package org.elasticsearch.xpack.security.authc.support.mapper;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.CheckedBiConsumer;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.query.TermQueryBuilder;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheAction;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheRequest;
import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequest;
import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequest;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
import org.elasticsearch.xpack.core.security.authc.support.mapper.TemplateRoleName;
import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.ExpressionModel;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/mapper/NativeRoleMappingStore.class */
public class NativeRoleMappingStore implements UserRoleMapper {
    private static final Logger logger;
    static final String DOC_TYPE_FIELD = "doc_type";
    static final String DOC_TYPE_ROLE_MAPPING = "role-mapping";
    private static final String ID_PREFIX = "role-mapping_";
    private final Settings settings;
    private final Client client;
    private final SecurityIndexManager securityIndex;
    private final ScriptService scriptService;
    private final List<String> realmsToRefresh = new CopyOnWriteArrayList();
    static final /* synthetic */ boolean $assertionsDisabled;

    public NativeRoleMappingStore(Settings settings, Client client, SecurityIndexManager securityIndexManager, ScriptService scriptService) {
        this.settings = settings;
        this.client = client;
        this.securityIndex = securityIndexManager;
        this.scriptService = scriptService;
    }

    private static String getNameFromId(String str) {
        if ($assertionsDisabled || str.startsWith(ID_PREFIX)) {
            return str.substring(ID_PREFIX.length());
        }
        throw new AssertionError();
    }

    private static String getIdForName(String str) {
        return "role-mapping_" + str;
    }

    protected void loadMappings(ActionListener<List<ExpressionRoleMapping>> actionListener) {
        if (!this.securityIndex.isIndexUpToDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
            return;
        }
        TermQueryBuilder termQuery = QueryBuilders.termQuery(DOC_TYPE_FIELD, DOC_TYPE_ROLE_MAPPING);
        Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
        ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
        try {
            SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(termQuery).setSize(1000).setFetchSource(true).request();
            request.indicesOptions().ignoreUnavailable();
            ScrollHelper.fetchAllByEntity(this.client, request, new ContextPreservingActionListener(newRestorableContext, ActionListener.wrap(collection -> {
                actionListener.onResponse(collection.stream().filter((v0) -> {
                    return Objects.nonNull(v0);
                }).toList());
            }, exc -> {
                logger.error(() -> {
                    return Strings.format("failed to load role mappings from index [%s] skipping all mappings.", new Object[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS});
                }, exc);
                actionListener.onResponse(Collections.emptyList());
            })), searchHit -> {
                return buildMapping(getNameFromId(searchHit.getId()), searchHit.getSourceRef());
            });
            if (stashWithOrigin != null) {
                stashWithOrigin.close();
            }
        } catch (Throwable th) {
            if (stashWithOrigin != null) {
                try {
                    stashWithOrigin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static ExpressionRoleMapping buildMapping(String str, BytesReference bytesReference) {
        try {
            StreamInput streamInput = bytesReference.streamInput();
            try {
                XContentParser createParser = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, streamInput);
                try {
                    ExpressionRoleMapping parse = ExpressionRoleMapping.parse(str, createParser);
                    if (createParser != null) {
                        createParser.close();
                    }
                    if (streamInput != null) {
                        streamInput.close();
                    }
                    return parse;
                } catch (Throwable th) {
                    if (createParser != null) {
                        try {
                            createParser.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            logger.warn(() -> {
                return "Role mapping [" + str + "] cannot be parsed and will be skipped";
            }, e);
            return null;
        }
    }

    public void putRoleMapping(PutRoleMappingRequest putRoleMappingRequest, ActionListener<Boolean> actionListener) {
        Iterator it = putRoleMappingRequest.getRoleTemplates().iterator();
        while (it.hasNext()) {
            ((TemplateRoleName) it.next()).validate(this.scriptService);
        }
        modifyMapping(putRoleMappingRequest.getName(), this::innerPutMapping, putRoleMappingRequest, actionListener);
    }

