package com.floragunn.searchguard.enterprise.femt;

import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.SyncAuthorizationFilter;
import com.floragunn.searchguard.authz.TenantManager;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.actions.ResolvedIndices;
import com.floragunn.searchguard.enterprise.femt.request.handler.RequestHandlerFactory;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchContextId;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.termvectors.MultiTermVectorsRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.script.Script;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter.class */
public class MultiTenancyAuthorizationFilter implements SyncAuthorizationFilter {
    static final String TEMP_MIGRATION_INDEX_NAME_POSTFIX_1 = "_reindex_temp";
    static final String TEMP_MIGRATION_INDEX_NAME_POSTFIX_2 = "_reindex_temp_alias";
    public static final String SG_FILTER_LEVEL_FEMT_DONE = "_sg_filter_level_femt_done";
    private static final ImmutableSet<String> READ_ONLY_ALLOWED_ACTIONS = ImmutableSet.of("indices:admin/get", new String[]{"indices:data/read/get", "indices:data/read/search", "indices:data/read/msearch", "indices:data/read/mget", "indices:data/read/mget[shard]", "indices:data/read/open_point_in_time"});
    private final Action KIBANA_ALL_SAVED_OBJECTS_WRITE;
    private final Action KIBANA_ALL_SAVED_OBJECTS_READ;
    private final String kibanaServerUsername;
    private final String kibanaIndexName;
    private final String kibanaIndexNamePrefix;
    private final Pattern versionedKibanaIndexPattern;
    private final boolean enabled;
    private final boolean privateTenantEnabled;
    private final ThreadContext threadContext;
    private final RoleBasedTenantAuthorization tenantAuthorization;
    private final FrontendDataMigrationInterceptor frontendDataMigrationInterceptor;
    private final RequestHandlerFactory requestHandlerFactory;
    private final TenantManager tenantManager;
    protected final Logger log = LogManager.getLogger(getClass());
    private final ImmutableList<String> indexSubNames = ImmutableList.of("alerting_cases", "analytics", "security_solution", new String[]{"ingest"});

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$IndexInfo.class */
    public class IndexInfo {
        final String originalName;
        final String prefix;
        final String suffix;

        IndexInfo(String str, String str2, String str3) {
            this.originalName = str;
            this.prefix = str2;
            this.suffix = str3;
        }

        public String toString() {
            return "IndexInfo [originalName=" + this.originalName + ", prefix=" + this.prefix + ", suffix=" + this.suffix + "]";
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess.class */
    public static final class TenantAccess extends Record {
        private final boolean hasReadPermission;
        private final boolean hasWritePermission;
        public static final TenantAccess INACCESSIBLE = new TenantAccess(false, false);
        public static final TenantAccess FULL_ACCESS = new TenantAccess(true, true);

        TenantAccess(boolean z, boolean z2) {
            this.hasReadPermission = z;
            this.hasWritePermission = z2;
        }

        public boolean hasAnyAccess() {
            return this.hasReadPermission | this.hasWritePermission;
        }

        public boolean isProhibited() {
            return !hasAnyAccess();
        }

        public boolean isWriteProhibited() {
            return !this.hasWritePermission;
        }

        public boolean isReadOnly() {
            return !this.hasWritePermission && this.hasReadPermission;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, TenantAccess.class), TenantAccess.class, "hasReadPermission;hasWritePermission", "FIELD:Lcom/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess;->hasReadPermission:Z", "FIELD:Lcom/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess;->hasWritePermission:Z").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, TenantAccess.class), TenantAccess.class, "hasReadPermission;hasWritePermission", "FIELD:Lcom/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess;->hasReadPermission:Z", "FIELD:Lcom/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess;->hasWritePermission:Z").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, TenantAccess.class, Object.class), TenantAccess.class, "hasReadPermission;hasWritePermission", "FIELD:Lcom/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess;->hasReadPermission:Z", "FIELD:Lcom/floragunn/searchguard/enterprise/femt/MultiTenancyAuthorizationFilter$TenantAccess;->hasWritePermission:Z").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public boolean hasReadPermission() {
            return this.hasReadPermission;
        }

