package com.huawei.es.security.index;

import com.huawei.es.security.author.bean.OpType;
import com.huawei.es.security.author.bean.RolePermissionInfo;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.ssl.HwSecurityConstants;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceAlreadyExistsException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.bulk.BackoffPolicy;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.action.bulk.Retry;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.Requests;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.block.ClusterBlockException;
import org.elasticsearch.cluster.health.ClusterHealthStatus;
import org.elasticsearch.cluster.health.ClusterIndexHealth;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchHits;

/* loaded from: input_file:com/huawei/es/security/index/SecurityIndexManager.class */
public class SecurityIndexManager implements ClusterStateListener {
    private final Client client;
    private final ClusterService clusterService;
    private boolean securityIndexAvailable = false;
    private boolean isLocalMaster = false;
    private final List<IndexObserverBase> indexObserverList = new ArrayList();
    public static final String SECURITY_INDEX = ".security_info";
    public static final String SECURITY_INDEX_ALIASES = "security_info";
    private static final Logger logger = Loggers.getLogger(SecurityIndexManager.class, new String[]{"SecurityIndexManager"});
    private static final Map<String, String> ID2USER = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.huawei.es.security.index.SecurityIndexManager$4, reason: invalid class name */
    /* loaded from: input_file:com/huawei/es/security/index/SecurityIndexManager$4.class */
    public static /* synthetic */ class AnonymousClass4 {
        static final /* synthetic */ int[] $SwitchMap$com$huawei$es$security$index$SecurityIndexManager$IndexEvent;
        static final /* synthetic */ int[] $SwitchMap$com$huawei$es$security$author$bean$OpType = new int[OpType.values().length];

        static {
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.CREATE_TEMPLATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.CREATE_PIPELINE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.CREATE_TEMPLATE_SCRIPTS.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.SUBMIT_ROLLUP.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.DELETE.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.DELETE_TEMPLATE.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.DELETE_TEMPLATE_SCRIPTS.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.DELETE_PIPELINE.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$com$huawei$es$security$author$bean$OpType[OpType.DELETE_ROLLUP.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            $SwitchMap$com$huawei$es$security$index$SecurityIndexManager$IndexEvent = new int[IndexEvent.values().length];
            try {
                $SwitchMap$com$huawei$es$security$index$SecurityIndexManager$IndexEvent[IndexEvent.SECURITY_AVAILABLE.ordinal()] = 1;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$com$huawei$es$security$index$SecurityIndexManager$IndexEvent[IndexEvent.INDEX_COUNT_CHANGED.ordinal()] = 2;
            } catch (NoSuchFieldError e12) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/huawei/es/security/index/SecurityIndexManager$IndexEvent.class */
    public enum IndexEvent {
        SECURITY_AVAILABLE,
        INDEX_COUNT_CHANGED
    }

    public SecurityIndexManager(Client client, ClusterService clusterService) {
        this.client = client;
        this.clusterService = clusterService;
    }

    public void write2SecurityIndex(String str, Map<String, OpType> map) {
        try {
            write(str, map);
        } catch (Exception e) {
            logger.info("Write  to Security Index occur error {}, we ignore it, user:{}, optype:{}", e.getMessage(), str, map);
        }
    }

    public String getUser(String str, String str2) {
        String str3 = ID2USER.get(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str, str2));
        if (!StringUtils.isEmpty(str3)) {
            return str3;
        }
        handleCache(getHits(str2));
        return ID2USER.get(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str, str2));
    }

    public List<String> getNamesByType(String str) {
        handleCache(getHits(str));
        return (List) ID2USER.keySet().stream().filter(str2 -> {
            return str2.substring(str2.indexOf(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID) + 1).equals(str);
        }).map(str3 -> {
            return str3.substring(0, str3.indexOf(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID));
        }).collect(Collectors.toList());
    }

    public SearchHits getHits(String str) {
        try {
            return ((SearchResponse) this.client.prepareSearch(new String[]{SECURITY_INDEX_ALIASES}).setQuery(!StringUtils.isEmpty(str) ? QueryBuilders.termQuery(AuthorityConstants.SECURITY_INDEX_FIELD_TYPE, str) : QueryBuilders.matchAllQuery()).execute().actionGet()).getHits();
        } catch (IllegalStateException | ClusterBlockException e) {
            return SearchHits.empty();
        }
    }

