package org.elasticsearch.xpack.security.authc;

import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.MapBuilder;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.CountDown;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.LicensedFeature;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/Realms.class */
public class Realms implements Iterable<Realm> {
    private static final Logger logger;
    private static final DeprecationLogger deprecationLogger;
    private final Settings settings;
    private final Environment env;
    private final Map<String, Realm.Factory> factories;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final ReservedRealm reservedRealm;
    private final List<Realm> allConfiguredRealms;
    private volatile List<Realm> activeRealms;
    static final /* synthetic */ boolean $assertionsDisabled;

    public Realms(Settings settings, Environment environment, Map<String, Realm.Factory> map, XPackLicenseState xPackLicenseState, ThreadContext threadContext, ReservedRealm reservedRealm) throws Exception {
        this.settings = settings;
        this.env = environment;
        this.factories = map;
        this.licenseState = xPackLicenseState;
        this.threadContext = threadContext;
        this.reservedRealm = reservedRealm;
        if (!$assertionsDisabled && !((Boolean) XPackSettings.SECURITY_ENABLED.get(settings)).booleanValue()) {
            throw new AssertionError("security must be enabled");
        }
        if (!$assertionsDisabled && map.get("reserved") != null) {
            throw new AssertionError();
        }
        this.allConfiguredRealms = initRealms(buildRealmConfigs());
        this.allConfiguredRealms.forEach(realm -> {
            realm.initialize(this.allConfiguredRealms, xPackLicenseState);
        });
        if (!$assertionsDisabled && this.allConfiguredRealms.get(0) != reservedRealm) {
            throw new AssertionError("the first realm must be reserved realm");
        }
        recomputeActiveRealms();
        xPackLicenseState.addListener(this::recomputeActiveRealms);
    }

    protected void recomputeActiveRealms() {
        XPackLicenseState copyCurrentLicenseState = this.licenseState.copyCurrentLicenseState();
        List<Realm> calculateLicensedRealms = calculateLicensedRealms(copyCurrentLicenseState);
        logger.info("license mode is [{}], currently licensed security realms are [{}]", copyCurrentLicenseState.getOperationMode().description(), Strings.collectionToCommaDelimitedString(calculateLicensedRealms));
        if (this.activeRealms != null) {
            this.activeRealms.stream().filter(realm -> {
                return !calculateLicensedRealms.contains(realm);
            }).forEach(realm2 -> {
                handleDisabledRealmDueToLicenseChange(realm2, copyCurrentLicenseState);
            });
        }
        this.activeRealms = calculateLicensedRealms;
    }

    protected void handleDisabledRealmDueToLicenseChange(Realm realm, XPackLicenseState xPackLicenseState) {
        LicensedFeature.Persistent licensedFeatureForRealm = getLicensedFeatureForRealm(realm.type());
        if (!$assertionsDisabled && licensedFeatureForRealm == null) {
            throw new AssertionError("Realm [" + realm + "] with no licensed feature became inactive due to change to license mode [" + xPackLicenseState.getOperationMode() + "]");
        }
        licensedFeatureForRealm.stopTracking(xPackLicenseState, realm.name());
        logger.warn("The [{}.{}] realm has been automatically disabled due to a change in license [{}]", realm.type(), realm.name(), xPackLicenseState.statusDescription());
    }

    @Override // java.lang.Iterable
    public Iterator<Realm> iterator() {
        return getActiveRealms().iterator();
    }

    public List<Realm> getUnlicensedRealms() {
        List<Realm> list = this.activeRealms;
        return list.equals(this.allConfiguredRealms) ? Collections.emptyList() : (List) this.allConfiguredRealms.stream().filter(realm -> {
            return !list.contains(realm);
        }).collect(Collectors.toUnmodifiableList());
    }

    public Stream<Realm> stream() {
        return StreamSupport.stream(spliterator(), false);
    }

    public List<Realm> getActiveRealms() {
        if ($assertionsDisabled || this.activeRealms != null) {
            return this.activeRealms;
        }
        throw new AssertionError("Active realms not configured");
    }

    protected List<Realm> calculateLicensedRealms(XPackLicenseState xPackLicenseState) {
        return (List) this.allConfiguredRealms.stream().filter(realm -> {
            return checkLicense(realm, xPackLicenseState);
        }).collect(Collectors.toUnmodifiableList());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean checkLicense(Realm realm, XPackLicenseState xPackLicenseState) {
        LicensedFeature.Persistent licensedFeatureForRealm = getLicensedFeatureForRealm(realm.type());
        if (licensedFeatureForRealm == null) {
            return true;
        }
        return licensedFeatureForRealm.checkAndStartTracking(xPackLicenseState, realm.name());
    }

    public static boolean isRealmTypeAvailable(XPackLicenseState xPackLicenseState, String str) {
        LicensedFeature.Persistent licensedFeatureForRealm = getLicensedFeatureForRealm(str);
        if (licensedFeatureForRealm == null) {
            return true;
        }
        return licensedFeatureForRealm.checkWithoutTracking(xPackLicenseState);
    }

