package org.elasticsearch.xpack.security.support;

import java.time.Instant;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceAlreadyExistsException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.UnavailableShardsException;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.support.ActiveShardCount;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.IndicesAdminClient;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.health.ClusterHealthStatus;
import org.elasticsearch.cluster.health.ClusterIndexHealth;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.metadata.MappingMetadata;
import org.elasticsearch.cluster.metadata.Metadata;
import org.elasticsearch.cluster.routing.IndexRoutingTable;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.indices.IndexClosedException;
import org.elasticsearch.indices.SystemIndexDescriptor;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.ClientHelper;

/* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityIndexManager.class */
public class SecurityIndexManager implements ClusterStateListener {
    public static final int INTERNAL_MAIN_INDEX_FORMAT = 6;
    public static final int INTERNAL_TOKENS_INDEX_FORMAT = 7;
    public static final String SECURITY_VERSION_STRING = "security-version";
    public static final String TEMPLATE_VERSION_VARIABLE = "security.template.version";
    private static final Logger logger;
    private final Client client;
    private final SystemIndexDescriptor systemIndexDescriptor;
    private final List<BiConsumer<State, State>> stateChangeListeners = new CopyOnWriteArrayList();
    private volatile State state;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/support/SecurityIndexManager$State.class */
    public static class State {
        public static final State UNRECOVERED_STATE = new State(null, false, false, false, null, null, null, null, null, null);
        public final Instant creationTime;
        public final boolean isIndexUpToDate;
        public final boolean indexAvailable;
        public final boolean mappingUpToDate;
        public final Version mappingVersion;
        public final String concreteIndexName;
        public final ClusterHealthStatus indexHealth;
        public final IndexMetadata.State indexState;
        public final Version minimumNodeVersion;
        public final String indexUUID;

        public State(Instant instant, boolean z, boolean z2, boolean z3, Version version, String str, ClusterHealthStatus clusterHealthStatus, IndexMetadata.State state, Version version2, String str2) {
            this.creationTime = instant;
            this.isIndexUpToDate = z;
            this.indexAvailable = z2;
            this.mappingUpToDate = z3;
            this.mappingVersion = version;
            this.concreteIndexName = str;
            this.indexHealth = clusterHealthStatus;
            this.indexState = state;
            this.minimumNodeVersion = version2;
            this.indexUUID = str2;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            State state = (State) obj;
            return Objects.equals(this.creationTime, state.creationTime) && this.isIndexUpToDate == state.isIndexUpToDate && this.indexAvailable == state.indexAvailable && this.mappingUpToDate == state.mappingUpToDate && Objects.equals(this.mappingVersion, state.mappingVersion) && Objects.equals(this.concreteIndexName, state.concreteIndexName) && this.indexHealth == state.indexHealth && this.indexState == state.indexState && Objects.equals(this.minimumNodeVersion, state.minimumNodeVersion);
        }

        public boolean indexExists() {
            return this.creationTime != null;
        }

        public int hashCode() {
            return Objects.hash(this.creationTime, Boolean.valueOf(this.isIndexUpToDate), Boolean.valueOf(this.indexAvailable), Boolean.valueOf(this.mappingUpToDate), this.mappingVersion, this.concreteIndexName, this.indexHealth, this.minimumNodeVersion);
        }
    }

    public static SecurityIndexManager buildSecurityIndexManager(Client client, ClusterService clusterService, SystemIndexDescriptor systemIndexDescriptor) {
        SecurityIndexManager securityIndexManager = new SecurityIndexManager(client, systemIndexDescriptor, State.UNRECOVERED_STATE);
        clusterService.addListener(securityIndexManager);
        return securityIndexManager;
    }

    private SecurityIndexManager(Client client, SystemIndexDescriptor systemIndexDescriptor, State state) {
        this.client = client;
        this.state = state;
        this.systemIndexDescriptor = systemIndexDescriptor;
    }

    public SecurityIndexManager freeze() {
        return new SecurityIndexManager(null, this.systemIndexDescriptor, this.state);
    }

    public String aliasName() {
        return this.systemIndexDescriptor.getAliasName();
    }

    public boolean indexExists() {
        return this.state.indexExists();
    }

    public Instant getCreationTime() {
        return this.state.creationTime;
    }

    public boolean isIndexUpToDate() {
        return this.state.isIndexUpToDate;
    }

