package org.elasticsearch.xpack.security.transport;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.RunOnce;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.transport.RemoteConnectionManager;
import org.elasticsearch.transport.SendRequestTransportException;
import org.elasticsearch.transport.TcpTransport;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.RemoteAccessAuthentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
import org.elasticsearch.xpack.security.authz.PreAuthorizationUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.class */
public class SecurityServerTransportInterceptor implements TransportInterceptor {
    public static final String REMOTE_ACCESS_CLUSTER_CREDENTIAL_HEADER_KEY = "_remote_access_cluster_credential";
    private static final TransportVersion VERSION_REMOTE_ACCESS_HEADERS;
    private static final Logger logger;
    static final Set<String> REMOTE_ACCESS_ACTION_ALLOWLIST;
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final SSLService sslService;
    private final Map<String, ServerTransportFilter> profileFilters;
    private final ThreadPool threadPool;
    private final Settings settings;
    private final SecurityContext securityContext;
    private final RemoteClusterAuthorizationResolver remoteClusterAuthorizationResolver;
    private final Function<Transport.Connection, Optional<String>> remoteClusterAliasResolver;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$AbstractFilterListener.class */
    public static abstract class AbstractFilterListener implements ActionListener<Void> {
        protected final AbstractRunnable receiveMessage;

        protected AbstractFilterListener(AbstractRunnable abstractRunnable) {
            this.receiveMessage = abstractRunnable;
        }

        public void onFailure(Exception exc) {
            try {
                this.receiveMessage.onFailure(exc);
            } finally {
                this.receiveMessage.onAfter();
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.class */
    public static class ProfileSecuredRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
        private final String action;
        private final TransportRequestHandler<T> handler;
        private final Map<String, ServerTransportFilter> profileFilters;
        private final ThreadContext threadContext;
        private final String executorName;
        private final ThreadPool threadPool;
        private final boolean forceExecution;
        private final Logger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        ProfileSecuredRequestHandler(Logger logger, String str, boolean z, String str2, TransportRequestHandler<T> transportRequestHandler, Map<String, ServerTransportFilter> map, ThreadPool threadPool) {
            this.logger = logger;
            this.action = str;
            this.executorName = str2;
            this.handler = transportRequestHandler;
            this.profileFilters = map;
            this.threadContext = threadPool.getThreadContext();
            this.threadPool = threadPool;
            this.forceExecution = z;
        }

        AbstractRunnable getReceiveRunnable(final T t, final TransportChannel transportChannel, final Task task) {
            Objects.requireNonNull(t);
            final RunOnce runOnce = new RunOnce(t::decRef);
            t.incRef();
            return new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.1
                public boolean isForceExecution() {
                    return ProfileSecuredRequestHandler.this.forceExecution;
                }

                public void onFailure(Exception exc) {
                    try {
                        transportChannel.sendResponse(exc);
                    } catch (Exception e) {
                        e.addSuppressed(exc);
                        ProfileSecuredRequestHandler.this.logger.warn("failed to send exception response for action [" + ProfileSecuredRequestHandler.this.action + "]", e);
                    }
                }

                protected void doRun() throws Exception {
                    ProfileSecuredRequestHandler.this.handler.messageReceived(t, transportChannel, task);
                }

                public void onAfter() {
                    runOnce.run();
                }
            };
        }

        public String toString() {
            return "ProfileSecuredRequestHandler{action='" + this.action + "', executorName='" + this.executorName + "', forceExecution=" + this.forceExecution + "}";
        }

