package org.elasticsearch.xpack.security.authc.esnative;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.LatchedActionListener;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.ClearScrollResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.engine.DocumentMissingException;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.xpack.security.InternalClient;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.SecurityTemplateService;
import org.elasticsearch.xpack.security.action.realm.ClearRealmCacheRequest;
import org.elasticsearch.xpack.security.action.realm.ClearRealmCacheResponse;
import org.elasticsearch.xpack.security.action.user.ChangePasswordRequest;
import org.elasticsearch.xpack.security.action.user.DeleteUserRequest;
import org.elasticsearch.xpack.security.action.user.PutUserRequest;
import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.client.SecurityClient;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.user.XPackUser;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore.class */
public class NativeUsersStore extends AbstractComponent implements ClusterStateListener {
    private static final Setting<Integer> SCROLL_SIZE_SETTING;
    private static final Setting<TimeValue> SCROLL_KEEP_ALIVE_SETTING;
    private static final String USER_DOC_TYPE = "user";
    private static final String RESERVED_USER_DOC_TYPE = "reserved-user";
    private final Hasher hasher;
    private final AtomicReference<State> state;
    private final InternalClient client;
    private final boolean isTribeNode;
    private int scrollSize;
    private TimeValue scrollKeepAlive;
    private volatile boolean securityIndexExists;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$ReservedUserInfo.class */
    public static class ReservedUserInfo {
        final char[] passwordHash;
        final boolean enabled;

        /* JADX INFO: Access modifiers changed from: package-private */
        public ReservedUserInfo(char[] cArr, boolean z) {
            this.passwordHash = cArr;
            this.enabled = z;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/NativeUsersStore$State.class */
    public enum State {
        INITIALIZED,
        STARTING,
        STARTED,
        STOPPING,
        STOPPED,
        FAILED
    }

    public NativeUsersStore(Settings settings, InternalClient internalClient) {
        super(settings);
        this.hasher = Hasher.BCRYPT;
        this.state = new AtomicReference<>(State.INITIALIZED);
        this.securityIndexExists = false;
        this.client = internalClient;
        this.isTribeNode = !settings.getGroups("tribe", true).isEmpty();
    }

    public User getUser(String str) {
        if (state() != State.STARTED) {
            this.logger.trace("attempted to get user [{}] before service was started", str);
            return null;
        }
        UserAndPassword userAndPassword = getUserAndPassword(str);
        if (userAndPassword == null) {
            return null;
        }
        return userAndPassword.user();
    }

    public void getUser(final String str, final ActionListener<User> actionListener) {
        if (state() == State.STARTED) {
            getUserAndPassword(str, new ActionListener<UserAndPassword>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.1
                public void onResponse(UserAndPassword userAndPassword) {
                    actionListener.onResponse(userAndPassword == null ? null : userAndPassword.user());
                }

                public void onFailure(Exception exc) {
                    if (exc instanceof IndexNotFoundException) {
                        NativeUsersStore.this.logger.trace("failed to retrieve user [{}] since security index does not exist", str);
                        actionListener.onResponse((Object) null);
                    } else {
                        Logger logger = NativeUsersStore.this.logger;
                        String str2 = str;
                        logger.debug(() -> {
                            return new ParameterizedMessage("failed to retrieve user [{}]", str2);
                        }, exc);
                        actionListener.onFailure(exc);
                    }
                }
            });
        } else {
            this.logger.trace("attempted to get user [{}] before service was started", str);
            actionListener.onFailure(new IllegalStateException("user cannot be retrieved as native user service has not been started"));
        }
    }

