package com.floragunn.searchguard.dlic.rest.api;

import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authz.AuthorizationService;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContextProviderRegistry;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.util.SSLRequestHelper;
import com.floragunn.searchguard.user.User;
import java.io.IOException;
import java.nio.file.Path;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentType;

/* loaded from: input_file:com/floragunn/searchguard/dlic/rest/api/RestApiPrivilegesEvaluator.class */
public class RestApiPrivilegesEvaluator {
    private final AdminDNs adminDNs;
    private final AuthorizationService authorizationService;
    private final SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry;
    private final PrincipalExtractor principalExtractor;
    private final Path configPath;
    private final ThreadPool threadPool;
    private final Settings settings;
    Map<Endpoint, List<RestRequest.Method>> globallyDisabledEndpoints;
    Map<Endpoint, List<RestRequest.Method>> allEndpoints;
    private final Boolean roleBasedAccessEnabled;
    protected final Logger logger = LogManager.getLogger(getClass());
    private final Set<String> allowedRoles = new HashSet();
    private final Map<String, Map<Endpoint, List<RestRequest.Method>>> disabledEndpointsForRoles = new HashMap();
    private final Map<String, Map<Endpoint, List<RestRequest.Method>>> disabledEndpointsForUsers = new HashMap();

    public RestApiPrivilegesEvaluator(Settings settings, AdminDNs adminDNs, AuthorizationService authorizationService, SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry, PrincipalExtractor principalExtractor, Path path, ThreadPool threadPool) {
        this.globallyDisabledEndpoints = new HashMap();
        this.allEndpoints = new HashMap();
        this.adminDNs = adminDNs;
        this.authorizationService = authorizationService;
        this.principalExtractor = principalExtractor;
        this.configPath = path;
        this.threadPool = threadPool;
        this.settings = settings;
        this.specialPrivilegesEvaluationContextProviderRegistry = specialPrivilegesEvaluationContextProviderRegistry;
        HashMap hashMap = new HashMap();
        for (Endpoint endpoint : Endpoint.values()) {
            LinkedList linkedList = new LinkedList();
            linkedList.addAll(Arrays.asList(RestRequest.Method.values()));
            hashMap.put(endpoint, linkedList);
        }
        this.allEndpoints = Collections.unmodifiableMap(hashMap);
        this.allowedRoles.addAll(settings.getAsList("searchguard.restapi.roles_enabled"));
        this.roleBasedAccessEnabled = Boolean.valueOf(!this.allowedRoles.isEmpty());
        Settings asSettings = settings.getAsSettings("searchguard.restapi.endpoints_disabled.global");
        if (!asSettings.isEmpty()) {
            this.globallyDisabledEndpoints = parseDisabledEndpoints(asSettings);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Globally disabled endpoints: {}", this.globallyDisabledEndpoints);
        }
        for (String str : this.allowedRoles) {
            Settings asSettings2 = settings.getAsSettings("searchguard.restapi.endpoints_disabled." + str);
            if (!asSettings2.isEmpty()) {
                Map<Endpoint, List<RestRequest.Method>> parseDisabledEndpoints = parseDisabledEndpoints(asSettings2);
                if (parseDisabledEndpoints.isEmpty()) {
                    this.logger.warn("Disabled endpoints/methods empty for role {}, please check configuration", str);
                } else {
                    this.disabledEndpointsForRoles.put(str, parseDisabledEndpoints);
                }
            } else if (this.logger.isDebugEnabled()) {
                this.logger.debug("No disabled endpoints/methods for permitted role {} found, allowing all", str);
            }
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Parsed permission set for endpoints: {}", this.disabledEndpointsForRoles);
        }
    }

