package org.elasticsearch.xpack.security.authz.store;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.MultiSearchResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.get.GetResult;
import org.elasticsearch.index.query.MatchAllQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.SecurityTemplateService;
import org.elasticsearch.xpack.security.action.role.ClearRolesCacheRequest;
import org.elasticsearch.xpack.security.action.role.ClearRolesCacheResponse;
import org.elasticsearch.xpack.security.action.role.DeleteRoleRequest;
import org.elasticsearch.xpack.security.action.role.PutRoleRequest;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.client.SecurityClient;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/NativeRolesStore.class */
public class NativeRolesStore extends AbstractComponent implements ClusterStateListener {
    private static final Setting<Integer> CACHE_SIZE_SETTING = Setting.intSetting(Security.setting("authz.store.roles.index.cache.max_size"), 10000, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Deprecated});
    private static final Setting<TimeValue> CACHE_TTL_SETTING = Setting.timeSetting(Security.setting("authz.store.roles.index.cache.ttl"), TimeValue.timeValueMinutes(20), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Deprecated});
    private static final String ROLE_DOC_TYPE = "role";
    private final InternalClient client;
    private final XPackLicenseState licenseState;
    private final AtomicReference<State> state;
    private final boolean isTribeNode;
    private SecurityClient securityClient;
    private volatile boolean securityIndexExists;
    private volatile boolean canWrite;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/NativeRolesStore$State.class */
    public enum State {
        INITIALIZED,
        STARTING,
        STARTED,
        STOPPING,
        STOPPED,
        FAILED
    }

    public NativeRolesStore(Settings settings, InternalClient internalClient, XPackLicenseState xPackLicenseState) {
        super(settings);
        this.state = new AtomicReference<>(State.INITIALIZED);
        this.securityIndexExists = false;
        this.canWrite = false;
        this.client = internalClient;
        this.isTribeNode = !settings.getGroups("tribe", true).isEmpty();
        this.securityClient = new SecurityClient(internalClient);
        this.licenseState = xPackLicenseState;
    }

    public boolean canStart(ClusterState clusterState, boolean z) {
        if (state() != State.INITIALIZED) {
            return false;
        }
        if (clusterState.blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
            this.logger.debug("native roles store waiting until gateway has recovered from disk");
            return false;
        }
        if (this.isTribeNode) {
            return true;
        }
        if (SecurityTemplateService.securityIndexMappingAndTemplateUpToDate(clusterState, this.logger)) {
            this.canWrite = true;
        } else {
            if (!SecurityTemplateService.securityIndexMappingAndTemplateSufficientToRead(clusterState, this.logger)) {
                this.canWrite = false;
                return false;
            }
            this.canWrite = false;
        }
        if (clusterState.metaData().index(SecurityTemplateService.SECURITY_INDEX_NAME) == null) {
            this.logger.debug("security index [{}] does not exist, so service can start", SecurityTemplateService.SECURITY_INDEX_NAME);
            return true;
        }
        if (!clusterState.routingTable().index(SecurityTemplateService.SECURITY_INDEX_NAME).allPrimaryShardsActive()) {
            return false;
        }
        this.logger.debug("security index [{}] all primary shards started, so service can start", SecurityTemplateService.SECURITY_INDEX_NAME);
        this.securityIndexExists = true;
        return true;
    }

    public void start() {
        try {
            if (this.state.compareAndSet(State.INITIALIZED, State.STARTING)) {
                this.state.set(State.STARTED);
            }
        } catch (Exception e) {
            this.logger.error("failed to start ESNativeRolesStore", e);
            this.state.set(State.FAILED);
        }
    }

    public void stop() {
        if (this.state.compareAndSet(State.STARTED, State.STOPPING)) {
            this.state.set(State.STOPPED);
        }
    }

