package org.elasticsearch.xpack.security.authc.support;

import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.LDAPSDKUsageException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.automaton.CharacterRunAutomaton;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.ExpressionModel;
import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.FieldExpression;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/UserRoleMapper.class */
public interface UserRoleMapper {

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/UserRoleMapper$DistinguishedNamePredicate.class */
    /**
     * Predicate that decides whether the value of a role-mapping rule matches one distinguished name (DN).
     *
     * <p>The comparison is intentionally lenient, because the same DN can be written in several ways:
     * <ul>
     *   <li>plain strings are compared case-insensitively;</li>
     *   <li>when both sides parse as DNs they are compared with {@link DN#equals(Object)};</li>
     *   <li>wildcard rules (those that carry an automaton) are tried against the raw string, the normalized
     *       DN, and the lower-case and upper-case forms of the raw string;</li>
     *   <li>a rule of the form {@code *,<suffix>} with no further wildcard is treated as a sub-tree test.</li>
     * </ul>
     *
     * <p>Security note: the result of this predicate feeds role assignment, so the leniency matters to rule
     * authors. A user DN that fails to parse is never normalized; it can only match a rule through the
     * string comparisons, and never through the sub-tree test.
     */
    public static class DistinguishedNamePredicate implements Predicate<FieldExpression.FieldValue> {
        private static final Logger LOGGER = LogManager.getLogger(DistinguishedNamePredicate.class);

        /** The DN exactly as it was handed to the constructor. */
        private final String string;

        /** Parsed form of {@link #string}; {@code null} when the string is not a syntactically valid DN. */
        private final DN dn;

        /**
         * @param str the user's DN (or group DN); must not be {@code null}, which is only enforced when
         *            assertions are enabled
         */
        public DistinguishedNamePredicate(String str) {
            assert str != null : "DN string should not be null. Use the dedicated NULL_PREDICATE for every user null field.";
            this.string = str;
            this.dn = parseDn(str);
        }

        /**
         * Parses {@code str} as a DN.
         *
         * @return the parsed DN, or {@code null} if the LDAP SDK rejects the string
         */
        private static DN parseDn(String str) {
            DN parsed = null;
            try {
                parsed = new DN(str);
            } catch (LDAPException | LDAPSDKUsageException e) {
                // A parse failure is an expected outcome (not every value is a DN), so it is only
                // reported at trace level. Note that the raw value is written to the log at that level.
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace(new ParameterizedMessage("failed to parse [{}] as a DN", str), e);
                }
            }
            return parsed;
        }

        /** Returns the DN string exactly as supplied to the constructor. */
        @Override
        public String toString() {
            return this.string;
        }

        /**
         * Tests a rule value against this DN.
         *
         * @param fieldValue the value taken from a role-mapping rule; when it has an automaton it is
         *                   handled as a wildcard pattern, otherwise as a literal
         * @return {@code true} if the rule value matches this DN under the lenient rules described on the class
         */
        @Override // java.util.function.Predicate
        public boolean test(FieldExpression.FieldValue fieldValue) {
            final CharacterRunAutomaton wildcard = fieldValue.getAutomaton();
            if (wildcard != null) {
                return matchesPattern(fieldValue, wildcard);
            }
            final Object literal = fieldValue.getValue();
            if (literal instanceof String) {
                return matchesLiteral((String) literal);
            }
            // Non-string literals (numbers, booleans, null) can never equal a DN.
            return false;
        }

        /** Literal (non-wildcard) comparison: case-insensitive string match first, then DN-aware match. */
        private boolean matchesLiteral(String candidate) {
            if (candidate.equalsIgnoreCase(this.string)) {
                return true;
            }
            if (this.dn == null) {
                // Our own value is not a DN, so there is nothing to normalize against.
                return false;
            }
            final DN candidateDn = parseDn(candidate);
            if (candidateDn == null) {
                // The rule value is not a DN; give it one more chance against our normalized form.
                return candidate.equalsIgnoreCase(this.dn.toNormalizedString());
            }
            return this.dn.equals(candidateDn);
        }

        /** Wildcard comparison: try every textual form of this DN, then the {@code *,<suffix>} sub-tree rule. */
        private boolean matchesPattern(FieldExpression.FieldValue fieldValue, CharacterRunAutomaton wildcard) {
            if (wildcard.run(this.string)) {
                return true;
            }
            if (this.dn != null && wildcard.run(this.dn.toNormalizedString())) {
                return true;
            }
            if (wildcard.run(this.string.toLowerCase(Locale.ROOT)) || wildcard.run(this.string.toUpperCase(Locale.ROOT))) {
                return true;
            }
            if (this.dn == null) {
                return false;
            }

            assert fieldValue.getValue() instanceof String : "FieldValue " + fieldValue + " has automaton but value is "
                + (fieldValue.getValue() == null ? "<null>" : fieldValue.getValue().getClass());
            final String pattern = (String) fieldValue.getValue();

            // "*,dc=example,dc=com" expresses "anything below this suffix"; answer it with a real DN
            // ancestry check instead of text matching.
            if (pattern.startsWith("*,") == false) {
                return false;
            }
            final String suffix = pattern.substring(2);
            if (suffix.indexOf('*') != -1) {
                // A second wildcard means this is not a pure sub-tree pattern.
                return false;
            }
            final DN ancestor = parseDn(suffix);
            // allowEquals is false: an entry whose DN is the suffix itself is not treated as a descendant.
            return ancestor != null && this.dn.isDescendantOf(ancestor, false);
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/UserRoleMapper$UserData.class */
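    /**
     * Snapshot of the attributes of a user that role-mapping rules are evaluated against: username,
     * optional DN, group names, realm-supplied metadata and the realm configuration.
     *
     * <p>Both {@code groups} and {@code metadata} are copied at construction time and exposed only through
     * unmodifiable views, so the data that role mapping sees cannot be altered afterwards through a
     * reference the caller kept. The copies are shallow: mutable objects stored as metadata values are
     * still shared with the caller.
     */
    public static class UserData {
        private final String username;

        @Nullable
        private final String dn;
        private final Set<String> groups;
        private final Map<String, Object> metadata;
        private final RealmConfig realm;

        /**
         * @param str         the username
         * @param str2        the user's DN, or {@code null} if the realm has none
         * @param collection  the user's groups; {@code null} or empty is stored as an empty set
         * @param map         the user's metadata; {@code null} or empty is stored as an empty map
         * @param realmConfig configuration of the authenticating realm; {@link #asModel()} and
         *                    {@link #toString()} dereference it, so it must not be {@code null} when
         *                    those are used
         */
        public UserData(String str, @Nullable String str2, Collection<String> collection, Map<String, Object> map, RealmConfig realmConfig) {
            this.username = str;
            this.dn = str2;
            if (collection == null || collection.isEmpty()) {
                this.groups = Collections.emptySet();
            } else {
                this.groups = Collections.unmodifiableSet(new HashSet<>(collection));
            }
            if (map == null || map.isEmpty()) {
                this.metadata = Collections.emptyMap();
            } else {
                // Copy before wrapping: unmodifiableMap alone is only a view, so later changes to the
                // caller's map would otherwise show up in the fields used for role mapping.
                // LinkedHashMap keeps the iteration order the source map had at this moment.
                this.metadata = Collections.unmodifiableMap(new LinkedHashMap<>(map));
            }
            this.realm = realmConfig;
        }

        /**
         * Builds the expression model that role-mapping rules are evaluated against.
         *
         * <p>Fields defined: {@code username}, {@code dn} (only when present), {@code groups},
         * one {@code metadata.<key>} field per metadata entry, and {@code realm.name}. The {@code dn} and
         * {@code groups} fields are matched with {@link DistinguishedNamePredicate}, so they get the
         * case-insensitive and DN-normalizing comparison rather than plain equality.
         *
         * @return a new model populated from this user data
         */
        public ExpressionModel asModel() {
            final ExpressionModel model = new ExpressionModel();
            model.defineField("username", this.username);
            if (this.dn != null) {
                model.defineField("dn", this.dn, new DistinguishedNamePredicate(this.dn));
            }
            // A rule matches "groups" if it matches any single group; with no (non-null) groups the
            // predicate rejects everything.
            final Predicate<FieldExpression.FieldValue> anyGroupMatches = this.groups.stream()
                .filter(group -> group != null)
                .<Predicate<FieldExpression.FieldValue>>map(DistinguishedNamePredicate::new)
                .reduce(Predicate::or)
                .orElse(fieldValue -> false);
            model.defineField("groups", this.groups, anyGroupMatches);
            this.metadata.forEach((key, value) -> model.defineField("metadata." + key, value));
            model.defineField("realm.name", this.realm.name());
            return model;
        }

        /**
         * Renders every field, including all group names and metadata values. Callers that log this
         * object therefore log whatever the realm placed in the metadata.
         */
        @Override
        public String toString() {
            return "UserData{username:" + this.username + "; dn:" + this.dn + "; groups:" + this.groups + "; metadata:" + this.metadata + "; realm=" + this.realm.name() + '}';
        }

        /** @return the username */
        public String getUsername() {
            return this.username;
        }

        /** @return the user's DN, or {@code null} if none was supplied */
        @Nullable
        public String getDn() {
            return this.dn;
        }

        /** @return an unmodifiable set of the user's groups; never {@code null} */
        public Set<String> getGroups() {
            return this.groups;
        }

        /** @return an unmodifiable map of the user's metadata; never {@code null} */
        public Map<String, Object> getMetadata() {
            return this.metadata;
        }

        /** @return the configuration of the realm supplied at construction */
        public RealmConfig getRealm() {
            return this.realm;
        }
    }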

    /**
     * Determines the roles for the given user and hands the resulting set of role names to the listener.
     * NOTE(review): the listener-based signature suggests the result may be delivered asynchronously;
     * confirm against the implementations.
     *
     * @param userData       the user attributes to evaluate
     * @param actionListener receives the set of role names
     */
    void resolveRoles(UserData userData, ActionListener<Set<String>> actionListener);

    /**
     * Associates a caching realm with this mapper.
     * NOTE(review): presumably the realm's cache is meant to be refreshed when the role mappings
     * change, so that cached users do not keep stale roles; confirm against the implementations.
     *
     * @param cachingRealm the realm to associate
     */
    void refreshRealmOnChange(CachingRealm cachingRealm);
}
