package com.amazon.opendistroforelasticsearch.security.compliance;

import com.amazon.opendistroforelasticsearch.security.DefaultObjectMapper;
import com.amazon.opendistroforelasticsearch.security.auditlog.config.AuditConfig;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher;
import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonLocation;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;

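/**
 * Immutable snapshot of the compliance-audit settings: which indices and fields are watched for
 * reads and writes, which users are exempt from compliance auditing, and which indices belong to
 * the security plugin itself (security config index, audit-log index).
 *
 * <p>Instances are built either from node {@link Settings} ({@link #from(Settings)}) or from a
 * property map ({@link #from(Map, Settings)}). Only fields and getters explicitly annotated with
 * {@code @JsonProperty} are serialised, because getter auto-detection is switched off.
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
@JsonAutoDetect(getterVisibility = JsonAutoDetect.Visibility.NONE)
/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/compliance/ComplianceConfig.class */
public class ComplianceConfig {
    /** Upper bound on the number of per-index field matchers kept in {@link #readEnabledFieldsCache}. */
    private static final int CACHE_SIZE = 1000;
    /** Audit type value for which the audit-log index setting is honoured (compared case-insensitively). */
    private static final String INTERNAL_ELASTICSEARCH = "internal_elasticsearch";
    private final boolean logExternalConfig;
    private final boolean logInternalConfig;
    private final boolean logReadMetadataOnly;
    private final boolean logWriteMetadataOnly;

    @JsonProperty("write_log_diffs")
    private final boolean logDiffsForWrite;

    @JsonProperty("read_watched_fields")
    private final Map<String, List<String>> watchedReadFields;

    @JsonProperty("read_ignore_users")
    private final Set<String> ignoredComplianceUsersForRead;

    @JsonProperty("write_watched_indices")
    private final List<String> watchedWriteIndicesPatterns;

    @JsonProperty("write_ignore_users")
    private final Set<String> ignoredComplianceUsersForWrite;
    private final WildcardMatcher watchedWriteIndicesMatcher;
    // Users matching these patterns are NOT compliance-audited; keep the lists as narrow as possible.
    private final WildcardMatcher ignoredComplianceUsersForReadMatcher;
    private final WildcardMatcher ignoredComplianceUsersForWriteMatcher;
    private final String opendistrosecurityIndex;
    // Index pattern -> field patterns watched for reads (entries with a null/empty index key are dropped).
    private final Map<WildcardMatcher, Set<String>> readEnabledFields;
    // Index name -> matcher over the watched field patterns for that index, computed on demand.
    private final LoadingCache<String, WildcardMatcher> readEnabledFieldsCache;
    // Exactly one of auditLogPattern / auditLogIndex is set when the audit type is internal_elasticsearch
    // (both stay null otherwise, or when the pattern check failed unexpectedly).
    private final DateTimeFormatter auditLogPattern;
    private final String auditLogIndex;
    private final boolean enabled;
    // Declared before DEFAULT on purpose: the constructor run by DEFAULT may log.
    private static final Logger log = LogManager.getLogger(ComplianceConfig.class);
    /** Configuration derived from empty settings. */
    public static final ComplianceConfig DEFAULT = from(Settings.EMPTY);
    /**
     * Property names accepted by {@link #from(Map, Settings)}; any other key is rejected there.
     * NOTE(review): this set gates input validation but is public and non-final, so it can be
     * reassigned at runtime; left unchanged for compatibility.
     */
    public static Set<String> FIELDS = DefaultObjectMapper.getFields(ComplianceConfig.class);

    /**
     * Builds the configuration and its derived matchers.
     *
     * @param enabled whether compliance auditing is switched on at all
     * @param logExternalConfig whether external configuration is audited
     * @param logInternalConfig whether access to the security config index is audited
     * @param logReadMetadataOnly whether only metadata is recorded for reads
     * @param watchedReadFields index pattern to field patterns watched for reads
     * @param ignoredComplianceUsersForRead user patterns exempt from read auditing
     * @param logWriteMetadataOnly whether only metadata is recorded for writes
     * @param logDiffsForWrite whether diffs are recorded for writes
     * @param watchedWriteIndicesPatterns index patterns watched for writes
     * @param ignoredComplianceUsersForWrite user patterns exempt from write auditing
     * @param opendistrosecurityIndex name of the security config index
     * @param auditType configured audit type; the audit index setting is only used for
     *     {@code internal_elasticsearch}
     * @param auditIndexSetting audit-log index name, or a Joda date pattern producing it
     */
    private ComplianceConfig(boolean enabled, boolean logExternalConfig, boolean logInternalConfig, boolean logReadMetadataOnly, Map<String, List<String>> watchedReadFields, Set<String> ignoredComplianceUsersForRead, boolean logWriteMetadataOnly, boolean logDiffsForWrite, List<String> watchedWriteIndicesPatterns, Set<String> ignoredComplianceUsersForWrite, String opendistrosecurityIndex, String auditType, String auditIndexSetting) {
        this.enabled = enabled;
        this.logExternalConfig = logExternalConfig;
        this.logInternalConfig = logInternalConfig;
        this.logReadMetadataOnly = logReadMetadataOnly;
        this.logWriteMetadataOnly = logWriteMetadataOnly;
        this.logDiffsForWrite = logDiffsForWrite;
        this.watchedWriteIndicesMatcher = WildcardMatcher.from(watchedWriteIndicesPatterns);
        this.ignoredComplianceUsersForReadMatcher = WildcardMatcher.from(ignoredComplianceUsersForRead);
        this.ignoredComplianceUsersForWriteMatcher = WildcardMatcher.from(ignoredComplianceUsersForWrite);
        this.opendistrosecurityIndex = opendistrosecurityIndex;
        this.watchedReadFields = watchedReadFields;
        this.ignoredComplianceUsersForRead = ignoredComplianceUsersForRead;
        this.watchedWriteIndicesPatterns = watchedWriteIndicesPatterns;
        this.ignoredComplianceUsersForWrite = ignoredComplianceUsersForWrite;
        this.readEnabledFields = watchedReadFields.entrySet().stream()
                .filter(entry -> !Strings.isNullOrEmpty(entry.getKey()))
                .collect(ImmutableMap.toImmutableMap(
                        entry -> WildcardMatcher.from(entry.getKey()),
                        entry -> ImmutableSet.copyOf(entry.getValue())));

        DateTimeFormatter pattern = null;
        String literalIndex = null;
        if (INTERNAL_ELASTICSEARCH.equalsIgnoreCase(auditType)) {
            try {
                pattern = DateTimeFormat.forPattern(auditIndexSetting);
            } catch (IllegalArgumentException notADatePattern) {
                // Not a valid date pattern: treat the setting as a literal index name.
                literalIndex = auditIndexSetting;
            } catch (Exception e) {
                // Both values stay null here, so the audit-log index will not be recognised later.
                log.error("Unable to check if auditlog index {} is part of compliance setup", auditIndexSetting, e);
            }
        }
        this.auditLogPattern = pattern;
        this.auditLogIndex = literalIndex;
        this.readEnabledFieldsCache = CacheBuilder.newBuilder().maximumSize(CACHE_SIZE).build(new CacheLoader<String, WildcardMatcher>() { // from class: com.amazon.opendistroforelasticsearch.security.compliance.ComplianceConfig.1
            @Override
            public WildcardMatcher load(String index) throws Exception {
                return WildcardMatcher.from(ComplianceConfig.this.getFieldsForIndex(index));
            }
        });
    }

    /**
     * Test-visible constructor that resolves the security index name, the audit type and the
     * audit-log index setting from {@code settings} and delegates to the private constructor.
     *
     * @param settings node settings supplying the index names and audit type
     */
    @VisibleForTesting
    public ComplianceConfig(boolean enabled, boolean logExternalConfig, boolean logInternalConfig, boolean logReadMetadataOnly, Map<String, List<String>> watchedReadFields, Set<String> ignoredComplianceUsersForRead, boolean logWriteMetadataOnly, boolean logDiffsForWrite, List<String> watchedWriteIndicesPatterns, Set<String> ignoredComplianceUsersForWrite, Settings settings) {
        this(enabled, logExternalConfig, logInternalConfig, logReadMetadataOnly, watchedReadFields, ignoredComplianceUsersForRead, logWriteMetadataOnly, logDiffsForWrite, watchedWriteIndicesPatterns, ignoredComplianceUsersForWrite,
                settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX),
                settings.get(ConfigConstants.OPENDISTRO_SECURITY_AUDIT_TYPE_DEFAULT, (String) null),
                settings.get("opendistro_security.audit.config.index", "'security-auditlog-'YYYY.MM.dd"));
    }

    /** Renders a flag the way the startup summary in {@link #log(Logger)} prints it. */
    private static String enabledOrDisabled(boolean flag) {
        return flag ? "enabled" : "disabled";
    }

    /**
     * Writes a human-readable summary of this configuration at INFO level.
     *
     * @param logger destination logger
     */
    public void log(Logger logger) {
        logger.info("Auditing of external configuration is {}.", enabledOrDisabled(this.logExternalConfig));
        logger.info("Auditing of internal configuration is {}.", enabledOrDisabled(this.logInternalConfig));
        logger.info("Auditing only metadata information for read request is {}.", enabledOrDisabled(this.logReadMetadataOnly));
        logger.info("Auditing will watch {} for read requests.", this.readEnabledFields);
        logger.info("Auditing read operation requests from {} users is disabled.", this.ignoredComplianceUsersForReadMatcher);
        logger.info("Auditing only metadata information for write request is {}.", enabledOrDisabled(this.logWriteMetadataOnly));
        // Prints the raw flag; shouldLogDiffsForWrite() additionally requires write_metadata_only to be off.
        logger.info("Auditing diffs for write requests is {}.", enabledOrDisabled(this.logDiffsForWrite));
        logger.info("Auditing write operation requests from {} users is disabled.", this.ignoredComplianceUsersForWriteMatcher);
        logger.info("Auditing will watch {} for write requests.", this.watchedWriteIndicesMatcher);
        logger.info("{} is used as internal security index.", this.opendistrosecurityIndex);
        logger.info("Internal index used for posting audit logs is {}", this.auditLogIndex);
    }

    /**
     * Creates a configuration from a property map, rejecting any key not listed in {@link #FIELDS}.
     * Missing keys fall back to: enabled = true, all other flags false, no watched fields or
     * indices, and {@code AuditConfig.DEFAULT_IGNORED_USERS} for both ignore lists.
     *
     * @param properties compliance properties keyed by their JSON names
     * @param settings node settings, injected by Jackson, used for index names and audit type
     * @return the parsed configuration
     * @throws JsonProcessingException if an unknown property is present, or if reading a value fails
     */
    @VisibleForTesting
    @JsonCreator
    @SuppressWarnings({"unchecked", "rawtypes"}) // raw casts kept as found; element types are not checked here
    public static ComplianceConfig from(Map<String, Object> properties, @JacksonInject Settings settings) throws JsonProcessingException {
        // Fail closed on unknown keys so a misspelled audit option is not silently ignored.
        if (!FIELDS.containsAll(properties.keySet())) {
            throw new UnrecognizedPropertyException((JsonParser) null, "Invalid property present in the input data for compliance config", (JsonLocation) null, ComplianceConfig.class, (String) null, (Collection) null);
        }
        boolean enabled = DefaultObjectMapper.getOrDefault(properties, "enabled", true);
        boolean externalConfig = DefaultObjectMapper.getOrDefault(properties, "external_config", false);
        boolean internalConfig = DefaultObjectMapper.getOrDefault(properties, "internal_config", false);
        boolean readMetadataOnly = DefaultObjectMapper.getOrDefault(properties, "read_metadata_only", false);
        Map<String, List<String>> watchedReadFields = (Map) DefaultObjectMapper.getOrDefault(properties, "read_watched_fields", Collections.emptyMap());
        Set<String> readIgnoreUsers = ImmutableSet.copyOf((Collection) DefaultObjectMapper.getOrDefault(properties, "read_ignore_users", AuditConfig.DEFAULT_IGNORED_USERS));
        boolean writeMetadataOnly = DefaultObjectMapper.getOrDefault(properties, "write_metadata_only", false);
        boolean writeLogDiffs = DefaultObjectMapper.getOrDefault(properties, "write_log_diffs", false);
        List<String> watchedWriteIndices = (List) DefaultObjectMapper.getOrDefault(properties, "write_watched_indices", Collections.emptyList());
        Set<String> writeIgnoreUsers = ImmutableSet.copyOf((Collection) DefaultObjectMapper.getOrDefault(properties, "write_ignore_users", AuditConfig.DEFAULT_IGNORED_USERS));
        return new ComplianceConfig(enabled, externalConfig, internalConfig, readMetadataOnly, watchedReadFields, readIgnoreUsers, writeMetadataOnly, writeLogDiffs, watchedWriteIndices, writeIgnoreUsers, settings);
    }

    /**
     * Field patterns for one {@code index,field1,field2,...} entry: everything after the index
     * pattern, or {@code "*"} when no field is listed.
     */
    private static List<String> watchedFieldsOf(String[] parts) {
        return parts.length == 1 ? ImmutableList.of("*") : Arrays.stream(parts).skip(1L).collect(ImmutableList.toImmutableList());
    }

    /**
     * Creates a configuration from node settings. The result is always marked enabled; each
     * watched-read-fields entry is a comma-separated list whose first element is the index
     * pattern and whose remaining elements are field patterns.
     *
     * @param settings node settings to read the compliance options from
     * @return the resulting configuration
     */
    public static ComplianceConfig from(Settings settings) {
        boolean externalConfig = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_EXTERNAL_CONFIG_ENABLED, false);
        boolean internalConfig = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_INTERNAL_CONFIG_ENABLED, false);
        boolean readMetadataOnly = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_METADATA_ONLY, false);
        boolean writeMetadataOnly = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_METADATA_ONLY, false);
        boolean writeLogDiffs = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_LOG_DIFFS, false);
        // Entries with no index pattern are skipped rather than treated as "watch everything".
        Map<String, List<String>> watchedReadFields = settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_WATCHED_FIELDS, Collections.emptyList(), false).stream()
                .map(entry -> entry.split(","))
                .filter(parts -> parts.length != 0 && !Strings.isNullOrEmpty(parts[0]))
                .collect(ImmutableMap.toImmutableMap(parts -> parts[0], ComplianceConfig::watchedFieldsOf));
        Set<String> readIgnoreUsers = ConfigConstants.getSettingAsSet(settings, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_READ_IGNORE_USERS, AuditConfig.DEFAULT_IGNORED_USERS, false);
        List<String> watchedWriteIndices = settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_WATCHED_INDICES, Collections.emptyList());
        Set<String> writeIgnoreUsers = ConfigConstants.getSettingAsSet(settings, ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_HISTORY_WRITE_IGNORE_USERS, AuditConfig.DEFAULT_IGNORED_USERS, false);
        return new ComplianceConfig(true, externalConfig, internalConfig, readMetadataOnly, watchedReadFields, readIgnoreUsers, writeMetadataOnly, writeLogDiffs, watchedWriteIndices, writeIgnoreUsers, settings);
    }

    /** @return whether external configuration is audited */
    @JsonProperty("external_config")
    public boolean shouldLogExternalConfig() {
        return this.logExternalConfig;
    }

    /** @return whether access to the security config index is audited */
    @JsonProperty("internal_config")
    public boolean shouldLogInternalConfig() {
        return this.logInternalConfig;
    }

    /** @return whether compliance auditing is enabled */
    @JsonProperty
    public boolean isEnabled() {
        return this.enabled;
    }

    /**
     * @return {@code true} only when write diffs are requested and write auditing is not
     *     restricted to metadata; metadata-only mode takes precedence
     */
    public boolean shouldLogDiffsForWrite() {
        return !shouldLogWriteMetadataOnly() && this.logDiffsForWrite;
    }

    /** @return whether only metadata is recorded for write requests */
    @JsonProperty("write_metadata_only")
    public boolean shouldLogWriteMetadataOnly() {
        return this.logWriteMetadataOnly;
    }

    /** @return whether only metadata is recorded for read requests */
    @JsonProperty("read_metadata_only")
    public boolean shouldLogReadMetadataOnly() {
        return this.logReadMetadataOnly;
    }

    /** @return matcher over the user patterns exempt from read auditing */
    @VisibleForTesting
    public WildcardMatcher getIgnoredComplianceUsersForReadMatcher() {
        return this.ignoredComplianceUsersForReadMatcher;
    }

    /**
     * @param user user name to check
     * @return {@code true} if the user matches the read ignore list, i.e. reads by this user are
     *     not compliance-audited
     */
    public boolean isComplianceReadAuditDisabled(String user) {
        return this.ignoredComplianceUsersForReadMatcher.test(user);
    }

    /** @return matcher over the user patterns exempt from write auditing */
    @VisibleForTesting
    public WildcardMatcher getIgnoredComplianceUsersForWriteMatcher() {
        return this.ignoredComplianceUsersForWriteMatcher;
    }

    /**
     * @param user user name to check
     * @return {@code true} if the user matches the write ignore list, i.e. writes by this user are
     *     not compliance-audited
     */
    public boolean isComplianceWriteAuditDisabled(String user) {
        return this.ignoredComplianceUsersForWriteMatcher.test(user);
    }

    /** @return immutable map of index matcher to the field patterns watched for reads */
    @VisibleForTesting
    public Map<WildcardMatcher, Set<String>> getReadEnabledFields() {
        return this.readEnabledFields;
    }

    /** @return matcher over the index patterns watched for writes */
    @VisibleForTesting
    public WildcardMatcher getWatchedWriteIndicesMatcher() {
        return this.watchedWriteIndicesMatcher;
    }

    /** @return name of the security config index */
    @VisibleForTesting
    public String getOpendistrosecurityIndex() {
        return this.opendistrosecurityIndex;
    }

    /** @return literal audit-log index name, or {@code null} when a date pattern (or none) is in use */
    @VisibleForTesting
    public String getAuditLogIndex() {
        return this.auditLogIndex;
    }

    /**
     * Tells whether {@code index} (non-null) is the index audit logs are written to: either the
     * literal name, or the date pattern expanded for the current UTC time.
     *
     * <p>Only the name for "now" is produced from the pattern, so audit indices created on earlier
     * dates are not recognised here.
     */
    private boolean isAuditLogIndex(String index) {
        if (this.auditLogIndex != null && this.auditLogIndex.equalsIgnoreCase(index)) {
            return true;
        }
        return this.auditLogPattern != null && index.equalsIgnoreCase(getExpandedIndexName(this.auditLogPattern, null));
    }

    /**
     * Collects the field patterns watched for reads on {@code index}.
     *
     * @param index concrete index name, may be {@code null}
     * @return union of the field patterns of every matching entry; empty for a {@code null} index
     *     and for the audit-log index
     */
    /* JADX INFO: Access modifiers changed from: private */
    public Set<String> getFieldsForIndex(String index) {
        // The audit-log index is never watched — presumably so that audit records are not audited again.
        if (index == null || isAuditLogIndex(index)) {
            return Collections.emptySet();
        }
        return this.readEnabledFields.entrySet().stream()
                .filter(entry -> entry.getKey().test(index))
                .flatMap(entry -> entry.getValue().stream())
                .collect(ImmutableSet.toImmutableSet());
    }

    /**
     * @param formatter date pattern to expand, may be {@code null}
     * @param fallback value returned when no formatter is given
     * @return the pattern printed for the current UTC time, or {@code fallback}
     */
    private String getExpandedIndexName(DateTimeFormatter formatter, String fallback) {
        return formatter == null ? fallback : formatter.print(DateTime.now(DateTimeZone.UTC));
    }

    /**
     * Decides whether writes to {@code index} are recorded in the compliance history.
     *
     * @param index concrete index name, may be {@code null}
     * @return {@code false} when auditing is disabled, the index is {@code null} or it is the
     *     audit-log index; the internal-config flag for the security index; otherwise whether
     *     the index matches the watched write patterns
     */
    public boolean writeHistoryEnabledForIndex(String index) {
        if (index == null || !isEnabled()) {
            return false;
        }
        if (this.opendistrosecurityIndex.equals(index)) {
            return this.logInternalConfig;
        }
        if (isAuditLogIndex(index)) {
            return false;
        }
        return this.watchedWriteIndicesMatcher.test(index);
    }

    /**
     * Decides whether reads from {@code index} are recorded in the compliance history.
     *
     * @param index concrete index name, may be {@code null}
     * @return {@code false} when auditing is disabled or the index is {@code null}; the
     *     internal-config flag for the security index; otherwise whether any field of the index
     *     is watched
     */
    public boolean readHistoryEnabledForIndex(String index) {
        // Null guard mirrors writeHistoryEnabledForIndex; it also keeps a null key away from the cache.
        if (index == null || !isEnabled()) {
            return false;
        }
        if (this.opendistrosecurityIndex.equals(index)) {
            return this.logInternalConfig;
        }
        try {
            // presumably WildcardMatcher.from(<empty>) yields NONE, i.e. "no watched fields" — confirm
            return this.readEnabledFieldsCache.get(index) != WildcardMatcher.NONE;
        } catch (ExecutionException e) {
            log.warn("Failed to get index {} fields enabled for read from cache. Bypassing cache.", index, e);
            // Fix: the fallback was inverted (returned isEmpty()), which reported watched indices
            // as not audited and unwatched ones as audited whenever the cache lookup failed.
            return !getFieldsForIndex(index).isEmpty();
        }
    }

    /**
     * Decides whether reads of {@code field} in {@code index} are recorded in the compliance history.
     *
     * @param index concrete index name, may be {@code null}
     * @param field field name to check
     * @return {@code false} when auditing is disabled or the index is {@code null}; the
     *     internal-config flag for the security index; otherwise whether the field matches a
     *     watched field pattern of the index
     */
    public boolean readHistoryEnabledForField(String index, String field) {
        if (index == null || !isEnabled()) {
            return false;
        }
        if (this.opendistrosecurityIndex.equals(index)) {
            return this.logInternalConfig;
        }
        WildcardMatcher fieldMatcher;
        try {
            fieldMatcher = this.readEnabledFieldsCache.get(index);
        } catch (ExecutionException e) {
            log.warn("Failed to get index {} fields enabled for read from cache. Bypassing cache.", index, e);
            fieldMatcher = WildcardMatcher.from(getFieldsForIndex(index));
        }
        return fieldMatcher.test(field);
    }
}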
