package com.tokera.ate.io.kafka.core;

import com.tokera.ate.BootstrapConfig;
import com.tokera.ate.delegates.AteDelegate;
import com.tokera.ate.enumerations.EnquireDomainKeyHandling;
import java.util.Date;
import java.util.HashSet;
import kafka.network.RequestChannel;
import kafka.security.auth.Acl;
import kafka.security.auth.Authorizer;
import kafka.security.auth.Operation;
import kafka.security.auth.Resource;
import org.apache.commons.lang3.time.DateUtils;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import scala.collection.immutable.Map;
import scala.collection.immutable.Set;

/* loaded from: input_file:com/tokera/ate/io/kafka/core/AteKafkaAuthorizer.class */
public class AteKafkaAuthorizer implements Authorizer {
    private AteDelegate d = AteDelegate.get();
    private volatile HashSet<String> allowedClients = new HashSet<>();
    private volatile Date refreshAfter = DateUtils.addYears(new Date(), -10);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.tokera.ate.io.kafka.core.AteKafkaAuthorizer$1, reason: invalid class name */
    /* loaded from: input_file:com/tokera/ate/io/kafka/core/AteKafkaAuthorizer$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$resource$ResourceType = new int[ResourceType.values().length];

        static {
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.CLUSTER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$resource$ResourceType[ResourceType.TOPIC.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:com/tokera/ate/io/kafka/core/AteKafkaAuthorizer$AuthorityAssessment.class */
    private class AuthorityAssessment {
        public final KafkaPrincipal principal;
        public final RequestChannel.Session session;
        public final AclOperation operation;
        public final Resource resource;
        public final ResourceType resourceType;
        public final String clientAddress;

        public AuthorityAssessment(RequestChannel.Session session, Operation operation, Resource resource) {
            this.session = session;
            this.operation = operation.toJava();
            this.resource = resource;
            this.resourceType = resource.resourceType().toJava();
            this.principal = session.principal();
            this.clientAddress = this.session.clientAddress().getHostAddress().toLowerCase();
        }

        public boolean isApi() {
            return isTrustedApi();
        }

        public boolean isTrustedApi() {
            return AteKafkaAuthorizer.this.allowedClients.contains(this.clientAddress);
        }

        public boolean isRead() {
            return this.operation == AclOperation.READ || this.operation == AclOperation.DESCRIBE;
        }

        public boolean isTrustedAdmin() {
            switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$resource$ResourceType[this.resourceType.ordinal()]) {
                case 1:
                    return this.operation == AclOperation.CREATE || this.operation == AclOperation.CLUSTER_ACTION;
                case 2:
                    return this.operation == AclOperation.CREATE;
                default:
                    return false;
            }
        }

        public boolean isNormalAdmin() {
            switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$resource$ResourceType[this.resourceType.ordinal()]) {
                case 2:
                    return this.operation == AclOperation.WRITE;
                default:
                    return false;
            }
        }

        public boolean isAllowed() {
            if (isRead()) {
                return true;
            }
            if (isApi() && isNormalAdmin()) {
                return true;
            }
            return isTrustedApi() && isTrustedAdmin();
        }
    }

    private void touch() {
        if (new Date().after(this.refreshAfter)) {
            refresh();
            this.refreshAfter = DateUtils.addMinutes(new Date(), 1);
        }
    }

    private void refresh() {
        String propertyOrThrow = BootstrapConfig.propertyOrThrow(this.d.bootstrapConfig.propertiesForAte(), "kafka.bootstrap");
        HashSet<String> hashSet = new HashSet<>();
        hashSet.add("localhost");
        hashSet.add("127.0.0.1");
        hashSet.add("::1");
        hashSet.addAll(this.d.implicitSecurity.enquireDomainAddresses(propertyOrThrow, EnquireDomainKeyHandling.ThrowOnError));
        this.allowedClients = hashSet;
    }

    public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
        touch();
        boolean isAllowed = new AuthorityAssessment(session, operation, resource).isAllowed();
        this.d.debugLogging.logKafkaAuthorize(session, operation, resource, isAllowed);
        return isAllowed;
    }

    public void addAcls(Set<Acl> set, Resource resource) {
    }

    public boolean removeAcls(Set<Acl> set, Resource resource) {
        return true;
    }

    public boolean removeAcls(Resource resource) {
        return true;
    }

    public Set<Acl> getAcls(Resource resource) {
        return null;
    }

    public Map<Resource, Set<Acl>> getAcls(KafkaPrincipal kafkaPrincipal) {
        return null;
    }

    public Map<Resource, Set<Acl>> getAcls() {
        return null;
    }

    public void close() {
    }

    public void configure(java.util.Map<String, ?> map) {
    }
}