    private Map<Endpoint, List<RestRequest.Method>> parseDisabledEndpoints(Settings settings) {
        if (settings == null || settings.isEmpty()) {
            this.logger.error("Settings for disabled endpoint is null or empty: '{}', skipping.", settings);
            return Collections.emptyMap();
        }
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, Object> entry : convertJsonToxToStructuredMap(settings).entrySet()) {
            String upperCase = entry.getKey().toUpperCase();
            try {
                Endpoint valueOf = Endpoint.valueOf(upperCase);
                if (entry.getValue() == null) {
                    this.logger.error("Disabled HTTP methods of endpoint '{}' is null, skipping.", upperCase);
                } else {
                    if (!(entry.getValue() instanceof Collection)) {
                        this.logger.error("Disabled HTTP methods of endpoint '{}' must be an array, actually is '{}', skipping.", upperCase, entry.getValue().toString());
                    }
                    LinkedList linkedList = new LinkedList();
                    Iterator it = ((Collection) entry.getValue()).iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        Object next = it.next();
                        if (next == null) {
                            this.logger.error("Found null value in disabled HTTP methods of endpoint '{}', skipping.", upperCase);
                        } else if (next instanceof String) {
                            String str = (String) next;
                            if (str.trim().equals("*")) {
                                linkedList.addAll(Arrays.asList(RestRequest.Method.values()));
                                break;
                            }
                            try {
                                linkedList.add(RestRequest.Method.valueOf(str.toUpperCase()));
                            } catch (Exception e) {
                                this.logger.error("Invalid HTTP method '{}' found in disabled HTTP methods of endpoint '{}', skipping.", str.toUpperCase(), upperCase);
                            }
                        } else {
                            this.logger.error("Found non-String value in disabled HTTP methods of endpoint '{}', skipping.", upperCase);
                        }
                    }
                    hashMap.put(valueOf, linkedList);
                }
            } catch (Exception e2) {
                this.logger.error("Unknown endpoint '{}' found in configuration, skipping.", upperCase);
            }
        }
        return hashMap;
    }

    private static Map<String, Object> convertJsonToxToStructuredMap(ToXContent toXContent) {
        try {
            return (Map) XContentHelper.convertToMap(XContentHelper.toXContent(toXContent, XContentType.JSON, false), false, XContentType.JSON).v2();
        } catch (IOException e) {
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    public String checkAccessPermissions(RestRequest restRequest, Endpoint endpoint) throws IOException {
        String checkAdminCertBasedAccessPermissions;
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Checking admin access for endpoint {}, path {} and method {}", endpoint.name(), restRequest.path(), restRequest.method().name());
        }
        String checkRoleBasedAccessPermissions = checkRoleBasedAccessPermissions(restRequest, endpoint);
        if (checkRoleBasedAccessPermissions == null || (checkAdminCertBasedAccessPermissions = checkAdminCertBasedAccessPermissions(restRequest)) == null) {
            return null;
        }
        return constructAccessErrorMessage(checkRoleBasedAccessPermissions, checkAdminCertBasedAccessPermissions);
    }

    public boolean currentUserHasRestApiAccess(Set<String> set) {
        return !Collections.disjoint(this.allowedRoles, set);
    }

    public Map<Endpoint, List<RestRequest.Method>> getDisabledEndpointsForCurrentUser(User user, Set<String> set) {
        String name = user.getName();
        if (this.disabledEndpointsForUsers.containsKey(name)) {
            return this.disabledEndpointsForUsers.get(name);
        }
        if (!currentUserHasRestApiAccess(set)) {
            return this.allEndpoints;
        }
        HashMap hashMap = new HashMap();
        LinkedList<Endpoint> linkedList = new LinkedList(Arrays.asList(Endpoint.values()));
        boolean z = false;
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            Map<Endpoint, List<RestRequest.Method>> map = this.disabledEndpointsForRoles.get(it.next());
            if (map != null && !map.isEmpty()) {
                linkedList.retainAll(map.keySet());
                z = true;
            }
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Remaining endpoints for user {} after retaining all : {}", name, linkedList);
        }
        if (!z) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("No disabled endpoints for user {} at all,  only globally disabledendpoints apply.", name, linkedList);
            }
            this.disabledEndpointsForUsers.put(name, addGloballyDisabledEndpoints(hashMap));
            return hashMap;
        }
        for (Endpoint endpoint : linkedList) {
            LinkedList linkedList2 = new LinkedList(Arrays.asList(RestRequest.Method.values()));
            Iterator<String> it2 = set.iterator();
            while (it2.hasNext()) {
                Map<Endpoint, List<RestRequest.Method>> map2 = this.disabledEndpointsForRoles.get(it2.next());
                if (map2 != null && !map2.isEmpty()) {
                    linkedList2.retainAll(map2.get(endpoint));
                }
            }
            hashMap.put(endpoint, linkedList2);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Disabled endpoints for user {} after retaining all : {}", name, hashMap);
        }
        addGloballyDisabledEndpoints(hashMap);
        this.disabledEndpointsForUsers.put(name, hashMap);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Disabled endpoints for user {} after retaining all : {}", this.disabledEndpointsForUsers.get(name));
        }
        return this.disabledEndpointsForUsers.get(name);
    }

    private Map<Endpoint, List<RestRequest.Method>> addGloballyDisabledEndpoints(Map<Endpoint, List<RestRequest.Method>> map) {
        if (this.globallyDisabledEndpoints != null && !this.globallyDisabledEndpoints.isEmpty()) {
            for (Endpoint endpoint : this.globallyDisabledEndpoints.keySet()) {
                map.putIfAbsent(endpoint, new LinkedList());
                map.get(endpoint).addAll(this.globallyDisabledEndpoints.get(endpoint));
            }
        }
        return map;
    }

