package org.elasticsearch.xpack.security.authc.support.mapper;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.camunda.bpm.model.bpmn.impl.BpmnModelConstants;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.common.CheckedBiConsumer;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.InternalSecurityClient;
import org.elasticsearch.xpack.security.SecurityLifecycleService;
import org.elasticsearch.xpack.security.action.rolemapping.DeleteRoleMappingRequest;
import org.elasticsearch.xpack.security.action.rolemapping.PutRoleMappingRequest;
import org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.security.client.SecurityClient;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.class */
public class NativeRoleMappingStore extends AbstractComponent implements UserRoleMapper {
    static final String DOC_TYPE_FIELD = "doc_type";
    static final String DOC_TYPE_ROLE_MAPPING = "role-mapping";
    private static final String ID_PREFIX = "role-mapping_";
    private static final String SECURITY_GENERIC_TYPE = "doc";
    private final InternalSecurityClient client;
    private final boolean isTribeNode;
    private final SecurityLifecycleService securityLifecycleService;
    private final List<String> realmsToRefresh;
    static final /* synthetic */ boolean $assertionsDisabled;

    public NativeRoleMappingStore(Settings settings, InternalSecurityClient internalSecurityClient, SecurityLifecycleService securityLifecycleService) {
        super(settings);
        this.realmsToRefresh = new CopyOnWriteArrayList();
        this.client = internalSecurityClient;
        this.isTribeNode = XPackPlugin.isTribeNode(settings);
        this.securityLifecycleService = securityLifecycleService;
    }

    private String getNameFromId(String str) {
        if ($assertionsDisabled || str.startsWith(ID_PREFIX)) {
            return str.substring(ID_PREFIX.length());
        }
        throw new AssertionError();
    }

    private String getIdForName(String str) {
        return ID_PREFIX + str;
    }

    void loadMappings(ActionListener<List<ExpressionRoleMapping>> actionListener) {
        if (this.securityLifecycleService.isSecurityIndexOutOfDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
            return;
        }
        SearchRequest request = this.client.prepareSearch(SecurityLifecycleService.SECURITY_INDEX_NAME).setScroll(TimeValue.timeValueSeconds(10L)).setTypes("doc").setQuery(QueryBuilders.termQuery(DOC_TYPE_FIELD, DOC_TYPE_ROLE_MAPPING)).setSize(1000).setFetchSource(true).request();
        request.indicesOptions().ignoreUnavailable();
        InternalClient.fetchAllByEntity(this.client, request, ActionListener.wrap(collection -> {
            actionListener.onResponse(collection.stream().filter((v0) -> {
                return Objects.nonNull(v0);
            }).collect(Collectors.toList()));
        }, exc -> {
            this.logger.error((Message) new ParameterizedMessage("failed to load role mappings from index [{}] skipping all mappings.", SecurityLifecycleService.SECURITY_INDEX_NAME), (Throwable) exc);
            actionListener.onResponse(Collections.emptyList());
        }), searchHit -> {
            return buildMapping(getNameFromId(searchHit.getId()), searchHit.getSourceRef());
        });
    }

    private ExpressionRoleMapping buildMapping(String str, BytesReference bytesReference) {
        try {
            XContentParser parser = getParser(bytesReference);
            Throwable th = null;
            try {
                try {
                    ExpressionRoleMapping parse = ExpressionRoleMapping.parse(str, parser);
                    if (parser != null) {
                        if (0 != 0) {
                            try {
                                parser.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            parser.close();
                        }
                    }
                    return parse;
                } finally {
                }
            } finally {
            }
        } catch (Exception e) {
            this.logger.warn((Message) new ParameterizedMessage("Role mapping [{}] cannot be parsed and will be skipped", str), (Throwable) e);
            return null;
        }
    }

    private static XContentParser getParser(BytesReference bytesReference) throws IOException {
        return XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, bytesReference);
    }

    public void putRoleMapping(PutRoleMappingRequest putRoleMappingRequest, ActionListener<Boolean> actionListener) {
        modifyMapping(putRoleMappingRequest.getName(), this::innerPutMapping, putRoleMappingRequest, actionListener);
    }

