package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.config.templates.Template;
import com.floragunn.codova.config.text.Pattern;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.DlsRestriction;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import com.floragunn.searchsupport.queries.Query;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorization.class */
public class RoleBasedDocumentAuthorization implements ComponentStateProvider {
    private static final Logger log = LogManager.getLogger(RoleBasedDocumentAuthorization.class);
    private final SgDynamicConfiguration<Role> roles;
    private final StaticIndexQueries staticIndexQueries;
    private volatile StatefulIndexQueries statefulIndexQueries;
    private final MetricsLevel metricsLevel;
    private final ComponentState componentState = new ComponentState("role_based_document_authorization");
    private final TimeAggregation statefulIndexRebuild = new TimeAggregation.Milliseconds();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorization$DlsQuery.class */
    public static class DlsQuery {
        final Template<Query> queryTemplate;

        DlsQuery(Template<Query> template) {
            this.queryTemplate = template;
        }

        public int hashCode() {
            return this.queryTemplate.hashCode();
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof DlsQuery)) {
                return false;
            }
            DlsQuery dlsQuery = (DlsQuery) obj;
            return this.queryTemplate == null ? dlsQuery.queryTemplate == null : this.queryTemplate.equals(dlsQuery.queryTemplate);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorization$StatefulIndexQueries.class */
    public static class StatefulIndexQueries implements ComponentStateProvider {
        private final ImmutableMap<String, ImmutableMap<String, DlsQuery>> indexToRoleToQuery;
        private final ImmutableMap<String, ImmutableSet<String>> indexToRoleWithoutQuery;
        private final ImmutableSet<String> indices;
        private final ImmutableMap<String, ImmutableList<Exception>> rolesToInitializationErrors;
        private final ComponentState componentState = new ComponentState("stateful_index_queries");

        StatefulIndexQueries(SgDynamicConfiguration<Role> sgDynamicConfiguration, Set<String> set) {
            this.indices = ImmutableSet.of(set);
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder();
            });
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str2 -> {
                return new ImmutableSet.Builder();
            });
            ImmutableMap.Builder defaultValue3 = new ImmutableMap.Builder().defaultValue(str3 -> {
                return new ImmutableList.Builder();
            });
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                try {
                    String str4 = (String) entry.getKey();
                    UnmodifiableIterator it2 = ((Role) entry.getValue()).getIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.Index index = (Role.Index) it2.next();
                        if (!index.getIndexPatterns().forAnyApplies(template -> {
                            return template.isConstant() && ((Pattern) template.getConstantValue()).isWildcard();
                        })) {
                            UnmodifiableIterator it3 = index.getIndexPatterns().iterator();
                            while (it3.hasNext()) {
                                Template template2 = (Template) it3.next();
                                if (template2.isConstant()) {
                                    Pattern pattern = (Pattern) template2.getConstantValue();
                                    Template dls = index.getDls();
                                    if (dls != null) {
                                        DlsQuery dlsQuery = new DlsQuery(dls);
                                        Iterator it4 = pattern.iterateMatching(set).iterator();
                                        while (it4.hasNext()) {
                                            ((ImmutableMap.Builder) defaultValue.get((String) it4.next())).put(str4, dlsQuery);
                                        }
                                    } else {
                                        Iterator it5 = pattern.iterateMatching(set).iterator();
                                        while (it5.hasNext()) {
                                            ((ImmutableSet.Builder) defaultValue2.get((String) it5.next())).add(str4);
                                        }
                                    }
                                }
                            }
                        }
                    }
                } catch (Exception e) {
                    RoleBasedDocumentAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    ((ImmutableList.Builder) defaultValue3.get((String) entry.getKey())).with(e);
                }
            }
            this.indexToRoleToQuery = defaultValue.build(builder -> {
                return builder.build();
            });
            this.indexToRoleWithoutQuery = defaultValue2.build(builder2 -> {
                return builder2.build();
            });
            this.rolesToInitializationErrors = defaultValue3.build(builder3 -> {
                return builder3.build();
            });
            if (this.rolesToInitializationErrors.isEmpty()) {
                this.componentState.initialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "roles_with_errors");
                this.componentState.addDetail(defaultValue3);
            }
        }

