package com.amazon.opendistroforelasticsearch.security.auditlog.config;

import com.amazon.opendistroforelasticsearch.security.DefaultObjectMapper;
import com.amazon.opendistroforelasticsearch.security.auditlog.impl.AuditCategory;
import com.amazon.opendistroforelasticsearch.security.compliance.ComplianceConfig;
import com.amazon.opendistroforelasticsearch.security.dlic.rest.support.Utils;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonLocation;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.Settings;

@JsonInclude(JsonInclude.Include.NON_NULL)
/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/auditlog/config/AuditConfig.class */
public class AuditConfig {

    @JsonProperty("enabled")
    private final boolean auditLogEnabled;

    @JsonProperty("audit")
    private final Filter filter;
    private final ComplianceConfig compliance;
    public static final List<String> DEFAULT_IGNORED_USERS = Collections.singletonList("kibanaserver");
    private static Set<String> FIELDS = DefaultObjectMapper.getFields(AuditConfig.class);
    public static final List<String> DEPRECATED_KEYS = ImmutableList.of(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, new String[]{ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES});
    public static final Set<String> FIELD_PATHS = Sets.union(Utils.generateFieldResourcePaths(FIELDS, "/"), Sets.union(Utils.generateFieldResourcePaths(Filter.FIELDS, "/audit/"), Utils.generateFieldResourcePaths(ComplianceConfig.FIELDS, "/compliance/")));

    @JsonInclude(JsonInclude.Include.NON_NULL)
    /* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/auditlog/config/AuditConfig$Filter.class */
    public static class Filter {

        @VisibleForTesting
        public static final Filter DEFAULT = from(Settings.EMPTY);
        private static Set<String> FIELDS = DefaultObjectMapper.getFields(Filter.class);
        private final boolean isRestApiAuditEnabled;
        private final boolean isTransportApiAuditEnabled;
        private final boolean resolveBulkRequests;
        private final boolean logRequestBody;
        private final boolean resolveIndices;
        private final boolean excludeSensitiveHeaders;

        @JsonProperty("ignore_users")
        private final Set<String> ignoredAuditUsers;

        @JsonProperty("ignore_requests")
        private final Set<String> ignoredAuditRequests;
        private final WildcardMatcher ignoredAuditUsersMatcher;
        private final WildcardMatcher ignoredAuditRequestsMatcher;
        private final Set<AuditCategory> disabledRestCategories;
        private final Set<AuditCategory> disabledTransportCategories;

        @VisibleForTesting
        Filter(boolean z, boolean z2, boolean z3, boolean z4, boolean z5, boolean z6, Set<String> set, Set<String> set2, Set<AuditCategory> set3, Set<AuditCategory> set4) {
            this.isRestApiAuditEnabled = z;
            this.isTransportApiAuditEnabled = z2;
            this.resolveBulkRequests = z3;
            this.logRequestBody = z4;
            this.resolveIndices = z5;
            this.excludeSensitiveHeaders = z6;
            this.ignoredAuditUsers = set;
            this.ignoredAuditUsersMatcher = WildcardMatcher.from(set);
            this.ignoredAuditRequests = set2;
            this.ignoredAuditRequestsMatcher = WildcardMatcher.from(set2);
            this.disabledRestCategories = set3;
            this.disabledTransportCategories = set4;
        }

        @VisibleForTesting
        @JsonCreator
        public static Filter from(Map<String, Object> map) throws JsonProcessingException {
            if (!FIELDS.containsAll(map.keySet())) {
                throw new UnrecognizedPropertyException((JsonParser) null, "Unrecognized field(s) present in the input data for audit filter config", (JsonLocation) null, Filter.class, (String) null, (Collection) null);
            }
            return new Filter(DefaultObjectMapper.getOrDefault(map, "enable_rest", true), DefaultObjectMapper.getOrDefault(map, "enable_transport", true), DefaultObjectMapper.getOrDefault(map, "resolve_bulk_requests", false), DefaultObjectMapper.getOrDefault(map, "log_request_body", true), DefaultObjectMapper.getOrDefault(map, "resolve_indices", true), DefaultObjectMapper.getOrDefault(map, "exclude_sensitive_headers", true), ImmutableSet.copyOf((Collection) DefaultObjectMapper.getOrDefault(map, "ignore_users", AuditConfig.DEFAULT_IGNORED_USERS)), ImmutableSet.copyOf((Collection) DefaultObjectMapper.getOrDefault(map, "ignore_requests", Collections.emptyList())), AuditCategory.parse((Collection) DefaultObjectMapper.getOrDefault(map, "disabled_rest_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)), AuditCategory.parse((Collection) DefaultObjectMapper.getOrDefault(map, "disabled_transport_categories", ConfigConstants.OPENDISTRO_SECURITY_AUDIT_DISABLED_CATEGORIES_DEFAULT)));
        }

        public static Filter from(Settings settings) {
            return new Filter(settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_REST, true).booleanValue(), settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_ENABLE_TRANSPORT, true).booleanValue(), settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_BULK_REQUESTS, false).booleanValue(), settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_LOG_REQUEST_BODY, true).booleanValue(), settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_RESOLVE_INDICES, true).booleanValue(), settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_EXCLUDE_SENSITIVE_HEADERS, true).booleanValue(), ConfigConstants.getSettingAsSet(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_USERS, AuditConfig.DEFAULT_IGNORED_USERS, false), ImmutableSet.copyOf(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_IGNORE_REQUESTS, Collections.emptyList())), AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_REST_CATEGORIES), AuditCategory.from(settings, ConfigConstants.OPENDISTRO_SECURITY_AUDIT_CONFIG_DISABLED_TRANSPORT_CATEGORIES));
        }

