package io.strimzi.kafka.oauth.server.authorizer;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.Config;
import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.common.HttpException;
import io.strimzi.kafka.oauth.common.HttpUtil;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.SSLUtil;
import io.strimzi.kafka.oauth.server.authorizer.ScopesSpec;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.stream.Collectors;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import kafka.network.RequestChannel;
import kafka.security.auth.Acl;
import kafka.security.auth.Operation;
import kafka.security.auth.Resource;
import kafka.security.auth.SimpleAclAuthorizer;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.collection.immutable.Set;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/KeycloakRBACAuthorizer.class */
public class KeycloakRBACAuthorizer extends SimpleAclAuthorizer {
    private static final String PRINCIPAL_BUILDER_CLASS = "io.strimzi.kafka.oauth.server.authorizer.JwtKafkaPrincipalBuilder";
    static final Logger log = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class);
    static final Logger GRANT_LOG = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class.getName() + ".grant");
    static final Logger DENY_LOG = LoggerFactory.getLogger(KeycloakRBACAuthorizer.class.getName() + ".deny");
    private URI tokenEndpointUrl;
    private String clientId;
    private String clusterName;
    private SSLSocketFactory socketFactory;
    private HostnameVerifier hostnameVerifier;
    private List<UserSpec> superUsers = Collections.emptyList();
    private boolean delegateToKafkaACL = false;

    public void configure(Map<String, ?> map) {
        super.configure(map);
        AuthzConfig convertToCommonConfig = convertToCommonConfig(map);
        if (!PRINCIPAL_BUILDER_CLASS.equals((String) map.get("principal.builder.class"))) {
            throw new RuntimeException("KeycloakRBACAuthorizer requires io.strimzi.kafka.oauth.server.authorizer.JwtKafkaPrincipalBuilder as 'principal.builder.class'");
        }
        String configWithFallbackLookup = ConfigUtil.getConfigWithFallbackLookup(convertToCommonConfig, AuthzConfig.STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI, "oauth.token.endpoint.uri");
        if (configWithFallbackLookup == null) {
            throw new RuntimeException("OAuth2 Token Endpoint ('strimzi.authorization.token.endpoint.uri') not set.");
        }
        try {
            this.tokenEndpointUrl = new URI(configWithFallbackLookup);
            this.clientId = ConfigUtil.getConfigWithFallbackLookup(convertToCommonConfig, AuthzConfig.STRIMZI_AUTHORIZATION_CLIENT_ID, "oauth.client.id");
            if (this.clientId == null) {
                throw new RuntimeException("OAuth2 Client Id ('strimzi.authorization.client.id') not set.");
            }
            this.socketFactory = createSSLFactory(convertToCommonConfig);
            this.hostnameVerifier = createHostnameVerifier(convertToCommonConfig);
            this.clusterName = convertToCommonConfig.getValue(AuthzConfig.STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME);
            if (this.clusterName == null) {
                this.clusterName = "kafka-cluster";
            }
            this.delegateToKafkaACL = convertToCommonConfig.getValueAsBoolean(AuthzConfig.STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL, false);
            String str = (String) map.get("super.users");
            if (str != null) {
                this.superUsers = (List) Arrays.asList(str.split(";")).stream().map(str2 -> {
                    return UserSpec.of(str2);
                }).collect(Collectors.toList());
            }
            if (log.isDebugEnabled()) {
                log.debug("Configured KeycloakRBACAuthorizer:\n    tokenEndpointUri: " + this.tokenEndpointUrl + "\n    sslSocketFactory: " + this.socketFactory + "\n    hostnameVerifier: " + this.hostnameVerifier + "\n    clientId: " + this.clientId + "\n    clusterName: " + this.clusterName + "\n    delegateToKafkaACL: " + this.delegateToKafkaACL + "\n    superUsers: " + this.superUsers.stream().map(userSpec -> {
                    return userSpec.getType() + ":" + userSpec.getName();
                }).collect(Collectors.toList()));
            }
        } catch (URISyntaxException e) {
            throw new RuntimeException("Specified token endpoint uri is invalid: " + configWithFallbackLookup);
        }
    }