    public void getUsers(String[] strArr, final ActionListener<List<User>> actionListener) {
        if (state() != State.STARTED) {
            this.logger.trace("attempted to get users before service was started");
            actionListener.onFailure(new IllegalStateException("users cannot be retrieved as native user service has not been started"));
            return;
        }
        try {
            final ArrayList arrayList = new ArrayList();
            SearchRequest request = this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setScroll(this.scrollKeepAlive).setTypes(new String[]{"user"}).setQuery((strArr == null || strArr.length == 0) ? QueryBuilders.matchAllQuery() : QueryBuilders.boolQuery().filter(QueryBuilders.idsQuery(new String[]{"user"}).addIds(strArr))).setSize(this.scrollSize).setFetchSource(true).request();
            request.indicesOptions().ignoreUnavailable();
            this.client.search(request, new ActionListener<SearchResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.2
                private SearchResponse lastResponse = null;

                public void onResponse(SearchResponse searchResponse) {
                    this.lastResponse = searchResponse;
                    if (!(searchResponse.getHits().getHits().length > 0)) {
                        if (searchResponse.getScrollId() != null) {
                            NativeUsersStore.this.clearScrollResponse(searchResponse.getScrollId());
                        }
                        actionListener.onResponse(Collections.unmodifiableList(arrayList));
                        return;
                    }
                    for (SearchHit searchHit : searchResponse.getHits().getHits()) {
                        UserAndPassword transformUser = NativeUsersStore.this.transformUser(searchHit.getId(), searchHit.getSource());
                        if (transformUser != null) {
                            arrayList.add(transformUser.user());
                        }
                    }
                    NativeUsersStore.this.client.searchScroll(NativeUsersStore.this.client.prepareSearchScroll(searchResponse.getScrollId()).setScroll(NativeUsersStore.this.scrollKeepAlive).request(), this);
                }

                public void onFailure(Exception exc) {
                    if (this.lastResponse != null && this.lastResponse.getScrollId() != null) {
                        NativeUsersStore.this.clearScrollResponse(this.lastResponse.getScrollId());
                    }
                    if (!(exc instanceof IndexNotFoundException)) {
                        actionListener.onFailure(exc);
                    } else {
                        NativeUsersStore.this.logger.trace("could not retrieve users because security index does not exist");
                        actionListener.onResponse(Collections.emptyList());
                    }
                }
            });
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("unable to retrieve users {}", Arrays.toString(strArr));
            }, e);
            actionListener.onFailure(e);
        }
    }

    private UserAndPassword getUserAndPassword(final String str) {
        final AtomicReference atomicReference = new AtomicReference(null);
        CountDownLatch countDownLatch = new CountDownLatch(1);
        getUserAndPassword(str, new LatchedActionListener(new ActionListener<UserAndPassword>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.3
            public void onResponse(UserAndPassword userAndPassword) {
                atomicReference.set(userAndPassword);
            }

            public void onFailure(Exception exc) {
                if (exc instanceof IndexNotFoundException) {
                    Logger logger = NativeUsersStore.this.logger;
                    String str2 = str;
                    logger.trace(() -> {
                        return new ParameterizedMessage("failed to retrieve user [{}] since security index does not exist", str2);
                    }, exc);
                } else {
                    Logger logger2 = NativeUsersStore.this.logger;
                    String str3 = str;
                    logger2.error(() -> {
                        return new ParameterizedMessage("failed to retrieve user [{}]", str3);
                    }, exc);
                }
            }
        }, countDownLatch));
        try {
            countDownLatch.await(30L, TimeUnit.SECONDS);
            return (UserAndPassword) atomicReference.get();
        } catch (InterruptedException e) {
            this.logger.error("timed out retrieving user [{}]", str);
            return null;
        }
    }

    private void getUserAndPassword(final String str, final ActionListener<UserAndPassword> actionListener) {
        try {
            this.client.get(this.client.prepareGet(SecurityTemplateService.SECURITY_INDEX_NAME, "user", str).request(), new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.4
                public void onResponse(GetResponse getResponse) {
                    actionListener.onResponse(NativeUsersStore.this.transformUser(getResponse.getId(), getResponse.getSource()));
                }

