package org.elasticsearch.xpack.security.authc.support;

import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/support/DnRoleMapper.class */
public class DnRoleMapper implements UserRoleMapper {
    private static final String DEFAULT_FILE_NAME = "role_mapping.yml";
    public static final Setting<String> ROLE_MAPPING_FILE_SETTING = new Setting<>("files.role_mapping", DEFAULT_FILE_NAME, Function.identity(), Setting.Property.NodeScope);
    public static final Setting<Boolean> USE_UNMAPPED_GROUPS_AS_ROLES_SETTING = Setting.boolSetting("unmapped_groups_as_roles", false, Setting.Property.NodeScope);
    protected final Logger logger;
    protected final RealmConfig config;
    private final Path file;
    private final boolean useUnmappedGroupsAsRoles;
    private final CopyOnWriteArrayList<Runnable> listeners = new CopyOnWriteArrayList<>();
    private volatile Map<DN, Set<String>> dnRoles;

    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/support/DnRoleMapper$FileListener.class */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        @Override // org.elasticsearch.watcher.FileChangesListener
        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        @Override // org.elasticsearch.watcher.FileChangesListener
        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        @Override // org.elasticsearch.watcher.FileChangesListener
        public void onFileChanged(Path path) {
            if (path.equals(DnRoleMapper.this.file)) {
                DnRoleMapper.this.logger.info("role mappings file [{}] changed for realm [{}/{}]. updating mappings...", path.toAbsolutePath(), DnRoleMapper.this.config.type(), DnRoleMapper.this.config.name());
                DnRoleMapper.this.dnRoles = DnRoleMapper.parseFileLenient(path, DnRoleMapper.this.logger, DnRoleMapper.this.config.type(), DnRoleMapper.this.config.name());
                DnRoleMapper.this.notifyRefresh();
            }
        }
    }

    public DnRoleMapper(RealmConfig realmConfig, ResourceWatcherService resourceWatcherService) {
        this.config = realmConfig;
        this.logger = realmConfig.logger(getClass());
        this.useUnmappedGroupsAsRoles = USE_UNMAPPED_GROUPS_AS_ROLES_SETTING.get(realmConfig.settings()).booleanValue();
        this.file = resolveFile(realmConfig.settings(), realmConfig.env());
        this.dnRoles = parseFileLenient(this.file, this.logger, realmConfig.type(), realmConfig.name());
        FileWatcher fileWatcher = new FileWatcher(this.file.getParent());
        fileWatcher.addListener(new FileListener());
        try {
            resourceWatcherService.add(fileWatcher, ResourceWatcherService.Frequency.HIGH);
        } catch (IOException e) {
            throw new ElasticsearchException("failed to start file watcher for role mapping file [" + this.file.toAbsolutePath() + "]", e, new Object[0]);
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UserRoleMapper
    public void refreshRealmOnChange(CachingUsernamePasswordRealm cachingUsernamePasswordRealm) {
        cachingUsernamePasswordRealm.getClass();
        addListener(cachingUsernamePasswordRealm::expireAll);
    }

    /* JADX WARN: Multi-variable type inference failed */
    synchronized void addListener(Runnable runnable) {
        this.listeners.add(Objects.requireNonNull(runnable, "listener cannot be null"));
    }

    public static Path resolveFile(Settings settings, Environment environment) {
        return XPackPlugin.resolveConfigFile(environment, ROLE_MAPPING_FILE_SETTING.get(settings));
    }

    public static Map<DN, Set<String>> parseFileLenient(Path path, Logger logger, String str, String str2) {
        try {
            return parseFile(path, logger, str, str2, false);
        } catch (Exception e) {
            logger.error(() -> {
                return new ParameterizedMessage("failed to parse role mappings file [{}]. skipping/removing all mappings...", path.toAbsolutePath());
            }, (Throwable) e);
            return Collections.emptyMap();
        }
    }

    public static Map<DN, Set<String>> parseFile(Path path, Logger logger, String str, String str2, boolean z) {
        logger.trace("reading realm [{}/{}] role mappings file [{}]...", str, str2, path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            ParameterizedMessage parameterizedMessage = new ParameterizedMessage("Role mapping file [{}] for realm [{}] does not exist.", path.toAbsolutePath(), str2);
            if (z) {
                throw new ElasticsearchException(parameterizedMessage.getFormattedMessage(), new Object[0]);
            }
            logger.warn(parameterizedMessage.getFormattedMessage() + " Role mapping will be skipped.");
            return Collections.emptyMap();
        }
        try {
            Settings build = Settings.builder().loadFromPath(path).build();
            HashMap hashMap = new HashMap();
            for (String str3 : build.names()) {
                for (String str4 : build.getAsList(str3)) {
                    try {
                        DN dn = new DN(str4);
                        Set set = (Set) hashMap.get(dn);
                        if (set == null) {
                            set = new HashSet();
                            hashMap.put(dn, set);
                        }
                        set.add(str3);
                    } catch (LDAPException e) {
                        ParameterizedMessage parameterizedMessage2 = new ParameterizedMessage("invalid DN [{}] found in [{}] role mappings [{}] for realm [{}/{}].", str4, str, path.toAbsolutePath(), str, str2);
                        if (z) {
                            throw new ElasticsearchException(parameterizedMessage2.getFormattedMessage(), e, new Object[0]);
                        }
                        logger.error(parameterizedMessage2.getFormattedMessage() + " skipping...", (Throwable) e);
                    }
                }
            }
            logger.debug("[{}] role mappings found in file [{}] for realm [{}/{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath(), str, str2);
            return Collections.unmodifiableMap(hashMap);
        } catch (IOException | SettingsException e2) {
            throw new ElasticsearchException("could not read realm [" + str + "/" + str2 + "] role mappings file [" + path.toAbsolutePath() + "]", e2, new Object[0]);
        }
    }

    int mappingsCount() {
        return this.dnRoles.size();
    }

    @Override // org.elasticsearch.xpack.security.authc.support.UserRoleMapper
    public void resolveRoles(UserRoleMapper.UserData userData, ActionListener<Set<String>> actionListener) {
        try {
            actionListener.onResponse(resolveRoles(userData.getDn(), userData.getGroups()));
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    public Set<String> resolveRoles(String str, Collection<String> collection) {
        HashSet hashSet = new HashSet();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            DN dn = LdapUtils.dn(it.next());
            if (this.dnRoles.containsKey(dn)) {
                hashSet.addAll(this.dnRoles.get(dn));
            } else if (this.useUnmappedGroupsAsRoles) {
                hashSet.add(LdapUtils.relativeName(dn));
            }
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("the roles [{}], are mapped from these [{}] groups [{}] using file [{}] for realm [{}/{}]", hashSet, this.config.type(), collection, this.file.getFileName(), this.config.type(), this.config.name());
        }
        Set<String> set = this.dnRoles.get(LdapUtils.dn(str));
        if (set != null) {
            hashSet.addAll(set);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("the roles [{}], are mapped from the user [{}] using file [{}] for realm [{}/{}]", set == null ? Collections.emptySet() : set, str, this.file.getFileName(), this.config.type(), this.config.name());
        }
        return hashSet;
    }

    public void notifyRefresh() {
        this.listeners.forEach((v0) -> {
            v0.run();
        });
    }

    public static List<Setting<?>> getSettings() {
        return Arrays.asList(USE_UNMAPPED_GROUPS_AS_ROLES_SETTING, ROLE_MAPPING_FILE_SETTING);
    }
}
