package org.elasticsearch.xpack.core.security;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.node.Node;
import org.elasticsearch.search.internal.ReaderContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.authc.support.SecondaryAuthentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.user.InternalUser;
import org.elasticsearch.xpack.core.security.user.InternalUsers;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/SecurityContext.class */
public class SecurityContext {
    private static final Logger logger;
    private final ThreadContext threadContext;
    private final AuthenticationContextSerializer authenticationSerializer = new AuthenticationContextSerializer();
    private final String nodeName;
    static final /* synthetic */ boolean $assertionsDisabled;

    public SecurityContext(Settings settings, ThreadContext threadContext) {
        this.threadContext = threadContext;
        this.nodeName = (String) Node.NODE_NAME_SETTING.get(settings);
    }

    public User requireUser() {
        User user = getUser();
        if (user == null) {
            throw new ElasticsearchSecurityException("there is no user available in the current context", new Object[0]);
        }
        return user;
    }

    @Nullable
    public User getUser() {
        Authentication authentication = getAuthentication();
        if (authentication != null && authentication.isCrossClusterAccess()) {
            authentication = Authentication.getAuthenticationFromCrossClusterAccessMetadata(authentication);
        }
        if (authentication == null) {
            return null;
        }
        return authentication.getEffectiveSubject().getUser();
    }

    @Nullable
    public Authentication getAuthentication() {
        try {
            return this.authenticationSerializer.readFromContext(this.threadContext);
        } catch (IOException e) {
            logger.error("failed to read authentication", e);
            throw new UncheckedIOException(e);
        }
    }

    public AuthorizationEngine.AuthorizationInfo getAuthorizationInfoFromContext() {
        return (AuthorizationEngine.AuthorizationInfo) Objects.requireNonNull((AuthorizationEngine.AuthorizationInfo) this.threadContext.getTransient(AuthorizationServiceField.AUTHORIZATION_INFO_KEY), "authorization info is missing from context");
    }

    @Nullable
    public AuthorizationEngine.ParentActionAuthorization getParentAuthorization() {
        try {
            return AuthorizationEngine.ParentActionAuthorization.readFromThreadContext(this.threadContext);
        } catch (IOException e) {
            logger.error("failed to read parent authorization from thread context", e);
            throw new UncheckedIOException(e);
        }
    }

    public void setParentAuthorization(AuthorizationEngine.ParentActionAuthorization parentActionAuthorization) {
        try {
            parentActionAuthorization.writeToThreadContext(this.threadContext);
        } catch (IOException e) {
            throw new AssertionError("failed to write parent authorization to the thread context", e);
        }
    }

    public SecondaryAuthentication getSecondaryAuthentication() {
        try {
            return SecondaryAuthentication.readFromContext(this);
        } catch (IOException e) {
            logger.error("failed to read secondary authentication", e);
            throw new UncheckedIOException(e);
        }
    }

    public ThreadContext getThreadContext() {
        return this.threadContext;
    }

    public void putIndicesAccessControl(@Nullable IndicesAccessControl indicesAccessControl) {
        if (indicesAccessControl != null) {
            if (!indicesAccessControl.isGranted()) {
                throw new IllegalStateException("Unexpected unauthorized access control :" + indicesAccessControl);
            }
            this.threadContext.putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
        }
    }

    public void copyIndicesAccessControlToReaderContext(ReaderContext readerContext) {
        IndicesAccessControl indicesAccessControl = (IndicesAccessControl) getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
        if (!$assertionsDisabled && indicesAccessControl == null) {
            throw new AssertionError("thread context does not contain index access control");
        }
        readerContext.putInContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
    }

    public void copyIndicesAccessControlFromReaderContext(ReaderContext readerContext) {
        IndicesAccessControl indicesAccessControl = (IndicesAccessControl) readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
        if (!$assertionsDisabled && indicesAccessControl == null) {
            throw new AssertionError("scroll does not contain index access control");
        }
        getThreadContext().putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, indicesAccessControl);
    }

    public void setInternalUser(InternalUser internalUser, TransportVersion transportVersion) {
        setAuthentication(Authentication.newInternalAuthentication(internalUser, transportVersion, this.nodeName));
    }

