package org.elasticsearch.xpack.security.authz.store;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.MultiSearchResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchRequestBuilder;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.get.GetResult;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.ml.action.util.PageParams;
import org.elasticsearch.xpack.ml.job.process.autodetect.params.TimeRange;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.InternalSecurityClient;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.SecurityLifecycleService;
import org.elasticsearch.xpack.security.action.role.ClearRolesCacheRequest;
import org.elasticsearch.xpack.security.action.role.ClearRolesCacheResponse;
import org.elasticsearch.xpack.security.action.role.DeleteRoleRequest;
import org.elasticsearch.xpack.security.action.role.PutRoleRequest;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.client.SecurityClient;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/NativeRolesStore.class */
public class NativeRolesStore extends AbstractComponent {
    private static final Setting<Integer> CACHE_SIZE_SETTING;
    private static final Setting<TimeValue> CACHE_TTL_SETTING;
    private static final String ROLE_DOC_TYPE = "doc";
    private final InternalSecurityClient client;
    private final XPackLicenseState licenseState;
    private final boolean isTribeNode;
    private SecurityClient securityClient;
    private final SecurityLifecycleService securityLifecycleService;
    static final /* synthetic */ boolean $assertionsDisabled;

    public NativeRolesStore(Settings settings, InternalSecurityClient internalSecurityClient, XPackLicenseState xPackLicenseState, SecurityLifecycleService securityLifecycleService) {
        super(settings);
        this.client = internalSecurityClient;
        this.isTribeNode = XPackPlugin.isTribeNode(settings);
        this.securityClient = new SecurityClient(internalSecurityClient);
        this.licenseState = xPackLicenseState;
        this.securityLifecycleService = securityLifecycleService;
    }

    public void getRoleDescriptors(String[] strArr, ActionListener<Collection<RoleDescriptor>> actionListener) {
        if (strArr != null && strArr.length == 1) {
            String str = (String) Objects.requireNonNull(strArr[0]);
            CheckedConsumer checkedConsumer = roleDescriptor -> {
                actionListener.onResponse(roleDescriptor == null ? Collections.emptyList() : Collections.singletonList(roleDescriptor));
            };
            actionListener.getClass();
            getRoleDescriptor(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            return;
        }
        try {
            boolean isSecurityIndexOnNewVersion = this.securityLifecycleService.isSecurityIndexOnNewVersion();
            BoolQueryBuilder termQuery = isSecurityIndexOnNewVersion ? (strArr == null || strArr.length == 0) ? QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), RoleDescriptor.ROLE_TYPE) : QueryBuilders.boolQuery().filter(QueryBuilders.idsQuery(new String[]{"doc"}).addIds((String[]) Arrays.asList(strArr).stream().map(str2 -> {
                return getIdForUser(str2);
            }).toArray(i -> {
                return new String[i];
            }))) : (strArr == null || strArr.length == 0) ? QueryBuilders.matchAllQuery() : QueryBuilders.boolQuery().filter(QueryBuilders.idsQuery(new String[]{RoleDescriptor.ROLE_TYPE}).addIds(strArr));
            SearchRequestBuilder prepareSearch = this.client.prepareSearch(new String[]{".security"});
            String[] strArr2 = new String[1];
            strArr2[0] = isSecurityIndexOnNewVersion ? "doc" : RoleDescriptor.ROLE_TYPE;
            SearchRequest request = prepareSearch.setTypes(strArr2).setScroll(TimeValue.timeValueSeconds(10L)).setQuery(termQuery).setSize(TimeRange.MILLISECONDS_IN_SECOND).setFetchSource(true).request();
            request.indicesOptions().ignoreUnavailable();
            InternalClient.fetchAllByEntity(this.client, request, actionListener, searchHit -> {
                String id;
                if (isSecurityIndexOnNewVersion) {
                    String id2 = searchHit.getId();
                    if (!$assertionsDisabled && !id2.startsWith(RoleDescriptor.ROLE_TYPE)) {
                        throw new AssertionError("[" + id2 + "] does not have role prefix");
                    }
                    id = id2.substring(RoleDescriptor.ROLE_TYPE.length() + 1);
                } else {
                    id = searchHit.getId();
                }
                return transformRole(id, searchHit.getSourceRef(), this.logger, this.licenseState);
            });
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("unable to retrieve roles {}", Arrays.toString(strArr));
            }, e);
            actionListener.onFailure(e);
        }
    }

