package org.elasticsearch.xpack.ccr;

import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.function.BiConsumer;
import java.util.function.BooleanSupplier;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.ActionType;
import org.elasticsearch.action.RemoteClusterActionType;
import org.elasticsearch.action.admin.cluster.state.ClusterStateAction;
import org.elasticsearch.action.admin.cluster.state.ClusterStateRequest;
import org.elasticsearch.action.admin.cluster.state.ClusterStateResponse;
import org.elasticsearch.action.admin.indices.stats.IndexShardStats;
import org.elasticsearch.action.admin.indices.stats.IndexStats;
import org.elasticsearch.action.admin.indices.stats.IndicesStatsAction;
import org.elasticsearch.action.admin.indices.stats.IndicesStatsRequest;
import org.elasticsearch.action.admin.indices.stats.ShardStats;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.client.internal.FilterClient;
import org.elasticsearch.client.internal.RemoteClusterClient;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.DataStream;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.engine.CommitStats;
import org.elasticsearch.indices.IndexClosedException;
import org.elasticsearch.license.RemoteClusterLicenseChecker;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.xpack.ccr.action.CcrRequests;
import org.elasticsearch.xpack.ccr.action.ShardChangesAction;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ccr.CcrConstants;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivileges;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/ccr/CcrLicenseChecker.class */
public class CcrLicenseChecker {
    private final BooleanSupplier isCcrAllowed;
    private final BooleanSupplier isAuthAllowed;

    /* JADX INFO: Access modifiers changed from: package-private */
    public CcrLicenseChecker(Settings settings) {
        this(() -> {
            return CcrConstants.CCR_FEATURE.check(XPackPlugin.getSharedLicenseState());
        }, () -> {
            return ((Boolean) XPackSettings.SECURITY_ENABLED.get(settings)).booleanValue();
        });
    }

    public CcrLicenseChecker(BooleanSupplier booleanSupplier, BooleanSupplier booleanSupplier2) {
        this.isCcrAllowed = (BooleanSupplier) Objects.requireNonNull(booleanSupplier, "isCcrAllowed");
        this.isAuthAllowed = (BooleanSupplier) Objects.requireNonNull(booleanSupplier2, "isAuthAllowed");
    }

    public boolean isCcrAllowed() {
        return this.isCcrAllowed.getAsBoolean();
    }

    public void checkRemoteClusterLicenseAndFetchLeaderIndexMetadataAndHistoryUUIDs(Client client, String str, String str2, Consumer<Exception> consumer, BiConsumer<String[], Tuple<IndexMetadata, DataStream>> biConsumer) {
        RemoteClusterClient remoteClusterClient = client.getRemoteClusterClient(str, client.threadPool().executor("ccr"), RemoteClusterService.DisconnectedStrategy.RECONNECT_IF_DISCONNECTED);
        checkRemoteClusterLicenseAndFetchClusterState(client, str, remoteClusterClient, CcrRequests.metadataRequest(str2), consumer, clusterStateResponse -> {
            ClusterState state = clusterStateResponse.getState();
            IndexMetadata index = state.getMetadata().index(str2);
            if (index == null) {
                IndexAbstraction indexAbstraction = (IndexAbstraction) state.getMetadata().getIndicesLookup().get(str2);
                consumer.accept(indexAbstraction == null ? new IndexNotFoundException(str2) : new IllegalArgumentException(String.format(Locale.ROOT, "cannot follow [%s], because it is a %s", str2, indexAbstraction.getType())));
            } else {
                if (index.getState() == IndexMetadata.State.CLOSE) {
                    consumer.accept(new IndexClosedException(index.getIndex()));
                    return;
                }
                IndexAbstraction indexAbstraction2 = (IndexAbstraction) state.getMetadata().getIndicesLookup().get(str2);
                DataStream parentDataStream = indexAbstraction2.getParentDataStream() != null ? indexAbstraction2.getParentDataStream() : null;
                hasPrivilegesToFollowIndices(client.threadPool().getThreadContext(), remoteClusterClient, new String[]{str2}, exc -> {
                    if (exc == null) {
                        fetchLeaderHistoryUUIDs(remoteClusterClient, index, consumer, strArr -> {
                            biConsumer.accept(strArr, Tuple.tuple(index, parentDataStream));
                        });
                    } else {
                        consumer.accept(exc);
                    }
                });
            }
        }, licenseCheck -> {
            return indexMetadataNonCompliantRemoteLicense(str2, licenseCheck);
        }, exc -> {
            return indexMetadataUnknownRemoteLicense(str2, str, exc);
        });
    }