    public void getRoleDescriptors(String[] strArr, ActionListener<Collection<RoleDescriptor>> actionListener) {
        MatchAllQueryBuilder filter;
        if (state() != State.STARTED) {
            this.logger.trace("attempted to get roles before service was started");
            actionListener.onResponse(Collections.emptySet());
            return;
        }
        if (strArr != null && strArr.length == 1) {
            String str = (String) Objects.requireNonNull(strArr[0]);
            CheckedConsumer checkedConsumer = roleDescriptor -> {
                actionListener.onResponse(roleDescriptor == null ? Collections.emptyList() : Collections.singletonList(roleDescriptor));
            };
            actionListener.getClass();
            getRoleDescriptor(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            return;
        }
        if (strArr != null) {
            try {
                if (strArr.length != 0) {
                    filter = QueryBuilders.boolQuery().filter(QueryBuilders.idsQuery(new String[]{ROLE_DOC_TYPE}).addIds(strArr));
                    SearchRequest request = this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setTypes(new String[]{ROLE_DOC_TYPE}).setScroll(TimeValue.timeValueSeconds(10L)).setQuery(filter).setSize(1000).setFetchSource(true).request();
                    request.indicesOptions().ignoreUnavailable();
                    InternalClient.fetchAllByEntity(this.client, request, actionListener, searchHit -> {
                        return transformRole(searchHit.getId(), searchHit.getSourceRef(), this.logger, this.licenseState);
                    });
                }
            } catch (Exception e) {
                this.logger.error(() -> {
                    return new ParameterizedMessage("unable to retrieve roles {}", Arrays.toString(strArr));
                }, e);
                actionListener.onFailure(e);
                return;
            }
        }
        filter = QueryBuilders.matchAllQuery();
        SearchRequest request2 = this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setTypes(new String[]{ROLE_DOC_TYPE}).setScroll(TimeValue.timeValueSeconds(10L)).setQuery(filter).setSize(1000).setFetchSource(true).request();
        request2.indicesOptions().ignoreUnavailable();
        InternalClient.fetchAllByEntity(this.client, request2, actionListener, searchHit2 -> {
            return transformRole(searchHit2.getId(), searchHit2.getSourceRef(), this.logger, this.licenseState);
        });
    }

    public void deleteRole(final DeleteRoleRequest deleteRoleRequest, final ActionListener<Boolean> actionListener) {
        if (state() != State.STARTED) {
            this.logger.trace("attempted to delete role [{}] before service was started", deleteRoleRequest.name());
            actionListener.onResponse(false);
        } else if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("roles may not be deleted using a tribe node"));
            return;
        } else if (!this.canWrite) {
            actionListener.onFailure(new IllegalStateException("role cannot be deleted as service cannot write until template and mappings are up to date"));
            return;
        }
        try {
            DeleteRequest request = this.client.prepareDelete(SecurityTemplateService.SECURITY_INDEX_NAME, ROLE_DOC_TYPE, deleteRoleRequest.name()).request();
            request.setRefreshPolicy(deleteRoleRequest.getRefreshPolicy());
            this.client.delete(request, new ActionListener<DeleteResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.1
                public void onResponse(DeleteResponse deleteResponse) {
                    NativeRolesStore.this.clearRoleCache(deleteRoleRequest.name(), actionListener, Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                }

                public void onFailure(Exception exc) {
                    NativeRolesStore.this.logger.error("failed to delete role from the index", exc);
                    actionListener.onFailure(exc);
                }
            });
        } catch (IndexNotFoundException e) {
            this.logger.trace("security index does not exist", e);
            actionListener.onResponse(false);
        } catch (Exception e2) {
            this.logger.error("unable to remove role", e2);
            actionListener.onFailure(e2);
        }
    }

    public void putRole(PutRoleRequest putRoleRequest, RoleDescriptor roleDescriptor, ActionListener<Boolean> actionListener) {
        if (state() != State.STARTED) {
            this.logger.trace("attempted to put role [{}] before service was started", putRoleRequest.name());
            actionListener.onResponse(false);
            return;
        }
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("roles may not be created or modified using a tribe node"));
            return;
        }
        if (!this.canWrite) {
            actionListener.onFailure(new IllegalStateException("role cannot be created or modified as service cannot write until template and mappings are up to date"));
            return;
        }
        if (this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            innerPutRole(putRoleRequest, roleDescriptor, actionListener);
        } else if (roleDescriptor.isUsingDocumentOrFieldLevelSecurity()) {
            actionListener.onFailure(LicenseUtils.newComplianceException("field and document level security"));
        } else {
            innerPutRole(putRoleRequest, roleDescriptor, actionListener);
        }
    }