                public void onFailure(Exception exc) {
                    if (exc instanceof IndexNotFoundException) {
                        Logger logger = NativeUsersStore.this.logger;
                        String str2 = str;
                        logger.trace(() -> {
                            return new ParameterizedMessage("could not retrieve user [{}] because security index does not exist", str2);
                        }, exc);
                    } else {
                        Logger logger2 = NativeUsersStore.this.logger;
                        String str3 = str;
                        logger2.error(() -> {
                            return new ParameterizedMessage("failed to retrieve user [{}]", str3);
                        }, exc);
                    }
                    actionListener.onResponse((Object) null);
                }
            });
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("unable to retrieve user [{}]", str);
            }, e);
            actionListener.onFailure(e);
        } catch (IndexNotFoundException e2) {
            this.logger.trace("could not retrieve user [{}] because security index does not exist", str);
            actionListener.onResponse((Object) null);
        }
    }

    public void changePassword(final ChangePasswordRequest changePasswordRequest, final ActionListener<Void> actionListener) {
        final String username = changePasswordRequest.username();
        if (!$assertionsDisabled && ("_system".equals(username) || XPackUser.NAME.equals(username))) {
            throw new AssertionError(username + "is internal!");
        }
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("users may not be created or modified using a tribe node"));
            return;
        }
        String str = ReservedRealm.isReserved(username, this.settings) ? RESERVED_USER_DOC_TYPE : "user";
        final String str2 = str;
        this.client.prepareUpdate(SecurityTemplateService.SECURITY_INDEX_NAME, str, username).setDoc(User.Fields.PASSWORD.getPreferredName(), String.valueOf(changePasswordRequest.passwordHash())).setRefreshPolicy(changePasswordRequest.getRefreshPolicy()).execute(new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.5
            static final /* synthetic */ boolean $assertionsDisabled;

            public void onResponse(UpdateResponse updateResponse) {
                if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED) {
                    throw new AssertionError();
                }
                NativeUsersStore.this.clearRealmCache(changePasswordRequest.username(), actionListener, null);
            }

            public void onFailure(Exception exc) {
                if (!NativeUsersStore.isIndexNotFoundOrDocumentMissing(exc)) {
                    actionListener.onFailure(exc);
                    return;
                }
                if (str2.equals(NativeUsersStore.RESERVED_USER_DOC_TYPE)) {
                    NativeUsersStore.this.createReservedUser(username, changePasswordRequest.passwordHash(), changePasswordRequest.getRefreshPolicy(), actionListener);
                    return;
                }
                Logger logger = NativeUsersStore.this.logger;
                ChangePasswordRequest changePasswordRequest2 = changePasswordRequest;
                logger.debug(() -> {
                    return new ParameterizedMessage("failed to change password for user [{}]", changePasswordRequest2.username());
                }, exc);
                ValidationException validationException = new ValidationException();
                validationException.addValidationError("user must exist in order to change password");
                actionListener.onFailure(validationException);
            }

            static {
                $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void createReservedUser(final String str, char[] cArr, WriteRequest.RefreshPolicy refreshPolicy, final ActionListener<Void> actionListener) {
        this.client.prepareIndex(SecurityTemplateService.SECURITY_INDEX_NAME, RESERVED_USER_DOC_TYPE, str).setSource(User.Fields.PASSWORD.getPreferredName(), String.valueOf(cArr), User.Fields.ENABLED.getPreferredName(), true).setRefreshPolicy(refreshPolicy).execute(new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.6
            public void onResponse(IndexResponse indexResponse) {
                NativeUsersStore.this.clearRealmCache(str, actionListener, null);
            }

            public void onFailure(Exception exc) {
                actionListener.onFailure(exc);
            }
        });
    }

