package org.elasticsearch.xpack.security.audit.index;

import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequestBuilder;
import org.elasticsearch.action.admin.cluster.state.ClusterStateResponse;
import org.elasticsearch.action.admin.indices.exists.indices.IndicesExistsRequestBuilder;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequestBuilder;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
import org.elasticsearch.action.bulk.BulkProcessor;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.IndicesAdminClient;
import org.elasticsearch.client.transport.TransportClient;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.io.Streams;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.XPackPlugin;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.audit.index.IndexNameResolver;
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authz.privilege.SystemPrivilege;
import org.elasticsearch.xpack.security.rest.RemoteHostHeader;
import org.elasticsearch.xpack.security.transport.filter.SecurityIpFilterRule;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.user.XPackUser;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;

/* loaded from: input_file:org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.class */
public class IndexAuditTrail extends AbstractComponent implements AuditTrail, ClusterStateListener {
    public static final String NAME = "index";
    public static final String INDEX_NAME_PREFIX = ".security_audit_log";
    public static final String DOC_TYPE = "event";
    public static final String INDEX_TEMPLATE_NAME = "security_audit_log";
    private static final int DEFAULT_BULK_SIZE = 1000;
    private static final int MAX_BULK_SIZE = 10000;
    private static final int DEFAULT_MAX_QUEUE_SIZE = 1000;
    private static final TimeValue DEFAULT_FLUSH_INTERVAL;
    private static final IndexNameResolver.Rollover DEFAULT_ROLLOVER;
    private static final Setting<IndexNameResolver.Rollover> ROLLOVER_SETTING;
    private static final Setting<Integer> QUEUE_SIZE_SETTING;
    private static final String DEFAULT_CLIENT_NAME = "security-audit-client";
    private static final List<String> DEFAULT_EVENT_INCLUDES;
    private static final String FORBIDDEN_INDEX_SETTING = "index.mapper.dynamic";
    private static final Setting<Settings> INDEX_SETTINGS;
    private static final Setting<List<String>> INCLUDE_EVENT_SETTINGS;
    private static final Setting<List<String>> EXCLUDE_EVENT_SETTINGS;
    private static final Setting<Boolean> INCLUDE_REQUEST_BODY;
    private static final Setting<Settings> REMOTE_CLIENT_SETTINGS;
    private static final Setting<Integer> BULK_SIZE_SETTING;
    private static final Setting<TimeValue> FLUSH_TIMEOUT_SETTING;
    private final AtomicReference<State> state;
    private final String nodeName;
    private final Client client;
    private final QueueConsumer queueConsumer;
    private final ThreadPool threadPool;
    private final AtomicBoolean putTemplatePending;
    private final ClusterService clusterService;
    private final boolean indexToRemoteCluster;
    private final EnumSet<AuditLevel> events;
    private final IndexNameResolver.Rollover rollover;
    private final boolean includeRequestBody;
    private BulkProcessor bulkProcessor;
    private String nodeHostName;
    private String nodeHostAddress;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/index/IndexAuditTrail$Field.class */
    interface Field {
        public static final String TIMESTAMP = "@timestamp";
        public static final String NODE_NAME = "node_name";
        public static final String NODE_HOST_NAME = "node_host_name";
        public static final String NODE_HOST_ADDRESS = "node_host_address";
        public static final String LAYER = "layer";
        public static final String TYPE = "event_type";
        public static final String ORIGIN_ADDRESS = "origin_address";
        public static final String ORIGIN_TYPE = "origin_type";
        public static final String PRINCIPAL = "principal";
        public static final String RUN_AS_PRINCIPAL = "run_as_principal";
        public static final String RUN_BY_PRINCIPAL = "run_by_principal";
        public static final String ACTION = "action";
        public static final String INDICES = "indices";
        public static final String REQUEST = "request";
        public static final String REQUEST_BODY = "request_body";
        public static final String URI = "uri";
        public static final String REALM = "realm";
        public static final String TRANSPORT_PROFILE = "transport_profile";
        public static final String RULE = "rule";
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/index/IndexAuditTrail$Message.class */
    public static class Message {
        final DateTime timestamp = DateTime.now(DateTimeZone.UTC);
        final XContentBuilder builder = XContentFactory.jsonBuilder();

        Message() throws IOException {
        }

        Message start() throws IOException {
            this.builder.startObject();
            this.builder.field(Field.TIMESTAMP, this.timestamp);
            return this;
        }

        Message end() throws IOException {
            this.builder.endObject();
            return this;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/index/IndexAuditTrail$QueueConsumer.class */
    public final class QueueConsumer extends Thread implements Closeable {
        private final AtomicBoolean open;
        private final BlockingQueue<Message> eventQueue;
        private final Message shutdownSentinelMessage;

