package org.elasticsearch.xpack.security.transport;

import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Executor;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.RunOnce;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Strings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.transport.RemoteConnectionManager;
import org.elasticsearch.transport.SendRequestTransportException;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo;
import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
import org.elasticsearch.xpack.core.security.user.InternalUser;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.CrossClusterAccessAuthenticationService;
import org.elasticsearch.xpack.security.authc.CrossClusterAccessHeaders;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
import org.elasticsearch.xpack.security.authz.PreAuthorizationUtils;
import org.elasticsearch.xpack.security.transport.RemoteClusterCredentialsResolver;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor.class */
public class SecurityServerTransportInterceptor implements TransportInterceptor {
    private static final Logger logger;
    private static final Map<String, String> RCS_INTERNAL_ACTIONS_REPLACEMENTS;
    private final AuthenticationService authcService;
    private final AuthorizationService authzService;
    private final SSLService sslService;
    private final Map<String, ServerTransportFilter> profileFilters;
    private final ThreadPool threadPool;
    private final Settings settings;
    private final SecurityContext securityContext;
    private final CrossClusterAccessAuthenticationService crossClusterAccessAuthcService;
    private final RemoteClusterCredentialsResolver remoteClusterCredentialsResolver;
    private final Function<Transport.Connection, Optional<String>> remoteClusterAliasResolver;
    private final XPackLicenseState licenseState;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$AbstractFilterListener.class */
    public static abstract class AbstractFilterListener implements ActionListener<Void> {
        protected final AbstractRunnable receiveMessage;

        protected AbstractFilterListener(AbstractRunnable abstractRunnable) {
            this.receiveMessage = abstractRunnable;
        }

        public void onFailure(Exception exc) {
            try {
                this.receiveMessage.onFailure(exc);
            } finally {
                this.receiveMessage.onAfter();
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.class */
    public static class ProfileSecuredRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
        private final String action;
        private final TransportRequestHandler<T> handler;
        private final Map<String, ServerTransportFilter> profileFilters;
        private final ThreadContext threadContext;
        private final Executor executor;
        private final ThreadPool threadPool;
        private final boolean forceExecution;
        private final Logger logger;
        static final /* synthetic */ boolean $assertionsDisabled;

        ProfileSecuredRequestHandler(Logger logger, String str, boolean z, Executor executor, TransportRequestHandler<T> transportRequestHandler, Map<String, ServerTransportFilter> map, ThreadPool threadPool) {
            this.logger = logger;
            this.action = str;
            this.executor = executor;
            this.handler = transportRequestHandler;
            this.profileFilters = map;
            this.threadContext = threadPool.getThreadContext();
            this.threadPool = threadPool;
            this.forceExecution = z;
        }

        AbstractRunnable getReceiveRunnable(final T t, final TransportChannel transportChannel, final Task task) {
            Objects.requireNonNull(t);
            final RunOnce runOnce = new RunOnce(t::decRef);
            t.mustIncRef();
            return new AbstractRunnable() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.1
                public boolean isForceExecution() {
                    return ProfileSecuredRequestHandler.this.forceExecution;
                }

                public void onFailure(Exception exc) {
                    try {
                        transportChannel.sendResponse(exc);
                    } catch (Exception e) {
                        e.addSuppressed(exc);
                        ProfileSecuredRequestHandler.this.logger.warn("failed to send exception response for action [" + ProfileSecuredRequestHandler.this.action + "]", e);
                    }
                }

                protected void doRun() throws Exception {
                    ProfileSecuredRequestHandler.this.handler.messageReceived(t, transportChannel, task);
                }

                public void onAfter() {
                    runOnce.run();
                }
            };
        }

        public String toString() {
            return "ProfileSecuredRequestHandler{action='" + this.action + "', forceExecution=" + this.forceExecution + "}";
        }