        public void messageReceived(T t, TransportChannel transportChannel, Task task) {
            AbstractFilterListener abstractFilterListener;
            ThreadContext.StoredContext newStoredContextPreservingResponseHeaders = this.threadContext.newStoredContextPreservingResponseHeaders();
            try {
                String profileName = transportChannel.getProfileName();
                ServerTransportFilter serverTransportFilter = this.profileFilters.get(profileName);
                if (serverTransportFilter == null) {
                    if (!".direct".equals(profileName)) {
                        throw new IllegalStateException("transport profile [" + profileName + "] is not associated with a transport filter");
                    }
                    serverTransportFilter = this.profileFilters.get("default");
                }
                if (!$assertionsDisabled && serverTransportFilter == null) {
                    throw new AssertionError();
                }
                AbstractRunnable receiveRunnable = getReceiveRunnable(t, transportChannel, task);
                if ("same".equals(this.executorName)) {
                    abstractFilterListener = new AbstractFilterListener(receiveRunnable) { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.2
                        public void onResponse(Void r3) {
                            this.receiveMessage.run();
                        }
                    };
                } else {
                    final Thread currentThread = Thread.currentThread();
                    abstractFilterListener = new AbstractFilterListener(receiveRunnable) { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.3
                        public void onResponse(Void r4) {
                            if (currentThread == Thread.currentThread()) {
                                this.receiveMessage.run();
                                return;
                            }
                            try {
                                ProfileSecuredRequestHandler.this.threadPool.executor(ProfileSecuredRequestHandler.this.executorName).execute(this.receiveMessage);
                            } catch (Exception e) {
                                onFailure(e);
                            }
                        }
                    };
                }
                serverTransportFilter.inbound(this.action, t, transportChannel, abstractFilterListener);
                if (newStoredContextPreservingResponseHeaders != null) {
                    newStoredContextPreservingResponseHeaders.close();
                }
            } catch (Throwable th) {
                if (newStoredContextPreservingResponseHeaders != null) {
                    try {
                        newStoredContextPreservingResponseHeaders.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        static {
            $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        }
    }

    public SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authenticationService, AuthorizationService authorizationService, SSLService sSLService, SecurityContext securityContext, DestructiveOperations destructiveOperations, RemoteClusterAuthorizationResolver remoteClusterAuthorizationResolver) {
        this(settings, threadPool, authenticationService, authorizationService, sSLService, securityContext, destructiveOperations, remoteClusterAuthorizationResolver, RemoteConnectionManager::resolveRemoteClusterAlias);
    }

    SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authenticationService, AuthorizationService authorizationService, SSLService sSLService, SecurityContext securityContext, DestructiveOperations destructiveOperations, RemoteClusterAuthorizationResolver remoteClusterAuthorizationResolver, Function<Transport.Connection, Optional<String>> function) {
        this.settings = settings;
        this.threadPool = threadPool;
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.sslService = sSLService;
        this.securityContext = securityContext;
        this.profileFilters = initializeProfileFilters(destructiveOperations);
        this.remoteClusterAuthorizationResolver = remoteClusterAuthorizationResolver;
        this.remoteClusterAliasResolver = function;
    }

    public TransportInterceptor.AsyncSender interceptSender(TransportInterceptor.AsyncSender asyncSender) {
        return interceptForAllRequests(TcpTransport.isUntrustedRemoteClusterEnabled() ? interceptForRemoteAccessRequests(asyncSender) : asyncSender);
    }

    private TransportInterceptor.AsyncSender interceptForAllRequests(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.1
            static final /* synthetic */ boolean $assertionsDisabled;

            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                assertNoRemoteAccessHeadersInContext();
                if (!PreAuthorizationUtils.shouldRemoveParentAuthorizationFromThreadContext(SecurityServerTransportInterceptor.this.remoteClusterAliasResolver.apply(connection), str, SecurityServerTransportInterceptor.this.securityContext)) {
                    SecurityServerTransportInterceptor.this.sendRequestInner(asyncSender, connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                    return;
                }
                SecurityContext securityContext = SecurityServerTransportInterceptor.this.securityContext;
                TransportInterceptor.AsyncSender asyncSender2 = asyncSender;
                securityContext.executeAfterRemovingParentAuthorization(storedContext -> {
                    SecurityServerTransportInterceptor.this.sendRequestInner(asyncSender2, connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext), transportResponseHandler));
                });
            }

            private void assertNoRemoteAccessHeadersInContext() {
                if (!$assertionsDisabled && SecurityServerTransportInterceptor.this.securityContext.getThreadContext().getHeader(SecurityServerTransportInterceptor.REMOTE_ACCESS_CLUSTER_CREDENTIAL_HEADER_KEY) != null) {
                    throw new AssertionError("remote access headers should not be in security context");
                }
                if (!$assertionsDisabled && SecurityServerTransportInterceptor.this.securityContext.getThreadContext().getHeader("_remote_access_authentication") != null) {
                    throw new AssertionError("remote access headers should not be in security context");
                }
            }

