package org.elasticsearch.xpack.security.authz.store;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.BiConsumer;
import java.util.stream.Collectors;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.cluster.health.ClusterHealthStatus;
import org.elasticsearch.cluster.health.ClusterIndexHealth;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.internal.Nullable;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ConcurrentCollections;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.common.IteratingActionListener;
import org.elasticsearch.xpack.ml.action.util.PageParams;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.authc.esnative.NativeRealm;
import org.elasticsearch.xpack.security.authc.file.FileRealm;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.watcher.input.none.NoneInput;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.class */
public class CompositeRolesStore extends AbstractComponent {
    private final ReleasableLock readLock;
    private final ReleasableLock writeLock;
    public static final Setting<Integer> CACHE_SIZE_SETTING;
    private final FileRolesStore fileRolesStore;
    private final NativeRolesStore nativeRolesStore;
    private final ReservedRolesStore reservedRolesStore;
    private final XPackLicenseState licenseState;
    private final Cache<Set<String>, Role> roleCache;
    private final Set<String> negativeLookupCache;
    private final ThreadContext threadContext;
    private final AtomicLong numInvalidation;
    private final List<BiConsumer<Set<String>, ActionListener<Set<RoleDescriptor>>>> customRolesProviders;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore$MergeableIndicesPrivilege.class */
    public static class MergeableIndicesPrivilege {
        private Set<String> indices;
        private Set<String> privileges;
        private FieldPermissionsDefinition fieldPermissionsDefinition;
        private Set<BytesReference> query;
        static final /* synthetic */ boolean $assertionsDisabled;

        MergeableIndicesPrivilege(String[] strArr, String[] strArr2, @Nullable String[] strArr3, @Nullable String[] strArr4, @Nullable BytesReference bytesReference) {
            this.query = null;
            this.indices = Sets.newHashSet((Object[]) Objects.requireNonNull(strArr));
            this.privileges = Sets.newHashSet((Object[]) Objects.requireNonNull(strArr2));
            this.fieldPermissionsDefinition = new FieldPermissionsDefinition(strArr3, strArr4);
            if (bytesReference != null) {
                this.query = Sets.newHashSet(new BytesReference[]{bytesReference});
            }
        }

        void merge(MergeableIndicesPrivilege mergeableIndicesPrivilege) {
            if (!$assertionsDisabled && !this.indices.equals(mergeableIndicesPrivilege.indices)) {
                throw new AssertionError("index names must be equivalent in order to merge");
            }
            HashSet hashSet = new HashSet();
            hashSet.addAll(this.fieldPermissionsDefinition.getFieldGrantExcludeGroups());
            hashSet.addAll(mergeableIndicesPrivilege.fieldPermissionsDefinition.getFieldGrantExcludeGroups());
            this.fieldPermissionsDefinition = new FieldPermissionsDefinition(hashSet);
            this.privileges.addAll(mergeableIndicesPrivilege.privileges);
            if (this.query == null || mergeableIndicesPrivilege.query == null) {
                this.query = null;
            } else {
                this.query.addAll(mergeableIndicesPrivilege.query);
            }
        }

        static {
            $assertionsDisabled = !CompositeRolesStore.class.desiredAssertionStatus();
        }
    }

    public CompositeRolesStore(Settings settings, FileRolesStore fileRolesStore, NativeRolesStore nativeRolesStore, ReservedRolesStore reservedRolesStore, List<BiConsumer<Set<String>, ActionListener<Set<RoleDescriptor>>>> list, ThreadContext threadContext, XPackLicenseState xPackLicenseState) {
        super(settings);
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock();
        this.readLock = new ReleasableLock(reentrantReadWriteLock.readLock());
        this.writeLock = new ReleasableLock(reentrantReadWriteLock.writeLock());
        this.numInvalidation = new AtomicLong();
        this.fileRolesStore = fileRolesStore;
        fileRolesStore.addListener(this::invalidateAll);
        this.nativeRolesStore = nativeRolesStore;
        this.reservedRolesStore = reservedRolesStore;
        this.licenseState = xPackLicenseState;
        CacheBuilder builder = CacheBuilder.builder();
        int intValue = ((Integer) CACHE_SIZE_SETTING.get(settings)).intValue();
        if (intValue >= 0) {
            builder.setMaximumWeight(intValue);
        }
        this.roleCache = builder.build();
        this.threadContext = threadContext;
        this.negativeLookupCache = ConcurrentCollections.newConcurrentSet();
        this.customRolesProviders = Collections.unmodifiableList(list);
    }