        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorization$StaticIndexQueries.class */
    public static class StaticIndexQueries implements ComponentStateProvider {
        private final ComponentState componentState = new ComponentState("static_index_queries");
        private final ImmutableSet<String> rolesWithIndexWildcardWithoutQuery;
        private final ImmutableMap<String, DlsQuery> roleWithIndexWildcardToQuery;
        private final ImmutableMap<String, ImmutableMap<Template<Pattern>, DlsQuery>> rolesToIndexPatternTemplateToQuery;
        private final ImmutableMap<String, ImmutableList<Exception>> rolesToInitializationErrors;

        StaticIndexQueries(SgDynamicConfiguration<Role> sgDynamicConfiguration) {
            Template dls;
            ImmutableSet.Builder builder = new ImmutableSet.Builder();
            ImmutableMap.Builder builder2 = new ImmutableMap.Builder();
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder();
            });
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str2 -> {
                return new ImmutableList.Builder();
            });
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                try {
                    String str3 = (String) entry.getKey();
                    UnmodifiableIterator it2 = ((Role) entry.getValue()).getIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.Index index = (Role.Index) it2.next();
                        if (index.getIndexPatterns().forAnyApplies(template -> {
                            return template.isConstant() && ((Pattern) template.getConstantValue()).isWildcard();
                        })) {
                            Template dls2 = index.getDls();
                            if (dls2 == null) {
                                builder.add(str3);
                            } else {
                                builder2.put(str3, new DlsQuery(dls2));
                            }
                        } else {
                            UnmodifiableIterator it3 = index.getIndexPatterns().iterator();
                            while (it3.hasNext()) {
                                Template template2 = (Template) it3.next();
                                if (!template2.isConstant() && (dls = index.getDls()) != null) {
                                    ((ImmutableMap.Builder) defaultValue.get(str3)).put(template2, new DlsQuery(dls));
                                }
                            }
                        }
                    }
                } catch (Exception e) {
                    RoleBasedDocumentAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    ((ImmutableList.Builder) defaultValue2.get((String) entry.getKey())).with(e);
                }
            }
            this.rolesWithIndexWildcardWithoutQuery = builder.build();
            this.roleWithIndexWildcardToQuery = builder2.build();
            this.rolesToIndexPatternTemplateToQuery = defaultValue.build(builder3 -> {
                return builder3.build();
            });
            this.rolesToInitializationErrors = defaultValue2.build(builder4 -> {
                return builder4.build();
            });
            if (this.rolesToInitializationErrors.isEmpty()) {
                this.componentState.initialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "roles_with_errors");
                this.componentState.addDetail(defaultValue2);
            }
        }

