package org.elasticsearch.xpack.core.security.authc.support;

import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.LDAPSDKUsageException;
import java.lang.ref.SoftReference;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.automaton.CharacterRunAutomaton;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.ExpressionModel;
import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.FieldExpression;

/* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authc/support/UserRoleMapper.class */
public interface UserRoleMapper {

    /* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authc/support/UserRoleMapper$DistinguishedNameNormalizer.class */
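    /**
     * Converts DN strings to their normalized form and remembers the outcome per input string.
     *
     * <p>Successful results are held through {@link SoftReference}s, so a cached value may be
     * collected and is then recomputed on the next call. Inputs that cannot be parsed as a DN are
     * remembered through the shared {@code NULL_REF} sentinel so they are not parsed again.
     *
     * <p>The cache is a plain {@link HashMap} with no synchronization in this class, so an instance
     * must not be shared between threads without external locking. In this file an instance is
     * created per {@code UserData.asModel()} call via {@code getDnNormalizer()}.
     */
    public static class DistinguishedNameNormalizer {
        private static final Logger LOGGER = LogManager.getLogger(DistinguishedNameNormalizer.class);

        /** Sentinel cache entry meaning "this input was already tried and is not a valid DN". */
        private static final SoftReference<String> NULL_REF = new SoftReference<>(null);

        // Typed with the diamond operator; the decompiled raw `new HashMap()` produced an unchecked assignment.
        private final Map<String, SoftReference<String>> cache = new HashMap<>();

        /**
         * Returns the normalized form of {@code str}, consulting the cache first.
         *
         * @param str the candidate DN string
         * @return the normalized DN, or {@code null} when {@code str} cannot be parsed as a DN
         */
        public String normalize(String str) {
            final SoftReference<String> cached = this.cache.get(str);
            if (cached == NULL_REF) {
                // Identity comparison on purpose: only the sentinel marks a known parse failure.
                return null;
            }
            if (cached != null) {
                final String hit = cached.get();
                if (hit != null) {
                    return hit;
                }
                // The referent was cleared; fall through and compute it again.
            }
            final String normalized = doNormalize(str);
            final SoftReference<String> entry = normalized == null ? NULL_REF : new SoftReference<>(normalized);
            this.cache.put(str, entry);
            return normalized;
        }

        /**
         * Parses {@code str} as a DN and returns its normalized string form, bypassing the cache.
         *
         * <p>A parse failure is not propagated: it is reported at trace level only and the method
         * returns {@code null}. The trace message embeds the raw input string.
         *
         * @param str the candidate DN string
         * @return the normalized DN, or {@code null} if parsing failed
         */
        String doNormalize(String str) {
            try {
                return new DN(str).toNormalizedString();
            } catch (LDAPException | LDAPSDKUsageException e) {
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace(() -> "failed to parse [" + str + "] as a DN", e);
                }
                return null;
            }
        }
    }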

    /* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authc/support/UserRoleMapper$DistinguishedNamePredicate.class */
    /**
     * Decides whether a rule's {@link FieldExpression.FieldValue} matches one DN-like string.
     *
     * <p>In this file the predicate is attached to the {@code dn} and {@code groups} fields built by
     * {@code UserData.asModel()}. A match is accepted when any of these holds: the raw strings are
     * equal ignoring case, the normalized DNs are equal, the rule's automaton accepts one of several
     * forms of the string, or the rule value has the shape {@code *,<base>} and this DN is a
     * descendant of {@code <base>}.
     *
     * <p>NOTE(review): these checks feed role mapping, so every accepted form widens who matches a
     * rule. In particular the raw-string comparisons ignore case for the whole value.
     */
    public static class DistinguishedNamePredicate implements Predicate<FieldExpression.FieldValue> {
        // The value this predicate was built for, exactly as supplied.
        private final String string;
        // Normalizer shared with the caller; also used to normalize rule values in test().
        private final DistinguishedNameNormalizer dnNormalizer;
        // Normalized form of `string`, or null when `string` could not be parsed as a DN.
        private final String normalizedDn;
        // Decompiler rendering of the flag behind `assert`; true when assertions are disabled.
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * @param str the DN (or group name) to match against; must not be null (checked only when
         *            assertions are enabled)
         * @param distinguishedNameNormalizer normalizer used for {@code str} and for rule values
         */
        public DistinguishedNamePredicate(String str, DistinguishedNameNormalizer distinguishedNameNormalizer) {
            if (!$assertionsDisabled && str == null) {
                throw new AssertionError("DN string should not be null. Use the dedicated NULL_PREDICATE for every user null field.");
            }
            this.string = str;
            this.dnNormalizer = distinguishedNameNormalizer;
            this.normalizedDn = distinguishedNameNormalizer.normalize(str);
        }

        /** Returns the original, un-normalized string. */
        public String toString() {
            return this.string;
        }

        /**
         * Tests a rule value against this predicate's string.
         *
         * @param fieldValue the value taken from a mapping rule
         * @return {@code true} if the rule value matches by any of the accepted forms
         */
        @Override // java.util.function.Predicate
        public boolean test(FieldExpression.FieldValue fieldValue) {
            CharacterRunAutomaton automaton = fieldValue.getAutomaton();
            if (automaton == null) {
                // No automaton: presumably a literal (non-pattern) rule value; confirm in FieldValue.
                if (!(fieldValue.getValue() instanceof String)) {
                    return false;
                }
                String str = (String) fieldValue.getValue();
                // 1) Raw strings equal, ignoring case.
                if (str.equalsIgnoreCase(this.string)) {
                    return true;
                }
                // Our own value is not a parsable DN, so there is no normalized form left to compare.
                if (this.normalizedDn == null) {
                    return false;
                }
                // 2) If the rule value parses as a DN, compare the two normalized forms exactly;
                //    otherwise compare the raw rule value with our normalized form, ignoring case.
                String normalize = this.dnNormalizer.normalize(str);
                return normalize != null ? this.normalizedDn.equals(normalize) : str.equalsIgnoreCase(this.normalizedDn);
            }
            // Automaton present: try the raw string first.
            if (automaton.run(this.string)) {
                return true;
            }
            // Then the normalized DN (when there is one) and the lower- and upper-cased raw string.
            if ((this.normalizedDn != null && automaton.run(this.normalizedDn)) || automaton.run(this.string.toLowerCase(Locale.ROOT)) || automaton.run(this.string.toUpperCase(Locale.ROOT))) {
                return true;
            }
            // The remaining check needs a normalized DN on our side.
            if (this.normalizedDn == null) {
                return false;
            }
            if (!$assertionsDisabled && !(fieldValue.getValue() instanceof String)) {
                throw new AssertionError("FieldValue " + fieldValue + " has automaton but value is " + (fieldValue.getValue() == null ? "<null>" : fieldValue.getValue().getClass()));
            }
            // With assertions disabled a non-String value reaches this cast and fails with ClassCastException.
            String str2 = (String) fieldValue.getValue();
            // Only rule values of the form "*,<base>" are considered for descendant matching.
            if (!str2.startsWith("*,")) {
                return false;
            }
            String substring = str2.substring(2);
            // 42 is '*': the base part must not contain a further wildcard.
            if (substring.indexOf(42) == -1) {
                return isDescendantOf(this.dnNormalizer.normalize(substring));
            }
            return false;
        }

        /**
         * Checks whether this predicate's normalized DN lies below {@code str}.
         *
         * <p>This is a string suffix test on {@code "," + str}, so it relies on both sides being in
         * the normalizer's output form. An empty {@code str} matches any non-empty normalized DN.
         * Callers must ensure {@code normalizedDn} is non-null; {@code test} returns before this
         * call when it is null.
         *
         * @param str normalized base DN, or {@code null} if the base could not be parsed
         */
        private boolean isDescendantOf(String str) {
            if (str == null) {
                return false;
            }
            return this.normalizedDn.endsWith(new StringBuilder().append(",").append(str).toString()) || (str.isEmpty() && false == this.normalizedDn.isEmpty());
        }

        static {
            // Assertion status is taken from the enclosing top-level type.
            $assertionsDisabled = !UserRoleMapper.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authc/support/UserRoleMapper$UserData.class */
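    /**
     * Holds the attributes of a user (name, DN, groups, metadata, realm) and exposes them as an
     * {@link ExpressionModel} through {@link #asModel()}.
     */
    public static class UserData {
        private final String username;

        @Nullable
        private final String dn;
        private final Set<String> groups;
        private final Map<String, Object> metadata;
        private final RealmConfig realm;

        /**
         * @param str the username
         * @param str2 the user's DN, or {@code null} if there is none
         * @param collection group names; {@code null} or empty becomes an empty set, otherwise the
         *                   elements are copied into an unmodifiable set
         * @param map user metadata; {@code null} or empty becomes an empty map, otherwise the map is
         *            wrapped unmodifiable without being copied
         * @param realmConfig the realm configuration; its name is read by {@link #asModel()} and
         *                    {@link #toString()}
         */
        public UserData(String str, @Nullable String str2, Collection<String> collection, Map<String, Object> map, RealmConfig realmConfig) {
            this.username = str;
            this.dn = str2;
            if (collection == null || collection.isEmpty()) {
                this.groups = Collections.emptySet();
            } else {
                // Defensive copy: later changes to the caller's collection do not affect this object.
                this.groups = Collections.unmodifiableSet(new HashSet<>(collection));
            }
            if (map == null || map.isEmpty()) {
                this.metadata = Collections.emptyMap();
            } else {
                // NOTE(review): unlike groups, this only wraps the caller's map. If the caller keeps
                // and mutates it, the metadata.* fields seen by asModel() change too. Confirm that
                // callers hand over ownership, or copy here.
                this.metadata = Collections.unmodifiableMap(map);
            }
            this.realm = realmConfig;
        }

        /**
         * Builds the model that mapping expressions are evaluated against.
         *
         * <p>Defines {@code username}, {@code dn} (only when non-null), {@code groups},
         * one {@code metadata.<key>} field per metadata entry, and {@code realm.name}. The
         * {@code dn} and {@code groups} fields carry a {@link DistinguishedNamePredicate}; for
         * groups, the per-group predicates are OR-ed together, and an empty group set matches nothing.
         *
         * @return a new model populated from this user's data
         */
        public ExpressionModel asModel() {
            final ExpressionModel model = new ExpressionModel();
            // One normalizer per model, so all predicates built here share a single cache.
            final DistinguishedNameNormalizer normalizer = getDnNormalizer();
            model.defineField("username", this.username);
            if (this.dn != null) {
                model.defineField("dn", this.dn, new DistinguishedNamePredicate(this.dn, normalizer));
            }
            // The explicit type witness on map() keeps the stream element type at Predicate<FieldValue>,
            // which reduce(Predicate::or) needs; the decompiled form mapped to the concrete class and
            // papered over the mismatch with a raw (Predicate) cast.
            final Predicate<FieldExpression.FieldValue> anyGroupMatches = this.groups.stream()
                .filter(group -> group != null)
                .<Predicate<FieldExpression.FieldValue>>map(group -> new DistinguishedNamePredicate(group, normalizer))
                .reduce(Predicate::or)
                .orElse(fieldValue -> false);
            model.defineField("groups", this.groups, anyGroupMatches);
            this.metadata.forEach((key, value) -> model.defineField("metadata." + key, value));
            model.defineField("realm.name", this.realm.name());
            return model;
        }

        /** Renders every field, including the full metadata map, so treat the result like the data itself when logging. */
        @Override
        public String toString() {
            return "UserData{username:" + this.username + "; dn:" + this.dn + "; groups:" + this.groups + "; metadata:" + this.metadata + "; realm=" + this.realm.name() + '}';
        }

        public String getUsername() {
            return this.username;
        }

        @Nullable
        public String getDn() {
            return this.dn;
        }

        /** Returns the unmodifiable group set. */
        public Set<String> getGroups() {
            return this.groups;
        }

        /** Returns the unmodifiable metadata view. */
        public Map<String, Object> getMetadata() {
            return this.metadata;
        }

        public RealmConfig getRealm() {
            return this.realm;
        }

        /** Creates a fresh normalizer; package-private, presumably so tests or subclasses can substitute one. */
        DistinguishedNameNormalizer getDnNormalizer() {
            return new DistinguishedNameNormalizer();
        }
    }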

    /**
     * Resolves role names for {@code userData} and reports them through {@code actionListener}
     * rather than as a return value.
     *
     * <p>NOTE(review): contract inferred from the signature only. Whether failures are delivered to
     * the listener, and on which thread it is invoked, is up to the implementation; confirm there.
     *
     * @param userData the user attributes to evaluate
     * @param actionListener receives the resolved set of role names
     */
    void resolveRoles(UserData userData, ActionListener<Set<String>> actionListener);

    /**
     * Registers {@code cachingRealm} with this mapper.
     *
     * <p>NOTE(review): going by the name, the realm is presumably refreshed when the mapper's role
     * mappings change; confirm against an implementation.
     *
     * @param cachingRealm the realm to notify
     */
    void refreshRealmOnChange(CachingRealm cachingRealm);
}