    @Nullable
    private static LicensedFeature.Persistent getLicensedFeatureForRealm(String str) {
        if ($assertionsDisabled || Strings.hasText(str)) {
            return InternalRealms.isInternalRealm(str) ? InternalRealms.getLicensedFeature(str) : Security.CUSTOM_REALMS_FEATURE;
        }
        throw new AssertionError("Realm type must be provided (received [" + str + "])");
    }

    public Realm realm(String str) {
        for (Realm realm : this.activeRealms) {
            if (str.equals(realm.name())) {
                return realm;
            }
        }
        return null;
    }

    public Realm.Factory realmFactory(String str) {
        return this.factories.get(str);
    }

    protected List<Realm> initRealms(List<RealmConfig> list) throws Exception {
        ArrayList arrayList = new ArrayList();
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        ArrayList arrayList2 = new ArrayList();
        for (RealmConfig realmConfig : list) {
            Realm.Factory factory = this.factories.get(realmConfig.identifier().getType());
            if (!$assertionsDisabled && factory == null) {
                throw new AssertionError("unknown realm type [" + realmConfig.identifier().getType() + "]");
            }
            if (realmConfig.identifier().getName().startsWith("_")) {
                arrayList2.add(realmConfig.identifier());
            }
            if (realmConfig.enabled()) {
                Realm create = factory.create(realmConfig);
                ((Set) hashMap.computeIfAbsent(create.name(), str -> {
                    return new HashSet();
                })).add(RealmSettings.realmSettingPrefix(create.type()) + create.name());
                hashMap2.computeIfAbsent(Integer.valueOf(create.order()), num -> {
                    return new HashSet();
                }).add(create.name());
                arrayList.add(create);
            } else if (logger.isDebugEnabled()) {
                logger.debug("realm [{}] is disabled", realmConfig.identifier());
            }
        }
        checkUniqueOrders(hashMap2);
        Collections.sort(arrayList);
        maybeAddBasicRealms(arrayList, findDisabledBasicRealmTypes(list));
        arrayList.add(0, this.reservedRealm);
        String str2 = (String) hashMap.entrySet().stream().filter(entry -> {
            return ((Set) entry.getValue()).size() > 1;
        }).map(entry2 -> {
            return ((String) entry2.getKey()) + ": " + entry2.getValue();
        }).collect(Collectors.joining("; "));
        if (Strings.hasText(str2)) {
            throw new IllegalArgumentException("Found multiple realms configured with the same name: " + str2);
        }
        logDeprecationForReservedPrefixedRealmNames(arrayList2);
        return Collections.unmodifiableList(arrayList);
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        XPackLicenseState copyCurrentLicenseState = this.licenseState.copyCurrentLicenseState();
        HashMap hashMap = new HashMap();
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        List<Realm> list = (List) getActiveRealms().stream().filter(realm -> {
            return !"reserved".equals(realm.type());
        }).collect(Collectors.toList());
        CountDown countDown = new CountDown(list.size());
        Runnable runnable = () -> {
            if ((list.isEmpty() || countDown.countDown()) && !atomicBoolean.get()) {
                for (String str : this.factories.keySet()) {
                    if (!$assertionsDisabled && "reserved".equals(str)) {
                        throw new AssertionError();
                    }
                    hashMap.compute(str, (str2, obj) -> {
                        if (obj == null) {
                            return MapBuilder.newMapBuilder().put("enabled", false).put("available", Boolean.valueOf(isRealmTypeAvailable(copyCurrentLicenseState, str))).map();
                        }
                        if (!$assertionsDisabled && !(obj instanceof Map)) {
                            throw new AssertionError();
                        }
                        Map map = (Map) obj;
                        map.put("enabled", true);
                        map.put("available", true);
                        return obj;
                    });
                }
                actionListener.onResponse(hashMap);
            }
        };
        if (list.isEmpty()) {
            runnable.run();
            return;
        }
        for (Realm realm2 : list) {
            realm2.usageStats(ActionListener.wrap(map -> {
                if (atomicBoolean.get()) {
                    return;
                }
                synchronized (hashMap) {
                    hashMap.compute(realm2.type(), (str, obj) -> {
                        if (obj == null) {
                            return convertToMapOfLists(map);
                        }
                        if (!$assertionsDisabled && !(obj instanceof Map)) {
                            throw new AssertionError();
                        }
                        combineMaps((Map) obj, map);
                        return obj;
                    });
                }
                runnable.run();
            }, exc -> {
                if (atomicBoolean.compareAndSet(false, true)) {
                    actionListener.onFailure(exc);
                }
            }));
        }
    }

