package org.elasticsearch.xpack.security.authz.store;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.yaml.YamlXContent;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.support.NoOpLogger;
import org.elasticsearch.xpack.security.support.Validation;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authz/store/FileRolesStore.class */
public class FileRolesStore extends AbstractComponent {
    private static final Pattern IN_SEGMENT_LINE;
    private static final Pattern SKIP_LINE;
    private final Path file;
    private final XPackLicenseState licenseState;
    private final List<Runnable> listeners;
    private volatile Map<String, RoleDescriptor> permissions;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authz/store/FileRolesStore$FileListener.class */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        @Override // org.elasticsearch.watcher.FileChangesListener
        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        @Override // org.elasticsearch.watcher.FileChangesListener
        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        @Override // org.elasticsearch.watcher.FileChangesListener
        public void onFileChanged(Path path) {
            if (path.equals(FileRolesStore.this.file)) {
                try {
                    FileRolesStore.this.permissions = FileRolesStore.parseFile(path, FileRolesStore.this.logger, FileRolesStore.this.settings, FileRolesStore.this.licenseState);
                    FileRolesStore.this.logger.info("updated roles (roles file [{}] changed)", path.toAbsolutePath());
                    synchronized (FileRolesStore.this) {
                        FileRolesStore.this.listeners.forEach((v0) -> {
                            v0.run();
                        });
                    }
                } catch (Exception e) {
                    FileRolesStore.this.logger.error(() -> {
                        return new ParameterizedMessage("could not reload roles file [{}]. Current roles remain unmodified", path.toAbsolutePath());
                    }, (Throwable) e);
                }
            }
        }
    }

    public FileRolesStore(Settings settings, Environment environment, ResourceWatcherService resourceWatcherService, XPackLicenseState xPackLicenseState) throws IOException {
        this(settings, environment, resourceWatcherService, () -> {
        }, xPackLicenseState);
    }

    FileRolesStore(Settings settings, Environment environment, ResourceWatcherService resourceWatcherService, Runnable runnable, XPackLicenseState xPackLicenseState) throws IOException {
        super(settings);
        this.listeners = new ArrayList();
        this.file = resolveFile(environment);
        if (runnable != null) {
            this.listeners.add(runnable);
        }
        this.licenseState = xPackLicenseState;
        FileWatcher fileWatcher = new FileWatcher(this.file.getParent());
        fileWatcher.addListener(new FileListener());
        resourceWatcherService.add(fileWatcher, ResourceWatcherService.Frequency.HIGH);
        this.permissions = parseFile(this.file, this.logger, settings, xPackLicenseState);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Set<RoleDescriptor> roleDescriptors(Set<String> set) {
        HashSet hashSet = new HashSet();
        set.forEach(str -> {
            RoleDescriptor roleDescriptor = this.permissions.get(str);
            if (roleDescriptor != null) {
                hashSet.add(roleDescriptor);
            }
        });
        return hashSet;
    }

    public Map<String, Object> usageStats() {
        HashMap hashMap = new HashMap();
        hashMap.put("size", Integer.valueOf(this.permissions.size()));
        boolean z = false;
        boolean z2 = false;
        Iterator<RoleDescriptor> it = this.permissions.values().iterator();
        while (it.hasNext()) {
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : it.next().getIndicesPrivileges()) {
                z2 = (!z2 && indicesPrivileges.getGrantedFields() == null && indicesPrivileges.getDeniedFields() == null) ? false : true;
                z = z || indicesPrivileges.getQuery() != null;
            }
            if (z2 && z) {
                break;
            }
        }
        hashMap.put("fls", Boolean.valueOf(z2));
        hashMap.put("dls", Boolean.valueOf(z));
        return hashMap;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void addListener(Runnable runnable) {
        Objects.requireNonNull(runnable);
        synchronized (this) {
            this.listeners.add(runnable);
        }
    }

    public static Path resolveFile(Environment environment) {
        return XPackPlugin.resolveConfigFile(environment, "roles.yml");
    }

    public static Set<String> parseFileForRoleNames(Path path, Logger logger) {
        return parseRoleDescriptors(path, logger, false, Settings.EMPTY).keySet();
    }

    public static Map<String, RoleDescriptor> parseFile(Path path, Logger logger, Settings settings, XPackLicenseState xPackLicenseState) {
        return parseFile(path, logger, true, settings, xPackLicenseState);
    }

    public static Map<String, RoleDescriptor> parseFile(Path path, Logger logger, boolean z, Settings settings, XPackLicenseState xPackLicenseState) {
        if (logger == null) {
            logger = NoOpLogger.INSTANCE;
        }
        HashMap hashMap = new HashMap();
        logger.debug("attempting to read roles file located at [{}]", path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            logger.debug("roles file does not exist");
            return Collections.emptyMap();
        }
        try {
            List<String> roleSegments = roleSegments(path);
            boolean isDocumentAndFieldLevelSecurityAllowed = xPackLicenseState.isDocumentAndFieldLevelSecurityAllowed();
            Iterator<String> it = roleSegments.iterator();
            while (it.hasNext()) {
                RoleDescriptor parseRoleDescriptor = parseRoleDescriptor(it.next(), path, logger, z, settings);
                if (parseRoleDescriptor != null) {
                    if (ReservedRolesStore.isReserved(parseRoleDescriptor.getName())) {
                        logger.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored", parseRoleDescriptor.getName());
                    } else if (isDocumentAndFieldLevelSecurityAllowed || !parseRoleDescriptor.isUsingDocumentOrFieldLevelSecurity()) {
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    } else {
                        logger.warn("role [{}] uses document and/or field level security, which is not enabled by the current license. this role will be ignored", parseRoleDescriptor.getName());
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    }
                }
            }
            logger.debug("parsed [{}] roles from file [{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath());
            return Collections.unmodifiableMap(hashMap);
        } catch (IOException e) {
            logger.error(() -> {
                return new ParameterizedMessage("failed to read roles file [{}]. skipping all roles...", path.toAbsolutePath());
            }, (Throwable) e);
            return Collections.emptyMap();
        }
    }