    public List<RolePermissionInfo> searchHits2RolePermissionInfoList(SearchHits searchHits) {
        ArrayList arrayList = new ArrayList();
        if (searchHits.getHits().length > 0) {
            for (SearchHit searchHit : searchHits.getHits()) {
                String id = searchHit.getId();
                List emptyList = Collections.emptyList();
                if (searchHit.getSourceAsMap().containsKey(AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE) && (searchHit.getSourceAsMap().get(AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE) instanceof List)) {
                    emptyList = (List) searchHit.getSourceAsMap().get(AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE);
                }
                arrayList.add(new RolePermissionInfo(id, AuthorityConstants.TYPE_ROLE, emptyList));
            }
        }
        return arrayList;
    }

    public void registerIndexObserver(IndexObserverBase indexObserverBase) {
        this.indexObserverList.add(indexObserverBase);
    }

    public void removeIndexObserver(IndexObserverBase indexObserverBase) {
        this.indexObserverList.remove(indexObserverBase);
    }

    public void notifyIndexObservers(IndexEvent indexEvent) {
        switch (AnonymousClass4.$SwitchMap$com$huawei$es$security$index$SecurityIndexManager$IndexEvent[indexEvent.ordinal()]) {
            case HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT /* 1 */:
                Iterator<IndexObserverBase> it = this.indexObserverList.iterator();
                while (it.hasNext()) {
                    it.next().securityIndexAvailableNotify();
                }
                return;
            case AuthorityConstants.CODE_2XX_DIVIDE_BY_100 /* 2 */:
            default:
                return;
        }
    }

    private void initId2User() {
        SearchHits hits = getHits(AuthorityConstants.EMPYT_STRING);
        if (hits.getHits().length != 0) {
            hits.forEach(searchHit -> {
                if (AuthorityConstants.TYPE_ROLE.equals(searchHit.getSourceAsMap().get(AuthorityConstants.SECURITY_INDEX_FIELD_TYPE))) {
                    return;
                }
                ID2USER.put(searchHit.getId(), searchHit.getSourceAsMap().get("user").toString());
            });
        }
    }

    private void checkAndUpdateSecurityIndex(final ActionListener<AcknowledgedResponse> actionListener) {
        if (securityIndexExists()) {
            actionListener.onResponse((Object) null);
        } else {
            logger.info("The index .security_info does not exist ,go to create it.");
            this.client.admin().indices().create(getCreateIndexRequest(), new ActionListener<CreateIndexResponse>() { // from class: com.huawei.es.security.index.SecurityIndexManager.1
                public void onResponse(CreateIndexResponse createIndexResponse) {
                    actionListener.onResponse(createIndexResponse);
                }

                public void onFailure(Exception exc) {
                    if (ExceptionsHelper.unwrapCause(exc) instanceof ResourceAlreadyExistsException) {
                        actionListener.onResponse((Object) null);
                    } else {
                        actionListener.onFailure(exc);
                    }
                }
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public CreateIndexRequest getCreateIndexRequest() {
        return new CreateIndexRequest(SECURITY_INDEX).settings(Settings.builder().put("index.hidden", true).put("index.priority", "100").put("index.max_result_window", 100000).put("index.refresh_interval", "1s").build()).mapping("_doc", new Object[]{AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE, "type=keyword", "user", "type=keyword", AuthorityConstants.SECURITY_INDEX_FIELD_TYPE, "type=keyword"}).alias(new Alias(SECURITY_INDEX_ALIASES));
    }

    private boolean securityIndexExists() {
        return this.clusterService.state().routingTable().hasIndex(SECURITY_INDEX);
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        if (!clusterChangedEvent.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK) && clusterChangedEvent.metadataChanged()) {
            IndexMetadata indexMetadata = getIndexMetadata(clusterChangedEvent, SECURITY_INDEX);
            ClusterIndexHealth clusterIndexHealth = null;
            IndexMetadata.State state = null;
            if (indexMetadata != null) {
                clusterIndexHealth = new ClusterIndexHealth(indexMetadata, clusterChangedEvent.state().getRoutingTable().index(indexMetadata.getIndex()));
                state = indexMetadata.getState();
            }
            this.isLocalMaster = clusterChangedEvent.localNodeMaster();
            updateSecurityIndexState(clusterIndexHealth, state, this.isLocalMaster);
        }
    }