        public void messageReceived(T t, TransportChannel transportChannel, Task task) {
            AbstractFilterListener abstractFilterListener;
            ThreadContext.StoredContext newStoredContextPreservingResponseHeaders = this.threadContext.newStoredContextPreservingResponseHeaders();
            try {
                String profileName = transportChannel.getProfileName();
                ServerTransportFilter serverTransportFilter = getServerTransportFilter(profileName);
                if (!$assertionsDisabled && serverTransportFilter == null) {
                    throw new AssertionError();
                }
                if (!$assertionsDisabled && t == null) {
                    throw new AssertionError();
                }
                this.logger.trace(() -> {
                    return Strings.format("Applying transport filter [%s] for transport profile [%s] on request [%s]", new Object[]{serverTransportFilter.getClass(), profileName, t.getClass()});
                });
                AbstractRunnable receiveRunnable = getReceiveRunnable(t, transportChannel, task);
                if (this.executor == EsExecutors.DIRECT_EXECUTOR_SERVICE) {
                    abstractFilterListener = new AbstractFilterListener(receiveRunnable) { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.2
                        public void onResponse(Void r3) {
                            this.receiveMessage.run();
                        }
                    };
                } else {
                    final Thread currentThread = Thread.currentThread();
                    abstractFilterListener = new AbstractFilterListener(receiveRunnable) { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.ProfileSecuredRequestHandler.3
                        public void onResponse(Void r4) {
                            if (currentThread == Thread.currentThread()) {
                                this.receiveMessage.run();
                                return;
                            }
                            try {
                                ProfileSecuredRequestHandler.this.executor.execute(this.receiveMessage);
                            } catch (Exception e) {
                                onFailure(e);
                            }
                        }
                    };
                }
                serverTransportFilter.inbound(this.action, t, transportChannel, abstractFilterListener);
                if (newStoredContextPreservingResponseHeaders != null) {
                    newStoredContextPreservingResponseHeaders.close();
                }
            } catch (Throwable th) {
                if (newStoredContextPreservingResponseHeaders != null) {
                    try {
                        newStoredContextPreservingResponseHeaders.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }

        private ServerTransportFilter getServerTransportFilter(String str) {
            ServerTransportFilter serverTransportFilter = this.profileFilters.get(str);
            if (serverTransportFilter != null) {
                return serverTransportFilter;
            }
            if (".direct".equals(str)) {
                return this.profileFilters.get("default");
            }
            throw new IllegalStateException("transport profile [" + str + "] is not associated with a transport filter");
        }

        static {
            $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        }
    }

    public SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authenticationService, AuthorizationService authorizationService, SSLService sSLService, SecurityContext securityContext, DestructiveOperations destructiveOperations, CrossClusterAccessAuthenticationService crossClusterAccessAuthenticationService, RemoteClusterCredentialsResolver remoteClusterCredentialsResolver, XPackLicenseState xPackLicenseState) {
        this(settings, threadPool, authenticationService, authorizationService, sSLService, securityContext, destructiveOperations, crossClusterAccessAuthenticationService, remoteClusterCredentialsResolver, xPackLicenseState, RemoteConnectionManager::resolveRemoteClusterAlias);
    }

    SecurityServerTransportInterceptor(Settings settings, ThreadPool threadPool, AuthenticationService authenticationService, AuthorizationService authorizationService, SSLService sSLService, SecurityContext securityContext, DestructiveOperations destructiveOperations, CrossClusterAccessAuthenticationService crossClusterAccessAuthenticationService, RemoteClusterCredentialsResolver remoteClusterCredentialsResolver, XPackLicenseState xPackLicenseState, Function<Transport.Connection, Optional<String>> function) {
        this.settings = settings;
        this.threadPool = threadPool;
        this.authcService = authenticationService;
        this.authzService = authorizationService;
        this.sslService = sSLService;
        this.securityContext = securityContext;
        this.crossClusterAccessAuthcService = crossClusterAccessAuthenticationService;
        this.licenseState = xPackLicenseState;
        this.remoteClusterCredentialsResolver = remoteClusterCredentialsResolver;
        this.remoteClusterAliasResolver = function;
        this.profileFilters = initializeProfileFilters(destructiveOperations);
    }

    public TransportInterceptor.AsyncSender interceptSender(TransportInterceptor.AsyncSender asyncSender) {
        return interceptForAllRequests(interceptForCrossClusterAccessRequests(asyncSender));
    }

    private TransportInterceptor.AsyncSender interceptForAllRequests(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.1
            static final /* synthetic */ boolean $assertionsDisabled;