            static {
                $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
            }
        };
    }

    public <T extends TransportResponse> void sendRequestInner(TransportInterceptor.AsyncSender asyncSender, Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
        TransportVersion min = TransportVersion.min(connection.getTransportVersion(), TransportVersion.CURRENT);
        if (AuthorizationUtils.shouldReplaceUserWithSystem(this.threadPool.getThreadContext(), str)) {
            this.securityContext.executeAsSystemUser(min, storedContext -> {
                sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(this.threadPool.getThreadContext().wrapRestorable(storedContext), transportResponseHandler), asyncSender);
            });
            return;
        }
        if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(this.threadPool.getThreadContext())) {
            AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(this.threadPool.getThreadContext(), this.securityContext, min, storedContext2 -> {
                sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(this.threadPool.getThreadContext().wrapRestorable(storedContext2), transportResponseHandler), asyncSender);
            });
        } else if (this.securityContext.getAuthentication() == null || this.securityContext.getAuthentication().getEffectiveSubject().getTransportVersion().equals(min)) {
            sendWithUser(connection, str, transportRequest, transportRequestOptions, transportResponseHandler, asyncSender);
        } else {
            this.securityContext.executeAfterRewritingAuthentication(storedContext3 -> {
                sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(this.threadPool.getThreadContext().wrapRestorable(storedContext3), transportResponseHandler), asyncSender);
            }, min);
        }
    }

    Map<String, ServerTransportFilter> getProfileFilters() {
        return this.profileFilters;
    }

    private TransportInterceptor.AsyncSender interceptForRemoteAccessRequests(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.2
            static final /* synthetic */ boolean $assertionsDisabled;

            /* JADX INFO: Access modifiers changed from: package-private */
            /* renamed from: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$2$RemoteAccessCredentials */
            /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials.class */
            public static final class RemoteAccessCredentials extends Record {
                private final String clusterAlias;
                private final String credentials;

                RemoteAccessCredentials(String str, String str2) {
                    this.clusterAlias = str;
                    this.credentials = str2;
                }

                void writeToContext(ThreadContext threadContext) {
                    threadContext.putHeader(SecurityServerTransportInterceptor.REMOTE_ACCESS_CLUSTER_CREDENTIAL_HEADER_KEY, withApiKeyPrefix(this.credentials));
                }

                private String withApiKeyPrefix(String str) {
                    return "ApiKey " + str;
                }

                @Override // java.lang.Record
                public final String toString() {
                    return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, RemoteAccessCredentials.class), RemoteAccessCredentials.class, "clusterAlias;credentials", "FIELD:Lorg/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials;->clusterAlias:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials;->credentials:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
                }

                @Override // java.lang.Record
                public final int hashCode() {
                    return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, RemoteAccessCredentials.class), RemoteAccessCredentials.class, "clusterAlias;credentials", "FIELD:Lorg/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials;->clusterAlias:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials;->credentials:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
                }

                @Override // java.lang.Record
                public final boolean equals(Object obj) {
                    return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, RemoteAccessCredentials.class, Object.class), RemoteAccessCredentials.class, "clusterAlias;credentials", "FIELD:Lorg/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials;->clusterAlias:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$2$RemoteAccessCredentials;->credentials:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
                }

                public String clusterAlias() {
                    return this.clusterAlias;
                }

                public String credentials() {
                    return this.credentials;
                }
            }

