package org.elasticsearch.xpack.security.action.filter;

import java.util.Objects;
import java.util.function.Predicate;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.privilege.HealthAndStatsPrivilege;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.action.SecurityActionMapper;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.class */
public class SecurityActionFilter implements ActionFilter {
    private static final Predicate<String> LICENSE_EXPIRATION_ACTION_MATCHER;
    private static final Predicate<String> SECURITY_ACTION_MATCHER;
    private static final Logger logger;
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final AuditTrailService auditTrailService;
    private final SecurityActionMapper actionMapper = new SecurityActionMapper();
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final SecurityContext securityContext;
    private final DestructiveOperations destructiveOperations;
    static final /* synthetic */ boolean $assertionsDisabled;

    public SecurityActionFilter(AuthenticationService authenticationService, AuthorizationService authorizationService, AuditTrailService auditTrailService, XPackLicenseState xPackLicenseState, ThreadPool threadPool, SecurityContext securityContext, DestructiveOperations destructiveOperations) {
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.auditTrailService = auditTrailService;
        this.licenseState = xPackLicenseState;
        this.threadContext = threadPool.getThreadContext();
        this.securityContext = securityContext;
        this.destructiveOperations = destructiveOperations;
    }

    public <Request extends ActionRequest, Response extends ActionResponse> void apply(Task task, String str, Request request, ActionListener<Response> actionListener, ActionFilterChain<Request, Response> actionFilterChain) {
        if (!this.licenseState.isActive() && LICENSE_EXPIRATION_ACTION_MATCHER.test(str)) {
            logger.error("blocking [{}] operation due to expired license. Cluster health, cluster stats and indices stats \noperations are blocked on license expiration. All data operations (read and write) continue to work. \nIf you have a new license, please update it. Otherwise, please reach out to your support contact.", str);
            throw LicenseUtils.newComplianceException("security");
        }
        if (!this.licenseState.isSecurityEnabled()) {
            if (!SECURITY_ACTION_MATCHER.test(str)) {
                actionFilterChain.proceed(task, str, request, actionListener);
                return;
            } else if (this.licenseState.isSecurityEnabled()) {
                actionListener.onFailure(LicenseUtils.newComplianceException("security"));
                return;
            } else {
                actionListener.onFailure(new ElasticsearchException("Security must be explicitly enabled when using a [" + this.licenseState.getOperationMode().description() + "] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node.", new Object[0]));
                return;
            }
        }
        ContextPreservingActionListener wrapPreservingContext = ContextPreservingActionListener.wrapPreservingContext(actionListener, this.threadContext);
        try {
            if (AuthorizationUtils.shouldReplaceUserWithSystem(this.threadContext, str)) {
                this.securityContext.executeAsUser(SystemUser.INSTANCE, storedContext -> {
                    applyInternal(task, actionFilterChain, str, request, wrapPreservingContext);
                }, Version.CURRENT);
            } else if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(this.threadContext)) {
                AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(this.threadContext, this.securityContext, storedContext2 -> {
                    applyInternal(task, actionFilterChain, str, request, wrapPreservingContext);
                });
            } else {
                ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
                try {
                    applyInternal(task, actionFilterChain, str, request, wrapPreservingContext);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                } finally {
                }
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    public int order() {
        return Integer.MIN_VALUE;
    }

    private <Request extends ActionRequest, Response extends ActionResponse> void applyInternal(Task task, ActionFilterChain<Request, Response> actionFilterChain, String str, Request request, ActionListener<Response> actionListener) {
        if ("indices:admin/close".equals(str) || "indices:admin/open".equals(str) || "indices:admin/delete".equals(str)) {
            try {
                this.destructiveOperations.failDestructive(((IndicesRequest) request).indices());
            } catch (IllegalArgumentException e) {
                actionListener.onFailure(e);
                return;
            }
        }
        String action = this.actionMapper.action(str, request);
        AuthenticationService authenticationService = this.authcService;
        User user = SystemUser.INSTANCE;
        CheckedConsumer checkedConsumer = authentication -> {
            if (authentication == null) {
                if (this.licenseState.isSecurityEnabled()) {
                    actionListener.onFailure(new IllegalStateException("no authentication present but auth is allowed"));
                    return;
                } else {
                    actionListener.onResponse((Object) null);
                    return;
                }
            }
            String extractRequestId = AuditUtil.extractRequestId(this.threadContext);
            if (!$assertionsDisabled && !Strings.hasText(extractRequestId)) {
                throw new AssertionError();
            }
            authorizeRequest(authentication, action, request, actionListener.delegateFailure((actionListener2, r19) -> {
                actionFilterChain.proceed(task, str, request, actionListener2.delegateFailure((actionListener2, actionResponse) -> {
                    this.auditTrailService.get().coordinatingActionResponse(extractRequestId, authentication, str, request, actionResponse);
                    actionListener2.onResponse(actionResponse);
                }));
            }));
        };
        Objects.requireNonNull(actionListener);
        authenticationService.authenticate(action, (TransportRequest) request, user, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private <Request extends ActionRequest> void authorizeRequest(Authentication authentication, String str, Request request, ActionListener<Void> actionListener) {
        if (authentication == null) {
            actionListener.onFailure(new IllegalArgumentException("authentication must be non null for authorization"));
        } else {
            this.authzService.authorize(authentication, str, request, actionListener);
        }
    }

    static {
        $assertionsDisabled = !SecurityActionFilter.class.desiredAssertionStatus();
        LICENSE_EXPIRATION_ACTION_MATCHER = HealthAndStatsPrivilege.INSTANCE.predicate();
        SECURITY_ACTION_MATCHER = Automatons.predicate(new String[]{"cluster:admin/xpack/security*"});
        logger = LogManager.getLogger(SecurityActionFilter.class);
    }
}
