package org.elasticsearch.xpack.security.authc.esnative;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionType;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.search.TransportSearchAction;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.client.internal.Requests;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.engine.DocumentMissingException;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheAction;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheRequest;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheResponse;
import org.elasticsearch.xpack.core.security.action.user.ChangePasswordRequest;
import org.elasticsearch.xpack.core.security.action.user.DeleteUserRequest;
import org.elasticsearch.xpack.core.security.action.user.PutUserRequest;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.esnative.ClientReservedRealm;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.class */
public class NativeUsersStore {
    public static final String USER_DOC_TYPE = "user";
    public static final String RESERVED_USER_TYPE = "reserved-user";
    private static final Logger logger;
    private final Settings settings;
    private final Client client;
    private final SecurityIndexManager securityIndex;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult.class */
    public static final class QueryUserResult extends Record {
        private final User user;
        private final Object[] sortValues;

        public QueryUserResult(User user, Object[] objArr) {
            this.user = user;
            this.sortValues = objArr;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, QueryUserResult.class), QueryUserResult.class, "user;sortValues", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult;->user:Lorg/elasticsearch/xpack/core/security/user/User;", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult;->sortValues:[Ljava/lang/Object;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, QueryUserResult.class), QueryUserResult.class, "user;sortValues", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult;->user:Lorg/elasticsearch/xpack/core/security/user/User;", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult;->sortValues:[Ljava/lang/Object;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, QueryUserResult.class, Object.class), QueryUserResult.class, "user;sortValues", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult;->user:Lorg/elasticsearch/xpack/core/security/user/User;", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResult;->sortValues:[Ljava/lang/Object;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public User user() {
            return this.user;
        }

        public Object[] sortValues() {
            return this.sortValues;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults.class */
    public static final class QueryUserResults extends Record {
        private final List<QueryUserResult> userQueryResult;
        private final long total;
        public static final QueryUserResults EMPTY = new QueryUserResults(List.of(), 0);

        public QueryUserResults(List<QueryUserResult> list, long j) {
            this.userQueryResult = list;
            this.total = j;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, QueryUserResults.class), QueryUserResults.class, "userQueryResult;total", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults;->userQueryResult:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults;->total:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, QueryUserResults.class), QueryUserResults.class, "userQueryResult;total", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults;->userQueryResult:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults;->total:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, QueryUserResults.class, Object.class), QueryUserResults.class, "userQueryResult;total", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults;->userQueryResult:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$QueryUserResults;->total:J").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public List<QueryUserResult> userQueryResult() {
            return this.userQueryResult;
        }

        public long total() {
            return this.total;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$ReservedUserInfo.class */
    public static final class ReservedUserInfo {
        public final char[] passwordHash;
        public final boolean enabled;
        private final Hasher hasher;

        /* JADX INFO: Access modifiers changed from: package-private */
        public ReservedUserInfo(char[] cArr, boolean z) {
            this.passwordHash = cArr;
            this.enabled = z;
            this.hasher = Hasher.resolveFromHash(this.passwordHash);
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean hasEmptyPassword() {
            return this.passwordHash.length == 0;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public boolean verifyPassword(SecureString secureString) {
            return this.hasher.verify(secureString, this.passwordHash);
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public static ReservedUserInfo defaultEnabledUserInfo() {
            return new ReservedUserInfo(new char[0], true);
        }

        static ReservedUserInfo defaultDisabledUserInfo() {
            return new ReservedUserInfo(new char[0], false);
        }
    }

    public NativeUsersStore(Settings settings, Client client, SecurityIndexManager securityIndexManager) {
        this.settings = settings;
        this.client = client;
        this.securityIndex = securityIndexManager;
    }

