package org.elasticsearch.xpack.security.support;

import java.util.Collection;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Executor;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceAlreadyExistsException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.ClusterStateTaskListener;
import org.elasticsearch.cluster.NotMasterException;
import org.elasticsearch.cluster.SimpleBatchedExecutor;
import org.elasticsearch.cluster.coordination.FailedToCommitClusterStateException;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.metadata.Metadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.cluster.service.MasterServiceTaskQueue;
import org.elasticsearch.common.Priority;
import org.elasticsearch.common.collect.ImmutableOpenMap;
import org.elasticsearch.common.component.LifecycleListener;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.features.FeatureService;
import org.elasticsearch.features.NodeFeature;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.engine.DocumentMissingException;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.indices.IndexClosedException;
import org.elasticsearch.indices.IndexPrimaryShardNotAllocatedException;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
import org.elasticsearch.xpack.security.support.QueryableBuiltInRoles;

/* loaded from: input_file:org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer.class */
public final class QueryableBuiltInRolesSynchronizer implements ClusterStateListener {
    private static final Logger logger;
    public static final boolean QUERYABLE_BUILT_IN_ROLES_ENABLED;
    public static final NodeFeature QUERYABLE_BUILT_IN_ROLES_FEATURE;
    public static final String METADATA_QUERYABLE_BUILT_IN_ROLES_DIGEST_KEY = "queryable_built_in_roles_digest";
    private static final SimpleBatchedExecutor<MarkRolesAsSyncedTask, Map<String, String>> MARK_ROLES_AS_SYNCED_TASK_EXECUTOR;
    private final MasterServiceTaskQueue<MarkRolesAsSyncedTask> markRolesAsSyncedTaskQueue;
    private final ClusterService clusterService;
    private final FeatureService featureService;
    private final QueryableBuiltInRoles.Provider rolesProvider;
    private final NativeRolesStore nativeRolesStore;
    private final Executor executor;
    static final int MAX_FAILED_SYNC_ATTEMPTS = 10;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final AtomicBoolean synchronizationInProgress = new AtomicBoolean(false);
    private volatile boolean securityIndexDeleted = false;
    private final AtomicInteger failedSyncAttempts = new AtomicInteger(0);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer$BulkDeleteRolesResponseException.class */
    public static class BulkDeleteRolesResponseException extends BulkRolesResponseException {
        BulkDeleteRolesResponseException(Map<String, Exception> map) {
            super("Failed to bulk delete built-in roles", map);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer$BulkIndexRolesResponseException.class */
    public static class BulkIndexRolesResponseException extends BulkRolesResponseException {
        BulkIndexRolesResponseException(Map<String, Exception> map) {
            super("Failed to bulk create/update built-in roles", map);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer$BulkRolesResponseException.class */
    public static abstract class BulkRolesResponseException extends RuntimeException {
        private final Map<String, Exception> failures;
        static final /* synthetic */ boolean $assertionsDisabled;

        BulkRolesResponseException(String str, Map<String, Exception> map) {
            super(str);
            if (!$assertionsDisabled && (map == null || map.isEmpty())) {
                throw new AssertionError();
            }
            this.failures = map;
            map.values().forEach((v1) -> {
                addSuppressed(v1);
            });
        }

        Map<String, Exception> getFailures() {
            return this.failures;
        }

        static {
            $assertionsDisabled = !QueryableBuiltInRolesSynchronizer.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer$FailedToMarkBuiltInRolesAsSyncedException.class */
    public static class FailedToMarkBuiltInRolesAsSyncedException extends RuntimeException {
        FailedToMarkBuiltInRolesAsSyncedException(String str) {
            super(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/support/QueryableBuiltInRolesSynchronizer$MarkRolesAsSyncedTask.class */
    public static class MarkRolesAsSyncedTask implements ClusterStateTaskListener {
        private final ActionListener<Map<String, String>> listener;
        private final String concreteSecurityIndexName;
        private final Map<String, String> expectedRoleDigests;
        private final Map<String, String> newRoleDigests;

        MarkRolesAsSyncedTask(ActionListener<Map<String, String>> actionListener, String str, @Nullable Map<String, String> map, @Nullable Map<String, String> map2) {
            this.listener = actionListener;
            this.concreteSecurityIndexName = str;
            this.expectedRoleDigests = map;
            this.newRoleDigests = map2;
        }

        public Map<String, String> getNewRoleDigests() {
            return this.newRoleDigests;
        }