    void innerPutRole(final PutRoleRequest putRoleRequest, final RoleDescriptor roleDescriptor, final ActionListener<Boolean> actionListener) {
        try {
            this.client.prepareIndex(SecurityTemplateService.SECURITY_INDEX_NAME, ROLE_DOC_TYPE, roleDescriptor.getName()).setSource(roleDescriptor.toXContent(XContentFactory.jsonBuilder(), ToXContent.EMPTY_PARAMS, false)).setRefreshPolicy(putRoleRequest.getRefreshPolicy()).execute(new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.2
                public void onResponse(IndexResponse indexResponse) {
                    NativeRolesStore.this.clearRoleCache(roleDescriptor.getName(), actionListener, Boolean.valueOf(indexResponse.getResult() == DocWriteResponse.Result.CREATED));
                }

                public void onFailure(Exception exc) {
                    Logger logger = NativeRolesStore.this.logger;
                    PutRoleRequest putRoleRequest2 = putRoleRequest;
                    logger.error(() -> {
                        return new ParameterizedMessage("failed to put role [{}]", putRoleRequest2.name());
                    }, exc);
                    actionListener.onFailure(exc);
                }
            });
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("unable to put role [{}]", putRoleRequest.name());
            }, e);
            actionListener.onFailure(e);
        }
    }

    public void usageStats(final ActionListener<Map<String, Object>> actionListener) {
        final HashMap hashMap = new HashMap();
        if (state() != State.STARTED) {
            actionListener.onResponse(Collections.emptyMap());
            return;
        }
        if (this.securityIndexExists) {
            this.client.prepareMultiSearch().add(this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setTypes(new String[]{ROLE_DOC_TYPE}).setQuery(QueryBuilders.matchAllQuery()).setSize(0)).add(this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setTypes(new String[]{ROLE_DOC_TYPE}).setQuery(QueryBuilders.boolQuery().should(QueryBuilders.existsQuery("indices.field_security.grant")).should(QueryBuilders.existsQuery("indices.field_security.except")).should(QueryBuilders.existsQuery("indices.fields"))).setSize(0).setTerminateAfter(1)).add(this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setTypes(new String[]{ROLE_DOC_TYPE}).setQuery(QueryBuilders.existsQuery("indices.query")).setSize(0).setTerminateAfter(1)).execute(new ActionListener<MultiSearchResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.3
                public void onResponse(MultiSearchResponse multiSearchResponse) {
                    MultiSearchResponse.Item[] responses = multiSearchResponse.getResponses();
                    if (responses[0].isFailure()) {
                        hashMap.put("size", 0);
                    } else {
                        hashMap.put("size", Long.valueOf(responses[0].getResponse().getHits().getTotalHits()));
                    }
                    if (responses[1].isFailure()) {
                        hashMap.put("fls", false);
                    } else {
                        hashMap.put("fls", Boolean.valueOf(responses[1].getResponse().getHits().getTotalHits() > 0));
                    }
                    if (responses[2].isFailure()) {
                        hashMap.put("dls", false);
                    } else {
                        hashMap.put("dls", Boolean.valueOf(responses[2].getResponse().getHits().getTotalHits() > 0));
                    }
                    actionListener.onResponse(hashMap);
                }

                public void onFailure(Exception exc) {
                    actionListener.onFailure(exc);
                }
            });
            return;
        }
        hashMap.put("size", 0L);
        hashMap.put("fls", false);
        hashMap.put("dls", false);
        actionListener.onResponse(hashMap);
    }

    private void getRoleDescriptor(final String str, final ActionListener<RoleDescriptor> actionListener) {
        if (this.securityIndexExists) {
            executeGetRoleRequest(str, new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.4
                public void onResponse(GetResponse getResponse) {
                    actionListener.onResponse(NativeRolesStore.this.transformRole(getResponse));
                }

                public void onFailure(Exception exc) {
                    if (TransportActions.isShardNotAvailableException(exc)) {
                        Logger logger = NativeRolesStore.this.logger;
                        String str2 = str;
                        logger.warn(() -> {
                            return new ParameterizedMessage("failed to load role [{}] index not available", str2);
                        }, exc);
                        actionListener.onResponse((Object) null);
                        return;
                    }
                    Logger logger2 = NativeRolesStore.this.logger;
                    String str3 = str;
                    logger2.error(() -> {
                        return new ParameterizedMessage("failed to load role [{}]", str3);
                    }, exc);
                    actionListener.onFailure(exc);
                }
            });
        } else {
            actionListener.onResponse((Object) null);
        }
    }

