package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.config.text.Pattern;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsConfig;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.meta.Meta;
import com.google.common.io.BaseEncoding;
import com.google.common.primitives.Bytes;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collection;
import java.util.stream.Collectors;
import org.apache.lucene.util.BytesRef;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedFieldMasking.class */
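/**
 * Role-based field masking: turns the masked-field expressions of roles into
 * {@link FieldMaskingRule}s and applies them to field values.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Masking is deterministic. Equal inputs produce equal masked values under the same
 *       configuration, so low-entropy values can be matched against hashes of candidate values
 *       by anyone who knows the salt and personalization. Treat both as secrets.</li>
 *   <li>The default algorithm is BLAKE2b (32-byte digest, no key) with the configured salt and
 *       personalization. A custom digest algorithm is applied <em>without</em> the salt.</li>
 *   <li>When a user has several roles, a field is only masked if every role masks it
 *       (see {@link FieldMaskingRule.MultiRole#get(String)}).</li>
 * </ul>
 *
 * <p>This source was recovered by a decompiler. Raw types, array-cast artefacts and an unqualified
 * nested-type reference in the {@code extends} clause that did not compile have been repaired.
 */
public class RoleBasedFieldMasking extends RoleBasedAuthorizationBase<RoleBasedFieldMasking.FieldMaskingRule.SingleRole, RoleBasedFieldMasking.FieldMaskingRule> {
    private final DlsFlsConfig.FieldMasking fieldMaskingConfig;
    /** Lowercase hex encoder used for every digest-based masked value. */
    private static final BaseEncoding hex = BaseEncoding.base16().lowerCase();

    /**
     * A compiled set of masking expressions. {@link #get(String)} returns the {@link Field} to
     * apply to a field name, or {@code null} when the field is delivered unmasked.
     */
    public static abstract class FieldMaskingRule {
        /** Rule without any masking expression: no field is masked. */
        public static final FieldMaskingRule ALLOW_ALL = new SingleRole(ImmutableList.empty());
        /**
         * Rule holding the single {@code MASK_ALL} expression, hashed with the default
         * configuration.
         */
        // NOTE(review): this uses DlsFlsConfig.FieldMasking.DEFAULT rather than the operator's
        // configuration; confirm that DEFAULT does not carry a publicly known salt.
        public static final FieldMaskingRule MASK_ALL = new SingleRole(ImmutableList.of(new Field(Role.Index.FieldMaskingExpression.MASK_ALL, DlsFlsConfig.FieldMasking.DEFAULT)));

        /**
         * One masking expression bound to the salt, personalization and prefix of a
         * field-masking configuration.
         */
        public static class Field {
            private final Role.Index.FieldMaskingExpression expression;
            private final byte[] salt;
            private final byte[] personalization;
            private final byte[] prefix;

            /**
             * @param fieldMaskingExpression the expression (pattern plus optional algorithm or
             *     regex replacements) taken from the role
             * @param fieldMasking supplies salt, personalization and the optional output prefix
             */
            Field(Role.Index.FieldMaskingExpression fieldMaskingExpression, DlsFlsConfig.FieldMasking fieldMasking) {
                this.expression = fieldMaskingExpression;
                // The arrays are stored by reference; this class never writes to them.
                this.salt = fieldMasking.getSalt();
                this.personalization = fieldMasking.getPersonalization();
                // Encode the prefix explicitly as UTF-8. apply(String) decodes the masked bytes
                // as UTF-8, so relying on the platform default charset here could garble a
                // non-ASCII prefix on JVMs whose default is not UTF-8.
                this.prefix = fieldMasking.getPrefix() != null ? fieldMasking.getPrefix().getBytes(StandardCharsets.UTF_8) : null;
            }

            /** Returns the field-name pattern this expression applies to. */
            public Pattern getPattern() {
                return this.expression.getPattern();
            }

            /**
             * Masks a raw value. Unlike {@link #apply(BytesRef)} this overload does not accept
             * {@code null}.
             *
             * @param bArr the value bytes to mask
             * @return the masked bytes, with the configured prefix prepended if there is one
             */
            public byte[] apply(byte[] bArr) {
                return isDefault() ? blake2bHash(bArr) : customHash(bArr);
            }

            /**
             * Masks a string value; the string is encoded to and decoded from UTF-8. Does not
             * accept {@code null}.
             *
             * @param str the value to mask
             * @return the masked value
             */
            public String apply(String str) {
                return isDefault() ? blake2bHash(str) : customHash(str);
            }

            /**
             * Masks a Lucene term value.
             *
             * @param bytesRef the value to mask, may be {@code null}
             * @return the masked value, or {@code null} if {@code bytesRef} is {@code null}
             */
            public BytesRef apply(BytesRef bytesRef) {
                if (bytesRef == null) {
                    return null;
                }
                return isDefault() ? blake2bHash(bytesRef) : customHash(bytesRef);
            }

            @Override
            public String toString() {
                return this.expression.toString();
            }

            /** True when the expression names neither a digest algorithm nor regex replacements. */
            private boolean isDefault() {
                return this.expression.getAlgo() == null && this.expression.getRegexReplacements() == null;
            }

            /** Lowercase hex representation of {@code digest} as bytes (hex output is ASCII). */
            private static byte[] hexBytes(byte[] digest) {
                return RoleBasedFieldMasking.hex.encode(digest).getBytes(StandardCharsets.UTF_8);
            }

            /** Prepends the configured prefix to {@code masked}, if a prefix is configured. */
            private byte[] withPrefix(byte[] masked) {
                return this.prefix != null ? Bytes.concat(this.prefix, masked) : masked;
            }

            /**
             * Masks with the expression's own algorithm: a hex-encoded digest if an algorithm is
             * set, otherwise the regex replacements applied in order.
             *
             * @throws IllegalArgumentException if the expression defines neither
             */
            private byte[] customHash(byte[] input) {
                MessageDigest algo = this.expression.getAlgo();
                if (algo != null) {
                    // The configured salt and personalization are NOT mixed into a custom digest,
                    // so the result is a plain hash of the value.
                    // NOTE(review): MessageDigest instances are not thread-safe. If getAlgo()
                    // hands out one shared instance and apply() runs on several threads at once,
                    // digests can be corrupted; confirm how getAlgo() creates its result.
                    return withPrefix(hexBytes(algo.digest(input)));
                }
                if (this.expression.getRegexReplacements() == null) {
                    throw new IllegalArgumentException("Field masking expression defines neither a digest algorithm nor regex replacements: " + this.expression);
                }
                // Regex masking only rewrites what the patterns match; everything else in the
                // value is passed through in clear text.
                String masked = new String(input, StandardCharsets.UTF_8);
                for (Role.Index.FieldMaskingExpression.RegexReplacement regexReplacement : this.expression.getRegexReplacements()) {
                    masked = regexReplacement.getRegex().matcher(masked).replaceAll(regexReplacement.getReplacement());
                }
                return withPrefix(masked.getBytes(StandardCharsets.UTF_8));
            }

            private BytesRef customHash(BytesRef bytesRef) {
                // deepCopyOf detaches the value from the caller's buffer; the copy's backing
                // array is used as the value bytes.
                return new BytesRef(customHash(BytesRef.deepCopyOf(bytesRef).bytes));
            }

            private String customHash(String value) {
                return new String(customHash(value.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
            }

            /**
             * Default masking: BLAKE2b with a 32-byte digest, no key, and the configured salt and
             * personalization; the digest is hex-encoded and prefixed.
             */
            private byte[] blake2bHash(byte[] input) {
                Blake2bDigest digest = new Blake2bDigest(null, 32, this.salt, this.personalization);
                digest.update(input, 0, input.length);
                byte[] out = new byte[digest.getDigestSize()];
                digest.doFinal(out, 0);
                return withPrefix(hexBytes(out));
            }

            private BytesRef blake2bHash(BytesRef bytesRef) {
                // See customHash(BytesRef) for why the value is copied first.
                return new BytesRef(blake2bHash(BytesRef.deepCopyOf(bytesRef).bytes));
            }

            private String blake2bHash(String value) {
                return new String(blake2bHash(value.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
            }
        }

        /** Combination of the rules of all roles that apply to a user. */
        public static class MultiRole extends FieldMaskingRule {
            final ImmutableList<SingleRole> parts;
            final boolean allowAll;

            /**
             * @param collection the per-role rules; the combination is "allow all" as soon as one
             *     of them is
             */
            MultiRole(Collection<SingleRole> collection) {
                this.parts = ImmutableList.of(collection);
                this.allowAll = this.parts.forAnyApplies(singleRole -> singleRole.isAllowAll());
            }

            /**
             * Returns the masking to apply to a field, or {@code null} for no masking.
             *
             * <p>The least restrictive role wins: if any role has no expression matching the
             * field, the field is not masked. If every role masks it, the expression of the last
             * role in iteration order is used. An empty role list yields {@code null}.
             *
             * @param str the field name; a trailing {@code .keyword} is ignored
             */
            @Override
            public Field get(String str) {
                String fieldName = stripKeywordSuffix(str);
                Field field = null;
                for (SingleRole part : this.parts) {
                    field = part.get(fieldName);
                    if (field == null) {
                        return null;
                    }
                }
                return field;
            }

            @Override
            public boolean isAllowAll() {
                return this.allowAll;
            }

            @Override
            public String toString() {
                return isAllowAll() ? "FM:*" : "FM:" + this.parts.map(singleRole -> singleRole.expressions);
            }
        }

        /** The masking expressions of one index entry of one role. */
        public static class SingleRole extends FieldMaskingRule {
            /** The role's index entry the expressions came from; {@code null} for ad-hoc rules. */
            final Role.Index sourceIndex;
            final ImmutableList<Field> expressions;

            /**
             * @param index the role's index entry; its masked fields must not be {@code null}
             * @param fieldMasking the configuration every expression is bound to
             */
            SingleRole(Role.Index index, DlsFlsConfig.FieldMasking fieldMasking) {
                this.sourceIndex = index;
                this.expressions = ImmutableList.of(index.getMaskedFields().stream()
                        .map(fieldMaskingExpression -> new Field(fieldMaskingExpression, fieldMasking))
                        .collect(Collectors.toList()));
            }

            /** Creates a rule from already bound expressions, without a source index. */
            SingleRole(ImmutableList<Field> immutableList) {
                this.sourceIndex = null;
                this.expressions = immutableList;
            }

            /**
             * Returns the first expression whose pattern matches the field name, or {@code null}
             * if none matches (the field is not masked by this role).
             *
             * @param str the field name; a trailing {@code .keyword} is ignored
             */
            @Override
            public Field get(String str) {
                return internalGet(stripKeywordSuffix(str));
            }

            private Field internalGet(String fieldName) {
                for (Field field : this.expressions) {
                    if (field.getPattern().matches(fieldName)) {
                        return field;
                    }
                }
                return null;
            }

            /** A role without any masking expression masks nothing. */
            @Override
            public boolean isAllowAll() {
                return this.expressions.isEmpty();
            }

            @Override
            public String toString() {
                return isAllowAll() ? "FM:*" : "FM:" + this.expressions;
            }
        }

        /**
         * Builds a single-role rule from textual masking expressions.
         *
         * @param fieldMasking the configuration every expression is bound to
         * @param strArr the masking expressions, in evaluation order
         * @return a rule holding one {@link Field} per expression
         * @throws ConfigValidationException if an expression cannot be parsed
         */
        public static FieldMaskingRule of(DlsFlsConfig.FieldMasking fieldMasking, String... strArr) throws ConfigValidationException {
            ImmutableList.Builder<Role.Index.FieldMaskingExpression> builder = new ImmutableList.Builder<>();
            for (String str : strArr) {
                builder.add(new Role.Index.FieldMaskingExpression(str));
            }
            return new SingleRole(builder.build().map(fieldMaskingExpression -> new Field(fieldMaskingExpression, fieldMasking)));
        }

        /**
         * @param str the field name
         * @return the masking to apply, or {@code null} if the field is not masked
         */
        public abstract Field get(String str);

        /** @return true if this rule masks no field at all */
        public abstract boolean isAllowAll();

        /**
         * Removes one trailing {@code .keyword} so that a keyword sub-field is matched under the
         * name of its parent field. Only this suffix is handled; any other sub-field name is
         * matched literally and needs its own pattern coverage.
         */
        static String stripKeywordSuffix(String str) {
            return str.endsWith(".keyword") ? str.substring(0, str.length() - ".keyword".length()) : str;
        }
    }

    /**
     * @param sgDynamicConfiguration the role configuration to compile rules from
     * @param fieldMasking salt, personalization and prefix used for all masked values
     * @param meta passed through to the base class
     * @param metricsLevel passed through to the base class
     */
    public RoleBasedFieldMasking(SgDynamicConfiguration<Role> sgDynamicConfiguration, DlsFlsConfig.FieldMasking fieldMasking, Meta meta, MetricsLevel metricsLevel) {
        super(sgDynamicConfiguration, meta, metricsLevel, index -> roleToRule(index, fieldMasking));
        this.fieldMaskingConfig = fieldMasking;
    }

    /**
     * Converts one index entry of a role into a rule.
     *
     * <p>Package-private in the original class; the decompiler widened the visibility.
     *
     * @return the rule, or {@code null} if the entry declares no masked fields
     */
    public static FieldMaskingRule.SingleRole roleToRule(Role.Index index, DlsFlsConfig.FieldMasking fieldMasking) {
        ImmutableList<?> maskedFields = index.getMaskedFields();
        if (maskedFields == null || maskedFields.isEmpty()) {
            return null;
        }
        return new FieldMaskingRule.SingleRole(index, fieldMasking);
    }

    /** Rule for users without restrictions. Protected in the original class. */
    @Override
    public FieldMaskingRule unrestricted() {
        return FieldMaskingRule.ALLOW_ALL;
    }

    /** Rule that masks every field. Protected in the original class. */
    @Override
    public FieldMaskingRule fullyRestricted() {
        return FieldMaskingRule.MASK_ALL;
    }

    /**
     * Combines the per-role rules into one rule. The evaluation context is not used here.
     * Protected in the original class.
     */
    @Override
    public FieldMaskingRule compile(PrivilegesEvaluationContext privilegesEvaluationContext, Collection<FieldMaskingRule.SingleRole> collection) throws PrivilegesEvaluationException {
        return new FieldMaskingRule.MultiRole(collection);
    }

    @Override
    protected String hasRestrictionsMetricName() {
        return "has_fm_restriction";
    }

    @Override
    protected String evaluateRestrictionsMetricName() {
        return "evaluate_fm_restriction";
    }

    @Override
    protected String componentName() {
        return "role_based_field_masking";
    }

    /** Returns the field-masking configuration this instance was created with. */
    public DlsFlsConfig.FieldMasking getFieldMaskingConfig() {
        return this.fieldMaskingConfig;
    }
}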