    public void putUser(PutUserRequest putUserRequest, ActionListener<Boolean> actionListener) {
        if (state() != State.STARTED) {
            actionListener.onFailure(new IllegalStateException("user cannot be added as native user service has not been started"));
            return;
        }
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("users may not be created or modified using a tribe node"));
            return;
        }
        try {
            if (putUserRequest.passwordHash() == null) {
                updateUserWithoutPassword(putUserRequest, actionListener);
            } else {
                indexUser(putUserRequest, actionListener);
            }
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("unable to put user [{}]", putUserRequest.username());
            }, e);
            actionListener.onFailure(e);
        }
    }

    private void updateUserWithoutPassword(final PutUserRequest putUserRequest, final ActionListener<Boolean> actionListener) {
        if (!$assertionsDisabled && putUserRequest.passwordHash() != null) {
            throw new AssertionError();
        }
        this.client.prepareUpdate(SecurityTemplateService.SECURITY_INDEX_NAME, "user", putUserRequest.username()).setDoc(new Object[]{User.Fields.USERNAME.getPreferredName(), putUserRequest.username(), User.Fields.ROLES.getPreferredName(), putUserRequest.roles(), User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(), User.Fields.EMAIL.getPreferredName(), putUserRequest.email(), User.Fields.METADATA.getPreferredName(), putUserRequest.metadata(), User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(putUserRequest.enabled())}).setRefreshPolicy(putUserRequest.getRefreshPolicy()).execute(new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.7
            static final /* synthetic */ boolean $assertionsDisabled;

            public void onResponse(UpdateResponse updateResponse) {
                if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED) {
                    throw new AssertionError();
                }
                NativeUsersStore.this.clearRealmCache(putUserRequest.username(), actionListener, false);
            }

            public void onFailure(Exception exc) {
                Exception exc2 = exc;
                if (NativeUsersStore.isIndexNotFoundOrDocumentMissing(exc)) {
                    Logger logger = NativeUsersStore.this.logger;
                    PutUserRequest putUserRequest2 = putUserRequest;
                    logger.debug(() -> {
                        return new ParameterizedMessage("failed to update user document with username [{}]", putUserRequest2.username());
                    }, exc);
                    Exception validationException = new ValidationException();
                    validationException.addValidationError("password must be specified unless you are updating an existing user");
                    exc2 = validationException;
                }
                actionListener.onFailure(exc2);
            }

            static {
                $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
            }
        });
    }

    private void indexUser(final PutUserRequest putUserRequest, final ActionListener<Boolean> actionListener) {
        if (!$assertionsDisabled && putUserRequest.passwordHash() == null) {
            throw new AssertionError();
        }
        this.client.prepareIndex(SecurityTemplateService.SECURITY_INDEX_NAME, "user", putUserRequest.username()).setSource(new Object[]{User.Fields.USERNAME.getPreferredName(), putUserRequest.username(), User.Fields.PASSWORD.getPreferredName(), String.valueOf(putUserRequest.passwordHash()), User.Fields.ROLES.getPreferredName(), putUserRequest.roles(), User.Fields.FULL_NAME.getPreferredName(), putUserRequest.fullName(), User.Fields.EMAIL.getPreferredName(), putUserRequest.email(), User.Fields.METADATA.getPreferredName(), putUserRequest.metadata(), User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(putUserRequest.enabled())}).setRefreshPolicy(putUserRequest.getRefreshPolicy()).execute(new ActionListener<IndexResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.8
            public void onResponse(IndexResponse indexResponse) {
                NativeUsersStore.this.clearRealmCache(putUserRequest.username(), actionListener, Boolean.valueOf(indexResponse.getResult() == DocWriteResponse.Result.CREATED));
            }

            public void onFailure(Exception exc) {
                actionListener.onFailure(exc);
            }
        });
    }

    public void setEnabled(String str, boolean z, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<Void> actionListener) {
        if (state() != State.STARTED) {
            actionListener.onFailure(new IllegalStateException("enabled status cannot be changed as native user service has not been started"));
            return;
        }
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("users may not be created or modified using a tribe node"));
        } else if (ReservedRealm.isReserved(str, this.settings)) {
            setReservedUserEnabled(str, z, refreshPolicy, actionListener);
        } else {
            setRegularUserEnabled(str, z, refreshPolicy, actionListener);
        }
    }

