package org.elasticsearch.xpack.security.authz;

import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.shard.SearchOperationListener;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.search.SearchContextMissingException;
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.search.internal.SearchContextId;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.class */
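/**
 * Ties a scroll context to the {@link Authentication} that created it and refuses to serve it to
 * anyone else.
 *
 * <p>On scroll creation the current authentication is stored on the scroll context; on every later
 * use the stored authentication is compared with the current one. A mismatch is audited as an
 * access denial and reported to the caller as a {@link SearchContextMissingException}, so the
 * response does not reveal whether the scroll id exists.
 *
 * <p>All checks are skipped while security is disabled by the license state.
 */
public final class SecuritySearchOperationListener implements SearchOperationListener {
    /** Scroll-context key under which the creating user's {@link Authentication} is kept. */
    private static final String AUTHENTICATION_KEY = "_xpack_security_authentication";

    private final SecurityContext securityContext;
    private final XPackLicenseState licenseState;
    private final AuditTrailService auditTrailService;

    /**
     * @param securityContext   source of the current thread's authentication and thread context
     * @param licenseState      decides whether security checks are active at all
     * @param auditTrailService receives the access-denied event when a user mismatch is detected
     */
    public SecuritySearchOperationListener(SecurityContext securityContext, XPackLicenseState licenseState,
                                           AuditTrailService auditTrailService) {
        this.securityContext = securityContext;
        this.licenseState = licenseState;
        this.auditTrailService = auditTrailService;
    }

    /**
     * Records the current authentication on a freshly created scroll context so that later
     * requests against it can be checked against the creating user.
     *
     * <p>Nothing is stored while security is disabled, which is why
     * {@link #ensureAuthenticatedUserIsSame} must tolerate a missing stored authentication.
     */
    public void onNewScrollContext(SearchContext searchContext) {
        if (this.licenseState.isSecurityEnabled()) {
            searchContext.scrollContext().putInContext(AUTHENTICATION_KEY, this.securityContext.getAuthentication());
        }
    }

    /**
     * Verifies that the user of the current request is the user that created the scroll context.
     * Non-scroll contexts are not checked.
     *
     * @throws SearchContextMissingException if the current user does not match the creating user
     */
    public void validateSearchContext(SearchContext searchContext, TransportRequest request) {
        if (this.licenseState.isSecurityEnabled() == false || searchContext.scrollContext() == null) {
            return;
        }
        final Authentication original = (Authentication) searchContext.scrollContext().getFromContext(AUTHENTICATION_KEY);
        final Authentication current = this.securityContext.getAuthentication();
        final ThreadContext threadContext = this.securityContext.getThreadContext();
        // The originating action and authorization info are taken from the thread context so the
        // audit event reflects the request that triggered this check, not the scroll internals.
        final String action = (String) threadContext.getTransient(AuthorizationService.ORIGINATING_ACTION_KEY);
        final AuthorizationEngine.AuthorizationInfo authorizationInfo =
            (AuthorizationEngine.AuthorizationInfo) threadContext.getTransient(AuthorizationService.AUTHORIZATION_INFO_KEY);
        ensureAuthenticatedUserIsSame(original, current, this.auditTrailService, searchContext.id(), action, request,
            AuditUtil.extractRequestId(threadContext), authorizationInfo);
    }

    /**
     * Checks that {@code current} denotes the same user as {@code original}; on mismatch audits an
     * access denial and throws.
     *
     * <p>"Same user" means the same principal authenticated (or looked up, for run-as) by a realm of
     * the same <em>type</em>. Realm names are deliberately not compared, so two realms of the same
     * type are treated as interchangeable here.
     *
     * <p>A {@code null} {@code original} (no authentication stored on the scroll context, e.g. the
     * scroll was created while security was disabled) is treated as a mismatch rather than allowed
     * to fail with a {@link NullPointerException}, so the scroll is denied and audited like any
     * other foreign scroll.
     *
     * @param original          authentication stored when the scroll context was created, may be {@code null}
     * @param current           authentication of the request now using the scroll context
     * @param auditTrailService audit sink for the denial
     * @param id                id of the search context being validated
     * @param action            originating action name, used for the audit event
     * @param request           the transport request being validated, used for the audit event
     * @param requestId         audit request id extracted from the thread context
     * @param authorizationInfo authorization info from the thread context, used for the audit event
     * @throws SearchContextMissingException if the users differ
     */
    static void ensureAuthenticatedUserIsSame(Authentication original, Authentication current,
                                              AuditTrailService auditTrailService, SearchContextId id, String action,
                                              TransportRequest request, String requestId,
                                              AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        // NOTE(review): `current` is assumed non-null here, as in the caller's original code — confirm.
        final boolean sameUser = original != null
            && original.getUser().principal().equals(current.getUser().principal())
            && effectiveRealmType(original).equals(effectiveRealmType(current));
        if (sameUser == false) {
            auditTrailService.get().accessDenied(requestId, current, action, request, authorizationInfo);
            throw new SearchContextMissingException(id);
        }
    }

    /**
     * Type of the realm that resolved the effective user: the looked-up realm for run-as
     * authentications, otherwise the authenticating realm.
     */
    private static String effectiveRealmType(Authentication authentication) {
        return authentication.getUser().isRunAs()
            ? authentication.getLookedUpBy().getType()
            : authentication.getAuthenticatedBy().getType();
    }
}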
