package com.floragunn.searchguard.enterprise.femt;

import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.authz.ActionAuthorization;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.privileges.PrivilegesInterceptor;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.user.User;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.admin.indices.refresh.RefreshRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.replication.ReplicationRequest;
import org.elasticsearch.action.support.single.shard.SingleShardRequest;
import org.elasticsearch.action.termvectors.MultiTermVectorsRequest;
import org.elasticsearch.action.termvectors.TermVectorsRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/PrivilegesInterceptorImpl.class */
public class PrivilegesInterceptorImpl implements PrivilegesInterceptor {
    private static final String USER_TENANT = "__user__";
    private static final ImmutableSet<String> READ_ONLY_ALLOWED_ACTIONS = ImmutableSet.of("indices:admin/get", new String[]{"indices:data/read/get", "indices:data/read/search", "indices:data/read/msearch", "indices:data/read/mget", "indices:data/read/mget[shard]"});
    private final Action KIBANA_ALL_SAVED_OBJECTS_WRITE;
    private final Action KIBANA_ALL_SAVED_OBJECTS_READ;
    protected final Logger log = LogManager.getLogger(getClass());
    private final String kibanaServerUsername;
    private final String kibanaIndexName;
    private final String kibanaIndexNamePrefix;
    private final Pattern versionedKibanaIndexPattern;
    private final Pattern kibanaIndexPatternWithTenant;
    private final ImmutableSet<String> tenantNames;
    private final boolean enabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/PrivilegesInterceptorImpl$IndexInfo.class */
    public class IndexInfo {
        final String originalName;
        final String prefix;
        final String suffix;
        final String tenantInfoPart;

        IndexInfo(String str, String str2, String str3) {
            this.originalName = str;
            this.prefix = str2;
            this.suffix = str3;
            this.tenantInfoPart = null;
        }

        IndexInfo(String str, String str2, String str3, String str4) {
            this.originalName = str;
            this.prefix = str2;
            this.suffix = str3;
            this.tenantInfoPart = str4;
        }

        String toInternalIndexName(User user) {
            return PrivilegesInterceptorImpl.USER_TENANT.equals(user.getRequestedTenant()) ? toInternalIndexName(user.getName()) : toInternalIndexName(user.getRequestedTenant());
        }

        boolean isReplacementNeeded() {
            return this.tenantInfoPart == null;
        }

        private String toInternalIndexName(String str) {
            if (str == null) {
                throw new ElasticsearchException("tenant must not be null here", new Object[0]);
            }
            String str2 = "_" + str.hashCode() + "_" + str.toLowerCase().replaceAll("[^a-z0-9]+", "");
            if (this.tenantInfoPart != null && !this.tenantInfoPart.equals(str2)) {
                throw new ElasticsearchSecurityException("This combination of sgtenant header and index is not allowed.\nTenant: " + str + "\nIndex: " + this.originalName, RestStatus.BAD_REQUEST, new Object[0]);
            }
            StringBuilder append = new StringBuilder(this.prefix).append(str2);
            if (this.suffix != null) {
                append.append(this.suffix);
            }
            return append.toString();
        }

        public String toString() {
            return "IndexInfo [originalName=" + this.originalName + ", prefix=" + this.prefix + ", suffix=" + this.suffix + ", tenantInfoPart=" + this.tenantInfoPart + "]";
        }
    }

    public PrivilegesInterceptorImpl(FeMultiTenancyConfig feMultiTenancyConfig, ImmutableSet<String> immutableSet, Actions actions) {
        this.enabled = feMultiTenancyConfig.isEnabled();
        this.kibanaServerUsername = feMultiTenancyConfig.getServerUsername();
        this.kibanaIndexName = feMultiTenancyConfig.getIndex();
        this.kibanaIndexNamePrefix = this.kibanaIndexName + "_";
        this.versionedKibanaIndexPattern = Pattern.compile(Pattern.quote(this.kibanaIndexName) + "(_-?[0-9]+_[a-z0-9]+)?(_[0-9]+\\.[0-9]+\\.[0-9]+(_[0-9]{3})?)");
        this.kibanaIndexPatternWithTenant = Pattern.compile(Pattern.quote(this.kibanaIndexName) + "(_-?[0-9]+_[a-z0-9]+(_[0-9]{3})?)");
        this.tenantNames = immutableSet.with("SGS_GLOBAL_TENANT");
        this.KIBANA_ALL_SAVED_OBJECTS_WRITE = actions.get("kibana:saved_objects/_/write");
        this.KIBANA_ALL_SAVED_OBJECTS_READ = actions.get("kibana:saved_objects/_/read");
    }

