package com.floragunn.searchguard.enterprise.femt;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.DocumentParseException;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.documents.UnparsedDocument;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.SyncAuthorizationFilter;
import com.floragunn.searchguard.enterprise.femt.tenants.MultitenancyActivationService;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import java.util.Arrays;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.admin.indices.create.TransportCreateIndexAction;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.admin.indices.mapping.put.TransportPutMappingAction;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.rest.RestStatus;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/FrontendDataMigrationInterceptor.class */
public class FrontendDataMigrationInterceptor {
    private final Logger log = LogManager.getLogger(getClass());
    private final String kibanaServerUsername;
    private final ThreadContext threadContext;
    private final Client nodeClient;

    @FunctionalInterface
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/FrontendDataMigrationInterceptor$ActionProcessor.class */
    private interface ActionProcessor {
        SyncAuthorizationFilter.Result process();
    }

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/FrontendDataMigrationInterceptor$PassOnFastLineProcessor.class */
    private class PassOnFastLineProcessor implements ActionProcessor {
        private PassOnFastLineProcessor() {
        }

        @Override // com.floragunn.searchguard.enterprise.femt.FrontendDataMigrationInterceptor.ActionProcessor
        public SyncAuthorizationFilter.Result process() {
            FrontendDataMigrationInterceptor.this.log.debug("Non-migration action, return PASS_ON_FAST_LANE");
            return SyncAuthorizationFilter.Result.PASS_ON_FAST_LANE;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/FrontendDataMigrationInterceptor$UserAccessGuardWrapper.class */
    private class UserAccessGuardWrapper implements ActionProcessor {
        private final User user;
        private final ActionProcessor delegate;

        private UserAccessGuardWrapper(User user, ActionProcessor actionProcessor) {
            this.user = user;
            this.delegate = actionProcessor;
        }

        @Override // com.floragunn.searchguard.enterprise.femt.FrontendDataMigrationInterceptor.ActionProcessor
        public SyncAuthorizationFilter.Result process() {
            if (isUserAllowed(this.user)) {
                return this.delegate.process();
            }
            FrontendDataMigrationInterceptor.this.log.error("User '{} is not allowed to perform this action", this.user.getName());
            return SyncAuthorizationFilter.Result.DENIED;
        }

        private boolean isUserAllowed(User user) {
            return FrontendDataMigrationInterceptor.this.kibanaServerUsername.equals(user.getName());
        }
    }

    public FrontendDataMigrationInterceptor(ThreadContext threadContext, Client client, FeMultiTenancyConfig feMultiTenancyConfig) {
        this.threadContext = threadContext;
        this.nodeClient = client;
        this.kibanaServerUsername = feMultiTenancyConfig.getServerUsername();
    }

    public SyncAuthorizationFilter.Result process(Set<String> set, PrivilegesEvaluationContext privilegesEvaluationContext, ActionListener<?> actionListener) {
        try {
            return ((ActionProcessor) getActionProcessor(set, privilegesEvaluationContext, actionListener).map(actionProcessor -> {
                return new UserAccessGuardWrapper(privilegesEvaluationContext.getUser(), actionProcessor);
            }).orElseGet(() -> {
                return new PassOnFastLineProcessor();
            })).process();
        } catch (Exception e) {
            this.log.error("An error occurred while intercepting migration", e);
            actionListener.onFailure(e);
            return SyncAuthorizationFilter.Result.INTERCEPTED;
        }
    }

    private Optional<ActionProcessor> getActionProcessor(Set<String> set, PrivilegesEvaluationContext privilegesEvaluationContext, ActionListener<?> actionListener) {
        if (privilegesEvaluationContext.getUser() != null && Strings.isNullOrEmpty(privilegesEvaluationContext.getUser().getRequestedTenant()) && this.kibanaServerUsername.equals(privilegesEvaluationContext.getUser().getName())) {
            Object request = privilegesEvaluationContext.getRequest();
            if (request instanceof BulkRequest) {
                BulkRequest bulkRequest = (BulkRequest) request;
                this.log.debug("Index '{}' used during migration detected.", set);
                return Optional.of(() -> {
                    return handleDataMigration(set, privilegesEvaluationContext, bulkRequest, actionListener);
                });
            }
        }
        if (TransportPutMappingAction.TYPE.name().equals(privilegesEvaluationContext.getAction().name())) {
            this.log.debug("Migration of mappings for index '{}' detected ", set);
            return Optional.of(() -> {
                return extendIndexMappingWithMultiTenancyData((PutMappingRequest) privilegesEvaluationContext.getRequest(), (ActionListener<AcknowledgedResponse>) actionListener);
            });
        }
        if (!TransportCreateIndexAction.TYPE.name().equals(privilegesEvaluationContext.getAction().name())) {
            return Optional.empty();
        }
        this.log.debug("Creation of index '{}' detected", set);
        return Optional.of(() -> {
            return extendIndexMappingWithMultiTenancyData((CreateIndexRequest) privilegesEvaluationContext.getRequest(), (ActionListener<CreateIndexResponse>) actionListener);
        });
    }

