package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.config.text.Pattern;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsConfig;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.google.common.primitives.Bytes;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.BytesRef;
import org.bouncycastle.crypto.digests.Blake2bDigest;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking.class */
public class RoleBasedFieldMasking implements ComponentStateProvider {
    private static final Logger log = LogManager.getLogger(RoleBasedFieldMasking.class);
    private final SgDynamicConfiguration<Role> roles;
    private final StaticIndexRules staticIndexQueries;
    private volatile StatefulIndexRules statefulIndexQueries;
    private final ComponentState componentState = new ComponentState("role_based_field_masking");
    private final DlsFlsConfig.FieldMasking fieldMaskingConfig;

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking$FieldMaskingRule.class */
    public static abstract class FieldMaskingRule {
        public static final FieldMaskingRule ALLOW_ALL = new SingleRole(ImmutableList.empty());
        public static final FieldMaskingRule MASK_ALL = new SingleRole(ImmutableList.of(new Field(Role.Index.FieldMaskingExpression.MASK_ALL, DlsFlsConfig.FieldMasking.DEFAULT)));

        /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking$FieldMaskingRule$Field.class */
        public static class Field {
            private final Role.Index.FieldMaskingExpression expression;
            private final byte[] salt;
            private final byte[] personalization;
            private final byte[] prefix;

            Field(Role.Index.FieldMaskingExpression fieldMaskingExpression, DlsFlsConfig.FieldMasking fieldMasking) {
                this.expression = fieldMaskingExpression;
                this.salt = fieldMasking.getSalt();
                this.personalization = fieldMasking.getPersonalization();
                this.prefix = fieldMasking.getPrefix() != null ? fieldMasking.getPrefix().getBytes() : null;
            }

            public Pattern getPattern() {
                return this.expression.getPattern();
            }

            public byte[] apply(byte[] bArr) {
                return isDefault() ? blake2bHash(bArr) : customHash(bArr);
            }

            public String apply(String str) {
                return isDefault() ? blake2bHash(str) : customHash(str);
            }

            public BytesRef apply(BytesRef bytesRef) {
                if (bytesRef == null) {
                    return null;
                }
                return isDefault() ? blake2bHash(bytesRef) : customHash(bytesRef);
            }

            public String toString() {
                return this.expression.toString();
            }

            private boolean isDefault() {
                return this.expression.getAlgo() == null && this.expression.getRegexReplacements() == null;
            }

            /* JADX WARN: Type inference failed for: r0v20, types: [byte[], byte[][]] */
            /* JADX WARN: Type inference failed for: r0v35, types: [byte[], byte[][]] */
            private byte[] customHash(byte[] bArr) {
                MessageDigest algo = this.expression.getAlgo();
                if (algo != null) {
                    return this.prefix != null ? Bytes.concat((byte[][]) new byte[]{this.prefix, Hex.encode(algo.digest(bArr))}) : Hex.encode(algo.digest(bArr));
                }
                if (this.expression.getRegexReplacements() == null) {
                    throw new IllegalArgumentException();
                }
                String str = new String(bArr, StandardCharsets.UTF_8);
                for (Role.Index.FieldMaskingExpression.RegexReplacement regexReplacement : this.expression.getRegexReplacements()) {
                    str = regexReplacement.getRegex().matcher(str).replaceAll(regexReplacement.getReplacement());
                }
                return this.prefix != null ? Bytes.concat((byte[][]) new byte[]{this.prefix, str.getBytes(StandardCharsets.UTF_8)}) : str.getBytes(StandardCharsets.UTF_8);
            }

            private BytesRef customHash(BytesRef bytesRef) {
                return new BytesRef(customHash(BytesRef.deepCopyOf(bytesRef).bytes));
            }

            private String customHash(String str) {
                return new String(customHash(str.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
            }

            /* JADX WARN: Type inference failed for: r0v12, types: [byte[], byte[][]] */
            private byte[] blake2bHash(byte[] bArr) {
                Blake2bDigest blake2bDigest = new Blake2bDigest((byte[]) null, 32, this.salt, this.personalization);
                blake2bDigest.update(bArr, 0, bArr.length);
                byte[] bArr2 = new byte[blake2bDigest.getDigestSize()];
                blake2bDigest.doFinal(bArr2, 0);
                return this.prefix != null ? Bytes.concat((byte[][]) new byte[]{this.prefix, Hex.encode(bArr2)}) : Hex.encode(bArr2);
            }

            private BytesRef blake2bHash(BytesRef bytesRef) {
                return new BytesRef(blake2bHash(BytesRef.deepCopyOf(bytesRef).bytes));
            }

            private String blake2bHash(String str) {
                return new String(blake2bHash(str.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
            }
        }

