package com.amazon.opendistroforelasticsearch.reportsscheduler.security;

import com.amazon.opendistroforelasticsearch.commons.authuser.User;
import com.amazon.opendistroforelasticsearch.reportsscheduler.ReportsSchedulerPlugin;
import com.amazon.opendistroforelasticsearch.reportsscheduler.metrics.Metrics;
import com.amazon.opendistroforelasticsearch.reportsscheduler.model.RestTag;
import com.amazon.opendistroforelasticsearch.reportsscheduler.settings.PluginSettings;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.rest.RestStatus;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: UserAccessManager.kt */
@Metadata(mv = {1, 4, 0}, bv = {1, 0, 3}, k = 1, d1 = {"��2\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0007\n\u0002\u0010\u000b\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010 \n\u0002\b\u0007\n\u0002\u0010\u0002\n\u0002\b\u0002\bÀ\u0002\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0010\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0002J&\u0010\u000f\u001a\u00020\f2\b\u0010\r\u001a\u0004\u0018\u00010\u000e2\u0006\u0010\u0010\u001a\u00020\u00042\f\u0010\u0011\u001a\b\u0012\u0004\u0012\u00020\u00040\u0012J\u0016\u0010\u0013\u001a\b\u0012\u0004\u0012\u00020\u00040\u00122\b\u0010\r\u001a\u0004\u0018\u00010\u000eJ\u0016\u0010\u0014\u001a\b\u0012\u0004\u0012\u00020\u00040\u00122\b\u0010\r\u001a\u0004\u0018\u00010\u000eJ\u0010\u0010\u0015\u001a\u00020\u00042\b\u0010\r\u001a\u0004\u0018\u00010\u000eJ\u0010\u0010\u0016\u001a\u00020\f2\b\u0010\r\u001a\u0004\u0018\u00010\u000eJ\u0010\u0010\u0017\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0002J\u0012\u0010\u0018\u001a\u00020\f2\b\u0010\r\u001a\u0004\u0018\u00010\u000eH\u0002J\u0010\u0010\u0019\u001a\u00020\u001a2\b\u0010\r\u001a\u0004\u0018\u00010\u000eJ\u0010\u0010\u001b\u001a\u00020\u001a2\b\u0010\r\u001a\u0004\u0018\u00010\u000eR\u000e\u0010\u0003\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0005\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\u0006\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n��R\u000e\u0010\u0007\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\b\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\t\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��R\u000e\u0010\n\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n��¨\u0006\u001c"}, d2 = {"Lcom/amazon/opendistroforelasticsearch/reportsscheduler/security/UserAccessManager;", UserAccessManager.DEFAULT_TENANT, "()V", "ALL_ACCESS_ROLE", UserAccessManager.DEFAULT_TENANT, "BACKEND_ROLE_TAG", "DEFAULT_TENANT", "KIBANA_SERVER_USER", "PRIVATE_TENANT", 
"ROLE_TAG", "USER_TAG", "canAdminViewAllItems", UserAccessManager.DEFAULT_TENANT, "user", "Lcom/amazon/opendistroforelasticsearch/commons/authuser/User;", "doesUserHasAccess", RestTag.TENANT_FIELD, RestTag.ACCESS_LIST_FIELD, UserAccessManager.DEFAULT_TENANT, "getAllAccessInfo", "getSearchAccessInfo", "getUserTenant", "hasAllInfoAccess", "isAdminUser", "isUserPrivateTenant", "validatePollingUser", UserAccessManager.DEFAULT_TENANT, "validateUser", ReportsSchedulerPlugin.PLUGIN_NAME})
/* loaded from: input_file:com/amazon/opendistroforelasticsearch/reportsscheduler/security/UserAccessManager.class */
/**
 * Access-control helper for the reports scheduler plugin.
 *
 * <p>Validates the calling {@link User}, derives the access tags stored with an item
 * ({@code "User:"}, {@code "Role:"}, {@code "BERole:"} prefixes) and decides whether a user may
 * see an item, driven by {@code PluginSettings.INSTANCE.getFilterBy()} and
 * {@code PluginSettings.INSTANCE.getAdminAccess()}.
 *
 * <p>Security note: a {@code null} user is treated as unrestricted by {@link #doesUserHasAccess},
 * {@link #hasAllInfoAccess} and {@link #validatePollingUser}. Judging by the message thrown in
 * {@link #validateUser} ("Filter-by enabled with security disabled"), {@code null} appears to mean
 * that the security plugin supplied no user; these checks are therefore fail-open in that case.
 */
public final class UserAccessManager {
    private static final String USER_TAG = "User:";
    private static final String ROLE_TAG = "Role:";
    private static final String BACKEND_ROLE_TAG = "BERole:";
    // Membership of this role is the only admin test performed in this class.
    private static final String ALL_ACCESS_ROLE = "all_access";
    // The only user name accepted by validatePollingUser when a user is present.
    private static final String KIBANA_SERVER_USER = "kibanaserver";
    private static final String PRIVATE_TENANT = "__user__";