        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    public RoleBasedDocumentAuthorization(SgDynamicConfiguration<Role> sgDynamicConfiguration, Set<String> set, MetricsLevel metricsLevel) {
        this.roles = sgDynamicConfiguration;
        this.metricsLevel = metricsLevel;
        this.staticIndexQueries = new StaticIndexQueries(sgDynamicConfiguration);
        Meter basic = Meter.basic(metricsLevel, this.statefulIndexRebuild);
        try {
            this.statefulIndexQueries = new StatefulIndexQueries(sgDynamicConfiguration, set);
            if (basic != null) {
                basic.close();
            }
            this.componentState.addPart(this.staticIndexQueries.getComponentState());
            this.componentState.addPart(this.statefulIndexQueries.getComponentState());
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            this.componentState.updateStateFromParts();
            if (metricsLevel.basicEnabled()) {
                this.componentState.addMetrics("stateful_index_rebuilds", this.statefulIndexRebuild);
            }
        } catch (Throwable th) {
            if (basic != null) {
                try {
                    basic.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean hasDlsRestrictions(PrivilegesEvaluationContext privilegesEvaluationContext, Collection<String> collection, Meter meter) throws PrivilegesEvaluationException {
        try {
            Meter detail = meter.detail("has_dls_restriction");
            try {
                if (this.staticIndexQueries.rolesWithIndexWildcardWithoutQuery.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                    if (detail != null) {
                        detail.close();
                    }
                    return false;
                }
                StatefulIndexQueries statefulIndexQueries = this.statefulIndexQueries;
                if (!statefulIndexQueries.indices.containsAll(collection)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Indices {} do not exist. Assuming full document restriction.", collection);
                    }
                    if (detail != null) {
                        detail.close();
                    }
                    return true;
                }
                for (String str : collection) {
                    ImmutableSet immutableSet = (ImmutableSet) statefulIndexQueries.indexToRoleWithoutQuery.get(str);
                    if (immutableSet == null || !immutableSet.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                        ImmutableMap immutableMap = (ImmutableMap) this.statefulIndexQueries.indexToRoleToQuery.get(str);
                        UnmodifiableIterator it = privilegesEvaluationContext.getMappedRoles().iterator();
                        while (it.hasNext()) {
                            String str2 = (String) it.next();
                            if (((DlsQuery) this.staticIndexQueries.roleWithIndexWildcardToQuery.get(str2)) != null) {
                                if (detail != null) {
                                    detail.close();
                                }
                                return true;
                            }
                            if (immutableMap != null && ((DlsQuery) immutableMap.get(str2)) != null) {
                                if (detail != null) {
                                    detail.close();
                                }
                                return true;
                            }
                            ImmutableMap immutableMap2 = (ImmutableMap) this.staticIndexQueries.rolesToIndexPatternTemplateToQuery.get(str2);
                            if (immutableMap2 != null) {
                                UnmodifiableIterator it2 = immutableMap2.entrySet().iterator();
                                while (it2.hasNext()) {
                                    try {
                                        if (privilegesEvaluationContext.getRenderedPattern((Template) ((Map.Entry) it2.next()).getKey()).matches(str)) {
                                            if (detail != null) {
                                                detail.close();
                                            }
                                            return true;
                                        }
                                    } catch (ExpressionEvaluationException e) {
                                        throw new PrivilegesEvaluationException("Error while rendering index pattern of role " + str2, e);
                                    }
                                }
                            }
                        }
                    }
                }
                if (detail != null) {
                    detail.close();
                }
                return false;
            } finally {
            }
        } catch (PrivilegesEvaluationException e2) {
            this.componentState.addLastException("has_dls_restriction", e2);
            throw e2;
        } catch (RuntimeException e3) {
            this.componentState.addLastException("has_dls_restriction_u", e3);
            throw e3;
        }
    }

    public DlsRestriction getDlsRestriction(PrivilegesEvaluationContext privilegesEvaluationContext, String str, Meter meter) throws PrivilegesEvaluationException {
        try {
            Meter detail = meter.detail("evaluate_dls");
            try {
                DlsRestriction dlsRestrictionInternal = getDlsRestrictionInternal(privilegesEvaluationContext, str);
                if (detail != null) {
                    detail.close();
                }
                return dlsRestrictionInternal;
            } catch (Throwable th) {
                if (detail != null) {
                    try {
                        detail.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (RuntimeException e) {
            this.componentState.addLastException("get_dls_restriction_u", e);
            throw e;
        } catch (PrivilegesEvaluationException e2) {
            this.componentState.addLastException("get_dls_restriction", e2);
            throw e2;
        }
    }

    public DlsRestriction.IndexMap getDlsRestriction(PrivilegesEvaluationContext privilegesEvaluationContext, Collection<String> collection, Meter meter) throws PrivilegesEvaluationException {
        try {
            Meter detail = meter.detail("evaluate_dls");
            try {
                if (this.staticIndexQueries.rolesWithIndexWildcardWithoutQuery.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                    DlsRestriction.IndexMap indexMap = DlsRestriction.IndexMap.NONE;
                    if (detail != null) {
                        detail.close();
                    }
                    return indexMap;
                }
                ImmutableMap.Builder builder = new ImmutableMap.Builder(collection.size());
                int i = 0;
                for (String str : collection) {
                    DlsRestriction dlsRestrictionInternal = getDlsRestrictionInternal(privilegesEvaluationContext, str);
                    if (!dlsRestrictionInternal.isUnrestricted()) {
                        i++;
                    }
                    builder.put(str, dlsRestrictionInternal);
                }
                if (i == 0) {
                    DlsRestriction.IndexMap indexMap2 = DlsRestriction.IndexMap.NONE;
                    if (detail != null) {
                        detail.close();
                    }
                    return indexMap2;
                }
                DlsRestriction.IndexMap indexMap3 = new DlsRestriction.IndexMap(builder.build());
                if (detail != null) {
                    detail.close();
                }
                return indexMap3;
            } catch (Throwable th) {
                if (detail != null) {
                    try {
                        detail.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (RuntimeException e) {
            this.componentState.addLastException("get_dls_restriction_u", e);
            throw e;
        } catch (PrivilegesEvaluationException e2) {
            this.componentState.addLastException("get_dls_restriction", e2);
            throw e2;
        }
    }