    public void deleteRoleMapping(DeleteRoleMappingRequest deleteRoleMappingRequest, ActionListener<Boolean> actionListener) {
        modifyMapping(deleteRoleMappingRequest.getName(), this::innerDeleteMapping, deleteRoleMappingRequest, actionListener);
    }

    private <Request, Result> void modifyMapping(String str, CheckedBiConsumer<Request, ActionListener<Result>, Exception> checkedBiConsumer, Request request, ActionListener<Result> actionListener) {
        if (!this.securityIndex.isIndexUpToDate()) {
            actionListener.onFailure(new IllegalStateException("Security index is not on the current version - the native realm will not be operational until the upgrade API is run on the security index"));
            return;
        }
        try {
            CheckedConsumer checkedConsumer = obj -> {
                refreshRealms(actionListener, obj);
            };
            Objects.requireNonNull(actionListener);
            checkedBiConsumer.accept(request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (Exception e) {
            logger.error(() -> {
                return "failed to modify role-mapping [" + str + "]";
            }, e);
            actionListener.onFailure(e);
        }
    }

    private void innerPutMapping(PutRoleMappingRequest putRoleMappingRequest, ActionListener<Boolean> actionListener) {
        ExpressionRoleMapping mapping = putRoleMappingRequest.getMapping();
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            try {
                XContentBuilder xContent = mapping.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS, true);
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                IndexRequest request = this.client.prepareIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS).setId(getIdForName(mapping.getName())).setSource(xContent).setRefreshPolicy(putRoleMappingRequest.getRefreshPolicy()).request();
                ActionListener<IndexResponse> actionListener2 = new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.1
                    public void onResponse(IndexResponse indexResponse) {
                        actionListener.onResponse(Boolean.valueOf(indexResponse.getResult() == DocWriteResponse.Result.CREATED));
                    }

                    public void onFailure(Exception exc) {
                        Logger logger2 = NativeRoleMappingStore.logger;
                        ExpressionRoleMapping expressionRoleMapping = mapping;
                        logger2.error(() -> {
                            return "failed to put role-mapping [" + expressionRoleMapping.getName() + "]";
                        }, exc);
                        actionListener.onFailure(exc);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::index);
            } catch (IOException e) {
                actionListener.onFailure(e);
            }
        });
    }

    private void innerDeleteMapping(DeleteRoleMappingRequest deleteRoleMappingRequest, ActionListener<Boolean> actionListener) {
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (!freeze.indexExists()) {
            actionListener.onResponse(false);
        } else {
            if (!this.securityIndex.isAvailable()) {
                actionListener.onFailure(freeze.getUnavailableReason());
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                DeleteRequest request = this.client.prepareDelete(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForName(deleteRoleMappingRequest.getName())).setRefreshPolicy(deleteRoleMappingRequest.getRefreshPolicy()).request();
                ActionListener<DeleteResponse> actionListener2 = new ActionListener<DeleteResponse>() { // from class: org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore.2
                    public void onResponse(DeleteResponse deleteResponse) {
                        actionListener.onResponse(Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                    }

                    public void onFailure(Exception exc) {
                        Logger logger2 = NativeRoleMappingStore.logger;
                        DeleteRoleMappingRequest deleteRoleMappingRequest2 = deleteRoleMappingRequest;
                        logger2.error(() -> {
                            return "failed to delete role-mapping [" + deleteRoleMappingRequest2.getName() + "]";
                        }, exc);
                        actionListener.onFailure(exc);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::delete);
            });
        }
    }

    public void getRoleMappings(Set<String> set, ActionListener<List<ExpressionRoleMapping>> actionListener) {
        if (set == null || set.isEmpty()) {
            getMappings(actionListener);
        } else {
            getMappings(actionListener.safeMap(list -> {
                return list.stream().filter(expressionRoleMapping -> {
                    return set.contains(expressionRoleMapping.getName());
                }).toList();
            }));
        }
    }