            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                assertNoCrossClusterAccessHeadersInContext();
                if (!PreAuthorizationUtils.shouldRemoveParentAuthorizationFromThreadContext(SecurityServerTransportInterceptor.this.remoteClusterAliasResolver.apply(connection), str, SecurityServerTransportInterceptor.this.securityContext)) {
                    SecurityServerTransportInterceptor.this.sendRequestInner(asyncSender, connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                    return;
                }
                SecurityContext securityContext = SecurityServerTransportInterceptor.this.securityContext;
                TransportInterceptor.AsyncSender asyncSender2 = asyncSender;
                securityContext.executeAfterRemovingParentAuthorization(storedContext -> {
                    SecurityServerTransportInterceptor.this.sendRequestInner(asyncSender2, connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(SecurityServerTransportInterceptor.this.threadPool.getThreadContext().wrapRestorable(storedContext), transportResponseHandler));
                });
            }

            private void assertNoCrossClusterAccessHeadersInContext() {
                if (!$assertionsDisabled && SecurityServerTransportInterceptor.this.securityContext.getThreadContext().getHeader(CrossClusterAccessHeaders.CROSS_CLUSTER_ACCESS_CREDENTIALS_HEADER_KEY) != null) {
                    throw new AssertionError("cross cluster access headers should not be in security context");
                }
                if (!$assertionsDisabled && SecurityServerTransportInterceptor.this.securityContext.getThreadContext().getHeader("_cross_cluster_access_subject_info") != null) {
                    throw new AssertionError("cross cluster access headers should not be in security context");
                }
            }

            static {
                $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
            }
        };
    }

    public <T extends TransportResponse> void sendRequestInner(TransportInterceptor.AsyncSender asyncSender, Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
        TransportVersion min = TransportVersion.min(connection.getTransportVersion(), TransportVersion.current());
        if (AuthorizationUtils.shouldReplaceUserWithSystem(this.threadPool.getThreadContext(), str)) {
            this.securityContext.executeAsSystemUser(min, storedContext -> {
                sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(this.threadPool.getThreadContext().wrapRestorable(storedContext), transportResponseHandler), asyncSender);
            });
            return;
        }
        if (AuthorizationUtils.shouldSetUserBasedOnActionOrigin(this.threadPool.getThreadContext())) {
            AuthorizationUtils.switchUserBasedOnActionOriginAndExecute(this.threadPool.getThreadContext(), this.securityContext, min, storedContext2 -> {
                sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(this.threadPool.getThreadContext().wrapRestorable(storedContext2), transportResponseHandler), asyncSender);
            });
        } else if (this.securityContext.getAuthentication() == null || this.securityContext.getAuthentication().getEffectiveSubject().getTransportVersion().equals(min)) {
            sendWithUser(connection, str, transportRequest, transportRequestOptions, transportResponseHandler, asyncSender);
        } else {
            this.securityContext.executeAfterRewritingAuthentication(storedContext3 -> {
                sendWithUser(connection, str, transportRequest, transportRequestOptions, new TransportService.ContextRestoreResponseHandler(this.threadPool.getThreadContext().wrapRestorable(storedContext3), transportResponseHandler), asyncSender);
            }, min);
        }
    }

    Map<String, ServerTransportFilter> getProfileFilters() {
        return this.profileFilters;
    }

    private TransportInterceptor.AsyncSender interceptForCrossClusterAccessRequests(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() { // from class: org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor.2
            static final /* synthetic */ boolean $assertionsDisabled;

            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                Optional<RemoteClusterCredentialsResolver.RemoteClusterCredentials> remoteClusterCredentials = getRemoteClusterCredentials(connection);
                if (remoteClusterCredentials.isPresent()) {
                    sendWithCrossClusterAccessHeaders(remoteClusterCredentials.get(), connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                    return;
                }
                try {
                    asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                } catch (Exception e) {
                    transportResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
                }
            }

            private Optional<RemoteClusterCredentialsResolver.RemoteClusterCredentials> getRemoteClusterCredentials(Transport.Connection connection) {
                Optional<String> apply = SecurityServerTransportInterceptor.this.remoteClusterAliasResolver.apply(connection);
                if (apply.isEmpty()) {
                    SecurityServerTransportInterceptor.logger.trace("Connection is not remote");
                    return Optional.empty();
                }
                String str = apply.get();
                Optional<RemoteClusterCredentialsResolver.RemoteClusterCredentials> resolve = SecurityServerTransportInterceptor.this.remoteClusterCredentialsResolver.resolve(str);
                if (!resolve.isEmpty()) {
                    return resolve;
                }
                SecurityServerTransportInterceptor.logger.trace("No cluster credentials are configured for remote cluster [{}]", str);
                return Optional.empty();
            }