    private void setRegularUserEnabled(final String str, final boolean z, WriteRequest.RefreshPolicy refreshPolicy, final ActionListener<Void> actionListener) {
        try {
            this.client.prepareUpdate(SecurityTemplateService.SECURITY_INDEX_NAME, "user", str).setDoc(User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(z)).setRefreshPolicy(refreshPolicy).execute(new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.9
                static final /* synthetic */ boolean $assertionsDisabled;

                public void onResponse(UpdateResponse updateResponse) {
                    if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED) {
                        throw new AssertionError();
                    }
                    NativeUsersStore.this.clearRealmCache(str, actionListener, null);
                }

                public void onFailure(Exception exc) {
                    Exception exc2 = exc;
                    if (NativeUsersStore.isIndexNotFoundOrDocumentMissing(exc)) {
                        Logger logger = NativeUsersStore.this.logger;
                        boolean z2 = z;
                        String str2 = str;
                        logger.debug(() -> {
                            return new ParameterizedMessage("failed to {} user [{}]", z2 ? "enable" : "disable", str2);
                        }, exc);
                        Exception validationException = new ValidationException();
                        validationException.addValidationError("only existing users can be " + (z ? "enabled" : "disabled"));
                        exc2 = validationException;
                    }
                    actionListener.onFailure(exc2);
                }

                static {
                    $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
                }
            });
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    private void setReservedUserEnabled(final String str, boolean z, WriteRequest.RefreshPolicy refreshPolicy, final ActionListener<Void> actionListener) {
        try {
            this.client.prepareUpdate(SecurityTemplateService.SECURITY_INDEX_NAME, RESERVED_USER_DOC_TYPE, str).setDoc(User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(z)).setUpsert(new Object[]{User.Fields.PASSWORD.getPreferredName(), String.valueOf(ReservedRealm.DEFAULT_PASSWORD_HASH), User.Fields.ENABLED.getPreferredName(), Boolean.valueOf(z)}).setRefreshPolicy(refreshPolicy).execute(new ActionListener<UpdateResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.10
                static final /* synthetic */ boolean $assertionsDisabled;

                public void onResponse(UpdateResponse updateResponse) {
                    if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED && updateResponse.getResult() != DocWriteResponse.Result.CREATED) {
                        throw new AssertionError();
                    }
                    NativeUsersStore.this.clearRealmCache(str, actionListener, null);
                }

                public void onFailure(Exception exc) {
                    actionListener.onFailure(exc);
                }

                static {
                    $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
                }
            });
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    public void deleteUser(final DeleteUserRequest deleteUserRequest, final ActionListener<Boolean> actionListener) {
        if (state() != State.STARTED) {
            actionListener.onFailure(new IllegalStateException("user cannot be deleted as native user service has not been started"));
            return;
        }
        if (this.isTribeNode) {
            actionListener.onFailure(new UnsupportedOperationException("users may not be deleted using a tribe node"));
            return;
        }
        try {
            DeleteRequest request = this.client.prepareDelete(SecurityTemplateService.SECURITY_INDEX_NAME, "user", deleteUserRequest.username()).request();
            request.indicesOptions().ignoreUnavailable();
            request.setRefreshPolicy(deleteUserRequest.getRefreshPolicy());
            this.client.delete(request, new ActionListener<DeleteResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.11
                public void onResponse(DeleteResponse deleteResponse) {
                    NativeUsersStore.this.clearRealmCache(deleteUserRequest.username(), actionListener, Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                }

                public void onFailure(Exception exc) {
                    actionListener.onFailure(exc);
                }
            });
        } catch (Exception e) {
            this.logger.error("unable to remove user", e);
            actionListener.onFailure(e);
        }
    }