    private DlsRestriction getDlsRestrictionInternal(PrivilegesEvaluationContext privilegesEvaluationContext, String str) throws PrivilegesEvaluationException {
        DlsQuery dlsQuery;
        if (this.staticIndexQueries.rolesWithIndexWildcardWithoutQuery.containsAny(privilegesEvaluationContext.getMappedRoles())) {
            return DlsRestriction.NONE;
        }
        StatefulIndexQueries statefulIndexQueries = this.statefulIndexQueries;
        if (!statefulIndexQueries.indices.contains(str)) {
            if (log.isDebugEnabled()) {
                log.debug("Index {} does not exist. Assuming full document restriction.", str);
            }
            return DlsRestriction.FULL;
        }
        ImmutableSet immutableSet = (ImmutableSet) statefulIndexQueries.indexToRoleWithoutQuery.get(str);
        if (immutableSet != null && immutableSet.containsAny(privilegesEvaluationContext.getMappedRoles())) {
            return DlsRestriction.NONE;
        }
        ImmutableMap immutableMap = (ImmutableMap) this.statefulIndexQueries.indexToRoleToQuery.get(str);
        HashSet<DlsQuery> hashSet = new HashSet();
        UnmodifiableIterator it = privilegesEvaluationContext.getMappedRoles().iterator();
        while (it.hasNext()) {
            String str2 = (String) it.next();
            DlsQuery dlsQuery2 = (DlsQuery) this.staticIndexQueries.roleWithIndexWildcardToQuery.get(str2);
            if (dlsQuery2 != null) {
                hashSet.add(dlsQuery2);
            }
            if (immutableMap != null && (dlsQuery = (DlsQuery) immutableMap.get(str2)) != null) {
                hashSet.add(dlsQuery);
            }
            ImmutableMap immutableMap2 = (ImmutableMap) this.staticIndexQueries.rolesToIndexPatternTemplateToQuery.get(str2);
            if (immutableMap2 != null) {
                UnmodifiableIterator it2 = immutableMap2.entrySet().iterator();
                while (it2.hasNext()) {
                    Map.Entry entry = (Map.Entry) it2.next();
                    try {
                        if (privilegesEvaluationContext.getRenderedPattern((Template) entry.getKey()).matches(str)) {
                            hashSet.add((DlsQuery) entry.getValue());
                        }
                    } catch (ExpressionEvaluationException e) {
                        throw new PrivilegesEvaluationException("Error while rendering index pattern of role " + str2, e);
                    }
                }
            }
        }
        if (hashSet.isEmpty()) {
            return DlsRestriction.NONE;
        }
        ArrayList arrayList = new ArrayList(hashSet.size());
        for (DlsQuery dlsQuery3 : hashSet) {
            try {
                arrayList.add((Query) dlsQuery3.queryTemplate.render(privilegesEvaluationContext.getUser()));
            } catch (ExpressionEvaluationException e2) {
                throw new PrivilegesEvaluationException("Error while rendering query " + dlsQuery3, e2);
            }
        }
        return new DlsRestriction(ImmutableList.of(arrayList));
    }

    public synchronized void updateIndices(Set<String> set) {
        if (this.statefulIndexQueries.indices.equals(set)) {
            return;
        }
        Meter basic = Meter.basic(this.metricsLevel, this.statefulIndexRebuild);
        try {
            this.statefulIndexQueries = new StatefulIndexQueries(this.roles, set);
            this.componentState.replacePart(this.statefulIndexQueries.getComponentState());
            if (basic != null) {
                basic.close();
            }
        } catch (Throwable th) {
            if (basic != null) {
                try {
                    basic.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