        QueueConsumer(String str, BlockingQueue blockingQueue) {
            super(str);
            this.open = new AtomicBoolean(true);
            this.eventQueue = blockingQueue;
            try {
                this.shutdownSentinelMessage = new Message();
            } catch (IOException e) {
                throw new AssertionError(e);
            }
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
            if (this.open.compareAndSet(true, false)) {
                try {
                    this.eventQueue.put(this.shutdownSentinelMessage);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            Message take;
            while (this.open.get()) {
                try {
                    take = this.eventQueue.take();
                } catch (InterruptedException e) {
                    IndexAuditTrail.this.logger.debug("index audit queue consumer interrupted", e);
                    close();
                } catch (Exception e2) {
                    IndexAuditTrail.this.logger.warn("failed to index audit message from queue", e2);
                }
                if (take == this.shutdownSentinelMessage || !this.open.get()) {
                    break;
                }
                IndexAuditTrail.this.bulkProcessor.add(IndexAuditTrail.this.client.prepareIndex().setIndex(IndexNameResolver.resolve(IndexAuditTrail.INDEX_NAME_PREFIX, take.timestamp, IndexAuditTrail.this.rollover)).setType(IndexAuditTrail.DOC_TYPE).setSource(take.builder).request());
            }
            this.eventQueue.clear();
        }

        public boolean offer(Message message) {
            if (this.open.get()) {
                return this.eventQueue.offer(message);
            }
            return false;
        }

        public Message peek() {
            return this.eventQueue.peek();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/audit/index/IndexAuditTrail$State.class */
    public enum State {
        INITIALIZED,
        STARTING,
        STARTED,
        STOPPING,
        STOPPED,
        FAILED
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public String name() {
        return "index";
    }

    public IndexAuditTrail(Settings settings, InternalClient internalClient, ThreadPool threadPool, ClusterService clusterService) {
        super(settings);
        this.state = new AtomicReference<>(State.INITIALIZED);
        this.putTemplatePending = new AtomicBoolean(false);
        this.threadPool = threadPool;
        this.clusterService = clusterService;
        this.nodeName = settings.get("name");
        this.queueConsumer = new QueueConsumer(EsExecutors.threadName(settings, "audit-queue-consumer"), createQueue(((Integer) QUEUE_SIZE_SETTING.get(settings)).intValue()));
        this.rollover = (IndexNameResolver.Rollover) ROLLOVER_SETTING.get(settings);
        this.events = AuditLevel.parse((List) INCLUDE_EVENT_SETTINGS.get(settings), (List) EXCLUDE_EVENT_SETTINGS.get(settings));
        this.indexToRemoteCluster = ((Settings) REMOTE_CLIENT_SETTINGS.get(settings)).names().size() > 0;
        this.includeRequestBody = ((Boolean) INCLUDE_REQUEST_BODY.get(settings)).booleanValue();
        if (this.indexToRemoteCluster) {
            this.client = initializeRemoteClient(settings, this.logger);
        } else {
            this.client = internalClient;
        }
    }

    public State state() {
        return this.state.get();
    }

    public boolean canStart(ClusterChangedEvent clusterChangedEvent, boolean z) {
        boolean canStart;
        if (this.indexToRemoteCluster) {
            return true;
        }
        synchronized (this) {
            canStart = canStart(clusterChangedEvent.state(), z);
        }
        return canStart;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canStart(ClusterState clusterState, boolean z) {
        if (clusterState.blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
            this.logger.debug("index audit trail waiting until gateway has recovered from disk");
            return false;
        }
        if (!z && clusterState.metaData().templates().get(INDEX_TEMPLATE_NAME) == null) {
            this.logger.debug("security audit index template [{}] does not exist, so service cannot start", INDEX_TEMPLATE_NAME);
            return false;
        }
        String indexName = getIndexName();
        if (clusterState.metaData().index(indexName) == null) {
            this.logger.debug("security audit index [{}] does not exist, so service can start", indexName);
            return true;
        }
        if (clusterState.routingTable().index(indexName).allPrimaryShardsActive()) {
            this.logger.debug("security audit index [{}] all primary shards started, so service can start", indexName);
            return true;
        }
        this.logger.debug("security audit index [{}] does not have all primary shards started, so service cannot start", indexName);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String getIndexName() {
        return IndexNameResolver.resolve(INDEX_NAME_PREFIX, DateTime.now(DateTimeZone.UTC), this.rollover);
    }

