package org.elasticsearch.xpack.security.action.filter;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.function.Supplier;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.search.ClearScrollRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.search.SearchScrollRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.security.SecurityContext;
import org.elasticsearch.xpack.security.action.SecurityActionMapper;
import org.elasticsearch.xpack.security.action.interceptor.RequestInterceptor;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
import org.elasticsearch.xpack.security.authz.privilege.HealthAndStatsPrivilege;
import org.elasticsearch.xpack.security.crypto.CryptoService;
import org.elasticsearch.xpack.security.support.Automatons;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/filter/SecurityActionFilter.class */
public class SecurityActionFilter extends AbstractComponent implements ActionFilter {
    private static final Predicate<String> LICENSE_EXPIRATION_ACTION_MATCHER = HealthAndStatsPrivilege.INSTANCE.predicate();
    private static final Predicate<String> SECURITY_ACTION_MATCHER = Automatons.predicate("cluster:admin/xpack/security*");
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final CryptoService cryptoService;
    private final AuditTrail auditTrail;
    private final SecurityActionMapper actionMapper;
    private final Set<RequestInterceptor> requestInterceptors;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final SecurityContext securityContext;
    private final DestructiveOperations destructiveOperations;
    private final ClusterService clusterService;

    @Inject
    public SecurityActionFilter(Settings settings, AuthenticationService authenticationService, AuthorizationService authorizationService, CryptoService cryptoService, AuditTrailService auditTrailService, XPackLicenseState xPackLicenseState, Set<RequestInterceptor> set, ThreadPool threadPool, SecurityContext securityContext, DestructiveOperations destructiveOperations, ClusterService clusterService) {
        super(settings);
        this.actionMapper = new SecurityActionMapper();
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.cryptoService = cryptoService;
        this.auditTrail = auditTrailService;
        this.licenseState = xPackLicenseState;
        this.requestInterceptors = set;
        this.threadContext = threadPool.getThreadContext();
        this.securityContext = securityContext;
        this.destructiveOperations = destructiveOperations;
        this.clusterService = clusterService;
    }

    public void apply(Task task, String str, ActionRequest actionRequest, ActionListener actionListener, ActionFilterChain actionFilterChain) {
        if (!this.licenseState.isStatsAndHealthAllowed() && LICENSE_EXPIRATION_ACTION_MATCHER.test(str)) {
            this.logger.error("blocking [{}] operation due to expired license. Cluster health, cluster stats and indices stats \noperations are blocked on license expiration. All data operations (read and write) continue to work. \nIf you have a new license, please update it. Otherwise, please reach out to your support contact.", str);
            throw LicenseUtils.newComplianceException(XPackPlugin.SECURITY);
        }
        if (!this.licenseState.isAuthAllowed()) {
            if (SECURITY_ACTION_MATCHER.test(str)) {
                actionListener.onFailure(LicenseUtils.newComplianceException(XPackPlugin.SECURITY));
                return;
            } else {
                actionFilterChain.proceed(task, str, actionRequest, actionListener);
                return;
            }
        }
        boolean shouldReplaceUserWithSystem = AuthorizationUtils.shouldReplaceUserWithSystem(this.threadContext, str);
        Supplier newRestorableContext = this.threadContext.newRestorableContext(true);
        CheckedConsumer checkedConsumer = actionResponse -> {
            try {
                actionListener.onResponse(sign(actionResponse));
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        };
        actionListener.getClass();
        ContextPreservingActionListener contextPreservingActionListener = new ContextPreservingActionListener(newRestorableContext, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        CheckedConsumer checkedConsumer2 = r11 -> {
            actionFilterChain.proceed(task, str, actionRequest, contextPreservingActionListener);
        };
        contextPreservingActionListener.getClass();
        ActionListener<Void> wrap = ActionListener.wrap(checkedConsumer2, contextPreservingActionListener::onFailure);
        try {
            if (shouldReplaceUserWithSystem) {
                this.securityContext.executeAsUser(SystemUser.INSTANCE, storedContext -> {
                    try {
                        applyInternal(str, actionRequest, wrap);
                    } catch (IOException e) {
                        actionListener.onFailure(e);
                    }
                }, Version.CURRENT);
            } else {
                ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
                Throwable th = null;
                try {
                    try {
                        applyInternal(str, actionRequest, wrap);
                        if (newStoredContext != null) {
                            if (0 != 0) {
                                try {
                                    newStoredContext.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                newStoredContext.close();
                            }
                        }
                    } finally {
                    }
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    public int order() {
        return Integer.MIN_VALUE;
    }

