package org.elasticsearch.xpack.security.authz;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.SortedMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.StepListener;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.GroupedActionListener;
import org.elasticsearch.action.support.replication.TransportReplicationAction;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.esnative.ClientReservedRealm;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.ResolvedIndices;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.BwcXPackUser;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
import org.elasticsearch.xpack.core.security.user.XPackUser;
import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/AuthorizationService.class */
public class AuthorizationService extends AbstractComponent {
    /** Read once in the constructor into {@code anonymousAuthzExceptionEnabled}; the static initializer that registers it is outside this view. */
    public static final Setting<Boolean> ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING;
    /** AuthorizationInfo stored in the thread context and reported to the audit trail when the system user is authorized. */
    private static final AuthorizationEngine.AuthorizationInfo SYSTEM_AUTHZ_INFO;
    private static final Logger logger;
    private final Settings settings;
    private final ClusterService clusterService;
    private final AuditTrailService auditTrail;
    private final IndicesAndAliasesResolver indicesAndAliasesResolver;
    private final AuthenticationFailureHandler authcFailureHandler;
    private final ThreadContext threadContext;
    private final AnonymousUser anonymousUser;
    /** Built-in RBAC engine; always constructed, and always used for reserved and internal users (see getAuthorizationEngineForUser). */
    private final AuthorizationEngine rbacEngine;
    /** Engine for all other users; falls back to {@code rbacEngine} when no custom engine is supplied. */
    private final AuthorizationEngine authorizationEngine;
    private final Set<RequestInterceptor> requestInterceptors;
    private final XPackLicenseState licenseState;
    private final boolean isAnonymousEnabled;
    private final boolean anonymousAuthzExceptionEnabled;
    /** Decompiler-emitted assertion flag; its static initializer is not visible here. */
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.elasticsearch.xpack.security.authz.AuthorizationService$1, reason: invalid class name */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/AuthorizationService$1.class */
    /**
     * Decompiler-synthesized switch map over {@link DocWriteRequest.OpType} ordinals (javac emits this
     * for a switch on an enum from another class). Each ordinal lookup is wrapped in a
     * NoSuchFieldError catch so class initialization survives an enum constant that is missing at runtime.
     * No visible method in this view reads it; the consuming switch is presumably in the part of the
     * class that is cut off below.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType = new int[DocWriteRequest.OpType.values().length];

        static {
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.INDEX.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.CREATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.UPDATE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.DELETE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /**
     * Bridges an {@link AuthorizationEngine.AuthorizationResult} back to the caller.
     *
     * A granted result is audited as access-granted (only when the result is auditable) and handed to
     * the success continuation. A denied result, or any exception from the engine, is audited as
     * access-denied and converted into the denial exception built by {@code denialException}; the
     * engine's own exception is attached as the cause but never returned directly. A denied result that
     * is not auditable is still a denial, just without an audit event.
     */
    public class AuthorizationResultListener<T extends AuthorizationEngine.AuthorizationResult> implements ActionListener<T> {
        private final Consumer<T> onGranted;
        private final Consumer<Exception> onDenied;
        private final AuthorizationEngine.RequestInfo requestInfo;
        private final String requestId;
        private final AuthorizationEngine.AuthorizationInfo authzInfo;

        private AuthorizationResultListener(Consumer<T> onGranted, Consumer<Exception> onDenied, AuthorizationEngine.RequestInfo requestInfo, String requestId, AuthorizationEngine.AuthorizationInfo authzInfo) {
            this.onGranted = onGranted;
            this.onDenied = onDenied;
            this.requestInfo = requestInfo;
            this.requestId = requestId;
            this.authzInfo = authzInfo;
        }

        public void onResponse(T result) {
            if (result.isGranted()) {
                if (result.isAuditable()) {
                    AuthorizationService.this.auditTrail.accessGranted(requestId, requestInfo.getAuthentication(), requestInfo.getAction(), requestInfo.getRequest(), authzInfo);
                }
                try {
                    onGranted.accept(result);
                } catch (Exception e) {
                    // A failure in the continuation is reported as-is; it is not re-audited or turned into a denial.
                    onDenied.accept(e);
                }
            } else {
                handleFailure(result.isAuditable(), null);
            }
        }

        public void onFailure(Exception e) {
            // Engine failures are always audited as a denial.
            handleFailure(true, e);
        }

        private void handleFailure(boolean audit, @Nullable Exception cause) {
            if (audit) {
                AuthorizationService.this.auditTrail.accessDenied(requestId, requestInfo.getAuthentication(), requestInfo.getAction(), requestInfo.getRequest(), authzInfo);
            }
            onDenied.accept(AuthorizationService.this.denialException(requestInfo.getAuthentication(), requestInfo.getAction(), cause));
        }

        /* synthetic: kept for call sites that pass the explicit outer instance and the AnonymousClass1 marker */
        /* synthetic */ AuthorizationResultListener(AuthorizationService outer, Consumer onGranted, Consumer onDenied, AuthorizationEngine.RequestInfo requestInfo, String requestId, AuthorizationEngine.AuthorizationInfo authzInfo, AnonymousClass1 marker) {
            this(onGranted, onDenied, requestInfo, requestId, authzInfo);
        }
    }

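    /**
     * Memoising wrapper around an {@link AuthorizationEngine.AsyncSupplier}: the first call delegates,
     * and any later call that observes the cached value answers immediately without touching the delegate.
     *
     * {@code getAsync} is synchronized, but the cached value is assigned from the delegate's callback,
     * which may run on another thread after the monitor has already been released. The field is therefore
     * {@code volatile} so that write is visible to the next synchronized read; without it a later caller
     * could see {@code null} and invoke the delegate again. Concurrent first callers that all see
     * {@code null} still each invoke the delegate (last write wins). Failures are passed straight through
     * to the listener and nothing is cached.
     */
    public static class CachingAsyncSupplier<V> implements AuthorizationEngine.AsyncSupplier<V> {
        private final AuthorizationEngine.AsyncSupplier<V> delegate;
        private volatile V value;

        private CachingAsyncSupplier(AuthorizationEngine.AsyncSupplier<V> delegate) {
            this.value = null;
            this.delegate = delegate;
        }

        public synchronized void getAsync(ActionListener<V> listener) {
            V cached = this.value;
            if (cached != null) {
                listener.onResponse(cached);
                return;
            }
            delegate.getAsync(ActionListener.wrap(loaded -> {
                // Hand back exactly what was loaded for this call, not whatever another loader may have stored meanwhile.
                this.value = loaded;
                listener.onResponse(loaded);
            }, listener::onFailure));
        }

        /* synthetic: kept for call sites that pass the AnonymousClass1 marker */
        /* synthetic */ CachingAsyncSupplier(AuthorizationEngine.AsyncSupplier delegate, AnonymousClass1 marker) {
            this(delegate);
        }
    }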

    /**
     * Wires the service. The RBAC engine is always built; a custom {@code authorizationEngine}, when
     * supplied, is used for everyone except reserved and internal users (see getAuthorizationEngineForUser).
     * Anonymous-access behaviour is fixed here from settings and never re-read.
     */
    public AuthorizationService(Settings settings, CompositeRolesStore compositeRolesStore, ClusterService clusterService, AuditTrailService auditTrailService, AuthenticationFailureHandler authenticationFailureHandler, ThreadPool threadPool, AnonymousUser anonymousUser, @Nullable AuthorizationEngine authorizationEngine, Set<RequestInterceptor> set, XPackLicenseState xPackLicenseState) {
        this.settings = settings;
        this.licenseState = xPackLicenseState;
        this.clusterService = clusterService;
        this.auditTrail = auditTrailService;
        this.authcFailureHandler = authenticationFailureHandler;
        this.threadContext = threadPool.getThreadContext();
        this.requestInterceptors = set;
        this.anonymousUser = anonymousUser;
        this.isAnonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);
        this.anonymousAuthzExceptionEnabled = ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING.get(settings);
        this.indicesAndAliasesResolver = new IndicesAndAliasesResolver(settings, clusterService);
        RBACEngine builtIn = new RBACEngine(settings, compositeRolesStore);
        this.rbacEngine = builtIn;
        this.authorizationEngine = authorizationEngine != null ? authorizationEngine : builtIn;
    }

    /**
     * Answers a has-privileges request for {@code authentication} using the engine selected for that
     * user and the AuthorizationInfo already present in the thread context (fails fast if it is missing).
     * The listener is wrapped so the caller's thread context is restored when it fires.
     */
    public void checkPrivileges(Authentication authentication, HasPrivilegesRequest hasPrivilegesRequest, Collection<ApplicationPrivilegeDescriptor> collection, ActionListener<HasPrivilegesResponse> actionListener) {
        AuthorizationEngine engine = getAuthorizationEngine(authentication);
        AuthorizationEngine.AuthorizationInfo authzInfo = getAuthorizationInfoFromContext();
        ActionListener<HasPrivilegesResponse> contextPreserving = ContextPreservingActionListener.wrapPreservingContext(actionListener, this.threadContext);
        engine.checkPrivileges(authentication, authzInfo, hasPrivilegesRequest, collection, contextPreserving);
    }

    /**
     * Lists the privileges of {@code authentication} via the engine selected for that user and the
     * AuthorizationInfo already in the thread context. Unlike checkPrivileges, the listener is passed
     * through without context preservation.
     */
    public void retrieveUserPrivileges(Authentication authentication, GetUserPrivilegesRequest getUserPrivilegesRequest, ActionListener<GetUserPrivilegesResponse> actionListener) {
        AuthorizationEngine engine = getAuthorizationEngine(authentication);
        AuthorizationEngine.AuthorizationInfo authzInfo = getAuthorizationInfoFromContext();
        engine.getUserPrivileges(authentication, authzInfo, getUserPrivilegesRequest, actionListener);
    }

    /**
     * Returns the AuthorizationInfo that {@code authorize} stored under {@code _authz_info} for the current
     * request, or throws a NullPointerException when no authorization has happened on this context.
     */
    private AuthorizationEngine.AuthorizationInfo getAuthorizationInfoFromContext() {
        AuthorizationEngine.AuthorizationInfo authzInfo = this.threadContext.getTransient("_authz_info");
        if (authzInfo == null) {
            throw new NullPointerException("authorization info is missing from context");
        }
        return authzInfo;
    }

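    /**
     * Entry point for authorizing {@code action} on {@code transportRequest} for {@code authentication}.
     *
     * Runs inside a scoped thread context (the action-scope keys are reset on exit). A request-id must
     * already be present for any non-internal user; its absence is audited as a tampered request and
     * reported to the listener. Fix over the decompiled form: that branch now {@code return}s — previously
     * execution fell through, so with assertions disabled the request was still authorized with a null
     * request-id and the listener could be completed twice. The system user is short-circuited to
     * authorizeSystemUser; everyone else has AuthorizationInfo resolved by their engine, stored under
     * {@code _authz_info}, and then continues through run-as and action authorization.
     *
     * @throws ElasticsearchSecurityException from maybeUnwrapRequest when the request/action proxy shape is inconsistent
     */
    public void authorize(Authentication authentication, String str, TransportRequest transportRequest, ActionListener<Void> actionListener) throws ElasticsearchSecurityException {
        try (ThreadContext.StoredContext ignore = this.threadContext.newStoredContext(false, AuthorizationServiceField.ACTION_SCOPE_AUTHORIZATION_KEYS)) {
            putTransientIfNonExisting("_originating_action_name", str);
            String requestId = AuditUtil.extractRequestId(this.threadContext);
            if (requestId == null) {
                if (isInternalUser(authentication.getUser(), authentication.getVersion())) {
                    // Internal users run background work without an inbound request, so one is minted here.
                    requestId = AuditUtil.getOrGenerateRequestId(this.threadContext);
                } else {
                    this.auditTrail.tamperedRequest(null, authentication.getUser(), str, transportRequest);
                    String message = "Attempt to authorize action [" + str + "] for [" + authentication.getUser().principal() + "] without an existing request-id";
                    assert false : message;
                    actionListener.onFailure(new ElasticsearchSecurityException(message, new Object[0]));
                    return;
                }
            }
            TransportRequest request = maybeUnwrapRequest(authentication, transportRequest, str, requestId);
            if (SystemUser.is(authentication.getUser())) {
                authorizeSystemUser(authentication, str, requestId, request, actionListener);
                return;
            }
            final String auditId = requestId;
            AuthorizationEngine.RequestInfo requestInfo = new AuthorizationEngine.RequestInfo(authentication, request, str);
            ActionListener<AuthorizationEngine.AuthorizationInfo> authzInfoListener = ActionListener.wrap(authzInfo -> {
                this.threadContext.putTransient("_authz_info", authzInfo);
                maybeAuthorizeRunAs(requestInfo, auditId, authzInfo, actionListener);
            }, actionListener::onFailure);
            getAuthorizationEngine(authentication).resolveAuthorizationInfo(requestInfo, ContextPreservingActionListener.wrapPreservingContext(authzInfoListener, this.threadContext));
        }
    }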

    /**
     * Inserts the run-as check in front of action authorization when the authenticated user is
     * impersonating another. A granted run-as is audited (if auditable) and falls through to
     * authorizeAction; a denied run-as or an engine failure is audited as run-as-denied and reported as a
     * plain denial. Note that in the failure path the engine's exception is not attached to the denial
     * (null is passed as the cause). Non-run-as requests go straight to authorizeAction.
     */
    private void maybeAuthorizeRunAs(AuthorizationEngine.RequestInfo requestInfo, String requestId, AuthorizationEngine.AuthorizationInfo authzInfo, ActionListener<Void> listener) {
        Authentication authentication = requestInfo.getAuthentication();
        TransportRequest request = requestInfo.getRequest();
        String action = requestInfo.getAction();
        if (!authentication.getUser().isRunAs()) {
            authorizeAction(requestInfo, requestId, authzInfo, listener);
            return;
        }
        ActionListener<AuthorizationEngine.AuthorizationResult> runAsListener = ActionListener.wrap(result -> {
            if (result.isGranted()) {
                if (result.isAuditable()) {
                    this.auditTrail.runAsGranted(requestId, authentication, action, request, authzInfo.getAuthenticatedUserAuthorizationInfo());
                }
                authorizeAction(requestInfo, requestId, authzInfo, listener);
                return;
            }
            if (result.isAuditable()) {
                this.auditTrail.runAsDenied(requestId, authentication, action, request, authzInfo.getAuthenticatedUserAuthorizationInfo());
            }
            listener.onFailure(denialException(authentication, action, null));
        }, e -> {
            // Always audited; the cause is dropped so only the generic denial reaches the caller.
            this.auditTrail.runAsDenied(requestId, authentication, action, request, authzInfo.getAuthenticatedUserAuthorizationInfo());
            listener.onFailure(denialException(authentication, action, null));
        });
        authorizeRunAs(requestInfo, authzInfo, ContextPreservingActionListener.wrapPreservingContext(runAsListener, this.threadContext));
    }

    /**
     * Authorizes a single action once any run-as has been approved.
     *
     * Dispatch is by action name. Cluster actions go to authorizeClusterAction and, when granted, get
     * ALLOW_ALL index permissions placed in the thread context. Index actions go to authorizeIndexAction
     * with lazily resolved index names and continue in handleIndexActionAuthorizationResult. An action
     * that matches neither matcher is denied and audited without consulting an engine — deny by default.
     */
    private void authorizeAction(AuthorizationEngine.RequestInfo requestInfo, String str, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<Void> actionListener) {
        Authentication authentication = requestInfo.getAuthentication();
        TransportMessage request = requestInfo.getRequest();
        String action = requestInfo.getAction();
        AuthorizationEngine authorizationEngine = getAuthorizationEngine(authentication);
        if (ClusterPrivilege.ACTION_MATCHER.test(action)) {
            // A granted cluster action carries no per-index restrictions.
            Consumer consumer = authorizationResult -> {
                this.threadContext.putTransient("_indices_permissions", IndicesAccessControl.ALLOW_ALL);
                actionListener.onResponse((Object) null);
            };
            Objects.requireNonNull(actionListener);
            authorizationEngine.authorizeClusterAction(requestInfo, authorizationInfo, ContextPreservingActionListener.wrapPreservingContext(new AuthorizationResultListener(this, consumer, actionListener::onFailure, requestInfo, str, authorizationInfo, null), this.threadContext));
        } else {
            if (!IndexPrivilege.ACTION_MATCHER.test(action)) {
                // Neither a cluster nor an index action: refuse outright.
                logger.warn("denying access as action [{}] is not an index or cluster action", action);
                this.auditTrail.accessDenied(str, authentication, action, request, authorizationInfo);
                actionListener.onFailure(denialException(authentication, action, null));
                return;
            }
            // Cluster metadata is read once and shared by both suppliers below.
            MetaData metaData = this.clusterService.state().metaData();
            // Authorized indices are loaded at most once per request (CachingAsyncSupplier memoizes).
            CachingAsyncSupplier cachingAsyncSupplier = new CachingAsyncSupplier(actionListener2 -> {
                authorizationEngine.loadAuthorizedIndices(requestInfo, authorizationInfo, metaData.getAliasAndIndexLookup(), actionListener2);
            }, null);
            // Requested index names are resolved against that authorized list, also memoized.
            CachingAsyncSupplier cachingAsyncSupplier2 = new CachingAsyncSupplier(actionListener3 -> {
                cachingAsyncSupplier.getAsync(ActionListener.wrap(list -> {
                    resolveIndexNames(request, metaData, list, actionListener3);
                }, exc -> {
                    this.auditTrail.accessDenied(str, authentication, action, request, authorizationInfo);
                    // An IndexNotFoundException is returned to the caller unchanged; any other failure becomes a denial.
                    if (exc instanceof IndexNotFoundException) {
                        actionListener.onFailure(exc);
                    } else {
                        actionListener.onFailure(denialException(authentication, action, exc));
                    }
                }));
            }, null);
            SortedMap aliasAndIndexLookup = metaData.getAliasAndIndexLookup();
            Consumer consumer2 = indexAuthorizationResult -> {
                handleIndexActionAuthorizationResult(indexAuthorizationResult, requestInfo, str, authorizationInfo, authorizationEngine, cachingAsyncSupplier, cachingAsyncSupplier2, metaData, actionListener);
            };
            Objects.requireNonNull(actionListener);
            authorizationEngine.authorizeIndexAction(requestInfo, authorizationInfo, cachingAsyncSupplier2, aliasAndIndexLookup, ContextPreservingActionListener.wrapPreservingContext(new AuthorizationResultListener(this, consumer2, actionListener::onFailure, requestInfo, str, authorizationInfo, null), this.threadContext));
        }
    }

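    /**
     * Continues an index action once the engine has granted it.
     *
     * Publishes the engine's {@link IndicesAccessControl} into the thread context (when present) and then
     * runs the action-specific follow-up before the request interceptors:
     * <ul>
     *   <li>a create-index request that also declares aliases is re-authorized as {@code indices:admin/aliases}
     *       over the resolved indices plus every alias name, so alias creation cannot bypass alias privileges;</li>
     *   <li>a shard-level bulk request is authorized item by item via authorizeBulkItems;</li>
     *   <li>anything else goes straight to the interceptors.</li>
     * </ul>
     * Fix over the decompiled form: the request is held as a {@link TransportRequest} and down-cast only
     * inside the branch whose action matcher establishes the concrete type; declaring it as
     * {@code CreateIndexRequest} up front was an unconditional downcast that would fail for every other action.
     */
    private void handleIndexActionAuthorizationResult(AuthorizationEngine.IndexAuthorizationResult result, AuthorizationEngine.RequestInfo requestInfo, String requestId, AuthorizationEngine.AuthorizationInfo authzInfo, AuthorizationEngine authzEngine, AuthorizationEngine.AsyncSupplier<List<String>> authorizedIndicesSupplier, AuthorizationEngine.AsyncSupplier<ResolvedIndices> resolvedIndicesSupplier, MetaData metaData, ActionListener<Void> listener) {
        final Authentication authentication = requestInfo.getAuthentication();
        final TransportRequest request = requestInfo.getRequest();
        final String action = requestInfo.getAction();
        if (result.getIndicesAccessControl() != null) {
            this.threadContext.putTransient("_indices_permissions", result.getIndicesAccessControl());
        }
        if (IndexPrivilege.CREATE_INDEX_MATCHER.test(action)) {
            assert request instanceof CreateIndexRequest;
            final Set<Alias> aliases = ((CreateIndexRequest) request).aliases();
            if (aliases.isEmpty()) {
                runRequestInterceptors(requestInfo, authzInfo, this.authorizationEngine, listener);
                return;
            }
            // Second, separate authorization of the same request under the alias action name.
            final AuthorizationEngine.RequestInfo aliasesRequestInfo = new AuthorizationEngine.RequestInfo(authentication, request, "indices:admin/aliases");
            final AuthorizationEngine.AsyncSupplier<ResolvedIndices> indicesAndAliasesSupplier = resolvedListener -> resolvedIndicesSupplier.getAsync(ActionListener.wrap(resolvedIndices -> {
                List<String> indicesAndAliases = new ArrayList<>(resolvedIndices.getLocal());
                for (Alias alias : aliases) {
                    indicesAndAliases.add(alias.name());
                }
                resolvedListener.onResponse(new ResolvedIndices(indicesAndAliases, Collections.emptyList()));
            }, resolvedListener::onFailure));
            authzEngine.authorizeIndexAction(aliasesRequestInfo, authzInfo, indicesAndAliasesSupplier, metaData.getAliasAndIndexLookup(), ContextPreservingActionListener.wrapPreservingContext(new AuthorizationResultListener<>(aliasResult -> runRequestInterceptors(requestInfo, authzInfo, this.authorizationEngine, listener), listener::onFailure, aliasesRequestInfo, requestId, authzInfo), this.threadContext));
        } else if (action.equals("indices:data/write/bulk[s]")) {
            assert request instanceof BulkShardRequest : "Action " + action + " requires " + BulkShardRequest.class + " but was " + request.getClass();
            authorizeBulkItems(requestInfo, authzInfo, authzEngine, resolvedIndicesSupplier, authorizedIndicesSupplier, metaData, requestId, ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(ignored -> runRequestInterceptors(requestInfo, authzInfo, this.authorizationEngine, listener), listener::onFailure), this.threadContext));
        } else {
            runRequestInterceptors(requestInfo, authzInfo, this.authorizationEngine, listener);
        }
    }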

    /**
     * Runs every configured {@link RequestInterceptor} in iteration order, each only after the previous
     * one completed successfully, then completes {@code listener}. The first interceptor failure
     * short-circuits the chain and is reported to {@code listener} unchanged. With no interceptors the
     * listener completes immediately.
     */
    private void runRequestInterceptors(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authzInfo, AuthorizationEngine engine, ActionListener<Void> listener) {
        if (this.requestInterceptors.isEmpty()) {
            listener.onResponse(null);
            return;
        }
        Iterator<RequestInterceptor> interceptors = this.requestInterceptors.iterator();
        StepListener<Void> firstStep = new StepListener<>();
        RequestInterceptor first = interceptors.next();
        // Link the chain front to back: completion of one step triggers the next interceptor.
        StepListener<Void> previousStep = firstStep;
        while (interceptors.hasNext()) {
            RequestInterceptor interceptor = interceptors.next();
            StepListener<Void> step = new StepListener<>();
            previousStep.whenComplete(ignored -> interceptor.intercept(requestInfo, engine, authzInfo, step), listener::onFailure);
            previousStep = step;
        }
        previousStep.whenComplete(ignored -> listener.onResponse(null), listener::onFailure);
        // Only after the whole chain is wired is the first interceptor started.
        first.intercept(requestInfo, engine, authzInfo, firstStep);
    }

    /** Engine for the *authenticated* (impersonating) user of a run-as request, chosen by the same rules as getAuthorizationEngine. */
    AuthorizationEngine getRunAsAuthorizationEngine(Authentication authentication) {
        User authenticatedUser = authentication.getUser().authenticatedUser();
        return getAuthorizationEngineForUser(authenticatedUser, authentication.getVersion());
    }

    /** Engine for the effective user of {@code authentication} (the run-as target when impersonating). */
    AuthorizationEngine getAuthorizationEngine(Authentication authentication) {
        User effectiveUser = authentication.getUser();
        return getAuthorizationEngineForUser(effectiveUser, authentication.getVersion());
    }

    /**
     * Picks the engine for {@code user}. The built-in RBAC engine is used when no custom engine is
     * configured, when the license does not allow a custom engine, or when the user is reserved or internal;
     * only ordinary users under a permitting license reach the custom engine.
     */
    private AuthorizationEngine getAuthorizationEngineForUser(User user, Version version) {
        if (this.rbacEngine == this.authorizationEngine || !this.licenseState.isAuthorizationEngineAllowed()) {
            return this.rbacEngine;
        }
        // Reserved and internal users are never delegated to a custom engine.
        boolean builtInUser = ClientReservedRealm.isReserved(user.principal(), this.settings) || isInternalUser(user, version);
        return builtInUser ? this.rbacEngine : this.authorizationEngine;
    }

    /**
     * Authorizes the system user without any engine: the action is allowed iff SystemUser.isAuthorized
     * accepts it. On grant the thread context receives ALLOW_ALL index permissions and the system
     * AuthorizationInfo; both outcomes are audited with SYSTEM_AUTHZ_INFO.
     */
    private void authorizeSystemUser(Authentication authentication, String action, String requestId, TransportRequest request, ActionListener<Void> listener) {
        if (SystemUser.isAuthorized(action)) {
            this.threadContext.putTransient("_indices_permissions", IndicesAccessControl.ALLOW_ALL);
            this.threadContext.putTransient("_authz_info", SYSTEM_AUTHZ_INFO);
            this.auditTrail.accessGranted(requestId, authentication, action, request, SYSTEM_AUTHZ_INFO);
            listener.onResponse(null);
            return;
        }
        this.auditTrail.accessDenied(requestId, authentication, action, request, SYSTEM_AUTHZ_INFO);
        listener.onFailure(denialException(authentication, action, null));
    }

    /**
     * Strips transport-level wrappers so authorization sees the real request.
     *
     * A ConcreteShardRequest is unwrapped to its inner request (asserted not to be a proxy). Otherwise the
     * proxy wrapper, if any, is removed and the request shape is cross-checked against the action name:
     * a proxy action must carry a proxy request and vice versa. Either mismatch is audited as an access
     * denial and thrown as a denial exception, since a request that misrepresents its action would be
     * authorized against the wrong policy.
     *
     * @throws ElasticsearchSecurityException when the request/action proxy shape is inconsistent
     */
    private TransportRequest maybeUnwrapRequest(Authentication authentication, TransportRequest originalRequest, String action, String requestId) {
        if (originalRequest instanceof TransportReplicationAction.ConcreteShardRequest) {
            TransportRequest inner = ((TransportReplicationAction.ConcreteShardRequest) originalRequest).getRequest();
            assert !TransportActionProxy.isProxyRequest(inner) : "expected non-proxy request for action: " + action;
            return inner;
        }
        TransportRequest unwrapped = TransportActionProxy.unwrapRequest(originalRequest);
        boolean proxyRequest = TransportActionProxy.isProxyRequest(originalRequest);
        boolean proxyAction = TransportActionProxy.isProxyAction(action);
        if (proxyAction && !proxyRequest) {
            IllegalStateException cause = new IllegalStateException("originalRequest is not a proxy request: [" + originalRequest + "] but action: [" + action + "] is a proxy action");
            this.auditTrail.accessDenied(requestId, authentication, action, unwrapped, AuthorizationEngine.EmptyAuthorizationInfo.INSTANCE);
            throw denialException(authentication, action, cause);
        }
        if (proxyRequest && !proxyAction) {
            IllegalStateException cause = new IllegalStateException("originalRequest is a proxy request for: [" + unwrapped + "] but action: [" + action + "] isn't");
            this.auditTrail.accessDenied(requestId, authentication, action, unwrapped, AuthorizationEngine.EmptyAuthorizationInfo.INSTANCE);
            throw denialException(authentication, action, cause);
        }
        return unwrapped;
    }

    /**
     * True for the system, _xpack and _xpack_security users; the legacy BWC _xpack user counts only when
     * the peer's version predates 5.6.1.
     */
    private boolean isInternalUser(User user, Version version) {
        if (SystemUser.is(user) || XPackUser.is(user) || XPackSecurityUser.is(user)) {
            return true;
        }
        return BwcXPackUser.is(user) && version.before(Version.V_5_6_1);
    }

    /**
     * Asks the authenticated user's engine whether the run-as is permitted. When the authentication has
     * no looked-up realm the answer is an immediate deny without consulting any engine.
     */
    private void authorizeRunAs(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authzInfo, ActionListener<AuthorizationEngine.AuthorizationResult> listener) {
        Authentication authentication = requestInfo.getAuthentication();
        if (authentication.getLookedUpBy() != null) {
            getRunAsAuthorizationEngine(authentication).authorizeRunAs(requestInfo, authzInfo, listener);
        } else {
            listener.onResponse(AuthorizationEngine.AuthorizationResult.deny());
        }
    }

    /**
     * Authorizes each item of a {@link BulkShardRequest} on its own after the shard-level request has been accepted,
     * so that a single bulk request cannot carry writes to indices, or with operations, the caller is not granted.
     * <p>
     * The work is chained through two asynchronous suppliers: {@code asyncSupplier2} first yields the names of the
     * indices the caller is authorized for, then {@code asyncSupplier} yields the indices the shard-level request
     * resolved to. Every item is then resolved with the authorized-index list and must name exactly one local index
     * that is also in the shard-level set; items are grouped by the action their op type maps to
     * ({@link #getAction(BulkItemRequest)}) and one {@code authorizeIndexAction} call is made per distinct action.
     * Items not granted for their index are audited as {@code ACCESS_DENIED} and aborted individually; the listener
     * is completed with {@code null} once every item has been checked.
     * <p>
     * Parameter and local names are decompiler-generated; the meanings below are taken from how each is used.
     *
     * @param requestInfo         the authentication and the {@link BulkShardRequest} being authorized
     * @param authorizationInfo   caller's authorization info, handed to the engine and recorded on denial audit events
     * @param authorizationEngine engine used for the per-action index authorization
     * @param asyncSupplier       supplies the {@link ResolvedIndices} of the shard-level request
     * @param asyncSupplier2      supplies the list of index names the caller is authorized for
     * @param metaData            cluster metadata used for index and alias resolution
     * @param str                 identifier recorded as the first field of denial audit events (presumably the
     *                            request id — confirm against the audit trail signature)
     * @param actionListener      completed with {@code null} on success; failures of either supplier, of the
     *                            per-action authorization, or of the resolution checks are routed to its
     *                            {@code onFailure} (the wrapping by {@code ActionListener.wrap} forwards exceptions
     *                            thrown inside the consumers)
     */
    private void authorizeBulkItems(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, AuthorizationEngine authorizationEngine, AuthorizationEngine.AsyncSupplier<ResolvedIndices> asyncSupplier, AuthorizationEngine.AsyncSupplier<List<String>> asyncSupplier2, MetaData metaData, String str, ActionListener<Void> actionListener) {
        Authentication authentication = requestInfo.getAuthentication();
        BulkShardRequest request = requestInfo.getRequest();
        // item index name -> the single local index it resolved to; shared by every item naming the same index
        HashMap hashMap = new HashMap();
        // action name -> resolved indices that action is performed on; one authorization call is made per entry
        HashMap hashMap2 = new HashMap();
        // Stage 1: runs once the caller's authorized index names are available.
        CheckedConsumer checkedConsumer = list -> {
            // Stage 2: runs once the shard-level request's resolved indices are available.
            CheckedConsumer checkedConsumer2 = resolvedIndices -> {
                // Every item must land in one of these local indices; anything else is rejected below.
                HashSet hashSet = new HashSet(resolvedIndices.getLocal());
                for (BulkItemRequest bulkItemRequest : request.items()) {
                    // Each distinct item index name is resolved and checked only on first sight.
                    String str2 = (String) hashMap.computeIfAbsent(bulkItemRequest.index(), str3 -> {
                        ResolvedIndices resolveIndicesAndAliases = this.indicesAndAliasesResolver.resolveIndicesAndAliases(bulkItemRequest.request(), metaData, list);
                        // A bulk item may never target a remote cluster.
                        if (resolveIndicesAndAliases.getRemote().size() != 0) {
                            throw illegalArgument("Bulk item should not write to remote indices, but request writes to " + String.join(",", resolveIndicesAndAliases.getRemote()));
                        }
                        // ...nor expand to zero or several local indices.
                        if (resolveIndicesAndAliases.getLocal().size() != 1) {
                            throw illegalArgument("Bulk item should write to exactly 1 index, but request writes to " + String.join(",", resolveIndicesAndAliases.getLocal()));
                        }
                        // Decompiler artifact: this local reuses the (unused) lambda parameter's name.
                        String str3 = (String) resolveIndicesAndAliases.getLocal().get(0);
                        // The resolved index must be one of the indices the shard-level request resolved to.
                        if (hashSet.contains(str3)) {
                            return str3;
                        }
                        throw illegalArgument("Found bulk item that writes to index " + str3 + " but the request writes to " + hashSet);
                    });
                    // Group by action so each distinct action is authorized once across all the indices it touches.
                    hashMap2.compute(getAction(bulkItemRequest), (str4, set) -> {
                        Set hashSet2 = set != null ? set : new HashSet();
                        hashSet2.add(str2);
                        return hashSet2;
                    });
                }
                // Stage 3: all per-action results have arrived; apply them item by item.
                CheckedConsumer checkedConsumer3 = collection -> {
                    // action name -> the IndicesAccessControl the engine returned for that action
                    HashMap hashMap3 = new HashMap();
                    // Set when any result is auditable, but not read again in this method as decompiled — confirm
                    // against upstream whether a granted-access audit event was meant to follow.
                    AtomicBoolean atomicBoolean = new AtomicBoolean(false);
                    collection.forEach(tuple -> {
                        // Exactly one result per action is expected; a duplicate points at a grouping bug above.
                        if (((IndicesAccessControl) hashMap3.putIfAbsent((String) tuple.v1(), ((AuthorizationEngine.IndexAuthorizationResult) tuple.v2()).getIndicesAccessControl())) != null) {
                            throw new IllegalStateException("a value already exists for action " + ((String) tuple.v1()));
                        }
                        if (((AuthorizationEngine.IndexAuthorizationResult) tuple.v2()).isAuditable()) {
                            atomicBoolean.set(true);
                        }
                    });
                    for (BulkItemRequest bulkItemRequest2 : request.items()) {
                        String str5 = (String) hashMap.get(bulkItemRequest2.index());
                        String action = getAction(bulkItemRequest2);
                        IndicesAccessControl.IndexAccessControl indexPermissions = ((IndicesAccessControl) hashMap3.get(action)).getIndexPermissions(str5);
                        // Fail closed per item: no entry for the index and an explicit non-grant both deny.
                        if (indexPermissions == null || !indexPermissions.isGranted()) {
                            // Only the denied item is audited and aborted; the rest of the bulk request still proceeds.
                            this.auditTrail.explicitIndexAccessEvent(str, AuditLevel.ACCESS_DENIED, authentication, action, str5, bulkItemRequest2.getClass().getSimpleName(), request.remoteAddress(), authorizationInfo);
                            bulkItemRequest2.abort(str5, denialException(authentication, action, null));
                        }
                    }
                    actionListener.onResponse((Object) null);
                };
                // The requireNonNull calls in this method are what the decompiler emits for bound method references.
                Objects.requireNonNull(actionListener);
                // Collects one result per distinct action, then hands the batch to stage 3 with the thread context preserved.
                ContextPreservingActionListener wrapPreservingContext = ContextPreservingActionListener.wrapPreservingContext(new GroupedActionListener(ActionListener.wrap(checkedConsumer3, actionListener::onFailure), hashMap2.size(), Collections.emptyList()), this.threadContext);
                hashMap2.forEach((str5, set2) -> {
                    // Re-issue the request info under the item action instead of the shard-level action.
                    AuthorizationEngine.RequestInfo requestInfo2 = new AuthorizationEngine.RequestInfo(requestInfo.getAuthentication(), requestInfo.getRequest(), str5);
                    // The engine only sees the local indices this action touches; no remote indices are passed.
                    AuthorizationEngine.AsyncSupplier asyncSupplier3 = actionListener2 -> {
                        actionListener2.onResponse(new ResolvedIndices(new ArrayList(set2), Collections.emptyList()));
                    };
                    SortedMap aliasAndIndexLookup = metaData.getAliasAndIndexLookup();
                    // Each engine result is tagged with its action so stage 3 can map it back.
                    CheckedConsumer checkedConsumer4 = indexAuthorizationResult -> {
                        wrapPreservingContext.onResponse(new Tuple(str5, indexAuthorizationResult));
                    };
                    Objects.requireNonNull(wrapPreservingContext);
                    authorizationEngine.authorizeIndexAction(requestInfo2, authorizationInfo, asyncSupplier3, aliasAndIndexLookup, ActionListener.wrap(checkedConsumer4, wrapPreservingContext::onFailure));
                });
            };
            Objects.requireNonNull(actionListener);
            asyncSupplier.getAsync(ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
        };
        Objects.requireNonNull(actionListener);
        asyncSupplier2.getAsync(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /**
     * Builds the exception for a bulk item that fails one of the resolution checks.
     * <p>
     * With assertions enabled (test and development runs) the condition is treated as a
     * programming error and an {@link AssertionError} is thrown right here instead; with
     * assertions disabled the {@link IllegalArgumentException} is returned for the caller
     * to throw.
     *
     * @param str the message describing the violated check
     * @return the exception to throw, when assertions are disabled
     * @throws AssertionError when assertions are enabled
     */
    private static IllegalArgumentException illegalArgument(String str) {
        if (!$assertionsDisabled) {
            throw new AssertionError(str);
        }
        return new IllegalArgumentException(str);
    }

    /**
     * Maps a bulk item's write operation type to the action name it is authorized as:
     * two of the op types share the index action, the other two have their own
     * update and delete actions.
     * <p>
     * The lookup goes through the decompiler-synthesized {@code $SwitchMap} table, whose
     * ordinal-to-case numbering is not visible in this file; the case numbers are kept
     * exactly as found.
     *
     * @param bulkItemRequest the item whose op type is inspected
     * @return the action name for the item's op type
     * @throws IllegalArgumentException for an op type outside the four known cases
     */
    private static String getAction(BulkItemRequest bulkItemRequest) {
        DocWriteRequest request = bulkItemRequest.request();
        int opCase = AnonymousClass1.$SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[request.opType().ordinal()];
        if (opCase == 1 || opCase == 2) {
            return "indices:data/write/index";
        }
        if (opCase == 3) {
            return "indices:data/write/update";
        }
        if (opCase == 4) {
            return "indices:data/write/delete";
        }
        throw new IllegalArgumentException("No equivalent action for opType [" + request.opType() + "]");
    }

    /**
     * Resolves the indices a request targets and delivers the result synchronously to the listener.
     *
     * @param transportRequest the request whose index expressions are resolved
     * @param metaData         cluster metadata used for resolution
     * @param list             index names the caller is authorized for
     * @param actionListener   receives the resolved indices; any exception from the resolver
     *                         propagates to the caller rather than reaching {@code onFailure}
     */
    private void resolveIndexNames(TransportRequest transportRequest, MetaData metaData, List<String> list, ActionListener<ResolvedIndices> actionListener) {
        ResolvedIndices resolved = this.indicesAndAliasesResolver.resolve(transportRequest, metaData, list);
        actionListener.onResponse(resolved);
    }

    /**
     * Stores {@code obj} under {@code str} in the thread context's transient map only when
     * nothing is stored there yet; an existing value is never overwritten.
     *
     * @param str the transient key
     * @param obj the value to store when the key is absent
     */
    private void putTransientIfNonExisting(String str, Object obj) {
        Object existing = this.threadContext.getTransient(str);
        if (existing != null) {
            return;
        }
        this.threadContext.putTransient(str, obj);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds the exception reported to a caller whose action was denied.
     * <p>
     * For the anonymous user, when anonymous access is enabled and the
     * anonymous-authorization-exception flag is off, the failure handler's
     * authentication-required response is returned instead, so the client is asked to
     * authenticate rather than told it is forbidden. In every other case an
     * authorization error is produced, naming the run-as user as well when the
     * effective user is a run-as user; the same text is logged at debug level.
     *
     * @param authentication the authentication of the denied request
     * @param str            the action name that was denied
     * @param exc            underlying cause attached to the authorization error; may be {@code null}
     * @return the exception to report to the caller
     */
    public ElasticsearchSecurityException denialException(Authentication authentication, String str, Exception exc) {
        User authenticatedUser = authentication.getUser().authenticatedUser();
        boolean challengeInsteadOfDeny = this.isAnonymousEnabled
            && this.anonymousUser.equals(authenticatedUser)
            && !this.anonymousAuthzExceptionEnabled;
        if (challengeInsteadOfDeny) {
            return this.authcFailureHandler.authenticationRequired(str, this.threadContext);
        }
        String authenticatedPrincipal = authenticatedUser.principal();
        if (!authentication.getUser().isRunAs()) {
            logger.debug("action [{}] is unauthorized for user [{}]", str, authenticatedPrincipal);
            return Exceptions.authorizationError("action [{}] is unauthorized for user [{}]", exc, new Object[]{str, authenticatedPrincipal});
        }
        String runAsPrincipal = authentication.getUser().principal();
        logger.debug("action [{}] is unauthorized for user [{}] run as [{}]", str, authenticatedPrincipal, runAsPrincipal);
        return Exceptions.authorizationError("action [{}] is unauthorized for user [{}] run as [{}]", exc, new Object[]{str, authenticatedPrincipal, runAsPrincipal});
    }

    /**
     * Registers this service's node settings with the given list.
     *
     * @param list the settings list being assembled; receives the anonymous authorization exception setting
     */
    public static void addSettings(List<Setting<?>> list) {
        Collections.addAll(list, ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING);
    }

    static {
        // Mirrors the JVM's assertion status for this class; consulted by illegalArgument.
        $assertionsDisabled = !AuthorizationService.class.desiredAssertionStatus();
        // Node-scoped, defaults to true. Presumably backs the anonymousAuthzExceptionEnabled flag read by
        // denialException, which decides whether anonymous users get an authorization error or an authentication
        // challenge — confirm in the constructor.
        ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING = Setting.boolSetting(SecurityField.setting("authc.anonymous.authz_exception"), true, Setting.Property.NodeScope);
        // Authorization info reported for internal system actions: a single "_system" role.
        SYSTEM_AUTHZ_INFO = () -> Collections.singletonMap(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME, new String[]{"_system"});
        logger = LogManager.getLogger(AuthorizationService.class);
    }
}