    public static Map<String, RoleDescriptor> parseRoleDescriptors(Path path, Logger logger, boolean z, Settings settings) {
        if (logger == null) {
            logger = NoOpLogger.INSTANCE;
        }
        HashMap hashMap = new HashMap();
        logger.trace("attempting to read roles file located at [{}]", path.toAbsolutePath());
        if (Files.exists(path, new LinkOption[0])) {
            try {
                Iterator<String> it = roleSegments(path).iterator();
                while (it.hasNext()) {
                    RoleDescriptor parseRoleDescriptor = parseRoleDescriptor(it.next(), path, logger, z, settings);
                    if (parseRoleDescriptor != null) {
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    }
                }
            } catch (IOException e) {
                logger.error(() -> {
                    return new ParameterizedMessage("failed to read roles file [{}]. skipping all roles...", path.toAbsolutePath());
                }, (Throwable) e);
                return Collections.emptyMap();
            }
        }
        return Collections.unmodifiableMap(hashMap);
    }

    @Nullable
    static RoleDescriptor parseRoleDescriptor(String str, Path path, Logger logger, boolean z, Settings settings) {
        String str2 = null;
        try {
            XContentParser createParser = YamlXContent.yamlXContent.createParser(NamedXContentRegistry.EMPTY, str);
            if (createParser.nextToken() != XContentParser.Token.START_OBJECT || createParser.nextToken() != XContentParser.Token.FIELD_NAME) {
                logger.error("invalid role definition [{}] in roles file [{}]. skipping role...", (Object) null, path.toAbsolutePath());
                return null;
            }
            String currentName = createParser.currentName();
            Object validateRoleName = Validation.Roles.validateRoleName(currentName);
            if (validateRoleName != null) {
                logger.error("invalid role definition [{}] in roles file [{}]. invalid role name - {}. skipping role... ", currentName, path.toAbsolutePath(), validateRoleName);
                return null;
            }
            if (!z) {
                return new RoleDescriptor(currentName, null, null, null);
            }
            if (createParser.nextToken() == XContentParser.Token.START_OBJECT) {
                return checkDescriptor(RoleDescriptor.parse(currentName, createParser, true), path, logger, settings);
            }
            logger.error("invalid role definition [{}] in roles file [{}]. skipping role...", currentName, path.toAbsolutePath());
            return null;
        } catch (IOException e) {
            if (0 != 0) {
                logger.error(() -> {
                    return new ParameterizedMessage("invalid role definition [{}] in roles file [{}]. skipping role...", str2, path);
                }, e);
                return null;
            }
            logger.error(() -> {
                return new ParameterizedMessage("invalid role definition in roles file [{}]. skipping role...", path);
            }, e);
            return null;
        } catch (ElasticsearchParseException e2) {
            if (!$assertionsDisabled && 0 == 0) {
                throw new AssertionError();
            }
            if (logger.isDebugEnabled()) {
                logger.debug(() -> {
                    return new ParameterizedMessage("parsing exception for role [{}]", str2);
                }, (Throwable) e2);
                return null;
            }
            logger.error(e2.getMessage() + ". skipping role...");
            return null;
        }
    }

    @Nullable
    private static RoleDescriptor checkDescriptor(RoleDescriptor roleDescriptor, Path path, Logger logger, Settings settings) {
        String name = roleDescriptor.getName();
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges : roleDescriptor.getIndicesPrivileges()) {
            if ((indicesPrivileges.getQuery() != null || indicesPrivileges.getGrantedFields() != null || indicesPrivileges.getDeniedFields() != null) && !XPackSettings.DLS_FLS_ENABLED.get(settings).booleanValue()) {
                logger.error("invalid role definition [{}] in roles file [{}]. document and field level security is not enabled. set [{}] to [true] in the configuration file. skipping role...", name, path.toAbsolutePath(), XPackSettings.DLS_FLS_ENABLED.getKey());
                return null;
            }
        }
        return roleDescriptor;
    }

    private static List<String> roleSegments(Path path) throws IOException {
        ArrayList arrayList = new ArrayList();
        StringBuilder sb = null;
        for (String str : Files.readAllLines(path, StandardCharsets.UTF_8)) {
            if (!SKIP_LINE.matcher(str).matches()) {
                if (!IN_SEGMENT_LINE.matcher(str).matches()) {
                    if (sb != null) {
                        arrayList.add(sb.toString());
                    }
                    sb = new StringBuilder(str).append("\n");
                } else if (sb != null) {
                    sb.append(str).append("\n");
                }
            }
        }
        if (sb != null) {
            arrayList.add(sb.toString());
        }
        return arrayList;
    }

    static {
        $assertionsDisabled = !FileRolesStore.class.desiredAssertionStatus();
        IN_SEGMENT_LINE = Pattern.compile("^\\s+.+");
        SKIP_LINE = Pattern.compile("(^#.*|^\\s*)");
    }
}
