package com.floragunn.searchguard.enterprise.femt;

import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.config.templates.Template;
import com.floragunn.codova.config.text.Pattern;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.TenantManager;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.config.ActionGroup;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.cstate.metrics.CountAggregation;
import com.floragunn.searchsupport.cstate.metrics.Measurement;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/RoleBasedTenantAuthorization.class */
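/**
 * Role-based authorization of tenant actions.
 *
 * <p>The tenant permissions of all configured roles are pre-processed once, at construction time,
 * into two lookup tables (see {@link TenantPermissions}). {@link #hasTenantPermission} then answers
 * "do the user's mapped roles allow this action on this tenant?" from those tables.
 *
 * <p>The decision fails closed: the only paths returning {@code PrivilegesEvaluationResult.OK} are a
 * hit in the pre-computed table or a rendered tenant pattern that matches the requested tenant.
 * Every other path, including a tenant pattern whose rendering fails, ends in {@code INSUFFICIENT}.
 */
public class RoleBasedTenantAuthorization implements TenantAuthorization, ComponentStateProvider {
    private static final Logger log = LogManager.getLogger(RoleBasedTenantAuthorization.class);
    private final TenantManager tenantManager;
    private final TenantPermissions tenant;
    private final ComponentState componentState = new ComponentState("role_based_tenant_authorization");
    private final MetricsLevel metricsLevel;
    private final Measurement<?> tenantActionChecks;
    private final CountAggregation tenantActionCheckResults;
    private final CountAggregation tenantActionCheckResults_ok;
    private final CountAggregation tenantActionCheckResults_insufficient;

    /**
     * Pre-computed view of the tenant permissions of all roles.
     *
     * <p>Constant tenant patterns are expanded against the configured tenant names up front;
     * templated tenant patterns are kept per role and rendered per request.
     */
    static class TenantPermissions implements ComponentStateProvider {
        // action -> concrete tenant name -> names of the roles granting that action on that tenant
        private final ImmutableMap<Action, ImmutableMap<String, ImmutableSet<String>>> actionToTenantToRoles;
        // role name -> action -> non-constant tenant pattern templates, rendered per user at check time
        private final ImmutableMap<String, ImmutableMap<Action, ImmutableSet<Template<Pattern>>>> roleToActionToTenantPattern;
        // one entry per role whose processing threw; attached to INSUFFICIENT results for diagnosis
        private final ImmutableList<PrivilegesEvaluationResult.Error> initializationErrors;
        private final ComponentState componentState;

        /**
         * Builds the lookup tables from the role configuration.
         *
         * @param sgDynamicConfiguration the configured roles, keyed by role name
         * @param flattenedIndex resolves the allowed actions of a tenant permission (action groups) to permission strings
         * @param actions registry used to map permission strings and patterns to {@link Action} objects
         * @param immutableSet the configured tenant names that constant tenant patterns are matched against
         */
        TenantPermissions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, ImmutableSet<String> immutableSet) {
            ImmutableSet<String> configuredTenants = immutableSet;

            ImmutableMap.Builder<Action, ImmutableMap.Builder<String, ImmutableSet.Builder<String>>> rolesByActionAndTenant =
                    new ImmutableMap.Builder<Action, ImmutableMap.Builder<String, ImmutableSet.Builder<String>>>()
                            .defaultValue(action -> new ImmutableMap.Builder<String, ImmutableSet.Builder<String>>()
                                    .defaultValue(tenantName -> new ImmutableSet.Builder<String>()));

            ImmutableMap.Builder<String, ImmutableMap.Builder<Action, ImmutableSet.Builder<Template<Pattern>>>> patternsByRoleAndAction =
                    new ImmutableMap.Builder<String, ImmutableMap.Builder<Action, ImmutableSet.Builder<Template<Pattern>>>>()
                            .defaultValue(roleName -> new ImmutableMap.Builder<Action, ImmutableSet.Builder<Template<Pattern>>>()
                                    .defaultValue(action -> new ImmutableSet.Builder<Template<Pattern>>()));

            ImmutableList.Builder<PrivilegesEvaluationResult.Error> builder = new ImmutableList.Builder<>();

            for (Map.Entry<String, Role> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                try {
                    String roleName = entry.getKey();

                    for (Role.Tenant tenantPermission : entry.getValue().getTenantPermissions()) {
                        for (String permission : flattenedIndex.resolve(tenantPermission.getAllowedActions())) {
                            for (Template<Pattern> tenantTemplate : tenantPermission.getTenantPatterns()) {
                                if (tenantTemplate.isConstant()) {
                                    // Constant tenant pattern: expand it now against the configured tenant names.
                                    ImmutableSet<String> matchingTenants = configuredTenants.matching(tenantTemplate.getConstantValue());

                                    if (Pattern.isConstant(permission)) {
                                        for (String tenantName : matchingTenants) {
                                            rolesByActionAndTenant.get(actions.get(permission)).get(tenantName).add(roleName);
                                        }
                                    } else {
                                        // Permission pattern: only the well-known tenant actions can be matched by it.
                                        Pattern permissionPattern = Pattern.create(permission);

                                        for (Action matchedAction : actions.tenantActions().matching(candidate -> permissionPattern.matches(candidate.name()))) {
                                            for (String tenantName : matchingTenants) {
                                                rolesByActionAndTenant.get(matchedAction).get(tenantName).add(roleName);
                                            }
                                        }
                                    }
                                } else if (Pattern.isConstant(permission)) {
                                    // Templated tenant pattern: it depends on the user, so it is kept for request time.
                                    patternsByRoleAndAction.get(roleName).get(actions.get(permission)).add(tenantTemplate);
                                } else {
                                    Pattern permissionPattern = Pattern.create(permission);

                                    for (Action matchedAction : actions.tenantActions().matching(candidate -> permissionPattern.matches(candidate.name()))) {
                                        patternsByRoleAndAction.get(roleName).get(matchedAction).add(tenantTemplate);
                                    }
                                }
                            }
                        }
                    }
                    // NOTE(review): grants recorded for this role before a failure stay in the builders, so a
                    // failing role is dropped only from the failing entry onward, not as a whole.
                } catch (ConfigValidationException e) {
                    // The specific handler must precede the generic one; after catch (Exception) it is unreachable.
                    RoleBasedTenantAuthorization.log.error("Invalid configuration in role: " + entry + "\nThis should have been caught before. Ignoring role.", e);
                    builder.with(new PrivilegesEvaluationResult.Error("Invalid configuration in role", e, entry.getKey()));
                } catch (Exception e) {
                    RoleBasedTenantAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    builder.with(new PrivilegesEvaluationResult.Error("Unexpected exception while processing role", e, entry.getKey()));
                }
            }

            this.actionToTenantToRoles = rolesByActionAndTenant.build(tenantToRoles -> tenantToRoles.build(ImmutableSet.Builder::build));
            this.roleToActionToTenantPattern = patternsByRoleAndAction.build(actionToPatterns -> actionToPatterns.build(ImmutableSet.Builder::build));
            this.initializationErrors = builder.build();
            this.componentState = new ComponentState("tenant_permissions");
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            if (this.initializationErrors.isEmpty()) {
                this.componentState.setInitialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
                // NOTE(review): this hands over the list builder rather than the built initializationErrors - confirm intended.
                this.componentState.addDetail(builder);
            }
        }

        @Override
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /**
     * Creates the authorization component and wires up its metrics.
     *
     * @param sgDynamicConfiguration the configured roles
     * @param flattenedIndex resolves the allowed actions of a tenant permission to permission strings
     * @param actions registry of known actions
     * @param tenantManager supplies the configured tenant names and validates requested tenants
     * @param metricsLevel selects timing, counting or no-op metrics
     */
    public RoleBasedTenantAuthorization(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, TenantManager tenantManager, MetricsLevel metricsLevel) {
        this.metricsLevel = metricsLevel;
        this.tenantManager = tenantManager;
        this.tenant = new TenantPermissions(sgDynamicConfiguration, flattenedIndex, actions, this.tenantManager.getConfiguredTenantNames());
        this.componentState.addParts(new ComponentState[]{this.tenant.getComponentState()});
        this.componentState.updateStateFromParts();
        this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());

        if (metricsLevel.detailedEnabled()) {
            this.tenantActionChecks = new TimeAggregation.Nanoseconds();
            this.tenantActionCheckResults = new CountAggregation();
        } else if (metricsLevel.basicEnabled()) {
            this.tenantActionChecks = new CountAggregation();
            this.tenantActionCheckResults = new CountAggregation();
        } else {
            this.tenantActionChecks = CountAggregation.noop();
            this.tenantActionCheckResults = CountAggregation.noop();
        }

        this.tenantActionCheckResults_ok = this.tenantActionCheckResults.getSubCount("ok");
        this.tenantActionCheckResults_insufficient = this.tenantActionCheckResults.getSubCount("insufficient");

        if (metricsLevel.basicEnabled()) {
            this.componentState.addMetrics("tenant_action_check_results", this.tenantActionCheckResults);
            this.componentState.addMetrics("tenant_action_checks", this.tenantActionChecks);
        }
    }

    /**
     * Checks whether the user's mapped roles allow {@code action} on the requested tenant.
     *
     * <p>Order of evaluation: (1) the pre-computed table of constant tenant grants, (2) validation of
     * the requested tenant by the {@code TenantManager}, (3) the templated tenant patterns of each
     * mapped role, rendered for the current user. A template that fails to render is recorded as an
     * error and treated as "no match", never as a grant.
     *
     * @param privilegesEvaluationContext supplies the user and the user's mapped roles
     * @param action the tenant action being requested
     * @param str the name of the requested tenant
     * @return {@code OK} if a role grants the action on the tenant, otherwise an {@code INSUFFICIENT}
     *         result carrying either the reason or the missing privilege plus collected errors
     * @throws PrivilegesEvaluationException declared by the {@code TenantAuthorization} contract
     */
    @Override // com.floragunn.searchguard.enterprise.femt.TenantAuthorization
    public PrivilegesEvaluationResult hasTenantPermission(PrivilegesEvaluationContext privilegesEvaluationContext, Action action, String str) throws PrivilegesEvaluationException {
        String requestedTenant = str;

        try (Meter meter = Meter.basic(this.metricsLevel, this.tenantActionChecks)) {
            User user = privilegesEvaluationContext.getUser();
            ImmutableSet<String> mappedRoles = privilegesEvaluationContext.getMappedRoles();
            ImmutableList<PrivilegesEvaluationResult.Error> errors = this.tenant.initializationErrors;

            // The table is built from the configured tenant names only, so a hit here is always a known tenant.
            ImmutableMap<String, ImmutableSet<String>> tenantToRoles = this.tenant.actionToTenantToRoles.get(action);
            if (tenantToRoles != null) {
                ImmutableSet<String> rolesWithPrivilege = tenantToRoles.get(requestedTenant);
                if (rolesWithPrivilege != null && rolesWithPrivilege.containsAny(mappedRoles)) {
                    this.tenantActionCheckResults_ok.increment();
                    return PrivilegesEvaluationResult.OK;
                }
            }

            // Reject unknown tenants before any user-dependent pattern gets a chance to match them.
            if (!this.tenantManager.isTenantHeaderValid(requestedTenant)) {
                // NOTE(review): the tenant name presumably comes from the request and has just failed validation;
                // make sure the log layout encodes line breaks so it cannot forge entries.
                log.info("Invalid tenant requested: {}", requestedTenant);
                this.tenantActionCheckResults_insufficient.increment();
                return PrivilegesEvaluationResult.INSUFFICIENT.reason("Invalid requested tenant");
            }

            try (Meter patternMeter = meter.basic("action_tenant_pattern")) {
                for (String role : mappedRoles) {
                    ImmutableMap<Action, ImmutableSet<Template<Pattern>>> actionToPatterns = this.tenant.roleToActionToTenantPattern.get(role);
                    if (actionToPatterns == null) {
                        continue;
                    }

                    ImmutableSet<Template<Pattern>> tenantTemplates = actionToPatterns.get(action);
                    if (tenantTemplates == null) {
                        continue;
                    }

                    for (Template<Pattern> tenantTemplate : tenantTemplates) {
                        try (Meter renderMeter = patternMeter.basic("render_tenant_template")) {
                            if (tenantTemplate.render(user).matches(requestedTenant)) {
                                this.tenantActionCheckResults_ok.increment();
                                return PrivilegesEvaluationResult.OK;
                            }
                        } catch (ExpressionEvaluationException e) {
                            // Fail closed: an unrenderable pattern grants nothing; the error travels with the result.
                            errors = errors.with(new PrivilegesEvaluationResult.Error("Error while evaluating tenant pattern", e, role));
                            log.error("Error while evaluating tenant privilege", e);
                            this.componentState.addLastException("has_tenant_permission", e);
                        }
                    }
                }
            }

            this.tenantActionCheckResults_insufficient.increment();
            return PrivilegesEvaluationResult.INSUFFICIENT.with(errors).missingPrivileges(action);
        } finally {
            // Counted exactly once per check, whatever the outcome.
            this.tenantActionCheckResults.increment();
        }
    }

    @Override
    public ComponentState getComponentState() {
        return this.componentState;
    }
}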