    public boolean canStart(ClusterState clusterState, boolean z) {
        if (state() != State.INITIALIZED) {
            return false;
        }
        if (clusterState.blocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
            this.logger.debug("native users store waiting until gateway has recovered from disk");
            return false;
        }
        if (this.isTribeNode) {
            return true;
        }
        if (!SecurityTemplateService.securityIndexMappingAndTemplateUpToDate(clusterState, this.logger)) {
            return false;
        }
        if (clusterState.metaData().index(SecurityTemplateService.SECURITY_INDEX_NAME) == null) {
            this.logger.debug("security index [{}] does not exist, so service can start", SecurityTemplateService.SECURITY_INDEX_NAME);
            return true;
        }
        if (!clusterState.routingTable().index(SecurityTemplateService.SECURITY_INDEX_NAME).allPrimaryShardsActive()) {
            return false;
        }
        this.logger.debug("security index [{}] all primary shards started, so service can start", SecurityTemplateService.SECURITY_INDEX_NAME);
        this.securityIndexExists = true;
        return true;
    }

    public void start() {
        try {
            if (this.state.compareAndSet(State.INITIALIZED, State.STARTING)) {
                this.scrollSize = ((Integer) SCROLL_SIZE_SETTING.get(this.settings)).intValue();
                this.scrollKeepAlive = (TimeValue) SCROLL_KEEP_ALIVE_SETTING.get(this.settings);
                this.state.set(State.STARTED);
            }
        } catch (Exception e) {
            this.logger.error("failed to start native user store", e);
            this.state.set(State.FAILED);
        }
    }

    public void stop() {
        if (this.state.compareAndSet(State.STARTED, State.STOPPING)) {
            this.state.set(State.STOPPED);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public User verifyPassword(String str, SecuredString securedString) {
        if (state() != State.STARTED) {
            this.logger.trace("attempted to verify user credentials for [{}] but service was not started", str);
            return null;
        }
        UserAndPassword userAndPassword = getUserAndPassword(str);
        if (userAndPassword == null || userAndPassword.passwordHash() == null || !this.hasher.verify(securedString, userAndPassword.passwordHash())) {
            return null;
        }
        return userAndPassword.user();
    }

    public boolean started() {
        return state() == State.STARTED;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean securityIndexExists() {
        return this.securityIndexExists;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ReservedUserInfo getReservedUserInfo(final String str) throws Exception {
        if (!$assertionsDisabled && !started()) {
            throw new AssertionError();
        }
        final AtomicReference atomicReference = new AtomicReference();
        final AtomicReference atomicReference2 = new AtomicReference();
        CountDownLatch countDownLatch = new CountDownLatch(1);
        this.client.prepareGet(SecurityTemplateService.SECURITY_INDEX_NAME, RESERVED_USER_DOC_TYPE, str).execute(new LatchedActionListener(new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.12
            public void onResponse(GetResponse getResponse) {
                if (getResponse.isExists()) {
                    Map sourceAsMap = getResponse.getSourceAsMap();
                    String str2 = (String) sourceAsMap.get(User.Fields.PASSWORD.getPreferredName());
                    Boolean bool = (Boolean) sourceAsMap.get(User.Fields.ENABLED.getPreferredName());
                    if (str2 == null || str2.isEmpty()) {
                        atomicReference2.set(new IllegalStateException("password hash must not be empty!"));
                    } else if (bool == null) {
                        atomicReference2.set(new IllegalStateException("enabled must not be null!"));
                    } else {
                        atomicReference.set(new ReservedUserInfo(str2.toCharArray(), bool.booleanValue()));
                    }
                }
            }

