package org.elasticsearch.xpack.security.authc;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Strings;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.action.apikey.ApiKey;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.Authenticator;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/CrossClusterAccessAuthenticationService.class */
public class CrossClusterAccessAuthenticationService {
    private static final Logger logger;
    private final ClusterService clusterService;
    private final ApiKeyService apiKeyService;
    private final AuthenticationService authenticationService;
    static final /* synthetic */ boolean $assertionsDisabled;

    public CrossClusterAccessAuthenticationService(ClusterService clusterService, ApiKeyService apiKeyService, AuthenticationService authenticationService) {
        this.clusterService = clusterService;
        this.apiKeyService = apiKeyService;
        this.authenticationService = authenticationService;
    }

    public void authenticate(String str, TransportRequest transportRequest, ActionListener<Authentication> actionListener) {
        Authenticator.Context newContext = this.authenticationService.newContext(str, transportRequest, false);
        ThreadContext threadContext = newContext.getThreadContext();
        try {
            CrossClusterAccessHeaders readFromContext = CrossClusterAccessHeaders.readFromContext(threadContext);
            ApiKeyService.ApiKeyCredentials credentials = readFromContext.credentials();
            if (!$assertionsDisabled && ApiKey.Type.CROSS_CLUSTER != credentials.getExpectedType()) {
                throw new AssertionError();
            }
            newContext.addAuthenticationToken(credentials);
            this.apiKeyService.ensureEnabled();
            if (getMinTransportVersion().before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY_CCR)) {
                withRequestProcessingFailure(newContext, new IllegalArgumentException("all nodes must have transport version [" + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY_CCR + "] or higher to support cross cluster requests through the dedicated remote cluster port"), actionListener);
                return;
            }
            if (!$assertionsDisabled) {
                Stream stream = threadContext.getHeaders().keySet().stream();
                Set set = ClientHelper.SECURITY_HEADER_FILTERS;
                Objects.requireNonNull(set);
                if (!stream.noneMatch((v1) -> {
                    return r1.contains(v1);
                })) {
                    throw new AssertionError();
                }
            }
            ThreadContext.StoredContext newStoredContext = threadContext.newStoredContext(Collections.emptyList(), List.of(CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY, "_cross_cluster_access_subject_info"));
            try {
                Supplier newRestorableContext = threadContext.newRestorableContext(false);
                AuthenticationService authenticationService = this.authenticationService;
                CheckedConsumer checkedConsumer = authentication -> {
                    if (!$assertionsDisabled && !authentication.isApiKey()) {
                        throw new AssertionError("initial authentication for cross cluster access must be by API key");
                    }
                    if (!$assertionsDisabled && false != authentication.isRunAs()) {
                        throw new AssertionError("initial authentication for cross cluster access cannot be run-as");
                    }
                    try {
                        writeAuthToContext(newContext, authentication.toCrossClusterAccess(readFromContext.getCleanAndValidatedSubjectInfo()), actionListener);
                    } catch (Exception e) {
                        withRequestProcessingFailure(newContext, e, actionListener);
                    }
                };
                Objects.requireNonNull(actionListener);
                authenticationService.authenticate(newContext, (ActionListener<Authentication>) new ContextPreservingActionListener(newRestorableContext, ActionListener.wrap(checkedConsumer, actionListener::onFailure)));
                if (newStoredContext != null) {
                    newStoredContext.close();
                }
            } catch (Throwable th) {
                if (newStoredContext != null) {
                    try {
                        newStoredContext.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Exception e) {
            withRequestProcessingFailure(newContext, e, actionListener);
        }
    }

    public AuthenticationService getAuthenticationService() {
        return this.authenticationService;
    }

    private TransportVersion getMinTransportVersion() {
        return this.clusterService.state().getMinTransportVersion();
    }

    private static void withRequestProcessingFailure(Authenticator.Context context, Exception exc, ActionListener<Authentication> actionListener) {
        logger.debug(() -> {
            return Strings.format("Failed to authenticate cross cluster access for request [%s]", new Object[]{context.getRequest()});
        }, exc);
        ElasticsearchSecurityException exceptionProcessingRequest = context.getRequest().exceptionProcessingRequest(exc, context.getMostRecentAuthenticationToken());
        context.addUnsuccessfulMessageToMetadata(exceptionProcessingRequest);
        actionListener.onFailure(exceptionProcessingRequest);
    }

    private void writeAuthToContext(Authenticator.Context context, Authentication authentication, ActionListener<Authentication> actionListener) {
        try {
            authentication.writeToContext(context.getThreadContext());
            context.getRequest().authenticationSuccess(authentication);
            logger.trace("Established authentication [{}] for cross cluster request [{}]", authentication, context.getRequest());
            actionListener.onResponse(authentication);
        } catch (Exception e) {
            logger.debug(() -> {
                return Strings.format("Failed to store authentication [%s] for cross cluster request [%s]", new Object[]{authentication, context.getRequest()});
            }, e);
            withRequestProcessingFailure(context, e, actionListener);
        }
    }

    static {
        $assertionsDisabled = !CrossClusterAccessAuthenticationService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(CrossClusterAccessAuthenticationService.class);
    }
}