    public void start(final boolean z) {
        if (this.state.compareAndSet(State.INITIALIZED, State.STARTING)) {
            this.nodeHostName = this.clusterService.localNode().getHostName();
            this.nodeHostAddress = this.clusterService.localNode().getHostAddress();
            if (this.indexToRemoteCluster) {
                this.client.admin().cluster().prepareState().execute(new ActionListener<ClusterStateResponse>() { // from class: org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.1
                    public void onResponse(ClusterStateResponse clusterStateResponse) {
                        boolean isLocalNodeElectedMaster = IndexAuditTrail.this.clusterService.state().getNodes().isLocalNodeElectedMaster();
                        if (IndexAuditTrail.this.canStart(clusterStateResponse.getState(), isLocalNodeElectedMaster)) {
                            if (isLocalNodeElectedMaster) {
                                IndexAuditTrail.this.putTemplate(IndexAuditTrail.this.customAuditIndexSettings(IndexAuditTrail.this.settings), ActionListener.wrap(r3 -> {
                                    IndexAuditTrail.this.innerStart();
                                }, exc -> {
                                    IndexAuditTrail.this.state.set(State.FAILED);
                                }));
                                return;
                            } else {
                                IndexAuditTrail.this.innerStart();
                                return;
                            }
                        }
                        if (!IndexAuditTrail.this.state.compareAndSet(State.STARTING, State.INITIALIZED)) {
                            throw new IllegalStateException("state transition from starting to initialized failed, current value: " + IndexAuditTrail.this.state.get());
                        }
                        String indexName = IndexAuditTrail.this.getIndexName();
                        ClusterHealthRequestBuilder waitForYellowStatus = IndexAuditTrail.this.client.admin().cluster().prepareHealth(new String[0]).setIndices(new String[0]).setWaitForYellowStatus();
                        boolean z2 = z;
                        waitForYellowStatus.execute(ActionListener.wrap(clusterHealthResponse -> {
                            IndexAuditTrail.this.start(z2);
                        }, exc2 -> {
                            IndexAuditTrail.this.logger.error("failed to get wait for yellow status on index [" + indexName + "]", exc2);
                        }));
                    }

                    public void onFailure(Exception exc) {
                        IndexAuditTrail.this.logger.error("failed to get remote cluster state", exc);
                    }
                });
            } else if (z) {
                putTemplate(customAuditIndexSettings(this.settings), ActionListener.wrap(r3 -> {
                    innerStart();
                }, exc -> {
                    this.state.set(State.FAILED);
                }));
            } else {
                innerStart();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void innerStart() {
        if (!this.indexToRemoteCluster) {
            this.clusterService.add(this);
        }
        initializeBulkProcessor();
        this.queueConsumer.start();
        this.state.set(State.STARTED);
    }