    public void roles(Set<String> set, FieldPermissionsCache fieldPermissionsCache, ActionListener<Role> actionListener) {
        Role role = (Role) this.roleCache.get(set);
        if (role != null) {
            actionListener.onResponse(role);
            return;
        }
        long j = this.numInvalidation.get();
        CheckedConsumer checkedConsumer = set2 -> {
            Role buildRoleFromDescriptors = this.licenseState.isDocumentAndFieldLevelSecurityAllowed() ? buildRoleFromDescriptors(set2, fieldPermissionsCache) : buildRoleFromDescriptors((Set) set2.stream().filter(roleDescriptor -> {
                return !roleDescriptor.isUsingDocumentOrFieldLevelSecurity();
            }).collect(Collectors.toSet()), fieldPermissionsCache);
            if (buildRoleFromDescriptors != null) {
                ReleasableLock acquire = this.readLock.acquire();
                Throwable th = null;
                try {
                    try {
                        if (j == this.numInvalidation.get()) {
                            Role role2 = buildRoleFromDescriptors;
                            this.roleCache.computeIfAbsent(set, set2 -> {
                                return role2;
                            });
                        }
                        if (acquire != null) {
                            if (0 != 0) {
                                try {
                                    acquire.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                acquire.close();
                            }
                        }
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (acquire != null) {
                        if (th != null) {
                            try {
                                acquire.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            acquire.close();
                        }
                    }
                    throw th3;
                }
            }
            actionListener.onResponse(buildRoleFromDescriptors);
        };
        actionListener.getClass();
        roleDescriptors(set, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void roleDescriptors(Set<String> set, ActionListener<Set<RoleDescriptor>> actionListener) {
        Set<String> set2 = (Set) set.stream().filter(str -> {
            return !this.negativeLookupCache.contains(str);
        }).collect(Collectors.toSet());
        Set<RoleDescriptor> builtInRoleDescriptors = getBuiltInRoleDescriptors(set2);
        Set<String> difference = difference(set2, builtInRoleDescriptors);
        if (difference.isEmpty()) {
            actionListener.onResponse(Collections.unmodifiableSet(builtInRoleDescriptors));
            return;
        }
        NativeRolesStore nativeRolesStore = this.nativeRolesStore;
        String[] strArr = (String[]) difference.toArray(Strings.EMPTY_ARRAY);
        CheckedConsumer checkedConsumer = collection -> {
            builtInRoleDescriptors.addAll(collection);
            if (builtInRoleDescriptors.size() == set2.size()) {
                actionListener.onResponse(Collections.unmodifiableSet(builtInRoleDescriptors));
                return;
            }
            Set<String> difference2 = difference(set2, builtInRoleDescriptors);
            if (!$assertionsDisabled && difference2.isEmpty()) {
                throw new AssertionError("the missing set should not be empty if the sizes didn't match");
            }
            if (this.licenseState.isCustomRoleProvidersAllowed() && !this.customRolesProviders.isEmpty()) {
                new IteratingActionListener(actionListener, (biConsumer, actionListener2) -> {
                    CheckedConsumer checkedConsumer2 = set3 -> {
                        builtInRoleDescriptors.addAll(set3);
                        Iterator it = set3.iterator();
                        while (it.hasNext()) {
                            difference2.remove(((RoleDescriptor) it.next()).getName());
                        }
                        if (difference2.isEmpty()) {
                            actionListener2.onResponse(Collections.unmodifiableSet(builtInRoleDescriptors));
                        } else {
                            actionListener2.onResponse((Object) null);
                        }
                    };
                    actionListener2.getClass();
                    biConsumer.accept(difference2, ActionListener.wrap(checkedConsumer2, actionListener2::onFailure));
                }, this.customRolesProviders, this.threadContext, () -> {
                    this.negativeLookupCache.addAll(difference2);
                    return builtInRoleDescriptors;
                }).run();
            } else {
                this.negativeLookupCache.addAll(difference2);
                actionListener.onResponse(Collections.unmodifiableSet(builtInRoleDescriptors));
            }
        };
        actionListener.getClass();
        nativeRolesStore.getRoleDescriptors(strArr, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private Set<RoleDescriptor> getBuiltInRoleDescriptors(Set<String> set) {
        Set<RoleDescriptor> set2 = (Set) this.reservedRolesStore.roleDescriptors().stream().filter(roleDescriptor -> {
            return set.contains(roleDescriptor.getName());
        }).collect(Collectors.toCollection(HashSet::new));
        Set<String> difference = difference(set, set2);
        if (!difference.isEmpty()) {
            set2.addAll(this.fileRolesStore.roleDescriptors(difference));
        }
        return set2;
    }

    private Set<String> difference(Set<String> set, Set<RoleDescriptor> set2) {
        return Sets.difference(set, (Set) set2.stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.toSet()));
    }

