package com.floragunn.searchguard.privileges.extended_action_handling;

import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.indices.IndexCleanupAgent;
import com.google.common.base.Objects;
import java.time.Instant;
import java.util.Arrays;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/privileges/extended_action_handling/ResourceOwnerService.class */
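/**
 * Records which user created a resource and enforces that later actions on that resource are
 * performed by the same user.
 *
 * <p>Ownership is kept as one document per resource in the {@code .searchguard_resource_owner}
 * index, keyed by {@code <resource type>_<resource id>} and holding the owner's user name and an
 * expiry timestamp. The service plugs into the action filter chain in three places: an owner check
 * before an action that uses a resource, an owner record after an action that creates one, and a
 * record removal after an action that deletes one.
 *
 * <p>NOTE(review): this listing is decompiler output. Several members were widened to
 * {@code public} by the decompiler; the visibilities are kept as listed so existing callers of
 * this listing are unaffected.
 */
public class ResourceOwnerService {
    public static final Setting<Integer> MAX_CHECK_RETRIES = Setting.intSetting(
            "searchguard.resource_owner_handling.retry_owner_check.max", 1, Setting.Property.NodeScope, Setting.Property.Filtered);
    public static final Setting<Integer> CHECK_RETRY_DELAY = Setting.intSetting(
            "searchguard.resource_owner_handling.retry_owner_check.delay_ms", 10, Setting.Property.NodeScope, Setting.Property.Filtered);
    public static final Setting<TimeValue> CLEANUP_INTERVAL = Setting.timeSetting(
            "searchguard.resource_owner_handling.cleanup_interval", TimeValue.timeValueHours(1), TimeValue.timeValueMinutes(1),
            Setting.Property.NodeScope, Setting.Property.Filtered);
    public static final Setting<TimeValue> DEFAULT_RESOURCE_LIFETIME = Setting.timeSetting(
            "searchguard.resource_owner_handling.resource.default_lifetime", TimeValue.timeValueDays(7), TimeValue.timeValueMinutes(1),
            Setting.Property.NodeScope, Setting.Property.Filtered);
    public static final Setting<String> REFRESH_POLICY = Setting.simpleString(
            "searchguard.resource_owner_handling.index.refresh_on_write", WriteRequest.RefreshPolicy.IMMEDIATE.getValue(),
            Setting.Property.NodeScope, Setting.Property.Filtered);
    public static final List<Setting<?>> SUPPORTED_SETTINGS = Arrays.asList(MAX_CHECK_RETRIES, CHECK_RETRY_DELAY, CLEANUP_INTERVAL,
            DEFAULT_RESOURCE_LIFETIME, REFRESH_POLICY);
    private static final Logger log = LogManager.getLogger(ResourceOwnerService.class);

    // Name of the index holding the owner documents; every read and write below goes through it.
    private final String index = ".searchguard_resource_owner";
    private final PrivilegedConfigClient privilegedConfigClient;
    private final IndexCleanupAgent indexCleanupAgent;
    private final PrivilegesEvaluator privilegesEvaluator;
    private final int maxCheckRetries;
    private final long checkRetryDelay;
    private final TimeValue defaultResourceLifetime;
    private final WriteRequest.RefreshPolicy refreshPolicy;

    /** Successful result of an owner check; carries the owner document that was read. */
    public static class CheckOwnerResponse {
        private final GetResponse getResponse;

        CheckOwnerResponse(GetResponse getResponse) {
            this.getResponse = getResponse;
        }

        public GetResponse getGetResponse() {
            return this.getResponse;
        }
    }

    /**
     * Filter chain link that lets the request continue only after {@link #checkOwner} has confirmed
     * that the current user owns the referenced resource. A failed check is reported to the
     * request's listener and the rest of the chain is never invoked.
     */
    public class OwnerCheckPreAction<Request extends ActionRequest, Response extends ActionResponse> extends PreAction<Request, Response> {
        private final Action.WellKnownAction.Resource resource;
        private final Object resourceId;
        private final User currentUser;

        OwnerCheckPreAction(Action.WellKnownAction.Resource resource, Object resourceId, User currentUser,
                ActionFilterChain<Request, Response> next) {
            super(next);
            this.currentUser = currentUser;
            this.resource = resource;
            this.resourceId = resourceId;
        }

        @Override
        public void proceed(final Task task, final String action, final Request request, final ActionListener<Response> listener) {
            ResourceOwnerService.this.checkOwner(this.resource.getType(), this.resourceId, this.currentUser,
                    new ActionListener<CheckOwnerResponse>() {
                        @Override
                        public void onResponse(CheckOwnerResponse checkOwnerResponse) {
                            // Ownership confirmed: hand the request to the remainder of the chain.
                            OwnerCheckPreAction.this.next.proceed(task, action, request, listener);
                        }

                        @Override
                        public void onFailure(Exception e) {
                            // Not the owner, no owner record, or lookup error: the action is not executed.
                            listener.onFailure(e);
                        }
                    });
        }
    }

    /** Base class for chain links that run before the wrapped chain; holds the link to run next. */
    public abstract class PreAction<Request extends ActionRequest, Response extends ActionResponse> implements ActionFilterChain<Request, Response> {
        protected final ActionFilterChain<Request, Response> next;

        PreAction(ActionFilterChain<Request, Response> next) {
            this.next = next;
        }
    }

    /**
     * Reads the retry, lifetime and refresh settings, starts the cleanup agent for the owner index
     * and adds the owner index to {@code protectedIndices}.
     */
    public ResourceOwnerService(Client client, ClusterService clusterService, ThreadPool threadPool,
            SearchGuardPlugin.ProtectedIndices protectedIndices, PrivilegesEvaluator privilegesEvaluator, Settings settings) {
        this.privilegedConfigClient = PrivilegedConfigClient.adapt(client);
        this.maxCheckRetries = MAX_CHECK_RETRIES.get(settings);
        this.checkRetryDelay = CHECK_RETRY_DELAY.get(settings);
        this.defaultResourceLifetime = DEFAULT_RESOURCE_LIFETIME.get(settings);
        this.refreshPolicy = WriteRequest.RefreshPolicy.parse(REFRESH_POLICY.get(settings));
        this.privilegesEvaluator = privilegesEvaluator;
        this.indexCleanupAgent = new IndexCleanupAgent(this.index, CLEANUP_INTERVAL.get(settings), this.privilegedConfigClient,
                clusterService, threadPool);
        protectedIndices.add(this.index);
    }

    /**
     * Builds the id of the owner document for a resource.
     *
     * <p>NOTE(review): type and id are joined with a plain {@code _}; if either part may itself
     * contain an underscore, two different (type, id) pairs can map to the same document. Confirm
     * that resource types and ids cannot collide this way.
     */
    private static String ownerDocId(String resourceType, Object id) {
        return resourceType + "_" + id;
    }

    /**
     * Writes (or overwrites) the owner document for a resource.
     *
     * @param resourceType type of the resource, first part of the document id
     * @param id resource id, second part of the document id
     * @param owner user recorded as owner; only the user name is stored
     * @param expires value stored in the {@code expires} field, epoch milliseconds as passed by
     *        {@link #applyCreatePostAction}
     * @param listener notified with the result of the index request
     */
    public void storeOwner(String resourceType, Object id, User owner, long expires, ActionListener<IndexResponse> listener) {
        log.trace("storeOwner({}, {}, {}, {})", resourceType, id, owner, expires);
        this.privilegedConfigClient.prepareIndex(this.index, null, ownerDocId(resourceType, id))
                .setSource(new Object[] { "user_name", owner.getName(), "expires", expires })
                .setRefreshPolicy(this.refreshPolicy)
                .execute(listener);
    }

    /**
     * Deletes the owner document of a resource. The call is fire-and-forget: a failure is only
     * logged, so a stale owner document can remain in the index.
     */
    public void deleteOwner(String resourceType, Object id) {
        final String docId = ownerDocId(resourceType, id);
        this.privilegedConfigClient.prepareDelete(this.index, null, docId).execute(new ActionListener<DeleteResponse>() {
            @Override
            public void onResponse(DeleteResponse deleteResponse) {
                log.trace("Resource owner document deleted: {}; {}", docId, deleteResponse);
            }

            @Override
            public void onFailure(Exception e) {
                log.error("Error while deleting resource owner document " + docId, e);
            }
        });
    }

    /**
     * Checks that {@code user} is the recorded owner of the resource.
     *
     * <p>The listener receives a {@link CheckOwnerResponse} when the stored user name matches, and
     * a failure otherwise: 403 when another user owns the resource, 404 when no owner document was
     * found after all retries, or an {@link ElasticsearchException} when the lookup itself failed.
     */
    public void checkOwner(String resourceType, Object id, User user, ActionListener<CheckOwnerResponse> listener) {
        checkOwner(resourceType, id, user, listener, 0);
    }

    /**
     * Retry-aware implementation of the owner check.
     *
     * <p>Both a missing owner document and a failed lookup are retried until {@code attempt}
     * reaches the configured maximum. Every outcome other than a matching user name ends in
     * {@code listener.onFailure}, so the check fails closed.
     *
     * @param attempt number of lookups already made for this check; 0 on the first call
     */
    public void checkOwner(final String resourceType, final Object id, final User user,
            final ActionListener<CheckOwnerResponse> listener, final int attempt) {
        this.privilegedConfigClient.prepareGet(this.index, null, ownerDocId(resourceType, id)).execute(new ActionListener<GetResponse>() {
            @Override
            public void onResponse(GetResponse getResponse) {
                if (getResponse.isExists()) {
                    Object storedUserName = getResponse.getSourceAsMap().get("user_name");
                    log.trace("checkOwner for {}:{}: {} - {}", resourceType, id, storedUserName, user);

                    if (isUserEqual(user, storedUserName)) {
                        listener.onResponse(new CheckOwnerResponse(getResponse));
                    } else {
                        listener.onFailure(new ElasticsearchSecurityException(
                                "Resource " + resourceType + ":" + id + " is not owned by user " + user.getName(), RestStatus.FORBIDDEN));
                    }
                    return;
                }

                if (attempt >= ResourceOwnerService.this.maxCheckRetries) {
                    log.trace("checkOwner for {}:{} failed: {}", resourceType, id, getResponse);
                    // No owner record means no access; the resource is never treated as unowned.
                    listener.onFailure(new ElasticsearchSecurityException(
                            "Owner information of " + resourceType + ":" + id + " could not be found", RestStatus.NOT_FOUND));
                    return;
                }

                // Presumably covers the window in which a just-written owner document is not yet
                // readable - TODO confirm.
                log.debug("Retrying checkOwner({}:{})", resourceType, id);
                pauseBeforeRetry();
                checkOwner(resourceType, id, user, listener, attempt + 1);
            }

            @Override
            public void onFailure(Exception e) {
                if (attempt >= ResourceOwnerService.this.maxCheckRetries) {
                    log.warn("checkOwner for " + resourceType + ":" + id + " failed: ", e);
                    listener.onFailure(new ElasticsearchException("Checking owner of " + resourceType + ":" + id + " failed", e));
                    return;
                }

                if (log.isDebugEnabled()) {
                    log.debug("Retrying checkOwner(" + resourceType + ":" + id + ") after " + e, e);
                }
                pauseBeforeRetry();
                checkOwner(resourceType, id, user, listener, attempt + 1);
            }
        });
    }

    /**
     * Sleeps for the configured retry delay, if any.
     *
     * <p>An interrupt is no longer swallowed: the interrupt flag is restored so the thread's owner
     * can still observe it. NOTE(review): the sleep runs on whichever thread delivers the get
     * response; confirm that blocking that thread for the configured delay is acceptable.
     */
    private void pauseBeforeRetry() {
        if (this.checkRetryDelay <= 0) {
            return;
        }
        try {
            Thread.sleep(this.checkRetryDelay);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Wraps {@code chain} with one {@link OwnerCheckPreAction} per resource the action uses.
     *
     * <p>A resource that declares an owner-check bypass permission is left unwrapped when the
     * current user holds that cluster permission. If evaluating the permission throws, the error is
     * logged and the owner check is still applied, so an evaluation error never grants the bypass.
     *
     * <p>NOTE(review): in the decompiled listing the {@code try} body and the body of the
     * permission {@code if} were both empty and the permission call sat outside the {@code try},
     * which left the bypass without effect and the catch clause detached from the call that can
     * throw. The {@code continue} below is reconstructed from that structure; confirm it against
     * the original class file before relying on it.
     *
     * @param listener not used by this method
     * @return the chain to execute, possibly extended by owner checks
     */
    public <Request extends ActionRequest, Response extends ActionResponse> ActionFilterChain<Request, Response> applyOwnerCheckPreAction(
            Action.WellKnownAction<Request, ?, ?> wellKnownAction, PrivilegesEvaluationContext context, Request request,
            ActionListener<Response> listener, ActionFilterChain<Request, Response> chain) {
        ActionFilterChain<Request, Response> extendedChain = chain;

        for (Action.WellKnownAction.Resource resource : wellKnownAction.getResources().getUsesResources()) {
            if (resource.getOwnerCheckBypassPermission() != null) {
                try {
                    if (this.privilegesEvaluator.hasClusterPermissions(resource.getOwnerCheckBypassPermission(), context)) {
                        continue;
                    }
                } catch (PrivilegesEvaluationException e) {
                    // Fall through: without a positive answer the owner check stays in place.
                    log.error("Error while evaluating owner check bypass permission of " + resource, e);
                }
            }

            extendedChain = new OwnerCheckPreAction<Request, Response>(resource, resource.getId().apply(request), context.getUser(),
                    extendedChain);
        }

        return extendedChain;
    }

    /**
     * Wraps {@code listener} so that, once the creating action has responded, {@code user} is
     * stored as owner of the new resource before the response is passed on.
     *
     * <p>When the response yields no resource id, nothing is stored and the response is passed
     * through. The expiry is the resource's own expiry when the action definition provides one,
     * otherwise now plus the configured default lifetime. If storing the owner fails, the caller
     * receives a failure although the creating action itself has already responded.
     */
    public <R extends ActionResponse> ActionListener<R> applyCreatePostAction(final Action.WellKnownAction<?, ?, ?> wellKnownAction,
            final User user, final ActionListener<R> listener) {
        return new ActionListener<R>() {
            @Override
            public void onResponse(final R response) {
                final Action.WellKnownAction.NewResource newResource = wellKnownAction.getResources().getCreatesResource();
                final Object id = newResource.getId().apply(response);
                log.trace("Id for new resource {}: {}", newResource, id);

                if (id == null) {
                    listener.onResponse(response);
                    return;
                }

                long expires = System.currentTimeMillis() + ResourceOwnerService.this.defaultResourceLifetime.millis();
                if (newResource.getExpiresAfter() != null) {
                    Instant explicitExpiry = newResource.getExpiresAfter().apply(response);
                    if (explicitExpiry != null) {
                        expires = explicitExpiry.toEpochMilli();
                    }
                }

                storeOwner(newResource.getType(), id, user, expires, new ActionListener<IndexResponse>() {
                    @Override
                    public void onResponse(IndexResponse indexResponse) {
                        listener.onResponse(response);
                    }

                    @Override
                    public void onFailure(Exception e) {
                        listener.onFailure(new ElasticsearchException("Failed to store owner of " + newResource.getType() + ":" + id, e));
                    }
                });
            }

            @Override
            public void onFailure(Exception e) {
                listener.onFailure(e);
            }
        };
    }

    /**
     * Wraps {@code listener} so that the owner document is removed once the deleting action has
     * responded. The removal is not awaited; the response is passed on immediately.
     *
     * @param wellKnownAction not used by this method
     * @param user not used by this method
     */
    public <Request extends ActionRequest, R extends ActionResponse> ActionListener<R> applyDeletePostAction(
            Action.WellKnownAction<?, ?, ?> wellKnownAction, final Action.WellKnownAction.Resource resource, User user,
            final Request request, final ActionListener<R> listener) {
        return new ActionListener<R>() {
            @Override
            public void onResponse(R response) {
                Object id = resource.getId().apply(request);
                if (id != null) {
                    deleteOwner(resource.getType(), id);
                }
                listener.onResponse(response);
            }

            @Override
            public void onFailure(Exception e) {
                listener.onFailure(e);
            }
        };
    }

    /**
     * Compares the current user with the stored owner.
     *
     * <p>NOTE(review): only the user name is stored and compared. If the same name can be issued
     * to different principals (for example by different authentication backends), those principals
     * are treated as the same owner - confirm whether that is acceptable for this deployment.
     *
     * @param storedUserName value of the {@code user_name} field of the owner document
     */
    public boolean isUserEqual(User user, Object storedUserName) {
        return Objects.equal(user.getName(), storedUserName);
    }

    /** Stops the cleanup agent of the owner index. */
    public void shutdown() {
        this.indexCleanupAgent.shutdown();
    }
}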