    private void write(final String str, final Map<String, OpType> map) {
        if (this.isLocalMaster || map.containsKey(SECURITY_INDEX)) {
            return;
        }
        createSecurityIndexIfNeeded();
        BulkRequest bulkRequest = new BulkRequest();
        buildBulkItems(str, map, bulkRequest);
        if (!this.securityIndexAvailable) {
            logger.error("Security index is not available. current bulk request:{}", bulkRequest.requests());
            return;
        }
        Retry retry = new Retry(BackoffPolicy.constantBackoff(TimeValue.timeValueMillis(100L), 3), this.client.threadPool());
        Client client = this.client;
        Objects.requireNonNull(client);
        retry.withBackoff(client::bulk, bulkRequest, new ActionListener<BulkResponse>() { // from class: com.huawei.es.security.index.SecurityIndexManager.2
            public void onResponse(BulkResponse bulkResponse) {
                if (bulkResponse.hasFailures()) {
                    SecurityIndexManager.logger.warn("Update index security info contains some failures: {}", bulkResponse.buildFailureMessage());
                } else {
                    SecurityIndexManager.this.handleCache(map, str);
                }
            }

            public void onFailure(Exception exc) {
                SecurityIndexManager.logger.error("Failed to update index security info : {}", exc.getMessage());
            }
        });
    }

    private void createSecurityIndexIfNeeded() {
        checkAndUpdateSecurityIndex(new ActionListener<AcknowledgedResponse>() { // from class: com.huawei.es.security.index.SecurityIndexManager.3
            public void onResponse(AcknowledgedResponse acknowledgedResponse) {
                if (acknowledgedResponse != null) {
                    if (acknowledgedResponse.isAcknowledged()) {
                        SecurityIndexManager.logger.info("Successful create ：{} ", SecurityIndexManager.SECURITY_INDEX);
                        SecurityIndexManager.this.securityIndexAvailable = true;
                    } else {
                        SecurityIndexManager.logger.warn("Failed to create ：{} ", SecurityIndexManager.SECURITY_INDEX);
                        SecurityIndexManager.this.client.admin().indices().create(SecurityIndexManager.this.getCreateIndexRequest()).actionGet();
                    }
                }
            }

            public void onFailure(Exception exc) {
                SecurityIndexManager.logger.error("Failed to create ：{} , because :{}", SecurityIndexManager.SECURITY_INDEX, exc.getCause());
            }
        });
    }

    private void buildBulkItems(String str, Map<String, OpType> map, BulkRequest bulkRequest) {
        map.forEach((str2, opType) -> {
            switch (AnonymousClass4.$SwitchMap$com$huawei$es$security$author$bean$OpType[opType.ordinal()]) {
                case HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT /* 1 */:
                    buildAddDocRequest(str, bulkRequest, str2, "index");
                    return;
                case AuthorityConstants.CODE_2XX_DIVIDE_BY_100 /* 2 */:
                    buildAddDocRequest(str, bulkRequest, str2, AuthorityConstants.TYPE_TEMPLATE);
                    return;
                case 3:
                    buildAddDocRequest(str, bulkRequest, str2, AuthorityConstants.TYPE_PIPELINE);
                    return;
                case AuthorityConstants.ERROR4XX_DIVIDE_BY_100 /* 4 */:
                    buildAddDocRequest(str, bulkRequest, str2, AuthorityConstants.TYPE_SCRIPTS);
                    return;
                case AuthorityConstants.ERROR_5XX_DIVIDE_BY_100 /* 5 */:
                    buildAddDocRequest(str, bulkRequest, str2, AuthorityConstants.TYPE_ROLLUP);
                    return;
                case 6:
                    buildDeleteDocRequest(bulkRequest, str2, "index");
                    buildDeleteRoleDocRequest(bulkRequest, str2);
                    return;
                case 7:
                    buildDeleteDocRequest(bulkRequest, str2, AuthorityConstants.TYPE_TEMPLATE);
                    return;
                case 8:
                    buildDeleteDocRequest(bulkRequest, str2, AuthorityConstants.TYPE_SCRIPTS);
                    return;
                case 9:
                    buildDeleteDocRequest(bulkRequest, str2, AuthorityConstants.TYPE_PIPELINE);
                    return;
                case 10:
                    buildDeleteDocRequest(bulkRequest, str2, AuthorityConstants.TYPE_ROLLUP);
                    return;
                default:
                    return;
            }
        });
    }

    private void buildAddDocRequest(String str, BulkRequest bulkRequest, String str2, String str3) {
        bulkRequest.add(new IndexRequest(SECURITY_INDEX).opType(DocWriteRequest.OpType.INDEX).id(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, str3)).source(Requests.INDEX_CONTENT_TYPE, new Object[]{"user", str, AuthorityConstants.SECURITY_INDEX_FIELD_TYPE, str3, AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE, str2}));
    }

    private void buildDeleteDocRequest(BulkRequest bulkRequest, String str, String str2) {
        bulkRequest.add(new DeleteRequest(SECURITY_INDEX).id(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str, str2)));
    }