    public synchronized void stop() {
        if (this.state.compareAndSet(State.STARTED, State.STOPPING)) {
            this.queueConsumer.close();
        }
        try {
            if (state() != State.STOPPED) {
                try {
                    if (this.bulkProcessor != null && !this.bulkProcessor.awaitClose(10L, TimeUnit.SECONDS)) {
                        this.logger.warn("index audit trail failed to store all pending events after waiting for 10s");
                    }
                    if (this.indexToRemoteCluster) {
                        this.client.close();
                    }
                    this.state.set(State.STOPPED);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    if (this.indexToRemoteCluster) {
                        this.client.close();
                    }
                    this.state.set(State.STOPPED);
                }
            }
        } catch (Throwable th) {
            if (this.indexToRemoteCluster) {
                this.client.close();
            }
            this.state.set(State.STOPPED);
            throw th;
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationSuccess(String str, User user, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_SUCCESS)) {
            try {
                enqueue(message("authentication_success", str, user, restRequest), "authentication_success");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [authentication_success]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationSuccess(String str, User user, String str2, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_SUCCESS)) {
            try {
                enqueue(message("authentication_success", str2, user, str, (Set<String>) null, transportMessage), "authentication_success");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [authentication_success]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void anonymousAccessDenied(String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.ANONYMOUS_ACCESS_DENIED)) {
            try {
                enqueue(message("anonymous_access_denied", str, (User) null, (String) null, AuditUtil.indices(transportMessage), transportMessage), "anonymous_access_denied");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [anonymous_access_denied]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void anonymousAccessDenied(RestRequest restRequest) {
        if (this.events.contains(AuditLevel.ANONYMOUS_ACCESS_DENIED)) {
            try {
                enqueue(message("anonymous_access_denied", (String) null, (AuthenticationToken) null, (String) null, (Set<String>) null, restRequest), "anonymous_access_denied");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [anonymous_access_denied]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            try {
                enqueue(message("authentication_failed", str, (User) null, (String) null, AuditUtil.indices(transportMessage), transportMessage), "authentication_failed");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [authentication_failed]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(RestRequest restRequest) {
        if (this.events.contains(AuditLevel.AUTHENTICATION_FAILED)) {
            try {
                enqueue(message("authentication_failed", (String) null, (AuthenticationToken) null, (String) null, (Set<String>) null, restRequest), "authentication_failed");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [authentication_failed]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(AuthenticationToken authenticationToken, String str, TransportMessage transportMessage) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_FAILED) || XPackUser.is(authenticationToken.principal())) {
            return;
        }
        try {
            enqueue(message("authentication_failed", str, authenticationToken, (String) null, AuditUtil.indices(transportMessage), transportMessage), "authentication_failed");
        } catch (Exception e) {
            this.logger.warn("failed to index audit event: [authentication_failed]", e);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(AuthenticationToken authenticationToken, RestRequest restRequest) {
        if (!this.events.contains(AuditLevel.AUTHENTICATION_FAILED) || XPackUser.is(authenticationToken.principal())) {
            return;
        }
        try {
            enqueue(message("authentication_failed", (String) null, authenticationToken, (String) null, (Set<String>) null, restRequest), "authentication_failed");
        } catch (Exception e) {
            this.logger.warn("failed to index audit event: [authentication_failed]", e);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, AuthenticationToken authenticationToken, String str2, TransportMessage transportMessage) {
        if (!this.events.contains(AuditLevel.REALM_AUTHENTICATION_FAILED) || XPackUser.is(authenticationToken.principal())) {
            return;
        }
        try {
            enqueue(message("authentication_failed", str2, authenticationToken, str, AuditUtil.indices(transportMessage), transportMessage), "authentication_failed");
        } catch (Exception e) {
            this.logger.warn("failed to index audit event: [authentication_failed]", e);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void authenticationFailed(String str, AuthenticationToken authenticationToken, RestRequest restRequest) {
        if (!this.events.contains(AuditLevel.REALM_AUTHENTICATION_FAILED) || XPackUser.is(authenticationToken.principal())) {
            return;
        }
        try {
            enqueue(message("authentication_failed", (String) null, authenticationToken, str, (Set<String>) null, restRequest), "authentication_failed");
        } catch (Exception e) {
            this.logger.warn("failed to index audit event: [authentication_failed]", e);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void accessGranted(User user, String str, TransportMessage transportMessage) {
        if (SystemUser.is(user) && SystemPrivilege.INSTANCE.predicate().test(str)) {
            if (this.events.contains(AuditLevel.SYSTEM_ACCESS_GRANTED)) {
                try {
                    enqueue(message("access_granted", str, user, (String) null, AuditUtil.indices(transportMessage), transportMessage), "access_granted");
                    return;
                } catch (Exception e) {
                    this.logger.warn("failed to index audit event: [access_granted]", e);
                    return;
                }
            }
            return;
        }
        if (!this.events.contains(AuditLevel.ACCESS_GRANTED) || XPackUser.is(user)) {
            return;
        }
        try {
            enqueue(message("access_granted", str, user, (String) null, AuditUtil.indices(transportMessage), transportMessage), "access_granted");
        } catch (Exception e2) {
            this.logger.warn("failed to index audit event: [access_granted]", e2);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void accessDenied(User user, String str, TransportMessage transportMessage) {
        if (!this.events.contains(AuditLevel.ACCESS_DENIED) || XPackUser.is(user)) {
            return;
        }
        try {
            enqueue(message("access_denied", str, user, (String) null, AuditUtil.indices(transportMessage), transportMessage), "access_denied");
        } catch (Exception e) {
            this.logger.warn("failed to index audit event: [access_denied]", e);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void tamperedRequest(RestRequest restRequest) {
        if (this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            try {
                enqueue(message("tampered_request", (String) null, (AuthenticationToken) null, (String) null, (Set<String>) null, restRequest), "tampered_request");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [tampered_request]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void tamperedRequest(String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.TAMPERED_REQUEST)) {
            try {
                enqueue(message("tampered_request", str, (User) null, (String) null, AuditUtil.indices(transportMessage), transportMessage), "tampered_request");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [tampered_request]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void tamperedRequest(User user, String str, TransportMessage transportMessage) {
        if (!this.events.contains(AuditLevel.TAMPERED_REQUEST) || XPackUser.is(user)) {
            return;
        }
        try {
            enqueue(message("tampered_request", str, user, (String) null, AuditUtil.indices(transportMessage), transportMessage), "tampered_request");
        } catch (Exception e) {
            this.logger.warn("failed to index audit event: [tampered_request]", e);
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void connectionGranted(InetAddress inetAddress, String str, SecurityIpFilterRule securityIpFilterRule) {
        if (this.events.contains(AuditLevel.CONNECTION_GRANTED)) {
            try {
                enqueue(message("ip_filter", "connection_granted", inetAddress, str, securityIpFilterRule), "connection_granted");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [connection_granted]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void connectionDenied(InetAddress inetAddress, String str, SecurityIpFilterRule securityIpFilterRule) {
        if (this.events.contains(AuditLevel.CONNECTION_DENIED)) {
            try {
                enqueue(message("ip_filter", "connection_denied", inetAddress, str, securityIpFilterRule), "connection_denied");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [connection_denied]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void runAsGranted(User user, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.RUN_AS_GRANTED)) {
            try {
                enqueue(message("run_as_granted", str, user, (String) null, (Set<String>) null, transportMessage), "run_as_granted");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [run_as_granted]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void runAsDenied(User user, String str, TransportMessage transportMessage) {
        if (this.events.contains(AuditLevel.RUN_AS_DENIED)) {
            try {
                enqueue(message("run_as_denied", str, user, (String) null, (Set<String>) null, transportMessage), "run_as_denied");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [run_as_denied]", e);
            }
        }
    }

