package org.elasticsearch.xpack.security.authz;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesAction;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.bulk.BulkAction;
import org.elasticsearch.action.delete.DeleteAction;
import org.elasticsearch.action.get.MultiGetAction;
import org.elasticsearch.action.index.IndexAction;
import org.elasticsearch.action.search.ClearScrollAction;
import org.elasticsearch.action.search.MultiSearchAction;
import org.elasticsearch.action.search.SearchScrollAction;
import org.elasticsearch.action.search.SearchTransportService;
import org.elasticsearch.action.support.replication.TransportReplicationAction;
import org.elasticsearch.action.termvectors.MultiTermVectorsAction;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.index.reindex.ReindexAction;
import org.elasticsearch.percolator.MultiPercolateAction;
import org.elasticsearch.script.mustache.MultiSearchTemplateAction;
import org.elasticsearch.script.mustache.SearchTemplateAction;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.common.action.XPackDeleteByQueryAction;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.SecurityTemplateService;
import org.elasticsearch.xpack.security.action.user.AuthenticateAction;
import org.elasticsearch.xpack.security.action.user.ChangePasswordAction;
import org.elasticsearch.xpack.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.security.action.user.UserRequest;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
import org.elasticsearch.xpack.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.security.support.Automatons;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.AnonymousUser;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.user.XPackUser;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authz/AuthorizationService.class */
public class AuthorizationService extends AbstractComponent {
    public static final Setting<Boolean> ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING;
    public static final String INDICES_PERMISSIONS_KEY = "_indices_permissions";
    public static final String ORIGINATING_ACTION_KEY = "_originating_action_name";
    private static final Predicate<String> MONITOR_INDEX_PREDICATE;
    private static final Predicate<String> SAME_USER_PRIVILEGE;
    private static final String INDEX_SUB_REQUEST_PRIMARY = "indices:data/write/index[p]";
    private static final String INDEX_SUB_REQUEST_REPLICA = "indices:data/write/index[r]";
    private static final String DELETE_SUB_REQUEST_PRIMARY = "indices:data/write/delete[p]";
    private static final String DELETE_SUB_REQUEST_REPLICA = "indices:data/write/delete[r]";
    private final ClusterService clusterService;
    private final CompositeRolesStore rolesStore;
    private final AuditTrailService auditTrail;
    private final IndicesAndAliasesResolver indicesAndAliasesResolver;
    private final AuthenticationFailureHandler authcFailureHandler;
    private final ThreadContext threadContext;
    private final AnonymousUser anonymousUser;
    private final FieldPermissionsCache fieldPermissionsCache;
    private final boolean isAnonymousEnabled;
    private final boolean anonymousAuthzExceptionEnabled;
    static final /* synthetic */ boolean $assertionsDisabled;

    public AuthorizationService(Settings settings, CompositeRolesStore compositeRolesStore, ClusterService clusterService, AuditTrailService auditTrailService, AuthenticationFailureHandler authenticationFailureHandler, ThreadPool threadPool, AnonymousUser anonymousUser) {
        super(settings);
        this.rolesStore = compositeRolesStore;
        this.clusterService = clusterService;
        this.auditTrail = auditTrailService;
        this.indicesAndAliasesResolver = new IndicesAndAliasesResolver(new IndexNameExpressionResolver(settings));
        this.authcFailureHandler = authenticationFailureHandler;
        this.threadContext = threadPool.getThreadContext();
        this.anonymousUser = anonymousUser;
        this.isAnonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);
        this.anonymousAuthzExceptionEnabled = ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING.get(settings).booleanValue();
        this.fieldPermissionsCache = new FieldPermissionsCache(settings);
    }