    public void executeAsInternalUser(InternalUser internalUser, TransportVersion transportVersion, Consumer<ThreadContext.StoredContext> consumer) {
        ThreadContext.StoredContext newStoredContextPreservingResponseHeaders = this.threadContext.newStoredContextPreservingResponseHeaders();
        ThreadContext.StoredContext stashContext = this.threadContext.stashContext();
        try {
            setInternalUser(internalUser, transportVersion);
            consumer.accept(newStoredContextPreservingResponseHeaders);
            if (stashContext != null) {
                stashContext.close();
            }
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void executeAsSystemUser(Consumer<ThreadContext.StoredContext> consumer) {
        executeAsSystemUser(TransportVersion.current(), consumer);
    }

    public void executeAsSystemUser(TransportVersion transportVersion, Consumer<ThreadContext.StoredContext> consumer) {
        executeAsInternalUser(InternalUsers.SYSTEM_USER, transportVersion, consumer);
    }

    public <T> T executeWithAuthentication(Authentication authentication, Function<ThreadContext.StoredContext, T> function) {
        ThreadContext.StoredContext newStoredContextPreservingResponseHeaders = this.threadContext.newStoredContextPreservingResponseHeaders();
        ThreadContext.StoredContext stashContext = this.threadContext.stashContext();
        try {
            setAuthentication(authentication);
            T apply = function.apply(newStoredContextPreservingResponseHeaders);
            if (stashContext != null) {
                stashContext.close();
            }
            return apply;
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void executeAfterRewritingAuthentication(Consumer<ThreadContext.StoredContext> consumer, TransportVersion transportVersion) {
        Map requestHeadersOnly = this.threadContext.getRequestHeadersOnly();
        ThreadContext.StoredContext newStoredContextPreservingResponseHeaders = this.threadContext.newStoredContextPreservingResponseHeaders();
        Authentication authentication = getAuthentication();
        ThreadContext.StoredContext stashContext = this.threadContext.stashContext();
        try {
            setAuthentication(authentication.maybeRewriteForOlderVersion(transportVersion));
            requestHeadersOnly.forEach((str, str2) -> {
                if (this.threadContext.getHeader(str) == null) {
                    this.threadContext.putHeader(str, str2);
                }
            });
            consumer.accept(newStoredContextPreservingResponseHeaders);
            if (stashContext != null) {
                stashContext.close();
            }
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void executeAfterRemovingParentAuthorization(Consumer<ThreadContext.StoredContext> consumer) {
        ThreadContext.StoredContext newStoredContextPreservingResponseHeaders = this.threadContext.newStoredContextPreservingResponseHeaders(List.of(), List.of(AuthorizationEngine.ParentActionAuthorization.THREAD_CONTEXT_KEY));
        try {
            consumer.accept(newStoredContextPreservingResponseHeaders);
            if (newStoredContextPreservingResponseHeaders != null) {
                newStoredContextPreservingResponseHeaders.close();
            }
        } catch (Throwable th) {
            if (newStoredContextPreservingResponseHeaders != null) {
                try {
                    newStoredContextPreservingResponseHeaders.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public boolean canIAccessResourcesCreatedBy(@Nullable Authentication authentication) {
        if (authentication == null) {
            return true;
        }
        Authentication authentication2 = getAuthentication();
        if (authentication2 == null) {
            return false;
        }
        return authentication2.canAccessResourcesOf(authentication);
    }

    public boolean canIAccessResourcesCreatedWithHeaders(Map<String, String> map) throws IOException {
        Authentication authentication = null;
        if (map != null && map.containsKey(AuthenticationField.AUTHENTICATION_KEY)) {
            authentication = AuthenticationContextSerializer.decode(map.get(AuthenticationField.AUTHENTICATION_KEY));
        }
        return canIAccessResourcesCreatedBy(authentication);
    }

    private void setAuthentication(Authentication authentication) {
        try {
            authentication.writeToContext(this.threadContext);
        } catch (IOException e) {
            throw new AssertionError("how can we have a IOException with a user we set", e);
        }
    }

    static {
        $assertionsDisabled = !SecurityContext.class.desiredAssertionStatus();
        logger = LogManager.getLogger(SecurityContext.class);
    }
}
