package org.elasticsearch.xpack.security.authz.store;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.XContentParseException;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.yaml.YamlXContent;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.authz.store.RoleRetrievalResult;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.core.security.support.NoOpLogger;
import org.elasticsearch.xpack.core.security.support.Validation;
import org.elasticsearch.xpack.security.PrivilegedFileWatcher;
import org.elasticsearch.xpack.security.authz.FileRoleValidator;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/FileRolesStore.class */
public class FileRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> {
    private static final Pattern IN_SEGMENT_LINE;
    private static final Pattern SKIP_LINE;
    private static final Logger logger;
    private static final RoleDescriptor.Parser ROLE_DESCRIPTOR_PARSER;
    private final Settings settings;
    private final Path file;
    private final FileRoleValidator roleValidator;
    private final XPackLicenseState licenseState;
    private final NamedXContentRegistry xContentRegistry;
    private final List<Consumer<Set<String>>> listeners;
    private volatile Map<String, RoleDescriptor> permissions;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/FileRolesStore$FileListener.class */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        public synchronized void onFileChanged(Path path) {
            if (path.equals(FileRolesStore.this.file)) {
                Map<String, RoleDescriptor> map = FileRolesStore.this.permissions;
                try {
                    FileRolesStore.this.permissions = FileRolesStore.parseFile(path, FileRolesStore.logger, FileRolesStore.this.settings, FileRolesStore.this.licenseState, FileRolesStore.this.xContentRegistry, FileRolesStore.this.roleValidator);
                    Set unmodifiableSet = Collections.unmodifiableSet(Sets.union((Set) Sets.difference(map.entrySet(), FileRolesStore.this.permissions.entrySet()).stream().map((v0) -> {
                        return v0.getKey();
                    }).collect(Collectors.toSet()), Sets.difference(FileRolesStore.this.permissions.keySet(), map.keySet())));
                    if (unmodifiableSet.isEmpty()) {
                        return;
                    }
                    FileRolesStore.logger.info("updated roles (roles file [{}] {})", path.toAbsolutePath(), Files.exists(path, new LinkOption[0]) ? "changed" : "removed");
                    FileRolesStore.this.listeners.forEach(consumer -> {
                        consumer.accept(unmodifiableSet);
                    });
                } catch (Exception e) {
                    FileRolesStore.logger.error(() -> {
                        return Strings.format("could not reload roles file [%s]. Current roles remain unmodified", new Object[]{path.toAbsolutePath()});
                    }, e);
                }
            }
        }
    }

    public FileRolesStore(Settings settings, Environment environment, ResourceWatcherService resourceWatcherService, XPackLicenseState xPackLicenseState, NamedXContentRegistry namedXContentRegistry, FileRoleValidator fileRoleValidator) throws IOException {
        this(settings, environment, resourceWatcherService, null, fileRoleValidator, xPackLicenseState, namedXContentRegistry);
    }

    FileRolesStore(Settings settings, Environment environment, ResourceWatcherService resourceWatcherService, Consumer<Set<String>> consumer, FileRoleValidator fileRoleValidator, XPackLicenseState xPackLicenseState, NamedXContentRegistry namedXContentRegistry) throws IOException {
        this.listeners = new ArrayList();
        this.settings = settings;
        this.file = resolveFile(environment);
        this.roleValidator = fileRoleValidator;
        if (consumer != null) {
            this.listeners.add(consumer);
        }
        this.licenseState = xPackLicenseState;
        this.xContentRegistry = namedXContentRegistry;
        PrivilegedFileWatcher privilegedFileWatcher = new PrivilegedFileWatcher(this.file.getParent());
        privilegedFileWatcher.addListener(new FileListener());
        resourceWatcherService.add(privilegedFileWatcher, ResourceWatcherService.Frequency.HIGH);
        this.permissions = parseFile(this.file, logger, settings, xPackLicenseState, namedXContentRegistry, fileRoleValidator);
    }