            private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(RemoteClusterCredentialsResolver.RemoteClusterCredentials remoteClusterCredentials, Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                if (false == Security.ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE.check(SecurityServerTransportInterceptor.this.licenseState)) {
                    throw LicenseUtils.newComplianceException(Security.ADVANCED_REMOTE_CLUSTER_SECURITY_FEATURE.getName());
                }
                String clusterAlias = remoteClusterCredentials.clusterAlias();
                if (connection.getTransportVersion().before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) {
                    throw illegalArgumentExceptionWithDebugLog("Settings for remote cluster [" + clusterAlias + "] indicate cross cluster access headers should be sent but target cluster version [" + connection.getTransportVersion() + "] does not support receiving them");
                }
                SecurityServerTransportInterceptor.logger.trace(() -> {
                    return Strings.format("Sending [%s] request for [%s] action to [%s] with cross cluster access headers", new Object[]{transportRequest.getClass(), str, clusterAlias});
                });
                Authentication authentication = SecurityServerTransportInterceptor.this.securityContext.getAuthentication();
                if (!$assertionsDisabled && authentication == null) {
                    throw new AssertionError("authentication must be present in security context");
                }
                User user = authentication.getEffectiveSubject().getUser();
                if ((user instanceof InternalUser) && false == SystemUser.is(user)) {
                    String str2 = "Internal user [" + user.principal() + "] should not be used for cross cluster requests";
                    if (!$assertionsDisabled) {
                        throw new AssertionError(str2);
                    }
                    throw illegalArgumentExceptionWithDebugLog(str2);
                }
                if (!SystemUser.is(user) && !str.equals("cluster:monitor/state")) {
                    if (!$assertionsDisabled && false != str.startsWith("internal:")) {
                        throw new AssertionError("internal action must be sent with system user");
                    }
                    SecurityServerTransportInterceptor.this.authzService.getRoleDescriptorsIntersectionForRemoteCluster(clusterAlias, authentication.getEffectiveSubject(), ActionListener.wrap(roleDescriptorsIntersection -> {
                        SecurityServerTransportInterceptor.logger.trace(() -> {
                            return Strings.format("Subject [%s] has role descriptors intersection [%s] for action [%s] towards remote cluster [%s]", new Object[]{authentication.getEffectiveSubject(), roleDescriptorsIntersection, str, clusterAlias});
                        });
                        if (roleDescriptorsIntersection.isEmpty()) {
                            throw SecurityServerTransportInterceptor.this.authzService.remoteActionDenied(authentication, str, clusterAlias);
                        }
                        sendWithCrossClusterAccessHeaders(new CrossClusterAccessHeaders(remoteClusterCredentials.credentials(), new CrossClusterAccessSubjectInfo(authentication, roleDescriptorsIntersection)), connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                    }, exc -> {
                        transportResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, exc));
                    }));
                    return;
                }
                if (SystemUser.is(user)) {
                    SecurityServerTransportInterceptor.logger.trace("Request [{}] for action [{}] towards [{}] initiated by the system user. Sending request with internal cross cluster access user headers", transportRequest.getClass(), str, clusterAlias);
                } else {
                    SecurityServerTransportInterceptor.logger.trace(() -> {
                        return Strings.format("Switching to the system user for cluster state action towards [{}]. Original user is [%s]", new Object[]{clusterAlias, user});
                    });
                }
                CrossClusterAccessHeaders crossClusterAccessHeaders = new CrossClusterAccessHeaders(remoteClusterCredentials.credentials(), SystemUser.crossClusterAccessSubjectInfo(authentication.getEffectiveSubject().getTransportVersion(), authentication.getEffectiveSubject().getRealm().getNodeName()));
                String orDefault = SecurityServerTransportInterceptor.RCS_INTERNAL_ACTIONS_REPLACEMENTS.getOrDefault(str, str);
                if (false == orDefault.equals(str)) {
                    SecurityServerTransportInterceptor.logger.trace("switching internal action from [{}] to [{}]", str, orDefault);
                }
                sendWithCrossClusterAccessHeaders(crossClusterAccessHeaders, connection, orDefault, transportRequest, transportRequestOptions, transportResponseHandler);
            }

