package org.elasticsearch.xpack.security.support;

import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceAlreadyExistsException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.UnavailableShardsException;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
import org.elasticsearch.action.support.ActiveShardCount;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.IndicesAdminClient;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.health.ClusterHealthStatus;
import org.elasticsearch.cluster.health.ClusterIndexHealth;
import org.elasticsearch.cluster.metadata.AliasOrIndex;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.MappingMetaData;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.routing.IndexRoutingTable;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.template.TemplateUtils;
import org.elasticsearch.xpack.security.audit.index.IndexAuditTrail;

/* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityIndexManager.class */
public class SecurityIndexManager implements ClusterStateListener {
    public static final String INTERNAL_SECURITY_INDEX = ".security-6";
    public static final int INTERNAL_INDEX_FORMAT = 6;
    public static final String SECURITY_VERSION_STRING = "security-version";
    public static final String SECURITY_TEMPLATE_NAME = "security-index-template";
    public static final String SECURITY_INDEX_NAME = ".security";
    private final String indexName;
    private final Client client;
    private final List<BiConsumer<State, State>> stateChangeListeners;
    private volatile State indexState;
    public static final String TEMPLATE_VERSION_PATTERN = Pattern.quote("${security.template.version}");
    private static final Logger LOGGER = LogManager.getLogger(SecurityIndexManager.class);

    /* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityIndexManager$State.class */
    public static class State {
        public static final State UNRECOVERED_STATE = new State(false, false, false, false, null, null, null);
        public final boolean indexExists;
        public final boolean isIndexUpToDate;
        public final boolean indexAvailable;
        public final boolean mappingUpToDate;
        public final Version mappingVersion;
        public final String concreteIndexName;
        public final ClusterHealthStatus indexStatus;

        public State(boolean z, boolean z2, boolean z3, boolean z4, Version version, String str, ClusterHealthStatus clusterHealthStatus) {
            this.indexExists = z;
            this.isIndexUpToDate = z2;
            this.indexAvailable = z3;
            this.mappingUpToDate = z4;
            this.mappingVersion = version;
            this.concreteIndexName = str;
            this.indexStatus = clusterHealthStatus;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            State state = (State) obj;
            return this.indexExists == state.indexExists && this.isIndexUpToDate == state.isIndexUpToDate && this.indexAvailable == state.indexAvailable && this.mappingUpToDate == state.mappingUpToDate && Objects.equals(this.mappingVersion, state.mappingVersion) && Objects.equals(this.concreteIndexName, state.concreteIndexName) && this.indexStatus == state.indexStatus;
        }

        public int hashCode() {
            return Objects.hash(Boolean.valueOf(this.indexExists), Boolean.valueOf(this.isIndexUpToDate), Boolean.valueOf(this.indexAvailable), Boolean.valueOf(this.mappingUpToDate), this.mappingVersion, this.concreteIndexName, this.indexStatus);
        }
    }

    public SecurityIndexManager(Client client, String str, ClusterService clusterService) {
        this(client, str, State.UNRECOVERED_STATE);
        clusterService.addListener(this);
    }

    private SecurityIndexManager(Client client, String str, State state) {
        this.stateChangeListeners = new CopyOnWriteArrayList();
        this.client = client;
        this.indexName = str;
        this.indexState = state;
    }

    public SecurityIndexManager freeze() {
        return new SecurityIndexManager((Client) null, this.indexName, this.indexState);
    }

    public boolean checkMappingVersion(Predicate<Version> predicate) {
        State state = this.indexState;
        return state.mappingVersion == null || predicate.test(state.mappingVersion);
    }

    public boolean indexExists() {
        return this.indexState.indexExists;
    }

    public boolean isIndexUpToDate() {
        return this.indexState.isIndexUpToDate;
    }

    public boolean isAvailable() {
        return this.indexState.indexAvailable;
    }

    public boolean isMappingUpToDate() {
        return this.indexState.mappingUpToDate;
    }

    public boolean isStateRecovered() {
        return this.indexState != State.UNRECOVERED_STATE;
    }

    public ElasticsearchException getUnavailableReason() {
        State state = this.indexState;
        if (state.indexAvailable) {
            throw new IllegalStateException("caller must make sure to use a frozen state and check indexAvailable");
        }
        return state.indexExists ? new UnavailableShardsException((ShardId) null, "at least one primary shard for the security index is unavailable", new Object[0]) : new IndexNotFoundException(SECURITY_INDEX_NAME);
    }

