package org.elasticsearch.xpack.security.transport.filter;

import io.netty.handler.ipfilter.IpFilterRuleType;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.common.collect.MapBuilder;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditTrailService;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/filter/IPFilter.class */
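/**
 * IP-based connection filtering for the transport and HTTP layers.
 *
 * <p>Rules are derived from settings: a global transport allow/deny pair, an HTTP allow/deny pair
 * (which falls back to the {@code transport.profiles.default.xpack.security.filter.*} settings and
 * from there to the transport pair), and a per-profile allow/deny pair for every configured
 * transport profile other than {@code default}. All filter settings are dynamic: updates arrive
 * through {@link ClusterSettings} consumers registered in the constructor, and each one rebuilds
 * the rule table via {@link #updateRules()}.
 *
 * <p>Evaluation within a profile is first-match-wins (see {@link #accept}). {@link #createRules}
 * emits the bound-address accept rule first (when {@code filter.always_allow_bound_address} is
 * true), then the allow entries, then the deny entries, so an address matched by an allow entry is
 * never rejected by a later deny entry for the same profile.
 *
 * <p>Thread-safety: {@link #updateRules()} is {@code synchronized} and publishes an unmodifiable
 * rule table through the volatile {@link #rules} field. Readers must take a single snapshot of
 * that field rather than reading it twice, because the whole map is swapped on every update.
 */
public class IPFilter {
    /** Pseudo profile name under which the HTTP layer's rules are stored. */
    public static final String HTTP_PROFILE_NAME = ".http";

    /** When true, every address the node is bound to is prepended as an accept rule. */
    public static final Setting<Boolean> ALLOW_BOUND_ADDRESSES_SETTING =
            Setting.boolSetting(Security.setting("filter.always_allow_bound_address"), true, Setting.Property.NodeScope);
    public static final Setting<Boolean> IP_FILTER_ENABLED_HTTP_SETTING =
            Setting.boolSetting(Security.setting("http.filter.enabled"), true, Setting.Property.Dynamic, Setting.Property.NodeScope);
    public static final Setting<Boolean> IP_FILTER_ENABLED_SETTING =
            Setting.boolSetting(Security.setting("transport.filter.enabled"), true, Setting.Property.Dynamic, Setting.Property.NodeScope);
    public static final Setting<List<String>> TRANSPORT_FILTER_ALLOW_SETTING =
            Setting.listSetting(Security.setting("transport.filter.allow"), Collections.<String>emptyList(), Function.identity(),
                    Setting.Property.Dynamic, Setting.Property.NodeScope);
    public static final Setting<List<String>> TRANSPORT_FILTER_DENY_SETTING =
            Setting.listSetting(Security.setting("transport.filter.deny"), Collections.<String>emptyList(), Function.identity(),
                    Setting.Property.Dynamic, Setting.Property.NodeScope);
    /** Per-profile deny list: {@code transport.profiles.<name>.xpack.security.filter.deny}. */
    public static final Setting.AffixSetting<List<String>> PROFILE_FILTER_DENY_SETTING =
            Setting.affixKeySetting("transport.profiles.", "xpack.security.filter.deny",
                    key -> Setting.listSetting(key, Collections.<String>emptyList(), Function.identity(),
                            Setting.Property.Dynamic, Setting.Property.NodeScope));
    /** Per-profile allow list: {@code transport.profiles.<name>.xpack.security.filter.allow}. */
    public static final Setting.AffixSetting<List<String>> PROFILE_FILTER_ALLOW_SETTING =
            Setting.affixKeySetting("transport.profiles.", "xpack.security.filter.allow",
                    key -> Setting.listSetting(key, Collections.<String>emptyList(), Function.identity(),
                            Setting.Property.Dynamic, Setting.Property.NodeScope));
    // The HTTP lists fall back to the "default" profile's filter settings, which in turn fall back
    // to the global transport lists; the fallbacks are not dynamic themselves.
    private static final Setting<List<String>> HTTP_FILTER_ALLOW_FALLBACK =
            Setting.listSetting("transport.profiles.default.xpack.security.filter.allow", TRANSPORT_FILTER_ALLOW_SETTING,
                    Function.identity(), Setting.Property.NodeScope);
    public static final Setting<List<String>> HTTP_FILTER_ALLOW_SETTING =
            Setting.listSetting(Security.setting("http.filter.allow"), HTTP_FILTER_ALLOW_FALLBACK, Function.identity(),
                    Setting.Property.Dynamic, Setting.Property.NodeScope);
    private static final Setting<List<String>> HTTP_FILTER_DENY_FALLBACK =
            Setting.listSetting("transport.profiles.default.xpack.security.filter.deny", TRANSPORT_FILTER_DENY_SETTING,
                    Function.identity(), Setting.Property.NodeScope);
    public static final Setting<List<String>> HTTP_FILTER_DENY_SETTING =
            Setting.listSetting(Security.setting("http.filter.deny"), HTTP_FILTER_DENY_FALLBACK, Function.identity(),
                    Setting.Property.Dynamic, Setting.Property.NodeScope);

    /** Usage-stats payload reported when IP filtering is not in use at all. */
    public static final Map<String, Object> DISABLED_USAGE_STATS =
            new MapBuilder<String, Object>().put("http", false).put(TransportClient.CLIENT_TYPE, false).immutableMap();

    /**
     * Sentinel rule reported to the audit trail when no configured rule matched a peer and the
     * connection was therefore accepted by default. It matches every address.
     */
    public static final SecurityIpFilterRule DEFAULT_PROFILE_ACCEPT_ALL = new SecurityIpFilterRule(true, "default:accept_all") {
        @Override
        public boolean matches(InetSocketAddress peerAddress) {
            return true;
        }

        @Override
        public IpFilterRuleType ruleType() {
            return IpFilterRuleType.ACCEPT;
        }
    };

    private final AuditTrailService auditTrail;
    private final XPackLicenseState licenseState;
    private final boolean alwaysAllowBoundAddresses;
    private final Logger logger;
    private volatile boolean isIpFilterEnabled;
    private volatile boolean isHttpFilterEnabled;
    /** Names of the configured transport profiles, excluding {@code default}. */
    private final Set<String> profiles;
    private volatile List<String> transportAllowFilter;
    private volatile List<String> transportDenyFilter;
    private volatile List<String> httpAllowFilter;
    private volatile List<String> httpDenyFilter;
    /** Profile name -> rules, rebuilt wholesale by {@link #updateRules()}; never mutated in place. */
    private volatile Map<String, SecurityIpFilterRule[]> rules = Collections.emptyMap();
    private final SetOnce<BoundTransportAddress> boundTransportAddress = new SetOnce<>();
    private final SetOnce<BoundTransportAddress> boundHttpTransportAddress = new SetOnce<>();
    private final SetOnce<Map<String, BoundTransportAddress>> profileBoundAddress = new SetOnce<>();
    // Written from the affix-setting update callbacks, hence synchronized.
    private final Map<String, List<String>> profileAllowRules = Collections.synchronizedMap(new HashMap<>());
    private final Map<String, List<String>> profileDenyRules = Collections.synchronizedMap(new HashMap<>());

    /**
     * Reads the initial filter configuration from {@code settings}, registers dynamic-update
     * consumers for every filter setting, and builds the initial rule table.
     *
     * @param settings          node settings
     * @param auditTrailService receives a granted/denied event per filtered connection decision
     * @param clusterSettings   used to subscribe to dynamic updates of the filter settings
     * @param xPackLicenseState consulted on every {@link #accept} call; filtering is a no-op when
     *                          the license does not allow it
     */
    public IPFilter(Settings settings, AuditTrailService auditTrailService, ClusterSettings clusterSettings,
                    XPackLicenseState xPackLicenseState) {
        this.logger = Loggers.getLogger(getClass(), settings);
        this.auditTrail = auditTrailService;
        this.licenseState = xPackLicenseState;
        this.alwaysAllowBoundAddresses = ALLOW_BOUND_ADDRESSES_SETTING.get(settings);
        this.httpDenyFilter = HTTP_FILTER_DENY_SETTING.get(settings);
        this.httpAllowFilter = HTTP_FILTER_ALLOW_SETTING.get(settings);
        this.transportAllowFilter = TRANSPORT_FILTER_ALLOW_SETTING.get(settings);
        this.transportDenyFilter = TRANSPORT_FILTER_DENY_SETTING.get(settings);
        this.isHttpFilterEnabled = IP_FILTER_ENABLED_HTTP_SETTING.get(settings);
        this.isIpFilterEnabled = IP_FILTER_ENABLED_SETTING.get(settings);
        // "default" is handled through the global transport settings, not as a named profile.
        this.profiles = settings.getGroups("transport.profiles.", true).keySet().stream()
                .filter(name -> !"default".equals(name))
                .collect(Collectors.toSet());
        for (String profile : profiles) {
            profileAllowRules.put(profile, PROFILE_FILTER_ALLOW_SETTING.getConcreteSettingForNamespace(profile).get(settings));
            profileDenyRules.put(profile, PROFILE_FILTER_DENY_SETTING.getConcreteSettingForNamespace(profile).get(settings));
        }
        clusterSettings.addSettingsUpdateConsumer(IP_FILTER_ENABLED_HTTP_SETTING, this::setHttpFiltering);
        clusterSettings.addSettingsUpdateConsumer(IP_FILTER_ENABLED_SETTING, this::setTransportFiltering);
        clusterSettings.addSettingsUpdateConsumer(TRANSPORT_FILTER_ALLOW_SETTING, this::setTransportAllowFilter);
        clusterSettings.addSettingsUpdateConsumer(TRANSPORT_FILTER_DENY_SETTING, this::setTransportDenyFilter);
        clusterSettings.addSettingsUpdateConsumer(HTTP_FILTER_ALLOW_SETTING, this::setHttpAllowFilter);
        clusterSettings.addSettingsUpdateConsumer(HTTP_FILTER_DENY_SETTING, this::setHttpDenyFilter);
        // No validation is performed on per-profile updates; the validator is intentionally a no-op.
        clusterSettings.addAffixUpdateConsumer(PROFILE_FILTER_ALLOW_SETTING, this::setProfileAllowRules, (profile, values) -> {
        });
        clusterSettings.addAffixUpdateConsumer(PROFILE_FILTER_DENY_SETTING, this::setProfileDenyRules, (profile, values) -> {
        });
        updateRules();
    }

    /**
     * Reports whether filtering is effectively in use per layer.
     *
     * @return a map with keys {@code "http"} and {@link TransportClient#CLIENT_TYPE}; a value is
     *         {@code true} only when that layer's filter is enabled and at least one allow or
     *         deny entry is configured for it
     */
    public Map<String, Object> usageStats() {
        Map<String, Object> stats = new HashMap<>(2);
        boolean httpInUse = isHttpFilterEnabled && !(httpAllowFilter.isEmpty() && httpDenyFilter.isEmpty());
        boolean transportInUse = isIpFilterEnabled && !(transportAllowFilter.isEmpty() && transportDenyFilter.isEmpty());
        stats.put("http", httpInUse);
        stats.put(TransportClient.CLIENT_TYPE, transportInUse);
        return stats;
    }

    // ---- dynamic-setting update callbacks: store the new value, then rebuild the rule table ----

    private void setProfileAllowRules(String profile, List<String> allow) {
        profileAllowRules.put(profile, allow);
        updateRules();
    }

    private void setProfileDenyRules(String profile, List<String> deny) {
        profileDenyRules.put(profile, deny);
        updateRules();
    }

    private void setHttpDenyFilter(List<String> deny) {
        httpDenyFilter = deny;
        updateRules();
    }

    private void setHttpAllowFilter(List<String> allow) {
        httpAllowFilter = allow;
        updateRules();
    }

    private void setTransportDenyFilter(List<String> deny) {
        transportDenyFilter = deny;
        updateRules();
    }

    private void setTransportAllowFilter(List<String> allow) {
        transportAllowFilter = allow;
        updateRules();
    }

    private void setTransportFiltering(boolean enabled) {
        isIpFilterEnabled = enabled;
        updateRules();
    }

    private void setHttpFiltering(boolean enabled) {
        isHttpFilterEnabled = enabled;
        updateRules();
    }

    /**
     * Decides whether a peer may connect on the given profile. Every decision that is based on a
     * rule table is reported to the audit trail; the early-return paths below are not audited.
     *
     * @param profile     {@link #HTTP_PROFILE_NAME} for HTTP, {@code "default"} or a transport
     *                    profile name for the transport layer
     * @param peerAddress the remote socket address
     * @return {@code false} only when the first rule matching {@code peerAddress} is a deny rule;
     *         {@code true} otherwise, including when the license does not allow IP filtering or
     *         no rule table exists for {@code profile}
     */
    public boolean accept(String profile, InetSocketAddress peerAddress) {
        if (!licenseState.isIpFilteringAllowed()) {
            // Filtering is switched off by the license; no audit event is emitted here.
            return true;
        }
        // Single read of the volatile field. updateRules() replaces the whole map, so a separate
        // containsKey()/get() pair on the field could observe two different tables and then
        // iterate a null array.
        SecurityIpFilterRule[] profileRules = rules.get(profile);
        if (profileRules == null) {
            // Filtering is disabled or not yet bound for this profile; no audit event is emitted.
            return true;
        }
        for (SecurityIpFilterRule rule : profileRules) {
            if (rule.matches(peerAddress)) {
                boolean granted = rule.ruleType() == IpFilterRuleType.ACCEPT;
                if (granted) {
                    auditTrail.connectionGranted(peerAddress.getAddress(), profile, rule);
                } else {
                    auditTrail.connectionDenied(peerAddress.getAddress(), profile, rule);
                }
                return granted;
            }
        }
        // No configured rule matched: accept by default, and audit that decision.
        auditTrail.connectionGranted(peerAddress.getAddress(), profile, DEFAULT_PROFILE_ACCEPT_ALL);
        return true;
    }

    /** Rebuilds the rule table from the current settings and publishes it atomically. */
    private synchronized void updateRules() {
        rules = parseSettings();
    }

    /**
     * Builds the profile -> rules table from the current filter lists and bound addresses.
     * Layers whose filter is disabled, or whose bound address has not been set yet, get no entry;
     * {@link #accept} treats a missing entry as "accept".
     *
     * @return an unmodifiable map, empty when both layer filters are disabled
     */
    private Map<String, SecurityIpFilterRule[]> parseSettings() {
        if (!isIpFilterEnabled && !isHttpFilterEnabled) {
            return Collections.emptyMap();
        }
        Map<String, SecurityIpFilterRule[]> parsed = new HashMap<>();
        BoundTransportAddress httpBound = boundHttpTransportAddress.get();
        if (isHttpFilterEnabled && httpBound != null) {
            parsed.put(HTTP_PROFILE_NAME, createRules(httpAllowFilter, httpDenyFilter, httpBound.boundAddresses()));
        }
        BoundTransportAddress transportBound = boundTransportAddress.get();
        if (isIpFilterEnabled && transportBound != null) {
            parsed.put("default", createRules(transportAllowFilter, transportDenyFilter, transportBound.boundAddresses()));
            Map<String, BoundTransportAddress> perProfile = profileBoundAddress.get();
            for (String profile : profiles) {
                BoundTransportAddress profileBound = perProfile.get(profile);
                if (profileBound == null) {
                    logger.warn("skipping ip filter rules for profile [{}] since the profile is not bound to any addresses", profile);
                } else {
                    parsed.put(profile, createRules(
                            profileAllowRules.getOrDefault(profile, Collections.emptyList()),
                            profileDenyRules.getOrDefault(profile, Collections.emptyList()),
                            profileBound.boundAddresses()));
                }
            }
        }
        logger.debug("loaded ip filtering profiles: {}", parsed.keySet());
        return Collections.unmodifiableMap(parsed);
    }

    /**
     * Assembles the ordered rule array for one profile: the bound-address accept rule (if
     * {@link #alwaysAllowBoundAddresses}), then one accept rule per allow entry, then one deny
     * rule per deny entry. Order matters because {@link #accept} stops at the first match.
     *
     * @param allow          allow entries from settings
     * @param deny           deny entries from settings
     * @param boundAddresses addresses the profile is bound to; must be non-empty when
     *                       {@link #alwaysAllowBoundAddresses} is set
     * @return the rules in evaluation order
     */
    private SecurityIpFilterRule[] createRules(List<String> allow, List<String> deny, TransportAddress[] boundAddresses) {
        List<SecurityIpFilterRule> ruleList = new ArrayList<>(allow.size() + deny.size() + 1);
        if (alwaysAllowBoundAddresses) {
            assert boundAddresses != null && boundAddresses.length > 0;
            ruleList.add(new SecurityIpFilterRule(true, boundAddresses));
        }
        for (String allowEntry : allow) {
            ruleList.add(new SecurityIpFilterRule(true, allowEntry));
        }
        for (String denyEntry : deny) {
            ruleList.add(new SecurityIpFilterRule(false, denyEntry));
        }
        return ruleList.toArray(new SecurityIpFilterRule[0]);
    }

    /**
     * Records the transport layer's bound addresses and rebuilds the rule table. May be called
     * once; the underlying {@link SetOnce} rejects a second call.
     *
     * @param boundTransportAddress addresses of the default transport profile
     * @param profileAddresses      addresses per named transport profile
     */
    public void setBoundTransportAddress(BoundTransportAddress boundTransportAddress,
                                         Map<String, BoundTransportAddress> profileAddresses) {
        this.boundTransportAddress.set(boundTransportAddress);
        this.profileBoundAddress.set(profileAddresses);
        updateRules();
    }

    /**
     * Records the HTTP layer's bound addresses and rebuilds the rule table. May be called once.
     *
     * @param boundHttpAddress addresses the HTTP layer is bound to
     */
    public void setBoundHttpTransportAddress(BoundTransportAddress boundHttpAddress) {
        this.boundHttpTransportAddress.set(boundHttpAddress);
        updateRules();
    }

    /**
     * Appends every setting this filter reads to {@code settings} so they can be registered.
     *
     * @param settings the settings list to extend
     */
    public static void addSettings(List<Setting<?>> settings) {
        settings.add(ALLOW_BOUND_ADDRESSES_SETTING);
        settings.add(IP_FILTER_ENABLED_SETTING);
        settings.add(IP_FILTER_ENABLED_HTTP_SETTING);
        settings.add(HTTP_FILTER_ALLOW_SETTING);
        settings.add(HTTP_FILTER_DENY_SETTING);
        settings.add(TRANSPORT_FILTER_ALLOW_SETTING);
        settings.add(TRANSPORT_FILTER_DENY_SETTING);
        settings.add(PROFILE_FILTER_ALLOW_SETTING);
        settings.add(PROFILE_FILTER_DENY_SETTING);
    }
}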
