package com.floragunn.searchguard.authz;

import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.config.templates.Template;
import com.floragunn.codova.config.text.Pattern;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.CheckTable;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.config.ActionGroup;
import com.floragunn.searchguard.authz.config.MultiTenancyConfigurationProvider;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.cstate.metrics.Count;
import com.floragunn.searchsupport.cstate.metrics.CountAggregation;
import com.floragunn.searchsupport.cstate.metrics.Measurement;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import com.floragunn.searchsupport.queries.DateMathExpressionResolver;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization.class */
public class RoleBasedActionAuthorization implements ActionAuthorization, ComponentStateProvider {
    // Shared log4j logger; the nested permission tables in this file report role-processing failures through it.
    private static final Logger log = LogManager.getLogger(RoleBasedActionAuthorization.class);
    // Configuration inputs retained by this instance. Where they are assigned is not visible in this part of the file.
    private final SgDynamicConfiguration<Role> roles;
    private final ActionGroup.FlattenedIndex actionGroups;
    private final Actions actions;
    private final TenantManager tenantManager;
    // Lookup tables per scope. For the cluster and index scopes there is a grant table and a separate
    // exclusion (deny) table; ClusterPermissions, ClusterPermissionExclusions and IndexPermissionExclusions
    // are nested classes of this file.
    private final ClusterPermissions cluster;
    private final ClusterPermissionExclusions clusterExclusions;
    private final IndexPermissions index;
    private final IndexPermissionExclusions indexExclusions;
    private final TenantPermissions tenant;
    private final ComponentState componentState;
    // NOTE(review): presumably indices that no role may access regardless of grants - confirm where this field is read.
    private final Pattern universallyDeniedIndices;
    private final MetricsLevel metricsLevel;
    // Metrics handles. The "_ok" / "_insufficient" / "_partially" / "_wellKnown" suffixes suggest sub-counters of the
    // field they prefix - TODO confirm against the constructor, which is outside this excerpt.
    private final Measurement<?> indexActionChecks;
    private final CountAggregation indexActionCheckResults;
    private final CountAggregation indexActionCheckResults_ok;
    private final CountAggregation indexActionCheckResults_insufficient;
    private final CountAggregation indexActionCheckResults_partially;
    private final CountAggregation indexActionTypes;
    private final CountAggregation indexActionTypes_wellKnown;
    private final CountAggregation indexActionTypes_nonWellKnown;
    private final Measurement<?> tenantActionChecks;
    private final CountAggregation tenantActionCheckResults;
    private final CountAggregation tenantActionCheckResults_ok;
    private final CountAggregation tenantActionCheckResults_insufficient;
    private final TimeAggregation statefulIndexRebuild;
    // The only non-final field: it is volatile, so the reference can be replaced after construction and
    // readers on other threads see the most recently written reference.
    // NOTE(review): the type name really is spelled "StatefulIndexPermssions"; it is declared outside this excerpt.
    private volatile StatefulIndexPermssions statefulIndex;
    private final ComponentState statefulIndexState;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$ClusterPermissionExclusions.class */
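    /**
     * Deny table for cluster actions, built once from every role's
     * {@link Role#getExcludeClusterPermissions()} after action groups have been resolved.
     *
     * <p>Constant action names, and well-known cluster actions matched by a pattern, are stored in an
     * action-to-roles map. The patterns themselves are additionally kept per role so that actions which
     * are not well-known can still be matched by name at check time.
     *
     * <p>Security note: a role whose exclusions fail to process is only logged and recorded in
     * {@code initializationErrors}; {@link #contains(Action, Set)} never consults that list. Exclusions of
     * such a role that had not been registered when the failure occurred are therefore not enforced, while
     * the ones registered earlier in the same role stay active (the log text says "Ignoring role", but
     * nothing is rolled back). The component state is set to {@code PARTIALLY_INITIALIZED} with
     * "contains_invalid_roles" in that case; that state is the signal operators should alert on.
     */
    public static class ClusterPermissionExclusions implements ComponentStateProvider {
        // Action -> names of the roles that exclude it (constants and pre-expanded well-known actions).
        private final ImmutableMap<Action, ImmutableSet<String>> actionToRoles;
        // Role name -> join of all non-constant exclusion patterns of that role.
        private final ImmutableMap<String, Pattern> rolesToActionPattern;
        // One entry per role that could not be processed completely.
        private final ImmutableList<PrivilegesEvaluationResult.Error> initializationErrors;
        private final ComponentState componentState = new ComponentState("cluster_permission_exclusions");

        /**
         * Builds the deny table from the given role configuration.
         *
         * @param sgDynamicConfiguration role configuration; its doc version is recorded in the component state
         * @param flattenedIndex         resolves action group names to the permissions they contain
         * @param actions                action registry used to look up constant names and to enumerate cluster actions
         */
        ClusterPermissionExclusions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions) {
            ImmutableMap.Builder<Action, ImmutableSet.Builder<String>> rolesByAction = new ImmutableMap.Builder<Action, ImmutableSet.Builder<String>>()
                    .defaultValue(action -> new ImmutableSet.Builder<String>());
            ImmutableMap.Builder<String, Pattern> patternByRole = new ImmutableMap.Builder<>();
            ImmutableList.Builder<PrivilegesEvaluationResult.Error> errors = new ImmutableList.Builder<>();

            for (Map.Entry<String, Role> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                try {
                    String roleName = entry.getKey();
                    ImmutableSet<String> excluded = flattenedIndex.resolve(entry.getValue().getExcludeClusterPermissions());
                    List<Pattern> patterns = new ArrayList<>();

                    for (String permission : excluded) {
                        if (Pattern.isConstant(permission)) {
                            rolesByAction.get(actions.get(permission)).add(roleName);
                        } else {
                            Pattern pattern = Pattern.create(permission);
                            // Expand the pattern over the known cluster actions now, so that checks for
                            // well-known actions are a plain map lookup later.
                            for (Action matched : actions.clusterActions().matching(wellKnownAction -> pattern.matches(wellKnownAction.name()))) {
                                rolesByAction.get(matched).add(roleName);
                            }
                            patterns.add(pattern);
                        }
                    }
                    if (!patterns.isEmpty()) {
                        patternByRole.put(roleName, Pattern.join(patterns));
                    }
                } catch (ConfigValidationException e) {
                    // The specific handler has to come first; placed after catch (Exception) it can never run.
                    RoleBasedActionAuthorization.log.error("Invalid pattern in role: " + entry + "\nThis should have been caught before. Ignoring role.", e);
                    errors.with(new PrivilegesEvaluationResult.Error("Invalid pattern in role", e, entry.getKey()));
                } catch (Exception e) {
                    // Deliberately broad: one broken role must not prevent the remaining roles from loading.
                    RoleBasedActionAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    errors.with(new PrivilegesEvaluationResult.Error("Unexpected exception while processing role", e, entry.getKey()));
                }
            }

            this.actionToRoles = rolesByAction.build(ImmutableSet.Builder::build);
            this.rolesToActionPattern = patternByRole.build();
            this.initializationErrors = errors.build();
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            if (this.initializationErrors.isEmpty()) {
                this.componentState.setInitialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
                this.componentState.addDetail(this.initializationErrors);
            }
        }

        /**
         * Checks whether any of the given roles excludes the action.
         *
         * @param action the action being authorized
         * @param set    names of the roles to consider
         * @return {@code INSUFFICIENT} with a reason naming the excluding role(s) when an exclusion applies;
         *         {@code PENDING} otherwise, i.e. this table makes no decision
         */
        PrivilegesEvaluationResult contains(Action action, Set<String> set) {
            ImmutableSet<String> excludingRoles = this.actionToRoles.get(action);
            if (excludingRoles != null && excludingRoles.containsAny(set)) {
                return PrivilegesEvaluationResult.INSUFFICIENT.reason("Privilege exclusion in role " + excludingRoles.intersection(set));
            }
            // Well-known actions were pre-expanded in the constructor; only other actions need a pattern match by name.
            if (!(action instanceof Action.WellKnownAction)) {
                for (String roleName : set) {
                    Pattern pattern = this.rolesToActionPattern.get(roleName);
                    if (pattern != null && pattern.matches(action.name())) {
                        return PrivilegesEvaluationResult.INSUFFICIENT.reason("Privilege exclusion in role " + roleName);
                    }
                }
            }
            return PrivilegesEvaluationResult.PENDING;
        }

        /** Returns the component state that records config version and initialization errors of this table. */
        @Override
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }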

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$ClusterPermissions.class */
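    /**
     * Grant table for cluster actions, built once from every role's {@link Role#getClusterPermissions()}
     * minus that role's own {@link Role#getExcludeClusterPermissions()}.
     *
     * <p>Security notes for reviewers:
     * <ul>
     * <li>A role that grants {@code "*"} and has no exclusions of its own is put into
     * {@code rolesWithWildcardPermissions}; {@link #contains(Action, Set)} returns {@code OK} for such a
     * role before any per-action lookup. Exclusions contributed by <em>other</em> roles are not
     * evaluated in this class; the caller has to consult the exclusion table separately (call order
     * is not visible here).</li>
     * <li>A constant permission that {@code RoleBasedActionAuthorization.isActionName} rejects is skipped
     * without recording an error.</li>
     * <li>A role that fails to process is logged and recorded, but grants registered before the failure
     * stay active; the component state becomes {@code PARTIALLY_INITIALIZED}.</li>
     * </ul>
     */
    public static class ClusterPermissions implements ComponentStateProvider {
        // Action -> names of the roles granting it (constants and pre-expanded well-known actions).
        private final ImmutableMap<Action, ImmutableSet<String>> actionToRoles;
        // Roles granting "*" without any exclusion of their own.
        private final ImmutableSet<String> rolesWithWildcardPermissions;
        // Role name -> join of the role's non-constant grant patterns, with the role's exclusions subtracted.
        private final ImmutableMap<String, Pattern> rolesToActionPattern;
        // One entry per role that could not be processed completely; attached to INSUFFICIENT results.
        private final ImmutableList<PrivilegesEvaluationResult.Error> initializationErrors;
        private final ComponentState componentState = new ComponentState("cluster_permissions");
        private final CountAggregation checks;
        private final CountAggregation nonWellKnownChecks;
        private final CountAggregation wildcardChecks;
        private final MetricsLevel metricsLevel;

        /**
         * Builds the grant table from the given role configuration.
         *
         * @param sgDynamicConfiguration role configuration; its doc version is recorded in the component state
         * @param flattenedIndex         resolves action group names to the permissions they contain
         * @param actions                action registry used to look up constant names and to enumerate cluster actions
         * @param metricsLevel           controls which counters are created and published
         */
        ClusterPermissions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, MetricsLevel metricsLevel) {
            ImmutableMap.Builder<Action, ImmutableSet.Builder<String>> rolesByAction = new ImmutableMap.Builder<Action, ImmutableSet.Builder<String>>()
                    .defaultValue(action -> new ImmutableSet.Builder<String>());
            ImmutableSet.Builder<String> wildcardRoles = new ImmutableSet.Builder<>();
            ImmutableMap.Builder<String, Pattern> patternByRole = new ImmutableMap.Builder<>();
            ImmutableList.Builder<PrivilegesEvaluationResult.Error> errors = new ImmutableList.Builder<>();

            for (Map.Entry<String, Role> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                try {
                    String roleName = entry.getKey();
                    Role role = entry.getValue();
                    ImmutableSet<String> granted = flattenedIndex.resolve(role.getClusterPermissions());
                    ImmutableSet<String> excluded = flattenedIndex.resolve(role.getExcludeClusterPermissions());
                    Pattern excludedPattern = Pattern.createWithoutExclusions(excluded);
                    List<Pattern> patterns = new ArrayList<>();

                    if (granted.contains("*") && excluded.isEmpty()) {
                        // Unrestricted role: remembered by name only, no per-action entries are needed.
                        wildcardRoles.add(roleName);
                    } else {
                        for (String permission : granted) {
                            if (Pattern.isConstant(permission)) {
                                // Constants that are excluded, or that are not action names, add no grant.
                                if (!excludedPattern.matches(permission) && RoleBasedActionAuthorization.isActionName(permission)) {
                                    rolesByAction.get(actions.get(permission)).add(roleName);
                                }
                            } else {
                                Pattern pattern = Pattern.create(permission);
                                // Expand over the known cluster actions now, leaving out the excluded ones.
                                for (Action matched : actions.clusterActions().matching(
                                        wellKnownAction -> pattern.matches(wellKnownAction.name()) && !excludedPattern.matches(wellKnownAction.name()))) {
                                    rolesByAction.get(matched).add(roleName);
                                }
                                patterns.add(pattern);
                            }
                        }
                        if (!patterns.isEmpty()) {
                            patternByRole.put(roleName, Pattern.join(patterns).excluding(excludedPattern));
                        }
                    }
                } catch (ConfigValidationException e) {
                    // The specific handler has to come first; placed after catch (Exception) it can never run.
                    RoleBasedActionAuthorization.log.error("Invalid pattern in role: " + entry + "\nThis should have been caught before. Ignoring role.", e);
                    errors.with(new PrivilegesEvaluationResult.Error("Invalid pattern in role", e, entry.getKey()));
                } catch (Exception e) {
                    // Deliberately broad: one broken role must not prevent the remaining roles from loading.
                    RoleBasedActionAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    errors.with(new PrivilegesEvaluationResult.Error("Unexpected exception while processing role", e, entry.getKey()));
                }
            }

            this.actionToRoles = rolesByAction.build(ImmutableSet.Builder::build);
            this.rolesWithWildcardPermissions = wildcardRoles.build();
            this.rolesToActionPattern = patternByRole.build();
            this.initializationErrors = errors.build();
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            this.checks = CountAggregation.basic(metricsLevel);
            this.nonWellKnownChecks = this.checks.getSubCount("non_well_known_actions");
            this.wildcardChecks = this.checks.getSubCount("wildcard");
            this.metricsLevel = metricsLevel;
            if (metricsLevel.basicEnabled()) {
                this.componentState.addMetrics("checks", this.checks);
                this.componentState.addMetrics("action_to_roles_map", new Count(rolesByAction.size()));
                this.componentState.addMetrics("roles_to_action_pattern_map", new Count(patternByRole.size()));
            }
            if (this.initializationErrors.isEmpty()) {
                this.componentState.setInitialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
                // NOTE(review): the builder is passed here, whereas ClusterPermissionExclusions passes the built list.
                // Kept as found; confirm which form addDetail is meant to receive.
                this.componentState.addDetail(errors);
            }
        }

        /**
         * Checks whether any of the given roles grants the action.
         *
         * @param action the action being authorized
         * @param set    names of the roles to consider
         * @return {@code OK} when a wildcard role, a direct action entry or (for actions that are not
         *         well-known) a role pattern grants the action; otherwise {@code INSUFFICIENT} carrying the
         *         initialization errors and the missing action
         */
        PrivilegesEvaluationResult contains(Action action, Set<String> set) {
            this.checks.increment();
            if (this.rolesWithWildcardPermissions.containsAny(set)) {
                this.wildcardChecks.increment();
                return PrivilegesEvaluationResult.OK;
            }
            ImmutableSet<String> grantingRoles = this.actionToRoles.get(action);
            if (grantingRoles != null && grantingRoles.containsAny(set)) {
                return PrivilegesEvaluationResult.OK;
            }
            // Well-known actions were pre-expanded in the constructor; only other actions need a pattern match by name.
            if (!(action instanceof Action.WellKnownAction)) {
                // try-with-resources closes the meter on every exit path, including the early return.
                try (Meter nonWellKnownMeter = Meter.basic(MetricsLevel.BASIC, this.nonWellKnownChecks)) {
                    if (this.metricsLevel.detailedEnabled()) {
                        nonWellKnownMeter.count(action.name());
                    }
                    for (String roleName : set) {
                        Pattern pattern = this.rolesToActionPattern.get(roleName);
                        if (pattern != null && pattern.matches(action.name())) {
                            return PrivilegesEvaluationResult.OK;
                        }
                    }
                }
            }
            return PrivilegesEvaluationResult.INSUFFICIENT.with(this.initializationErrors).missingPrivileges(action);
        }

        /** Returns the component state that records config version, metrics and initialization errors of this table. */
        @Override
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }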

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$IndexPattern.class */
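    /**
     * Index matcher made of three parts: a constant {@link Pattern}, index pattern templates and
     * date-math expressions. Templates and date-math expressions are evaluated at check time and each
     * carries its own exclusion pattern, which is applied after a positive match.
     *
     * <p>Security notes for reviewers: evaluation failures are propagated as
     * {@link PrivilegesEvaluationException} instead of being treated as "no match", so the caller decides
     * how a broken pattern affects the decision. Date-math expressions that contain placeholders are
     * rendered against the {@link User}; how substituted values are escaped is not visible here, so
     * confirm that user-controlled attribute values cannot widen the resulting pattern.
     */
    public static class IndexPattern {
        private final Pattern pattern;
        private final ImmutableList<Role.IndexPatterns.IndexPatternTemplate> patternTemplates;
        private final ImmutableList<Role.IndexPatterns.DateMathExpression> dateMathExpressions;

        /** Accumulates the parts of several {@link Role.IndexPatterns} into one {@link IndexPattern}. */
        public static class Builder {
            private final List<Pattern> constantPatterns = new ArrayList<>();
            private final List<Role.IndexPatterns.IndexPatternTemplate> patternTemplates = new ArrayList<>();
            private final List<Role.IndexPatterns.DateMathExpression> dateMathExpressions = new ArrayList<>();

            Builder() {
            }

            /** Adds the constant pattern, the templates and the date-math expressions of {@code indexPatterns}. */
            void add(Role.IndexPatterns indexPatterns) {
                this.constantPatterns.add(indexPatterns.getPattern());
                this.patternTemplates.addAll(indexPatterns.getPatternTemplates());
                this.dateMathExpressions.addAll(indexPatterns.getDateMathExpressions());
            }

            /** Joins the collected constant patterns and snapshots the two lists. */
            IndexPattern build() {
                return new IndexPattern(Pattern.join(this.constantPatterns), ImmutableList.of(this.patternTemplates), ImmutableList.of(this.dateMathExpressions));
            }
        }

        IndexPattern(Pattern pattern, ImmutableList<Role.IndexPatterns.IndexPatternTemplate> immutableList, ImmutableList<Role.IndexPatterns.DateMathExpression> immutableList2) {
            this.pattern = pattern;
            this.patternTemplates = immutableList;
            this.dateMathExpressions = immutableList2;
        }

        /**
         * Tests whether {@code str} is matched by the constant pattern, by any rendered template or by any
         * resolved date-math expression, in that order.
         *
         * @param str                        the name to test (used as an index name by the callers in this file)
         * @param user                       user whose attributes are used to render placeholders in date-math expressions
         * @param privilegesEvaluationContext supplies the rendered form of index pattern templates
         * @param meter                      parent meter; sub-meters are opened for template and date-math rendering
         * @return {@code true} on the first match that is not cancelled by the matching part's exclusions
         * @throws PrivilegesEvaluationException if a template or a date-math expression cannot be evaluated
         */
        public boolean matches(String str, User user, PrivilegesEvaluationContext privilegesEvaluationContext, Meter meter) throws PrivilegesEvaluationException {
            if (this.pattern.matches(str)) {
                return true;
            }

            for (Role.IndexPatterns.IndexPatternTemplate indexPatternTemplate : this.patternTemplates) {
                // try-with-resources: the sub-meter is also closed when rendering throws.
                try (Meter templateMeter = meter.basic("render_index_pattern_template")) {
                    Pattern rendered = privilegesEvaluationContext.getRenderedPattern(indexPatternTemplate.getTemplate());
                    if (rendered.matches(str) && !indexPatternTemplate.getExclusions().matches(str)) {
                        return true;
                    }
                } catch (ExpressionEvaluationException e) {
                    throw new PrivilegesEvaluationException("Error while evaluating dynamic index pattern: " + indexPatternTemplate, e);
                }
            }

            if (this.dateMathExpressions.isEmpty()) {
                return false;
            }

            try (Meter dateMathMeter = meter.basic("render_date_math_expression")) {
                for (Role.IndexPatterns.DateMathExpression dateMathExpression : this.dateMathExpressions) {
                    try {
                        // Resolved and compiled on every call; nothing is cached at this level.
                        String resolved = DateMathExpressionResolver.resolveExpression(dateMathExpression.getDateMathExpression());
                        Pattern candidate;
                        if (Template.containsPlaceholders(resolved)) {
                            candidate = new Template<Pattern>(resolved, Pattern::create).render(user);
                        } else {
                            candidate = Pattern.create(resolved);
                        }
                        if (candidate.matches(str) && !dateMathExpression.getExclusions().matches(str)) {
                            return true;
                        }
                    } catch (Exception e) {
                        throw new PrivilegesEvaluationException("Error while evaluating date math expression: " + dateMathExpression, e);
                    }
                }
            }
            return false;
        }

        /**
         * Renders the constant pattern and/or the templates; {@code "-/-"} when both are {@code null}.
         * Date-math expressions are not part of the output.
         */
        @Override
        public String toString() {
            boolean hasTemplates = this.patternTemplates != null && this.patternTemplates.size() != 0;
            if (this.pattern != null && hasTemplates) {
                return this.pattern + " " + this.patternTemplates;
            }
            if (this.pattern != null) {
                return this.pattern.toString();
            }
            if (this.patternTemplates != null) {
                return this.patternTemplates.toString();
            }
            return "-/-";
        }
    }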

    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$IndexPermissionExclusions.class */
    static class IndexPermissionExclusions implements ComponentStateProvider {
        private final ImmutableMap<String, ImmutableMap<Action, IndexPattern>> rolesToActionToIndexPattern;
        private final ImmutableMap<String, ImmutableMap<Pattern, IndexPattern>> rolesToActionPatternToIndexPattern;
        private final ImmutableMap<String, ImmutableList<Exception>> rolesToInitializationErrors;
        private final ComponentState componentState = new ComponentState("index_permission_exclusions");

        IndexPermissionExclusions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions) {
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder().defaultValue(action -> {
                    return new IndexPattern.Builder();
                });
            });
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str2 -> {
                return new ImmutableMap.Builder().defaultValue(pattern -> {
                    return new IndexPattern.Builder();
                });
            });
            ImmutableMap.Builder defaultValue3 = new ImmutableMap.Builder().defaultValue(str3 -> {
                return new ImmutableList.Builder();
            });
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                try {
                    String str4 = (String) entry.getKey();
                    UnmodifiableIterator it2 = ((Role) entry.getValue()).getExcludeIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.ExcludeIndex excludeIndex = (Role.ExcludeIndex) it2.next();
                        UnmodifiableIterator it3 = flattenedIndex.resolve(excludeIndex.getActions()).iterator();
                        while (it3.hasNext()) {
                            String str5 = (String) it3.next();
                            if (Pattern.isConstant(str5)) {
                                ((IndexPattern.Builder) ((ImmutableMap.Builder) defaultValue.get(str4)).get(actions.get(str5))).add(excludeIndex.getIndexPatterns());
                            } else {
                                Pattern create = Pattern.create(str5);
                                UnmodifiableIterator it4 = actions.indexActions().matching(wellKnownAction -> {
                                    return create.matches(wellKnownAction.name());
                                }).iterator();
                                while (it4.hasNext()) {
                                    ((IndexPattern.Builder) ((ImmutableMap.Builder) defaultValue.get(str4)).get((Action.WellKnownAction) it4.next())).add(excludeIndex.getIndexPatterns());
                                }
                                ((IndexPattern.Builder) ((ImmutableMap.Builder) defaultValue2.get(str4)).get(create)).add(excludeIndex.getIndexPatterns());
                            }
                        }
                    }
                } catch (Exception e) {
                    RoleBasedActionAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    ((ImmutableList.Builder) defaultValue3.get((String) entry.getKey())).with(e);
                } catch (ConfigValidationException e2) {
                    RoleBasedActionAuthorization.log.error("Invalid configuration in role: " + entry + "\nThis should have been caught before. Ignoring role.", e2);
                    ((ImmutableList.Builder) defaultValue3.get((String) entry.getKey())).with(e2);
                }
            }
            this.rolesToActionToIndexPattern = defaultValue.build(builder -> {
                return builder.build((v0) -> {
                    return v0.build();
                });
            });
            this.rolesToActionPatternToIndexPattern = defaultValue2.build(builder2 -> {
                return builder2.build((v0) -> {
                    return v0.build();
                });
            });
            this.rolesToInitializationErrors = defaultValue3.build((v0) -> {
                return v0.build();
            });
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            if (this.rolesToInitializationErrors.isEmpty()) {
                this.componentState.setInitialized();
                return;
            }
            this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
            this.componentState.setMessage("Roles with initialization errors: " + this.rolesToInitializationErrors.keySet());
            this.componentState.addDetail(defaultValue3);
        }

        boolean contains(ImmutableSet<String> immutableSet, ImmutableSet<Action> immutableSet2) {
            ImmutableMap immutableMap;
            boolean forAllApplies = immutableSet2.forAllApplies(action -> {
                return action instanceof Action.WellKnownAction;
            });
            UnmodifiableIterator it = immutableSet.iterator();
            while (it.hasNext()) {
                String str = (String) it.next();
                ImmutableMap immutableMap2 = (ImmutableMap) this.rolesToActionToIndexPattern.get(str);
                if (immutableMap2 != null && immutableMap2.containsAny(immutableSet2)) {
                    return true;
                }
                if (!forAllApplies && (immutableMap = (ImmutableMap) this.rolesToActionPatternToIndexPattern.get(str)) != null) {
                    UnmodifiableIterator it2 = immutableMap.keySet().iterator();
                    while (it2.hasNext()) {
                        Pattern pattern = (Pattern) it2.next();
                        if (immutableSet2.forAnyApplies(action2 -> {
                            return pattern.test(action2.name());
                        })) {
                            return true;
                        }
                    }
                }
            }
            return false;
        }

        void uncheckExclusions(CheckTable<String, Action> checkTable, User user, ImmutableSet<String> immutableSet, ImmutableSet<Action> immutableSet2, ActionRequestIntrospector.ResolvedIndices resolvedIndices, PrivilegesEvaluationContext privilegesEvaluationContext, Meter meter) throws PrivilegesEvaluationException {
            Meter basic = meter.basic("well_known_actions_uncheck_exclusions");
            try {
                UnmodifiableIterator it = immutableSet.iterator();
                loop0: while (it.hasNext()) {
                    ImmutableMap immutableMap = (ImmutableMap) this.rolesToActionToIndexPattern.get((String) it.next());
                    if (immutableMap != null) {
                        UnmodifiableIterator it2 = immutableSet2.iterator();
                        while (it2.hasNext()) {
                            Action action = (Action) it2.next();
                            IndexPattern indexPattern = (IndexPattern) immutableMap.get(action);
                            if (indexPattern != null) {
                                for (String str : checkTable.iterateCheckedRows(action)) {
                                    if (indexPattern.matches(str, user, privilegesEvaluationContext, basic)) {
                                        checkTable.uncheck(str, action);
                                    }
                                }
                                if (checkTable.isBlank()) {
                                    break loop0;
                                }
                            }
                        }
                    }
                }
                if (basic != null) {
                    basic.close();
                }
                boolean forAllApplies = immutableSet2.forAllApplies(action2 -> {
                    return action2 instanceof Action.WellKnownAction;
                });
                if (checkTable.isBlank() || forAllApplies) {
                    return;
                }
                basic = meter.basic("non_well_known_actions_uncheck_exclusions");
                try {
                    UnmodifiableIterator it3 = immutableSet.iterator();
                    loop3: while (it3.hasNext()) {
                        ImmutableMap immutableMap2 = (ImmutableMap) this.rolesToActionPatternToIndexPattern.get((String) it3.next());
                        if (immutableMap2 != null) {
                            UnmodifiableIterator it4 = immutableSet2.iterator();
                            while (it4.hasNext()) {
                                Action action3 = (Action) it4.next();
                                if (!(action3 instanceof Action.WellKnownAction)) {
                                    UnmodifiableIterator it5 = immutableMap2.entrySet().iterator();
                                    while (it5.hasNext()) {
                                        Map.Entry entry = (Map.Entry) it5.next();
                                        Pattern pattern = (Pattern) entry.getKey();
                                        IndexPattern indexPattern2 = (IndexPattern) entry.getValue();
                                        if (pattern.matches(action3.name())) {
                                            for (String str2 : checkTable.iterateCheckedRows(action3)) {
                                                if (indexPattern2.matches(str2, user, privilegesEvaluationContext, basic)) {
                                                    checkTable.uncheck(str2, action3);
                                                }
                                            }
                                            if (checkTable.isBlank()) {
                                                break loop3;
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    if (basic != null) {
                        basic.close();
                    }
                } finally {
                }
            } finally {
            }
        }

        /**
         * Exposes the component state tracked by this permissions holder.
         *
         * @return the {@link ComponentState} instance held in the {@code componentState} field
         */
        public ComponentState getComponentState() {
            final ComponentState state = this.componentState;
            return state;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$IndexPermissions.class */
    /**
     * Precomputed lookup tables for the index privileges granted by roles.
     *
     * <p>The constructor walks every role of the supplied configuration once and fills three tables:
     * role to action to index pattern, role to action pattern to index pattern, and action to the
     * roles that hold it on a wildcard index pattern. A role whose processing throws is logged and
     * recorded in {@code initializationErrors}; the component state is then reported as
     * {@code PARTIALLY_INITIALIZED} with the reason {@code contains_invalid_roles}.
     */
    static class IndexPermissions implements ComponentStateProvider {
        // role name -> action -> index patterns on which the role grants that action
        private final ImmutableMap<String, ImmutableMap<Action, IndexPattern>> rolesToActionToIndexPattern;
        // role name -> non-constant action pattern -> index patterns on which the role grants matching actions
        private final ImmutableMap<String, ImmutableMap<Pattern, IndexPattern>> rolesToActionPatternToIndexPattern;
        // action -> roles that grant it through an index pattern for which isWildcard() is true
        private final ImmutableMap<Action, ImmutableSet<String>> actionToRolesWithWildcardIndexPrivileges;
        // one entry per role that failed while the tables were built
        private final ImmutableList<PrivilegesEvaluationResult.Error> initializationErrors;
        private final ComponentState componentState = new ComponentState("index_permissions");

        /**
         * Builds the lookup tables from the role configuration.
         *
         * @param sgDynamicConfiguration role configuration; its entries are iterated as role name to {@link Role}
         * @param flattenedIndex used to resolve each permission's allowed actions into action names or patterns
         * @param actions registry used to look up actions by name and to enumerate the index actions
         */
        IndexPermissions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions) {
            // Builder for rolesToActionToIndexPattern; missing keys are created on first access.
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder().defaultValue(action -> {
                    return new IndexPattern.Builder();
                });
            });
            // Builder for rolesToActionPatternToIndexPattern.
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str2 -> {
                return new ImmutableMap.Builder().defaultValue(pattern -> {
                    return new IndexPattern.Builder();
                });
            });
            // Builder for actionToRolesWithWildcardIndexPrivileges.
            ImmutableMap.Builder defaultValue3 = new ImmutableMap.Builder().defaultValue(action -> {
                return new ImmutableSet.Builder();
            });
            // Collects the per-role initialization errors.
            ImmutableList.Builder builder = new ImmutableList.Builder();
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                // One try block per role: a failure aborts the rest of that role only. Entries already
                // added to the builders for the role are not rolled back, so a failing role can be left
                // with a partial set of grants.
                try {
                    String str3 = (String) entry.getKey();
                    UnmodifiableIterator it2 = ((Role) entry.getValue()).getIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.Index index = (Role.Index) it2.next();
                        UnmodifiableIterator it3 = flattenedIndex.resolve(index.getAllowedActions()).iterator();
                        while (it3.hasNext()) {
                            String str4 = (String) it3.next();
                            if (Pattern.isConstant(str4)) {
                                // Constant action name: register the index patterns under the exact action.
                                ((IndexPattern.Builder) ((ImmutableMap.Builder) defaultValue.get(str3)).get(actions.get(str4))).add(index.getIndexPatterns());
                                if (index.getIndexPatterns().getPattern().isWildcard()) {
                                    ((ImmutableSet.Builder) defaultValue3.get(actions.get(str4))).add(str3);
                                }
                            } else {
                                // Action pattern: expand it against the known index actions now ...
                                Pattern create = Pattern.create(str4);
                                UnmodifiableIterator it4 = actions.indexActions().matching(wellKnownAction -> {
                                    return create.matches(wellKnownAction.name());
                                }).iterator();
                                while (it4.hasNext()) {
                                    Action.WellKnownAction wellKnownAction2 = (Action.WellKnownAction) it4.next();
                                    ((IndexPattern.Builder) ((ImmutableMap.Builder) defaultValue.get(str3)).get(wellKnownAction2)).add(index.getIndexPatterns());
                                    if (index.getIndexPatterns().getPattern().isWildcard()) {
                                        ((ImmutableSet.Builder) defaultValue3.get(wellKnownAction2)).add(str3);
                                    }
                                }
                                // ... and also keep the pattern itself; presumably for matching actions that are
                                // not part of indexActions() at evaluation time (the consumer is outside this class).
                                ((IndexPattern.Builder) ((ImmutableMap.Builder) defaultValue2.get(str3)).get(create)).add(index.getIndexPatterns());
                            }
                        }
                    }
                // NOTE(review): as printed, catch (Exception) precedes catch (ConfigValidationException). If
                // ConfigValidationException is an Exception subclass the second handler is unreachable; this
                // looks like a decompiler ordering artifact - confirm the handler order against the original source.
                } catch (Exception e) {
                    RoleBasedActionAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    builder.with(new PrivilegesEvaluationResult.Error("Unexpected exception while processing role", e, (String) entry.getKey()));
                } catch (ConfigValidationException e2) {
                    RoleBasedActionAuthorization.log.error("Invalid configuration in role: " + entry + "\nThis should have been caught before. Ignoring role.", e2);
                    builder.with(new PrivilegesEvaluationResult.Error("Invalid pattern in role", e2, (String) entry.getKey()));
                }
            }
            // Freeze the nested builders into the immutable lookup tables.
            this.rolesToActionToIndexPattern = defaultValue.build(builder2 -> {
                return builder2.build((v0) -> {
                    return v0.build();
                });
            });
            this.rolesToActionPatternToIndexPattern = defaultValue2.build(builder3 -> {
                return builder3.build((v0) -> {
                    return v0.build();
                });
            });
            this.actionToRolesWithWildcardIndexPrivileges = defaultValue3.build((v0) -> {
                return v0.build();
            });
            this.initializationErrors = builder.build();
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            // Any failed role downgrades the reported state, so the problem is visible outside the log.
            if (this.initializationErrors.isEmpty()) {
                this.componentState.setInitialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
                this.componentState.addDetail(builder);
            }
        }

        /** Returns the component state of this table ("index_permissions"). */
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$StatefulIndexPermssions.class */
    /**
     * Index-name-keyed lookup tables for index privileges, built against a concrete set of index names.
     *
     * <p>Constant index patterns of grants and exclusions are expanded against the index names given to
     * the constructor, so that {@link #hasPermission} can answer requests for well-known actions with map
     * lookups. {@code hasPermission} returns {@code null} whenever it cannot confirm the request from
     * these tables alone.
     */
    public static class StatefulIndexPermssions implements ComponentStateProvider {
        // well-known action -> index name -> roles granting the action on that index
        private final ImmutableMap<Action.WellKnownAction<?, ?, ?>, ImmutableMap<String, ImmutableSet<String>>> actionToIndexToRoles;
        // well-known action -> index name -> roles excluding the action on that index
        private final ImmutableMap<Action.WellKnownAction<?, ?, ?>, ImmutableMap<String, ImmutableSet<String>>> excludedActionToIndexToRoles;
        // roles with a non-wildcard exclusion that uses pattern templates or date math expressions
        private final ImmutableSet<String> rolesWithTemplatedExclusions;
        // the index names the tables were built against
        private final ImmutableSet<String> indices;
        // role name -> exceptions thrown while the role was processed
        private final ImmutableMap<String, ImmutableList<Exception>> rolesToInitializationErrors;
        private final ComponentState componentState;
        // indices matching this pattern are always treated as excluded by isExcluded()
        private final Pattern universallyDeniedIndices;

        /**
         * Builds the tables from the role configuration and the given index names.
         *
         * @param sgDynamicConfiguration role configuration; its entries are iterated as role name to {@link Role}
         * @param flattenedIndex used to resolve allowed/excluded actions into action names or patterns
         * @param actions registry used to look up actions by name and to enumerate the index actions
         * @param set index names against which the constant index patterns are expanded
         * @param pattern universally denied indices; dereferenced without a null check in {@code isExcluded}
         * @param componentState state object to update; supplied by the caller
         */
        StatefulIndexPermssions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, Set<String> set, Pattern pattern, ComponentState componentState) {
            // Builder for actionToIndexToRoles (grants).
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(wellKnownAction -> {
                return new ImmutableMap.Builder().defaultValue(str -> {
                    return new ImmutableSet.Builder();
                });
            });
            // Builder for excludedActionToIndexToRoles (exclusions).
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(wellKnownAction2 -> {
                return new ImmutableMap.Builder().defaultValue(str -> {
                    return new ImmutableSet.Builder();
                });
            });
            // Builder for rolesWithTemplatedExclusions.
            ImmutableSet.Builder builder = new ImmutableSet.Builder();
            // Builder for rolesToInitializationErrors.
            ImmutableMap.Builder defaultValue3 = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableList.Builder();
            });
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                // One try block per role. Exclusions are processed before grants, so an exception in the
                // exclusion loop leaves the role without any grants in this table, but possibly with an
                // incomplete set of exclusions.
                try {
                    String str2 = (String) entry.getKey();
                    Role role = (Role) entry.getValue();
                    UnmodifiableIterator it2 = role.getExcludeIndexPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.ExcludeIndex excludeIndex = (Role.ExcludeIndex) it2.next();
                        ImmutableSet<String> resolve = flattenedIndex.resolve(excludeIndex.getActions());
                        // NOTE(review): exclusions whose index pattern is a wildcard are not recorded here.
                        // Presumably they are enforced through IndexPermissionExclusions by the caller - confirm,
                        // because isExcluded() consults only this table and universallyDeniedIndices.
                        if (!excludeIndex.getIndexPatterns().getPattern().isWildcard()) {
                            if (excludeIndex.getIndexPatterns().getPatternTemplates().isEmpty() && excludeIndex.getIndexPatterns().getDateMathExpressions().isEmpty()) {
                                UnmodifiableIterator it3 = resolve.iterator();
                                while (it3.hasNext()) {
                                    String str3 = (String) it3.next();
                                    Pattern pattern2 = excludeIndex.getIndexPatterns().getPattern();
                                    if (Pattern.isConstant(str3)) {
                                        Action action = actions.get(str3);
                                        // Only well-known actions are recorded; other constant action names are skipped.
                                        if (action instanceof Action.WellKnownAction) {
                                            Iterator it4 = pattern2.iterateMatching(set).iterator();
                                            while (it4.hasNext()) {
                                                ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue2.get((Action.WellKnownAction) action)).get((String) it4.next())).add(str2);
                                            }
                                        }
                                    } else {
                                        // Action pattern: expand against the known index actions, then against the index names.
                                        Pattern create = Pattern.create(str3);
                                        ImmutableSet matching = actions.indexActions().matching(wellKnownAction3 -> {
                                            return create.matches(wellKnownAction3.name());
                                        });
                                        for (String str4 : pattern2.iterateMatching(set)) {
                                            UnmodifiableIterator it5 = matching.iterator();
                                            while (it5.hasNext()) {
                                                ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue2.get((Action.WellKnownAction) it5.next())).get(str4)).add(str2);
                                            }
                                        }
                                    }
                                }
                            } else {
                                // Templated or date-math exclusions cannot be expanded ahead of time; the role is
                                // flagged so that hasPermission() declines to answer for users holding it.
                                builder.add(str2);
                            }
                        }
                    }
                    UnmodifiableIterator it6 = role.getIndexPermissions().iterator();
                    while (it6.hasNext()) {
                        Role.Index index = (Role.Index) it6.next();
                        ImmutableSet<String> resolve2 = flattenedIndex.resolve(index.getAllowedActions());
                        Pattern pattern3 = index.getIndexPatterns().getPattern();
                        // Grants with a wildcard or blank pattern are not expanded into this table.
                        if (!pattern3.isWildcard() && !pattern3.isBlank()) {
                            UnmodifiableIterator it7 = resolve2.iterator();
                            while (it7.hasNext()) {
                                String str5 = (String) it7.next();
                                if (Pattern.isConstant(str5)) {
                                    Action action2 = actions.get(str5);
                                    if (action2 instanceof Action.WellKnownAction) {
                                        Iterator it8 = pattern3.iterateMatching(set).iterator();
                                        while (it8.hasNext()) {
                                            ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue.get((Action.WellKnownAction) action2)).get((String) it8.next())).add(str2);
                                        }
                                    }
                                } else {
                                    Pattern create2 = Pattern.create(str5);
                                    ImmutableSet matching2 = actions.indexActions().matching(wellKnownAction4 -> {
                                        return create2.matches(wellKnownAction4.name());
                                    });
                                    for (String str6 : pattern3.iterateMatching(set)) {
                                        UnmodifiableIterator it9 = matching2.iterator();
                                        while (it9.hasNext()) {
                                            ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue.get((Action.WellKnownAction) it9.next())).get(str6)).add(str2);
                                        }
                                    }
                                }
                            }
                        }
                    }
                // NOTE(review): as printed, catch (Exception) precedes catch (ConfigValidationException). If
                // ConfigValidationException is an Exception subclass the second handler is unreachable; this
                // looks like a decompiler ordering artifact - confirm the handler order against the original source.
                } catch (Exception e) {
                    RoleBasedActionAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    ((ImmutableList.Builder) defaultValue3.get((String) entry.getKey())).with(e);
                } catch (ConfigValidationException e2) {
                    RoleBasedActionAuthorization.log.error("Invalid pattern in role: " + entry + "\nThis should have been caught before. Ignoring role.", e2);
                    ((ImmutableList.Builder) defaultValue3.get((String) entry.getKey())).with(e2);
                }
            }
            // Freeze the nested builders into the immutable lookup tables.
            this.actionToIndexToRoles = defaultValue.build(builder2 -> {
                return builder2.build((v0) -> {
                    return v0.build();
                });
            });
            this.excludedActionToIndexToRoles = defaultValue2.build(builder3 -> {
                return builder3.build((v0) -> {
                    return v0.build();
                });
            });
            this.rolesWithTemplatedExclusions = builder.build();
            this.indices = ImmutableSet.of(set);
            this.universallyDeniedIndices = pattern;
            this.rolesToInitializationErrors = defaultValue3.build((v0) -> {
                return v0.build();
            });
            this.componentState = componentState;
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            // Any failed role downgrades the reported state and names the affected roles in the message.
            if (this.rolesToInitializationErrors.isEmpty()) {
                this.componentState.setInitialized();
                this.componentState.setMessage("Initialized with " + this.indices.size() + " indices");
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
                this.componentState.setMessage("Roles with initialization errors: " + this.rolesToInitializationErrors.keySet());
                this.componentState.addDetail(defaultValue3);
            }
        }

        /**
         * Tries to confirm the requested actions on the resolved local indices from the precomputed tables.
         *
         * <p>NOTE(review): {@code rolesToInitializationErrors} is not consulted here. A role whose exclusion
         * processing failed in the constructor may have incomplete exclusions in
         * {@code excludedActionToIndexToRoles}; confirm that this cannot let a grant from another role pass
         * for a user who also holds the failed role.
         *
         * @param user passed through to {@code isExcluded}
         * @param immutableSet the user's mapped roles
         * @param immutableSet2 the requested actions
         * @param resolvedIndices the request's resolved indices; only {@code getLocalIndices()} is read
         * @param privilegesEvaluationContext passed through to {@code isExcluded}
         * @param checkTable table of index/action pairs; matching pairs are marked via {@code check}
         * @return {@link PrivilegesEvaluationResult#OK} when the check table is complete after the lookup;
         *         {@code null} when an action is not a well-known action, when the user holds a role with
         *         templated exclusions, or when the table is still incomplete
         */
        PrivilegesEvaluationResult hasPermission(User user, ImmutableSet<String> immutableSet, ImmutableSet<Action> immutableSet2, ActionRequestIntrospector.ResolvedIndices resolvedIndices, PrivilegesEvaluationContext privilegesEvaluationContext, CheckTable<String, Action> checkTable) throws PrivilegesEvaluationException {
            // Decline to answer for anything the tables do not cover.
            if (!immutableSet2.forAllApplies(action -> {
                return action instanceof Action.WellKnownAction;
            }) || this.rolesWithTemplatedExclusions.containsAny(immutableSet)) {
                return null;
            }
            UnmodifiableIterator it = immutableSet2.iterator();
            loop0: while (it.hasNext()) {
                Action action2 = (Action) it.next();
                ImmutableMap immutableMap = (ImmutableMap) this.actionToIndexToRoles.get(action2);
                if (immutableMap != null) {
                    UnmodifiableIterator it2 = resolvedIndices.getLocalIndices().iterator();
                    while (it2.hasNext()) {
                        String str = (String) it2.next();
                        ImmutableSet immutableSet3 = (ImmutableSet) immutableMap.get(str);
                        // A pair is checked only if one of the user's roles grants it and no exclusion applies.
                        // The loop stops as soon as check() returns true - presumably meaning the table is
                        // complete; confirm against CheckTable.
                        if (immutableSet3 != null && immutableSet3.containsAny(immutableSet) && !isExcluded(action2, str, user, immutableSet, privilegesEvaluationContext) && checkTable.check(str, action2)) {
                            break loop0;
                        }
                    }
                }
            }
            if (checkTable.isComplete()) {
                return PrivilegesEvaluationResult.OK;
            }
            return null;
        }

        /**
         * Tells whether the given action on the given index is excluded for the given roles.
         *
         * <p>The {@code user} and {@code privilegesEvaluationContext} parameters are not read by this method.
         *
         * @param action the action being checked
         * @param str the index name being checked
         * @param immutableSet the user's mapped roles
         * @return {@code true} if the index matches {@code universallyDeniedIndices}, or if one of the roles
         *         is recorded as excluding the action on that index; {@code false} otherwise
         */
        private boolean isExcluded(Action action, String str, User user, ImmutableSet<String> immutableSet, PrivilegesEvaluationContext privilegesEvaluationContext) {
            ImmutableSet immutableSet2;
            // Universally denied indices take precedence over everything recorded per role.
            if (this.universallyDeniedIndices.matches(str)) {
                return true;
            }
            ImmutableMap immutableMap = (ImmutableMap) this.excludedActionToIndexToRoles.get(action);
            if (immutableMap == null || (immutableSet2 = (ImmutableSet) immutableMap.get(str)) == null) {
                return false;
            }
            return immutableSet2.containsAny(immutableSet);
        }

        /** Returns the component state object that was supplied to the constructor. */
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/authz/RoleBasedActionAuthorization$TenantPermissions.class */
    /**
     * Precomputed lookup tables for the tenant privileges granted by roles.
     *
     * <p>Constant tenant patterns are expanded against the tenant names given to the constructor;
     * non-constant tenant pattern templates are kept per role and action. A role whose processing throws
     * is logged and recorded in {@code initializationErrors}; the component state is then reported as
     * {@code PARTIALLY_INITIALIZED} with the reason {@code contains_invalid_roles}.
     */
    public static class TenantPermissions implements ComponentStateProvider {
        // action -> tenant name -> roles granting the action on that tenant (from constant tenant patterns)
        private final ImmutableMap<Action, ImmutableMap<String, ImmutableSet<String>>> actionToTenantToRoles;
        // role name -> action -> non-constant tenant pattern templates
        private final ImmutableMap<String, ImmutableMap<Action, ImmutableSet<Template<Pattern>>>> roleToActionToTenantPattern;
        // one entry per role that failed while the tables were built
        private final ImmutableList<PrivilegesEvaluationResult.Error> initializationErrors;
        private final ComponentState componentState;

        /**
         * Builds the lookup tables from the role configuration.
         *
         * @param sgDynamicConfiguration role configuration; its entries are iterated as role name to {@link Role}
         * @param flattenedIndex used to resolve each permission's allowed actions into action names or patterns
         * @param actions registry used to look up actions by name and to enumerate the tenant actions
         * @param immutableSet tenant names against which constant tenant patterns are expanded
         */
        TenantPermissions(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, ImmutableSet<String> immutableSet) {
            // Builder for actionToTenantToRoles.
            ImmutableMap.Builder defaultValue = new ImmutableMap.Builder().defaultValue(action -> {
                return new ImmutableMap.Builder().defaultValue(str -> {
                    return new ImmutableSet.Builder();
                });
            });
            // Builder for roleToActionToTenantPattern.
            ImmutableMap.Builder defaultValue2 = new ImmutableMap.Builder().defaultValue(str -> {
                return new ImmutableMap.Builder().defaultValue(action2 -> {
                    return new ImmutableSet.Builder();
                });
            });
            // Collects the per-role initialization errors.
            ImmutableList.Builder builder = new ImmutableList.Builder();
            UnmodifiableIterator it = sgDynamicConfiguration.getCEntries().entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                // One try block per role: a failure aborts the rest of that role only; entries already
                // added to the builders for the role are not rolled back.
                try {
                    String str2 = (String) entry.getKey();
                    UnmodifiableIterator it2 = ((Role) entry.getValue()).getTenantPermissions().iterator();
                    while (it2.hasNext()) {
                        Role.Tenant tenant = (Role.Tenant) it2.next();
                        UnmodifiableIterator it3 = flattenedIndex.resolve(tenant.getAllowedActions()).iterator();
                        while (it3.hasNext()) {
                            String str3 = (String) it3.next();
                            UnmodifiableIterator it4 = tenant.getTenantPatterns().iterator();
                            while (it4.hasNext()) {
                                Template template = (Template) it4.next();
                                if (template.isConstant()) {
                                    // Constant tenant pattern: expand it against the supplied tenant names now.
                                    ImmutableSet matching = immutableSet.matching((Pattern) template.getConstantValue());
                                    if (Pattern.isConstant(str3)) {
                                        UnmodifiableIterator it5 = matching.iterator();
                                        while (it5.hasNext()) {
                                            ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue.get(actions.get(str3))).get((String) it5.next())).add(str2);
                                        }
                                    } else {
                                        // Action pattern: expand it against the known tenant actions.
                                        Pattern create = Pattern.create(str3);
                                        UnmodifiableIterator it6 = actions.tenantActions().matching(wellKnownAction -> {
                                            return create.matches(wellKnownAction.name());
                                        }).iterator();
                                        while (it6.hasNext()) {
                                            Action.WellKnownAction wellKnownAction2 = (Action.WellKnownAction) it6.next();
                                            UnmodifiableIterator it7 = matching.iterator();
                                            while (it7.hasNext()) {
                                                ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue.get(wellKnownAction2)).get((String) it7.next())).add(str2);
                                            }
                                        }
                                    }
                                } else if (Pattern.isConstant(str3)) {
                                    // Non-constant tenant template: keep the template itself per role and action;
                                    // presumably it is rendered at evaluation time (the consumer is outside this class).
                                    ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue2.get(str2)).get(actions.get(str3))).add(template);
                                } else {
                                    Pattern create2 = Pattern.create(str3);
                                    UnmodifiableIterator it8 = actions.tenantActions().matching(wellKnownAction3 -> {
                                        return create2.matches(wellKnownAction3.name());
                                    }).iterator();
                                    while (it8.hasNext()) {
                                        ((ImmutableSet.Builder) ((ImmutableMap.Builder) defaultValue2.get(str2)).get((Action.WellKnownAction) it8.next())).add(template);
                                    }
                                }
                            }
                        }
                    }
                // NOTE(review): as printed, catch (Exception) precedes catch (ConfigValidationException). If
                // ConfigValidationException is an Exception subclass the second handler is unreachable; this
                // looks like a decompiler ordering artifact - confirm the handler order against the original source.
                } catch (Exception e) {
                    RoleBasedActionAuthorization.log.error("Unexpected exception while processing role: " + entry + "\nIgnoring role.", e);
                    builder.with(new PrivilegesEvaluationResult.Error("Unexpected exception while processing role", e, (String) entry.getKey()));
                } catch (ConfigValidationException e2) {
                    RoleBasedActionAuthorization.log.error("Invalid configuration in role: " + entry + "\nThis should have been caught before. Ignoring role.", e2);
                    builder.with(new PrivilegesEvaluationResult.Error("Invalid configuration in role", e2, (String) entry.getKey()));
                }
            }
            // Freeze the nested builders into the immutable lookup tables.
            this.actionToTenantToRoles = defaultValue.build(builder2 -> {
                return builder2.build((v0) -> {
                    return v0.build();
                });
            });
            this.roleToActionToTenantPattern = defaultValue2.build(builder3 -> {
                return builder3.build((v0) -> {
                    return v0.build();
                });
            });
            this.initializationErrors = builder.build();
            this.componentState = new ComponentState("tenant_permissions");
            this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
            // Any failed role downgrades the reported state, so the problem is visible outside the log.
            if (this.initializationErrors.isEmpty()) {
                this.componentState.setInitialized();
            } else {
                this.componentState.setState(ComponentState.State.PARTIALLY_INITIALIZED, "contains_invalid_roles");
                this.componentState.addDetail(builder);
            }
        }

        /** Returns the component state of this table ("tenant_permissions"). */
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /**
     * Convenience constructor that delegates to the eight-argument constructor with fixed defaults.
     *
     * <p>Instances created through this overload have a blank universally-denied-indices pattern, the
     * metrics level {@code NONE} and the default multi-tenancy configuration provider.
     *
     * @param sgDynamicConfiguration role configuration
     * @param flattenedIndex resolved action groups
     * @param actions action registry
     * @param set forwarded unchanged as the fourth argument of the full constructor
     * @param set2 forwarded unchanged as the fifth argument of the full constructor
     */
    public RoleBasedActionAuthorization(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, Set<String> set, Set<String> set2) {
        this(
                sgDynamicConfiguration,
                flattenedIndex,
                actions,
                set,
                set2,
                // No index is universally denied for this overload.
                Pattern.blank(),
                MetricsLevel.NONE,
                MultiTenancyConfigurationProvider.DEFAULT);
    }

    /**
     * Builds all permission tables for the given role configuration and sets up state and metrics.
     *
     * @param sgDynamicConfiguration role configuration; handed to every permission table built here
     * @param flattenedIndex resolved action groups
     * @param actions action registry
     * @param set index names for the stateful index; when {@code null} the stateful index is not built
     *        and its state is set to {@code SUSPENDED} with the reason {@code no_index_information}
     * @param set2 passed to the {@code TenantManager}, whose configured tenant names feed {@code TenantPermissions}
     * @param pattern universally denied indices; it is dereferenced without a null check elsewhere in this
     *        class ({@code isExcluded}, {@code hasIndexPermission}), so the five-argument overload passes
     *        {@code Pattern.blank()} rather than {@code null}
     * @param metricsLevel selects which aggregations are created and whether metrics are registered
     * @param multiTenancyConfigurationProvider passed to the {@code TenantManager}
     */
    public RoleBasedActionAuthorization(SgDynamicConfiguration<Role> sgDynamicConfiguration, ActionGroup.FlattenedIndex flattenedIndex, Actions actions, Set<String> set, Set<String> set2, Pattern pattern, MetricsLevel metricsLevel, MultiTenancyConfigurationProvider multiTenancyConfigurationProvider) {
        this.statefulIndexRebuild = new TimeAggregation.Milliseconds();
        this.statefulIndexState = new ComponentState("index_permissions_stateful");
        this.roles = sgDynamicConfiguration;
        this.actionGroups = flattenedIndex;
        this.actions = actions;
        this.metricsLevel = metricsLevel;
        this.tenantManager = new TenantManager(set2, multiTenancyConfigurationProvider);
        // Grant tables and exclusion tables are built separately from the same role configuration.
        this.cluster = new ClusterPermissions(sgDynamicConfiguration, flattenedIndex, actions, metricsLevel);
        this.clusterExclusions = new ClusterPermissionExclusions(sgDynamicConfiguration, flattenedIndex, actions);
        this.index = new IndexPermissions(sgDynamicConfiguration, flattenedIndex, actions);
        this.indexExclusions = new IndexPermissionExclusions(sgDynamicConfiguration, flattenedIndex, actions);
        this.tenant = new TenantPermissions(sgDynamicConfiguration, flattenedIndex, actions, this.tenantManager.getConfiguredTenantNames());
        this.universallyDeniedIndices = pattern;
        this.componentState = new ComponentState("role_based_action_authorization");
        // The overall state aggregates the state of every table, including the stateful index.
        this.componentState.addParts(new ComponentState[]{this.cluster.getComponentState(), this.clusterExclusions.getComponentState(), this.index.getComponentState(), this.indexExclusions.getComponentState(), this.tenant.getComponentState(), this.statefulIndexState});
        if (set != null) {
            // The meter records the build into statefulIndexRebuild. The close/addSuppressed shape below
            // looks like a decompiled try-with-resources - confirm against the original source.
            Meter basic = Meter.basic(metricsLevel, this.statefulIndexRebuild);
            try {
                this.statefulIndex = new StatefulIndexPermssions(sgDynamicConfiguration, flattenedIndex, actions, set, pattern, this.statefulIndexState);
                if (basic != null) {
                    basic.close();
                }
            } catch (Throwable th) {
                if (basic != null) {
                    try {
                        basic.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } else {
            // Without index names there is nothing to precompute; statefulIndex is not assigned on this path.
            this.statefulIndexState.setState(ComponentState.State.SUSPENDED, "no_index_information");
        }
        this.componentState.updateStateFromParts();
        this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
        // Detailed metrics time the checks, basic metrics only count them, otherwise no-op counters are used.
        if (metricsLevel.detailedEnabled()) {
            this.indexActionChecks = new TimeAggregation.Nanoseconds();
            this.indexActionCheckResults = new CountAggregation();
            this.tenantActionChecks = new TimeAggregation.Nanoseconds();
            this.tenantActionCheckResults = new CountAggregation();
            this.indexActionTypes = new CountAggregation();
        } else if (metricsLevel.basicEnabled()) {
            this.indexActionChecks = new CountAggregation();
            this.indexActionCheckResults = new CountAggregation();
            this.tenantActionChecks = new CountAggregation();
            this.tenantActionCheckResults = new CountAggregation();
            this.indexActionTypes = new CountAggregation();
        } else {
            this.indexActionChecks = CountAggregation.noop();
            this.indexActionCheckResults = CountAggregation.noop();
            this.tenantActionChecks = CountAggregation.noop();
            this.tenantActionCheckResults = CountAggregation.noop();
            this.indexActionTypes = CountAggregation.noop();
        }
        // Sub-counters for the individual outcomes and action kinds.
        this.indexActionCheckResults_ok = this.indexActionCheckResults.getSubCount("ok");
        this.indexActionCheckResults_partially = this.indexActionCheckResults.getSubCount("partially_ok");
        this.indexActionCheckResults_insufficient = this.indexActionCheckResults.getSubCount("insufficient");
        this.tenantActionCheckResults_ok = this.tenantActionCheckResults.getSubCount("ok");
        this.tenantActionCheckResults_insufficient = this.tenantActionCheckResults.getSubCount("insufficient");
        this.indexActionTypes_wellKnown = this.indexActionTypes.getSubCount("well_known");
        this.indexActionTypes_nonWellKnown = this.indexActionTypes.getSubCount("non_well_known");
        if (metricsLevel.basicEnabled()) {
            this.componentState.addMetrics("index_action_check_results", this.indexActionCheckResults);
            this.componentState.addMetrics("tenant_action_check_results", this.tenantActionCheckResults);
            // The key "statful_index_rebuilds" is spelled this way in the registered metric name; anything
            // reading the metric has to use the same spelling.
            this.componentState.addMetrics("index_action_checks", this.indexActionChecks, "tenant_action_checks", this.tenantActionChecks, "statful_index_rebuilds", this.statefulIndexRebuild);
            this.componentState.addMetrics("index_action_types", this.indexActionTypes);
        }
    }

    /**
     * Evaluates a cluster-level action for the roles mapped in the given context.
     *
     * <p>Exclusions are consulted first. Only when the exclusion lookup reports the status
     * {@code PENDING} are the cluster grants consulted; any other status from the exclusion lookup is
     * final and is returned with the action attached as missing privilege.
     *
     * @param privilegesEvaluationContext supplies the mapped roles
     * @param action the cluster action to evaluate
     * @return the result of the grant lookup, or the exclusion result with missing privileges set
     * @throws PrivilegesEvaluationException declared by the interface method
     */
    @Override // com.floragunn.searchguard.authz.ActionAuthorization
    public PrivilegesEvaluationResult hasClusterPermission(PrivilegesEvaluationContext privilegesEvaluationContext, Action action) throws PrivilegesEvaluationException {
        final PrivilegesEvaluationResult exclusionResult = this.clusterExclusions.contains(action, privilegesEvaluationContext.getMappedRoles());
        if (exclusionResult.getStatus() == PrivilegesEvaluationResult.Status.PENDING) {
            // No exclusion decided the request, so the grants decide.
            return this.cluster.contains(action, privilegesEvaluationContext.getMappedRoles());
        }
        return exclusionResult.missingPrivileges(action);
    }

    /**
     * Evaluates whether the context's mapped roles grant every requested action on
     * every local index the request resolved to.
     * <p>
     * Evaluation order as visible in this method:
     * (1) a fast path for requests that resolve to all local indices, taken only
     * when {@code universallyDeniedIndices} is blank;
     * (2) an immediate OK when the request has no local indices;
     * (3) the stateful index, when one is present and returns a non-null result;
     * (4) per-role index patterns keyed by the requested action;
     * (5) action-name patterns, only for actions that are not {@code WellKnownAction};
     * (6) removal of rows matching {@code universallyDeniedIndices} and of role
     * exclusions. Exclusions run after the grants, so they remove cells that a
     * role had granted.
     * <p>
     * NOTE(review): this listing is decompiler output. Several try/catch/finally
     * regions are visibly mangled (empty try bodies, repeated close() calls,
     * counters incremented both inline and in the outer finally). Confirm the
     * exact control flow against the original source before relying on it.
     *
     * @param privilegesEvaluationContext supplies the user and the mapped roles
     * @param immutableSet the actions to authorise
     * @param resolvedIndices the indices the request resolved to; only the local ones are checked here
     * @return OK when the check table is complete, PARTIALLY_OK with the fully
     *         authorised indices, otherwise INSUFFICIENT
     * @throws PrivilegesEvaluationException declared on this method
     */
    @Override // com.floragunn.searchguard.authz.ActionAuthorization
    public PrivilegesEvaluationResult hasIndexPermission(PrivilegesEvaluationContext privilegesEvaluationContext, ImmutableSet<Action> immutableSet, ActionRequestIntrospector.ResolvedIndices resolvedIndices) throws PrivilegesEvaluationException {
        Meter basic;
        PrivilegesEvaluationResult hasPermission;
        // Metrics only: count requested action types; per-name sub-counts only at detailed level.
        if (this.metricsLevel.basicEnabled()) {
            immutableSet.forEach(action -> {
                this.indexActionTypes.increment();
                if (action instanceof Action.WellKnownAction) {
                    this.indexActionTypes_wellKnown.increment();
                    return;
                }
                this.indexActionTypes_nonWellKnown.increment();
                if (this.metricsLevel.detailedEnabled()) {
                    this.indexActionTypes_nonWellKnown.getSubCount(action.name()).increment();
                }
            });
        }
        try {
            Meter basic2 = Meter.basic(this.metricsLevel, this.indexActionChecks);
            try {
                User user = privilegesEvaluationContext.getUser();
                ImmutableSet<String> mappedRoles = privilegesEvaluationContext.getMappedRoles();
                // Starts from the errors recorded at initialization; evaluation errors are appended below.
                ImmutableList<PrivilegesEvaluationResult.Error> immutableList = this.index.initializationErrors;
                if (log.isTraceEnabled()) {
                    log.trace("hasIndexPermission()\nuser: " + user + "\nactions: " + immutableSet + "\nresolved: " + resolvedIndices);
                }
                // Fast path: request targets all local indices and no universal deny pattern is configured.
                if (resolvedIndices.isLocalAll() && this.universallyDeniedIndices.isBlank()) {
                    basic = basic2.basic("local_all");
                    try {
                        // Single-row table ("*") with one column per requested action.
                        CheckTable<String, Action> create = CheckTable.create("*", immutableSet);
                        UnmodifiableIterator it = immutableSet.iterator();
                        while (it.hasNext()) {
                            Action action2 = (Action) it.next();
                            ImmutableSet immutableSet2 = (ImmutableSet) this.index.actionToRolesWithWildcardIndexPrivileges.get(action2);
                            // NOTE(review): check(...) presumably returns true once the table is complete - confirm.
                            if (immutableSet2 != null && immutableSet2.containsAny(mappedRoles) && create.check("*", action2)) {
                                break;
                            }
                        }
                        // Wildcard grants count only when no exclusion applies to these roles and actions.
                        if (create.isComplete() && !this.indexExclusions.contains(mappedRoles, immutableSet)) {
                            this.indexActionCheckResults_ok.increment();
                            PrivilegesEvaluationResult privilegesEvaluationResult = PrivilegesEvaluationResult.OK;
                            if (basic != null) {
                                basic.close();
                            }
                            if (basic2 != null) {
                                basic2.close();
                            }
                            return privilegesEvaluationResult;
                        }
                        // If the context does not ask for local-all to be resolved, the decision is final here.
                        if (!privilegesEvaluationContext.isResolveLocalAll()) {
                            this.indexActionCheckResults_insufficient.increment();
                            if (create.isComplete()) {
                                // Fully granted but an exclusion matched.
                                PrivilegesEvaluationResult with = PrivilegesEvaluationResult.INSUFFICIENT.reason("Privileges excluded").with(create);
                                if (basic != null) {
                                    basic.close();
                                }
                                if (basic2 != null) {
                                    basic2.close();
                                }
                                this.indexActionCheckResults.increment();
                                return with;
                            }
                            PrivilegesEvaluationResult with2 = PrivilegesEvaluationResult.INSUFFICIENT.reason("Insufficient privileges").with(create);
                            if (basic != null) {
                                basic.close();
                            }
                            if (basic2 != null) {
                                basic2.close();
                            }
                            this.indexActionCheckResults.increment();
                            return with2;
                        }
                        if (basic != null) {
                            basic.close();
                        }
                    } finally {
                        // NOTE(review): decompiler artifact. As listed, this closes the meter a second time
                        // and calls th.addSuppressed(th) on the same throwable; verify against the original source.
                        if (basic != null) {
                            try {
                                basic.close();
                            } catch (Throwable th) {
                                th.addSuppressed(th);
                            }
                        }
                    }
                }
                // No local index to authorise: the request is granted by this check.
                // NOTE(review): remote indices are not evaluated in this method; confirm where they are authorised.
                if (resolvedIndices.getLocalIndices().isEmpty()) {
                    log.debug("No local indices; grant the request");
                    this.indexActionCheckResults_ok.increment();
                    PrivilegesEvaluationResult privilegesEvaluationResult2 = PrivilegesEvaluationResult.OK;
                    if (basic2 != null) {
                        basic2.close();
                    }
                    this.indexActionCheckResults.increment();
                    return privilegesEvaluationResult2;
                }
                // One row per local index, one column per requested action; a cell is checked once granted.
                CheckTable<String, Action> create2 = CheckTable.create(resolvedIndices.getLocalIndices(), immutableSet);
                // Read the field once so the whole evaluation uses one instance even if updateIndices() replaces it.
                StatefulIndexPermssions statefulIndexPermssions = this.statefulIndex;
                // A non-null result from the stateful index is returned as the final decision.
                if (statefulIndexPermssions != null && (hasPermission = statefulIndexPermssions.hasPermission(user, mappedRoles, immutableSet, resolvedIndices, privilegesEvaluationContext, create2)) != null) {
                    if (log.isTraceEnabled()) {
                        log.trace("resultFromStatefulIndex: " + hasPermission);
                    }
                    if (basic2 != null) {
                        basic2.close();
                    }
                    this.indexActionCheckResults.increment();
                    return hasPermission;
                }
                basic = basic2.basic("well_known_action_index_pattern");
                try {
                    // Pass 1: for each mapped role, look up the index pattern stored under the exact action.
                    UnmodifiableIterator it2 = mappedRoles.iterator();
                    loop1: while (it2.hasNext()) {
                        String str = (String) it2.next();
                        ImmutableMap immutableMap = (ImmutableMap) this.index.rolesToActionToIndexPattern.get(str);
                        if (log.isTraceEnabled()) {
                            log.trace("Role " + str + " => " + immutableMap);
                        }
                        if (immutableMap != null) {
                            UnmodifiableIterator it3 = immutableSet.iterator();
                            while (it3.hasNext()) {
                                Action action3 = (Action) it3.next();
                                IndexPattern indexPattern = (IndexPattern) immutableMap.get(action3);
                                if (indexPattern != null) {
                                    // Only indices not yet granted for this action are tested.
                                    for (String str2 : create2.iterateUncheckedRows(action3)) {
                                        // NOTE(review): decompiler artifact. The try body is empty, so the matches(...)
                                        // call below is presumably what the original guarded. The handler records the
                                        // error and skips the entry, which leaves the cell unchecked (no grant).
                                        try {
                                        } catch (PrivilegesEvaluationException e) {
                                            log.error("Error while evaluating index pattern of role " + str + ". Ignoring entry", e);
                                            this.componentState.addLastException("has_index_permission", e);
                                            immutableList = immutableList.with(new PrivilegesEvaluationResult.Error("Error while evaluating index pattern", e, str));
                                        }
                                        if (indexPattern.matches(str2, user, privilegesEvaluationContext, basic) && create2.check(str2, action3)) {
                                            break loop1;
                                        }
                                    }
                                }
                            }
                        }
                    }
                    if (basic != null) {
                        basic.close();
                    }
                    boolean forAllApplies = immutableSet.forAllApplies(action4 -> {
                        return action4 instanceof Action.WellKnownAction;
                    });
                    // Pass 2 runs only if cells are still open and at least one action is not a WellKnownAction.
                    if (!create2.isComplete() && !forAllApplies) {
                        Meter basic3 = basic2.basic("non_well_known_actions_index_pattern");
                        try {
                            UnmodifiableIterator it4 = mappedRoles.iterator();
                            loop4: while (it4.hasNext()) {
                                String str3 = (String) it4.next();
                                ImmutableMap immutableMap2 = (ImmutableMap) this.index.rolesToActionPatternToIndexPattern.get(str3);
                                if (log.isTraceEnabled()) {
                                    log.trace("Role " + str3 + " => " + immutableMap2);
                                }
                                if (immutableMap2 != null) {
                                    UnmodifiableIterator it5 = immutableSet.iterator();
                                    while (it5.hasNext()) {
                                        Action action5 = (Action) it5.next();
                                        if (!(action5 instanceof Action.WellKnownAction)) {
                                            // Here the role's entries are keyed by an action-name pattern, matched against action5.name().
                                            UnmodifiableIterator it6 = immutableMap2.entrySet().iterator();
                                            while (it6.hasNext()) {
                                                Map.Entry entry = (Map.Entry) it6.next();
                                                Pattern pattern = (Pattern) entry.getKey();
                                                IndexPattern indexPattern2 = (IndexPattern) entry.getValue();
                                                if (pattern.matches(action5.name())) {
                                                    for (String str4 : create2.iterateUncheckedRows(action5)) {
                                                        // NOTE(review): same decompiler artifact as in pass 1; the matches(...)
                                                        // call below is presumably the guarded statement.
                                                        try {
                                                        } catch (PrivilegesEvaluationException e2) {
                                                            log.error("Error while evaluating index pattern. Ignoring entry", e2);
                                                            this.componentState.addLastException("has_index_permission", e2);
                                                            immutableList = immutableList.with(new PrivilegesEvaluationResult.Error("Error while evaluating index pattern", e2, str3));
                                                        }
                                                        if (indexPattern2.matches(str4, user, privilegesEvaluationContext, basic3) && create2.check(str4, action5)) {
                                                            break loop4;
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                            if (basic3 != null) {
                                basic3.close();
                            }
                        } catch (Throwable th2) {
                            if (basic3 != null) {
                                try {
                                    basic3.close();
                                } catch (Throwable th3) {
                                    th2.addSuppressed(th3);
                                }
                            }
                            throw th2;
                        }
                    }
                    if (log.isTraceEnabled()) {
                        log.trace("Permissions before exclusions:\n" + create2);
                    }
                    // Deny steps run after all grants: first drop every index row matching the universal deny pattern...
                    create2.uncheckRowIf(str5 -> {
                        return this.universallyDeniedIndices.matches(str5);
                    });
                    if (log.isTraceEnabled()) {
                        log.trace("Permissions after universallyDeniedIndices exclusions:\n" + create2);
                    }
                    // ...then let the role exclusions uncheck cells in the table.
                    this.indexExclusions.uncheckExclusions(create2, user, mappedRoles, immutableSet, resolvedIndices, privilegesEvaluationContext, basic2);
                    if (log.isTraceEnabled()) {
                        log.trace("Permissions after exclusions:\n" + create2);
                    }
                    // Every action granted on every local index.
                    if (create2.isComplete()) {
                        this.indexActionCheckResults_ok.increment();
                        PrivilegesEvaluationResult privilegesEvaluationResult3 = PrivilegesEvaluationResult.OK;
                        if (basic2 != null) {
                            basic2.close();
                        }
                        this.indexActionCheckResults.increment();
                        return privilegesEvaluationResult3;
                    }
                    // Rows (indices) on which all requested actions are granted.
                    ImmutableSet<String> completeRows = create2.getCompleteRows();
                    if (completeRows.isEmpty()) {
                        this.indexActionCheckResults_insufficient.increment();
                        PrivilegesEvaluationResult reason = PrivilegesEvaluationResult.INSUFFICIENT.with(create2, immutableList).reason(resolvedIndices.getLocalIndices().size() == 1 ? "Insufficient permissions for the referenced index" : "None of " + resolvedIndices.getLocalIndices().size() + " referenced indices has sufficient permissions");
                        if (basic2 != null) {
                            basic2.close();
                        }
                        this.indexActionCheckResults.increment();
                        return reason;
                    }
                    // Some indices are fully authorised: report them so the caller can act on that subset.
                    this.indexActionCheckResults_partially.increment();
                    PrivilegesEvaluationResult availableIndices = PrivilegesEvaluationResult.PARTIALLY_OK.availableIndices(completeRows, create2, immutableList);
                    if (basic2 != null) {
                        basic2.close();
                    }
                    this.indexActionCheckResults.increment();
                    return availableIndices;
                } catch (Throwable th4) {
                    throw th4;
                }
            } finally {
            }
        } finally {
            // NOTE(review): most return paths above also increment this counter inline, so as listed it
            // would be counted twice per call; likely a decompiler duplication of this finally block.
            this.indexActionCheckResults.increment();
        }
    }

    /**
     * Evaluates whether the context's mapped roles grant the given action on the
     * named tenant.
     * <p>
     * Evaluation order as visible in this method:
     * (1) a direct lookup in {@code actionToTenantToRoles} by action and tenant
     * name, returning OK when the stored roles intersect the mapped roles;
     * (2) {@code tenantManager.isTenantHeaderValid}, returning INSUFFICIENT
     * ("Invalid requested tenant") when it fails;
     * (3) per-role tenant templates, rendered for the user and matched against
     * the tenant name;
     * (4) INSUFFICIENT with the action recorded as a missing privilege.
     * <p>
     * NOTE(review): this listing is decompiler output; the try/catch regions
     * around template rendering are visibly mangled. Confirm the exact control
     * flow against the original source.
     *
     * @param privilegesEvaluationContext supplies the user and the mapped roles
     * @param action the tenant action to authorise
     * @param str the requested tenant name
     * @return OK or INSUFFICIENT as described above
     * @throws PrivilegesEvaluationException declared on this method
     */
    @Override // com.floragunn.searchguard.authz.ActionAuthorization
    public PrivilegesEvaluationResult hasTenantPermission(PrivilegesEvaluationContext privilegesEvaluationContext, Action action, String str) throws PrivilegesEvaluationException {
        ImmutableSet immutableSet;
        Meter basic;
        ImmutableSet immutableSet2;
        try {
            Meter basic2 = Meter.basic(this.metricsLevel, this.tenantActionChecks);
            try {
                User user = privilegesEvaluationContext.getUser();
                ImmutableSet<String> mappedRoles = privilegesEvaluationContext.getMappedRoles();
                // Starts from the errors recorded at initialization; template errors are appended below.
                ImmutableList<PrivilegesEvaluationResult.Error> immutableList = this.tenant.initializationErrors;
                // Step 1: lookup by action and exact tenant name. This runs before the tenant-name validity check below.
                ImmutableMap immutableMap = (ImmutableMap) this.tenant.actionToTenantToRoles.get(action);
                if (immutableMap != null && (immutableSet2 = (ImmutableSet) immutableMap.get(str)) != null && immutableSet2.containsAny(mappedRoles)) {
                    this.tenantActionCheckResults_ok.increment();
                    PrivilegesEvaluationResult privilegesEvaluationResult = PrivilegesEvaluationResult.OK;
                    if (basic2 != null) {
                        basic2.close();
                    }
                    return privilegesEvaluationResult;
                }
                // Step 2: reject tenant names the tenant manager does not accept before any pattern matching.
                if (!this.tenantManager.isTenantHeaderValid(str)) {
                    // The tenant name is passed as a log parameter, not concatenated into the message.
                    // NOTE(review): presumably request-supplied; confirm the log layout handles control characters.
                    log.info("Invalid tenant requested: {}", str);
                    this.tenantActionCheckResults_insufficient.increment();
                    PrivilegesEvaluationResult reason = PrivilegesEvaluationResult.INSUFFICIENT.reason("Invalid requested tenant");
                    if (basic2 != null) {
                        basic2.close();
                    }
                    this.tenantActionCheckResults.increment();
                    return reason;
                }
                Meter basic3 = basic2.basic("action_tenant_pattern");
                try {
                    // Step 3: per role, render each tenant template stored for this action and match it.
                    UnmodifiableIterator it = mappedRoles.iterator();
                    while (it.hasNext()) {
                        String str2 = (String) it.next();
                        ImmutableMap immutableMap2 = (ImmutableMap) this.tenant.roleToActionToTenantPattern.get(str2);
                        if (immutableMap2 != null && (immutableSet = (ImmutableSet) immutableMap2.get(action)) != null) {
                            UnmodifiableIterator it2 = immutableSet.iterator();
                            while (it2.hasNext()) {
                                Template template = (Template) it2.next();
                                // NOTE(review): decompiler artifact. The inner try body is empty, so the
                                // template.render(user) call below is presumably what the original guarded.
                                // The handler records the error and continues without granting.
                                try {
                                    basic = basic3.basic("render_tenant_template");
                                    try {
                                    } catch (Throwable th) {
                                        if (basic != null) {
                                            try {
                                                basic.close();
                                            } catch (Throwable th2) {
                                                th.addSuppressed(th2);
                                            }
                                        }
                                        throw th;
                                    }
                                } catch (ExpressionEvaluationException e) {
                                    immutableList = immutableList.with(new PrivilegesEvaluationResult.Error("Error while evaluating tenant pattern", e, str2));
                                    log.error("Error while evaluating tenant privilege", e);
                                    this.componentState.addLastException("has_tenant_permission", e);
                                }
                                // The template is rendered with the user's data, then matched against the tenant name.
                                if (((Pattern) template.render(user)).matches(str)) {
                                    this.tenantActionCheckResults_ok.increment();
                                    PrivilegesEvaluationResult privilegesEvaluationResult2 = PrivilegesEvaluationResult.OK;
                                    if (basic != null) {
                                        basic.close();
                                    }
                                    if (basic3 != null) {
                                        basic3.close();
                                    }
                                    if (basic2 != null) {
                                        basic2.close();
                                    }
                                    this.tenantActionCheckResults.increment();
                                    return privilegesEvaluationResult2;
                                }
                                if (basic != null) {
                                    basic.close();
                                }
                            }
                        }
                    }
                    if (basic3 != null) {
                        basic3.close();
                    }
                    // Step 4: no role matched; deny and carry the collected errors in the result.
                    this.tenantActionCheckResults_insufficient.increment();
                    PrivilegesEvaluationResult missingPrivileges = PrivilegesEvaluationResult.INSUFFICIENT.with(immutableList).missingPrivileges(action);
                    if (basic2 != null) {
                        basic2.close();
                    }
                    this.tenantActionCheckResults.increment();
                    return missingPrivileges;
                } catch (Throwable th3) {
                    if (basic3 != null) {
                        try {
                            basic3.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (Throwable th5) {
                if (basic2 != null) {
                    try {
                        basic2.close();
                    } catch (Throwable th6) {
                        th5.addSuppressed(th6);
                    }
                }
                throw th5;
            }
        } finally {
            // NOTE(review): most return paths above also increment this counter inline, so as listed it
            // would be counted twice per call; likely a decompiler duplication of this finally block.
            this.tenantActionCheckResults.increment();
        }
    }

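    /**
     * Rebuilds the stateful index-permission table when the given index set
     * differs from the one the current table was built for.
     * <p>
     * Nothing happens when a table exists and its {@code indices} equal
     * {@code set}. Otherwise a new {@code StatefulIndexPermssions} is built
     * from the current roles, action groups, actions and universally denied
     * indices, assigned to {@code statefulIndex}, and the component state is
     * refreshed. The rebuild is timed with a meter on
     * {@code statefulIndexRebuild}.
     *
     * @param set the index names the stateful table should cover
     */
    public void updateIndices(Set<String> set) {
        StatefulIndexPermssions current = this.statefulIndex;
        if (current != null && current.indices.equals(set)) {
            return;
        }
        // try-with-resources closes the meter exactly once on every exit path; the hand-written
        // close/catch/close sequence it replaces could call close() twice if the first call threw.
        try (Meter rebuildMeter = Meter.basic(this.metricsLevel, this.statefulIndexRebuild)) {
            this.statefulIndex = new StatefulIndexPermssions(this.roles, this.actionGroups, this.actions, set, this.universallyDeniedIndices, this.statefulIndexState);
            this.componentState.updateStateFromParts();
        }
    }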

    /**
     * Returns the {@code actionGroups} field of this instance.
     *
     * @return the flattened action-group index held by this object
     */
    public ActionGroup.FlattenedIndex getActionGroups() {
        final ActionGroup.FlattenedIndex flattenedGroups = this.actionGroups;
        return flattenedGroups;
    }

    /**
     * Tells whether the given string contains a colon.
     *
     * @param str the string to inspect; must not be null
     * @return {@code true} if {@code str} contains at least one ':' character
     */
    private static boolean isActionName(String str) {
        final int colonAt = str.indexOf(':');
        return colonAt >= 0;
    }

    /**
     * Returns the {@code componentState} field of this instance, the object
     * on which the authorization checks record their last exceptions.
     *
     * @return the component state held by this object
     */
    public ComponentState getComponentState() {
        final ComponentState state = this.componentState;
        return state;
    }
}
