package com.floragunn.searchguard.enterprise.dlsfls.legacy;

import com.floragunn.codova.documents.Parser;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.searchguard.authc.legacy.LegacySgConfig;
import com.floragunn.searchguard.authz.config.AuthorizationConfig;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.license.LicenseChangeListener;
import com.floragunn.searchguard.license.SearchGuardLicense;
import com.floragunn.searchsupport.StaticSettings;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.Arrays;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.indices.cache.clear.ClearIndicesCacheRequest;
import org.elasticsearch.action.admin.indices.cache.clear.ClearIndicesCacheResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/legacy/DlsFlsComplianceConfig.class */
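/**
 * Compliance settings for the legacy DLS/FLS module: the static 16-byte salt, an optional
 * second salt taken from the dynamic authorization configuration, the optional mask prefix,
 * and a flag that follows the COMPLIANCE license feature.
 *
 * <p>The salts are secret material. They must never be written to logs, and getters hand out
 * copies so that callers cannot modify the stored arrays.
 *
 * <p>{@code enabled} and {@code salt2_16} are written from listener callbacks and read through
 * the getters, so both are {@code volatile}. NOTE(review): the threads on which the listeners
 * run are not visible in this file - confirm.
 */
public class DlsFlsComplianceConfig implements LicenseChangeListener {
    /**
     * Fallback used when {@code searchguard.compliance.salt} is not configured. The value ships
     * with the software and is therefore publicly known, so it gives no secrecy on its own.
     */
    private static final String DEFAULT_SALT = "e1ukloTsQlOgPquJ";

    /** Number of salt bytes that are actually used; longer values are truncated. */
    private static final int SALT_LENGTH = 16;

    private final Settings settings;
    private final byte[] salt16;
    private final boolean localHashingEnabled;
    // Replaced as a whole array by setFieldAnonymizationSalt2; volatile so readers see the update.
    private volatile byte[] salt2_16;
    private final byte[] maskPrefix;
    private final Client client;
    private final Logger log = LogManager.getLogger(getClass());
    private volatile boolean enabled = true;

    /**
     * Reads the static compliance settings and subscribes to configuration changes so that the
     * second salt follows the authorization configuration.
     *
     * @param settings node settings providing the {@code searchguard.compliance.*} keys
     * @param configurationRepository repository whose change notifications deliver the authz
     *     (or legacy sg_config) configuration
     * @param client client used to clear the request cache when the second salt changes
     * @throws ElasticsearchException if {@code searchguard.compliance.salt} is shorter than 16 bytes
     */
    public DlsFlsComplianceConfig(Settings settings, ConfigurationRepository configurationRepository, Client client) {
        this.settings = settings;
        this.client = client;
        this.localHashingEnabled = this.settings.getAsBoolean("searchguard.compliance.local_hashing_enabled", false).booleanValue();

        String configuredSalt = settings.get("searchguard.compliance.salt", DEFAULT_SALT);
        if (DEFAULT_SALT.equals(configuredSalt)) {
            // A salt that everyone knows does not protect the hashed values against guessing.
            this.log.warn("searchguard.compliance.salt is not set or equals the built-in default. Configure a unique, secret salt of at least 16 bytes");
        }
        byte[] saltBytes = configuredSalt.getBytes(StandardCharsets.UTF_8);
        if (saltBytes.length < SALT_LENGTH) {
            throw new ElasticsearchException("searchguard.compliance.salt must at least contain 16 bytes");
        }
        if (saltBytes.length > SALT_LENGTH) {
            this.log.warn("searchguard.compliance.salt is greater than 16 bytes. Only the first 16 bytes are used for salting");
        }
        this.salt16 = Arrays.copyOf(saltBytes, SALT_LENGTH);

        String prefix = settings.get("searchguard.compliance.mask_prefix", (String) null);
        this.maskPrefix = (prefix == null || prefix.isEmpty()) ? null : prefix.getBytes(StandardCharsets.UTF_8);

        configurationRepository.subscribeOnChange(configMap -> {
            SgDynamicConfiguration authz = configMap.get(CType.AUTHZ);
            SgDynamicConfiguration legacy = configMap.get(CType.CONFIG);

            // The dedicated authz configuration takes precedence over the legacy sg_config.
            if (authz != null && authz.getCEntry("default") != null) {
                AuthorizationConfig authorizationConfig = (AuthorizationConfig) authz.getCEntry("default");
                setFieldAnonymizationSalt2(authorizationConfig.getFieldAnonymizationSalt());
                // NOTE(review): this prints the whole configuration object. If its string form
                // contains the field anonymization salt, the secret ends up in the log - confirm.
                this.log.info("Updated authz config:\n" + authz);
                if (this.log.isDebugEnabled()) {
                    this.log.debug(authorizationConfig);
                }
                return;
            }

            if (legacy == null || legacy.getCEntry("sg_config") == null) {
                return;
            }
            try {
                AuthorizationConfig parsed = AuthorizationConfig.parseLegacySgConfig(
                        ((LegacySgConfig) legacy.getCEntry("sg_config")).getSource(),
                        (Parser.Context) null,
                        new StaticSettings(settings, (Path) null));
                setFieldAnonymizationSalt2(parsed.getFieldAnonymizationSalt());
                // NOTE(review): same concern as above about the salt in the printed configuration.
                this.log.info("Updated authz config (legacy):\n" + legacy);
                if (this.log.isDebugEnabled()) {
                    this.log.debug(parsed);
                }
            } catch (ConfigValidationException e) {
                // Pass the exception itself so the stack trace is kept.
                this.log.error("Error while parsing sg_config", e);
            }
        });
    }

    /**
     * Enables this configuration only while the license carries the COMPLIANCE feature.
     *
     * @param searchGuardLicense the current license, or {@code null} when there is none
     */
    public void onChange(SearchGuardLicense searchGuardLicense) {
        this.enabled = searchGuardLicense != null && searchGuardLicense.hasFeature(SearchGuardLicense.Feature.COMPLIANCE);
    }

    /** @return whether the COMPLIANCE license feature is currently available */
    public boolean isEnabled() {
        return this.enabled;
    }

    /** @return a copy of the 16-byte static salt */
    public byte[] getSalt16() {
        return this.salt16.clone();
    }

    /** @return the value of {@code searchguard.compliance.local_hashing_enabled} */
    public boolean isLocalHashingEnabled() {
        return this.localHashingEnabled;
    }

    /**
     * Stores the first 16 bytes of the dynamic second salt and clears the request cache when the
     * value changed. Does nothing when local hashing is disabled or no salt is supplied.
     *
     * <p>A salt shorter than 16 bytes is rejected and the previous value is kept. Accepting it
     * would silently zero-pad the salt and contradict the logged requirement.
     *
     * @param str the configured salt, may be {@code null}
     */
    private void setFieldAnonymizationSalt2(String str) {
        if (this.log.isTraceEnabled()) {
            this.log.trace("ComplianceConfiguration#onChanged called");
            this.log.trace("isLocalHashingEnabled? " + isLocalHashingEnabled());
            // The salt is a secret: record only whether one was supplied, never its value.
            this.log.trace("FieldAnonymizationSalt2 present? " + (str != null && !str.isEmpty()));
        }
        if (!isLocalHashingEnabled() || str == null) {
            return;
        }
        if (str.isEmpty()) {
            this.log.error("searchguard.compliance.local_hashing_enabled is enabled but searchguard.dynamic.field_anonymization.salt2 is not set");
            return;
        }
        byte[] saltBytes = str.getBytes(StandardCharsets.UTF_8);
        if (saltBytes.length < SALT_LENGTH) {
            this.log.error("searchguard.dynamic.field_anonymization.salt2 must at least contain 16 bytes");
            // Do not fall through: Arrays.copyOf would pad the short salt with zero bytes.
            return;
        }
        if (saltBytes.length > SALT_LENGTH) {
            this.log.warn("searchguard.dynamic.field_anonymization.salt2 is greater than 16 bytes. Only the first 16 bytes are used");
        }
        byte[] truncated = Arrays.copyOf(saltBytes, SALT_LENGTH);
        if (Arrays.equals(this.salt2_16, truncated)) {
            return;
        }
        this.log.debug("value of searchguard.dynamic.field_anonymization.salt2 changed");
        this.salt2_16 = truncated;

        // Only the request cache is cleared; field data and query caches are left untouched.
        ClearIndicesCacheRequest clearIndicesCacheRequest = new ClearIndicesCacheRequest(new String[0]);
        clearIndicesCacheRequest.fieldDataCache(false);
        clearIndicesCacheRequest.queryCache(false);
        clearIndicesCacheRequest.requestCache(true);
        this.client.admin().indices().clearCache(clearIndicesCacheRequest, new ActionListener<ClearIndicesCacheResponse>() {
            public void onResponse(ClearIndicesCacheResponse clearIndicesCacheResponse) {
                DlsFlsComplianceConfig.this.log.debug("Cache cleared due to salt2 changed: " + Strings.toString(clearIndicesCacheResponse));
            }

            public void onFailure(Exception exc) {
                // A failed clear must be visible to operators: cached responses presumably
                // still carry values produced with the previous salt.
                DlsFlsComplianceConfig.this.log.error("Failed to clear the request cache after salt2 changed", exc);
            }
        });
    }

    /** @return a copy of the 16-byte second salt, or {@code null} if none has been set */
    public byte[] getSalt2_16() {
        // Read the volatile field once so the null check and the copy see the same array.
        byte[] current = this.salt2_16;
        return current == null ? null : current.clone();
    }

    /**
     * @return a copy of the UTF-8 bytes of {@code searchguard.compliance.mask_prefix}, or
     *     {@code null} if the setting is absent or empty
     */
    public byte[] getMaskPrefix() {
        // Copy, like the salt getters, so callers cannot alter the stored prefix.
        return this.maskPrefix == null ? null : this.maskPrefix.clone();
    }
}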