    private void buildDeleteRoleDocRequest(BulkRequest bulkRequest, String str) {
        for (RolePermissionInfo rolePermissionInfo : searchHits2RolePermissionInfoList(getRolePermission(str))) {
            String docId = rolePermissionInfo.getDocId();
            List<String> permissionList = rolePermissionInfo.getPermissionList();
            if (permissionList != null && !permissionList.isEmpty()) {
                String join = String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str);
                bulkRequest.add(new IndexRequest(SECURITY_INDEX).opType(DocWriteRequest.OpType.INDEX).id(docId).source(Requests.INDEX_CONTENT_TYPE, new Object[]{AuthorityConstants.SECURITY_INDEX_FIELD_TYPE, AuthorityConstants.TYPE_ROLE, AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE, permissionList.stream().filter(str2 -> {
                    return !str2.startsWith(join);
                }).collect(Collectors.toList())}));
            }
        }
    }

    private SearchHits getRolePermission(String str) {
        try {
            BoolQueryBuilder boolQuery = QueryBuilders.boolQuery();
            boolQuery.must(QueryBuilders.prefixQuery(AuthorityConstants.SECURITY_INDEX_FIELD_SOURCE, String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str)));
            boolQuery.must(QueryBuilders.termQuery(AuthorityConstants.SECURITY_INDEX_FIELD_TYPE, AuthorityConstants.TYPE_ROLE));
            return ((SearchResponse) this.client.prepareSearch(new String[]{SECURITY_INDEX}).setQuery(boolQuery).execute().actionGet()).getHits();
        } catch (IllegalStateException | ClusterBlockException e) {
            logger.error("Fail to query role permission which contain {}.", str);
            return SearchHits.empty();
        }
    }

    private void handleCache(SearchHits searchHits) {
        if (searchHits.getHits().length != 0) {
            searchHits.forEach(searchHit -> {
                ID2USER.put(searchHit.getId(), searchHit.getSourceAsMap().get("user").toString());
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleCache(Map<String, OpType> map, String str) {
        map.forEach((str2, opType) -> {
            switch (AnonymousClass4.$SwitchMap$com$huawei$es$security$author$bean$OpType[opType.ordinal()]) {
                case HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT /* 1 */:
                    ID2USER.put(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, "index"), str);
                    return;
                case AuthorityConstants.CODE_2XX_DIVIDE_BY_100 /* 2 */:
                    ID2USER.put(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_TEMPLATE), str);
                    return;
                case 3:
                    ID2USER.put(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_PIPELINE), str);
                    return;
                case AuthorityConstants.ERROR4XX_DIVIDE_BY_100 /* 4 */:
                    ID2USER.put(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_SCRIPTS), str);
                    return;
                case AuthorityConstants.ERROR_5XX_DIVIDE_BY_100 /* 5 */:
                    ID2USER.put(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_ROLLUP), str);
                    return;
                case 6:
                    ID2USER.remove(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, "index"));
                    return;
                case 7:
                    ID2USER.remove(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_TEMPLATE));
                    return;
                case 8:
                    ID2USER.remove(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_SCRIPTS));
                    return;
                case 9:
                    ID2USER.remove(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_PIPELINE));
                    return;
                case 10:
                    ID2USER.remove(String.join(AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID, str2, AuthorityConstants.TYPE_ROLLUP));
                    return;
                default:
                    return;
            }
        });
    }

    private IndexMetadata getIndexMetadata(ClusterChangedEvent clusterChangedEvent, String str) {
        IndexAbstraction indexAbstraction = (IndexAbstraction) clusterChangedEvent.state().metadata().getIndicesLookup().get(str);
        if (indexAbstraction == null) {
            return null;
        }
        return (IndexMetadata) indexAbstraction.getIndices().get(0);
    }

    private void updateSecurityIndexState(ClusterIndexHealth clusterIndexHealth, IndexMetadata.State state, boolean z) {
        if (clusterIndexHealth == null || state == null) {
            if (z) {
                logger.info("On cluster changed, .security_info does not exist, go to create it.");
                createSecurityIndexIfNeeded();
                return;
            }
            return;
        }
        if (IndexMetadata.State.CLOSE == state) {
            this.securityIndexAvailable = false;
            return;
        }
        boolean z2 = this.securityIndexAvailable;
        this.securityIndexAvailable = ClusterHealthStatus.RED != clusterIndexHealth.getStatus();
        if (z2 || !this.securityIndexAvailable) {
            return;
        }
        initId2User();
        notifyIndexObservers(IndexEvent.SECURITY_AVAILABLE);
    }
}