    public boolean isAvailable() {
        return this.state.indexAvailable;
    }

    public boolean isMappingUpToDate() {
        return this.state.mappingUpToDate;
    }

    public boolean isStateRecovered() {
        return this.state != State.UNRECOVERED_STATE;
    }

    public ElasticsearchException getUnavailableReason() {
        State state = this.state;
        if (state.indexAvailable) {
            throw new IllegalStateException("caller must make sure to use a frozen state and check indexAvailable");
        }
        return state.indexState == IndexMetadata.State.CLOSE ? new IndexClosedException(new Index(state.concreteIndexName, "_na_")) : state.indexExists() ? new UnavailableShardsException((ShardId) null, "at least one primary shard for the index [" + state.concreteIndexName + "] is unavailable", new Object[0]) : new IndexNotFoundException(state.concreteIndexName);
    }

    public void addStateListener(BiConsumer<State, State> biConsumer) {
        this.stateChangeListeners.add(biConsumer);
    }

    public void removeStateListener(BiConsumer<State, State> biConsumer) {
        this.stateChangeListeners.remove(biConsumer);
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        IndexMetadata.State state;
        ClusterHealthStatus status;
        if (clusterChangedEvent.state().blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
            logger.debug("security index manager waiting until state has been recovered");
            return;
        }
        State state2 = this.state;
        IndexMetadata resolveConcreteIndex = resolveConcreteIndex(this.systemIndexDescriptor.getAliasName(), clusterChangedEvent.state().metadata());
        Instant ofEpochMilli = resolveConcreteIndex != null ? Instant.ofEpochMilli(resolveConcreteIndex.getCreationDate()) : null;
        boolean z = resolveConcreteIndex == null || ((Integer) IndexMetadata.INDEX_FORMAT_SETTING.get(resolveConcreteIndex.getSettings())).intValue() == this.systemIndexDescriptor.getIndexFormat();
        boolean checkIndexAvailable = checkIndexAvailable(clusterChangedEvent.state());
        boolean z2 = resolveConcreteIndex == null || checkIndexMappingUpToDate(clusterChangedEvent.state());
        Version oldestIndexMappingVersion = oldestIndexMappingVersion(clusterChangedEvent.state());
        String primaryIndex = resolveConcreteIndex == null ? this.systemIndexDescriptor.getPrimaryIndex() : resolveConcreteIndex.getIndex().getName();
        if (resolveConcreteIndex == null) {
            state = null;
            status = null;
        } else if (resolveConcreteIndex.getState() == IndexMetadata.State.CLOSE) {
            state = IndexMetadata.State.CLOSE;
            status = null;
            logger.warn("Index [{}] is closed. This is likely to prevent security from functioning correctly", primaryIndex);
        } else {
            state = IndexMetadata.State.OPEN;
            status = new ClusterIndexHealth(resolveConcreteIndex, clusterChangedEvent.state().getRoutingTable().index(resolveConcreteIndex.getIndex())).getStatus();
        }
        State state3 = new State(ofEpochMilli, z, checkIndexAvailable, z2, oldestIndexMappingVersion, primaryIndex, status, state, clusterChangedEvent.state().nodes().getSmallestNonClientNodeVersion(), resolveConcreteIndex != null ? resolveConcreteIndex.getIndexUUID() : null);
        this.state = state3;
        if (state3.equals(state2)) {
            return;
        }
        Iterator<BiConsumer<State, State>> it = this.stateChangeListeners.iterator();
        while (it.hasNext()) {
            it.next().accept(state2, state3);
        }
    }

    private boolean checkIndexAvailable(ClusterState clusterState) {
        String aliasName = this.systemIndexDescriptor.getAliasName();
        IndexMetadata resolveConcreteIndex = resolveConcreteIndex(aliasName, clusterState.metadata());
        if (resolveConcreteIndex == null) {
            logger.debug("Index [{}] is not available - no metadata", aliasName);
            return false;
        }
        if (resolveConcreteIndex.getState() == IndexMetadata.State.CLOSE) {
            logger.warn("Index [{}] is closed", aliasName);
            return false;
        }
        IndexRoutingTable index = clusterState.routingTable().index(resolveConcreteIndex.getIndex());
        if (index != null && index.allPrimaryShardsActive()) {
            return true;
        }
        logger.debug("Index [{}] is not yet active", aliasName);
        return false;
    }

