package org.elasticsearch.xpack.security.authz;

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.shard.SearchOperationListener;
import org.elasticsearch.search.SearchContextMissingException;
import org.elasticsearch.search.internal.ReaderContext;
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.search.internal.ShardSearchContextId;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.class */
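/**
 * Search operation listener that ties a scroll context to the authentication that created it.
 *
 * <p>When a scroll context is created, the current {@link Authentication} and the
 * {@link IndicesAccessControl} found in the thread context are stored on the
 * {@link ReaderContext}. On every later use of that scroll context the stored authentication is
 * compared with the authentication of the current request, and the stored access control is put
 * back into the thread context when the thread context has none.
 *
 * <p>Decompiler artifacts (the explicit {@code $assertionsDisabled} field with its static
 * initializer, and the inlined key literals) have been replaced by {@code assert} statements and
 * named constants; the key strings themselves are unchanged.
 */
public final class SecuritySearchOperationListener implements SearchOperationListener {
    // Context keys. The same literal is used to store a value in the reader context and to read it
    // back, so each key is declared once to keep both sides in sync.
    private static final String AUTHENTICATION_KEY = "_xpack_security_authentication";
    private static final String INDICES_PERMISSIONS_KEY = "_indices_permissions";
    private static final String ORIGINATING_ACTION_KEY = "_originating_action_name";
    private static final String AUTHORIZATION_INFO_KEY = "_authz_info";

    private final SecurityContext securityContext;
    private final AuditTrailService auditTrailService;

    /**
     * @param securityContext source of the current authentication and of the thread context
     * @param auditTrailService audit trail that receives an access-denied event when a scroll
     *     context is used by an authentication that may not access it
     */
    public SecuritySearchOperationListener(SecurityContext securityContext, AuditTrailService auditTrailService) {
        this.securityContext = securityContext;
        this.auditTrailService = auditTrailService;
    }

    /**
     * Records the creating authentication and its indices access control on a new scroll context.
     *
     * <p>The null check on the access control is an {@code assert}: with assertions disabled a
     * missing value is stored as {@code null} and is only rejected later, by
     * {@link #ensureIndicesAccessControlForScrollThreadContext(SearchContext)}.
     *
     * @param readerContext the newly created scroll reader context
     */
    public void onNewScrollContext(ReaderContext readerContext) {
        readerContext.putInContext(AUTHENTICATION_KEY, this.securityContext.getAuthentication());
        IndicesAccessControl indicesAccessControl =
            (IndicesAccessControl) this.securityContext.getThreadContext().getTransient(INDICES_PERMISSIONS_KEY);
        assert indicesAccessControl != null : "thread context does not contain index access control";
        readerContext.putInContext(INDICES_PERMISSIONS_KEY, indicesAccessControl);
    }

    /**
     * Checks that the current request may use the given reader context. Reader contexts without a
     * scroll context are not checked here.
     *
     * @param readerContext the reader context the request refers to
     * @param transportRequest the request being validated, passed on to the audit trail on denial
     * @throws SearchContextMissingException if the authentication stored on the scroll context
     *     cannot access resources of the current authentication
     */
    public void validateReaderContext(ReaderContext readerContext, TransportRequest transportRequest) {
        if (readerContext.scrollContext() == null) {
            return;
        }
        Authentication original = (Authentication) readerContext.getFromContext(AUTHENTICATION_KEY);
        Authentication current = this.securityContext.getAuthentication();
        ThreadContext threadContext = this.securityContext.getThreadContext();
        ensureAuthenticatedUserIsSame(
            original,
            current,
            this.auditTrailService,
            readerContext.id(),
            (String) threadContext.getTransient(ORIGINATING_ACTION_KEY),
            transportRequest,
            AuditUtil.extractRequestId(threadContext),
            (AuthorizationEngine.AuthorizationInfo) threadContext.getTransient(AUTHORIZATION_INFO_KEY)
        );
        // The thread context has no access control of its own: reuse the one captured when the
        // scroll context was created. This runs only after the authentication check above passed.
        if (this.securityContext.getThreadContext().getTransient(INDICES_PERMISSIONS_KEY) == null) {
            IndicesAccessControl scrollIndicesAccessControl =
                (IndicesAccessControl) readerContext.getFromContext(INDICES_PERMISSIONS_KEY);
            assert scrollIndicesAccessControl != null : "scroll does not contain index access control";
            this.securityContext.getThreadContext().putTransient(INDICES_PERMISSIONS_KEY, scrollIndicesAccessControl);
        }
    }

    /**
     * Rejects the fetch phase of a scroll search that has no indices access control.
     *
     * @param searchContext the search context about to enter the fetch phase
     */
    public void onPreFetchPhase(SearchContext searchContext) {
        ensureIndicesAccessControlForScrollThreadContext(searchContext);
    }

    /**
     * Rejects the query phase of a scroll search that has no indices access control.
     *
     * @param searchContext the search context about to enter the query phase
     */
    public void onPreQueryPhase(SearchContext searchContext) {
        ensureIndicesAccessControlForScrollThreadContext(searchContext);
    }

    /**
     * Fails closed when a scroll search is about to run without indices access control in the
     * thread context. Unlike the {@code assert} checks in this class, this check is always active.
     *
     * <p>NOTE(review): the exception message contains the request description and the search
     * source, so any log or response that carries this message also carries the query content.
     * Confirm that is acceptable wherever the message ends up.
     *
     * @param searchContext the search context to check
     * @throws ElasticsearchSecurityException if the search uses a scroll context and the thread
     *     context holds no indices access control
     */
    void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
        if (searchContext.readerContext().scrollContext() == null) {
            return;
        }
        IndicesAccessControl threadIndicesAccessControl =
            (IndicesAccessControl) this.securityContext.getThreadContext().getTransient(INDICES_PERMISSIONS_KEY);
        if (threadIndicesAccessControl == null) {
            throw new ElasticsearchSecurityException("Unexpected null indices access control for search context [" + searchContext.id() + "] for request [" + searchContext.request().getDescription() + "] with source [" + searchContext.source() + "]", new Object[0]);
        }
    }

    /**
     * Compares the authentication stored on a scroll context with the authentication of the
     * current request. On a mismatch an access-denied audit event is written first and the request
     * is then rejected.
     *
     * <p>The rejection is a {@link SearchContextMissingException}, i.e. the same exception type
     * that names a context id as missing; presumably this is so the caller cannot tell a context
     * owned by someone else from one that does not exist (confirm against callers).
     *
     * <p>{@code original} is dereferenced without a null check, so a scroll context that carries
     * no stored authentication fails with a {@link NullPointerException} instead of an audited
     * denial.
     *
     * @param original authentication stored when the scroll context was created
     * @param current authentication of the request now using the scroll context
     * @param auditTrailService audit trail that receives the access-denied event
     * @param id id of the scroll context, reported in the thrown exception
     * @param action originating action name, passed to the audit trail
     * @param request the request being validated, passed to the audit trail
     * @param requestId audit request id, passed to the audit trail
     * @param authorizationInfo authorization info of the current request, passed to the audit trail
     * @throws SearchContextMissingException if {@code original.canAccessResourcesOf(current)} is false
     */
    static void ensureAuthenticatedUserIsSame(Authentication original, Authentication current, AuditTrailService auditTrailService, ShardSearchContextId id, String action, TransportRequest request, String requestId, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (original.canAccessResourcesOf(current)) {
            return;
        }
        // Audit before throwing so the denial is recorded even though the caller only sees a
        // missing-context error.
        auditTrailService.get().accessDenied(requestId, current, action, request, authorizationInfo);
        throw new SearchContextMissingException(id);
    }
}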