    @Override // java.util.function.BiConsumer
    public void accept(Set<String> set, ActionListener<RoleRetrievalResult> actionListener) {
        actionListener.onResponse(RoleRetrievalResult.success(roleDescriptors(set)));
    }

    Set<RoleDescriptor> roleDescriptors(Set<String> set) {
        Map<String, RoleDescriptor> map = this.permissions;
        HashSet hashSet = new HashSet();
        set.forEach(str -> {
            RoleDescriptor roleDescriptor = (RoleDescriptor) map.get(str);
            if (roleDescriptor != null) {
                hashSet.add(roleDescriptor);
            }
        });
        return hashSet;
    }

    public boolean exists(String str) {
        return this.permissions.containsKey(str);
    }

    public Map<String, Object> usageStats() {
        Map<String, RoleDescriptor> map = this.permissions;
        Map<String, Object> newMapWithExpectedSize = Maps.newMapWithExpectedSize(3);
        newMapWithExpectedSize.put("size", Integer.valueOf(map.size()));
        boolean z = false;
        boolean z2 = false;
        Iterator<RoleDescriptor> it = map.values().iterator();
        while (it.hasNext()) {
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : it.next().getIndicesPrivileges()) {
                z2 = (!z2 && indicesPrivileges.getGrantedFields() == null && indicesPrivileges.getDeniedFields() == null) ? false : true;
                z = z || indicesPrivileges.getQuery() != null;
            }
            if (z2 && z) {
                break;
            }
        }
        newMapWithExpectedSize.put("fls", Boolean.valueOf(z2));
        newMapWithExpectedSize.put("dls", Boolean.valueOf(z));
        newMapWithExpectedSize.put("remote_indices", Long.valueOf(map.values().stream().filter((v0) -> {
            return v0.hasRemoteIndicesPrivileges();
        }).count()));
        newMapWithExpectedSize.put("remote_cluster", Long.valueOf(map.values().stream().filter((v0) -> {
            return v0.hasRemoteClusterPermissions();
        }).count()));
        return newMapWithExpectedSize;
    }

    public void addListener(Consumer<Set<String>> consumer) {
        Objects.requireNonNull(consumer);
        synchronized (this) {
            this.listeners.add(consumer);
        }
    }

    public Path getFile() {
        return this.file;
    }

    public Map<String, RoleDescriptor> getAllRoleDescriptors() {
        return Collections.unmodifiableMap(this.permissions);
    }

    Set<String> getAllRoleNames() {
        return this.permissions.keySet();
    }

    public String toString() {
        return "file roles store (" + String.valueOf(this.file) + ")";
    }

    public static Path resolveFile(Environment environment) {
        return XPackPlugin.resolveConfigFile(environment, "roles.yml");
    }

    public static Set<String> parseFileForRoleNames(Path path, Logger logger2) {
        if (logger2 == null) {
            logger2 = NoOpLogger.INSTANCE;
        }
        HashMap hashMap = new HashMap();
        logger2.trace("attempting to read roles file located at [{}]", path.toAbsolutePath());
        if (Files.exists(path, new LinkOption[0])) {
            try {
                Iterator<String> it = roleSegments(path).iterator();
                while (it.hasNext()) {
                    RoleDescriptor parseRoleDescriptor = parseRoleDescriptor(it.next(), path, logger2, false, Settings.EMPTY, NamedXContentRegistry.EMPTY, new FileRoleValidator.Default());
                    if (parseRoleDescriptor != null) {
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    }
                }
            } catch (IOException e) {
                logger2.error(() -> {
                    return Strings.format("failed to read roles file [%s]. skipping all roles...", new Object[]{path.toAbsolutePath()});
                }, e);
                return Collections.emptySet();
            }
        }
        return Collections.unmodifiableSet(hashMap.keySet());
    }