    private boolean checkIndexMappingUpToDate(ClusterState clusterState) {
        SystemIndexDescriptor descriptorCompatibleWith = this.systemIndexDescriptor.getDescriptorCompatibleWith(clusterState.nodes().getSmallestNonClientNodeVersion());
        if (descriptorCompatibleWith == null) {
            return false;
        }
        Version mappingVersion = descriptorCompatibleWith.getMappingVersion();
        Objects.requireNonNull(mappingVersion);
        return checkIndexMappingVersionMatches(clusterState, mappingVersion::onOrBefore);
    }

    private boolean checkIndexMappingVersionMatches(ClusterState clusterState, Predicate<Version> predicate) {
        return checkIndexMappingVersionMatches(this.systemIndexDescriptor.getAliasName(), clusterState, logger, predicate);
    }

    public static boolean checkIndexMappingVersionMatches(String str, ClusterState clusterState, Logger logger2, Predicate<Version> predicate) {
        return loadIndexMappingVersions(str, clusterState, logger2).stream().allMatch(predicate);
    }

    private Version oldestIndexMappingVersion(ClusterState clusterState) {
        return loadIndexMappingVersions(this.systemIndexDescriptor.getAliasName(), clusterState, logger).stream().min((v0, v1) -> {
            return v0.compareTo(v1);
        }).orElse(null);
    }

    private static Set<Version> loadIndexMappingVersions(String str, ClusterState clusterState, Logger logger2) {
        MappingMetadata mapping;
        HashSet hashSet = new HashSet();
        IndexMetadata resolveConcreteIndex = resolveConcreteIndex(str, clusterState.metadata());
        if (resolveConcreteIndex != null && (mapping = resolveConcreteIndex.mapping()) != null) {
            hashSet.add(readMappingVersion(str, mapping, logger2));
        }
        return hashSet;
    }

    private static IndexMetadata resolveConcreteIndex(String str, Metadata metadata) {
        IndexAbstraction indexAbstraction = (IndexAbstraction) metadata.getIndicesLookup().get(str);
        if (indexAbstraction == null) {
            return null;
        }
        List indices = indexAbstraction.getIndices();
        if (indexAbstraction.getType() == IndexAbstraction.Type.CONCRETE_INDEX || indices.size() <= 1) {
            return (IndexMetadata) indices.get(0);
        }
        throw new IllegalStateException("Alias [" + str + "] points to more than one index: " + indices.stream().map(indexMetadata -> {
            return indexMetadata.getIndex().getName();
        }).collect(Collectors.toList()));
    }

    private static Version readMappingVersion(String str, MappingMetadata mappingMetadata, Logger logger2) {
        try {
            Map map = (Map) mappingMetadata.sourceAsMap().get("_meta");
            if (map != null) {
                return Version.fromString((String) map.get(SECURITY_VERSION_STRING));
            }
            logger2.info("Missing _meta field in mapping [{}] of index [{}]", mappingMetadata.type(), str);
            throw new IllegalStateException("Cannot read security-version string in index " + str);
        } catch (ElasticsearchParseException e) {
            logger2.error(new ParameterizedMessage("Cannot parse the mapping for index [{}]", str), e);
            throw new ElasticsearchException("Cannot parse the mapping for index [{}]", e, new Object[]{str});
        }
    }

    public void checkIndexVersionThenExecute(Consumer<Exception> consumer, Runnable runnable) {
        State state = this.state;
        if (!state.indexExists() || state.isIndexUpToDate) {
            runnable.run();
        } else {
            consumer.accept(new IllegalStateException("Index [" + state.concreteIndexName + "] is not on the current version. Security features relying on the index will not be available until the upgrade API is run on the index"));
        }
    }