    public static Role buildRoleFromDescriptors(Set<RoleDescriptor> set, FieldPermissionsCache fieldPermissionsCache) {
        if (set.isEmpty()) {
            return Role.EMPTY;
        }
        StringBuilder sb = new StringBuilder();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        HashMap hashMap = new HashMap();
        for (RoleDescriptor roleDescriptor : set) {
            sb.append(roleDescriptor.getName());
            sb.append('_');
            if (roleDescriptor.getClusterPrivileges() != null) {
                hashSet.addAll(Arrays.asList(roleDescriptor.getClusterPrivileges()));
            }
            if (roleDescriptor.getRunAs() != null) {
                hashSet2.addAll(Arrays.asList(roleDescriptor.getRunAs()));
            }
            RoleDescriptor.IndicesPrivileges[] indicesPrivileges = roleDescriptor.getIndicesPrivileges();
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges2 : indicesPrivileges) {
                HashSet newHashSet = Sets.newHashSet(indicesPrivileges2.getIndices());
                if (!(indicesPrivileges.length == 1 && NoneInput.TYPE.equalsIgnoreCase(indicesPrivileges2.getPrivileges()[0]))) {
                    hashMap.compute(newHashSet, (set2, mergeableIndicesPrivilege) -> {
                        if (mergeableIndicesPrivilege == null) {
                            return new MergeableIndicesPrivilege(indicesPrivileges2.getIndices(), indicesPrivileges2.getPrivileges(), indicesPrivileges2.getGrantedFields(), indicesPrivileges2.getDeniedFields(), indicesPrivileges2.getQuery());
                        }
                        mergeableIndicesPrivilege.merge(new MergeableIndicesPrivilege(indicesPrivileges2.getIndices(), indicesPrivileges2.getPrivileges(), indicesPrivileges2.getGrantedFields(), indicesPrivileges2.getDeniedFields(), indicesPrivileges2.getQuery()));
                        return mergeableIndicesPrivilege;
                    });
                }
            }
        }
        Role.Builder runAs = Role.builder(sb.toString(), fieldPermissionsCache).cluster(ClusterPrivilege.get(hashSet.isEmpty() ? null : hashSet)).runAs(hashSet2.isEmpty() ? Privilege.NONE : new Privilege(hashSet2, (String[]) hashSet2.toArray(Strings.EMPTY_ARRAY)));
        hashMap.entrySet().forEach(entry -> {
            MergeableIndicesPrivilege mergeableIndicesPrivilege2 = (MergeableIndicesPrivilege) entry.getValue();
            runAs.add(fieldPermissionsCache.getFieldPermissions(mergeableIndicesPrivilege2.fieldPermissionsDefinition), mergeableIndicesPrivilege2.query, IndexPrivilege.get(mergeableIndicesPrivilege2.privileges), (String[]) mergeableIndicesPrivilege2.indices.toArray(Strings.EMPTY_ARRAY));
        });
        return runAs.build();
    }

    public void invalidateAll() {
        this.numInvalidation.incrementAndGet();
        this.negativeLookupCache.clear();
        ReleasableLock acquire = this.readLock.acquire();
        Throwable th = null;
        try {
            this.roleCache.invalidateAll();
            if (acquire != null) {
                if (0 == 0) {
                    acquire.close();
                    return;
                }
                try {
                    acquire.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (acquire != null) {
                if (0 != 0) {
                    try {
                        acquire.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    acquire.close();
                }
            }
            throw th3;
        }
    }

    public void invalidate(String str) {
        this.numInvalidation.incrementAndGet();
        ReleasableLock acquire = this.writeLock.acquire();
        Throwable th = null;
        try {
            try {
                Iterator it = this.roleCache.keys().iterator();
                while (it.hasNext()) {
                    if (((Set) it.next()).contains(str)) {
                        it.remove();
                    }
                }
                if (acquire != null) {
                    if (0 != 0) {
                        try {
                            acquire.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        acquire.close();
                    }
                }
                this.negativeLookupCache.remove(str);
            } finally {
            }
        } catch (Throwable th3) {
            if (acquire != null) {
                if (th != null) {
                    try {
                        acquire.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    acquire.close();
                }
            }
            throw th3;
        }
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        HashMap hashMap = new HashMap(2);
        hashMap.put(FileRealm.TYPE, this.fileRolesStore.usageStats());
        NativeRolesStore nativeRolesStore = this.nativeRolesStore;
        CheckedConsumer checkedConsumer = map -> {
            hashMap.put(NativeRealm.TYPE, map);
            actionListener.onResponse(hashMap);
        };
        actionListener.getClass();
        nativeRolesStore.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void onSecurityIndexHealthChange(ClusterIndexHealth clusterIndexHealth, ClusterIndexHealth clusterIndexHealth2) {
        boolean z = ((clusterIndexHealth != null && clusterIndexHealth.getStatus() != ClusterHealthStatus.RED) || clusterIndexHealth2 == null || clusterIndexHealth2.getStatus() == ClusterHealthStatus.RED) ? false : true;
        boolean z2 = clusterIndexHealth != null && clusterIndexHealth2 == null;
        if (z || z2) {
            invalidateAll();
        }
    }

    static {
        $assertionsDisabled = !CompositeRolesStore.class.desiredAssertionStatus();
        CACHE_SIZE_SETTING = Setting.intSetting(Security.setting("authz.store.roles.cache.max_size"), PageParams.MAX_FROM_SIZE_SUM, new Setting.Property[]{Setting.Property.NodeScope});
    }
}
