package org.elasticsearch.xpack.security.authz.store;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.ActionType;
import org.elasticsearch.action.DelegatingActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.ValidateActions;
import org.elasticsearch.action.bulk.BulkItemResponse;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.get.MultiGetItemResponse;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.MultiSearchResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.TransportSearchAction;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.features.FeatureService;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.query.TermQueryBuilder;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.action.role.BulkRolesResponse;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheAction;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheRequest;
import org.elasticsearch.xpack.core.security.action.role.ClearRolesCacheResponse;
import org.elasticsearch.xpack.core.security.action.role.DeleteRoleRequest;
import org.elasticsearch.xpack.core.security.action.role.QueryRoleResponse;
import org.elasticsearch.xpack.core.security.action.role.RoleDescriptorRequestValidator;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions;
import org.elasticsearch.xpack.core.security.authz.store.RoleRetrievalResult;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.core.security.support.NativeRealmValidationUtil;
import org.elasticsearch.xpack.security.authz.ReservedRoleNameChecker;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecurityMigrations;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/NativeRolesStore.class */
public class NativeRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> {
    public static final String NATIVE_ROLES_ENABLED = "xpack.security.authc.native_roles.enabled";
    private static final Logger logger;
    private static final RoleDescriptor.Parser ROLE_DESCRIPTOR_PARSER;
    private static final Set<DocWriteResponse.Result> UPDATE_ROLES_REFRESH_CACHE_RESULTS;
    private final Settings settings;
    private final Client client;
    private final XPackLicenseState licenseState;
    private final boolean enabled;
    private final SecurityIndexManager securityIndex;
    private final ClusterService clusterService;
    private final FeatureService featureService;
    private final ReservedRoleNameChecker reservedRoleNameChecker;
    private final NamedXContentRegistry xContentRegistry;
    static final /* synthetic */ boolean $assertionsDisabled;

    public NativeRolesStore(Settings settings, Client client, XPackLicenseState xPackLicenseState, SecurityIndexManager securityIndexManager, ClusterService clusterService, FeatureService featureService, ReservedRoleNameChecker reservedRoleNameChecker, NamedXContentRegistry namedXContentRegistry) {
        this.settings = settings;
        this.client = client;
        this.licenseState = xPackLicenseState;
        this.securityIndex = securityIndexManager;
        this.clusterService = clusterService;
        this.featureService = featureService;
        this.reservedRoleNameChecker = reservedRoleNameChecker;
        this.xContentRegistry = namedXContentRegistry;
        this.enabled = settings.getAsBoolean(NATIVE_ROLES_ENABLED, true).booleanValue();
    }

    @Override // java.util.function.BiConsumer
    public void accept(Set<String> set, ActionListener<RoleRetrievalResult> actionListener) {
        getRoleDescriptors(set, actionListener);
    }

