package org.elasticsearch.xpack.security.profile;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Clock;
import java.time.Instant;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.bulk.BulkAction;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.TransportSingleItemBulkWriteAction;
import org.elasticsearch.action.get.GetAction;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.search.SearchAction;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.action.update.UpdateAction;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.action.update.UpdateRequestBuilder;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.action.profile.Profile;
import org.elasticsearch.xpack.core.security.action.profile.UpdateProfileDataRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationContext;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.profile.ProfileDocument;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/profile/ProfileService.class */
public class ProfileService {
    private static final Logger logger;
    private static final String DOC_ID_PREFIX = "profile_";
    private final Settings settings;
    private final Clock clock;
    private final Client client;
    private final SecurityIndexManager profileIndex;
    private final ThreadPool threadPool;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument.class */
    public static final class VersionedDocument extends Record {
        private final ProfileDocument doc;
        private final long primaryTerm;
        private final long seqNo;

        VersionedDocument(ProfileDocument profileDocument, long j, long j2) {
            this.doc = profileDocument;
            this.primaryTerm = j;
            this.seqNo = j2;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public Profile toProfile(@Nullable String str) {
            return toProfile(str, Set.of());
        }

        Profile toProfile(@Nullable String str, @Nullable Set<String> set) {
            return new Profile(this.doc.uid(), this.doc.enabled(), this.doc.lastSynchronized(), this.doc.user().toProfileUser(str), this.doc.access(), (set == null || set.isEmpty()) ? Map.of() : (Map) XContentHelper.convertToMap(this.doc.applicationData(), false, XContentType.JSON, set, (Set) null).v2(), new Profile.VersionControl(this.primaryTerm, this.seqNo));
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, VersionedDocument.class), VersionedDocument.class, "doc;primaryTerm;seqNo", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->doc:Lorg/elasticsearch/xpack/security/profile/ProfileDocument;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->primaryTerm:J", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->seqNo:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, VersionedDocument.class), VersionedDocument.class, "doc;primaryTerm;seqNo", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->doc:Lorg/elasticsearch/xpack/security/profile/ProfileDocument;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->primaryTerm:J", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->seqNo:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, VersionedDocument.class, Object.class), VersionedDocument.class, "doc;primaryTerm;seqNo", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->doc:Lorg/elasticsearch/xpack/security/profile/ProfileDocument;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->primaryTerm:J", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->seqNo:J").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public ProfileDocument doc() {
            return this.doc;
        }

        public long primaryTerm() {
            return this.primaryTerm;
        }

        public long seqNo() {
            return this.seqNo;
        }
    }

    public ProfileService(Settings settings, Clock clock, Client client, SecurityIndexManager securityIndexManager, ThreadPool threadPool) {
        this.settings = settings;
        this.clock = clock;
        this.client = client;
        this.profileIndex = securityIndexManager;
        this.threadPool = threadPool;
    }

    public void getProfile(String str, @Nullable Set<String> set, ActionListener<Profile> actionListener) {
        getVersionedDocument(str, actionListener.map(versionedDocument -> {
            if (versionedDocument != null) {
                return versionedDocument.toProfile(null, set);
            }
            return null;
        }));
    }

    public void activateProfile(Authentication authentication, ActionListener<Profile> actionListener) {
        Subject effectiveSubject = AuthenticationContext.fromAuthentication(authentication).getEffectiveSubject();
        if (Subject.Type.USER != effectiveSubject.getType()) {
            actionListener.onFailure(new IllegalArgumentException("profile is supported for user only, but subject is a [" + effectiveSubject.getType().name().toLowerCase(Locale.ROOT) + "]"));
        } else {
            if (User.isInternal(effectiveSubject.getUser())) {
                actionListener.onFailure(new IllegalStateException("profile should not be created for internal user [" + effectiveSubject.getUser().principal() + "]"));
                return;
            }
            CheckedConsumer checkedConsumer = versionedDocument -> {
                if (versionedDocument == null) {
                    createNewProfile(effectiveSubject, actionListener);
                } else {
                    updateProfileForActivate(effectiveSubject, versionedDocument, actionListener);
                }
            };
            Objects.requireNonNull(actionListener);
            getVersionedDocument(authentication, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    public void updateProfileData(UpdateProfileDataRequest updateProfileDataRequest, ActionListener<AcknowledgedResponse> actionListener) {
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            jsonBuilder.startObject();
            jsonBuilder.field("user_profile");
            jsonBuilder.startObject();
            if (false == updateProfileDataRequest.getAccess().isEmpty()) {
                jsonBuilder.field("access", updateProfileDataRequest.getAccess());
            }
            if (false == updateProfileDataRequest.getData().isEmpty()) {
                jsonBuilder.field("application_data", updateProfileDataRequest.getData());
            }
            jsonBuilder.endObject();
            jsonBuilder.endObject();
            doUpdate(buildUpdateRequest(updateProfileDataRequest.getUid(), jsonBuilder, updateProfileDataRequest.getRefreshPolicy(), updateProfileDataRequest.getIfPrimaryTerm(), updateProfileDataRequest.getIfSeqNo()), actionListener.map(updateResponse -> {
                return AcknowledgedResponse.TRUE;
            }));
        } catch (IOException e) {
            actionListener.onFailure(e);
        }
    }