    public void deleteRole(final DeleteRoleRequest deleteRoleRequest, final ActionListener<Boolean> actionListener) {
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("roles may not be deleted using a tribe node"));
            return;
        }
        if (!this.securityLifecycleService.isSecurityIndexWriteable()) {
            actionListener.onFailure(new IllegalStateException("role cannot be deleted as service cannot write until template and mappings are up to date"));
            return;
        }
        try {
            DeleteRequest request = this.securityLifecycleService.isSecurityIndexOnNewVersion() ? (DeleteRequest) this.client.prepareDelete(".security", "doc", getIdForUser(deleteRoleRequest.name())).request() : this.client.prepareDelete(".security", RoleDescriptor.ROLE_TYPE, deleteRoleRequest.name()).request();
            request.setRefreshPolicy(deleteRoleRequest.getRefreshPolicy());
            this.client.delete(request, new ActionListener<DeleteResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.1
                public void onResponse(DeleteResponse deleteResponse) {
                    NativeRolesStore.this.clearRoleCache(deleteRoleRequest.name(), actionListener, Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                }

                public void onFailure(Exception exc) {
                    NativeRolesStore.this.logger.error("failed to delete role from the index", exc);
                    actionListener.onFailure(exc);
                }
            });
        } catch (Exception e) {
            this.logger.error("unable to remove role", e);
            actionListener.onFailure(e);
        } catch (IndexNotFoundException e2) {
            this.logger.trace("security index does not exist", e2);
            actionListener.onResponse(false);
        }
    }

    public void putRole(PutRoleRequest putRoleRequest, RoleDescriptor roleDescriptor, ActionListener<Boolean> actionListener) {
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("roles may not be created or modified using a tribe node"));
            return;
        }
        if (!this.securityLifecycleService.isSecurityIndexWriteable()) {
            actionListener.onFailure(new IllegalStateException("role cannot be created or modified as service cannot write until template and mappings are up to date"));
            return;
        }
        if (this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            innerPutRole(putRoleRequest, roleDescriptor, actionListener);
        } else if (roleDescriptor.isUsingDocumentOrFieldLevelSecurity()) {
            actionListener.onFailure(LicenseUtils.newComplianceException("field and document level security"));
        } else {
            innerPutRole(putRoleRequest, roleDescriptor, actionListener);
        }
    }

    void innerPutRole(final PutRoleRequest putRoleRequest, final RoleDescriptor roleDescriptor, final ActionListener<Boolean> actionListener) {
        try {
            boolean isSecurityIndexOnNewVersion = this.securityLifecycleService.isSecurityIndexOnNewVersion();
            (isSecurityIndexOnNewVersion ? this.client.prepareIndex(".security", "doc", getIdForUser(roleDescriptor.getName())) : this.client.prepareIndex(".security", RoleDescriptor.ROLE_TYPE, roleDescriptor.getName())).setSource(roleDescriptor.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS, false, isSecurityIndexOnNewVersion)).setRefreshPolicy(putRoleRequest.getRefreshPolicy()).execute(new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.2
                public void onResponse(IndexResponse indexResponse) {
                    NativeRolesStore.this.clearRoleCache(roleDescriptor.getName(), actionListener, Boolean.valueOf(indexResponse.getResult() == DocWriteResponse.Result.CREATED));
                }

                public void onFailure(Exception exc) {
                    Logger logger = NativeRolesStore.this.logger;
                    PutRoleRequest putRoleRequest2 = putRoleRequest;
                    logger.error(() -> {
                        return new ParameterizedMessage("failed to put role [{}]", putRoleRequest2.name());
                    }, exc);
                    actionListener.onFailure(exc);
                }
            });
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("unable to put role [{}]", putRoleRequest.name());
            }, e);
            actionListener.onFailure(e);
        }
    }