        Tuple<ClusterState, Map<String, String>> execute(ClusterState clusterState) {
            IndexMetadata index = clusterState.metadata().index(this.concreteSecurityIndexName);
            if (index == null) {
                throw new IndexNotFoundException(this.concreteSecurityIndexName);
            }
            Map customData = index.getCustomData(QueryableBuiltInRolesSynchronizer.METADATA_QUERYABLE_BUILT_IN_ROLES_DIGEST_KEY);
            if (!Objects.equals(this.expectedRoleDigests, customData)) {
                return new Tuple<>(clusterState, customData);
            }
            IndexMetadata.Builder builder = IndexMetadata.builder(index);
            if (this.newRoleDigests != null) {
                builder.putCustom(QueryableBuiltInRolesSynchronizer.METADATA_QUERYABLE_BUILT_IN_ROLES_DIGEST_KEY, this.newRoleDigests);
            } else {
                builder.removeCustom(QueryableBuiltInRolesSynchronizer.METADATA_QUERYABLE_BUILT_IN_ROLES_DIGEST_KEY);
            }
            builder.version(builder.version() + 1);
            ImmutableOpenMap.Builder builder2 = ImmutableOpenMap.builder(clusterState.metadata().indices());
            builder2.put(this.concreteSecurityIndexName, builder.build());
            return new Tuple<>(ClusterState.builder(clusterState).metadata(Metadata.builder(clusterState.metadata()).indices(builder2.build()).build()).build(), this.newRoleDigests);
        }

        void success(Map<String, String> map) {
            this.listener.onResponse(map);
        }

        public void onFailure(Exception exc) {
            this.listener.onFailure(exc);
        }
    }

    public QueryableBuiltInRolesSynchronizer(final ClusterService clusterService, FeatureService featureService, QueryableBuiltInRolesProviderFactory queryableBuiltInRolesProviderFactory, NativeRolesStore nativeRolesStore, ReservedRolesStore reservedRolesStore, FileRolesStore fileRolesStore, ThreadPool threadPool) {
        this.clusterService = clusterService;
        this.featureService = featureService;
        this.rolesProvider = queryableBuiltInRolesProviderFactory.createProvider(reservedRolesStore, fileRolesStore);
        this.nativeRolesStore = nativeRolesStore;
        this.executor = threadPool.generic();
        this.markRolesAsSyncedTaskQueue = clusterService.createTaskQueue("mark-built-in-roles-as-synced-task-queue", Priority.LOW, MARK_ROLES_AS_SYNCED_TASK_EXECUTOR);
        this.rolesProvider.addListener(this::builtInRolesChanged);
        this.clusterService.addLifecycleListener(new LifecycleListener() { // from class: org.elasticsearch.xpack.security.support.QueryableBuiltInRolesSynchronizer.2
            public void beforeStop() {
                clusterService.removeListener(QueryableBuiltInRolesSynchronizer.this);
            }

            public void beforeStart() {
                clusterService.addListener(QueryableBuiltInRolesSynchronizer.this);
            }
        });
    }

    private void builtInRolesChanged(QueryableBuiltInRoles queryableBuiltInRoles) {
        logger.debug("Built-in roles changed, attempting to sync to .security index");
        if (shouldSyncBuiltInRoles(this.clusterService.state())) {
            syncBuiltInRoles(queryableBuiltInRoles);
        }
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        ClusterState state = clusterChangedEvent.state();
        if (isSecurityIndexDeleted(clusterChangedEvent)) {
            this.securityIndexDeleted = true;
            logger.trace("Received security index deletion event, skipping built-in roles synchronization");
            return;
        }
        if (isSecurityIndexCreatedOrRecovered(clusterChangedEvent)) {
            this.securityIndexDeleted = false;
            logger.trace("Security index has been created/recovered, attempting to sync built-in roles");
        }
        if (shouldSyncBuiltInRoles(state)) {
            syncBuiltInRoles(this.rolesProvider.getRoles());
        }
    }

    public boolean isSynchronizationInProgress() {
        return this.synchronizationInProgress.get();
    }

