package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.GuiceDependencies;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.SyncAuthorizationFilter;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsConfig;
import com.floragunn.searchguard.enterprise.dlsfls.DlsRestriction;
import com.floragunn.searchguard.enterprise.dlsfls.filter.DlsFilterLevelActionHandler;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import java.util.Collection;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.search.aggregations.bucket.sampler.DiversifiedAggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.SignificantTermsAggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
import org.elasticsearch.search.builder.SearchSourceBuilder;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/DlsFlsValve.class */
public class DlsFlsValve implements SyncAuthorizationFilter, ComponentStateProvider {
    private static final String MAP_EXECUTION_HINT = "map";
    private static final Logger log = LogManager.getLogger(DlsFlsValve.class);
    private final Client nodeClient;
    private final ClusterService clusterService;
    private final GuiceDependencies guiceDependencies;
    private final ThreadContext threadContext;
    private final IndexNameExpressionResolver resolver;
    private final AtomicReference<DlsFlsProcessedConfig> config;
    private final ComponentState componentState = new ComponentState(0, (String) null, "dls_fls_valve", DlsFlsValve.class).initialized();
    private final TimeAggregation applyTimeAggregation = new TimeAggregation.Nanoseconds();

    public DlsFlsValve(Client client, ClusterService clusterService, IndexNameExpressionResolver indexNameExpressionResolver, GuiceDependencies guiceDependencies, ThreadContext threadContext, AtomicReference<DlsFlsProcessedConfig> atomicReference) {
        this.nodeClient = client;
        this.clusterService = clusterService;
        this.resolver = indexNameExpressionResolver;
        this.guiceDependencies = guiceDependencies;
        this.threadContext = threadContext;
        this.config = atomicReference;
        this.componentState.addMetrics("filter_request", this.applyTimeAggregation);
    }