    public void getRoleDescriptors(Set<String> set, ActionListener<RoleRetrievalResult> actionListener) {
        if (!this.enabled) {
            actionListener.onResponse(RoleRetrievalResult.success(Set.of()));
            return;
        }
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(RoleRetrievalResult.success(Collections.emptySet()));
            return;
        }
        if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
            actionListener.onResponse(RoleRetrievalResult.failure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS)));
            return;
        }
        if (set == null || set.isEmpty()) {
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                TermQueryBuilder termQuery = QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), "role");
                Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
                ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
                try {
                    SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(termQuery).setSize(1000).setFetchSource(true).request();
                    request.indicesOptions().ignoreUnavailable();
                    ScrollHelper.fetchAllByEntity(this.client, request, new ContextPreservingActionListener(newRestorableContext, ActionListener.wrap(collection -> {
                        actionListener.onResponse(RoleRetrievalResult.success(new HashSet(collection)));
                    }, exc -> {
                        actionListener.onResponse(RoleRetrievalResult.failure(exc));
                    })), searchHit -> {
                        return transformRole(searchHit.getId(), searchHit.getSourceRef(), logger, this.licenseState);
                    });
                    if (stashWithOrigin != null) {
                        stashWithOrigin.close();
                    }
                } catch (Throwable th) {
                    if (stashWithOrigin != null) {
                        try {
                            stashWithOrigin.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            });
        } else {
            if (set.size() == 1) {
                getRoleDescriptor((String) Objects.requireNonNull(set.iterator().next()), actionListener);
                return;
            }
            SecurityIndexManager securityIndexManager2 = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager2.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                MultiGetRequest request = this.client.prepareMultiGet().addIds(SecuritySystemIndices.SECURITY_MAIN_ALIAS, (String[]) set.stream().map(NativeRolesStore::getIdForRole).toArray(i -> {
                    return new String[i];
                })).request();
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener wrap = ActionListener.wrap(multiGetResponse -> {
                    MultiGetItemResponse[] responses = multiGetResponse.getResponses();
                    HashSet hashSet = new HashSet();
                    for (int i2 = 0; i2 < responses.length; i2++) {
                        MultiGetItemResponse multiGetItemResponse = responses[i2];
                        if (multiGetItemResponse.isFailed()) {
                            Exception failure = multiGetItemResponse.getFailure().getFailure();
                            for (int i3 = i2 + 1; i3 < responses.length; i3++) {
                                if (responses[i3].isFailed()) {
                                    failure.addSuppressed(failure);
                                }
                            }
                            actionListener.onResponse(RoleRetrievalResult.failure(failure));
                            return;
                        }
                        if (multiGetItemResponse.getResponse().isExists()) {
                            hashSet.add(transformRole(multiGetItemResponse.getResponse()));
                        }
                    }
                    actionListener.onResponse(RoleRetrievalResult.success(hashSet));
                }, exc -> {
                    actionListener.onResponse(RoleRetrievalResult.failure(exc));
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::multiGet);
            });
        }
    }

    public boolean isMetadataSearchable() {
        return this.securityIndex.defensiveCopy().isCreatedOnLatestVersion() || this.securityIndex.isMigrationsVersionAtLeast(SecurityMigrations.ROLE_METADATA_FLATTENED_MIGRATION_VERSION);
    }

    public void queryRoleDescriptors(SearchSourceBuilder searchSourceBuilder, ActionListener<QueryRoleResponse.QueryRoleResult> actionListener) {
        SearchRequest searchRequest = new SearchRequest(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}, searchSourceBuilder);
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            logger.debug("security index does not exist");
            actionListener.onResponse(QueryRoleResponse.QueryRoleResult.EMPTY);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                ActionType actionType = TransportSearchAction.TYPE;
                CheckedConsumer checkedConsumer = searchResponse -> {
                    long j = searchResponse.getHits().getTotalHits().value;
                    if (j != 0) {
                        actionListener.onResponse(new QueryRoleResponse.QueryRoleResult(j, Arrays.stream(searchResponse.getHits().getHits()).map(searchHit -> {
                            RoleDescriptor transformRole = transformRole(searchHit.getId(), searchHit.getSourceRef(), logger, this.licenseState);
                            if (transformRole == null) {
                                return null;
                            }
                            return new QueryRoleResponse.Item(transformRole, searchHit.getSortValues());
                        }).filter((v0) -> {
                            return Objects.nonNull(v0);
                        }).toList()));
                    } else {
                        logger.debug("No roles found for query [{}]", searchRequest.source().query());
                        actionListener.onResponse(QueryRoleResponse.QueryRoleResult.EMPTY);
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", actionType, searchRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        }
    }

    public void deleteRole(DeleteRoleRequest deleteRoleRequest, ActionListener<Boolean> actionListener) {
        if (!this.enabled) {
            actionListener.onFailure(new IllegalStateException("Native role management is disabled"));
            return;
        }
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(false);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.PRIMARY_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                DeleteRequest createRoleDeleteRequest = createRoleDeleteRequest(deleteRoleRequest.name());
                createRoleDeleteRequest.setRefreshPolicy(deleteRoleRequest.getRefreshPolicy());
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener<DeleteResponse> actionListener2 = new ActionListener<DeleteResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.1
                    public void onResponse(DeleteResponse deleteResponse) {
                        NativeRolesStore.this.clearRoleCache(deleteRoleRequest.name(), (ActionListener<ActionListener>) actionListener, (ActionListener) Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                    }