    static AuthzConfig convertToCommonConfig(Map<String, ?> map) {
        Properties properties = new Properties();
        for (String str : new String[]{AuthzConfig.STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL, AuthzConfig.STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME, AuthzConfig.STRIMZI_AUTHORIZATION_CLIENT_ID, "oauth.client.id", AuthzConfig.STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI, "oauth.token.endpoint.uri", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_LOCATION, "oauth.ssl.truststore.location", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_PASSWORD, "oauth.ssl.truststore.password", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_TYPE, "oauth.ssl.truststore.type", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_SECURE_RANDOM_IMPLEMENTATION, "oauth.ssl.secure.random.implementation", AuthzConfig.STRIMZI_AUTHORIZATION_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, "oauth.ssl.endpoint.identification.algorithm"}) {
            ConfigUtil.putIfNotNull(properties, str, map.get(str));
        }
        return new AuthzConfig(properties);
    }

    static SSLSocketFactory createSSLFactory(Config config) {
        return SSLUtil.createSSLFactory(ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_LOCATION, "oauth.ssl.truststore.location"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_PASSWORD, "oauth.ssl.truststore.password"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_TYPE, "oauth.ssl.truststore.type"), ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_SECURE_RANDOM_IMPLEMENTATION, "oauth.ssl.secure.random.implementation"));
    }

    static HostnameVerifier createHostnameVerifier(Config config) {
        String configWithFallbackLookup = ConfigUtil.getConfigWithFallbackLookup(config, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, "oauth.ssl.endpoint.identification.algorithm");
        if (configWithFallbackLookup == null) {
            configWithFallbackLookup = "HTTPS";
        }
        if ("".equals(configWithFallbackLookup)) {
            return SSLUtil.createAnyHostHostnameVerifier();
        }
        return null;
    }

    public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
        KafkaPrincipal principal = session.principal();
        for (UserSpec userSpec : this.superUsers) {
            if (principal.getPrincipalType().equals(userSpec.getType()) && principal.getName().equals(userSpec.getName())) {
                if (!GRANT_LOG.isDebugEnabled()) {
                    return true;
                }
                GRANT_LOG.debug("Authorization GRANTED - user is a superuser: " + session.principal() + ", operation: " + operation + ", resource: " + resource);
                return true;
            }
        }
        if (!(principal instanceof JwtKafkaPrincipal)) {
            return delegateIfRequested(session, operation, resource, null);
        }
        BearerTokenWithPayload jwt = ((JwtKafkaPrincipal) principal).getJwt();
        JsonNode jsonNode = (JsonNode) jwt.getPayload();
        if (jsonNode == null) {
            try {
                jsonNode = fetchAuthorizationGrants(jwt.value());
                if (jsonNode == null) {
                    jsonNode = new ObjectNode(JSONUtil.MAPPER.getNodeFactory());
                }
            } catch (HttpException e) {
                if (e.getStatus() == 403) {
                    jsonNode = new ObjectNode(JSONUtil.MAPPER.getNodeFactory());
                } else {
                    log.warn("Unexpected status while fetching authorization data - will retry next time: " + e.getMessage());
                }
            }
            if (jsonNode != null) {
                jwt.setPayload(jsonNode);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("authorize(): " + jsonNode);
        }
        if (jsonNode != null) {
            Iterator it = jsonNode.iterator();
            while (it.hasNext()) {
                JsonNode jsonNode2 = (JsonNode) it.next();
                ResourceSpec of = ResourceSpec.of(jsonNode2.get("rsname").asText());
                if (of.match(this.clusterName, resource.resourceType().name(), resource.name())) {
                    ScopesSpec of2 = ScopesSpec.of(validateScopes(JSONUtil.asListOfString(jsonNode2.get("scopes"))));
                    if (of2.isGranted(operation.name())) {
                        if (!GRANT_LOG.isDebugEnabled()) {
                            return true;
                        }
                        GRANT_LOG.debug("Authorization GRANTED - cluster: " + this.clusterName + ", user: " + session.principal() + ", operation: " + operation + ", resource: " + resource + "\nGranted scopes for resource (" + of + "): " + of2);
                        return true;
                    }
                }
            }
        }
        return delegateIfRequested(session, operation, resource, jsonNode);
    }

