package org.openpolicyagent.kafka;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.typesafe.scalalogging.LazyLogging;
import com.typesafe.scalalogging.Logger;
import java.io.File;
import java.io.FileInputStream;
import java.net.URI;
import java.net.URL;
import java.net.http.HttpClient;
import java.security.KeyStore;
import java.time.Duration;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.metrics.JmxReporter;
import org.apache.kafka.common.metrics.KafkaMetricsContext;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.metrics.MetricsContext;
import org.apache.kafka.common.metrics.stats.CumulativeCount;
import org.apache.kafka.common.metrics.stats.Value;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import scala.$less$colon$less$;
import scala.Array$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Tuple2;
import scala.collection.IterableOnceOps;
import scala.collection.StringOps$;
import scala.collection.immutable.List;
import scala.collection.immutable.Map;
import scala.collection.immutable.Nil$;
import scala.collection.mutable.Buffer;
import scala.jdk.CollectionConverters$;
import scala.reflect.ClassTag$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;

/* compiled from: OpaAuthorizer.scala */
@ScalaSignature(bytes = "\u0006\u0005\t}e\u0001\u0002\u0010 \u0001\u0019BQ\u0001\u0012\u0001\u0005\u0002\u0015Cq\u0001\u0013\u0001A\u0002\u0013%\u0011\nC\u0004[\u0001\u0001\u0007I\u0011B.\t\r\t\u0004\u0001\u0015)\u0003K\u0011!\u0019\u0007\u0001#b\u0001\n\u0013!\u0007\u0002C6\u0001\u0011\u000b\u0007I\u0011\u00027\t\u0011A\u0004\u0001R1A\u0005\nED\u0001\u0002 \u0001\t\u0006\u0004%I! \u0005\u000b\u0003\u0007\u0001\u0001R1A\u0005\n\u0005\u0015\u0001BCA\u0007\u0001!\u0015\r\u0011\"\u0003\u0002\u0006!Q\u0011q\u0002\u0001\t\u0006\u0004%I!!\u0002\t\u0013\u0005E\u0001\u00011A\u0005\n\u0005M\u0001\"CA\u0013\u0001\u0001\u0007I\u0011BA\u0014\u0011!\tY\u0003\u0001Q!\n\u0005U\u0001BCA\u0017\u0001!\u0015\r\u0011\"\u0003\u00020!9\u0011q\t\u0001\u0005B\u0005%\u0003bBA9\u0001\u0011\u0005\u00131\u000f\u0005\b\u0003+\u0003A\u0011IAL\u0011!\tI\r\u0001C\u0001?\u0005-\u0007bBAk\u0001\u0011%\u0011q\u001b\u0005\t\u0003G\u0004A\u0011A\u0010\u00020!9\u00111\u001f\u0001\u0005B\u0005U\bbBA|\u0001\u0011\u0005\u0013\u0011 
\u0005\b\u0005+\u0001A\u0011\tB\f\u0011\u001d\u0011)\u0004\u0001C!\u0005oAqA!\u0016\u0001\t\u0013\u00119\u0006C\u0004\u0003`\u0001!\tE!\u0019\t\u000f\t}\u0004\u0001\"\u0003\u0003\u0002\"9!q\u0011\u0001\u0005\u0002\t%%!D(qC\u0006+H\u000f[8sSj,'O\u0003\u0002!C\u0005)1.\u00194lC*\u0011!eI\u0001\u0010_B,g\u000e]8mS\u000eL\u0018mZ3oi*\tA%A\u0002pe\u001e\u001c\u0001a\u0005\u0003\u0001O=R\u0004C\u0001\u0015.\u001b\u0005I#B\u0001\u0016,\u0003\u0011a\u0017M\\4\u000b\u00031\nAA[1wC&\u0011a&\u000b\u0002\u0007\u001f\nTWm\u0019;\u0011\u0005ABT\"A\u0019\u000b\u0005I\u001a\u0014AC1vi\"|'/\u001b>fe*\u0011A'N\u0001\u0007g\u0016\u0014h/\u001a:\u000b\u0005\u00012$BA\u001c$\u0003\u0019\t\u0007/Y2iK&\u0011\u0011(\r\u0002\u000b\u0003V$\bn\u001c:ju\u0016\u0014\bCA\u001eC\u001b\u0005a$BA\u001f?\u00031\u00198-\u00197bY><w-\u001b8h\u0015\ty\u0004)\u0001\u0005usB,7/\u00194f\u0015\u0005\t\u0015aA2p[&\u00111\t\u0010\u0002\f\u0019\u0006T\u0018\u0010T8hO&tw-\u0001\u0004=S:LGO\u0010\u000b\u0002\rB\u0011q\tA\u0007\u0002?\u000511m\u001c8gS\u001e,\u0012A\u0013\t\u0005\u0017R;vK\u0004\u0002M%B\u0011Q\nU\u0007\u0002\u001d*\u0011q*J\u0001\u0007yI|w\u000e\u001e 
\u000b\u0003E\u000bQa]2bY\u0006L!a\u0015)\u0002\rA\u0013X\rZ3g\u0013\t)fKA\u0002NCBT!a\u0015)\u0011\u0005-C\u0016BA-W\u0005\u0019\u0019FO]5oO\u0006Q1m\u001c8gS\u001e|F%Z9\u0015\u0005q\u0003\u0007CA/_\u001b\u0005\u0001\u0016BA0Q\u0005\u0011)f.\u001b;\t\u000f\u0005\u001c\u0011\u0011!a\u0001\u0015\u0006\u0019\u0001\u0010J\u0019\u0002\u000f\r|gNZ5hA\u00051q\u000e]1Ve2,\u0012!\u001a\t\u0003M&l\u0011a\u001a\u0006\u0003Q.\n1A\\3u\u0013\tQwMA\u0002V%&\u000bA\"\u00197m_^|e.\u0012:s_J,\u0012!\u001c\t\u0003;:L!a\u001c)\u0003\u000f\t{w\u000e\\3b]\u0006Q1/\u001e9feV\u001bXM]:\u0016\u0003I\u00042a\u001d={\u001b\u0005!(BA;w\u0003%IW.\\;uC\ndWM\u0003\u0002x!\u0006Q1m\u001c7mK\u000e$\u0018n\u001c8\n\u0005e$(\u0001\u0002'jgR\u0004\"\u0001K>\n\u0005eK\u0013\u0001E7bq\u000e\u000b7\r[3DCB\f7-\u001b;z+\u0005q\bCA/��\u0013\r\t\t\u0001\u0015\u0002\u0004\u0013:$\u0018A\u0004;skN$8\u000b^8sKB\u000bG\u000f[\u000b\u0003\u0003\u000f\u0001B!XA\u0005/&\u0019\u00111\u0002)\u0003\r=\u0003H/[8o\u0003I!(/^:u'R|'/\u001a)bgN<xN\u001d3\u0002\u001dQ\u0014Xo\u001d;Ti>\u0014X\rV=qK\u00069Q.\u001a;sS\u000e\u001cXCAA\u000b!\u0015i\u0016\u0011BA\f!\u0011\tI\"!\t\u000e\u0005\u0005m!\u0002BA\t\u0003;Q1!a\b6\u0003\u0019\u0019w.\\7p]&!\u00111EA\u000e\u0005\u001diU\r\u001e:jGN\f1\"\\3ue&\u001c7o\u0018\u0013fcR\u0019A,!\u000b\t\u0011\u0005l\u0011\u0011!a\u0001\u0003+\t\u0001\"\\3ue&\u001c7\u000fI\u0001\u0006G\u0006\u001c\u0007.Z\u000b\u0003\u0003c\u0001r!a\r\u0002>\u0005\u0005S.\u0004\u0002\u00026)!\u0011QFA\u001c\u0015\u0011\ty\"!\u000f\u000b\u0007\u0005m\u0002)\u0001\u0004h_><G.Z\u0005\u0005\u0003\u007f\t)DA\u0003DC\u000eDW\rE\u0002H\u0003\u0007J1!!\u0012 
\u0005A\u0019\u0015m\u00195fC\ndWMU3rk\u0016\u001cH/A\u0005bkRDwN]5{KR1\u00111JA.\u0003K\u0002b!!\u0014\u0002T\u0005USBAA(\u0015\r\t\tfK\u0001\u0005kRLG.C\u0002z\u0003\u001f\u00022\u0001MA,\u0013\r\tI&\r\u0002\u0014\u0003V$\bn\u001c:ju\u0006$\u0018n\u001c8SKN,H\u000e\u001e\u0005\b\u0003;\u0002\u0002\u0019AA0\u00039\u0011X-];fgR\u001cuN\u001c;fqR\u00042\u0001MA1\u0013\r\t\u0019'\r\u0002\u001b\u0003V$\bn\u001c:ju\u0006\u0014G.\u001a*fcV,7\u000f^\"p]R,\u0007\u0010\u001e\u0005\b\u0003O\u0002\u0002\u0019AA5\u0003\u001d\t7\r^5p]N\u0004b!!\u0014\u0002T\u0005-\u0004c\u0001\u0019\u0002n%\u0019\u0011qN\u0019\u0003\r\u0005\u001bG/[8o\u0003%\u0019wN\u001c4jOV\u0014X\rF\u0002]\u0003kBq!a\u001e\u0012\u0001\u0004\tI(A\u0004d_:4\u0017nZ:1\t\u0005m\u00141\u0011\t\b\u0003\u001b\nihVA@\u0013\r)\u0016q\n\t\u0005\u0003\u0003\u000b\u0019\t\u0004\u0001\u0005\u0019\u0005\u0015\u0015QOA\u0001\u0002\u0003\u0015\t!a\"\u0003\u0007}#\u0013'\u0005\u0003\u0002\n\u0006=\u0005cA/\u0002\f&\u0019\u0011Q\u0012)\u0003\u000f9{G\u000f[5oOB\u0019Q,!%\n\u0007\u0005M\u0005KA\u0002B]f\fQa\u001d;beR$B!!'\u0002@B\"\u00111TAT!!\ti%! 
\u0002\u001e\u0006\u0015\u0006\u0003BAP\u0003Ck!!!\b\n\t\u0005\r\u0016Q\u0004\u0002\t\u000b:$\u0007o\\5oiB!\u0011\u0011QAT\t-\tIKEA\u0001\u0002\u0003\u0015\t!a+\u0003\u0007}##'\u0005\u0003\u0002\n\u00065\u0006CBAX\u0003k\u000bI,\u0004\u0002\u00022*!\u00111WA(\u0003)\u0019wN\\2veJ,g\u000e^\u0005\u0005\u0003o\u000b\tLA\bD_6\u0004H.\u001a;j_:\u001cF/Y4f!\rA\u00131X\u0005\u0004\u0003{K#\u0001\u0002,pS\u0012Dq!!1\u0013\u0001\u0004\t\u0019-\u0001\u000bbkRDwN]5{KJ\u001cVM\u001d<fe&sgm\u001c\t\u0004a\u0005\u0015\u0017bAAdc\t!\u0012)\u001e;i_JL'0\u001a:TKJ4XM]%oM>\f\u0011#\\1zE\u0016\u001cV\r^;q\u001b\u0016$(/[2t)\u0015a\u0016QZAi\u0011\u0019\tym\u0005a\u0001/\u0006I1\r\\;ti\u0016\u0014\u0018\n\u001a\u0005\u0007\u0003'\u001c\u0002\u0019\u0001@\u0002\u0011\t\u0014xn[3s\u0013\u0012\fAc\u0019:fCR,W*\u001a;sS\u000e\u001c8i\u001c8uKb$HCBAm\u0003?\f\t\u000f\u0005\u0003\u0002\u001a\u0005m\u0017\u0002BAo\u00037\u0011a\"T3ue&\u001c7oQ8oi\u0016DH\u000f\u0003\u0004\u0002PR\u0001\ra\u0016\u0005\u0007\u0003'$\u0002\u0019\u0001@\u0002\u0011\u001d,GoQ1dQ\u0016D3!FAt!\u0011\tI/a<\u000e\u0005\u0005-(\u0002BAw\u0003o\t1\"\u00198o_R\fG/[8og&!\u0011\u0011_Av\u0005E1\u0016n]5cY\u00164uN\u001d+fgRLgnZ\u0001\u0006G2|7/\u001a\u000b\u00029\u0006!\u0011m\u00197t)\u0011\tYP!\u0004\u0011\u000b!\niP!\u0001\n\u0007\u0005}\u0018F\u0001\u0005Ji\u0016\u0014\u0018M\u00197f!\u0011\u0011\u0019A!\u0003\u000e\u0005\t\u0015!\u0002\u0002B\u0004\u0003;\t1!Y2m\u0013\u0011\u0011YA!\u0002\u0003\u0015\u0005\u001bGNQ5oI&tw\rC\u0004\u0002x^\u0001\rAa\u0004\u0011\t\t\r!\u0011C\u0005\u0005\u0005'\u0011)A\u0001\tBG2\u0014\u0015N\u001c3j]\u001e4\u0015\u000e\u001c;fe\u0006QA-\u001a7fi\u0016\f5\r\\:\u0015\r\te!Q\u0006B\u0018a\u0011\u0011YBa\b\u0011\r\u00055\u00131\u000bB\u000f!\u0011\t\tIa\b\u0005\u0017\t\u0005\u0002$!A\u0001\u0002\u000b\u0005!1\u0005\u0002\u0004?\u0012\u001a\u0014\u0003BAE\u0005K\u0001b!a,\u00026\n\u001d\u0002c\u0001\u0019\u0003*%\u0019!1F\u0019\u0003\u001f\u0005\u001bG\u000eR3mKR,'+Z:vYRDq!!\u0018\u0019\u000
1\u0004\ty\u0006C\u0004\u00032a\u0001\rAa\r\u0002#\u0005\u001cGNQ5oI&twMR5mi\u0016\u00148\u000f\u0005\u0004\u0002N\u0005M#qB\u0001\u000bGJ,\u0017\r^3BG2\u001cHC\u0002B\u001d\u0005\u001b\u0012y\u0005\r\u0003\u0003<\t}\u0002CBA'\u0003'\u0012i\u0004\u0005\u0003\u0002\u0002\n}Ba\u0003B!3\u0005\u0005\t\u0011!B\u0001\u0005\u0007\u00121a\u0018\u00135#\u0011\tII!\u0012\u0011\r\u0005=\u0016Q\u0017B$!\r\u0001$\u0011J\u0005\u0004\u0005\u0017\n$aD!dY\u000e\u0013X-\u0019;f%\u0016\u001cX\u000f\u001c;\t\u000f\u0005u\u0013\u00041\u0001\u0002`!9!\u0011K\rA\u0002\tM\u0013aC1dY\nKg\u000eZ5oON\u0004b!!\u0014\u0002T\t\u0005\u0011aD1vi\"|'/\u001b>f\u0003\u000e$\u0018n\u001c8\u0015\r\u0005U#\u0011\fB.\u0011\u001d\tiF\u0007a\u0001\u0003?BqA!\u0018\u001b\u0001\u0004\tY'\u0001\u0004bGRLwN\\\u0001\u0018CV$\bn\u001c:ju\u0016\u0014\u0015PU3t_V\u00148-\u001a+za\u0016$\u0002\"!\u0016\u0003d\t\u0015$q\u000e\u0005\b\u0003;Z\u0002\u0019AA0\u0011\u001d\u00119g\u0007a\u0001\u0005S\n!a\u001c9\u0011\t\t\r!1N\u0005\u0005\u0005[\u0012)A\u0001\u0007BG2|\u0005/\u001a:bi&|g\u000eC\u0004\u0003rm\u0001\rAa\u001d\u0002\u0019I,7o\\;sG\u0016$\u0016\u0010]3\u0011\t\tU$1P\u0007\u0003\u0005oRAA!\u001f\u0002\u001e\u0005A!/Z:pkJ\u001cW-\u0003\u0003\u0003~\t]$\u0001\u0004*fg>,(oY3UsB,\u0017a\u00033p\u0003V$\bn\u001c:ju\u0016$b!!\u0016\u0003\u0004\n\u0015\u0005bBA/9\u0001\u0007\u0011q\f\u0005\b\u0005;b\u0002\u0019AA6\u0003-I7oU;qKJ,6/\u001a:\u0015\u00075\u0014Y\tC\u0004\u0003\u000ev\u0001\rAa$\u0002\u0013A\u0014\u0018N\\2ja\u0006d\u0007\u0003\u0002BI\u00057k!Aa%\u000b\t\tU%qS\u0001\u0005CV$\bN\u0003\u0003\u0003\u001a\u0006u\u0011\u0001C:fGV\u0014\u0018\u000e^=\n\t\tu%1\u0013\u0002\u000f\u0017\u000647.\u0019)sS:\u001c\u0017\u000e]1m\u0001")
/* loaded from: input_file:org/openpolicyagent/kafka/OpaAuthorizer.class */
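/*
 * Kafka Authorizer whose allow/deny decisions come from AllowCallable, which is handed the
 * configured "opa.authorizer.url" (AllowCallable, CacheableRequest, Request, Input and
 * MetricsLabel are defined elsewhere in this package and are not shown here).
 *
 * This is decompiler output for a Scala class: the *$lzycompute methods and the bitmap$0 /
 * bitmap$trans$0 fields are the compiler's encoding of lazy vals, one bit per value.
 *
 * Configuration keys read by this class and the defaults visible in it:
 *   opa.authorizer.url                         (no default; read on first use)
 *   opa.authorizer.allow.on.error              "false"
 *   super.users                                ""  (split on ';')
 *   opa.authorizer.cache.initial.capacity      "5000"
 *   opa.authorizer.cache.maximum.size          "50000"
 *   opa.authorizer.cache.expire.after.seconds  "3600"
 *   opa.authorizer.truststore.path             (unset: configure() leaves the HTTP client alone)
 *   opa.authorizer.truststore.password         "changeit"
 *   opa.authorizer.truststore.type             "PKCS12"
 *   opa.authorizer.metrics.enabled             "false"
 *
 * Points a reviewer of a deployment should keep in mind:
 *   - allow.on.error=true turns a failed decision lookup into ALLOWED (see allowAccess$1).
 *   - Decisions are cached per (principal, action, client address) until the write-expiry
 *     elapses, so a policy change is not seen for an already cached key before then.
 *   - super.users entries short-circuit the policy lookup entirely (see doAuthorize).
 */
public class OpaAuthorizer implements Authorizer, LazyLogging {
    private URI opaUrl;
    private boolean allowOnError;
    private List<String> superUsers;
    private int maxCacheCapacity;
    private Option<String> trustStorePath;
    private Option<String> trustStorePassword;
    private Option<String> trustStoreType;
    private Cache<CacheableRequest, Object> cache;
    private Map<String, String> config;
    private Option<Metrics> metrics;
    private transient Logger logger;
    // Set once the lazy logger has been created.
    private volatile transient boolean bitmap$trans$0;
    // One bit per lazy value: 1 opaUrl, 2 allowOnError, 4 superUsers, 8 maxCacheCapacity,
    // 16 trustStorePath, 32 trustStorePassword, 64 trustStoreType, 128 cache.
    private volatile byte bitmap$0;

    /** Creates the logger under the instance lock the first time it is needed. */
    private Logger logger$lzycompute() {
        synchronized (this) {
            if (!this.bitmap$trans$0) {
                this.logger = LazyLogging.logger$(this);
                this.bitmap$trans$0 = true;
            }
        }
        return this.logger;
    }

    /** Returns the lazily created logger. */
    public Logger logger() {
        return !this.bitmap$trans$0 ? logger$lzycompute() : this.logger;
    }

    /** Returns the configuration captured by the last {@link #configure} call (empty before it). */
    private Map<String, String> config() {
        return this.config;
    }

    private void config_$eq(Map<String, String> map) {
        this.config = map;
    }

    /**
     * Parses "opa.authorizer.url" on first use. The key has no default, so a missing entry
     * fails in {@code apply}, and a malformed value fails in the URL/URI conversion.
     */
    private URI opaUrl$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 1)) == 0) {
                this.opaUrl = new URL((String) config().apply("opa.authorizer.url")).toURI();
                this.bitmap$0 = (byte) (this.bitmap$0 | 1);
            }
        }
        return this.opaUrl;
    }

    private URI opaUrl() {
        return ((byte) (this.bitmap$0 & 1)) == 0 ? opaUrl$lzycompute() : this.opaUrl;
    }

    /**
     * Reads "opa.authorizer.allow.on.error" (default "false") on first use. When true, a
     * failed decision lookup is answered with ALLOWED instead of DENIED, i.e. the
     * authorizer fails open.
     */
    private boolean allowOnError$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 2)) == 0) {
                this.allowOnError = StringOps$.MODULE$.toBoolean$extension(Predef$.MODULE$.augmentString((String) config().getOrElse("opa.authorizer.allow.on.error", () -> "false")));
                this.bitmap$0 = (byte) (this.bitmap$0 | 2);
            }
        }
        return this.allowOnError;
    }

    private boolean allowOnError() {
        return ((byte) (this.bitmap$0 & 2)) == 0 ? allowOnError$lzycompute() : this.allowOnError;
    }

    /**
     * Splits "super.users" on ';' on first use. Entries are not trimmed and are later compared
     * with {@code KafkaPrincipal.toString()} for exact equality, so stray whitespace around an
     * entry makes it match nobody.
     */
    private List<String> superUsers$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 4)) == 0) {
                this.superUsers = Predef$.MODULE$.wrapRefArray(((String) config().getOrElse("super.users", () -> "")).split(";")).toList();
                this.bitmap$0 = (byte) (this.bitmap$0 | 4);
            }
        }
        return this.superUsers;
    }

    private List<String> superUsers() {
        return ((byte) (this.bitmap$0 & 4)) == 0 ? superUsers$lzycompute() : this.superUsers;
    }

    /** Reads "opa.authorizer.cache.maximum.size" (default "50000") on first use. */
    private int maxCacheCapacity$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 8)) == 0) {
                this.maxCacheCapacity = StringOps$.MODULE$.toInt$extension(Predef$.MODULE$.augmentString((String) config().getOrElse("opa.authorizer.cache.maximum.size", () -> "50000")));
                this.bitmap$0 = (byte) (this.bitmap$0 | 8);
            }
        }
        return this.maxCacheCapacity;
    }

    private int maxCacheCapacity() {
        return ((byte) (this.bitmap$0 & 8)) == 0 ? maxCacheCapacity$lzycompute() : this.maxCacheCapacity;
    }

    /** Reads the optional "opa.authorizer.truststore.path" on first use. */
    private Option<String> trustStorePath$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 16)) == 0) {
                this.trustStorePath = config().get("opa.authorizer.truststore.path");
                this.bitmap$0 = (byte) (this.bitmap$0 | 16);
            }
        }
        return this.trustStorePath;
    }

    private Option<String> trustStorePath() {
        return ((byte) (this.bitmap$0 & 16)) == 0 ? trustStorePath$lzycompute() : this.trustStorePath;
    }

    /** Reads the optional "opa.authorizer.truststore.password" on first use. */
    private Option<String> trustStorePassword$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 32)) == 0) {
                this.trustStorePassword = config().get("opa.authorizer.truststore.password");
                this.bitmap$0 = (byte) (this.bitmap$0 | 32);
            }
        }
        return this.trustStorePassword;
    }

    private Option<String> trustStorePassword() {
        return ((byte) (this.bitmap$0 & 32)) == 0 ? trustStorePassword$lzycompute() : this.trustStorePassword;
    }

    /** Reads the optional "opa.authorizer.truststore.type" on first use. */
    private Option<String> trustStoreType$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 64)) == 0) {
                this.trustStoreType = config().get("opa.authorizer.truststore.type");
                this.bitmap$0 = (byte) (this.bitmap$0 | 64);
            }
        }
        return this.trustStoreType;
    }

    private Option<String> trustStoreType() {
        return ((byte) (this.bitmap$0 & 64)) == 0 ? trustStoreType$lzycompute() : this.trustStoreType;
    }

    /** Returns the metrics registry, defined only after {@link #maybeSetupMetrics} enabled it. */
    private Option<Metrics> metrics() {
        return this.metrics;
    }

    private void metrics_$eq(Option<Metrics> option) {
        this.metrics = option;
    }

    /**
     * Builds the decision cache on first use: initial capacity from
     * "opa.authorizer.cache.initial.capacity" (default "5000"), maximum size from
     * {@link #maxCacheCapacity()}, write-expiry from "opa.authorizer.cache.expire.after.seconds"
     * (default "3600"), with statistics recording on.
     */
    private Cache<CacheableRequest, Object> cache$lzycompute() {
        synchronized (this) {
            if (((byte) (this.bitmap$0 & 128)) == 0) {
                int initialCapacity = StringOps$.MODULE$.toInt$extension(Predef$.MODULE$.augmentString((String) config().getOrElse("opa.authorizer.cache.initial.capacity", () -> "5000")));
                int expireAfterSeconds = StringOps$.MODULE$.toInt$extension(Predef$.MODULE$.augmentString((String) config().getOrElse("opa.authorizer.cache.expire.after.seconds", () -> "3600")));
                this.cache = CacheBuilder.newBuilder()
                        .initialCapacity(initialCapacity)
                        .maximumSize(maxCacheCapacity())
                        .expireAfterWrite(expireAfterSeconds, TimeUnit.SECONDS)
                        .recordStats()
                        .build();
                this.bitmap$0 = (byte) (this.bitmap$0 | 128);
            }
        }
        return this.cache;
    }

    private Cache<CacheableRequest, Object> cache() {
        return ((byte) (this.bitmap$0 & 128)) == 0 ? cache$lzycompute() : this.cache;
    }

    /**
     * Authorizes every action of a request, one result per action in the same order.
     *
     * @param authorizableRequestContext the request being authorized
     * @param list the actions to decide on
     * @return the decision for each action
     * @throws IllegalArgumentException if an action's resource pattern is not LITERAL
     */
    public java.util.List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, java.util.List<Action> list) {
        return CollectionConverters$.MODULE$.BufferHasAsJava((Buffer) CollectionConverters$.MODULE$.ListHasAsScala(list).asScala().map(action -> {
            return this.authorizeAction(authorizableRequestContext, action);
        })).asJava();
    }

    /**
     * Captures the configuration and, when a truststore path is set, installs an HTTP client
     * that trusts only that truststore.
     *
     * <p>Every value is cast to {@code String}; a non-string value fails with a
     * {@code ClassCastException} when the map is materialised.
     *
     * @param map the configuration map handed to the authorizer
     */
    public void configure(java.util.Map<String, ?> map) {
        if (logger().underlying().isDebugEnabled()) {
            // The map carries "opa.authorizer.truststore.password", so it is masked before logging.
            logger().underlying().debug("Call to configure() with config {}", redactSecrets(map));
        }
        config_$eq(CollectionConverters$.MODULE$.MapHasAsScala(map).asScala().view().mapValues(obj -> {
            return (String) obj;
        }).toMap($less$colon$less$.MODULE$.refl()));
        if (!trustStorePath().isDefined()) {
            return;
        }
        if (logger().underlying().isInfoEnabled()) {
            logger().underlying().info("Enabling TLS truststore");
        }
        if (trustStorePassword().isEmpty() && logger().underlying().isInfoEnabled()) {
            logger().underlying().info("property 'opa.authorizer.truststore.password' not set. using default!");
        }
        try {
            KeyStore keyStore = KeyStore.getInstance((String) trustStoreType().getOrElse(() -> "PKCS12"));
            char[] password = ((String) trustStorePassword().getOrElse(() -> "changeit")).toCharArray();
            // try-with-resources: the stream is closed even when load() rejects the file or password.
            try (FileInputStream trustStoreStream = new FileInputStream(new File((String) trustStorePath().getOrElse(() -> "")))) {
                keyStore.load(trustStoreStream, password);
            }
            // The trust manager factory has its own default algorithm; the KeyManagerFactory
            // default that was passed here before is the wrong lookup key for it.
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            // Empty key manager array: no client certificate is offered.
            sSLContext.init(new KeyManager[0], trustManagers, null);
            // Replaces the client held by the AllowCallable companion object.
            AllowCallable$.MODULE$.client_$eq(HttpClient.newBuilder().sslContext(sSLContext).connectTimeout(Duration.ofSeconds(5L)).build());
        } catch (Throwable th) {
            // Logged and swallowed: the client held by AllowCallable stays as it was.
            // NOTE(review): what that client trusts is not visible here - confirm that a broken
            // truststore cannot leave the broker talking to OPA under a different trust setup.
            if (logger().underlying().isErrorEnabled()) {
                logger().underlying().error("Failed to load truststore", th);
            }
        }
    }

    /**
     * Returns a copy of the configuration for logging in which the value of every key whose
     * name contains "password" is masked. This is a name-based filter only; secrets stored
     * under other key names are not recognised.
     */
    private static java.util.Map<String, Object> redactSecrets(java.util.Map<String, ?> map) {
        java.util.Map<String, Object> safe = new java.util.LinkedHashMap<>();
        for (java.util.Map.Entry<String, ?> entry : map.entrySet()) {
            String key = entry.getKey();
            boolean secret = key != null && key.toLowerCase(java.util.Locale.ROOT).contains("password");
            safe.put(key, secret ? "[redacted]" : entry.getValue());
        }
        return safe;
    }

    /**
     * Sets up metrics if enabled and reports every endpoint as ready immediately.
     *
     * @param authorizerServerInfo broker information supplying cluster id, broker id and endpoints
     * @return each endpoint mapped to an already completed future
     */
    public java.util.Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        maybeSetupMetrics(authorizerServerInfo.clusterResource().clusterId(), authorizerServerInfo.brokerId());
        return CollectionConverters$.MODULE$.MapHasAsJava(((IterableOnceOps) CollectionConverters$.MODULE$.CollectionHasAsScala(authorizerServerInfo.endpoints()).asScala().map(endpoint -> {
            return Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(endpoint), CompletableFuture.completedFuture(null));
        })).toMap($less$colon$less$.MODULE$.refl())).asJava();
    }

    /**
     * Creates the metrics registry, a JMX reporter and the five sensors when
     * "opa.authorizer.metrics.enabled" (default "false") is true; otherwise does nothing.
     *
     * @param str the cluster id used in the metrics context
     * @param i the broker id used in the metrics context
     */
    public void maybeSetupMetrics(String str, int i) {
        boolean enabled = StringOps$.MODULE$.toBoolean$extension(Predef$.MODULE$.augmentString((String) config().getOrElse("opa.authorizer.metrics.enabled", () -> "false")));
        if (!enabled) {
            return;
        }
        Metrics registry = new Metrics();
        metrics_$eq(Option$.MODULE$.apply(registry));
        JmxReporter jmxReporter = new JmxReporter();
        jmxReporter.contextChange(createMetricsContext(str, i));
        registry.addReporter(jmxReporter);
        registry.sensor(MetricsLabel$.MODULE$.AUTHORIZED_REQUEST_COUNT()).add(registry.metricName(MetricsLabel$.MODULE$.AUTHORIZED_REQUEST_COUNT(), MetricsLabel$.MODULE$.RESULT_GROUP()), new CumulativeCount());
        registry.sensor(MetricsLabel$.MODULE$.UNAUTHORIZED_REQUEST_COUNT()).add(registry.metricName(MetricsLabel$.MODULE$.UNAUTHORIZED_REQUEST_COUNT(), MetricsLabel$.MODULE$.RESULT_GROUP()), new CumulativeCount());
        registry.sensor(MetricsLabel$.MODULE$.REQUEST_TO_OPA_COUNT()).add(registry.metricName(MetricsLabel$.MODULE$.REQUEST_TO_OPA_COUNT(), MetricsLabel$.MODULE$.REQUEST_HANDLE_GROUP()), new CumulativeCount());
        registry.sensor(MetricsLabel$.MODULE$.CACHE_HIT_RATE()).add(registry.metricName(MetricsLabel$.MODULE$.CACHE_HIT_RATE(), MetricsLabel$.MODULE$.REQUEST_HANDLE_GROUP()), new Value());
        registry.sensor(MetricsLabel$.MODULE$.CACHE_USAGE_PERCENTAGE()).add(registry.metricName(MetricsLabel$.MODULE$.CACHE_USAGE_PERCENTAGE(), MetricsLabel$.MODULE$.REQUEST_HANDLE_GROUP()), new Value());
    }

    /** Builds the metrics context labelled with "kafka.cluster.id" and "kafka.broker.id". */
    private MetricsContext createMetricsContext(String str, int i) {
        return new KafkaMetricsContext(MetricsLabel$.MODULE$.NAMESPACE(), CollectionConverters$.MODULE$.MapHasAsJava((scala.collection.Map) Predef$.MODULE$.Map().apply(ScalaRunTime$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("kafka.cluster.id"), str), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("kafka.broker.id"), Integer.toString(i))}))).asJava());
    }

    /** Exposes the decision cache to tests. */
    @VisibleForTesting
    public Cache<CacheableRequest, Object> getCache() {
        return cache();
    }

    /** No-op: this class releases nothing on close. */
    public void close() {
    }

    /** Not implemented (Scala {@code ???}): ACLs are not stored by this authorizer. */
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        throw Predef$.MODULE$.$qmark$qmark$qmark();
    }

    /** Not implemented (Scala {@code ???}). */
    public java.util.List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, java.util.List<AclBindingFilter> list) {
        throw Predef$.MODULE$.$qmark$qmark$qmark();
    }

    /** Not implemented (Scala {@code ???}). */
    public java.util.List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, java.util.List<AclBinding> list) {
        throw Predef$.MODULE$.$qmark$qmark$qmark();
    }

    /**
     * Decides a single action and, when metrics are enabled, records cache statistics and the
     * outcome. Private in the Scala source; the decompiler widened it for the lambda in
     * {@link #authorize}.
     *
     * @throws IllegalArgumentException if the action's resource pattern is not LITERAL
     */
    public AuthorizationResult authorizeAction(AuthorizableRequestContext authorizableRequestContext, Action action) {
        ResourcePattern resourcePattern = action.resourcePattern();
        if (resourcePattern.patternType() != PatternType.LITERAL) {
            throw new IllegalArgumentException("Only literal resources are supported. Got: " + resourcePattern.patternType());
        }
        AuthorizationResult decision = doAuthorize(authorizableRequestContext, action);
        if (metrics().isDefined()) {
            Metrics registry = metrics().get();
            registry.sensor(MetricsLabel$.MODULE$.CACHE_HIT_RATE()).record(cache().stats().hitRate());
            // Floating-point ratio: the former long/int division truncated to 0 until the cache
            // was full and threw ArithmeticException for a configured maximum size of 0.
            int capacity = maxCacheCapacity();
            double usage = capacity > 0 ? (double) cache().size() / capacity : 0.0d;
            registry.sensor(MetricsLabel$.MODULE$.CACHE_USAGE_PERCENTAGE()).record(usage);
            if (AuthorizationResult.DENIED.equals(decision)) {
                registry.sensor(MetricsLabel$.MODULE$.UNAUTHORIZED_REQUEST_COUNT()).record();
            } else if (AuthorizationResult.ALLOWED.equals(decision)) {
                registry.sensor(MetricsLabel$.MODULE$.AUTHORIZED_REQUEST_COUNT()).record();
            } else {
                throw new MatchError(decision);
            }
        }
        return decision;
    }

    /**
     * Decides whether the principal may perform the operation on some resource of the given
     * type by asking for a PREFIXED pattern with an empty name.
     *
     * <p>This goes straight to {@code doAuthorize}, so neither the LITERAL-only check nor the
     * metrics recording of {@link #authorizeAction} applies; the policy side has to handle
     * the PREFIXED/empty-name input explicitly.
     */
    public AuthorizationResult authorizeByResourceType(AuthorizableRequestContext authorizableRequestContext, AclOperation aclOperation, ResourceType resourceType) {
        return doAuthorize(authorizableRequestContext, new Action(aclOperation, new ResourcePattern(resourceType, "", PatternType.PREFIXED), 0, true, true));
    }

    /**
     * Core decision: super users are allowed without any lookup; everyone else gets the cached
     * or freshly fetched decision for (principal, action, client host address).
     */
    private AuthorizationResult doAuthorize(AuthorizableRequestContext authorizableRequestContext, Action action) {
        KafkaPrincipal principal = authorizableRequestContext.principal();
        // A KafkaPrincipal subclass is reduced to a plain KafkaPrincipal carrying type and name
        // only, so the cache key and the super-user comparison see one canonical form.
        KafkaPrincipal kafkaPrincipal = !KafkaPrincipal.class.equals(principal.getClass()) ? new KafkaPrincipal(principal.getPrincipalType(), principal.getName()) : principal;
        if (isSuperUser(kafkaPrincipal)) {
            return AuthorizationResult.ALLOWED;
        }
        CacheableRequest cacheKey = new CacheableRequest(kafkaPrincipal, action, authorizableRequestContext.clientAddress().getHostAddress());
        Request request = new Request(new Input(authorizableRequestContext, action));
        return allowAccess$1(cacheKey, request) ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
    }

    /**
     * Reports whether the principal's string form appears verbatim in "super.users".
     *
     * @param kafkaPrincipal the principal to look up
     * @return true if it is configured as a super user
     */
    public boolean isSuperUser(KafkaPrincipal kafkaPrincipal) {
        if (!superUsers().contains(kafkaPrincipal.toString())) {
            return false;
        }
        if (logger().underlying().isTraceEnabled()) {
            logger().underlying().trace("User {} is super user", kafkaPrincipal);
        }
        return true;
    }

    /**
     * Looks the decision up in the cache, loading it through AllowCallable on a miss.
     *
     * <p>An {@code ExecutionException} from the loader is logged and answered with the
     * "opa.authorizer.allow.on.error" setting, so with that setting true any such failure
     * grants access. Only {@code ExecutionException} is caught here; unchecked failures that
     * the cache wraps differently propagate to the caller.
     * NOTE(review): whether AllowCallable applies allowOnError itself, and whether such a
     * fallback result ends up cached for the full expiry, is not visible here - confirm.
     */
    private final boolean allowAccess$1(CacheableRequest cacheableRequest, Request request) {
        try {
            return BoxesRunTime.unboxToBoolean(cache().get(cacheableRequest, new AllowCallable(request, opaUrl(), allowOnError(), metrics())));
        } catch (ExecutionException e) {
            if (logger().underlying().isWarnEnabled()) {
                logger().underlying().warn("Exception in decision retrieval: {}", e.getMessage());
            }
            if (logger().underlying().isTraceEnabled()) {
                logger().underlying().trace("Exception trace", e);
            }
            return allowOnError();
        }
    }

    /** Starts with an empty configuration and metrics disabled until configure()/start() run. */
    public OpaAuthorizer() {
        LazyLogging.$init$(this);
        this.config = Predef$.MODULE$.Map().empty();
        this.metrics = None$.MODULE$;
    }
}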
