package org.elasticsearch.xpack.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingResponse;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateResponse;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.IndexTemplateMetaData;
import org.elasticsearch.cluster.metadata.MappingMetaData;
import org.elasticsearch.cluster.routing.IndexRoutingTable;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.compress.CompressedXContent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ConcurrentCollections;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.xpack.security.authc.esnative.NativeRealmMigrator;
import org.elasticsearch.xpack.template.TemplateUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/SecurityTemplateService.class */
public class SecurityTemplateService extends AbstractComponent implements ClusterStateListener {
    public static final String SECURITY_INDEX_NAME = ".security";
    public static final String SECURITY_TEMPLATE_NAME = "security-index-template";
    private static final String SECURITY_VERSION_STRING = "security-version";
    static final String SECURITY_INDEX_TEMPLATE_VERSION_PATTERN;
    static final Version MIN_READ_VERSION;
    private final InternalClient client;
    final AtomicBoolean templateCreationPending;
    final AtomicBoolean updateMappingPending;
    final AtomicReference upgradeDataState;
    private final NativeRealmMigrator nativeRealmMigrator;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/SecurityTemplateService$UpgradeState.class */
    public enum UpgradeState {
        NOT_STARTED,
        IN_PROGRESS,
        COMPLETE,
        FAILED
    }

    public SecurityTemplateService(Settings settings, InternalClient internalClient, NativeRealmMigrator nativeRealmMigrator) {
        super(settings);
        this.templateCreationPending = new AtomicBoolean(false);
        this.updateMappingPending = new AtomicBoolean(false);
        this.upgradeDataState = new AtomicReference(UpgradeState.NOT_STARTED);
        this.client = internalClient;
        this.nativeRealmMigrator = nativeRealmMigrator;
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        if (clusterChangedEvent.localNodeMaster()) {
            ClusterState state = clusterChangedEvent.state();
            if (state.blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
                this.logger.debug("template service waiting until state has been recovered");
                return;
            }
            if (!securityTemplateExistsAndIsUpToDate(state, this.logger)) {
                updateSecurityTemplate();
            }
            if (state.metaData().getIndices() == null || securityIndexMappingUpToDate(state, this.logger) || !securityIndexAvailable(state, this.logger)) {
                return;
            }
            upgradeSecurityData(state, this::updateSecurityMapping);
        }
    }

    private boolean securityIndexAvailable(ClusterState clusterState, Logger logger) {
        IndexRoutingTable securityIndexRoutingTable = getSecurityIndexRoutingTable(clusterState);
        if (securityIndexRoutingTable == null) {
            throw new IllegalStateException("Security index does not exist");
        }
        if (securityIndexRoutingTable.allPrimaryShardsActive()) {
            return true;
        }
        logger.debug("Security index is not yet active");
        return false;
    }

    private void updateSecurityTemplate() {
        if (this.templateCreationPending.compareAndSet(false, true)) {
            putSecurityTemplate();
        }
    }

    private boolean upgradeSecurityData(ClusterState clusterState, final Runnable runnable) {
        if (this.upgradeDataState.compareAndSet(UpgradeState.NOT_STARTED, UpgradeState.IN_PROGRESS)) {
            final Version oldestSecurityIndexMappingVersion = oldestSecurityIndexMappingVersion(clusterState, this.logger);
            this.nativeRealmMigrator.performUpgrade(oldestSecurityIndexMappingVersion, new ActionListener<Boolean>() { // from class: org.elasticsearch.xpack.security.SecurityTemplateService.1
                public void onResponse(Boolean bool) {
                    SecurityTemplateService.this.upgradeDataState.set(UpgradeState.COMPLETE);
                    runnable.run();
                }

                public void onFailure(Exception exc) {
                    SecurityTemplateService.this.upgradeDataState.set(UpgradeState.FAILED);
                    Logger logger = SecurityTemplateService.this.logger;
                    Version version = oldestSecurityIndexMappingVersion;
                    logger.error(() -> {
                        return new ParameterizedMessage("failed to upgrade security data from version [{}] ", version);
                    }, exc);
                }
            });
            return true;
        }
        if (this.upgradeDataState.get() != UpgradeState.COMPLETE) {
            return false;
        }
        runnable.run();
        return false;
    }

    private void updateSecurityMapping() {
        if (this.updateMappingPending.compareAndSet(false, true)) {
            putSecurityMappings();
        }
    }

