package com.floragunn.searchguard.enterprise.dlsfls.lucene;

import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthInfoService;
import com.floragunn.searchguard.authz.AuthorizationService;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsLicenseInfo;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsProcessedConfig;
import com.floragunn.searchguard.enterprise.dlsfls.DlsRestriction;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorization;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldMasking;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.user.User;
import java.io.IOException;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.LongSupplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.search.ConstantScoreQuery;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.Query;
import org.elasticsearch.common.CheckedFunction;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.IndexService;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/lucene/DlsFlsIndexSearcherWrapper.class */
/**
 * Reader wrapper for one index that layers document-level security (DLS), field-level
 * security (FLS) and field masking on top of a {@link DirectoryReader}.
 *
 * <p>The reader is handed back unchanged in two cases: DLS/FLS is disabled in the current
 * {@link DlsFlsProcessedConfig}, or no user is attached to the calling thread.
 * NOTE(review): the no-user pass-through presumably covers internal/system reads; it is only
 * safe if every user-originated read has its user set before the reader is wrapped. Verify
 * against the callers.
 *
 * <p>A {@link PrivilegesEvaluationException} is never answered with the unfiltered reader;
 * it is logged and rethrown wrapped in a {@link RuntimeException}.
 */
public class DlsFlsIndexSearcherWrapper implements CheckedFunction<DirectoryReader, DirectoryReader, IOException> {
    private static final Logger log = LogManager.getLogger(DlsFlsIndexSearcherWrapper.class);
    private final IndexService indexService;
    private final AuditLog auditlog;
    private final Index index;
    private final ThreadContext threadContext;
    private final AuthInfoService authInfoService;
    private final AuthorizationService authorizationService;
    // Both references are read once per apply() call, so each wrapped reader is built from a
    // single config snapshot and a single license snapshot.
    private final AtomicReference<DlsFlsProcessedConfig> config;
    private final AtomicReference<DlsFlsLicenseInfo> licenseInfo;

    /**
     * Creates a wrapper bound to the index of the given index service.
     *
     * @param indexService source of the index, the thread context and query shard contexts
     * @param auditLog audit log passed on to every {@link DlsFlsContext}
     * @param authInfoService used to look up the current user and special privileges context
     * @param authorizationService used to resolve the mapped roles of the current user
     * @param atomicReference holder of the current processed DLS/FLS configuration
     * @param atomicReference2 holder of the current DLS/FLS license information
     */
    public DlsFlsIndexSearcherWrapper(IndexService indexService, AuditLog auditLog, AuthInfoService authInfoService, AuthorizationService authorizationService, AtomicReference<DlsFlsProcessedConfig> atomicReference, AtomicReference<DlsFlsLicenseInfo> atomicReference2) {
        this.indexService = indexService;
        this.index = indexService.index();
        this.threadContext = indexService.getThreadPool().getThreadContext();
        this.auditlog = auditLog;
        this.authInfoService = authInfoService;
        this.authorizationService = authorizationService;
        this.config = atomicReference;
        this.licenseInfo = atomicReference2;
    }

    /**
     * Wraps the given reader with the DLS/FLS/field-masking rules of the current user.
     *
     * @param directoryReader the shard reader to protect
     * @return a {@link DlsFlsDirectoryReader} around {@code directoryReader}, or
     *         {@code directoryReader} itself when DLS/FLS is disabled or no user is present
     * @throws IOException declared by the {@link CheckedFunction} contract
     * @throws RuntimeException wrapping a {@link PrivilegesEvaluationException} raised while
     *         the rules are evaluated
     */
    public final DirectoryReader apply(DirectoryReader directoryReader) throws IOException {
        try {
            DlsFlsProcessedConfig processedConfig = this.config.get();

            // Pass-through 1: the feature is switched off in the current config.
            if (!processedConfig.isEnabled()) {
                return directoryReader;
            }

            // Pass-through 2: no user on this thread means no restrictions are applied at all.
            PrivilegesEvaluationContext context = getPrivilegesEvaluationContext();

            if (context == null) {
                return directoryReader;
            }

            String indexName = this.index.getName();
            DlsFlsLicenseInfo currentLicense = this.licenseInfo.get();
            ShardId shardId = ShardUtils.extractShardId(directoryReader);

            // Default: the authorization objects precomputed in the processed config.
            RoleBasedDocumentAuthorization documentAuthorization = processedConfig.getDocumentAuthorization();
            RoleBasedFieldAuthorization fieldAuthorization = processedConfig.getFieldAuthorization();
            RoleBasedFieldMasking fieldMasking = processedConfig.getFieldMasking();

