package com.huawei.es.security.auth.server.transport.authz;

import com.huawei.es.security.audit.AuditLog;
import com.huawei.es.security.auth.server.transport.common.TransportConstant;
import com.huawei.es.security.auth.server.transport.common.TransportUtils;
import com.huawei.es.security.author.bean.AuthorizationException;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.author.tool.PermissionChecker;
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.util.Iterator;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.support.replication.TransportReplicationAction;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/huawei/es/security/auth/server/transport/authz/AuthorizationService.class */
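/**
 * Transport-layer authorization for the zz-kerberos-http module.
 *
 * <p>{@link #doAuthorise} resolves the calling user from the {@link ThreadContext}, evaluates the
 * requested action against the policy parsed from {@code actions.yml} and writes the outcome to the
 * {@link AuditLog}. The policy is loaded once in the constructor and reloaded by a background watcher
 * whenever {@code actions.yml} is rewritten.
 *
 * <p>Thread-safety: {@link #actionSetting} is a static volatile, so a reload performed on the watcher
 * thread is visible to every authorization call; all other fields are written only in the constructor.
 */
public class AuthorizationService {
    private static final Logger LOG;
    /** Directory under the Elasticsearch modules directory that holds the watched policy file. */
    private static final String MODULE_DIR_NAME = "zz-kerberos-http";
    /** Name of the policy file whose create/modify events trigger a reload. */
    private static final String ACTIONS_FILE_NAME = "actions.yml";
    private final ThreadContext threadContext;
    /** Currently effective policy; {@code null} until the first successful load, never reset to null. */
    private static volatile Settings actionSetting;
    private final Settings settings;
    private final Path configPath;
    private final PrivilegeHelper prvHelper;
    private final AuditLog auditlog;
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Creates the service, performs the initial policy load and starts the file watcher.
     *
     * @param threadPool      supplies the {@link ThreadContext} the user header is read from
     * @param settings        node settings
     * @param path            configuration path
     * @param privilegeHelper evaluates permissions and builds the denial exception
     * @param auditLog        receives one entry per authorized or denied action
     */
    public AuthorizationService(ThreadPool threadPool, Settings settings, Path path, PrivilegeHelper privilegeHelper, AuditLog auditLog) {
        this.settings = settings;
        this.configPath = path;
        this.threadContext = threadPool.getThreadContext();
        this.prvHelper = privilegeHelper;
        this.auditlog = auditLog;
        try {
            actionSetting = TransportUtils.getActionSetting(settings, path);
            LOG.info("Loading actions config successful.");
        } catch (IOException e) {
            // Not fatal here: checkActionSettings() retries on the first authorization and fails closed.
            LOG.error("Loading actions config failed for zz-kerberos-http actions.yml.", e);
        }
        initWatchFile();
    }

    /** Starts the single background thread that watches the module directory for policy changes. */
    private void initWatchFile() {
        final Path moduleDir = new Environment(this.settings, this.configPath)
                .modulesFile().toAbsolutePath().resolve(MODULE_DIR_NAME);
        // One worker, never shut down: the watcher is meant to live as long as the node.
        // NOTE(review): the worker is a non-daemon thread and there is no shutdown hook; confirm this
        // does not delay node shutdown in the hosting environment.
        ExecutorService watcherExecutor = Executors.newFixedThreadPool(1);
        watcherExecutor.execute(new Runnable() {
            @Override
            public void run() {
                watchFileTask(moduleDir);
            }
        });
    }

    /**
     * Blocks on a {@link WatchService} for the module directory and reloads the policy whenever
     * {@code actions.yml} is created or modified with a new modification time and non-zero length.
     *
     * <p>A failed reload keeps the previously loaded policy in force and is logged at error level;
     * the watcher keeps running so the next write is retried. Returns when the watch key becomes
     * invalid (directory removed or inaccessible), on I/O failure while setting up the watch, or
     * on interrupt.
     *
     * @param path module directory containing {@code actions.yml}
     */
    public void watchFileTask(Path path) {
        long lastSeenModified = 0L;
        try (WatchService watchService = FileSystems.getDefault().newWatchService()) {
            // take() only returns keys for registered directories; without this call it never returns.
            path.register(watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY);
            while (true) {
                WatchKey key = watchService.take();
                boolean reloadNeeded = false;
                for (WatchEvent<?> event : key.pollEvents()) {
                    // OVERFLOW carries a null context (events were dropped); check the policy file itself instead.
                    Path changed = event.kind() == StandardWatchEventKinds.OVERFLOW
                            ? path.getFileSystem().getPath(ACTIONS_FILE_NAME)
                            : (Path) event.context();
                    if (changed == null || !changed.endsWith(ACTIONS_FILE_NAME)) {
                        continue;
                    }
                    File file = path.resolve(changed).toFile();
                    long modified = file.lastModified();
                    // The length check presumably skips the empty file an editor leaves mid-rewrite.
                    if (modified != lastSeenModified && file.length() > 0) {
                        lastSeenModified = modified;
                        reloadNeeded = true;
                    }
                }
                if (reloadNeeded) {
                    reloadActionSetting();
                }
                if (!key.reset()) {
                    // The only registered key is gone; take() would block forever, so stop watching.
                    LOG.error("watch key invalid!");
                    break;
                }
            }
        } catch (IOException e) {
            LOG.error("Watching zz-kerberos-http actions.yml for changes failed.", e);
        } catch (InterruptedException e2) {
            Thread.currentThread().interrupt();
            LOG.error("Reloading actions config failed.", e2);
        }
    }

    /**
     * Re-parses {@code actions.yml} into {@link #actionSetting}. On failure the previous policy stays
     * in force (the field is assigned only on success) and the failure is logged at error level,
     * which is the signal operators should alert on.
     */
    private void reloadActionSetting() {
        try {
            actionSetting = TransportUtils.getActionSetting(this.settings, this.configPath);
            LOG.info("Reloading actions config successful.");
        } catch (IOException e) {
            LOG.error("Reloading actions config failed for zz-kerberos-http actions.yml.", e);
        }
    }

    /**
     * Authorizes {@code transportRequest} for the action named {@code str} on behalf of the user carried
     * in the {@link TransportConstant#CUSTOMISED_USER} thread-context header.
     *
     * <p>Proxy and concrete-shard wrappers are unwrapped first so the policy is evaluated against the
     * inner request. Origin headers are recorded before evaluation so both the success and the denial
     * audit entries carry them.
     *
     * @param str              transport action name
     * @param transportRequest request to authorize, possibly a proxy or concrete-shard wrapper
     * @throws SettingsException     if no policy could be loaded (fail closed)
     * @throws IllegalStateException if a proxy request arrives for a non-proxy action
     */
    public void doAuthorise(String str, TransportRequest transportRequest) {
        TransportRequest unwrapRequest;
        if (transportRequest instanceof TransportReplicationAction.ConcreteShardRequest) {
            unwrapRequest = ((TransportReplicationAction.ConcreteShardRequest) transportRequest).getRequest();
            if (!$assertionsDisabled && TransportActionProxy.isProxyRequest(unwrapRequest)) {
                throw new AssertionError("expected non-proxy request for action: " + str);
            }
        } else {
            unwrapRequest = TransportActionProxy.unwrapRequest(transportRequest);
            if (TransportActionProxy.isProxyRequest(transportRequest) && !TransportActionProxy.isProxyAction(str)) {
                throw new IllegalStateException("originRequest is a proxy request for: [" + unwrapRequest + "] but action: [" + str + "] isn't");
            }
        }
        // Only set when absent: a header already present in the context wins.
        // NOTE(review): confirm ORIGIN_REQ cannot arrive from an untrusted remote peer, since an
        // existing value is kept as-is.
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_REQ, AuditLog.OriginReq.LOCAL.toString());
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_ACTION_NAME, str);
        if (!checkActionSettings()) {
            // Fail closed: without a policy no authorization decision can be made.
            throw new SettingsException("Get action setting failed.");
        }
        String header = this.threadContext.getHeader(TransportConstant.CUSTOMISED_USER);
        // NOTE(review): header is null when no user was propagated; confirm evaluate() treats that as a denial.
        try {
            this.prvHelper.evaluate(new PermissionChecker(AuthorityConstants.SUPER_USER, header), str, unwrapRequest, actionSetting);
            this.auditlog.logActionOps(str, header, unwrapRequest, this.prvHelper.getResolver(), unwrapRequest.toString());
        } catch (AuthorizationException e) {
            this.auditlog.logAuthzFailed(str, header, unwrapRequest, this.prvHelper.getResolver(), unwrapRequest.toString());
            LOG.error("doAuthorise failed for user[{}], action[{}], remoteAddress[{}], reason: {}", header, str, unwrapRequest.remoteAddress(), e.getMessage());
            throw PrivilegeHelper.denial(e, str, header);
        }
    }

    /**
     * Ensures a policy is loaded, retrying the parse if the constructor's load failed.
     *
     * @return {@code true} if {@link #actionSetting} is non-null afterwards, {@code false} otherwise
     */
    private boolean checkActionSettings() {
        if (actionSetting != null) {
            return true;
        }
        try {
            actionSetting = TransportUtils.getActionSetting(this.settings, this.configPath);
            return true;
        } catch (IOException e) {
            LOG.error("Try to get action setting, but failed again, please check the zz-kerberos-http actions.yml.", e);
            return false;
        }
    }

    static {
        $assertionsDisabled = !AuthorizationService.class.desiredAssertionStatus();
        LOG = Loggers.getLogger(AuthorizationService.class, new String[]{"AuthorizationService"});
    }
}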