            public void onFailure(Exception exc) {
                if (exc instanceof IndexNotFoundException) {
                    Logger logger = NativeUsersStore.this.logger;
                    String str2 = str;
                    logger.trace(() -> {
                        return new ParameterizedMessage("could not retrieve built in user [{}] info since security index does not exist", str2);
                    }, exc);
                } else {
                    Logger logger2 = NativeUsersStore.this.logger;
                    String str3 = str;
                    logger2.error(() -> {
                        return new ParameterizedMessage("failed to retrieve built in user [{}] info", str3);
                    }, exc);
                    atomicReference2.set(exc);
                }
            }
        }, countDownLatch));
        try {
            if (!countDownLatch.await(30L, TimeUnit.SECONDS)) {
                atomicReference2.set(new TimeoutException("timed out trying to get built in user [" + str + "]"));
            }
        } catch (InterruptedException e) {
            atomicReference2.set(e);
        }
        Exception exc = (Exception) atomicReference2.get();
        if (exc != null) {
            throw exc;
        }
        return (ReservedUserInfo) atomicReference.get();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Map<String, ReservedUserInfo> getAllReservedUserInfo() throws Exception {
        if (!$assertionsDisabled && !started()) {
            throw new AssertionError();
        }
        final HashMap hashMap = new HashMap();
        final AtomicReference atomicReference = new AtomicReference();
        CountDownLatch countDownLatch = new CountDownLatch(1);
        this.client.prepareSearch(new String[]{SecurityTemplateService.SECURITY_INDEX_NAME}).setTypes(new String[]{RESERVED_USER_DOC_TYPE}).setQuery(QueryBuilders.matchAllQuery()).setFetchSource(true).execute(new LatchedActionListener(new ActionListener<SearchResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.13
            static final /* synthetic */ boolean $assertionsDisabled;

            public void onResponse(SearchResponse searchResponse) {
                if (!$assertionsDisabled && searchResponse.getHits().getTotalHits() > 10) {
                    throw new AssertionError("there are more than 10 reserved users we need to change this to retrieve them all!");
                }
                for (SearchHit searchHit : searchResponse.getHits().getHits()) {
                    Map source = searchHit.getSource();
                    String str = (String) source.get(User.Fields.PASSWORD.getPreferredName());
                    Boolean bool = (Boolean) source.get(User.Fields.ENABLED.getPreferredName());
                    if (str == null || str.isEmpty()) {
                        atomicReference.set(new IllegalStateException("password hash must not be empty!"));
                        return;
                    } else {
                        if (bool == null) {
                            atomicReference.set(new IllegalStateException("enabled must not be null!"));
                            return;
                        }
                        hashMap.put(searchHit.getId(), new ReservedUserInfo(str.toCharArray(), bool.booleanValue()));
                    }
                }
            }

            public void onFailure(Exception exc) {
                if (exc instanceof IndexNotFoundException) {
                    NativeUsersStore.this.logger.trace("could not retrieve built in users since security index does not exist", exc);
                } else {
                    NativeUsersStore.this.logger.error("failed to retrieve built in users", exc);
                    atomicReference.set(exc);
                }
            }

            static {
                $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
            }
        }, countDownLatch));
        try {
            if (!countDownLatch.await(30L, TimeUnit.SECONDS)) {
                atomicReference.set(new TimeoutException("timed out trying to get built in users"));
            }
        } catch (InterruptedException e) {
            atomicReference.set(e);
        }
        Exception exc = (Exception) atomicReference.get();
        if (exc != null) {
            throw exc;
        }
        return hashMap;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void clearScrollResponse(final String str) {
        this.client.clearScroll(this.client.prepareClearScroll().addScrollId(str).request(), new ActionListener<ClearScrollResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.14
            public void onResponse(ClearScrollResponse clearScrollResponse) {
            }

