package org.elasticsearch.xpack.security.transport;

import java.util.Map;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportException;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.SecurityContext;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
import org.elasticsearch.xpack.security.user.KibanaUser;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.class */
public class SecurityServerTransportInterceptor extends AbstractComponent implements TransportInterceptor {
    private static final String SETTING_NAME = "xpack.security.type";
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final SSLService sslService;
    private final Map<String, ServerTransportFilter> profileFilters;
    private final XPackLicenseState licenseState;
    private final ThreadPool threadPool;
    private final Settings settings;
    private final SecurityContext securityContext;
    private final boolean reservedRealmEnabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.class */
    public static class ProfileSecuredRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
        private final String action;
        private final TransportRequestHandler<T> handler;
        private final Map<String, ServerTransportFilter> profileFilters;
        private final XPackLicenseState licenseState;
        private final ThreadContext threadContext;
        private final String executorName;
        private final ThreadPool threadPool;
        private final boolean forceExecution;
        private final Logger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        ProfileSecuredRequestHandler(Logger logger, String str, boolean z, String str2, TransportRequestHandler<T> transportRequestHandler, Map<String, ServerTransportFilter> map, XPackLicenseState xPackLicenseState, ThreadPool threadPool) {
            this.logger = logger;
            this.action = str;
            this.executorName = str2;
            this.handler = transportRequestHandler;
            this.profileFilters = map;
            this.licenseState = xPackLicenseState;
            this.threadContext = threadPool.getThreadContext();
            this.threadPool = threadPool;
            this.forceExecution = z;
        }

        AbstractRunnable getReceiveRunnable(final T t, final TransportChannel transportChannel, final Task task) {
            return new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.1
                public boolean isForceExecution() {
                    return ProfileSecuredRequestHandler.this.forceExecution;
                }

                public void onFailure(Exception exc) {
                    try {
                        transportChannel.sendResponse(exc);
                    } catch (Exception e) {
                        e.addSuppressed(exc);
                        ProfileSecuredRequestHandler.this.logger.warn("failed to send exception response for action [" + ProfileSecuredRequestHandler.this.action + "]", e);
                    }
                }

                protected void doRun() throws Exception {
                    ProfileSecuredRequestHandler.this.handler.messageReceived(t, transportChannel, task);
                }
            };
        }

        public String toString() {
            return "ProfileSecuredRequestHandler{action='" + this.action + "', executorName='" + this.executorName + "', forceExecution=" + this.forceExecution + '}';
        }

        public void messageReceived(T t, TransportChannel transportChannel, Task task) throws Exception {
            AbstractRunnable receiveRunnable = getReceiveRunnable(t, transportChannel, task);
            ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
            Throwable th = null;
            try {
                if (this.licenseState.isAuthAllowed()) {
                    String profileName = transportChannel.getProfileName();
                    ServerTransportFilter serverTransportFilter = this.profileFilters.get(profileName);
                    if (serverTransportFilter == null) {
                        if (!".direct".equals(profileName)) {
                            throw new IllegalStateException("transport profile [" + profileName + "] is not associated with a transport filter");
                        }
                        serverTransportFilter = this.profileFilters.get("default");
                    }
                    if (!$assertionsDisabled && serverTransportFilter == null) {
                        throw new AssertionError();
                    }
                    Thread currentThread = Thread.currentThread();
                    CheckedConsumer checkedConsumer = r6 -> {
                        try {
                            (currentThread == Thread.currentThread() ? this.threadPool.executor("same") : this.threadPool.executor(this.executorName)).execute(receiveRunnable);
                        } catch (Exception e) {
                            receiveRunnable.onFailure(e);
                        }
                    };
                    receiveRunnable.getClass();
                    serverTransportFilter.inbound(this.action, t, transportChannel, ActionListener.wrap(checkedConsumer, receiveRunnable::onFailure));
                } else {
                    receiveRunnable.run();
                }
                if (newStoredContext != null) {
                    if (0 == 0) {
                        newStoredContext.close();
                        return;
                    }
                    try {
                        newStoredContext.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                if (newStoredContext != null) {
                    if (0 != 0) {
                        try {
                            newStoredContext.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        newStoredContext.close();
                    }
                }
                throw th3;
            }
        }