    private void getVersionedDocument(String str, ActionListener<VersionedDocument> actionListener) {
        tryFreezeAndCheckIndex(actionListener).ifPresent(securityIndexManager -> {
            GetRequest getRequest = new GetRequest(SecuritySystemIndices.SECURITY_PROFILE_ALIAS, uidToDocId(str));
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                GetAction getAction = GetAction.INSTANCE;
                CheckedConsumer checkedConsumer = getResponse -> {
                    if (false != getResponse.isExists()) {
                        actionListener.onResponse(new VersionedDocument(buildProfileDocument(getResponse.getSourceAsBytesRef()), getResponse.getPrimaryTerm(), getResponse.getSeqNo()));
                    } else {
                        logger.debug("profile with uid [{}] does not exist", str);
                        actionListener.onResponse((Object) null);
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", getAction, getRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        });
    }

    void getVersionedDocument(Authentication authentication, ActionListener<VersionedDocument> actionListener) {
        tryFreezeAndCheckIndex(actionListener).ifPresent(securityIndexManager -> {
            SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_PROFILE_ALIAS}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("user_profile.user.username", authentication.getUser().principal())).must(QueryBuilders.termQuery("user_profile.user.realm.name", authentication.getSourceRealm().getName()))).request();
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                SearchAction searchAction = SearchAction.INSTANCE;
                CheckedConsumer checkedConsumer = searchResponse -> {
                    SearchHit[] hits = searchResponse.getHits().getHits();
                    if (hits.length < 1) {
                        logger.debug("profile does not exist for username [{}] and realm name [{}]", authentication.getUser().principal(), authentication.getSourceRealm().getName());
                        actionListener.onResponse((Object) null);
                    } else if (hits.length == 1) {
                        SearchHit searchHit = hits[0];
                        actionListener.onResponse(new VersionedDocument(buildProfileDocument(searchHit.getSourceRef()), searchHit.getPrimaryTerm(), searchHit.getSeqNo()));
                    } else {
                        ParameterizedMessage parameterizedMessage = new ParameterizedMessage("multiple [{}] profiles [{}] found for user [{}]", new Object[]{Integer.valueOf(hits.length), Arrays.stream(hits).map((v0) -> {
                            return v0.getId();
                        }).map(this::docIdToUid).sorted().collect(Collectors.joining(",")), authentication.getUser().principal()});
                        logger.error(parameterizedMessage);
                        actionListener.onFailure(new ElasticsearchException(parameterizedMessage.getFormattedMessage(), new Object[0]));
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", searchAction, request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        });
    }

    private void createNewProfile(Subject subject, ActionListener<Profile> actionListener) throws IOException {
        ProfileDocument fromSubject = ProfileDocument.fromSubject(subject);
        String uidToDocId = uidToDocId(fromSubject.uid());
        BulkRequest singleItemBulkRequest = TransportSingleItemBulkWriteAction.toSingleItemBulkRequest(this.client.prepareIndex(SecuritySystemIndices.SECURITY_PROFILE_ALIAS).setId(uidToDocId).setSource(wrapProfileDocument(fromSubject)).setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL).request());
        SecurityIndexManager securityIndexManager = this.profileIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            Client client = this.client;
            BulkAction bulkAction = BulkAction.INSTANCE;
            CheckedConsumer checkedConsumer = indexResponse -> {
                if (!$assertionsDisabled && !uidToDocId.equals(indexResponse.getId())) {
                    throw new AssertionError();
                }
                actionListener.onResponse(new VersionedDocument(fromSubject, indexResponse.getPrimaryTerm(), indexResponse.getSeqNo()).toProfile(null));
            };
            Objects.requireNonNull(actionListener);
            ClientHelper.executeAsyncWithOrigin(client, "security", bulkAction, singleItemBulkRequest, TransportSingleItemBulkWriteAction.wrapBulkResponse(ActionListener.wrap(checkedConsumer, actionListener::onFailure)));
        });
    }