                    public void onFailure(Exception exc) {
                        NativeRolesStore.logger.error("failed to delete role from the index", exc);
                        actionListener.onFailure(exc);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", createRoleDeleteRequest, actionListener2, client::delete);
            });
        }
    }

    public void deleteRoles(List<String> list, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<BulkRolesResponse> actionListener) {
        if (!this.enabled) {
            actionListener.onFailure(new IllegalStateException("Native role management is disabled"));
            return;
        }
        BulkRequest refreshPolicy2 = new BulkRequest().setRefreshPolicy(refreshPolicy);
        HashMap hashMap = new HashMap();
        for (String str : list) {
            if (this.reservedRoleNameChecker.isReserved(str)) {
                hashMap.put(str, new IllegalArgumentException("role [" + str + "] is reserved and cannot be deleted"));
            } else {
                refreshPolicy2.add(createRoleDeleteRequest(str));
            }
        }
        if (refreshPolicy2.numberOfActions() == 0) {
            bulkResponseWithOnlyValidationErrors(list, hashMap, actionListener);
            return;
        }
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            logger.debug("security index does not exist");
            actionListener.onResponse(new BulkRolesResponse(List.of()));
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.PRIMARY_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener<BulkResponse> actionListener2 = new ActionListener<BulkResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.2
                    public void onResponse(BulkResponse bulkResponse) {
                        NativeRolesStore.this.bulkResponseAndRefreshRolesCache(list, bulkResponse, hashMap, actionListener);
                    }

                    public void onFailure(Exception exc) {
                        NativeRolesStore.logger.error(() -> {
                            return "failed to delete roles";
                        }, exc);
                        actionListener.onFailure(exc);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", refreshPolicy2, actionListener2, client::bulk);
            });
        }
    }

    private void bulkResponseAndRefreshRolesCache(List<String> list, BulkResponse bulkResponse, Map<String, Exception> map, ActionListener<BulkRolesResponse> actionListener) {
        Iterator it = bulkResponse.iterator();
        BulkRolesResponse.Builder builder = new BulkRolesResponse.Builder();
        ArrayList arrayList = new ArrayList(list.size());
        Stream<R> map2 = list.stream().map(str -> {
            if (map.containsKey(str)) {
                return BulkRolesResponse.Item.failure(str, (Exception) map.get(str));
            }
            BulkItemResponse bulkItemResponse = (BulkItemResponse) it.next();
            if (bulkItemResponse.isFailed()) {
                return BulkRolesResponse.Item.failure(str, bulkItemResponse.getFailure().getCause());
            }
            if (UPDATE_ROLES_REFRESH_CACHE_RESULTS.contains(bulkItemResponse.getResponse().getResult())) {
                arrayList.add(str);
            }
            return BulkRolesResponse.Item.success(str, bulkItemResponse.getResponse().getResult());
        });
        Objects.requireNonNull(builder);
        map2.forEach(builder::addItem);
        String[] strArr = (String[]) arrayList.toArray(i -> {
            return new String[i];
        });
        CheckedConsumer checkedConsumer = bulkResponse2 -> {
            actionListener.onResponse(builder.build());
        };
        Objects.requireNonNull(actionListener);
        clearRoleCache(strArr, (ActionListener<ActionListener>) ActionListener.wrap(checkedConsumer, actionListener::onFailure), (ActionListener) bulkResponse);
    }

    private void bulkResponseWithOnlyValidationErrors(List<String> list, Map<String, Exception> map, ActionListener<BulkRolesResponse> actionListener) {
        BulkRolesResponse.Builder builder = new BulkRolesResponse.Builder();
        Stream<R> map2 = list.stream().map(str -> {
            return BulkRolesResponse.Item.failure(str, (Exception) map.get(str));
        });
        Objects.requireNonNull(builder);
        map2.forEach(builder::addItem);
        actionListener.onResponse(builder.build());
    }

    private void executeAsyncRolesBulkRequest(BulkRequest bulkRequest, ActionListener<BulkResponse> actionListener) {
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", bulkRequest, actionListener, client::bulk);
        });
    }