    private void putSecurityMappings() {
        try {
            Map convertToMap = XContentHelper.convertToMap(JsonXContent.jsonXContent, TemplateUtils.loadTemplate("/security-index-template.json", Version.CURRENT.toString(), SECURITY_INDEX_TEMPLATE_VERSION_PATTERN), false);
            ConcurrentMap newConcurrentMap = ConcurrentCollections.newConcurrentMap();
            Map map = (Map) convertToMap.get("mappings");
            int size = map.size();
            for (String str : map.keySet()) {
                putSecurityMapping(newConcurrentMap, size, str, (Map) map.get(str));
            }
        } catch (ElasticsearchParseException e) {
            this.updateMappingPending.set(false);
            this.logger.error("failed to parse the security index template", e);
            throw new ElasticsearchException("failed to parse the security index template", e, new Object[0]);
        }
    }

    private void putSecurityMapping(final Map<String, PutMappingResponse> map, final int i, final String str, Map<String, Object> map2) {
        this.logger.debug("updating mapping of the security index for type [{}]", str);
        this.client.admin().indices().putMapping(this.client.admin().indices().preparePutMapping(new String[]{SECURITY_INDEX_NAME}).setSource(map2).setType(str).request(), new ActionListener<PutMappingResponse>() { // from class: org.elasticsearch.xpack.security.SecurityTemplateService.2
            public void onResponse(PutMappingResponse putMappingResponse) {
                if (!putMappingResponse.isAcknowledged()) {
                    SecurityTemplateService.this.updateMappingPending.set(false);
                    throw new ElasticsearchException("update mapping for [{}] security index was not acknowledged", new Object[]{str});
                }
                map.put(str, putMappingResponse);
                if (map.size() == i) {
                    SecurityTemplateService.this.updateMappingPending.set(false);
                }
            }

            public void onFailure(Exception exc) {
                SecurityTemplateService.this.updateMappingPending.set(false);
                Logger logger = SecurityTemplateService.this.logger;
                String str2 = str;
                logger.warn(() -> {
                    return new ParameterizedMessage("failed to update mapping for [{}] on security index", str2);
                }, exc);
            }
        });
    }

    private void putSecurityTemplate() {
        this.logger.debug("putting the security index template");
        this.client.admin().indices().putTemplate(this.client.admin().indices().preparePutTemplate(SECURITY_TEMPLATE_NAME).setSource(new BytesArray(TemplateUtils.loadTemplate("/security-index-template.json", Version.CURRENT.toString(), SECURITY_INDEX_TEMPLATE_VERSION_PATTERN).getBytes(StandardCharsets.UTF_8)), XContentType.JSON).request(), new ActionListener<PutIndexTemplateResponse>() { // from class: org.elasticsearch.xpack.security.SecurityTemplateService.3
            public void onResponse(PutIndexTemplateResponse putIndexTemplateResponse) {
                SecurityTemplateService.this.templateCreationPending.set(false);
                if (!putIndexTemplateResponse.isAcknowledged()) {
                    throw new ElasticsearchException("put template for security index was not acknowledged", new Object[0]);
                }
            }

            public void onFailure(Exception exc) {
                SecurityTemplateService.this.templateCreationPending.set(false);
                SecurityTemplateService.this.logger.warn("failed to put security index template", exc);
            }
        });
    }

    static boolean securityIndexMappingUpToDate(ClusterState clusterState, Logger logger) {
        Version version = Version.CURRENT;
        version.getClass();
        return securityIndexMappingVersionMatches(clusterState, logger, (v1) -> {
            return r2.equals(v1);
        });
    }

    static boolean securityIndexMappingVersionMatches(ClusterState clusterState, Logger logger, Predicate<Version> predicate) {
        return securityIndexMappingVersions(clusterState, logger).stream().allMatch(predicate);
    }

    public static Version oldestSecurityIndexMappingVersion(ClusterState clusterState, Logger logger) {
        return securityIndexMappingVersions(clusterState, logger).stream().min((version, version2) -> {
            if (version.before(version2)) {
                return -1;
            }
            return version.after(version2) ? 1 : 0;
        }).orElse(null);
    }