    public void getUser(String str, ActionListener<User> actionListener) {
        CheckedConsumer checkedConsumer = userAndPassword -> {
            actionListener.onResponse(userAndPassword == null ? null : userAndPassword.user());
        };
        Objects.requireNonNull(actionListener);
        getUserAndPassword(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void getUsers(String[] strArr, ActionListener<Collection<User>> actionListener) {
        Consumer consumer = exc -> {
            if (TransportActions.isShardNotAvailableException(exc)) {
                logger.trace("could not retrieve users because of a shard not available exception", exc);
                if (exc instanceof IndexNotFoundException) {
                    actionListener.onResponse(Collections.emptyList());
                } else {
                    actionListener.onFailure(exc);
                }
            }
            actionListener.onFailure(exc);
        };
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(Collections.emptyList());
            return;
        }
        if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
            actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.PRIMARY_SHARDS));
        } else {
            if (strArr.length == 1) {
                getUserAndPassword(strArr[0], ActionListener.wrap(userAndPassword -> {
                    actionListener.onResponse(userAndPassword == null ? Collections.emptyList() : Collections.singletonList(userAndPassword.user()));
                }, consumer));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                BoolQueryBuilder termQuery = (strArr == null || strArr.length == 0) ? QueryBuilders.termQuery(User.Fields.TYPE.getPreferredName(), USER_DOC_TYPE) : QueryBuilders.boolQuery().filter(QueryBuilders.idsQuery().addIds((String[]) Arrays.stream(strArr).map(str -> {
                    return getIdForUser(USER_DOC_TYPE, str);
                }).toArray(i -> {
                    return new String[i];
                })));
                Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
                ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
                try {
                    SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(termQuery).setSize(1000).setFetchSource(true).request();
                    request.indicesOptions().ignoreUnavailable();
                    ScrollHelper.fetchAllByEntity(this.client, request, new ContextPreservingActionListener(newRestorableContext, actionListener), searchHit -> {
                        UserAndPassword transformUser = transformUser(searchHit.getId(), searchHit.getSourceAsMap());
                        if (transformUser != null) {
                            return transformUser.user();
                        }
                        return null;
                    });
                    if (stashWithOrigin != null) {
                        stashWithOrigin.close();
                    }
                } catch (Throwable th) {
                    if (stashWithOrigin != null) {
                        try {
                            stashWithOrigin.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            });
        }
    }

    public void queryUsers(SearchRequest searchRequest, ActionListener<QueryUserResults> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            logger.debug("security index does not exist");
            actionListener.onResponse(QueryUserResults.EMPTY);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                ActionType actionType = TransportSearchAction.TYPE;
                CheckedConsumer checkedConsumer = searchResponse -> {
                    long value = searchResponse.getHits().getTotalHits().value();
                    if (value != 0) {
                        actionListener.onResponse(new QueryUserResults(Arrays.stream(searchResponse.getHits().getHits()).map(searchHit -> {
                            UserAndPassword transformUser = transformUser(searchHit.getId(), searchHit.getSourceAsMap());
                            if (transformUser != null) {
                                return new QueryUserResult(transformUser.user(), searchHit.getSortValues());
                            }
                            return null;
                        }).filter((v0) -> {
                            return Objects.nonNull(v0);
                        }).toList(), value));
                    } else {
                        logger.debug("No users found for query [{}]", searchRequest.source().query());
                        actionListener.onResponse(QueryUserResults.EMPTY);
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", actionType, searchRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void getUserCount(ActionListener<Long> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(0L);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setQuery(QueryBuilders.termQuery(User.Fields.TYPE.getPreferredName(), USER_DOC_TYPE)).setSize(0).setTrackTotalHits(true).request();
                ActionListener safeMap = actionListener.safeMap(searchResponse -> {
                    return Long.valueOf(searchResponse.getHits().getTotalHits().value());
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, safeMap, client::search);
            });
        }
    }