    private void syncBuiltInRoles(QueryableBuiltInRoles queryableBuiltInRoles) {
        if (this.synchronizationInProgress.compareAndSet(false, true)) {
            try {
                Map<String, String> readIndexedBuiltInRolesDigests = readIndexedBuiltInRolesDigests(this.clusterService.state());
                if (queryableBuiltInRoles.rolesDigest().equals(readIndexedBuiltInRolesDigests)) {
                    logger.debug("Security index already contains the latest built-in roles indexed, skipping roles synchronization");
                    resetFailedSyncAttempts();
                    this.synchronizationInProgress.set(false);
                } else {
                    this.executor.execute(() -> {
                        doSyncBuiltinRoles(readIndexedBuiltInRolesDigests, queryableBuiltInRoles, ActionListener.wrap(r6 -> {
                            logger.info("Successfully synced [{}] built-in roles to .security index", Integer.valueOf(queryableBuiltInRoles.roleDescriptors().size()));
                            resetFailedSyncAttempts();
                            this.synchronizationInProgress.set(false);
                        }, exc -> {
                            handleException(exc);
                            this.synchronizationInProgress.set(false);
                        }));
                    });
                }
            } catch (Exception e) {
                logger.error("Failed to sync built-in roles", e);
                this.failedSyncAttempts.incrementAndGet();
                this.synchronizationInProgress.set(false);
            }
        }
    }

    private void handleException(Exception exc) {
        boolean z = false;
        if (exc instanceof BulkRolesResponseException) {
            BulkRolesResponseException bulkRolesResponseException = (BulkRolesResponseException) exc;
            boolean z2 = bulkRolesResponseException instanceof BulkDeleteRolesResponseException;
            for (Map.Entry<String, Exception> entry : bulkRolesResponseException.getFailures().entrySet()) {
                Object[] objArr = new Object[2];
                objArr[0] = z2 ? LoggingAuditTrail.DELETE_CONFIG_FIELD_NAME : "create/update";
                objArr[1] = entry.getKey();
                String format = Strings.format("Failed to [%s] built-in role [%s]", objArr);
                if (isExpectedFailure(entry.getValue())) {
                    logger.info(format, entry.getValue());
                } else {
                    z = true;
                    logger.warn(format, entry.getValue());
                }
            }
        } else if (isExpectedFailure(exc)) {
            logger.info("Failed to sync built-in roles to .security index", exc);
        } else {
            z = true;
            logger.warn("Failed to sync built-in roles to .security index due to unexpected exception", exc);
        }
        if (z) {
            this.failedSyncAttempts.incrementAndGet();
        }
    }

    private void resetFailedSyncAttempts() {
        if (this.failedSyncAttempts.get() > 0) {
            logger.trace("resetting failed sync attempts to 0");
            this.failedSyncAttempts.set(0);
        }
    }

    int getFailedSyncAttempts() {
        return this.failedSyncAttempts.get();
    }

    private static boolean isExpectedFailure(Exception exc) {
        Throwable unwrapCause = ExceptionsHelper.unwrapCause(exc);
        return ExceptionsHelper.isNodeOrShardUnavailableTypeException(unwrapCause) || TransportActions.isShardNotAvailableException(unwrapCause) || (unwrapCause instanceof IndexClosedException) || (unwrapCause instanceof IndexPrimaryShardNotAllocatedException) || (unwrapCause instanceof NotMasterException) || (unwrapCause instanceof ResourceAlreadyExistsException) || (unwrapCause instanceof VersionConflictEngineException) || (unwrapCause instanceof DocumentMissingException) || (unwrapCause instanceof FailedToMarkBuiltInRolesAsSyncedException) || ((exc instanceof FailedToCommitClusterStateException) && "node closed".equals(unwrapCause.getMessage()));
    }