    @Override // org.elasticsearch.xpack.security.audit.AuditTrail
    public void runAsDenied(User user, RestRequest restRequest) {
        if (this.events.contains(AuditLevel.RUN_AS_DENIED)) {
            try {
                enqueue(message("run_as_denied", null, user, restRequest), "run_as_denied");
            } catch (Exception e) {
                this.logger.warn("failed to index audit event: [run_as_denied]", e);
            }
        }
    }

    private Message message(String str, @Nullable String str2, @Nullable User user, @Nullable String str3, @Nullable Set<String> set, TransportMessage transportMessage) throws Exception {
        Message start = new Message().start();
        common("transport", str, start.builder);
        originAttributes(transportMessage, start.builder, this.clusterService.localNode(), this.threadPool.getThreadContext());
        if (str2 != null) {
            start.builder.field(Field.ACTION, str2);
        }
        if (user != null) {
            if (user.runAs() == null) {
                start.builder.field(Field.PRINCIPAL, user.principal());
            } else if ("run_as_granted".equals(str) || "run_as_denied".equals(str)) {
                start.builder.field(Field.PRINCIPAL, user.principal());
                start.builder.field(Field.RUN_AS_PRINCIPAL, user.runAs().principal());
            } else {
                start.builder.field(Field.PRINCIPAL, user.runAs().principal());
                start.builder.field(Field.RUN_BY_PRINCIPAL, user.principal());
            }
        }
        if (set != null) {
            start.builder.array(Field.INDICES, (String[]) set.toArray(Strings.EMPTY_ARRAY));
        }
        if (str3 != null) {
            start.builder.field(Field.REALM, str3);
        }
        start.builder.field(Field.REQUEST, transportMessage.getClass().getSimpleName());
        return start.end();
    }

    private Message message(String str, @Nullable String str2, @Nullable AuthenticationToken authenticationToken, @Nullable String str3, @Nullable Set<String> set, TransportMessage transportMessage) throws Exception {
        Message start = new Message().start();
        common("transport", str, start.builder);
        originAttributes(transportMessage, start.builder, this.clusterService.localNode(), this.threadPool.getThreadContext());
        if (str2 != null) {
            start.builder.field(Field.ACTION, str2);
        }
        if (authenticationToken != null) {
            start.builder.field(Field.PRINCIPAL, authenticationToken.principal());
        }
        if (str3 != null) {
            start.builder.field(Field.REALM, str3);
        }
        if (set != null) {
            start.builder.array(Field.INDICES, (String[]) set.toArray(Strings.EMPTY_ARRAY));
        }
        start.builder.field(Field.REQUEST, transportMessage.getClass().getSimpleName());
        return start.end();
    }

    private Message message(String str, @Nullable String str2, @Nullable AuthenticationToken authenticationToken, @Nullable String str3, @Nullable Set<String> set, RestRequest restRequest) throws Exception {
        Message start = new Message().start();
        common("rest", str, start.builder);
        if (str2 != null) {
            start.builder.field(Field.ACTION, str2);
        }
        if (authenticationToken != null) {
            start.builder.field(Field.PRINCIPAL, authenticationToken.principal());
        }
        if (str3 != null) {
            start.builder.field(Field.REALM, str3);
        }
        if (set != null) {
            start.builder.array(Field.INDICES, (String[]) set.toArray(Strings.EMPTY_ARRAY));
        }
        if (this.includeRequestBody) {
            start.builder.field(Field.REQUEST_BODY, AuditUtil.restRequestContent(restRequest));
        }
        start.builder.field(Field.ORIGIN_TYPE, "rest");
        SocketAddress remoteAddress = restRequest.getRemoteAddress();
        if (remoteAddress instanceof InetSocketAddress) {
            start.builder.field(Field.ORIGIN_ADDRESS, NetworkAddress.format(((InetSocketAddress) restRequest.getRemoteAddress()).getAddress()));
        } else {
            start.builder.field(Field.ORIGIN_ADDRESS, remoteAddress);
        }
        start.builder.field(Field.URI, restRequest.uri());
        return start.end();
    }

    private Message message(String str, String str2, User user, RestRequest restRequest) throws Exception {
        Message start = new Message().start();
        common("rest", str, start.builder);
        if (user != null) {
            if (user.runAs() != null) {
                start.builder.field(Field.PRINCIPAL, user.runAs().principal());
                start.builder.field(Field.RUN_BY_PRINCIPAL, user.principal());
            } else {
                start.builder.field(Field.PRINCIPAL, user.principal());
            }
        }
        if (str2 != null) {
            start.builder.field(Field.REALM, str2);
        }
        if (this.includeRequestBody) {
            start.builder.field(Field.REQUEST_BODY, AuditUtil.restRequestContent(restRequest));
        }
        start.builder.field(Field.ORIGIN_TYPE, "rest");
        SocketAddress remoteAddress = restRequest.getRemoteAddress();
        if (remoteAddress instanceof InetSocketAddress) {
            start.builder.field(Field.ORIGIN_ADDRESS, NetworkAddress.format(((InetSocketAddress) restRequest.getRemoteAddress()).getAddress()));
        } else {
            start.builder.field(Field.ORIGIN_ADDRESS, remoteAddress);
        }
        start.builder.field(Field.URI, restRequest.uri());
        return start.end();
    }

