package org.elasticsearch.xpack.security.transport;

import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.RunOnce;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.SendRequestTransportException;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.class */
public class SecurityServerTransportInterceptor implements TransportInterceptor {
    private static final Logger logger;
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final SSLService sslService;
    private final Map<String, ServerTransportFilter> profileFilters;
    private final ThreadPool threadPool;
    private final Settings settings;
    private final SecurityContext securityContext;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$AbstractFilterListener.class */
    public static abstract class AbstractFilterListener implements ActionListener<Void> {
        protected final AbstractRunnable receiveMessage;

        protected AbstractFilterListener(AbstractRunnable abstractRunnable) {
            this.receiveMessage = abstractRunnable;
        }

        public void onFailure(Exception exc) {
            try {
                this.receiveMessage.onFailure(exc);
            } finally {
                this.receiveMessage.onAfter();
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.class */
    public static class ProfileSecuredRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
        private final String action;
        private final TransportRequestHandler<T> handler;
        private final Map<String, ServerTransportFilter> profileFilters;
        private final ThreadContext threadContext;
        private final String executorName;
        private final ThreadPool threadPool;
        private final boolean forceExecution;
        private final Logger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        ProfileSecuredRequestHandler(Logger logger, String str, boolean z, String str2, TransportRequestHandler<T> transportRequestHandler, Map<String, ServerTransportFilter> map, ThreadPool threadPool) {
            this.logger = logger;
            this.action = str;
            this.executorName = str2;
            this.handler = transportRequestHandler;
            this.profileFilters = map;
            this.threadContext = threadPool.getThreadContext();
            this.threadPool = threadPool;
            this.forceExecution = z;
        }

        AbstractRunnable getReceiveRunnable(final T t, final TransportChannel transportChannel, final Task task) {
            Objects.requireNonNull(t);
            final RunOnce runOnce = new RunOnce(t::decRef);
            t.incRef();
            return new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.1
                public boolean isForceExecution() {
                    return ProfileSecuredRequestHandler.this.forceExecution;
                }

                public void onFailure(Exception exc) {
                    try {
                        transportChannel.sendResponse(exc);
                    } catch (Exception e) {
                        e.addSuppressed(exc);
                        ProfileSecuredRequestHandler.this.logger.warn("failed to send exception response for action [" + ProfileSecuredRequestHandler.this.action + "]", e);
                    }
                }

                protected void doRun() throws Exception {
                    ProfileSecuredRequestHandler.this.handler.messageReceived(t, transportChannel, task);
                }

                public void onAfter() {
                    runOnce.run();
                }
            };
        }

        public String toString() {
            return "ProfileSecuredRequestHandler{action='" + this.action + "', executorName='" + this.executorName + "', forceExecution=" + this.forceExecution + "}";
        }

        public void messageReceived(T t, TransportChannel transportChannel, Task task) {
            AbstractFilterListener abstractFilterListener;
            ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
            try {
                String profileName = transportChannel.getProfileName();
                ServerTransportFilter serverTransportFilter = this.profileFilters.get(profileName);
                if (serverTransportFilter == null) {
                    if (!".direct".equals(profileName)) {
                        throw new IllegalStateException("transport profile [" + profileName + "] is not associated with a transport filter");
                    }
                    serverTransportFilter = this.profileFilters.get("default");
                }
                if (!$assertionsDisabled && serverTransportFilter == null) {
                    throw new AssertionError();
                }
                AbstractRunnable receiveRunnable = getReceiveRunnable(t, transportChannel, task);
                if ("same".equals(this.executorName)) {
                    abstractFilterListener = new AbstractFilterListener(receiveRunnable) { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.2
                        public void onResponse(Void r3) {
                            this.receiveMessage.run();
                        }
                    };
                } else {
                    final Thread currentThread = Thread.currentThread();
                    abstractFilterListener = new AbstractFilterListener(receiveRunnable) { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.3
                        public void onResponse(Void r4) {
                            if (currentThread == Thread.currentThread()) {
                                this.receiveMessage.run();
                                return;
                            }
                            try {
                                ProfileSecuredRequestHandler.this.threadPool.executor(ProfileSecuredRequestHandler.this.executorName).execute(this.receiveMessage);
                            } catch (Exception e) {
                                onFailure(e);
                            }
                        }
                    };
                }
                serverTransportFilter.inbound(this.action, t, transportChannel, abstractFilterListener);
                if (newStoredContext != null) {
                    newStoredContext.close();
                }
            } catch (Throwable th) {
                if (newStoredContext != null) {
                    try {
                        newStoredContext.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        static {
            $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        }
    }