    public void authorize(Authentication authentication, String str, TransportRequest transportRequest, Role role, Role role2) throws ElasticsearchSecurityException {
        if (transportRequest instanceof TransportReplicationAction.ConcreteShardRequest) {
            transportRequest = ((TransportReplicationAction.ConcreteShardRequest) transportRequest).getRequest();
        }
        TransportRequest unwrapRequest = TransportActionProxy.unwrapRequest(transportRequest);
        setOriginatingAction(str);
        if (SystemUser.is(authentication.getUser())) {
            if (!SystemUser.isAuthorized(str) || !SystemUser.is(authentication.getUser())) {
                throw denial(authentication, str, unwrapRequest);
            }
            setIndicesAccessControl(IndicesAccessControl.ALLOW_ALL);
            grant(authentication, str, unwrapRequest);
            return;
        }
        Role role3 = role;
        if (authentication.getUser().isRunAs()) {
            if (authentication.getLookedUpBy() == null) {
                throw denyRunAs(authentication, str, unwrapRequest);
            }
            if (!role3.runAs().check(authentication.getUser().principal())) {
                throw denyRunAs(authentication, str, unwrapRequest);
            }
            grantRunAs(authentication, str, unwrapRequest);
            role3 = role2;
        }
        if (ClusterPrivilege.ACTION_MATCHER.test(str)) {
            if (!role3.cluster().check(str) && !checkSameUserPermissions(str, unwrapRequest, authentication)) {
                throw denial(authentication, str, unwrapRequest);
            }
            setIndicesAccessControl(IndicesAccessControl.ALLOW_ALL);
            grant(authentication, str, unwrapRequest);
            return;
        }
        if (!IndexPrivilege.ACTION_MATCHER.test(str)) {
            throw denial(authentication, str, unwrapRequest);
        }
        if (isCompositeAction(str)) {
            if (!(unwrapRequest instanceof CompositeIndicesRequest)) {
                throw new IllegalStateException("Composite actions must implement " + CompositeIndicesRequest.class.getSimpleName() + ", " + unwrapRequest.getClass().getSimpleName() + " doesn't");
            }
            if (!role3.indices().check(str)) {
                throw denial(authentication, str, unwrapRequest);
            }
            grant(authentication, str, unwrapRequest);
            return;
        }
        if (isTranslatedToBulkAction(str)) {
            if (!(unwrapRequest instanceof CompositeIndicesRequest)) {
                throw new IllegalStateException("Bulk translated actions must implement " + CompositeIndicesRequest.class.getSimpleName() + ", " + unwrapRequest.getClass().getSimpleName() + " doesn't");
            }
            if (!role3.indices().check(str)) {
                throw denial(authentication, str, unwrapRequest);
            }
            grant(authentication, str, unwrapRequest);
            return;
        }
        if (XPackDeleteByQueryAction.NAME.equals(str) && !XPackUser.is(authentication.getUser())) {
            throw denial(authentication, str, unwrapRequest);
        }
        if (!(unwrapRequest instanceof IndicesRequest) && !(unwrapRequest instanceof IndicesAliasesRequest)) {
            if (isScrollRelatedAction(str)) {
                grant(authentication, str, unwrapRequest);
                return;
            } else {
                if (!$assertionsDisabled) {
                    throw new AssertionError("only scroll related requests are known indices api that don't support retrieving the indices they relate to");
                }
                throw denial(authentication, str, unwrapRequest);
            }
        }
        if (!role3.indices().check(str)) {
            throw denial(authentication, str, unwrapRequest);
        }
        MetaData metaData = this.clusterService.state().metaData();
        Set<String> resolveIndexNames = resolveIndexNames(authentication, str, unwrapRequest, metaData, new AuthorizedIndices(authentication.getUser(), role3, str, metaData));
        if (!$assertionsDisabled && resolveIndexNames.isEmpty()) {
            throw new AssertionError("every indices request needs to have its indices set thus the resolved indices must not be empty");
        }
        if (resolveIndexNames.size() == 1 && resolveIndexNames.contains(IndicesAndAliasesResolver.NO_INDEX_PLACEHOLDER)) {
            setIndicesAccessControl(IndicesAccessControl.ALLOW_NO_INDICES);
            grant(authentication, str, unwrapRequest);
            return;
        }
        IndicesAccessControl authorize = role3.authorize(str, resolveIndexNames, metaData, this.fieldPermissionsCache);
        if (!authorize.isGranted()) {
            throw denial(authentication, str, unwrapRequest);
        }
        if (authorize.getIndexPermissions(SecurityTemplateService.SECURITY_INDEX_NAME) != null && authorize.getIndexPermissions(SecurityTemplateService.SECURITY_INDEX_NAME).isGranted() && !XPackUser.is(authentication.getUser()) && !MONITOR_INDEX_PREDICATE.test(str) && !isSuperuser(authentication.getUser())) {
            this.logger.debug("user [{}] attempted to directly perform [{}] against the security index [{}]", authentication.getUser().principal(), str, SecurityTemplateService.SECURITY_INDEX_NAME);
            throw denial(authentication, str, unwrapRequest);
        }
        setIndicesAccessControl(authorize);
        if (IndexPrivilege.CREATE_INDEX_MATCHER.test(str)) {
            if (!$assertionsDisabled && !(unwrapRequest instanceof CreateIndexRequest)) {
                throw new AssertionError();
            }
            Set<Alias> aliases = ((CreateIndexRequest) unwrapRequest).aliases();
            if (!aliases.isEmpty()) {
                HashSet newHashSet = Sets.newHashSet(resolveIndexNames);
                Iterator<Alias> it = aliases.iterator();
                while (it.hasNext()) {
                    newHashSet.add(it.next().name());
                }
                if (!role3.authorize(IndicesAliasesAction.NAME, newHashSet, metaData, this.fieldPermissionsCache).isGranted()) {
                    throw denial(authentication, IndicesAliasesAction.NAME, unwrapRequest);
                }
            }
        }
        grant(authentication, str, transportRequest);
    }