    public void addIndexStateListener(BiConsumer<State, State> biConsumer) {
        this.stateChangeListeners.add(biConsumer);
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        if (clusterChangedEvent.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
            LOGGER.debug("security index manager waiting until state has been recovered");
            return;
        }
        State state = this.indexState;
        IndexMetaData resolveConcreteIndex = resolveConcreteIndex(this.indexName, clusterChangedEvent.state().metaData());
        boolean z = resolveConcreteIndex != null;
        State state2 = new State(z, !z || ((Integer) IndexMetaData.INDEX_FORMAT_SETTING.get(resolveConcreteIndex.getSettings())).intValue() == 6, checkIndexAvailable(clusterChangedEvent.state()), !z || checkIndexMappingUpToDate(clusterChangedEvent.state()), oldestIndexMappingVersion(clusterChangedEvent.state()), resolveConcreteIndex == null ? INTERNAL_SECURITY_INDEX : resolveConcreteIndex.getIndex().getName(), resolveConcreteIndex == null ? null : new ClusterIndexHealth(resolveConcreteIndex, clusterChangedEvent.state().getRoutingTable().index(resolveConcreteIndex.getIndex())).getStatus());
        this.indexState = state2;
        if (state2.equals(state)) {
            return;
        }
        Iterator<BiConsumer<State, State>> it = this.stateChangeListeners.iterator();
        while (it.hasNext()) {
            it.next().accept(state, state2);
        }
    }

    private boolean checkIndexAvailable(ClusterState clusterState) {
        IndexRoutingTable indexRoutingTable = getIndexRoutingTable(clusterState);
        if (indexRoutingTable != null && indexRoutingTable.allPrimaryShardsActive()) {
            return true;
        }
        LOGGER.debug("Security index [{}] is not yet active", this.indexName);
        return false;
    }

    private IndexRoutingTable getIndexRoutingTable(ClusterState clusterState) {
        IndexMetaData resolveConcreteIndex = resolveConcreteIndex(this.indexName, clusterState.metaData());
        if (resolveConcreteIndex == null) {
            return null;
        }
        return clusterState.routingTable().index(resolveConcreteIndex.getIndex());
    }

    public static boolean checkTemplateExistsAndVersionMatches(String str, ClusterState clusterState, Logger logger, Predicate<Version> predicate) {
        return TemplateUtils.checkTemplateExistsAndVersionMatches(str, SECURITY_VERSION_STRING, clusterState, logger, predicate);
    }

    private boolean checkIndexMappingUpToDate(ClusterState clusterState) {
        Version version = Version.CURRENT;
        Objects.requireNonNull(version);
        return checkIndexMappingVersionMatches(clusterState, (v1) -> {
            return r2.equals(v1);
        });
    }

    private boolean checkIndexMappingVersionMatches(ClusterState clusterState, Predicate<Version> predicate) {
        return checkIndexMappingVersionMatches(this.indexName, clusterState, LOGGER, predicate);
    }

    public static boolean checkIndexMappingVersionMatches(String str, ClusterState clusterState, Logger logger, Predicate<Version> predicate) {
        return loadIndexMappingVersions(str, clusterState, logger).stream().allMatch(predicate);
    }

    private Version oldestIndexMappingVersion(ClusterState clusterState) {
        return loadIndexMappingVersions(this.indexName, clusterState, LOGGER).stream().min((v0, v1) -> {
            return v0.compareTo(v1);
        }).orElse(null);
    }

    private static Set<Version> loadIndexMappingVersions(String str, ClusterState clusterState, Logger logger) {
        HashSet hashSet = new HashSet();
        IndexMetaData resolveConcreteIndex = resolveConcreteIndex(str, clusterState.metaData());
        if (resolveConcreteIndex != null) {
            for (Object obj : resolveConcreteIndex.getMappings().values().toArray()) {
                MappingMetaData mappingMetaData = (MappingMetaData) obj;
                if (!mappingMetaData.type().equals("_default_")) {
                    hashSet.add(readMappingVersion(str, mappingMetaData, logger));
                }
            }
        }
        return hashSet;
    }

    private static IndexMetaData resolveConcreteIndex(String str, MetaData metaData) {
        AliasOrIndex aliasOrIndex = (AliasOrIndex) metaData.getAliasAndIndexLookup().get(str);
        if (aliasOrIndex == null) {
            return null;
        }
        List indices = aliasOrIndex.getIndices();
        if (!aliasOrIndex.isAlias() || indices.size() <= 1) {
            return (IndexMetaData) indices.get(0);
        }
        throw new IllegalStateException("Alias [" + str + "] points to more than one index: " + indices.stream().map(indexMetaData -> {
            return indexMetaData.getIndex().getName();
        }).collect(Collectors.toList()));
    }

    private static Version readMappingVersion(String str, MappingMetaData mappingMetaData, Logger logger) {
        try {
            Map map = (Map) mappingMetaData.sourceAsMap().get("_meta");
            if (map != null) {
                return Version.fromString((String) map.get(SECURITY_VERSION_STRING));
            }
            logger.info("Missing _meta field in mapping [{}] of index [{}]", mappingMetaData.type(), str);
            throw new IllegalStateException("Cannot read security-version string in index " + str);
        } catch (ElasticsearchParseException e) {
            logger.error(new ParameterizedMessage("Cannot parse the mapping for index [{}]", str), e);
            throw new ElasticsearchException("Cannot parse the mapping for index [{}]", e, new Object[]{str});
        }
    }