    private void getUserAndPassword(String str, ActionListener<UserAndPassword> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                GetRequest request = this.client.prepareGet(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(USER_DOC_TYPE, str)).request();
                ActionListener<GetResponse> actionListener2 = new ActionListener<GetResponse>(this) { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.1
                    public void onResponse(GetResponse getResponse) {
                        NativeUsersStore.logger.trace("user [{}] is doc [{}] in index [{}] with primTerm [{}] and seqNo [{}]", str, getResponse.getId(), getResponse.getIndex(), Long.valueOf(getResponse.getPrimaryTerm()), Long.valueOf(getResponse.getSeqNo()));
                        actionListener.onResponse(NativeUsersStore.transformUser(getResponse.getId(), getResponse.getSource()));
                    }

                    public void onFailure(Exception exc) {
                        if (exc instanceof IndexNotFoundException) {
                            Logger logger2 = NativeUsersStore.logger;
                            String str2 = str;
                            logger2.trace(() -> {
                                return "could not retrieve user [" + str2 + "] because security index does not exist";
                            }, exc);
                        } else {
                            Logger logger3 = NativeUsersStore.logger;
                            String str3 = str;
                            logger3.error(() -> {
                                return "failed to retrieve user [" + str3 + "]";
                            }, exc);
                        }
                        actionListener.onResponse((Object) null);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::get);
            });
        } else {
            if (defensiveCopy.indexExists()) {
                logger.warn("could not retrieve user [{}] because security index is not available", str);
            } else {
                logger.trace("could not retrieve user [{}] because security index does not exist", str);
            }
            actionListener.onResponse((Object) null);
        }
    }

    public void changePassword(ChangePasswordRequest changePasswordRequest, ActionListener<Void> actionListener) {
        String username = changePasswordRequest.username();
        String str = ClientReservedRealm.isReserved(username, this.settings) ? RESERVED_USER_TYPE : USER_DOC_TYPE;
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        String str2 = str;
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            UpdateRequest request = this.client.prepareUpdate(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(str2, username)).setDoc(Requests.INDEX_CONTENT_TYPE, new Object[]{User.Fields.PASSWORD.getPreferredName(), String.valueOf(changePasswordRequest.passwordHash())}).setRefreshPolicy(changePasswordRequest.getRefreshPolicy()).request();
            ActionListener<UpdateResponse> actionListener2 = new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.2
                static final /* synthetic */ boolean $assertionsDisabled;

                public void onResponse(UpdateResponse updateResponse) {
                    if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED && updateResponse.getResult() != DocWriteResponse.Result.NOOP) {
                        throw new AssertionError();
                    }
                    NativeUsersStore.this.clearRealmCache(changePasswordRequest.username(), actionListener, null);
                }

                public void onFailure(Exception exc) {
                    if (!NativeUsersStore.isIndexNotFoundOrDocumentMissing(exc)) {
                        actionListener.onFailure(exc);
                        return;
                    }
                    if (str2.equals(NativeUsersStore.RESERVED_USER_TYPE)) {
                        NativeUsersStore.this.updateReservedUser(username, changePasswordRequest.passwordHash(), DocWriteRequest.OpType.INDEX, changePasswordRequest.getRefreshPolicy(), actionListener);
                        return;
                    }
                    Logger logger2 = NativeUsersStore.logger;
                    ChangePasswordRequest changePasswordRequest2 = changePasswordRequest;
                    logger2.debug(() -> {
                        return Strings.format("failed to change password for user [%s]", new Object[]{changePasswordRequest2.username()});
                    }, exc);
                    ValidationException validationException = new ValidationException();
                    validationException.addValidationError("user must exist in order to change password");
                    actionListener.onFailure(validationException);
                }

                static {
                    $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
                }
            };
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::update);
        });
    }

    public void createElasticUser(char[] cArr, ActionListener<Void> actionListener) {
        updateReservedUser("elastic", cArr, DocWriteRequest.OpType.CREATE, WriteRequest.RefreshPolicy.IMMEDIATE, actionListener);
    }