    public void usageStats(final ActionListener<Map<String, Object>> actionListener) {
        final HashMap hashMap = new HashMap();
        if (this.securityLifecycleService.isSecurityIndexExisting()) {
            (this.securityLifecycleService.isSecurityIndexOnNewVersion() ? this.client.prepareMultiSearch().add(this.client.prepareSearch(new String[]{".security"}).setQuery(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), RoleDescriptor.ROLE_TYPE)).setSize(0)).add(this.client.prepareSearch(new String[]{".security"}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), RoleDescriptor.ROLE_TYPE)).must(QueryBuilders.boolQuery().should(QueryBuilders.existsQuery("indices.field_security.grant")).should(QueryBuilders.existsQuery("indices.field_security.except")).should(QueryBuilders.existsQuery("indices.fields")))).setSize(0).setTerminateAfter(1)).add(this.client.prepareSearch(new String[]{".security"}).setQuery(QueryBuilders.boolQuery().must(QueryBuilders.termQuery(RoleDescriptor.Fields.TYPE.getPreferredName(), RoleDescriptor.ROLE_TYPE)).filter(QueryBuilders.existsQuery("indices.query"))).setSize(0).setTerminateAfter(1)) : this.client.prepareMultiSearch().add(this.client.prepareSearch(new String[]{".security"}).setTypes(new String[]{RoleDescriptor.ROLE_TYPE}).setQuery(QueryBuilders.matchAllQuery()).setSize(0)).add(this.client.prepareSearch(new String[]{".security"}).setTypes(new String[]{RoleDescriptor.ROLE_TYPE}).setQuery(QueryBuilders.boolQuery().should(QueryBuilders.existsQuery("indices.field_security.grant")).should(QueryBuilders.existsQuery("indices.field_security.except")).should(QueryBuilders.existsQuery("indices.fields"))).setSize(0).setTerminateAfter(1)).add(this.client.prepareSearch(new String[]{".security"}).setTypes(new String[]{RoleDescriptor.ROLE_TYPE}).setQuery(QueryBuilders.existsQuery("indices.query")).setSize(0).setTerminateAfter(1))).execute(new ActionListener<MultiSearchResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.3
                public void onResponse(MultiSearchResponse multiSearchResponse) {
                    MultiSearchResponse.Item[] responses = multiSearchResponse.getResponses();
                    if (responses[0].isFailure()) {
                        hashMap.put("size", 0);
                    } else {
                        hashMap.put("size", Long.valueOf(responses[0].getResponse().getHits().getTotalHits()));
                    }
                    if (responses[1].isFailure()) {
                        hashMap.put("fls", false);
                    } else {
                        hashMap.put("fls", Boolean.valueOf(responses[1].getResponse().getHits().getTotalHits() > 0));
                    }
                    if (responses[2].isFailure()) {
                        hashMap.put("dls", false);
                    } else {
                        hashMap.put("dls", Boolean.valueOf(responses[2].getResponse().getHits().getTotalHits() > 0));
                    }
                    actionListener.onResponse(hashMap);
                }

                public void onFailure(Exception exc) {
                    actionListener.onFailure(exc);
                }
            });
            return;
        }
        hashMap.put("size", 0L);
        hashMap.put("fls", false);
        hashMap.put("dls", false);
        actionListener.onResponse(hashMap);
    }

    private void getRoleDescriptor(final String str, final ActionListener<RoleDescriptor> actionListener) {
        if (this.securityLifecycleService.isSecurityIndexExisting()) {
            executeGetRoleRequest(str, new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.4
                static final /* synthetic */ boolean $assertionsDisabled;

                public void onResponse(GetResponse getResponse) {
                    RoleDescriptor roleDescriptor;
                    String id;
                    if (getResponse.isExists()) {
                        if (NativeRolesStore.this.securityLifecycleService.isSecurityIndexOnNewVersion()) {
                            String id2 = getResponse.getId();
                            if (!$assertionsDisabled && !id2.startsWith(RoleDescriptor.ROLE_TYPE)) {
                                throw new AssertionError("[" + id2 + "] does not have role prefix");
                            }
                            id = id2.substring(RoleDescriptor.ROLE_TYPE.length() + 1);
                        } else {
                            id = getResponse.getId();
                        }
                        roleDescriptor = NativeRolesStore.transformRole(id, getResponse.getSourceAsBytesRef(), NativeRolesStore.this.logger, NativeRolesStore.this.licenseState);
                    } else {
                        roleDescriptor = null;
                    }
                    actionListener.onResponse(roleDescriptor);
                }

                public void onFailure(Exception exc) {
                    if (TransportActions.isShardNotAvailableException(exc)) {
                        Logger logger = NativeRolesStore.this.logger;
                        String str2 = str;
                        logger.warn(() -> {
                            return new ParameterizedMessage("failed to load role [{}] index not available", str2);
                        }, exc);
                        actionListener.onResponse((Object) null);
                        return;
                    }
                    Logger logger2 = NativeRolesStore.this.logger;
                    String str3 = str;
                    logger2.error(() -> {
                        return new ParameterizedMessage("failed to load role [{}]", str3);
                    }, exc);
                    actionListener.onFailure(exc);
                }