            public void onFailure(Exception exc) {
                Logger logger = NativeUsersStore.this.logger;
                String str2 = str;
                logger.warn(() -> {
                    return new ParameterizedMessage("failed to clear scroll [{}]", str2);
                }, exc);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public <Response> void clearRealmCache(final String str, final ActionListener<Response> actionListener, final Response response) {
        SecurityClient securityClient = new SecurityClient(this.client);
        securityClient.clearRealmCache((ClearRealmCacheRequest) securityClient.prepareClearRealmCache().usernames(str).request(), new ActionListener<ClearRealmCacheResponse>() { // from class: org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.15
            public void onResponse(ClearRealmCacheResponse clearRealmCacheResponse) {
                actionListener.onResponse(response);
            }

            public void onFailure(Exception exc) {
                Logger logger = NativeUsersStore.this.logger;
                String str2 = str;
                logger.error(() -> {
                    return new ParameterizedMessage("unable to clear realm cache for user [{}]", str2);
                }, exc);
                actionListener.onFailure(new ElasticsearchException("clearing the cache for [" + str + "] failed. please clear the realm cache manually", exc, new Object[0]));
            }
        });
    }

    public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
        if (!(clusterChangedEvent.state().metaData().indices().get(SecurityTemplateService.SECURITY_INDEX_NAME) != null) || !clusterChangedEvent.state().routingTable().index(SecurityTemplateService.SECURITY_INDEX_NAME).allPrimaryShardsActive()) {
            this.securityIndexExists = false;
        } else {
            this.logger.debug("security index [{}] all primary shards started, so polling can start", SecurityTemplateService.SECURITY_INDEX_NAME);
            this.securityIndexExists = true;
        }
    }

    public State state() {
        return this.state.get();
    }

    public void reset() {
        State state = state();
        if (state != State.STOPPED && state != State.FAILED) {
            throw new IllegalStateException("can only reset if stopped!!!");
        }
        this.securityIndexExists = false;
        this.state.set(State.INITIALIZED);
    }

    /* JADX INFO: Access modifiers changed from: private */
    @Nullable
    public UserAndPassword transformUser(String str, Map<String, Object> map) {
        if (map == null) {
            return null;
        }
        try {
            String str2 = (String) map.get(User.Fields.PASSWORD.getPreferredName());
            String[] strArr = (String[]) ((List) map.get(User.Fields.ROLES.getPreferredName())).toArray(Strings.EMPTY_ARRAY);
            String str3 = (String) map.get(User.Fields.FULL_NAME.getPreferredName());
            String str4 = (String) map.get(User.Fields.EMAIL.getPreferredName());
            Boolean bool = (Boolean) map.get(User.Fields.ENABLED.getPreferredName());
            if (bool == null) {
                bool = Boolean.TRUE;
            }
            return new UserAndPassword(new User(str, strArr, str3, str4, (Map) map.get(User.Fields.METADATA.getPreferredName()), bool.booleanValue()), str2.toCharArray());
        } catch (Exception e) {
            this.logger.error(() -> {
                return new ParameterizedMessage("error in the format of data for user [{}]", str);
            }, e);
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isIndexNotFoundOrDocumentMissing(Exception exc) {
        if (!(exc instanceof ElasticsearchException)) {
            return false;
        }
        Throwable unwrapCause = ExceptionsHelper.unwrapCause(exc);
        return (unwrapCause instanceof IndexNotFoundException) || (unwrapCause instanceof DocumentMissingException);
    }

    public static void addSettings(List<Setting<?>> list) {
        list.add(SCROLL_SIZE_SETTING);
        list.add(SCROLL_KEEP_ALIVE_SETTING);
    }

    static {
        $assertionsDisabled = !NativeUsersStore.class.desiredAssertionStatus();
        SCROLL_SIZE_SETTING = Setting.intSetting(Security.setting("authc.native.scroll.size"), 1000, new Setting.Property[]{Setting.Property.NodeScope});
        SCROLL_KEEP_ALIVE_SETTING = Setting.timeSetting(Security.setting("authc.native.scroll.keep_alive"), TimeValue.timeValueSeconds(10L), new Setting.Property[]{Setting.Property.NodeScope});
    }
}