        @JsonProperty("enable_rest")
        public boolean isRestApiAuditEnabled() {
            return this.isRestApiAuditEnabled;
        }

        @JsonProperty("enable_transport")
        public boolean isTransportApiAuditEnabled() {
            return this.isTransportApiAuditEnabled;
        }

        @JsonProperty("resolve_bulk_requests")
        public boolean shouldResolveBulkRequests() {
            return this.resolveBulkRequests;
        }

        @JsonProperty("log_request_body")
        public boolean shouldLogRequestBody() {
            return this.logRequestBody;
        }

        @JsonProperty("resolve_indices")
        public boolean shouldResolveIndices() {
            return this.resolveIndices;
        }

        @JsonProperty("exclude_sensitive_headers")
        public boolean shouldExcludeSensitiveHeaders() {
            return this.excludeSensitiveHeaders;
        }

        @VisibleForTesting
        WildcardMatcher getIgnoredAuditUsersMatcher() {
            return this.ignoredAuditUsersMatcher;
        }

        public boolean isAuditDisabled(String str) {
            return this.ignoredAuditUsersMatcher.test(str);
        }

        @VisibleForTesting
        WildcardMatcher getIgnoredAuditRequestsMatcher() {
            return this.ignoredAuditRequestsMatcher;
        }

        public boolean isRequestAuditDisabled(String str) {
            return this.ignoredAuditRequestsMatcher.test(str);
        }

        @JsonProperty("disabled_rest_categories")
        public Set<AuditCategory> getDisabledRestCategories() {
            return this.disabledRestCategories;
        }

        @JsonProperty("disabled_transport_categories")
        public Set<AuditCategory> getDisabledTransportCategories() {
            return this.disabledTransportCategories;
        }

        public void log(Logger logger) {
            logger.info("Auditing on REST API is {}.", this.isRestApiAuditEnabled ? "enabled" : "disabled");
            logger.info("{} are excluded from REST API auditing.", this.disabledRestCategories);
            logger.info("Auditing on Transport API is {}.", this.isTransportApiAuditEnabled ? "enabled" : "disabled");
            logger.info("{} are excluded from Transport API auditing.", this.disabledTransportCategories);
            logger.info("Auditing of request body is {}.", this.logRequestBody ? "enabled" : "disabled");
            logger.info("Bulk requests resolution is {} during request auditing.", this.resolveBulkRequests ? "enabled" : "disabled");
            logger.info("Index resolution is {} during request auditing.", this.resolveIndices ? "enabled" : "disabled");
            logger.info("Sensitive headers auditing is {}.", this.excludeSensitiveHeaders ? "enabled" : "disabled");
            logger.info("Auditing requests from {} users is disabled.", this.ignoredAuditUsersMatcher);
        }

        public String toString() {
            return "Filter{isRestApiAuditEnabled=" + this.isRestApiAuditEnabled + ", disabledRestCategories=" + this.disabledRestCategories + ", isTransportApiAuditEnabled=" + this.isTransportApiAuditEnabled + ", disabledTransportCategories=" + this.disabledTransportCategories + ", resolveBulkRequests=" + this.resolveBulkRequests + ", logRequestBody=" + this.logRequestBody + ", resolveIndices=" + this.resolveIndices + ", excludeSensitiveHeaders=" + this.excludeSensitiveHeaders + ", ignoredAuditUsers=" + this.ignoredAuditUsersMatcher + ", ignoreAuditRequests=" + this.ignoredAuditRequestsMatcher + '}';
        }
    }

    private AuditConfig() {
        this(true, null, null);
    }

    public boolean isEnabled() {
        return this.auditLogEnabled;
    }

    public Filter getFilter() {
        return this.filter;
    }

    public ComplianceConfig getCompliance() {
        return this.compliance;
    }

    @VisibleForTesting
    public AuditConfig(boolean z, Filter filter, ComplianceConfig complianceConfig) {
        this.auditLogEnabled = z;
        this.filter = filter != null ? filter : Filter.DEFAULT;
        this.compliance = complianceConfig != null ? complianceConfig : ComplianceConfig.DEFAULT;
    }

    public static AuditConfig from(Settings settings) {
        return new AuditConfig(true, Filter.from(settings), ComplianceConfig.from(settings));
    }

    public static Set<String> getDeprecatedKeys(Settings settings) {
        Stream<String> stream = DEPRECATED_KEYS.stream();
        Objects.requireNonNull(settings);
        return (Set) stream.filter(settings::hasValue).collect(Collectors.toSet());
    }
}