                static {
                    $assertionsDisabled = !NativeRolesStore.class.desiredAssertionStatus();
                }
            });
        } else {
            actionListener.onResponse((Object) null);
        }
    }

    private void executeGetRoleRequest(String str, ActionListener<GetResponse> actionListener) {
        boolean isSecurityIndexOnNewVersion = this.securityLifecycleService.isSecurityIndexOnNewVersion();
        String str2 = isSecurityIndexOnNewVersion ? "doc" : RoleDescriptor.ROLE_TYPE;
        String idForUser = isSecurityIndexOnNewVersion ? getIdForUser(str) : str;
        try {
            this.client.get(this.client.prepareGet(".security", str2, idForUser).request(), actionListener);
        } catch (IndexNotFoundException e) {
            this.logger.trace(() -> {
                return new ParameterizedMessage("unable to retrieve role [{}] since security index does not exist", str);
            }, e);
            actionListener.onResponse(new GetResponse(new GetResult(".security", str2, idForUser, -1L, false, (BytesReference) null, (Map) null)));
        } catch (Exception e2) {
            this.logger.error("unable to retrieve role", e2);
            actionListener.onFailure(e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public <Response> void clearRoleCache(final String str, final ActionListener<Response> actionListener, final Response response) {
        this.securityClient.clearRolesCache(new ClearRolesCacheRequest().names(str), new ActionListener<ClearRolesCacheResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.5
            public void onResponse(ClearRolesCacheResponse clearRolesCacheResponse) {
                actionListener.onResponse(response);
            }

            public void onFailure(Exception exc) {
                Logger logger = NativeRolesStore.this.logger;
                String str2 = str;
                logger.error(() -> {
                    return new ParameterizedMessage("unable to clear cache for role [{}]", str2);
                }, exc);
                actionListener.onFailure(new ElasticsearchException("clearing the cache for [" + str + "] failed. please clear the role cache manually", exc, new Object[0]));
            }
        });
    }

    @Nullable
    static RoleDescriptor transformRole(String str, BytesReference bytesReference, Logger logger, XPackLicenseState xPackLicenseState) {
        try {
            RoleDescriptor parse = RoleDescriptor.parse(str, bytesReference, true, XContentType.JSON);
            if (xPackLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
                return parse;
            }
            boolean anyMatch = Arrays.stream(parse.getIndicesPrivileges()).anyMatch((v0) -> {
                return v0.isUsingDocumentLevelSecurity();
            });
            boolean anyMatch2 = Arrays.stream(parse.getIndicesPrivileges()).anyMatch((v0) -> {
                return v0.isUsingFieldLevelSecurity();
            });
            if (!anyMatch && !anyMatch2) {
                return parse;
            }
            ArrayList arrayList = new ArrayList(2);
            if (anyMatch2) {
                arrayList.add("fls");
            }
            if (anyMatch) {
                arrayList.add("dls");
            }
            HashMap hashMap = new HashMap(2);
            hashMap.put("unlicensed_features", arrayList);
            hashMap.put("enabled", false);
            return new RoleDescriptor(parse.getName(), parse.getClusterPrivileges(), parse.getIndicesPrivileges(), parse.getRunAs(), parse.getMetadata(), hashMap);
        } catch (Exception e) {
            logger.error(() -> {
                return new ParameterizedMessage("error in the format of data for role [{}]", str);
            }, e);
            return null;
        }
    }

    public static void addSettings(List<Setting<?>> list) {
        list.add(CACHE_SIZE_SETTING);
        list.add(CACHE_TTL_SETTING);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getIdForUser(String str) {
        return "role-" + str;
    }

    static {
        $assertionsDisabled = !NativeRolesStore.class.desiredAssertionStatus();
        CACHE_SIZE_SETTING = Setting.intSetting(Security.setting("authz.store.roles.index.cache.max_size"), PageParams.MAX_FROM_SIZE_SUM, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Deprecated});
        CACHE_TTL_SETTING = Setting.timeSetting(Security.setting("authz.store.roles.index.cache.ttl"), TimeValue.timeValueMinutes(20L), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Deprecated});
    }
}
