package org.elasticsearch.xpack.security.support;

import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.GroupedActionListener;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.client.internal.ClusterAdminClient;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.features.NodeFeature;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.reindex.UpdateByQueryAction;
import org.elasticsearch.index.reindex.UpdateByQueryRequest;
import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptType;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequestBuilder;
import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsRequestBuilder;
import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsResponse;
import org.elasticsearch.xpack.core.security.authc.support.mapper.ExpressionRoleMapping;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityMigrations.class */
public class SecurityMigrations {
    public static final Integer ROLE_METADATA_FLATTENED_MIGRATION_VERSION = 1;
    public static final Integer CLEANUP_ROLE_MAPPING_DUPLICATES_MIGRATION_VERSION = 2;
    private static final Logger logger = LogManager.getLogger(SecurityMigration.class);
    public static final TreeMap<Integer, SecurityMigration> MIGRATIONS_BY_VERSION = new TreeMap<>(Map.of(ROLE_METADATA_FLATTENED_MIGRATION_VERSION, new RoleMetadataFlattenedMigration(), CLEANUP_ROLE_MAPPING_DUPLICATES_MIGRATION_VERSION, new CleanupRoleMappingDuplicatesMigration()));

    /* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityMigrations$CleanupRoleMappingDuplicatesMigration.class */
    public static class CleanupRoleMappingDuplicatesMigration implements SecurityMigration {
        static final /* synthetic */ boolean $assertionsDisabled;

        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public void migrate(SecurityIndexManager securityIndexManager, Client client, ActionListener<Void> actionListener) {
            if (securityIndexManager.getRoleMappingsCleanupMigrationStatus() == SecurityIndexManager.RoleMappingsCleanupMigrationStatus.SKIP) {
                actionListener.onResponse((Object) null);
            } else {
                if (!$assertionsDisabled && securityIndexManager.getRoleMappingsCleanupMigrationStatus() != SecurityIndexManager.RoleMappingsCleanupMigrationStatus.READY) {
                    throw new AssertionError();
                }
                CheckedConsumer checkedConsumer = getRoleMappingsResponse -> {
                    List<String> duplicateRoleMappingNames = getDuplicateRoleMappingNames(getRoleMappingsResponse.mappings());
                    if (duplicateRoleMappingNames.isEmpty()) {
                        actionListener.onResponse((Object) null);
                    } else {
                        SecurityMigrations.logger.info("Found [" + duplicateRoleMappingNames.size() + "] role mapping(s) to cleanup in .security index.");
                        deleteNativeRoleMappings(client, duplicateRoleMappingNames, actionListener);
                    }
                };
                Objects.requireNonNull(actionListener);
                getRoleMappings(client, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            }
        }

        private void getRoleMappings(Client client, ActionListener<GetRoleMappingsResponse> actionListener) {
            ClientHelper.executeAsyncWithOrigin(client, "security", GetRoleMappingsAction.INSTANCE, new GetRoleMappingsRequestBuilder(client).request(), actionListener);
        }

        private void deleteNativeRoleMappings(Client client, List<String> list, ActionListener<Void> actionListener) {
            if (!$assertionsDisabled && list.isEmpty()) {
                throw new AssertionError();
            }
            int size = list.size();
            CheckedConsumer checkedConsumer = collection -> {
                long count = collection.stream().filter((v0) -> {
                    return v0.isFound();
                }).count();
                if (collection.size() > count) {
                    SecurityMigrations.logger.warn("[" + (collection.size() - count) + "] Role mapping(s) not found during role mapping clean up.");
                }
                if (count > 0) {
                    SecurityMigrations.logger.info("Deleted [" + count + "] duplicated role mapping(s) from .security index");
                }
                actionListener.onResponse((Object) null);
            };
            Objects.requireNonNull(actionListener);
            GroupedActionListener groupedActionListener = new GroupedActionListener(size, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            Iterator<String> it = list.iterator();
            while (it.hasNext()) {
                ClientHelper.executeAsyncWithOrigin(client, "security", DeleteRoleMappingAction.INSTANCE, new DeleteRoleMappingRequestBuilder(client).name(it.next()).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).request(), groupedActionListener);
            }
        }

        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public boolean checkPreConditions(SecurityIndexManager.State state) {
            return state.roleMappingsCleanupMigrationStatus == SecurityIndexManager.RoleMappingsCleanupMigrationStatus.READY || state.roleMappingsCleanupMigrationStatus == SecurityIndexManager.RoleMappingsCleanupMigrationStatus.SKIP;
        }