    public void checkIndexVersionThenExecute(Consumer<Exception> consumer, Runnable runnable) {
        State state = this.indexState;
        if (!state.indexExists || state.isIndexUpToDate) {
            runnable.run();
        } else {
            consumer.accept(new IllegalStateException("Security index is not on the current version. Security features relying on the index will not be available until the upgrade API is run on the security index"));
        }
    }

    public void prepareIndexIfNeededThenExecute(final Consumer<Exception> consumer, final Runnable runnable) {
        State state = this.indexState;
        if (state == State.UNRECOVERED_STATE) {
            consumer.accept(new ElasticsearchStatusException("Cluster state has not been recovered yet, cannot write to the security index", RestStatus.SERVICE_UNAVAILABLE, new Object[0]));
            return;
        }
        if (state.indexExists && !state.isIndexUpToDate) {
            consumer.accept(new IllegalStateException("Security index is not on the current version. Security features relying on the index will not be available until the upgrade API is run on the security index"));
            return;
        }
        if (!state.indexExists) {
            LOGGER.info("security index does not exist. Creating [{}] with alias [{}]", INTERNAL_SECURITY_INDEX, SECURITY_INDEX_NAME);
            Tuple<String, Settings> loadMappingAndSettingsSourceFromTemplate = loadMappingAndSettingsSourceFromTemplate();
            CreateIndexRequest createIndexRequest = new CreateIndexRequest(INTERNAL_SECURITY_INDEX).alias(new Alias(SECURITY_INDEX_NAME)).mapping(IndexAuditTrail.DOC_TYPE, (String) loadMappingAndSettingsSourceFromTemplate.v1(), XContentType.JSON).waitForActiveShards(ActiveShardCount.ALL).settings((Settings) loadMappingAndSettingsSourceFromTemplate.v2());
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            ActionListener<CreateIndexResponse> actionListener = new ActionListener<CreateIndexResponse>() { // from class: org.elasticsearch.xpack.security.support.SecurityIndexManager.1
                public void onResponse(CreateIndexResponse createIndexResponse) {
                    if (createIndexResponse.isAcknowledged()) {
                        runnable.run();
                    } else {
                        consumer.accept(new ElasticsearchException("Failed to create security index", new Object[0]));
                    }
                }

                public void onFailure(Exception exc) {
                    if (ExceptionsHelper.unwrapCause(exc) instanceof ResourceAlreadyExistsException) {
                        runnable.run();
                    } else {
                        consumer.accept(exc);
                    }
                }
            };
            IndicesAdminClient indices = this.client.admin().indices();
            Objects.requireNonNull(indices);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", createIndexRequest, actionListener, indices::create);
            return;
        }
        if (state.mappingUpToDate) {
            runnable.run();
            return;
        }
        LOGGER.info("security index [{}] (alias [{}]) is not up to date. Updating mapping", state.concreteIndexName, SECURITY_INDEX_NAME);
        PutMappingRequest type = new PutMappingRequest(new String[]{state.concreteIndexName}).source((String) loadMappingAndSettingsSourceFromTemplate().v1(), XContentType.JSON).type(IndexAuditTrail.DOC_TYPE);
        ThreadContext threadContext2 = this.client.threadPool().getThreadContext();
        ActionListener wrap = ActionListener.wrap(acknowledgedResponse -> {
            if (acknowledgedResponse.isAcknowledged()) {
                runnable.run();
            } else {
                consumer.accept(new IllegalStateException("put mapping request was not acknowledged"));
            }
        }, consumer);
        IndicesAdminClient indices2 = this.client.admin().indices();
        Objects.requireNonNull(indices2);
        ClientHelper.executeAsyncWithOrigin(threadContext2, "security", type, wrap, indices2::putMapping);
    }

    private Tuple<String, Settings> loadMappingAndSettingsSourceFromTemplate() {
        PutIndexTemplateRequest source = new PutIndexTemplateRequest(SECURITY_TEMPLATE_NAME).source(TemplateUtils.loadTemplate("/security-index-template.json", Version.CURRENT.toString(), TEMPLATE_VERSION_PATTERN).getBytes(StandardCharsets.UTF_8), XContentType.JSON);
        return new Tuple<>((String) source.mappings().get(IndexAuditTrail.DOC_TYPE), source.settings());
    }

    public static boolean isMoveFromRedToNonRed(State state, State state2) {
        return ((state.indexStatus != null && state.indexStatus != ClusterHealthStatus.RED) || state2.indexStatus == null || state2.indexStatus == ClusterHealthStatus.RED) ? false : true;
    }

    public static boolean isIndexDeleted(State state, State state2) {
        return state.indexStatus != null && state2.indexStatus == null;
    }
}