    @NotNull
    public static final String DEFAULT_TENANT = "";
    public static final UserAccessManager INSTANCE = new UserAccessManager();

    /**
     * Rejects users that cannot be matched against the configured filter.
     *
     * <p>Every rejection increments {@code Metrics.REPORT_PERMISSION_USER_ERROR} and is reported
     * as HTTP 403.
     *
     * @param user the calling user, or {@code null}
     * @throws ElasticsearchStatusException with {@code RestStatus.FORBIDDEN} when the user is in
     *     the private tenant without a name, or lacks the attribute the active filter needs
     */
    public final void validateUser(@Nullable User user) {
        // Private-tenant items are keyed by user name, so a name is mandatory there.
        if (isUserPrivateTenant(user) && (user == null || user.getName() == null)) {
            throw forbidden("User name not provided for private tenant access");
        }
        switch (PluginSettings.INSTANCE.getFilterBy()) {
            case User:
                if (user == null || user.getName() == null) {
                    throw forbidden("Filter-by enabled with security disabled");
                }
                return;
            case Roles: {
                List<String> roles = user == null ? null : user.getRoles();
                if (roles == null || roles.isEmpty()) {
                    throw forbidden("User doesn't have roles configured. Contact administrator.");
                }
                // A user whose roles are all on the ignore list has nothing left to match on.
                if (roles.stream().noneMatch(UserAccessManager::isDistinguishingRole)) {
                    throw forbidden("No distinguishing roles configured. Contact administrator.");
                }
                return;
            }
            case BackendRoles: {
                List<String> backendRoles = user == null ? null : user.getBackendRoles();
                if (backendRoles == null || backendRoles.isEmpty()) {
                    throw forbidden("User doesn't have backend roles configured. Contact administrator.");
                }
                return;
            }
            case NoFilter:
            default:
                return;
        }
    }

    /**
     * Allows polling only for a {@code null} user or the user named {@code "kibanaserver"}.
     *
     * <p>The decision rests on the user name alone; no role or tenant is consulted here.
     *
     * @param user the calling user, or {@code null}
     * @throws ElasticsearchStatusException with {@code RestStatus.FORBIDDEN} for any other user
     */
    public final void validatePollingUser(@Nullable User user) {
        if (user == null || KIBANA_SERVER_USER.equals(user.getName())) {
            return;
        }
        throw forbidden("Permission denied");
    }

    /**
     * Returns the tenant requested by the user.
     *
     * @param user the calling user, or {@code null}
     * @return the requested tenant, or {@link #DEFAULT_TENANT} when the user or tenant is absent
     */
    @NotNull
    public final String getUserTenant(@Nullable User user) {
        if (user == null) {
            return DEFAULT_TENANT;
        }
        String tenant = user.getRequestedTenant();
        return tenant != null ? tenant : DEFAULT_TENANT;
    }

    /**
     * Builds every access tag of the user: the name (when present), all roles and all backend
     * roles. Ignored roles are NOT filtered out here.
     *
     * @param user the calling user, or {@code null}
     * @return the tags in name, roles, backend-roles order; an empty list for a {@code null} user
     */
    @NotNull
    public final List<String> getAllAccessInfo(@Nullable User user) {
        if (user == null) {
            return CollectionsKt.emptyList();
        }
        List<String> accessInfo = new ArrayList<>();
        if (user.getName() != null) {
            accessInfo.add(USER_TAG + user.getName());
        }
        List<String> roles = user.getRoles();
        Intrinsics.checkNotNullExpressionValue(roles, "user.roles");
        for (String role : roles) {
            accessInfo.add(ROLE_TAG + role);
        }
        List<String> backendRoles = user.getBackendRoles();
        Intrinsics.checkNotNullExpressionValue(backendRoles, "user.backendRoles");
        for (String backendRole : backendRoles) {
            accessInfo.add(BACKEND_ROLE_TAG + backendRole);
        }
        return accessInfo;
    }

