package org.elasticsearch.xpack.security.authz.store;

import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.Locale;
import java.util.Map;
import java.util.Queue;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.concurrent.RejectedExecutionException;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.support.StringMatcher;

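/**
 * Inspects role descriptors in the background and emits a critical {@link DeprecationCategory#SECURITY}
 * deprecation message for every role whose index privileges match an alias while the same role's
 * privileges on the indices behind that alias do not pass the containment check in
 * {@link #logDeprecatedPermission(RoleDescriptor)}.
 *
 * <p>Role descriptors handed to {@link #accept(Collection)} are de-duplicated per UTC day and queued;
 * a single task on the generic thread pool drains the queue. The queue, the de-duplication cache and
 * the {@code workerBusy} flag are only touched while holding {@code mutex}.
 *
 * <p>The de-duplication key is built from the UTC date and the role name only (see
 * {@link #buildCacheKey(RoleDescriptor)}). A role whose definition changes under the same name, or whose
 * matching aliases and indices change, is therefore not examined again until the next UTC day.
 */
public final class DeprecationRoleDescriptorConsumer implements Consumer<Collection<RoleDescriptor>> {
    private static final String ROLE_PERMISSION_DEPRECATION_STANZA = "Role [%s] contains index privileges covering the [%s] alias"
        + " but which do not cover some of the indices that it points to [%s]."
        + " Granting privileges over an alias and hence granting privileges over all the indices that the alias points to"
        + " is deprecated and will be removed in a future version of Elasticsearch."
        + " Instead define permissions exclusively on index names or index name patterns.";
    private static final Logger logger = LogManager.getLogger(DeprecationRoleDescriptorConsumer.class);

    private final DeprecationLogger deprecationLogger;
    private final ClusterService clusterService;
    private final ThreadPool threadPool;
    // Guards workQueue, workerBusy and dailyRoleCache.
    private final Object mutex;
    // Role descriptors waiting to be checked by the background task.
    private final Queue<RoleDescriptor> workQueue;
    // True while a drain task is scheduled or running; ensures at most one task at a time.
    private boolean workerBusy;
    // Keys of the form "<UTC basic ISO date>-<role name>" for roles already queued today.
    private final Set<String> dailyRoleCache;

    /**
     * Creates a consumer that reports through the deprecation logger registered for this class.
     *
     * @param clusterService source of the cluster state whose indices lookup is inspected
     * @param threadPool pool whose generic executor runs the background check
     */
    public DeprecationRoleDescriptorConsumer(ClusterService clusterService, ThreadPool threadPool) {
        this(clusterService, threadPool, DeprecationLogger.getLogger(DeprecationRoleDescriptorConsumer.class));
    }

    /**
     * Package-private constructor that accepts the deprecation logger to report through.
     *
     * @param clusterService source of the cluster state whose indices lookup is inspected
     * @param threadPool pool whose generic executor runs the background check
     * @param deprecationLogger receiver of the deprecation messages
     */
    DeprecationRoleDescriptorConsumer(ClusterService clusterService, ThreadPool threadPool, DeprecationLogger deprecationLogger) {
        this.deprecationLogger = deprecationLogger;
        this.clusterService = clusterService;
        this.threadPool = threadPool;
        this.mutex = new Object();
        this.workQueue = new LinkedList<>();
        this.workerBusy = false;
        this.dailyRoleCache = Collections.newSetFromMap(new LinkedHashMap<String, Boolean>() {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                // Insertion order puts the oldest key first; drop it once it no longer belongs to the
                // current UTC day. At most one stale key is removed per insertion.
                return false == eldest.getKey().startsWith(todayISODate());
            }
        });
    }

    /**
     * Queues every role descriptor that has not yet been queued today and makes sure a background
     * task is draining the queue.
     *
     * <p>If the executor rejects the task, the rejection is logged at WARN and the queued roles stay
     * in the queue until a later call manages to schedule the task.
     *
     * @param effectiveRoleDescriptors role descriptors to check
     */
    @Override
    public void accept(Collection<RoleDescriptor> effectiveRoleDescriptors) {
        synchronized (mutex) {
            for (RoleDescriptor roleDescriptor : effectiveRoleDescriptors) {
                // add() returns false when the role name was already seen today, which skips the re-check.
                if (dailyRoleCache.add(buildCacheKey(roleDescriptor))) {
                    workQueue.add(roleDescriptor);
                }
            }
            if (workerBusy) {
                return;
            }
            workerBusy = true;
            try {
                threadPool.generic().execute(new AbstractRunnable() {
                    @Override
                    public void onFailure(Exception e) {
                        logger.warn("Failed to produce role deprecation messages", e);
                        synchronized (mutex) {
                            if (workQueue.peek() == null) {
                                workerBusy = false;
                                return;
                            }
                            // The failing role was already polled, so rescheduling continues with the next one.
                            workerBusy = true;
                            try {
                                threadPool.generic().execute(this);
                            } catch (RejectedExecutionException rejected) {
                                workerBusy = false;
                                logger.warn("Failed to start working on role alias permisssion deprecation messages", rejected);
                            }
                        }
                    }

                    @Override
                    protected void doRun() throws Exception {
                        while (true) {
                            final RoleDescriptor next;
                            synchronized (mutex) {
                                next = workQueue.poll();
                                if (next == null) {
                                    workerBusy = false;
                                    return;
                                }
                            }
                            // The check itself runs outside the lock so accept() is never blocked by it.
                            logger.trace("Begin role [{}] check for alias permission deprecation", next.getName());
                            logDeprecatedPermission(next);
                            logger.trace("Completed role [{}] check for alias permission deprecation", next.getName());
                        }
                    }
                });
            } catch (RejectedExecutionException e) {
                workerBusy = false;
                logger.warn("Failed to start working on role alias permisssion deprecation messages", e);
            }
        }
    }

    /**
     * Compares, for one role, the privileges it is granted on each matching alias with the privileges
     * it is granted on each index that alias points to, and logs one deprecation message per alias
     * listing the indices that fail the comparison.
     *
     * @param roleDescriptor the role to check against the current indices lookup
     */
    private void logDeprecatedPermission(RoleDescriptor roleDescriptor) {
        final SortedMap<String, IndexAbstraction> indicesLookup = clusterService.state().metadata().getIndicesLookup();
        final Map<String, Set<String>> privilegesByAlias = new HashMap<>();
        // Everything that matches but is not an alias is recorded here, keyed by name.
        final Map<String, Set<String>> privilegesByIndex = new TreeMap<>();
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges : roleDescriptor.getIndicesPrivileges()) {
            final StringMatcher namePatternMatcher = StringMatcher.of(Arrays.asList(indicesPrivileges.getIndices()));
            for (Map.Entry<String, IndexAbstraction> lookupEntry : indicesLookup.entrySet()) {
                final String abstractionName = lookupEntry.getKey();
                if (false == namePatternMatcher.test(abstractionName)) {
                    continue;
                }
                final Map<String, Set<String>> target = lookupEntry.getValue().getType() == IndexAbstraction.Type.ALIAS
                    ? privilegesByAlias
                    : privilegesByIndex;
                target.computeIfAbsent(abstractionName, ignored -> new HashSet<>())
                    .addAll(Arrays.asList(indicesPrivileges.getPrivileges()));
            }
        }
        // Privilege automatons per index, computed once however many aliases point to the index.
        final Map<String, Automaton> indexAutomatons = new HashMap<>();
        for (Map.Entry<String, Set<String>> aliasEntry : privilegesByAlias.entrySet()) {
            final String aliasName = aliasEntry.getKey();
            final Automaton aliasAutomaton = IndexPrivilege.get(aliasEntry.getValue()).getAutomaton();
            final Set<String> inferiorIndexNames = new TreeSet<>();
            for (IndexMetadata indexMetadata : indicesLookup.get(aliasName).getIndices()) {
                final String indexName = indexMetadata.getIndex().getName();
                final Set<String> indexPrivileges = privilegesByIndex.get(indexName);
                if (indexPrivileges == null) {
                    // The role has no privilege at all on this index by name.
                    inferiorIndexNames.add(indexName);
                    continue;
                }
                final Automaton indexAutomaton = indexAutomatons.computeIfAbsent(
                    indexName,
                    ignored -> IndexPrivilege.get(indexPrivileges).getAutomaton()
                );
                // NOTE(review): the index is reported when the index's privileges are NOT a subset of the
                // alias's privileges. The message text reads as if the reverse containment were meant
                // (alias privileges not covered by the index's); confirm the operand order before
                // treating the absence of this warning as evidence that a role is not over-granted.
                if (false == Operations.subsetOf(indexAutomaton, aliasAutomaton)) {
                    inferiorIndexNames.add(indexName);
                }
            }
            if (false == inferiorIndexNames.isEmpty()) {
                final String message = String.format(
                    Locale.ROOT,
                    ROLE_PERMISSION_DEPRECATION_STANZA,
                    roleDescriptor.getName(),
                    aliasName,
                    String.join(", ", inferiorIndexNames)
                );
                deprecationLogger.critical(DeprecationCategory.SECURITY, "index_permissions_on_alias", message);
            }
        }
    }

    /**
     * Returns the current UTC date in basic ISO form ({@code yyyyMMdd}).
     */
    private static String todayISODate() {
        return ZonedDateTime.now(ZoneOffset.UTC).format(DateTimeFormatter.BASIC_ISO_DATE);
    }

    /**
     * Builds the per-day de-duplication key for a role: the current UTC date, a dash, then the role name.
     *
     * @param roleDescriptor role whose name goes into the key
     * @return the cache key for today
     */
    static String buildCacheKey(RoleDescriptor roleDescriptor) {
        return todayISODate() + "-" + roleDescriptor.getName();
    }
}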
