package org.elasticsearch.xpack.security.authz.store;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.yaml.YamlXContent;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.authc.support.RefreshListener;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.support.NoOpLogger;
import org.elasticsearch.xpack.security.support.Validation;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/FileRolesStore.class */
public class FileRolesStore extends AbstractLifecycleComponent implements RolesStore {
    private static final Pattern IN_SEGMENT_LINE;
    private static final Pattern SKIP_LINE;
    private final Path file;
    private final RefreshListener listener;
    private final ResourceWatcherService watcherService;
    private volatile Map<String, Role> permissions;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/FileRolesStore$FileListener.class */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        public void onFileChanged(Path path) {
            if (path.equals(FileRolesStore.this.file)) {
                try {
                    FileRolesStore.this.permissions = FileRolesStore.parseFile(path, FileRolesStore.this.logger, FileRolesStore.this.settings);
                    FileRolesStore.this.logger.info("updated roles (roles file [{}] changed)", path.toAbsolutePath());
                    FileRolesStore.this.listener.onRefresh();
                } catch (Exception e) {
                    FileRolesStore.this.logger.error(() -> {
                        return new ParameterizedMessage("could not reload roles file [{}]. Current roles remain unmodified", path.toAbsolutePath());
                    }, e);
                }
            }
        }
    }

    public FileRolesStore(Settings settings, Environment environment, ResourceWatcherService resourceWatcherService) {
        this(settings, environment, resourceWatcherService, RefreshListener.NOOP);
    }

    public FileRolesStore(Settings settings, Environment environment, ResourceWatcherService resourceWatcherService, RefreshListener refreshListener) {
        super(settings);
        this.file = resolveFile(environment);
        this.listener = refreshListener;
        this.watcherService = resourceWatcherService;
        this.permissions = Collections.emptyMap();
    }

    protected void doStart() throws ElasticsearchException {
        FileWatcher fileWatcher = new FileWatcher(this.file.getParent());
        fileWatcher.addListener(new FileListener());
        try {
            this.watcherService.add(fileWatcher, ResourceWatcherService.Frequency.HIGH);
            this.permissions = parseFile(this.file, this.logger, this.settings);
        } catch (IOException e) {
            throw new ElasticsearchException("failed to setup roles file watcher", e, new Object[0]);
        }
    }

    protected void doStop() throws ElasticsearchException {
    }

    protected void doClose() throws ElasticsearchException {
    }

    @Override // org.elasticsearch.xpack.security.authz.store.RolesStore
    public Role role(String str) {
        return this.permissions.get(str);
    }

    @Override // org.elasticsearch.xpack.security.authz.store.RolesStore
    public Map<String, Object> usageStats() {
        HashMap hashMap = new HashMap();
        hashMap.put("size", Integer.valueOf(this.permissions.size()));
        boolean z = false;
        boolean z2 = false;
        Iterator<Role> it = this.permissions.values().iterator();
        while (it.hasNext()) {
            Iterator<IndicesPermission.Group> it2 = it.next().indices().iterator();
            while (it2.hasNext()) {
                IndicesPermission.Group next = it2.next();
                z2 = z2 || next.getFieldPermissions().hasFieldLevelSecurity();
                z = z || next.hasQuery();
            }
            if (z2 && z) {
                break;
            }
        }
        hashMap.put("fls", Boolean.valueOf(z2));
        hashMap.put("dls", Boolean.valueOf(z));
        return hashMap;
    }

    public static Path resolveFile(Environment environment) {
        return XPackPlugin.resolveConfigFile(environment, "roles.yml");
    }

    public static Set<String> parseFileForRoleNames(Path path, Logger logger) {
        Map<String, Role> parseFile = parseFile(path, logger, false, Settings.EMPTY);
        return parseFile == null ? Collections.emptySet() : parseFile.keySet();
    }

    public static Map<String, Role> parseFile(Path path, Logger logger, Settings settings) {
        return parseFile(path, logger, true, settings);
    }

    public static Map<String, Role> parseFile(Path path, Logger logger, boolean z, Settings settings) {
        if (logger == null) {
            logger = NoOpLogger.INSTANCE;
        }
        HashMap hashMap = new HashMap();
        logger.debug("attempting to read roles file located at [{}]", path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            logger.debug("roles file does not exist");
            return Collections.emptyMap();
        }
        try {
            Iterator<String> it = roleSegments(path).iterator();
            while (it.hasNext()) {
                Role parseRole = parseRole(it.next(), path, logger, z, settings);
                if (parseRole != null) {
                    if (ReservedRolesStore.isReserved(parseRole.name())) {
                        logger.warn("role [{}] is reserved. the relevant role definition in the mapping file will be ignored", parseRole.name());
                    } else {
                        hashMap.put(parseRole.name(), parseRole);
                    }
                }
            }
            logger.debug("parsed [{}] roles from file [{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath());
            return Collections.unmodifiableMap(hashMap);
        } catch (IOException e) {
            logger.error(() -> {
                return new ParameterizedMessage("failed to read roles file [{}]. skipping all roles...", path.toAbsolutePath());
            }, e);
            return Collections.emptyMap();
        }
    }

