package com.floragunn.searchguard.sgconf;

import com.floragunn.searchguard.auth.blocking.ClientBlockRegistry;
import com.floragunn.searchguard.auth.blocking.IpRangeVerdictBasedBlockRegistry;
import com.floragunn.searchguard.auth.blocking.VerdictBasedBlockRegistry;
import com.floragunn.searchguard.auth.blocking.WildcardVerdictBasedBlockRegistry;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration;
import com.floragunn.searchguard.sgconf.impl.v7.ActionGroupsV7;
import com.floragunn.searchguard.sgconf.impl.v7.BlocksV7;
import com.floragunn.searchguard.sgconf.impl.v7.RoleMappingsV7;
import com.floragunn.searchguard.sgconf.impl.v7.RoleV7;
import com.floragunn.searchguard.sgconf.impl.v7.TenantV7;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.StringInterpolationException;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchguard.user.UserAttributes;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ListMultimap;
import com.google.common.collect.MultimapBuilder;
import com.google.common.collect.SetMultimap;
import com.google.common.collect.Sets;
import inet.ipaddr.AddressStringException;
import inet.ipaddr.IPAddressString;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;

/* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7.class */
public class ConfigModelV7 extends ConfigModel {
    // Shared logger; the nested classes in this file write to it as ConfigModelV7.log.
    private static final Logger log = LogManager.getLogger(ConfigModelV7.class);
    // NOTE(review): static and non-final, so a single value is shared by every ConfigModelV7
    // instance in the JVM. Where it is assigned is not visible in this part of the file.
    private static boolean dfmEmptyOverridesAll;
    // Read by RoleMappingHolder.map to decide whether backend roles, role mappings, or both
    // contribute to a user's effective role set.
    private ConfigConstants.RolesMappingResolution rolesMappingResolution;
    private ConfigModel.ActionGroupResolver agr;
    private SgRoles sgRoles;
    private TenantHolder tenantHolder;
    private RoleMappingHolder roleMappingHolder;
    // The RoleMappingHolder constructor builds its lookup tables only when this is non-null.
    private SgDynamicConfiguration<RoleV7> roles;
    private SgDynamicConfiguration<TenantV7> tenants;
    // Block registries keyed by client address, user name and network range respectively;
    // how they are populated and consulted is outside this part of the file.
    private ClientBlockRegistry<InetAddress> blockedIpAddresses;
    private ClientBlockRegistry<String> blockedUsers;
    // NOTE(review): the name looks like a typo for "blockedNetmasks"; left unchanged because
    // references to it may exist outside this part of the file.
    private ClientBlockRegistry<IPAddressString> blockeNetmasks;

    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$ExcludedIndexPermissions.class */
    /**
     * One entry of a role's index-permission exclusions: an index pattern together with the
     * actions that are excluded on the indices it covers.
     *
     * <p>The pattern may carry user-attribute placeholders, which are substituted per user through
     * {@code UserAttributes.replaceAttributes} before any matching takes place. Both
     * {@link #matches} and {@link #removeMatches} let {@link StringInterpolationException}
     * propagate; a caller that swallowed it would skip the exclusion, so callers are expected to
     * deny on failure (as {@code SgRole.removeAllResolvedExcludedIndices} does by clearing the set).
     *
     * <p>{@code hashCode}/{@code equals} depend on the mutable {@code perms} set, so an instance
     * should be fully populated before it is placed into a hash-based collection.
     */
    public static class ExcludedIndexPermissions implements ToXContentObject {
        private final String indexPattern;
        private final Set<String> perms = new HashSet<>();

        /**
         * @param str the raw (not yet interpolated) index pattern; must not be null
         * @throws NullPointerException if {@code str} is null
         */
        public ExcludedIndexPermissions(String str) {
            this.indexPattern = Objects.requireNonNull(str);
        }

        /**
         * Adds excluded actions to this entry; a null argument is ignored.
         *
         * @return this instance, for chaining
         */
        public ExcludedIndexPermissions addPerm(Set<String> set) {
            if (set == null) {
                return this;
            }
            this.perms.addAll(set);
            return this;
        }

        /**
         * Tells whether this exclusion covers at least one of the given index names.
         *
         * <p>The interpolated pattern is tried as the catch-all {@code *}, then directly against
         * {@code set} (wildcard or exact), and finally through aliases: matching alias names are
         * resolved to concrete indices with {@code IndicesOptions.lenientExpandOpen()} and those
         * are looked up in {@code set}.
         *
         * @param set index names to test; not modified
         * @param user user whose attributes are substituted into the pattern
         * @return true if any index in {@code set} is covered
         * @throws StringInterpolationException if attribute substitution fails
         */
        public boolean matches(Set<String> set, User user, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) throws StringInterpolationException {
            final String pattern = UserAttributes.replaceAttributes(this.indexPattern, user);
            if (ConfigModelV7.log.isTraceEnabled()) {
                ConfigModelV7.log.trace("matches(" + set + ") on " + this.indexPattern + " => " + pattern);
            }
            if (pattern.equals("*")) {
                return true;
            }

            if (!WildcardMatcher.containsWildcard(pattern)) {
                // Exact name: either it is requested directly, or it is an alias whose
                // concrete indices are requested.
                if (set.contains(pattern)) {
                    if (ConfigModelV7.log.isTraceEnabled()) {
                        ConfigModelV7.log.trace("Direct match");
                    }
                    return true;
                }
                String[] resolvedNames = indexNameExpressionResolver.concreteIndexNames(clusterService.state(), IndicesOptions.lenientExpandOpen(), new String[]{pattern});
                for (String name : resolvedNames) {
                    if (set.contains(name)) {
                        if (ConfigModelV7.log.isTraceEnabled()) {
                            ConfigModelV7.log.trace("Match on alias: " + name + "; all resolved: " + Arrays.asList(resolvedNames));
                        }
                        return true;
                    }
                }
                if (ConfigModelV7.log.isTraceEnabled()) {
                    ConfigModelV7.log.trace("No match on resolved aliases: " + Arrays.asList(resolvedNames));
                }
                return false;
            }

            // Wildcard pattern: direct match against the requested names first.
            if (WildcardMatcher.matchAny(pattern, set)) {
                if (ConfigModelV7.log.isTraceEnabled()) {
                    ConfigModelV7.log.trace("Direct pattern match");
                }
                return true;
            }
            String[] aliasNames = aliasNamesMatching(pattern, clusterService);
            if (aliasNames.length == 0) {
                return false;
            }
            String[] resolvedNames = indexNameExpressionResolver.concreteIndexNames(clusterService.state(), IndicesOptions.lenientExpandOpen(), aliasNames);
            for (String name : resolvedNames) {
                if (set.contains(name)) {
                    if (ConfigModelV7.log.isTraceEnabled()) {
                        ConfigModelV7.log.trace("Match on alias: " + name + "; all resolved: " + Arrays.asList(resolvedNames));
                    }
                    return true;
                }
            }
            return false;
        }

        /**
         * Removes from {@code set} every index name this exclusion covers, in place.
         *
         * <p>{@code *} empties the set. Otherwise directly matching names are removed first and,
         * if anything is left, the concrete indices behind matching aliases are removed as well.
         *
         * @param set mutable set of index names; entries covered by this exclusion are removed
         * @param user user whose attributes are substituted into the pattern
         * @throws StringInterpolationException if attribute substitution fails; {@code set} is
         *         untouched in that case, so the caller must deny rather than continue
         */
        public void removeMatches(Set<String> set, User user, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) throws StringInterpolationException {
            final String pattern = UserAttributes.replaceAttributes(this.indexPattern, user);
            if (ConfigModelV7.log.isTraceEnabled()) {
                ConfigModelV7.log.trace("removeMatches(" + set + ") on " + this.indexPattern + " => " + pattern);
            }
            if (pattern.equals("*")) {
                set.clear();
                return;
            }

            final boolean wildcard = WildcardMatcher.containsWildcard(pattern);
            if (wildcard) {
                set.removeIf(name -> WildcardMatcher.match(pattern, name));
            } else {
                set.remove(pattern);
            }
            if (ConfigModelV7.log.isTraceEnabled()) {
                ConfigModelV7.log.trace("remaining indices after removing matches: " + set);
            }
            if (set.isEmpty()) {
                return;
            }

            // Second pass: the pattern may name (or match) aliases whose concrete indices are
            // still present in the set.
            final String[] expressions;
            if (wildcard) {
                expressions = aliasNamesMatching(pattern, clusterService);
                if (expressions.length == 0) {
                    return;
                }
            } else {
                expressions = new String[]{pattern};
            }
            String[] resolvedNames = indexNameExpressionResolver.concreteIndexNames(clusterService.state(), IndicesOptions.lenientExpandOpen(), expressions);
            for (String name : resolvedNames) {
                set.remove(name);
            }
            if (ConfigModelV7.log.isTraceEnabled()) {
                ConfigModelV7.log.trace("remaining indices after removing matching aliases (" + Arrays.asList(resolvedNames) + "): " + set);
            }
        }

        /** Returns the names of all aliases in the current cluster state that match {@code pattern}. */
        private static String[] aliasNamesMatching(String pattern, ClusterService clusterService) {
            return clusterService.state().getMetadata().getIndicesLookup().entrySet().stream()
                    .filter(entry -> entry.getValue().getType().equals(IndexAbstraction.Type.ALIAS))
                    .filter(entry -> WildcardMatcher.match(pattern, entry.getKey()))
                    .map(Map.Entry::getKey)
                    .toArray(String[]::new);
        }

        /** Returns a read-only view of the excluded actions. */
        public Set<String> getPerms() {
            return Collections.unmodifiableSet(this.perms);
        }

        /**
         * Serialises this entry as an object with {@code index_patterns} (the raw pattern as a
         * one-element list) and, when non-empty, {@code actions}.
         */
        @Override
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.field("index_patterns", Collections.singletonList(this.indexPattern));
            if (!this.perms.isEmpty()) {
                xContentBuilder.field("actions", this.perms);
            }
            xContentBuilder.endObject();
            return xContentBuilder;
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.indexPattern, this.perms);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            ExcludedIndexPermissions other = (ExcludedIndexPermissions) obj;
            return Objects.equals(this.indexPattern, other.indexPattern) && Objects.equals(this.perms, other.perms);
        }

        @Override
        public String toString() {
            return "ExcludedIndexPermissions [indexPattern=" + this.indexPattern + ", perms=" + this.perms + "]";
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$IndexPattern.class */
    /**
     * The permissions a role grants on one index pattern: allowed actions plus the optional
     * document-level (DLS) query, field-level (FLS) field list and masked-field list.
     *
     * <p>The pattern and the DLS query are stored raw; {@code ConfigModelV7.replaceProperties}
     * substitutes user properties into them on access. That method is defined outside this part
     * of the file.
     *
     * <p>{@code hashCode}/{@code equals} depend on the mutable sets and on {@code dlsQuery}, so an
     * instance should be fully populated before it is placed into a hash-based collection.
     */
    public static class IndexPattern implements ToXContentObject {
        private final String indexPattern;
        private String dlsQuery;
        private final Set<String> fls = new HashSet<>();
        private final Set<String> maskedFields = new HashSet<>();
        private final Set<String> perms = new HashSet<>();

        /**
         * @param str the raw index pattern; must not be null
         * @throws NullPointerException if {@code str} is null
         */
        public IndexPattern(String str) {
            this.indexPattern = Objects.requireNonNull(str);
        }

        /** Adds FLS field entries; a null list is ignored. Returns this instance for chaining. */
        public IndexPattern addFlsFields(List<String> list) {
            if (list == null) {
                return this;
            }
            this.fls.addAll(list);
            return this;
        }

        /** Adds masked-field entries; a null list is ignored. Returns this instance for chaining. */
        public IndexPattern addMaskedFields(List<String> list) {
            if (list == null) {
                return this;
            }
            this.maskedFields.addAll(list);
            return this;
        }

        /** Adds allowed actions; a null set is ignored. Returns this instance for chaining. */
        public IndexPattern addPerm(Set<String> set) {
            if (set == null) {
                return this;
            }
            this.perms.addAll(set);
            return this;
        }

        /**
         * Sets the raw DLS query. A null argument leaves any previously set query in place, so
         * this method cannot be used to clear a query.
         */
        public IndexPattern setDlsQuery(String str) {
            if (str == null) {
                return this;
            }
            this.dlsQuery = str;
            return this;
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.dlsQuery, this.fls, this.maskedFields, this.indexPattern, this.perms);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            IndexPattern other = (IndexPattern) obj;
            return Objects.equals(this.dlsQuery, other.dlsQuery)
                    && Objects.equals(this.fls, other.fls)
                    && Objects.equals(this.maskedFields, other.maskedFields)
                    && Objects.equals(this.indexPattern, other.indexPattern)
                    && Objects.equals(this.perms, other.perms);
        }

        /** Multi-line debug rendering; note that masked fields are not part of the output. */
        @Override
        public String toString() {
            final String nl = System.lineSeparator();
            return nl + "        indexPattern=" + this.indexPattern + nl + "          dlsQuery=" + this.dlsQuery + nl + "          fls=" + this.fls + nl + "          perms=" + this.perms;
        }

        /**
         * Returns the index pattern with the user's properties substituted, without resolving
         * aliases or wildcards.
         *
         * @throws StringInterpolationException if substitution fails
         */
        public String getUnresolvedIndexPattern(User user) throws StringInterpolationException {
            return ConfigModelV7.replaceProperties(this.indexPattern, user);
        }

        /**
         * Resolves this pattern to concrete index names for the given user.
         *
         * <p>For a wildcard pattern, matching alias names are resolved first; if that yields
         * nothing and the interpolated pattern is non-empty, the pattern itself is resolved. When
         * nothing resolves, the interpolated pattern is returned as the only element.
         *
         * <p>The decompiler reports that this method was private in the original class.
         *
         * @param z when true and resolution produced names, the interpolated pattern is appended
         *          as the last element of the result
         * @return resolved names, never null and never empty
         * @throws StringInterpolationException if substitution fails
         */
        public String[] getResolvedIndexPatterns(User user, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, boolean z) throws StringInterpolationException {
            final String unresolved = getUnresolvedIndexPattern(user);
            String[] concrete = null;

            if (WildcardMatcher.containsWildcard(unresolved)) {
                String[] aliasNames = clusterService.state().getMetadata().getIndicesLookup().entrySet().stream()
                        .filter(entry -> entry.getValue().getType().equals(IndexAbstraction.Type.ALIAS))
                        .filter(entry -> WildcardMatcher.match(unresolved, entry.getKey()))
                        .map(Map.Entry::getKey)
                        .toArray(String[]::new);
                if (aliasNames.length > 0) {
                    concrete = indexNameExpressionResolver.concreteIndexNames(clusterService.state(), IndicesOptions.lenientExpandOpen(), aliasNames);
                }
            }
            if (concrete == null && !unresolved.isEmpty()) {
                concrete = indexNameExpressionResolver.concreteIndexNames(clusterService.state(), IndicesOptions.lenientExpandOpen(), new String[]{unresolved});
            }

            if (concrete == null || concrete.length == 0) {
                return new String[]{unresolved};
            }
            if (!z) {
                return concrete;
            }
            String[] withPattern = Arrays.copyOf(concrete, concrete.length + 1);
            withPattern[concrete.length] = unresolved;
            return withPattern;
        }

        /**
         * Returns the DLS query with the user's properties substituted.
         *
         * <p>NOTE(review): user-derived values end up inside query text here; whether they are
         * escaped for the query syntax is decided in {@code replaceProperties}, which is not
         * visible in this part of the file. Confirm before relying on attributes that an identity
         * provider or the user can influence.
         *
         * @throws StringInterpolationException if substitution fails
         */
        public String getDlsQuery(User user) throws StringInterpolationException {
            return ConfigModelV7.replaceProperties(this.dlsQuery, user);
        }

        /** True when a non-empty DLS query is configured. */
        public boolean hasDlsQuery() {
            return this.dlsQuery != null && !this.dlsQuery.isEmpty();
        }

        /** Returns a read-only view of the FLS field entries. */
        public Set<String> getFls() {
            return Collections.unmodifiableSet(this.fls);
        }

        /** True when at least one FLS field entry is configured. */
        public boolean hasFlsFields() {
            return !this.fls.isEmpty();
        }

        /** Returns a read-only view of the masked-field entries. */
        public Set<String> getMaskedFields() {
            return Collections.unmodifiableSet(this.maskedFields);
        }

        /** True when at least one masked-field entry is configured. */
        public boolean hasMaskedFields() {
            return !this.maskedFields.isEmpty();
        }

        /** Returns a read-only view of the allowed actions. */
        public Set<String> getPerms() {
            return Collections.unmodifiableSet(this.perms);
        }

        /**
         * Serialises this entry with {@code index_patterns} (raw pattern as a one-element list)
         * and, when present, {@code dls}, {@code fls}, {@code masked_fields} and
         * {@code allowed_actions}. The raw, non-interpolated values are written.
         */
        @Override
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.field("index_patterns", Collections.singletonList(this.indexPattern));
            if (this.dlsQuery != null) {
                xContentBuilder.field("dls", this.dlsQuery);
            }
            if (!this.fls.isEmpty()) {
                xContentBuilder.field("fls", this.fls);
            }
            if (!this.maskedFields.isEmpty()) {
                xContentBuilder.field("masked_fields", this.maskedFields);
            }
            if (!this.perms.isEmpty()) {
                xContentBuilder.field("allowed_actions", this.perms);
            }
            xContentBuilder.endObject();
            return xContentBuilder;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$RoleMappingHolder.class */
    /**
     * Lookup tables built from the role-mapping configuration, used to turn a user and the
     * caller's address into the set of effective Search Guard role names.
     *
     * <p>Four tables are kept, each mapping a pattern to the role names it grants: user-name
     * patterns ({@code users}), backend-role patterns ({@code bars}), sets of backend-role
     * patterns that must all match ({@code abars}) and host patterns ({@code hosts}).
     */
    private class RoleMappingHolder {
        private ListMultimap<String, String> users;
        private ListMultimap<Set<String>, String> abars;
        private ListMultimap<String, String> bars;
        private ListMultimap<String, String> hosts;
        private final String hostResolverMode;

        /**
         * Builds the tables from the given mapping configuration.
         *
         * <p>When the enclosing model has no roles configuration the tables are left null, and
         * {@link #map} then returns an empty set for every user.
         *
         * @param sgDynamicConfiguration role-mapping entries keyed by role name
         * @param str host resolver mode; {@link #map} compares it case-insensitively with
         *            {@code ip-hostname} and {@code ip-hostname-lookup}
         */
        private RoleMappingHolder(SgDynamicConfiguration<RoleMappingsV7> sgDynamicConfiguration, String str) {
            this.hostResolverMode = str;
            if (ConfigModelV7.this.roles == null) {
                return;
            }
            ListMultimap<String, String> byUser = ArrayListMultimap.create();
            ListMultimap<Set<String>, String> byAllBackendRoles = ArrayListMultimap.create();
            ListMultimap<String, String> byBackendRole = ArrayListMultimap.create();
            ListMultimap<String, String> byHost = ArrayListMultimap.create();

            for (Map.Entry<String, RoleMappingsV7> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                final String roleName = entry.getKey();
                final RoleMappingsV7 mapping = entry.getValue();

                for (String userPattern : mapping.getUsers()) {
                    byUser.put(userPattern, roleName);
                }
                // An empty and_backend_roles list is not registered at all.
                Set<String> allOf = new HashSet<>(mapping.getAnd_backend_roles());
                if (!allOf.isEmpty()) {
                    byAllBackendRoles.put(allOf, roleName);
                }
                for (String backendRolePattern : mapping.getBackend_roles()) {
                    byBackendRole.put(backendRolePattern, roleName);
                }
                for (String hostPattern : mapping.getHosts()) {
                    byHost.put(hostPattern, roleName);
                }
            }

            this.users = byUser;
            this.abars = byAllBackendRoles;
            this.bars = byBackendRole;
            this.hosts = byHost;
        }

        /**
         * Computes the effective role names for a user.
         *
         * <p>The result starts from {@code user.getSearchGuardRoles()}. Depending on the enclosing
         * model's roles-mapping resolution, the user's backend roles are passed through as role
         * names and/or the mapping tables are applied to the user name, the backend roles and the
         * caller address.
         *
         * <p>Host matching always uses the textual address. In {@code ip-hostname} and
         * {@code ip-hostname-lookup} mode it also uses {@code getHostString()}, and in
         * {@code ip-hostname-lookup} mode additionally {@code getHostName()}.
         * {@code InetSocketAddress.getHostName()} may perform a blocking reverse DNS lookup, and
         * the answer is supplied by whoever operates the reverse zone for the caller's address.
         * Roles granted through host-name patterns in that mode are therefore only as trustworthy
         * as that DNS path; address-based patterns do not depend on it.
         *
         * <p>The decompiler reports that this method was private in the original class.
         *
         * @param user the authenticated user; null yields an empty set
         * @param transportAddress caller address, or null to skip host-based mappings
         * @return unmodifiable, sorted set of role names; empty when the tables were never built
         */
        public Set<String> map(User user, TransportAddress transportAddress) {
            if (user == null || this.users == null || this.abars == null || this.bars == null || this.hosts == null) {
                return Collections.emptySet();
            }
            final ConfigConstants.RolesMappingResolution resolution = ConfigModelV7.this.rolesMappingResolution;
            final Set<String> effective = new TreeSet<>(user.getSearchGuardRoles());

            if (resolution == ConfigConstants.RolesMappingResolution.BOTH || resolution == ConfigConstants.RolesMappingResolution.BACKENDROLES_ONLY) {
                if (ConfigModelV7.log.isDebugEnabled()) {
                    ConfigModelV7.log.debug("Pass backendroles from {}", user);
                }
                effective.addAll(user.getRoles());
            }
            if (resolution != ConfigConstants.RolesMappingResolution.BOTH && resolution != ConfigConstants.RolesMappingResolution.MAPPING_ONLY) {
                return Collections.unmodifiableSet(effective);
            }

            addGranted(effective, this.users, WildcardMatcher.getAllMatchingPatterns(this.users.keySet(), user.getName()));
            addGranted(effective, this.bars, WildcardMatcher.getAllMatchingPatterns(this.bars.keySet(), user.getRoles()));
            for (Set<String> requiredPatterns : this.abars.keySet()) {
                if (WildcardMatcher.allPatternsMatched(requiredPatterns, user.getRoles())) {
                    effective.addAll(this.abars.get(requiredPatterns));
                }
            }

            if (transportAddress != null) {
                addGranted(effective, this.hosts, WildcardMatcher.getAllMatchingPatterns(this.hosts.keySet(), transportAddress.getAddress()));
                if (transportAddress.address() != null) {
                    if (this.hostResolverMode.equalsIgnoreCase("ip-hostname") || this.hostResolverMode.equalsIgnoreCase("ip-hostname-lookup")) {
                        addGranted(effective, this.hosts, WildcardMatcher.getAllMatchingPatterns(this.hosts.keySet(), transportAddress.address().getHostString()));
                    }
                    if (this.hostResolverMode.equalsIgnoreCase("ip-hostname-lookup")) {
                        // May trigger a reverse DNS lookup; see the method documentation.
                        addGranted(effective, this.hosts, WildcardMatcher.getAllMatchingPatterns(this.hosts.keySet(), transportAddress.address().getHostName()));
                    }
                }
            }
            return Collections.unmodifiableSet(effective);
        }

        /** Adds to {@code target} every role name that {@code table} holds for the matched patterns. */
        private void addGranted(Set<String> target, ListMultimap<String, String> table, Iterable<String> matchedPatterns) {
            for (String pattern : matchedPatterns) {
                target.addAll(table.get(pattern));
            }
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$SgRole.class */
    public static class SgRole implements ToXContentObject {
        // Role name; the private constructor rejects null.
        private final String name;
        // Index grants of this role; filled through addIndexPattern.
        private final Set<IndexPattern> ipatterns = new HashSet();
        // Cluster-level action patterns granted by this role; filled through addClusterPerms.
        private final Set<String> clusterPerms = new HashSet();
        // Index-level exclusions; create() fills this from the role's exclude_index_permissions.
        private final Set<ExcludedIndexPermissions> indexPermissionExclusions = new HashSet();
        // Cluster-level exclusions; create() fills this from the role's exclude_cluster_permissions.
        private final Set<String> clusterPermissionExclusions = new HashSet();

        /**
         * Builds the runtime role from its configuration entry.
         *
         * <p>Action groups are expanded through {@code actionGroupResolver} for cluster
         * permissions, per-index allowed actions and both kinds of exclusions. Every pattern
         * listed in one {@code index_permissions} entry receives that entry's DLS query, FLS
         * fields, masked fields and allowed actions. Exclusion sections are optional and skipped
         * when the configuration returns null for them.
         *
         * @param str role name; must not be null
         * @param roleV7 the role's configuration
         * @param actionGroupResolver resolves action-group names to concrete actions
         * @return the populated role
         */
        static SgRole create(String str, RoleV7 roleV7, ConfigModel.ActionGroupResolver actionGroupResolver) {
            final SgRole role = new SgRole(str);
            role.addClusterPerms(actionGroupResolver.resolvedActions(roleV7.getCluster_permissions()));

            for (RoleV7.Index index : roleV7.getIndex_permissions()) {
                final String dls = index.getDls();
                final List<String> flsFields = index.getFls();
                final List<String> maskedFields = index.getMasked_fields();
                for (String pattern : index.getIndex_patterns()) {
                    // Populate the entry completely before it goes into the role's hash set.
                    IndexPattern grant = new IndexPattern(pattern)
                            .setDlsQuery(dls)
                            .addFlsFields(flsFields)
                            .addMaskedFields(maskedFields)
                            .addPerm(actionGroupResolver.resolvedActions(index.getAllowed_actions()));
                    role.addIndexPattern(grant);
                }
            }

            if (roleV7.getExclude_cluster_permissions() != null) {
                role.clusterPermissionExclusions.addAll(actionGroupResolver.resolvedActions(roleV7.getExclude_cluster_permissions()));
            }
            if (roleV7.getExclude_index_permissions() != null) {
                for (RoleV7.ExcludeIndex excludeIndex : roleV7.getExclude_index_permissions()) {
                    for (String pattern : excludeIndex.getIndex_patterns()) {
                        ExcludedIndexPermissions exclusion = new ExcludedIndexPermissions(pattern)
                                .addPerm(actionGroupResolver.resolvedActions(excludeIndex.getActions()));
                        role.indexPermissionExclusions.add(exclusion);
                    }
                }
            }
            return role;
        }

        /**
         * Creates an empty role; instances are built through {@code create}.
         *
         * @throws NullPointerException if {@code str} is null
         */
        private SgRole(String str) {
            this.name = Objects.requireNonNull(str);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Tells whether any of this role's cluster permission patterns matches the given action.
         * Exclusions are not consulted here; see {@code excludesClusterPermission}.
         */
        public boolean impliesClusterPermission(String str) {
            final boolean granted = WildcardMatcher.matchAny(this.clusterPerms, str);
            return granted;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Tells whether any of this role's cluster permission exclusion patterns matches the
         * given action.
         */
        public boolean excludesClusterPermission(String str) {
            final boolean excluded = WildcardMatcher.matchAny(this.clusterPermissionExclusions, str);
            return excluded;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Collects the indices on which this role permits all of the requested actions.
         *
         * <p>Only index patterns whose allowed actions cover every entry of {@code strArr} are
         * considered. For a request addressing all indices ({@code isLocalAll()}, {@code *} or
         * {@code _all}) the candidates are all concrete open indices of the cluster; otherwise
         * they are the request's resolved indices. Candidates are then narrowed to those matching
         * the pattern's resolved names. Exclusions are not applied here.
         *
         * <p>If user-property substitution fails for a pattern, a warning is logged and that
         * pattern contributes no indices, so the failure cannot widen access.
         *
         * @param resolved the indices addressed by the request
         * @param strArr the requested actions
         * @return unmodifiable set of permitted index names, possibly empty
         */
        public Set<String> getAllResolvedPermittedIndices(IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            final Set<String> permitted = new HashSet<>();
            for (IndexPattern grant : this.ipatterns) {
                String[] grantedActions = grant.getPerms().toArray(new String[0]);
                if (!WildcardMatcher.matchAll(grantedActions, strArr)) {
                    continue;
                }
                try {
                    String[] grantPatterns = grant.getResolvedIndexPatterns(user, indexNameExpressionResolver, clusterService, true);
                    final Set<String> candidates;
                    if (resolved.isLocalAll() || resolved.getAllIndicesOrPattern().contains("*") || resolved.getAllIndicesOrPattern().contains("_all")) {
                        candidates = new HashSet<>(Arrays.asList(clusterService.state().getMetadata().getConcreteAllOpenIndices()));
                    } else {
                        candidates = new HashSet<>(resolved.getAllIndices());
                    }
                    WildcardMatcher.wildcardRetainInSet(candidates, grantPatterns);
                    permitted.addAll(candidates);
                } catch (StringInterpolationException e) {
                    ConfigModelV7.log.warn("Invalid index pattern " + grant.indexPattern, e);
                }
            }
            return Collections.unmodifiableSet(permitted);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Applies this role's index-permission exclusions to a set of permitted indices, in place.
         *
         * <p>An exclusion is applied only when its actions cover every entry of {@code strArr}.
         * A raw {@code *} pattern empties the set. If user-attribute substitution fails for an
         * exclusion, the set is emptied as well: the exclusion cannot be evaluated, so the
         * request is denied for all indices rather than letting the exclusion lapse.
         *
         * @param set mutable set of permitted index names; excluded entries are removed
         * @param strArr the requested actions
         */
        public void removeAllResolvedExcludedIndices(Set<String> set, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            for (ExcludedIndexPermissions exclusion : this.indexPermissionExclusions) {
                if (set.isEmpty()) {
                    // Nothing left to exclude.
                    return;
                }
                String[] excludedActions = exclusion.getPerms().toArray(new String[0]);
                if (!WildcardMatcher.matchAll(excludedActions, strArr)) {
                    continue;
                }
                if (exclusion.indexPattern.equals("*")) {
                    set.clear();
                    return;
                }
                try {
                    exclusion.removeMatches(set, user, indexNameExpressionResolver, clusterService);
                } catch (StringInterpolationException e) {
                    ConfigModelV7.log.warn("Invalid index pattern " + exclusion.indexPattern + " in permission exclusion.\nIn order to fail safely, the requested actions will be denied for all indices.", e);
                    set.clear();
                    return;
                }
            }
        }

        /**
         * Registers an index grant; null is ignored. The grant is stored in a hash set, so it
         * should not be modified afterwards. Returns this role for chaining.
         */
        private SgRole addIndexPattern(IndexPattern indexPattern) {
            if (indexPattern == null) {
                return this;
            }
            this.ipatterns.add(indexPattern);
            return this;
        }

        /** Adds cluster permission patterns; null is ignored. Returns this role for chaining. */
        private SgRole addClusterPerms(Collection<String> collection) {
            if (collection == null) {
                return this;
            }
            this.clusterPerms.addAll(collection);
            return this;
        }

        /** Hash over both exclusion sets, both permission sets and the name, in that order. */
        @Override
        public int hashCode() {
            return Objects.hash(this.clusterPermissionExclusions, this.clusterPerms, this.indexPermissionExclusions, this.ipatterns, this.name);
        }

        /**
         * Two roles are equal when they are of the same class and agree on cluster permission
         * exclusions, cluster permissions, index permission exclusions, index patterns and name.
         * Each field comparison is null-safe.
         *
         * @param obj object to compare with
         * @return {@code true} if {@code obj} is an equal role
         */
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            SgRole other = (SgRole) obj;
            return Objects.equals(this.clusterPermissionExclusions, other.clusterPermissionExclusions)
                    && Objects.equals(this.clusterPerms, other.clusterPerms)
                    && Objects.equals(this.indexPermissionExclusions, other.indexPermissionExclusions)
                    && Objects.equals(this.ipatterns, other.ipatterns)
                    && Objects.equals(this.name, other.name);
        }

        /**
         * Renders the role name, index patterns and cluster permissions on separate lines.
         * The two exclusion fields are not part of this rendering, so log output built from
         * it does not show what a role denies.
         */
        @Override
        public String toString() {
            String newline = System.lineSeparator();
            StringBuilder text = new StringBuilder();
            text.append(newline).append("  ").append(this.name);
            text.append(newline).append("    ipatterns=").append(this.ipatterns);
            text.append(newline).append("    clusterPerms=").append(this.clusterPerms);
            return text.toString();
        }

        /**
         * Returns a read-only view of this role's index patterns. The view wraps the live
         * set rather than copying it, and it does not protect the patterns themselves.
         *
         * @return unmodifiable view of the index patterns
         */
        public Set<IndexPattern> getIpatterns() {
            Set<IndexPattern> readOnlyView = Collections.unmodifiableSet(this.ipatterns);
            return readOnlyView;
        }

        /**
         * Returns a read-only view of this role's cluster permissions. The view wraps the
         * live set rather than copying it.
         *
         * @return unmodifiable view of the cluster permissions
         */
        public Set<String> getClusterPerms() {
            Set<String> readOnlyView = Collections.unmodifiableSet(this.clusterPerms);
            return readOnlyView;
        }

        /**
         * Returns the name of this role.
         *
         * @return the role name
         */
        public String getName() {
            return name;
        }

        /**
         * Writes this role as one object with up to four fields: {@code cluster_permissions},
         * {@code index_permissions}, {@code excluded_cluster_permissions} and
         * {@code excluded_index_permissions}. A field is omitted when its source is
         * {@code null} or empty.
         *
         * @param xContentBuilder builder to write to
         * @param params not read by this method
         * @return the builder that was passed in
         * @throws IOException if the builder fails to write
         */
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            boolean hasClusterPerms = this.clusterPerms != null && !this.clusterPerms.isEmpty();
            boolean hasIndexPatterns = this.ipatterns != null && !this.ipatterns.isEmpty();
            boolean hasClusterExclusions = this.clusterPermissionExclusions != null && !this.clusterPermissionExclusions.isEmpty();
            boolean hasIndexExclusions = this.indexPermissionExclusions != null && !this.indexPermissionExclusions.isEmpty();

            xContentBuilder.startObject();
            if (hasClusterPerms) {
                xContentBuilder.field("cluster_permissions", this.clusterPerms);
            }
            if (hasIndexPatterns) {
                xContentBuilder.field("index_permissions", this.ipatterns);
            }
            if (hasClusterExclusions) {
                xContentBuilder.field("excluded_cluster_permissions", this.clusterPermissionExclusions);
            }
            if (hasIndexExclusions) {
                xContentBuilder.field("excluded_index_permissions", this.indexPermissionExclusions);
            }
            xContentBuilder.endObject();
            return xContentBuilder;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$SgRoles.class */
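    /**
     * A set of {@link SgRole}s together with the authorization decisions derived from it.
     *
     * <p>Decision methods in this class evaluate exclusions before grants: an exclusion in
     * any role of the set denies the request even when another role would allow it. An
     * exclusion that cannot be evaluated is treated as a match, so evaluation fails closed.
     *
     * <p>The DLS, FLS and field-masking lookups read the static
     * {@code ConfigModelV7.dfmEmptyOverridesAll} flag on every call. When the flag is set,
     * an index pattern that carries no restriction removes the restrictions other roles
     * attach to matching indices, so one unrestricted role widens what the user can see.
     */
    public static class SgRoles extends com.floragunn.searchguard.sgconf.SgRoles implements ToXContentObject {
        protected final Logger log;
        final Set<SgRole> roles;

        /**
         * Builds the role set from the roles configuration; entries with a {@code null}
         * value are skipped.
         *
         * @param sgDynamicConfiguration roles configuration, keyed by role name
         * @param actionGroupResolver resolver handed to {@code SgRole.create}
         * @return the populated role set
         */
        public static SgRoles create(SgDynamicConfiguration<RoleV7> sgDynamicConfiguration, ConfigModel.ActionGroupResolver actionGroupResolver) {
            SgRoles sgRoles = new SgRoles(sgDynamicConfiguration.getCEntries().size());
            for (Map.Entry<String, RoleV7> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                if (entry.getValue() != null) {
                    sgRoles.addSgRole(SgRole.create(entry.getKey(), entry.getValue(), actionGroupResolver));
                }
            }
            return sgRoles;
        }

        private SgRoles(int i) {
            this.log = LogManager.getLogger(getClass());
            this.roles = new HashSet<>(i);
        }

        /**
         * Adds a role to the set; {@code null} is ignored.
         *
         * @param sgRole role to add, may be {@code null}
         * @return this instance, so calls can be chained
         */
        /* JADX INFO: Access modifiers changed from: private */
        public SgRoles addSgRole(SgRole sgRole) {
            if (sgRole != null) {
                this.roles.add(sgRole);
            }
            return this;
        }

        @Override
        public int hashCode() {
            return 31 + Objects.hashCode(this.roles);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            SgRoles other = (SgRoles) obj;
            return Objects.equals(this.roles, other.roles);
        }

        @Override
        public String toString() {
            return "roles=" + this.roles;
        }

        /**
         * Returns a read-only view of the roles in this set.
         *
         * @return unmodifiable view of the roles
         */
        public Set<SgRole> getRoles() {
            return Collections.unmodifiableSet(this.roles);
        }

        /**
         * Returns the names of all roles in this set.
         *
         * @return a new set of role names
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public Set<String> getRoleNames() {
            return this.roles.stream().map(SgRole::getName).collect(Collectors.toSet());
        }

        /**
         * Returns a new role set holding only the roles whose name is in {@code set}. The
         * {@link SgRole} instances are shared with this set, not copied.
         *
         * <p>The return type is narrower than the base-class signature; the compiler emits
         * the bridge method for it, so none is written by hand.
         *
         * @param set role names to keep
         * @return the filtered role set
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public SgRoles filter(Set<String> set) {
            SgRoles filtered = new SgRoles(this.roles.size());
            for (SgRole sgRole : this.roles) {
                if (set.contains(sgRole.getName())) {
                    filtered.addSgRole(sgRole);
                }
            }
            return filtered;
        }

        /**
         * Collects the masked fields that apply to {@code user}, keyed by resolved index pattern.
         *
         * <p>Masked fields of all roles are merged per index. With
         * {@code dfmEmptyOverridesAll} set, an index pattern without masked fields removes
         * the matching keys from the result, so masking configured by other roles is
         * dropped for those indices.
         *
         * @param user user the index patterns are resolved for
         * @param indexNameExpressionResolver passed through to the index pattern resolution
         * @param clusterService passed through to the index pattern resolution
         * @return masked field names per resolved index pattern; an empty map when no role masks fields
         * @throws ElasticsearchSecurityException if an index pattern cannot be interpolated
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public Map<String, Set<String>> getMaskedFields(User user, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            boolean anyMaskedFields = this.roles.stream()
                    .flatMap(role -> role.getIpatterns().stream())
                    .anyMatch(IndexPattern::hasMaskedFields);
            if (!anyMaskedFields) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("No masked fields found for {} in {} sg roles", user, Integer.valueOf(this.roles.size()));
                }
                return Collections.emptyMap();
            }
            Map<String, Set<String>> maskedFieldsByIndex = new HashMap<>();
            Set<String> patternsWithoutMasking = new HashSet<>();
            for (SgRole sgRole : this.roles) {
                for (IndexPattern indexPattern : sgRole.getIpatterns()) {
                    Set<String> maskedFields = indexPattern.getMaskedFields();
                    String[] resolvedIndexPatterns;
                    try {
                        resolvedIndexPatterns = indexPattern.getResolvedIndexPatterns(user, indexNameExpressionResolver, clusterService, false);
                    } catch (StringInterpolationException e) {
                        // A pattern that cannot be resolved aborts the lookup instead of
                        // returning a result that silently lacks this role's masking.
                        throw new ElasticsearchSecurityException("Invalid index pattern in role " + sgRole.getName() + ": " + indexPattern.indexPattern, e, new Object[0]);
                    }
                    if (maskedFields != null && maskedFields.size() > 0) {
                        for (String index : resolvedIndexPatterns) {
                            maskedFieldsByIndex.computeIfAbsent(index, key -> new HashSet<>()).addAll(maskedFields);
                        }
                    } else if (ConfigModelV7.dfmEmptyOverridesAll) {
                        patternsWithoutMasking.addAll(Arrays.asList(resolvedIndexPatterns));
                    }
                }
            }
            if (ConfigModelV7.dfmEmptyOverridesAll) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Index patterns with no masked fields attached: {} - They will be removed from {}", patternsWithoutMasking, maskedFieldsByIndex.keySet());
                }
                // Removing from the key set also removes the entries from the map.
                WildcardMatcher.wildcardRemoveFromSet(maskedFieldsByIndex.keySet(), patternsWithoutMasking);
            }
            return maskedFieldsByIndex;
        }

        /**
         * Collects the DLS queries and FLS fields that apply to {@code user}, each keyed by
         * resolved index pattern.
         *
         * <p>Restrictions of all roles are merged per index. With
         * {@code dfmEmptyOverridesAll} set, an index pattern without a DLS query removes
         * the matching keys from the DLS map, and one without FLS fields removes them from
         * the FLS map, so one unrestricted role lifts the restrictions of the others.
         *
         * @param user user the DLS queries and index patterns are resolved for
         * @param indexNameExpressionResolver passed through to the index pattern resolution
         * @param clusterService passed through to the index pattern resolution
         * @return tuple of (DLS queries per index, FLS fields per index); two empty maps when
         *         no role defines DLS or FLS
         * @throws ElasticsearchSecurityException if a DLS query or an index pattern cannot be
         *         interpolated
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public Tuple<Map<String, Set<String>>, Map<String, Set<String>>> getDlsFls(User user, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            boolean anyDlsOrFls = this.roles.stream()
                    .flatMap(role -> role.getIpatterns().stream())
                    .anyMatch(pattern -> pattern.hasDlsQuery() || pattern.hasFlsFields());
            if (!anyDlsOrFls) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("No fls or dls found for {} in {} sg roles", user, Integer.valueOf(this.roles.size()));
                }
                return new Tuple<>(Collections.emptyMap(), Collections.emptyMap());
            }
            Map<String, Set<String>> dlsQueriesByIndex = new HashMap<>();
            Map<String, Set<String>> flsFieldsByIndex = new HashMap<>();
            Set<String> patternsWithoutDls = new HashSet<>();
            Set<String> patternsWithoutFls = new HashSet<>();
            for (SgRole sgRole : this.roles) {
                for (IndexPattern indexPattern : sgRole.getIpatterns()) {
                    Set<String> fls = indexPattern.getFls();
                    String dlsQuery;
                    try {
                        dlsQuery = indexPattern.getDlsQuery(user);
                    } catch (StringInterpolationException e) {
                        throw new ElasticsearchSecurityException("Invalid DLS query in role " + sgRole.getName() + ": " + indexPattern.dlsQuery, e, new Object[0]);
                    }
                    String[] resolvedIndexPatterns;
                    try {
                        resolvedIndexPatterns = indexPattern.getResolvedIndexPatterns(user, indexNameExpressionResolver, clusterService, false);
                    } catch (StringInterpolationException e) {
                        throw new ElasticsearchSecurityException("Invalid index pattern in role " + sgRole.getName() + ": " + indexPattern.indexPattern, e, new Object[0]);
                    }
                    if (dlsQuery != null && dlsQuery.length() > 0) {
                        for (String index : resolvedIndexPatterns) {
                            dlsQueriesByIndex.computeIfAbsent(index, key -> new HashSet<>()).add(dlsQuery);
                        }
                    } else if (ConfigModelV7.dfmEmptyOverridesAll) {
                        patternsWithoutDls.addAll(Arrays.asList(resolvedIndexPatterns));
                    }
                    if (fls == null || fls.size() <= 0) {
                        // Collected regardless of the flag; only read below when the flag is set.
                        patternsWithoutFls.addAll(Arrays.asList(resolvedIndexPatterns));
                    } else {
                        for (String index : resolvedIndexPatterns) {
                            flsFieldsByIndex.computeIfAbsent(index, key -> new HashSet<>()).addAll(fls);
                        }
                    }
                }
            }
            if (ConfigModelV7.dfmEmptyOverridesAll) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Index patterns with no dls queries attached: {} - They will be removed from {}", patternsWithoutDls, dlsQueriesByIndex.keySet());
                    this.log.debug("Index patterns with no fls fields attached: {} - They will be removed from {}", patternsWithoutFls, flsFieldsByIndex.keySet());
                }
                // Removing from the key sets also removes the entries from the maps.
                WildcardMatcher.wildcardRemoveFromSet(dlsQueriesByIndex.keySet(), patternsWithoutDls);
                WildcardMatcher.wildcardRemoveFromSet(flsFieldsByIndex.keySet(), patternsWithoutFls);
            }
            return new Tuple<>(dlsQueriesByIndex, flsFieldsByIndex);
        }

        /**
         * Returns the indices on which the requested actions are permitted, evaluated
         * against all local indices rather than against the indices in {@code resolved}.
         *
         * <p>Grants of all roles are collected first, then the exclusions of all roles are
         * applied. The remote indices of {@code resolved} are added after the exclusions
         * have run, so exclusions in this role set do not remove them.
         *
         * @param resolved only its remote indices are read
         * @param user user the permissions are evaluated for
         * @param strArr requested action names
         * @param indexNameExpressionResolver passed through to the role evaluation
         * @param clusterService passed through to the role evaluation
         * @return unmodifiable set of permitted local indices plus the requested remote indices
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public Set<String> getAllPermittedIndicesForKibana(IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            Set<String> permitted = new HashSet<>();
            for (SgRole sgRole : this.roles) {
                permitted.addAll(sgRole.getAllResolvedPermittedIndices(IndexResolverReplacer.Resolved._LOCAL_ALL, user, strArr, indexNameExpressionResolver, clusterService));
            }
            // Exclusions run only after every grant is in, so a deny in one role also
            // removes what another role granted.
            for (SgRole sgRole : this.roles) {
                sgRole.removeAllResolvedExcludedIndices(permitted, user, strArr, indexNameExpressionResolver, clusterService);
            }
            permitted.addAll(resolved.getRemoteIndices());
            return Collections.unmodifiableSet(permitted);
        }

        /**
         * Reduces the requested indices to those on which the requested actions are
         * permitted: grants of all roles are collected, then exclusions of all roles are applied.
         *
         * @param resolved requested indices
         * @param user user the permissions are evaluated for
         * @param strArr requested action names
         * @param indexNameExpressionResolver passed through to the role evaluation
         * @param clusterService passed through to the role evaluation
         * @return unmodifiable set of permitted indices
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public Set<String> reduce(IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            Set<String> permitted = new HashSet<>();
            for (SgRole sgRole : this.roles) {
                permitted.addAll(sgRole.getAllResolvedPermittedIndices(resolved, user, strArr, indexNameExpressionResolver, clusterService));
            }
            // Exclusions run only after every grant is in, so a deny in one role also
            // removes what another role granted.
            for (SgRole sgRole : this.roles) {
                sgRole.removeAllResolvedExcludedIndices(permitted, user, strArr, indexNameExpressionResolver, clusterService);
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Reduced requested resolved indices {} to permitted indices {}.", resolved, permitted);
            }
            return Collections.unmodifiableSet(permitted);
        }

        /**
         * Decides whether the requested actions are allowed on the requested indices.
         * An applicable exclusion denies the request; otherwise the request is allowed as
         * soon as the index patterns of one single role imply it.
         *
         * @param resolved requested indices
         * @param user user the permissions are evaluated for
         * @param strArr requested action names
         * @param indexNameExpressionResolver passed through to the permission check
         * @param clusterService passed through to the permission check
         * @return {@code true} if allowed, {@code false} if excluded or not granted
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public boolean get(IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            if (isIndexActionExcluded(resolved, user, strArr, indexNameExpressionResolver, clusterService)) {
                return false;
            }
            for (SgRole sgRole : this.roles) {
                if (ConfigModelV7.impliesTypePerm(sgRole.getIpatterns(), resolved, user, strArr, indexNameExpressionResolver, clusterService)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Decides whether a cluster permission is granted. All roles are checked for an
         * exclusion before any grant is considered, so an exclusion in one role overrides
         * a grant in another.
         *
         * @param str cluster permission (action name) to check
         * @return {@code true} if no role excludes the permission and at least one grants it
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public boolean impliesClusterPermissionPermission(String str) {
            for (SgRole sgRole : this.roles) {
                if (sgRole.excludesClusterPermission(str)) {
                    return false;
                }
            }
            for (SgRole sgRole : this.roles) {
                if (sgRole.impliesClusterPermission(str)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Like {@link #get}, but evaluates the index patterns of all roles as one pooled
         * set instead of role by role.
         *
         * @param resolved requested indices
         * @param user user the permissions are evaluated for
         * @param strArr requested action names
         * @param indexNameExpressionResolver passed through to the permission check
         * @param clusterService passed through to the permission check
         * @return {@code true} if allowed, {@code false} if excluded or not granted
         */
        @Override // com.floragunn.searchguard.sgconf.SgRoles
        public boolean impliesTypePermGlobal(IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            if (isIndexActionExcluded(resolved, user, strArr, indexNameExpressionResolver, clusterService)) {
                return false;
            }
            Set<IndexPattern> pooledPatterns = new HashSet<>();
            for (SgRole sgRole : this.roles) {
                pooledPatterns.addAll(sgRole.getIpatterns());
            }
            return ConfigModelV7.impliesTypePerm(pooledPatterns, resolved, user, strArr, indexNameExpressionResolver, clusterService);
        }

        /**
         * Tells whether an index permission exclusion of any role applies to the request.
         *
         * <p>An exclusion applies when one of the requested actions matches its permission
         * patterns and either the request targets all local indices or the exclusion
         * matches the requested indices. An exclusion whose index pattern cannot be
         * interpolated counts as applying, so a broken exclusion denies rather than allows.
         *
         * @return {@code true} if the request must be denied
         */
        private boolean isIndexActionExcluded(IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
            for (SgRole sgRole : this.roles) {
                for (ExcludedIndexPermissions excludedIndexPermissions : sgRole.indexPermissionExclusions) {
                    for (String action : strArr) {
                        if (WildcardMatcher.matchAny(excludedIndexPermissions.perms, action)) {
                            try {
                                if (resolved.isLocalAll() || excludedIndexPermissions.matches(resolved.getAllIndices(), user, indexNameExpressionResolver, clusterService)) {
                                    return true;
                                }
                            } catch (StringInterpolationException e) {
                                // Fail closed: an exclusion that cannot be evaluated denies the request.
                                this.log.warn("Invalid index pattern " + excludedIndexPermissions.indexPattern + " in permission exclusion.\nIn order to fail safely, the requested actions will be denied for all indices.", e);
                                return true;
                            }
                        }
                    }
                }
            }
            return false;
        }

        /**
         * Writes the role set as one object: a {@code _sg_meta} header followed by one
         * field per role, named after the role.
         *
         * @param xContentBuilder builder to write to
         * @param params not read by this method
         * @return the builder that was passed in
         * @throws IOException if the builder fails to write
         */
        @Override
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.startObject("_sg_meta");
            xContentBuilder.field(ConfigConstants.SEARCHGUARD_AUDIT_ES_TYPE, "roles");
            xContentBuilder.field("config_version", 2);
            xContentBuilder.endObject();
            for (SgRole sgRole : this.roles) {
                xContentBuilder.field(sgRole.getName(), sgRole);
            }
            xContentBuilder.endObject();
            return xContentBuilder;
        }
    }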

    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$Tenant.class */
    /**
     * Immutable pair of a tenant name and a flag telling whether access to that tenant is
     * read-write. Equality and hashing cover both values.
     */
    public static class Tenant {
        private final String tenant;
        private final boolean readWrite;

        private Tenant(String str, boolean z) {
            this.tenant = str;
            this.readWrite = z;
        }

        /**
         * @return the tenant name
         */
        public String getTenant() {
            return tenant;
        }

        /**
         * @return {@code true} if the tenant may be written to
         */
        public boolean isReadWrite() {
            return readWrite;
        }

        @Override
        public int hashCode() {
            // Boolean hashes to 1231 / 1237 and a null tenant to 0.
            return Objects.hash(this.readWrite, this.tenant);
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            Tenant other = (Tenant) obj;
            return this.readWrite == other.readWrite && Objects.equals(this.tenant, other.tenant);
        }

        @Override
        public String toString() {
            String newline = System.lineSeparator();
            StringBuilder text = new StringBuilder();
            text.append(newline).append("                tenant=").append(this.tenant);
            text.append(newline).append("                readWrite=").append(this.readWrite);
            return text.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/sgconf/ConfigModelV7$TenantHolder.class */
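    /**
     * Pre-computed mapping from role name to the tenants that role grants, with the
     * resolved actions allowed on each tenant.
     *
     * <p>If loading is interrupted, {@code tenantsMM} stays {@code null} and both lookup
     * methods return an empty map, so a failed load grants no tenant access.
     *
     * <p>NOTE(review): both lookup methods key the user's private tenant by
     * {@code user.getName()} and skip configured tenants with that same name. A user whose
     * name equals a configured tenant name therefore gets the private-tenant entry (write
     * access, action {@code "*"}) under that key. Verify how consumers of the map tell the
     * private tenant from a configured one.
     */
    public class TenantHolder {
        private static final String KIBANA_ALL_SAVED_OBJECTS_WRITE = "kibana:saved_objects/*/write";
        private final Set<String> KIBANA_ALL_SAVED_OBJECTS_WRITE_SET = ImmutableSet.of(KIBANA_ALL_SAVED_OBJECTS_WRITE);
        private SetMultimap<String, Tuple<String, Set<String>>> tenantsMM;

        /**
         * Resolves the tenant permissions of every role on a ten-thread pool and stores
         * the result.
         *
         * @param sgDynamicConfiguration roles configuration; entries with a {@code null} value are skipped
         * @param sgDynamicConfiguration2 tenants configuration; its keys are the tenant names
         *        that the tenant patterns of a role are matched against
         * @throws RuntimeException as produced by {@code ExceptionsHelper.convertToElastic}
         *         when resolving a role fails
         */
        public TenantHolder(SgDynamicConfiguration<RoleV7> sgDynamicConfiguration, final SgDynamicConfiguration<TenantV7> sgDynamicConfiguration2) {
            this.tenantsMM = null;
            Set<Future<Tuple<String, Set<Tuple<String, Set<String>>>>>> pending = new HashSet<>(sgDynamicConfiguration.getCEntries().size());
            ExecutorService newFixedThreadPool = Executors.newFixedThreadPool(10);
            for (final Map.Entry<String, RoleV7> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
                if (entry.getValue() != null) {
                    pending.add(newFixedThreadPool.submit(new Callable<Tuple<String, Set<Tuple<String, Set<String>>>>>() { // from class: com.floragunn.searchguard.sgconf.ConfigModelV7.TenantHolder.1
                        @Override // java.util.concurrent.Callable
                        public Tuple<String, Set<Tuple<String, Set<String>>>> call() throws Exception {
                            Set<Tuple<String, Set<String>>> tenantActions = new HashSet<>();
                            List<RoleV7.Tenant> tenant_permissions = entry.getValue().getTenant_permissions();
                            if (tenant_permissions != null) {
                                for (RoleV7.Tenant tenant : tenant_permissions) {
                                    // Only tenant names present in the tenants configuration can
                                    // match; a pattern never creates a tenant.
                                    Iterator<String> it = WildcardMatcher.getMatchAny(tenant.getTenant_patterns(), sgDynamicConfiguration2.getCEntries().keySet()).iterator();
                                    while (it.hasNext()) {
                                        tenantActions.add(new Tuple<>(it.next(), ConfigModelV7.this.agr.resolvedActions(tenant.getAllowed_actions())));
                                    }
                                }
                            }
                            return new Tuple<>(entry.getKey(), tenantActions);
                        }
                    }));
                }
            }
            newFixedThreadPool.shutdown();
            try {
                if (!newFixedThreadPool.awaitTermination(30L, TimeUnit.SECONDS)) {
                    // The Future.get() calls below have no timeout of their own, so the
                    // 30 seconds are not an upper bound for this constructor.
                    ConfigModelV7.log.warn("Resolving tenant permissions did not finish within 30 seconds, waiting for the remaining roles");
                }
                try {
                    SetMultimap<String, Tuple<String, Set<String>>> build = MultimapBuilder.SetMultimapBuilder.hashKeys(pending.size()).hashSetValues(16).build();
                    for (Future<Tuple<String, Set<Tuple<String, Set<String>>>>> future : pending) {
                        Tuple<String, Set<Tuple<String, Set<String>>>> roleTenants = future.get();
                        build.putAll(roleTenants.v1(), roleTenants.v2());
                    }
                    // Published only after every role has been read, so a partial result is never visible.
                    this.tenantsMM = build;
                } catch (InterruptedException e) {
                    // Stop tasks that may still be running; their results would be discarded.
                    newFixedThreadPool.shutdownNow();
                    Thread.currentThread().interrupt();
                    ConfigModelV7.log.error("Thread interrupted (2) while loading tenants", e);
                } catch (ExecutionException e2) {
                    ConfigModelV7.log.error("Error while updating tenants: {}", e2.getCause(), e2.getCause());
                    throw ExceptionsHelper.convertToElastic(e2);
                }
            } catch (InterruptedException e3) {
                // Stop tasks that may still be running; their results would be discarded.
                newFixedThreadPool.shutdownNow();
                Thread.currentThread().interrupt();
                ConfigModelV7.log.error("Thread interrupted (1) while loading roles", e3);
            }
        }

        /**
         * Maps each tenant the user can access to a flag telling whether access is read-write.
         *
         * <p>The user's own name is always present with {@code true}. For configured
         * tenants, write access granted by any of the given roles wins over read-only
         * access from another. {@code SGS_GLOBAL_TENANT} is added with write access when it
         * is not already mapped and the role names include one of {@code sg_kibana_user},
         * {@code SGS_KIBANA_USER}, {@code sg_all_access} or {@code SGS_ALL_ACCESS}; this
         * grant depends on the role name alone, not on the permissions the role defines.
         *
         * @param user user to map tenants for; {@code null} yields an empty map
         * @param set names of the roles the user holds
         * @return unmodifiable map from tenant name to write flag
         */
        public Map<String, Boolean> mapTenants(User user, Set<String> set) {
            if (user == null || this.tenantsMM == null) {
                return Collections.emptyMap();
            }
            Map<String, Boolean> writeAccessByTenant = new HashMap<>(set.size());
            writeAccessByTenant.put(user.getName(), true);
            for (Map.Entry<String, Tuple<String, Set<String>>> entry : this.tenantsMM.entries()) {
                if (!set.contains(entry.getKey())) {
                    continue;
                }
                String tenantName = entry.getValue().v1();
                // The entry for the user's own name is fixed above and is never overwritten.
                if (user.getName().equals(tenantName)) {
                    continue;
                }
                boolean containsKibanaWritePermission = containsKibanaWritePermission(entry.getValue().v2());
                if (containsKibanaWritePermission || !writeAccessByTenant.containsKey(tenantName)) {
                    writeAccessByTenant.put(tenantName, Boolean.valueOf(containsKibanaWritePermission));
                }
            }
            if (!writeAccessByTenant.containsKey("SGS_GLOBAL_TENANT") && (set.contains("sg_kibana_user") || set.contains("SGS_KIBANA_USER") || set.contains("sg_all_access") || set.contains("SGS_ALL_ACCESS"))) {
                writeAccessByTenant.put("SGS_GLOBAL_TENANT", true);
            }
            return Collections.unmodifiableMap(writeAccessByTenant);
        }

        /**
         * Maps each tenant the user can access to the actions allowed on it.
         *
         * <p>The user's own name is always present with the single action {@code "*"}. For
         * configured tenants, the actions granted by all given roles are merged.
         * {@code SGS_GLOBAL_TENANT} is added with the saved-objects write action under the
         * same role-name condition as in {@link #mapTenants}.
         *
         * @param user user to map tenants for; {@code null} yields an empty map
         * @param set names of the roles the user holds
         * @return unmodifiable map from tenant name to allowed actions
         */
        public Map<String, Set<String>> mapTenantPermissions(User user, Set<String> set) {
            if (user == null || this.tenantsMM == null) {
                return Collections.emptyMap();
            }
            Map<String, Set<String>> actionsByTenant = new HashMap<>(set.size());
            actionsByTenant.put(user.getName(), ImmutableSet.of("*"));
            for (Map.Entry<String, Tuple<String, Set<String>>> entry : this.tenantsMM.entries()) {
                if (!set.contains(entry.getKey())) {
                    continue;
                }
                String tenantName = entry.getValue().v1();
                // Skipping the user's own name also keeps addAll below away from the
                // immutable set stored for it.
                if (user.getName().equals(tenantName)) {
                    continue;
                }
                Set<String> merged = actionsByTenant.get(tenantName);
                if (merged != null) {
                    merged.addAll(entry.getValue().v2());
                } else {
                    actionsByTenant.put(tenantName, new HashSet<>(entry.getValue().v2()));
                }
            }
            if (!actionsByTenant.containsKey("SGS_GLOBAL_TENANT") && (set.contains("sg_kibana_user") || set.contains("SGS_KIBANA_USER") || set.contains("sg_all_access") || set.contains("SGS_ALL_ACCESS"))) {
                actionsByTenant.put("SGS_GLOBAL_TENANT", this.KIBANA_ALL_SAVED_OBJECTS_WRITE_SET);
            }
            return Collections.unmodifiableMap(actionsByTenant);
        }

        /**
         * Tells whether a set of allowed actions includes write access to saved objects:
         * the exact write action, the literal {@code "*"}, or a pattern that
         * {@code WildcardMatcher.matchAny} matches against the write action.
         */
        private boolean containsKibanaWritePermission(Set<String> set) {
            if (set.contains(KIBANA_ALL_SAVED_OBJECTS_WRITE) || set.contains("*")) {
                return true;
            }
            return WildcardMatcher.matchAny(set, KIBANA_ALL_SAVED_OBJECTS_WRITE);
        }
    }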

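    /**
     * Builds the configuration model from the dynamic configuration documents.
     *
     * <p>The action group resolver is created before the tenant holder, which resolves
     * allowed actions through it. An unparsable roles mapping resolution setting is logged
     * and replaced by {@code MAPPING_ONLY}.
     *
     * <p>{@code dfmEmptyOverridesAll} is a static field assigned here, so the value from
     * the most recently constructed model applies to every instance in the JVM.
     *
     * @param sgDynamicConfiguration roles
     * @param sgDynamicConfiguration2 role mappings
     * @param sgDynamicConfiguration3 action groups
     * @param sgDynamicConfiguration4 tenants
     * @param sgDynamicConfiguration5 blocks (users, IP addresses, net masks)
     * @param dynamicConfigModel source of the hosts resolver mode
     * @param settings node settings
     */
    public ConfigModelV7(SgDynamicConfiguration<RoleV7> sgDynamicConfiguration, SgDynamicConfiguration<RoleMappingsV7> sgDynamicConfiguration2, SgDynamicConfiguration<ActionGroupsV7> sgDynamicConfiguration3, SgDynamicConfiguration<TenantV7> sgDynamicConfiguration4, SgDynamicConfiguration<BlocksV7> sgDynamicConfiguration5, DynamicConfigModel dynamicConfigModel, Settings settings) {
        this.roles = sgDynamicConfiguration;
        this.tenants = sgDynamicConfiguration4;
        try {
            // Locale.ROOT keeps the enum lookup independent of the JVM default locale; with
            // a Turkish default, "mapping_only" would upper-case to a name valueOf rejects.
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(settings.get(ConfigConstants.SEARCHGUARD_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString()).toUpperCase(java.util.Locale.ROOT));
        } catch (Exception e) {
            log.error("Cannot apply roles mapping resolution", e);
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.MAPPING_ONLY;
        }
        this.agr = reloadActionGroups(sgDynamicConfiguration3);
        this.sgRoles = reload(sgDynamicConfiguration);
        this.tenantHolder = new TenantHolder(sgDynamicConfiguration, sgDynamicConfiguration4);
        this.roleMappingHolder = new RoleMappingHolder(sgDynamicConfiguration2, dynamicConfigModel.getHostsResolverMode());
        this.blockedIpAddresses = reloadBlockedIpAddresses(sgDynamicConfiguration5);
        this.blockedUsers = reloadBlockedUsers(sgDynamicConfiguration5);
        this.blockeNetmasks = reloadBlockedNetmasks(sgDynamicConfiguration5);
        dfmEmptyOverridesAll = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_DFM_EMPTY_OVERRIDES_ALL, false).booleanValue();
    }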

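    /**
     * Builds the net mask block registry from the {@code net_mask} block entries.
     *
     * <p>Each configured value is validated as an {@link IPAddressString}. A value that
     * fails validation is logged and left out of the registry. For a disallow entry this
     * means the range is not blocked, so the error log is the only sign of a typo in the
     * block list. The log message speaks of IP addresses although it is emitted for net masks.
     *
     * @param sgDynamicConfiguration blocks configuration
     * @return registry built from the valid allow values and the valid disallow values
     */
    private ClientBlockRegistry<IPAddressString> reloadBlockedNetmasks(SgDynamicConfiguration<BlocksV7> sgDynamicConfiguration) {
        // Typed explicitly: with a raw Function the lambda parameter would be an Object.
        Function<String, Optional<IPAddressString>> parseNetmask = str -> {
            IPAddressString iPAddressString = new IPAddressString(str);
            try {
                iPAddressString.validate();
                return Optional.of(iPAddressString);
            } catch (AddressStringException e) {
                log.error("Reloading blocked IP addresses failed ", e);
                return Optional.empty();
            }
        };
        Tuple<Set<String>, Set<String>> readBlocks = readBlocks(sgDynamicConfiguration, BlocksV7.Type.net_mask);
        // v1 holds the allow values, v2 the disallow values.
        Set<IPAddressString> allowed = readBlocks.v1().stream()
                .map(parseNetmask)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .collect(Collectors.toSet());
        Set<IPAddressString> disallowed = readBlocks.v2().stream()
                .map(parseNetmask)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .collect(Collectors.toSet());
        return new IpRangeVerdictBasedBlockRegistry(allowed, disallowed);
    }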

    /**
     * Builds the user block registry from the {@code name} block entries. The configured
     * values are handed to the wildcard registry unchanged.
     *
     * @param sgDynamicConfiguration blocks configuration
     * @return registry built from the allow values and the disallow values
     */
    private ClientBlockRegistry<String> reloadBlockedUsers(SgDynamicConfiguration<BlocksV7> sgDynamicConfiguration) {
        Tuple<Set<String>, Set<String>> userBlocks = readBlocks(sgDynamicConfiguration, BlocksV7.Type.name);
        // v1 holds the allow values, v2 the disallow values.
        Set<String> allowedNames = userBlocks.v1();
        Set<String> disallowedNames = userBlocks.v2();
        return new WildcardVerdictBasedBlockRegistry(allowedNames, disallowedNames);
    }

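    /**
     * Builds the IP address block registry from the {@code ip} block entries.
     *
     * <p>Each configured value goes through {@link InetAddress#getByName(String)}. A value
     * that is not an IP literal is treated as a host name and resolved through the name
     * service when the configuration is loaded; the registry then holds the address
     * returned at that moment. A value that cannot be resolved is logged and left out, so
     * an unresolvable disallow entry blocks nothing.
     *
     * @param sgDynamicConfiguration blocks configuration
     * @return registry built from the resolvable allow values and the resolvable disallow values
     */
    private ClientBlockRegistry<InetAddress> reloadBlockedIpAddresses(SgDynamicConfiguration<BlocksV7> sgDynamicConfiguration) {
        // Typed explicitly: with a raw Function the lambda parameter would be an Object.
        Function<String, Optional<InetAddress>> parseAddress = str -> {
            try {
                return Optional.of(InetAddress.getByName(str));
            } catch (UnknownHostException e) {
                log.error("Reloading blocked IP addresses failed", e);
                return Optional.empty();
            }
        };
        Tuple<Set<String>, Set<String>> readBlocks = readBlocks(sgDynamicConfiguration, BlocksV7.Type.ip);
        // v1 holds the allow values, v2 the disallow values.
        Set<InetAddress> allowed = readBlocks.v1().stream()
                .map(parseAddress)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .collect(Collectors.toSet());
        Set<InetAddress> disallowed = readBlocks.v2().stream()
                .map(parseAddress)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .collect(Collectors.toSet());
        return new VerdictBasedBlockRegistry(InetAddress.class, allowed, disallowed);
    }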

    /**
     * Splits the values of all block entries of one type into allow values and disallow values.
     *
     * <p>An entry without a verdict, or with a verdict other than allow or disallow, is
     * logged and contributes nothing. Such an entry neither blocks nor allows anything.
     *
     * @param sgDynamicConfiguration blocks configuration
     * @param type block type to select
     * @return tuple of (allow values, disallow values)
     */
    private Tuple<Set<String>, Set<String>> readBlocks(SgDynamicConfiguration<BlocksV7> sgDynamicConfiguration, BlocksV7.Type type) {
        Set<String> allowValues = new HashSet<>();
        Set<String> disallowValues = new HashSet<>();
        for (BlocksV7 block : sgDynamicConfiguration.getCEntries().values()) {
            if (block.getType() != type) {
                continue;
            }
            BlocksV7.Verdict verdict = block.getVerdict();
            if (verdict == null) {
                log.error("No verdict type found in blocks");
                continue;
            }
            if (verdict == BlocksV7.Verdict.disallow) {
                disallowValues.addAll(block.getValue());
                continue;
            }
            if (verdict == BlocksV7.Verdict.allow) {
                allowValues.addAll(block.getValue());
                continue;
            }
            log.error("Found unknown verdict type: " + verdict);
        }
        return new Tuple<>(allowValues, disallowValues);
    }

    /**
     * Returns the names of all configured tenants.
     *
     * @return read-only view of the key set of the tenants configuration
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public Set<String> getAllConfiguredTenantNames() {
        Set<String> tenantNames = this.tenants.getCEntries().keySet();
        return Collections.unmodifiableSet(tenantNames);
    }

    /**
     * Returns the role set held by this configuration model.
     *
     * @return the value of the {@code sgRoles} field, as is
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public SgRoles getSgRoles() {
        final SgRoles currentRoles = this.sgRoles;
        return currentRoles;
    }

    /**
     * Returns the action-group resolver held by this configuration model.
     *
     * @return the value of the {@code agr} field, as is
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public ConfigModel.ActionGroupResolver getActionGroupResolver() {
        final ConfigModel.ActionGroupResolver resolver = this.agr;
        return resolver;
    }

    /**
     * Returns the IP-address block registry wrapped in a list.
     *
     * @return immutable one-element list containing the {@code blockedIpAddresses} field
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public List<ClientBlockRegistry<InetAddress>> getBlockIpAddresses() {
        List<ClientBlockRegistry<InetAddress>> registries = Collections.singletonList(this.blockedIpAddresses);
        return registries;
    }

    /**
     * Returns the user-name block registry wrapped in a list.
     *
     * @return immutable one-element list containing the {@code blockedUsers} field
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public List<ClientBlockRegistry<String>> getBlockedUsers() {
        List<ClientBlockRegistry<String>> registries = Collections.singletonList(this.blockedUsers);
        return registries;
    }

    /**
     * Returns the netmask block registry wrapped in a list.
     *
     * @return immutable one-element list containing the {@code blockeNetmasks} field
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public List<ClientBlockRegistry<IPAddressString>> getBlockedNetmasks() {
        List<ClientBlockRegistry<IPAddressString>> registries = Collections.singletonList(this.blockeNetmasks);
        return registries;
    }

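    /**
     * Creates the resolver that expands action-group names into the entries they stand for.
     *
     * <p>Expansion is recursive: a member that is itself a key of the configuration is expanded in
     * turn, any other member is taken literally. A group that refers back to itself, directly or
     * through other groups, is expanded only once per resolution path; the back-reference is logged
     * and contributes nothing, so a cyclic definition cannot exhaust the stack. Groups without a
     * cycle resolve exactly as before.
     *
     * @param sgDynamicConfiguration action-group configuration; when {@code null}, no name is treated
     *                               as a group
     * @return resolver bound to the given configuration
     */
    private ConfigModel.ActionGroupResolver reloadActionGroups(final SgDynamicConfiguration<ActionGroupsV7> sgDynamicConfiguration) {
        return new ConfigModel.ActionGroupResolver() {
            /** Returns the expanded members of {@code groupName}; empty when it is not a configured group. */
            private Set<String> getGroupMembers(String groupName) {
                if (sgDynamicConfiguration == null) {
                    return Collections.emptySet();
                }
                return Collections.unmodifiableSet(resolve(sgDynamicConfiguration, groupName, new HashSet<>()));
            }

            /**
             * Expands one group. {@code path} holds the groups currently being expanded further up
             * the call chain and is what detects a cycle.
             */
            private Set<String> resolve(SgDynamicConfiguration<?> config, String groupName, Set<String> path) {
                if (!config.getCEntries().containsKey(groupName)) {
                    return Collections.emptySet();
                }
                if (!path.add(groupName)) {
                    log.error("Action group '{}' is part of a cyclic definition; ignoring the back-reference", groupName);
                    return Collections.emptySet();
                }
                try {
                    Set<String> expanded = new HashSet<>();
                    Object entry = config.getCEntries().get(groupName);
                    if (entry instanceof List) {
                        for (Object member : (List<?>) entry) {
                            expand(config, String.valueOf(member), path, expanded);
                        }
                    } else if (entry instanceof ActionGroupsV7) {
                        for (String member : ((ActionGroupsV7) entry).getAllowed_actions()) {
                            expand(config, member, path, expanded);
                        }
                    } else {
                        throw new RuntimeException("Unable to handle " + entry);
                    }
                    return Collections.unmodifiableSet(expanded);
                } finally {
                    // Only the current call chain counts: the same group may legitimately be
                    // reached again through a different branch.
                    path.remove(groupName);
                }
            }

            /** Adds {@code member} to {@code target}, expanding it first when it names another group. */
            private void expand(SgDynamicConfiguration<?> config, String member, Set<String> path, Set<String> target) {
                if (config.getCEntries().containsKey(member)) {
                    target.addAll(resolve(config, member, path));
                } else {
                    target.add(member);
                }
            }

            /**
             * Expands every entry of {@code list}. An entry whose expansion is empty (not a group, or
             * a group without members) is kept literally.
             */
            @Override // com.floragunn.searchguard.sgconf.ConfigModel.ActionGroupResolver
            public Set<String> resolvedActions(List<String> list) {
                Set<String> resolved = new HashSet<>();
                for (String name : list) {
                    Set<String> members = getGroupMembers(name);
                    if (members.isEmpty()) {
                        resolved.add(name);
                    } else {
                        resolved.addAll(members);
                    }
                }
                return Collections.unmodifiableSet(resolved);
            }
        };
    }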

    /**
     * Builds the role set from the roles configuration, creating the individual roles on a
     * ten-thread pool.
     *
     * <p>A configuration entry with a {@code null} value yields a {@code null} task result, which is
     * passed to {@code SgRoles.addSgRole} like any other.
     *
     * @param sgDynamicConfiguration roles configuration to read
     * @return the populated role set, or {@code null} when the calling thread is interrupted while
     *         waiting (the interrupt flag is restored); callers have to handle the {@code null}
     * @throws RuntimeException the result of {@code ExceptionsHelper.convertToElastic} when creating
     *                          a role fails
     */
    private SgRoles reload(SgDynamicConfiguration<RoleV7> sgDynamicConfiguration) {
        Set<Future<SgRole>> pending = new HashSet<>(5000);
        ExecutorService pool = Executors.newFixedThreadPool(10);
        for (Map.Entry<String, RoleV7> entry : sgDynamicConfiguration.getCEntries().entrySet()) {
            pending.add(pool.submit(() -> {
                RoleV7 role = entry.getValue();
                return role == null ? null : SgRole.create(entry.getKey(), role, this.agr);
            }));
        }
        pool.shutdown();

        try {
            // The result of awaitTermination is not checked: after shutdown() submitted tasks keep
            // running, and Future.get() below blocks until each one is done, so the 30 seconds are
            // not a hard limit on the reload.
            pool.awaitTermination(30L, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.error("Thread interrupted (1) while loading roles");
            return null;
        }

        try {
            SgRoles loaded = new SgRoles(pending.size());
            for (Future<SgRole> future : pending) {
                loaded.addSgRole(future.get());
            }
            return loaded;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            log.error("Thread interrupted (2) while loading roles");
            return null;
        } catch (ExecutionException e) {
            log.error("Error while updating roles: {}", e.getCause(), e.getCause());
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Expands user-attribute placeholders in {@code str}: first the legacy form handled by
     * {@code replaceObsoleteProperties}, then whatever {@code UserAttributes.replaceAttributes}
     * handles.
     *
     * @param str  text that may contain placeholders; returned unchanged when {@code null}
     * @param user user whose attributes are substituted; when {@code null}, {@code str} is returned
     *             unchanged
     * @return the expanded text
     * @throws StringInterpolationException propagated from {@code UserAttributes.replaceAttributes}
     */
    public static String replaceProperties(String str, User user) throws StringInterpolationException {
        if (str == null || user == null) {
            return str;
        }
        String legacyExpanded = replaceObsoleteProperties(str, user);
        return UserAttributes.replaceAttributes(legacyExpanded, user);
    }

    /**
     * Expands legacy placeholders of the form {@code ${key}} with the user's custom attributes.
     *
     * <p>For every attribute, both the key as stored and the key with {@code '.'} replaced by
     * {@code '_'} are recognised. Attributes with a {@code null} key or value are skipped.
     *
     * <p>NOTE(review): values are inserted verbatim, without escaping, and replacement runs attribute
     * by attribute on the accumulating text. A value that itself contains a placeholder can therefore
     * be expanded by a later attribute, depending on the map's iteration order. Whether this matters
     * depends on where the attribute values come from and where the result is used, neither of which
     * is visible here; confirm against the callers.
     *
     * @param str  text to expand; returned unchanged when {@code null}
     * @param user user whose custom attributes are used; when {@code null}, {@code str} is returned
     *             unchanged
     * @return the text with all recognised placeholders replaced
     */
    @Deprecated
    private static String replaceObsoleteProperties(String str, User user) {
        if (str == null || user == null) {
            return str;
        }
        Map<String, String> attributes = user.getCustomAttributesMap();
        if (log.isTraceEnabled()) {
            // Only the attribute keys are traced, not their values.
            log.trace("replaceObsoleteProperties()\nstring: " + str + "\nattrs: " + attributes.keySet());
        }
        String result = str;
        for (Map.Entry<String, String> attribute : attributes.entrySet()) {
            if (attribute == null) {
                continue;
            }
            String key = attribute.getKey();
            String value = attribute.getValue();
            if (key == null || value == null) {
                continue;
            }
            String dottedPlaceholder = "${" + key + "}";
            String underscoredPlaceholder = "${" + key.replace('.', '_') + "}";
            result = result.replace(dottedPlaceholder, value).replace(underscoredPlaceholder, value);
        }
        return result;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Decides whether the given index patterns grant every requested action on every requested
     * index.
     *
     * <p>When {@code resolved.isLocalAll()} is true, a single pattern must have the unresolved form
     * {@code "*"} and match all requested actions by itself. Otherwise each index of
     * {@code resolved.getAllIndices()} is checked separately, and the actions may be granted by
     * several patterns together as long as each of them matches that index.
     *
     * <p>A pattern that fails with a {@link StringInterpolationException} is logged and grants
     * nothing.
     *
     * <p>NOTE(review): two inputs are granted vacuously. With an empty {@code strArr} the method
     * returns {@code true} as soon as one {@code "*"} pattern exists (local-all case) or for any set
     * of patterns (per-index case); with an empty {@code resolved.getAllIndices()} and no local-all
     * it returns {@code true} regardless of the patterns. Confirm that callers never reach this
     * method with such inputs.
     *
     * @param set                          index patterns of the roles under evaluation
     * @param resolved                     resolved target indices of the request
     * @param user                         user for whom the patterns are interpolated
     * @param strArr                       requested actions
     * @param indexNameExpressionResolver  passed through to {@code getResolvedIndexPatterns}
     * @param clusterService               passed through to {@code getResolvedIndexPatterns}
     * @return {@code true} when nothing requested is left uncovered
     */
    public static boolean impliesTypePerm(Set<IndexPattern> set, IndexResolverReplacer.Resolved resolved, User user, String[] strArr, IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService) {
        if (resolved.isLocalAll()) {
            for (IndexPattern pattern : set) {
                try {
                    if (!"*".equals(pattern.getUnresolvedIndexPattern(user))) {
                        continue;
                    }
                    Set<String> missingActions = new HashSet<>(Arrays.asList(strArr));
                    for (String action : strArr) {
                        if (WildcardMatcher.matchAny(pattern.perms, action)) {
                            missingActions.remove(action);
                        }
                    }
                    if (missingActions.isEmpty()) {
                        return true;
                    }
                } catch (StringInterpolationException e) {
                    log.warn("Invalid index pattern " + pattern.indexPattern, e);
                }
            }
            return false;
        }

        Set<String> uncoveredIndices = new HashSet<>(resolved.getAllIndices());
        for (String index : resolved.getAllIndices()) {
            Set<String> missingActions = new HashSet<>(Arrays.asList(strArr));
            for (IndexPattern pattern : set) {
                try {
                    if (!WildcardMatcher.matchAny(pattern.getResolvedIndexPatterns(user, indexNameExpressionResolver, clusterService, true), index)) {
                        continue;
                    }
                    for (String action : strArr) {
                        if (WildcardMatcher.matchAny(pattern.perms, action)) {
                            missingActions.remove(action);
                        }
                    }
                } catch (StringInterpolationException e) {
                    log.warn("Invalid index pattern " + pattern.indexPattern, e);
                }
            }
            // The index counts as covered only when no requested action is left over.
            if (missingActions.isEmpty()) {
                uncoveredIndices.remove(index);
            }
        }
        return uncoveredIndices.isEmpty();
    }

    /**
     * Delegates to {@code tenantHolder.mapTenantPermissions}.
     *
     * @param user user to evaluate
     * @param set  passed through unchanged (presumably the user's role names; confirm against the
     *             holder)
     * @return the holder's result, unmodified
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public Map<String, Set<String>> mapTenantPermissions(User user, Set<String> set) {
        Map<String, Set<String>> permissionsByTenant = this.tenantHolder.mapTenantPermissions(user, set);
        return permissionsByTenant;
    }

    /**
     * Delegates to {@code tenantHolder.mapTenants}.
     *
     * @param user user to evaluate
     * @param set  passed through unchanged (presumably the user's role names; confirm against the
     *             holder)
     * @return the holder's result, unmodified
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public Map<String, Boolean> mapTenants(User user, Set<String> set) {
        Map<String, Boolean> tenantFlags = this.tenantHolder.mapTenants(user, set);
        return tenantFlags;
    }

    /**
     * Delegates to {@code roleMappingHolder.map}.
     *
     * @param user             user to map
     * @param transportAddress address passed through to the holder
     * @return the holder's result, unmodified
     */
    @Override // com.floragunn.searchguard.sgconf.ConfigModel
    public Set<String> mapSgRoles(User user, TransportAddress transportAddress) {
        Set<String> mappedRoles = this.roleMappingHolder.map(user, transportAddress);
        return mappedRoles;
    }
}
