package org.elasticsearch.xpack.security;

import io.netty.handler.codec.http.HttpMethod;
import io.netty.handler.codec.http.HttpUtil;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Executor;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.IndexTemplateMetadata;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.node.DiscoveryNodes;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.CheckedBiConsumer;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.network.NetworkModule;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.IndexScopedSettings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsFilter;
import org.elasticsearch.common.ssl.KeyStoreUtil;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.NodeMetadata;
import org.elasticsearch.features.FeatureService;
import org.elasticsearch.http.HttpPreRequest;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.http.netty4.Netty4HttpServerTransport;
import org.elasticsearch.http.netty4.internal.HttpHeadersAuthenticatorUtils;
import org.elasticsearch.http.netty4.internal.HttpValidator;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.indices.SystemIndexDescriptor;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.ingest.Processor;
import org.elasticsearch.license.ClusterStateLicenseService;
import org.elasticsearch.license.License;
import org.elasticsearch.license.LicenseService;
import org.elasticsearch.license.LicensedFeature;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.plugins.ActionPlugin;
import org.elasticsearch.plugins.ClusterCoordinationPlugin;
import org.elasticsearch.plugins.ClusterPlugin;
import org.elasticsearch.plugins.ExtensiblePlugin;
import org.elasticsearch.plugins.IngestPlugin;
import org.elasticsearch.plugins.MapperPlugin;
import org.elasticsearch.plugins.NetworkPlugin;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.ReloadablePlugin;
import org.elasticsearch.plugins.SearchPlugin;
import org.elasticsearch.plugins.SystemIndexPlugin;
import org.elasticsearch.plugins.interceptor.RestServerActionPlugin;
import org.elasticsearch.reservedstate.ReservedClusterStateHandler;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestHeaderDefinition;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.search.internal.ShardSearchRequest;
import org.elasticsearch.telemetry.tracing.Tracer;
import org.elasticsearch.threadpool.ExecutorBuilder;
import org.elasticsearch.threadpool.FixedExecutorBuilder;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.netty4.AcceptChannelHandler;
import org.elasticsearch.transport.netty4.SharedGroupFactory;
import org.elasticsearch.transport.netty4.TLSConfig;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.action.XPackInfoFeatureAction;
import org.elasticsearch.xpack.core.action.XPackUsageFeatureAction;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.SecurityExtension;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.SecuritySettings;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheAction;
import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.apikey.BulkUpdateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.CreateCrossClusterApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.GetApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.GrantApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.UpdateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.UpdateCrossClusterApiKeyAction;
import org.elasticsearch.xpack.core.security.action.enrollment.KibanaEnrollmentAction;
import org.elasticsearch.xpack.core.security.action.enrollment.NodeEnrollmentAction;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectAuthenticateAction;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutAction;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.privilege.ClearPrivilegesCacheAction;
import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.privilege.PutPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.profile.ActivateProfileAction;
import org.elasticsearch.xpack.core.security.action.profile.GetProfilesAction;
import org.elasticsearch.xpack.core.security.action.profile.SetProfileEnabledAction;
import org.elasticsearch.xpack.core.security.action.profile.SuggestProfilesAction;
import org.elasticsearch.xpack.core.security.action.profile.UpdateProfileDataAction;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheAction;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheAction;
import org.elasticsearch.xpack.core.security.action.role.DeleteRoleAction;
import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlCompleteLogoutAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlInvalidateSessionAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlLogoutAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlPrepareAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlSpMetadataAction;
import org.elasticsearch.xpack.core.security.action.service.CreateServiceAccountTokenAction;
import org.elasticsearch.xpack.core.security.action.service.DeleteServiceAccountTokenAction;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountAction;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountCredentialsAction;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountNodesCredentialsAction;
import org.elasticsearch.xpack.core.security.action.settings.GetSecuritySettingsAction;
import org.elasticsearch.xpack.core.security.action.settings.UpdateSecuritySettingsAction;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenAction;
import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
import org.elasticsearch.xpack.core.security.action.user.AuthenticateAction;
import org.elasticsearch.xpack.core.security.action.user.ChangePasswordAction;
import org.elasticsearch.xpack.core.security.action.user.DeleteUserAction;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.GetUsersAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.ProfileHasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.PutUserAction;
import org.elasticsearch.xpack.core.security.action.user.SetEnabledAction;
import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
import org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.InternalRealmsSettings;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetBitsetCache;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexReaderWrapper;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.SimpleRole;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.core.ssl.TransportTLSBootstrapCheck;
import org.elasticsearch.xpack.core.ssl.action.GetCertificateInfoAction;
import org.elasticsearch.xpack.core.ssl.action.TransportGetCertificateInfoAction;
import org.elasticsearch.xpack.core.ssl.rest.RestGetCertificateInfoAction;
import org.elasticsearch.xpack.security.action.TransportClearSecurityCacheAction;
import org.elasticsearch.xpack.security.action.TransportDelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.security.action.apikey.TransportBulkUpdateApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportCreateApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportCreateCrossClusterApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportGetApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportGrantApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportInvalidateApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportQueryApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportUpdateApiKeyAction;
import org.elasticsearch.xpack.security.action.apikey.TransportUpdateCrossClusterApiKeyAction;
import org.elasticsearch.xpack.security.action.enrollment.TransportKibanaEnrollmentAction;
import org.elasticsearch.xpack.security.action.enrollment.TransportNodeEnrollmentAction;
import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectAuthenticateAction;
import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectLogoutAction;
import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.action.privilege.TransportClearPrivilegesCacheAction;
import org.elasticsearch.xpack.security.action.privilege.TransportDeletePrivilegesAction;
import org.elasticsearch.xpack.security.action.privilege.TransportGetBuiltinPrivilegesAction;
import org.elasticsearch.xpack.security.action.privilege.TransportGetPrivilegesAction;
import org.elasticsearch.xpack.security.action.privilege.TransportPutPrivilegesAction;
import org.elasticsearch.xpack.security.action.profile.TransportActivateProfileAction;
import org.elasticsearch.xpack.security.action.profile.TransportGetProfilesAction;
import org.elasticsearch.xpack.security.action.profile.TransportProfileHasPrivilegesAction;
import org.elasticsearch.xpack.security.action.profile.TransportSetProfileEnabledAction;
import org.elasticsearch.xpack.security.action.profile.TransportSuggestProfilesAction;
import org.elasticsearch.xpack.security.action.profile.TransportUpdateProfileDataAction;
import org.elasticsearch.xpack.security.action.realm.TransportClearRealmCacheAction;
import org.elasticsearch.xpack.security.action.role.TransportClearRolesCacheAction;
import org.elasticsearch.xpack.security.action.role.TransportDeleteRoleAction;
import org.elasticsearch.xpack.security.action.role.TransportGetRolesAction;
import org.elasticsearch.xpack.security.action.role.TransportPutRoleAction;
import org.elasticsearch.xpack.security.action.rolemapping.ReservedRoleMappingAction;
import org.elasticsearch.xpack.security.action.rolemapping.TransportDeleteRoleMappingAction;
import org.elasticsearch.xpack.security.action.rolemapping.TransportGetRoleMappingsAction;
import org.elasticsearch.xpack.security.action.rolemapping.TransportPutRoleMappingAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlAuthenticateAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlCompleteLogoutAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlInvalidateSessionAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlLogoutAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlSpMetadataAction;
import org.elasticsearch.xpack.security.action.service.TransportCreateServiceAccountTokenAction;
import org.elasticsearch.xpack.security.action.service.TransportDeleteServiceAccountTokenAction;
import org.elasticsearch.xpack.security.action.service.TransportGetServiceAccountAction;
import org.elasticsearch.xpack.security.action.service.TransportGetServiceAccountCredentialsAction;
import org.elasticsearch.xpack.security.action.service.TransportGetServiceAccountNodesCredentialsAction;
import org.elasticsearch.xpack.security.action.settings.TransportGetSecuritySettingsAction;
import org.elasticsearch.xpack.security.action.settings.TransportUpdateSecuritySettingsAction;
import org.elasticsearch.xpack.security.action.token.TransportCreateTokenAction;
import org.elasticsearch.xpack.security.action.token.TransportInvalidateTokenAction;
import org.elasticsearch.xpack.security.action.token.TransportRefreshTokenAction;
import org.elasticsearch.xpack.security.action.user.TransportAuthenticateAction;
import org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction;
import org.elasticsearch.xpack.security.action.user.TransportDeleteUserAction;
import org.elasticsearch.xpack.security.action.user.TransportGetUserPrivilegesAction;
import org.elasticsearch.xpack.security.action.user.TransportGetUsersAction;
import org.elasticsearch.xpack.security.action.user.TransportHasPrivilegesAction;
import org.elasticsearch.xpack.security.action.user.TransportPutUserAction;
import org.elasticsearch.xpack.security.action.user.TransportSetEnabledAction;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
import org.elasticsearch.xpack.security.authc.InternalRealms;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.authc.jwt.JwtRealm;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;
import org.elasticsearch.xpack.security.authc.service.CachingServiceAccountTokenStore;
import org.elasticsearch.xpack.security.authc.service.FileServiceAccountTokenStore;
import org.elasticsearch.xpack.security.authc.service.IndexServiceAccountTokenStore;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.DlsFlsRequestCacheDifferentiator;
import org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener;
import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
import org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.DlsFlsLicenseRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.SearchRequestCacheDisablingInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.SearchRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.ShardSearchRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.UpdateRequestInterceptor;
import org.elasticsearch.xpack.security.authz.restriction.WorkflowService;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
import org.elasticsearch.xpack.security.authz.store.DeprecationRoleDescriptorConsumer;
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.xpack.security.authz.store.NativePrivilegeStore;
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.xpack.security.authz.store.RoleProviders;
import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor;
import org.elasticsearch.xpack.security.operator.DefaultOperatorOnlyRegistry;
import org.elasticsearch.xpack.security.operator.FileOperatorUsersStore;
import org.elasticsearch.xpack.security.operator.OperatorOnlyRegistry;
import org.elasticsearch.xpack.security.operator.OperatorPrivileges;
import org.elasticsearch.xpack.security.profile.ProfileService;
import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
import org.elasticsearch.xpack.security.rest.SecurityRestFilter;
import org.elasticsearch.xpack.security.rest.action.RestAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.RestDelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestBulkUpdateApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestClearApiKeyCacheAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestCreateApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestCreateCrossClusterApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestGetApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestGrantApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestInvalidateApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestQueryApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestUpdateApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestUpdateCrossClusterApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.enrollment.RestKibanaEnrollAction;
import org.elasticsearch.xpack.security.rest.action.enrollment.RestNodeEnrollmentAction;
import org.elasticsearch.xpack.security.rest.action.oauth2.RestGetTokenAction;
import org.elasticsearch.xpack.security.rest.action.oauth2.RestInvalidateTokenAction;
import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectLogoutAction;
import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestClearPrivilegesCacheAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestDeletePrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestGetBuiltinPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestGetPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestPutPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.profile.RestActivateProfileAction;
import org.elasticsearch.xpack.security.rest.action.profile.RestDisableProfileAction;
import org.elasticsearch.xpack.security.rest.action.profile.RestEnableProfileAction;
import org.elasticsearch.xpack.security.rest.action.profile.RestGetProfilesAction;
import org.elasticsearch.xpack.security.rest.action.profile.RestSuggestProfilesAction;
import org.elasticsearch.xpack.security.rest.action.profile.RestUpdateProfileDataAction;
import org.elasticsearch.xpack.security.rest.action.realm.RestClearRealmCacheAction;
import org.elasticsearch.xpack.security.rest.action.role.RestClearRolesCacheAction;
import org.elasticsearch.xpack.security.rest.action.role.RestDeleteRoleAction;
import org.elasticsearch.xpack.security.rest.action.role.RestGetRolesAction;
import org.elasticsearch.xpack.security.rest.action.role.RestPutRoleAction;
import org.elasticsearch.xpack.security.rest.action.rolemapping.RestDeleteRoleMappingAction;
import org.elasticsearch.xpack.security.rest.action.rolemapping.RestGetRoleMappingsAction;
import org.elasticsearch.xpack.security.rest.action.rolemapping.RestPutRoleMappingAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlCompleteLogoutAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlInvalidateSessionAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlLogoutAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlSpMetadataAction;
import org.elasticsearch.xpack.security.rest.action.service.RestClearServiceAccountTokenStoreCacheAction;
import org.elasticsearch.xpack.security.rest.action.service.RestCreateServiceAccountTokenAction;
import org.elasticsearch.xpack.security.rest.action.service.RestDeleteServiceAccountTokenAction;
import org.elasticsearch.xpack.security.rest.action.service.RestGetServiceAccountAction;
import org.elasticsearch.xpack.security.rest.action.service.RestGetServiceAccountCredentialsAction;
import org.elasticsearch.xpack.security.rest.action.settings.RestGetSecuritySettingsAction;
import org.elasticsearch.xpack.security.rest.action.settings.RestUpdateSecuritySettingsAction;
import org.elasticsearch.xpack.security.rest.action.user.RestChangePasswordAction;
import org.elasticsearch.xpack.security.rest.action.user.RestDeleteUserAction;
import org.elasticsearch.xpack.security.rest.action.user.RestGetUserPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.user.RestGetUsersAction;
import org.elasticsearch.xpack.security.rest.action.user.RestHasPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.user.RestProfileHasPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.user.RestPutUserAction;
import org.elasticsearch.xpack.security.rest.action.user.RestSetEnabledAction;
import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry;
import org.elasticsearch.xpack.security.support.ExtensionComponents;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;
import org.elasticsearch.xpack.security.transport.RemoteClusterCredentialsResolver;
import org.elasticsearch.xpack.security.transport.SSLEngineUtils;
import org.elasticsearch.xpack.security.transport.SecurityHttpSettings;
import org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4ServerTransport;

/* loaded from: input_file:org/elasticsearch/xpack/security/Security.class */
public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin, ClusterCoordinationPlugin, MapperPlugin, ExtensiblePlugin, SearchPlugin, RestServerActionPlugin, ReloadablePlugin {
    // Name of the thread pool reserved for security cryptographic work; its registration is not in this view.
    public static final String SECURITY_CRYPTO_THREAD_POOL_NAME = "security-crypto";
    // Licensed features. All of these are assigned in the static initializer, which is outside this view.
    public static final LicensedFeature.Momentary IP_FILTERING_FEATURE;
    public static final LicensedFeature.Momentary AUDITING_FEATURE;
    public static final LicensedFeature.Momentary TOKEN_SERVICE_FEATURE;
    private static final String REALMS_FEATURE_FAMILY = "security-realms";
    public static final LicensedFeature.Persistent LDAP_REALM_FEATURE;
    public static final LicensedFeature.Persistent AD_REALM_FEATURE;
    public static final LicensedFeature.Persistent PKI_REALM_FEATURE;
    public static final LicensedFeature.Persistent SAML_REALM_FEATURE;
    public static final LicensedFeature.Persistent OIDC_REALM_FEATURE;
    public static final LicensedFeature.Persistent JWT_REALM_FEATURE;
    public static final LicensedFeature.Persistent KERBEROS_REALM_FEATURE;
    public static final LicensedFeature.Persistent CUSTOM_REALMS_FEATURE;
    public static final LicensedFeature.Momentary DELEGATED_AUTHORIZATION_FEATURE;
    public static final LicensedFeature.Momentary AUTHORIZATION_ENGINE_FEATURE;
    public static final LicensedFeature.Persistent CUSTOM_ROLE_PROVIDERS_FEATURE;
    public static final LicensedFeature.Momentary OPERATOR_PRIVILEGES_FEATURE;
    public static final LicensedFeature.Momentary USER_PROFILE_COLLABORATION_FEATURE;
    public static final LicensedFeature.Momentary ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE;
    private static final Logger logger;
    // Node settings given to the constructor; replaced by environment.settings() in createComponents(...).
    private Settings settings;
    // Value of XPackSettings.SECURITY_ENABLED. When false, createComponents(...) registers almost nothing.
    private final boolean enabled;
    private final SecuritySystemIndices systemIndices;
    // Completed once the node has started; used to defer initial auto-configuration work.
    private final ListenableFuture<Void> nodeStartedListenable;
    // Write-once holders. They are created empty in the constructor and populated in createComponents(...),
    // so any of them may still be unset if read before that method has run.
    private final SetOnce<TransportInterceptor> securityInterceptor;
    private final SetOnce<IPFilter> ipFilter;
    private final SetOnce<AuthenticationService> authcService;
    private final SetOnce<SecondaryAuthenticator> secondayAuthc;
    private final SetOnce<AuditTrailService> auditTrailService;
    private final SetOnce<SecurityContext> securityContext;
    private final SetOnce<ThreadContext> threadContext;
    private final SetOnce<TokenService> tokenService;
    private final SetOnce<SecurityActionFilter> securityActionFilter;
    private final SetOnce<CrossClusterAccessAuthenticationService> crossClusterAccessAuthcService;
    private final SetOnce<SharedGroupFactory> sharedGroupFactory;
    private final SetOnce<DocumentSubsetBitsetCache> dlsBitsetCache;
    // Empty list when security is disabled; TLS/realm checks otherwise (see createComponents(...)).
    private final SetOnce<List<BootstrapCheck>> bootstrapChecks;
    // Extensions may contribute realms, role providers, an authorization engine and a failure handler.
    private final List<SecurityExtension> securityExtensions;
    private final SetOnce<Transport> transportReference;
    private final SetOnce<ScriptService> scriptServiceReference;
    private final SetOnce<OperatorOnlyRegistry> operatorOnlyRegistry;
    private final SetOnce<OperatorPrivileges.OperatorPrivilegesService> operatorPrivilegesService;
    private final SetOnce<ReservedRoleMappingAction> reservedRoleMappingAction;
    private final SetOnce<WorkflowService> workflowService;
    private final SetOnce<Realms> realms;
    // Decompiler artifact: the synthetic flag javac generates to back 'assert' statements.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/Security$ValidateLicenseForFIPS.class */
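    /**
     * Validates, for a node in FIPS mode, that the cluster license permits FIPS 140 operation.
     * <p>
     * Presumably wired as a cluster-join validator (the class implements {@code ClusterCoordinationPlugin});
     * the node argument is not consulted, only the license is. When the configured {@link LicenseService}
     * is a {@link ClusterStateLicenseService} the license is read from the supplied cluster state, otherwise
     * the service's current license is used. A {@code null} license is accepted (nothing to validate yet).
     */
    static final class ValidateLicenseForFIPS implements BiConsumer<DiscoveryNode, ClusterState> {
        private final boolean inFipsMode;
        private final LicenseService licenseService;

        ValidateLicenseForFIPS(boolean inFipsMode, LicenseService licenseService) {
            this.inFipsMode = inFipsMode;
            this.licenseService = licenseService;
        }

        /**
         * @param discoveryNode the node being validated (unused)
         * @param clusterState the cluster state the license is read from when the service supports that
         * @throws IllegalStateException if FIPS mode is on and the license's operation mode does not allow it
         */
        @Override // java.util.function.BiConsumer
        public void accept(DiscoveryNode discoveryNode, ClusterState clusterState) {
            if (this.inFipsMode == false) {
                return;
            }
            // Pattern-matching instanceof replaces the decompiler's unchecked assignment of the
            // LicenseService to a ClusterStateLicenseService local, which does not compile as written.
            final License license = this.licenseService instanceof ClusterStateLicenseService clusterStateLicenseService
                ? clusterStateLicenseService.getLicense(clusterState.metadata())
                : this.licenseService.getLicense();
            if (license != null && XPackLicenseState.isFipsAllowedForOperationMode(license.operationMode()) == false) {
                throw new IllegalStateException(
                    "FIPS mode cannot be used with a [" + license.operationMode() + "] license. It is only allowed with a Platinum or Trial license."
                );
            }
        }
    }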

    /**
     * Creates the plugin with the given node settings and no {@link SecurityExtension}s.
     *
     * @param settings the node settings
     */
    public Security(Settings settings) {
        this(settings, List.of());
    }

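    /**
     * Creates the plugin with the given node settings and extensions.
     * <p>
     * When security is enabled, realm settings are validated and the FIPS checks run immediately (see
     * {@link #runStartupChecks}). When it is disabled, startup is refused if any remote-cluster credentials
     * are configured, because the error message states that security must be enabled to use them.
     *
     * @param settings the node settings
     * @param extensions extensions that may contribute realms, role providers and similar components
     * @throws IllegalArgumentException if security is disabled but remote-cluster credentials are configured
     */
    Security(Settings settings, List<SecurityExtension> extensions) {
        // Write-once holders; they are populated later in createComponents(...).
        this.securityInterceptor = new SetOnce<>();
        this.ipFilter = new SetOnce<>();
        this.authcService = new SetOnce<>();
        this.secondayAuthc = new SetOnce<>();
        this.auditTrailService = new SetOnce<>();
        this.securityContext = new SetOnce<>();
        this.threadContext = new SetOnce<>();
        this.tokenService = new SetOnce<>();
        this.securityActionFilter = new SetOnce<>();
        this.crossClusterAccessAuthcService = new SetOnce<>();
        this.sharedGroupFactory = new SetOnce<>();
        this.dlsBitsetCache = new SetOnce<>();
        this.bootstrapChecks = new SetOnce<>();
        this.securityExtensions = new ArrayList<>();
        this.transportReference = new SetOnce<>();
        this.scriptServiceReference = new SetOnce<>();
        this.operatorOnlyRegistry = new SetOnce<>();
        this.operatorPrivilegesService = new SetOnce<>();
        this.reservedRoleMappingAction = new SetOnce<>();
        this.workflowService = new SetOnce<>();
        this.realms = new SetOnce<>();
        this.settings = settings;
        this.enabled = XPackSettings.SECURITY_ENABLED.get(settings);
        this.systemIndices = new SecuritySystemIndices(settings);
        this.nodeStartedListenable = new ListenableFuture<>();
        if (this.enabled) {
            runStartupChecks(settings);
            Automatons.updateConfiguration(settings);
        } else {
            // Fail fast: remote-cluster credentials in the keystore are a misconfiguration when security is off.
            final List<String> remoteClusterCredentialKeys = RemoteClusterService.REMOTE_CLUSTER_CREDENTIALS
                .getAllConcreteSettings(settings)
                .map(Setting::getKey)
                .sorted()
                .toList();
            if (remoteClusterCredentialKeys.isEmpty() == false) {
                throw new IllegalArgumentException(
                    Strings.format(
                        "Found [%s] remote clusters with credentials [%s]. Security [%s] must be enabled to connect to them. Please either enable security or remove these settings from the keystore.",
                        remoteClusterCredentialKeys.size(),
                        org.elasticsearch.common.Strings.collectionToCommaDelimitedString(remoteClusterCredentialKeys),
                        XPackSettings.SECURITY_ENABLED.getKey()
                    )
                );
            }
            // No components are created when disabled, so there is nothing to bootstrap-check.
            this.bootstrapChecks.set(Collections.emptyList());
        }
        this.securityExtensions.addAll(extensions);
    }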

    /**
     * Validates realm configuration and, if FIPS mode is enabled, the FIPS-specific constraints.
     * Called from the constructor, before any component exists.
     *
     * @param settings the node settings
     */
    private static void runStartupChecks(Settings settings) {
        validateRealmSettings(settings);
        final boolean fipsModeEnabled = XPackSettings.FIPS_MODE_ENABLED.get(settings);
        if (fipsModeEnabled) {
            validateForFips(settings);
        }
    }

    /**
     * Returns the clock handed to time-sensitive components in {@code createComponents} (the service-account
     * token store and the profile service). Protected so a subclass can substitute a different clock.
     */
    protected Clock getClock() {
        return Clock.systemUTC();
    }

    /** Returns the SSL service shared across X-Pack plugins; protected so a subclass can substitute one. */
    protected SSLService getSslService() {
        return XPackPlugin.getSharedSslService();
    }

    /** Returns the license service shared across X-Pack plugins; protected so a subclass can substitute one. */
    protected LicenseService getLicenseService() {
        return XPackPlugin.getSharedLicenseService();
    }

    /**
     * Returns the license state shared across X-Pack plugins. Several components created in
     * {@code createComponents} register listeners on it; protected so a subclass can substitute one.
     */
    protected XPackLicenseState getLicenseState() {
        return XPackPlugin.getSharedLicenseState();
    }

    /**
     * Plugin entry point: unpacks the {@link Plugin.PluginServices} and delegates to the package-private
     * overload that does the actual wiring.
     *
     * @param pluginServices the services supplied by the node
     * @return the components the node should register
     * @throws IllegalStateException wrapping any failure of security initialization
     */
    public Collection<?> createComponents(Plugin.PluginServices pluginServices) {
        try {
            final NodeMetadata nodeMetadata = pluginServices.nodeEnvironment().nodeMetadata();
            return createComponents(
                pluginServices.client(),
                pluginServices.threadPool(),
                pluginServices.clusterService(),
                pluginServices.featureService(),
                pluginServices.resourceWatcherService(),
                pluginServices.scriptService(),
                pluginServices.xContentRegistry(),
                pluginServices.environment(),
                nodeMetadata,
                pluginServices.indexNameExpressionResolver()
            );
        } catch (Exception initializationFailure) {
            throw new IllegalStateException("security initialization failed", initializationFailure);
        }
    }

    /**
     * Wires up every security component for an enabled node and returns those the node should register.
     * <p>
     * Statement order matters: the later components (authentication, authorization, the transport
     * interceptor and the action filter) receive the earlier ones (stores, realms, caches, audit trail)
     * as constructor arguments, and several of them subscribe here to security-index state changes or
     * license changes.
     *
     * @return the components to register; when security is disabled, only a {@link SecurityUsageServices}
     *         with no backing services
     * @throws Exception if any component fails to initialize (the public overload wraps this)
     * @throws IllegalArgumentException if two extensions register the same realm type
     */
    Collection<Object> createComponents(Client client, ThreadPool threadPool, ClusterService clusterService, FeatureService featureService, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry namedXContentRegistry, Environment environment, NodeMetadata nodeMetadata, IndexNameExpressionResolver indexNameExpressionResolver) throws Exception {
        logger.info("Security is {}", this.enabled ? "enabled" : "disabled");
        if (!this.enabled) {
            // Disabled: only a usage reporter with no services, nothing that would enforce anything.
            return Collections.singletonList(new SecurityUsageServices(null, null, null, null, null, null));
        }
        // From here on the environment's settings are authoritative (the constructor saw the node settings).
        this.settings = environment.settings();
        this.systemIndices.init(client, clusterService);
        this.scriptServiceReference.set(scriptService);
        // Bootstrap checks (named for what they verify), plus whatever the internal realms require.
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(Arrays.asList(new TokenSSLBootstrapCheck(), new PkiRealmBootstrapCheck(getSslService()), new SecurityImplicitBehaviorBootstrapCheck(nodeMetadata, getLicenseService()), new TransportTLSBootstrapCheck()));
        arrayList.addAll(InternalRealms.getBootstrapChecks(this.settings, environment));
        this.bootstrapChecks.set(Collections.unmodifiableList(arrayList));
        this.threadContext.set(threadPool.getThreadContext());
        // arrayList2 accumulates the components handed back to the node.
        ArrayList arrayList2 = new ArrayList();
        this.securityContext.set(new SecurityContext(this.settings, threadPool.getThreadContext()));
        arrayList2.add(this.securityContext.get());
        this.workflowService.set(new WorkflowService());
        RestrictedIndices restrictedIndices = new RestrictedIndices(indexNameExpressionResolver);
        // The logging audit trail only exists when auditing is enabled; AuditTrailService handles the null.
        AuditTrailService auditTrailService = new AuditTrailService(((Boolean) XPackSettings.AUDIT_ENABLED.get(this.settings)).booleanValue() ? new LoggingAuditTrail(this.settings, clusterService, threadPool) : null, getLicenseState());
        arrayList2.add(auditTrailService);
        this.auditTrailService.set(auditTrailService);
        // NOTE(review): TokenService (here) and ApiKeyService (below) take Clock.systemUTC() directly,
        // while IndexServiceAccountTokenStore and ProfileService take the overridable getClock() — confirm
        // whether the difference is intentional.
        TokenService tokenService = new TokenService(this.settings, Clock.systemUTC(), client, getLicenseState(), (SecurityContext) this.securityContext.get(), this.systemIndices.getMainIndexManager(), this.systemIndices.getTokenIndexManager(), clusterService);
        this.tokenService.set(tokenService);
        arrayList2.add(tokenService);
        NativeUsersStore nativeUsersStore = new NativeUsersStore(this.settings, client, this.systemIndices.getMainIndexManager());
        NativeRoleMappingStore nativeRoleMappingStore = new NativeRoleMappingStore(this.settings, client, this.systemIndices.getMainIndexManager(), scriptService);
        AnonymousUser anonymousUser = new AnonymousUser(this.settings);
        arrayList2.add(anonymousUser);
        ReservedRealm reservedRealm = new ReservedRealm(environment, this.settings, nativeUsersStore, anonymousUser, threadPool);
        ExtensionComponents extensionComponents = new ExtensionComponents(environment, client, clusterService, resourceWatcherService, nativeRoleMappingStore);
        // Realm factories keyed by realm type: the built-in ones first, then each extension's. A type
        // registered twice (by an extension or colliding with a built-in) is rejected.
        HashMap hashMap = new HashMap(InternalRealms.getFactories(threadPool, this.settings, resourceWatcherService, getSslService(), nativeUsersStore, nativeRoleMappingStore, this.systemIndices.getMainIndexManager()));
        Iterator<SecurityExtension> it = this.securityExtensions.iterator();
        while (it.hasNext()) {
            for (Map.Entry entry : it.next().getRealms(extensionComponents).entrySet()) {
                if (hashMap.put((String) entry.getKey(), (Realm.Factory) entry.getValue()) != null) {
                    throw new IllegalArgumentException("Realm type [" + ((String) entry.getKey()) + "] is already registered");
                }
            }
        }
        Realms realms = new Realms(this.settings, environment, hashMap, getLicenseState(), threadPool.getThreadContext(), reservedRealm);
        arrayList2.add(nativeUsersStore);
        arrayList2.add(nativeRoleMappingStore);
        arrayList2.add(realms);
        arrayList2.add(reservedRealm);
        this.realms.set(realms);
        // The Objects.requireNonNull(x) before each x::method below is the null check javac emits for a
        // bound method reference; the decompiler rendered it as a separate statement.
        SecurityIndexManager mainIndexManager = this.systemIndices.getMainIndexManager();
        Objects.requireNonNull(nativeRoleMappingStore);
        mainIndexManager.addStateListener(nativeRoleMappingStore::onSecurityIndexStateChange);
        // Cache invalidation: "service" is an alias covering both service-account token caches.
        CacheInvalidatorRegistry cacheInvalidatorRegistry = new CacheInvalidatorRegistry();
        cacheInvalidatorRegistry.registerAlias("service", Set.of("file_service_account_token", "index_service_account_token"));
        arrayList2.add(cacheInvalidatorRegistry);
        SecurityIndexManager mainIndexManager2 = this.systemIndices.getMainIndexManager();
        Objects.requireNonNull(cacheInvalidatorRegistry);
        mainIndexManager2.addStateListener(cacheInvalidatorRegistry::onSecurityIndexStateChange);
        NativePrivilegeStore nativePrivilegeStore = new NativePrivilegeStore(this.settings, client, this.systemIndices.getMainIndexManager(), cacheInvalidatorRegistry, clusterService);
        arrayList2.add(nativePrivilegeStore);
        // Only the reserved roles listed in INCLUDED_RESERVED_ROLES_SETTING are made available.
        ReservedRolesStore reservedRolesStore = new ReservedRolesStore(Set.copyOf((Collection) ReservedRolesStore.INCLUDED_RESERVED_ROLES_SETTING.get(this.settings)));
        this.dlsBitsetCache.set(new DocumentSubsetBitsetCache(this.settings, threadPool));
        FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(this.settings);
        FileRolesStore fileRolesStore = new FileRolesStore(this.settings, environment, resourceWatcherService, getLicenseState(), namedXContentRegistry);
        NativeRolesStore nativeRolesStore = new NativeRolesStore(this.settings, client, getLicenseState(), this.systemIndices.getMainIndexManager(), clusterService);
        RoleDescriptor.setFieldPermissionsCache(fieldPermissionsCache);
        // Custom role providers per extension, in extension order (LinkedHashMap); empty providers are skipped.
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        for (SecurityExtension securityExtension : this.securityExtensions) {
            List rolesProviders = securityExtension.getRolesProviders(extensionComponents);
            if (rolesProviders != null && !rolesProviders.isEmpty()) {
                linkedHashMap.put(securityExtension.extensionName(), rolesProviders);
            }
        }
        ApiKeyService apiKeyService = new ApiKeyService(this.settings, Clock.systemUTC(), client, this.systemIndices.getMainIndexManager(), clusterService, cacheInvalidatorRegistry, threadPool);
        arrayList2.add(apiKeyService);
        IndexServiceAccountTokenStore indexServiceAccountTokenStore = new IndexServiceAccountTokenStore(this.settings, threadPool, getClock(), client, this.systemIndices.getMainIndexManager(), clusterService, cacheInvalidatorRegistry);
        arrayList2.add(indexServiceAccountTokenStore);
        FileServiceAccountTokenStore fileServiceAccountTokenStore = new FileServiceAccountTokenStore(environment, resourceWatcherService, threadPool, clusterService, cacheInvalidatorRegistry);
        arrayList2.add(fileServiceAccountTokenStore);
        ServiceAccountService serviceAccountService = new ServiceAccountService(client, fileServiceAccountTokenStore, indexServiceAccountTokenStore);
        arrayList2.add(serviceAccountService);
        // The composite store resolves effective roles from reserved, file, native and extension providers.
        CompositeRolesStore compositeRolesStore = new CompositeRolesStore(this.settings, new RoleProviders(reservedRolesStore, fileRolesStore, nativeRolesStore, linkedHashMap, getLicenseState()), nativePrivilegeStore, threadPool.getThreadContext(), getLicenseState(), fieldPermissionsCache, apiKeyService, serviceAccountService, (DocumentSubsetBitsetCache) this.dlsBitsetCache.get(), restrictedIndices, new DeprecationRoleDescriptorConsumer(clusterService, threadPool), (WorkflowService) this.workflowService.get());
        SecurityIndexManager mainIndexManager3 = this.systemIndices.getMainIndexManager();
        Objects.requireNonNull(compositeRolesStore);
        mainIndexManager3.addStateListener(compositeRolesStore::onSecurityIndexStateChange);
        Settings settings = this.settings;
        Clock clock = getClock();
        SecurityIndexManager profileIndexManager = this.systemIndices.getProfileIndexManager();
        Objects.requireNonNull(realms);
        ProfileService profileService = new ProfileService(settings, clock, client, profileIndexManager, clusterService, featureService, realms::getDomainConfig);
        arrayList2.add(profileService);
        // Initial auto-configuration (enrollment tokens / elastic credentials) is deferred until the node
        // has started: the supplied runnable is queued on nodeStartedListenable rather than run now.
        InitialNodeSecurityAutoConfiguration.maybeGenerateEnrollmentTokensAndElasticCredentialsOnNodeStartup(nativeUsersStore, this.systemIndices.getMainIndexManager(), getSslService(), client, environment, runnable -> {
            this.nodeStartedListenable.addListener(ActionListener.running(runnable));
        }, threadPool);
        // Every license state change invalidates the whole composite role store.
        XPackLicenseState licenseState = getLicenseState();
        Objects.requireNonNull(compositeRolesStore);
        licenseState.addListener(compositeRolesStore::invalidateAll);
        AuthenticationFailureHandler createAuthenticationFailureHandler = createAuthenticationFailureHandler(realms, extensionComponents);
        // Operator privileges: a default registry is used unless one was already set (where that could
        // happen is outside this view); otherwise the no-op service is installed.
        if (((Boolean) OperatorPrivileges.OPERATOR_PRIVILEGES_ENABLED.get(this.settings)).booleanValue()) {
            logger.info("operator privileges are enabled");
            if (this.operatorOnlyRegistry.get() == null) {
                this.operatorOnlyRegistry.set(new DefaultOperatorOnlyRegistry(clusterService.getClusterSettings()));
            }
            this.operatorPrivilegesService.set(new OperatorPrivileges.DefaultOperatorPrivilegesService(getLicenseState(), new FileOperatorUsersStore(environment, resourceWatcherService), (OperatorOnlyRegistry) this.operatorOnlyRegistry.get()));
        } else {
            this.operatorPrivilegesService.set(OperatorPrivileges.NOOP_OPERATOR_PRIVILEGES_SERVICE);
        }
        this.authcService.set(new AuthenticationService(this.settings, realms, auditTrailService, createAuthenticationFailureHandler, threadPool, anonymousUser, tokenService, apiKeyService, serviceAccountService, (OperatorPrivileges.OperatorPrivilegesService) this.operatorPrivilegesService.get()));
        arrayList2.add(this.authcService.get());
        SecurityIndexManager mainIndexManager4 = this.systemIndices.getMainIndexManager();
        AuthenticationService authenticationService = (AuthenticationService) this.authcService.get();
        Objects.requireNonNull(authenticationService);
        mainIndexManager4.addStateListener(authenticationService::onSecurityIndexStateChange);
        // Request interceptors always cover resize and alias requests; the search/update/bulk/cache ones
        // are only installed when DLS/FLS is enabled.
        HashSet newHashSet = Sets.newHashSet(new RequestInterceptor[]{new ResizeRequestInterceptor(threadPool, getLicenseState(), auditTrailService), new IndicesAliasesRequestInterceptor(threadPool.getThreadContext(), getLicenseState(), auditTrailService)});
        if (((Boolean) XPackSettings.DLS_FLS_ENABLED.get(this.settings)).booleanValue()) {
            newHashSet.addAll(Arrays.asList(new SearchRequestInterceptor(threadPool, getLicenseState(), clusterService), new ShardSearchRequestInterceptor(threadPool, getLicenseState(), clusterService), new UpdateRequestInterceptor(threadPool, getLicenseState()), new BulkShardRequestInterceptor(threadPool, getLicenseState()), new DlsFlsLicenseRequestInterceptor(threadPool.getThreadContext(), getLicenseState()), new SearchRequestCacheDisablingInterceptor(threadPool, getLicenseState())));
        }
        AuthorizationService authorizationService = new AuthorizationService(this.settings, compositeRolesStore, fieldPermissionsCache, clusterService, auditTrailService, createAuthenticationFailureHandler, threadPool, anonymousUser, getAuthorizationEngine(), Collections.unmodifiableSet(newHashSet), getLicenseState(), indexNameExpressionResolver, (OperatorPrivileges.OperatorPrivilegesService) this.operatorPrivilegesService.get(), restrictedIndices);
        arrayList2.add(nativeRolesStore);
        arrayList2.add(reservedRolesStore);
        arrayList2.add(compositeRolesStore);
        arrayList2.add(authorizationService);
        SecondaryAuthenticator secondaryAuthenticator = new SecondaryAuthenticator((SecurityContext) this.securityContext.get(), (AuthenticationService) this.authcService.get(), auditTrailService);
        this.secondayAuthc.set(secondaryAuthenticator);
        arrayList2.add(secondaryAuthenticator);
        this.ipFilter.set(new IPFilter(this.settings, auditTrailService, clusterService.getClusterSettings(), getLicenseState()));
        arrayList2.add(this.ipFilter.get());
        RemoteClusterCredentialsResolver remoteClusterCredentialsResolver = new RemoteClusterCredentialsResolver(this.settings);
        DestructiveOperations destructiveOperations = new DestructiveOperations(this.settings, clusterService.getClusterSettings());
        this.crossClusterAccessAuthcService.set(new CrossClusterAccessAuthenticationService(clusterService, apiKeyService, (AuthenticationService) this.authcService.get()));
        arrayList2.add(this.crossClusterAccessAuthcService.get());
        // Transport interceptor and action filter: the two enforcement points that authenticate and
        // authorize requests; neither is returned as a component, both are exposed via their SetOnce.
        this.securityInterceptor.set(new SecurityServerTransportInterceptor(this.settings, threadPool, (AuthenticationService) this.authcService.get(), authorizationService, getSslService(), (SecurityContext) this.securityContext.get(), destructiveOperations, (CrossClusterAccessAuthenticationService) this.crossClusterAccessAuthcService.get(), remoteClusterCredentialsResolver, getLicenseState()));
        this.securityActionFilter.set(new SecurityActionFilter((AuthenticationService) this.authcService.get(), authorizationService, auditTrailService, getLicenseState(), threadPool, (SecurityContext) this.securityContext.get(), destructiveOperations));
        arrayList2.add(new SecurityUsageServices(realms, compositeRolesStore, nativeRoleMappingStore, (IPFilter) this.ipFilter.get(), profileService, apiKeyService));
        // Reserved (file-based) role mappings are told once the security index has been recovered.
        this.reservedRoleMappingAction.set(new ReservedRoleMappingAction(nativeRoleMappingStore));
        this.systemIndices.getMainIndexManager().onStateRecovered(state -> {
            ((ReservedRoleMappingAction) this.reservedRoleMappingAction.get()).securityIndexRecovered();
        });
        // Fails if the registry is inconsistent (e.g. an alias refers to an unregistered cache) — see CacheInvalidatorRegistry.
        cacheInvalidatorRegistry.validate();
        return arrayList2;
    }

    /**
     * Returns the {@link AuthorizationEngine} supplied by an extension, or {@code null} if none provides one.
     * At most one extension may supply an engine; see {@link #findValueFromExtensions}.
     */
    private AuthorizationEngine getAuthorizationEngine() {
        final Settings currentSettings = this.settings;
        return findValueFromExtensions("authorization engine", extension -> extension.getAuthorizationEngine(currentSettings));
    }

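    /**
     * Builds the {@link AuthenticationFailureHandler} that answers failed authentication attempts.
     * <p>
     * If an extension provides a handler it is used as-is. Otherwise a {@link DefaultAuthenticationFailureHandler}
     * is created whose {@code WWW-Authenticate} challenge values are gathered from every active realm, plus
     * {@code Bearer realm="security"} when the token service is enabled and {@code ApiKey} when the API key
     * service is enabled. The headers are recomputed on every license state change, since the set of active
     * realms is license dependent.
     *
     * @param realms the configured realms, asked for their failure headers
     * @param securityComponents the components handed to extensions that may supply a handler
     * @return the handler to use; never {@code null}
     */
    private AuthenticationFailureHandler createAuthenticationFailureHandler(Realms realms, SecurityExtension.SecurityComponents securityComponents) {
        // The decompiled original typed this local as DefaultAuthenticationFailureHandler and assigned the
        // extension-provided interface value to it, which does not compile; the interface type is what is needed.
        AuthenticationFailureHandler failureHandler = findValueFromExtensions(
            "authentication failure handler",
            extension -> extension.getAuthenticationFailureHandler(securityComponents)
        );
        if (failureHandler == null) {
            logger.debug("Using default authentication failure handler");
            final Supplier<Map<String, List<String>>> headersSupplier = () -> {
                final Map<String, List<String>> defaultFailureResponseHeaders = new HashMap<>();
                realms.getActiveRealms().forEach(realm -> realm.getAuthenticationFailureHeaders().forEach((headerName, values) -> {
                    // Keep first-seen order and drop duplicates, both across realms and within one realm's list.
                    // The map entry is created lazily on the first value so an empty list leaves no entry behind.
                    values.stream()
                        .filter(value -> defaultFailureResponseHeaders.computeIfAbsent(headerName, ignored -> new ArrayList<>()).contains(value) == false)
                        .forEach(value -> defaultFailureResponseHeaders.get(headerName).add(value));
                }));
                if (TokenService.isTokenServiceEnabled(this.settings)) {
                    addFailureHeaderIfAbsent(defaultFailureResponseHeaders, KerberosAuthenticationToken.WWW_AUTHENTICATE, "Bearer realm=\"security\"");
                }
                if (XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.get(this.settings)) {
                    addFailureHeaderIfAbsent(defaultFailureResponseHeaders, KerberosAuthenticationToken.WWW_AUTHENTICATE, "ApiKey");
                }
                return defaultFailureResponseHeaders;
            };
            final DefaultAuthenticationFailureHandler defaultHandler = new DefaultAuthenticationFailureHandler(headersSupplier.get());
            failureHandler = defaultHandler;
            // Active realms change with the license, so the challenge headers are refreshed on each change.
            getLicenseState().addListener(() -> defaultHandler.setHeaders(headersSupplier.get()));
        }
        return failureHandler;
    }

    /**
     * Appends {@code value} to the list stored under {@code headerName} (creating the list if needed) unless
     * the list already contains it.
     */
    private static void addFailureHeaderIfAbsent(Map<String, List<String>> headers, String headerName, String value) {
        final List<String> values = headers.computeIfAbsent(headerName, ignored -> new ArrayList<>());
        if (values.contains(value) == false) {
            values.add(value);
        }
    }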

    /**
     * Asks every registered extension for a value and returns the single one provided.
     *
     * @param valueName human-readable name of the value, used only in the log and error messages
     * @param extractor reads the value from an extension; may return {@code null} for "not provided"
     * @return the value, or {@code null} if no extension supplied one
     * @throws IllegalStateException if two extensions both supply a value
     */
    @Nullable
    private <T> T findValueFromExtensions(String valueName, Function<SecurityExtension, T> extractor) {
        T found = null;
        String providerName = null;
        for (SecurityExtension extension : this.securityExtensions) {
            final T candidate = extractor.apply(extension);
            if (candidate == null) {
                continue;
            }
            if (found != null) {
                throw new IllegalStateException("Extensions [" + providerName + "] and [" + extension.extensionName() + "]  both attempted to provide a value for [" + valueName + "]");
            }
            found = candidate;
            providerName = extension.extensionName();
        }
        if (found != null) {
            logger.debug("Using [{}] [{}] from extension [{}]", valueName, found, providerName);
        }
        return found;
    }

    /**
     * Returns the settings this plugin adds to the node, computed from the current settings and the
     * enabled flag; see {@link #additionalSettings(Settings, boolean)}.
     */
    public Settings additionalSettings() {
        return additionalSettings(this.settings, this.enabled);
    }

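    /**
     * Computes the settings the plugin adds to the node.
     * <p>
     * With security disabled nothing is added. Otherwise the transport and user settings are merged in and
     * the HTTP transport is forced to {@code security4}: an explicit {@code http.type} with any other value is
     * rejected rather than silently overridden, so a node cannot end up with security enabled but a
     * different HTTP transport.
     *
     * @param settings the node settings
     * @param enabled whether security is enabled
     * @return the additional settings, or {@link Settings#EMPTY} when disabled
     * @throws IllegalArgumentException if {@code http.type} is set to something other than {@code security4}
     */
    static Settings additionalSettings(Settings settings, boolean enabled) {
        if (enabled == false) {
            return Settings.EMPTY;
        }
        final String httpTypeKey = "http.type";
        final String securityHttpType = "security4";
        final Settings.Builder builder = Settings.builder();
        builder.put(SecuritySettings.addTransportSettings(settings));
        if (NetworkModule.HTTP_TYPE_SETTING.exists(settings)) {
            final String configuredHttpType = NetworkModule.HTTP_TYPE_SETTING.get(settings);
            if (securityHttpType.equals(configuredHttpType) == false) {
                throw new IllegalArgumentException(String.format(Locale.ROOT, "http type setting [%s] must be [%s] but is [%s]", httpTypeKey, securityHttpType, configuredHttpType));
            }
        } else {
            builder.put(httpTypeKey, securityHttpType);
        }
        // Applies in both cases: an explicit (and valid) http.type and a freshly forced one.
        SecurityHttpSettings.overrideSettings(builder, settings);
        builder.put(SecuritySettings.addUserSettings(settings));
        return builder.build();
    }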

    /** Returns every setting the plugin understands; see {@link #getSettings(List)}. */
    public List<Setting<?>> getSettings() {
        return getSettings(this.securityExtensions);
    }

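    /**
     * Lists every node setting the security plugin understands.
     * <p>
     * The {@code hide_settings} list (consumed by {@link #getSettingsFilter()}) is itself declared
     * {@link Setting.Property#Filtered}, so the names of the settings an operator chose to hide are not
     * exposed either.
     *
     * @param list the extensions; not consulted by the current implementation, kept for API compatibility
     * @return a new, mutable list of settings
     */
    public static List<Setting<?>> getSettings(List<SecurityExtension> list) {
        final List<Setting<?>> settingsList = new ArrayList<>();
        settingsList.add(XPackSettings.FIPS_MODE_ENABLED);
        // Components that register their own settings into the list.
        SSLService.registerSettings(settingsList);
        IPFilter.addSettings(settingsList);
        LoggingAuditTrail.registerSettings(settingsList);
        AnonymousUser.addSettings(settingsList);
        settingsList.addAll(InternalRealmsSettings.getSettings());
        ReservedRealm.addSettings(settingsList);
        AuthenticationService.addSettings(settingsList);
        AuthorizationService.addSettings(settingsList);
        Automatons.addSettings(settingsList);
        settingsList.addAll(CompositeRolesStore.getSettings());
        settingsList.addAll(DocumentSubsetBitsetCache.getSettings());
        settingsList.add(FieldPermissionsCache.CACHE_SIZE_SETTING);
        // Token service lifecycle.
        settingsList.add(TokenService.TOKEN_EXPIRATION);
        settingsList.add(TokenService.DELETE_INTERVAL);
        settingsList.add(TokenService.DELETE_TIMEOUT);
        settingsList.addAll(SSLConfigurationSettings.getProfileSettings());
        // API key hashing, retention and caches.
        settingsList.add(ApiKeyService.PASSWORD_HASHING_ALGORITHM);
        settingsList.add(ApiKeyService.DELETE_TIMEOUT);
        settingsList.add(ApiKeyService.DELETE_INTERVAL);
        settingsList.add(ApiKeyService.DELETE_RETENTION_PERIOD);
        settingsList.add(ApiKeyService.CACHE_HASH_ALGO_SETTING);
        settingsList.add(ApiKeyService.CACHE_MAX_KEYS_SETTING);
        settingsList.add(ApiKeyService.CACHE_TTL_SETTING);
        settingsList.add(ApiKeyService.DOC_CACHE_TTL_SETTING);
        settingsList.add(NativePrivilegeStore.CACHE_MAX_APPLICATIONS_SETTING);
        settingsList.add(NativePrivilegeStore.CACHE_TTL_SETTING);
        settingsList.add(OperatorPrivileges.OPERATOR_PRIVILEGES_ENABLED);
        // Service account token caches.
        settingsList.add(CachingServiceAccountTokenStore.CACHE_TTL_SETTING);
        settingsList.add(CachingServiceAccountTokenStore.CACHE_HASH_ALGO_SETTING);
        settingsList.add(CachingServiceAccountTokenStore.CACHE_MAX_TOKENS_SETTING);
        settingsList.add(SimpleRole.CACHE_SIZE_SETTING);
        settingsList.add(NativeRoleMappingStore.LAST_LOAD_CACHE_ENABLED_SETTING);
        settingsList.add(Setting.stringListSetting(SecurityField.setting("hide_settings"), Setting.Property.NodeScope, Setting.Property.Filtered));
        return settingsList;
    }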

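    /**
     * Declares the REST request headers this plugin needs the REST layer to preserve.
     * <p>
     * {@code Authorization}, the secondary-authentication header and the JWT client-authentication header
     * are always declared. {@code X-Forwarded-For} is only declared when auditing is enabled and the run-as
     * header only when run-as is enabled, so neither is picked up when the feature consuming it is off.
     *
     * @return the header definitions; a new set on every call
     */
    public Collection<RestHeaderDefinition> getRestHeaders() {
        final Set<RestHeaderDefinition> headers = new HashSet<>();
        headers.add(new RestHeaderDefinition("Authorization", false));
        headers.add(new RestHeaderDefinition(SecondaryAuthenticator.SECONDARY_AUTH_HEADER_NAME, false));
        if (XPackSettings.AUDIT_ENABLED.get(this.settings)) {
            // The only header declared with 'true' — presumably "multiple values allowed"; see RestHeaderDefinition.
            headers.add(new RestHeaderDefinition(AuditTrail.X_FORWARDED_FOR_HEADER, true));
        }
        if (AuthenticationServiceField.RUN_AS_ENABLED.get(this.settings)) {
            headers.add(new RestHeaderDefinition("es-security-runas-user", false));
        }
        headers.add(new RestHeaderDefinition(JwtRealm.HEADER_CLIENT_AUTHENTICATION, false));
        return headers;
    }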

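    /**
     * Returns the setting-name patterns to hide from settings APIs.
     * <p>
     * Operators can hide further settings via the {@code hide_settings} list; the security settings under
     * every transport profile ({@code transport.profiles.*.<security prefix>.*}) are always hidden.
     *
     * @return a new, mutable list of patterns
     */
    public List<String> getSettingsFilter() {
        final List<String> filtered = new ArrayList<>(this.settings.getAsList(SecurityField.setting("hide_settings")));
        filtered.add("transport.profiles.*." + SecurityField.setting("*"));
        return filtered;
    }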

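    /**
     * Returns the bootstrap checks for this node: an empty list when security is disabled (set in the
     * constructor), otherwise the checks assembled in {@code createComponents}. Before either has run the
     * holder is still unset, so the result may be {@code null}.
     */
    public List<BootstrapCheck> getBootstrapChecks() {
        // The holder is already typed List<BootstrapCheck>; the decompiler's raw cast was redundant.
        return this.bootstrapChecks.get();
    }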

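    /**
     * Hooks security into each index: a reader wrapper and a forced query-cache provider for document/field
     * level security, plus a search operation listener.
     * <p>
     * Does nothing when security is disabled. The DLS/FLS parts are additionally gated on
     * {@link XPackSettings#DLS_FLS_ENABLED}; the search operation listener is installed regardless.
     *
     * @param indexModule the module of the index being created
     */
    public void onIndexModule(IndexModule indexModule) {
        if (this.enabled == false) {
            return;
        }
        // Plain 'assert' statements; the decompiler had expanded them into explicit $assertionsDisabled checks.
        assert getLicenseState() != null;
        if (XPackSettings.DLS_FLS_ENABLED.get(this.settings)) {
            assert this.dlsBitsetCache.get() != null;
            indexModule.setReaderWrapper(
                indexService -> new SecurityIndexReaderWrapper(
                    shardId -> indexService.newSearchExecutionContext(
                        shardId.id(),
                        0,
                        (IndexSearcher) null,
                        // The "now" supplier throws so that permission (DLS) filters cannot depend on the current time.
                        () -> { throw new IllegalArgumentException("permission filters are not allowed to use the current timestamp"); },
                        (String) null,
                        Collections.emptyMap()
                    ),
                    this.dlsBitsetCache.get(),
                    this.securityContext.get(),
                    getLicenseState(),
                    indexService.getScriptService()
                )
            );
            // NOTE(review): by name this cache can opt out per request; the exact condition lives in OptOutQueryCache — confirm there.
            indexModule.forceQueryCacheProvider(
                (indexSettings, indicesQueryCache) -> new OptOutQueryCache(indexSettings.getIndex(), indicesQueryCache, this.threadContext.get())
            );
        }
        indexModule.addSearchOperationListener(new SecuritySearchOperationListener(this.securityContext.get(), this.auditTrailService.get()));
    }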

    /**
     * Registers the transport actions contributed by the security plugin.
     * <p>
     * With security disabled only the usage and info feature actions are registered. With
     * security enabled the full set is registered in addition to those two: cache clearing
     * (realms, roles, privileges, security caches), users, roles, passwords, authenticate,
     * enable/disable, privilege checks, role mappings, tokens, certificate info, SAML, OpenID
     * Connect, privileges, API keys (incl. cross-cluster), delegated PKI, service accounts,
     * enrollment, user profiles and security settings. {@code null} entries are dropped from
     * the enabled list before it is returned.
     *
     * @return the action handlers to register; the list is unmodifiable when security is
     *         enabled and fixed-size (Arrays.asList) otherwise
     */
    public List<ActionPlugin.ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
        // These two are always registered, even when security is disabled.
        ActionPlugin.ActionHandler actionHandler = new ActionPlugin.ActionHandler(XPackUsageFeatureAction.SECURITY, SecurityUsageTransportAction.class);
        ActionPlugin.ActionHandler actionHandler2 = new ActionPlugin.ActionHandler(XPackInfoFeatureAction.SECURITY, SecurityInfoTransportAction.class);
        return !this.enabled ? Arrays.asList(actionHandler, actionHandler2) : Stream.of((Object[]) new ActionPlugin.ActionHandler[]{new ActionPlugin.ActionHandler(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class), new ActionPlugin.ActionHandler(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class), new ActionPlugin.ActionHandler(ClearPrivilegesCacheAction.INSTANCE, TransportClearPrivilegesCacheAction.class), new ActionPlugin.ActionHandler(ClearSecurityCacheAction.INSTANCE, TransportClearSecurityCacheAction.class), new ActionPlugin.ActionHandler(GetUsersAction.INSTANCE, TransportGetUsersAction.class), new ActionPlugin.ActionHandler(PutUserAction.INSTANCE, TransportPutUserAction.class), new ActionPlugin.ActionHandler(DeleteUserAction.INSTANCE, TransportDeleteUserAction.class), new ActionPlugin.ActionHandler(GetRolesAction.INSTANCE, TransportGetRolesAction.class), new ActionPlugin.ActionHandler(PutRoleAction.INSTANCE, TransportPutRoleAction.class), new ActionPlugin.ActionHandler(DeleteRoleAction.INSTANCE, TransportDeleteRoleAction.class), new ActionPlugin.ActionHandler(ChangePasswordAction.INSTANCE, TransportChangePasswordAction.class), new ActionPlugin.ActionHandler(AuthenticateAction.INSTANCE, TransportAuthenticateAction.class), new ActionPlugin.ActionHandler(SetEnabledAction.INSTANCE, TransportSetEnabledAction.class), new ActionPlugin.ActionHandler(HasPrivilegesAction.INSTANCE, TransportHasPrivilegesAction.class), new ActionPlugin.ActionHandler(GetUserPrivilegesAction.INSTANCE, TransportGetUserPrivilegesAction.class), new ActionPlugin.ActionHandler(GetRoleMappingsAction.INSTANCE, TransportGetRoleMappingsAction.class), new ActionPlugin.ActionHandler(PutRoleMappingAction.INSTANCE, TransportPutRoleMappingAction.class), new ActionPlugin.ActionHandler(DeleteRoleMappingAction.INSTANCE, TransportDeleteRoleMappingAction.class), new ActionPlugin.ActionHandler(CreateTokenAction.INSTANCE, TransportCreateTokenAction.class), new 
ActionPlugin.ActionHandler(InvalidateTokenAction.INSTANCE, TransportInvalidateTokenAction.class), new ActionPlugin.ActionHandler(GetCertificateInfoAction.INSTANCE, TransportGetCertificateInfoAction.class), new ActionPlugin.ActionHandler(RefreshTokenAction.INSTANCE, TransportRefreshTokenAction.class), new ActionPlugin.ActionHandler(SamlPrepareAuthenticationAction.INSTANCE, TransportSamlPrepareAuthenticationAction.class), new ActionPlugin.ActionHandler(SamlAuthenticateAction.INSTANCE, TransportSamlAuthenticateAction.class), new ActionPlugin.ActionHandler(SamlLogoutAction.INSTANCE, TransportSamlLogoutAction.class), new ActionPlugin.ActionHandler(SamlInvalidateSessionAction.INSTANCE, TransportSamlInvalidateSessionAction.class), new ActionPlugin.ActionHandler(SamlCompleteLogoutAction.INSTANCE, TransportSamlCompleteLogoutAction.class), new ActionPlugin.ActionHandler(SamlSpMetadataAction.INSTANCE, TransportSamlSpMetadataAction.class), new ActionPlugin.ActionHandler(OpenIdConnectPrepareAuthenticationAction.INSTANCE, TransportOpenIdConnectPrepareAuthenticationAction.class), new ActionPlugin.ActionHandler(OpenIdConnectAuthenticateAction.INSTANCE, TransportOpenIdConnectAuthenticateAction.class), new ActionPlugin.ActionHandler(OpenIdConnectLogoutAction.INSTANCE, TransportOpenIdConnectLogoutAction.class), new ActionPlugin.ActionHandler(GetBuiltinPrivilegesAction.INSTANCE, TransportGetBuiltinPrivilegesAction.class), new ActionPlugin.ActionHandler(GetPrivilegesAction.INSTANCE, TransportGetPrivilegesAction.class), new ActionPlugin.ActionHandler(PutPrivilegesAction.INSTANCE, TransportPutPrivilegesAction.class), new ActionPlugin.ActionHandler(DeletePrivilegesAction.INSTANCE, TransportDeletePrivilegesAction.class), new ActionPlugin.ActionHandler(CreateApiKeyAction.INSTANCE, TransportCreateApiKeyAction.class), new ActionPlugin.ActionHandler(CreateCrossClusterApiKeyAction.INSTANCE, TransportCreateCrossClusterApiKeyAction.class), new 
ActionPlugin.ActionHandler(GrantApiKeyAction.INSTANCE, TransportGrantApiKeyAction.class), new ActionPlugin.ActionHandler(InvalidateApiKeyAction.INSTANCE, TransportInvalidateApiKeyAction.class), new ActionPlugin.ActionHandler(GetApiKeyAction.INSTANCE, TransportGetApiKeyAction.class), new ActionPlugin.ActionHandler(QueryApiKeyAction.INSTANCE, TransportQueryApiKeyAction.class), new ActionPlugin.ActionHandler(UpdateApiKeyAction.INSTANCE, TransportUpdateApiKeyAction.class), new ActionPlugin.ActionHandler(BulkUpdateApiKeyAction.INSTANCE, TransportBulkUpdateApiKeyAction.class), new ActionPlugin.ActionHandler(UpdateCrossClusterApiKeyAction.INSTANCE, TransportUpdateCrossClusterApiKeyAction.class), new ActionPlugin.ActionHandler(DelegatePkiAuthenticationAction.INSTANCE, TransportDelegatePkiAuthenticationAction.class), new ActionPlugin.ActionHandler(CreateServiceAccountTokenAction.INSTANCE, TransportCreateServiceAccountTokenAction.class), new ActionPlugin.ActionHandler(DeleteServiceAccountTokenAction.INSTANCE, TransportDeleteServiceAccountTokenAction.class), new ActionPlugin.ActionHandler(GetServiceAccountCredentialsAction.INSTANCE, TransportGetServiceAccountCredentialsAction.class), new ActionPlugin.ActionHandler(GetServiceAccountNodesCredentialsAction.INSTANCE, TransportGetServiceAccountNodesCredentialsAction.class), new ActionPlugin.ActionHandler(GetServiceAccountAction.INSTANCE, TransportGetServiceAccountAction.class), new ActionPlugin.ActionHandler(KibanaEnrollmentAction.INSTANCE, TransportKibanaEnrollmentAction.class), new ActionPlugin.ActionHandler(NodeEnrollmentAction.INSTANCE, TransportNodeEnrollmentAction.class), new ActionPlugin.ActionHandler(ProfileHasPrivilegesAction.INSTANCE, TransportProfileHasPrivilegesAction.class), new ActionPlugin.ActionHandler(GetProfilesAction.INSTANCE, TransportGetProfilesAction.class), new ActionPlugin.ActionHandler(ActivateProfileAction.INSTANCE, TransportActivateProfileAction.class), new 
ActionPlugin.ActionHandler(UpdateProfileDataAction.INSTANCE, TransportUpdateProfileDataAction.class), new ActionPlugin.ActionHandler(SuggestProfilesAction.INSTANCE, TransportSuggestProfilesAction.class), new ActionPlugin.ActionHandler(SetProfileEnabledAction.INSTANCE, TransportSetProfileEnabledAction.class), new ActionPlugin.ActionHandler(GetSecuritySettingsAction.INSTANCE, TransportGetSecuritySettingsAction.class), new ActionPlugin.ActionHandler(UpdateSecuritySettingsAction.INSTANCE, TransportUpdateSecuritySettingsAction.class), actionHandler, actionHandler2}).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toList();
    }

    /**
     * Supplies the action filter held in {@code securityActionFilter}, which is applied to
     * transport actions when security is enabled.
     *
     * @return a single-element list with the security action filter, or an empty list when
     *         security is disabled
     */
    public List<ActionFilter> getActionFilters() {
        if (this.enabled == false) {
            return Collections.emptyList();
        }
        final ActionFilter securityFilter = (ActionFilter) this.securityActionFilter.get();
        return Collections.singletonList(securityFilter);
    }

    /**
     * Registers the REST endpoints contributed by the security plugin.
     * <p>
     * Nothing is registered when security is disabled. Otherwise every handler is built with
     * the node settings and the license state; the handlers that need the caller's identity
     * (authenticate, change password, has-privileges, user privileges, profile has-privileges)
     * additionally receive the {@link SecurityContext}. {@code null} entries are dropped.
     *
     * @return the REST handlers to register (unmodifiable), or an empty list
     */
    public List<RestHandler> getRestHandlers(Settings settings, RestController restController, ClusterSettings clusterSettings, IndexScopedSettings indexScopedSettings, SettingsFilter settingsFilter, IndexNameExpressionResolver indexNameExpressionResolver, Supplier<DiscoveryNodes> supplier) {
        return !this.enabled ? Collections.emptyList() : Stream.of((Object[]) new RestHandler[]{new RestAuthenticateAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()), new RestClearRealmCacheAction(settings, getLicenseState()), new RestClearRolesCacheAction(settings, getLicenseState()), new RestClearPrivilegesCacheAction(settings, getLicenseState()), new RestClearApiKeyCacheAction(settings, getLicenseState()), new RestClearServiceAccountTokenStoreCacheAction(settings, getLicenseState()), new RestGetUsersAction(settings, getLicenseState()), new RestPutUserAction(settings, getLicenseState()), new RestDeleteUserAction(settings, getLicenseState()), new RestGetRolesAction(settings, getLicenseState()), new RestPutRoleAction(settings, getLicenseState()), new RestDeleteRoleAction(settings, getLicenseState()), new RestChangePasswordAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()), new RestSetEnabledAction(settings, getLicenseState()), new RestHasPrivilegesAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()), new RestGetUserPrivilegesAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()), new RestGetRoleMappingsAction(settings, getLicenseState()), new RestPutRoleMappingAction(settings, getLicenseState()), new RestDeleteRoleMappingAction(settings, getLicenseState()), new RestGetTokenAction(settings, getLicenseState()), new RestInvalidateTokenAction(settings, getLicenseState()), new RestGetCertificateInfoAction(), new RestSamlPrepareAuthenticationAction(settings, getLicenseState()), new RestSamlAuthenticateAction(settings, getLicenseState()), new RestSamlLogoutAction(settings, getLicenseState()), new RestSamlInvalidateSessionAction(settings, getLicenseState()), new RestSamlCompleteLogoutAction(settings, getLicenseState()), new RestSamlSpMetadataAction(settings, getLicenseState()), new RestOpenIdConnectPrepareAuthenticationAction(settings, getLicenseState()), 
new RestOpenIdConnectAuthenticateAction(settings, getLicenseState()), new RestOpenIdConnectLogoutAction(settings, getLicenseState()), new RestGetBuiltinPrivilegesAction(settings, getLicenseState()), new RestGetPrivilegesAction(settings, getLicenseState()), new RestPutPrivilegesAction(settings, getLicenseState()), new RestDeletePrivilegesAction(settings, getLicenseState()), new RestCreateApiKeyAction(settings, getLicenseState()), new RestCreateCrossClusterApiKeyAction(settings, getLicenseState()), new RestUpdateApiKeyAction(settings, getLicenseState()), new RestBulkUpdateApiKeyAction(settings, getLicenseState()), new RestUpdateCrossClusterApiKeyAction(settings, getLicenseState()), new RestGrantApiKeyAction(settings, getLicenseState()), new RestInvalidateApiKeyAction(settings, getLicenseState()), new RestGetApiKeyAction(settings, getLicenseState()), new RestQueryApiKeyAction(settings, getLicenseState()), new RestDelegatePkiAuthenticationAction(settings, getLicenseState()), new RestCreateServiceAccountTokenAction(settings, getLicenseState()), new RestDeleteServiceAccountTokenAction(settings, getLicenseState()), new RestGetServiceAccountCredentialsAction(settings, getLicenseState()), new RestGetServiceAccountAction(settings, getLicenseState()), new RestKibanaEnrollAction(settings, getLicenseState()), new RestNodeEnrollmentAction(settings, getLicenseState()), new RestProfileHasPrivilegesAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()), new RestGetProfilesAction(settings, getLicenseState()), new RestActivateProfileAction(settings, getLicenseState()), new RestUpdateProfileDataAction(settings, getLicenseState()), new RestSuggestProfilesAction(settings, getLicenseState()), new RestEnableProfileAction(settings, getLicenseState()), new RestDisableProfileAction(settings, getLicenseState()), new RestGetSecuritySettingsAction(settings, getLicenseState()), new RestUpdateSecuritySettingsAction(settings, getLicenseState())}).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toList();
    }

    /**
     * Registers the {@code set_security_user} ingest processor factory.
     * <p>
     * The factory is handed a supplier bound to the {@code securityContext} holder rather
     * than the context itself, so the context is looked up when the factory uses it.
     *
     * @param parameters ingest parameters (unused here)
     * @return a single-entry map keyed by {@link SetSecurityUserProcessor#TYPE}
     */
    public Map<String, Processor.Factory> getProcessors(Processor.Parameters parameters) {
        final SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(this.securityContext::get, this.settings);
        return Map.of(SetSecurityUserProcessor.TYPE, factory);
    }

    /**
     * Completes the {@code nodeStartedListenable} with a {@code null} value, signalling that
     * the node has started to whoever is waiting on it.
     */
    public void onNodeStarted() {
        final Object noValue = null;
        this.nodeStartedListenable.onResponse(noValue);
    }

    /**
     * Rejects realm settings that still use the pre-type-in-key layout.
     * <p>
     * A current realm setting key looks like {@code xpack.security.authc.realms.<type>.<name>.<setting>},
     * i.e. the part after the prefix contains at least two dots. Any key under the prefix whose
     * remainder has one dot or none is collected and reported.
     *
     * @param settings the node settings to check
     * @throws IllegalArgumentException listing every offending key, if there are any
     */
    static void validateRealmSettings(Settings settings) {
        final String realmPrefix = "xpack.security.authc.realms.";
        final Set<String> invalidKeys = new HashSet<>();
        for (String key : settings.keySet()) {
            if (key.startsWith(realmPrefix) == false) {
                continue;
            }
            final String remainder = key.substring(realmPrefix.length());
            // first and last dot coincide when the remainder holds at most one dot
            if (remainder.indexOf('.') == remainder.lastIndexOf('.')) {
                invalidKeys.add(key);
            }
        }
        if (invalidKeys.isEmpty() == false) {
            throw new IllegalArgumentException("Incorrect realm settings found. Realm settings have been changed to include the type as part of the setting key.\nFor example '" + (RealmSettings.realmSettingPrefix(new RealmConfig.RealmIdentifier("file", "my_file")) + "order") + "'\nFound invalid config: " + org.elasticsearch.common.Strings.collectionToDelimitedString(invalidKeys, ", ") + "\nPlease see the breaking changes documentation.");
        }
    }

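    /**
     * Validates settings that are not allowed, or not recommended, in a FIPS 140 JVM.
     * <p>
     * Hard failures are collected and thrown together as one {@link IllegalArgumentException}:
     * <ul>
     *   <li>any {@code *keystore.type} setting whose value is {@code jks};</li>
     *   <li>any {@code *keystore.path} setting with no explicit {@code *keystore.type} whose
     *       inferred keystore type is {@code jks};</li>
     *   <li>a {@link XPackSettings#PASSWORD_HASHING_ALGORITHM} that is not a PBKDF2 variant.</li>
     * </ul>
     * Soft problems are only logged as warnings: a non-PBKDF2 API-key or service-token hashing
     * algorithm, and a {@code *.cache.hash_algo} that is neither {@code ssha256} nor PBKDF2.
     * <p>
     * Fix relative to the decompiled listing: the cache-hasher loop re-declared its lambda
     * parameter ({@code str7}) for the setting value, which does not compile and also logged
     * the same string for both placeholders; the value and the key are now distinct.
     *
     * @param settings the node settings to check
     * @throws IllegalArgumentException with a numbered list of every hard failure found
     */
    static void validateForFips(Settings settings) {
        final List<String> validationErrors = new ArrayList<>();

        // Explicit JKS keystore types are never acceptable in FIPS mode.
        final Settings jksKeystoreTypes = settings.filter(key -> key.endsWith("keystore.type"))
            .filter(key -> settings.get(key).equalsIgnoreCase("jks"));
        if (jksKeystoreTypes.isEmpty() == false) {
            validationErrors.add("JKS Keystores cannot be used in a FIPS 140 compliant JVM. Please revisit [" + jksKeystoreTypes.toDelimitedString(',') + "] settings");
        }

        // Keystore paths without an explicit type are classified from the path itself.
        final Settings inferredJksKeystores = settings.filter(key -> key.endsWith("keystore.path"))
            .filter(key -> settings.hasValue(key.replace(".path", ".type")) == false)
            .filter(key -> KeyStoreUtil.inferKeyStoreType(settings.get(key)).equals("jks"));
        if (inferredJksKeystores.isEmpty() == false) {
            validationErrors.add("JKS Keystores cannot be used in a FIPS 140 compliant JVM. Please revisit [" + inferredJksKeystores.toDelimitedString(',') + "] settings");
        }

        // Stored password hashing must be PBKDF2-based; this one is a hard failure.
        final String passwordHasher = ((String) XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings)).toLowerCase(Locale.ROOT);
        if (passwordHasher.startsWith("pbkdf2") == false) {
            validationErrors.add("Only PBKDF2 is allowed for stored credential hashing in a FIPS 140 JVM. Please set the appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
        }

        // API-key and service-token hashers only warn (kept as in the original).
        final List<Setting<?>> otherStoredHashers = List.of(ApiKeyService.PASSWORD_HASHING_ALGORITHM, XPackSettings.SERVICE_TOKEN_HASHING_ALGORITHM);
        for (Setting<?> hasherSetting : otherStoredHashers) {
            final String hasher = ((String) hasherSetting.get(settings)).toLowerCase(Locale.ROOT);
            if (hasher.startsWith("pbkdf2") == false) {
                logger.warn("Only PBKDF2 is allowed for stored credential hashing in a FIPS 140 JVM. Please set the appropriate value for [{}] setting.", hasherSetting.getKey());
            }
        }

        // In-memory (cache) hashers: warn unless ssha256 or PBKDF2. Log the configured value
        // first and the setting key second, matching the two placeholders of the message.
        final Settings cacheHashers = settings.filter(key -> key.endsWith(".cache.hash_algo"));
        for (String cacheHasherKey : cacheHashers.keySet()) {
            final String cacheHasher = cacheHashers.get(cacheHasherKey);
            assert cacheHasher != null : "cache hasher setting without a value: " + cacheHasherKey;
            final String normalized = cacheHasher.toLowerCase(Locale.ROOT);
            if (normalized.equals("ssha256") == false && normalized.startsWith("pbkdf2") == false) {
                logger.warn("[{}] is not recommended for in-memory credential hashing in a FIPS 140 JVM. The recommended hasher for [{}] is SSHA256.", cacheHasher, cacheHasherKey);
            }
        }

        if (validationErrors.isEmpty()) {
            return;
        }
        final StringBuilder message = new StringBuilder("Validation for FIPS 140 mode failed: \n");
        for (int i = 0; i < validationErrors.size(); i++) {
            // 1-based numbering, one error per line
            message.append(i + 1).append(": ").append(validationErrors.get(i)).append(";\n");
        }
        throw new IllegalArgumentException(message.toString());
    }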

    /**
     * Supplies the transport interceptor that applies security to node-to-node requests.
     * <p>
     * The returned interceptor is a thin indirection: both {@code interceptHandler} and
     * {@code interceptSender} forward to the interceptor stored in {@code securityInterceptor},
     * which is asserted to have been set by the time either method is called. Nothing is
     * returned when security is disabled.
     *
     * @param namedWriteableRegistry unused here
     * @param threadContext unused here
     * @return a single-element list, or an empty list when security is disabled
     */
    public List<TransportInterceptor> getTransportInterceptors(NamedWriteableRegistry namedWriteableRegistry, ThreadContext threadContext) {
        return !this.enabled ? Collections.emptyList() : Collections.singletonList(new TransportInterceptor() { // from class: org.elasticsearch.xpack.security.Security.1
            // Decompiler rendering of Java's assert support; the static block below mirrors the
            // outer class's initialisation of the same flag.
            static final /* synthetic */ boolean $assertionsDisabled;

            // Delegates handler wrapping (inbound side) to the real security interceptor.
            public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, Executor executor, boolean z, TransportRequestHandler<T> transportRequestHandler) {
                if ($assertionsDisabled || Security.this.securityInterceptor.get() != null) {
                    return ((TransportInterceptor) Security.this.securityInterceptor.get()).interceptHandler(str, executor, z, transportRequestHandler);
                }
                throw new AssertionError();
            }

            // Delegates sender wrapping (outbound side) to the real security interceptor.
            public TransportInterceptor.AsyncSender interceptSender(TransportInterceptor.AsyncSender asyncSender) {
                if ($assertionsDisabled || Security.this.securityInterceptor.get() != null) {
                    return ((TransportInterceptor) Security.this.securityInterceptor.get()).interceptSender(asyncSender);
                }
                throw new AssertionError();
            }

            static {
                $assertionsDisabled = !Security.class.desiredAssertionStatus();
            }
        });
    }

    /**
     * Registers the {@code security4} node-to-node transport when security is enabled.
     * <p>
     * The supplier creates a {@link SecurityNetty4ServerTransport} wired with the IP filter,
     * the SSL service, the shared Netty event-loop factory and the cross-cluster access
     * authentication service, stores it in {@code transportReference} and returns it.
     *
     * @return a single-entry map keyed {@code security4}, or an empty map when security is disabled
     */
    public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
        if (this.enabled == false) {
            return Collections.emptyMap();
        }
        final IPFilter transportIpFilter = (IPFilter) this.ipFilter.get();
        final Supplier<Transport> security4 = () -> {
            // Collaborators are resolved when the transport is actually built, not at registration.
            final SecurityNetty4ServerTransport transport = new SecurityNetty4ServerTransport(settings, TransportVersion.current(), threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, transportIpFilter, getSslService(), getNettySharedGroupFactory(settings), (CrossClusterAccessAuthenticationService) this.crossClusterAccessAuthcService.get());
            this.transportReference.set(transport);
            return (Transport) this.transportReference.get();
        };
        return Map.of("security4", security4);
    }

    /**
     * Registers the {@code security4} HTTP transport when security is enabled.
     * <p>
     * The supplier builds a {@link Netty4HttpServerTransport} through
     * {@link #getHttpServerTransportWithHeadersValidator} with:
     * <ul>
     *   <li>a {@link TLSConfig} taken from the HTTP SSL configuration when
     *       {@link XPackSettings#HTTP_SSL_ENABLED} is true — construction fails if that
     *       configuration is not valid for server usage (no key);</li>
     *   <li>an accept predicate that defers to the {@link IPFilter};</li>
     *   <li>two header validators: the first authenticates the request through the
     *       {@link AuthenticationService}, the second only populates the thread context (the
     *       two-validator overload uses it for OPTIONS requests without a body).</li>
     * </ul>
     * Both validators invoke the caller-supplied {@code biConsumer}, extract client certificates
     * when TLS client authentication is enabled, and process the remote-host header.
     *
     * @return a single-entry map keyed {@code security4}, or an empty map when security is disabled
     */
    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedXContentRegistry namedXContentRegistry, NetworkService networkService, HttpServerTransport.Dispatcher dispatcher, BiConsumer<HttpPreRequest, ThreadContext> biConsumer, ClusterSettings clusterSettings, Tracer tracer) {
        if (!this.enabled) {
            return Collections.emptyMap();
        }
        final IPFilter iPFilter = (IPFilter) this.ipFilter.get();
        // Connection-level gate: the IP filter decides whether a new channel is accepted at all,
        // and is told the bound HTTP address so it can evaluate its rules for that listener.
        AcceptChannelHandler.AcceptPredicate acceptPredicate = new AcceptChannelHandler.AcceptPredicate() { // from class: org.elasticsearch.xpack.security.Security.2
            public void setBoundAddress(BoundTransportAddress boundTransportAddress) {
                iPFilter.setBoundHttpTransportAddress(boundTransportAddress);
            }

            public boolean test(String str, InetSocketAddress inetSocketAddress) {
                return iPFilter.accept(str, inetSocketAddress);
            }
        };
        HashMap hashMap = new HashMap();
        hashMap.put("security4", () -> {
            SslConfiguration sslConfiguration;
            BiConsumer biConsumer2;
            boolean booleanValue = ((Boolean) XPackSettings.HTTP_SSL_ENABLED.get(settings)).booleanValue();
            SSLService sslService = getSslService();
            if (booleanValue) {
                sslConfiguration = sslService.getHttpTransportSSLConfiguration();
                // Fail fast at start-up rather than serve an HTTPS listener without a server key.
                if (!SSLService.isConfigurationValidForServerUsage(sslConfiguration)) {
                    throw new IllegalArgumentException("a key must be provided to run as a server. the key should be configured using the [xpack.security.http.ssl.key] or [xpack.security.http.ssl.keystore.path] setting");
                }
                // Only when client authentication is configured is the peer certificate chain
                // copied into the thread context; otherwise this hook is a no-op.
                biConsumer2 = SSLService.isSSLClientAuthEnabled(sslConfiguration) ? (channel, threadContext) -> {
                    SSLEngineUtils.extractClientCertificates(logger, threadContext, channel);
                } : (channel2, threadContext2) -> {
                };
            } else {
                // Plain HTTP: no TLS config and nothing to extract from the channel.
                sslConfiguration = null;
                biConsumer2 = (channel3, threadContext3) -> {
                };
            }
            AuthenticationService authenticationService = (AuthenticationService) this.authcService.get();
            ThreadContext threadContext4 = (ThreadContext) this.threadContext.get();
            SharedGroupFactory nettySharedGroupFactory = getNettySharedGroupFactory(settings);
            // Decompiler artifacts: the explicit null check stands in for the implicit one of the
            // sslService::createSSLEngine method reference below, and biConsumer3/biConsumer4 are
            // the same lambda captured twice.
            Objects.requireNonNull(sslService);
            BiConsumer biConsumer3 = biConsumer2;
            BiConsumer biConsumer4 = biConsumer2;
            // First validator (authenticating): the listener is only completed once the
            // AuthenticationService accepts the request; authentication failures propagate
            // through the listener. NOTE: the inner lambda parameter re-uses the name
            // actionListener (decompiler rendering; not valid as Java source).
            return getHttpServerTransportWithHeadersValidator(settings, networkService, threadPool, namedXContentRegistry, dispatcher, clusterSettings, nettySharedGroupFactory, tracer, new TLSConfig(sslConfiguration, sslService::createSSLEngine), acceptPredicate, (httpRequest, channel4, actionListener) -> {
                HttpPreRequest asHttpPreRequest = HttpHeadersAuthenticatorUtils.asHttpPreRequest(httpRequest);
                biConsumer.accept(asHttpPreRequest, threadContext4);
                biConsumer3.accept(channel4, threadContext4);
                RemoteHostHeader.process(channel4, threadContext4);
                authenticationService.authenticate(asHttpPreRequest, actionListener.delegateFailureAndWrap((actionListener, authentication) -> {
                    actionListener.onResponse((Object) null);
                }));
            }, (httpRequest2, channel5, actionListener2) -> {
                // Second validator (non-authenticating): same context population, then succeeds
                // unconditionally. Used by the overload below only for body-less OPTIONS requests.
                biConsumer.accept(HttpHeadersAuthenticatorUtils.asHttpPreRequest(httpRequest2), threadContext4);
                biConsumer4.accept(channel5, threadContext4);
                RemoteHostHeader.process(channel5, threadContext4);
                actionListener2.onResponse((Object) null);
            });
        });
        return hashMap;
    }

    /**
     * Builds the HTTP transport with a method-aware header validator.
     * <p>
     * Every request that is not {@code OPTIONS} goes to {@code httpValidator}. {@code OPTIONS}
     * requests go to {@code httpValidator2} unless they declare a body — a Content-Length
     * greater than 1 or chunked transfer encoding — in which case they are rejected with
     * {@code 400 Bad Request} before either validator runs. Note that a declared
     * Content-Length of exactly 1 is not treated as a body by this check (kept as in the
     * original; confirm whether that boundary is intentional).
     *
     * @param httpValidator  validator for all non-OPTIONS requests
     * @param httpValidator2 validator for OPTIONS requests without a payload
     * @return the configured transport
     */
    public static Netty4HttpServerTransport getHttpServerTransportWithHeadersValidator(Settings settings, NetworkService networkService, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry, HttpServerTransport.Dispatcher dispatcher, ClusterSettings clusterSettings, SharedGroupFactory sharedGroupFactory, Tracer tracer, TLSConfig tLSConfig, @Nullable AcceptChannelHandler.AcceptPredicate acceptPredicate, HttpValidator httpValidator, HttpValidator httpValidator2) {
        final HttpValidator methodAwareValidator = (httpRequest, channel, actionListener) -> {
            if (httpRequest.method() == HttpMethod.OPTIONS) {
                final boolean declaresBody = HttpUtil.getContentLength(httpRequest, -1L) > 1 || HttpUtil.isTransferEncodingChunked(httpRequest);
                if (declaresBody) {
                    actionListener.onFailure(new ElasticsearchStatusException("OPTIONS requests with a payload body are not supported", RestStatus.BAD_REQUEST, new Object[0]));
                } else {
                    httpValidator2.validate(httpRequest, channel, actionListener);
                }
            } else {
                httpValidator.validate(httpRequest, channel, actionListener);
            }
        };
        return getHttpServerTransportWithHeadersValidator(settings, networkService, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory, tracer, tLSConfig, acceptPredicate, methodAwareValidator);
    }

    /**
     * Builds the HTTP transport with a single header validator and a fail-closed dispatch hook.
     * <p>
     * The returned subclass overrides {@code populatePerRequestThreadContext} so that a request
     * is only dispatched if an authentication context can be extracted from its HTTP request
     * (presumably stored there by the header validator — see
     * {@code HttpHeadersAuthenticatorUtils}); otherwise an
     * {@link ElasticsearchSecurityException} is thrown and the request is not processed.
     *
     * @param httpValidator the header validator; must not be {@code null}
     * @return the configured transport
     * @throws NullPointerException if {@code httpValidator} is {@code null}
     */
    public static Netty4HttpServerTransport getHttpServerTransportWithHeadersValidator(Settings settings, NetworkService networkService, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry, HttpServerTransport.Dispatcher dispatcher, ClusterSettings clusterSettings, SharedGroupFactory sharedGroupFactory, Tracer tracer, TLSConfig tLSConfig, @Nullable AcceptChannelHandler.AcceptPredicate acceptPredicate, HttpValidator httpValidator) {
        final HttpValidator validator = Objects.requireNonNull(httpValidator);
        return new Netty4HttpServerTransport(settings, networkService, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory, tracer, tLSConfig, acceptPredicate, validator) {
            @Override
            protected void populatePerRequestThreadContext(RestRequest restRequest, ThreadContext threadContext) {
                final ThreadContext.StoredContext authenticationContext = HttpHeadersAuthenticatorUtils.extractAuthenticationContext(restRequest.getHttpRequest());
                if (authenticationContext != null) {
                    authenticationContext.restore();
                    return;
                }
                // Fail closed: no stored authentication means the request never passed the validator.
                throw new ElasticsearchSecurityException("Request is not authenticated", new Object[0]);
            }
        };
    }

    /**
     * Wraps every REST handler in a {@link SecurityRestFilter}.
     * <p>
     * The wrapper is installed whether or not security is enabled; the {@code enabled} flag is
     * passed to the filter, which receives the secondary authenticator, the audit trail and the
     * operator-privileges service from this plugin's holders.
     *
     * @param threadContext the node's thread context, forwarded to the filter
     * @return a function that wraps a handler in the security filter
     */
    public UnaryOperator<RestHandler> getRestHandlerInterceptor(ThreadContext threadContext) {
        return restHandler -> {
            final SecondaryAuthenticator secondaryAuthenticator = (SecondaryAuthenticator) this.secondayAuthc.get();
            final AuditTrailService auditTrail = (AuditTrailService) this.auditTrailService.get();
            return new SecurityRestFilter(this.enabled, threadContext, secondaryAuthenticator, auditTrail, restHandler, (OperatorPrivileges.OperatorPrivilegesService) this.operatorPrivilegesService.get());
        };
    }

    /**
     * Declares the dedicated thread pools used by security when it is enabled.
     * <p>
     * Two fixed pools: the token-service pool (1 thread, queue 1000) and the crypto pool
     * (half the allocated processors rounded up, queue 1000). Neither pool tracks task
     * execution statistics.
     *
     * @param settings node settings used to size the pools
     * @return the executor builders, or an empty list when security is disabled
     */
    public List<ExecutorBuilder<?>> getExecutorBuilders(Settings settings) {
        if (this.enabled == false) {
            return Collections.emptyList();
        }
        final ExecutorBuilder<?> tokenPool = new FixedExecutorBuilder(settings, TokenService.THREAD_POOL_NAME, 1, 1000, "xpack.security.authc.token.thread_pool", EsExecutors.TaskTrackingConfig.DO_NOT_TRACK);
        final int cryptoThreads = (EsExecutors.allocatedProcessors(settings) + 1) / 2;
        final ExecutorBuilder<?> cryptoPool = new FixedExecutorBuilder(settings, SECURITY_CRYPTO_THREAD_POOL_NAME, cryptoThreads, 1000, "xpack.security.crypto.thread_pool", EsExecutors.TaskTrackingConfig.DO_NOT_TRACK);
        return List.of(tokenPool, cryptoPool);
    }

    /**
     * Returns the template upgrader that drops the {@code security_audit_log} and
     * {@code security-index-template} entries from the template map.
     * <p>
     * The map is modified in place and the same instance is returned; entries that are not
     * present are simply skipped.
     *
     * @return the upgrader function
     */
    public UnaryOperator<Map<String, IndexTemplateMetadata>> getIndexTemplateMetadataUpgrader() {
        final List<String> obsoleteTemplates = List.of("security_audit_log", "security-index-template");
        return templates -> {
            obsoleteTemplates.forEach(templates::remove);
            return templates;
        };
    }

    /**
     * Returns the per-index field predicate used for field-level security, or the superclass
     * implementation when security is disabled.
     * <p>
     * For a given index name the predicate grants access to a field only when the thread
     * context carries an {@code _indices_permissions} entry, that entry covers the index, the
     * index's {@link FieldPermissions} define field-level security, and the license permits
     * the feature. In every other case {@link MapperPlugin#NOOP_FIELD_PREDICATE} is returned,
     * i.e. no field is hidden.
     *
     * @return a function from index name to field predicate
     */
    public Function<String, Predicate<String>> getFieldFilter() {
        return this.enabled ? str -> {
            XPackLicenseState licenseState = getLicenseState();
            // Access control for the current request, as stored in the thread context by the
            // authorization step; absent means there is nothing to filter against.
            IndicesAccessControl indicesAccessControl = (IndicesAccessControl) ((ThreadContext) this.threadContext.get()).getTransient("_indices_permissions");
            if (indicesAccessControl == null) {
                return MapperPlugin.NOOP_FIELD_PREDICATE;
            }
            // Any access control that reached this point must already have been granted.
            if (!$assertionsDisabled && !indicesAccessControl.isGranted()) {
                throw new AssertionError();
            }
            IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(str);
            if (indexPermissions == null) {
                return MapperPlugin.NOOP_FIELD_PREDICATE;
            }
            FieldPermissions fieldPermissions = indexPermissions.getFieldPermissions();
            // checkWithoutTracking: the license is consulted but feature usage is not recorded here.
            // NOTE(review): when the license does not allow FLS this falls through to the no-op
            // predicate, i.e. no field filtering is applied — confirm this degraded behaviour is
            // the intended one and that authorization already accounts for it upstream.
            if (fieldPermissions.hasFieldLevelSecurity() && SecurityField.FIELD_LEVEL_SECURITY_FEATURE.checkWithoutTracking(licenseState)) {
                Objects.requireNonNull(fieldPermissions);
                return fieldPermissions::grantsAccessTo;
            }
            return MapperPlugin.NOOP_FIELD_PREDICATE;
        } : super.getFieldFilter();
    }

    /**
     * Supplies the join validator that checks the license against FIPS mode when a node joins.
     *
     * @return a {@link ValidateLicenseForFIPS} configured from
     *         {@link XPackSettings#FIPS_MODE_ENABLED}, or {@code null} when security is disabled
     */
    public BiConsumer<DiscoveryNode, ClusterState> getJoinValidator() {
        if (this.enabled == false) {
            return null;
        }
        final boolean fipsModeEnabled = ((Boolean) XPackSettings.FIPS_MODE_ENABLED.get(this.settings)).booleanValue();
        return new ValidateLicenseForFIPS(fipsModeEnabled, getLicenseService());
    }

    /**
     * Applies reloaded (secure) settings to the components that support it.
     * <p>
     * Currently only JWT realms are affected: for every realm whose type is {@code jwt} and
     * that is a {@link JwtRealm}, the client-authentication shared secret for that realm's
     * namespace is read from {@code settings} and rotated into the realm. Nothing happens when
     * security is disabled.
     *
     * @param settings the reloaded settings
     * @throws Exception propagated from the rotation
     */
    public void reload(Settings settings) throws Exception {
        if (this.enabled == false) {
            return;
        }
        final Realms realms = (Realms) this.realms.get();
        realms.stream()
            .filter(realm -> "jwt".equals(realm.realmRef().getType()))
            .forEach(realm -> {
                if (realm instanceof JwtRealm) {
                    final SecureString clientSecret = (SecureString) JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET
                        .getConcreteSettingForNamespace(realm.realmRef().getName())
                        .get(settings);
                    ((JwtRealm) realm).rotateClientSecret(clientSecret);
                }
            });
    }

    /**
     * Loads security extensions and the optional {@link OperatorOnlyRegistry} implementation.
     * <p>
     * All {@link SecurityExtension}s found are appended to {@code securityExtensions}. At most
     * one {@link OperatorOnlyRegistry} may be provided; a single one is stored in
     * {@code operatorOnlyRegistry} and logged, none leaves the holder untouched.
     *
     * @param extensionLoader the loader used to discover extensions
     * @throws IllegalStateException if more than one {@link OperatorOnlyRegistry} is found
     */
    public void loadExtensions(ExtensiblePlugin.ExtensionLoader extensionLoader) {
        this.securityExtensions.addAll(extensionLoader.loadExtensions(SecurityExtension.class));
        final List<OperatorOnlyRegistry> registries = extensionLoader.loadExtensions(OperatorOnlyRegistry.class);
        if (registries.size() == 1) {
            final OperatorOnlyRegistry registry = registries.get(0);
            this.operatorOnlyRegistry.set(registry);
            logger.debug("Loaded implementation [{}] for interface OperatorOnlyRegistry", registry.getClass().getCanonicalName());
        } else if (registries.size() > 1) {
            throw new IllegalStateException(OperatorOnlyRegistry.class + " may not have multiple implementations");
        }
    }

    /**
     * Returns the single {@link SharedGroupFactory} shared by the HTTP and transport layers,
     * creating it on first use.
     * <p>
     * Synchronized so that concurrent first callers cannot create two factories. Once created,
     * later callers are expected to pass the same settings; a mismatch is an assertion error.
     *
     * @param settings the settings the factory is built from
     * @return the shared factory
     */
    private synchronized SharedGroupFactory getNettySharedGroupFactory(Settings settings) {
        final SharedGroupFactory existing = (SharedGroupFactory) this.sharedGroupFactory.get();
        if (existing != null) {
            if (!$assertionsDisabled && !existing.getSettings().equals(settings)) {
                throw new AssertionError("Different settings than originally provided");
            }
            return existing;
        }
        this.sharedGroupFactory.set(new SharedGroupFactory(settings));
        return (SharedGroupFactory) this.sharedGroupFactory.get();
    }

    /**
     * Returns the system index descriptors owned by {@code systemIndices}.
     *
     * @param settings node settings (not consulted here)
     * @return the security system index descriptors
     */
    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
        final Collection<SystemIndexDescriptor> descriptors = this.systemIndices.getSystemIndexDescriptors();
        return descriptors;
    }

    /**
     * Returns the name under which this plugin's system feature is registered.
     *
     * @return {@code "security"}
     */
    public String getFeatureName() {
        final String featureName = "security";
        return featureName;
    }

    /**
     * Returns the human-readable description of this plugin's system feature.
     *
     * @return a short description of what the security feature manages
     */
    public String getFeatureDescription() {
        final String description = "Manages configuration for Security features, such as users and roles";
        return description;
    }

    /**
     * Supplies the differentiator that contributes to the shard request-cache key.
     * <p>
     * When security is enabled a {@link DlsFlsRequestCacheDifferentiator} built from the license
     * state, the security context holder and the script-service holder is returned (by name,
     * it presumably keys cached results on the requester's DLS/FLS restrictions — see that class).
     *
     * @return the differentiator, or {@code null} when security is disabled
     */
    public CheckedBiConsumer<ShardSearchRequest, StreamOutput, IOException> getRequestCacheKeyDifferentiator() {
        return this.enabled
            ? new DlsFlsRequestCacheDifferentiator(getLicenseState(), this.securityContext, this.scriptServiceReference)
            : null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the reserved (file-based) cluster-state handlers contributed by security.
     *
     * @return a single-element list with the reserved role-mapping handler, or an empty list
     *         when security is disabled
     */
    public List<ReservedClusterStateHandler<?>> reservedClusterStateHandlers() {
        if (this.enabled == false) {
            return Collections.emptyList();
        }
        final ReservedClusterStateHandler<?> roleMappingHandler = (ReservedClusterStateHandler) this.reservedRoleMappingAction.get();
        return List.of(roleMappingHandler);
    }

    /**
     * Returns the operator-privileges service held in {@code operatorPrivilegesService}.
     *
     * @return the service instance (may be {@code null} if the holder was never set)
     */
    OperatorPrivileges.OperatorPrivilegesService getOperatorPrivilegesService() {
        final OperatorPrivileges.OperatorPrivilegesService service = (OperatorPrivileges.OperatorPrivilegesService) this.operatorPrivilegesService.get();
        return service;
    }

    /*
     * Licensed-feature definitions for the security plugin and the class logger.
     *
     * "persistent" features record ongoing usage, "momentary" ones record a check at the point
     * of use, and "momentaryLenient" (IP filtering) is the lenient variant. The operation mode
     * is the minimum license level at which the feature is available: GOLD for IP filtering,
     * auditing and the LDAP/AD/PKI realms; STANDARD for the token service and profile
     * collaboration; PLATINUM for the SAML/OIDC/JWT/Kerberos/custom realms, delegated
     * authorization, the authorization engine and custom role providers; ENTERPRISE for
     * operator privileges and advanced remote-cluster security. Realm features share the
     * REALMS_FEATURE_FAMILY family name; the others have no family.
     */
    static {
        $assertionsDisabled = !Security.class.desiredAssertionStatus();
        IP_FILTERING_FEATURE = LicensedFeature.momentaryLenient((String) null, "security-ip-filtering", License.OperationMode.GOLD);
        AUDITING_FEATURE = LicensedFeature.momentary((String) null, "security-auditing", License.OperationMode.GOLD);
        TOKEN_SERVICE_FEATURE = LicensedFeature.momentary((String) null, "security-token-service", License.OperationMode.STANDARD);
        LDAP_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "ldap", License.OperationMode.GOLD);
        AD_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "active-directory", License.OperationMode.GOLD);
        PKI_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "pki", License.OperationMode.GOLD);
        SAML_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "saml", License.OperationMode.PLATINUM);
        OIDC_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "oidc", License.OperationMode.PLATINUM);
        JWT_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "jwt", License.OperationMode.PLATINUM);
        KERBEROS_REALM_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "kerberos", License.OperationMode.PLATINUM);
        CUSTOM_REALMS_FEATURE = LicensedFeature.persistent(REALMS_FEATURE_FAMILY, "custom", License.OperationMode.PLATINUM);
        DELEGATED_AUTHORIZATION_FEATURE = LicensedFeature.momentary((String) null, "security-delegated-authorization", License.OperationMode.PLATINUM);
        AUTHORIZATION_ENGINE_FEATURE = LicensedFeature.momentary((String) null, "security-authorization-engine", License.OperationMode.PLATINUM);
        CUSTOM_ROLE_PROVIDERS_FEATURE = LicensedFeature.persistent((String) null, "security-roles-provider", License.OperationMode.PLATINUM);
        OPERATOR_PRIVILEGES_FEATURE = LicensedFeature.momentary((String) null, "operator-privileges", License.OperationMode.ENTERPRISE);
        USER_PROFILE_COLLABORATION_FEATURE = LicensedFeature.momentary((String) null, "user-profile-collaboration", License.OperationMode.STANDARD);
        ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE = LicensedFeature.momentary((String) null, "advanced-remote-cluster-security", License.OperationMode.ENTERPRISE);
        // Assigned last; the field is referenced by the validation and extension-loading code above.
        logger = LogManager.getLogger(Security.class);
    }
}
