package org.elasticsearch.xpack.security.transport;

import java.util.HashSet;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Strings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
import org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders;
import org.elasticsearch.xpack.security.authz.AuthorizationService;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/CrossClusterAccessServerTransportFilter.class */
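/**
 * Server-side transport filter for cross cluster requests that arrive through the dedicated
 * remote cluster server port.
 *
 * <p>Before a request is handed to the {@link CrossClusterAccessAuthenticationService}, this
 * filter checks, in order:
 * <ol>
 *   <li>that the license permits {@code Security.ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE};</li>
 *   <li>that both required cross cluster access headers are present in the thread context;</li>
 *   <li>that every header in the thread context is on {@link #ALLOWED_TRANSPORT_HEADERS}.</li>
 * </ol>
 * Any failure is reported through the listener and logged at debug level; nothing is thrown to
 * the caller of {@link #authenticate}.
 */
final class CrossClusterAccessServerTransportFilter extends ServerTransportFilter {
    private static final Logger logger = LogManager.getLogger(CrossClusterAccessServerTransportFilter.class);

    /** Thread-context key of the subject info header; required on every request and allow-listed. */
    private static final String SUBJECT_INFO_HEADER_KEY = "_cross_cluster_access_subject_info";

    /**
     * Exhaustive allow-list of thread-context header names accepted on this port. A request that
     * carries any header outside this set is rejected before authentication is attempted.
     */
    static final Set<String> ALLOWED_TRANSPORT_HEADERS;

    private final CrossClusterAccessAuthenticationService crossClusterAccessAuthcService;
    private final XPackLicenseState licenseState;

    /**
     * Creates the filter.
     *
     * @param crossClusterAccessAuthenticationService authenticates the cross cluster access
     *     headers; its underlying authentication service is handed to the superclass
     * @param authorizationService passed through to the superclass
     * @param threadContext thread context whose headers are validated
     * @param z passed through to the superclass; its meaning is not visible in this class
     * @param destructiveOperations passed through to the superclass
     * @param securityContext passed through to the superclass
     * @param xPackLicenseState license state consulted on every {@link #authenticate} call
     */
    // Decompiler note: the access modifier was package-private in the compiled class.
    public CrossClusterAccessServerTransportFilter(CrossClusterAccessAuthenticationService crossClusterAccessAuthenticationService, AuthorizationService authorizationService, ThreadContext threadContext, boolean z, DestructiveOperations destructiveOperations, SecurityContext securityContext, XPackLicenseState xPackLicenseState) {
        super(crossClusterAccessAuthenticationService.getAuthenticationService(), authorizationService, threadContext, z, destructiveOperations, securityContext);
        this.crossClusterAccessAuthcService = crossClusterAccessAuthenticationService;
        this.licenseState = xPackLicenseState;
    }

    /**
     * Authenticates a cross cluster request after the license and header checks have passed.
     *
     * @param str the transport action name
     * @param transportRequest the incoming request
     * @param actionListener receives the authentication result, or the exception that caused the
     *     request to be rejected
     */
    @Override // org.elasticsearch.xpack.security.transport.ServerTransportFilter
    protected void authenticate(String str, TransportRequest transportRequest, ActionListener<Authentication> actionListener) {
        // The license gate runs first, so an unlicensed cluster never inspects the headers.
        if (Security.ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE.check(this.licenseState) == false) {
            onFailureWithDebugLog(str, transportRequest, actionListener, LicenseUtils.newComplianceException(Security.ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE.getName()));
            return;
        }
        try {
            validateHeaders();
            this.crossClusterAccessAuthcService.authenticate(str, transportRequest, actionListener);
        } catch (Exception e) {
            // NOTE(review): this also catches exceptions thrown synchronously by the authentication
            // service. Presumably that service never completes the listener and then throws, which
            // would notify the listener twice; confirm against its implementation.
            onFailureWithDebugLog(str, transportRequest, actionListener, e);
        }
    }

    /**
     * Checks that both required headers are present and that no header outside
     * {@link #ALLOWED_TRANSPORT_HEADERS} is set.
     *
     * @throws IllegalArgumentException if a required header is missing or a disallowed header is
     *     present; the message names the header but never includes its value
     */
    private void validateHeaders() {
        final ThreadContext context = getThreadContext();
        ensureRequiredHeaderInContext(context, CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY);
        ensureRequiredHeaderInContext(context, SUBJECT_INFO_HEADER_KEY);
        // Presence is checked first, so a missing-credentials error takes precedence over a
        // disallowed-header error when both apply.
        for (String headerName : context.getHeaders().keySet()) {
            if (ALLOWED_TRANSPORT_HEADERS.contains(headerName) == false) {
                throw new IllegalArgumentException("Transport request header [" + headerName + "] is not allowed for cross cluster requests through the dedicated remote cluster server port");
            }
        }
    }

    /**
     * Fails if the named header has no value in the thread context.
     *
     * @throws IllegalArgumentException if the header is absent
     */
    private void ensureRequiredHeaderInContext(ThreadContext threadContext, String headerName) {
        if (threadContext.getHeader(headerName) == null) {
            throw new IllegalArgumentException("Cross cluster requests through the dedicated remote cluster server port require transport header [" + headerName + "] but none found. Please ensure you have configured remote cluster credentials on the cluster originating the request.");
        }
    }

    /**
     * Logs the rejection at debug level, with the cause attached, and fails the listener with that
     * same exception. The log line carries the request class and action name only.
     */
    private static void onFailureWithDebugLog(String action, TransportRequest request, ActionListener<Authentication> listener, Exception cause) {
        logger.debug(() -> Strings.format("Cross cluster access request [%s] for action [%s] rejected before authentication", request.getClass(), action), cause);
        listener.onFailure(cause);
    }

    static {
        // Allow-list = the two cross cluster access headers, the audit request id, and the headers
        // that Task.HEADERS_TO_COPY names. Set.copyOf publishes it as an unmodifiable set.
        final Set<String> allowed = new HashSet<>(Set.of(CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY, SUBJECT_INFO_HEADER_KEY));
        allowed.add(AuditUtil.AUDIT_REQUEST_ID);
        allowed.addAll(Task.HEADERS_TO_COPY);
        ALLOWED_TRANSPORT_HEADERS = Set.copyOf(allowed);
    }
}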