    public static void checkRemoteClusterLicenseAndFetchClusterState(Client client, String str, ClusterStateRequest clusterStateRequest, Consumer<Exception> consumer, Consumer<ClusterStateResponse> consumer2) {
        try {
            checkRemoteClusterLicenseAndFetchClusterState(client, str, systemClient(client.threadPool().getThreadContext(), client.getRemoteClusterClient(str, client.threadPool().executor("ccr"), RemoteClusterService.DisconnectedStrategy.RECONNECT_IF_DISCONNECTED)), clusterStateRequest, consumer, consumer2, CcrLicenseChecker::clusterStateNonCompliantRemoteLicense, exc -> {
                return clusterStateUnknownRemoteLicense(str, exc);
            });
        } catch (Exception e) {
            consumer.accept(e);
        }
    }

    private static void checkRemoteClusterLicenseAndFetchClusterState(Client client, String str, final RemoteClusterClient remoteClusterClient, final ClusterStateRequest clusterStateRequest, final Consumer<Exception> consumer, final Consumer<ClusterStateResponse> consumer2, final Function<RemoteClusterLicenseChecker.LicenseCheck, ElasticsearchStatusException> function, final Function<Exception, ElasticsearchStatusException> function2) {
        new RemoteClusterLicenseChecker(client, CcrConstants.CCR_FEATURE).checkRemoteClusterLicenses(Collections.singletonList(str), new ActionListener<RemoteClusterLicenseChecker.LicenseCheck>() { // from class: org.elasticsearch.xpack.ccr.CcrLicenseChecker.1
            public void onResponse(RemoteClusterLicenseChecker.LicenseCheck licenseCheck) {
                if (!licenseCheck.isSuccess()) {
                    consumer.accept((Exception) function.apply(licenseCheck));
                    return;
                }
                Consumer consumer3 = consumer2;
                Objects.requireNonNull(consumer3);
                remoteClusterClient.execute(ClusterStateAction.REMOTE_TYPE, clusterStateRequest, ActionListener.wrap((v1) -> {
                    r0.accept(v1);
                }, consumer));
            }

            public void onFailure(Exception exc) {
                consumer.accept((Exception) function2.apply(exc));
            }
        });
    }

    public static void fetchLeaderHistoryUUIDs(RemoteClusterClient remoteClusterClient, IndexMetadata indexMetadata, Consumer<Exception> consumer, Consumer<String[]> consumer2) {
        String name = indexMetadata.getIndex().getName();
        CheckedConsumer checkedConsumer = indicesStatsResponse -> {
            IndexStats indexStats = (IndexStats) indicesStatsResponse.getIndices().get(name);
            if (indexStats == null) {
                consumer.accept(new IllegalArgumentException("no index stats available for the leader index"));
                return;
            }
            String[] strArr = new String[indexMetadata.getNumberOfShards()];
            Iterator it = indexStats.iterator();
            while (it.hasNext()) {
                Iterator it2 = ((IndexShardStats) it.next()).iterator();
                while (it2.hasNext()) {
                    ShardStats shardStats = (ShardStats) it2.next();
                    if (shardStats.getShardRouting().primary()) {
                        CommitStats commitStats = shardStats.getCommitStats();
                        if (commitStats == null) {
                            consumer.accept(new IllegalArgumentException("leader index's commit stats are missing"));
                            return;
                        }
                        strArr[shardStats.getShardRouting().shardId().id()] = (String) commitStats.getUserData().get("history_uuid");
                    }
                }
            }
            for (int i = 0; i < strArr.length; i++) {
                if (strArr[i] == null) {
                    consumer.accept(new IllegalArgumentException("no history uuid for [" + name + "][" + i + "]"));
                    return;
                }
            }
            consumer2.accept(strArr);
        };
        IndicesStatsRequest indicesStatsRequest = new IndicesStatsRequest();
        indicesStatsRequest.clear();
        indicesStatsRequest.indices(new String[]{name});
        remoteClusterClient.execute(IndicesStatsAction.REMOTE_TYPE, indicesStatsRequest, ActionListener.wrap(checkedConsumer, consumer));
    }