    private Exception validateRoleDescriptor(RoleDescriptor roleDescriptor) {
        ActionRequestValidationException validate = RoleDescriptorRequestValidator.validate(roleDescriptor, (ActionRequestValidationException) null);
        if (this.reservedRoleNameChecker.isReserved(roleDescriptor.getName())) {
            throw ValidateActions.addValidationError("Role [" + roleDescriptor.getName() + "] is reserved and may not be used.", validate);
        }
        if (roleDescriptor.isUsingDocumentOrFieldLevelSecurity() && !SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState)) {
            return LicenseUtils.newComplianceException("field and document level security");
        }
        if (roleDescriptor.hasRemoteIndicesPrivileges() && this.clusterService.state().getMinTransportVersion().before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) {
            return new IllegalStateException("all nodes must have version [" + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY.toReleaseVersion() + "] or higher to support remote indices privileges");
        }
        if (roleDescriptor.hasRemoteClusterPermissions() && this.clusterService.state().getMinTransportVersion().before(TransportVersions.ROLE_REMOTE_CLUSTER_PRIVS)) {
            return new IllegalStateException("all nodes must have version [" + TransportVersions.ROLE_REMOTE_CLUSTER_PRIVS + "] or higher to support remote cluster privileges");
        }
        if (roleDescriptor.hasDescription() && this.clusterService.state().getMinTransportVersion().before(TransportVersions.SECURITY_ROLE_DESCRIPTION)) {
            return new IllegalStateException("all nodes must have version [" + TransportVersions.SECURITY_ROLE_DESCRIPTION.toReleaseVersion() + "] or higher to support specifying role description");
        }
        try {
            DLSRoleQueryValidator.validateQueryField(roleDescriptor.getIndicesPrivileges(), this.xContentRegistry);
            return validate;
        } catch (ElasticsearchException | IllegalArgumentException e) {
            return e;
        }
    }

    public void putRole(WriteRequest.RefreshPolicy refreshPolicy, RoleDescriptor roleDescriptor, ActionListener<Boolean> actionListener) {
        if (!this.enabled) {
            actionListener.onFailure(new IllegalStateException("Native role management is disabled"));
            return;
        }
        Exception validateRoleDescriptor = validateRoleDescriptor(roleDescriptor);
        if (validateRoleDescriptor != null) {
            actionListener.onFailure(validateRoleDescriptor);
            return;
        }
        try {
            IndexRequest createRoleIndexRequest = createRoleIndexRequest(roleDescriptor);
            createRoleIndexRequest.setRefreshPolicy(refreshPolicy);
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener<DocWriteResponse> actionListener2 = new ActionListener<DocWriteResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.3
                    public void onResponse(DocWriteResponse docWriteResponse) {
                        boolean z = docWriteResponse.getResult() == DocWriteResponse.Result.CREATED;
                        NativeRolesStore.logger.trace("Created role: [{}]", createRoleIndexRequest);
                        NativeRolesStore.this.clearRoleCache(roleDescriptor.getName(), (ActionListener<ActionListener>) actionListener, (ActionListener) Boolean.valueOf(z));
                    }

                    public void onFailure(Exception exc) {
                        Logger logger2 = NativeRolesStore.logger;
                        RoleDescriptor roleDescriptor2 = roleDescriptor;
                        logger2.error(() -> {
                            return "failed to put role [" + roleDescriptor2.getName() + "]";
                        }, exc);
                        actionListener.onFailure(exc);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", createRoleIndexRequest, actionListener2, client::index);
            });
        } catch (IOException e) {
            actionListener.onFailure(e);
        }
    }

