package org.elasticsearch.xpack.security.transport;

import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.transport.TaskTransportChannel;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.TcpTransportChannel;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.netty4.Netty4TcpChannel;
import org.elasticsearch.transport.nio.NioTcpChannel;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.security.action.SecurityActionMapper;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/ServerTransportFilter.class */
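/**
 * Server-side filter applied to inbound transport requests: it runs the destructive-operations
 * check, optionally extracts the TLS client certificate, then authenticates and authorizes the
 * request before the caller's listener is notified.
 *
 * <p>Every outcome is reported through the {@link ActionListener} passed to
 * {@link #inbound}; the filter itself returns nothing.
 */
final class ServerTransportFilter {
    private static final Logger logger = LogManager.getLogger(ServerTransportFilter.class);

    // Index actions that are checked against DestructiveOperations before authentication runs.
    private static final String CLOSE_INDEX_ACTION = "indices:admin/close";
    private static final String OPEN_INDEX_ACTION = "indices:admin/open";
    private static final String DELETE_INDEX_ACTION = "indices:admin/delete";
    // Action that is authorized as the system user when the caller is not already that user.
    private static final String HANDSHAKE_ACTION = "internal:transport/handshake";

    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    // Not read by any method in this class; inbound() calls SecurityActionMapper.action statically.
    private final SecurityActionMapper actionMapper = new SecurityActionMapper();
    private final ThreadContext threadContext;
    private final boolean extractClientCert;
    private final DestructiveOperations destructiveOperations;
    private final SecurityContext securityContext;

    /**
     * Creates the filter. The decompiler reports that the access modifier was widened from
     * package-private.
     *
     * @param authenticationService service used to authenticate every inbound request
     * @param authorizationService service used to authorize the authenticated request
     * @param threadContext thread context handed to the client-certificate extraction
     * @param z whether client certificates are extracted from TCP channels (stored as
     *     {@code extractClientCert})
     * @param destructiveOperations guard consulted for close/open/delete index requests
     * @param securityContext context used to re-run the handshake authorization as the system user
     */
    public ServerTransportFilter(AuthenticationService authenticationService, AuthorizationService authorizationService, ThreadContext threadContext, boolean z, DestructiveOperations destructiveOperations, SecurityContext securityContext) {
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.threadContext = threadContext;
        this.extractClientCert = z;
        this.destructiveOperations = destructiveOperations;
        this.securityContext = securityContext;
    }

    /**
     * Authenticates and authorizes one inbound transport request.
     *
     * <p>Order of checks: destructive-operations guard (close/open/delete index only), action-name
     * mapping, optional client-certificate extraction, authentication, authorization. A failure in
     * the destructive-operations guard or in authentication is delivered to
     * {@code actionListener.onFailure}; the authorization service receives the listener and
     * completes it itself.
     *
     * @param str the transport action name as received
     * @param transportRequest the inbound request
     * @param transportChannel the channel the request arrived on
     * @param actionListener completed once the request has been authorized or rejected
     * @throws NullPointerException if {@code actionListener} is {@code null}
     */
    public void inbound(String str, TransportRequest transportRequest, TransportChannel transportChannel, ActionListener<Void> actionListener) {
        // Fail fast: the listener is the only error channel, so reject a null one before the
        // thread context is touched or any check has run.
        Objects.requireNonNull(actionListener);

        if (isDestructiveIndexAction(str)) {
            try {
                // NOTE(review): the cast assumes every request sent under these action names
                // implements IndicesRequest; a mismatch would escape as ClassCastException instead
                // of reaching the listener - confirm the transport layer guarantees the type.
                this.destructiveOperations.failDestructive(((IndicesRequest) transportRequest).indices());
            } catch (IllegalArgumentException e) {
                actionListener.onFailure(e);
                return;
            }
        }

        final String action = SecurityActionMapper.action(str, transportRequest);
        extractClientCertificates(transportChannel);

        // The version is read from the channel as passed in, not from the unwrapped task channel.
        final Version version = transportChannel.getVersion();

        // The lambda is passed inline so its parameter type is inferred from the listener type
        // that authenticate() expects; a raw CheckedConsumer would type it as Object.
        // Third argument is passed as true; presumably the allow-anonymous flag - confirm against
        // AuthenticationService.
        this.authcService.authenticate(action, transportRequest, true, ActionListener.wrap(authentication -> {
            if (authentication == null) {
                actionListener.onFailure(new IllegalStateException("no authentication present but auth is allowed"));
                return;
            }
            if (action.equals(HANDSHAKE_ACTION) && !SystemUser.is(authentication.getUser())) {
                // A handshake from a non-system user is authorized under the system user's
                // authentication, read back from the security context inside the callback.
                this.securityContext.executeAsSystemUser(version, storedContext -> {
                    this.authzService.authorize(this.securityContext.getAuthentication(), action, transportRequest, actionListener);
                });
                return;
            }
            this.authzService.authorize(authentication, action, transportRequest, actionListener);
        }, actionListener::onFailure));
    }

    /** Returns whether the action is one of the index actions guarded by DestructiveOperations. */
    private static boolean isDestructiveIndexAction(String actionName) {
        return CLOSE_INDEX_ACTION.equals(actionName)
            || OPEN_INDEX_ACTION.equals(actionName)
            || DELETE_INDEX_ACTION.equals(actionName);
    }

    /**
     * Hands an open Netty4/NIO TCP channel to SSLEngineUtils when extraction is enabled; any other
     * channel type is skipped.
     */
    private void extractClientCertificates(TransportChannel transportChannel) {
        TransportChannel unwrapped = transportChannel;
        if (unwrapped instanceof TaskTransportChannel) {
            // Task channels wrap the real transport channel; look through to the underlying one.
            unwrapped = ((TaskTransportChannel) unwrapped).getChannel();
        }
        if (!this.extractClientCert || !(unwrapped instanceof TcpTransportChannel)) {
            return;
        }
        TcpChannel channel = ((TcpTransportChannel) unwrapped).getChannel();
        boolean supportedChannel = (channel instanceof Netty4TcpChannel) || (channel instanceof NioTcpChannel);
        if (supportedChannel && channel.isOpen()) {
            // Presumably stores the peer certificates in the thread context for later use by
            // authentication - verify in SSLEngineUtils.
            SSLEngineUtils.extractClientCertificates(logger, this.threadContext, channel);
        }
    }
}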