    private static Set<Version> securityIndexMappingVersions(ClusterState clusterState, Logger logger) {
        HashSet hashSet = new HashSet();
        IndexMetaData indexMetaData = (IndexMetaData) clusterState.metaData().getIndices().get(SECURITY_INDEX_NAME);
        if (indexMetaData != null) {
            for (Object obj : indexMetaData.getMappings().values().toArray()) {
                MappingMetaData mappingMetaData = (MappingMetaData) obj;
                if (!mappingMetaData.type().equals("_default_")) {
                    hashSet.add(readMappingVersion(mappingMetaData, logger));
                }
            }
        }
        return hashSet;
    }

    private static Version readMappingVersion(MappingMetaData mappingMetaData, Logger logger) {
        try {
            Map map = (Map) mappingMetaData.sourceAsMap().get("_meta");
            return map == null ? Version.V_2_3_0 : Version.fromString((String) map.get(SECURITY_VERSION_STRING));
        } catch (IOException e) {
            logger.error("Cannot parse the mapping for security index.", e);
            throw new ElasticsearchException("Cannot parse the mapping for security index.", e, new Object[0]);
        }
    }

    static boolean securityTemplateExistsAndIsUpToDate(ClusterState clusterState, Logger logger) {
        Version version = Version.CURRENT;
        version.getClass();
        return securityTemplateExistsAndVersionMatches(clusterState, logger, (v1) -> {
            return r2.equals(v1);
        });
    }

    static boolean securityTemplateExistsAndVersionMatches(ClusterState clusterState, Logger logger, Predicate<Version> predicate) {
        IndexTemplateMetaData indexTemplateMetaData = (IndexTemplateMetaData) clusterState.metaData().templates().get(SECURITY_TEMPLATE_NAME);
        if (indexTemplateMetaData == null) {
            return false;
        }
        for (Object obj : indexTemplateMetaData.getMappings().values().toArray()) {
            try {
                Map map = (Map) XContentHelper.convertToMap(new BytesArray(((CompressedXContent) obj).uncompressed()), false, XContentType.JSON).v2();
                if (!$assertionsDisabled && map.size() != 1) {
                    throw new AssertionError();
                }
                if (!containsCorrectVersion((Map) map.get((String) map.keySet().iterator().next()), predicate)) {
                    return false;
                }
            } catch (ElasticsearchParseException e) {
                logger.error("Cannot parse the template for security index.", e);
                throw new IllegalStateException("Cannot parse the template for security index.", e);
            }
        }
        return true;
    }

    private static boolean containsCorrectVersion(Map<String, Object> map, Predicate<Version> predicate) {
        Map map2 = (Map) map.get("_meta");
        if (map2 == null) {
            return false;
        }
        return predicate.test(Version.fromString((String) map2.get(SECURITY_VERSION_STRING)));
    }

    public static IndexRoutingTable getSecurityIndexRoutingTable(ClusterState clusterState) {
        if (clusterState.metaData().index(SECURITY_INDEX_NAME) == null) {
            return null;
        }
        return clusterState.routingTable().index(SECURITY_INDEX_NAME);
    }

    public static boolean securityIndexMappingAndTemplateUpToDate(ClusterState clusterState, Logger logger) {
        if (!securityTemplateExistsAndIsUpToDate(clusterState, logger)) {
            logger.debug("security template [{}] does not exist or is not up to date, so service cannot start", SECURITY_TEMPLATE_NAME);
            return false;
        }
        if (securityIndexMappingUpToDate(clusterState, logger)) {
            return true;
        }
        logger.debug("mapping for security index not up to date, so service cannot start");
        return false;
    }

    public static boolean securityIndexMappingAndTemplateSufficientToRead(ClusterState clusterState, Logger logger) {
        Version version = MIN_READ_VERSION;
        version.getClass();
        if (!securityTemplateExistsAndVersionMatches(clusterState, logger, version::onOrBefore)) {
            logger.debug("security template [{}] does not exist or is not up to date, so service cannot start", SECURITY_TEMPLATE_NAME);
            return false;
        }
        Version version2 = MIN_READ_VERSION;
        version2.getClass();
        if (securityIndexMappingVersionMatches(clusterState, logger, version2::onOrBefore)) {
            return true;
        }
        logger.debug("mapping for security index not up to date, so service cannot start");
        return false;
    }

    static {
        $assertionsDisabled = !SecurityTemplateService.class.desiredAssertionStatus();
        SECURITY_INDEX_TEMPLATE_VERSION_PATTERN = Pattern.quote("${security.template.version}");
        MIN_READ_VERSION = Version.V_5_0_0;
    }
}