    public void hasPrivilegesToFollowIndices(ThreadContext threadContext, RemoteClusterClient remoteClusterClient, String[] strArr, Consumer<Exception> consumer) {
        Objects.requireNonNull(remoteClusterClient, "remoteClient");
        Objects.requireNonNull(strArr, "indices");
        if (strArr.length == 0) {
            throw new IllegalArgumentException("indices must not be empty");
        }
        Objects.requireNonNull(consumer, "handler");
        if (!this.isAuthAllowed.getAsBoolean()) {
            consumer.accept(null);
            return;
        }
        User user = getUser(threadContext);
        if (user == null) {
            consumer.accept(new IllegalStateException("missing or unable to read authentication info on request"));
            return;
        }
        String principal = user.principal();
        RoleDescriptor.IndicesPrivileges build = RoleDescriptor.IndicesPrivileges.builder().indices(strArr).privileges(new String[]{"indices:monitor/stats", ShardChangesAction.NAME}).build();
        HasPrivilegesRequest hasPrivilegesRequest = new HasPrivilegesRequest();
        hasPrivilegesRequest.username(principal);
        hasPrivilegesRequest.clusterPrivileges(Strings.EMPTY_ARRAY);
        hasPrivilegesRequest.indexPrivileges(new RoleDescriptor.IndicesPrivileges[]{build});
        hasPrivilegesRequest.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[0]);
        remoteClusterClient.execute(HasPrivilegesAction.REMOTE_TYPE, hasPrivilegesRequest, ActionListener.wrap(hasPrivilegesResponse -> {
            if (hasPrivilegesResponse.isCompleteMatch()) {
                consumer.accept(null);
                return;
            }
            StringBuilder sb = new StringBuilder("insufficient privileges to follow");
            sb.append(strArr.length == 1 ? " index " : " indices ");
            sb.append(Arrays.toString(strArr));
            for (Map.Entry entry : ((ResourcePrivileges) hasPrivilegesResponse.getIndexPrivileges().iterator().next()).getPrivileges().entrySet()) {
                if (!((Boolean) entry.getValue()).booleanValue()) {
                    sb.append(", privilege for action [");
                    sb.append((String) entry.getKey());
                    sb.append("] is missing");
                }
            }
            consumer.accept(Exceptions.authorizationError(sb.toString(), new Object[0]));
        }, consumer));
    }

    User getUser(ThreadContext threadContext) {
        return new SecurityContext(Settings.EMPTY, threadContext).getUser();
    }

    public static RemoteClusterClient wrapRemoteClusterClient(final ThreadContext threadContext, final RemoteClusterClient remoteClusterClient, Map<String, String> map, ClusterState clusterState) {
        if (map.isEmpty()) {
            return remoteClusterClient;
        }
        final Map persistableSafeSecurityHeaders = ClientHelper.getPersistableSafeSecurityHeaders(map, clusterState);
        return persistableSafeSecurityHeaders.isEmpty() ? remoteClusterClient : new RemoteClusterClient() { // from class: org.elasticsearch.xpack.ccr.CcrLicenseChecker.2
            public <Request extends ActionRequest, Response extends TransportResponse> void execute(RemoteClusterActionType<Response> remoteClusterActionType, Request request, ActionListener<Response> actionListener) {
                ThreadContext threadContext2 = threadContext;
                Map map2 = persistableSafeSecurityHeaders;
                RemoteClusterClient remoteClusterClient2 = remoteClusterClient;
                ClientHelper.executeWithHeadersAsync(threadContext2, map2, (String) null, request, actionListener, (actionRequest, actionListener2) -> {
                    remoteClusterClient2.execute(remoteClusterActionType, actionRequest, actionListener2);
                });
            }
        };
    }

