package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ListMultimap;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/searchguard/configuration/AdminDNs.class */
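/**
 * Holds the privileged identities configured in the node settings: the admin
 * distinguished names and the two impersonation allow-lists (transport and REST).
 *
 * <p>All three collections are populated in the constructor and are not modified
 * afterwards by this class. Every check here fails closed: a {@code null} or
 * unparseable principal is never treated as an admin and is never allowed to
 * impersonate.
 *
 * <p>Admin matching goes through {@link LdapName#equals(Object)}, not raw string
 * comparison, so it follows the JDK's DN equality rules.
 */
public class AdminDNs {
    /** Settings prefix; the remainder of each key is the DN that may impersonate on the transport layer. */
    private static final String IMPERSONATION_DN_PREFIX = "searchguard.authcz.impersonation_dn.";

    /** Settings prefix; the remainder of each key is the user name that may impersonate over REST. */
    private static final String REST_IMPERSONATION_USER_PREFIX = "searchguard.authcz.rest_impersonation_user.";

    protected final Logger log = LogManager.getLogger(AdminDNs.class);

    // Parsed admin DNs; entries that fail to parse are logged and left out.
    private final Set<LdapName> adminDn = new HashSet<>();

    // Impersonating DN -> patterns of user names it may impersonate (transport layer).
    private final ListMultimap<LdapName, String> allowedImpersonations = ArrayListMultimap.create();

    // Impersonating user name -> patterns of user names it may impersonate (REST layer).
    private final ListMultimap<String, String> allowedRestImpersonations = ArrayListMultimap.create();

    /**
     * Reads the admin DNs and both impersonation allow-lists from the given settings.
     *
     * <p>A DN that cannot be parsed is logged at error level and skipped, so a typo in
     * the configuration removes that entry instead of aborting start-up. Operators
     * should watch for these error lines: a skipped admin DN means that certificate
     * silently loses admin rights.
     *
     * @param settings node settings to read the configuration from
     */
    public AdminDNs(Settings settings) {
        for (String configuredDn : settings.getAsList(ConfigConstants.SEARCHGUARD_AUTHCZ_ADMIN_DN, Collections.emptyList())) {
            try {
                this.adminDn.add(new LdapName(configuredDn));
                // Logged only after a successful parse, so the line is never emitted for a rejected entry.
                this.log.debug("{} is registered as an admin dn", configuredDn);
            } catch (InvalidNameException e) {
                this.log.error("Unable to parse admin dn {}", configuredDn, e);
            }
        }
        this.log.debug("Loaded {} admin DN's {}", this.adminDn.size(), this.adminDn);

        for (String dnKey : settings.getByPrefix(IMPERSONATION_DN_PREFIX).keySet()) {
            try {
                this.allowedImpersonations.putAll(new LdapName(dnKey), settings.getAsList(IMPERSONATION_DN_PREFIX + dnKey));
            } catch (InvalidNameException e) {
                this.log.error("Unable to parse allowedImpersonations dn {}", dnKey, e);
            }
        }
        this.log.debug("Loaded {} impersonation DN's {}", this.allowedImpersonations.size(), this.allowedImpersonations);

        // REST keys are plain user names, so no DN parsing (and no validation) happens here.
        for (String userKey : settings.getByPrefix(REST_IMPERSONATION_USER_PREFIX).keySet()) {
            this.allowedRestImpersonations.putAll(userKey, settings.getAsList(REST_IMPERSONATION_USER_PREFIX + userKey));
        }
        this.log.debug("Loaded {} impersonation users for REST {}", this.allowedRestImpersonations.size(), this.allowedRestImpersonations);
    }

    /**
     * Tells whether the given user's name is one of the configured admin DNs.
     *
     * <p>NOTE(review): the decision is based only on {@code user.getName()}. This class
     * cannot see how the user was authenticated; callers presumably ensure that only a
     * certificate-derived principal can carry a DN-shaped name. Confirm against the
     * authentication path.
     *
     * @param user the user to check; {@code null} is treated as "not an admin"
     * @return {@code true} if the user's name parses to a configured admin DN
     */
    public boolean isAdmin(User user) {
        if (user == null) {
            // Fail closed instead of throwing from inside an authorization decision.
            return false;
        }
        return isAdminDN(user.getName());
    }

    /**
     * Tells whether the given string is a configured admin DN.
     *
     * @param str the principal as a string; may be {@code null}
     * @return {@code false} for {@code null} or for a string that is not a valid DN,
     *     otherwise whether the parsed DN is in the admin set
     */
    public boolean isAdminDN(String str) {
        if (str == null) {
            return false;
        }
        try {
            return isAdminDN(new LdapName(str));
        } catch (InvalidNameException e) {
            // A name that is not a DN cannot be an admin DN.
            return false;
        }
    }

    /**
     * Looks the parsed DN up in the admin set and traces the outcome.
     *
     * @param ldapName the parsed principal; may be {@code null}
     * @return whether the DN is a configured admin DN
     */
    private boolean isAdminDN(LdapName ldapName) {
        if (ldapName == null) {
            return false;
        }
        boolean isAdmin = this.adminDn.contains(ldapName);
        if (this.log.isTraceEnabled()) {
            this.log.trace("Is principal {} an admin cert? {}", ldapName.toString(), isAdmin);
        }
        return isAdmin;
    }

    /**
     * Decides whether a transport-layer principal may act as another user.
     *
     * <p>A configured admin DN may impersonate anyone. Any other DN is limited to the
     * patterns listed for it, evaluated by {@link WildcardMatcher#matchAny}. Broad
     * patterns in the configuration widen this grant accordingly, so they deserve the
     * same review as the admin DN list.
     *
     * @param ldapName the DN of the caller; {@code null} is never allowed
     * @param str the user name the caller wants to impersonate
     * @return whether the impersonation is permitted
     */
    public boolean isTransportImpersonationAllowed(LdapName ldapName, String str) {
        if (ldapName == null) {
            return false;
        }
        if (isAdminDN(ldapName)) {
            return true;
        }
        return WildcardMatcher.matchAny(this.allowedImpersonations.get(ldapName), str);
    }

    /**
     * Decides whether a REST user may act as another user.
     *
     * <p>Unlike the transport check, this method has no admin shortcut: only the
     * patterns configured for the exact originating user name are consulted.
     *
     * @param str the originating user name; {@code null} is never allowed
     * @param str2 the user name the caller wants to impersonate
     * @return whether the impersonation is permitted
     */
    public boolean isRestImpersonationAllowed(String str, String str2) {
        if (str == null) {
            return false;
        }
        return WildcardMatcher.matchAny(this.allowedRestImpersonations.get(str), str2);
    }
}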