    private Message message(String str, String str2, InetAddress inetAddress, String str3, SecurityIpFilterRule securityIpFilterRule) throws IOException {
        Message start = new Message().start();
        common(str, str2, start.builder);
        start.builder.field(Field.ORIGIN_ADDRESS, NetworkAddress.format(inetAddress));
        start.builder.field(Field.TRANSPORT_PROFILE, str3);
        start.builder.field(Field.RULE, securityIpFilterRule);
        return start.end();
    }

    private XContentBuilder common(String str, String str2, XContentBuilder xContentBuilder) throws IOException {
        xContentBuilder.field(Field.NODE_NAME, this.nodeName);
        xContentBuilder.field(Field.NODE_HOST_NAME, this.nodeHostName);
        xContentBuilder.field(Field.NODE_HOST_ADDRESS, this.nodeHostAddress);
        xContentBuilder.field(Field.LAYER, str);
        xContentBuilder.field(Field.TYPE, str2);
        return xContentBuilder;
    }

    private static XContentBuilder originAttributes(TransportMessage transportMessage, XContentBuilder xContentBuilder, DiscoveryNode discoveryNode, ThreadContext threadContext) throws IOException {
        InetSocketAddress restRemoteAddress = RemoteHostHeader.restRemoteAddress(threadContext);
        if (restRemoteAddress != null) {
            xContentBuilder.field(Field.ORIGIN_TYPE, "rest");
            xContentBuilder.field(Field.ORIGIN_ADDRESS, NetworkAddress.format(restRemoteAddress.getAddress()));
            return xContentBuilder;
        }
        InetSocketTransportAddress remoteAddress = transportMessage.remoteAddress();
        if (remoteAddress == null) {
            xContentBuilder.field(Field.ORIGIN_TYPE, "local_node");
            xContentBuilder.field(Field.ORIGIN_ADDRESS, discoveryNode.getHostAddress());
            return xContentBuilder;
        }
        xContentBuilder.field(Field.ORIGIN_TYPE, "transport");
        if (remoteAddress instanceof InetSocketTransportAddress) {
            xContentBuilder.field(Field.ORIGIN_ADDRESS, NetworkAddress.format(remoteAddress.address().getAddress()));
        } else {
            xContentBuilder.field(Field.ORIGIN_ADDRESS, remoteAddress);
        }
        return xContentBuilder;
    }

    void enqueue(Message message, String str) {
        State state = state();
        if (state == State.STOPPING || state == State.STOPPED || this.queueConsumer.offer(message)) {
            return;
        }
        this.logger.warn("failed to index audit event: [{}]. internal queue is full, which may be caused by a high indexing rate or issue with the destination", str);
    }

    Message peek() {
        return this.queueConsumer.peek();
    }

    private static Client initializeRemoteClient(Settings settings, Logger logger) {
        Settings settings2 = (Settings) REMOTE_CLIENT_SETTINGS.get(settings);
        String[] asArray = settings2.getAsArray("hosts");
        if (asArray.length == 0) {
            throw new ElasticsearchException("missing required setting [" + REMOTE_CLIENT_SETTINGS.getKey() + ".hosts] for remote audit log indexing", new Object[0]);
        }
        if (settings2.get("cluster.name", "").isEmpty()) {
            throw new ElasticsearchException("missing required setting [" + REMOTE_CLIENT_SETTINGS.getKey() + ".cluster.name] for remote audit log indexing", new Object[0]);
        }
        ArrayList<Tuple> arrayList = new ArrayList();
        for (String str : asArray) {
            List asList = Arrays.asList(str.trim().split(":"));
            if (asList.size() != 1 && asList.size() != 2) {
                logger.warn("invalid host:port specified: [{}] for setting [{}.hosts]", REMOTE_CLIENT_SETTINGS.getKey(), str);
            }
            arrayList.add(new Tuple(asList.get(0), Integer.valueOf(asList.size() == 2 ? Integer.valueOf((String) asList.get(1)).intValue() : 9300)));
        }
        if (arrayList.size() == 0) {
            throw new ElasticsearchException("no valid host:port pairs specified for setting [" + REMOTE_CLIENT_SETTINGS.getKey() + ".hosts]", new Object[0]);
        }
        TransportClient transportClient = new TransportClient(Settings.builder().put("node.name", "security-audit-client-" + ((String) Node.NODE_NAME_SETTING.get(settings))).put(settings2.filter(str2 -> {
            return !str2.startsWith("hosts");
        })).build(), Settings.EMPTY, Collections.singletonList(XPackPlugin.class), null) { // from class: org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.2
        };
        for (Tuple tuple : arrayList) {
            try {
                transportClient.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName((String) tuple.v1()), ((Integer) tuple.v2()).intValue()));
            } catch (UnknownHostException e) {
                throw new ElasticsearchException("could not find host {}", e, new Object[]{tuple.v1()});
            }
        }
        logger.info("forwarding audit events to remote cluster [{}] using hosts [{}]", settings2.get("cluster.name", ""), arrayList.toString());
        return transportClient;
    }