    public void deleteRoleMapping(DeleteRoleMappingRequest deleteRoleMappingRequest, ActionListener<Boolean> actionListener) {
        modifyMapping(deleteRoleMappingRequest.getName(), this::innerDeleteMapping, deleteRoleMappingRequest, actionListener);
    }

    private <Request, Result> void modifyMapping(String str, CheckedBiConsumer<Request, ActionListener<Result>, Exception> checkedBiConsumer, Request request, ActionListener<Result> actionListener) {
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("role-mappings may not be modified using a tribe node"));
            return;
        }
        if (this.securityLifecycleService.isSecurityIndexOutOfDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
            return;
        }
        if (!this.securityLifecycleService.isSecurityIndexWriteable()) {
            actionListener.onFailure(new IllegalStateException("role-mappings cannot be modified until template and mappings are up to date"));
            return;
        }
        try {
            CheckedConsumer checkedConsumer = obj -> {
                refreshRealms(actionListener, obj);
            };
            actionListener.getClass();
            checkedBiConsumer.accept(request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (Exception e) {
            this.logger.error((Message) new ParameterizedMessage("failed to modify role-mapping [{}]", str), (Throwable) e);
            actionListener.onFailure(e);
        }
    }

    private void innerPutMapping(PutRoleMappingRequest putRoleMappingRequest, ActionListener<Boolean> actionListener) {
        ExpressionRoleMapping mapping = putRoleMappingRequest.getMapping();
        this.securityLifecycleService.createIndexIfNeededThenExecute(actionListener, () -> {
            try {
                this.client.prepareIndex(SecurityLifecycleService.SECURITY_INDEX_NAME, "doc", getIdForName(mapping.getName())).setSource(mapping.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS, true)).setRefreshPolicy(putRoleMappingRequest.getRefreshPolicy()).execute(new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.1
                    @Override // org.elasticsearch.action.ActionListener
                    public void onResponse(IndexResponse indexResponse) {
                        actionListener.onResponse(Boolean.valueOf(indexResponse.getResult() == DocWriteResponse.Result.CREATED));
                    }

                    @Override // org.elasticsearch.action.ActionListener
                    public void onFailure(Exception exc) {
                        NativeRoleMappingStore.this.logger.error((Message) new ParameterizedMessage("failed to put role-mapping [{}]", mapping.getName()), (Throwable) exc);
                        actionListener.onFailure(exc);
                    }
                });
            } catch (IOException e) {
                actionListener.onFailure(e);
            }
        });
    }

    private void innerDeleteMapping(final DeleteRoleMappingRequest deleteRoleMappingRequest, final ActionListener<Boolean> actionListener) throws IOException {
        if (this.securityLifecycleService.isSecurityIndexOutOfDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
        } else {
            this.client.prepareDelete(SecurityLifecycleService.SECURITY_INDEX_NAME, "doc", getIdForName(deleteRoleMappingRequest.getName())).setRefreshPolicy(deleteRoleMappingRequest.getRefreshPolicy()).execute(new ActionListener<DeleteResponse>() { // from class: org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.2
                @Override // org.elasticsearch.action.ActionListener
                public void onResponse(DeleteResponse deleteResponse) {
                    actionListener.onResponse(Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                }

                @Override // org.elasticsearch.action.ActionListener
                public void onFailure(Exception exc) {
                    NativeRoleMappingStore.this.logger.error((Message) new ParameterizedMessage("failed to delete role-mapping [{}]", deleteRoleMappingRequest.getName()), (Throwable) exc);
                    actionListener.onFailure(exc);
                }
            });
        }
    }

    public void getRoleMappings(final Set<String> set, final ActionListener<List<ExpressionRoleMapping>> actionListener) {
        if (set == null || set.isEmpty()) {
            getMappings(actionListener);
        } else {
            getMappings(new ActionListener<List<ExpressionRoleMapping>>() { // from class: org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.3
                @Override // org.elasticsearch.action.ActionListener
                public void onResponse(List<ExpressionRoleMapping> list) {
                    Stream<ExpressionRoleMapping> stream = list.stream();
                    Set set2 = set;
                    actionListener.onResponse((List) stream.filter(expressionRoleMapping -> {
                        return set2.contains(expressionRoleMapping.getName());
                    }).collect(Collectors.toList()));
                }