    public static Map<String, RoleDescriptor> parseFile(Path path, Logger logger2, Settings settings, XPackLicenseState xPackLicenseState, NamedXContentRegistry namedXContentRegistry, FileRoleValidator fileRoleValidator) {
        if (logger2 == null) {
            logger2 = NoOpLogger.INSTANCE;
        }
        HashMap hashMap = new HashMap();
        logger2.debug("attempting to read roles file located at [{}]", path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            logger2.debug("roles file does not exist");
            return Collections.emptyMap();
        }
        try {
            List<String> roleSegments = roleSegments(path);
            boolean checkWithoutTracking = SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(xPackLicenseState);
            Iterator<String> it = roleSegments.iterator();
            while (it.hasNext()) {
                RoleDescriptor parseRoleDescriptor = parseRoleDescriptor(it.next(), path, logger2, true, settings, namedXContentRegistry, fileRoleValidator);
                if (parseRoleDescriptor != null) {
                    if (ReservedRolesStore.isReserved(parseRoleDescriptor.getName())) {
                        logger2.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored", parseRoleDescriptor.getName());
                    } else if (!parseRoleDescriptor.isUsingDocumentOrFieldLevelSecurity() || checkWithoutTracking) {
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    } else {
                        logger2.warn("role [{}] uses document and/or field level security, which is not enabled by the current license. this role will be ignored", parseRoleDescriptor.getName());
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    }
                }
            }
            logger2.info("parsed [{}] roles from file [{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath());
            return Collections.unmodifiableMap(hashMap);
        } catch (IOException e) {
            logger2.error(() -> {
                return Strings.format("failed to read roles file [%s]. skipping all roles...", new Object[]{path.toAbsolutePath()});
            }, e);
            return Collections.emptyMap();
        }
    }

    @Nullable
    static RoleDescriptor parseRoleDescriptor(String str, Path path, Logger logger2, boolean z, Settings settings, NamedXContentRegistry namedXContentRegistry, FileRoleValidator fileRoleValidator) {
        String str2 = null;
        try {
            try {
                XContentParser createParser = YamlXContent.yamlXContent.createParser(XContentParserConfiguration.EMPTY.withRegistry(namedXContentRegistry).withDeprecationHandler(LoggingDeprecationHandler.INSTANCE), str);
                try {
                    if (createParser.nextToken() != XContentParser.Token.START_OBJECT || createParser.nextToken() != XContentParser.Token.FIELD_NAME) {
                        logger2.error("invalid role definition [{}] in roles file [{}]. skipping role...", (Object) null, path.toAbsolutePath());
                        if (createParser != null) {
                            createParser.close();
                        }
                        return null;
                    }
                    String currentName = createParser.currentName();
                    Validation.Error validateRoleName = Validation.Roles.validateRoleName(currentName, false);
                    if (validateRoleName != null) {
                        logger2.error("invalid role definition [{}] in roles file [{}]. invalid role name - {}. skipping role...", currentName, path.toAbsolutePath(), validateRoleName);
                        if (createParser != null) {
                            createParser.close();
                        }
                        return null;
                    }
                    if (!z) {
                        RoleDescriptor roleDescriptor = new RoleDescriptor(currentName, (String[]) null, (RoleDescriptor.IndicesPrivileges[]) null, (String[]) null);
                        if (createParser != null) {
                            createParser.close();
                        }
                        return roleDescriptor;
                    }
                    if (createParser.nextToken() == XContentParser.Token.START_OBJECT) {
                        RoleDescriptor checkDescriptor = checkDescriptor(ROLE_DESCRIPTOR_PARSER.parse(currentName, createParser), path, logger2, settings, namedXContentRegistry, fileRoleValidator);
                        if (createParser != null) {
                            createParser.close();
                        }
                        return checkDescriptor;
                    }
                    logger2.error("invalid role definition [{}] in roles file [{}]. skipping role...", currentName, path.toAbsolutePath());
                    if (createParser != null) {
                        createParser.close();
                    }
                    return null;
                } catch (Throwable th) {
                    if (createParser != null) {
                        try {
                            createParser.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (ElasticsearchParseException e) {
                if (!$assertionsDisabled && 0 == 0) {
                    throw new AssertionError();
                }
                if (logger2.isDebugEnabled()) {
                    logger2.debug(() -> {
                        return "parsing exception for role [" + str2 + "]";
                    }, e);
                    return null;
                }
                logger2.error(e.getMessage() + ". skipping role...");
                return null;
            }
        } catch (IOException | XContentParseException e2) {
            if (0 != 0) {
                logger2.error(() -> {
                    return Strings.format("invalid role definition [%s] in roles file [%s]. skipping role...", new Object[]{str2, path});
                }, e2);
                return null;
            }
            logger2.error(() -> {
                return "invalid role definition in roles file [" + String.valueOf(path) + "]. skipping role...";
            }, e2);
            return null;
        }
    }

