package org.elasticsearch.xpack.security.audit.logfile;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;
import org.apache.logging.log4j.core.Filter;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.filter.MarkerFilter;
import org.apache.logging.log4j.message.StringMapMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.Lifecycle;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.json.JsonStringEncoder;
import org.elasticsearch.xcontent.json.JsonXContent;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.action.Grant;
import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.GrantApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.privilege.DeletePrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.privilege.PutPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.profile.ActivateProfileRequest;
import org.elasticsearch.xpack.core.security.action.profile.SetProfileEnabledRequest;
import org.elasticsearch.xpack.core.security.action.profile.UpdateProfileDataRequest;
import org.elasticsearch.xpack.core.security.action.role.DeleteRoleRequest;
import org.elasticsearch.xpack.core.security.action.role.PutRoleRequest;
import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingRequest;
import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingRequest;
import org.elasticsearch.xpack.core.security.action.service.CreateServiceAccountTokenRequest;
import org.elasticsearch.xpack.core.security.action.service.DeleteServiceAccountTokenRequest;
import org.elasticsearch.xpack.core.security.action.user.ChangePasswordRequest;
import org.elasticsearch.xpack.core.security.action.user.DeleteUserRequest;
import org.elasticsearch.xpack.core.security.action.user.PutUserRequest;
import org.elasticsearch.xpack.core.security.action.user.SetEnabledRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken;
import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;

/* loaded from: input_file:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.class */
public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
    // Class-level logger; in this part of the file it emits the trace message written when cluster state is unavailable.
    private static final Logger LOGGER;
    // Origin type values. LOCAL_ORIGIN_FIELD_VALUE is the default stored under "origin.type" by EntryCommonFields;
    // the other values are presumably set by event handlers outside this view.
    public static final String REST_ORIGIN_FIELD_VALUE = "rest";
    public static final String LOCAL_ORIGIN_FIELD_VALUE = "local_node";
    public static final String TRANSPORT_ORIGIN_FIELD_VALUE = "transport";
    public static final String IP_FILTER_ORIGIN_FIELD_VALUE = "ip_filter";
    public static final String SECURITY_CHANGE_ORIGIN_FIELD_VALUE = "security_config_change";
    // Keys of an audit log entry. The node/host/cluster keys are filled in by EntryCommonFields and the
    // event.action / put / change / create keys by LogEntryBuilder; the remaining keys are used outside this view.
    public static final String LOG_TYPE = "type";
    public static final String TIMESTAMP = "timestamp";
    public static final String ORIGIN_TYPE_FIELD_NAME = "origin.type";
    public static final String ORIGIN_ADDRESS_FIELD_NAME = "origin.address";
    public static final String NODE_NAME_FIELD_NAME = "node.name";
    public static final String NODE_ID_FIELD_NAME = "node.id";
    public static final String HOST_ADDRESS_FIELD_NAME = "host.ip";
    public static final String HOST_NAME_FIELD_NAME = "host.name";
    public static final String CLUSTER_NAME_FIELD_NAME = "cluster.name";
    public static final String CLUSTER_UUID_FIELD_NAME = "cluster.uuid";
    public static final String EVENT_TYPE_FIELD_NAME = "event.type";
    public static final String EVENT_ACTION_FIELD_NAME = "event.action";
    public static final String PRINCIPAL_FIELD_NAME = "user.name";
    public static final String PRINCIPAL_RUN_BY_FIELD_NAME = "user.run_by.name";
    public static final String PRINCIPAL_RUN_AS_FIELD_NAME = "user.run_as.name";
    public static final String PRINCIPAL_REALM_FIELD_NAME = "user.realm";
    public static final String PRINCIPAL_RUN_BY_REALM_FIELD_NAME = "user.run_by.realm";
    public static final String PRINCIPAL_RUN_AS_REALM_FIELD_NAME = "user.run_as.realm";
    public static final String API_KEY_ID_FIELD_NAME = "apikey.id";
    public static final String API_KEY_NAME_FIELD_NAME = "apikey.name";
    public static final String SERVICE_TOKEN_NAME_FIELD_NAME = "authentication.token.name";
    public static final String SERVICE_TOKEN_TYPE_FIELD_NAME = "authentication.token.type";
    // Also the key AuditEventMetaInfo looks up in AuthorizationInfo.asMap() to obtain the roles used for filtering.
    public static final String PRINCIPAL_ROLES_FIELD_NAME = "user.roles";
    public static final String AUTHENTICATION_TYPE_FIELD_NAME = "authentication.type";
    public static final String REALM_FIELD_NAME = "realm";
    public static final String URL_PATH_FIELD_NAME = "url.path";
    public static final String URL_QUERY_FIELD_NAME = "url.query";
    public static final String REQUEST_METHOD_FIELD_NAME = "request.method";
    // NOTE(review): not written in this part of the file; if raw request bodies are stored under this key they can
    // carry credentials or other secrets — confirm the handling where INCLUDE_REQUEST_BODY is consumed.
    public static final String REQUEST_BODY_FIELD_NAME = "request.body";
    public static final String REQUEST_ID_FIELD_NAME = "request.id";
    public static final String ACTION_FIELD_NAME = "action";
    public static final String INDICES_FIELD_NAME = "indices";
    public static final String REQUEST_NAME_FIELD_NAME = "request.name";
    public static final String TRANSPORT_PROFILE_FIELD_NAME = "transport.profile";
    public static final String RULE_FIELD_NAME = "rule";
    public static final String OPAQUE_ID_FIELD_NAME = "opaque_id";
    public static final String TRACE_ID_FIELD_NAME = "trace.id";
    public static final String X_FORWARDED_FOR_FIELD_NAME = "x_forwarded_for";
    // Keys under which LogEntryBuilder stores the JSON rendering of a security configuration change.
    public static final String PUT_CONFIG_FIELD_NAME = "put";
    public static final String DELETE_CONFIG_FIELD_NAME = "delete";
    public static final String CHANGE_CONFIG_FIELD_NAME = "change";
    public static final String CREATE_CONFIG_FIELD_NAME = "create";
    public static final String INVALIDATE_API_KEYS_FIELD_NAME = "invalidate";
    public static final String NAME = "logfile";
    // EMIT_* toggles: read by EntryCommonFields to decide whether the matching node, host or cluster field is populated.
    // All Setting constants below are assigned in a static initializer that is outside this view.
    public static final Setting<Boolean> EMIT_HOST_ADDRESS_SETTING;
    public static final Setting<Boolean> EMIT_HOST_NAME_SETTING;
    public static final Setting<Boolean> EMIT_NODE_NAME_SETTING;
    public static final Setting<Boolean> EMIT_NODE_ID_SETTING;
    public static final Setting<Boolean> EMIT_CLUSTER_NAME_SETTING;
    public static final Setting<Boolean> EMIT_CLUSTER_UUID_SETTING;
    private static final List<String> DEFAULT_EVENT_INCLUDES;
    public static final Setting<List<String>> INCLUDE_EVENT_SETTINGS;
    public static final Setting<List<String>> EXCLUDE_EVENT_SETTINGS;
    public static final Setting<Boolean> INCLUDE_REQUEST_BODY;
    public static final Set<String> SECURITY_CHANGE_ACTIONS;
    // Settings prefix whose groups name the filter policies loaded by EventFilterPolicyRegistry.
    private static final String FILTER_POLICY_PREFIX;
    // Per-policy ignore lists; EventFilterPolicy(String, Settings) resolves each one for a policy name and turns it
    // into a predicate. An event matching a policy is ignored, so these settings define what the audit log omits.
    protected static final Setting.AffixSetting<List<String>> FILTER_POLICY_IGNORE_PRINCIPALS;
    protected static final Setting.AffixSetting<List<String>> FILTER_POLICY_IGNORE_REALMS;
    protected static final Setting.AffixSetting<List<String>> FILTER_POLICY_IGNORE_ROLES;
    protected static final Setting.AffixSetting<List<String>> FILTER_POLICY_IGNORE_INDICES;
    protected static final Setting.AffixSetting<List<String>> FILTER_POLICY_IGNORE_ACTIONS;
    private static final Marker AUDIT_MARKER;
    private final Logger logger;
    private final ThreadContext threadContext;
    final EventFilterPolicyRegistry eventFilterPolicyRegistry;
    // Package-private mutable state; where these three fields are reassigned is outside this view.
    volatile EnumSet<AuditLevel> events;
    boolean includeRequestBody;
    // Source of the fields every LogEntryBuilder starts from.
    EntryCommonFields entryCommonFields;
    // Compiler-generated flag backing `assert` statements, surfaced by the decompiler.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail$AuditEventMetaInfo.class */
    /**
     * Attributes of one audit event in the form the filter policies evaluate: principal, realm, action,
     * roles and indices.
     *
     * <p>A missing single-valued attribute is represented by the empty string, and a missing multi-valued
     * attribute by a stream holding one empty string, so every attribute always has a value to test.
     * Roles and indices are exposed through suppliers because a stream can be consumed only once.
     */
    public static final class AuditEventMetaInfo {
        final String principal;
        final String realm;
        final String action;
        final Supplier<Stream<String>> roles;
        final Supplier<Stream<String>> indices;
        /** Meta info in which every attribute is missing. */
        static final AuditEventMetaInfo EMPTY = new AuditEventMetaInfo(Optional.empty(), Optional.empty(), Optional.empty(), Optional.empty());

        /**
         * Builds the meta info for an event that has a resolved user.
         *
         * @param optional  the user; its principal becomes {@link #principal}
         * @param optional2 the realm name
         * @param optional3 the authorization info; roles are read from its map under
         *                  {@link LoggingAuditTrail#PRINCIPAL_ROLES_FIELD_NAME}
         * @param optional4 the index names
         * @param optional5 the action name
         */
        AuditEventMetaInfo(Optional<User> optional, Optional<String> optional2, Optional<AuthorizationEngine.AuthorizationInfo> optional3, Optional<String[]> optional4, Optional<String> optional5) {
            this.principal = optional.map(User::principal).orElse("");
            this.realm = optional2.orElse("");
            this.action = optional5.orElse("");
            // Roles are used only when the stored value is a String[] with at least one non-null entry.
            this.roles = () -> optional3.filter(info -> {
                final Object stored = info.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME);
                return stored instanceof String[] && hasNonNullElement((String[]) stored);
            }).map(info -> Arrays.stream((String[]) info.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME))).orElse(Stream.of(""));
            // An empty or all-null index array counts as "no indices".
            this.indices = () -> optional4.filter(AuditEventMetaInfo::hasNonNullElement)
                .map(names -> Arrays.stream(names))
                .orElse(Stream.of(""));
        }

        /**
         * Builds the meta info for an event that has only an authentication token; such an event has no roles.
         *
         * @param optional  the authentication token; its principal becomes {@link #principal}
         * @param optional2 the realm name
         * @param optional3 the index names
         * @param optional4 the action name
         */
        AuditEventMetaInfo(Optional<AuthenticationToken> optional, Optional<String> optional2, Optional<String[]> optional3, Optional<String> optional4) {
            this.principal = optional.map(AuthenticationToken::principal).orElse("");
            this.realm = optional2.orElse("");
            this.action = optional4.orElse("");
            this.roles = () -> Stream.of("");
            // Unlike the user-based constructor, only the array length is checked here, so null entries pass through.
            this.indices = () -> optional3.filter(names -> names.length != 0)
                .map(names -> Arrays.stream(names))
                .orElse(Stream.of(""));
        }

        /** Returns true when the array is non-empty and holds at least one non-null element. */
        private static boolean hasNonNullElement(String[] values) {
            return values.length != 0 && Arrays.stream(values).anyMatch(Objects::nonNull);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail$EntryCommonFields.class */
    /**
     * The fields shared by every audit entry written by this node: node, host and cluster identification
     * plus the default origin. Instances are immutable; the {@code with*} methods return a new instance.
     */
    public static class EntryCommonFields {
        private final Settings settings;
        private final DiscoveryNode localNode;
        private final ClusterService clusterService;
        /** Unmodifiable view of the common fields; keys whose value is not emitted are present with a null value. */
        final Map<String, String> commonFields;

        /**
         * Computes the common fields from the settings, the local node and the current cluster state.
         *
         * @param settings       settings holding the {@code EMIT_*} toggles and the node name
         * @param discoveryNode  the local node, or null when it is not known
         * @param clusterService source of the cluster name and UUID, consulted only once it is started
         */
        EntryCommonFields(Settings settings, @Nullable DiscoveryNode discoveryNode, ClusterService clusterService) {
            this.settings = settings;
            this.localNode = discoveryNode;
            this.clusterService = clusterService;
            final Map<String, String> fields = new HashMap<>();
            if (LoggingAuditTrail.EMIT_NODE_NAME_SETTING.get(settings)) {
                final String nodeName = Node.NODE_NAME_SETTING.get(settings);
                if (Strings.hasLength(nodeName)) {
                    fields.put(LoggingAuditTrail.NODE_NAME_FIELD_NAME, nodeName);
                }
            }
            if (discoveryNode != null && discoveryNode.getAddress() != null) {
                if (LoggingAuditTrail.EMIT_HOST_ADDRESS_SETTING.get(settings)) {
                    fields.put(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME, discoveryNode.getAddress().getAddress());
                }
                if (LoggingAuditTrail.EMIT_HOST_NAME_SETTING.get(settings)) {
                    fields.put(LoggingAuditTrail.HOST_NAME_FIELD_NAME, discoveryNode.getAddress().address().getHostString());
                }
                if (LoggingAuditTrail.EMIT_NODE_ID_SETTING.get(settings)) {
                    fields.put(LoggingAuditTrail.NODE_ID_FIELD_NAME, discoveryNode.getId());
                }
                // The origin address is recorded regardless of the EMIT_* toggles.
                fields.put(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, discoveryNode.getAddress().toString());
            }
            fields.put(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.LOCAL_ORIGIN_FIELD_VALUE);
            if (clusterService.lifecycleState() == Lifecycle.State.STARTED) {
                final ClusterState clusterState = this.clusterService.state();
                if (clusterState != null) {
                    if (LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.get(settings)) {
                        final String clusterName = clusterState.getClusterName().value();
                        if (Strings.hasLength(clusterName)) {
                            fields.put(LoggingAuditTrail.CLUSTER_NAME_FIELD_NAME, clusterName);
                        }
                    }
                    if (LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.get(settings)) {
                        final String uuid = clusterState.metadata().clusterUUID();
                        if (Strings.hasLength(uuid)) {
                            fields.put(LoggingAuditTrail.CLUSTER_UUID_FIELD_NAME, uuid);
                        }
                    }
                } else {
                    LoggingAuditTrail.LOGGER.trace("Cluster state not available");
                }
            }
            // Register every optional key, with a null value when nothing was emitted for it.
            final List<String> optionalKeys = List.of(
                LoggingAuditTrail.NODE_NAME_FIELD_NAME,
                LoggingAuditTrail.NODE_ID_FIELD_NAME,
                LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME,
                LoggingAuditTrail.HOST_NAME_FIELD_NAME,
                LoggingAuditTrail.CLUSTER_NAME_FIELD_NAME,
                LoggingAuditTrail.CLUSTER_UUID_FIELD_NAME
            );
            for (String key : optionalKeys) {
                fields.putIfAbsent(key, null);
            }
            this.commonFields = Collections.unmodifiableMap(fields);
        }

        /**
         * Returns a copy recomputed with {@code settings} layered over the current settings.
         *
         * @param settings the settings to apply on top of the existing ones
         */
        EntryCommonFields withNewSettings(Settings settings) {
            final Settings merged = Settings.builder().put(this.settings).put(settings, false).build();
            return new EntryCommonFields(merged, this.localNode, this.clusterService);
        }

        /**
         * Returns a copy recomputed for a different local node.
         *
         * @param discoveryNode the new local node
         */
        EntryCommonFields withNewLocalNode(DiscoveryNode discoveryNode) {
            return new EntryCommonFields(this.settings, discoveryNode, this.clusterService);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail$EventFilterPolicy.class */
    /**
     * One named audit filter policy: five predicates over the principal, realm, roles, indices and action
     * of an event.
     *
     * <p>The policy matches an event only when all five predicates match, and the registry drops an event
     * from the audit log when any policy matches. A broad pattern in every list therefore hides the
     * corresponding events entirely, so changes to these lists deserve the same review as changes to the
     * audited event types.
     */
    public static final class EventFilterPolicy {
        private final String name;
        private final Predicate<String> ignorePrincipalsPredicate;
        private final Predicate<String> ignoreRealmsPredicate;
        private final Predicate<String> ignoreRolesPredicate;
        private final Predicate<String> ignoreIndicesPredicate;
        private final Predicate<String> ignoreActionsPredicate;

        /**
         * Reads the five ignore lists configured for the policy {@code str} and compiles them into predicates.
         *
         * @param str      the policy name, used as the namespace of the affix settings
         * @param settings the settings to read the lists from
         */
        EventFilterPolicy(String str, Settings settings) {
            this(
                str,
                configuredPredicate(LoggingAuditTrail.FILTER_POLICY_IGNORE_PRINCIPALS, str, settings),
                configuredPredicate(LoggingAuditTrail.FILTER_POLICY_IGNORE_REALMS, str, settings),
                configuredPredicate(LoggingAuditTrail.FILTER_POLICY_IGNORE_ROLES, str, settings),
                configuredPredicate(LoggingAuditTrail.FILTER_POLICY_IGNORE_INDICES, str, settings),
                configuredPredicate(LoggingAuditTrail.FILTER_POLICY_IGNORE_ACTIONS, str, settings)
            );
        }

        /**
         * Creates a policy from already compiled predicates.
         *
         * @param str        the policy name
         * @param predicate  matches principals to ignore
         * @param predicate2 matches realms to ignore
         * @param predicate3 matches roles to ignore
         * @param predicate4 matches indices to ignore
         * @param predicate5 matches actions to ignore
         */
        EventFilterPolicy(String str, Predicate<String> predicate, Predicate<String> predicate2, Predicate<String> predicate3, Predicate<String> predicate4, Predicate<String> predicate5) {
            this.name = str;
            this.ignorePrincipalsPredicate = predicate;
            this.ignoreRealmsPredicate = predicate2;
            this.ignoreRolesPredicate = predicate3;
            this.ignoreIndicesPredicate = predicate4;
            this.ignoreActionsPredicate = predicate5;
        }

        /** Resolves one affix setting for the given policy name and compiles its list into a predicate. */
        private static Predicate<String> configuredPredicate(Setting.AffixSetting<List<String>> setting, String policyName, Settings settings) {
            return parsePredicate(setting.getConcreteSettingForNamespace(policyName).get(settings));
        }

        /** Returns a copy of this policy whose principals filter is compiled from {@code list}. */
        private EventFilterPolicy changePrincipalsFilter(List<String> list) {
            final Predicate<String> principals = parsePredicate(list);
            return new EventFilterPolicy(this.name, principals, this.ignoreRealmsPredicate, this.ignoreRolesPredicate, this.ignoreIndicesPredicate, this.ignoreActionsPredicate);
        }

        /** Returns a copy of this policy whose realms filter is compiled from {@code list}. */
        private EventFilterPolicy changeRealmsFilter(List<String> list) {
            final Predicate<String> realms = parsePredicate(list);
            return new EventFilterPolicy(this.name, this.ignorePrincipalsPredicate, realms, this.ignoreRolesPredicate, this.ignoreIndicesPredicate, this.ignoreActionsPredicate);
        }

        /** Returns a copy of this policy whose roles filter is compiled from {@code list}. */
        private EventFilterPolicy changeRolesFilter(List<String> list) {
            final Predicate<String> roles = parsePredicate(list);
            return new EventFilterPolicy(this.name, this.ignorePrincipalsPredicate, this.ignoreRealmsPredicate, roles, this.ignoreIndicesPredicate, this.ignoreActionsPredicate);
        }

        /** Returns a copy of this policy whose indices filter is compiled from {@code list}. */
        private EventFilterPolicy changeIndicesFilter(List<String> list) {
            final Predicate<String> indices = parsePredicate(list);
            return new EventFilterPolicy(this.name, this.ignorePrincipalsPredicate, this.ignoreRealmsPredicate, this.ignoreRolesPredicate, indices, this.ignoreActionsPredicate);
        }

        /** Returns a copy of this policy whose actions filter is compiled from {@code list}. */
        private EventFilterPolicy changeActionsFilter(List<String> list) {
            final Predicate<String> actions = parsePredicate(list);
            return new EventFilterPolicy(this.name, this.ignorePrincipalsPredicate, this.ignoreRealmsPredicate, this.ignoreRolesPredicate, this.ignoreIndicesPredicate, actions);
        }

        /**
         * Compiles a list of patterns into a single predicate via {@link Automatons#predicate}.
         *
         * @param list the configured patterns; empty strings and an empty list are rewritten first
         * @return the compiled predicate
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public static Predicate<String> parsePredicate(List<String> list) {
            final List<String> patterns = emptyStringBuildsEmptyAutomaton(list);
            return Automatons.predicate(patterns);
        }

        /**
         * Replaces an empty list, and each empty element of a non-empty list, with the pattern {@code "//"}.
         *
         * <p>NOTE(review): presumably Automatons reads {@code "//"} as an empty regular expression that matches
         * only the empty string, which is also the value AuditEventMetaInfo uses for a missing attribute —
         * confirm against Automatons.
         */
        private static List<String> emptyStringBuildsEmptyAutomaton(List<String> list) {
            if (list.isEmpty()) {
                return Collections.singletonList("//");
            }
            return list.stream().map(pattern -> pattern.isEmpty() ? "//" : pattern).toList();
        }

        /**
         * Returns the predicate deciding whether this policy ignores an event.
         *
         * <p>The checks are ANDed and evaluated in order: principal, realm, action, then every role, then
         * every index. A null attribute or a null role or index never matches, so such an event is not
         * ignored by this policy.
         */
        Predicate<AuditEventMetaInfo> ignorePredicate() {
            return event -> {
                if (event.principal == null || !this.ignorePrincipalsPredicate.test(event.principal)) {
                    return false;
                }
                if (event.realm == null || !this.ignoreRealmsPredicate.test(event.realm)) {
                    return false;
                }
                if (event.action == null || !this.ignoreActionsPredicate.test(event.action)) {
                    return false;
                }
                // Multi-valued attributes: every value has to be covered by the filter.
                if (!event.roles.get().allMatch(role -> role != null && this.ignoreRolesPredicate.test(role))) {
                    return false;
                }
                return event.indices.get().allMatch(index -> index != null && this.ignoreIndicesPredicate.test(index));
            };
        }

        /** Renders the five predicates, labelled by attribute and joined with {@code &}. */
        @Override
        public String toString() {
            final StringBuilder text = new StringBuilder();
            text.append("[users]:").append(this.ignorePrincipalsPredicate.toString());
            text.append("&[realms]:").append(this.ignoreRealmsPredicate.toString());
            text.append("&[roles]:").append(this.ignoreRolesPredicate.toString());
            text.append("&[indices]:").append(this.ignoreIndicesPredicate.toString());
            text.append("&[actions]:").append(this.ignoreActionsPredicate.toString());
            return text.toString();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail$EventFilterPolicyRegistry.class */
    /**
     * Holds the named filter policies and the single predicate derived from them.
     *
     * <p>Both fields are volatile and are replaced, never mutated, inside the synchronized {@code set};
     * readers take whatever predicate is current without locking.
     */
    static final class EventFilterPolicyRegistry {
        private volatile Map<String, EventFilterPolicy> policyMap;
        private volatile Predicate<AuditEventMetaInfo> predicate;

        /**
         * Loads one policy for every group found under the filter policy settings prefix.
         *
         * @param settings the settings to read the policies from
         */
        private EventFilterPolicyRegistry(Settings settings) {
            final List<Map.Entry<String, EventFilterPolicy>> entries = settings.getGroups(LoggingAuditTrail.FILTER_POLICY_PREFIX, true)
                .keySet()
                .stream()
                .map(policyName -> Map.entry(policyName, new EventFilterPolicy(policyName, settings)))
                .toList();
            this.policyMap = Maps.ofEntries(entries);
            this.predicate = buildIgnorePredicate(this.policyMap);
        }

        /** Looks up a policy by name; empty when no such policy is registered. */
        private Optional<EventFilterPolicy> get(String str) {
            final EventFilterPolicy found = this.policyMap.get(str);
            return Optional.ofNullable(found);
        }

        /** Adds or replaces the policy named {@code str} and rebuilds the combined predicate. */
        private synchronized void set(String str, EventFilterPolicy eventFilterPolicy) {
            final Map<String, EventFilterPolicy> updated = Maps.copyMapWithAddedOrReplacedEntry(this.policyMap, str, eventFilterPolicy);
            this.policyMap = updated;
            this.predicate = buildIgnorePredicate(this.policyMap);
        }

        /** Returns the current combined predicate; an event it matches is ignored. */
        Predicate<AuditEventMetaInfo> ignorePredicate() {
            return this.predicate;
        }

        /**
         * ORs the ignore predicates of all policies, so one matching policy is enough to ignore an event.
         * With no policies the result matches nothing.
         */
        private static Predicate<AuditEventMetaInfo> buildIgnorePredicate(Map<String, EventFilterPolicy> map) {
            Predicate<AuditEventMetaInfo> combined = event -> false;
            for (EventFilterPolicy policy : map.values()) {
                combined = combined.or(policy.ignorePredicate());
            }
            return combined;
        }

        /** Renders the policies sorted by name, each as {@code name:policy}, with no separator between them. */
        @Override
        public String toString() {
            final StringBuilder text = new StringBuilder();
            new TreeMap<>(this.policyMap).forEach((policyName, policy) -> text.append(policyName).append(":").append(policy.toString()));
            return text.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail$LogEntryBuilder.class */
    public class LogEntryBuilder {
        private final StringMapMessage logEntry;
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * Creates a builder that keeps the origin fields; delegates to {@code LogEntryBuilder(true)}.
         *
         * NOTE(review): the parameter is not used in the body; presumably the decompiler surfaced the
         * implicit enclosing instance of this inner class as an explicit parameter — confirm.
         */
        LogEntryBuilder(LoggingAuditTrail loggingAuditTrail) {
            this(true);
        }

        /**
         * Creates a builder whose entry starts from the enclosing trail's common fields.
         *
         * @param z when false, the {@code origin.address} and {@code origin.type} fields are removed from the
         *          new entry
         */
        LogEntryBuilder(boolean z) {
            this.logEntry = new StringMapMessage(LoggingAuditTrail.this.entryCommonFields.commonFields);
            if (z) {
                return;
            }
            this.logEntry.remove(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME);
            this.logEntry.remove(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME);
        }

        /**
         * Records a {@code put_user} event and stores the JSON rendering of the request under the {@code put} key.
         *
         * <p>The password hash is never written; the entry carries only a {@code has_password} boolean.
         * Full name, email and metadata are written only when present.
         *
         * @param putUserRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(PutUserRequest putUserRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_user");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("user");
            json.field("name", putUserRequest.username());
            json.field("enabled", putUserRequest.enabled());
            json.array("roles", putUserRequest.roles());
            if (putUserRequest.fullName() != null) {
                json.field("full_name", putUserRequest.fullName());
            }
            if (putUserRequest.email() != null) {
                json.field("email", putUserRequest.email());
            }
            // Audit whether a password was supplied, not the credential itself.
            json.field("has_password", putUserRequest.passwordHash() != null);
            if (putUserRequest.metadata() != null && !putUserRequest.metadata().isEmpty()) {
                json.field("metadata", putUserRequest.metadata());
            }
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.PUT_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a {@code change_password} event under the {@code change} key.
         *
         * <p>Only the user name is read from the request; no password material is written to the entry.
         *
         * @param changePasswordRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(ChangePasswordRequest changePasswordRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "change_password");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("password");
            json.startObject("user");
            json.field("name", changePasswordRequest.username());
            json.endObject();
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.CHANGE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a {@code put_role} event; the role name and its full role descriptor are stored under the
         * {@code put} key.
         *
         * @param putRoleRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(PutRoleRequest putRoleRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_role");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("role");
            json.field("name", putRoleRequest.name());
            // Write the field name only; the descriptor object is emitted as its value.
            json.field("role_descriptor");
            withRoleDescriptor(json, putRoleRequest.roleDescriptor());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.PUT_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a {@code put_role_mapping} event and stores the mapping under the {@code put} key.
         *
         * <p>Name, rules and the enabled flag are always written; roles, role templates and metadata only
         * when they are non-null and non-empty.
         *
         * @param putRoleMappingRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(PutRoleMappingRequest putRoleMappingRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_role_mapping");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("role_mapping");
            json.field("name", putRoleMappingRequest.getName());
            if (putRoleMappingRequest.getRoles() != null && !putRoleMappingRequest.getRoles().isEmpty()) {
                json.field("roles", putRoleMappingRequest.getRoles());
            }
            if (putRoleMappingRequest.getRoleTemplates() != null && !putRoleMappingRequest.getRoleTemplates().isEmpty()) {
                json.field("role_templates", putRoleMappingRequest.getRoleTemplates());
            }
            json.field("rules", putRoleMappingRequest.getRules());
            json.field("enabled", putRoleMappingRequest.isEnabled());
            if (putRoleMappingRequest.getMetadata() != null && !putRoleMappingRequest.getMetadata().isEmpty()) {
                json.field("metadata", putRoleMappingRequest.getMetadata());
            }
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.PUT_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a user enable or disable event under the {@code change} key.
         *
         * <p>A request whose enabled flag is null is audited as a disable ({@code change_disable_user}).
         *
         * @param setEnabledRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(SetEnabledRequest setEnabledRequest) throws IOException {
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            final boolean enabling = setEnabledRequest.enabled() != null && setEnabledRequest.enabled().booleanValue();
            final String wrapperName = enabling ? "enable" : "disable";
            final String eventAction = enabling ? "change_enable_user" : "change_disable_user";
            json.startObject();
            json.startObject(wrapperName);
            json.startObject("user");
            json.field("name", setEnabledRequest.username());
            json.endObject();
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, eventAction);
            this.logEntry.with(LoggingAuditTrail.CHANGE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a {@code put_privileges} event; the request's privileges are stored under the {@code put} key.
         *
         * @param putPrivilegesRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(PutPrivilegesRequest putPrivilegesRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_privileges");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.field("privileges", putPrivilegesRequest.getPrivileges());
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.PUT_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a {@code create_apikey} event; the key's name, expiration and role descriptors are stored
         * under the {@code create} key.
         *
         * @param createApiKeyRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(CreateApiKeyRequest createApiKeyRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "create_apikey");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            withRequestBody(json, createApiKeyRequest);
            json.endObject();
            final String rendered = Strings.toString(json);
            this.logEntry.with(LoggingAuditTrail.CREATE_CONFIG_FIELD_NAME, rendered);
            return this;
        }

        /**
         * Records an API key created through a grant request.
         *
         * <p>The event action is {@code create_apikey}, the same as for a direct creation; what distinguishes
         * the entry is the grant section that {@code withGrant} appends after the API key section.
         *
         * @param grantApiKeyRequest the request being audited
         * @return this builder
         * @throws IOException if building the JSON content fails
         */
        LogEntryBuilder withRequestBody(GrantApiKeyRequest grantApiKeyRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "create_apikey");
            final XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            withRequestBody(json, grantApiKeyRequest.getApiKeyRequest());
            withGrant(json, grantApiKeyRequest.getGrant());
            json.endObject();
            final String rendered = Strings.toString(json);
            this.logEntry.with(LoggingAuditTrail.CREATE_CONFIG_FIELD_NAME, rendered);
            return this;
        }

        /**
         * Appends an {@code apikey} object with the key's name, expiration and role descriptors to the builder.
         *
         * <p>A missing expiration is written as a null value.
         *
         * @param xContentBuilder     the builder to append to; the enclosing object must already be open
         * @param createApiKeyRequest the request whose API key description is written
         * @throws IOException if building the JSON content fails
         */
        private void withRequestBody(XContentBuilder xContentBuilder, CreateApiKeyRequest createApiKeyRequest) throws IOException {
            final TimeValue expiration = createApiKeyRequest.getExpiration();
            final String expirationText = expiration != null ? expiration.toString() : null;
            xContentBuilder.startObject("apikey");
            xContentBuilder.field("name", createApiKeyRequest.getName());
            xContentBuilder.field("expiration", expirationText);
            xContentBuilder.startArray("role_descriptors");
            for (RoleDescriptor descriptor : createApiKeyRequest.getRoleDescriptors()) {
                withRoleDescriptor(xContentBuilder, descriptor);
            }
            xContentBuilder.endArray();
            xContentBuilder.endObject();
        }

        /**
         * Writes one role descriptor as a JSON object: cluster privileges, optional global
         * (conditional cluster) privileges, index privileges, application privileges, run-as
         * principals and, when non-empty, metadata.
         *
         * @param xContentBuilder the builder to write into
         * @param roleDescriptor the role descriptor to render
         * @throws IOException if the JSON content cannot be built
         */
        private void withRoleDescriptor(XContentBuilder xContentBuilder, RoleDescriptor roleDescriptor) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.array(RoleDescriptor.Fields.CLUSTER.getPreferredName(), roleDescriptor.getClusterPrivileges());

            // The "global" section is emitted only when conditional cluster privileges are present.
            boolean hasGlobalPrivileges = roleDescriptor.getConditionalClusterPrivileges() != null
                && roleDescriptor.getConditionalClusterPrivileges().length > 0;
            if (hasGlobalPrivileges) {
                xContentBuilder.field(RoleDescriptor.Fields.GLOBAL.getPreferredName());
                ConfigurableClusterPrivileges.toXContent(
                    xContentBuilder,
                    ToXContent.EMPTY_PARAMS,
                    Arrays.asList(roleDescriptor.getConditionalClusterPrivileges())
                );
            }

            xContentBuilder.startArray(RoleDescriptor.Fields.INDICES.getPreferredName());
            for (RoleDescriptor.IndicesPrivileges perIndex : roleDescriptor.getIndicesPrivileges()) {
                withIndicesPrivileges(xContentBuilder, perIndex);
            }
            xContentBuilder.endArray();

            xContentBuilder.xContentList(RoleDescriptor.Fields.APPLICATIONS.getPreferredName(), roleDescriptor.getApplicationPrivileges());
            xContentBuilder.array(RoleDescriptor.Fields.RUN_AS.getPreferredName(), roleDescriptor.getRunAs());

            // Metadata is skipped entirely when null or empty.
            boolean hasMetadata = roleDescriptor.getMetadata() != null && !roleDescriptor.getMetadata().isEmpty();
            if (hasMetadata) {
                xContentBuilder.field(RoleDescriptor.Fields.METADATA.getPreferredName(), roleDescriptor.getMetadata());
            }
            xContentBuilder.endObject();
        }

        /**
         * Writes one index-privileges entry as a JSON object: index names, privileges, and, when
         * in use, field-level security, the document-level security query and the
         * restricted-indices flag.
         *
         * @param xContentBuilder the builder to write into
         * @param indicesPrivileges the index privileges to render
         * @throws IOException if the JSON content cannot be built
         */
        private static void withIndicesPrivileges(XContentBuilder xContentBuilder, RoleDescriptor.IndicesPrivileges indicesPrivileges) throws IOException {
            xContentBuilder.startObject()
                .array("names", indicesPrivileges.getIndices())
                .array("privileges", indicesPrivileges.getPrivileges());

            if (indicesPrivileges.isUsingFieldLevelSecurity()) {
                xContentBuilder.startObject(RoleDescriptor.Fields.FIELD_PERMISSIONS.getPreferredName());
                xContentBuilder.array(RoleDescriptor.Fields.GRANT_FIELDS.getPreferredName(), indicesPrivileges.getGrantedFields());
                // Denied ("except") fields are listed only when present.
                if (indicesPrivileges.hasDeniedFields()) {
                    xContentBuilder.array(RoleDescriptor.Fields.EXCEPT_FIELDS.getPreferredName(), indicesPrivileges.getDeniedFields());
                }
                xContentBuilder.endObject();
            }

            // The document-level security query is recorded verbatim as a UTF-8 string.
            if (indicesPrivileges.isUsingDocumentLevelSecurity()) {
                xContentBuilder.field("query", indicesPrivileges.getQuery().utf8ToString());
            }

            // The flag is written only when it is set, so its absence means "not allowed".
            if (indicesPrivileges.allowRestrictedIndices()) {
                xContentBuilder.field("allow_restricted_indices", indicesPrivileges.allowRestrictedIndices());
            }
            xContentBuilder.endObject();
        }

        /**
         * Tags the entry as a {@code delete_user} event and records the targeted user name.
         *
         * @param deleteUserRequest the delete-user request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(DeleteUserRequest deleteUserRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_user");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("user");
            json.field("name", deleteUserRequest.username());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.DELETE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as a {@code delete_role} event and records the targeted role name.
         *
         * @param deleteRoleRequest the delete-role request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(DeleteRoleRequest deleteRoleRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_role");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("role");
            json.field("name", deleteRoleRequest.name());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.DELETE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as a {@code delete_role_mapping} event and records the mapping name.
         *
         * @param deleteRoleMappingRequest the delete-role-mapping request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(DeleteRoleMappingRequest deleteRoleMappingRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_role_mapping");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("role_mapping");
            json.field("name", deleteRoleMappingRequest.getName());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.DELETE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as an {@code invalidate_apikeys} event and records the selection
         * criteria of the request: key ids, key name, the owned-by-authenticated-user flag and
         * the user / realm filter.
         *
         * @param invalidateApiKeyRequest the invalidation request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(InvalidateApiKeyRequest invalidateApiKeyRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "invalidate_apikeys");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject().startObject("apikeys");

            // Optional criteria are omitted rather than written as empty values.
            boolean hasIds = invalidateApiKeyRequest.getIds() != null && invalidateApiKeyRequest.getIds().length > 0;
            if (hasIds) {
                json.array("ids", invalidateApiKeyRequest.getIds());
            }
            if (Strings.hasLength(invalidateApiKeyRequest.getName())) {
                json.field("name", invalidateApiKeyRequest.getName());
            }

            // This flag is always present in the record.
            json.field("owned_by_authenticated_user", invalidateApiKeyRequest.ownedByAuthenticatedUser());

            // The "user" object is written when either the user name or the realm name is set;
            // both fields are then written, so one of them may carry an empty or null value.
            boolean hasUserFilter = Strings.hasLength(invalidateApiKeyRequest.getUserName())
                || Strings.hasLength(invalidateApiKeyRequest.getRealmName());
            if (hasUserFilter) {
                json.startObject("user")
                    .field("name", invalidateApiKeyRequest.getUserName())
                    .field(LoggingAuditTrail.REALM_FIELD_NAME, invalidateApiKeyRequest.getRealmName())
                    .endObject();
            }
            json.endObject().endObject();
            this.logEntry.with(LoggingAuditTrail.INVALIDATE_API_KEYS_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as a {@code delete_privileges} event and records the application and
         * the privilege names being deleted.
         *
         * @param deletePrivilegesRequest the delete-privileges request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(DeletePrivilegesRequest deletePrivilegesRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_privileges");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("privileges");
            json.field("application", deletePrivilegesRequest.application());
            json.array("privileges", deletePrivilegesRequest.privileges());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.DELETE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as a {@code create_service_token} event and records the namespace,
         * service name and token name. Only these identifiers are read from the request here.
         *
         * @param createServiceAccountTokenRequest the token creation request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(CreateServiceAccountTokenRequest createServiceAccountTokenRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "create_service_token");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("service_token");
            json.field("namespace", createServiceAccountTokenRequest.getNamespace());
            json.field("service", createServiceAccountTokenRequest.getServiceName());
            json.field("name", createServiceAccountTokenRequest.getTokenName());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.CREATE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as a {@code delete_service_token} event and records the namespace,
         * service name and token name of the token being deleted.
         *
         * @param deleteServiceAccountTokenRequest the token deletion request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(DeleteServiceAccountTokenRequest deleteServiceAccountTokenRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_service_token");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.startObject("service_token");
            json.field("namespace", deleteServiceAccountTokenRequest.getNamespace());
            json.field("service", deleteServiceAccountTokenRequest.getServiceName());
            json.field("name", deleteServiceAccountTokenRequest.getTokenName());
            json.endObject();
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.DELETE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Tags the entry as an {@code activate_user_profile} event and records the grant used
         * for activation (type, user name and credential-presence flags, as written by
         * {@code withGrant}).
         *
         * @param activateProfileRequest the profile activation request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(ActivateProfileRequest activateProfileRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "activate_user_profile");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            withGrant(json, activateProfileRequest.getGrant());
            json.endObject();
            String rendered = Strings.toString(json);
            this.logEntry.with(LoggingAuditTrail.PUT_CONFIG_FIELD_NAME, rendered);
            return this;
        }

        /**
         * Tags the entry as an {@code update_user_profile_data} event and records the profile
         * uid together with the submitted labels and data.
         *
         * <p>NOTE(review): labels and data are written into the audit record as supplied by the
         * request; confirm that nothing sensitive is expected in these maps.
         *
         * @param updateProfileDataRequest the profile update request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(UpdateProfileDataRequest updateProfileDataRequest) throws IOException {
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "update_user_profile_data");
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            json.startObject();
            json.field("uid", updateProfileDataRequest.getUid());
            json.field("labels", updateProfileDataRequest.getLabels());
            json.field("data", updateProfileDataRequest.getData());
            json.endObject();
            this.logEntry.with(LoggingAuditTrail.PUT_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Records a profile enable / disable change: the event action is
         * {@code change_enable_user_profile} or {@code change_disable_user_profile}, and the
         * config field holds an {@code "enable"} or {@code "disable"} object with the profile uid.
         *
         * @param setProfileEnabledRequest the enable/disable request being audited
         * @return this builder
         * @throws IOException if the JSON content cannot be built
         */
        LogEntryBuilder withRequestBody(SetProfileEnabledRequest setProfileEnabledRequest) throws IOException {
            XContentBuilder json = JsonXContent.contentBuilder().humanReadable(true);
            boolean enabling = setProfileEnabledRequest.isEnabled();
            // Both branches produce the same shape; only the object name and the action differ.
            String sectionName = enabling ? "enable" : "disable";
            String eventAction = enabling ? "change_enable_user_profile" : "change_disable_user_profile";
            json.startObject().startObject(sectionName).field("uid", setProfileEnabledRequest.getUid()).endObject().endObject();
            this.logEntry.with(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, eventAction);
            this.logEntry.with(LoggingAuditTrail.CHANGE_CONFIG_FIELD_NAME, Strings.toString(json));
            return this;
        }

        /**
         * Writes a {@code "grant"} object describing the credentials a request was made with.
         *
         * <p>The password and the access token are never written: the record carries only the
         * booleans {@code has_password} and {@code has_access_token}. Keep it that way when
         * extending this method, since the output lands in the audit log.
         *
         * @param xContentBuilder the builder to write into
         * @param grant the grant to describe
         * @throws IOException if the JSON content cannot be built
         */
        static void withGrant(XContentBuilder xContentBuilder, Grant grant) throws IOException {
            xContentBuilder.startObject("grant");
            xContentBuilder.field(LoggingAuditTrail.LOG_TYPE, grant.getType());
            if (grant.getUsername() != null) {
                xContentBuilder.startObject("user");
                xContentBuilder.field("name", grant.getUsername());
                xContentBuilder.field("has_password", grant.getPassword() != null);
                xContentBuilder.endObject();
            }
            // The field is only written when a token is present, so it is true whenever it appears.
            if (grant.getAccessToken() != null) {
                xContentBuilder.field("has_access_token", grant.getAccessToken() != null);
            }
            xContentBuilder.endObject();
        }

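        /**
         * Splits the request URI into path and query string and records both, together with the
         * HTTP method.
         *
         * <p>Anything from the first {@code '#'} onwards is treated as a fragment and dropped.
         * A {@code '?'} that only occurs inside the fragment does not start a query string; the
         * previous implementation computed an inverted substring range for such a URI and threw
         * {@link StringIndexOutOfBoundsException}, which would abort the audit entry.
         *
         * <p>The query string is recorded verbatim, so any value a client places in a URL
         * parameter ends up in the audit log.
         *
         * @param restRequest the REST request being audited
         * @return this builder
         */
        LogEntryBuilder withRestUriAndMethod(RestRequest restRequest) {
            final String uri = restRequest.uri();
            final int fragmentStart = uri.indexOf('#');
            // End of the path-plus-query part: the fragment start, or the end of the URI.
            final int end = fragmentStart < 0 ? uri.length() : fragmentStart;
            final int queryStart = uri.indexOf('?');
            if (queryStart < 0 || queryStart > end) {
                // No query string (a '?' after '#' belongs to the fragment).
                this.logEntry.with(LoggingAuditTrail.URL_PATH_FIELD_NAME, uri.substring(0, end));
            } else {
                this.logEntry.with(LoggingAuditTrail.URL_PATH_FIELD_NAME, uri.substring(0, queryStart));
                this.logEntry.with(LoggingAuditTrail.URL_QUERY_FIELD_NAME, uri.substring(queryStart + 1, end));
            }
            this.logEntry.with(LoggingAuditTrail.REQUEST_METHOD_FIELD_NAME, restRequest.method().toString());
            return this;
        }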

        /**
         * Records both identities of a run-as authentication: the authenticating principal and
         * its realm, and the principal being impersonated (plus its lookup realm when known).
         *
         * @param authentication the authentication to describe
         * @return this builder
         */
        LogEntryBuilder withRunAsSubject(Authentication authentication) {
            // Who actually authenticated.
            this.logEntry.with(LoggingAuditTrail.PRINCIPAL_FIELD_NAME, authentication.getAuthenticatingSubject().getUser().principal());
            this.logEntry.with(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getAuthenticatedBy().getName());
            // Who they asked to run as.
            this.logEntry.with(LoggingAuditTrail.PRINCIPAL_RUN_AS_FIELD_NAME, authentication.getUser().principal());
            if (authentication.getLookedUpBy() == null) {
                return this;
            }
            this.logEntry.with(LoggingAuditTrail.PRINCIPAL_RUN_AS_REALM_FIELD_NAME, authentication.getLookedUpBy().getName());
            return this;
        }

        /**
         * Replaces the entry's origin with the REST client address, when the HTTP channel
         * reports one. If no remote address is available the existing origin is left untouched.
         *
         * @param restRequest the REST request being audited
         * @return this builder
         */
        LogEntryBuilder withRestOrigin(RestRequest restRequest) {
            // Assertion (decompiled form): the entry is expected to still carry the local origin type.
            if (!$assertionsDisabled && !LoggingAuditTrail.LOCAL_ORIGIN_FIELD_VALUE.equals(this.logEntry.get(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME))) {
                throw new AssertionError();
            }
            InetSocketAddress clientAddress = restRequest.getHttpChannel().getRemoteAddress();
            if (clientAddress == null) {
                return this;
            }
            this.logEntry.with(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.REST_ORIGIN_FIELD_VALUE);
            this.logEntry.with(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(clientAddress));
            return this;
        }

        /**
         * Replaces the entry's origin with the best available remote address: the REST client
         * address stored in the thread context is preferred, otherwise the transport request's
         * remote address is used. When neither is available the existing origin is kept.
         *
         * @param transportRequest the transport request being audited
         * @param threadContext the thread context that may carry the REST remote address
         * @return this builder
         */
        LogEntryBuilder withRestOrTransportOrigin(TransportRequest transportRequest, ThreadContext threadContext) {
            // Assertion (decompiled form): the entry is expected to still carry the local origin type.
            if (!$assertionsDisabled && !LoggingAuditTrail.LOCAL_ORIGIN_FIELD_VALUE.equals(this.logEntry.get(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME))) {
                throw new AssertionError();
            }
            InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext);
            if (restAddress != null) {
                this.logEntry.with(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.REST_ORIGIN_FIELD_VALUE);
                this.logEntry.with(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(restAddress));
                return this;
            }
            // The transport address is consulted only when no REST address was recorded.
            InetSocketAddress transportAddress = transportRequest.remoteAddress();
            if (transportAddress != null) {
                this.logEntry.with(LoggingAuditTrail.ORIGIN_TYPE_FIELD_NAME, LoggingAuditTrail.TRANSPORT_ORIGIN_FIELD_VALUE);
                this.logEntry.with(LoggingAuditTrail.ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(transportAddress));
            }
            return this;
        }

        /**
         * Attaches the REST request body to the entry when request-body auditing is enabled and
         * the body is non-empty.
         *
         * <p>NOTE(review): the content comes from {@code AuditUtil.restRequestContent}, whose
         * filtering behaviour is not visible here. Request bodies can carry credentials, so
         * confirm what that helper redacts before enabling this option, and restrict access to
         * the audit log accordingly.
         *
         * @param restRequest the REST request being audited
         * @return this builder
         */
        LogEntryBuilder withRequestBody(RestRequest restRequest) {
            if (!LoggingAuditTrail.this.includeRequestBody) {
                return this;
            }
            String body = AuditUtil.restRequestContent(restRequest);
            if (!Strings.hasLength(body)) {
                return this;
            }
            this.logEntry.with(LoggingAuditTrail.REQUEST_BODY_FIELD_NAME, body);
            return this;
        }

        /**
         * Records the request id, which lets separate audit events for one request be correlated.
         * A {@code null} id is ignored.
         *
         * @param str the request id, may be {@code null}
         * @return this builder
         */
        LogEntryBuilder withRequestId(String str) {
            if (str == null) {
                return this;
            }
            this.logEntry.with(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, str);
            return this;
        }

        /**
         * Copies selected thread-context headers into the entry: the X-Forwarded-For header,
         * {@code X-Opaque-Id} and the trace id. Headers that are absent are skipped.
         *
         * <p>NOTE(review): these values are read from request headers and recorded as-is.
         * Presumably they are client-supplied, so treat them as unverified hints rather than as
         * proof of origin when investigating; the origin address fields are set separately.
         *
         * @param threadContext the thread context to read headers from
         * @return this builder
         */
        LogEntryBuilder withThreadContext(ThreadContext threadContext) {
            setThreadContextField(threadContext, AuditTrail.X_FORWARDED_FOR_HEADER, LoggingAuditTrail.X_FORWARDED_FOR_FIELD_NAME);
            setThreadContextField(threadContext, "X-Opaque-Id", LoggingAuditTrail.OPAQUE_ID_FIELD_NAME);
            // The trace id uses the same string for the header name and the log field name.
            setThreadContextField(threadContext, LoggingAuditTrail.TRACE_ID_FIELD_NAME, LoggingAuditTrail.TRACE_ID_FIELD_NAME);
            return this;
        }

        /**
         * Copies one thread-context header into the entry under the given field name, if the
         * header is present.
         *
         * @param threadContext the thread context to read from
         * @param str the header name to look up
         * @param str2 the log field name to write the header value under
         */
        private void setThreadContextField(ThreadContext threadContext, String str, String str2) {
            String headerValue = threadContext.getHeader(str);
            if (headerValue == null) {
                return;
            }
            this.logEntry.with(str2, headerValue);
        }

        /**
         * Records who authenticated and how: principal, authentication type and realm, plus
         * API-key, run-as or service-account details depending on the kind of authentication.
         *
         * <p>For API keys only the key id and name are recorded, read from the authentication
         * metadata.
         *
         * @param authentication the authentication to describe
         * @return this builder
         */
        LogEntryBuilder withAuthentication(Authentication authentication) {
            this.logEntry.with(LoggingAuditTrail.PRINCIPAL_FIELD_NAME, authentication.getUser().principal());
            this.logEntry.with(LoggingAuditTrail.AUTHENTICATION_TYPE_FIELD_NAME, authentication.getAuthenticationType().toString());

            if (authentication.isApiKey()) {
                this.logEntry.with(LoggingAuditTrail.API_KEY_ID_FIELD_NAME, (String) authentication.getMetadata().get("_security_api_key_id"));
                String apiKeyName = (String) authentication.getMetadata().get("_security_api_key_name");
                if (apiKeyName != null) {
                    this.logEntry.with(LoggingAuditTrail.API_KEY_NAME_FIELD_NAME, apiKeyName);
                }
                // For API keys the realm reported is the realm of the key's creator.
                String creatorRealm = ApiKeyService.getCreatorRealmName(authentication);
                if (creatorRealm != null) {
                    this.logEntry.with(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, creatorRealm);
                }
            } else if (authentication.isRunAs()) {
                // Run-as: the principal's realm is the lookup realm; the authenticating user and
                // realm are kept in the "run by" fields.
                this.logEntry.with(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getLookedUpBy().getName());
                this.logEntry.with(LoggingAuditTrail.PRINCIPAL_RUN_BY_FIELD_NAME, authentication.getAuthenticatingSubject().getUser().principal());
                this.logEntry.with(LoggingAuditTrail.PRINCIPAL_RUN_BY_REALM_FIELD_NAME, authentication.getAuthenticatedBy().getName());
            } else {
                this.logEntry.with(LoggingAuditTrail.PRINCIPAL_REALM_FIELD_NAME, authentication.getAuthenticatedBy().getName());
            }

            if (authentication.isAuthenticatedWithServiceAccount()) {
                this.logEntry.with(LoggingAuditTrail.SERVICE_TOKEN_NAME_FIELD_NAME, (String) authentication.getMetadata().get("_token_name"));
                this.logEntry.with(LoggingAuditTrail.SERVICE_TOKEN_TYPE_FIELD_NAME, "_service_account_" + authentication.getMetadata().get("_token_source"));
            }
            return this;
        }

        /**
         * Adds a single string field to the entry; a {@code null} value is ignored.
         *
         * @param str the field name
         * @param str2 the field value, may be {@code null}
         * @return this builder
         */
        LogEntryBuilder with(String str, String str2) {
            if (str2 == null) {
                return this;
            }
            this.logEntry.with(str, str2);
            return this;
        }

        /**
         * Adds a string-array field to the entry, rendered as a quoted JSON array; a
         * {@code null} array is ignored.
         *
         * @param str the field name
         * @param strArr the values, may be {@code null}
         * @return this builder
         */
        LogEntryBuilder with(String str, String[] strArr) {
            if (strArr == null) {
                return this;
            }
            String rendered = toQuotedJsonArray(strArr);
            this.logEntry.with(str, rendered);
            return this;
        }

        /**
         * Adds every entry of the map to the log entry. Array values are rendered as quoted
         * JSON arrays; all other values are passed through unchanged.
         *
         * <p>NOTE(review): unlike the other {@code with} overloads this one does not skip
         * {@code null}: a null value fails at {@code getClass()}, and a primitive array fails
         * the {@code Object[]} cast. Confirm callers never pass either.
         *
         * @param map the fields to add
         * @return this builder
         */
        LogEntryBuilder with(Map<String, Object> map) {
            for (Map.Entry<String, Object> field : map.entrySet()) {
                Object fieldValue = field.getValue();
                boolean isArray = fieldValue.getClass().isArray();
                if (!isArray) {
                    this.logEntry.with(field.getKey(), fieldValue);
                } else {
                    this.logEntry.with(field.getKey(), toQuotedJsonArray((Object[]) fieldValue));
                }
            }
            return this;
        }

        /**
         * Emits the accumulated entry to the audit logger at INFO level, tagged with the audit
         * marker.
         */
        void build() {
            LoggingAuditTrail.this.logger.info(LoggingAuditTrail.AUDIT_MARKER, this.logEntry);
        }

        /**
         * Renders the elements as a JSON array of strings, e.g. {@code ["a","b"]}.
         *
         * <p>Each element is converted with {@code toString()} and JSON-escaped before being
         * quoted, so quotes or control characters inside a value cannot break out of the string
         * and alter the structure of the audit record. {@code null} elements are skipped.
         *
         * @param objArr the elements to render; must not be {@code null}
         * @return the JSON array text
         */
        static String toQuotedJsonArray(Object[] objArr) {
            if (!$assertionsDisabled && objArr == null) {
                throw new AssertionError();
            }
            StringBuilder out = new StringBuilder();
            JsonStringEncoder encoder = JsonStringEncoder.getInstance();
            out.append("[");
            boolean needsSeparator = false;
            for (Object element : objArr) {
                if (element == null) {
                    continue;
                }
                if (needsSeparator) {
                    out.append(",");
                }
                out.append("\"");
                encoder.quoteAsString(element.toString(), out);
                out.append("\"");
                needsSeparator = true;
            }
            out.append("]");
            return out.toString();
        }

        // Appears to be the compiler-generated assertion flag surfaced by decompilation: it is
        // true when assertions are disabled for LoggingAuditTrail, and guards the
        // "throw new AssertionError()" checks in this class.
        static {
            $assertionsDisabled = !LoggingAuditTrail.class.desiredAssertionStatus();
        }
    }

    /**
     * Returns the name of this audit trail implementation.
     *
     * @return the {@code NAME} constant
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public String name() {
        return NAME;
    }

    /**
     * Creates the audit trail with the class's own logger and the thread pool's thread context.
     *
     * @param settings node settings used to configure auditing
     * @param clusterService cluster service used for state and settings-update listeners
     * @param threadPool supplies the thread context
     */
    public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
        this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());
    }

    /**
     * Creates the audit trail with an explicit logger and thread context.
     *
     * <p>Besides reading the initial configuration, the constructor registers this instance as
     * a cluster listener and installs update consumers so that the audited event set, the
     * request-body option, the emitted node/cluster fields and the ignore-filter policies
     * follow cluster settings updates.
     *
     * <p>NOTE(review): because these settings are consumed dynamically, a settings update can
     * narrow what is audited; monitoring changes to the audit settings themselves is advisable.
     *
     * @param settings node settings used to configure auditing
     * @param clusterService cluster service used for state and settings-update listeners
     * @param logger the logger audit entries are written to
     * @param threadContext the thread context headers are read from
     */
    LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {
        this.logger = logger;
        // Initial configuration: which event types are audited and whether bodies are included.
        this.events = AuditLevel.parse((List) INCLUDE_EVENT_SETTINGS.get(settings), (List) EXCLUDE_EVENT_SETTINGS.get(settings));
        this.includeRequestBody = ((Boolean) INCLUDE_REQUEST_BODY.get(settings)).booleanValue();
        this.threadContext = threadContext;
        this.entryCommonFields = new EntryCommonFields(settings, null, clusterService);
        this.eventFilterPolicyRegistry = new EventFilterPolicyRegistry(settings);
        clusterService.addListener(this);
        // Re-read the common fields, the body option and the event set whenever any of the
        // listed settings changes.
        clusterService.getClusterSettings().addSettingsUpdateConsumer(settings2 -> {
            this.entryCommonFields = this.entryCommonFields.withNewSettings(settings2);
            this.includeRequestBody = ((Boolean) INCLUDE_REQUEST_BODY.get(settings2)).booleanValue();
            this.events = AuditLevel.parse((List) INCLUDE_EVENT_SETTINGS.get(settings2), (List) EXCLUDE_EVENT_SETTINGS.get(settings2));
        }, Arrays.asList(EMIT_HOST_ADDRESS_SETTING, EMIT_HOST_NAME_SETTING, EMIT_NODE_NAME_SETTING, EMIT_NODE_ID_SETTING, EMIT_CLUSTER_NAME_SETTING, EMIT_CLUSTER_UUID_SETTING, INCLUDE_EVENT_SETTINGS, EXCLUDE_EVENT_SETTINGS, INCLUDE_REQUEST_BODY));
        // Ignore-filter policies, one consumer per filtered attribute. Each update replaces the
        // named policy (or a fresh one built from the startup settings) with a copy carrying the
        // new filter; the second lambda parses the new value as the validation step.
        clusterService.getClusterSettings().addAffixUpdateConsumer(FILTER_POLICY_IGNORE_PRINCIPALS, (str, list) -> {
            this.eventFilterPolicyRegistry.set(str, this.eventFilterPolicyRegistry.get(str).orElse(new EventFilterPolicy(str, settings)).changePrincipalsFilter(list));
        }, (str2, list2) -> {
            EventFilterPolicy.parsePredicate(list2);
        });
        clusterService.getClusterSettings().addAffixUpdateConsumer(FILTER_POLICY_IGNORE_REALMS, (str3, list3) -> {
            this.eventFilterPolicyRegistry.set(str3, this.eventFilterPolicyRegistry.get(str3).orElse(new EventFilterPolicy(str3, settings)).changeRealmsFilter(list3));
        }, (str4, list4) -> {
            EventFilterPolicy.parsePredicate(list4);
        });
        clusterService.getClusterSettings().addAffixUpdateConsumer(FILTER_POLICY_IGNORE_ROLES, (str5, list5) -> {
            this.eventFilterPolicyRegistry.set(str5, this.eventFilterPolicyRegistry.get(str5).orElse(new EventFilterPolicy(str5, settings)).changeRolesFilter(list5));
        }, (str6, list6) -> {
            EventFilterPolicy.parsePredicate(list6);
        });
        clusterService.getClusterSettings().addAffixUpdateConsumer(FILTER_POLICY_IGNORE_INDICES, (str7, list7) -> {
            this.eventFilterPolicyRegistry.set(str7, this.eventFilterPolicyRegistry.get(str7).orElse(new EventFilterPolicy(str7, settings)).changeIndicesFilter(list7));
        }, (str8, list8) -> {
            EventFilterPolicy.parsePredicate(list8);
        });
        clusterService.getClusterSettings().addAffixUpdateConsumer(FILTER_POLICY_IGNORE_ACTIONS, (str9, list9) -> {
            this.eventFilterPolicyRegistry.set(str9, this.eventFilterPolicyRegistry.get(str9).orElse(new EventFilterPolicy(str9, settings)).changeActionsFilter(list9));
        }, (str10, list10) -> {
            EventFilterPolicy.parsePredicate(list10);
        });
        // Context-wide marker filter: events carrying the audit marker are ACCEPTed, everything
        // else is NEUTRAL (left to the normal level filtering).
        LoggerContext context = LoggerContext.getContext(false);
        context.addFilter(MarkerFilter.createFilter(AUDIT_MARKER.getName(), Filter.Result.ACCEPT, Filter.Result.NEUTRAL));
        context.updateLoggers();
        // Warn when someone changes this class's log level setting: per the message, it has no effect.
        clusterService.getClusterSettings().addSettingsUpdateConsumer(settings3 -> {
            LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");
        }, List.of(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));
    }

    /**
     * Audits a successful authentication of a REST request, unless the event type is disabled
     * or an ignore-filter policy matches the user / realm.
     *
     * @param str the request id
     * @param authentication the successful authentication
     * @param restRequest the REST request that was authenticated
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationSuccess(String str, Authentication authentication, RestRequest restRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_SUCCESS)) {
            return;
        }
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.empty(), Optional.empty(), Optional.empty()))) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "authentication_success")
            .with(REALM_FIELD_NAME, authentication.getAuthenticatedBy().getName())
            .withRestUriAndMethod(restRequest)
            .withRequestId(str)
            .withAuthentication(authentication)
            .withRestOrigin(restRequest)
            .withRequestBody(restRequest)
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Audits a successful authentication of a transport request, unless the event type is
     * disabled or an ignore-filter policy matches the user, realm, indices or action.
     *
     * @param str the request id
     * @param authentication the successful authentication
     * @param str2 the action name
     * @param transportRequest the transport request that was authenticated
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationSuccess(String str, Authentication authentication, String str2, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_SUCCESS)) {
            return;
        }
        Optional<String[]> targetIndices = indices(transportRequest);
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.empty(), targetIndices, Optional.of(str2)))) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "authentication_success")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withAuthentication(authentication)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, targetIndices.orElse(null))
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Audits a transport request that was denied because it carried no credentials, unless the
     * event type is disabled or an ignore-filter policy matches the indices or action.
     *
     * @param str the request id
     * @param str2 the action name
     * @param transportRequest the denied transport request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void anonymousAccessDenied(String str, String str2, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.ANONYMOUS_ACCESS_DENIED)) {
            return;
        }
        Optional<String[]> targetIndices = indices(transportRequest);
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.empty(), Optional.empty(), targetIndices, Optional.of(str2)))) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "anonymous_access_denied")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, targetIndices.orElse(null))
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Audits a REST request that was denied because it carried no credentials, unless the
     * event type is disabled or an ignore-filter policy matches the empty meta info.
     *
     * @param str the request id
     * @param restRequest the denied REST request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void anonymousAccessDenied(String str, RestRequest restRequest) {
        if (!this.events.contains(AuditLevel.ANONYMOUS_ACCESS_DENIED)) {
            return;
        }
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY)) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "anonymous_access_denied")
            .withRestUriAndMethod(restRequest)
            .withRestOrigin(restRequest)
            .withRequestBody(restRequest)
            .withRequestId(str)
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Audits a failed authentication of a transport request for which a token was extracted,
     * unless the event type is disabled or an ignore-filter policy matches. The token's
     * principal is recorded; for service account tokens the token name is recorded as well.
     *
     * @param str the request id
     * @param authenticationToken the token that failed to authenticate
     * @param str2 the action name
     * @param transportRequest the transport request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, AuthenticationToken authenticationToken, String str2, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            return;
        }
        Optional<String[]> targetIndices = indices(transportRequest);
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authenticationToken), Optional.empty(), targetIndices, Optional.of(str2)))) {
            return;
        }
        LogEntryBuilder entry = new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "authentication_failed")
            .with(ACTION_FIELD_NAME, str2)
            .with(PRINCIPAL_FIELD_NAME, authenticationToken.principal())
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, targetIndices.orElse(null))
            .withThreadContext(this.threadContext);
        // Only the token's name is recorded for service account tokens.
        if (authenticationToken instanceof ServiceAccountToken) {
            entry.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) authenticationToken).getTokenName());
        }
        entry.build();
    }

    /**
     * Audits a failed authentication of a REST request for which no token is available, unless
     * the event type is disabled or an ignore-filter policy matches the empty meta info.
     *
     * @param str the request id
     * @param restRequest the REST request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, RestRequest restRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            return;
        }
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY)) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "authentication_failed")
            .withRestUriAndMethod(restRequest)
            .withRestOrigin(restRequest)
            .withRequestBody(restRequest)
            .withRequestId(str)
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Audits a failed authentication of a transport request for which no token is available,
     * unless the event type is disabled or an ignore-filter policy matches the indices or action.
     *
     * @param str the request id
     * @param str2 the action name
     * @param transportRequest the transport request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, String str2, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            return;
        }
        Optional<String[]> targetIndices = indices(transportRequest);
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.empty(), Optional.empty(), targetIndices, Optional.of(str2)))) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "authentication_failed")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, targetIndices.orElse(null))
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Audits a failed authentication of a REST request for which a token was extracted, unless
     * the event type is disabled or an ignore-filter policy matches. The token's principal is
     * recorded; for service account tokens the token name is recorded as well.
     *
     * @param str the request id
     * @param authenticationToken the token that failed to authenticate
     * @param restRequest the REST request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, AuthenticationToken authenticationToken, RestRequest restRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            return;
        }
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authenticationToken), Optional.empty(), Optional.empty(), Optional.empty()))) {
            return;
        }
        LogEntryBuilder entry = new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "authentication_failed")
            .with(PRINCIPAL_FIELD_NAME, authenticationToken.principal())
            .withRestUriAndMethod(restRequest)
            .withRestOrigin(restRequest)
            .withRequestBody(restRequest)
            .withRequestId(str)
            .withThreadContext(this.threadContext);
        // Only the token's name is recorded for service account tokens.
        if (authenticationToken instanceof ServiceAccountToken) {
            entry.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) authenticationToken).getTokenName());
        }
        entry.build();
    }

    /**
     * Audits a failed authentication attempt against one specific realm for a transport
     * request, unless the realm-level event type is disabled or an ignore-filter policy matches.
     *
     * @param str the request id
     * @param str2 the realm that rejected the token
     * @param authenticationToken the token that failed to authenticate
     * @param str3 the action name
     * @param transportRequest the transport request
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, String str2, AuthenticationToken authenticationToken, String str3, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.REALM_AUTHENTICATION_FAILED)) {
            return;
        }
        Optional<String[]> targetIndices = indices(transportRequest);
        if (this.eventFilterPolicyRegistry.ignorePredicate().test(new AuditEventMetaInfo(Optional.of(authenticationToken), Optional.of(str2), targetIndices, Optional.of(str3)))) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "realm_authentication_failed")
            .with(REALM_FIELD_NAME, str2)
            .with(PRINCIPAL_FIELD_NAME, authenticationToken.principal())
            .with(ACTION_FIELD_NAME, str3)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, targetIndices.orElse(null))
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Records a {@code realm_authentication_failed} event for a REST request.
     *
     * <p>Gated on {@link AuditLevel#REALM_AUTHENTICATION_FAILED}; the ignore filter policies are
     * evaluated against the token and the realm only.
     *
     * @param str                 request id stored on the entry
     * @param str2                realm name written to the realm field
     * @param authenticationToken token whose principal is logged
     * @param restRequest         request handed to {@code withRestUriAndMethod}, {@code withRestOrigin} and {@code withRequestBody}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, String str2, AuthenticationToken authenticationToken, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.REALM_AUTHENTICATION_FAILED)) {
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
                .test(new AuditEventMetaInfo(Optional.of(authenticationToken), Optional.of(str2), Optional.empty(), Optional.empty()));
            if (!ignored) {
                new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, "realm_authentication_failed")
                    .with(REALM_FIELD_NAME, str2)
                    .with(PRINCIPAL_FIELD_NAME, authenticationToken.principal())
                    .withRestUriAndMethod(restRequest)
                    .withRestOrigin(restRequest)
                    .withRequestBody(restRequest)
                    .withRequestId(str)
                    .withThreadContext(this.threadContext)
                    .build();
            }
        }
    }

    /**
     * Records an {@code access_granted} event and, for security-management actions, a separate
     * security-change entry carrying the request body.
     *
     * <p>The access entry is gated on {@link AuditLevel#SYSTEM_ACCESS_GRANTED} for internal users and
     * {@link AuditLevel#ACCESS_GRANTED} otherwise, and is subject to the ignore filter policies.
     * The security-change entry is gated only on {@link AuditLevel#SECURITY_CONFIG_CHANGE} and on the
     * action being listed in {@code SECURITY_CHANGE_ACTIONS}; it is written whether or not the access
     * entry was enabled or filtered.
     *
     * <p>NOTE(review): how each request type is serialised is decided by the matching
     * {@code withRequestBody} overload, which is not visible here; confirm those overloads leave out
     * credential material (password hashes, API key secrets).
     *
     * @param str               request id stored on both entries
     * @param authentication    authentication whose user selects the audit level
     * @param str2              action name
     * @param transportRequest  request whose simple class name, origin and indices are logged
     * @param authorizationInfo authorization details merged into the access entry via {@code asMap()}
     * @throws IllegalStateException          if the action is a security-change action but the request type is not handled
     * @throws ElasticsearchSecurityException if building the security-change entry raises an {@link IOException}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void accessGranted(String str, Authentication authentication, String str2, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        User user = authentication.getUser();
        AuditLevel grantedLevel = User.isInternal(user) ? AuditLevel.SYSTEM_ACCESS_GRANTED : AuditLevel.ACCESS_GRANTED;
        if (this.events.contains(grantedLevel)) {
            Optional<String[]> indices = indices(transportRequest);
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
                .test(new AuditEventMetaInfo(Optional.of(user), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.of(authorizationInfo), indices, Optional.of(str2)));
            if (!ignored) {
                new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, "access_granted")
                    .with(ACTION_FIELD_NAME, str2)
                    .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
                    .withRequestId(str)
                    .withAuthentication(authentication)
                    .withRestOrTransportOrigin(transportRequest, this.threadContext)
                    .with(INDICES_FIELD_NAME, indices.orElse(null))
                    .withThreadContext(this.threadContext)
                    .with(authorizationInfo.asMap())
                    .build();
            }
        }

        // Security-change auditing is independent of the access_granted entry above.
        if (!this.events.contains(AuditLevel.SECURITY_CONFIG_CHANGE) || !SECURITY_CHANGE_ACTIONS.contains(str2)) {
            return;
        }
        try {
            if (transportRequest instanceof PutUserRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/user/put", str2);
                PutUserRequest typed = (PutUserRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof PutRoleRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/role/put", str2);
                PutRoleRequest typed = (PutRoleRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof PutRoleMappingRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/role_mapping/put", str2);
                PutRoleMappingRequest typed = (PutRoleMappingRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof SetEnabledRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/user/set_enabled", str2);
                SetEnabledRequest typed = (SetEnabledRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof ChangePasswordRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/user/change_password", str2);
                ChangePasswordRequest typed = (ChangePasswordRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof CreateApiKeyRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/api_key/create", str2);
                CreateApiKeyRequest typed = (CreateApiKeyRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof GrantApiKeyRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/api_key/grant", str2);
                GrantApiKeyRequest typed = (GrantApiKeyRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof PutPrivilegesRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/privilege/put", str2);
                PutPrivilegesRequest typed = (PutPrivilegesRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof DeleteUserRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/user/delete", str2);
                DeleteUserRequest typed = (DeleteUserRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof DeleteRoleRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/role/delete", str2);
                DeleteRoleRequest typed = (DeleteRoleRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof DeleteRoleMappingRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/role_mapping/delete", str2);
                DeleteRoleMappingRequest typed = (DeleteRoleMappingRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof InvalidateApiKeyRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/api_key/invalidate", str2);
                InvalidateApiKeyRequest typed = (InvalidateApiKeyRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof DeletePrivilegesRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/privilege/delete", str2);
                DeletePrivilegesRequest typed = (DeletePrivilegesRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof CreateServiceAccountTokenRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/service_account/token/create", str2);
                CreateServiceAccountTokenRequest typed = (CreateServiceAccountTokenRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof DeleteServiceAccountTokenRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/service_account/token/delete", str2);
                DeleteServiceAccountTokenRequest typed = (DeleteServiceAccountTokenRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof ActivateProfileRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/profile/activate", str2);
                ActivateProfileRequest typed = (ActivateProfileRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof UpdateProfileDataRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/profile/put/data", str2);
                UpdateProfileDataRequest typed = (UpdateProfileDataRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else if (transportRequest instanceof SetProfileEnabledRequest) {
                requireSecurityChangeAction("cluster:admin/xpack/security/profile/set_enabled", str2);
                SetProfileEnabledRequest typed = (SetProfileEnabledRequest) transportRequest;
                securityChangeLogEntryBuilder(str).withRequestBody(typed).build();
            } else {
                // The action is in SECURITY_CHANGE_ACTIONS but no branch above knows its request type.
                throw new IllegalStateException("Unknown message class type [" + transportRequest.getClass().getSimpleName() + "] for the \"security change\" action [" + str2 + "]");
            }
        } catch (IOException e) {
            throw new ElasticsearchSecurityException("Unexpected error while serializing event data", e, new Object[0]);
        }
    }

    /**
     * Assertion-only check that a request type was dispatched under the action name it belongs to.
     * Does nothing when assertions are disabled for this class.
     */
    private static void requireSecurityChangeAction(String expectedAction, String actualAction) {
        if (!$assertionsDisabled && !expectedAction.equals(actualAction)) {
            throw new AssertionError();
        }
    }

    /**
     * Records an {@code access_granted} or {@code access_denied} event for a single, explicitly named index.
     *
     * <p>A granted event for an internal user is reclassified as
     * {@link AuditLevel#SYSTEM_ACCESS_GRANTED} before the level check, so it is only written when that
     * level is enabled. For the origin fields, a REST remote address found in the thread context takes
     * precedence over {@code inetSocketAddress}; if neither is available no origin fields are added.
     *
     * @param str               request id stored on the entry
     * @param auditLevel        one of ACCESS_DENIED, ACCESS_GRANTED or SYSTEM_ACCESS_GRANTED (checked by assertion only)
     * @param authentication    authentication of the caller
     * @param str2              action name
     * @param str3              index name, or {@code null} to log no indices
     * @param str4              request name written to the request-name field
     * @param inetSocketAddress transport remote address, may be {@code null}
     * @param authorizationInfo authorization details merged into the entry via {@code asMap()}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void explicitIndexAccessEvent(String str, AuditLevel auditLevel, Authentication authentication, String str2, String str3, String str4, InetSocketAddress inetSocketAddress, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (!$assertionsDisabled && auditLevel != AuditLevel.ACCESS_DENIED && auditLevel != AuditLevel.ACCESS_GRANTED && auditLevel != AuditLevel.SYSTEM_ACCESS_GRANTED) {
            throw new AssertionError();
        }
        String[] indexNames = null;
        if (str3 != null) {
            indexNames = new String[]{str3};
        }
        User user = authentication.getUser();
        AuditLevel effectiveLevel = auditLevel;
        if (User.isInternal(user) && auditLevel == AuditLevel.ACCESS_GRANTED) {
            effectiveLevel = AuditLevel.SYSTEM_ACCESS_GRANTED;
        }
        if (this.events.contains(effectiveLevel)) {
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
                .test(new AuditEventMetaInfo(Optional.of(user), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.of(authorizationInfo), Optional.ofNullable(indexNames), Optional.of(str2)));
            if (!ignored) {
                String eventAction;
                if (effectiveLevel == AuditLevel.ACCESS_DENIED) {
                    eventAction = "access_denied";
                } else {
                    eventAction = "access_granted";
                }
                LogEntryBuilder entry = new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, eventAction)
                    .with(ACTION_FIELD_NAME, str2)
                    .with(REQUEST_NAME_FIELD_NAME, str4)
                    .withRequestId(str)
                    .withAuthentication(authentication)
                    .with(INDICES_FIELD_NAME, indexNames)
                    .withThreadContext(this.threadContext)
                    .with(authorizationInfo.asMap());
                // Prefer the REST client address recorded in the thread context over the transport peer.
                InetSocketAddress restRemoteAddress = RemoteHostHeader.restRemoteAddress(this.threadContext);
                if (restRemoteAddress != null) {
                    entry.with(ORIGIN_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE).with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(restRemoteAddress));
                } else if (inetSocketAddress != null) {
                    entry.with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE).with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetSocketAddress));
                }
                entry.build();
            }
        }
    }

    /**
     * Records an {@code access_denied} event for a transport request.
     *
     * <p>Gated on {@link AuditLevel#ACCESS_DENIED}; the ignore filter policies are evaluated against
     * the user, the API key creator realm (when present), the authorization info, the request indices
     * and the action.
     *
     * @param str               request id stored on the entry
     * @param authentication    authentication of the denied caller
     * @param str2              action name
     * @param transportRequest  request whose simple class name, origin and indices are logged
     * @param authorizationInfo authorization details merged into the entry via {@code asMap()}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void accessDenied(String str, Authentication authentication, String str2, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (!this.events.contains(AuditLevel.ACCESS_DENIED)) {
            return;
        }
        Optional<String[]> indices = indices(transportRequest);
        boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
            .test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.of(authorizationInfo), indices, Optional.of(str2)));
        if (ignored) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "access_denied")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withAuthentication(authentication)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, indices.orElse(null))
            .with(authorizationInfo.asMap())
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Records a {@code tampered_request} event for a REST request.
     *
     * <p>Gated on {@link AuditLevel#TAMPERED_REQUEST}. No user, realm, index or action is known at
     * this point, so the ignore filter policies are evaluated against {@code AuditEventMetaInfo.EMPTY}.
     *
     * @param str         request id stored on the entry
     * @param restRequest request handed to {@code withRestUriAndMethod}, {@code withRestOrigin} and {@code withRequestBody}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void tamperedRequest(String str, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY);
            if (!ignored) {
                new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, "tampered_request")
                    .withRestUriAndMethod(restRequest)
                    .withRestOrigin(restRequest)
                    .withRequestBody(restRequest)
                    .withRequestId(str)
                    .withThreadContext(this.threadContext)
                    .build();
            }
        }
    }

    /**
     * Records a {@code tampered_request} event for a transport request with no associated authentication.
     *
     * <p>Gated on {@link AuditLevel#TAMPERED_REQUEST}; the ignore filter policies are evaluated against
     * the request indices and the action only.
     *
     * @param str              request id stored on the entry
     * @param str2             action name
     * @param transportRequest request whose simple class name, origin and indices are logged
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void tamperedRequest(String str, String str2, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            return;
        }
        Optional<String[]> indices = indices(transportRequest);
        boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
            .test(new AuditEventMetaInfo(Optional.empty(), Optional.empty(), indices, Optional.of(str2)));
        if (ignored) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "tampered_request")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, indices.orElse(null))
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Records a {@code tampered_request} event for a transport request that has an authentication attached.
     *
     * <p>Gated on {@link AuditLevel#TAMPERED_REQUEST}; the ignore filter policies are evaluated against
     * the user, the API key creator realm (when present), the request indices and the action.
     *
     * @param str              request id stored on the entry
     * @param authentication   authentication logged via {@code withAuthentication}
     * @param str2             action name
     * @param transportRequest request whose simple class name, origin and indices are logged
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void tamperedRequest(String str, Authentication authentication, String str2, TransportRequest transportRequest) {
        if (!this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            return;
        }
        Optional<String[]> indices = indices(transportRequest);
        boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
            .test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.empty(), indices, Optional.of(str2)));
        if (ignored) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "tampered_request")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .withAuthentication(authentication)
            .with(INDICES_FIELD_NAME, indices.orElse(null))
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Records a {@code connection_granted} event produced by IP filtering.
     *
     * <p>Gated on {@link AuditLevel#CONNECTION_GRANTED}; the ignore filter policies are evaluated
     * against {@code AuditEventMetaInfo.EMPTY}. The origin type is REST when the profile equals
     * {@code IPFilter.HTTP_PROFILE_NAME} and transport otherwise.
     *
     * @param inetSocketAddress    remote address of the connection
     * @param str                  name of the profile the connection arrived on
     * @param securityIpFilterRule rule that matched; its {@code toString()} is logged
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void connectionGranted(InetSocketAddress inetSocketAddress, String str, SecurityIpFilterRule securityIpFilterRule) {
        if (this.events.contains(AuditLevel.CONNECTION_GRANTED)) {
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY);
            if (!ignored) {
                new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, "connection_granted")
                    .with(ORIGIN_TYPE_FIELD_NAME, IPFilter.HTTP_PROFILE_NAME.equals(str) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE)
                    .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetSocketAddress))
                    .with(TRANSPORT_PROFILE_FIELD_NAME, str)
                    .with(RULE_FIELD_NAME, securityIpFilterRule.toString())
                    .withThreadContext(this.threadContext)
                    .build();
            }
        }
    }

    /**
     * Records a {@code connection_denied} event produced by IP filtering.
     *
     * <p>Gated on {@link AuditLevel#CONNECTION_DENIED}; the ignore filter policies are evaluated
     * against {@code AuditEventMetaInfo.EMPTY}. The origin type is REST when the profile equals
     * {@code IPFilter.HTTP_PROFILE_NAME} and transport otherwise.
     *
     * @param inetSocketAddress    remote address of the rejected connection
     * @param str                  name of the profile the connection arrived on
     * @param securityIpFilterRule rule that matched; its {@code toString()} is logged
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void connectionDenied(InetSocketAddress inetSocketAddress, String str, SecurityIpFilterRule securityIpFilterRule) {
        if (this.events.contains(AuditLevel.CONNECTION_DENIED)) {
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate().test(AuditEventMetaInfo.EMPTY);
            if (!ignored) {
                new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, IP_FILTER_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, "connection_denied")
                    .with(ORIGIN_TYPE_FIELD_NAME, IPFilter.HTTP_PROFILE_NAME.equals(str) ? REST_ORIGIN_FIELD_VALUE : TRANSPORT_ORIGIN_FIELD_VALUE)
                    .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetSocketAddress))
                    .with(TRANSPORT_PROFILE_FIELD_NAME, str)
                    .with(RULE_FIELD_NAME, securityIpFilterRule.toString())
                    .withThreadContext(this.threadContext)
                    .build();
            }
        }
    }

    /**
     * Records a {@code run_as_granted} event for a transport request.
     *
     * <p>Gated on {@link AuditLevel#RUN_AS_GRANTED} and subject to the ignore filter policies. The
     * subject fields are written by {@code withRunAsSubject} rather than {@code withAuthentication}.
     *
     * @param str               request id stored on the entry
     * @param authentication    authentication describing the run-as request
     * @param str2              action name
     * @param transportRequest  request whose simple class name, origin and indices are logged
     * @param authorizationInfo authorization details merged into the entry via {@code asMap()}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void runAsGranted(String str, Authentication authentication, String str2, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (!this.events.contains(AuditLevel.RUN_AS_GRANTED)) {
            return;
        }
        Optional<String[]> indices = indices(transportRequest);
        boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
            .test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.of(authorizationInfo), indices, Optional.of(str2)));
        if (ignored) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "run_as_granted")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRunAsSubject(authentication)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, indices.orElse(null))
            .with(authorizationInfo.asMap())
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Records a {@code run_as_denied} event for a transport request.
     *
     * <p>Gated on {@link AuditLevel#RUN_AS_DENIED} and subject to the ignore filter policies. The
     * subject fields are written by {@code withRunAsSubject} rather than {@code withAuthentication}.
     *
     * @param str               request id stored on the entry
     * @param authentication    authentication describing the run-as request
     * @param str2              action name
     * @param transportRequest  request whose simple class name, origin and indices are logged
     * @param authorizationInfo authorization details merged into the entry via {@code asMap()}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void runAsDenied(String str, Authentication authentication, String str2, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (!this.events.contains(AuditLevel.RUN_AS_DENIED)) {
            return;
        }
        Optional<String[]> indices = indices(transportRequest);
        boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
            .test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.of(authorizationInfo), indices, Optional.of(str2)));
        if (ignored) {
            return;
        }
        new LogEntryBuilder(this)
            .with(EVENT_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
            .with(EVENT_ACTION_FIELD_NAME, "run_as_denied")
            .with(ACTION_FIELD_NAME, str2)
            .with(REQUEST_NAME_FIELD_NAME, transportRequest.getClass().getSimpleName())
            .withRequestId(str)
            .withRunAsSubject(authentication)
            .withRestOrTransportOrigin(transportRequest, this.threadContext)
            .with(INDICES_FIELD_NAME, indices.orElse(null))
            .with(authorizationInfo.asMap())
            .withThreadContext(this.threadContext)
            .build();
    }

    /**
     * Records a {@code run_as_denied} event for a REST request.
     *
     * <p>Gated on {@link AuditLevel#RUN_AS_DENIED}; the ignore filter policies are evaluated against
     * the user, the API key creator realm (when present) and the authorization info, with no indices
     * or action.
     *
     * @param str               request id stored on the entry
     * @param authentication    authentication describing the run-as request
     * @param restRequest       request handed to {@code withRestUriAndMethod}, {@code withRestOrigin} and {@code withRequestBody}
     * @param authorizationInfo authorization details merged into the entry via {@code asMap()}
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void runAsDenied(String str, Authentication authentication, RestRequest restRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (this.events.contains(AuditLevel.RUN_AS_DENIED)) {
            boolean ignored = this.eventFilterPolicyRegistry.ignorePredicate()
                .test(new AuditEventMetaInfo(Optional.of(authentication.getUser()), Optional.ofNullable(ApiKeyService.getCreatorRealmName(authentication)), Optional.of(authorizationInfo), Optional.empty(), Optional.empty()));
            if (!ignored) {
                new LogEntryBuilder(this)
                    .with(EVENT_TYPE_FIELD_NAME, REST_ORIGIN_FIELD_VALUE)
                    .with(EVENT_ACTION_FIELD_NAME, "run_as_denied")
                    .with(authorizationInfo.asMap())
                    .withRestUriAndMethod(restRequest)
                    .withRunAsSubject(authentication)
                    .withRestOrigin(restRequest)
                    .withRequestBody(restRequest)
                    .withRequestId(str)
                    .withThreadContext(this.threadContext)
                    .build();
            }
        }
    }

    /**
     * Callback for the response of a coordinating action; this audit trail writes nothing for it.
     */
    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void coordinatingActionResponse(String str, Authentication authentication, String str2, TransportRequest transportRequest, TransportResponse transportResponse) {
        // Intentionally empty: no log entry is produced for this callback.
    }

    /**
     * Starts a log entry for a security configuration change, pre-filled with the event type and request id.
     *
     * <p>NOTE(review): the {@code false} constructor argument is defined by {@code LogEntryBuilder},
     * which is not visible here; confirm what it switches off.
     *
     * @param str request id stored on the entry
     * @return the builder, ready for a {@code withRequestBody} call
     */
    private LogEntryBuilder securityChangeLogEntryBuilder(String str) {
        LogEntryBuilder entry = new LogEntryBuilder(false);
        return entry
            .with(EVENT_TYPE_FIELD_NAME, SECURITY_CHANGE_ORIGIN_FIELD_VALUE)
            .withRequestId(str);
    }

    /**
     * Extracts the index names a transport request targets.
     *
     * @param transportRequest request to inspect
     * @return the request's indices when it is an {@link IndicesRequest} with a non-null index array,
     *         otherwise an empty {@link Optional}
     */
    private static Optional<String[]> indices(TransportRequest transportRequest) {
        if (transportRequest instanceof IndicesRequest) {
            IndicesRequest indicesRequest = (IndicesRequest) transportRequest;
            if (indicesRequest.indices() != null) {
                return Optional.of(indicesRequest.indices());
            }
        }
        return Optional.empty();
    }

    /**
     * Appends every setting understood by the logfile audit trail to the given list.
     *
     * <p>The settings are added in a fixed order: the six {@code emit_*} toggles, the event
     * include/exclude lists, the request-body toggle, then the five ignore-filter policy settings.
     *
     * @param list mutable list that receives the settings
     */
    public static void registerSettings(List<Setting<?>> list) {
        Setting<?>[] auditSettings = {
            EMIT_HOST_ADDRESS_SETTING,
            EMIT_HOST_NAME_SETTING,
            EMIT_NODE_NAME_SETTING,
            EMIT_NODE_ID_SETTING,
            EMIT_CLUSTER_NAME_SETTING,
            EMIT_CLUSTER_UUID_SETTING,
            INCLUDE_EVENT_SETTINGS,
            EXCLUDE_EVENT_SETTINGS,
            INCLUDE_REQUEST_BODY,
            FILTER_POLICY_IGNORE_PRINCIPALS,
            FILTER_POLICY_IGNORE_INDICES,
            FILTER_POLICY_IGNORE_ROLES,
            FILTER_POLICY_IGNORE_REALMS,
            FILTER_POLICY_IGNORE_ACTIONS,
        };
        for (Setting<?> auditSetting : auditSettings) {
            list.add(auditSetting);
        }
    }

    /**
     * Refreshes the cached local-node details from the cluster state carried by the event.
     *
     * @param clusterChangedEvent event whose state supplies the current local node
     */
    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        DiscoveryNode localNode = clusterChangedEvent.state().getNodes().getLocalNode();
        updateLocalNodeInfo(localNode);
    }

    /**
     * Replaces the common entry fields when the local node is unset or differs from the given node.
     *
     * @param discoveryNode node to compare against the currently recorded local node
     */
    void updateLocalNodeInfo(DiscoveryNode discoveryNode) {
        EntryCommonFields current = this.entryCommonFields;
        boolean sameNode = current.localNode != null && current.localNode.equals(discoveryNode);
        if (sameNode) {
            return;
        }
        // The field is read again here, as before, rather than reusing the local read above.
        this.entryCommonFields = this.entryCommonFields.withNewLocalNode(discoveryNode);
    }

    // Static initialisation of the class logger, the audit settings and the audit log marker.
    // Statement order matters: DEFAULT_EVENT_INCLUDES and FILTER_POLICY_PREFIX are assigned before
    // the settings that use them.
    static {
        // True when assertions are disabled for this class; guards the assertion-style checks in the methods.
        $assertionsDisabled = !LoggingAuditTrail.class.desiredAssertionStatus();
        LOGGER = LogManager.getLogger(LoggingAuditTrail.class);
        // Boolean toggles for node and cluster identity fields. Host address, host name, node name and
        // cluster name default to false; node id and cluster UUID default to true. Like every setting
        // below they are node-scoped and Dynamic.
        EMIT_HOST_ADDRESS_SETTING = Setting.boolSetting(SecurityField.setting("audit.logfile.emit_node_host_address"), false, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        EMIT_HOST_NAME_SETTING = Setting.boolSetting(SecurityField.setting("audit.logfile.emit_node_host_name"), false, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        EMIT_NODE_NAME_SETTING = Setting.boolSetting(SecurityField.setting("audit.logfile.emit_node_name"), false, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        EMIT_NODE_ID_SETTING = Setting.boolSetting(SecurityField.setting("audit.logfile.emit_node_id"), true, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        EMIT_CLUSTER_NAME_SETTING = Setting.boolSetting(SecurityField.setting("audit.logfile.emit_cluster_name"), false, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        EMIT_CLUSTER_UUID_SETTING = Setting.boolSetting(SecurityField.setting("audit.logfile.emit_cluster_uuid"), true, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        // Event types audited when events.include is not set. REALM_AUTHENTICATION_FAILED,
        // CONNECTION_GRANTED and SYSTEM_ACCESS_GRANTED, which this class also checks, are not in this list.
        DEFAULT_EVENT_INCLUDES = Arrays.asList(AuditLevel.ACCESS_DENIED.toString(), AuditLevel.ACCESS_GRANTED.toString(), AuditLevel.ANONYMOUS_ACCESS_DENIED.toString(), AuditLevel.AUTHENTICATION_FAILED.toString(), AuditLevel.CONNECTION_DENIED.toString(), AuditLevel.TAMPERED_REQUEST.toString(), AuditLevel.RUN_AS_DENIED.toString(), AuditLevel.RUN_AS_GRANTED.toString(), AuditLevel.SECURITY_CONFIG_CHANGE.toString());
        // The validators call AuditLevel.parse and discard the result; presumably parse rejects
        // unknown event names - confirm in AuditLevel.
        INCLUDE_EVENT_SETTINGS = Setting.listSetting(SecurityField.setting("audit.logfile.events.include"), DEFAULT_EVENT_INCLUDES, Function.identity(), list -> {
            AuditLevel.parse(list, List.of());
        }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        EXCLUDE_EVENT_SETTINGS = Setting.listSetting(SecurityField.setting("audit.logfile.events.exclude"), Collections.emptyList(), Function.identity(), list2 -> {
            AuditLevel.parse(List.of(), list2);
        }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        // Request-body logging is off by default.
        // NOTE(review): request bodies can carry sensitive data; how the builder treats it is not visible here.
        INCLUDE_REQUEST_BODY = Setting.boolSetting(SecurityField.setting("audit.logfile.events.emit_request_body"), false, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        // Action names treated as security configuration changes; accessGranted expects one request
        // type per name and throws IllegalStateException for a listed action it cannot map.
        SECURITY_CHANGE_ACTIONS = Set.of((Object[]) new String[]{"cluster:admin/xpack/security/user/put", "cluster:admin/xpack/security/role/put", "cluster:admin/xpack/security/role_mapping/put", "cluster:admin/xpack/security/user/set_enabled", "cluster:admin/xpack/security/user/change_password", "cluster:admin/xpack/security/api_key/create", "cluster:admin/xpack/security/api_key/grant", "cluster:admin/xpack/security/privilege/put", "cluster:admin/xpack/security/user/delete", "cluster:admin/xpack/security/role/delete", "cluster:admin/xpack/security/role_mapping/delete", "cluster:admin/xpack/security/api_key/invalidate", "cluster:admin/xpack/security/privilege/delete", "cluster:admin/xpack/security/service_account/token/create", "cluster:admin/xpack/security/service_account/token/delete", "cluster:admin/xpack/security/profile/activate", "cluster:admin/xpack/security/profile/put/data", "cluster:admin/xpack/security/profile/set_enabled"});
        // Ignore-filter policies: affix settings under the prefix below, one list each for users,
        // realms, roles, indices and actions. Each list defaults to ["*"] and is passed through
        // EventFilterPolicy.parsePredicate by its validator.
        // NOTE(review): these policies suppress audit entries and are Dynamic; the permissions needed
        // to change them are enforced outside this file.
        FILTER_POLICY_PREFIX = SecurityField.setting("audit.logfile.events.ignore_filters.");
        FILTER_POLICY_IGNORE_PRINCIPALS = Setting.affixKeySetting(FILTER_POLICY_PREFIX, "users", str -> {
            return Setting.listSetting(str, Collections.singletonList("*"), Function.identity(), list3 -> {
                EventFilterPolicy.parsePredicate(list3);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        }, new Setting.AffixSettingDependency[0]);
        FILTER_POLICY_IGNORE_REALMS = Setting.affixKeySetting(FILTER_POLICY_PREFIX, "realms", str2 -> {
            return Setting.listSetting(str2, Collections.singletonList("*"), Function.identity(), list3 -> {
                EventFilterPolicy.parsePredicate(list3);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        }, new Setting.AffixSettingDependency[0]);
        FILTER_POLICY_IGNORE_ROLES = Setting.affixKeySetting(FILTER_POLICY_PREFIX, "roles", str3 -> {
            return Setting.listSetting(str3, Collections.singletonList("*"), Function.identity(), list3 -> {
                EventFilterPolicy.parsePredicate(list3);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        }, new Setting.AffixSettingDependency[0]);
        FILTER_POLICY_IGNORE_INDICES = Setting.affixKeySetting(FILTER_POLICY_PREFIX, INDICES_FIELD_NAME, str4 -> {
            return Setting.listSetting(str4, Collections.singletonList("*"), Function.identity(), list3 -> {
                EventFilterPolicy.parsePredicate(list3);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        }, new Setting.AffixSettingDependency[0]);
        FILTER_POLICY_IGNORE_ACTIONS = Setting.affixKeySetting(FILTER_POLICY_PREFIX, "actions", str5 -> {
            return Setting.listSetting(str5, Collections.singletonList("*"), Function.identity(), list3 -> {
                EventFilterPolicy.parsePredicate(list3);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        }, new Setting.AffixSettingDependency[0]);
        // Log4j marker obtained once for the audit package name.
        AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");
    }
}