    private void applyInternal(String str, ActionRequest actionRequest, ActionListener<Void> actionListener) throws IOException {
        if ("indices:admin/close".equals(str) || "indices:admin/open".equals(str) || "indices:admin/delete".equals(str)) {
            try {
                this.destructiveOperations.failDestructive(((IndicesRequest) actionRequest).indices());
            } catch (IllegalArgumentException e) {
                actionListener.onFailure(e);
                return;
            }
        }
        String action = this.actionMapper.action(str, actionRequest);
        AuthenticationService authenticationService = this.authcService;
        User user = SystemUser.INSTANCE;
        Version version = Version.CURRENT;
        CheckedConsumer checkedConsumer = authentication -> {
            authorizeRequest(authentication, action, actionRequest, actionListener);
        };
        actionListener.getClass();
        authenticationService.authenticate(action, (TransportMessage) actionRequest, user, version, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    void authorizeRequest(Authentication authentication, String str, ActionRequest actionRequest, ActionListener actionListener) {
        if (authentication == null) {
            actionListener.onFailure(new IllegalArgumentException("authentication must be non null for authorization"));
        } else {
            new AuthorizationUtils.AsyncAuthorizer(authentication, actionListener, (role, role2) -> {
                this.authzService.authorize(authentication, str, actionRequest, role, role2);
                User user = authentication.getUser();
                TransportRequest unsign = unsign(user, str, actionRequest);
                for (RequestInterceptor requestInterceptor : this.requestInterceptors) {
                    if (requestInterceptor.supports(unsign)) {
                        requestInterceptor.intercept(unsign, user);
                    }
                }
                actionListener.onResponse((Object) null);
            }).authorize(this.authzService);
        }
    }

    ActionRequest unsign(User user, String str, ActionRequest actionRequest) {
        try {
            ClusterState state = this.clusterService.state();
            boolean z = state.nodes().getMinNodeVersion().before(Version.V_5_5_0_UNRELEASED) && this.cryptoService.isSystemKeyPresent();
            if (actionRequest instanceof SearchScrollRequest) {
                SearchScrollRequest searchScrollRequest = (SearchScrollRequest) actionRequest;
                String scrollId = searchScrollRequest.scrollId();
                if (z) {
                    if (!this.cryptoService.isSigned(scrollId)) {
                        this.logger.error("scroll id [{}] is not signed but is expected to be. nodes [{}], minimum node version [{}]", scrollId, state.nodes(), state.nodes().getMinNodeVersion());
                        this.auditTrail.tamperedRequest(user, str, actionRequest);
                        throw Exceptions.authorizationError("invalid request", new Object[0]);
                    }
                    searchScrollRequest.scrollId(this.cryptoService.unsignAndVerify(scrollId, null));
                } else if (this.cryptoService.isSigned(scrollId)) {
                    searchScrollRequest.scrollId(this.cryptoService.unsignAndVerify(scrollId, null));
                }
            } else if (actionRequest instanceof ClearScrollRequest) {
                ClearScrollRequest clearScrollRequest = (ClearScrollRequest) actionRequest;
                if (!clearScrollRequest.scrollIds().contains("_all")) {
                    List<String> scrollIds = clearScrollRequest.scrollIds();
                    ArrayList arrayList = new ArrayList(scrollIds.size());
                    for (String str2 : scrollIds) {
                        if (z) {
                            if (!this.cryptoService.isSigned(str2)) {
                                this.logger.error("scroll id [{}] is not signed but is expected to be. nodes [{}], minimum node version [{}]", str2, state.nodes(), state.nodes().getMinNodeVersion());
                                this.auditTrail.tamperedRequest(user, str, actionRequest);
                                throw Exceptions.authorizationError("invalid request", new Object[0]);
                            }
                            arrayList.add(this.cryptoService.unsignAndVerify(str2, null));
                        } else if (this.cryptoService.isSigned(str2)) {
                            arrayList.add(this.cryptoService.unsignAndVerify(str2, null));
                        } else {
                            arrayList.add(str2);
                        }
                    }
                    clearScrollRequest.scrollIds(arrayList);
                }
            }
            return actionRequest;
        } catch (IllegalArgumentException | IllegalStateException e) {
            this.auditTrail.tamperedRequest(user, str, actionRequest);
            throw Exceptions.authorizationError("invalid request. {}", e.getMessage());
        }
    }

    private <Response extends ActionResponse> Response sign(Response response) throws IOException {
        SearchResponse searchResponse;
        String scrollId;
        if ((response instanceof SearchResponse) && this.clusterService.state().nodes().getMinNodeVersion().before(Version.V_5_5_0_UNRELEASED) && (scrollId = (searchResponse = (SearchResponse) response).getScrollId()) != null && !this.cryptoService.isSigned(scrollId)) {
            searchResponse.scrollId(this.cryptoService.sign(scrollId, Version.CURRENT));
        }
        return response;
    }
}