    private void updateProfileForActivate(Subject subject, VersionedDocument versionedDocument, ActionListener<Profile> actionListener) throws IOException {
        ProfileDocument updateWithSubject = updateWithSubject(versionedDocument.doc, subject);
        doUpdate(buildUpdateRequest(updateWithSubject.uid(), wrapProfileDocumentWithoutApplicationData(updateWithSubject), WriteRequest.RefreshPolicy.WAIT_UNTIL, versionedDocument.primaryTerm, versionedDocument.seqNo), actionListener.map(updateResponse -> {
            return new VersionedDocument(updateWithSubject, updateResponse.getPrimaryTerm(), updateResponse.getSeqNo()).toProfile(null);
        }));
    }

    private UpdateRequest buildUpdateRequest(String str, XContentBuilder xContentBuilder, WriteRequest.RefreshPolicy refreshPolicy, long j, long j2) {
        UpdateRequestBuilder refreshPolicy2 = this.client.prepareUpdate(SecuritySystemIndices.SECURITY_PROFILE_ALIAS, uidToDocId(str)).setDoc(xContentBuilder).setRefreshPolicy(refreshPolicy);
        if (j >= 0) {
            refreshPolicy2.setIfPrimaryTerm(j);
        }
        if (j2 >= 0) {
            refreshPolicy2.setIfSeqNo(j2);
        }
        return refreshPolicy2.request();
    }

    private void doUpdate(UpdateRequest updateRequest, ActionListener<UpdateResponse> actionListener) {
        SecurityIndexManager securityIndexManager = this.profileIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            Client client = this.client;
            UpdateAction updateAction = UpdateAction.INSTANCE;
            CheckedConsumer checkedConsumer = updateResponse -> {
                if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED && updateResponse.getResult() != DocWriteResponse.Result.NOOP) {
                    throw new AssertionError();
                }
                actionListener.onResponse(updateResponse);
            };
            Objects.requireNonNull(actionListener);
            ClientHelper.executeAsyncWithOrigin(client, "security", updateAction, updateRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        });
    }

    private String uidToDocId(String str) {
        return "profile_" + str;
    }

    private String docIdToUid(String str) {
        if (str == null || false == str.startsWith(DOC_ID_PREFIX)) {
            throw new IllegalStateException("profile document ID [" + str + "] has unexpected value");
        }
        return str.substring(DOC_ID_PREFIX.length());
    }

    ProfileDocument buildProfileDocument(BytesReference bytesReference) throws IOException {
        if (bytesReference == null) {
            throw new IllegalStateException("profile document did not have source but source should have been fetched");
        }
        XContentParser createParser = XContentHelper.createParser(XContentParserConfiguration.EMPTY, bytesReference, XContentType.JSON);
        try {
            ProfileDocument fromXContent = ProfileDocument.fromXContent(createParser);
            if (createParser != null) {
                createParser.close();
            }
            return fromXContent;
        } catch (Throwable th) {
            if (createParser != null) {
                try {
                    createParser.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private XContentBuilder wrapProfileDocument(ProfileDocument profileDocument) throws IOException {
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject();
        jsonBuilder.field("user_profile", profileDocument);
        jsonBuilder.endObject();
        return jsonBuilder;
    }

    private XContentBuilder wrapProfileDocumentWithoutApplicationData(ProfileDocument profileDocument) throws IOException {
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject();
        jsonBuilder.field("user_profile", profileDocument, new ToXContent.MapParams(Map.of("include_access", Boolean.FALSE.toString(), "include_data", Boolean.FALSE.toString())));
        jsonBuilder.endObject();
        return jsonBuilder;
    }

    private <T> Optional<SecurityIndexManager> tryFreezeAndCheckIndex(ActionListener<T> actionListener) {
        SecurityIndexManager freeze = this.profileIndex.freeze();
        if (false == freeze.indexExists()) {
            logger.debug("profile index does not exist");
            actionListener.onResponse((Object) null);
            return Optional.empty();
        }
        if (false != freeze.isAvailable()) {
            return Optional.of(freeze);
        }
        actionListener.onFailure(freeze.getUnavailableReason());
        return Optional.empty();
    }

    private ProfileDocument updateWithSubject(ProfileDocument profileDocument, Subject subject) {
        User user = subject.getUser();
        return new ProfileDocument(profileDocument.uid(), true, Instant.now().toEpochMilli(), new ProfileDocument.ProfileDocumentUser(user.principal(), Arrays.asList(user.roles()), subject.getRealm(), user.email(), user.fullName(), profileDocument.user().displayName(), user.enabled()), profileDocument.access(), profileDocument.applicationData());
    }

    static {
        $assertionsDisabled = !ProfileService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(ProfileService.class);
    }
}