            // A special privileges context that brings its own roles config replaces the
            // precomputed objects: they are rebuilt from that roles config for this index only.
            // Only the field masking settings are still taken from the processed config.
            if (context.getSpecialPrivilegesEvaluationContext() != null
                    && context.getSpecialPrivilegesEvaluationContext().getRolesConfig() != null) {
                SgDynamicConfiguration specialRoles = context.getSpecialPrivilegesEvaluationContext().getRolesConfig();
                ImmutableSet thisIndexOnly = ImmutableSet.of(indexName);
                documentAuthorization = new RoleBasedDocumentAuthorization(specialRoles, thisIndexOnly);
                fieldAuthorization = new RoleBasedFieldAuthorization(specialRoles, thisIndexOnly);
                fieldMasking = new RoleBasedFieldMasking(specialRoles, fieldMasking.getFieldMaskingConfig(), thisIndexOnly);
            }

            DlsRestriction dlsRestriction = documentAuthorization.getDlsRestriction(context, indexName);
            RoleBasedFieldAuthorization.FlsRule flsRule = fieldAuthorization.getFlsRule(context, indexName);
            RoleBasedFieldMasking.FieldMaskingRule maskingRule = fieldMasking.getFieldMaskingRule(context, indexName);

            // An unrestricted DLS result is passed on as a null query; otherwise the
            // restriction is compiled against a shard context and wrapped as constant-score.
            Query dlsQuery = null;

            if (!dlsRestriction.isUnrestricted()) {
                dlsQuery = new ConstantScoreQuery(
                        dlsRestriction.toQueryBuilder(
                                this.indexService.newQueryShardContext(shardId.getId(), (IndexSearcher) null, nowSupplier(processedConfig), (String) null),
                                null)
                        .build());
            }

            // The debug line prints the effective DLS query and FLS/masking rules, i.e. the
            // access policy of the current user; treat logs at this level as sensitive.
            if (log.isDebugEnabled()) {
                log.debug("Applying DLS/FLS:\nIndex: " + this.indexService.index().getName() + "\ndlsQuery: " + dlsQuery + "\nfls: " + flsRule + "\nfieldMasking: " + maskingRule);
            }

            DlsFlsContext dlsFlsContext = new DlsFlsContext(dlsQuery, flsRule, maskingRule, this.indexService, this.threadContext, currentLicense, this.auditlog, shardId);
            return new DlsFlsDirectoryReader(directoryReader, dlsFlsContext);
        } catch (PrivilegesEvaluationException e) {
            // Fail closed: abort the wrap rather than fall back to the unfiltered reader.
            log.error("Error while evaluating privileges in " + this, e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Picks the clock that is handed to the query shard context used for the DLS query.
     *
     * <p>When the DLS/FLS config does not allow {@code now} in queries, the returned supplier
     * throws {@link IllegalArgumentException} at the moment it is invoked, not here.
     *
     * @param dlsFlsProcessedConfig the config snapshot used for the current wrap
     * @return a supplier of the current time in milliseconds, or a supplier that always throws
     */
    private LongSupplier nowSupplier(DlsFlsProcessedConfig dlsFlsProcessedConfig) {
        if (dlsFlsProcessedConfig.getDlsFlsConfig().isNowAllowedInQueries()) {
            return System::currentTimeMillis;
        }

        return () -> {
            throw new IllegalArgumentException("'now' is not allowed in DLS queries");
        };
    }

    /**
     * Builds the evaluation context for the user currently known to the auth info service.
     *
     * @return the context for the current user and its mapped roles, or {@code null} when
     *         {@code peekCurrentUser()} reports no user; {@link #apply} then skips DLS/FLS
     */
    private PrivilegesEvaluationContext getPrivilegesEvaluationContext() {
        User currentUser = this.authInfoService.peekCurrentUser();

        if (currentUser != null) {
            SpecialPrivilegesEvaluationContext specialContext = this.authInfoService.getSpecialPrivilegesEvaluationContext();
            // Roles are resolved with the special context taken into account; action, request
            // and introspector are not needed for DLS/FLS evaluation and are passed as null.
            return new PrivilegesEvaluationContext(currentUser, this.authorizationService.getMappedRoles(currentUser, specialContext), (Action) null, (Object) null, false, (ActionRequestIntrospector) null, specialContext);
        }

        return null;
    }
}