        public boolean hasWritePermission() {
            return this.hasWritePermission;
        }
    }

    public MultiTenancyAuthorizationFilter(FeMultiTenancyConfig feMultiTenancyConfig, RoleBasedTenantAuthorization roleBasedTenantAuthorization, TenantManager tenantManager, Actions actions, ThreadContext threadContext, Client client, RequestHandlerFactory requestHandlerFactory) {
        this.enabled = feMultiTenancyConfig.isEnabled();
        this.privateTenantEnabled = feMultiTenancyConfig.isPrivateTenantEnabled();
        this.kibanaServerUsername = feMultiTenancyConfig.getServerUsername();
        this.kibanaIndexName = feMultiTenancyConfig.getIndex();
        this.kibanaIndexNamePrefix = this.kibanaIndexName + "_";
        this.versionedKibanaIndexPattern = Pattern.compile("(" + Pattern.quote(this.kibanaIndexName) + toPatternFragment(this.indexSubNames) + ")(_[0-9]+\\.[0-9]+\\.[0-9]+(_[0-9]{3})?)?(" + Pattern.quote(TEMP_MIGRATION_INDEX_NAME_POSTFIX_1) + "|" + Pattern.quote(TEMP_MIGRATION_INDEX_NAME_POSTFIX_2) + ")?");
        this.KIBANA_ALL_SAVED_OBJECTS_WRITE = KibanaActionsProvider.getKibanaWriteAction(actions);
        this.KIBANA_ALL_SAVED_OBJECTS_READ = KibanaActionsProvider.getKibanaReadAction(actions);
        this.threadContext = threadContext;
        this.tenantAuthorization = roleBasedTenantAuthorization;
        this.frontendDataMigrationInterceptor = new FrontendDataMigrationInterceptor(threadContext, client, feMultiTenancyConfig);
        this.requestHandlerFactory = requestHandlerFactory;
        this.tenantManager = tenantManager;
        this.log.info("Filter which supports front-end multi tenancy created, enabled '{}'.", Boolean.valueOf(this.enabled));
    }

    public SyncAuthorizationFilter.Result apply(PrivilegesEvaluationContext privilegesEvaluationContext, ActionListener<?> actionListener) {
        if (!this.enabled) {
            this.log.trace("MultiTenancyAuthorizationFilter is disabled");
            return SyncAuthorizationFilter.Result.OK;
        }
        if (this.threadContext.getHeader(SG_FILTER_LEVEL_FEMT_DONE) != null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("FEMT is already done for: " + this.threadContext.getHeader(SG_FILTER_LEVEL_FEMT_DONE));
            }
            return SyncAuthorizationFilter.Result.PASS_ON_FAST_LANE;
        }
        User user = privilegesEvaluationContext.getUser();
        ResolvedIndices resolvedIndices = privilegesEvaluationContext.getRequestInfo().getResolvedIndices();
        if (this.log.isDebugEnabled()) {
            this.log.debug("apply(" + String.valueOf(privilegesEvaluationContext.getAction()) + ", " + String.valueOf(user) + ")\nrequestedResolved: " + String.valueOf(resolvedIndices) + "\nrequestedTenant: " + user.getRequestedTenant());
        }
        List<IndexInfo> checkForExclusivelyUsedKibanaIndexOrAlias = checkForExclusivelyUsedKibanaIndexOrAlias((ActionRequest) privilegesEvaluationContext.getRequest(), resolvedIndices, user.getRequestedTenant());
        if (checkForExclusivelyUsedKibanaIndexOrAlias.isEmpty()) {
            return SyncAuthorizationFilter.Result.OK;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("IndexInfo: " + String.valueOf(checkForExclusivelyUsedKibanaIndexOrAlias));
        }
        SyncAuthorizationFilter.Result process = this.frontendDataMigrationInterceptor.process(getOriginalIndicesNames(checkForExclusivelyUsedKibanaIndexOrAlias), privilegesEvaluationContext, actionListener);
        if (SyncAuthorizationFilter.Result.PASS_ON_FAST_LANE != process) {
            return process;
        }
        String requestedTenant = user.getRequestedTenant();
        this.log.trace("User's '{}' requested tenant is '{}'", user.getName(), requestedTenant);
        if (this.tenantManager.isTenantHeaderEmpty(requestedTenant)) {
            return SyncAuthorizationFilter.Result.OK;
        }
        try {
            return isTenantAllowed(user.getName().equals(this.kibanaServerUsername) ? TenantAccess.FULL_ACCESS : getTenantAccess(privilegesEvaluationContext, requestedTenant), privilegesEvaluationContext.getUser().getName(), privilegesEvaluationContext.getAction(), requestedTenant, privilegesEvaluationContext.getRequest()) ? handle(privilegesEvaluationContext, actionListener) : SyncAuthorizationFilter.Result.DENIED;
        } catch (PrivilegesEvaluationException e) {
            this.log.error("Error while evaluating privileges for {}, tenant: {}", user, requestedTenant, e);
            return SyncAuthorizationFilter.Result.DENIED;
        }
    }