            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                Optional<RemoteAccessCredentials> remoteAccessCredentials = getRemoteAccessCredentials(connection, str);
                if (remoteAccessCredentials.isPresent()) {
                    sendWithRemoteAccessHeaders(remoteAccessCredentials.get(), connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                    return;
                }
                try {
                    asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                } catch (Exception e) {
                    transportResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
                }
            }

            private Optional<RemoteAccessCredentials> getRemoteAccessCredentials(Transport.Connection connection, String str) {
                Optional<String> apply = SecurityServerTransportInterceptor.this.remoteClusterAliasResolver.apply(connection);
                if (apply.isEmpty()) {
                    SecurityServerTransportInterceptor.logger.trace("Connection is not remote");
                    return Optional.empty();
                }
                String str2 = apply.get();
                String resolveAuthorization = SecurityServerTransportInterceptor.this.remoteClusterAuthorizationResolver.resolveAuthorization(str2);
                if (resolveAuthorization == null) {
                    SecurityServerTransportInterceptor.logger.trace("No cluster credential is configured for remote cluster [{}]", str2);
                    return Optional.empty();
                }
                if (false == SecurityServerTransportInterceptor.REMOTE_ACCESS_ACTION_ALLOWLIST.contains(str)) {
                    SecurityServerTransportInterceptor.logger.trace("Action [{}] towards remote cluster [{}] is not allow-listed", str, str2);
                    return Optional.empty();
                }
                Authentication authentication = SecurityServerTransportInterceptor.this.securityContext.getAuthentication();
                if (!$assertionsDisabled && authentication == null) {
                    throw new AssertionError("authentication must be present in security context");
                }
                Subject effectiveSubject = authentication.getEffectiveSubject();
                if (false != effectiveSubject.getType().equals(Subject.Type.USER)) {
                    return Optional.of(new RemoteAccessCredentials(str2, resolveAuthorization));
                }
                SecurityServerTransportInterceptor.logger.trace("Effective subject of request to remote cluster [{}] has an unsupported type [{}]", str2, effectiveSubject.getType());
                return Optional.empty();
            }

            private <T extends TransportResponse> void sendWithRemoteAccessHeaders(RemoteAccessCredentials remoteAccessCredentials, Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                String clusterAlias = remoteAccessCredentials.clusterAlias();
                if (connection.getTransportVersion().before(SecurityServerTransportInterceptor.VERSION_REMOTE_ACCESS_HEADERS)) {
                    throw new IllegalArgumentException("Settings for remote cluster [" + clusterAlias + "] indicate remote access headers should be sent but target cluster version [" + connection.getTransportVersion() + "] does not support receiving them");
                }
                SecurityServerTransportInterceptor.logger.debug("Sending [{}] request to [{}] with remote access headers for [{}] action", transportRequest.getClass(), clusterAlias, str);
                Authentication authentication = SecurityServerTransportInterceptor.this.securityContext.getAuthentication();
                if (!$assertionsDisabled && authentication == null) {
                    throw new AssertionError("authentication must be present in security context");
                }
                ThreadContext threadContext = SecurityServerTransportInterceptor.this.securityContext.getThreadContext();
                TransportService.ContextRestoreResponseHandler contextRestoreResponseHandler = new TransportService.ContextRestoreResponseHandler(threadContext.newRestorableContext(true), transportResponseHandler);
                User user = authentication.getEffectiveSubject().getUser();
                if (!SystemUser.is(user)) {
                    if (User.isInternal(user)) {
                        String str2 = "internal user [" + user.principal() + "] should not be used for cross cluster requests";
                        if (!$assertionsDisabled) {
                            throw new AssertionError(str2);
                        }
                        throw new IllegalArgumentException(str2);
                    }
                    AuthorizationService authorizationService = SecurityServerTransportInterceptor.this.authzService;
                    Subject effectiveSubject = authentication.getEffectiveSubject();
                    TransportInterceptor.AsyncSender asyncSender2 = asyncSender;
                    authorizationService.retrieveRemoteAccessRoleDescriptorsIntersection(clusterAlias, effectiveSubject, ActionListener.wrap(roleDescriptorsIntersection -> {
                        ThreadContext.StoredContext stashContext = threadContext.stashContext();
                        try {
                            remoteAccessCredentials.writeToContext(threadContext);
                            new RemoteAccessAuthentication(authentication, roleDescriptorsIntersection).writeToContext(threadContext);
                            asyncSender2.sendRequest(connection, str, transportRequest, transportRequestOptions, contextRestoreResponseHandler);
                            if (stashContext != null) {
                                stashContext.close();
                            }
                        } catch (Throwable th) {
                            if (stashContext != null) {
                                try {
                                    stashContext.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    }, exc -> {
                        contextRestoreResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, exc));
                    }));
                    return;
                }
                try {
                    ThreadContext.StoredContext stashContext = threadContext.stashContext();
                    try {
                        remoteAccessCredentials.writeToContext(threadContext);
                        new RemoteAccessAuthentication(authentication, RoleDescriptorsIntersection.EMPTY).writeToContext(threadContext);
                        asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, contextRestoreResponseHandler);
                        if (stashContext != null) {
                            stashContext.close();
                        }
                    } finally {
                    }
                } catch (IOException e) {
                    contextRestoreResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
                }
            }