        /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking$FieldMaskingRule$MultiRole.class */
        public static class MultiRole extends FieldMaskingRule {
            final ImmutableList<SingleRole> parts;
            final boolean allowAll;

            MultiRole(Collection<SingleRole> collection) {
                this.parts = ImmutableList.of(collection);
                this.allowAll = this.parts.forAnyApplies(singleRole -> {
                    return singleRole.isAllowAll();
                });
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldMasking.FieldMaskingRule
            public Field get(String str) {
                String stripKeywordSuffix = stripKeywordSuffix(str);
                Field field = null;
                UnmodifiableIterator it = this.parts.iterator();
                while (it.hasNext()) {
                    field = ((SingleRole) it.next()).get(stripKeywordSuffix);
                    if (field == null) {
                        return null;
                    }
                }
                return field;
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldMasking.FieldMaskingRule
            public boolean isAllowAll() {
                return this.allowAll;
            }

            public String toString() {
                return isAllowAll() ? "FM:*" : "FM:" + this.parts.map(singleRole -> {
                    return singleRole.expressions;
                });
            }
        }

        /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking$FieldMaskingRule$SingleRole.class */
        public static class SingleRole extends FieldMaskingRule {
            final Role sourceRole;
            final Role.Index sourceIndex;
            final ImmutableList<Field> expressions;

            SingleRole(Role role, Role.Index index, DlsFlsConfig.FieldMasking fieldMasking) {
                this.sourceRole = role;
                this.sourceIndex = index;
                this.expressions = ImmutableList.of((Collection) index.getMaskedFields().stream().map(fieldMaskingExpression -> {
                    return new Field(fieldMaskingExpression, fieldMasking);
                }).collect(Collectors.toList()));
            }

            SingleRole(ImmutableList<Field> immutableList) {
                this.sourceIndex = null;
                this.sourceRole = null;
                this.expressions = immutableList;
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldMasking.FieldMaskingRule
            public Field get(String str) {
                return internalGet(stripKeywordSuffix(str));
            }

            private Field internalGet(String str) {
                UnmodifiableIterator it = this.expressions.iterator();
                while (it.hasNext()) {
                    Field field = (Field) it.next();
                    if (field.getPattern().matches(str)) {
                        return field;
                    }
                }
                return null;
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldMasking.FieldMaskingRule
            public boolean isAllowAll() {
                return this.expressions.isEmpty();
            }

            public String toString() {
                return isAllowAll() ? "FM:*" : "FM:" + this.expressions;
            }
        }

        public static FieldMaskingRule of(DlsFlsConfig.FieldMasking fieldMasking, String... strArr) throws ConfigValidationException {
            ImmutableList.Builder builder = new ImmutableList.Builder();
            for (String str : strArr) {
                builder.add(new Role.Index.FieldMaskingExpression(str));
            }
            return new SingleRole(builder.build().map(fieldMaskingExpression -> {
                return new Field(fieldMaskingExpression, fieldMasking);
            }));
        }

        public abstract Field get(String str);

        public abstract boolean isAllowAll();

        static String stripKeywordSuffix(String str) {
            return str.endsWith(".keyword") ? str.substring(0, str.length() - ".keyword".length()) : str;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking$StatefulIndexRules.class */
    public static class StatefulIndexRules implements ComponentStateProvider {
        private final ImmutableMap<String, ImmutableMap<String, FieldMaskingRule.SingleRole>> indexToRoleToRule;
        private final ImmutableMap<String, ImmutableSet<String>> indexToRoleWithoutRule;
        private final ImmutableSet<String> indices;
        private final ImmutableMap<String, ImmutableList<Exception>> rolesToInitializationErrors;
        private final ComponentState componentState = new ComponentState("stateful_index_queries");

