package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.meta.Meta;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldAuthorization.class */
public class RoleBasedFieldAuthorization extends RoleBasedAuthorizationBase<FlsRule, FlsRule> {

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldAuthorization$FlsRule.class */
    public static abstract class FlsRule {
        public static final FlsRule ALLOW_ALL = new SingleRole((ImmutableList<Role.Index.FlsPattern>) ImmutableList.of(Role.Index.FlsPattern.INCLUDE_ALL));
        public static final FlsRule DENY_ALL = new SingleRole((ImmutableList<Role.Index.FlsPattern>) ImmutableList.of(Role.Index.FlsPattern.EXCLUDE_ALL));

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldAuthorization$FlsRule$MultiRole.class */
        public static class MultiRole extends FlsRule {
            final ImmutableList<SingleRole> entries;
            final Map<String, Boolean> cache;
            final boolean allowAll;

            MultiRole(ImmutableList<SingleRole> immutableList) {
                this.entries = immutableList;
                this.allowAll = immutableList.forAnyApplies(singleRole -> {
                    return singleRole.isAllowAll();
                });
                if (this.allowAll) {
                    this.cache = null;
                } else {
                    this.cache = new ConcurrentHashMap();
                }
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization.FlsRule
            public boolean isAllowed(String str) {
                if (this.allowAll) {
                    return true;
                }
                if (this.cache == null) {
                    return internalIsAllowed(str);
                }
                Boolean bool = this.cache.get(str);
                if (bool != null) {
                    return bool.booleanValue();
                }
                Boolean valueOf = Boolean.valueOf(internalIsAllowed(str));
                this.cache.put(str, valueOf);
                return valueOf.booleanValue();
            }

            private boolean internalIsAllowed(String str) {
                String stripKeywordSuffix = stripKeywordSuffix(str);
                UnmodifiableIterator it = this.entries.iterator();
                while (it.hasNext()) {
                    if (((SingleRole) it.next()).isAllowed(stripKeywordSuffix)) {
                        return true;
                    }
                }
                return false;
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization.FlsRule
            public boolean isAllowAll() {
                return this.allowAll;
            }

            public String toString() {
                return isAllowAll() ? "FLS:*" : "FLS:" + String.valueOf(this.entries.map(singleRole -> {
                    return singleRole.patterns;
                }));
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldAuthorization$FlsRule$SingleRole.class */
        public static class SingleRole extends FlsRule {
            final Role.Index sourceIndex;
            final ImmutableList<Role.Index.FlsPattern> patterns;
            final Map<String, Boolean> cache;
            final boolean allowAll;

            SingleRole(Role.Index index) {
                this.sourceIndex = index;
                int i = 0;
                int i2 = 0;
                UnmodifiableIterator it = index.getFls().iterator();
                while (it.hasNext()) {
                    if (((Role.Index.FlsPattern) it.next()).isExcluded()) {
                        i++;
                    } else {
                        i2++;
                    }
                }
                if (i == 0 && i2 == 0) {
                    this.patterns = ImmutableList.of(Role.Index.FlsPattern.INCLUDE_ALL);
                } else if (i != 0 && i2 == 0) {
                    this.patterns = ImmutableList.of(Role.Index.FlsPattern.INCLUDE_ALL).with(index.getFls());
                } else if (i != 0 || i2 == 0) {
                    this.patterns = index.getFls();
                } else {
                    this.patterns = ImmutableList.of(Role.Index.FlsPattern.EXCLUDE_ALL).with(index.getFls());
                }
                this.allowAll = this.patterns.isEmpty() || (this.patterns.size() == 1 && ((Role.Index.FlsPattern) this.patterns.get(0)).getPattern().isWildcard() && !((Role.Index.FlsPattern) this.patterns.get(0)).isExcluded());
                if (this.allowAll) {
                    this.cache = null;
                } else {
                    this.cache = new ConcurrentHashMap();
                }
            }