    public static Client wrapClient(final Client client, Map<String, String> map, ClusterState clusterState) {
        if (map.isEmpty()) {
            return client;
        }
        final Map persistableSafeSecurityHeaders = ClientHelper.getPersistableSafeSecurityHeaders(map, clusterState);
        return persistableSafeSecurityHeaders.isEmpty() ? client : new FilterClient(client) { // from class: org.elasticsearch.xpack.ccr.CcrLicenseChecker.3
            protected <Request extends ActionRequest, Response extends ActionResponse> void doExecute(ActionType<Response> actionType, Request request, ActionListener<Response> actionListener) {
                ClientHelper.executeWithHeadersAsync(persistableSafeSecurityHeaders, (String) null, client, actionType, request, actionListener);
            }
        };
    }

    private static RemoteClusterClient systemClient(final ThreadContext threadContext, final RemoteClusterClient remoteClusterClient) {
        return new RemoteClusterClient() { // from class: org.elasticsearch.xpack.ccr.CcrLicenseChecker.4
            public <Request extends ActionRequest, Response extends TransportResponse> void execute(RemoteClusterActionType<Response> remoteClusterActionType, Request request, ActionListener<Response> actionListener) {
                Supplier newRestorableContext = threadContext.newRestorableContext(false);
                ThreadContext.StoredContext stashContext = threadContext.stashContext();
                try {
                    threadContext.markAsSystemContext();
                    remoteClusterClient.execute(remoteClusterActionType, request, new ContextPreservingActionListener(newRestorableContext, actionListener));
                    if (stashContext != null) {
                        stashContext.close();
                    }
                } catch (Throwable th) {
                    if (stashContext != null) {
                        try {
                            stashContext.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static ElasticsearchStatusException indexMetadataNonCompliantRemoteLicense(String str, RemoteClusterLicenseChecker.LicenseCheck licenseCheck) {
        String clusterAlias = licenseCheck.remoteClusterLicenseInfo().clusterAlias();
        return new ElasticsearchStatusException(String.format(Locale.ROOT, "can not fetch remote index [%s:%s] metadata as the remote cluster [%s] is not licensed for [ccr]; %s", clusterAlias, str, clusterAlias, RemoteClusterLicenseChecker.buildErrorMessage(CcrConstants.CCR_FEATURE, licenseCheck.remoteClusterLicenseInfo())), RestStatus.BAD_REQUEST, new Object[0]);
    }

    private static ElasticsearchStatusException clusterStateNonCompliantRemoteLicense(RemoteClusterLicenseChecker.LicenseCheck licenseCheck) {
        return new ElasticsearchStatusException(String.format(Locale.ROOT, "can not fetch remote cluster state as the remote cluster [%s] is not licensed for [ccr]; %s", licenseCheck.remoteClusterLicenseInfo().clusterAlias(), RemoteClusterLicenseChecker.buildErrorMessage(CcrConstants.CCR_FEATURE, licenseCheck.remoteClusterLicenseInfo())), RestStatus.BAD_REQUEST, new Object[0]);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static ElasticsearchStatusException indexMetadataUnknownRemoteLicense(String str, String str2, Exception exc) {
        return new ElasticsearchStatusException(String.format(Locale.ROOT, "can not fetch remote index [%s:%s] metadata as the license state of the remote cluster [%s] could not be determined", str2, str, str2), RestStatus.BAD_REQUEST, exc, new Object[0]);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static ElasticsearchStatusException clusterStateUnknownRemoteLicense(String str, Exception exc) {
        return new ElasticsearchStatusException(String.format(Locale.ROOT, "can not fetch remote cluster state as the license state of the remote cluster [%s] could not be determined", str), RestStatus.BAD_REQUEST, exc, new Object[0]);
    }
}