    private void maybeAddBasicRealms(List<Realm> list, Set<String> set) throws Exception {
        Set set2 = (Set) list.stream().map((v0) -> {
            return v0.type();
        }).collect(Collectors.toUnmodifiableSet());
        if (false == set.contains("native") && false == set2.contains("native")) {
            RealmConfig.RealmIdentifier realmIdentifier = new RealmConfig.RealmIdentifier("native", "default_native");
            list.add(0, this.factories.get("native").create(new RealmConfig(realmIdentifier, ensureOrderSetting(this.settings, realmIdentifier, Integer.MIN_VALUE), this.env, this.threadContext)));
        }
        if (false == set.contains("file") && false == set2.contains("file")) {
            RealmConfig.RealmIdentifier realmIdentifier2 = new RealmConfig.RealmIdentifier("file", "default_file");
            list.add(0, this.factories.get("file").create(new RealmConfig(realmIdentifier2, ensureOrderSetting(this.settings, realmIdentifier2, Integer.MIN_VALUE), this.env, this.threadContext)));
        }
    }

    private Settings ensureOrderSetting(Settings settings, RealmConfig.RealmIdentifier realmIdentifier, int i) {
        return Settings.builder().put(settings).put(RealmSettings.realmSettingPrefix(realmIdentifier) + "order", i).build();
    }

    private void checkUniqueOrders(Map<Integer, Set<String>> map) {
        String str = (String) map.entrySet().stream().filter(entry -> {
            return ((Set) entry.getValue()).size() > 1;
        }).map(entry2 -> {
            return entry2.getKey() + ": " + entry2.getValue();
        }).collect(Collectors.joining("; "));
        if (Strings.hasText(str)) {
            throw new IllegalArgumentException("Found multiple realms configured with the same order: " + str);
        }
    }

    private List<RealmConfig> buildRealmConfigs() {
        Map realmSettings = RealmSettings.getRealmSettings(this.settings);
        RealmSettings.verifyRealmNameToDomainNameAssociation(this.settings, realmSettings.keySet());
        HashSet hashSet = new HashSet();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        for (RealmConfig.RealmIdentifier realmIdentifier : realmSettings.keySet()) {
            if (this.factories.get(realmIdentifier.getType()) == null) {
                throw new IllegalArgumentException("unknown realm type [" + realmIdentifier.getType() + "] for realm [" + realmIdentifier + "]");
            }
            RealmConfig realmConfig = new RealmConfig(realmIdentifier, this.settings, this.env, this.threadContext);
            if (InternalRealms.isBuiltinRealm(realmIdentifier.getType())) {
                if (hashSet.contains(realmIdentifier.getType())) {
                    throw new IllegalArgumentException("multiple [" + realmIdentifier.getType() + "] realms are configured. [" + realmIdentifier.getType() + "] is an internal realm and therefore there can only be one such realm configured");
                }
                hashSet.add(realmIdentifier.getType());
            }
            if ("kerberos".equals(realmIdentifier.getType())) {
                arrayList.add(realmIdentifier.getName());
                if (arrayList.size() > 1) {
                    throw new IllegalArgumentException("multiple realms " + arrayList.toString() + " configured of type [" + realmIdentifier.getType() + "], [" + realmIdentifier.getType() + "] can only have one such realm configured");
                }
            }
            arrayList2.add(realmConfig);
        }
        return arrayList2;
    }

    private Set<String> findDisabledBasicRealmTypes(List<RealmConfig> list) {
        return (Set) list.stream().filter(realmConfig -> {
            return InternalRealms.isBuiltinRealm(realmConfig.type());
        }).filter(realmConfig2 -> {
            return false == realmConfig2.enabled();
        }).map((v0) -> {
            return v0.type();
        }).collect(Collectors.toUnmodifiableSet());
    }

    private void logDeprecationForReservedPrefixedRealmNames(List<RealmConfig.RealmIdentifier> list) {
        if (false == list.isEmpty()) {
            deprecationLogger.warn(DeprecationCategory.SECURITY, "realm_name_with_reserved_prefix", "Found realm " + (list.size() == 1 ? "name" : "names") + " with reserved prefix [{}]: [{}]. In a future major release, node will fail to start if any realm names start with reserved prefix.", new Object[]{"_", list.stream().map(realmIdentifier -> {
                return "xpack.security.authc.realms." + realmIdentifier.getType() + "." + realmIdentifier.getName();
            }).sorted().collect(Collectors.joining("; "))});
        }
    }

    private static void combineMaps(Map<String, Object> map, Map<String, Object> map2) {
        for (Map.Entry<String, Object> entry : map2.entrySet()) {
            map.compute(entry.getKey(), (str, obj) -> {
                if (obj == null) {
                    return new ArrayList(Collections.singletonList(entry.getValue()));
                }
                if (!$assertionsDisabled && !(obj instanceof List)) {
                    throw new AssertionError();
                }
                ((List) obj).add(entry.getValue());
                return obj;
            });
        }
    }

    private static Map<String, Object> convertToMapOfLists(Map<String, Object> map) {
        Map<String, Object> newMapWithExpectedSize = Maps.newMapWithExpectedSize(map.size());
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            newMapWithExpectedSize.put(entry.getKey(), new ArrayList(Collections.singletonList(entry.getValue())));
        }
        return newMapWithExpectedSize;
    }

    static {
        $assertionsDisabled = !Realms.class.desiredAssertionStatus();
        logger = LogManager.getLogger(Realms.class);
        deprecationLogger = DeprecationLogger.getLogger(logger.getName());
    }
}
