package org.elasticsearch.xpack.security;

import java.nio.file.Path;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.IndexTemplateMetadata;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.node.DiscoveryNodes;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.inject.Module;
import org.elasticsearch.common.inject.util.Providers;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkModule;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.IndexScopedSettings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsFilter;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.NodeEnvironment;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.indices.SystemIndexDescriptor;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.ingest.Processor;
import org.elasticsearch.license.License;
import org.elasticsearch.license.LicenseService;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.plugins.ActionPlugin;
import org.elasticsearch.plugins.ClusterPlugin;
import org.elasticsearch.plugins.DiscoveryPlugin;
import org.elasticsearch.plugins.ExtensiblePlugin;
import org.elasticsearch.plugins.IngestPlugin;
import org.elasticsearch.plugins.MapperPlugin;
import org.elasticsearch.plugins.NetworkPlugin;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.SystemIndexPlugin;
import org.elasticsearch.repositories.RepositoriesService;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestHeaderDefinition;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.threadpool.ExecutorBuilder;
import org.elasticsearch.threadpool.FixedExecutorBuilder;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.SharedGroupFactory;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.nio.NioGroupFactory;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.SecurityExtension;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.SecuritySettings;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.GetApiKeyAction;
import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction;
import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectAuthenticateAction;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutAction;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.privilege.ClearPrivilegesCacheAction;
import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesAction;
import org.elasticsearch.xpack.core.security.action.privilege.GetBuiltinPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.privilege.GetPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.privilege.PutPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.realm.ClearRealmCacheAction;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheAction;
import org.elasticsearch.xpack.core.security.action.role.DeleteRoleAction;
import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlCompleteLogoutAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlInvalidateSessionAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlLogoutAction;
import org.elasticsearch.xpack.core.security.action.saml.SamlPrepareAuthenticationAction;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenAction;
import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
import org.elasticsearch.xpack.core.security.action.user.AuthenticateAction;
import org.elasticsearch.xpack.core.security.action.user.ChangePasswordAction;
import org.elasticsearch.xpack.core.security.action.user.DeleteUserAction;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.GetUsersAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.PutUserAction;
import org.elasticsearch.xpack.core.security.action.user.SetEnabledAction;
import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
import org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.InternalRealmsSettings;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetBitsetCache;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.SecurityIndexReaderWrapper;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.core.ssl.TLSLicenseBootstrapCheck;
import org.elasticsearch.xpack.core.ssl.action.GetCertificateInfoAction;
import org.elasticsearch.xpack.core.ssl.action.TransportGetCertificateInfoAction;
import org.elasticsearch.xpack.core.ssl.rest.RestGetCertificateInfoAction;
import org.elasticsearch.xpack.security.action.TransportCreateApiKeyAction;
import org.elasticsearch.xpack.security.action.TransportDelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.security.action.TransportGetApiKeyAction;
import org.elasticsearch.xpack.security.action.TransportGrantApiKeyAction;
import org.elasticsearch.xpack.security.action.TransportInvalidateApiKeyAction;
import org.elasticsearch.xpack.security.action.filter.SecurityActionFilter;
import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectAuthenticateAction;
import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectLogoutAction;
import org.elasticsearch.xpack.security.action.oidc.TransportOpenIdConnectPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.action.privilege.TransportClearPrivilegesCacheAction;
import org.elasticsearch.xpack.security.action.privilege.TransportDeletePrivilegesAction;
import org.elasticsearch.xpack.security.action.privilege.TransportGetBuiltinPrivilegesAction;
import org.elasticsearch.xpack.security.action.privilege.TransportGetPrivilegesAction;
import org.elasticsearch.xpack.security.action.privilege.TransportPutPrivilegesAction;
import org.elasticsearch.xpack.security.action.realm.TransportClearRealmCacheAction;
import org.elasticsearch.xpack.security.action.role.TransportClearRolesCacheAction;
import org.elasticsearch.xpack.security.action.role.TransportDeleteRoleAction;
import org.elasticsearch.xpack.security.action.role.TransportGetRolesAction;
import org.elasticsearch.xpack.security.action.role.TransportPutRoleAction;
import org.elasticsearch.xpack.security.action.rolemapping.TransportDeleteRoleMappingAction;
import org.elasticsearch.xpack.security.action.rolemapping.TransportGetRoleMappingsAction;
import org.elasticsearch.xpack.security.action.rolemapping.TransportPutRoleMappingAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlAuthenticateAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlCompleteLogoutAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlInvalidateSessionAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlLogoutAction;
import org.elasticsearch.xpack.security.action.saml.TransportSamlPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.action.token.TransportCreateTokenAction;
import org.elasticsearch.xpack.security.action.token.TransportInvalidateTokenAction;
import org.elasticsearch.xpack.security.action.token.TransportRefreshTokenAction;
import org.elasticsearch.xpack.security.action.user.TransportAuthenticateAction;
import org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction;
import org.elasticsearch.xpack.security.action.user.TransportDeleteUserAction;
import org.elasticsearch.xpack.security.action.user.TransportGetUserPrivilegesAction;
import org.elasticsearch.xpack.security.action.user.TransportGetUsersAction;
import org.elasticsearch.xpack.security.action.user.TransportHasPrivilegesAction;
import org.elasticsearch.xpack.security.action.user.TransportPutUserAction;
import org.elasticsearch.xpack.security.action.user.TransportSetEnabledAction;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.InternalRealms;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;
import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.SecuritySearchOperationListener;
import org.elasticsearch.xpack.security.authz.accesscontrol.OptOutQueryCache;
import org.elasticsearch.xpack.security.authz.interceptor.BulkShardRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.IndicesAliasesRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.ResizeRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.SearchRequestInterceptor;
import org.elasticsearch.xpack.security.authz.interceptor.UpdateRequestInterceptor;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
import org.elasticsearch.xpack.security.authz.store.DeprecationRoleDescriptorConsumer;
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.xpack.security.authz.store.NativePrivilegeStore;
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor;
import org.elasticsearch.xpack.security.rest.SecurityRestFilter;
import org.elasticsearch.xpack.security.rest.action.RestAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.RestDelegatePkiAuthenticationAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestCreateApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestGetApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestGrantApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.apikey.RestInvalidateApiKeyAction;
import org.elasticsearch.xpack.security.rest.action.oauth2.RestGetTokenAction;
import org.elasticsearch.xpack.security.rest.action.oauth2.RestInvalidateTokenAction;
import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectLogoutAction;
import org.elasticsearch.xpack.security.rest.action.oidc.RestOpenIdConnectPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestClearPrivilegesCacheAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestDeletePrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestGetBuiltinPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestGetPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.privilege.RestPutPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.realm.RestClearRealmCacheAction;
import org.elasticsearch.xpack.security.rest.action.role.RestClearRolesCacheAction;
import org.elasticsearch.xpack.security.rest.action.role.RestDeleteRoleAction;
import org.elasticsearch.xpack.security.rest.action.role.RestGetRolesAction;
import org.elasticsearch.xpack.security.rest.action.role.RestPutRoleAction;
import org.elasticsearch.xpack.security.rest.action.rolemapping.RestDeleteRoleMappingAction;
import org.elasticsearch.xpack.security.rest.action.rolemapping.RestGetRoleMappingsAction;
import org.elasticsearch.xpack.security.rest.action.rolemapping.RestPutRoleMappingAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlAuthenticateAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlCompleteLogoutAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlInvalidateSessionAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlLogoutAction;
import org.elasticsearch.xpack.security.rest.action.saml.RestSamlPrepareAuthenticationAction;
import org.elasticsearch.xpack.security.rest.action.user.RestChangePasswordAction;
import org.elasticsearch.xpack.security.rest.action.user.RestDeleteUserAction;
import org.elasticsearch.xpack.security.rest.action.user.RestGetUserPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.user.RestGetUsersAction;
import org.elasticsearch.xpack.security.rest.action.user.RestHasPrivilegesAction;
import org.elasticsearch.xpack.security.rest.action.user.RestPutUserAction;
import org.elasticsearch.xpack.security.rest.action.user.RestSetEnabledAction;
import org.elasticsearch.xpack.security.support.ExtensionComponents;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecurityStatusChangeListener;
import org.elasticsearch.xpack.security.transport.SecurityHttpSettings;
import org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4HttpServerTransport;
import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4ServerTransport;
import org.elasticsearch.xpack.security.transport.nio.SecurityNioHttpServerTransport;
import org.elasticsearch.xpack.security.transport.nio.SecurityNioTransport;

/* loaded from: input_file:org/elasticsearch/xpack/security/Security.class */
public class Security extends Plugin implements SystemIndexPlugin, IngestPlugin, NetworkPlugin, ClusterPlugin, DiscoveryPlugin, MapperPlugin, ExtensiblePlugin {
    // Name constant for the "security-crypto" thread pool. The pool itself is not registered in this
    // part of the file (presumably via an executor builder further down; confirm).
    public static final String SECURITY_CRYPTO_THREAD_POOL_NAME = "security-crypto";
    // Declared without an initializer, so it is assigned in a static initializer outside this excerpt.
    private static final Logger logger;
    // Node settings as handed to the constructor; source of every XPackSettings lookup in this class.
    private final Settings settings;
    // Value of XPackSettings.SECURITY_ENABLED, read once in the constructor.
    private final boolean enabled;
    // Result of XPackPlugin.transportClientMode(settings), read once in the constructor.
    private final boolean transportClientMode;
    // Write-once holders (Lucene SetOnce). The visible part of createComponents populates
    // threadContext, securityContext, auditTrailService, securityIndex, tokenService, dlsBitsetCache,
    // authcService and bootstrapChecks. The other holders are not set in this excerpt; presumably they
    // are set further down in the class (confirm before relying on them being non-null).
    private final SetOnce<TransportInterceptor> securityInterceptor;
    private final SetOnce<IPFilter> ipFilter;
    private final SetOnce<AuthenticationService> authcService;
    // NOTE(review): "secondayAuthc" looks like a misspelling of "secondaryAuthc"; the name is kept
    // because other code in the class refers to it.
    private final SetOnce<SecondaryAuthenticator> secondayAuthc;
    private final SetOnce<AuditTrailService> auditTrailService;
    private final SetOnce<SecurityContext> securityContext;
    private final SetOnce<ThreadContext> threadContext;
    private final SetOnce<TokenService> tokenService;
    private final SetOnce<SecurityActionFilter> securityActionFilter;
    private final SetOnce<SecurityIndexManager> securityIndex;
    private final SetOnce<SharedGroupFactory> sharedGroupFactory;
    private final SetOnce<NioGroupFactory> nioGroupFactory;
    private final SetOnce<DocumentSubsetBitsetCache> dlsBitsetCache;
    // Set to an empty list by the constructor when security is disabled or the node is a transport
    // client; otherwise set by createComponents to the unmodifiable list of bootstrap checks.
    private final SetOnce<List<BootstrapCheck>> bootstrapChecks;
    // Extensions passed to the package-private constructor; they contribute realms and roles providers
    // in createComponents.
    private final List<SecurityExtension> securityExtensions;
    // Compiler-generated flag backing `assert` statements; surfaced here by the decompiler.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/Security$ValidateLicenseCanBeDeserialized.class */
    /**
     * Rejects a node whose version predates 6.4.0 when the cluster state carries a license in
     * format version 4 or later, because such a node cannot deserialize that license.
     *
     * <p>Presumably registered as a join validator; the registration is not part of this excerpt.
     * A cluster state without a license passes the check unconditionally.
     */
    static final class ValidateLicenseCanBeDeserialized implements BiConsumer<DiscoveryNode, ClusterState> {
        ValidateLicenseCanBeDeserialized() {
        }

        /**
         * @param discoveryNode the node being validated
         * @param clusterState  cluster state from which the current license is read
         * @throws IllegalStateException if the license format is 4 or newer and the node is older than 6.4.0
         */
        @Override
        public void accept(DiscoveryNode discoveryNode, ClusterState clusterState) {
            final License clusterLicense = LicenseService.getLicense(clusterState.metadata());
            if (clusterLicense == null) {
                // No license in the cluster state: nothing the node could fail to read.
                return;
            }
            if (clusterLicense.version() < 4) {
                return;
            }
            if (!discoveryNode.getVersion().before(Version.V_6_4_0)) {
                return;
            }
            throw new IllegalStateException("node " + discoveryNode + " is on version [" + discoveryNode.getVersion() + "] that cannot deserialize the license format [" + clusterLicense.version() + "], upgrade node to at least 6.4.0");
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/Security$ValidateLicenseForFIPS.class */
    /**
     * Rejects a cluster state whose license operation mode does not permit FIPS, but only when this
     * validator was built with FIPS mode switched on.
     *
     * <p>Two cases pass without any license check: the validator was constructed with
     * {@code false}, or the cluster state holds no license at all.
     */
    static final class ValidateLicenseForFIPS implements BiConsumer<DiscoveryNode, ClusterState> {
        private final boolean inFipsMode;

        /**
         * @param z whether FIPS mode is enabled; when {@code false} the validator never throws
         */
        ValidateLicenseForFIPS(boolean z) {
            this.inFipsMode = z;
        }

        /**
         * @param discoveryNode the node being validated (not consulted by this check)
         * @param clusterState  cluster state from which the current license is read
         * @throws IllegalStateException if FIPS mode is on and the license's operation mode does not allow it
         */
        @Override
        public void accept(DiscoveryNode discoveryNode, ClusterState clusterState) {
            if (!this.inFipsMode) {
                return;
            }
            final License clusterLicense = LicenseService.getLicense(clusterState.metadata());
            if (clusterLicense == null) {
                // No license present yet, so there is no operation mode to compare against.
                return;
            }
            if (XPackLicenseState.isFipsAllowedForOperationMode(clusterLicense.operationMode())) {
                return;
            }
            throw new IllegalStateException("FIPS mode cannot be used with a [" + clusterLicense.operationMode() + "] license. It is only allowed with a Platinum or Trial license.");
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/Security$ValidateUpgradedSecurityIndex.class */
    /**
     * Blocks a join while the cluster still contains pre-7.0.0 nodes and the {@code .security}
     * index has an index format below 6, i.e. the Upgrade API has not been run on it yet.
     *
     * <p>The check passes when every node is on 7.0.0 or later, or when no {@code .security}
     * index exists in the cluster state.
     */
    static final class ValidateUpgradedSecurityIndex implements BiConsumer<DiscoveryNode, ClusterState> {
        ValidateUpgradedSecurityIndex() {
        }

        /**
         * @param discoveryNode the node being validated (not consulted by this check)
         * @param clusterState  cluster state supplying the minimum node version and index metadata
         * @throws IllegalStateException if the security index format is below 6 in a mixed-version cluster
         */
        @Override
        public void accept(DiscoveryNode discoveryNode, ClusterState clusterState) {
            final boolean hasPreSevenNodes = clusterState.getNodes().getMinNodeVersion().before(Version.V_7_0_0);
            if (!hasPreSevenNodes) {
                return;
            }
            final IndexMetadata securityIndexMetadata = (IndexMetadata) clusterState.getMetadata().getIndices().get(".security");
            if (securityIndexMetadata == null) {
                // No security index has been created, so there is nothing to upgrade.
                return;
            }
            final int indexFormat = ((Integer) IndexMetadata.INDEX_FORMAT_SETTING.get(securityIndexMetadata.getSettings())).intValue();
            if (indexFormat >= 6) {
                return;
            }
            throw new IllegalStateException("Security index is not on the current version [6] - The Upgrade API must be run for 7.x nodes to join the cluster");
        }
    }

    /**
     * Creates the plugin with no security extensions.
     *
     * @param settings node settings; decide whether security is enabled and which startup checks run
     * @param path     forwarded to the package-private constructor, which does not read it
     */
    public Security(Settings settings, Path path) {
        this(settings, path, Collections.<SecurityExtension>emptyList());
    }

    /**
     * Creates the plugin, reads the enabled / transport-client flags and runs the startup checks.
     *
     * <p>The startup checks (realm settings validation and, if requested, FIPS validation) and the
     * {@code Automatons} configuration run only when security is enabled and the node is not a
     * transport client. In every other case they are skipped and the bootstrap-check list is fixed
     * to empty, so a node started with security disabled gets none of these validations.
     *
     * @param settings node settings
     * @param path     not read by this constructor
     * @param list     security extensions to register; copied into an internal list
     */
    Security(Settings settings, Path path, List<SecurityExtension> list) {
        // Settings-derived state first; the flags are read exactly once.
        this.settings = settings;
        this.transportClientMode = XPackPlugin.transportClientMode(settings);
        this.enabled = ((Boolean) XPackSettings.SECURITY_ENABLED.get(settings)).booleanValue();

        // Write-once holders, filled in later in the plugin lifecycle.
        this.securityInterceptor = new SetOnce<>();
        this.ipFilter = new SetOnce<>();
        this.authcService = new SetOnce<>();
        this.secondayAuthc = new SetOnce<>();
        this.auditTrailService = new SetOnce<>();
        this.securityContext = new SetOnce<>();
        this.threadContext = new SetOnce<>();
        this.tokenService = new SetOnce<>();
        this.securityActionFilter = new SetOnce<>();
        this.securityIndex = new SetOnce<>();
        this.sharedGroupFactory = new SetOnce<>();
        this.nioGroupFactory = new SetOnce<>();
        this.dlsBitsetCache = new SetOnce<>();
        this.bootstrapChecks = new SetOnce<>();
        this.securityExtensions = new ArrayList<>();

        final boolean securityActiveOnNode = this.enabled && !this.transportClientMode;
        if (securityActiveOnNode) {
            runStartupChecks(settings);
            Automatons.updateConfiguration(settings);
        } else {
            // Nothing to enforce at bootstrap when security is off or this is a transport client.
            this.bootstrapChecks.set(Collections.emptyList());
        }
        this.securityExtensions.addAll(list);
    }

    /**
     * Runs the settings validations that must pass before the plugin finishes construction.
     *
     * <p>Realm settings are always validated. FIPS validation runs only when
     * {@code XPackSettings.FIPS_MODE_ENABLED} is true in {@code settings}.
     *
     * @param settings node settings to validate
     */
    private static void runStartupChecks(Settings settings) {
        validateRealmSettings(settings);
        final boolean fipsRequested = ((Boolean) XPackSettings.FIPS_MODE_ENABLED.get(settings)).booleanValue();
        if (!fipsRequested) {
            return;
        }
        validateForFips(settings);
    }

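    /**
     * Builds the Guice modules contributed by the security plugin.
     *
     * <ul>
     *   <li>Security disabled or transport-client mode: {@code IPFilter} is bound to a null provider.</li>
     *   <li>Transport-client mode: when security is enabled, {@code SSLService} is also bound to
     *       {@link #getSslService()}; nothing else is bound.</li>
     *   <li>Regular node: the security feature set is always bound. With security disabled,
     *       {@code Realms}, {@code CompositeRolesStore} and {@code NativeRoleMappingStore} are bound
     *       to null providers and {@code AuditTrailService} to an instance with no audit trails, so
     *       injection sites for these types receive null or a trail-less service.</li>
     * </ul>
     *
     * <p>The list is typed as {@code List<Module>} so that each lambda has {@code Module} as its
     * target type, and the null providers are left to type inference. The decompiled listing used
     * a raw {@code ArrayList} and {@code (Object) null}, which gives the lambdas no target type and
     * yields a provider of the wrong type for {@code toProvider}.
     *
     * @return the modules to install, in registration order
     */
    public Collection<Module> createGuiceModules() {
        final List<Module> modules = new ArrayList<>();
        if (!this.enabled || this.transportClientMode) {
            modules.add(binder -> binder.bind(IPFilter.class).toProvider(Providers.of(null)));
        }
        if (this.transportClientMode) {
            if (this.enabled) {
                modules.add(binder -> binder.bind(SSLService.class).toProvider(this::getSslService));
            }
            return modules;
        }
        modules.add(binder -> XPackPlugin.bindFeatureSet(binder, SecurityFeatureSet.class));
        if (!this.enabled) {
            // Security is off: bind placeholders instead of the real stores.
            modules.add(binder -> {
                binder.bind(Realms.class).toProvider(Providers.of(null));
                binder.bind(CompositeRolesStore.class).toProvider(Providers.of(null));
                binder.bind(NativeRoleMappingStore.class).toProvider(Providers.of(null));
                binder.bind(AuditTrailService.class).toInstance(new AuditTrailService(Collections.emptyList(), getLicenseState()));
            });
        }
        return modules;
    }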

    /**
     * Returns the clock for this plugin; the default is the system UTC clock.
     *
     * <p>In this listing the visible part of {@code createComponents} passes
     * {@code Clock.systemUTC()} directly to {@code TokenService} and {@code ApiKeyService}, so
     * overriding this method does not change the clock those two services receive there.
     *
     * @return the system clock in UTC
     */
    protected Clock getClock() {
        final Clock utcClock = Clock.systemUTC();
        return utcClock;
    }

    /**
     * Returns the SSL service shared through {@code XPackPlugin}.
     *
     * <p>Used as the Guice provider for {@code SSLService} in transport-client mode and passed to
     * the PKI bootstrap check and the internal realm factories in {@code createComponents}.
     *
     * @return the value of {@code XPackPlugin.getSharedSslService()}
     */
    protected SSLService getSslService() {
        final SSLService sharedSslService = XPackPlugin.getSharedSslService();
        return sharedSslService;
    }

    /**
     * Returns the license state shared through {@code XPackPlugin}.
     *
     * <p>The security components built in {@code createComponents} read the license state through
     * this accessor.
     *
     * @return the value of {@code XPackPlugin.getSharedLicenseState()}
     */
    protected XPackLicenseState getLicenseState() {
        final XPackLicenseState sharedLicenseState = XPackPlugin.getSharedLicenseState();
        return sharedLicenseState;
    }

    /**
     * Plugin entry point for component creation; delegates to the package-private overload.
     *
     * <p>{@code nodeEnvironment}, {@code namedWriteableRegistry} and {@code supplier} are accepted
     * but not forwarded. Any exception from the delegate is rethrown as an
     * {@link IllegalStateException} with the original as its cause, so a failed security
     * initialization is not swallowed.
     *
     * @return the components created by the delegate
     * @throws IllegalStateException if the delegate throws any exception
     */
    public Collection<Object> createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry namedXContentRegistry, Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry, IndexNameExpressionResolver indexNameExpressionResolver, Supplier<RepositoriesService> supplier) {
        final Collection<Object> components;
        try {
            components = createComponents(client, threadPool, clusterService, resourceWatcherService, scriptService, namedXContentRegistry, environment, indexNameExpressionResolver);
        } catch (Exception e) {
            // Keep the cause attached so the underlying failure stays visible in the stack trace.
            throw new IllegalStateException("security initialization failed", e);
        }
        return components;
    }

    Collection<Object> createComponents(Client client, ThreadPool threadPool, ClusterService clusterService, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry namedXContentRegistry, Environment environment, IndexNameExpressionResolver indexNameExpressionResolver) throws Exception {
        if (!this.enabled) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(Arrays.asList(new ApiKeySSLBootstrapCheck(), new TokenSSLBootstrapCheck(), new PkiRealmBootstrapCheck(getSslService()), new TLSLicenseBootstrapCheck()));
        arrayList.addAll(InternalRealms.getBootstrapChecks(this.settings, environment));
        this.bootstrapChecks.set(Collections.unmodifiableList(arrayList));
        this.threadContext.set(threadPool.getThreadContext());
        ArrayList arrayList2 = new ArrayList();
        this.securityContext.set(new SecurityContext(this.settings, threadPool.getThreadContext()));
        arrayList2.add(this.securityContext.get());
        AuditTrailService auditTrailService = new AuditTrailService(((Boolean) XPackSettings.AUDIT_ENABLED.get(this.settings)).booleanValue() ? Collections.singletonList(new LoggingAuditTrail(this.settings, clusterService, threadPool)) : Collections.emptyList(), getLicenseState());
        arrayList2.add(auditTrailService);
        this.auditTrailService.set(auditTrailService);
        this.securityIndex.set(SecurityIndexManager.buildSecurityMainIndexManager(client, clusterService));
        TokenService tokenService = new TokenService(this.settings, Clock.systemUTC(), client, getLicenseState(), (SecurityContext) this.securityContext.get(), (SecurityIndexManager) this.securityIndex.get(), SecurityIndexManager.buildSecurityTokensIndexManager(client, clusterService), clusterService);
        this.tokenService.set(tokenService);
        arrayList2.add(tokenService);
        NativeUsersStore nativeUsersStore = new NativeUsersStore(this.settings, client, (SecurityIndexManager) this.securityIndex.get());
        NativeRoleMappingStore nativeRoleMappingStore = new NativeRoleMappingStore(this.settings, client, (SecurityIndexManager) this.securityIndex.get(), scriptService);
        AnonymousUser anonymousUser = new AnonymousUser(this.settings);
        ReservedRealm reservedRealm = new ReservedRealm(environment, this.settings, nativeUsersStore, anonymousUser, (SecurityIndexManager) this.securityIndex.get(), threadPool);
        ExtensionComponents extensionComponents = new ExtensionComponents(environment, client, clusterService, resourceWatcherService, nativeRoleMappingStore);
        HashMap hashMap = new HashMap(InternalRealms.getFactories(threadPool, resourceWatcherService, getSslService(), nativeUsersStore, nativeRoleMappingStore, (SecurityIndexManager) this.securityIndex.get()));
        Iterator<SecurityExtension> it = this.securityExtensions.iterator();
        while (it.hasNext()) {
            for (Map.Entry entry : it.next().getRealms(extensionComponents).entrySet()) {
                if (hashMap.put((String) entry.getKey(), (Realm.Factory) entry.getValue()) != null) {
                    throw new IllegalArgumentException("Realm type [" + ((String) entry.getKey()) + "] is already registered");
                }
            }
        }
        Realms realms = new Realms(this.settings, environment, hashMap, getLicenseState(), threadPool.getThreadContext(), reservedRealm);
        arrayList2.add(nativeUsersStore);
        arrayList2.add(nativeRoleMappingStore);
        arrayList2.add(realms);
        arrayList2.add(reservedRealm);
        SecurityIndexManager securityIndexManager = (SecurityIndexManager) this.securityIndex.get();
        Objects.requireNonNull(nativeRoleMappingStore);
        securityIndexManager.addIndexStateListener(nativeRoleMappingStore::onSecurityIndexStateChange);
        NativePrivilegeStore nativePrivilegeStore = new NativePrivilegeStore(this.settings, client, (SecurityIndexManager) this.securityIndex.get());
        arrayList2.add(nativePrivilegeStore);
        SecurityIndexManager securityIndexManager2 = (SecurityIndexManager) this.securityIndex.get();
        Objects.requireNonNull(nativePrivilegeStore);
        securityIndexManager2.addIndexStateListener(nativePrivilegeStore::onSecurityIndexStateChange);
        this.dlsBitsetCache.set(new DocumentSubsetBitsetCache(this.settings, threadPool));
        FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(this.settings);
        FileRolesStore fileRolesStore = new FileRolesStore(this.settings, environment, resourceWatcherService, getLicenseState(), namedXContentRegistry);
        NativeRolesStore nativeRolesStore = new NativeRolesStore(this.settings, client, getLicenseState(), (SecurityIndexManager) this.securityIndex.get());
        ReservedRolesStore reservedRolesStore = new ReservedRolesStore();
        ArrayList arrayList3 = new ArrayList();
        Iterator<SecurityExtension> it2 = this.securityExtensions.iterator();
        while (it2.hasNext()) {
            arrayList3.addAll(it2.next().getRolesProviders(extensionComponents));
        }
        ApiKeyService apiKeyService = new ApiKeyService(this.settings, Clock.systemUTC(), client, getLicenseState(), (SecurityIndexManager) this.securityIndex.get(), clusterService, threadPool);
        arrayList2.add(apiKeyService);
        CompositeRolesStore compositeRolesStore = new CompositeRolesStore(this.settings, fileRolesStore, nativeRolesStore, reservedRolesStore, nativePrivilegeStore, arrayList3, threadPool.getThreadContext(), getLicenseState(), fieldPermissionsCache, apiKeyService, (DocumentSubsetBitsetCache) this.dlsBitsetCache.get(), new DeprecationRoleDescriptorConsumer(clusterService, threadPool));
        SecurityIndexManager securityIndexManager3 = (SecurityIndexManager) this.securityIndex.get();
        Objects.requireNonNull(compositeRolesStore);
        securityIndexManager3.addIndexStateListener(compositeRolesStore::onSecurityIndexStateChange);
        XPackLicenseState licenseState = getLicenseState();
        Objects.requireNonNull(compositeRolesStore);
        licenseState.addListener(compositeRolesStore::invalidateAll);
        getLicenseState().addListener(new SecurityStatusChangeListener(getLicenseState()));
        AuthenticationFailureHandler createAuthenticationFailureHandler = createAuthenticationFailureHandler(realms, extensionComponents);
        this.authcService.set(new AuthenticationService(this.settings, realms, auditTrailService, createAuthenticationFailureHandler, threadPool, anonymousUser, tokenService, apiKeyService));
        arrayList2.add(this.authcService.get());
        SecurityIndexManager securityIndexManager4 = (SecurityIndexManager) this.securityIndex.get();
        AuthenticationService authenticationService = (AuthenticationService) this.authcService.get();
        Objects.requireNonNull(authenticationService);
        securityIndexManager4.addIndexStateListener(authenticationService::onSecurityIndexStateChange);
        HashSet newHashSet = Sets.newHashSet(new RequestInterceptor[]{new ResizeRequestInterceptor(threadPool, getLicenseState(), auditTrailService), new IndicesAliasesRequestInterceptor(threadPool.getThreadContext(), getLicenseState(), auditTrailService)});
        if (((Boolean) XPackSettings.DLS_FLS_ENABLED.get(this.settings)).booleanValue()) {
            newHashSet.addAll(Arrays.asList(new SearchRequestInterceptor(threadPool, getLicenseState()), new UpdateRequestInterceptor(threadPool, getLicenseState()), new BulkShardRequestInterceptor(threadPool, getLicenseState())));
        }
        AuthorizationService authorizationService = new AuthorizationService(this.settings, compositeRolesStore, clusterService, auditTrailService, createAuthenticationFailureHandler, threadPool, anonymousUser, getAuthorizationEngine(), Collections.unmodifiableSet(newHashSet), getLicenseState(), indexNameExpressionResolver);
        arrayList2.add(nativeRolesStore);
        arrayList2.add(reservedRolesStore);
        arrayList2.add(compositeRolesStore);
        arrayList2.add(authorizationService);
        SecondaryAuthenticator secondaryAuthenticator = new SecondaryAuthenticator((SecurityContext) this.securityContext.get(), (AuthenticationService) this.authcService.get());
        this.secondayAuthc.set(secondaryAuthenticator);
        arrayList2.add(secondaryAuthenticator);
        this.ipFilter.set(new IPFilter(this.settings, auditTrailService, clusterService.getClusterSettings(), getLicenseState()));
        arrayList2.add(this.ipFilter.get());
        DestructiveOperations destructiveOperations = new DestructiveOperations(this.settings, clusterService.getClusterSettings());
        this.securityInterceptor.set(new SecurityServerTransportInterceptor(this.settings, threadPool, (AuthenticationService) this.authcService.get(), authorizationService, getLicenseState(), getSslService(), (SecurityContext) this.securityContext.get(), destructiveOperations, clusterService));
        this.securityActionFilter.set(new SecurityActionFilter((AuthenticationService) this.authcService.get(), authorizationService, getLicenseState(), threadPool, (SecurityContext) this.securityContext.get(), destructiveOperations));
        return arrayList2;
    }

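    /**
     * Selects the custom {@link AuthorizationEngine} offered by the loaded security extensions.
     *
     * <p>Every extension is asked for an engine and at most one of them may supply one. The
     * selection is only updated when an extension actually returns an engine, so an extension that
     * returns {@code null} neither discards an engine chosen earlier nor hides a conflict between
     * two extensions that both supply one.
     *
     * @return the engine from the single extension that provides one, or {@code null} when no
     *         extension provides one
     * @throws IllegalStateException if more than one extension provides an engine
     */
    private AuthorizationEngine getAuthorizationEngine() {
        AuthorizationEngine selectedEngine = null;
        String selectedExtension = null;
        for (SecurityExtension extension : this.securityExtensions) {
            AuthorizationEngine candidate = extension.getAuthorizationEngine(this.settings);
            if (candidate == null) {
                // This extension does not customise authorization; keep any earlier selection intact.
                continue;
            }
            if (selectedEngine != null) {
                throw new IllegalStateException("Extensions [" + selectedExtension + "] and [" + extension.toString() + "] both set an authorization engine");
            }
            selectedEngine = candidate;
            selectedExtension = extension.toString();
        }
        if (selectedEngine != null) {
            logger.debug("Using authorization engine from extension [" + selectedExtension + "]");
        }
        return selectedEngine;
    }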

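    /**
     * Resolves the {@link AuthenticationFailureHandler} used when authentication fails.
     *
     * <p>Each security extension may supply a handler, but at most one of them. An extension that
     * returns {@code null} leaves an earlier selection untouched, so a configured handler is not
     * silently replaced by the default and a conflict between two suppliers is always reported.
     *
     * <p>When no extension supplies a handler, a {@link DefaultAuthenticationFailureHandler} is
     * built from the failure headers of all realms, plus a {@code Bearer} challenge when the token
     * service is enabled and an {@code ApiKey} challenge when the API key service is enabled. The
     * headers are recomputed whenever the license state listener fires.
     *
     * @param realms             realms whose authentication failure headers seed the default handler
     * @param securityComponents components handed to each extension when asking for its handler
     * @return the extension-provided handler, or the default handler when no extension provides one
     * @throws IllegalStateException if more than one extension provides a handler
     */
    private AuthenticationFailureHandler createAuthenticationFailureHandler(Realms realms, SecurityExtension.SecurityComponents securityComponents) {
        AuthenticationFailureHandler extensionHandler = null;
        String extensionName = null;
        for (SecurityExtension extension : this.securityExtensions) {
            AuthenticationFailureHandler candidate = extension.getAuthenticationFailureHandler(securityComponents);
            if (candidate == null) {
                // This extension does not customise failure handling; keep any earlier selection intact.
                continue;
            }
            if (extensionHandler != null) {
                throw new IllegalStateException("Extensions [" + extensionName + "] and [" + extension.toString() + "] both set an authentication failure handler");
            }
            extensionHandler = candidate;
            extensionName = extension.toString();
        }
        if (extensionHandler != null) {
            logger.debug("Using authentication failure handler from extension [" + extensionName + "]");
            return extensionHandler;
        }

        logger.debug("Using default authentication failure handler");
        Supplier<Map<String, List<String>>> headersSupplier = () -> {
            Map<String, List<String>> headers = new HashMap<>();
            // Merge the headers of every realm, keeping first-seen order and dropping duplicates.
            realms.asList().forEach(realm ->
                realm.getAuthenticationFailureHeaders().forEach((name, values) ->
                    values.forEach(value -> addFailureHeaderIfAbsent(headers, name, value))));
            if (TokenService.isTokenServiceEnabled(this.settings)) {
                addFailureHeaderIfAbsent(headers, KerberosAuthenticationToken.WWW_AUTHENTICATE, "Bearer realm=\"security\"");
            }
            if (((Boolean) XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.get(this.settings)).booleanValue()) {
                addFailureHeaderIfAbsent(headers, KerberosAuthenticationToken.WWW_AUTHENTICATE, "ApiKey");
            }
            return headers;
        };
        DefaultAuthenticationFailureHandler defaultHandler = new DefaultAuthenticationFailureHandler(headersSupplier.get());
        // Rebuild the advertised headers on every license state notification.
        getLicenseState().addListener(() -> defaultHandler.setHeaders(headersSupplier.get()));
        return defaultHandler;
    }

    /** Appends {@code value} to the list stored under {@code name} unless that list already holds it. */
    private static void addFailureHeaderIfAbsent(Map<String, List<String>> headers, String name, String value) {
        List<String> values = headers.computeIfAbsent(name, key -> new ArrayList<>());
        if (!values.contains(value)) {
            values.add(value);
        }
    }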

    /**
     * Returns the settings this plugin contributes, computed from the plugin's own settings,
     * its enabled flag and its transport-client-mode flag.
     *
     * @return the result of the static {@code additionalSettings} overload for this instance
     */
    public Settings additionalSettings() {
        Settings contributed = additionalSettings(this.settings, this.enabled, this.transportClientMode);
        return contributed;
    }

    /**
     * Builds the settings that security adds on top of the node settings.
     *
     * <p>Nothing is added when security is disabled or the node runs in transport-client mode.
     * Otherwise the transport settings, the HTTP overrides and the user settings are added. An
     * explicitly configured {@code http.type} must be one of the two security HTTP transports;
     * when it is not configured, {@code security4} is selected.
     *
     * @param settings the node settings to derive the additions from
     * @param z        whether security is enabled (the instance overload passes its enabled flag)
     * @param z2       whether the node is in transport-client mode (the instance overload passes
     *                 its transport-client-mode flag)
     * @return the additional settings, or {@link Settings#EMPTY} when none apply
     * @throws IllegalArgumentException if {@code http.type} is set to a non-security transport
     */
    static Settings additionalSettings(Settings settings, boolean z, boolean z2) {
        boolean securityApplies = z && !z2;
        if (!securityApplies) {
            return Settings.EMPTY;
        }
        Settings.Builder additions = Settings.builder();
        additions.put(SecuritySettings.addTransportSettings(settings));
        if (!NetworkModule.HTTP_TYPE_SETTING.exists(settings)) {
            additions.put("http.type", "security4");
        } else {
            String configuredType = (String) NetworkModule.HTTP_TYPE_SETTING.get(settings);
            boolean isSecurityTransport = configuredType.equals("security4") || configuredType.equals("security-nio");
            if (!isSecurityTransport) {
                // Refuse to start with an HTTP transport other than the two security ones.
                throw new IllegalArgumentException(String.format(Locale.ROOT, "http type setting [%s] must be [%s] or [%s] but is [%s]", "http.type", "security4", "security-nio", configuredType));
            }
        }
        SecurityHttpSettings.overrideSettings(additions, settings);
        additions.put(SecuritySettings.addUserSettings(settings));
        return additions.build();
    }

    /**
     * Returns the settings registered by this plugin instance.
     *
     * @return the result of the static {@code getSettings} overload for this instance's
     *         transport-client-mode flag and loaded extensions
     */
    public List<Setting<?>> getSettings() {
        List<Setting<?>> registered = getSettings(this.transportClientMode, this.securityExtensions);
        return registered;
    }

    /**
     * Collects every setting the security plugin registers.
     *
     * <p>In transport-client mode nothing is registered and an empty, mutable list is returned.
     * The final entry is the {@code hide_settings} list setting, declared with the
     * {@code NodeScope} and {@code Filtered} properties.
     *
     * @param z    whether the node is in transport-client mode (the instance overload passes its
     *             transport-client-mode flag)
     * @param list the loaded security extensions; not read by this method
     * @return a new mutable list of settings
     */
    public static List<Setting<?>> getSettings(boolean z, List<SecurityExtension> list) {
        List<Setting<?>> registered = new ArrayList<>();
        if (!z) {
            // Component-owned settings, registered by the components themselves.
            IPFilter.addSettings(registered);
            LoggingAuditTrail.registerSettings(registered);
            AnonymousUser.addSettings(registered);
            registered.addAll(InternalRealmsSettings.getSettings());
            NativeRolesStore.addSettings(registered);
            ReservedRealm.addSettings(registered);
            AuthenticationService.addSettings(registered);
            AuthorizationService.addSettings(registered);
            Automatons.addSettings(registered);
            registered.addAll(CompositeRolesStore.getSettings());
            registered.addAll(DocumentSubsetBitsetCache.getSettings());
            registered.add(FieldPermissionsCache.CACHE_SIZE_SETTING);

            // Token service.
            registered.add(TokenService.TOKEN_EXPIRATION);
            registered.add(TokenService.DELETE_INTERVAL);
            registered.add(TokenService.DELETE_TIMEOUT);

            // Transport profiles and their SSL configuration.
            registered.add(SecurityServerTransportInterceptor.TRANSPORT_TYPE_PROFILE_SETTING);
            registered.addAll(SSLConfigurationSettings.getProfileSettings());

            // API key service.
            registered.add(ApiKeyService.PASSWORD_HASHING_ALGORITHM);
            registered.add(ApiKeyService.DELETE_TIMEOUT);
            registered.add(ApiKeyService.DELETE_INTERVAL);
            registered.add(ApiKeyService.CACHE_HASH_ALGO_SETTING);
            registered.add(ApiKeyService.CACHE_MAX_KEYS_SETTING);
            registered.add(ApiKeyService.CACHE_TTL_SETTING);

            // Application privilege cache.
            registered.add(NativePrivilegeStore.CACHE_MAX_APPLICATIONS_SETTING);
            registered.add(NativePrivilegeStore.CACHE_TTL_SETTING);

            registered.add(Setting.listSetting(SecurityField.setting("hide_settings"), Collections.emptyList(), Function.identity(), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered}));
        }
        return registered;
    }

    /**
     * Lists the REST request headers that security registers.
     *
     * <p>The authentication header and the secondary-authentication header are always registered
     * outside transport-client mode. The forwarded-for header is registered only when auditing is
     * enabled, and the run-as header only when run-as is enabled.
     *
     * @return the header definitions, or an empty list in transport-client mode
     */
    public Collection<RestHeaderDefinition> getRestHeaders() {
        if (this.transportClientMode) {
            return Collections.emptyList();
        }
        Set<RestHeaderDefinition> definitions = new HashSet<>();
        definitions.add(new RestHeaderDefinition(KerberosAuthenticationToken.AUTH_HEADER, false));
        definitions.add(new RestHeaderDefinition(SecondaryAuthenticator.SECONDARY_AUTH_HEADER_NAME, false));
        boolean auditEnabled = ((Boolean) XPackSettings.AUDIT_ENABLED.get(this.settings)).booleanValue();
        if (auditEnabled) {
            definitions.add(new RestHeaderDefinition(AuditTrail.X_FORWARDED_FOR_HEADER, true));
        }
        boolean runAsEnabled = ((Boolean) AuthenticationServiceField.RUN_AS_ENABLED.get(this.settings)).booleanValue();
        if (runAsEnabled) {
            definitions.add(new RestHeaderDefinition("es-security-runas-user", false));
        }
        return definitions;
    }

    /**
     * Returns the setting-key patterns that security asks to have filtered.
     *
     * <p>The list starts with the values configured under the {@code hide_settings} security
     * setting and always ends with a pattern covering the security settings of every transport
     * profile.
     *
     * @return a new mutable list of filter patterns
     */
    public List<String> getSettingsFilter() {
        String hideSettingsKey = SecurityField.setting("hide_settings");
        List<String> patterns = new ArrayList<>(this.settings.getAsList(hideSettingsKey));
        String profilePattern = "transport.profiles.*." + SecurityField.setting("*");
        patterns.add(profilePattern);
        return patterns;
    }

    /**
     * Returns the bootstrap checks held in this plugin's {@code bootstrapChecks} holder.
     *
     * @return the stored list of bootstrap checks
     */
    public List<BootstrapCheck> getBootstrapChecks() {
        List<BootstrapCheck> checks = (List) this.bootstrapChecks.get();
        return checks;
    }

    /**
     * Hooks security into a newly created index module.
     *
     * <p>Does nothing when security is disabled. When document- and field-level security is
     * enabled in the settings, a {@link SecurityIndexReaderWrapper} is installed as the reader
     * wrapper and an {@link OptOutQueryCache} is forced as the query cache provider. A
     * {@link SecuritySearchOperationListener} is always added.
     *
     * @param indexModule the index module being set up
     */
    public void onIndexModule(IndexModule indexModule) {
        if (!this.enabled) {
            return;
        }
        if (!$assertionsDisabled && getLicenseState() == null) {
            throw new AssertionError();
        }
        boolean dlsFlsEnabled = ((Boolean) XPackSettings.DLS_FLS_ENABLED.get(this.settings)).booleanValue();
        if (dlsFlsEnabled) {
            if (!$assertionsDisabled && this.dlsBitsetCache.get() == null) {
                throw new AssertionError();
            }
            indexModule.setReaderWrapper(indexService -> new SecurityIndexReaderWrapper(
                // The query shard context is created without a searcher, and asking it for the
                // current time fails.
                shardId -> indexService.newQueryShardContext(shardId.id(), (IndexSearcher) null, () -> {
                    throw new IllegalArgumentException("permission filters are not allowed to use the current timestamp");
                }, (String) null),
                (DocumentSubsetBitsetCache) this.dlsBitsetCache.get(),
                (SecurityContext) this.securityContext.get(),
                getLicenseState(),
                indexService.getScriptService()));
            indexModule.forceQueryCacheProvider((indexSettings, indicesQueryCache) -> {
                OptOutQueryCache queryCache = new OptOutQueryCache(indexSettings, indicesQueryCache, (ThreadContext) this.threadContext.get(), getLicenseState());
                queryCache.listenForLicenseStateChanges();
                return queryCache;
            });
        }
        indexModule.addSearchOperationListener(new SecuritySearchOperationListener((SecurityContext) this.securityContext.get(), getLicenseState(), (AuditTrailService) this.auditTrailService.get()));
    }

    /**
     * Lists the transport action handlers provided by security, pairing each action instance
     * with its transport action class.
     *
     * @return the action handlers, or an empty list when security is disabled
     */
    public List<ActionPlugin.ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
        if (!this.enabled) {
            return Collections.emptyList();
        }
        return Arrays.asList(
            // Cache clearing
            new ActionPlugin.ActionHandler(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(ClearRolesCacheAction.INSTANCE, TransportClearRolesCacheAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(ClearPrivilegesCacheAction.INSTANCE, TransportClearPrivilegesCacheAction.class, new Class[0]),
            // Users and roles
            new ActionPlugin.ActionHandler(GetUsersAction.INSTANCE, TransportGetUsersAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(PutUserAction.INSTANCE, TransportPutUserAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(DeleteUserAction.INSTANCE, TransportDeleteUserAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(GetRolesAction.INSTANCE, TransportGetRolesAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(PutRoleAction.INSTANCE, TransportPutRoleAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(DeleteRoleAction.INSTANCE, TransportDeleteRoleAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(ChangePasswordAction.INSTANCE, TransportChangePasswordAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(AuthenticateAction.INSTANCE, TransportAuthenticateAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(SetEnabledAction.INSTANCE, TransportSetEnabledAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(HasPrivilegesAction.INSTANCE, TransportHasPrivilegesAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(GetUserPrivilegesAction.INSTANCE, TransportGetUserPrivilegesAction.class, new Class[0]),
            // Role mappings
            new ActionPlugin.ActionHandler(GetRoleMappingsAction.INSTANCE, TransportGetRoleMappingsAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(PutRoleMappingAction.INSTANCE, TransportPutRoleMappingAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(DeleteRoleMappingAction.INSTANCE, TransportDeleteRoleMappingAction.class, new Class[0]),
            // Tokens and certificates
            new ActionPlugin.ActionHandler(CreateTokenAction.INSTANCE, TransportCreateTokenAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(InvalidateTokenAction.INSTANCE, TransportInvalidateTokenAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(GetCertificateInfoAction.INSTANCE, TransportGetCertificateInfoAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(RefreshTokenAction.INSTANCE, TransportRefreshTokenAction.class, new Class[0]),
            // SAML
            new ActionPlugin.ActionHandler(SamlPrepareAuthenticationAction.INSTANCE, TransportSamlPrepareAuthenticationAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(SamlAuthenticateAction.INSTANCE, TransportSamlAuthenticateAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(SamlLogoutAction.INSTANCE, TransportSamlLogoutAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(SamlInvalidateSessionAction.INSTANCE, TransportSamlInvalidateSessionAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(SamlCompleteLogoutAction.INSTANCE, TransportSamlCompleteLogoutAction.class, new Class[0]),
            // OpenID Connect
            new ActionPlugin.ActionHandler(OpenIdConnectPrepareAuthenticationAction.INSTANCE, TransportOpenIdConnectPrepareAuthenticationAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(OpenIdConnectAuthenticateAction.INSTANCE, TransportOpenIdConnectAuthenticateAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(OpenIdConnectLogoutAction.INSTANCE, TransportOpenIdConnectLogoutAction.class, new Class[0]),
            // Application privileges
            new ActionPlugin.ActionHandler(GetBuiltinPrivilegesAction.INSTANCE, TransportGetBuiltinPrivilegesAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(GetPrivilegesAction.INSTANCE, TransportGetPrivilegesAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(PutPrivilegesAction.INSTANCE, TransportPutPrivilegesAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(DeletePrivilegesAction.INSTANCE, TransportDeletePrivilegesAction.class, new Class[0]),
            // API keys and delegated PKI
            new ActionPlugin.ActionHandler(CreateApiKeyAction.INSTANCE, TransportCreateApiKeyAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(GrantApiKeyAction.INSTANCE, TransportGrantApiKeyAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(InvalidateApiKeyAction.INSTANCE, TransportInvalidateApiKeyAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(GetApiKeyAction.INSTANCE, TransportGetApiKeyAction.class, new Class[0]),
            new ActionPlugin.ActionHandler(DelegatePkiAuthenticationAction.INSTANCE, TransportDelegatePkiAuthenticationAction.class, new Class[0]));
    }

    /**
     * Returns the security action filter as the only action filter of this plugin.
     *
     * @return a singleton list holding the security action filter, or an empty list when security
     *         is disabled or the node is in transport-client mode
     */
    public List<ActionFilter> getActionFilters() {
        boolean filterInstalled = this.enabled && !this.transportClientMode;
        if (!filterInstalled) {
            return Collections.emptyList();
        }
        ActionFilter securityFilter = (ActionFilter) this.securityActionFilter.get();
        return Collections.singletonList(securityFilter);
    }

    /**
     * Creates the REST handlers provided by security.
     *
     * <p>Of the parameters, only {@code settings} is read here; most handlers additionally
     * receive the license state and some the security context.
     *
     * @return the REST handlers, or an empty list when security is disabled
     */
    public List<RestHandler> getRestHandlers(Settings settings, RestController restController, ClusterSettings clusterSettings, IndexScopedSettings indexScopedSettings, SettingsFilter settingsFilter, IndexNameExpressionResolver indexNameExpressionResolver, Supplier<DiscoveryNodes> supplier) {
        if (!this.enabled) {
            return Collections.emptyList();
        }
        return Arrays.asList(
            new RestAuthenticateAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()),
            // Cache clearing
            new RestClearRealmCacheAction(settings, getLicenseState()),
            new RestClearRolesCacheAction(settings, getLicenseState()),
            new RestClearPrivilegesCacheAction(settings, getLicenseState()),
            // Users and roles
            new RestGetUsersAction(settings, getLicenseState()),
            new RestPutUserAction(settings, getLicenseState()),
            new RestDeleteUserAction(settings, getLicenseState()),
            new RestGetRolesAction(settings, getLicenseState()),
            new RestPutRoleAction(settings, getLicenseState()),
            new RestDeleteRoleAction(settings, getLicenseState()),
            new RestChangePasswordAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()),
            new RestSetEnabledAction(settings, getLicenseState()),
            new RestHasPrivilegesAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()),
            new RestGetUserPrivilegesAction(settings, (SecurityContext) this.securityContext.get(), getLicenseState()),
            // Role mappings
            new RestGetRoleMappingsAction(settings, getLicenseState()),
            new RestPutRoleMappingAction(settings, getLicenseState()),
            new RestDeleteRoleMappingAction(settings, getLicenseState()),
            // Tokens and certificates
            new RestGetTokenAction(settings, getLicenseState()),
            new RestInvalidateTokenAction(settings, getLicenseState()),
            new RestGetCertificateInfoAction(),
            // SAML
            new RestSamlPrepareAuthenticationAction(settings, getLicenseState()),
            new RestSamlAuthenticateAction(settings, getLicenseState()),
            new RestSamlLogoutAction(settings, getLicenseState()),
            new RestSamlInvalidateSessionAction(settings, getLicenseState()),
            new RestSamlCompleteLogoutAction(settings, getLicenseState()),
            // OpenID Connect
            new RestOpenIdConnectPrepareAuthenticationAction(settings, getLicenseState()),
            new RestOpenIdConnectAuthenticateAction(settings, getLicenseState()),
            new RestOpenIdConnectLogoutAction(settings, getLicenseState()),
            // Application privileges
            new RestGetBuiltinPrivilegesAction(settings, getLicenseState()),
            new RestGetPrivilegesAction(settings, getLicenseState()),
            new RestPutPrivilegesAction(settings, getLicenseState()),
            new RestDeletePrivilegesAction(settings, getLicenseState()),
            // API keys and delegated PKI
            new RestCreateApiKeyAction(settings, getLicenseState()),
            new RestGrantApiKeyAction(settings, getLicenseState()),
            new RestInvalidateApiKeyAction(settings, getLicenseState()),
            new RestGetApiKeyAction(settings, getLicenseState()),
            new RestDelegatePkiAuthenticationAction(settings, getLicenseState()));
    }

    /**
     * Registers the ingest processor factory for {@link SetSecurityUserProcessor}.
     *
     * <p>The factory receives method references to the security-context holder and to
     * {@code getLicenseState}, so both are looked up when the factory calls them rather than here.
     *
     * @param parameters ingest processor parameters; not read by this method
     * @return a singleton map from the processor type to its factory
     */
    public Map<String, Processor.Factory> getProcessors(Processor.Parameters parameters) {
        SetOnce<SecurityContext> contextHolder = Objects.requireNonNull(this.securityContext);
        SetSecurityUserProcessor.Factory factory = new SetSecurityUserProcessor.Factory(contextHolder::get, this::getLicenseState);
        return Collections.singletonMap(SetSecurityUserProcessor.TYPE, factory);
    }

    /**
     * Rejects realm settings that are not keyed by realm type.
     *
     * <p>A key under {@code xpack.security.authc.realms.} is reported when the part after that
     * prefix contains at most one {@code '.'}, which means it cannot hold a type, a name and a
     * setting.
     *
     * @param settings the node settings to inspect
     * @throws IllegalArgumentException listing the offending keys, if any are found
     */
    static void validateRealmSettings(Settings settings) {
        final String realmsPrefix = "xpack.security.authc.realms.";
        Set<String> invalidKeys = settings.keySet().stream()
            .filter(key -> key.startsWith(realmsPrefix))
            .filter(key -> {
                String remainder = key.substring(realmsPrefix.length());
                // First and last '.' coincide when the remainder has zero or one dot.
                return remainder.indexOf('.') == remainder.lastIndexOf('.');
            })
            .collect(Collectors.toSet());
        if (!invalidKeys.isEmpty()) {
            String exampleKey = RealmSettings.realmSettingPrefix(new RealmConfig.RealmIdentifier("file", "my_file")) + "order";
            throw new IllegalArgumentException("Incorrect realm settings found. Realm settings have been changed to include the type as part of the setting key.\nFor example '" + exampleKey + "'\nFound invalid config: " + Strings.collectionToDelimitedString(invalidKeys, ", ") + "\nPlease see the breaking changes documentation.");
        }
    }

    /**
     * Validates the settings against the restrictions applied in FIPS 140 mode.
     *
     * <p>Three conditions are reported: a {@code keystore.type} setting whose value is
     * {@code jks} (case-insensitive); a {@code keystore.path} setting without a matching
     * {@code .type} setting when the inferred keystore type is {@code jks}; and a password hashing
     * algorithm whose lower-cased name does not start with {@code pbkdf2}. All findings are
     * collected and reported together.
     *
     * @param settings the node settings to validate
     * @throws IllegalArgumentException with a numbered list of every violation found
     */
    static void validateForFips(Settings settings) {
        List<String> violations = new ArrayList<>();

        // Keystores explicitly declared as JKS.
        Settings explicitJks = settings
            .filter(key -> key.endsWith("keystore.type"))
            .filter(key -> settings.get(key).equalsIgnoreCase("jks"));
        if (!explicitJks.isEmpty()) {
            violations.add("JKS Keystores cannot be used in a FIPS 140 compliant JVM. Please revisit [" + explicitJks.toDelimitedString(',') + "] settings");
        }

        // Keystores with a path but no declared type, which fall back to the inferred type.
        Settings untypedKeystores = settings
            .filter(key -> key.endsWith("keystore.path"))
            .filter(key -> !settings.hasValue(key.replace(".path", ".type")));
        if (!untypedKeystores.isEmpty() && SSLConfigurationSettings.inferKeyStoreType((String) null).equals("jks")) {
            violations.add("JKS Keystores cannot be used in a FIPS 140 compliant JVM. Please revisit [" + untypedKeystores.toDelimitedString(',') + "] settings");
        }

        String hashingAlgorithm = ((String) XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings)).toLowerCase(Locale.ROOT);
        if (!hashingAlgorithm.startsWith("pbkdf2")) {
            violations.add("Only PBKDF2 is allowed for password hashing in a FIPS 140 JVM. Please set the appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
        }

        if (violations.isEmpty()) {
            return;
        }
        StringBuilder message = new StringBuilder("Validation for FIPS 140 mode failed: \n");
        for (int index = 0; index < violations.size(); index++) {
            // Entries are numbered from 1.
            message.append(index + 1).append(": ").append(violations.get(index)).append(";\n");
        }
        throw new IllegalArgumentException(message.toString());
    }

    /**
     * Returns a transport interceptor that forwards to the interceptor stored in
     * {@code securityInterceptor}.
     *
     * <p>The stored interceptor is looked up on every call rather than when this method runs.
     * With assertions enabled, a missing interceptor raises an {@link AssertionError}.
     *
     * @param namedWriteableRegistry not read by this method
     * @param threadContext          not read by this method
     * @return a singleton list with the delegating interceptor, or an empty list when security is
     *         disabled or the node is in transport-client mode
     */
    public List<TransportInterceptor> getTransportInterceptors(NamedWriteableRegistry namedWriteableRegistry, ThreadContext threadContext) {
        if (this.transportClientMode || !this.enabled) {
            return Collections.emptyList();
        }
        return Collections.singletonList(new TransportInterceptor() {
            static final /* synthetic */ boolean $assertionsDisabled;

            static {
                $assertionsDisabled = !Security.class.desiredAssertionStatus();
            }

            public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, String str2, boolean z, TransportRequestHandler<T> transportRequestHandler) {
                if (!$assertionsDisabled && Security.this.securityInterceptor.get() == null) {
                    throw new AssertionError();
                }
                TransportInterceptor delegate = (TransportInterceptor) Security.this.securityInterceptor.get();
                return delegate.interceptHandler(str, str2, z, transportRequestHandler);
            }

            public TransportInterceptor.AsyncSender interceptSender(TransportInterceptor.AsyncSender asyncSender) {
                if (!$assertionsDisabled && Security.this.securityInterceptor.get() == null) {
                    throw new AssertionError();
                }
                TransportInterceptor delegate = (TransportInterceptor) Security.this.securityInterceptor.get();
                return delegate.interceptSender(asyncSender);
            }
        });
    }

    /**
     * Registers the suppliers of the two security transports, {@code security4} and
     * {@code security-nio}.
     *
     * <p>The IP filter is read from its holder when this method runs and is captured by both
     * suppliers; the SSL service and the group factories are looked up when a supplier is
     * invoked.
     *
     * @return an unmodifiable map from transport name to supplier, or an empty map when security
     *         is disabled or the node is in transport-client mode
     */
    public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
        boolean transportsAvailable = this.enabled && !this.transportClientMode;
        if (!transportsAvailable) {
            return Collections.emptyMap();
        }
        IPFilter filter = (IPFilter) this.ipFilter.get();
        Map<String, Supplier<Transport>> transports = new HashMap<>();
        transports.put("security4", () -> new SecurityNetty4ServerTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, filter, getSslService(), getNettySharedGroupFactory(settings)));
        transports.put("security-nio", () -> new SecurityNioTransport(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, filter, getSslService(), getNioGroupFactory(settings)));
        return Collections.unmodifiableMap(transports);
    }

    /**
     * Registers the suppliers of the two security HTTP transports, {@code security4} and
     * {@code security-nio}.
     *
     * <p>The IP filter, the SSL service and the group factories are looked up when a supplier is
     * invoked, not when this method runs. The returned map is a plain mutable {@link HashMap}.
     *
     * @return a map from HTTP transport name to supplier, or an empty map when security is
     *         disabled
     */
    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedXContentRegistry namedXContentRegistry, NetworkService networkService, HttpServerTransport.Dispatcher dispatcher, ClusterSettings clusterSettings) {
        if (this.enabled) {
            Map<String, Supplier<HttpServerTransport>> httpTransports = new HashMap<>();
            httpTransports.put("security4", () -> new SecurityNetty4HttpServerTransport(settings, networkService, bigArrays, (IPFilter) this.ipFilter.get(), getSslService(), threadPool, namedXContentRegistry, dispatcher, clusterSettings, getNettySharedGroupFactory(settings)));
            httpTransports.put("security-nio", () -> new SecurityNioHttpServerTransport(settings, networkService, bigArrays, pageCacheRecycler, threadPool, namedXContentRegistry, dispatcher, (IPFilter) this.ipFilter.get(), getSslService(), getNioGroupFactory(settings), clusterSettings));
            return httpTransports;
        }
        return Collections.emptyMap();
    }

    /**
     * Returns the operator that wraps every REST handler in a {@link SecurityRestFilter}.
     *
     * <p>Whether client certificates are extracted is decided once, when this method runs: HTTP
     * SSL must be enabled and the SSL service must report client authentication as enabled for
     * the HTTP transport configuration. The authentication services are read from their holders
     * each time a handler is wrapped.
     *
     * @param threadContext the thread context handed to each filter
     * @return the wrapping operator, or {@code null} when security is disabled or the node is in
     *         transport-client mode
     */
    public UnaryOperator<RestHandler> getRestHandlerWrapper(ThreadContext threadContext) {
        boolean wrapHandlers = this.enabled && !this.transportClientMode;
        if (!wrapHandlers) {
            return null;
        }
        final boolean clientAuthEnabled;
        if (((Boolean) XPackSettings.HTTP_SSL_ENABLED.get(this.settings)).booleanValue()) {
            clientAuthEnabled = getSslService().isSSLClientAuthEnabled(getSslService().getHttpTransportSSLConfiguration());
        } else {
            clientAuthEnabled = false;
        }
        return handler -> new SecurityRestFilter(getLicenseState(), threadContext, (AuthenticationService) this.authcService.get(), (SecondaryAuthenticator) this.secondayAuthc.get(), handler, clientAuthEnabled);
    }

    /**
     * Declares the thread pools used by security: the token service pool and the crypto pool.
     *
     * <p>The token pool is built with the arguments {@code 1} and {@code 1000}; the crypto pool
     * with half the allocated processors, rounded up, and {@code 1000}.
     *
     * @param settings the node settings passed to each builder
     * @return the two executor builders, or an empty list when security is disabled or the node
     *         is in transport-client mode
     */
    public List<ExecutorBuilder<?>> getExecutorBuilders(Settings settings) {
        boolean poolsNeeded = this.enabled && !this.transportClientMode;
        if (!poolsNeeded) {
            return Collections.emptyList();
        }
        FixedExecutorBuilder tokenPool = new FixedExecutorBuilder(settings, TokenService.THREAD_POOL_NAME, 1, 1000, "xpack.security.authc.token.thread_pool", false);
        int cryptoThreads = (EsExecutors.allocatedProcessors(settings) + 1) / 2;
        FixedExecutorBuilder cryptoPool = new FixedExecutorBuilder(settings, SECURITY_CRYPTO_THREAD_POOL_NAME, cryptoThreads, 1000, "xpack.security.crypto.thread_pool", false);
        return org.elasticsearch.common.collect.List.of(tokenPool, cryptoPool);
    }

    /**
     * Returns an upgrader that drops two security templates from the given template map: the
     * security main template and {@code security_audit_log}.
     *
     * <p>The map passed to the operator is modified in place and returned.
     *
     * @return the template upgrader
     */
    public UnaryOperator<Map<String, IndexTemplateMetadata>> getIndexTemplateMetadataUpgrader() {
        return templates -> {
            for (String templateName : new String[]{SecurityIndexManager.SECURITY_MAIN_TEMPLATE_7, "security_audit_log"}) {
                templates.remove(templateName);
            }
            return templates;
        };
    }

    /**
     * Returns the per-index field filter that applies field-level security.
     *
     * <p>For an index, the no-op predicate is returned unless all of the following hold: security
     * is enabled in the license state, the thread context carries {@code _indices_permissions},
     * those permissions include the index, its field permissions use field-level security, and the
     * license check for the DLS/FLS feature passes. In that case the predicate is the field
     * permissions' {@code grantsAccessTo}.
     *
     * @return the field filter, or the superclass filter when security is disabled
     * @throws IllegalStateException (from the returned function) if index permissions exist for
     *         the index but access is not granted
     */
    public Function<String, Predicate<String>> getFieldFilter() {
        if (!this.enabled) {
            return super.getFieldFilter();
        }
        return index -> {
            XPackLicenseState license = getLicenseState();
            if (!license.isSecurityEnabled()) {
                return MapperPlugin.NOOP_FIELD_PREDICATE;
            }
            IndicesAccessControl accessControl = (IndicesAccessControl) ((ThreadContext) this.threadContext.get()).getTransient("_indices_permissions");
            if (accessControl == null) {
                return MapperPlugin.NOOP_FIELD_PREDICATE;
            }
            IndicesAccessControl.IndexAccessControl indexAccess = accessControl.getIndexPermissions(index);
            if (indexAccess == null) {
                return MapperPlugin.NOOP_FIELD_PREDICATE;
            }
            if (!indexAccess.isGranted()) {
                throw new IllegalStateException("unexpected call to getFieldFilter for index [" + index + "] which is not granted");
            }
            FieldPermissions permissions = indexAccess.getFieldPermissions();
            // The license feature check runs only when field-level security is actually in use.
            boolean restrictFields = permissions.hasFieldLevelSecurity() && license.checkFeature(XPackLicenseState.Feature.SECURITY_DLS_FLS);
            if (restrictFields) {
                return permissions::grantsAccessTo;
            }
            return MapperPlugin.NOOP_FIELD_PREDICATE;
        };
    }

    /**
     * Returns the validator applied to joining nodes: a {@link ValidateUpgradedSecurityIndex}
     * check followed by a {@link ValidateLicenseForFIPS} check built from the FIPS-mode setting.
     *
     * @return the combined validator, or {@code null} when security is disabled
     */
    public BiConsumer<DiscoveryNode, ClusterState> getJoinValidator() {
        if (!this.enabled) {
            return null;
        }
        boolean fipsMode = ((Boolean) XPackSettings.FIPS_MODE_ENABLED.get(this.settings)).booleanValue();
        return new ValidateUpgradedSecurityIndex().andThen(new ValidateLicenseForFIPS(fipsMode));
    }

    /**
     * Adds every {@link SecurityExtension} found by the loader to this plugin's extension list.
     *
     * @param extensionLoader the loader used to discover extensions
     */
    public void loadExtensions(ExtensiblePlugin.ExtensionLoader extensionLoader) {
        securityExtensions.addAll(
            extensionLoader.loadExtensions(SecurityExtension.class));
    }

    /**
     * Returns the shared {@link NioGroupFactory}, creating it on first use.
     *
     * <p>With assertions enabled, a later call whose settings differ from those of the existing
     * factory raises an {@link AssertionError}.
     *
     * @param settings the settings used to create the factory on first use
     * @return the factory stored in {@code nioGroupFactory}
     */
    private synchronized NioGroupFactory getNioGroupFactory(Settings settings) {
        if (this.nioGroupFactory.get() != null) {
            if (!$assertionsDisabled && !((NioGroupFactory) this.nioGroupFactory.get()).getSettings().equals(settings)) {
                throw new AssertionError("Different settings than originally provided");
            }
            return (NioGroupFactory) this.nioGroupFactory.get();
        }
        this.nioGroupFactory.set(new NioGroupFactory(settings, logger));
        return (NioGroupFactory) this.nioGroupFactory.get();
    }

    /**
     * Returns the shared {@link SharedGroupFactory}, creating it on first use.
     *
     * <p>With assertions enabled, a later call whose settings differ from those of the existing
     * factory raises an {@link AssertionError}.
     *
     * @param settings the settings used to create the factory on first use
     * @return the factory stored in {@code sharedGroupFactory}
     */
    private synchronized SharedGroupFactory getNettySharedGroupFactory(Settings settings) {
        if (this.sharedGroupFactory.get() != null) {
            if (!$assertionsDisabled && !((SharedGroupFactory) this.sharedGroupFactory.get()).getSettings().equals(settings)) {
                throw new AssertionError("Different settings than originally provided");
            }
            return (SharedGroupFactory) this.sharedGroupFactory.get();
        }
        this.sharedGroupFactory.set(new SharedGroupFactory(settings));
        return (SharedGroupFactory) this.sharedGroupFactory.get();
    }

    /**
     * Describes the system indices owned by security: three security configuration index names
     * and two auth token index names.
     *
     * @param settings not read by this method
     * @return an unmodifiable list of the five descriptors
     */
    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
        final String configurationDescription = "Contains Security configuration";
        final String tokenDescription = "Contains auth token data";
        return Collections.unmodifiableList(Arrays.asList(
            new SystemIndexDescriptor(".security", configurationDescription),
            new SystemIndexDescriptor(".security-6", configurationDescription),
            new SystemIndexDescriptor(".security-7", configurationDescription),
            new SystemIndexDescriptor(".security-tokens", tokenDescription),
            new SystemIndexDescriptor(".security-tokens-7", tokenDescription)));
    }

    // Class initializer: sets the assertion flag and the class logger.
    static {
        // True when assertions are disabled for this class; the assertion-style checks in this
        // class are skipped in that case.
        $assertionsDisabled = !Security.class.desiredAssertionStatus();
        logger = LogManager.getLogger(Security.class);
    }
}