                @Override // org.elasticsearch.action.ActionListener
                public void onFailure(Exception exc) {
                    actionListener.onFailure(exc);
                }
            });
        }
    }

    private void getMappings(ActionListener<List<ExpressionRoleMapping>> actionListener) {
        if (this.securityLifecycleService.isSecurityIndexAvailable()) {
            loadMappings(actionListener);
            return;
        }
        this.logger.info("The security index is not yet available - no role mappings can be loaded");
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Security Index [{}] [exists: {}] [available: {}] [writable: {}]", SecurityLifecycleService.SECURITY_INDEX_NAME, Boolean.valueOf(this.securityLifecycleService.isSecurityIndexExisting()), Boolean.valueOf(this.securityLifecycleService.isSecurityIndexAvailable()), Boolean.valueOf(this.securityLifecycleService.isSecurityIndexWriteable()));
        }
        actionListener.onResponse(Collections.emptyList());
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        if (!this.securityLifecycleService.isSecurityIndexExisting()) {
            reportStats(actionListener, Collections.emptyList());
            return;
        }
        CheckedConsumer checkedConsumer = list -> {
            reportStats(actionListener, list);
        };
        actionListener.getClass();
        getMappings(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void reportStats(ActionListener<Map<String, Object>> actionListener, List<ExpressionRoleMapping> list) {
        HashMap hashMap = new HashMap();
        hashMap.put(BpmnModelConstants.DC_ATTRIBUTE_SIZE, Integer.valueOf(list.size()));
        hashMap.put("enabled", Long.valueOf(list.stream().filter((v0) -> {
            return v0.isEnabled();
        }).count()));
        actionListener.onResponse(hashMap);
    }

    private <Result> void refreshRealms(ActionListener<Result> actionListener, Result result) {
        String[] strArr = (String[]) this.realmsToRefresh.toArray(new String[this.realmsToRefresh.size()]);
        new SecurityClient(this.client).prepareClearRealmCache().realms(strArr).execute(ActionListener.wrap(clearRealmCacheResponse -> {
            this.logger.debug(() -> {
                return new ParameterizedMessage("Cleared cached in realms [{}] due to role mapping change", Arrays.toString(strArr));
            });
            actionListener.onResponse(result);
        }, exc -> {
            this.logger.warn("Failed to clear cache for realms [{}]", Arrays.toString(strArr));
            actionListener.onFailure(exc);
        }));
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UserRoleMapper
    public void resolveRoles(UserRoleMapper.UserData userData, ActionListener<Set<String>> actionListener) {
        CheckedConsumer checkedConsumer = list -> {
            Map<String, Object> asMap = userData.asMap();
            Stream filter = list.stream().filter((v0) -> {
                return v0.isEnabled();
            }).filter(expressionRoleMapping -> {
                return expressionRoleMapping.getExpression().match(asMap);
            });
            if (this.logger.isTraceEnabled()) {
                filter = filter.map(expressionRoleMapping2 -> {
                    this.logger.trace("User [{}] matches role-mapping [{}] with roles [{}]", userData.getUsername(), expressionRoleMapping2.getName(), expressionRoleMapping2.getRoles());
                    return expressionRoleMapping2;
                });
            }
            Set set = (Set) filter.flatMap(expressionRoleMapping3 -> {
                return expressionRoleMapping3.getRoles().stream();
            }).collect(Collectors.toSet());
            this.logger.debug("Mapping user [{}] to roles [{}]", userData, set);
            actionListener.onResponse(set);
        };
        actionListener.getClass();
        getRoleMappings(null, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UserRoleMapper
    public void refreshRealmOnChange(CachingUsernamePasswordRealm cachingUsernamePasswordRealm) {
        this.realmsToRefresh.add(cachingUsernamePasswordRealm.name());
    }

    static {
        $assertionsDisabled = !NativeRoleMappingStore.class.desiredAssertionStatus();
    }
}