        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public Set<NodeFeature> nodeFeaturesRequired() {
            return Set.of();
        }

        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public int minMappingVersion() {
            return SecuritySystemIndices.SecurityMainIndexMappingVersion.ADD_MANAGE_ROLES_PRIVILEGE.id();
        }

        protected static List<String> getDuplicateRoleMappingNames(ExpressionRoleMapping... expressionRoleMappingArr) {
            Map map = (Map) Arrays.stream(expressionRoleMappingArr).collect(Collectors.partitioningBy((v0) -> {
                return v0.isReadOnly();
            }));
            Set set = (Set) ((List) map.get(true)).stream().map((v0) -> {
                return v0.getName();
            }).map(ExpressionRoleMapping::removeReadOnlySuffixIfPresent).collect(Collectors.toSet());
            Stream map2 = ((List) map.get(false)).stream().map((v0) -> {
                return v0.getName();
            });
            Objects.requireNonNull(set);
            return map2.filter((v1) -> {
                return r1.contains(v1);
            }).toList();
        }

        static {
            $assertionsDisabled = !SecurityMigrations.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityMigrations$RoleMetadataFlattenedMigration.class */
    public static class RoleMetadataFlattenedMigration implements SecurityMigration {
        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public void migrate(SecurityIndexManager securityIndexManager, Client client, ActionListener<Void> actionListener) {
            BoolQueryBuilder mustNot = new BoolQueryBuilder().filter(QueryBuilders.termQuery(LoggingAuditTrail.LOG_TYPE, "role")).mustNot(QueryBuilders.existsQuery(FieldNameTranslators.FLATTENED_METADATA_INDEX_FIELD_NAME));
            SearchSourceBuilder trackTotalHits = new SearchSourceBuilder().query(mustNot).size(0).trackTotalHits(true);
            SearchRequest searchRequest = new SearchRequest(new String[]{securityIndexManager.getConcreteIndexName()});
            searchRequest.source(trackTotalHits);
            CheckedConsumer checkedConsumer = searchResponse -> {
                if (searchResponse.getHits().getTotalHits().value() <= 0) {
                    actionListener.onResponse((Object) null);
                } else {
                    SecurityMigrations.logger.info("Preparing to migrate [" + searchResponse.getHits().getTotalHits().value() + "] roles");
                    updateRolesByQuery(securityIndexManager, client, mustNot, actionListener);
                }
            };
            Objects.requireNonNull(actionListener);
            client.search(searchRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }

        private void updateRolesByQuery(SecurityIndexManager securityIndexManager, Client client, BoolQueryBuilder boolQueryBuilder, ActionListener<Void> actionListener) {
            UpdateByQueryRequest updateByQueryRequest = new UpdateByQueryRequest(new String[]{securityIndexManager.getConcreteIndexName()});
            updateByQueryRequest.setQuery(boolQueryBuilder);
            updateByQueryRequest.setScript(new Script(ScriptType.INLINE, "painless", "ctx._source.metadata_flattened = ctx._source.metadata", Collections.emptyMap()));
            ClusterAdminClient cluster = client.admin().cluster();
            UpdateByQueryAction updateByQueryAction = UpdateByQueryAction.INSTANCE;
            CheckedConsumer checkedConsumer = bulkByScrollResponse -> {
                SecurityMigrations.logger.info("Migrated [" + bulkByScrollResponse.getTotal() + "] roles");
                actionListener.onResponse((Object) null);
            };
            Objects.requireNonNull(actionListener);
            cluster.execute(updateByQueryAction, updateByQueryRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }

        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public Set<NodeFeature> nodeFeaturesRequired() {
            return Set.of();
        }

        @Override // org.elasticsearch.xpack.security.support.SecurityMigrations.SecurityMigration
        public int minMappingVersion() {
            return SecuritySystemIndices.SecurityMainIndexMappingVersion.ADD_REMOTE_CLUSTER_AND_DESCRIPTION_FIELDS.id();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityMigrations$SecurityMigration.class */
    public interface SecurityMigration {
        void migrate(SecurityIndexManager securityIndexManager, Client client, ActionListener<Void> actionListener);

        Set<NodeFeature> nodeFeaturesRequired();

        default boolean checkPreConditions(SecurityIndexManager.State state) {
            return true;
        }

        int minMappingVersion();
    }
}