    private boolean isTenantAllowed(PrivilegesEvaluationContext privilegesEvaluationContext, ActionRequest actionRequest, Action action, String str, ActionAuthorization actionAuthorization) throws PrivilegesEvaluationException {
        if (!isTenantValid(str)) {
            this.log.warn("Invalid tenant: " + str + "; user: " + privilegesEvaluationContext.getUser());
            return false;
        }
        if (str.equals(USER_TENANT)) {
            return true;
        }
        boolean isOk = actionAuthorization.hasTenantPermission(privilegesEvaluationContext, this.KIBANA_ALL_SAVED_OBJECTS_READ, str).isOk();
        boolean isOk2 = actionAuthorization.hasTenantPermission(privilegesEvaluationContext, this.KIBANA_ALL_SAVED_OBJECTS_WRITE, str).isOk();
        if (!isOk && !isOk2) {
            this.log.warn("Tenant {} is not allowed for user {}", str, privilegesEvaluationContext.getUser().getName());
            return false;
        }
        if (isOk2 || READ_ONLY_ALLOWED_ACTIONS.contains(action.name())) {
            return true;
        }
        this.log.warn("Tenant {} is not allowed to write (user: {})", str, privilegesEvaluationContext.getUser().getName());
        return false;
    }

    public PrivilegesInterceptor.InterceptionResult replaceKibanaIndex(PrivilegesEvaluationContext privilegesEvaluationContext, ActionRequest actionRequest, Action action, ActionAuthorization actionAuthorization) throws PrivilegesEvaluationException {
        if (!this.enabled) {
            return PrivilegesInterceptor.InterceptionResult.NORMAL;
        }
        User user = privilegesEvaluationContext.getUser();
        ActionRequestIntrospector.ResolvedIndices resolvedIndices = privilegesEvaluationContext.getRequestInfo().getResolvedIndices();
        if (user.getName().equals(this.kibanaServerUsername)) {
            return PrivilegesInterceptor.InterceptionResult.NORMAL;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("replaceKibanaIndex(" + action + ", " + user + ")\nrequestedResolved: " + resolvedIndices + "\nrequestedTenant: " + user.getRequestedTenant());
        }
        IndexInfo checkForExclusivelyUsedKibanaIndexOrAlias = checkForExclusivelyUsedKibanaIndexOrAlias(actionRequest, resolvedIndices);
        if (checkForExclusivelyUsedKibanaIndexOrAlias == null) {
            return PrivilegesInterceptor.InterceptionResult.NORMAL;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("IndexInfo: " + checkForExclusivelyUsedKibanaIndexOrAlias);
        }
        String requestedTenant = user.getRequestedTenant();
        if (requestedTenant == null || requestedTenant.length() == 0 || requestedTenant.equals("SGS_GLOBAL_TENANT")) {
            if (checkForExclusivelyUsedKibanaIndexOrAlias.tenantInfoPart == null && !isTenantAllowed(privilegesEvaluationContext, actionRequest, action, "SGS_GLOBAL_TENANT", actionAuthorization)) {
                return PrivilegesInterceptor.InterceptionResult.DENY;
            }
            return PrivilegesInterceptor.InterceptionResult.NORMAL;
        }
        if (!isTenantAllowed(privilegesEvaluationContext, actionRequest, action, requestedTenant, actionAuthorization)) {
            return PrivilegesInterceptor.InterceptionResult.DENY;
        }
        if (checkForExclusivelyUsedKibanaIndexOrAlias.isReplacementNeeded()) {
            replaceIndex(actionRequest, checkForExclusivelyUsedKibanaIndexOrAlias.originalName, checkForExclusivelyUsedKibanaIndexOrAlias.toInternalIndexName(user), action, user);
        }
        return PrivilegesInterceptor.InterceptionResult.ALLOW;
    }