    static List<ScopesSpec.AuthzScope> validateScopes(List<String> list) {
        ArrayList arrayList = new ArrayList(list.size());
        for (String str : list) {
            try {
                arrayList.add(ScopesSpec.AuthzScope.valueOf(str));
            } catch (Exception e) {
                log.warn("[IGNORED] Invalid scope detected in authorization scopes list: " + str);
            }
        }
        return arrayList;
    }

    boolean delegateIfRequested(RequestChannel.Session session, Operation operation, Resource resource, JsonNode jsonNode) {
        String str = session.principal() instanceof JwtKafkaPrincipal ? "" : " non-oauth";
        if (!this.delegateToKafkaACL) {
            if (!DENY_LOG.isDebugEnabled()) {
                return false;
            }
            DENY_LOG.debug("Authorization DENIED -" + str + " user: " + session.principal() + ", cluster: " + this.clusterName + ", operation: " + operation + ", resource: " + resource + ",\n permissions: " + jsonNode);
            return false;
        }
        boolean authorize = super.authorize(session, operation, resource);
        boolean z = authorize && GRANT_LOG.isDebugEnabled();
        boolean z2 = !authorize && DENY_LOG.isDebugEnabled();
        if (z || z2) {
            String str2 = "Authorization " + (authorize ? "GRANTED" : "DENIED") + " by ACL -" + str + " user: " + session.principal() + ", operation: " + operation + ", resource: " + resource;
            if (z) {
                GRANT_LOG.debug(str2);
            } else if (z2) {
                DENY_LOG.debug(str2);
            }
        }
        return authorize;
    }

    JsonNode fetchAuthorizationGrants(String str) {
        try {
            return (JsonNode) HttpUtil.post(this.tokenEndpointUrl, this.socketFactory, this.hostnameVerifier, "Bearer " + str, "application/x-www-form-urlencoded", "audience=" + OAuthAuthenticator.urlencode(this.clientId) + "&grant_type=" + OAuthAuthenticator.urlencode("urn:ietf:params:oauth:grant-type:uma-ticket") + "&response_mode=permissions", JsonNode.class);
        } catch (Exception e) {
            throw new RuntimeException("Failed to fetch authorization data from authorization server: ", e);
        } catch (HttpException e2) {
            throw e2;
        }
    }

    public void addAcls(Set<Acl> set, Resource resource) {
        if (!this.delegateToKafkaACL) {
            throw new RuntimeException("Simple ACL delegation not enabled");
        }
        super.addAcls(set, resource);
    }

    public boolean removeAcls(Set<Acl> set, Resource resource) {
        if (this.delegateToKafkaACL) {
            return super.removeAcls(set, resource);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public boolean removeAcls(Resource resource) {
        if (this.delegateToKafkaACL) {
            return super.removeAcls(resource);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public Set<Acl> getAcls(Resource resource) {
        if (this.delegateToKafkaACL) {
            return super.getAcls(resource);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls(KafkaPrincipal kafkaPrincipal) {
        if (this.delegateToKafkaACL) {
            return super.getAcls(kafkaPrincipal);
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public scala.collection.immutable.Map<Resource, Set<Acl>> getAcls() {
        if (this.delegateToKafkaACL) {
            return super.getAcls();
        }
        throw new RuntimeException("Simple ACL delegation not enabled");
    }

    public void close() {
        super.close();
    }
}