    private SyncAuthorizationFilter.Result handleDataMigration(Set<String> set, PrivilegesEvaluationContext privilegesEvaluationContext, BulkRequest bulkRequest, ActionListener<BulkResponse> actionListener) {
        this.log.debug("Data migration - action '{}' invoked, request class '{}'.", privilegesEvaluationContext.getAction().name(), privilegesEvaluationContext.getRequest().getClass());
        boolean z = false;
        for (IndexRequest indexRequest : bulkRequest.requests()) {
            if (indexRequest instanceof IndexRequest) {
                IndexRequest indexRequest2 = indexRequest;
                if (set.contains(indexRequest2.index())) {
                    Map map = (Map) XContentHelper.convertToMap(indexRequest2.source(), true, indexRequest2.getContentType()).v2();
                    if (RequestResponseTenantData.isScopedId(indexRequest2.id())) {
                        if (RequestResponseTenantData.containsSgTenantField((Map<String, Object>) map)) {
                            this.log.debug("Data migration - document already '{}' contains {} field with value '{}'", indexRequest2.id(), RequestResponseTenantData.getSgTenantField(), map.get(RequestResponseTenantData.getSgTenantField()));
                        } else {
                            String extractTenantFromId = RequestResponseTenantData.extractTenantFromId(indexRequest2.id());
                            this.log.debug("Data migration - adding field '{}' to document '{}' from index '{}' with value '{}'.", RequestResponseTenantData.getSgTenantField(), indexRequest2.id(), indexRequest2.index(), extractTenantFromId);
                            RequestResponseTenantData.appendSgTenantFieldTo(map, extractTenantFromId);
                            indexRequest2.source(map);
                            z = true;
                        }
                    }
                }
            }
        }
        if (!z) {
            this.log.debug("Data migration - request not extended");
            return SyncAuthorizationFilter.Result.OK;
        }
        ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext();
        try {
            this.threadContext.putHeader(MultiTenancyAuthorizationFilter.SG_FILTER_LEVEL_FEMT_DONE, bulkRequest.toString());
            this.nodeClient.bulk(bulkRequest, actionListener);
            this.log.debug("Data migration - request extended");
            SyncAuthorizationFilter.Result result = SyncAuthorizationFilter.Result.INTERCEPTED;
            if (newStoredContext != null) {
                newStoredContext.close();
            }
            return result;
        } catch (Throwable th) {
            if (newStoredContext != null) {
                try {
                    newStoredContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private SyncAuthorizationFilter.Result extendIndexMappingWithMultiTenancyData(PutMappingRequest putMappingRequest, ActionListener<AcknowledgedResponse> actionListener) {
        String source = putMappingRequest.source();
        this.log.debug("Extend put mappings request for '{}' to support multi tenancy, current mappings '{}'", putMappingRequest.indices(), source);
        try {
            ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext();
            try {
                Optional<U> map = extendMappingsWithMultitenancy(source).map(docNode -> {
                    return createExtendedPutMappingRequest(putMappingRequest, docNode);
                });
                if (!map.isPresent()) {
                    this.log.debug("Extend put mappings request - mappings not extended");
                    SyncAuthorizationFilter.Result result = SyncAuthorizationFilter.Result.OK;
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return result;
                }
                PutMappingRequest putMappingRequest2 = (PutMappingRequest) map.get();
                this.threadContext.putHeader(MultiTenancyAuthorizationFilter.SG_FILTER_LEVEL_FEMT_DONE, putMappingRequest2.toString());
                this.nodeClient.admin().indices().putMapping(putMappingRequest2, actionListener);
                this.log.debug("Extend put mappings request - mappings extended: '{}'", putMappingRequest2.source());
                SyncAuthorizationFilter.Result result2 = SyncAuthorizationFilter.Result.INTERCEPTED;
                if (newStoredContext != null) {
                    newStoredContext.close();
                }
                return result2;
            } finally {
            }
        } catch (DocumentParseException e) {
            this.log.error("Cannot extend put mappings request with information related to multi tenancy", e);
            actionListener.onFailure(new ElasticsearchStatusException("Cannot extend put mappings request with information related to multi tenancy", RestStatus.INTERNAL_SERVER_ERROR, e, new Object[0]));
            return SyncAuthorizationFilter.Result.INTERCEPTED;
        }
    }