    private Set<String> resolveIndexNames(Authentication authentication, String str, TransportRequest transportRequest, MetaData metaData, AuthorizedIndices authorizedIndices) {
        try {
            return this.indicesAndAliasesResolver.resolve(transportRequest, metaData, authorizedIndices);
        } catch (Exception e) {
            this.auditTrail.accessDenied(authentication.getUser(), str, transportRequest);
            throw e;
        }
    }

    private void setIndicesAccessControl(IndicesAccessControl indicesAccessControl) {
        if (this.threadContext.getTransient(INDICES_PERMISSIONS_KEY) == null) {
            this.threadContext.putTransient(INDICES_PERMISSIONS_KEY, indicesAccessControl);
        }
    }

    private void setOriginatingAction(String str) {
        if (((String) this.threadContext.getTransient(ORIGINATING_ACTION_KEY)) == null) {
            this.threadContext.putTransient(ORIGINATING_ACTION_KEY, str);
        }
    }

    public void roles(User user, ActionListener<Role> actionListener) {
        if (SystemUser.is(user)) {
            throw new IllegalArgumentException("the user [" + user.principal() + "] is the system user and we should never try to get its roles");
        }
        if (XPackUser.is(user)) {
            if (!$assertionsDisabled && (XPackUser.INSTANCE.roles().length != 1 || !ReservedRolesStore.SUPERUSER_ROLE.name().equals(XPackUser.INSTANCE.roles()[0]))) {
                throw new AssertionError();
            }
            actionListener.onResponse(ReservedRolesStore.SUPERUSER_ROLE);
            return;
        }
        HashSet hashSet = new HashSet();
        Collections.addAll(hashSet, user.roles());
        if (this.isAnonymousEnabled && !this.anonymousUser.equals(user)) {
            if (this.anonymousUser.roles().length == 0) {
                throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
            }
            Collections.addAll(hashSet, this.anonymousUser.roles());
        }
        if (hashSet.isEmpty()) {
            actionListener.onResponse(Role.EMPTY);
        } else if (hashSet.contains(ReservedRolesStore.SUPERUSER_ROLE.name())) {
            actionListener.onResponse(ReservedRolesStore.SUPERUSER_ROLE);
        } else {
            this.rolesStore.roles(hashSet, this.fieldPermissionsCache, actionListener);
        }
    }

    private static boolean isCompositeAction(String str) {
        return str.equals(BulkAction.NAME) || str.equals(MultiGetAction.NAME) || str.equals(MultiTermVectorsAction.NAME) || str.equals(MultiSearchAction.NAME) || str.equals(MultiPercolateAction.NAME) || str.equals(MultiSearchTemplateAction.NAME) || str.equals(SearchTemplateAction.NAME) || str.equals(ReindexAction.NAME);
    }

    private static boolean isTranslatedToBulkAction(String str) {
        return str.equals(IndexAction.NAME) || str.equals(DeleteAction.NAME) || str.equals(INDEX_SUB_REQUEST_PRIMARY) || str.equals(INDEX_SUB_REQUEST_REPLICA) || str.equals(DELETE_SUB_REQUEST_PRIMARY) || str.equals(DELETE_SUB_REQUEST_REPLICA);
    }

    private static boolean isScrollRelatedAction(String str) {
        return str.equals(SearchScrollAction.NAME) || str.equals(SearchTransportService.FETCH_ID_SCROLL_ACTION_NAME) || str.equals(SearchTransportService.QUERY_FETCH_SCROLL_ACTION_NAME) || str.equals(SearchTransportService.QUERY_SCROLL_ACTION_NAME) || str.equals(SearchTransportService.FREE_CONTEXT_SCROLL_ACTION_NAME) || str.equals(ClearScrollAction.NAME) || str.equals(SearchTransportService.CLEAR_SCROLL_CONTEXTS_ACTION_NAME);
    }