    @Nullable
    private static RoleDescriptor checkDescriptor(RoleDescriptor roleDescriptor, Path path, Logger logger2, Settings settings, NamedXContentRegistry namedXContentRegistry, FileRoleValidator fileRoleValidator) {
        String name = roleDescriptor.getName();
        if (roleDescriptor.isUsingDocumentOrFieldLevelSecurity()) {
            if (!((Boolean) XPackSettings.DLS_FLS_ENABLED.get(settings)).booleanValue()) {
                logger2.error("invalid role definition [{}] in roles file [{}]. document and field level security is not enabled. set [{}] to [true] in the configuration file. skipping role...", name, path.toAbsolutePath(), XPackSettings.DLS_FLS_ENABLED.getKey());
                return null;
            }
            try {
                DLSRoleQueryValidator.validateQueryField(roleDescriptor.getIndicesPrivileges(), namedXContentRegistry);
            } catch (ElasticsearchException | IllegalArgumentException e) {
                logger2.error(() -> {
                    return Strings.format("invalid role definition [%s] in roles file [%s]. failed to validate query field. skipping role...", new Object[]{name, path.toAbsolutePath()});
                }, e);
                return null;
            }
        }
        ActionRequestValidationException validatePredefinedRole = fileRoleValidator.validatePredefinedRole(roleDescriptor);
        if (validatePredefinedRole != null) {
            throw validatePredefinedRole;
        }
        Validation.Error validateRoleDescription = Validation.Roles.validateRoleDescription(roleDescriptor.getDescription());
        if (validateRoleDescription == null) {
            return roleDescriptor;
        }
        logger2.error("invalid role definition [{}] in roles file [{}]. invalid description - {}. skipping role...", name, path.toAbsolutePath(), validateRoleDescription);
        return null;
    }

    private static List<String> roleSegments(Path path) throws IOException {
        ArrayList arrayList = new ArrayList();
        StringBuilder sb = null;
        for (String str : Files.readAllLines(path, StandardCharsets.UTF_8)) {
            if (!SKIP_LINE.matcher(str).matches()) {
                if (!IN_SEGMENT_LINE.matcher(str).matches()) {
                    if (sb != null) {
                        arrayList.add(sb.toString());
                    }
                    sb = new StringBuilder(str).append("\n");
                } else if (sb != null) {
                    sb.append(str).append("\n");
                }
            }
        }
        if (sb != null) {
            arrayList.add(sb.toString());
        }
        return arrayList;
    }

    static {
        $assertionsDisabled = !FileRolesStore.class.desiredAssertionStatus();
        IN_SEGMENT_LINE = Pattern.compile("^\\s+.+");
        SKIP_LINE = Pattern.compile("(^#.*|^\\s*)");
        logger = LogManager.getLogger(FileRolesStore.class);
        ROLE_DESCRIPTOR_PARSER = RoleDescriptor.parserBuilder().allow2xFormat(true).allowDescription(true).build();
    }
}