    public void putRoles(WriteRequest.RefreshPolicy refreshPolicy, List<RoleDescriptor> list, ActionListener<BulkRolesResponse> actionListener) {
        Exception exc;
        if (!this.enabled) {
            actionListener.onFailure(new IllegalStateException("Native role management is disabled"));
            return;
        }
        BulkRequest refreshPolicy2 = new BulkRequest().setRefreshPolicy(refreshPolicy);
        HashMap hashMap = new HashMap();
        for (RoleDescriptor roleDescriptor : list) {
            try {
                exc = validateRoleDescriptor(roleDescriptor);
            } catch (Exception e) {
                exc = e;
            }
            if (exc != null) {
                hashMap.put(roleDescriptor.getName(), exc);
            } else {
                try {
                    refreshPolicy2.add(createRoleUpsertRequest(roleDescriptor));
                } catch (IOException e2) {
                    actionListener.onFailure(e2);
                }
            }
        }
        List<String> list2 = list.stream().map((v0) -> {
            return v0.getName();
        }).toList();
        if (refreshPolicy2.numberOfActions() == 0) {
            bulkResponseWithOnlyValidationErrors(list2, hashMap, actionListener);
            return;
        }
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            ActionListener<BulkResponse> actionListener2 = new ActionListener<BulkResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.4
                public void onResponse(BulkResponse bulkResponse) {
                    NativeRolesStore.this.bulkResponseAndRefreshRolesCache(list2, bulkResponse, hashMap, actionListener);
                }

                public void onFailure(Exception exc2) {
                    NativeRolesStore.logger.error(() -> {
                        return "failed to put roles";
                    }, exc2);
                    actionListener.onFailure(exc2);
                }
            };
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", refreshPolicy2, actionListener2, client::bulk);
        });
    }

    private IndexRequest createRoleIndexRequest(RoleDescriptor roleDescriptor) throws IOException {
        return this.client.prepareIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS).setId(getIdForRole(roleDescriptor.getName())).setSource(createRoleXContentBuilder(roleDescriptor)).request();
    }

    private UpdateRequest createRoleUpsertRequest(RoleDescriptor roleDescriptor) throws IOException {
        return this.client.prepareUpdate(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForRole(roleDescriptor.getName())).setDoc(createRoleXContentBuilder(roleDescriptor)).setDocAsUpsert(true).request();
    }

    private DeleteRequest createRoleDeleteRequest(String str) {
        return this.client.prepareDelete(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForRole(str)).request();
    }