    /* JADX WARN: Multi-variable type inference failed */
    static boolean checkSameUserPermissions(String str, TransportRequest transportRequest, Authentication authentication) {
        if (!SAME_USER_PRIVILEGE.test(str)) {
            return false;
        }
        if (!(transportRequest instanceof UserRequest)) {
            if ($assertionsDisabled) {
                return false;
            }
            throw new AssertionError("right now only a user request should be allowed");
        }
        String[] usernames = ((UserRequest) transportRequest).usernames();
        if (usernames == null || usernames.length != 1 || usernames[0] == null) {
            if ($assertionsDisabled) {
                return false;
            }
            throw new AssertionError("this role should only be used for actions to apply to a single user");
        }
        boolean equals = authentication.getUser().principal().equals(usernames[0]);
        if (equals && ChangePasswordAction.NAME.equals(str)) {
            return checkChangePasswordAction(authentication);
        }
        if ($assertionsDisabled || AuthenticateAction.NAME.equals(str) || HasPrivilegesAction.NAME.equals(str) || !equals) {
            return equals;
        }
        throw new AssertionError("Action '" + str + "' should not be possible when sameUsername=" + equals);
    }

    private static boolean checkChangePasswordAction(Authentication authentication) {
        String type = authentication.getUser().isRunAs() ? authentication.getLookedUpBy().getType() : authentication.getAuthenticatedBy().getType();
        if ($assertionsDisabled || type != null) {
            return ReservedRealm.TYPE.equals(type) || "native".equals(type);
        }
        throw new AssertionError();
    }

    private ElasticsearchSecurityException denial(Authentication authentication, String str, TransportRequest transportRequest) {
        this.auditTrail.accessDenied(authentication.getUser(), str, transportRequest);
        return denialException(authentication, str);
    }

    private ElasticsearchSecurityException denyRunAs(Authentication authentication, String str, TransportRequest transportRequest) {
        this.auditTrail.runAsDenied(authentication.getUser(), str, transportRequest);
        return denialException(authentication, str);
    }

    private void grant(Authentication authentication, String str, TransportRequest transportRequest) {
        this.auditTrail.accessGranted(authentication.getUser(), str, transportRequest);
    }

    private void grantRunAs(Authentication authentication, String str, TransportRequest transportRequest) {
        this.auditTrail.runAsGranted(authentication.getUser(), str, transportRequest);
    }

    private ElasticsearchSecurityException denialException(Authentication authentication, String str) {
        User authenticatedUser = authentication.getUser().authenticatedUser();
        if (this.isAnonymousEnabled && this.anonymousUser.equals(authenticatedUser) && !this.anonymousAuthzExceptionEnabled) {
            throw this.authcFailureHandler.authenticationRequired(str, this.threadContext);
        }
        return authentication.getUser().isRunAs() ? Exceptions.authorizationError("action [{}] is unauthorized for user [{}] run as [{}]", str, authenticatedUser.principal(), authentication.getUser().principal()) : Exceptions.authorizationError("action [{}] is unauthorized for user [{}]", str, authenticatedUser.principal());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isSuperuser(User user) {
        Stream stream = Arrays.stream(user.roles());
        String name = ReservedRolesStore.SUPERUSER_ROLE.name();
        name.getClass();
        return stream.anyMatch((v1) -> {
            return r1.equals(v1);
        });
    }

    public static void addSettings(List<Setting<?>> list) {
        list.add(ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING);
    }

    static {
        $assertionsDisabled = !AuthorizationService.class.desiredAssertionStatus();
        ANONYMOUS_AUTHORIZATION_EXCEPTION_SETTING = Setting.boolSetting(Security.setting("authc.anonymous.authz_exception"), true, Setting.Property.NodeScope);
        MONITOR_INDEX_PREDICATE = IndexPrivilege.MONITOR.predicate();
        SAME_USER_PRIVILEGE = Automatons.predicate(ChangePasswordAction.NAME, AuthenticateAction.NAME, HasPrivilegesAction.NAME);
    }
}
