package com.floragunn.searchguard.compliance;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.LicenseChangeListener;
import com.floragunn.searchguard.configuration.SearchGuardLicense;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;

/* loaded from: input_file:com/floragunn/searchguard/compliance/ComplianceConfig.class */
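/**
 * Node-level compliance configuration: which indices and fields have read/write history recorded,
 * which index patterns are immutable, and the salt read from {@code searchguard.compliance.salt}.
 *
 * <p>This listing is decompiler output (JADX), so local names are reconstructed. License gating is
 * applied by {@link #readHistoryEnabledForIndex}, {@link #readHistoryEnabledForField} and
 * {@link #isIndexImmutable}. The write-history methods and the metadata-only getters do not consult
 * the license flag themselves, so callers presumably check {@link #isEnabled()} first (verify at
 * the call sites).
 */
public class ComplianceConfig implements LicenseChangeListener {
    private final Settings settings;
    // Index patterns whose writes are recorded (matched with WildcardMatcher).
    private final List<String> watchedWriteIndices;
    // Set when the configured audit index name parses as a Joda date pattern; otherwise null.
    private DateTimeFormatter auditLogPattern;
    // Set when the configured audit index name is NOT a valid date pattern (literal name); otherwise null.
    private String auditLogIndex;
    private final boolean logDiffsForWrite;
    private final boolean logWriteMetadataOnly;
    private final boolean logReadMetadataOnly;
    private final boolean logExternalConfig;
    private final boolean logInternalConfig;
    // index name -> watched field patterns, computed by getFieldsForIndex0; bounded to 1000 entries.
    private final LoadingCache<String, Set<String>> cache;
    private final Set<String> immutableIndicesPatterns;
    // First 16 bytes of the UTF-8 encoding of the configured salt.
    private final byte[] salt16;
    private final String searchguardIndex;
    private final IndexResolverReplacer irr;
    private final Environment environment;
    private final AuditLog auditLog;
    private final Logger log = LogManager.getLogger(getClass());
    // index pattern -> field patterns whose reads are recorded ("*" when no fields were listed).
    private final Map<String, Set<String>> readEnabledFields = new HashMap<>(100);
    // Starts as true: the license-gated checks treat compliance as enabled until onChange() says otherwise.
    private volatile boolean enabled = true;
    private volatile boolean externalConfigLogged = false;

    /**
     * Reads all compliance settings from the node environment.
     *
     * @param environment node environment supplying the settings
     * @param indexResolverReplacer resolver used by {@link #isIndexImmutable(Object)}
     * @param auditLog sink used to record the external configuration once the license allows it
     * @throws ElasticsearchException if the configured salt encodes to fewer than 16 bytes
     */
    public ComplianceConfig(Environment environment, IndexResolverReplacer indexResolverReplacer, AuditLog auditLog) {
        this.auditLogPattern = null;
        this.auditLogIndex = null;
        this.settings = environment.settings();
        this.environment = environment;
        this.irr = indexResolverReplacer;
        this.auditLog = auditLog;
        List<String> watchedReadFields = this.settings.getAsList(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), false);
        this.watchedWriteIndices = this.settings.getAsList(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList());
        this.logDiffsForWrite = this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false).booleanValue();
        this.logWriteMetadataOnly = this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false).booleanValue();
        this.logReadMetadataOnly = this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false).booleanValue();
        this.logExternalConfig = this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false).booleanValue();
        this.logInternalConfig = this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false).booleanValue();
        this.immutableIndicesPatterns = new HashSet<>(this.settings.getAsList(ConfigConstants.SEARCHGUARD_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList()));

        String configuredSalt = this.settings.get(ConfigConstants.SEARCHGUARD_COMPLIANCE_SALT, ConfigConstants.SEARCHGUARD_COMPLIANCE_SALT_DEFAULT);
        byte[] saltBytes = configuredSalt.getBytes(StandardCharsets.UTF_8);
        // The default is a fixed constant, so an installation that keeps it salts with the same bytes
        // as every other default installation. The code only warns; it does not refuse to start.
        if (configuredSalt.equals(ConfigConstants.SEARCHGUARD_COMPLIANCE_SALT_DEFAULT)) {
            this.log.warn("If you plan to use field masking pls configure searchguard.compliance.salt to be a random string of 16 chars length identical on all nodes");
        }
        if (saltBytes.length < 16) {
            throw new ElasticsearchException("searchguard.compliance.salt must at least contain 16 bytes", new Object[0]);
        }
        if (saltBytes.length > 16) {
            this.log.warn("searchguard.compliance.salt is greater than 16 bytes. Only the first 16 bytes are used for salting");
        }
        this.salt16 = Arrays.copyOf(saltBytes, 16);
        this.searchguardIndex = this.settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);

        // Each entry is "indexPattern[,field1,field2,...]"; an entry without fields watches every field.
        for (String entry : watchedReadFields) {
            List<String> parts = Arrays.asList(entry.split(","));
            if (parts.isEmpty()) {
                continue;
            }
            if (parts.size() == 1) {
                this.readEnabledFields.put(parts.get(0), Collections.singleton("*"));
            } else {
                this.readEnabledFields.put(parts.get(0), new HashSet<>(parts.subList(1, parts.size())));
            }
        }

        if ("internal_elasticsearch".equalsIgnoreCase(this.settings.get(ConfigConstants.SEARCHGUARD_AUDIT_TYPE_DEFAULT, (String) null))) {
            String auditIndexSetting = this.settings.get("searchguard.audit.config.index", "'sg6-auditlog-'YYYY.MM.dd");
            try {
                this.auditLogPattern = DateTimeFormat.forPattern(auditIndexSetting);
            } catch (IllegalArgumentException notADatePattern) {
                // Deliberate fallback: a value that is not a date pattern is taken as a literal index name.
                this.auditLogIndex = auditIndexSetting;
            } catch (Exception e) {
                this.log.error("Unable to check if auditlog index {} is part of compliance setup", auditIndexSetting, e);
            }
        }
        this.log.info("PII configuration [auditLogPattern={},  auditLogIndex={}]: {}", this.auditLogPattern, this.auditLogIndex, this.readEnabledFields);
        this.cache = CacheBuilder.newBuilder().maximumSize(1000L).build(new CacheLoader<String, Set<String>>() {
            @Override
            public Set<String> load(String index) throws Exception {
                return ComplianceConfig.this.getFieldsForIndex0(index);
            }
        });
    }

    /**
     * Updates the license flag and, the first time compliance is enabled with external-config
     * logging switched on, records the external configuration in the audit log.
     *
     * @param searchGuardLicense the new license; {@code null} disables the compliance features
     */
    @Override // com.floragunn.searchguard.configuration.LicenseChangeListener
    public void onChange(SearchGuardLicense searchGuardLicense) {
        this.enabled = searchGuardLicense != null && searchGuardLicense.hasFeature(SearchGuardLicense.Feature.COMPLIANCE);
        this.log.info("Compliance features are " + (this.enabled ? "enabled" : "disabled. To enable them you need a special license. Please contact support for this."));
        if (this.enabled && this.logExternalConfig && !this.externalConfigLogged) {
            this.auditLog.logExternalConfig(this.settings, this.environment);
            this.externalConfigLogged = true;
        }
    }

    /** @return whether the current license enables the compliance features */
    public boolean isEnabled() {
        return this.enabled;
    }

    /**
     * Computes the watched field patterns for one index; this is the loader behind {@code cache}.
     * Public only as a decompilation artifact (JADX reports the original modifier as private).
     *
     * @param index concrete index name, may be {@code null}
     * @return the union of field patterns of every configured index pattern matching {@code index};
     *     empty for {@code null} and for the audit-log index
     */
    public Set<String> getFieldsForIndex0(String index) {
        if (index == null) {
            return Collections.emptySet();
        }
        // The audit-log index is never watched, presumably so that reading audit data does not
        // itself generate audit events.
        if (this.auditLogIndex != null && this.auditLogIndex.equalsIgnoreCase(index)) {
            return Collections.emptySet();
        }
        // NOTE(review): the pattern is expanded with the current UTC time, so only today's audit
        // index name is excluded here. An audit index carrying an earlier date is not matched by this check.
        if (this.auditLogPattern != null && index.equalsIgnoreCase(getExpandedIndexName(this.auditLogPattern, null))) {
            return Collections.emptySet();
        }
        Set<String> fields = new HashSet<>(100);
        for (Map.Entry<String, Set<String>> watched : this.readEnabledFields.entrySet()) {
            String indexPattern = watched.getKey();
            if (indexPattern != null && !indexPattern.isEmpty() && WildcardMatcher.match(indexPattern, index)) {
                fields.addAll(watched.getValue());
            }
        }
        return fields;
    }

    /** Renders the formatter for the current UTC time, or returns {@code fallback} when there is no formatter. */
    private String getExpandedIndexName(DateTimeFormatter dateTimeFormatter, String fallback) {
        return dateTimeFormatter == null ? fallback : dateTimeFormatter.print(DateTime.now(DateTimeZone.UTC));
    }

    /**
     * Tells whether writes to {@code index} are recorded. This method does not consult the license
     * flag, so callers that need license gating must check {@link #isEnabled()} themselves.
     *
     * @param index concrete index name, may be {@code null}
     * @return {@code false} for {@code null} and for the audit-log index; the internal-config
     *     setting for the Search Guard index; otherwise whether a watched write pattern matches
     */
    public boolean writeHistoryEnabledForIndex(String index) {
        if (index == null) {
            return false;
        }
        if (this.searchguardIndex.equals(index)) {
            return this.logInternalConfig;
        }
        if (this.auditLogIndex != null && this.auditLogIndex.equalsIgnoreCase(index)) {
            return false;
        }
        if (this.auditLogPattern != null && index.equalsIgnoreCase(getExpandedIndexName(this.auditLogPattern, null))) {
            return false;
        }
        return WildcardMatcher.matchAny(this.watchedWriteIndices, index);
    }

    /**
     * Tells whether reads from {@code index} are recorded.
     *
     * @param index concrete index name, may be {@code null}
     * @return {@code false} when compliance is disabled or {@code index} is {@code null}; the
     *     internal-config setting for the Search Guard index; otherwise whether any field is watched
     */
    public boolean readHistoryEnabledForIndex(String index) {
        if (!this.enabled) {
            return false;
        }
        // Guava's LoadingCache rejects null keys with a NullPointerException, so the null case is
        // answered here with the value the loader would give (no watched fields).
        if (index == null) {
            return false;
        }
        if (this.searchguardIndex.equals(index)) {
            return this.logInternalConfig;
        }
        try {
            return !this.cache.get(index).isEmpty();
        } catch (ExecutionException e) {
            this.log.error(e);
            // A failed lookup answers true, i.e. it errs toward recording the read rather than dropping it.
            return true;
        }
    }

    /**
     * Tells whether reads of {@code field} in {@code index} are recorded.
     *
     * @param index concrete index name, may be {@code null}
     * @param field field name matched against the watched field patterns of the index
     * @return {@code false} when compliance is disabled, {@code index} is {@code null}, or the
     *     index has no watched fields; the internal-config setting for the Search Guard index
     */
    public boolean readHistoryEnabledForField(String index, String field) {
        if (!this.enabled) {
            return false;
        }
        // Same null handling as readHistoryEnabledForIndex: the cache cannot be queried with a null key.
        if (index == null) {
            return false;
        }
        if (this.searchguardIndex.equals(index)) {
            return this.logInternalConfig;
        }
        try {
            Set<String> watchedFields = this.cache.get(index);
            if (watchedFields.isEmpty()) {
                return false;
            }
            return WildcardMatcher.matchAny(watchedFields, field);
        } catch (ExecutionException e) {
            this.log.error(e);
            // A failed lookup answers true, i.e. it errs toward recording the read rather than dropping it.
            return true;
        }
    }

    /** @return whether write diffs are logged; always {@code false} when only write metadata is logged */
    public boolean logDiffsForWrite() {
        return !logWriteMetadataOnly() && this.logDiffsForWrite;
    }

    /** @return whether only metadata is logged for writes */
    public boolean logWriteMetadataOnly() {
        return this.logWriteMetadataOnly;
    }

    /** @return whether only metadata is logged for reads */
    public boolean logReadMetadataOnly() {
        return this.logReadMetadataOnly;
    }

    /**
     * Tells whether the request touches an index configured as immutable.
     *
     * @param request the request object handed to the index resolver
     * @return {@code false} when compliance is disabled or no immutable patterns are configured;
     *     {@code true} when the request resolves to all local indices or any resolved index
     *     matches an immutable pattern
     */
    public boolean isIndexImmutable(Object request) {
        if (!this.enabled || this.immutableIndicesPatterns.isEmpty()) {
            return false;
        }
        IndexResolverReplacer.Resolved resolved = this.irr.resolveRequest(request);
        // A request for all local indices is treated as touching an immutable index without matching.
        if (resolved.isLocalAll()) {
            return true;
        }
        return WildcardMatcher.matchAny(this.immutableIndicesPatterns, resolved.getAllIndices());
    }

    /** @return a copy of the 16 salt bytes, so callers cannot modify the stored salt */
    public byte[] getSalt16() {
        return this.salt16.clone();
    }
}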