    private void replaceIndex(ActionRequest actionRequest, String str, String str2, Action action, User user) {
        boolean z = false;
        if (this.log.isDebugEnabled()) {
            this.log.debug("{} index will be replaced with {} in this {} request", str, str2, actionRequest.getClass().getName());
        }
        if ((actionRequest instanceof GetFieldMappingsIndexRequest) || (actionRequest instanceof GetFieldMappingsRequest)) {
            return;
        }
        String[] strArr = {str2};
        if (actionRequest instanceof CreateIndexRequest) {
            ((CreateIndexRequest) actionRequest).index(str2);
            z = true;
        } else if (actionRequest instanceof BulkRequest) {
            for (DeleteRequest deleteRequest : ((BulkRequest) actionRequest).requests()) {
                if (deleteRequest instanceof DeleteRequest) {
                    deleteRequest.index(str2);
                }
                if (deleteRequest instanceof IndexRequest) {
                    ((IndexRequest) deleteRequest).index(str2);
                }
                if (deleteRequest instanceof UpdateRequest) {
                    ((UpdateRequest) deleteRequest).index(str2);
                }
            }
            z = true;
        } else if (actionRequest instanceof MultiGetRequest) {
            Iterator it = ((MultiGetRequest) actionRequest).getItems().iterator();
            while (it.hasNext()) {
                ((MultiGetRequest.Item) it.next()).index(str2);
            }
            z = true;
        } else if (actionRequest instanceof MultiSearchRequest) {
            Iterator it2 = ((MultiSearchRequest) actionRequest).requests().iterator();
            while (it2.hasNext()) {
                ((SearchRequest) it2.next()).indices(strArr);
            }
            z = true;
        } else if (actionRequest instanceof MultiTermVectorsRequest) {
            Iterable iterable = () -> {
                return ((MultiTermVectorsRequest) actionRequest).iterator();
            };
            Iterator it3 = iterable.iterator();
            while (it3.hasNext()) {
                ((TermVectorsRequest) it3.next()).index(str2);
            }
            z = true;
        } else if (actionRequest instanceof UpdateRequest) {
            ((UpdateRequest) actionRequest).index(str2);
            z = true;
        } else if (actionRequest instanceof IndexRequest) {
            ((IndexRequest) actionRequest).index(str2);
            z = true;
        } else if (actionRequest instanceof DeleteRequest) {
            ((DeleteRequest) actionRequest).index(str2);
            z = true;
        } else if (actionRequest instanceof SingleShardRequest) {
            ((SingleShardRequest) actionRequest).index(str2);
            z = true;
        } else if (actionRequest instanceof RefreshRequest) {
            ((RefreshRequest) actionRequest).indices(strArr);
            z = true;
        } else if (actionRequest instanceof ReplicationRequest) {
            ((ReplicationRequest) actionRequest).index(str2);
            z = true;
        } else if (actionRequest instanceof IndicesRequest.Replaceable) {
            ((IndicesRequest.Replaceable) actionRequest).indices(strArr);
            z = true;
        } else if (actionRequest instanceof IndicesAliasesRequest) {
            IndicesAliasesRequest indicesAliasesRequest = (IndicesAliasesRequest) actionRequest;
            for (IndicesAliasesRequest.AliasActions aliasActions : indicesAliasesRequest.getAliasActions()) {
                if (aliasActions.indices() == null || aliasActions.indices().length != 1) {
                    this.log.warn("Unexpected AliasActions: " + aliasActions);
                } else if (aliasActions.indices()[0].equals(str)) {
                    aliasActions.index(str2);
                    if (aliasActions.actionType() != IndicesAliasesRequest.AliasActions.Type.REMOVE_INDEX) {
                        if (aliasActions.aliases() == null) {
                            this.log.warn("Unexpected AliasActions: " + aliasActions);
                        } else {
                            String[] aliases = aliasActions.aliases();
                            String[] strArr2 = new String[aliases.length];
                            for (int i = 0; i < aliases.length; i++) {
                                IndexInfo checkForExclusivelyUsedKibanaIndexOrAlias = checkForExclusivelyUsedKibanaIndexOrAlias(aliases[i]);
                                if (checkForExclusivelyUsedKibanaIndexOrAlias == null || !checkForExclusivelyUsedKibanaIndexOrAlias.isReplacementNeeded()) {
                                    strArr2[i] = aliases[i];
                                } else {
                                    strArr2[i] = checkForExclusivelyUsedKibanaIndexOrAlias.toInternalIndexName(user);
                                }
                            }
                            aliasActions.aliases(strArr2);
                        }
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Rewritten IndicesAliasesRequest: " + indicesAliasesRequest.getAliasActions());
                    }
                } else {
                    this.log.warn("Unexpected AliasActions: " + aliasActions + "; expected index: " + str);
                }
            }
            z = true;
        } else {
            this.log.warn("Dont know what to do (1) with {}", actionRequest.getClass());
        }
        if (z) {
            return;
        }
        this.log.warn("Dont know what to do (2) with {}", actionRequest.getClass());
    }

