package com.floragunn.searchguard.authc.base;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Document;
import com.floragunn.codova.documents.Metadata;
import com.floragunn.codova.documents.Parser;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.support.IPAddressCollection;
import com.floragunn.searchguard.support.Pattern;
import com.floragunn.searchguard.user.AuthCredentials;
import inet.ipaddr.IPAddress;

/* loaded from: input_file:com/floragunn/searchguard/authc/base/AcceptanceRules.class */
/**
 * Evaluates the {@code accept} / {@code skip} criteria of an authentication domain against a request.
 *
 * <p>Both criteria sets are optional: a {@code null} set imposes no restriction, and inside a set every
 * attribute left {@code null} is ignored. A request passes only when every configured {@code accept}
 * condition holds and no configured {@code skip} condition matches.
 *
 * <p>{@link #accept(RequestMetaData)} checks, in this order: direct IP, originating IP, the
 * {@code trusted_ips} flag (accept side only), client certificate DN. User names are checked
 * separately by {@link #accept(AuthCredentials)}.
 */
public class AcceptanceRules {
    // Conditions that must all hold; null = unrestricted.
    private final Criteria accept;
    // Conditions that exclude a request when any of them matches; null = unrestricted.
    private final Criteria skip;

    /* loaded from: input_file:com/floragunn/searchguard/authc/base/AcceptanceRules$Criteria.class */
    /**
     * One criteria set as configured under {@code accept} or {@code skip}.
     *
     * <p>Every attribute is optional; an absent attribute is stored as {@code null} (or {@code false}
     * for {@code trusted_ips}) and is then ignored by {@link AcceptanceRules}.
     */
    public static class Criteria implements Document<Criteria> {
        public static final Metadata<Criteria> META = Metadata.create(
                Criteria.class,
                "Acceptance rules criteria",
                Criteria::parse,
                new Metadata.Attribute[] {
                        Metadata.Attribute.list("originating_ips", String.class, "Matches the actual IP address of the client where request originates from. You can specify CIDR expressions like 10.10.10.0/24"),
                        Metadata.Attribute.list("ips", String.class, "Matches the direct IP address of the host connecting to the node. You can specify CIDR expressions like 10.10.10.0/24"),
                        Metadata.Attribute.optional("trusted_ips", Boolean.class, "Matches only trusted IPs according to network.trusted_proxies").defaultValue(false),
                        Metadata.Attribute.list("users", String.class, "Matches the user names"),
                        Metadata.Attribute.list("client_certs", String.class, "Matches the DNs of client certificates")
                });

        // The configuration node this set was parsed from; returned verbatim by toBasicObject().
        private final DocNode source;
        // "originating_ips": the client address as reported by the request metadata.
        private final IPAddressCollection originatingIps;
        // "ips": the address of the peer directly connected to the node.
        private final IPAddressCollection directIps;
        // "users": user name pattern.
        private final Pattern users;
        // "client_certs": client certificate subject DN pattern.
        private final Pattern clientCerts;
        // "trusted_ips": require the request to come via a trusted proxy (only consulted for accept).
        private final boolean trustedIps;

        /**
         * Creates a criteria set from already-parsed values.
         *
         * @param source        the originating configuration node
         * @param originatingIps allowed/excluded originating IPs, or {@code null} for unrestricted
         * @param directIps     allowed/excluded direct peer IPs, or {@code null} for unrestricted
         * @param trustedIps    whether only requests via a trusted proxy match
         * @param users         user name pattern, or {@code null} for unrestricted
         * @param clientCerts   client certificate DN pattern, or {@code null} for unrestricted
         */
        public Criteria(DocNode source, IPAddressCollection originatingIps, IPAddressCollection directIps, boolean trustedIps, Pattern users, Pattern clientCerts) {
            this.source = source;
            this.originatingIps = originatingIps;
            this.directIps = directIps;
            this.users = users;
            this.clientCerts = clientCerts;
            this.trustedIps = trustedIps;
        }

        /**
         * Parses a criteria set from configuration.
         *
         * <p>All attributes are read before errors are reported, so one exception carries every
         * problem found in the node.
         *
         * @throws ConfigValidationException if any attribute fails to parse
         */
        public static Criteria parse(DocNode docNode, Parser.Context context) throws ConfigValidationException {
            ValidationErrors errors = new ValidationErrors();
            ValidatingDocNode node = new ValidatingDocNode(docNode, errors, context);

