package org.elasticsearch.shield.action;

import com.google.common.base.Predicate;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.search.ClearScrollRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.search.SearchScrollRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.license.plugin.core.LicenseUtils;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.shield.InternalSystemUser;
import org.elasticsearch.shield.ShieldPlugin;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.action.interceptor.RequestInterceptor;
import org.elasticsearch.shield.audit.AuditTrail;
import org.elasticsearch.shield.authc.AuthenticationService;
import org.elasticsearch.shield.authz.AuthorizationService;
import org.elasticsearch.shield.authz.Privilege;
import org.elasticsearch.shield.crypto.CryptoService;
import org.elasticsearch.shield.license.ShieldLicenseState;
import org.elasticsearch.shield.support.Exceptions;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:org/elasticsearch/shield/action/ShieldActionFilter.class */
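/**
 * Action filter that gates every action request on license state, authentication and
 * authorization, verifies the signature of scroll ids on incoming scroll requests, and signs
 * scroll ids on outgoing search responses.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li>When {@code licenseState.securityEnabled()} is false, requests that do not match
 *       {@link #SECURITY_ACTION_MATCHER} are passed down the chain with no authentication,
 *       authorization, scroll-id verification or response signing.</li>
 *   <li>Scroll ids are only verified for {@link SearchScrollRequest} and
 *       {@link ClearScrollRequest}; a failed verification is recorded through
 *       {@link AuditTrail#tamperedRequest} before the request is rejected.</li>
 * </ul>
 */
public class ShieldActionFilter extends AbstractComponent implements ActionFilter {
    /** Actions blocked once {@code licenseState.statsAndHealthEnabled()} reports false. */
    private static final Predicate<String> LICENSE_EXPIRATION_ACTION_MATCHER = Privilege.HEALTH_AND_STATS.predicate();
    /** Security administration actions; rejected outright when security is not licensed. */
    private static final Predicate<String> SECURITY_ACTION_MATCHER = new Privilege.General("_security_matcher", "cluster:admin/xpack/security*", "cluster:admin/shield*").predicate();
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final CryptoService cryptoService;
    private final AuditTrail auditTrail;
    private final ShieldActionMapper actionMapper;
    private final Set<RequestInterceptor> requestInterceptors;
    private final ShieldLicenseState licenseState;
    private final DestructiveOperations destructiveOperations;

    /**
     * Listener wrapper that signs a response (see {@link ShieldActionFilter#sign}) before
     * handing it to the wrapped listener. Failures are forwarded unchanged.
     */
    static class SigningListener<Response extends ActionResponse> implements ActionListener<Response> {
        private final ShieldActionFilter filter;
        private final ActionListener innerListener;

        private SigningListener(ShieldActionFilter shieldActionFilter, ActionListener actionListener) {
            this.filter = shieldActionFilter;
            this.innerListener = actionListener;
        }

        public void onResponse(Response response) {
            try {
                this.innerListener.onResponse(this.filter.sign(response));
            } catch (IOException e) {
                // A response that cannot be signed is reported as a failure, so the unsigned
                // response never reaches the wrapped listener.
                onFailure(e);
            }
        }

        public void onFailure(Throwable th) {
            this.innerListener.onFailure(th);
        }
    }

    @Inject
    public ShieldActionFilter(Settings settings, AuthenticationService authenticationService, AuthorizationService authorizationService, CryptoService cryptoService, AuditTrail auditTrail, ShieldLicenseState shieldLicenseState, ShieldActionMapper shieldActionMapper, Set<RequestInterceptor> set, DestructiveOperations destructiveOperations) {
        super(settings);
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.cryptoService = cryptoService;
        this.auditTrail = auditTrail;
        this.actionMapper = shieldActionMapper;
        this.licenseState = shieldLicenseState;
        this.requestInterceptors = set;
        this.destructiveOperations = destructiveOperations;
    }

    /**
     * Applies the security checks to an incoming action request and, if they pass, forwards
     * the request down the filter chain.
     *
     * <p>Order of checks when security is licensed: destructive-operation guard, action name
     * mapping, authentication, authorization, scroll-id signature verification, request
     * interceptors. The response listener is wrapped so scroll ids in the response are signed.
     *
     * @param task the task passed through to the chain
     * @param str the action name as received; this name, not the mapped one, is forwarded
     * @param actionRequest the request to check; scroll requests are modified in place
     * @param actionListener receives the response or any failure raised inside the checks
     * @param actionFilterChain the remaining filter chain
     * @throws RuntimeException thrown directly (not routed to {@code actionListener}) when a
     *     health/stats action is blocked by license expiration; the concrete type is whatever
     *     {@code LicenseUtils.newComplianceException} returns
     */
    public void apply(Task task, String str, ActionRequest actionRequest, ActionListener actionListener, ActionFilterChain actionFilterChain) {
        // This check sits outside the try block below, so the exception propagates to the
        // caller instead of being delivered through actionListener.onFailure.
        if (!this.licenseState.statsAndHealthEnabled() && LICENSE_EXPIRATION_ACTION_MATCHER.apply(str)) {
            this.logger.error("blocking [{}] operation due to expired license. Cluster health, cluster stats and indices stats \noperations are blocked on shield license expiration. All data operations (read and write) continue to work. \nIf you have a new license, please update it. Otherwise, please reach out to your support contact.", new Object[]{str});
            throw LicenseUtils.newComplianceException(ShieldPlugin.NAME);
        }
        try {
            if (this.licenseState.securityEnabled()) {
                if ("indices:admin/close".equals(str) || "indices:admin/open".equals(str) || "indices:admin/delete".equals(str)) {
                    // NOTE(review): this guard runs before authenticate(), so its failure is
                    // returned to callers that have not been authenticated yet and is not
                    // reported to the audit trail from here.
                    try {
                        this.destructiveOperations.failDestructive(((IndicesRequest) actionRequest).indices());
                    } catch (IllegalArgumentException e) {
                        actionListener.onFailure(e);
                        return;
                    }
                }
                // Authentication and authorization use the mapped action name.
                String action = this.actionMapper.action(str, actionRequest);
                // NOTE(review): InternalSystemUser.INSTANCE is presumably the fallback identity
                // used when the request carries no credentials; confirm against
                // AuthenticationService, since that decides what an unauthenticated
                // in-process request is allowed to do.
                User authenticate = this.authcService.authenticate(action, actionRequest, InternalSystemUser.INSTANCE);
                this.authzService.authorize(authenticate, action, actionRequest);
                // Verification happens after authorization, so a tampered scroll id is audited
                // against the authenticated user.
                TransportRequest unsign = unsign(authenticate, action, actionRequest);
                for (RequestInterceptor requestInterceptor : this.requestInterceptors) {
                    if (requestInterceptor.supports(unsign)) {
                        requestInterceptor.intercept(unsign, authenticate);
                    }
                }
                // The listener constructor takes the owning filter as its first argument; the
                // decompiled call omitted it and did not match any declared constructor.
                actionFilterChain.proceed(task, str, unsign, new SigningListener(this, actionListener));
            } else if (SECURITY_ACTION_MATCHER.apply(str)) {
                actionListener.onFailure(new ElasticsearchSecurityException("{} is not licensed", RestStatus.BAD_REQUEST, new Object[]{ShieldPlugin.NAME}));
            } else {
                // Security is not licensed: the request proceeds with no authentication,
                // authorization or scroll-id handling.
                actionFilterChain.proceed(task, str, actionRequest, actionListener);
            }
        } catch (Throwable th) {
            // Authentication, authorization and verification failures all surface here and are
            // reported through the listener rather than thrown.
            actionListener.onFailure(th);
        }
    }

    /** Passes responses through untouched; signing is done by {@link SigningListener}. */
    public void apply(String str, ActionResponse actionResponse, ActionListener actionListener, ActionFilterChain actionFilterChain) {
        actionFilterChain.proceed(str, actionResponse, actionListener);
    }

    /**
     * Returns {@code Integer.MIN_VALUE}.
     *
     * <p>NOTE(review): presumably this places the filter ahead of all others so no filter
     * sees a request before the security checks; confirm how {@code ActionFilter} orders.
     */
    public int order() {
        return Integer.MIN_VALUE;
    }

    /**
     * Verifies and strips the signature from scroll ids carried by scroll requests, replacing
     * them in place on the request. Other request types are returned unchanged.
     *
     * @param user the authenticated user, recorded in the audit trail on failure
     * @param str the action name, recorded in the audit trail on failure
     * @param request the request to process
     * @return the same request instance
     * @throws RuntimeException the error built by {@code Exceptions.authorizationError} when
     *     {@code unsignAndVerify} rejects an id with {@link IllegalArgumentException} or
     *     {@link IllegalStateException}
     */
    <Request extends ActionRequest> Request unsign(User user, String str, Request request) {
        try {
            if (request instanceof SearchScrollRequest) {
                SearchScrollRequest searchScrollRequest = (SearchScrollRequest) request;
                searchScrollRequest.scrollId(this.cryptoService.unsignAndVerify(searchScrollRequest.scrollId()));
                return request;
            }
            if (!(request instanceof ClearScrollRequest)) {
                return request;
            }
            ClearScrollRequest clearScrollRequest = (ClearScrollRequest) request;
            // NOTE(review): when the list contains "_all", none of its entries are verified,
            // including any other ids sent alongside it. Confirm that downstream handling
            // treats such a list purely as "clear all" and ignores the remaining entries.
            if (!clearScrollRequest.scrollIds().contains("_all")) {
                List<?> scrollIds = clearScrollRequest.scrollIds();
                List<String> verifiedIds = new ArrayList<>(scrollIds.size());
                for (Object scrollId : scrollIds) {
                    verifiedIds.add(this.cryptoService.unsignAndVerify((String) scrollId));
                }
                clearScrollRequest.scrollIds(verifiedIds);
            }
            return request;
        } catch (IllegalArgumentException | IllegalStateException e) {
            this.auditTrail.tamperedRequest(user, str, request);
            // NOTE(review): the verification error text is embedded in the error built for the
            // caller; assumes CryptoService messages carry nothing sensitive — confirm.
            throw Exceptions.authorizationError("invalid request. {}", e.getMessage());
        }
    }

    /**
     * Signs the scroll id of a {@link SearchResponse} in place, unless it is absent or
     * {@code cryptoService.signed} already reports it as signed. Other response types are
     * returned unchanged.
     *
     * <p>The decompiler widened this method from {@code private} to {@code public}; within
     * this file it is only called from {@link SigningListener}.
     *
     * @param response the response about to be returned to the caller
     * @return the same response instance
     * @throws IOException if signing fails
     */
    /* JADX INFO: Access modifiers changed from: private */
    public <Response extends ActionResponse> Response sign(Response response) throws IOException {
        if (!(response instanceof SearchResponse)) {
            return response;
        }
        SearchResponse searchResponse = (SearchResponse) response;
        String scrollId = searchResponse.getScrollId();
        if (scrollId != null && !this.cryptoService.signed(scrollId)) {
            searchResponse.scrollId(this.cryptoService.sign(scrollId));
        }
        return response;
    }
}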