            public SingleRole(ImmutableList<Role.Index.FlsPattern> immutableList) {
                this.patterns = immutableList;
                this.sourceIndex = null;
                this.allowAll = immutableList.isEmpty() || (immutableList.size() == 1 && ((Role.Index.FlsPattern) immutableList.get(0)).getPattern().isWildcard() && !((Role.Index.FlsPattern) immutableList.get(0)).isExcluded());
                this.cache = null;
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization.FlsRule
            public boolean isAllowed(String str) {
                if (this.allowAll) {
                    return true;
                }
                if (this.cache == null) {
                    return internalIsAllowed(str);
                }
                Boolean bool = this.cache.get(str);
                if (bool != null) {
                    return bool.booleanValue();
                }
                Boolean valueOf = Boolean.valueOf(internalIsAllowed(str));
                this.cache.put(str, valueOf);
                return valueOf.booleanValue();
            }

            private boolean internalIsAllowed(String str) {
                String stripKeywordSuffix = stripKeywordSuffix(str);
                boolean z = false;
                UnmodifiableIterator it = this.patterns.iterator();
                while (it.hasNext()) {
                    Role.Index.FlsPattern flsPattern = (Role.Index.FlsPattern) it.next();
                    if (flsPattern.getPattern().matches(stripKeywordSuffix)) {
                        z = !flsPattern.isExcluded();
                    }
                }
                return z;
            }

            @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization.FlsRule
            public boolean isAllowAll() {
                return this.allowAll;
            }

            public String toString() {
                return isAllowAll() ? "FLS:*" : "FLS:" + String.valueOf(this.patterns);
            }
        }

        public static FlsRule of(String... strArr) throws ConfigValidationException {
            ImmutableList.Builder builder = new ImmutableList.Builder();
            for (String str : strArr) {
                builder.add(new Role.Index.FlsPattern(str));
            }
            return new SingleRole((ImmutableList<Role.Index.FlsPattern>) builder.build());
        }

        static FlsRule merge(Collection<FlsRule> collection) {
            if (collection.size() == 1) {
                return collection.iterator().next();
            }
            ImmutableList.Builder builder = new ImmutableList.Builder(collection.size());
            for (FlsRule flsRule : collection) {
                if (flsRule instanceof SingleRole) {
                    builder.add((SingleRole) flsRule);
                } else if (flsRule instanceof MultiRole) {
                    UnmodifiableIterator it = ((MultiRole) flsRule).entries.iterator();
                    while (it.hasNext()) {
                        builder.add((SingleRole) it.next());
                    }
                }
            }
            return new MultiRole(builder.build());
        }

        public abstract boolean isAllowed(String str);

        public abstract boolean isAllowAll();

        static String stripKeywordSuffix(String str) {
            return str.endsWith(".keyword") ? str.substring(0, str.length() - ".keyword".length()) : str;
        }
    }

    public RoleBasedFieldAuthorization(SgDynamicConfiguration<Role> sgDynamicConfiguration, Meta meta, MetricsLevel metricsLevel) {
        super(sgDynamicConfiguration, meta, metricsLevel, RoleBasedFieldAuthorization::roleToRule);
    }

    static FlsRule roleToRule(Role.Index index) {
        ImmutableList fls = index.getFls();
        if (fls == null || fls.isEmpty()) {
            return null;
        }
        return new FlsRule.SingleRole(index);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedAuthorizationBase
    public FlsRule unrestricted() {
        return FlsRule.ALLOW_ALL;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedAuthorizationBase
    public FlsRule fullyRestricted() {
        return FlsRule.DENY_ALL;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedAuthorizationBase
    public FlsRule compile(PrivilegesEvaluationContext privilegesEvaluationContext, Collection<FlsRule> collection) throws PrivilegesEvaluationException {
        return collection.isEmpty() ? FlsRule.DENY_ALL : FlsRule.merge(collection);
    }

    @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedAuthorizationBase
    protected String hasRestrictionsMetricName() {
        return "has_fls_restrictions";
    }

    @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedAuthorizationBase
    protected String evaluateRestrictionsMetricName() {
        return "evaluate_fls_restrictions";
    }

    @Override // com.floragunn.searchguard.enterprise.dlsfls.RoleBasedAuthorizationBase
    protected String componentName() {
        return "role_based_field_authorization";
    }
}
