package org.elasticsearch.xpack.security.operator;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.operator.OperatorOnlyRegistry;

/* loaded from: input_file:org/elasticsearch/xpack/security/operator/OperatorPrivileges.class */
/**
 * Operator-privileges plumbing for the security plugin: the node setting that
 * switches the feature on, the service contract, a no-op implementation and the
 * default implementation backed by a file-based operator user store.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Operator status is carried in a thread-context header. The default service
 *       writes it only when no value is present yet and never overwrites an
 *       existing one.</li>
 *   <li>Marking a user is not licence-gated, while {@code check} is. When the
 *       licence feature check fails, {@code check} returns {@code null} for every
 *       caller, i.e. it reports no violation.</li>
 * </ul>
 */
public class OperatorPrivileges {
    private static final Logger logger = LogManager.getLogger(OperatorPrivileges.class);

    /** Thread-context header in which the default service records the privilege category. */
    private static final String PRIVILEGE_CATEGORY_HEADER = "_security_privilege_category";

    /** Header value written for a user recognised as an operator. */
    private static final String CATEGORY_OPERATOR = "operator";

    /** Header value written for every other (non-exempt) user. */
    private static final String CATEGORY_EMPTY = "__empty";

    /** Node-scoped boolean setting for the feature; defaults to {@code false}. */
    public static final Setting<Boolean> OPERATOR_PRIVILEGES_ENABLED = Setting.boolSetting(
        "xpack.security.operator_privileges.enabled",
        false,
        Setting.Property.NodeScope
    );

    /**
     * Implementation that enforces nothing: it marks no user, reports no violation,
     * and passes {@code false} to {@code skipOperatorOnlyState} on restore-snapshot requests.
     */
    public static final OperatorPrivilegesService NOOP_OPERATOR_PRIVILEGES_SERVICE = new OperatorPrivilegesService() {
        @Override
        public void maybeMarkOperatorUser(Authentication authentication, ThreadContext threadContext) {
            // Intentionally empty: the header is never written by this implementation.
        }

        @Override
        public ElasticsearchSecurityException check(
            Authentication authentication,
            String str,
            TransportRequest transportRequest,
            ThreadContext threadContext
        ) {
            // No enforcement, so there is never a violation to report.
            return null;
        }

        @Override
        public void maybeInterceptRequest(ThreadContext threadContext, TransportRequest transportRequest) {
            if (!(transportRequest instanceof RestoreSnapshotRequest)) {
                return;
            }
            RestoreSnapshotRequest restoreRequest = (RestoreSnapshotRequest) transportRequest;
            restoreRequest.skipOperatorOnlyState(false);
        }
    };

    /**
     * Default implementation: marks operator users in the thread context and rejects
     * operator-only actions for everyone else, subject to the licence feature check.
     */
    public static final class DefaultOperatorPrivilegesService implements OperatorPrivilegesService {
        private final FileOperatorUsersStore fileOperatorUsersStore;
        private final OperatorOnlyRegistry operatorOnlyRegistry;
        private final XPackLicenseState licenseState;

        /**
         * @param xPackLicenseState      licence state consulted before enforcing anything
         * @param fileOperatorUsersStore store that decides whether an authentication is an operator
         * @param operatorOnlyRegistry   registry that decides whether an action/request is operator-only
         */
        public DefaultOperatorPrivilegesService(
            XPackLicenseState xPackLicenseState,
            FileOperatorUsersStore fileOperatorUsersStore,
            OperatorOnlyRegistry operatorOnlyRegistry
        ) {
            this.licenseState = xPackLicenseState;
            this.operatorOnlyRegistry = operatorOnlyRegistry;
            this.fileOperatorUsersStore = fileOperatorUsersStore;
        }

        /**
         * Records the caller's privilege category in the thread context, at most once.
         *
         * <p>Internal users that are not run-as are left unmarked. A header that is already
         * present is kept untouched. Otherwise the user is marked {@code "operator"} only
         * when it is not a run-as user and the file store recognises the authentication;
         * every other user is marked {@code "__empty"}. The licence is not consulted here.
         *
         * @param authentication the authentication whose user is classified
         * @param threadContext  the context that receives the header
         */
        @Override
        public void maybeMarkOperatorUser(Authentication authentication, ThreadContext threadContext) {
            final User user = authentication.getUser();