        StatefulIndexRules(SgDynamicConfiguration<Role> sgDynamicConfiguration, DlsFlsConfig.FieldMasking fieldMasking, Set<String> set) {
            this.indices = ImmutableSet.of(set);
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder();
            });
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str2 -> {
                return new ImmutableSet.Builder();
            });
            ImmutableMap.Builder defaultValue3 = new ImmutableMap.Builder().defaultValue(str3 -> {
                return new ImmutableList.Builder();
            });
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                try {
                    String str4 = (String) entry.getKey();
                    Role role = (Role) entry.getValue();
                    UnmodifiableIterator it2 = role.getIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.Index index = (Role.Index) it2.next();
                        Pattern pattern = index.getIndexPatterns().getPattern();
                        if (!pattern.isWildcard() && !pattern.isBlank()) {
                            ImmutableList maskedFields = index.getMaskedFields();
                            if (maskedFields == null || maskedFields.isEmpty()) {
                                Iterator it3 = pattern.iterateMatching(set).iterator();
                                while (it3.hasNext()) {
                                    ((ImmutableSet.Builder) defaultValue2.get((String) it3.next())).add(str4);
                                }
                            } else {
                                FieldMaskingRule.SingleRole singleRole = new FieldMaskingRule.SingleRole(role, index, fieldMasking);
                                Iterator it4 = pattern.iterateMatching(set).iterator();
                                while (it4.hasNext()) {
                                    ((ImmutableMap.Builder) defaultValue.get((String) it4.next())).put(str4, singleRole);
                                }
                            }
                        }
                    }
                } catch (Exception e) {
                    RoleBasedFieldMasking.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    ((ImmutableList.Builder) defaultValue3.get((String) entry.getKey())).with(e);
                }
            }
            this.indexToRoleToRule = defaultValue.build(builder -> {
                return builder.build();
            });
            this.indexToRoleWithoutRule = defaultValue2.build(builder2 -> {
                return builder2.build();
            });
            this.rolesToInitializationErrors = defaultValue3.build(builder3 -> {
                return builder3.build();
            });
            if (this.rolesToInitializationErrors.isEmpty()) {
                this.componentState.initialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "roles_with_errors");
                this.componentState.addDetail(defaultValue3);
            }
        }

        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking$StaticIndexRules.class */
    public static class StaticIndexRules implements ComponentStateProvider {
        private final ComponentState componentState = new ComponentState("static_index_rules");
        private final ImmutableSet<String> rolesWithIndexWildcardWithoutRule;
        private final ImmutableMap<String, FieldMaskingRule.SingleRole> roleWithIndexWildcardToRule;
        private final ImmutableMap<String, ImmutableMap<Role.IndexPatterns.IndexPatternTemplate, FieldMaskingRule.SingleRole>> rolesToIndexPatternTemplateToRule;
        private final ImmutableMap<String, ImmutableList<Exception>> rolesToInitializationErrors;

        StaticIndexRules(SgDynamicConfiguration<Role> sgDynamicConfiguration, DlsFlsConfig.FieldMasking fieldMasking) {
            ImmutableSet.Builder builder = new ImmutableSet.Builder();
            ImmutableMap.Builder builder2 = new ImmutableMap.Builder();
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder();
            });
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str2 -> {
                return new ImmutableList.Builder();
            });
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                try {
                    String str3 = (String) entry.getKey();
                    Role role = (Role) entry.getValue();
                    UnmodifiableIterator it2 = role.getIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.Index index = (Role.Index) it2.next();
                        if (index.getIndexPatterns().getPattern().isWildcard()) {
                            ImmutableList maskedFields = index.getMaskedFields();
                            if (maskedFields == null || maskedFields.isEmpty()) {
                                builder.add(str3);
                            } else {
                                builder2.put(str3, new FieldMaskingRule.SingleRole(role, index, fieldMasking));
                            }
                        } else {
                            UnmodifiableIterator it3 = index.getIndexPatterns().getPatternTemplates().iterator();
                            while (it3.hasNext()) {
                                Role.IndexPatterns.IndexPatternTemplate indexPatternTemplate = (Role.IndexPatterns.IndexPatternTemplate) it3.next();
                                ImmutableList maskedFields2 = index.getMaskedFields();
                                if (maskedFields2 != null && !maskedFields2.isEmpty()) {
                                    ((ImmutableMap.Builder) defaultValue.get(str3)).put(indexPatternTemplate, new FieldMaskingRule.SingleRole(role, index, fieldMasking));
                                }
                            }
                        }
                    }
                } catch (Exception e) {
                    RoleBasedFieldMasking.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    ((ImmutableList.Builder) defaultValue2.get((String) entry.getKey())).with(e);
                }
            }
            this.rolesWithIndexWildcardWithoutRule = builder.build();
            this.roleWithIndexWildcardToRule = builder2.build();
            this.rolesToIndexPatternTemplateToRule = defaultValue.build(builder3 -> {
                return builder3.build();
            });
            this.rolesToInitializationErrors = defaultValue2.build(builder4 -> {
                return builder4.build();
            });
            if (this.rolesToInitializationErrors.isEmpty()) {
                this.componentState.initialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "roles_with_errors");
                this.componentState.addDetail(defaultValue2);
            }
        }