    XContentBuilder createRoleXContentBuilder(RoleDescriptor roleDescriptor) throws IOException {
        if (!$assertionsDisabled && NativeRealmValidationUtil.validateRoleName(roleDescriptor.getName(), false) != null) {
            throw new AssertionError("Role name was invalid or reserved: " + roleDescriptor.getName());
        }
        if (!$assertionsDisabled && false != roleDescriptor.hasRestriction()) {
            throw new AssertionError("restriction is not supported for native roles");
        }
        XContentBuilder startObject = XContentFactory.jsonBuilder().startObject();
        roleDescriptor.innerToXContent(startObject, ToXContent.EMPTY_PARAMS, true);
        if (this.featureService.clusterHasFeature(this.clusterService.state(), SecuritySystemIndices.SECURITY_ROLES_METADATA_FLATTENED)) {
            startObject.field(RoleDescriptor.Fields.METADATA_FLATTENED.getPreferredName(), roleDescriptor.getMetadata());
        }
        if (!roleDescriptor.hasConfigurableClusterPrivileges()) {
            startObject.startObject(RoleDescriptor.Fields.GLOBAL.getPreferredName()).endObject();
        }
        if (!roleDescriptor.hasRemoteIndicesPrivileges()) {
            startObject.field(RoleDescriptor.Fields.REMOTE_INDICES.getPreferredName(), RoleDescriptor.RemoteIndicesPrivileges.NONE);
        }
        if (!roleDescriptor.hasRemoteClusterPermissions() && this.clusterService.state().getMinTransportVersion().onOrAfter(TransportVersions.ROLE_REMOTE_CLUSTER_PRIVS)) {
            startObject.array(RoleDescriptor.Fields.REMOTE_CLUSTER.getPreferredName(), new Object[]{RemoteClusterPermissions.NONE});
        }
        if (!roleDescriptor.hasDescription() && this.clusterService.state().getMinTransportVersion().onOrAfter(TransportVersions.SECURITY_ROLE_DESCRIPTION)) {
            startObject.field(RoleDescriptor.Fields.DESCRIPTION.getPreferredName(), "");
        }
        startObject.endObject();
        return startObject;
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(3);
        if (this.securityIndex.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                MultiSearchRequest request = this.client.prepareMultiSearch().add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setQuery(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), "role")).setTrackTotalHits(true).setSize(0)).add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), "role")).must(QueryBuilders.boolQuery().should(QueryBuilders.existsQuery("indices.field_security.grant")).should(QueryBuilders.existsQuery("indices.field_security.except")).should(QueryBuilders.existsQuery("indices.fields")))).setTrackTotalHits(true).setSize(0).setTerminateAfter(1)).add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), "role")).filter(QueryBuilders.existsQuery("indices.query"))).setTrackTotalHits(true).setSize(0).setTerminateAfter(1)).add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), "role")).filter(QueryBuilders.existsQuery("remote_indices"))).setTrackTotalHits(true).setSize(0)).add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), "role")).filter(QueryBuilders.existsQuery("remote_cluster"))).setTrackTotalHits(true).setSize(0)).request();
                DelegatingActionListener<MultiSearchResponse, Map<String, Object>> delegatingActionListener = new DelegatingActionListener<MultiSearchResponse, Map<String, Object>>(actionListener) { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.5
                    public void onResponse(MultiSearchResponse multiSearchResponse) {
                        MultiSearchResponse.Item[] responses = multiSearchResponse.getResponses();
                        if (responses[0].isFailure()) {
                            newMapWithExpectedSize.put("size", 0);
                        } else {
                            newMapWithExpectedSize.put("size", Long.valueOf(responses[0].getResponse().getHits().getTotalHits().value));
                        }
                        if (responses[1].isFailure()) {
                            newMapWithExpectedSize.put("fls", false);
                        } else {
                            newMapWithExpectedSize.put("fls", Boolean.valueOf(responses[1].getResponse().getHits().getTotalHits().value > 0));
                        }
                        if (responses[2].isFailure()) {
                            newMapWithExpectedSize.put("dls", false);
                        } else {
                            newMapWithExpectedSize.put("dls", Boolean.valueOf(responses[2].getResponse().getHits().getTotalHits().value > 0));
                        }
                        if (responses[3].isFailure()) {
                            newMapWithExpectedSize.put("remote_indices", 0);
                        } else {
                            newMapWithExpectedSize.put("remote_indices", Long.valueOf(responses[3].getResponse().getHits().getTotalHits().value));
                        }
                        if (responses[4].isFailure()) {
                            newMapWithExpectedSize.put("remote_cluster", 0);
                        } else {
                            newMapWithExpectedSize.put("remote_cluster", Long.valueOf(responses[4].getResponse().getHits().getTotalHits().value));
                        }
                        this.delegate.onResponse(newMapWithExpectedSize);
                    }
                };
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, delegatingActionListener, client::multiSearch);
            });
        } else {
            newMapWithExpectedSize.put("size", 0L);
            newMapWithExpectedSize.put("fls", false);
            newMapWithExpectedSize.put("dls", false);
            actionListener.onResponse(newMapWithExpectedSize);
        }
    }

    public String toString() {
        return "native roles store";
    }

    private void getRoleDescriptor(String str, ActionListener<RoleRetrievalResult> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(RoleRetrievalResult.success(Collections.emptySet()));
        } else if (defensiveCopy.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
            this.securityIndex.checkIndexVersionThenExecute(exc -> {
                actionListener.onResponse(RoleRetrievalResult.failure(exc));
            }, () -> {
                executeGetRoleRequest(str, new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.6
                    public void onResponse(GetResponse getResponse) {
                        RoleDescriptor transformRole = NativeRolesStore.this.transformRole(getResponse);
                        actionListener.onResponse(RoleRetrievalResult.success(transformRole == null ? Collections.emptySet() : Collections.singleton(transformRole)));
                    }

                    public void onFailure(Exception exc2) {
                        actionListener.onResponse(RoleRetrievalResult.failure(exc2));
                    }
                });
            });
        } else {
            actionListener.onResponse(RoleRetrievalResult.failure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.PRIMARY_SHARDS)));
        }
    }