    private void executeGetRoleRequest(String str, ActionListener<GetResponse> actionListener) {
        try {
            this.client.get(this.client.prepareGet(SecurityTemplateService.SECURITY_INDEX_NAME, ROLE_DOC_TYPE, str).request(), actionListener);
        } catch (Exception e) {
            this.logger.error("unable to retrieve role", e);
            actionListener.onFailure(e);
        } catch (IndexNotFoundException e2) {
            this.logger.trace(() -> {
                return new ParameterizedMessage("unable to retrieve role [{}] since security index does not exist", str);
            }, e2);
            actionListener.onResponse(new GetResponse(new GetResult(SecurityTemplateService.SECURITY_INDEX_NAME, ROLE_DOC_TYPE, str, -1L, false, (BytesReference) null, (Map) null)));
        }
    }

    public void reset() {
        State state = state();
        if (state != State.STOPPED && state != State.FAILED) {
            throw new IllegalStateException("can only reset if stopped!!!");
        }
        this.securityIndexExists = false;
        this.canWrite = false;
        this.state.set(State.INITIALIZED);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public <Response> void clearRoleCache(final String str, final ActionListener<Response> actionListener, final Response response) {
        this.securityClient.clearRolesCache(new ClearRolesCacheRequest().names(str), new ActionListener<ClearRolesCacheResponse>() { // from class: org.elasticsearch.xpack.security.authz.store.NativeRolesStore.5
            public void onResponse(ClearRolesCacheResponse clearRolesCacheResponse) {
                actionListener.onResponse(response);
            }

            public void onFailure(Exception exc) {
                Logger logger = NativeRolesStore.this.logger;
                String str2 = str;
                logger.error(() -> {
                    return new ParameterizedMessage("unable to clear cache for role [{}]", str2);
                }, exc);
                actionListener.onFailure(new ElasticsearchException("clearing the cache for [" + str + "] failed. please clear the role cache manually", exc, new Object[0]));
            }
        });
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        this.securityIndexExists = clusterChangedEvent.state().metaData().indices().get(SecurityTemplateService.SECURITY_INDEX_NAME) != null;
        this.canWrite = SecurityTemplateService.securityIndexMappingAndTemplateUpToDate(clusterChangedEvent.state(), this.logger);
    }

    public State state() {
        return this.state.get();
    }

    /* JADX INFO: Access modifiers changed from: private */
    @Nullable
    public RoleDescriptor transformRole(GetResponse getResponse) {
        if (getResponse.isExists()) {
            return transformRole(getResponse.getId(), getResponse.getSourceAsBytesRef(), this.logger, this.licenseState);
        }
        return null;
    }

    @Nullable
    static RoleDescriptor transformRole(String str, BytesReference bytesReference, Logger logger, XPackLicenseState xPackLicenseState) {
        try {
            RoleDescriptor parse = RoleDescriptor.parse(str, bytesReference, true, XContentType.JSON);
            if (xPackLicenseState.isDocumentAndFieldLevelSecurityAllowed()) {
                return parse;
            }
            boolean anyMatch = Arrays.stream(parse.getIndicesPrivileges()).anyMatch((v0) -> {
                return v0.isUsingDocumentLevelSecurity();
            });
            boolean anyMatch2 = Arrays.stream(parse.getIndicesPrivileges()).anyMatch((v0) -> {
                return v0.isUsingFieldLevelSecurity();
            });
            if (!anyMatch && !anyMatch2) {
                return parse;
            }
            ArrayList arrayList = new ArrayList(2);
            if (anyMatch2) {
                arrayList.add("fls");
            }
            if (anyMatch) {
                arrayList.add("dls");
            }
            HashMap hashMap = new HashMap(2);
            hashMap.put("unlicensed_features", arrayList);
            hashMap.put("enabled", false);
            return new RoleDescriptor(parse.getName(), parse.getClusterPrivileges(), parse.getIndicesPrivileges(), parse.getRunAs(), parse.getMetadata(), hashMap);
        } catch (Exception e) {
            logger.error(() -> {
                return new ParameterizedMessage("error in the format of data for role [{}]", str);
            }, e);
            return null;
        }
    }

    public static void addSettings(List<Setting<?>> list) {
        list.add(CACHE_SIZE_SETTING);
        list.add(CACHE_TTL_SETTING);
    }
}
