package org.elasticsearch.xpack.security.authc.support;

import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.AccessController;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.core.Strings;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.support.DnRoleMapperSettings;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.security.PrivilegedFileWatcher;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.support.mapper.AbstractRoleMapperClearRealmCache;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/DnRoleMapper.class */
public class DnRoleMapper extends AbstractRoleMapperClearRealmCache {
    private static final Logger logger = LogManager.getLogger(DnRoleMapper.class);
    protected final RealmConfig config;
    private final Path file;
    private final boolean useUnmappedGroupsAsRoles;
    private volatile Map<String, List<String>> dnRoles;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/DnRoleMapper$FileListener.class */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        public void onFileChanged(Path path) {
            if (path.equals(DnRoleMapper.this.file)) {
                Map<String, List<String>> map = DnRoleMapper.this.dnRoles;
                DnRoleMapper.this.dnRoles = (Map) AccessController.doPrivileged(() -> {
                    return DnRoleMapper.parseFileLenient(path, DnRoleMapper.logger, DnRoleMapper.this.config.type(), DnRoleMapper.this.config.name());
                });
                if (map.equals(DnRoleMapper.this.dnRoles)) {
                    return;
                }
                DnRoleMapper.logger.info("role mappings file [{}] changed for realm [{}/{}]. updating mappings...", path.toAbsolutePath(), DnRoleMapper.this.config.type(), DnRoleMapper.this.config.name());
                DnRoleMapper.this.clearRealmCachesOnLocalNode();
            }
        }
    }

    public DnRoleMapper(RealmConfig realmConfig, ResourceWatcherService resourceWatcherService) {
        this.config = realmConfig;
        this.useUnmappedGroupsAsRoles = ((Boolean) realmConfig.getSetting(DnRoleMapperSettings.USE_UNMAPPED_GROUPS_AS_ROLES_SETTING)).booleanValue();
        this.file = resolveFile(realmConfig);
        this.dnRoles = (Map) AccessController.doPrivileged(() -> {
            return parseFileLenient(this.file, logger, realmConfig.type(), realmConfig.name());
        });
        PrivilegedFileWatcher privilegedFileWatcher = new PrivilegedFileWatcher(this.file.getParent());
        privilegedFileWatcher.addListener(new FileListener());
        try {
            resourceWatcherService.add(privilegedFileWatcher, ResourceWatcherService.Frequency.HIGH);
        } catch (IOException e) {
            throw new ElasticsearchException("failed to start file watcher for role mapping file [" + this.file.toAbsolutePath() + "]", e, new Object[0]);
        }
    }

    public static Path resolveFile(RealmConfig realmConfig) {
        return Security.resolveSecuredConfigFile(realmConfig.env(), (String) realmConfig.getSetting(DnRoleMapperSettings.ROLE_MAPPING_FILE_SETTING));
    }

    public static Map<String, List<String>> parseFileLenient(Path path, Logger logger2, String str, String str2) {
        try {
            return parseFile(path, logger2, str, str2, false);
        } catch (Exception e) {
            logger2.error(() -> {
                return Strings.format("failed to parse role mappings file [%s]. skipping/removing all mappings...", new Object[]{path.toAbsolutePath()});
            }, e);
            return Collections.emptyMap();
        }
    }

    public static Map<String, List<String>> parseFile(Path path, Logger logger2, String str, String str2, boolean z) {
        logger2.trace("reading realm [{}/{}] role mappings file [{}]...", str, str2, path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            String format = Strings.format("Role mapping file [%s] for realm [%s] does not exist.", new Object[]{path.toAbsolutePath(), str2});
            if (z) {
                throw new ElasticsearchException(format, new Object[0]);
            }
            logger2.warn(format + " Role mapping will be skipped.");
            return Collections.emptyMap();
        }
        try {
            Settings build = Settings.builder().loadFromStream(path.getFileName().toString(), Files.newInputStream(path, new OpenOption[0]), false).build();
            HashMap hashMap = new HashMap();
            for (String str3 : build.names()) {
                for (String str4 : build.getAsList(str3)) {
                    try {
                        DN dn = new DN(str4);
                        Set set = (Set) hashMap.get(dn);
                        if (set == null) {
                            set = new HashSet();
                            hashMap.put(dn, set);
                        }
                        set.add(str3);
                    } catch (LDAPException e) {
                        String format2 = Strings.format("invalid DN [%s] found in [%s] role mappings [%s] for realm [%s/%s].", new Object[]{str4, str, path.toAbsolutePath(), str, str2});
                        if (z) {
                            throw new ElasticsearchException(format2, e, new Object[0]);
                        }
                        logger2.error(format2 + " skipping...", e);
                    }
                }
            }
            logger2.debug("[{}] role mappings found in file [{}] for realm [{}/{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath(), str, str2);
            return Collections.unmodifiableMap((Map) hashMap.entrySet().stream().collect(Collectors.toMap(entry -> {
                return ((DN) entry.getKey()).toNormalizedString();
            }, entry2 -> {
                return List.copyOf((Collection) entry2.getValue());
            })));
        } catch (IOException | SettingsException e2) {
            throw new ElasticsearchException("could not read realm [" + str + "/" + str2 + "] role mappings file [" + path.toAbsolutePath() + "]", e2, new Object[0]);
        }
    }

    int mappingsCount() {
        return this.dnRoles.size();
    }

    public void resolveRoles(UserRoleMapper.UserData userData, ActionListener<Set<String>> actionListener) {
        try {
            actionListener.onResponse(resolveRoles(userData.getDn(), userData.getGroups()));
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    public Set<String> resolveRoles(String str, Collection<String> collection) {
        HashSet hashSet = new HashSet();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            DN dn = LdapUtils.dn(it.next());
            String normalizedString = dn.toNormalizedString();
            if (this.dnRoles.containsKey(normalizedString)) {
                hashSet.addAll(this.dnRoles.get(normalizedString));
            } else if (this.useUnmappedGroupsAsRoles) {
                hashSet.add(LdapUtils.relativeName(dn));
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("the roles [{}], are mapped from these [{}] groups [{}] using file [{}] for realm [{}/{}]", hashSet, this.config.type(), collection, this.file.getFileName(), this.config.type(), this.config.name());
        }
        String normalizedString2 = LdapUtils.dn(str).toNormalizedString();
        List<String> list = this.dnRoles.get(normalizedString2);
        if (list != null) {
            hashSet.addAll(list);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("the roles [{}], are mapped from the user [{}] using file [{}] for realm [{}/{}]", list == null ? Collections.emptySet() : list, normalizedString2, this.file.getFileName(), this.config.type(), this.config.name());
        }
        return hashSet;
    }
}
