package org.elasticsearch.shield.transport.filter;

import com.carrotsearch.hppc.ObjectObjectHashMap;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Maps;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.collect.HppcMaps;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.component.Lifecycle;
import org.elasticsearch.common.component.LifecycleListener;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.internal.Nullable;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.node.settings.NodeSettingsService;
import org.elasticsearch.shield.audit.AuditTrail;
import org.elasticsearch.shield.license.ShieldLicenseState;
import org.elasticsearch.transport.Transport;

/* loaded from: input_file:lib/shield.jar:org/elasticsearch/shield/transport/filter/IPFilter.class */
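/**
 * Per-profile IP allow/deny filter for the transport and HTTP layers.
 *
 * <p>Rules are kept in a map from profile name to an ordered rule array. {@link #accept} walks the
 * array for the connection's profile and the first rule that contains the remote address decides.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The filter is default-allow: an address that matches no rule is accepted (and audited
 *       against {@link #DEFAULT_PROFILE_ACCEPT_ALL}). A restrictive setup therefore needs a deny
 *       entry covering everything that is not explicitly allowed.</li>
 *   <li>A profile with no entry in the rule map is not filtered at all. That is the case before
 *       the owning transport has started, when filtering is disabled, and for transport profiles
 *       that are not bound to any address.</li>
 *   <li>When {@code licenseState.securityEnabled()} is false every connection is accepted and
 *       nothing is written to the audit trail.</li>
 * </ul>
 */
public class IPFilter extends AbstractLifecycleComponent<IPFilter> {
    /** Profile name under which the HTTP layer's rules are stored. */
    public static final String HTTP_PROFILE_NAME = ".http";
    public static final String IP_FILTER_ENABLED_SETTING = "shield.transport.filter.enabled";
    public static final String IP_FILTER_ENABLED_HTTP_SETTING = "shield.http.filter.enabled";

    /** Rule reported to the audit trail when no configured rule matched; it matches every address. */
    public static final ShieldIpFilterRule DEFAULT_PROFILE_ACCEPT_ALL = new ShieldIpFilterRule(true, "default:accept_all") {
        @Override
        public boolean contains(InetAddress inetAddress) {
            return true;
        }

        @Override
        public boolean isAllowRule() {
            return true;
        }

        @Override
        public boolean isDenyRule() {
            return false;
        }
    };

    /** Re-parses the rules once a transport that was not yet started reports {@code afterStart}. */
    private final LifecycleListener parseSettingsListener = new LifecycleListener() {
        @Override
        public void afterStart() {
            IPFilter.this.rules = IPFilter.this.parseSettings(IPFilter.this.settings);
        }
    };
    private NodeSettingsService nodeSettingsService;
    private final AuditTrail auditTrail;
    private final Transport transport;
    private final ShieldLicenseState licenseState;
    private final boolean alwaysAllowBoundAddresses;
    // Replaced wholesale (never mutated in place) by the lifecycle listener, the settings listener
    // and setHttpServerTransport, and read by accept(). volatile so that a reader sees the most
    // recently published map; presumably writers and readers run on different threads.
    private volatile Map<String, ShieldIpFilterRule[]> rules = Collections.emptyMap();
    private HttpServerTransport httpServerTransport = null;

    /**
     * Settings listener that rebuilds the rule map when a settings refresh touches an IP filter
     * setting and the values differ from the ones seen last.
     */
    private class ApplySettings implements NodeSettingsService.Listener {
        String[] allowed;
        String[] denied;
        String[] httpAllowed;
        String[] httpDenied;
        ObjectObjectHashMap<String, String[]> profileAllowed;
        ObjectObjectHashMap<String, String[]> profileDenied;
        private boolean enabled;
        private boolean httpEnabled;

        public ApplySettings(Settings settings) {
            loadValuesFromSettings(settings);
        }

        /**
         * Remembers the filter-related values of {@code settings} so that a later refresh can be
         * compared against them. Keys that are absent keep the previously remembered value.
         */
        private void loadValuesFromSettings(Settings settings) {
            this.enabled = settings.getAsBoolean(IPFilter.IP_FILTER_ENABLED_SETTING, this.enabled);
            this.httpEnabled = settings.getAsBoolean(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING, this.httpEnabled);
            this.allowed = settings.getAsArray("shield.transport.filter.allow", this.allowed);
            this.denied = settings.getAsArray("shield.transport.filter.deny", this.denied);
            this.httpAllowed = settings.getAsArray("shield.http.filter.allow", this.httpAllowed);
            this.httpDenied = settings.getAsArray("shield.http.filter.deny", this.httpDenied);

            // The original assigned empty maps when there were no profiles and then overwrote them
            // unconditionally; only the unconditional assignment had an effect, so it is kept.
            Map<String, Settings> profiles = settings.getGroups("transport.profiles.");
            this.profileAllowed = HppcMaps.newNoNullKeysMap(profiles.size());
            this.profileDenied = HppcMaps.newNoNullKeysMap(profiles.size());
            for (Map.Entry<String, Settings> entry : profiles.entrySet()) {
                this.profileAllowed.put(entry.getKey(), entry.getValue().getAsArray("shield.filter.allow"));
                this.profileDenied.put(entry.getKey(), entry.getValue().getAsArray("shield.filter.deny"));
            }
        }

        /**
         * Rebuilds the rule map from the refreshed settings when they involve IP filtering and
         * differ from the remembered values.
         */
        @Override
        public void onRefreshSettings(Settings settings) {
            if (ipFilterSettingsInvolved(settings) && settingsChanged(settings)) {
                // NOTE(review): the rules are rebuilt from the refreshed settings object alone.
                // Whether that object also carries the node-level filter settings is not visible
                // here; if it does not, a partial update would drop rules that are only set at
                // node level. Confirm against NodeSettingsService.
                IPFilter.this.rules = IPFilter.this.parseSettings(settings);
                loadValuesFromSettings(settings);
            }
        }

        /** Returns true when any filter-related value in {@code settings} differs from the remembered one. */
        private boolean settingsChanged(Settings settings) {
            if (this.enabled != settings.getAsBoolean(IPFilter.IP_FILTER_ENABLED_SETTING, this.enabled)
                    || this.httpEnabled != settings.getAsBoolean(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING, this.httpEnabled)
                    || !Arrays.equals(this.allowed, settings.getAsArray("shield.transport.filter.allow"))
                    || !Arrays.equals(this.denied, settings.getAsArray("shield.transport.filter.deny"))
                    || !Arrays.equals(this.httpAllowed, settings.getAsArray("shield.http.filter.allow"))
                    || !Arrays.equals(this.httpDenied, settings.getAsArray("shield.http.filter.deny"))) {
                return true;
            }
            Map<String, Settings> profiles = settings.getGroups("transport.profiles.");
            ObjectObjectHashMap<String, String[]> newProfileAllowed = HppcMaps.newNoNullKeysMap(profiles.size());
            ObjectObjectHashMap<String, String[]> newProfileDenied = HppcMaps.newNoNullKeysMap(profiles.size());
            for (Map.Entry<String, Settings> entry : profiles.entrySet()) {
                newProfileAllowed.put(entry.getKey(), entry.getValue().getAsArray("shield.filter.allow"));
                newProfileDenied.put(entry.getKey(), entry.getValue().getAsArray("shield.filter.deny"));
            }
            // NOTE(review): the map values are String[]. If ObjectObjectHashMap.equals compares
            // values with Object.equals, equal contents held in distinct arrays compare unequal
            // and this reports a change whenever a profile exists. That would only cause an extra
            // re-parse, never a missed one. Confirm.
            return !newProfileAllowed.equals(this.profileAllowed) || !newProfileDenied.equals(this.profileDenied);
        }

        /** Returns true when {@code settings} contains at least one IP filter key, global or per profile. */
        private boolean ipFilterSettingsInvolved(Settings settings) {
            boolean globalKeyPresent = settings.get("shield.transport.filter.allow") != null
                    || settings.get("shield.transport.filter.deny") != null
                    || settings.get("shield.http.filter.allow") != null
                    || settings.get("shield.http.filter.deny") != null
                    || settings.get(IPFilter.IP_FILTER_ENABLED_SETTING) != null
                    || settings.get(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING) != null;
            if (globalKeyPresent) {
                return true;
            }
            for (Map.Entry<String, Settings> entry : settings.getGroups("transport.profiles.").entrySet()) {
                Settings profile = entry.getValue();
                if (profile.get("shield.filter.allow") != null || profile.get("shield.filter.deny") != null) {
                    return true;
                }
            }
            return false;
        }
    }

    @Inject
    public IPFilter(Settings settings, AuditTrail auditTrail, NodeSettingsService nodeSettingsService, Transport transport, ShieldLicenseState shieldLicenseState) {
        super(settings);
        this.nodeSettingsService = nodeSettingsService;
        this.auditTrail = auditTrail;
        this.transport = transport;
        this.licenseState = shieldLicenseState;
        // Defaults to true: addresses the node itself is bound to get an allow rule that is
        // evaluated before any configured rule (see createRules).
        this.alwaysAllowBoundAddresses = settings.getAsBoolean("shield.filter.always_allow_bound_address", true);
    }

    /**
     * Registers the settings listener and builds the rules, immediately if the transport has
     * already started and otherwise once it reports {@code afterStart}.
     */
    @Override
    protected void doStart() throws ElasticsearchException {
        this.nodeSettingsService.addListener(new ApplySettings(this.settings));
        if (this.transport.lifecycleState() == Lifecycle.State.STARTED) {
            this.rules = parseSettings(this.settings);
        } else {
            this.transport.addLifecycleListener(this.parseSettingsListener);
        }
    }

    @Override
    protected void doStop() throws ElasticsearchException {
    }

    @Override
    protected void doClose() throws ElasticsearchException {
    }

    /**
     * Optional injection point for the HTTP transport. A null argument is ignored; otherwise the
     * rules are rebuilt now or once the HTTP transport has started.
     */
    @Inject(optional = true)
    public void setHttpServerTransport(@Nullable HttpServerTransport httpServerTransport) {
        if (httpServerTransport == null) {
            return;
        }
        this.httpServerTransport = httpServerTransport;
        if (httpServerTransport.lifecycleState() == Lifecycle.State.STARTED) {
            this.rules = parseSettings(this.settings);
        } else {
            httpServerTransport.addLifecycleListener(this.parseSettingsListener);
        }
    }

    /**
     * Decides whether a connection from {@code inetAddress} on profile {@code str} is accepted.
     *
     * <p>The first rule of the profile that contains the address decides, and the decision is
     * written to the audit trail. If no rule matches, the connection is accepted (default-allow).
     * If security is not enabled by the license, or the profile has no rules, the connection is
     * accepted without an audit entry.
     *
     * @param str profile name, e.g. {@code "default"} or {@link #HTTP_PROFILE_NAME}
     * @param inetAddress remote address of the connection
     * @return true if the connection is accepted
     */
    public boolean accept(String str, InetAddress inetAddress) {
        if (!this.licenseState.securityEnabled()) {
            return true;
        }
        // Read the field once. The original called containsKey() and then get() on this.rules;
        // if the map was swapped between the two calls for one without this profile, get()
        // returned null and the loop below threw a NullPointerException.
        ShieldIpFilterRule[] profileRules = this.rules.get(str);
        if (profileRules == null) {
            return true;
        }
        for (ShieldIpFilterRule rule : profileRules) {
            if (rule.contains(inetAddress)) {
                boolean allowed = rule.isAllowRule();
                if (allowed) {
                    this.auditTrail.connectionGranted(inetAddress, str, rule);
                } else {
                    this.auditTrail.connectionDenied(inetAddress, str, rule);
                }
                return allowed;
            }
        }
        this.auditTrail.connectionGranted(inetAddress, str, DEFAULT_PROFILE_ACCEPT_ALL);
        return true;
    }

    /**
     * Builds the profile-to-rules map from {@code settings}.
     *
     * <p>Returns an empty map when both transport and HTTP filtering are disabled; the HTTP flag
     * defaults to the transport flag, which defaults to true. HTTP rules are built only when an
     * HTTP transport is set and started, and fall back from {@code shield.http.filter.*} to
     * {@code transport.profiles.default.shield.filter.*} to {@code shield.transport.filter.*}.
     * Transport rules are built only when the transport is started. A profile without bound
     * addresses is skipped with a warning, which leaves it unfiltered in {@link #accept}.
     *
     * @param settings settings to read the filter configuration from
     * @return an immutable map from profile name to its ordered rules
     */
    public Map<String, ShieldIpFilterRule[]> parseSettings(Settings settings) {
        boolean transportFilterEnabled = settings.getAsBoolean(IP_FILTER_ENABLED_SETTING, true);
        boolean httpFilterEnabled = settings.getAsBoolean(IP_FILTER_ENABLED_HTTP_SETTING, transportFilterEnabled);
        if (!transportFilterEnabled && !httpFilterEnabled) {
            return Collections.emptyMap();
        }
        Map<String, ShieldIpFilterRule[]> profileRules = new HashMap<>();
        if (httpFilterEnabled && this.httpServerTransport != null && this.httpServerTransport.lifecycleState() == Lifecycle.State.STARTED) {
            String[] httpAllow = settings.getAsArray("shield.http.filter.allow",
                    settings.getAsArray("transport.profiles.default.shield.filter.allow",
                            settings.getAsArray("shield.transport.filter.allow")));
            String[] httpDeny = settings.getAsArray("shield.http.filter.deny",
                    settings.getAsArray("transport.profiles.default.shield.filter.deny",
                            settings.getAsArray("shield.transport.filter.deny")));
            profileRules.put(HTTP_PROFILE_NAME, createRules(httpAllow, httpDeny, this.httpServerTransport.boundAddress().boundAddresses()));
        }
        if (transportFilterEnabled && this.transport.lifecycleState() == Lifecycle.State.STARTED) {
            profileRules.put("default", createRules(settings.getAsArray("shield.transport.filter.allow"), settings.getAsArray("shield.transport.filter.deny"), this.transport.boundAddress().boundAddresses()));
            for (Map.Entry<String, Settings> entry : settings.getGroups("transport.profiles.").entrySet()) {
                String profileName = entry.getKey();
                BoundTransportAddress boundTransportAddress = (BoundTransportAddress) this.transport.profileBoundAddresses().get(profileName);
                if (boundTransportAddress == null) {
                    this.logger.warn("skipping ip filter rules for profile [{}] since the profile is not bound to any addresses", profileName);
                } else {
                    Settings filterSettings = entry.getValue().getByPrefix("shield.filter.");
                    profileRules.put(profileName, createRules(filterSettings.getAsArray("allow"), filterSettings.getAsArray("deny"), boundTransportAddress.boundAddresses()));
                }
            }
        }
        this.logger.debug("loaded ip filtering profiles: {}", profileRules.keySet());
        return ImmutableMap.copyOf(profileRules);
    }

    /**
     * Builds the ordered rule array for one profile.
     *
     * <p>The order is significant because {@link #accept} stops at the first match: the
     * bound-address allow rule (if enabled) comes first, then every allow entry, then every deny
     * entry. An address that matches both an allow and a deny entry is therefore allowed.
     *
     * @param strArr allow entries
     * @param strArr2 deny entries
     * @param transportAddressArr addresses the profile is bound to
     * @return the rules in evaluation order
     */
    private ShieldIpFilterRule[] createRules(String[] strArr, String[] strArr2, TransportAddress[] transportAddressArr) {
        ArrayList<ShieldIpFilterRule> ordered = new ArrayList<>();
        if (this.alwaysAllowBoundAddresses) {
            assert transportAddressArr != null && transportAddressArr.length > 0;
            ordered.add(new ShieldIpFilterRule(true, transportAddressArr));
        }
        for (String allowEntry : strArr) {
            ordered.add(new ShieldIpFilterRule(true, allowEntry));
        }
        for (String denyEntry : strArr2) {
            ordered.add(new ShieldIpFilterRule(false, denyEntry));
        }
        return ordered.toArray(new ShieldIpFilterRule[ordered.size()]);
    }
}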