            // Internal users acting as themselves are exempt from marking.
            if (User.isInternal(user) && !user.isRunAs()) {
                return;
            }

            // An existing value wins and is trusted as-is by check().
            // NOTE(review): this class does not show where an incoming header is validated or
            // stripped; confirm that an external caller cannot supply it.
            if (threadContext.getHeader(PRIVILEGE_CATEGORY_HEADER) != null) {
                return;
            }

            // A run-as user is never an operator; the store is only asked for direct users.
            final boolean operator = !user.isRunAs() && this.fileOperatorUsersStore.isOperatorUser(authentication);
            if (operator) {
                logger.debug("Marking user [{}] as an operator", user);
                threadContext.putHeader(PRIVILEGE_CATEGORY_HEADER, CATEGORY_OPERATOR);
            } else {
                threadContext.putHeader(PRIVILEGE_CATEGORY_HEADER, CATEGORY_EMPTY);
            }
        }

        /**
         * Checks whether the action is operator-only and the caller lacks operator status.
         *
         * @param authentication   the caller's authentication
         * @param str              the action name handed to the operator-only registry
         * @param transportRequest the request handed to the operator-only registry
         * @param threadContext    the context holding the privilege-category header
         * @return a security exception describing the violation, or {@code null} when the
         *         licence check fails, the caller is an internal non-run-as user, the caller
         *         is marked as operator, or the registry reports no violation
         */
        @Override
        public ElasticsearchSecurityException check(
            Authentication authentication,
            String str,
            TransportRequest transportRequest,
            ThreadContext threadContext
        ) {
            // Without the licensed feature nothing is enforced.
            if (!shouldProcess()) {
                return null;
            }

            final User user = authentication.getUser();
            if (User.isInternal(user) && !user.isRunAs()) {
                return null;
            }

            // Only the exact "operator" value grants a pass; a missing or "__empty" header does not.
            if (CATEGORY_OPERATOR.equals(threadContext.getHeader(PRIVILEGE_CATEGORY_HEADER))) {
                return null;
            }

            logger.trace("Checking operator-only violation for user [{}] and action [{}]", user, str);
            final OperatorOnlyRegistry.OperatorPrivilegesViolation violation = this.operatorOnlyRegistry.check(str, transportRequest);
            return violation == null
                ? null
                : new ElasticsearchSecurityException("Operator privileges are required for " + violation.message());
        }

        /**
         * For restore-snapshot requests, passes the result of the licence feature check to
         * {@code skipOperatorOnlyState}; every other request type is left untouched.
         *
         * @param threadContext    unused by this implementation
         * @param transportRequest the request to inspect
         */
        @Override
        public void maybeInterceptRequest(ThreadContext threadContext, TransportRequest transportRequest) {
            if (!(transportRequest instanceof RestoreSnapshotRequest)) {
                return;
            }
            logger.debug("Intercepting [{}] for operator privileges", transportRequest);
            RestoreSnapshotRequest restoreRequest = (RestoreSnapshotRequest) transportRequest;
            restoreRequest.skipOperatorOnlyState(shouldProcess());
        }

        /** Returns the result of the operator-privileges licence feature check. */
        private boolean shouldProcess() {
            return Security.OPERATOR_PRIVILEGES_FEATURE.check(this.licenseState);
        }
    }

    /** Contract shared by the no-op and the default operator-privileges implementations. */
    public interface OperatorPrivilegesService {
        /** Optionally records in the thread context whether the authenticated user is an operator. */
        void maybeMarkOperatorUser(Authentication authentication, ThreadContext threadContext);

        /**
         * Returns an exception describing an operator-privileges violation for the given
         * action and request, or {@code null} when there is none.
         */
        ElasticsearchSecurityException check(
            Authentication authentication,
            String str,
            TransportRequest transportRequest,
            ThreadContext threadContext
        );

        /** Optionally adjusts the request before it is executed. */
        void maybeInterceptRequest(ThreadContext threadContext, TransportRequest transportRequest);
    }
}