    private boolean shouldSyncBuiltInRoles(ClusterState clusterState) {
        if (false == clusterState.nodes().isLocalNodeElectedMaster()) {
            logger.trace("Local node is not the master, skipping built-in roles synchronization");
            return false;
        }
        if (this.failedSyncAttempts.get() >= MAX_FAILED_SYNC_ATTEMPTS) {
            logger.debug("Failed to sync built-in roles to .security index [{}] times. Skipping built-in roles synchronization.", Integer.valueOf(this.failedSyncAttempts.get()));
            return false;
        }
        if (false == clusterState.clusterRecovered()) {
            logger.trace("Cluster state has not recovered yet, skipping built-in roles synchronization");
            return false;
        }
        if (!this.nativeRolesStore.isEnabled()) {
            logger.trace("Native roles store is not enabled, skipping built-in roles synchronization");
            return false;
        }
        if (clusterState.nodes().getDataNodes().isEmpty()) {
            logger.trace("No data nodes in the cluster, skipping built-in roles synchronization");
            return false;
        }
        if (clusterState.nodes().isMixedVersionCluster()) {
            logger.trace("Not all nodes are on the same version, skipping built-in roles synchronization");
            return false;
        }
        if (false == this.featureService.clusterHasFeature(clusterState, QUERYABLE_BUILT_IN_ROLES_FEATURE)) {
            logger.trace("Not all nodes support queryable built-in roles feature, skipping built-in roles synchronization");
            return false;
        }
        if (this.securityIndexDeleted) {
            logger.trace("Security index is deleted, skipping built-in roles synchronization");
            return false;
        }
        if (!isSecurityIndexClosed(clusterState)) {
            return true;
        }
        logger.trace("Security index is closed, skipping built-in roles synchronization");
        return false;
    }

    private void doSyncBuiltinRoles(Map<String, String> map, QueryableBuiltInRoles queryableBuiltInRoles, ActionListener<Void> actionListener) {
        Set<RoleDescriptor> determineRolesToUpsert = QueryableBuiltInRolesUtils.determineRolesToUpsert(queryableBuiltInRoles, map);
        Set<String> determineRolesToDelete = QueryableBuiltInRolesUtils.determineRolesToDelete(queryableBuiltInRoles, map);
        if (!$assertionsDisabled && !Sets.intersection((Set) determineRolesToUpsert.stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.toSet()), determineRolesToDelete).isEmpty()) {
            throw new AssertionError("The roles to upsert and delete should not have any common roles");
        }
        if (!determineRolesToUpsert.isEmpty() || !determineRolesToDelete.isEmpty()) {
            indexRoles(determineRolesToUpsert, actionListener.delegateFailureAndWrap((actionListener2, r12) -> {
                deleteRoles(determineRolesToDelete, actionListener2.delegateFailureAndWrap((actionListener2, r9) -> {
                    markRolesAsSynced(map, queryableBuiltInRoles.rolesDigest(), actionListener2);
                }));
            }));
        } else {
            logger.debug("No changes to built-in roles to sync to .security index");
            actionListener.onResponse((Object) null);
        }
    }

    private void deleteRoles(Set<String> set, ActionListener<Void> actionListener) {
        if (set.isEmpty()) {
            actionListener.onResponse((Object) null);
            return;
        }
        NativeRolesStore nativeRolesStore = this.nativeRolesStore;
        WriteRequest.RefreshPolicy refreshPolicy = WriteRequest.RefreshPolicy.IMMEDIATE;
        CheckedConsumer checkedConsumer = bulkRolesResponse -> {
            Map map = (Map) bulkRolesResponse.getItems().stream().filter((v0) -> {
                return v0.isFailed();
            }).collect(Collectors.toMap((v0) -> {
                return v0.getRoleName();
            }, (v0) -> {
                return v0.getCause();
            }));
            if (map.isEmpty()) {
                actionListener.onResponse((Object) null);
            } else {
                actionListener.onFailure(new BulkDeleteRolesResponseException(map));
            }
        };
        Objects.requireNonNull(actionListener);
        nativeRolesStore.deleteRoles(set, refreshPolicy, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void indexRoles(Collection<RoleDescriptor> collection, ActionListener<Void> actionListener) {
        if (collection.isEmpty()) {
            actionListener.onResponse((Object) null);
            return;
        }
        NativeRolesStore nativeRolesStore = this.nativeRolesStore;
        WriteRequest.RefreshPolicy refreshPolicy = WriteRequest.RefreshPolicy.IMMEDIATE;
        CheckedConsumer checkedConsumer = bulkRolesResponse -> {
            Map map = (Map) bulkRolesResponse.getItems().stream().filter((v0) -> {
                return v0.isFailed();
            }).collect(Collectors.toMap((v0) -> {
                return v0.getRoleName();
            }, (v0) -> {
                return v0.getCause();
            }));
            if (map.isEmpty()) {
                actionListener.onResponse((Object) null);
            } else {
                actionListener.onFailure(new BulkIndexRolesResponseException(map));
            }
        };
        Objects.requireNonNull(actionListener);
        nativeRolesStore.putRoles(refreshPolicy, collection, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private boolean isSecurityIndexDeleted(ClusterChangedEvent clusterChangedEvent) {
        return resolveSecurityIndexMetadata(clusterChangedEvent.previousState().metadata()) != null && resolveSecurityIndexMetadata(clusterChangedEvent.state().metadata()) == null;
    }