        public void messageReceived(T t, TransportChannel transportChannel) throws Exception {
            throw new UnsupportedOperationException("task parameter is required for this operation");
        }

        static {
            $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        }
    }

    public SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authenticationService, AuthorizationService authorizationService, XPackLicenseState xPackLicenseState, SSLService sSLService, SecurityContext securityContext, DestructiveOperations destructiveOperations) {
        super(settings);
        this.settings = settings;
        this.threadPool = threadPool;
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.licenseState = xPackLicenseState;
        this.sslService = sSLService;
        this.securityContext = securityContext;
        this.profileFilters = initializeProfileFilters(destructiveOperations);
        this.reservedRealmEnabled = ((Boolean) XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings)).booleanValue();
    }

    public TransportInterceptor.AsyncSender interceptSender(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.1
            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                if (!SecurityServerTransportInterceptor.this.licenseState.isAuthAllowed()) {
                    asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                    return;
                }
                if (AuthorizationUtils.shouldReplaceUserWithSystem(SecurityServerTransportInterceptor.this.threadPool.getThreadContext(), str)) {
                    SecurityContext securityContext = SecurityServerTransportInterceptor.this.securityContext;
                    User user = SystemUser.INSTANCE;
                    TransportInterceptor.AsyncSender asyncSender2 = asyncSender;
                    securityContext.executeAsUser(user, storedContext -> {
                        SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext), transportResponseHandler), asyncSender2);
                    });
                    return;
                }
                if (!SecurityServerTransportInterceptor.this.reservedRealmEnabled || !connection.getVersion().before(Version.V_5_2_0_UNRELEASED) || !KibanaUser.NAME.equals(SecurityServerTransportInterceptor.this.securityContext.getUser().principal())) {
                    SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, transportResponseHandler, asyncSender);
                    return;
                }
                User user2 = SecurityServerTransportInterceptor.this.securityContext.getUser();
                User user3 = new User(user2.principal(), new String[]{KibanaUser.NAME}, user2.fullName(), user2.email(), user2.metadata(), user2.enabled());
                SecurityContext securityContext2 = SecurityServerTransportInterceptor.this.securityContext;
                TransportInterceptor.AsyncSender asyncSender3 = asyncSender;
                securityContext2.executeAsUser(user3, storedContext2 -> {
                    SecurityServerTransportInterceptor.this.sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext2), transportResponseHandler), asyncSender3);
                });
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public <T extends TransportResponse> void sendWithUser(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler, TransportInterceptor.AsyncSender asyncSender) {
        if (this.securityContext.getAuthentication() == null) {
            throw new IllegalStateException("there should always be a user when sending a message");
        }
        try {
            asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
        } catch (Exception e) {
            transportResponseHandler.handleException(new TransportException("failed sending request", e));
        }
    }

    public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, String str2, boolean z, TransportRequestHandler<T> transportRequestHandler) {
        return new ProfileSecuredRequestHandler(this.logger, str, z, str2, transportRequestHandler, this.profileFilters, this.licenseState, this.threadPool);
    }

    /* JADX WARN: Removed duplicated region for block: B:16:0x0112 A[SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:20:0x00e0 A[SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    protected java.util.Map<java.lang.String, org.elasticsearch.xpack.security.transport.ServerTransportFilter> initializeProfileFilters(org.elasticsearch.action.support.DestructiveOperations r13) {
        /*
            Method dump skipped, instructions count: 428
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.initializeProfileFilters(org.elasticsearch.action.support.DestructiveOperations):java.util.Map");
    }

    ServerTransportFilter transportFilter(String str) {
        return this.profileFilters.get(str);
    }
}
