package org.elasticsearch.xpack.security.authz;

import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.shard.SearchOperationListener;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.search.SearchContextMissingException;
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.class */
/**
 * Ties a scroll search context to the user that created it.
 *
 * <p>When a scroll context is created, the current {@link Authentication} is stored on it under
 * {@link #AUTHENTICATION_KEY}. Every later access to that context re-reads the stored value and
 * compares it to the authentication of the calling thread; a mismatch is recorded on the audit
 * trail as an access denial and surfaces to the caller as a {@link SearchContextMissingException}.
 *
 * <p>Both hooks are no-ops when the license does not allow authentication.
 */
public final class SecuritySearchOperationListener implements SearchOperationListener {
    /** Key under which the creating user's {@link Authentication} is kept in the scroll context. */
    private static final String AUTHENTICATION_KEY = "_xpack_security_authentication";

    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;
    private final AuditTrailService auditTrailService;

    /**
     * @param threadContext     thread context from which the current authentication, originating
     *                          action, request id and authorization info are read
     * @param xPackLicenseState license state consulted via {@code isAuthAllowed()} before doing any work
     * @param auditTrailService audit trail that receives {@code accessDenied} events on a user mismatch
     */
    public SecuritySearchOperationListener(ThreadContext threadContext, XPackLicenseState xPackLicenseState, AuditTrailService auditTrailService) {
        this.threadContext = threadContext;
        this.licenseState = xPackLicenseState;
        this.auditTrailService = auditTrailService;
    }

    /**
     * Records the authentication of the creating user on a freshly created scroll context.
     * Nothing is stored when the license does not allow authentication.
     */
    public void onNewScrollContext(SearchContext searchContext) {
        if (!this.licenseState.isAuthAllowed()) {
            return;
        }
        final Authentication creator = Authentication.getAuthentication(this.threadContext);
        searchContext.scrollContext().putInContext(AUTHENTICATION_KEY, creator);
    }

    /**
     * Verifies that the user accessing a scroll context is the one that created it.
     *
     * <p>Skipped entirely when the license does not allow authentication or when the context is not
     * a scroll context. Otherwise delegates to
     * {@link #ensureAuthenticatedUserIsSame} with the stored and the current authentication plus the
     * audit metadata taken from the thread context.
     *
     * @throws SearchContextMissingException if the current user does not match the creating user
     */
    public void validateSearchContext(SearchContext searchContext, TransportRequest transportRequest) {
        if (!this.licenseState.isAuthAllowed()) {
            return;
        }
        if (searchContext.scrollContext() == null) {
            return;
        }
        // NOTE(review): the stored value may be absent if the scroll was created while auth was not
        // allowed (onNewScrollContext stores nothing then) — confirm whether that can happen in practice,
        // since ensureAuthenticatedUserIsSame dereferences it without a null check.
        final Authentication original = (Authentication) searchContext.scrollContext().getFromContext(AUTHENTICATION_KEY);
        final Authentication current = Authentication.getAuthentication(this.threadContext);
        final long contextId = searchContext.id();
        final String originatingAction = (String) this.threadContext.getTransient(AuthorizationService.ORIGINATING_ACTION_KEY);
        final String requestId = AuditUtil.extractRequestId(this.threadContext);
        final AuthorizationEngine.AuthorizationInfo authorizationInfo =
            (AuthorizationEngine.AuthorizationInfo) this.threadContext.getTransient(AuthorizationService.AUTHORIZATION_INFO_KEY);
        ensureAuthenticatedUserIsSame(original, current, this.auditTrailService, contextId, originatingAction,
            transportRequest, requestId, authorizationInfo);
    }

    /**
     * Fails unless {@code authentication2} (the current caller) denotes the same user as
     * {@code authentication} (the creator of the scroll context).
     *
     * <p>"Same user" means the principals are equal and the realm <em>types</em> match, where the
     * realm considered for each side is the looked-up realm when that side is a run-as
     * authentication and the authenticating realm otherwise. Only the realm type is compared, not
     * the realm name.
     *
     * @param authentication  authentication stored on the scroll context when it was created
     * @param authentication2 authentication of the thread currently accessing the context
     * @param auditTrailService audit trail notified of the denial on mismatch
     * @param j               id of the search context, reported in the thrown exception
     * @param str             originating action, passed to the audit trail
     * @param transportRequest the request being validated, passed to the audit trail
     * @param str2            audit request id
     * @param authorizationInfo authorization info for the current request, passed to the audit trail
     * @throws SearchContextMissingException if the two authentications do not denote the same user
     */
    static void ensureAuthenticatedUserIsSame(Authentication authentication, Authentication authentication2, AuditTrailService auditTrailService, long j, String str, TransportRequest transportRequest, String str2, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        final Authentication original = authentication;
        final Authentication current = authentication2;
        final boolean samePrincipal = original.getUser().principal().equals(current.getUser().principal());
        // Realm comparison is only evaluated when the principals already agree.
        if (samePrincipal && sameRealmType(original, current)) {
            return;
        }
        auditTrailService.accessDenied(str2, current, str, transportRequest, authorizationInfo);
        throw new SearchContextMissingException(j);
    }

    /** Compares the effective realm types of the two authentications. */
    private static boolean sameRealmType(Authentication original, Authentication current) {
        final String originalRealmType = effectiveRealmType(original);
        final String currentRealmType = effectiveRealmType(current);
        return originalRealmType.equals(currentRealmType);
    }

    /** Realm type of the looked-up realm for run-as users, of the authenticating realm otherwise. */
    private static String effectiveRealmType(Authentication authentication) {
        if (authentication.getUser().isRunAs()) {
            return authentication.getLookedUpBy().getType();
        }
        return authentication.getAuthenticatedBy().getType();
    }
}