        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    public RoleBasedFieldMasking(SgDynamicConfiguration<Role> sgDynamicConfiguration, DlsFlsConfig.FieldMasking fieldMasking, Set<String> set, MetricsLevel metricsLevel) {
        this.roles = sgDynamicConfiguration;
        this.fieldMaskingConfig = fieldMasking;
        this.staticIndexQueries = new StaticIndexRules(sgDynamicConfiguration, fieldMasking);
        this.statefulIndexQueries = new StatefulIndexRules(sgDynamicConfiguration, fieldMasking, set);
        this.componentState.setInitialized();
        this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
        this.componentState.addPart(this.statefulIndexQueries.getComponentState());
        this.componentState.addPart(this.staticIndexQueries.getComponentState());
    }

    public FieldMaskingRule getFieldMaskingRule(PrivilegesEvaluationContext privilegesEvaluationContext, String str, Meter meter) throws PrivilegesEvaluationException {
        FieldMaskingRule.SingleRole singleRole;
        try {
            Meter detail = meter.detail("evaluate_fm");
            try {
                if (this.staticIndexQueries.rolesWithIndexWildcardWithoutRule.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                    FieldMaskingRule fieldMaskingRule = FieldMaskingRule.ALLOW_ALL;
                    if (detail != null) {
                        detail.close();
                    }
                    return fieldMaskingRule;
                }
                StatefulIndexRules statefulIndexRules = this.statefulIndexQueries;
                if (!statefulIndexRules.indices.contains(str)) {
                    FieldMaskingRule fieldMaskingRule2 = FieldMaskingRule.MASK_ALL;
                    if (detail != null) {
                        detail.close();
                    }
                    return fieldMaskingRule2;
                }
                ImmutableSet immutableSet = (ImmutableSet) statefulIndexRules.indexToRoleWithoutRule.get(str);
                if (immutableSet != null && immutableSet.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                    FieldMaskingRule fieldMaskingRule3 = FieldMaskingRule.ALLOW_ALL;
                    if (detail != null) {
                        detail.close();
                    }
                    return fieldMaskingRule3;
                }
                ImmutableMap immutableMap = (ImmutableMap) this.statefulIndexQueries.indexToRoleToRule.get(str);
                ArrayList arrayList = new ArrayList();
                UnmodifiableIterator it = privilegesEvaluationContext.getMappedRoles().iterator();
                while (it.hasNext()) {
                    String str2 = (String) it.next();
                    FieldMaskingRule.SingleRole singleRole2 = (FieldMaskingRule.SingleRole) this.staticIndexQueries.roleWithIndexWildcardToRule.get(str2);
                    if (singleRole2 != null) {
                        arrayList.add(singleRole2);
                    }
                    if (immutableMap != null && (singleRole = (FieldMaskingRule.SingleRole) immutableMap.get(str2)) != null) {
                        arrayList.add(singleRole);
                    }
                    ImmutableMap immutableMap2 = (ImmutableMap) this.staticIndexQueries.rolesToIndexPatternTemplateToRule.get(str2);
                    if (immutableMap2 != null) {
                        UnmodifiableIterator it2 = immutableMap2.entrySet().iterator();
                        while (it2.hasNext()) {
                            Map.Entry entry = (Map.Entry) it2.next();
                            try {
                                if (privilegesEvaluationContext.getRenderedPattern(((Role.IndexPatterns.IndexPatternTemplate) entry.getKey()).getTemplate()).matches(str) && !((Role.IndexPatterns.IndexPatternTemplate) entry.getKey()).getExclusions().matches(str)) {
                                    arrayList.add((FieldMaskingRule.SingleRole) entry.getValue());
                                }
                            } catch (ExpressionEvaluationException e) {
                                throw new PrivilegesEvaluationException("Error while rendering index pattern of role " + str2, e);
                            }
                        }
                    }
                }
                if (arrayList.isEmpty()) {
                    FieldMaskingRule fieldMaskingRule4 = FieldMaskingRule.ALLOW_ALL;
                    if (detail != null) {
                        detail.close();
                    }
                    return fieldMaskingRule4;
                }
                FieldMaskingRule.MultiRole multiRole = new FieldMaskingRule.MultiRole(arrayList);
                if (detail != null) {
                    detail.close();
                }
                return multiRole;
            } finally {
            }
        } catch (PrivilegesEvaluationException e2) {
            this.componentState.addLastException("evaluate", e2);
            throw e2;
        } catch (RuntimeException e3) {
            this.componentState.addLastException("evaluate_u", e3);
            throw e3;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean hasFieldMaskingRestrictions(PrivilegesEvaluationContext privilegesEvaluationContext, Collection<String> collection, Meter meter) throws PrivilegesEvaluationException {
        try {
            Meter detail = meter.detail("has_fm_restriction");
            try {
                if (this.staticIndexQueries.rolesWithIndexWildcardWithoutRule.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                    if (detail != null) {
                        detail.close();
                    }
                    return false;
                }
                StatefulIndexRules statefulIndexRules = this.statefulIndexQueries;
                if (!statefulIndexRules.indices.containsAll(collection)) {
                    if (detail != null) {
                        detail.close();
                    }
                    return true;
                }
                Iterator<String> it = collection.iterator();
                while (it.hasNext()) {
                    if (hasFieldMaskingRestrictions(privilegesEvaluationContext, it.next(), statefulIndexRules)) {
                        if (detail != null) {
                            detail.close();
                        }
                        return true;
                    }
                }
                if (detail != null) {
                    detail.close();
                }
                return false;
            } catch (Throwable th) {
                if (detail != null) {
                    try {
                        detail.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (RuntimeException e) {
            this.componentState.addLastException("has_restriction_u", e);
            throw e;
        } catch (PrivilegesEvaluationException e2) {
            this.componentState.addLastException("has_restriction", e2);
            throw e2;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean hasFieldMaskingRestrictions(PrivilegesEvaluationContext privilegesEvaluationContext, String str, Meter meter) throws PrivilegesEvaluationException {
        try {
            Meter detail = meter.detail("has_fm_restriction");
            try {
                if (this.staticIndexQueries.rolesWithIndexWildcardWithoutRule.containsAny(privilegesEvaluationContext.getMappedRoles())) {
                    if (detail != null) {
                        detail.close();
                    }
                    return false;
                }
                StatefulIndexRules statefulIndexRules = this.statefulIndexQueries;
                if (!statefulIndexRules.indices.contains(str)) {
                    if (detail != null) {
                        detail.close();
                    }
                    return true;
                }
                boolean hasFieldMaskingRestrictions = hasFieldMaskingRestrictions(privilegesEvaluationContext, str, statefulIndexRules);
                if (detail != null) {
                    detail.close();
                }
                return hasFieldMaskingRestrictions;
            } finally {
            }
        } catch (PrivilegesEvaluationException e) {
            this.componentState.addLastException("has_restriction", e);
            throw e;
        } catch (RuntimeException e2) {
            this.componentState.addLastException("has_restriction_u", e2);
            throw e2;
        }
    }

