package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authc.AuthInfoService;
import com.floragunn.searchguard.authz.AuthorizationService;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.user.User;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.ConstantScoreQuery;
import org.opensearch.index.query.ParsedQuery;
import org.opensearch.index.shard.SearchOperationListener;
import org.opensearch.search.internal.SearchContext;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/DlsFlsSearchOperationListener.class */
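/**
 * Search operation listener that applies document-level security (DLS) to a search before the
 * query phase runs on a shard.
 *
 * <p>When DLS/FLS is enabled and a current user is present, the listener looks up the user's
 * {@link DlsRestriction} for the shard's index. If the user is restricted, it replaces the
 * search context's parsed query with a boolean query that combines the restriction with the
 * original query.
 *
 * <p>NOTE(review): this listener signals failure only by throwing. Whether that aborts the search
 * depends on how the host dispatches {@code SearchOperationListener} callbacks. If the dispatcher
 * catches and only logs listener exceptions, the search would continue with the original,
 * unfiltered query. Confirm against the OpenSearch version this plugin is deployed with.
 */
public class DlsFlsSearchOperationListener implements SearchOperationListener {
    private final AuthInfoService authInfoService;
    private final AuthorizationService authorizationService;
    // Holder for the active DLS/FLS configuration; read once per callback.
    private final AtomicReference<DlsFlsProcessedConfig> config;

    /**
     * Creates the listener.
     *
     * <p>The decompiler reports that the original access modifier was package-private; it is kept
     * public here so existing callers of this listing keep compiling.
     *
     * @param authInfoService source of the current user and any special privileges context
     * @param authorizationService used to resolve the user's mapped roles
     * @param atomicReference holder of the current processed DLS/FLS configuration
     */
    public DlsFlsSearchOperationListener(AuthInfoService authInfoService, AuthorizationService authorizationService, AtomicReference<DlsFlsProcessedConfig> atomicReference) {
        this.authInfoService = authInfoService;
        this.authorizationService = authorizationService;
        this.config = atomicReference;
    }

    /**
     * Adds the current user's DLS restriction to the search before the query phase.
     *
     * <p>Nothing is changed when DLS/FLS is disabled, when no current user is available, or when
     * the user's restriction for the index is unrestricted.
     *
     * @param searchContext the shard-level search context whose parsed query may be replaced
     * @throws RuntimeException wrapping any exception raised while evaluating or applying the
     *     restriction, including the {@link IllegalStateException} raised when the document
     *     authorization has not been initialized
     */
    public void onPreQueryPhase(SearchContext searchContext) {
        try {
            DlsFlsProcessedConfig processedConfig = this.config.get();
            if (!processedConfig.isEnabled()) {
                return;
            }

            // NOTE(review): with no current user the query runs without any DLS filter. Presumably
            // this covers internal requests; confirm that no user-originated search can reach the
            // shard without a user in the thread context.
            PrivilegesEvaluationContext privilegesEvaluationContext = getPrivilegesEvaluationContext();
            if (privilegesEvaluationContext == null) {
                return;
            }

            RoleBasedDocumentAuthorization documentAuthorization = processedConfig.getDocumentAuthorization();
            if (documentAuthorization == null) {
                // Refuse to continue rather than treat a missing configuration as "no restriction".
                throw new IllegalStateException("Authorization configuration is not yet initialized");
            }

            String indexName = searchContext.indexShard().indexSettings().getIndex().getName();

            // A special privileges context that carries its own roles config overrides the global
            // document authorization; the replacement is built for this index only.
            SpecialPrivilegesEvaluationContext specialContext = privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext();
            if (specialContext != null && specialContext.getRolesConfig() != null) {
                documentAuthorization = new RoleBasedDocumentAuthorization(specialContext.getRolesConfig(), ImmutableSet.of(indexName));
            }

            // Reuse the context evaluated above instead of building a second one, so the roles
            // config check and the restriction lookup see the same user and mapped roles, and the
            // role mapping is resolved only once per callback.
            DlsRestriction dlsRestriction = documentAuthorization.getDlsRestriction(privilegesEvaluationContext, indexName);
            if (dlsRestriction.isUnrestricted()) {
                return;
            }

            // Each restriction query is wrapped in a ConstantScoreQuery before it is handed to the
            // builder. How the builder combines those clauses is decided by
            // DlsRestriction.toQueryBuilder and is not visible here.
            BooleanQuery.Builder restrictedQuery = dlsRestriction.toQueryBuilder(searchContext.getQueryShardContext(), query -> new ConstantScoreQuery(query));
            // The user's original query is added as a mandatory clause on top of the restriction.
            restrictedQuery.add(searchContext.parsedQuery().query(), BooleanClause.Occur.MUST);
            searchContext.parsedQuery(new ParsedQuery(restrictedQuery.build()));
            // Re-run pre-processing after swapping in the restricted query.
            searchContext.preProcess(true);
        } catch (Exception e) {
            // NOTE(review): the message embeds e.toString(); check that this text cannot reach an
            // API client if the underlying exception may carry role or query details.
            throw new RuntimeException("Error evaluating dls for a search query: " + e, e);
        }
    }

    /**
     * Builds the privileges evaluation context for the current user.
     *
     * <p>The context carries the user, the user's mapped roles and the special privileges context
     * reported by {@link AuthInfoService}; the action, request and introspector slots are passed
     * as {@code null}.
     *
     * @return the evaluation context, or {@code null} when there is no current user
     */
    private PrivilegesEvaluationContext getPrivilegesEvaluationContext() {
        User currentUser = this.authInfoService.peekCurrentUser();
        if (currentUser == null) {
            return null;
        }
        SpecialPrivilegesEvaluationContext specialContext = this.authInfoService.getSpecialPrivilegesEvaluationContext();
        return new PrivilegesEvaluationContext(currentUser, this.authorizationService.getMappedRoles(currentUser, specialContext), (Action) null, (Object) null, false, (ActionRequestIntrospector) null, specialContext);
    }
}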
