package org.elasticsearch.xpack.security.authc.support;

import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.ldap.support.LdapUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/DnRoleMapper.class */
public class DnRoleMapper {
    private static final String DEFAULT_FILE_NAME = "role_mapping.yml";
    public static final Setting<String> ROLE_MAPPING_FILE_SETTING = new Setting<>("files.role_mapping", DEFAULT_FILE_NAME, Function.identity(), new Setting.Property[]{Setting.Property.NodeScope});
    public static final Setting<Boolean> USE_UNMAPPED_GROUPS_AS_ROLES_SETTING = Setting.boolSetting("unmapped_groups_as_roles", false, new Setting.Property[]{Setting.Property.NodeScope});
    protected final Logger logger;
    protected final RealmConfig config;
    private final String realmType;
    private final Path file;
    private final boolean useUnmappedGroupsAsRoles;
    private volatile Map<DN, Set<String>> dnRoles;
    private CopyOnWriteArrayList<Runnable> listeners;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/DnRoleMapper$FileListener.class */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        public void onFileChanged(Path path) {
            if (path.equals(DnRoleMapper.this.file)) {
                DnRoleMapper.this.logger.info("role mappings file [{}] changed for realm [{}/{}]. updating mappings...", path.toAbsolutePath(), DnRoleMapper.this.realmType, DnRoleMapper.this.config.name());
                DnRoleMapper.this.dnRoles = DnRoleMapper.parseFileLenient(path, DnRoleMapper.this.logger, DnRoleMapper.this.realmType, DnRoleMapper.this.config.name());
                DnRoleMapper.this.notifyRefresh();
            }
        }
    }

    public DnRoleMapper(String str, RealmConfig realmConfig, ResourceWatcherService resourceWatcherService, Runnable runnable) {
        this.realmType = str;
        this.config = realmConfig;
        this.logger = realmConfig.logger(getClass());
        this.listeners = new CopyOnWriteArrayList<>(Collections.singleton(runnable));
        this.useUnmappedGroupsAsRoles = ((Boolean) USE_UNMAPPED_GROUPS_AS_ROLES_SETTING.get(realmConfig.settings())).booleanValue();
        this.file = resolveFile(realmConfig.settings(), realmConfig.env());
        this.dnRoles = parseFileLenient(this.file, this.logger, str, realmConfig.name());
        FileWatcher fileWatcher = new FileWatcher(this.file.getParent());
        fileWatcher.addListener(new FileListener());
        try {
            resourceWatcherService.add(fileWatcher, ResourceWatcherService.Frequency.HIGH);
        } catch (IOException e) {
            throw new ElasticsearchException("failed to start file watcher for role mapping file [" + this.file.toAbsolutePath() + "]", e, new Object[0]);
        }
    }

    public synchronized void addListener(Runnable runnable) {
        this.listeners.add(runnable);
    }

    public static Path resolveFile(Settings settings, Environment environment) {
        return XPackPlugin.resolveConfigFile(environment, (String) ROLE_MAPPING_FILE_SETTING.get(settings));
    }

    public static Map<DN, Set<String>> parseFileLenient(Path path, Logger logger, String str, String str2) {
        try {
            return parseFile(path, logger, str, str2);
        } catch (Exception e) {
            logger.error(() -> {
                return new ParameterizedMessage("failed to parse role mappings file [{}]. skipping/removing all mappings...", path.toAbsolutePath());
            }, e);
            return Collections.emptyMap();
        }
    }

    public static Map<DN, Set<String>> parseFile(Path path, Logger logger, String str, String str2) {
        logger.trace("reading realm [{}/{}] role mappings file [{}]...", str, str2, path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            return Collections.emptyMap();
        }
        try {
            InputStream newInputStream = Files.newInputStream(path, new OpenOption[0]);
            Throwable th = null;
            try {
                try {
                    Settings build = Settings.builder().loadFromStream(path.toString(), newInputStream).build();
                    HashMap hashMap = new HashMap();
                    for (String str3 : build.names()) {
                        for (String str4 : build.getAsArray(str3)) {
                            try {
                                DN dn = new DN(str4);
                                Set set = (Set) hashMap.get(dn);
                                if (set == null) {
                                    set = new HashSet();
                                    hashMap.put(dn, set);
                                }
                                set.add(str3);
                            } catch (LDAPException e) {
                                logger.error(() -> {
                                    return new ParameterizedMessage("invalid DN [{}] found in [{}] role mappings [{}] for realm [{}/{}]. skipping... ", new Object[]{str4, str, path.toAbsolutePath(), str, str2});
                                }, e);
                            }
                        }
                    }
                    logger.debug("[{}] role mappings found in file [{}] for realm [{}/{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath(), str, str2);
                    Map<DN, Set<String>> unmodifiableMap = Collections.unmodifiableMap(hashMap);
                    if (newInputStream != null) {
                        if (0 != 0) {
                            try {
                                newInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newInputStream.close();
                        }
                    }
                    return unmodifiableMap;
                } finally {
                }
            } finally {
            }
        } catch (IOException e2) {
            throw new ElasticsearchException("could not read realm [" + str + "/" + str2 + "] role mappings file [" + path.toAbsolutePath() + "]", e2, new Object[0]);
        }
    }

    int mappingsCount() {
        return this.dnRoles.size();
    }

    public Set<String> resolveRoles(String str, List<String> list) {
        HashSet hashSet = new HashSet();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            DN dn = LdapUtils.dn(it.next());
            if (this.dnRoles.containsKey(dn)) {
                hashSet.addAll(this.dnRoles.get(dn));
            } else if (this.useUnmappedGroupsAsRoles) {
                hashSet.add(LdapUtils.relativeName(dn));
            }
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("the roles [{}], are mapped from these [{}] groups [{}] for realm [{}/{}]", hashSet, this.realmType, list, this.realmType, this.config.name());
        }
        Set<String> set = this.dnRoles.get(LdapUtils.dn(str));
        if (set != null) {
            hashSet.addAll(set);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("the roles [{}], are mapped from the user [{}] for realm [{}/{}]", set == null ? Collections.emptySet() : set, str, this.realmType, this.config.name());
        }
        return hashSet;
    }

    public void notifyRefresh() {
        this.listeners.forEach((v0) -> {
            v0.run();
        });
    }

    public static void getSettings(Set<Setting<?>> set) {
        set.add(USE_UNMAPPED_GROUPS_AS_ROLES_SETTING);
        set.add(ROLE_MAPPING_FILE_SETTING);
    }
}