    private void updateReservedUser(String str, char[] cArr, DocWriteRequest.OpType opType, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<Void> actionListener) {
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            IndexRequest request = this.client.prepareIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS).setOpType(opType).setId(getIdForUser(RESERVED_USER_TYPE, str)).setSource(new Object[]{User.Fields.PASSWORD.getPreferredName(), String.valueOf(cArr), User.Fields.ENABLED.getPreferredName(), true, User.Fields.TYPE.getPreferredName(), RESERVED_USER_TYPE}).setRefreshPolicy(refreshPolicy).request();
            ActionListener delegateFailure = actionListener.delegateFailure((actionListener2, docWriteResponse) -> {
                clearRealmCache(str, actionListener2, null);
            });
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, delegateFailure, client::index);
        });
    }

    public void putUser(PutUserRequest putUserRequest, ActionListener<Boolean> actionListener) {
        if (putUserRequest.passwordHash() == null) {
            updateUserWithoutPassword(putUserRequest, actionListener);
        } else {
            indexUser(putUserRequest, actionListener);
        }
    }

    private void updateUserWithoutPassword(PutUserRequest putUserRequest, ActionListener<Boolean> actionListener) {
        if (!$assertionsDisabled && putUserRequest.passwordHash() != null) {
            throw new AssertionError();
        }
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            UpdateRequest request = this.client.prepareUpdate(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(USER_DOC_TYPE, putUserRequest.username())).setDoc(Requests.INDEX_CONTENT_TYPE, new Object[]{User.Fields.USERNAME.getPreferredName(), putUserRequest.username(), User.Fields.ROLES.getPreferredName(), putUserRequest.roles(), User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(), User.Fields.EMAIL.getPreferredName(), putUserRequest.email(), User.Fields.METADATA.getPreferredName(), putUserRequest.metadata(), User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(putUserRequest.enabled()), User.Fields.TYPE.getPreferredName(), USER_DOC_TYPE}).setRefreshPolicy(putUserRequest.getRefreshPolicy()).request();
            ActionListener<UpdateResponse> actionListener2 = new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.3
                static final /* synthetic */ boolean $assertionsDisabled;

                public void onResponse(UpdateResponse updateResponse) {
                    if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED && updateResponse.getResult() != DocWriteResponse.Result.NOOP) {
                        throw new AssertionError("Expected 'UPDATED' or 'NOOP' result [" + String.valueOf(updateResponse) + "] for request [" + String.valueOf(putUserRequest) + "]");
                    }
                    NativeUsersStore.this.clearRealmCache(putUserRequest.username(), actionListener, false);
                }

                public void onFailure(Exception exc) {
                    Exception exc2 = exc;
                    if (NativeUsersStore.isIndexNotFoundOrDocumentMissing(exc)) {
                        Logger logger2 = NativeUsersStore.logger;
                        PutUserRequest putUserRequest2 = putUserRequest;
                        logger2.debug(() -> {
                            return Strings.format("failed to update user document with username [%s]", new Object[]{putUserRequest2.username()});
                        }, exc);
                        Exception validationException = new ValidationException();
                        validationException.addValidationError("password must be specified unless you are updating an existing user");
                        exc2 = validationException;
                    }
                    actionListener.onFailure(exc2);
                }

                static {
                    $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
                }
            };
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::update);
        });
    }

    private void indexUser(PutUserRequest putUserRequest, ActionListener<Boolean> actionListener) {
        if (!$assertionsDisabled && putUserRequest.passwordHash() == null) {
            throw new AssertionError();
        }
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            IndexRequest request = this.client.prepareIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS).setId(getIdForUser(USER_DOC_TYPE, putUserRequest.username())).setSource(new Object[]{User.Fields.USERNAME.getPreferredName(), putUserRequest.username(), User.Fields.PASSWORD.getPreferredName(), String.valueOf(putUserRequest.passwordHash()), User.Fields.ROLES.getPreferredName(), putUserRequest.roles(), User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(), User.Fields.EMAIL.getPreferredName(), putUserRequest.email(), User.Fields.METADATA.getPreferredName(), putUserRequest.metadata(), User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(putUserRequest.enabled()), User.Fields.TYPE.getPreferredName(), USER_DOC_TYPE}).setRefreshPolicy(putUserRequest.getRefreshPolicy()).request();
            ActionListener delegateFailure = actionListener.delegateFailure((actionListener2, docWriteResponse) -> {
                clearRealmCache(putUserRequest.username(), actionListener2, Boolean.valueOf(docWriteResponse.getResult() == DocWriteResponse.Result.CREATED));
            });
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, delegateFailure, client::index);
        });
    }

