package com.floragunn.searchguard.enterprise.dlsfls.lucene;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authz.DocumentWhitelist;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsBaseContext;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsLicenseInfo;
import com.floragunn.searchguard.enterprise.dlsfls.DlsFlsProcessedConfig;
import com.floragunn.searchguard.enterprise.dlsfls.DlsRestriction;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorization;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldAuthorization;
import com.floragunn.searchguard.enterprise.dlsfls.RoleBasedFieldMasking;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import com.floragunn.searchsupport.meta.Meta;
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.LongSupplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.search.ConstantScoreQuery;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.Query;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.IndexService;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/lucene/DlsFlsDirectoryReaderWrapper.class */
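/**
 * Wraps a Lucene {@link DirectoryReader} in a {@link DlsFlsDirectoryReader} that carries the
 * document-level security (DLS) query, field-level security (FLS) rule and field-masking rule
 * computed for the current request's {@link PrivilegesEvaluationContext}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>If no {@link PrivilegesEvaluationContext} is available, the reader is returned
 *       <em>unwrapped</em> (no restriction is applied by this wrapper).</li>
 *   <li>If privilege evaluation fails, the failure is recorded and a {@link RuntimeException} is
 *       thrown, so no reader is handed out in that case.</li>
 *   <li>If a document whitelist is present for the index, FLS and field masking are lifted.</li>
 * </ul>
 */
public class DlsFlsDirectoryReaderWrapper implements CheckedFunction<DirectoryReader, DirectoryReader, IOException> {
    private static final Logger log = LogManager.getLogger(DlsFlsDirectoryReaderWrapper.class);
    private final IndexService indexService;
    private final AuditLog auditlog;
    private final Index index;
    private final ThreadContext threadContext;
    private final DlsFlsBaseContext dlsFlsBaseContext;
    private final AtomicReference<DlsFlsProcessedConfig> config;
    private final AtomicReference<DlsFlsLicenseInfo> licenseInfo;
    private final ComponentState componentState;
    private final TimeAggregation directoryReaderWrapperApplyAggregation;

    /**
     * Creates a wrapper bound to one index service.
     *
     * @param indexService      index service; also supplies the index identity and the thread context
     * @param auditLog          audit log handed on to the wrapped reader's action context
     * @param dlsFlsBaseContext source of the privileges evaluation context and index metadata
     * @param atomicReference   holder of the current processed DLS/FLS configuration
     * @param atomicReference2  holder of the current DLS/FLS license info
     * @param componentState    component state on which evaluation failures are recorded
     * @param timeAggregation   metrics aggregation used for the meter created in {@link #apply}
     */
    public DlsFlsDirectoryReaderWrapper(IndexService indexService, AuditLog auditLog, DlsFlsBaseContext dlsFlsBaseContext, AtomicReference<DlsFlsProcessedConfig> atomicReference, AtomicReference<DlsFlsLicenseInfo> atomicReference2, ComponentState componentState, TimeAggregation timeAggregation) {
        this.componentState = componentState;
        this.directoryReaderWrapperApplyAggregation = timeAggregation;
        this.indexService = indexService;
        this.index = indexService.index();
        this.auditlog = auditLog;
        this.threadContext = indexService.getThreadPool().getThreadContext();
        this.config = atomicReference;
        this.licenseInfo = atomicReference2;
        this.dlsFlsBaseContext = dlsFlsBaseContext;
    }

    /**
     * Computes the DLS/FLS/field-masking restrictions for the current request and returns a reader
     * that carries them.
     *
     * @param directoryReader the reader to wrap
     * @return a {@link DlsFlsDirectoryReader} around {@code directoryReader}, or
     *         {@code directoryReader} itself when no privileges evaluation context is available
     * @throws IOException      declared by the functional interface
     * @throws RuntimeException wrapping a {@link PrivilegesEvaluationException} when the
     *                          restrictions cannot be evaluated
     */
    public final DirectoryReader apply(DirectoryReader directoryReader) throws IOException {
        // Read the configuration once so every rule below comes from the same snapshot.
        DlsFlsProcessedConfig processedConfig = this.config.get();
        PrivilegesEvaluationContext privilegesEvaluationContext = this.dlsFlsBaseContext.getPrivilegesEvaluationContext();
        if (privilegesEvaluationContext == null) {
            // NOTE(review): fail-open path. Without a context the reader is returned unwrapped, so
            // this wrapper applies no DLS/FLS/field masking, and the event is logged at TRACE only.
            // Presumably this covers requests that carry no user context - confirm against callers.
            log.trace("DlsFlsDirectoryReaderWrapper.apply(): No PrivilegesEvaluationContext");
            return directoryReader;
        }
        try {
            Meter detail = Meter.detail(processedConfig.getMetricsLevel(), this.directoryReaderWrapperApplyAggregation);
            try {
                DlsFlsLicenseInfo currentLicenseInfo = this.licenseInfo.get();
                ShardId shardId = ShardUtils.extractShardId(directoryReader);
                RoleBasedDocumentAuthorization documentAuthorization = processedConfig.getDocumentAuthorization();
                RoleBasedFieldAuthorization fieldAuthorization = processedConfig.getFieldAuthorization();
                RoleBasedFieldMasking fieldMasking = processedConfig.getFieldMasking();
                DocumentWhitelist documentWhitelist = DocumentWhitelist.get(this.threadContext);
                if (privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext() != null && privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext().getRolesConfig() != null) {
                    // A special context with its own roles configuration replaces the globally
                    // configured authorizations for this call; only the field-masking settings are
                    // carried over from the global configuration.
                    SgDynamicConfiguration rolesConfig = privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext().getRolesConfig();
                    documentAuthorization = new RoleBasedDocumentAuthorization(rolesConfig, null, MetricsLevel.NONE);
                    fieldAuthorization = new RoleBasedFieldAuthorization(rolesConfig, null, MetricsLevel.NONE);
                    fieldMasking = new RoleBasedFieldMasking(rolesConfig, fieldMasking.getFieldMaskingConfig(), null, MetricsLevel.NONE);
                }
                Meta.Index indexMeta = (Meta.Index) this.dlsFlsBaseContext.getIndexMetaData().getIndexOrLike(this.index.getName());
                // DLS is skipped here when it has already been applied on filter level.
                DlsRestriction dlsRestriction = !this.dlsFlsBaseContext.isDlsDoneOnFilterLevel() ? documentAuthorization.getRestriction(privilegesEvaluationContext, indexMeta, detail) : DlsRestriction.NONE;
                RoleBasedFieldAuthorization.FlsRule flsRule = fieldAuthorization.getRestriction(privilegesEvaluationContext, indexMeta, detail);
                RoleBasedFieldMasking.FieldMaskingRule fieldMaskingRule = fieldMasking.getRestriction(privilegesEvaluationContext, indexMeta, detail);
                Query dlsQuery = dlsRestriction.isUnrestricted() ? null : new ConstantScoreQuery(dlsRestriction.toQuery(this.indexService.newSearchExecutionContext(shardId.getId(), 0, (IndexSearcher) null, nowSupplier(processedConfig), (String) null, Collections.emptyMap()), null));
                if (documentWhitelist.isWhitelistForIndexPresent(this.index.getName()) && (!flsRule.isAllowAll() || !fieldMaskingRule.isAllowAll())) {
                    // A whitelist for this index lifts FLS and field masking entirely; the DLS query
                    // built above is left as is. The index name is logged so the lifting is traceable
                    // (the message previously had a placeholder without an argument).
                    log.debug("Lifting FLS/FM for {} due to present document whitelist", this.index.getName());
                    flsRule = RoleBasedFieldAuthorization.FlsRule.ALLOW_ALL;
                    fieldMaskingRule = RoleBasedFieldMasking.FieldMaskingRule.ALLOW_ALL;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Applying DLS/FLS:\nIndex: {}\ndlsRestriction: {}\ndlsQuery: {}\nfls: {}\nfieldMasking: {}", this.indexService.index().getName(), dlsRestriction, dlsQuery, flsRule, fieldMaskingRule);
                }
                return new DlsFlsDirectoryReader(directoryReader, new DlsFlsActionContext(dlsQuery, flsRule, fieldMaskingRule, this.indexService, this.threadContext, currentLicenseInfo, this.auditlog, shardId));
            } finally {
                // Close the meter on every exit path; it was previously closed only on success.
                if (detail != null) {
                    detail.close();
                }
            }
        } catch (PrivilegesEvaluationException e) {
            // Fail closed: record the failure and refuse to return a reader without restrictions.
            log.error("Error while evaluating privileges in " + this, e);
            this.componentState.addLastException("wrap_reader", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the clock handed to the search execution context used to build the DLS query.
     *
     * @param dlsFlsProcessedConfig configuration whose DLS/FLS settings decide whether {@code now}
     *                              may be resolved
     * @return a supplier of the current time in milliseconds when {@code now} is allowed in
     *         queries; otherwise a supplier that throws {@link IllegalArgumentException} when asked
     */
    private LongSupplier nowSupplier(DlsFlsProcessedConfig dlsFlsProcessedConfig) {
        if (dlsFlsProcessedConfig.getDlsFlsConfig().isNowAllowedInQueries()) {
            return System::currentTimeMillis;
        }
        return () -> {
            throw new IllegalArgumentException("'now' is not allowed in DLS queries");
        };
    }
}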