    private String checkRoleBasedAccessPermissions(RestRequest restRequest, Endpoint endpoint) {
        ImmutableSet mappedRoles;
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Checking role based admin access for endpoint {} and method {}", endpoint.name(), restRequest.method().name());
        }
        if (!this.roleBasedAccessEnabled.booleanValue()) {
            return "Role based access not enabled.";
        }
        User user = (User) this.threadPool.getThreadContext().getTransient("_sg_user");
        SpecialPrivilegesEvaluationContext specialPrivilegesEvaluationContext = null;
        if (this.specialPrivilegesEvaluationContextProviderRegistry != null) {
            specialPrivilegesEvaluationContext = this.specialPrivilegesEvaluationContextProviderRegistry.provide(user, this.threadPool.getThreadContext());
        }
        if (specialPrivilegesEvaluationContext == null) {
            mappedRoles = this.authorizationService.getMappedRoles(user, (TransportAddress) this.threadPool.getThreadContext().getTransient("_sg_remote_address"));
        } else {
            user = specialPrivilegesEvaluationContext.getUser();
            TransportAddress caller = specialPrivilegesEvaluationContext.getCaller() != null ? specialPrivilegesEvaluationContext.getCaller() : (TransportAddress) this.threadPool.getThreadContext().getTransient("_sg_remote_address");
            mappedRoles = specialPrivilegesEvaluationContext.getMappedRoles();
            if (!specialPrivilegesEvaluationContext.isSgConfigRestApiAllowed()) {
                this.logger.info("User {} is authenticated with auth token which does not allow REST API access.", user, mappedRoles);
                return "User " + user.getName() + " is authenticated with auth token which does not allow REST API access.";
            }
        }
        if (!currentUserHasRestApiAccess(mappedRoles)) {
            this.logger.info("User {} with Search Guard roles {} does not have any role privileged for admin access.", user, mappedRoles);
            return "User " + user.getName() + " with Search Guard Roles " + mappedRoles + " does not have any role privileged for admin access";
        }
        Map<Endpoint, List<RestRequest.Method>> disabledEndpointsForCurrentUser = getDisabledEndpointsForCurrentUser(user, mappedRoles);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Disabled endpoints for user {} : {} ", user, disabledEndpointsForCurrentUser);
        }
        List<RestRequest.Method> list = disabledEndpointsForCurrentUser.get(endpoint);
        if (list == null || list.isEmpty()) {
            if (!this.logger.isDebugEnabled()) {
                return null;
            }
            this.logger.debug("No disabled methods for user {} and endpoint {}, access allowed ", user, endpoint);
            return null;
        }
        if (list.contains(restRequest.method())) {
            this.logger.info("User {} with Search Guard Roles {} does not have access to endpoint {} and method {}, checking admin TLS certificate now.", user, mappedRoles, endpoint.name(), restRequest.method());
            return "User " + user.getName() + " with Search Guard Roles " + mappedRoles + " does not have any access to endpoint " + endpoint.name() + " and method " + restRequest.method().name();
        }
        if (!this.logger.isDebugEnabled()) {
            return null;
        }
        this.logger.debug("Request method {} for user {} and endpoint {} not restricted, access allowed ", restRequest.method(), user, endpoint);
        return null;
    }

    private String checkAdminCertBasedAccessPermissions(RestRequest restRequest) throws IOException {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Checking certificate based admin access for path {} and method {}", restRequest.path(), restRequest.method().name());
        }
        SSLRequestHelper.SSLInfo sSLInfo = SSLRequestHelper.getSSLInfo(this.settings, this.configPath, restRequest, this.principalExtractor);
        if (sSLInfo == null) {
            this.logger.warn("No ssl info found in request.");
            return "No ssl info found in request.";
        }
        X509Certificate[] x509Certs = sSLInfo.getX509Certs();
        if (x509Certs == null || x509Certs.length == 0) {
            this.logger.warn("No client TLS certificate found in request");
            return "No client TLS certificate found in request";
        }
        if (this.adminDNs.isAdminDN(sSLInfo.getPrincipal())) {
            return null;
        }
        this.logger.warn("SG admin permissions required but {} is not an admin", sSLInfo.getPrincipal());
        return "SG admin permissions required but " + sSLInfo.getPrincipal() + " is not an admin";
    }

    private String constructAccessErrorMessage(String str, String str2) {
        return str + ". " + str2;
    }
}