            static {
                $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
            }
        };
    }

    private <T extends TransportResponse> void sendWithUser(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler, TransportInterceptor.AsyncSender asyncSender) {
        if (this.securityContext.getAuthentication() == null) {
            assertNoAuthentication(str);
            throw new IllegalStateException("there should always be a user when sending a message for action [" + str + "]");
        }
        if (!$assertionsDisabled && this.securityContext.getParentAuthorization() != null && this.remoteClusterAliasResolver.apply(connection).isPresent()) {
            throw new AssertionError("parent authorization header should not be set for remote cluster requests");
        }
        try {
            asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
        } catch (Exception e) {
            transportResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
        }
    }

    void assertNoAuthentication(String str) {
        if (!$assertionsDisabled) {
            throw new AssertionError("there should always be a user when sending a message for action [" + str + "]");
        }
    }

    public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, String str2, boolean z, TransportRequestHandler<T> transportRequestHandler) {
        return new ProfileSecuredRequestHandler(logger, str, z, str2, transportRequestHandler, this.profileFilters, this.threadPool);
    }

    private Map<String, ServerTransportFilter> initializeProfileFilters(DestructiveOperations destructiveOperations) {
        Map<String, SslConfiguration> map = ProfileConfigurations.get(this.settings, this.sslService, false);
        Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(map.size() + 1);
        boolean booleanValue = ((Boolean) XPackSettings.TRANSPORT_SSL_ENABLED.get(this.settings)).booleanValue();
        boolean booleanValue2 = ((Boolean) RemoteClusterPortSettings.REMOTE_CLUSTER_PORT_ENABLED.get(this.settings)).booleanValue();
        boolean z = booleanValue2 && ((Boolean) XPackSettings.REMOTE_CLUSTER_SSL_ENABLED.get(this.settings)).booleanValue();
        for (Map.Entry<String, SslConfiguration> entry : map.entrySet()) {
            SslConfiguration value = entry.getValue();
            String key = entry.getKey();
            newMapWithExpectedSize.put(key, new ServerTransportFilter(this.authcService, this.authzService, this.threadPool.getThreadContext(), (booleanValue2 && "_remote_cluster".equals(key)) ? z && SSLService.isSSLClientAuthEnabled(value) : booleanValue && SSLService.isSSLClientAuthEnabled(value), destructiveOperations, this.securityContext));
        }
        return Collections.unmodifiableMap(newMapWithExpectedSize);
    }

    static {
        $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        VERSION_REMOTE_ACCESS_HEADERS = TransportVersion.V_8_7_0;
        logger = LogManager.getLogger(SecurityServerTransportInterceptor.class);
        REMOTE_ACCESS_ACTION_ALLOWLIST = (Set) Stream.of((Object[]) new String[]{"indices:data/read/search", "cluster:monitor/state", "indices:admin/shards/search_shards", "indices:data/read/search[free_context/scroll]", "indices:data/read/search[free_context]", "indices:data/read/search[clear_scroll_contexts]", "indices:data/read/search[phase/dfs]", "indices:data/read/search[phase/query]", "indices:data/read/search[phase/query/id]", "indices:data/read/search[phase/query/scroll]", "indices:data/read/search[phase/query+fetch/scroll]", "indices:data/read/search[phase/fetch/id/scroll]", "indices:data/read/search[phase/fetch/id]", "indices:data/read/search[can_match]", "indices:data/read/search[can_match][n]"}).flatMap(str -> {
            return Stream.of((Object[]) new String[]{str, TransportActionProxy.getProxyAction(str)});
        }).collect(Collectors.toUnmodifiableSet());
    }
}
