableRequestContext, jsonNode, str, action);
                    }
                }
            } else if (log.isDebugEnabled()) {
                Iterator<Action> it = list.iterator();
                while (it.hasNext()) {
                    logDenied(log, authorizableRequestContext, jsonNode, str, it.next());
                }
            }
            return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
        }
        List<AuthorizationResult> authorize = authorizer.authorize(authorizableRequestContext, list);
        int i = 0;
        Iterator<AuthorizationResult> it2 = authorize.iterator();
        while (it2.hasNext()) {
            AuthorizationResult next = it2.next();
            Action action2 = list.get(i);
            boolean z = next == AuthorizationResult.ALLOWED && GRANT_LOG.isDebugEnabled() && action2.logIfAllowed();
            boolean z2 = next == AuthorizationResult.DENIED && DENY_LOG.isDebugEnabled() && action2.logIfDenied();
            if (z || z2) {
                String aCLMessage = getACLMessage(authorizableRequestContext, str, action2, next == AuthorizationResult.ALLOWED ? "GRANTED" : "DENIED");
                if (z) {
                    GRANT_LOG.debug(aCLMessage);
                } else {
                    DENY_LOG.debug(aCLMessage);
                }
            } else if (next == AuthorizationResult.DENIED && log.isDebugEnabled()) {
                log.debug(getACLMessage(authorizableRequestContext, str, action2, "DENIED"));
            }
            i++;
        }
        return authorize;
    }

    private String getACLMessage(AuthorizableRequestContext authorizableRequestContext, String str, Action action, String str2) {
        return "Authorization " + str2 + " by ACL -" + str + " user: " + String.valueOf(authorizableRequestContext.principal()) + ", operation: " + String.valueOf(action.operation()) + ", resource: " + fromResourcePattern(action.resourcePattern());
    }

    private void logDenied(Logger logger, AuthorizableRequestContext authorizableRequestContext, JsonNode jsonNode, String str, Action action) {
        logger.debug("Authorization DENIED -" + str + " user: " + String.valueOf(authorizableRequestContext.principal()) + ", cluster: " + this.configuration.getClusterName() + ", operation: " + String.valueOf(action.operation()) + ", resource: " + fromResourcePattern(action.resourcePattern()) + ",\n permissions: " + String.valueOf(jsonNode));
    }

    private JsonNode fetchAuthorizationGrantsOnce(String str) {
        String str2 = "Bearer " + str;
        StringBuilder append = new StringBuilder("audience=").append(OAuthAuthenticator.urlencode(this.configuration.getClientId())).append("&grant_type=").append(OAuthAuthenticator.urlencode("urn:ietf:params:oauth:grant-type:uma-ticket")).append("&response_mode=permissions");
        long currentTimeMillis = System.currentTimeMillis();
        try {
            JsonNode jsonNode = (JsonNode) HttpUtil.post(this.configuration.getTokenEndpointUrl(), this.socketFactory, this.hostnameVerifier, str2, "application/x-www-form-urlencoded", append.toString(), JsonNode.class, this.configuration.getConnectTimeoutSeconds(), this.configuration.getReadTimeoutSeconds(), this.configuration.getIncludeAcceptHeader());
            addGrantsHttpMetricSuccessTime(currentTimeMillis);
            return jsonNode;
        } catch (Exception e) {
            addGrantsHttpMetricErrorTime(e, currentTimeMillis);
            throw new ServiceException("Failed to fetch authorization data from authorization server: ", e);
        } catch (HttpException e2) {
            addGrantsHttpMetricErrorTime(e2, currentTimeMillis);
            throw e2;
        }
    }

    public void close() {
        if (this.grantsHandler != null) {
            try {
                this.grantsHandler.close();
            } catch (Exception e) {
                log.error("Failed to shutdown the worker pool", e);
            }
        }
        if (this.delegate != null) {
            try {
                this.delegate.close();
            } catch (Exception e2) {
                log.error("Failed to close the delegate authorizer", e2);
            }
        }
    }

    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        CompletableFuture completedFuture = CompletableFuture.completedFuture(null);
        return this.delegate == null ? (Map) authorizerServerInfo.endpoints().stream().collect(Collectors.toMap(Function.identity(), endpoint -> {
            return completedFuture;
        })) : this.delegate.start(authorizerServerInfo);
    }

    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        if (this.delegate == null) {
            throw new UnsupportedOperationException("Simple ACL delegation not enabled");
        }
        return this.delegate.createAcls(authorizableRequestContext, list);
    }

    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        if (this.delegate == null) {
            throw new UnsupportedOperationException("Simple ACL delegation not enabled");
        }
        return this.delegate.deleteAcls(authorizableRequestContext, list);
    }

    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        if (this.delegate == null) {
            throw new UnsupportedOperationException("Simple ACL delegation not enabled");
        }
        return this.delegate.acls(aclBindingFilter);
    }

    private void addAuthzMetricSuccessTime(long j) {
        if (this.configuration.isEnableMetrics()) {
            this.metrics.addTime(this.authzSensorKeyProducer.successKey(), System.currentTimeMillis() - j);
        }
    }

    private void addAuthzMetricErrorTime(Throwable th, long j) {
        if (this.configuration.isEnableMetrics()) {
            this.metrics.addTime(this.authzSensorKeyProducer.errorKey(th), System.currentTimeMillis() - j);
        }
    }

    private void addGrantsHttpMetricSuccessTime(long j) {
        if (this.configuration.isEnableMetrics()) {
            this.metrics.addTime(this.grantsSensorKeyProducer.successKey(), System.currentTimeMillis() - j);
        }
    }

    private void addGrantsHttpMetricErrorTime(Throwable th, long j) {
        if (this.configuration.isEnableMetrics()) {
            this.metrics.addTime(this.grantsSensorKeyProducer.errorKey(th), System.currentTimeMillis() - j);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Configuration getConfiguration() {
        return this.configuration;
    }

    public String toString() {
        return KeycloakRBACAuthorizer.class.getSimpleName() + "@" + this.instanceNumber;
    }
}