    public void setEnabled(String str, boolean z, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<Void> actionListener) {
        if (ClientReservedRealm.isReserved(str, this.settings)) {
            setReservedUserEnabled(str, z, refreshPolicy, true, actionListener);
        } else {
            setRegularUserEnabled(str, z, refreshPolicy, actionListener);
        }
    }

    private void setRegularUserEnabled(String str, boolean z, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<Void> actionListener) {
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            UpdateRequest request = this.client.prepareUpdate(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(USER_DOC_TYPE, str)).setDoc(Requests.INDEX_CONTENT_TYPE, new Object[]{User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(z)}).setRefreshPolicy(refreshPolicy).request();
            ActionListener<UpdateResponse> actionListener2 = new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.4
                public void onResponse(UpdateResponse updateResponse) {
                    NativeUsersStore.this.clearRealmCache(str, actionListener, null);
                }

                public void onFailure(Exception exc) {
                    Exception exc2 = exc;
                    if (NativeUsersStore.isIndexNotFoundOrDocumentMissing(exc)) {
                        Logger logger2 = NativeUsersStore.logger;
                        boolean z2 = z;
                        String str2 = str;
                        logger2.debug(() -> {
                            Object[] objArr = new Object[2];
                            objArr[0] = z2 ? "enable" : "disable";
                            objArr[1] = str2;
                            return Strings.format("failed to %s user [%s]", objArr);
                        }, exc);
                        Exception validationException = new ValidationException();
                        validationException.addValidationError("only existing users can be " + (z ? "enabled" : "disabled"));
                        exc2 = validationException;
                    }
                    actionListener.onFailure(exc2);
                }
            };
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::update);
        });
    }

    private void setReservedUserEnabled(String str, boolean z, WriteRequest.RefreshPolicy refreshPolicy, boolean z2, ActionListener<Void> actionListener) {
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            UpdateRequest request = this.client.prepareUpdate(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(RESERVED_USER_TYPE, str)).setDoc(Requests.INDEX_CONTENT_TYPE, new Object[]{User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(z)}).setUpsert(XContentType.JSON, new Object[]{User.Fields.PASSWORD.getPreferredName(), "", User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(z), User.Fields.TYPE.getPreferredName(), RESERVED_USER_TYPE}).setRefreshPolicy(refreshPolicy).request();
            ActionListener delegateFailure = actionListener.delegateFailure((actionListener2, updateResponse) -> {
                if (z2) {
                    clearRealmCache(str, actionListener2, null);
                } else {
                    actionListener2.onResponse((Object) null);
                }
            });
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, delegateFailure, client::update);
        });
    }

