package org.elasticsearch.xpack.security.operator;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Locale;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.xcontent.ConstructingObjectParser;
import org.elasticsearch.common.xcontent.DeprecationHandler;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.ParseField;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.core.List;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Set;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/operator/FileOperatorUsersStore.class */
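/**
 * Loads the operator users configuration from {@code operator_users.yml} in the node's
 * config directory and keeps it current through a {@link FileWatcher} registered on the
 * file's parent directory.
 * <p>
 * The file holds {@code operator} entries, each a {@link Group} of usernames bound to a
 * realm type, an optional realm name and an authentication type. {@link #isOperatorUser}
 * grants operator status only to authentications that match one of those groups (or to
 * internal users). A missing file is treated as an empty descriptor, so nobody except
 * internal users can perform operator-only actions until the file exists.
 * <p>
 * Thread-safety: {@link #operatorUsersDescriptor} is a volatile reference that is replaced
 * wholesale by the watcher; readers always see a complete descriptor. The descriptor itself
 * is never mutated after construction.
 */
public class FileOperatorUsersStore {
    private static final Logger logger = LogManager.getLogger(FileOperatorUsersStore.class);

    /** Descriptor used when the file is absent: no groups, hence no operator users. */
    private static final OperatorUsersDescriptor EMPTY_OPERATOR_USERS_DESCRIPTOR = new OperatorUsersDescriptor(List.of());

    // Parses one "operator" entry. usernames is a mandatory constructor argument; realm_name,
    // realm_type and auth_type are optional and defaulted by the Group constructor. The false
    // argument is ConstructingObjectParser's ignoreUnknownFields flag, so an unexpected key is a
    // parse error rather than silently ignored. Unchecked: the parser hands the string array back
    // as an untyped List.
    @SuppressWarnings("unchecked")
    private static final ConstructingObjectParser<Group, Void> GROUP_PARSER = new ConstructingObjectParser<>(
        "operator_privileges.operator.group",
        false,
        args -> new Group(Set.copyOf((java.util.List<String>) args[0]), (String) args[1], (String) args[2], (String) args[3])
    );

    // Top-level document: an object whose "operator" key holds an array of groups.
    @SuppressWarnings("unchecked")
    private static final ConstructingObjectParser<OperatorUsersDescriptor, Void> OPERATOR_USER_PARSER = new ConstructingObjectParser<>(
        "operator_privileges.operator",
        false,
        args -> new OperatorUsersDescriptor((java.util.List<Group>) args[0])
    );

    static {
        GROUP_PARSER.declareStringArray(ConstructingObjectParser.constructorArg(), Fields.USERNAMES);
        GROUP_PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), Fields.REALM_NAME);
        GROUP_PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), Fields.REALM_TYPE);
        GROUP_PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), Fields.AUTH_TYPE);
        OPERATOR_USER_PARSER.declareObjectArray(
            ConstructingObjectParser.constructorArg(),
            (parser, ctx) -> GROUP_PARSER.parse(parser, null),
            Fields.OPERATOR
        );
    }

    /** Absolute location of {@code operator_users.yml}, resolved against the node's config directory. */
    private final Path file;

    /** Most recently parsed configuration; swapped atomically by {@link FileListener}. */
    private volatile OperatorUsersDescriptor operatorUsersDescriptor;

    /** Keys recognised in {@code operator_users.yml}. */
    public interface Fields {
        ParseField OPERATOR = new ParseField("operator");
        ParseField USERNAMES = new ParseField("usernames");
        ParseField REALM_NAME = new ParseField("realm_name");
        ParseField REALM_TYPE = new ParseField("realm_type");
        ParseField AUTH_TYPE = new ParseField("auth_type");
    }

    /**
     * Reacts to changes under the watched config directory. Creation and deletion of the
     * operator users file are handled exactly like a modification: the file is re-parsed and,
     * if the result differs from the current descriptor, swapped in. Deleting the file thus
     * revokes operator status for everyone but internal users (see {@link #parseFile}).
     */
    private class FileListener implements FileChangesListener {
        private FileListener() {
        }

        @Override
        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        @Override
        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        @Override
        public void onFileChanged(Path path) {
            // The watcher is registered on the parent directory, so sibling files are reported too.
            if (path.equals(FileOperatorUsersStore.this.file) == false) {
                return;
            }
            // parseFile throws on a malformed file, so a bad edit propagates here and the previous
            // descriptor stays in effect rather than being replaced by a partial one.
            final OperatorUsersDescriptor updated = parseFile(path, logger);
            if (updated.equals(FileOperatorUsersStore.this.operatorUsersDescriptor)) {
                return;
            }
            logger.info("operator users file [{}] changed. updating operator users...", path.toAbsolutePath());
            FileOperatorUsersStore.this.operatorUsersDescriptor = updated;
        }
    }

    /**
     * One {@code operator} entry: a set of usernames plus the realm and authentication
     * constraints an {@link Authentication} must satisfy to count as one of these users.
     * <p>
     * Defaults applied when a key is absent: {@code realm_type} is {@code file} and
     * {@code auth_type} is {@code realm}. Validation currently accepts only that combination,
     * so operator users are always file-realm users authenticated directly against that realm.
     * Immutable once constructed.
     */
    public static final class Group {
        /** Realm types of which a node has exactly one instance, so {@code realm_name} may be omitted. */
        private static final java.util.Set<String> SINGLETON_REALM_TYPES = Set.of("file", "native", "reserved");

        private final java.util.Set<String> usernames;
        private final String realmName;
        private final String realmType;
        private final Authentication.AuthenticationType authenticationType;

        Group(java.util.Set<String> usernames) {
            this(usernames, null);
        }

        Group(java.util.Set<String> usernames, @Nullable String realmName) {
            this(usernames, realmName, null, null);
        }

        /**
         * @param usernames principals that belong to this group
         * @param realmName optional realm name; required unless the realm type is a singleton type
         * @param realmType optional realm type; defaults to {@code file}
         * @param authType optional authentication type (case-insensitive); defaults to {@code realm}
         * @throws ValidationException if the group violates the constraints in {@link #validate()}
         * @throws IllegalArgumentException if {@code authType} is not a known
         *         {@link Authentication.AuthenticationType} name
         */
        Group(java.util.Set<String> usernames, @Nullable String realmName, @Nullable String realmType, @Nullable String authType) {
            this.usernames = usernames;
            this.realmName = realmName;
            this.realmType = realmType == null ? "file" : realmType;
            this.authenticationType = authType == null
                ? Authentication.AuthenticationType.REALM
                : Authentication.AuthenticationType.valueOf(authType.toUpperCase(Locale.ROOT));
            validate();
        }

        /**
         * Rejects configurations the store does not support: only the {@code file} realm type
         * and the {@code realm} authentication type are allowed, and non-singleton realm types
         * must name their realm. All errors are collected and reported together.
         */
        private void validate() {
            final ValidationException errors = new ValidationException();
            if ("file".equals(this.realmType) == false) {
                errors.addValidationError("[realm_type] only supports [file]");
            }
            if (this.authenticationType != Authentication.AuthenticationType.REALM) {
                errors.addValidationError("[auth_type] only supports [realm]");
            }
            if (this.realmName == null && SINGLETON_REALM_TYPES.contains(this.realmType) == false) {
                errors.addValidationError(
                    "[realm_name] must be specified for realm types other than [" + Strings.collectionToCommaDelimitedString(SINGLETON_REALM_TYPES) + "]"
                );
            }
            if (errors.validationErrors().isEmpty() == false) {
                throw errors;
            }
        }

        @Override
        public String toString() {
            // realmType and authenticationType are never null after construction; realmName may be.
            final StringBuilder sb = new StringBuilder("Group[").append("usernames=").append(this.usernames);
            if (this.realmName != null) {
                sb.append(", realm_name=").append(this.realmName);
            }
            sb.append(", realm_type=").append(this.realmType);
            sb.append(", auth_type=").append(this.authenticationType.name().toLowerCase(Locale.ROOT));
            return sb.append("]").toString();
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final Group other = (Group) obj;
            return this.usernames.equals(other.usernames)
                && Objects.equals(this.realmName, other.realmName)
                && this.realmType.equals(other.realmType)
                && this.authenticationType == other.authenticationType;
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.usernames, this.realmName, this.realmType, this.authenticationType);
        }
    }

    /**
     * Parsed content of the operator users file: the ordered list of {@link Group}s.
     * Immutable; equality is list equality, which is what the file watcher uses to decide
     * whether a rewrite actually changed anything.
     */
    public static final class OperatorUsersDescriptor {
        private final java.util.List<Group> groups;

        private OperatorUsersDescriptor(java.util.List<Group> groups) {
            this.groups = groups;
        }

        java.util.List<Group> getGroups() {
            return this.groups;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            return this.groups.equals(((OperatorUsersDescriptor) obj).groups);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.groups);
        }

        @Override
        public String toString() {
            return "OperatorUsersDescriptor{groups=" + this.groups + '}';
        }
    }

    /**
     * Parses the operator users file once and starts watching its directory for changes.
     *
     * @param environment used to resolve {@code operator_users.yml} in the config directory
     * @param resourceWatcherService the watcher is registered here at {@link ResourceWatcherService.Frequency#HIGH}
     * @throws ElasticsearchException if the watcher cannot be started
     * @throws ElasticsearchParseException if the file exists but cannot be parsed (see {@link #parseFile})
     */
    public FileOperatorUsersStore(Environment environment, ResourceWatcherService resourceWatcherService) {
        this.file = XPackPlugin.resolveConfigFile(environment, "operator_users.yml");
        this.operatorUsersDescriptor = parseFile(this.file, logger);
        final FileWatcher fileWatcher = new FileWatcher(this.file.getParent());
        fileWatcher.addListener(new FileListener());
        try {
            resourceWatcherService.add(fileWatcher, ResourceWatcherService.Frequency.HIGH);
        } catch (IOException e) {
            throw new ElasticsearchException("Failed to start watching the operator users file [" + this.file.toAbsolutePath() + "]", e);
        }
    }

    /**
     * Decides whether the given authentication may perform operator-only actions.
     * <p>
     * Order of checks:
     * <ol>
     *   <li>a run-as (impersonated) user is never an operator, regardless of who is impersonating;</li>
     *   <li>internal users always are;</li>
     *   <li>otherwise some configured group must contain the principal and match the
     *       authentication type, the source realm's type and, when the group names one,
     *       the source realm's name.</li>
     * </ol>
     *
     * @param authentication the authentication of the current request
     * @return {@code true} if the authenticated user is an operator
     */
    public boolean isOperatorUser(Authentication authentication) {
        final User user = authentication.getUser();
        if (user.isRunAs()) {
            return false;
        }
        if (User.isInternal(user)) {
            return true;
        }
        // Hoisted out of the lambda: the same authentication is compared against every group.
        final Authentication.RealmRef sourceRealm = authentication.getSourceRealm();
        final String principal = user.principal();
        final Authentication.AuthenticationType authType = authentication.getAuthenticationType();
        return this.operatorUsersDescriptor.groups.stream()
            .anyMatch(
                group -> group.usernames.contains(principal)
                    && group.authenticationType == authType
                    && sourceRealm.getType().equals(group.realmType)
                    && (group.realmName == null || group.realmName.equals(sourceRealm.getName()))
            );
    }

    /** @return the currently effective descriptor (a consistent snapshot; never {@code null}) */
    public OperatorUsersDescriptor getOperatorUsersDescriptor() {
        return this.operatorUsersDescriptor;
    }

    /**
     * Reads and parses the operator users file.
     * <p>
     * A missing file is not an error: a warning is logged and the empty descriptor returned, so
     * the feature fails closed (nobody but internal users is an operator). Any read or parse
     * failure is logged and rethrown as {@link ElasticsearchParseException}; the stream is
     * closed on every path.
     *
     * @param path location of the file
     * @param log logger to report missing-file and parse problems to
     * @return the parsed descriptor, or the empty descriptor when the file does not exist
     * @throws ElasticsearchParseException wrapping the underlying {@link IOException} or
     *         {@link RuntimeException} (validation and YAML errors surface as the latter)
     */
    public static OperatorUsersDescriptor parseFile(Path path, Logger log) {
        if (Files.exists(path) == false) {
            log.warn(
                "Operator privileges [{}] is enabled, but operator user file does not exist. No user will be able to perform operator-only actions.",
                OperatorPrivileges.OPERATOR_PRIVILEGES_ENABLED.getKey()
            );
            return EMPTY_OPERATOR_USERS_DESCRIPTOR;
        }
        log.debug("Reading operator users file [{}]", path.toAbsolutePath());
        // try-with-resources so the stream is also closed when parseConfig throws.
        try (InputStream in = Files.newInputStream(path, StandardOpenOption.READ)) {
            return parseConfig(in);
        } catch (IOException | RuntimeException e) {
            log.error(new ParameterizedMessage("Failed to parse operator users file [{}].", path), e);
            throw new ElasticsearchParseException("Error parsing operator users file [{}]", e, path.toAbsolutePath());
        }
    }

    /**
     * Parses a YAML operator users document from the given stream. The stream is not closed
     * by this method; the parser created over it is.
     *
     * @param inputStream YAML content
     * @return the parsed descriptor
     * @throws IOException on read or YAML errors
     * @throws ValidationException if a group fails {@link Group#validate()}
     */
    public static OperatorUsersDescriptor parseConfig(InputStream inputStream) throws IOException {
        try (XContentParser parser = yamlParser(inputStream)) {
            final OperatorUsersDescriptor descriptor = OPERATOR_USER_PARSER.parse(parser, null);
            logger.trace("Parsed: [{}]", descriptor);
            return descriptor;
        }
    }

    /** Creates a YAML parser over the stream; unsupported deprecated syntax is rejected rather than tolerated. */
    private static XContentParser yamlParser(InputStream inputStream) throws IOException {
        return XContentType.YAML.xContent().createParser(NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION, inputStream);
    }
}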
