package org.elasticsearch.xpack.security.audit.logfile;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authz.privilege.SystemPrivilege;
import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.user.XPackUser;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.class */
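/**
 * {@link AuditTrail} implementation that writes every audited security event as one INFO line to a
 * log4j {@link Logger}.
 *
 * <p>Each line has the shape {@code <prefix>[<layer>] [<event_type>]\t<key>=[<value>], ...} where the
 * prefix comes from {@link #resolvePrefix(Settings, DiscoveryNode)} and the layer is {@code rest},
 * {@code transport} or {@code ip_filter}. An event is written only when its {@link AuditLevel} is in
 * the set parsed from the include/exclude settings.
 *
 * <p>Review notes for operators and maintainers:
 * <ul>
 *   <li>Request-derived values (URI, params, principal, action name, request body) are handed to the
 *       logger unmodified; this class does no escaping. If the audit file is parsed line by line,
 *       neutralising line breaks and {@code ]} inside values has to happen in the logging layout or
 *       in the consumer. Neither is visible from this class.</li>
 *   <li>{@code audit.logfile.events.emit_request_body} defaults to {@code false}. When enabled, whatever
 *       {@link AuditUtil#restRequestContent(RestRequest)} returns is written to the log, so the audit
 *       file should then be protected like the request data itself.</li>
 *   <li>The default include list does not contain {@code AUTHENTICATION_SUCCESS},
 *       {@code REALM_AUTHENTICATION_FAILED}, {@code CONNECTION_GRANTED} or
 *       {@code SYSTEM_ACCESS_GRANTED}; those events are logged only when explicitly included.</li>
 * </ul>
 */
public class LoggingAuditTrail extends AbstractComponent implements AuditTrail {
    /** Name under which this audit trail is identified. */
    public static final String NAME = "logfile";

    /** Whether the node's host address is emitted in the line prefix (default {@code false}). */
    public static final Setting<Boolean> HOST_ADDRESS_SETTING = Setting.boolSetting(Security.setting("audit.logfile.prefix.emit_node_host_address"), false, Setting.Property.NodeScope);

    /** Whether the node's host name is emitted in the line prefix (default {@code false}). */
    public static final Setting<Boolean> HOST_NAME_SETTING = Setting.boolSetting(Security.setting("audit.logfile.prefix.emit_node_host_name"), false, Setting.Property.NodeScope);

    /** Whether the node name is emitted in the line prefix (default {@code true}). */
    public static final Setting<Boolean> NODE_NAME_SETTING = Setting.boolSetting(Security.setting("audit.logfile.prefix.emit_node_name"), true, Setting.Property.NodeScope);

    // Event types logged when audit.logfile.events.include is not configured.
    private static final List<String> DEFAULT_EVENT_INCLUDES = Arrays.asList(AuditLevel.ACCESS_DENIED.toString(), AuditLevel.ACCESS_GRANTED.toString(), AuditLevel.ANONYMOUS_ACCESS_DENIED.toString(), AuditLevel.AUTHENTICATION_FAILED.toString(), AuditLevel.CONNECTION_DENIED.toString(), AuditLevel.TAMPERED_REQUEST.toString(), AuditLevel.RUN_AS_DENIED.toString(), AuditLevel.RUN_AS_GRANTED.toString());
    private static final Setting<List<String>> INCLUDE_EVENT_SETTINGS = Setting.listSetting(Security.setting("audit.logfile.events.include"), DEFAULT_EVENT_INCLUDES, Function.identity(), Setting.Property.NodeScope);
    private static final Setting<List<String>> EXCLUDE_EVENT_SETTINGS = Setting.listSetting(Security.setting("audit.logfile.events.exclude"), (List<String>) Collections.emptyList(), Function.identity(), Setting.Property.NodeScope);
    // Off by default: enabling it copies REST request content into the audit file.
    private static final Setting<Boolean> INCLUDE_REQUEST_BODY = Setting.boolSetting(Security.setting("audit.logfile.events.emit_request_body"), false, Setting.Property.NodeScope);

    private final Logger logger;
    private final ClusterService clusterService;
    private final ThreadContext threadContext;
    // Effective set of event types to log, fixed at construction time.
    private final EnumSet<AuditLevel> events;
    private final boolean includeRequestBody;
    // Lazily resolved line prefix; see getPrefix().
    private String prefix;

    /** Returns {@link #NAME}. */
    @Override
    public String name() {
        return NAME;
    }

    /**
     * Creates the audit trail with the class logger and the thread pool's {@link ThreadContext}.
     *
     * @param settings node settings holding the {@code audit.logfile.*} options
     * @param clusterService source of the local node used for the prefix and for local-node origins
     * @param threadPool provides the thread context consulted for the REST remote address
     */
    public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
        this(settings, clusterService, Loggers.getLogger((Class<?>) LoggingAuditTrail.class), threadPool.getThreadContext());
    }

    /**
     * Creates the audit trail with an explicit logger and thread context.
     *
     * @param settings node settings holding the {@code audit.logfile.*} options
     * @param clusterService source of the local node
     * @param logger destination of the audit lines
     * @param threadContext thread context consulted for the REST remote address
     */
    LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {
        super(settings);
        this.logger = logger;
        this.clusterService = clusterService;
        this.threadContext = threadContext;
        this.events = AuditLevel.parse(INCLUDE_EVENT_SETTINGS.get(settings), EXCLUDE_EVENT_SETTINGS.get(settings));
        this.includeRequestBody = INCLUDE_REQUEST_BODY.get(settings);
    }

    /**
     * Returns the line prefix, resolving it from the settings and the local node on first use.
     *
     * <p>The field is not volatile and there is no locking, so concurrent first calls may each
     * compute the prefix; every computation yields an equal string. The field is read once into a
     * local so the returned value is never a second, possibly stale, read of the field.
     */
    private String getPrefix() {
        String resolved = this.prefix;
        if (resolved == null) {
            resolved = resolvePrefix(this.settings, this.clusterService.localNode());
            this.prefix = resolved;
        }
        return resolved;
    }

    /**
     * Logs a successful REST authentication. The line carries principal, realm, URI and params but no
     * {@code origin_address} attribute.
     *
     * @param str name of the realm that authenticated the user
     * @param user the authenticated user
     * @param restRequest the REST request; its URI and params are logged as received
     */
    @Override
    public void authenticationSuccess(String str, User user, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_SUCCESS)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [authentication_success]\t{}, realm=[{}], uri=[{}], params=[{}], request_body=[{}]", getPrefix(), principal(user), str, restRequest.uri(), restRequest.params(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [authentication_success]\t{}, realm=[{}], uri=[{}], params=[{}]", getPrefix(), principal(user), str, restRequest.uri(), restRequest.params());
            }
        }
    }

    /**
     * Logs a successful transport-layer authentication.
     *
     * @param str name of the realm that authenticated the user
     * @param user the authenticated user
     * @param str2 the transport action name
     * @param transportMessage the message; only its origin and simple class name are logged
     */
    @Override
    public void authenticationSuccess(String str, User user, String str2, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_SUCCESS)) {
            this.logger.info("{}[transport] [authentication_success]\t{}, {}, realm=[{}], action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, str2, transportMessage.getClass().getSimpleName());
        }
    }

    /**
     * Logs a transport request rejected because it carried no credentials and anonymous access was
     * not permitted. The {@code indices} attribute is emitted only when indices could be extracted.
     *
     * @param str the transport action name
     * @param transportMessage the rejected message
     */
    @Override
    public void anonymousAccessDenied(String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.ANONYMOUS_ACCESS_DENIED)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [anonymous_access_denied]\t{}, action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [anonymous_access_denied]\t{}, action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a REST request rejected as anonymous.
     *
     * @param restRequest the rejected request; its URI (and body, if enabled) is logged as received
     */
    @Override
    public void anonymousAccessDenied(RestRequest restRequest) {
        if (this.events.contains(AuditLevel.ANONYMOUS_ACCESS_DENIED)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [anonymous_access_denied]\t{}, uri=[{}], request_body=[{}]", getPrefix(), hostAttributes(restRequest), restRequest.uri(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [anonymous_access_denied]\t{}, uri=[{}]", getPrefix(), hostAttributes(restRequest), restRequest.uri());
            }
        }
    }

    /**
     * Logs a failed transport authentication for a token. Only the token's principal is logged, never
     * its credentials.
     *
     * @param authenticationToken the token that failed to authenticate
     * @param str the transport action name
     * @param transportMessage the message being authenticated
     */
    @Override
    public void authenticationFailed(AuthenticationToken authenticationToken, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [authentication_failed]\t{}, principal=[{}], action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), authenticationToken.principal(), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [authentication_failed]\t{}, principal=[{}], action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), authenticationToken.principal(), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a failed REST authentication for which no token is available.
     *
     * @param restRequest the request that failed to authenticate
     */
    @Override
    public void authenticationFailed(RestRequest restRequest) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [authentication_failed]\t{}, uri=[{}], request_body=[{}]", getPrefix(), hostAttributes(restRequest), restRequest.uri(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [authentication_failed]\t{}, uri=[{}]", getPrefix(), hostAttributes(restRequest), restRequest.uri());
            }
        }
    }

    /**
     * Logs a failed transport authentication for which no token is available.
     *
     * @param str the transport action name
     * @param transportMessage the message that failed to authenticate
     */
    @Override
    public void authenticationFailed(String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [authentication_failed]\t{}, action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [authentication_failed]\t{}, action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a failed REST authentication for a token. Only the token's principal is logged.
     *
     * @param authenticationToken the token that failed to authenticate
     * @param restRequest the request carrying the token
     */
    @Override
    public void authenticationFailed(AuthenticationToken authenticationToken, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [authentication_failed]\t{}, principal=[{}], uri=[{}], request_body=[{}]", getPrefix(), hostAttributes(restRequest), authenticationToken.principal(), restRequest.uri(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [authentication_failed]\t{}, principal=[{}], uri=[{}]", getPrefix(), hostAttributes(restRequest), authenticationToken.principal(), restRequest.uri());
            }
        }
    }

    /**
     * Logs a per-realm transport authentication failure. Gated by
     * {@link AuditLevel#REALM_AUTHENTICATION_FAILED}, which is not in the default include list.
     *
     * @param str name of the realm that rejected the token
     * @param authenticationToken the rejected token; only its principal is logged
     * @param str2 the transport action name
     * @param transportMessage the message being authenticated
     */
    @Override
    public void authenticationFailed(String str, AuthenticationToken authenticationToken, String str2, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.REALM_AUTHENTICATION_FAILED)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], action=[{}], indices=[{}], request=[{}]", getPrefix(), str, originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), authenticationToken.principal(), str2, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], action=[{}], request=[{}]", getPrefix(), str, originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), authenticationToken.principal(), str2, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a per-realm REST authentication failure. Gated by
     * {@link AuditLevel#REALM_AUTHENTICATION_FAILED}, which is not in the default include list.
     *
     * @param str name of the realm that rejected the token
     * @param authenticationToken the rejected token; only its principal is logged
     * @param restRequest the request carrying the token
     */
    @Override
    public void authenticationFailed(String str, AuthenticationToken authenticationToken, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.REALM_AUTHENTICATION_FAILED)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}], request_body=[{}]", getPrefix(), str, hostAttributes(restRequest), authenticationToken.principal(), restRequest.uri(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}]", getPrefix(), str, hostAttributes(restRequest), authenticationToken.principal(), restRequest.uri());
            }
        }
    }

    /**
     * Logs a granted authorization. Grants to the system user for an action matching the system
     * privilege, and all grants to the X-Pack user, are gated by
     * {@link AuditLevel#SYSTEM_ACCESS_GRANTED}; every other grant is gated by
     * {@link AuditLevel#ACCESS_GRANTED}. Both kinds are written with the same
     * {@code [access_granted]} tag.
     *
     * @param user the authorized user
     * @param str the transport action name
     * @param transportMessage the authorized message
     */
    @Override
    public void accessGranted(User user, String str, TransportMessage transportMessage) {
        boolean isSystemGrant = (SystemUser.is(user) && SystemPrivilege.INSTANCE.predicate().test(str)) || XPackUser.is(user);
        if ((isSystemGrant && this.events.contains(AuditLevel.SYSTEM_ACCESS_GRANTED)) || (!isSystemGrant && this.events.contains(AuditLevel.ACCESS_GRANTED))) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [access_granted]\t{}, {}, action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [access_granted]\t{}, {}, action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a denied authorization.
     *
     * @param user the user whose request was denied
     * @param str the transport action name
     * @param transportMessage the denied message
     */
    @Override
    public void accessDenied(User user, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.ACCESS_DENIED)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [access_denied]\t{}, {}, action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [access_denied]\t{}, {}, action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a REST request reported as tampered.
     *
     * @param restRequest the offending request
     */
    @Override
    public void tamperedRequest(RestRequest restRequest) {
        if (this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [tampered_request]\t{}, uri=[{}], request_body=[{}]", getPrefix(), hostAttributes(restRequest), restRequest.uri(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [tampered_request]\t{}, uri=[{}]", getPrefix(), hostAttributes(restRequest), restRequest.uri());
            }
        }
    }

    /**
     * Logs a transport message reported as tampered, when no user is known.
     *
     * @param str the transport action name
     * @param transportMessage the offending message
     */
    @Override
    public void tamperedRequest(String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [tampered_request]\t{}, action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [tampered_request]\t{}, action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a transport message reported as tampered, attributed to a user.
     *
     * @param user the user associated with the message
     * @param str the transport action name
     * @param transportMessage the offending message
     */
    @Override
    public void tamperedRequest(User user, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            String indicesString = indicesString(transportMessage);
            if (indicesString != null) {
                this.logger.info("{}[transport] [tampered_request]\t{}, {}, action=[{}], indices=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, indicesString, transportMessage.getClass().getSimpleName());
            } else {
                this.logger.info("{}[transport] [tampered_request]\t{}, {}, action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), principal(user), str, transportMessage.getClass().getSimpleName());
            }
        }
    }

    /**
     * Logs a connection accepted by the IP filter. Gated by {@link AuditLevel#CONNECTION_GRANTED},
     * which is not in the default include list.
     *
     * @param inetAddress the remote address of the connection
     * @param str the transport profile name
     * @param securityIpFilterRule the rule that matched
     */
    @Override
    public void connectionGranted(InetAddress inetAddress, String str, SecurityIpFilterRule securityIpFilterRule) {
        if (this.events.contains(AuditLevel.CONNECTION_GRANTED)) {
            this.logger.info("{}[ip_filter] [connection_granted]\torigin_address=[{}], transport_profile=[{}], rule=[{}]", getPrefix(), NetworkAddress.format(inetAddress), str, securityIpFilterRule);
        }
    }

    /**
     * Logs a connection rejected by the IP filter.
     *
     * @param inetAddress the remote address of the connection
     * @param str the transport profile name
     * @param securityIpFilterRule the rule that matched
     */
    @Override
    public void connectionDenied(InetAddress inetAddress, String str, SecurityIpFilterRule securityIpFilterRule) {
        if (this.events.contains(AuditLevel.CONNECTION_DENIED)) {
            this.logger.info("{}[ip_filter] [connection_denied]\torigin_address=[{}], transport_profile=[{}], rule=[{}]", getPrefix(), NetworkAddress.format(inetAddress), str, securityIpFilterRule);
        }
    }

    /**
     * Logs a granted run-as request with both the authenticating principal and the impersonated one.
     *
     * @param user the run-as user; {@code authenticatedUser()} is the real caller
     * @param str the transport action name
     * @param transportMessage the message
     */
    @Override
    public void runAsGranted(User user, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.RUN_AS_GRANTED)) {
            this.logger.info("{}[transport] [run_as_granted]\t{}, principal=[{}], run_as_principal=[{}], action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), user.authenticatedUser().principal(), user.principal(), str, transportMessage.getClass().getSimpleName());
        }
    }

    /**
     * Logs a denied run-as request on the transport layer with both principals.
     *
     * @param user the run-as user; {@code authenticatedUser()} is the real caller
     * @param str the transport action name
     * @param transportMessage the message
     */
    @Override
    public void runAsDenied(User user, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.RUN_AS_DENIED)) {
            this.logger.info("{}[transport] [run_as_denied]\t{}, principal=[{}], run_as_principal=[{}], action=[{}], request=[{}]", getPrefix(), originAttributes(transportMessage, this.clusterService.localNode(), this.threadContext), user.authenticatedUser().principal(), user.principal(), str, transportMessage.getClass().getSimpleName());
        }
    }

    /**
     * Logs a denied run-as request on the REST layer. Unlike the transport variant, this line carries
     * only {@code user.principal()} and no separate run-as attribute.
     *
     * @param user the user of the denied request
     * @param restRequest the denied request
     */
    @Override
    public void runAsDenied(User user, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.RUN_AS_DENIED)) {
            if (this.includeRequestBody) {
                this.logger.info("{}[rest] [run_as_denied]\t{}, principal=[{}], uri=[{}], request_body=[{}]", getPrefix(), hostAttributes(restRequest), user.principal(), restRequest.uri(), AuditUtil.restRequestContent(restRequest));
            } else {
                this.logger.info("{}[rest] [run_as_denied]\t{}, principal=[{}], uri=[{}]", getPrefix(), hostAttributes(restRequest), user.principal(), restRequest.uri());
            }
        }
    }

    /**
     * Builds the {@code origin_address=[...]} attribute for a REST request.
     *
     * <p>A request without a remote address is rendered as {@code origin_address=[null]} instead of
     * throwing, so that a missing address cannot abort the audit call for a denied or failed request.
     *
     * @param restRequest the REST request
     * @return the formatted attribute
     */
    private static String hostAttributes(RestRequest restRequest) {
        SocketAddress remoteAddress = restRequest.getRemoteAddress();
        String formattedAddress;
        if (remoteAddress instanceof InetSocketAddress) {
            formattedAddress = NetworkAddress.format(((InetSocketAddress) remoteAddress).getAddress());
        } else {
            // String.valueOf tolerates null, unlike remoteAddress.toString().
            formattedAddress = String.valueOf(remoteAddress);
        }
        return "origin_address=[" + formattedAddress + "]";
    }

    /**
     * Builds the {@code origin_type}/{@code origin_address} attributes for a transport message.
     *
     * <p>Resolution order: a REST remote address recorded in the thread context wins
     * ({@code origin_type=[rest]}); otherwise a message without remote address is attributed to the
     * local node ({@code origin_type=[local_node]}); otherwise the message's own remote address is
     * used ({@code origin_type=[transport]}).
     *
     * @param transportMessage the message whose origin is described
     * @param discoveryNode the local node, used when the message has no remote address
     * @param threadContext thread context that may carry the REST remote address
     * @return the formatted attributes
     */
    static String originAttributes(TransportMessage transportMessage, DiscoveryNode discoveryNode, ThreadContext threadContext) {
        StringBuilder sb = new StringBuilder();
        InetSocketAddress restRemoteAddress = RemoteHostHeader.restRemoteAddress(threadContext);
        if (restRemoteAddress != null) {
            sb.append("origin_type=[rest], origin_address=[").append(NetworkAddress.format(restRemoteAddress.getAddress())).append("]");
            return sb.toString();
        }
        TransportAddress remoteAddress = transportMessage.remoteAddress();
        if (remoteAddress == null) {
            return sb.append("origin_type=[local_node], origin_address=[").append(discoveryNode.getHostAddress()).append("]").toString();
        }
        sb.append("origin_type=[transport], ");
        if (remoteAddress instanceof InetSocketTransportAddress) {
            sb.append("origin_address=[").append(NetworkAddress.format(((InetSocketTransportAddress) remoteAddress).address().getAddress())).append("]");
        } else {
            sb.append("origin_address=[").append(remoteAddress).append("]");
        }
        return sb.toString();
    }

    /**
     * Builds the line prefix from the enabled prefix settings, in the order host address, host name,
     * node name. Each enabled, non-null part is rendered as {@code "[value] "}.
     *
     * @param settings node settings; the node name is read from the {@code name} key
     * @param discoveryNode the local node providing host address and host name
     * @return the prefix, possibly empty
     */
    static String resolvePrefix(Settings settings, DiscoveryNode discoveryNode) {
        StringBuilder sb = new StringBuilder();
        if (HOST_ADDRESS_SETTING.get(settings)) {
            String hostAddress = discoveryNode.getHostAddress();
            if (hostAddress != null) {
                sb.append("[").append(hostAddress).append("] ");
            }
        }
        if (HOST_NAME_SETTING.get(settings)) {
            String hostName = discoveryNode.getHostName();
            if (hostName != null) {
                sb.append("[").append(hostName).append("] ");
            }
        }
        if (NODE_NAME_SETTING.get(settings)) {
            String nodeName = settings.get("name");
            if (nodeName != null) {
                sb.append("[").append(nodeName).append("] ");
            }
        }
        return sb.toString();
    }

    /**
     * Returns the indices of a transport message as a comma-delimited string.
     *
     * @param transportMessage the message to inspect
     * @return the joined index names, or {@code null} when {@link AuditUtil#indices} returns {@code null}
     */
    static String indicesString(TransportMessage transportMessage) {
        Set<String> indices = AuditUtil.indices(transportMessage);
        if (indices == null) {
            return null;
        }
        return Strings.collectionToCommaDelimitedString(indices);
    }

    /**
     * Builds the {@code principal=[...]} attribute, followed by {@code run_by_principal=[...]} when
     * the user is a run-as user.
     *
     * @param user the user to describe
     * @return the formatted attribute(s)
     */
    static String principal(User user) {
        StringBuilder sb = new StringBuilder("principal=[");
        sb.append(user.principal());
        if (user.isRunAs()) {
            sb.append("], run_by_principal=[").append(user.authenticatedUser().principal());
        }
        return sb.append("]").toString();
    }

    /**
     * Adds every setting defined by this class to the given list.
     *
     * @param list the list to add the settings to
     */
    public static void registerSettings(List<Setting<?>> list) {
        list.add(HOST_ADDRESS_SETTING);
        list.add(HOST_NAME_SETTING);
        list.add(NODE_NAME_SETTING);
        list.add(INCLUDE_EVENT_SETTINGS);
        list.add(EXCLUDE_EVENT_SETTINGS);
        list.add(INCLUDE_REQUEST_BODY);
    }
}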
