package com.huawei.es.security.author.tool;

import com.google.common.collect.Sets;
import com.huawei.es.security.author.bean.AuthorizationException;
import com.huawei.es.security.author.bean.IndexOwner;
import com.huawei.es.security.author.bean.IndicesPermission;
import com.huawei.es.security.author.cache.GroupMappingCache;
import com.huawei.es.security.author.cache.IndexOwnerCache;
import com.huawei.es.security.author.cache.PermissionMappingCache;
import com.huawei.es.security.author.cache.PipelineOwnerCache;
import com.huawei.es.security.author.cache.RollupOwnerCache;
import com.huawei.es.security.author.cache.ScriptOwnerCache;
import com.huawei.es.security.author.cache.TemplateOwnerCache;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/huawei/es/security/author/tool/PermissionChecker.class */
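/**
 * Per-request authorization checker for one authenticated user.
 *
 * <p>An instance resolves the user's group membership once (via {@link GroupMappingCache}) and
 * then answers ownership and index-permission questions against the static owner caches and
 * {@link PermissionMappingCache}. Every {@code check*} method either returns normally (allowed)
 * or throws {@link AuthorizationException} (denied).
 *
 * <p>Short-circuits shared by most checks: a super user passes every check; a {@code null}
 * resource name is treated as "nothing to check" and passes; index names listed in
 * {@link #systemIndex} pass the index-level checks. Callers therefore must not rely on a
 * {@code null} name to gate access to a real resource.
 *
 * <p>Denial messages echo the caller's own user name and, for some checks, the caller's own
 * group list.
 *
 * <p>Instances are immutable once constructed; all mutable state lives in the static caches.
 */
public class PermissionChecker {
    private static final Logger LOGGER = LogManager.getLogger(PermissionChecker.class);
    private static final GroupMappingCache GROUP_MAPPING_CACHE = new GroupMappingCache();

    /** True when the user name equals the super-user name or one of the user's groups is a super group. */
    private final boolean isSuper;
    private final String user;
    /** Unmodifiable snapshot of the user's groups, taken once at construction time. */
    private final Set<String> groups;
    /** Index names exempt from index-level checks; immutable so the exemption list cannot grow at runtime. */
    private final Set<String> systemIndex = Collections.singleton(".tasks");

    /**
     * Builds a checker for {@code user}.
     *
     * @param superUser name whose exact match with {@code user} grants super status (presumably the
     *     configured super-user name; confirm against callers). Must be non-null.
     * @param user the authenticated user name whose groups are looked up
     */
    public PermissionChecker(String superUser, String user) {
        this.user = user;
        // Defensive copy: the cache's own collection must not be aliased by this immutable snapshot.
        this.groups = Collections.unmodifiableSet(new HashSet<>(GROUP_MAPPING_CACHE.getGroups(user)));
        // Exact, case-sensitive match against the super-user name; group-based super status is
        // evaluated only when the name does not match.
        this.isSuper = superUser.equals(user) || isSuperGroup(this.groups);
    }

    /** @return the authenticated user name this checker was built for */
    public String getUser() {
        return this.user;
    }

    /** @return whether the user bypasses every check (see the constructor) */
    public boolean isSuper() {
        return this.isSuper;
    }

    /**
     * @param group a group name
     * @return whether the user was a member of {@code group} when this checker was constructed
     */
    public boolean containerGroup(String group) {
        return this.groups.contains(group);
    }

    /**
     * Checks {@code indexPermission} on every index in {@code indices}, stopping at the first denial.
     *
     * @throws AuthorizationException for the first index that fails {@link #checkPermission(String, IndicesPermission.IndexPermission)}
     */
    public void checkPermission(Set<String> indices, IndicesPermission.IndexPermission indexPermission) throws AuthorizationException {
        for (String index : indices) {
            checkPermission(index, indexPermission);
        }
    }

    /**
     * Like {@link #checkPermission(String, IndicesPermission.IndexPermission)}, but a denial is
     * swallowed when the index has no recorded owner and the user is in
     * {@link AuthorityConstants#ES_GROUP_DEFAULT} (presumably so that default-group users can
     * write to, i.e. create, an index that is not yet registered; confirm against callers).
     * Any other denial propagates unchanged.
     *
     * @throws AuthorizationException when the permission check fails and the exemption above does not apply
     */
    public void checkPermissionForWriteAction(String index, IndicesPermission.IndexPermission indexPermission) throws AuthorizationException {
        try {
            checkPermission(index, indexPermission);
        } catch (AuthorizationException e) {
            if (null != IndexOwnerCache.getOwner(index) || !containerGroup(AuthorityConstants.ES_GROUP_DEFAULT)) {
                throw e;
            }
        }
    }

    /**
     * Checks that the user may perform {@code indexPermission} on {@code index}.
     *
     * <p>Allowed when the name is {@code null}, the index is a system index, the user is super,
     * the user owns the index (see {@link #checkOwner(IndexOwner)}), or one of the user's groups
     * holds a permission on that exact index name that implies {@code indexPermission}.
     *
     * @throws AuthorizationException otherwise; the message names the index owner ("NA" when none is recorded)
     */
    public void checkPermission(String index, IndicesPermission.IndexPermission indexPermission) throws AuthorizationException {
        if (null == index || this.systemIndex.contains(index) || this.isSuper) {
            return;
        }
        IndexOwner owner = IndexOwnerCache.getOwner(index);
        // Owner check first: it is the cheaper path and logs the owner mismatch when it fails.
        if (checkOwner(owner) || checkGroup(index, indexPermission)) {
            return;
        }
        throw new AuthorizationException("permission information for user [" + this.user + "] is exception, index [" + index + "] ,this index owner is [" + (null == owner ? "NA" : owner.getUser()) + "], your group is [" + this.groups + "]");
    }

    /**
     * Checks that the user owns template {@code template} (or is super, or the name is {@code null}).
     *
     * @throws AuthorizationException when the user is not the recorded owner
     */
    public void checkTemplateOwnerPrivilege(String template) throws AuthorizationException {
        if (null != template && !this.isSuper && !checkTemplateOwner(template)) {
            throw new AuthorizationException("permission denied for template [" + template + "] but user [" + this.user + "]");
        }
    }

    /** Applies {@link #checkTemplateOwnerPrivilege(String)} to every template, stopping at the first denial. */
    public void checkTemplateOwnerPrivilege(Set<String> templates) throws AuthorizationException {
        for (String template : templates) {
            checkTemplateOwnerPrivilege(template);
        }
    }

    /**
     * Checks that the user owns script {@code script} (or is super, or the name is {@code null}).
     *
     * @throws AuthorizationException when the user is not the recorded owner
     */
    public void checkScriptOwnerPrivilege(String script) throws AuthorizationException {
        if (null != script && !this.isSuper && !checkScriptOwner(script)) {
            throw new AuthorizationException("permission denied for script [" + script + "] but user [" + this.user + "]");
        }
    }

    /** Applies {@link #checkScriptOwnerPrivilege(String)} to every script, stopping at the first denial. */
    public void checkScriptOwnerPrivilege(Set<String> scripts) throws AuthorizationException {
        for (String script : scripts) {
            checkScriptOwnerPrivilege(script);
        }
    }

    /**
     * Checks that the user owns pipeline {@code pipeline} (or is super, or the name is {@code null}).
     *
     * @throws AuthorizationException when the user is not the recorded owner
     */
    public void checkPipelineOwnerPrivilege(String pipeline) throws AuthorizationException {
        if (null != pipeline && !this.isSuper && !checkPipelineOwner(pipeline)) {
            throw new AuthorizationException("permission denied for pipeline [" + pipeline + "] but user [" + this.user + "]");
        }
    }

    /** Applies {@link #checkPipelineOwnerPrivilege(String)} to every pipeline, stopping at the first denial. */
    public void checkPipelineOwnerPrivilege(Set<String> pipelines) throws AuthorizationException {
        for (String pipeline : pipelines) {
            checkPipelineOwnerPrivilege(pipeline);
        }
    }

    /**
     * Checks access to rollup job {@code rollupJob}.
     *
     * <p>Allowed when the name is {@code null}, the user is super, the user owns the job, or
     * (fallback) {@link #checkAccessPrivilege()} passes. The fallback's denial is replaced by a
     * rollup-specific message.
     *
     * @throws AuthorizationException when neither ownership nor the access-privilege fallback grants access
     */
    public void checkRollupOwnerPrivilege(String rollupJob) throws AuthorizationException {
        if (null == rollupJob || this.isSuper || checkRollupOwner(rollupJob)) {
            return;
        }
        try {
            checkAccessPrivilege();
        } catch (AuthorizationException ignored) {
            // The generic access-denied message is replaced with one naming the rollup job;
            // the original is not chained because its message is fully subsumed here.
            throw new AuthorizationException("permission denied for user [" + this.user + "], rollup job[" + rollupJob + "], you are belong to [" + this.groups + "] , but this request needs at least in [" + AuthorityConstants.ES_GROUP_DEFAULT + "] group.");
        }
    }

    /** @return whether the user owns {@code template}; a missing owner record is logged and denied */
    private boolean checkTemplateOwner(String template) {
        IndexOwner owner = TemplateOwnerCache.getOwner(template);
        if (null == owner) {
            LOGGER.warn("Failed to check template {} owner.", template);
            return false;
        }
        return checkOwner(owner);
    }

    /** @return whether the user owns {@code script}; a missing owner record is logged and denied */
    private boolean checkScriptOwner(String script) {
        IndexOwner owner = ScriptOwnerCache.getOwner(script);
        if (null == owner) {
            LOGGER.warn("Failed to check script {} owner.", script);
            return false;
        }
        return checkOwner(owner);
    }

    /** @return whether the user owns {@code pipeline}; a missing owner record is logged and denied */
    private boolean checkPipelineOwner(String pipeline) {
        IndexOwner owner = PipelineOwnerCache.getOwner(pipeline);
        if (null == owner) {
            LOGGER.warn("Failed to check pipeline {} owner.", pipeline);
            return false;
        }
        return checkOwner(owner);
    }

    /** @return whether the user owns {@code rollupJob}; a missing owner record is logged and denied */
    private boolean checkRollupOwner(String rollupJob) {
        IndexOwner owner = RollupOwnerCache.getOwner(rollupJob);
        if (null == owner) {
            LOGGER.warn("Failed to check rollup job {} owner.", rollupJob);
            return false;
        }
        return checkOwner(owner);
    }

    /**
     * Checks that the user has any access to {@code index}.
     *
     * <p>Allowed when the name is {@code null}, the index is a system index, the user is super,
     * the user is in {@link AuthorityConstants#ES_GROUP_DEFAULT} (membership alone suffices here,
     * regardless of the index), or a group grants WRITE or READ on that exact index name. This is
     * broader than {@link #checkIndexJustWriteOrReadPrivilege(String)}, which requires ownership
     * or an explicit grant.
     *
     * @throws AuthorizationException otherwise
     */
    public void checkIndexWriteOrReadPrivilege(String index) throws AuthorizationException {
        if (null != index && !this.systemIndex.contains(index) && !this.isSuper && !containerGroup(AuthorityConstants.ES_GROUP_DEFAULT) && !checkGroup(index, IndicesPermission.IndexPermission.WRITE) && !checkGroup(index, IndicesPermission.IndexPermission.READ)) {
            throw new AuthorizationException("permission denied for user [" + this.user + "], index [" + index + "]");
        }
    }

    /** Applies {@link #checkIndexWriteOrReadPrivilege(String)} to every index, stopping at the first denial. */
    public void checkIndexWriteOrReadPrivilege(Set<String> indices) throws AuthorizationException {
        for (String index : indices) {
            checkIndexWriteOrReadPrivilege(index);
        }
    }

    /**
     * Checks that the user owns {@code index} or holds a WRITE or READ grant on it.
     *
     * <p>Allowed when the name is {@code null}, the index is a system index, the user is super,
     * the user owns the index, or a group grants WRITE or READ on that exact index name.
     *
     * @throws AuthorizationException otherwise
     */
    public void checkIndexJustWriteOrReadPrivilege(String index) throws AuthorizationException {
        if (null != index && !this.systemIndex.contains(index) && !this.isSuper && !checkOwner(index) && !checkGroup(index, IndicesPermission.IndexPermission.WRITE) && !checkGroup(index, IndicesPermission.IndexPermission.READ)) {
            throw new AuthorizationException("permission denied for user [" + this.user + "], index [" + index + "]");
        }
    }

    /** Applies {@link #checkIndexJustWriteOrReadPrivilege(String)} to every index, stopping at the first denial. */
    public void checkIndexJustWriteOrReadPrivilege(Set<String> indices) throws AuthorizationException {
        for (String index : indices) {
            checkIndexJustWriteOrReadPrivilege(index);
        }
    }

    /**
     * Checks that the user owns {@code index}; group grants do not count here.
     *
     * <p>Allowed when the name is {@code null}, the index is a system index, the user is super,
     * or {@link #checkOwner(String)} passes.
     *
     * @throws AuthorizationException otherwise
     */
    public void checkIndexOwnerPrivilege(String index) throws AuthorizationException {
        if (null != index && !this.systemIndex.contains(index) && !this.isSuper && !checkOwner(index)) {
            throw new AuthorizationException("permission denied for user [" + this.user + "], index [" + index + "]");
        }
    }

    /** Applies {@link #checkIndexOwnerPrivilege(String)} to every index, stopping at the first denial. */
    public void checkIndexOwnerPrivilege(Set<String> indices) throws AuthorizationException {
        for (String index : indices) {
            checkIndexOwnerPrivilege(index);
        }
    }

    /**
     * Checks that the user is super or belongs to {@link AuthorityConstants#ES_GROUP_DEFAULT} or
     * {@link AuthorityConstants#ES_SUPERGROUP_DEFAULT}.
     *
     * @throws AuthorizationException otherwise; the message lists the user's groups
     */
    public void checkAccessPrivilege() throws AuthorizationException {
        if (!this.isSuper && !containerGroup(AuthorityConstants.ES_GROUP_DEFAULT) && !containerGroup(AuthorityConstants.ES_SUPERGROUP_DEFAULT)) {
            throw new AuthorizationException("permission denied for user [" + this.user + "] , you are belong to [" + this.groups + "] , but this request needs at least in [" + AuthorityConstants.ES_GROUP_DEFAULT + "] group.");
        }
    }

    /**
     * Checks that the user is super.
     *
     * @throws AuthorizationException when {@link #isSuper()} is false
     */
    public void checkSuperPrivilege() throws AuthorizationException {
        if (!this.isSuper) {
            throw new AuthorizationException("permission denied for user [" + this.user + "] , this request needs super group.");
        }
    }

    /**
     * Returns whether any of the user's groups holds a permission on {@code index} that implies
     * {@code indexPermission}.
     *
     * <p>Matching is by exact index name ({@code equals}); permission entries whose index is a
     * pattern rather than this exact name do not match here. A present-but-insufficient grant is
     * logged at INFO and the search continues with the next entry.
     */
    private boolean checkGroup(String index, IndicesPermission.IndexPermission indexPermission) {
        for (String group : this.groups) {
            List<IndicesPermission> grants = PermissionMappingCache.getIndexPermission(group);
            LOGGER.debug("Index:{},group:{},permissionList:{}", index, group, grants);
            if (null == grants) {
                continue;
            }
            for (IndicesPermission grant : grants) {
                if (!index.equals(grant.getIndex())) {
                    continue;
                }
                IndicesPermission.IndexPermission granted = grant.getIndexPermission();
                if (granted.implies(indexPermission)) {
                    return true;
                }
                LOGGER.info("Index:{},group:{},indexPermission:{},need permission:{}", index, group, granted, indexPermission);
            }
        }
        return false;
    }

    /** @return {@link #checkOwner(IndexOwner)} applied to the cached owner record of {@code index} */
    private boolean checkOwner(String index) {
        return checkOwner(IndexOwnerCache.getOwner(index));
    }

    /**
     * Returns whether {@code indexOwner} names the current user and the user is in
     * {@link AuthorityConstants#ES_GROUP_DEFAULT}.
     *
     * <p>A {@code null} record is logged at WARN and denied (no owner never means "anyone");
     * a mismatch is logged via {@link #loggerIndexInfo(IndexOwner)} and denied.
     */
    private boolean checkOwner(IndexOwner indexOwner) {
        if (null == indexOwner) {
            LOGGER.warn("Get a wrong index owner, the index owner was null.");
            return false;
        }
        if (this.user.equals(indexOwner.getUser()) && containerGroup(AuthorityConstants.ES_GROUP_DEFAULT)) {
            return true;
        }
        loggerIndexInfo(indexOwner);
        return false;
    }

    /** Logs, at INFO, why an ownership check against {@code indexOwner} did not pass for this user. */
    private void loggerIndexInfo(IndexOwner indexOwner) {
        LOGGER.info("Index owner for [{}] is [{}],current user is [{}].The default es group is[{}],current is in the default es group[{}].", indexOwner.getIndex(), indexOwner.getUser(), this.user, AuthorityConstants.ES_GROUP_DEFAULT, containerGroup(AuthorityConstants.ES_GROUP_DEFAULT));
    }

    /**
     * Returns whether {@code groups} contains a super group.
     *
     * <p>A group is super when it is {@link AuthorityConstants#ES_SUPERGROUP_DEFAULT} (exact match),
     * {@link AuthorityConstants#ADMIN_GROUP_NAME} (case-insensitive), or its permission mapping has
     * an entry whose index is {@link AuthorityConstants#PATTERN_STAR}. Note that the last rule makes
     * a wildcard index grant equivalent to super status for every member of that group.
     */
    protected static boolean isSuperGroup(Set<String> groups) {
        for (String group : groups) {
            if (AuthorityConstants.ES_SUPERGROUP_DEFAULT.equals(group) || AuthorityConstants.ADMIN_GROUP_NAME.equalsIgnoreCase(group)) {
                return true;
            }
            List<IndicesPermission> grants = PermissionMappingCache.getIndexPermission(group);
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("List the group and index, group:{}, index permission:{}", group, grants);
            }
            if (null == grants) {
                continue;
            }
            for (IndicesPermission grant : grants) {
                if (AuthorityConstants.PATTERN_STAR.equals(grant.getIndex())) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks READ access to {@code index}, requiring super status when the name is classified by
     * {@link Alias2IndexTurner#isHitAll(String)} (presumably an "all indices" expression; confirm
     * against that helper) and an ordinary READ permission check otherwise.
     *
     * @throws AuthorizationException when the applicable check fails
     */
    public void checkReadIndexPermission(String index) throws AuthorizationException {
        if (Alias2IndexTurner.isHitAll(index)) {
            checkSuperPrivilege();
        } else {
            checkPermission(index, IndicesPermission.IndexPermission.READ);
        }
    }
}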