            private <T extends TransportResponse> void sendWithCrossClusterAccessHeaders(CrossClusterAccessHeaders crossClusterAccessHeaders, Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                ThreadContext threadContext = SecurityServerTransportInterceptor.this.securityContext.getThreadContext();
                TransportService.ContextRestoreResponseHandler contextRestoreResponseHandler = new TransportService.ContextRestoreResponseHandler(threadContext.newRestorableContext(true), transportResponseHandler);
                try {
                    ThreadContext.StoredContext stashContextPreservingRequestHeaders = threadContext.stashContextPreservingRequestHeaders(new String[]{AuditUtil.AUDIT_REQUEST_ID});
                    try {
                        crossClusterAccessHeaders.writeToContext(threadContext);
                        asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, contextRestoreResponseHandler);
                        if (stashContextPreservingRequestHeaders != null) {
                            stashContextPreservingRequestHeaders.close();
                        }
                    } finally {
                    }
                } catch (Exception e) {
                    contextRestoreResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
                }
            }

            private static IllegalArgumentException illegalArgumentExceptionWithDebugLog(String str) {
                SecurityServerTransportInterceptor.logger.debug(str);
                return new IllegalArgumentException(str);
            }

            static {
                $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
            }
        };
    }

    private <T extends TransportResponse> void sendWithUser(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler, TransportInterceptor.AsyncSender asyncSender) {
        if (this.securityContext.getAuthentication() == null) {
            assertNoAuthentication(str);
            throw new IllegalStateException("there should always be a user when sending a message for action [" + str + "]");
        }
        if (!$assertionsDisabled && this.securityContext.getParentAuthorization() != null && this.remoteClusterAliasResolver.apply(connection).isPresent()) {
            throw new AssertionError("parent authorization header should not be set for remote cluster requests");
        }
        try {
            asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
        } catch (Exception e) {
            transportResponseHandler.handleException(new SendRequestTransportException(connection.getNode(), str, e));
        }
    }

    void assertNoAuthentication(String str) {
        if (!$assertionsDisabled) {
            throw new AssertionError("there should always be a user when sending a message for action [" + str + "]");
        }
    }

    public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, Executor executor, boolean z, TransportRequestHandler<T> transportRequestHandler) {
        return new ProfileSecuredRequestHandler(logger, str, z, executor, transportRequestHandler, this.profileFilters, this.threadPool);
    }

    private Map<String, ServerTransportFilter> initializeProfileFilters(DestructiveOperations destructiveOperations) {
        Map<String, SslConfiguration> map = ProfileConfigurations.get(this.settings, this.sslService, false);
        Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(map.size() + 1);
        boolean booleanValue = ((Boolean) XPackSettings.TRANSPORT_SSL_ENABLED.get(this.settings)).booleanValue();
        boolean booleanValue2 = ((Boolean) RemoteClusterPortSettings.REMOTE_CLUSTER_SERVER_ENABLED.get(this.settings)).booleanValue();
        boolean booleanValue3 = ((Boolean) XPackSettings.REMOTE_CLUSTER_SERVER_SSL_ENABLED.get(this.settings)).booleanValue();
        for (Map.Entry<String, SslConfiguration> entry : map.entrySet()) {
            SslConfiguration value = entry.getValue();
            String key = entry.getKey();
            if (booleanValue2 && key.equals("_remote_cluster")) {
                newMapWithExpectedSize.put(key, new CrossClusterAccessServerTransportFilter(this.crossClusterAccessAuthcService, this.authzService, this.threadPool.getThreadContext(), booleanValue3 && SSLService.isSSLClientAuthEnabled(value), destructiveOperations, this.securityContext, this.licenseState));
            } else {
                newMapWithExpectedSize.put(key, new ServerTransportFilter(this.authcService, this.authzService, this.threadPool.getThreadContext(), booleanValue && SSLService.isSSLClientAuthEnabled(value), destructiveOperations, this.securityContext));
            }
        }
        return Collections.unmodifiableMap(newMapWithExpectedSize);
    }

    static {
        $assertionsDisabled = !SecurityServerTransportInterceptor.class.desiredAssertionStatus();
        logger = LogManager.getLogger(SecurityServerTransportInterceptor.class);
        RCS_INTERNAL_ACTIONS_REPLACEMENTS = Map.of("internal:admin/ccr/restore/session/put", "indices:internal/admin/ccr/restore/session/put", "internal:admin/ccr/restore/session/clear", "indices:internal/admin/ccr/restore/session/clear", "internal:admin/ccr/restore/file_chunk/get", "indices:internal/admin/ccr/restore/file_chunk/get");
    }
}