    private SyncAuthorizationFilter.Result extendIndexMappingWithMultiTenancyData(CreateIndexRequest createIndexRequest, ActionListener<CreateIndexResponse> actionListener) {
        String mappings = createIndexRequest.mappings();
        if (Strings.isNullOrEmpty(mappings)) {
            this.log.debug("Extend create index request for '{}' to support multi tenancy. Exit early, mappings from request are empty", Arrays.asList(createIndexRequest.indices()));
            return SyncAuthorizationFilter.Result.OK;
        }
        this.log.debug("Extend create index request for '{}' to support multi tenancy, current mappings '{}", Arrays.asList(createIndexRequest.indices()), mappings);
        try {
            ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext();
            try {
                DocNode parseAsDocNode = UnparsedDocument.from(mappings, Format.JSON).parseAsDocNode();
                if (parseAsDocNode.hasNonNull("_doc")) {
                    Optional map = extendMappingsWithMultitenancy(parseAsDocNode.getAsNode("_doc")).map(docNode -> {
                        return parseAsDocNode.with("_doc", docNode);
                    }).map((v0) -> {
                        return v0.toJsonString();
                    });
                    if (map.isPresent()) {
                        String str = (String) map.get();
                        createIndexRequest.mapping(str);
                        this.threadContext.putHeader(MultiTenancyAuthorizationFilter.SG_FILTER_LEVEL_FEMT_DONE, createIndexRequest.toString());
                        this.nodeClient.admin().indices().create(createIndexRequest, actionListener);
                        this.log.debug("Extend create index - mappings extended: '{}'", str);
                        SyncAuthorizationFilter.Result result = SyncAuthorizationFilter.Result.INTERCEPTED;
                        if (newStoredContext != null) {
                            newStoredContext.close();
                        }
                        return result;
                    }
                    this.log.debug("Extend create index - mappings not extended");
                }
                if (newStoredContext != null) {
                    newStoredContext.close();
                }
                return SyncAuthorizationFilter.Result.OK;
            } finally {
            }
        } catch (DocumentParseException e) {
            this.log.error("Cannot extend index mapping with information related to multi tenancy during index creation", e);
            actionListener.onFailure(new ElasticsearchStatusException("Cannot extend index mapping with information related to multi tenancy during index creation", RestStatus.INTERNAL_SERVER_ERROR, e, new Object[0]));
            return SyncAuthorizationFilter.Result.INTERCEPTED;
        }
    }

    private Optional<DocNode> extendMappingsWithMultitenancy(String str) throws DocumentParseException {
        return extendMappingsWithMultitenancy(UnparsedDocument.from(str, Format.JSON).parseAsDocNode());
    }

    private PutMappingRequest createExtendedPutMappingRequest(PutMappingRequest putMappingRequest, DocNode docNode) {
        PutMappingRequest indicesOptions = new PutMappingRequest(putMappingRequest.indices()).source(docNode).origin(putMappingRequest.origin()).writeIndexOnly(putMappingRequest.writeIndexOnly()).masterNodeTimeout(putMappingRequest.masterNodeTimeout()).ackTimeout(putMappingRequest.ackTimeout()).indicesOptions(putMappingRequest.indicesOptions());
        if (putMappingRequest.getConcreteIndex() != null) {
            indicesOptions.setConcreteIndex(putMappingRequest.getConcreteIndex());
        }
        return indicesOptions;
    }

    private Optional<DocNode> extendMappingsWithMultitenancy(DocNode docNode) {
        return Optional.of(docNode).filter(docNode2 -> {
            return docNode2.hasNonNull("properties");
        }).map(docNode3 -> {
            return docNode3.getAsNode("properties");
        }).filter(docNode4 -> {
            return !RequestResponseTenantData.containsSgTenantField(docNode4);
        }).map(docNode5 -> {
            return docNode5.with(MultitenancyActivationService.getSgTenantFieldMapping());
        }).map(docNode6 -> {
            return docNode.with("properties", docNode6);
        });
    }
}