    private boolean hasFieldMaskingRestrictions(PrivilegesEvaluationContext privilegesEvaluationContext, String str, StatefulIndexRules statefulIndexRules) throws PrivilegesEvaluationException {
        ImmutableSet immutableSet = (ImmutableSet) statefulIndexRules.indexToRoleWithoutRule.get(str);
        if (immutableSet != null && immutableSet.containsAny(privilegesEvaluationContext.getMappedRoles())) {
            return false;
        }
        ImmutableMap immutableMap = (ImmutableMap) statefulIndexRules.indexToRoleToRule.get(str);
        UnmodifiableIterator it = privilegesEvaluationContext.getMappedRoles().iterator();
        while (it.hasNext()) {
            String str2 = (String) it.next();
            if (((FieldMaskingRule) this.staticIndexQueries.roleWithIndexWildcardToRule.get(str2)) != null) {
                return true;
            }
            if (immutableMap != null && ((FieldMaskingRule) immutableMap.get(str2)) != null) {
                return true;
            }
            ImmutableMap immutableMap2 = (ImmutableMap) this.staticIndexQueries.rolesToIndexPatternTemplateToRule.get(str2);
            if (immutableMap2 != null) {
                UnmodifiableIterator it2 = immutableMap2.entrySet().iterator();
                while (it2.hasNext()) {
                    Map.Entry entry = (Map.Entry) it2.next();
                    try {
                        if (privilegesEvaluationContext.getRenderedPattern(((Role.IndexPatterns.IndexPatternTemplate) entry.getKey()).getTemplate()).matches(str) && !((Role.IndexPatterns.IndexPatternTemplate) entry.getKey()).getExclusions().matches(str)) {
                            return true;
                        }
                    } catch (ExpressionEvaluationException e) {
                        throw new PrivilegesEvaluationException("Error while rendering index pattern of role " + str2, e);
                    }
                }
            }
        }
        return false;
    }

    public synchronized void updateIndices(Set<String> set) {
        if (this.statefulIndexQueries.indices.equals(set)) {
            return;
        }
        this.statefulIndexQueries = new StatefulIndexRules(this.roles, this.fieldMaskingConfig, set);
        this.componentState.replacePart(this.statefulIndexQueries.getComponentState());
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }

    public DlsFlsConfig.FieldMasking getFieldMaskingConfig() {
        return this.fieldMaskingConfig;
    }
}