    private void executeGetRoleRequest(String str, ActionListener<GetResponse> actionListener) {
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            GetRequest request = this.client.prepareGet(SecuritySystemIndices.SECURITY_MAIN_ALIAS, getIdForRole(str)).request();
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener, client::get);
        });
    }

    private <Response> void clearRoleCache(String str, ActionListener<Response> actionListener, Response response) {
        clearRoleCache(new String[]{str}, (ActionListener<ActionListener<Response>>) actionListener, (ActionListener<Response>) response);
    }

    private <Response> void clearRoleCache(final String[] strArr, final ActionListener<Response> actionListener, final Response response) {
        ClientHelper.executeAsyncWithOrigin(this.client, "security", ClearRolesCacheAction.INSTANCE, new ClearRolesCacheRequest().names(strArr), new ActionListener<ClearRolesCacheResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.7
            public void onResponse(ClearRolesCacheResponse clearRolesCacheResponse) {
                actionListener.onResponse(response);
            }

            public void onFailure(Exception exc) {
                Logger logger2 = NativeRolesStore.logger;
                String[] strArr2 = strArr;
                logger2.error(() -> {
                    return "unable to clear cache for roles [" + Arrays.toString(strArr2) + "]";
                }, exc);
                actionListener.onFailure(new ElasticsearchException("clearing the cache for [" + Arrays.toString(strArr) + "] failed. please clear the role cache manually", exc, new Object[0]));
            }
        });
    }

    @Nullable
    private RoleDescriptor transformRole(GetResponse getResponse) {
        if (getResponse.isExists()) {
            return transformRole(getResponse.getId(), getResponse.getSourceAsBytesRef(), logger, this.licenseState);
        }
        return null;
    }

    @Nullable
    static RoleDescriptor transformRole(String str, BytesReference bytesReference, Logger logger2, XPackLicenseState xPackLicenseState) {
        if (!$assertionsDisabled && !str.startsWith("role")) {
            throw new AssertionError("[" + str + "] does not have role prefix");
        }
        String substring = str.substring("role".length() + 1);
        try {
            RoleDescriptor parse = ROLE_DESCRIPTOR_PARSER.parse(substring, bytesReference, XContentType.JSON);
            boolean anyMatch = Arrays.stream(parse.getIndicesPrivileges()).anyMatch((v0) -> {
                return v0.isUsingDocumentLevelSecurity();
            });
            boolean anyMatch2 = Arrays.stream(parse.getIndicesPrivileges()).anyMatch((v0) -> {
                return v0.isUsingFieldLevelSecurity();
            });
            if ((!anyMatch && !anyMatch2) || SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(xPackLicenseState)) {
                return parse;
            }
            ArrayList arrayList = new ArrayList(2);
            if (anyMatch2) {
                arrayList.add("fls");
            }
            if (anyMatch) {
                arrayList.add("dls");
            }
            Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(2);
            newMapWithExpectedSize.put("unlicensed_features", arrayList);
            newMapWithExpectedSize.put("enabled", false);
            return new RoleDescriptor(parse.getName(), parse.getClusterPrivileges(), parse.getIndicesPrivileges(), parse.getApplicationPrivileges(), parse.getConditionalClusterPrivileges(), parse.getRunAs(), parse.getMetadata(), newMapWithExpectedSize, parse.getRemoteIndicesPrivileges(), parse.getRemoteClusterPermissions(), parse.getRestriction(), parse.getDescription());
        } catch (Exception e) {
            logger2.error("error in the format of data for role [" + substring + "]", e);
            return null;
        }
    }

    private static String getIdForRole(String str) {
        return "role-" + str;
    }

    static {
        $assertionsDisabled = !NativeRolesStore.class.desiredAssertionStatus();
        logger = LogManager.getLogger(NativeRolesStore.class);
        ROLE_DESCRIPTOR_PARSER = RoleDescriptor.parserBuilder().allow2xFormat(true).allowDescription(true).build();
        UPDATE_ROLES_REFRESH_CACHE_RESULTS = Set.of(DocWriteResponse.Result.CREATED, DocWriteResponse.Result.UPDATED, DocWriteResponse.Result.DELETED);
    }
}