    private void getMappings(ActionListener<List<ExpressionRoleMapping>> actionListener) {
        if (this.securityIndex.isAvailable()) {
            loadMappings(actionListener);
            return;
        }
        logger.info("The security index is not yet available - no role mappings can be loaded");
        if (logger.isDebugEnabled()) {
            logger.debug("Security Index [{}] [exists: {}] [available: {}]", SecuritySystemIndices.SECURITY_MAIN_ALIAS, Boolean.valueOf(this.securityIndex.indexExists()), Boolean.valueOf(this.securityIndex.isAvailable()));
        }
        actionListener.onResponse(Collections.emptyList());
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        if (!this.securityIndex.isAvailable()) {
            reportStats(actionListener, Collections.emptyList());
            return;
        }
        CheckedConsumer checkedConsumer = list -> {
            reportStats(actionListener, list);
        };
        Objects.requireNonNull(actionListener);
        getMappings(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void reportStats(ActionListener<Map<String, Object>> actionListener, List<ExpressionRoleMapping> list) {
        HashMap hashMap = new HashMap();
        hashMap.put("size", Integer.valueOf(list.size()));
        hashMap.put("enabled", Long.valueOf(list.stream().filter((v0) -> {
            return v0.isEnabled();
        }).count()));
        actionListener.onResponse(hashMap);
    }

    public void onSecurityIndexStateChange(SecurityIndexManager.State state, SecurityIndexManager.State state2) {
        if (SecurityIndexManager.isMoveFromRedToNonRed(state, state2) || SecurityIndexManager.isIndexDeleted(state, state2) || !Objects.equals(state.indexUUID, state2.indexUUID) || state.isIndexUpToDate != state2.isIndexUpToDate) {
            refreshRealms(ActionListener.noop(), null);
        }
    }

    private <Result> void refreshRealms(ActionListener<Result> actionListener, Result result) {
        if (this.realmsToRefresh.isEmpty()) {
            actionListener.onResponse(result);
        } else {
            String[] strArr = (String[]) this.realmsToRefresh.toArray(org.elasticsearch.common.Strings.EMPTY_ARRAY);
            ClientHelper.executeAsyncWithOrigin(this.client, "security", ClearRealmCacheAction.INSTANCE, new ClearRealmCacheRequest().realms(strArr), ActionListener.wrap(clearRealmCacheResponse -> {
                logger.debug(() -> {
                    return Strings.format("Cleared cached in realms [%s] due to role mapping change", new Object[]{Arrays.toString(strArr)});
                });
                actionListener.onResponse(result);
            }, exc -> {
                logger.warn(() -> {
                    return "Failed to clear cache for realms [" + Arrays.toString(strArr) + "]";
                }, exc);
                actionListener.onFailure(exc);
            }));
        }
    }

    public void resolveRoles(UserRoleMapper.UserData userData, ActionListener<Set<String>> actionListener) {
        CheckedConsumer checkedConsumer = list -> {
            ExpressionModel asModel = userData.asModel();
            Set set = (Set) list.stream().filter((v0) -> {
                return v0.isEnabled();
            }).filter(expressionRoleMapping -> {
                return expressionRoleMapping.getExpression().match(asModel);
            }).flatMap(expressionRoleMapping2 -> {
                Set roleNames = expressionRoleMapping2.getRoleNames(this.scriptService, asModel);
                logger.trace("Applying role-mapping [{}] to user-model [{}] produced role-names [{}]", expressionRoleMapping2.getName(), asModel, roleNames);
                return roleNames.stream();
            }).collect(Collectors.toSet());
            logger.debug("Mapping user [{}] to roles [{}]", userData, set);
            actionListener.onResponse(set);
        };
        Objects.requireNonNull(actionListener);
        getRoleMappings(null, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void refreshRealmOnChange(CachingRealm cachingRealm) {
        this.realmsToRefresh.add(cachingRealm.name());
    }

    static {
        $assertionsDisabled = !NativeRoleMappingStore.class.desiredAssertionStatus();
        logger = LogManager.getLogger(NativeRoleMappingStore.class);
    }
}