    private IndexInfo checkForExclusivelyUsedKibanaIndexOrAlias(ActionRequest actionRequest, ActionRequestIntrospector.ResolvedIndices resolvedIndices) {
        if (resolvedIndices.isLocalAll()) {
            return null;
        }
        Set<String> indices = getIndices(actionRequest);
        if (indices.size() == 1) {
            return checkForExclusivelyUsedKibanaIndexOrAlias(indices.iterator().next());
        }
        return null;
    }

    private IndexInfo checkForExclusivelyUsedKibanaIndexOrAlias(String str) {
        if (str.equals(this.kibanaIndexName)) {
            return new IndexInfo(str, this.kibanaIndexName, null);
        }
        if (!str.startsWith(this.kibanaIndexNamePrefix)) {
            return null;
        }
        Matcher matcher = this.versionedKibanaIndexPattern.matcher(str);
        if (matcher.matches()) {
            return matcher.group(1) == null ? new IndexInfo(str, this.kibanaIndexName, matcher.group(2)) : new IndexInfo(str, this.kibanaIndexName, matcher.group(2), matcher.group(1));
        }
        Matcher matcher2 = this.kibanaIndexPatternWithTenant.matcher(str);
        if (matcher2.matches()) {
            return new IndexInfo(str, this.kibanaIndexName, null, matcher2.group(1));
        }
        return null;
    }

    private Set<String> getIndices(ActionRequest actionRequest) {
        if (actionRequest instanceof PutMappingRequest) {
            PutMappingRequest putMappingRequest = (PutMappingRequest) actionRequest;
            return ImmutableSet.of(putMappingRequest.getConcreteIndex() != null ? putMappingRequest.getConcreteIndex().getName() : null, putMappingRequest.indices());
        }
        if (actionRequest instanceof IndicesRequest) {
            return ((IndicesRequest) actionRequest).indices() != null ? ImmutableSet.of(Arrays.asList(((IndicesRequest) actionRequest).indices())) : Collections.emptySet();
        }
        if (actionRequest instanceof BulkRequest) {
            return ((BulkRequest) actionRequest).getIndices();
        }
        if (actionRequest instanceof MultiGetRequest) {
            return (Set) ((MultiGetRequest) actionRequest).getItems().stream().map(item -> {
                return item.index();
            }).collect(Collectors.toSet());
        }
        if (actionRequest instanceof MultiSearchRequest) {
            return (Set) ((MultiSearchRequest) actionRequest).requests().stream().flatMap(searchRequest -> {
                return Arrays.stream(searchRequest.indices());
            }).collect(Collectors.toSet());
        }
        if (actionRequest instanceof MultiTermVectorsRequest) {
            return (Set) ((MultiTermVectorsRequest) actionRequest).getRequests().stream().flatMap(termVectorsRequest -> {
                return Arrays.stream(termVectorsRequest.indices());
            }).collect(Collectors.toSet());
        }
        if (this.log.isTraceEnabled()) {
            this.log.trace("Not supported for multi tenancy: " + actionRequest);
        }
        return Collections.emptySet();
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    public String getKibanaIndex() {
        return this.kibanaIndexName;
    }

    public String getKibanaServerUser() {
        return this.kibanaServerUsername;
    }

    public Map<String, Boolean> mapTenants(User user, ImmutableSet<String> immutableSet, ActionAuthorization actionAuthorization) {
        if (user == null) {
            return ImmutableMap.empty();
        }
        ImmutableMap.Builder builder = new ImmutableMap.Builder(immutableSet.size());
        builder.put(user.getName(), true);
        PrivilegesEvaluationContext privilegesEvaluationContext = new PrivilegesEvaluationContext(user, immutableSet, (Action) null, (Object) null, false, (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
        UnmodifiableIterator it = this.tenantNames.iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            try {
                boolean isOk = actionAuthorization.hasTenantPermission(privilegesEvaluationContext, this.KIBANA_ALL_SAVED_OBJECTS_READ, str).isOk();
                if (actionAuthorization.hasTenantPermission(privilegesEvaluationContext, this.KIBANA_ALL_SAVED_OBJECTS_WRITE, str).isOk()) {
                    builder.put(str, true);
                } else if (isOk) {
                    builder.put(str, false);
                }
            } catch (PrivilegesEvaluationException e) {
                this.log.error("Error while evaluating privileges for " + user + " " + str, e);
            }
        }
        return builder.build();
    }

    private boolean isTenantValid(String str) {
        return USER_TENANT.equals(str) || this.tenantNames.contains(str);
    }
}