            IPAddressCollection originating = (IPAddressCollection) node.get("originating_ips").by(IPAddressCollection::parse);
            IPAddressCollection direct = (IPAddressCollection) node.get("ips").by(IPAddressCollection::parse);
            boolean trusted = node.get("trusted_ips").withDefault(false).asBoolean();
            Pattern userPattern = (Pattern) node.get("users").by(Pattern::parse);
            Pattern certPattern = (Pattern) node.get("client_certs").by(Pattern::parse);

            // Collected errors are raised only after every attribute has been visited.
            errors.throwExceptionForPresentErrors();

            return new Criteria(docNode, originating, direct, trusted, userPattern, certPattern);
        }

        /** @return the user name pattern, or {@code null} if unrestricted */
        public Pattern getUsers() {
            return users;
        }

        /** @return the originating IP set, or {@code null} if unrestricted */
        public IPAddressCollection getOriginatingIps() {
            return originatingIps;
        }

        /** @return the direct peer IP set, or {@code null} if unrestricted */
        public IPAddressCollection getDirectIps() {
            return directIps;
        }

        /** @return the client certificate DN pattern, or {@code null} if unrestricted */
        public Pattern getClientCerts() {
            return clientCerts;
        }

        /** @return whether only requests arriving via a trusted proxy match */
        public boolean isTrustedIps() {
            return trustedIps;
        }

        /** @return the configuration node this set was parsed from */
        @Override
        public Object toBasicObject() {
            return source;
        }
    }

    /**
     * @param accept conditions that must all hold, or {@code null} for unrestricted
     * @param skip   conditions that exclude a request when any matches, or {@code null} for unrestricted
     */
    public AcceptanceRules(Criteria accept, Criteria skip) {
        this.accept = accept;
        this.skip = skip;
    }

    /**
     * Decides whether the request's network and certificate properties satisfy these rules.
     *
     * <p>Note the fail-closed handling of client certificates: if either side configures
     * {@code client_certs} and the request carries no client certificate subject, the request is
     * rejected — also for {@code skip}, where a missing certificate cannot match anything.
     * The {@code trusted_ips} flag of the {@code skip} set is not consulted here.
     *
     * @param requestMetaData the request's addresses, proxy status and client certificate subject
     * @return {@code true} if the request may proceed to this authentication domain
     */
    public boolean accept(RequestMetaData<?> requestMetaData) {
        IPAddress directIp = requestMetaData.getDirectIpAddress();
        if (!passesIpRules(directIp, accept == null ? null : accept.directIps, skip == null ? null : skip.directIps)) {
            return false;
        }

        IPAddress originatingIp = requestMetaData.getOriginatingIpAddress();
        if (!passesIpRules(originatingIp, accept == null ? null : accept.originatingIps, skip == null ? null : skip.originatingIps)) {
            return false;
        }

        // trusted_ips is only evaluated on the accept side; skip.trustedIps is never read.
        if (accept != null && accept.trustedIps && !requestMetaData.isTrustedProxy()) {
            return false;
        }

        String certSubject = requestMetaData.getClientCertSubject();
        Pattern requiredCerts = accept == null ? null : accept.clientCerts;
        Pattern excludedCerts = skip == null ? null : skip.clientCerts;

        if (certSubject == null) {
            // No certificate presented: pass only if neither side restricts on certificates.
            return requiredCerts == null && excludedCerts == null;
        }
        if (requiredCerts != null && !requiredCerts.matches(certSubject)) {
            return false;
        }
        return excludedCerts == null || !excludedCerts.matches(certSubject);
    }

    /**
     * Applies the accept/skip IP sets to one address.
     *
     * @param ip       the address to test
     * @param required set the address must be in, or {@code null} for unrestricted
     * @param excluded set the address must not be in, or {@code null} for unrestricted
     */
    private static boolean passesIpRules(IPAddress ip, IPAddressCollection required, IPAddressCollection excluded) {
        if (required != null && !required.contains(ip)) {
            return false;
        }
        return excluded == null || !excluded.contains(ip);
    }

    /**
     * Decides whether the authenticated user name satisfies the {@code users} criteria.
     *
     * @param authCredentials credentials whose name is matched; it is passed to the patterns as-is
     * @return {@code true} if the user is accepted and not skipped
     */
    public boolean accept(AuthCredentials authCredentials) {
        if (accept != null && accept.users != null && !accept.users.matches(authCredentials.getName())) {
            return false;
        }
        return skip == null || skip.users == null || !skip.users.matches(authCredentials.getName());
    }
}