    public void prepareIndexIfNeededThenExecute(final Consumer<Exception> consumer, final Runnable runnable) {
        State state = this.state;
        try {
            if (state == State.UNRECOVERED_STATE) {
                throw new ElasticsearchStatusException("Cluster state has not been recovered yet, cannot write to the [" + state.concreteIndexName + "] index", RestStatus.SERVICE_UNAVAILABLE, new Object[0]);
            }
            if (state.indexExists() && !state.isIndexUpToDate) {
                throw new IllegalStateException("Index [" + state.concreteIndexName + "] is not on the current version.Security features relying on the index will not be available until the upgrade API is run on the index");
            }
            if (state.indexExists()) {
                if (state.mappingUpToDate) {
                    runnable.run();
                } else {
                    SystemIndexDescriptor descriptorCompatibleWith = this.systemIndexDescriptor.getDescriptorCompatibleWith(state.minimumNodeVersion);
                    if (descriptorCompatibleWith == null) {
                        consumer.accept(new IllegalStateException(this.systemIndexDescriptor.getMinimumNodeVersionMessage("updating mapping")));
                    } else {
                        logger.info("Index [{}] (alias [{}]) is not up to date. Updating mapping", state.concreteIndexName, descriptorCompatibleWith.getAliasName());
                        PutMappingRequest origin = new PutMappingRequest(new String[]{state.concreteIndexName}).source(descriptorCompatibleWith.getMappings(), XContentType.JSON).origin(descriptorCompatibleWith.getOrigin());
                        ThreadContext threadContext = this.client.threadPool().getThreadContext();
                        String origin2 = descriptorCompatibleWith.getOrigin();
                        ActionListener wrap = ActionListener.wrap(acknowledgedResponse -> {
                            if (acknowledgedResponse.isAcknowledged()) {
                                runnable.run();
                            } else {
                                consumer.accept(new IllegalStateException("put mapping request was not acknowledged"));
                            }
                        }, consumer);
                        IndicesAdminClient indices = this.client.admin().indices();
                        Objects.requireNonNull(indices);
                        ClientHelper.executeAsyncWithOrigin(threadContext, origin2, origin, wrap, indices::putMapping);
                    }
                }
            } else {
                if (!$assertionsDisabled && state.concreteIndexName == null) {
                    throw new AssertionError();
                }
                SystemIndexDescriptor descriptorCompatibleWith2 = this.systemIndexDescriptor.getDescriptorCompatibleWith(state.minimumNodeVersion);
                if (descriptorCompatibleWith2 == null) {
                    consumer.accept(new IllegalStateException(this.systemIndexDescriptor.getMinimumNodeVersionMessage("create index")));
                } else {
                    logger.info("security index does not exist, creating [{}] with alias [{}]", state.concreteIndexName, descriptorCompatibleWith2.getAliasName());
                    CreateIndexRequest waitForActiveShards = new CreateIndexRequest(state.concreteIndexName).origin(descriptorCompatibleWith2.getOrigin()).mapping(descriptorCompatibleWith2.getMappings()).settings(descriptorCompatibleWith2.getSettings()).alias(new Alias(descriptorCompatibleWith2.getAliasName())).waitForActiveShards(ActiveShardCount.ALL);
                    ThreadContext threadContext2 = this.client.threadPool().getThreadContext();
                    String origin3 = descriptorCompatibleWith2.getOrigin();
                    ActionListener<CreateIndexResponse> actionListener = new ActionListener<CreateIndexResponse>() { // from class: org.elasticsearch.xpack.security.support.SecurityIndexManager.1
                        public void onResponse(CreateIndexResponse createIndexResponse) {
                            if (createIndexResponse.isAcknowledged()) {
                                runnable.run();
                            } else {
                                consumer.accept(new ElasticsearchException("Failed to create security index", new Object[0]));
                            }
                        }

                        public void onFailure(Exception exc) {
                            if (ExceptionsHelper.unwrapCause(exc) instanceof ResourceAlreadyExistsException) {
                                runnable.run();
                            } else {
                                consumer.accept(exc);
                            }
                        }
                    };
                    IndicesAdminClient indices2 = this.client.admin().indices();
                    Objects.requireNonNull(indices2);
                    ClientHelper.executeAsyncWithOrigin(threadContext2, origin3, waitForActiveShards, actionListener, indices2::create);
                }
            }
        } catch (Exception e) {
            consumer.accept(e);
        }
    }

    public static boolean isMoveFromRedToNonRed(State state, State state2) {
        return ((state.indexHealth != null && state.indexHealth != ClusterHealthStatus.RED) || state2.indexHealth == null || state2.indexHealth == ClusterHealthStatus.RED) ? false : true;
    }

    public static boolean isIndexDeleted(State state, State state2) {
        return state.indexHealth != null && state2.indexHealth == null;
    }

    static {
        $assertionsDisabled = !SecurityIndexManager.class.desiredAssertionStatus();
        logger = LogManager.getLogger(SecurityIndexManager.class);
    }
}
