package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.cache.Cache;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/auth/AuthorizationProcessor.class */
public class AuthorizationProcessor {
    private static final Logger log = LogManager.getLogger(AuthorizationProcessor.class);
    private final Set<AuthorizationDomain> authorizationDomains;
    private final Iterator<AuthorizationDomain> authorizationDomainIter;
    private final Cache<User, Set<String>> roleCache;
    private boolean cacheResult = true;

    public AuthorizationProcessor(Set<AuthorizationDomain> set, Cache<User, Set<String>> cache) {
        this.authorizationDomains = set;
        this.authorizationDomainIter = set.iterator();
        this.roleCache = cache;
    }

    public void authz(User user, Consumer<User> consumer, Consumer<Exception> consumer2) {
        Set set;
        if (this.roleCache != null && (set = (Set) this.roleCache.getIfPresent(user)) != null) {
            user.addRoles(new HashSet(set));
            consumer.accept(user);
        } else if (this.authorizationDomains == null || this.authorizationDomains.isEmpty()) {
            consumer.accept(user);
        } else {
            checkNextAuthzDomain(user, consumer, consumer2);
        }
    }

    private void checkNextAuthzDomain(User user, Consumer<User> consumer, Consumer<Exception> consumer2) {
        AuthorizationDomain nextAuthorizationDomain = nextAuthorizationDomain(user);
        if (nextAuthorizationDomain == null) {
            if (this.roleCache != null && this.cacheResult) {
                this.roleCache.put(user, new HashSet(user.getRoles()));
            }
            consumer.accept(user);
            return;
        }
        com.floragunn.searchguard.auth.api.AuthorizationBackend authorizationBackend = nextAuthorizationDomain.getAuthorizationBackend();
        try {
            if (log.isTraceEnabled()) {
                log.trace("Backend roles for " + user.getName() + " not cached, return from " + authorizationBackend.getType() + " backend directly");
            }
            authorizationBackend.retrieveRoles(user, AuthCredentials.forUser(user.getName()).build(), collection -> {
                user.addRoles(collection);
                checkNextAuthzDomain(user, consumer, consumer2);
            }, exc -> {
                log.error("Cannot retrieve roles for {} from {} due to {}", user, authorizationBackend.getType(), exc.toString(), exc);
                this.cacheResult = false;
                checkNextAuthzDomain(user, consumer, consumer2);
            });
        } catch (Exception e) {
            log.error("Cannot retrieve roles for {} from {} due to {}", user, authorizationBackend.getType(), e.toString(), e);
            this.cacheResult = false;
            checkNextAuthzDomain(user, consumer, consumer2);
        }
    }

    private AuthorizationDomain nextAuthorizationDomain(User user) {
        while (this.authorizationDomainIter.hasNext()) {
            AuthorizationDomain next = this.authorizationDomainIter.next();
            List<String> skippedUsers = next.getSkippedUsers();
            if (skippedUsers.isEmpty() || user.getName() == null || !WildcardMatcher.matchAny(skippedUsers, user.getName())) {
                return next;
            }
            if (log.isDebugEnabled()) {
                log.debug("Skipped authorization of user {}", user.getName());
            }
        }
        return null;
    }
}