    private boolean isSecurityIndexCreatedOrRecovered(ClusterChangedEvent clusterChangedEvent) {
        return resolveSecurityIndexMetadata(clusterChangedEvent.previousState().metadata()) == null && resolveSecurityIndexMetadata(clusterChangedEvent.state().metadata()) != null;
    }

    private boolean isSecurityIndexClosed(ClusterState clusterState) {
        IndexMetadata resolveSecurityIndexMetadata = resolveSecurityIndexMetadata(clusterState.metadata());
        return resolveSecurityIndexMetadata != null && resolveSecurityIndexMetadata.getState() == IndexMetadata.State.CLOSE;
    }

    private void markRolesAsSynced(Map<String, String> map, Map<String, String> map2, ActionListener<Void> actionListener) {
        IndexMetadata resolveSecurityIndexMetadata = resolveSecurityIndexMetadata(this.clusterService.state().metadata());
        if (resolveSecurityIndexMetadata == null) {
            actionListener.onFailure(new IndexNotFoundException(SecuritySystemIndices.SECURITY_MAIN_ALIAS));
        } else {
            this.markRolesAsSyncedTaskQueue.submitTask("mark built-in roles as synced task", new MarkRolesAsSyncedTask(actionListener.delegateFailureAndWrap((actionListener2, map3) -> {
                if (map2.equals(map3)) {
                    actionListener2.onResponse((Object) null);
                } else {
                    logger.debug(() -> {
                        return Strings.format("Another master node most probably indexed a newer versions of built-in roles in the meantime. Expected: [%s], Actual: [%s]", new Object[]{map2, map3});
                    });
                    actionListener2.onFailure(new FailedToMarkBuiltInRolesAsSyncedException("Failed to mark built-in roles as synced. The expected role digests have changed."));
                }
            }), resolveSecurityIndexMetadata.getIndex().getName(), map, map2), (TimeValue) null);
        }
    }

    private Map<String, String> readIndexedBuiltInRolesDigests(ClusterState clusterState) {
        IndexMetadata resolveSecurityIndexMetadata = resolveSecurityIndexMetadata(clusterState.metadata());
        if (resolveSecurityIndexMetadata == null) {
            return null;
        }
        return resolveSecurityIndexMetadata.getCustomData(METADATA_QUERYABLE_BUILT_IN_ROLES_DIGEST_KEY);
    }

    private static IndexMetadata resolveSecurityIndexMetadata(Metadata metadata) {
        return SecurityIndexManager.resolveConcreteIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS, metadata);
    }

    static {
        $assertionsDisabled = !QueryableBuiltInRolesSynchronizer.class.desiredAssertionStatus();
        logger = LogManager.getLogger(QueryableBuiltInRolesSynchronizer.class);
        String property = System.getProperty("es.queryable_built_in_roles_enabled");
        if ("false".equals(property)) {
            QUERYABLE_BUILT_IN_ROLES_ENABLED = false;
        } else {
            if (property != null && !property.isEmpty() && !"true".equals(property)) {
                throw new IllegalStateException("system property [es.queryable_built_in_roles_enabled] may only be set to [true] or [false], but was [" + property + "]");
            }
            QUERYABLE_BUILT_IN_ROLES_ENABLED = true;
        }
        QUERYABLE_BUILT_IN_ROLES_FEATURE = new NodeFeature("security.queryable_built_in_roles");
        MARK_ROLES_AS_SYNCED_TASK_EXECUTOR = new SimpleBatchedExecutor<MarkRolesAsSyncedTask, Map<String, String>>() { // from class: org.elasticsearch.xpack.security.support.QueryableBuiltInRolesSynchronizer.1
            public Tuple<ClusterState, Map<String, String>> executeTask(MarkRolesAsSyncedTask markRolesAsSyncedTask, ClusterState clusterState) {
                return markRolesAsSyncedTask.execute(clusterState);
            }

            public void taskSucceeded(MarkRolesAsSyncedTask markRolesAsSyncedTask, Map<String, String> map) {
                markRolesAsSyncedTask.success(map);
            }
        };
    }
}