    public void deleteUser(DeleteUserRequest deleteUserRequest, ActionListener<Boolean> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(false);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.PRIMARY_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                DeleteRequest request = this.client.prepareDelete(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(USER_DOC_TYPE, deleteUserRequest.username())).request();
                request.setRefreshPolicy(deleteUserRequest.getRefreshPolicy());
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener delegateFailure = actionListener.delegateFailure((actionListener2, deleteResponse) -> {
                    clearRealmCache(deleteUserRequest.username(), actionListener2, Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, delegateFailure, client::delete);
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void verifyPassword(String str, SecureString secureString, ActionListener<AuthenticationResult<User>> actionListener) {
        CheckedConsumer checkedConsumer = userAndPassword -> {
            if (userAndPassword == null) {
                logger.trace("user [{}] does not exist in index [{}], cannot authenticate against the native realm", str, this.securityIndex.aliasName());
                actionListener.onResponse(AuthenticationResult.notHandled());
            } else if (userAndPassword.passwordHash() == null) {
                logger.debug("user [{}] in index [{}] does not have a password, cannot authenticate", str, this.securityIndex.aliasName());
                actionListener.onResponse(AuthenticationResult.notHandled());
            } else if (userAndPassword.verifyPassword(secureString)) {
                logger.trace("successfully authenticated user [{}] (security index [{}])", userAndPassword, this.securityIndex.aliasName());
                actionListener.onResponse(AuthenticationResult.success(userAndPassword.user()));
            } else {
                logger.trace("password mismatch for user [{}] (security index [{}])", userAndPassword, this.securityIndex.aliasName());
                actionListener.onResponse(AuthenticationResult.unsuccessful("Password authentication failed for " + str, (Exception) null));
            }
        };
        Objects.requireNonNull(actionListener);
        getUserAndPassword(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void getReservedUserInfo(String str, ActionListener<ReservedUserInfo> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse((Object) null);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.PRIMARY_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                GetRequest request = this.client.prepareGet(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForUser(RESERVED_USER_TYPE, str)).request();
                ActionListener<GetResponse> actionListener2 = new ActionListener<GetResponse>(this) { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.5
                    public void onResponse(GetResponse getResponse) {
                        if (!getResponse.isExists()) {
                            actionListener.onResponse((Object) null);
                            return;
                        }
                        Map sourceAsMap = getResponse.getSourceAsMap();
                        String str2 = (String) sourceAsMap.get(User.Fields.PASSWORD.getPreferredName());
                        Boolean bool = (Boolean) sourceAsMap.get(User.Fields.ENABLED.getPreferredName());
                        if (str2 == null) {
                            actionListener.onFailure(new IllegalStateException("password hash must not be null!"));
                            return;
                        }
                        if (bool == null) {
                            actionListener.onFailure(new IllegalStateException("enabled must not be null!"));
                        } else if (str2.isEmpty()) {
                            actionListener.onResponse(bool.booleanValue() ? ReservedUserInfo.defaultEnabledUserInfo() : ReservedUserInfo.defaultDisabledUserInfo());
                        } else {
                            actionListener.onResponse(new ReservedUserInfo(str2.toCharArray(), bool.booleanValue()));
                        }
                    }

                    public void onFailure(Exception exc) {
                        if (TransportActions.isShardNotAvailableException(exc)) {
                            Logger logger2 = NativeUsersStore.logger;
                            String str2 = str;
                            logger2.trace(() -> {
                                return Strings.format("could not retrieve built in user [%s] info since security index unavailable", new Object[]{str2});
                            }, exc);
                        }
                        actionListener.onFailure(exc);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::get);
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void getAllReservedUserInfo(ActionListener<Map<String, ReservedUserInfo>> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(Collections.emptyMap());
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setTrackTotalHits(true).setQuery(QueryBuilders.termQuery(User.Fields.TYPE.getPreferredName(), RESERVED_USER_TYPE)).setFetchSource(true).request();
                ActionListener<SearchResponse> actionListener2 = new ActionListener<SearchResponse>(this) { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.6
                    static final /* synthetic */ boolean $assertionsDisabled;

                    public void onResponse(SearchResponse searchResponse) {
                        HashMap hashMap = new HashMap();
                        if (!$assertionsDisabled && searchResponse.getHits().getTotalHits().value() > 10) {
                            throw new AssertionError("there are more than 10 reserved users we need to change this to retrieve them all!");
                        }
                        for (SearchHit searchHit : searchResponse.getHits().getHits()) {
                            Map sourceAsMap = searchHit.getSourceAsMap();
                            String str = (String) sourceAsMap.get(User.Fields.PASSWORD.getPreferredName());
                            Boolean bool = (Boolean) sourceAsMap.get(User.Fields.ENABLED.getPreferredName());
                            String id = searchHit.getId();
                            if (!$assertionsDisabled && (id == null || !id.startsWith(NativeUsersStore.RESERVED_USER_TYPE))) {
                                throw new AssertionError("id [" + id + "] does not start with reserved-user prefix");
                            }
                            String substring = id.substring(NativeUsersStore.RESERVED_USER_TYPE.length() + 1);
                            if (str == null) {
                                actionListener.onFailure(new IllegalStateException("password hash must not be null!"));
                                return;
                            } else {
                                if (bool == null) {
                                    actionListener.onFailure(new IllegalStateException("enabled must not be null!"));
                                    return;
                                }
                                hashMap.put(substring, new ReservedUserInfo(str.toCharArray(), bool.booleanValue()));
                            }
                        }
                        actionListener.onResponse(hashMap);
                    }