    public static Map<String, RoleDescriptor> parseRoleDescriptors(Path path, Logger logger, boolean z, Settings settings) {
        if (logger == null) {
            logger = NoOpLogger.INSTANCE;
        }
        HashMap hashMap = new HashMap();
        logger.trace("attempting to read roles file located at [{}]", path.toAbsolutePath());
        if (Files.exists(path, new LinkOption[0])) {
            try {
                Iterator<String> it = roleSegments(path).iterator();
                while (it.hasNext()) {
                    RoleDescriptor parseRoleDescriptor = parseRoleDescriptor(it.next(), path, logger, z, settings);
                    if (parseRoleDescriptor != null) {
                        hashMap.put(parseRoleDescriptor.getName(), parseRoleDescriptor);
                    }
                }
            } catch (IOException e) {
                logger.error(() -> {
                    return new ParameterizedMessage("failed to read roles file [{}]. skipping all roles...", path.toAbsolutePath());
                }, e);
                return Collections.emptyMap();
            }
        }
        return Collections.unmodifiableMap(hashMap);
    }

    @Nullable
    private static Role parseRole(String str, Path path, Logger logger, boolean z, Settings settings) {
        RoleDescriptor parseRoleDescriptor = parseRoleDescriptor(str, path, logger, z, settings);
        if (parseRoleDescriptor == null) {
            return null;
        }
        String name = parseRoleDescriptor.getName();
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges : parseRoleDescriptor.getIndicesPrivileges()) {
            if ((indicesPrivileges.getQuery() != null || indicesPrivileges.getFieldPermissions().hasFieldLevelSecurity()) && !((Boolean) XPackSettings.DLS_FLS_ENABLED.get(settings)).booleanValue()) {
                logger.error("invalid role definition [{}] in roles file [{}]. document and field level security is not enabled. set [{}] to [true] in the configuration file. skipping role...", name, path.toAbsolutePath(), XPackSettings.DLS_FLS_ENABLED.getKey());
                return null;
            }
        }
        return Role.builder(parseRoleDescriptor).build();
    }

    @Nullable
    static RoleDescriptor parseRoleDescriptor(String str, Path path, Logger logger, boolean z, Settings settings) {
        String str2 = null;
        try {
            XContentParser createParser = YamlXContent.yamlXContent.createParser(str);
            if (createParser.nextToken() != XContentParser.Token.START_OBJECT || createParser.nextToken() != XContentParser.Token.FIELD_NAME) {
                logger.error("invalid role definition [{}] in roles file [{}]. skipping role...", (Object) null, path.toAbsolutePath());
                return null;
            }
            String currentName = createParser.currentName();
            Validation.Error validateRoleName = Validation.Roles.validateRoleName(currentName);
            if (validateRoleName != null) {
                logger.error("invalid role definition [{}] in roles file [{}]. invalid role name - {}. skipping role... ", currentName, path.toAbsolutePath(), validateRoleName);
                return null;
            }
            if (!z) {
                return new RoleDescriptor(currentName, null, null, null);
            }
            if (createParser.nextToken() == XContentParser.Token.START_OBJECT) {
                return RoleDescriptor.parse(currentName, createParser, true);
            }
            logger.error("invalid role definition [{}] in roles file [{}]. skipping role...", currentName, path.toAbsolutePath());
            return null;
        } catch (ElasticsearchParseException e) {
            if (!$assertionsDisabled && 0 == 0) {
                throw new AssertionError();
            }
            if (logger.isDebugEnabled()) {
                logger.debug(() -> {
                    return new ParameterizedMessage("parsing exception for role [{}]", str2);
                }, e);
                return null;
            }
            logger.error(e.getMessage() + ". skipping role...");
            return null;
        } catch (IOException e2) {
            if (0 != 0) {
                logger.error(() -> {
                    return new ParameterizedMessage("invalid role definition [{}] in roles file [{}]. skipping role...", str2, path);
                }, e2);
                return null;
            }
            logger.error(() -> {
                return new ParameterizedMessage("invalid role definition in roles file [{}]. skipping role...", path);
            }, e2);
            return null;
        }
    }

    private static List<String> roleSegments(Path path) throws IOException {
        ArrayList arrayList = new ArrayList();
        StringBuilder sb = null;
        for (String str : Files.readAllLines(path, StandardCharsets.UTF_8)) {
            if (!SKIP_LINE.matcher(str).matches()) {
                if (!IN_SEGMENT_LINE.matcher(str).matches()) {
                    if (sb != null) {
                        arrayList.add(sb.toString());
                    }
                    sb = new StringBuilder(str).append("\n");
                } else if (sb != null) {
                    sb.append(str).append("\n");
                }
            }
        }
        if (sb != null) {
            arrayList.add(sb.toString());
        }
        return arrayList;
    }

    static {
        $assertionsDisabled = !FileRolesStore.class.desiredAssertionStatus();
        IN_SEGMENT_LINE = Pattern.compile("^\\s+.+");
        SKIP_LINE = Pattern.compile("(^#.*|^\\s*)");
    }
}