    Settings customAuditIndexSettings(Settings settings) {
        Settings build = Settings.builder().put((Settings) INDEX_SETTINGS.get(settings)).build();
        if (build.names().isEmpty()) {
            return Settings.EMPTY;
        }
        Settings.Builder builder = Settings.builder();
        for (Map.Entry entry : build.getAsMap().entrySet()) {
            String str = "index." + ((String) entry.getKey());
            if (FORBIDDEN_INDEX_SETTING.equals(str)) {
                this.logger.warn("overriding the default [{}} setting is forbidden. ignoring...", str);
            } else {
                builder.put(str, (String) entry.getValue());
            }
        }
        return builder.build();
    }

    void putTemplate(Settings settings, ActionListener<Void> actionListener) {
        try {
            InputStream resourceAsStream = getClass().getResourceAsStream("/security_audit_log.json");
            Throwable th = null;
            try {
                try {
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    Streams.copy(resourceAsStream, byteArrayOutputStream);
                    PutIndexTemplateRequest source = new PutIndexTemplateRequest(INDEX_TEMPLATE_NAME).source(byteArrayOutputStream.toByteArray());
                    if (settings != null && settings.names().size() > 0) {
                        source.settings(Settings.builder().put(source.settings()).put(settings).build());
                    }
                    IndicesAdminClient indices = this.client.admin().indices();
                    Consumer consumer = putIndexTemplateResponse -> {
                        if (!putIndexTemplateResponse.isAcknowledged()) {
                            actionListener.onFailure(new IllegalStateException("failed to put index template for audit logging"));
                        } else {
                            Message peek = this.queueConsumer.peek();
                            checkIfCurrentIndexExists(IndexNameResolver.resolve(INDEX_NAME_PREFIX, peek != null ? peek.timestamp : DateTime.now(DateTimeZone.UTC), this.rollover), source, actionListener);
                        }
                    };
                    actionListener.getClass();
                    indices.putTemplate(source, ActionListener.wrap(consumer, actionListener::onFailure));
                    if (resourceAsStream != null) {
                        if (0 != 0) {
                            try {
                                resourceAsStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            resourceAsStream.close();
                        }
                    }
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } finally {
            }
        } catch (Exception e) {
            this.logger.debug("unexpected exception while putting index template", e);
            actionListener.onFailure(e);
        }
    }

    private void checkIfCurrentIndexExists(String str, PutIndexTemplateRequest putIndexTemplateRequest, ActionListener<Void> actionListener) {
        IndicesExistsRequestBuilder prepareExists = this.client.admin().indices().prepareExists(new String[]{str});
        Consumer consumer = indicesExistsResponse -> {
            if (indicesExistsResponse.isExists()) {
                this.logger.debug("index [{}] exists so we need to update mappings", str);
                putAuditIndexMappings(str, putIndexTemplateRequest, actionListener);
            } else {
                this.logger.debug("index [{}] does not exist so we do not need to update mappings", str);
                actionListener.onResponse((Object) null);
            }
        };
        actionListener.getClass();
        prepareExists.execute(ActionListener.wrap(consumer, actionListener::onFailure));
    }

    private void putAuditIndexMappings(String str, PutIndexTemplateRequest putIndexTemplateRequest, ActionListener<Void> actionListener) {
        PutMappingRequestBuilder source = this.client.admin().indices().preparePutMapping(new String[]{str}).setType(DOC_TYPE).setSource((String) putIndexTemplateRequest.mappings().get(DOC_TYPE));
        Consumer consumer = putMappingResponse -> {
            if (putMappingResponse.isAcknowledged()) {
                actionListener.onResponse((Object) null);
            } else {
                actionListener.onFailure(new IllegalStateException("failed to put mappings for audit logging index [" + str + "]"));
            }
        };
        actionListener.getClass();
        source.execute(ActionListener.wrap(consumer, actionListener::onFailure));
    }

    BlockingQueue<Message> createQueue(int i) {
        return new LinkedBlockingQueue(i);
    }

    private void initializeBulkProcessor() {
        int intValue = ((Integer) BULK_SIZE_SETTING.get(this.settings)).intValue();
        this.bulkProcessor = BulkProcessor.builder(this.client, new BulkProcessor.Listener() { // from class: org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.3
            public void beforeBulk(long j, BulkRequest bulkRequest) {
            }

            public void afterBulk(long j, BulkRequest bulkRequest, BulkResponse bulkResponse) {
                if (bulkResponse.hasFailures()) {
                    IndexAuditTrail.this.logger.info("failed to bulk index audit events: [{}]", bulkResponse.buildFailureMessage());
                }
            }