    public SyncAuthorizationFilter.Result apply(PrivilegesEvaluationContext privilegesEvaluationContext, ActionListener<?> actionListener) {
        boolean containsTermLookupQuery;
        SearchSourceBuilder source;
        if (this.threadContext.getHeader("_sg_filter_level_dls_done") != null) {
            if (log.isDebugEnabled()) {
                log.debug("DLS is already done for: " + this.threadContext.getHeader("_sg_filter_level_dls_done"));
            }
            return SyncAuthorizationFilter.Result.OK;
        }
        DlsFlsProcessedConfig dlsFlsProcessedConfig = this.config.get();
        try {
            Meter detail = Meter.detail(dlsFlsProcessedConfig.getMetricsLevel(), this.applyTimeAggregation);
            try {
                RoleBasedDocumentAuthorization documentAuthorization = dlsFlsProcessedConfig.getDocumentAuthorization();
                RoleBasedFieldAuthorization fieldAuthorization = dlsFlsProcessedConfig.getFieldAuthorization();
                RoleBasedFieldMasking fieldMasking = dlsFlsProcessedConfig.getFieldMasking();
                DlsFlsConfig.Mode dlsMode = dlsFlsProcessedConfig.getDlsFlsConfig().getDlsMode();
                if (!dlsFlsProcessedConfig.isEnabled()) {
                    SyncAuthorizationFilter.Result result = SyncAuthorizationFilter.Result.OK;
                    if (detail != null) {
                        detail.close();
                    }
                    return result;
                }
                if (log.isDebugEnabled()) {
                    log.debug("DlsFlsValveImpl.invoke()\nrequest: " + privilegesEvaluationContext.getRequest() + "\nresolved: " + privilegesEvaluationContext.getRequestInfo().getResolvedIndices() + "\nmode: " + dlsMode);
                }
                ImmutableSet localIndices = privilegesEvaluationContext.getRequestInfo().getResolvedIndices().getLocalIndices();
                if (privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext() != null && privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext().getRolesConfig() != null) {
                    SgDynamicConfiguration rolesConfig = privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext().getRolesConfig();
                    documentAuthorization = new RoleBasedDocumentAuthorization(rolesConfig, localIndices, MetricsLevel.NONE);
                    fieldAuthorization = new RoleBasedFieldAuthorization(rolesConfig, localIndices, MetricsLevel.NONE);
                    fieldMasking = new RoleBasedFieldMasking(rolesConfig, fieldMasking.getFieldMaskingConfig(), localIndices, MetricsLevel.NONE);
                }
                boolean hasDlsRestrictions = documentAuthorization.hasDlsRestrictions(privilegesEvaluationContext, localIndices, detail);
                boolean hasFlsRestrictions = fieldAuthorization.hasFlsRestrictions(privilegesEvaluationContext, (Collection<String>) localIndices, detail);
                boolean hasFieldMaskingRestrictions = fieldMasking.hasFieldMaskingRestrictions(privilegesEvaluationContext, (Collection<String>) localIndices, detail);
                if (!hasDlsRestrictions && !hasFlsRestrictions && !hasFieldMaskingRestrictions) {
                    SyncAuthorizationFilter.Result result2 = SyncAuthorizationFilter.Result.OK;
                    if (detail != null) {
                        detail.close();
                    }
                    return result2;
                }
                DlsRestriction.IndexMap indexMap = null;
                if (dlsMode == DlsFlsConfig.Mode.FILTER_LEVEL) {
                    containsTermLookupQuery = true;
                    indexMap = documentAuthorization.getDlsRestriction(privilegesEvaluationContext, (Collection<String>) localIndices, detail);
                } else if (dlsMode == DlsFlsConfig.Mode.LUCENE_LEVEL) {
                    containsTermLookupQuery = false;
                } else if (getDlsModeHeader() == DlsFlsConfig.Mode.FILTER_LEVEL) {
                    containsTermLookupQuery = true;
                    log.debug("Doing filter-level DLS due to header");
                } else {
                    indexMap = documentAuthorization.getDlsRestriction(privilegesEvaluationContext, (Collection<String>) localIndices, detail);
                    containsTermLookupQuery = indexMap.containsTermLookupQuery();
                    if (containsTermLookupQuery) {
                        setDlsModeHeader(DlsFlsConfig.Mode.FILTER_LEVEL);
                        log.debug("Doing filter-level DLS because query contains TLQ");
                    } else {
                        log.debug("Doing lucene-level DLS because query does not contain TLQ");
                    }
                }
                Object request = privilegesEvaluationContext.getRequest();
                if (request instanceof RealtimeRequest) {
                    ((RealtimeRequest) request).realtime(Boolean.FALSE.booleanValue());
                }
                if (request instanceof SearchRequest) {
                    SearchRequest searchRequest = (SearchRequest) request;
                    if (searchRequest.source() != null && searchRequest.source().aggregations() != null) {
                        for (TermsAggregationBuilder termsAggregationBuilder : searchRequest.source().aggregations().getAggregatorFactories()) {
                            if ((termsAggregationBuilder instanceof TermsAggregationBuilder) && termsAggregationBuilder.minDocCount() == 0) {
                                SyncAuthorizationFilter.Result reason = SyncAuthorizationFilter.Result.DENIED.reason("min_doc_count 0 is not supported when DLS is activated");
                                if (detail != null) {
                                    detail.close();
                                }
                                return reason;
                            }
                        }
                    }
                    if (hasFieldMaskingRestrictions && searchRequest.source() != null && searchRequest.source().aggregations() != null) {
                        for (TermsAggregationBuilder termsAggregationBuilder2 : searchRequest.source().aggregations().getAggregatorFactories()) {
                            if (termsAggregationBuilder2 instanceof TermsAggregationBuilder) {
                                termsAggregationBuilder2.executionHint(MAP_EXECUTION_HINT);
                            }
                            if (termsAggregationBuilder2 instanceof SignificantTermsAggregationBuilder) {
                                ((SignificantTermsAggregationBuilder) termsAggregationBuilder2).executionHint(MAP_EXECUTION_HINT);
                            }
                            if (termsAggregationBuilder2 instanceof DiversifiedAggregationBuilder) {
                                ((DiversifiedAggregationBuilder) termsAggregationBuilder2).executionHint(MAP_EXECUTION_HINT);
                            }
                        }
                    }
                }
                if (hasDlsRestrictions && (request instanceof SearchRequest) && (source = ((SearchRequest) request).source()) != null && source.profile()) {
                    SyncAuthorizationFilter.Result reason2 = SyncAuthorizationFilter.Result.DENIED.reason("Profiling is not supported when DLS is activated");
                    if (detail != null) {
                        detail.close();
                    }
                    return reason2;
                }
                if (containsTermLookupQuery) {
                    SyncAuthorizationFilter.Result handle = DlsFilterLevelActionHandler.handle(privilegesEvaluationContext.getAction(), (ActionRequest) request, actionListener, indexMap, privilegesEvaluationContext.getRequestInfo().getResolvedIndices(), this.nodeClient, this.clusterService, this.guiceDependencies.getIndicesService(), this.resolver, this.threadContext);
                    if (detail != null) {
                        detail.close();
                    }
                    return handle;
                }
                SyncAuthorizationFilter.Result result3 = SyncAuthorizationFilter.Result.OK;
                if (detail != null) {
                    detail.close();
                }
                return result3;
            } finally {
            }
        } catch (PrivilegesEvaluationException e) {
            log.error("Error while evaluating DLS/FLS privileges", e);
            this.componentState.addLastException("filter_request", e);
            return SyncAuthorizationFilter.Result.DENIED.reason(e.getMessage()).cause(e);
        } catch (RuntimeException e2) {
            log.error("Error while evaluating DLS/FLS privileges", e2);
            this.componentState.addLastException("filter_request_u", e2);
            throw e2;
        }
    }

    private void setDlsModeHeader(DlsFlsConfig.Mode mode) {
        String name = mode.name();
        if (this.threadContext.getHeader("_sg_dls_mode") == null) {
            this.threadContext.putHeader("_sg_dls_mode", name);
        } else {
            if (name.equals(this.threadContext.getHeader("_sg_dls_mode"))) {
                return;
            }
            log.warn("Cannot update DLS mode to " + mode + "; current: " + this.threadContext.getHeader("_sg_dls_mode"));
        }
    }

    private DlsFlsConfig.Mode getDlsModeHeader() {
        String header = this.threadContext.getHeader("_sg_dls_mode");
        if (header != null) {
            return DlsFlsConfig.Mode.valueOf(header);
        }
        return null;
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