    public SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authenticationService, AuthorizationService authorizationService, SSLService sSLService, SecurityContext securityContext, DestructiveOperations destructiveOperations) {
        this.settings = settings;
        this.threadPool = threadPool;
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.sslService = sSLService;
        this.securityContext = securityContext;
        this.profileFilters = initializeProfileFilters(destructiveOperations);
    }

    public TransportInterceptor.AsyncSender interceptSender(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.1
            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                Version min = Version.min(connection.getVersion(), Version.CURRENT);
                if (AuthorizationUtils.shouldReplaceUserWithSystem(SecurityServerTransportInterceptor.this.threadPool.getThreadContext(), str)) {
                    SecurityContext securityContext = SecurityServerTransportInterceptor.this.securityContext;
                    TransportInterceptor.AsyncSender asyncSender2 = asyncSender;
                    securityContext.executeAsSystemUser(min, storedContext -> {
                        SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext), transportResponseHandler), asyncSender2);
                    });
                } else {
                    if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(SecurityServerTransportInterceptor.this.threadPool.getThreadContext())) {
                        ThreadContext threadContext = SecurityServerTransportInterceptor.this.threadPool.getThreadContext();
                        SecurityContext securityContext2 = SecurityServerTransportInterceptor.this.securityContext;
                        TransportInterceptor.AsyncSender asyncSender3 = asyncSender;
                        AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(threadContext, securityContext2, min, storedContext2 -> {
                            SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext2), transportResponseHandler), asyncSender3);
                        });
                        return;
                    }
                    if (SecurityServerTransportInterceptor.this.securityContext.getAuthentication() == null || SecurityServerTransportInterceptor.this.securityContext.getAuthentication().getVersion().equals(min)) {
                        SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, transportResponseHandler, asyncSender);
                        return;
                    }
                    SecurityContext securityContext3 = SecurityServerTransportInterceptor.this.securityContext;
                    TransportInterceptor.AsyncSender asyncSender4 = asyncSender;
                    securityContext3.executeAfterRewritingAuthentication(storedContext3 -> {
                        SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext3), transportResponseHandler), asyncSender4);
                    }, min);
                }
            }
        };
    }

    private <T extends TransportResponse> void sendWithUser(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler, TransportInterceptor.AsyncSender asyncSender) {
        if (this.securityContext.getAuthentication() == null) {
            assertNoAuthentication(str);
            throw new IllegalStateException("there should always be a user when sending a message for action [" + str + "]");
        }
        try {
            asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
        } catch (Exception e) {
            transportResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
        }
    }

    void assertNoAuthentication(String str) {
        if (!$assertionsDisabled) {
            throw new AssertionError("there should always be a user when sending a message for action [" + str + "]");
        }
    }

    public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, String str2, boolean z, TransportRequestHandler<T> transportRequestHandler) {
        return new ProfileSecuredRequestHandler(logger, str, z, str2, transportRequestHandler, this.profileFilters, this.threadPool);
    }

    private Map<String, ServerTransportFilter> initializeProfileFilters(DestructiveOperations destructiveOperations) {
        Map<String, SslConfiguration> map = ProfileConfigurations.get(this.settings, this.sslService, this.sslService.getSSLConfiguration(SecurityField.setting("transport.ssl")));
        Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(map.size() + 1);
        boolean booleanValue = ((Boolean) XPackSettings.TRANSPORT_SSL_ENABLED.get(this.settings)).booleanValue();
        for (Map.Entry<String, SslConfiguration> entry : map.entrySet()) {
            newMapWithExpectedSize.put(entry.getKey(), new ServerTransportFilter(this.authcService, this.authzService, this.threadPool.getThreadContext(), booleanValue && SSLService.isSSLClientAuthEnabled(entry.getValue()), destructiveOperations, this.securityContext));
        }
        return Collections.unmodifiableMap(newMapWithExpectedSize);
    }

    static {
        $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        logger = LogManager.getLogger(SecurityServerTransportInterceptor.class);
    }
}