            public void afterBulk(long j, BulkRequest bulkRequest, Throwable th) {
                IndexAuditTrail.this.logger.error(() -> {
                    return new ParameterizedMessage("failed to bulk index audit events: [{}]", th.getMessage());
                }, th);
            }
        }).setBulkActions(intValue).setFlushInterval((TimeValue) FLUSH_TIMEOUT_SETTING.get(this.settings)).setConcurrentRequests(1).build();
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        if (!$assertionsDisabled && this.indexToRemoteCluster) {
            throw new AssertionError();
        }
        if (state() == State.STARTED && clusterChangedEvent.localNodeMaster() && clusterChangedEvent.state().metaData().templates().get(INDEX_TEMPLATE_NAME) == null && this.putTemplatePending.compareAndSet(false, true)) {
            this.logger.debug("security audit index template [{}] does not exist. it may have been deleted - putting the template", INDEX_TEMPLATE_NAME);
            putTemplate(customAuditIndexSettings(this.settings), new ActionListener<Void>() { // from class: org.elasticsearch.xpack.security.audit.index.IndexAuditTrail.4
                public void onResponse(Void r4) {
                    IndexAuditTrail.this.putTemplatePending.set(false);
                }

                public void onFailure(Exception exc) {
                    IndexAuditTrail.this.putTemplatePending.set(false);
                    IndexAuditTrail.this.logger.error(() -> {
                        return new ParameterizedMessage("failed to update security audit index template [{}]", IndexAuditTrail.INDEX_TEMPLATE_NAME);
                    }, exc);
                }
            });
        }
    }

    public static void registerSettings(List<Setting<?>> list) {
        list.add(INDEX_SETTINGS);
        list.add(EXCLUDE_EVENT_SETTINGS);
        list.add(INCLUDE_EVENT_SETTINGS);
        list.add(ROLLOVER_SETTING);
        list.add(BULK_SIZE_SETTING);
        list.add(FLUSH_TIMEOUT_SETTING);
        list.add(QUEUE_SIZE_SETTING);
        list.add(REMOTE_CLIENT_SETTINGS);
        list.add(INCLUDE_REQUEST_BODY);
    }

    static {
        $assertionsDisabled = !IndexAuditTrail.class.desiredAssertionStatus();
        DEFAULT_FLUSH_INTERVAL = TimeValue.timeValueSeconds(1L);
        DEFAULT_ROLLOVER = IndexNameResolver.Rollover.DAILY;
        ROLLOVER_SETTING = new Setting<>(Security.setting("audit.index.rollover"), settings -> {
            return DEFAULT_ROLLOVER.name();
        }, str -> {
            return IndexNameResolver.Rollover.valueOf(str.toUpperCase(Locale.ENGLISH));
        }, new Setting.Property[]{Setting.Property.NodeScope});
        QUEUE_SIZE_SETTING = Setting.intSetting(Security.setting("audit.index.queue_max_size"), 1000, 1, new Setting.Property[]{Setting.Property.NodeScope});
        DEFAULT_EVENT_INCLUDES = Arrays.asList(AuditLevel.ACCESS_DENIED.toString(), AuditLevel.ACCESS_GRANTED.toString(), AuditLevel.ANONYMOUS_ACCESS_DENIED.toString(), AuditLevel.AUTHENTICATION_FAILED.toString(), AuditLevel.REALM_AUTHENTICATION_FAILED.toString(), AuditLevel.CONNECTION_DENIED.toString(), AuditLevel.CONNECTION_GRANTED.toString(), AuditLevel.TAMPERED_REQUEST.toString(), AuditLevel.RUN_AS_DENIED.toString(), AuditLevel.RUN_AS_GRANTED.toString(), AuditLevel.AUTHENTICATION_SUCCESS.toString());
        INDEX_SETTINGS = Setting.groupSetting(Security.setting("audit.index.settings.index."), new Setting.Property[]{Setting.Property.NodeScope});
        INCLUDE_EVENT_SETTINGS = Setting.listSetting(Security.setting("audit.index.events.include"), DEFAULT_EVENT_INCLUDES, Function.identity(), new Setting.Property[]{Setting.Property.NodeScope});
        EXCLUDE_EVENT_SETTINGS = Setting.listSetting(Security.setting("audit.index.events.exclude"), Collections.emptyList(), Function.identity(), new Setting.Property[]{Setting.Property.NodeScope});
        INCLUDE_REQUEST_BODY = Setting.boolSetting(Security.setting("audit.index.events.emit_request_body"), false, new Setting.Property[]{Setting.Property.NodeScope});
        REMOTE_CLIENT_SETTINGS = Setting.groupSetting(Security.setting("audit.index.client."), new Setting.Property[]{Setting.Property.NodeScope});
        BULK_SIZE_SETTING = Setting.intSetting(Security.setting("audit.index.bulk_size"), 1000, 1, MAX_BULK_SIZE, new Setting.Property[]{Setting.Property.NodeScope});
        FLUSH_TIMEOUT_SETTING = Setting.timeSetting(Security.setting("audit.index.flush_interval"), DEFAULT_FLUSH_INTERVAL, TimeValue.timeValueMillis(1L), new Setting.Property[]{Setting.Property.NodeScope});
    }
}