    /**
     * Builds the access tags to search items by for this user.
     *
     * <p>An empty list is returned for a {@code null} user, for an admin allowed to view all
     * reports and for the {@code NoFilter} setting; presumably the caller treats an empty list as
     * "no access filter" — confirm against the caller.
     *
     * <p>NOTE(review): the name is concatenated without a null check, so a user without a name
     * would yield the literal tag {@code "User:null"}. {@link #validateUser} rejects that case;
     * callers are presumably expected to call it first — confirm.
     *
     * @param user the calling user, or {@code null}
     * @return the tags to filter a search with, possibly empty
     */
    @NotNull
    public final List<String> getSearchAccessInfo(@Nullable User user) {
        if (user == null) {
            return CollectionsKt.emptyList();
        }
        // The private tenant is always scoped to the user name, whatever the filter setting.
        if (isUserPrivateTenant(user)) {
            return CollectionsKt.listOf(USER_TAG + user.getName());
        }
        if (canAdminViewAllItems(user)) {
            return CollectionsKt.emptyList();
        }
        switch (PluginSettings.INSTANCE.getFilterBy()) {
            case NoFilter:
                return CollectionsKt.emptyList();
            case User:
                return CollectionsKt.listOf(USER_TAG + user.getName());
            case Roles:
                List<String> roleTags = user.getRoles().stream()
                    .filter(UserAccessManager::isDistinguishingRole)
                    .map(role -> ROLE_TAG + role)
                    .collect(Collectors.toList());
                Intrinsics.checkNotNullExpressionValue(roleTags, "user.roles.stream()\n    …lect(Collectors.toList())");
                return roleTags;
            case BackendRoles:
                return tagBackendRoles(user);
            default:
                throw new NoWhenBranchMatchedException();
        }
    }

    /**
     * Decides whether the user may access an item.
     *
     * <p>Security note: a {@code null} user is granted access before the tenant or the access
     * list is looked at.
     *
     * @param user the calling user, or {@code null}
     * @param str the tenant of the item; must equal the user's tenant for access to be granted
     * @param list the access tags stored with the item
     * @return {@code true} when access is granted
     */
    public final boolean doesUserHasAccess(@Nullable User user, @NotNull String str, @NotNull final List<String> list) {
        Intrinsics.checkNotNullParameter(str, RestTag.TENANT_FIELD);
        Intrinsics.checkNotNullParameter(list, RestTag.ACCESS_LIST_FIELD);
        if (user == null) {
            return true;
        }
        // The tenant check comes before the admin shortcut, so admins stay tenant-scoped too.
        if (!getUserTenant(user).equals(str)) {
            return false;
        }
        if (canAdminViewAllItems(user)) {
            return true;
        }
        switch (PluginSettings.INSTANCE.getFilterBy()) {
            case NoFilter:
                return true;
            case User:
                return list.contains(USER_TAG + user.getName());
            case Roles:
                return user.getRoles().stream()
                    .filter(UserAccessManager::isDistinguishingRole)
                    .map(role -> ROLE_TAG + role)
                    .anyMatch(list::contains);
            case BackendRoles:
                return tagBackendRoles(user).stream().anyMatch(list::contains);
            default:
                throw new NoWhenBranchMatchedException();
        }
    }

    /**
     * Reports whether the user may see all access information.
     *
     * @param user the calling user, or {@code null}
     * @return {@code true} for a {@code null} user or a user holding the {@code all_access} role
     */
    public final boolean hasAllInfoAccess(@Nullable User user) {
        return user == null || isAdminUser(user);
    }

    /** True when the admin-access setting is {@code AllReports} and the user is an admin. */
    private final boolean canAdminViewAllItems(User user) {
        if (PluginSettings.INSTANCE.getAdminAccess() != PluginSettings.AdminAccess.AllReports) {
            return false;
        }
        return isAdminUser(user);
    }

    /** True when the user's roles contain {@code all_access}. */
    private final boolean isAdminUser(User user) {
        List<String> roles = user.getRoles();
        return roles.contains(ALL_ACCESS_ROLE);
    }

    /** True when the user's tenant is the private tenant ({@code "__user__"}); null-safe. */
    private final boolean isUserPrivateTenant(User user) {
        return PRIVATE_TENANT.equals(getUserTenant(user));
    }

    /** True when the role is not on the configured ignored-roles list. */
    private static boolean isDistinguishingRole(String role) {
        return !PluginSettings.INSTANCE.getIgnoredRoles().contains(role);
    }

    /** Returns the user's backend roles, each prefixed with the backend-role tag. */
    private static List<String> tagBackendRoles(User user) {
        List<String> backendRoles = user.getBackendRoles();
        Intrinsics.checkNotNullExpressionValue(backendRoles, "user.backendRoles");
        List<String> tagged = new ArrayList<>(CollectionsKt.collectionSizeOrDefault(backendRoles, 10));
        for (String backendRole : backendRoles) {
            tagged.add(BACKEND_ROLE_TAG + backendRole);
        }
        return tagged;
    }

    /** Counts a permission error and builds the HTTP 403 exception for the caller to throw. */
    private static ElasticsearchStatusException forbidden(String message) {
        Metrics.REPORT_PERMISSION_USER_ERROR.getCounter().increment();
        return new ElasticsearchStatusException(message, RestStatus.FORBIDDEN, new Object[0]);
    }

    private UserAccessManager() {
    }
}
