package com.floragunn.searchguard.authz.config;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Document;
import com.floragunn.codova.documents.Parser;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.ValidationResult;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.Hideable;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.IPAddressCollection;
import com.floragunn.searchguard.support.Pattern;
import com.floragunn.searchguard.support.PatternMap;
import com.floragunn.searchguard.user.User;
import com.google.common.collect.ArrayListMultimap;
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressNetwork;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.transport.TransportAddress;

/* loaded from: input_file:com/floragunn/searchguard/authz/config/RoleMapping.class */
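/**
 * One entry of the role-mapping configuration: the criteria under which the role named by
 * the entry's key is assigned to a request.
 *
 * <p>The criteria are user name patterns ({@code users}), backend role patterns
 * ({@code backend_roles}), backend role patterns that must all match
 * ({@code and_backend_roles}), host patterns ({@code hosts}) and IP addresses or ranges
 * ({@code ips}). Instances are immutable; all fields are assigned once in a constructor.
 *
 * <p>NOTE(review): this file is decompiler output. Type arguments have been restored only
 * where the declared field types on this page determine them.
 */
public class RoleMapping implements Document<RoleMapping>, Hideable {
    private static final Logger log = LogManager.getLogger(RoleMapping.class);

    // Document node this mapping was parsed from; returned unchanged by toBasicObject().
    private final DocNode source;
    // Value of the "reserved" attribute (false when absent).
    private final boolean reserved;
    // Value of the "hidden" attribute (false when absent).
    private final boolean hidden;
    // Parsed "backend_roles" attribute.
    private final Pattern backendRoles;
    // Parsed "users" attribute.
    private final Pattern users;
    // Parsed "hosts" attribute.
    private final Pattern hosts;
    // Parsed "ips" attribute.
    private final IPAddressCollection ips;
    // Parsed "and_backend_roles" attribute; null when the attribute is absent or null.
    private final ImmutableSet<Pattern> andBackendRoles;
    // Value of the "description" attribute.
    private final String description;

    /**
     * Lookup structure built from all role mappings. Each criterion (user pattern, backend
     * role pattern, host pattern, IP collection, AND-ed backend role set) points to the keys
     * of the configuration entries that declare it; {@link #evaluate} adds those keys to the
     * caller's role set.
     */
    public static class InvertedIndex {
        private final PatternMap<String> byUsers;
        private final PatternMap<String> byBackendRoles;
        private final PatternMap<String> byHostNames;
        private final ImmutableMap<IPAddressCollection, ImmutableSet<String>> byIps;
        private final ImmutableMap<ImmutableSet<Pattern>, ImmutableSet<String>> byBackendRolesAnded;
        private static final IPAddressNetwork.IPAddressGenerator ipAddressGenerator = new IPAddressNetwork.IPAddressGenerator();

        /**
         * Builds the index from every entry of the given role-mapping configuration.
         *
         * @param sgDynamicConfiguration configuration whose entries map a role name (the
         *                               entry key) to its {@link RoleMapping}
         */
        public InvertedIndex(SgDynamicConfiguration<RoleMapping> sgDynamicConfiguration) {
            // Raw builder types are kept as recovered by the decompiler: the type parameters of
            // PatternMap.Builder are not visible in this file.
            PatternMap.Builder usersBuilder = new PatternMap.Builder();
            PatternMap.Builder backendRolesBuilder = new PatternMap.Builder();
            PatternMap.Builder hostNamesBuilder = new PatternMap.Builder();
            // Type arguments restored: with raw multimaps the mapping lambdas below receive
            // Object parameters and no longer type-check.
            ArrayListMultimap<String, String> rolesByIpSource = ArrayListMultimap.create();
            ArrayListMultimap<ImmutableSet<Pattern>, String> rolesByAndedBackendRoles = ArrayListMultimap.create();

            for (Map.Entry<String, RoleMapping> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                String roleName = entry.getKey();
                RoleMapping mapping = entry.getValue();
                usersBuilder.add(mapping.getUsers(), roleName);
                backendRolesBuilder.add(mapping.getBackendRoles(), roleName);
                hostNamesBuilder.add(mapping.getHosts(), roleName);

                IPAddressCollection mappingIps = mapping.getIps();
                if (mappingIps != null && !mappingIps.getSource().isEmpty()) {
                    // Index each configured IP expression on its own so that mappings sharing
                    // an expression share one compiled collection.
                    for (String ipSource : mappingIps.getSource()) {
                        rolesByIpSource.put(ipSource, roleName);
                    }
                }

                ImmutableSet<Pattern> andedPatterns = mapping.getAndBackendRoles();
                if (andedPatterns != null && !andedPatterns.isEmpty()) {
                    rolesByAndedBackendRoles.put(ImmutableSet.of(andedPatterns), roleName);
                }
            }

            this.byUsers = usersBuilder.build();
            this.byBackendRoles = backendRolesBuilder.build();
            this.byHostNames = hostNamesBuilder.build();
            // ip() returns null for an expression it cannot compile.
            // NOTE(review): whether ImmutableMap.map drops, keeps or rejects a null key is not
            // visible here; evaluate() therefore skips null keys defensively.
            this.byIps = ImmutableMap.map(rolesByIpSource.asMap(), str -> ip(str), collection -> ImmutableSet.of(collection));
            this.byBackendRolesAnded = ImmutableMap.map(rolesByAndedBackendRoles.asMap(), immutableSet -> immutableSet,
                    collection2 -> ImmutableSet.of(collection2));
        }

        /**
         * Computes the effective roles of a user for a request.
         *
         * <p>The result always starts from {@code user.getSearchGuardRoles()}. Depending on
         * the resolution mode:
         * <ul>
         *   <li>{@code BACKENDROLES_ONLY} or {@code BOTH}: every backend role of the user is
         *       added as an effective role under the same name, without consulting any
         *       mapping.</li>
         *   <li>{@code MAPPING_ONLY} or {@code BOTH}: roles are added for every mapping whose
         *       user, backend role, host, IP or AND-ed backend role criterion matches.</li>
         * </ul>
         *
         * <p>Security note: host criteria are matched against
         * {@code transportAddress.address().getHostName()} as well as the textual address.
         * Assuming {@code address()} returns a {@link java.net.InetSocketAddress},
         * {@code getHostName()} may perform a reverse DNS lookup, so a {@code hosts} mapping
         * is only as trustworthy as the PTR records for the client address (and adds lookup
         * latency to the request path). {@code ips} criteria do not depend on name
         * resolution.
         *
         * @param user                  authenticated user; {@code null} yields an empty set
         * @param transportAddress      remote address of the request, or {@code null} to skip
         *                              host and IP criteria
         * @param rolesMappingResolution resolution mode selecting which sources contribute
         * @return the set of effective role names
         */
        public ImmutableSet<String> evaluate(User user, TransportAddress transportAddress, ConfigConstants.RolesMappingResolution rolesMappingResolution) {
            if (user == null) {
                // No identity, no roles: fail closed.
                return ImmutableSet.empty();
            }

            boolean useBackendRoles = rolesMappingResolution == ConfigConstants.RolesMappingResolution.BOTH
                    || rolesMappingResolution == ConfigConstants.RolesMappingResolution.BACKENDROLES_ONLY;
            boolean useMappings = rolesMappingResolution == ConfigConstants.RolesMappingResolution.BOTH
                    || rolesMappingResolution == ConfigConstants.RolesMappingResolution.MAPPING_ONLY;

            // Raw builder kept as recovered: the declared type of getSearchGuardRoles() is not
            // visible in this file.
            ImmutableSet.Builder roles = new ImmutableSet.Builder(user.getSearchGuardRoles());

            if (useBackendRoles) {
                roles.addAll(user.getRoles());
            }

            if (useMappings) {
                roles.addAll(this.byUsers.get(user.getName()));
                roles.addAll(this.byBackendRoles.get(user.getRoles()));

                if (transportAddress != null) {
                    if (!this.byHostNames.isEmpty()) {
                        // Only resolve the host name when at least one hosts mapping exists.
                        roles.addAll(this.byHostNames.get(transportAddress.address().getHostName()));
                        roles.addAll(this.byHostNames.get(transportAddress.getAddress()));
                    }
                    if (!this.byIps.isEmpty()) {
                        IPAddress clientIp = ipAddressGenerator.from(transportAddress.address().getAddress());
                        for (Map.Entry<IPAddressCollection, ImmutableSet<String>> entry : this.byIps.entrySet()) {
                            IPAddressCollection range = entry.getKey();
                            // A null key stands for an IP expression that failed to compile in
                            // ip(); it grants nothing and must not abort evaluation.
                            if (range != null && range.contains(clientIp)) {
                                roles.addAll(entry.getValue());
                            }
                        }
                    }
                }

                if (!this.byBackendRolesAnded.isEmpty()) {
                    for (ImmutableSet<Pattern> requiredPatterns : this.byBackendRolesAnded.keySet()) {
                        // Every pattern of the set has to match the user's backend roles.
                        if (requiredPatterns.forAllApplies(pattern -> pattern.matches(user.getRoles()))) {
                            roles.addAll(this.byBackendRolesAnded.get(requiredPatterns));
                        }
                    }
                }
            }

            return roles.build();
        }

        /**
         * Compiles a single IP expression from the configuration.
         *
         * <p>The decompiler widened this method from private to public.
         *
         * @param str IP address or range expression
         * @return the compiled collection, or {@code null} if the expression could not be
         *         parsed (the error is logged)
         */
        public static IPAddressCollection ip(String str) {
            try {
                return IPAddressCollection.parse((List<String>) Collections.singletonList(str));
            } catch (Exception e) {
                // Best effort: a broken expression is logged and contributes no roles.
                RoleMapping.log.error("Error while compiling IP address {}", str, e);
                return null;
            }
        }
    }

    /**
     * Parses a role mapping and collects validation errors instead of throwing.
     *
     * <p>A {@code RoleMapping} is constructed even when errors were recorded; both are
     * handed to the returned {@link ValidationResult}, so callers have to inspect the result
     * before using the mapping.
     *
     * @param docNode document node holding the mapping attributes
     * @param context parser context passed to the validating node
     * @return the parsed mapping together with the validation errors found
     */
    public static ValidationResult<RoleMapping> parse(DocNode docNode, Parser.Context context) {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode vNode = new ValidatingDocNode(docNode, validationErrors, context);

        boolean reservedFlag = vNode.get("reserved").withDefault(false).asBoolean();
        boolean hiddenFlag = vNode.get("hidden").withDefault(false).asBoolean();
        Pattern backendRolesPattern = (Pattern) vNode.get("backend_roles").by(Pattern::parse);
        Pattern hostsPattern = (Pattern) vNode.get("hosts").by(Pattern::parse);
        Pattern usersPattern = (Pattern) vNode.get("users").by(Pattern::parse);
        ImmutableSet<Pattern> andedPatterns = vNode.hasNonNull("and_backend_roles")
                ? ImmutableSet.of(vNode.get("and_backend_roles").asList().ofObjectsParsedBy(Pattern::parse))
                : null;
        IPAddressCollection ipCollection = (IPAddressCollection) vNode.get("ips").by(IPAddressCollection::parse);
        String descriptionText = vNode.get("description").asString();

        // Attributes not read above are reported rather than silently ignored.
        vNode.checkForUnusedAttributes();

        // Constructor order is backend roles, users, hosts.
        RoleMapping mapping = new RoleMapping(docNode, reservedFlag, hiddenFlag, backendRolesPattern, usersPattern, hostsPattern,
                ipCollection, andedPatterns, descriptionText);
        return new ValidationResult<>(mapping, validationErrors);
    }

    /**
     * Parses a role mapping and fails if the document is invalid.
     *
     * @param docNode document node holding the mapping attributes
     * @param context configuration context passed to the validating node
     * @throws ConfigValidationException if any validation error was recorded, including
     *                                   attributes that are not read by this class
     */
    public RoleMapping(DocNode docNode, ConfigurationRepository.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode vNode = new ValidatingDocNode(docNode, validationErrors, context);
        this.source = docNode;
        this.reserved = vNode.get("reserved").withDefault(false).asBoolean();
        this.hidden = vNode.get("hidden").withDefault(false).asBoolean();
        this.backendRoles = (Pattern) vNode.get("backend_roles").by(Pattern::parse);
        this.hosts = (Pattern) vNode.get("hosts").by(Pattern::parse);
        this.users = (Pattern) vNode.get("users").by(Pattern::parse);
        this.andBackendRoles = vNode.hasNonNull("and_backend_roles")
                ? ImmutableSet.of(vNode.get("and_backend_roles").asList().ofObjectsParsedBy(Pattern::parse))
                : null;
        this.ips = (IPAddressCollection) vNode.get("ips").by(IPAddressCollection::parse);
        this.description = vNode.get("description").asString();
        vNode.checkForUnusedAttributes();
        validationErrors.throwExceptionForPresentErrors();
    }

    /**
     * Creates a mapping from already parsed values. No validation is performed.
     *
     * <p>Mind the order of the three pattern arguments: backend roles, users, hosts.
     *
     * @param docNode             source document node
     * @param z                   the {@code reserved} flag
     * @param z2                  the {@code hidden} flag
     * @param pattern             backend role patterns
     * @param pattern2            user name patterns
     * @param pattern3            host patterns
     * @param iPAddressCollection IP addresses or ranges
     * @param immutableSet        backend role patterns that must all match; may be {@code null}
     * @param str                 description
     */
    public RoleMapping(DocNode docNode, boolean z, boolean z2, Pattern pattern, Pattern pattern2, Pattern pattern3, IPAddressCollection iPAddressCollection, ImmutableSet<Pattern> immutableSet, String str) {
        this.source = docNode;
        this.reserved = z;
        this.hidden = z2;
        this.backendRoles = pattern;
        this.users = pattern2;
        this.hosts = pattern3;
        this.ips = iPAddressCollection;
        this.andBackendRoles = immutableSet;
        this.description = str;
    }

    /** Returns the {@code reserved} flag of this mapping. */
    @Override // com.floragunn.searchguard.configuration.Hideable
    public boolean isReserved() {
        return this.reserved;
    }

    /** Returns the {@code hidden} flag of this mapping. */
    @Override // com.floragunn.searchguard.configuration.Hideable
    public boolean isHidden() {
        return this.hidden;
    }

    /** Returns the parsed {@code backend_roles} patterns. */
    public Pattern getBackendRoles() {
        return this.backendRoles;
    }

    /** Returns the parsed {@code hosts} patterns. */
    public Pattern getHosts() {
        return this.hosts;
    }

    /** Returns the parsed {@code ips} collection. */
    public IPAddressCollection getIps() {
        return this.ips;
    }

    /** Returns the parsed {@code users} patterns. */
    public Pattern getUsers() {
        return this.users;
    }

    /** Returns the {@code and_backend_roles} patterns, or {@code null} if none were configured. */
    public ImmutableSet<Pattern> getAndBackendRoles() {
        return this.andBackendRoles;
    }

    /** Returns the {@code description} attribute. */
    public String getDescription() {
        return this.description;
    }

    /** Returns the document node this mapping was created from, unchanged. */
    public Object toBasicObject() {
        return this.source;
    }
}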