                    public void onFailure(Exception exc) {
                        if (exc instanceof IndexNotFoundException) {
                            NativeUsersStore.logger.trace("could not retrieve built in users since security index does not exist", exc);
                            actionListener.onResponse(Collections.emptyMap());
                        } else {
                            NativeUsersStore.logger.error("failed to retrieve built in users", exc);
                            actionListener.onFailure(exc);
                        }
                    }

                    static {
                        $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::search);
            });
        }
    }

    private <Response> void clearRealmCache(final String str, final ActionListener<Response> actionListener, final Response response) {
        ClientHelper.executeAsyncWithOrigin(this.client, "security", ClearRealmCacheAction.INSTANCE, new ClearRealmCacheRequest().usernames(new String[]{str}), new ActionListener<ClearRealmCacheResponse>(this) { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.7
            public void onResponse(ClearRealmCacheResponse clearRealmCacheResponse) {
                actionListener.onResponse(response);
            }

            public void onFailure(Exception exc) {
                Logger logger2 = NativeUsersStore.logger;
                String str2 = str;
                logger2.error(() -> {
                    return "unable to clear realm cache for user [" + str2 + "]";
                }, exc);
                actionListener.onFailure(new ElasticsearchException("clearing the cache for [" + str + "] failed. please clear the realm cache manually", exc, new Object[0]));
            }
        });
    }

    @Nullable
    private static UserAndPassword transformUser(String str, Map<String, Object> map) {
        if (map == null) {
            return null;
        }
        if (!$assertionsDisabled && (str == null || !str.startsWith(USER_DOC_TYPE))) {
            throw new AssertionError("id [" + str + "] does not start with user prefix");
        }
        String substring = str.substring(USER_DOC_TYPE.length() + 1);
        try {
            String str2 = (String) map.get(User.Fields.PASSWORD.getPreferredName());
            String[] strArr = (String[]) ((List) map.get(User.Fields.ROLES.getPreferredName())).toArray(org.elasticsearch.common.Strings.EMPTY_ARRAY);
            String str3 = (String) map.get(User.Fields.FULL_NAME.getPreferredName());
            String str4 = (String) map.get(User.Fields.EMAIL.getPreferredName());
            Boolean bool = (Boolean) map.get(User.Fields.ENABLED.getPreferredName());
            if (bool == null) {
                bool = Boolean.TRUE;
            }
            return new UserAndPassword(new User(substring, strArr, str3, str4, (Map) map.get(User.Fields.METADATA.getPreferredName()), bool.booleanValue()), str2.toCharArray());
        } catch (Exception e) {
            logger.error(() -> {
                return "error in the format of data for user [" + substring + "]";
            }, e);
            return null;
        }
    }

    private static boolean isIndexNotFoundOrDocumentMissing(Exception exc) {
        if (!(exc instanceof ElasticsearchException)) {
            return false;
        }
        Throwable unwrapCause = ExceptionsHelper.unwrapCause(exc);
        return (unwrapCause instanceof IndexNotFoundException) || (unwrapCause instanceof DocumentMissingException);
    }

    public static String getIdForUser(String str, String str2) {
        return str + "-" + str2;
    }

    static {
        $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
        logger = LogManager.getLogger(NativeUsersStore.class);
    }
}