    private boolean isReadOnlyAllowedRequest(Object obj) {
        return isUpdateLegacyUrlAliasDuringLoadingDashboard(obj);
    }

    private boolean isUpdateLegacyUrlAliasDuringLoadingDashboard(Object obj) {
        Predicate predicate = docWriteRequest -> {
            Script script;
            Map params;
            String idOrCode;
            return docWriteRequest.id() != null && docWriteRequest.id().startsWith("legacy-url-alias") && (docWriteRequest instanceof UpdateRequest) && (script = ((UpdateRequest) docWriteRequest).script()) != null && "painless".contains(script.getLang()) && (params = script.getParams()) != null && params.containsKey("type") && params.containsKey("time") && "legacy-url-alias".equals(params.get("type")) && (idOrCode = script.getIdOrCode()) != null && idOrCode.contains("ctx._source[params.type].disabled") && idOrCode.contains("ctx._source[params.type].resolveCounter");
        };
        if (!(obj instanceof BulkRequest)) {
            return false;
        }
        BulkRequest bulkRequest = (BulkRequest) obj;
        return bulkRequest.getIndices().size() == 1 && ((String) new ArrayList(bulkRequest.getIndices()).get(0)).startsWith(this.kibanaIndexName) && bulkRequest.requests() != null && bulkRequest.requests().stream().allMatch(predicate);
    }

    private SyncAuthorizationFilter.Result handle(PrivilegesEvaluationContext privilegesEvaluationContext, ActionListener<?> actionListener) {
        Object request = privilegesEvaluationContext.getRequest();
        Optional requestHandlerFor = this.requestHandlerFactory.requestHandlerFor(request);
        String internalTenantName = this.tenantManager.toInternalTenantName(privilegesEvaluationContext.getUser());
        return (SyncAuthorizationFilter.Result) requestHandlerFor.map(requestHandler -> {
            return requestHandler.handle(privilegesEvaluationContext, internalTenantName, (ActionRequest) request, actionListener);
        }).orElseGet(() -> {
            if (this.log.isTraceEnabled()) {
                this.log.trace("Not giving {} special treatment for FEMT", request);
            }
            return SyncAuthorizationFilter.Result.OK;
        });
    }

    private TenantAccess getTenantAccess(PrivilegesEvaluationContext privilegesEvaluationContext, String str) throws PrivilegesEvaluationException {
        if (this.tenantManager.isTenantHeaderValid(str)) {
            return this.tenantManager.isUserTenantHeader(str) ? this.privateTenantEnabled ? TenantAccess.FULL_ACCESS : TenantAccess.INACCESSIBLE : new TenantAccess(this.tenantAuthorization.hasTenantPermission(privilegesEvaluationContext, this.KIBANA_ALL_SAVED_OBJECTS_READ, str).isOk(), this.tenantAuthorization.hasTenantPermission(privilegesEvaluationContext, this.KIBANA_ALL_SAVED_OBJECTS_WRITE, str).isOk());
        }
        this.log.warn("Invalid tenant: " + str + "; user: " + String.valueOf(privilegesEvaluationContext.getUser()));
        return TenantAccess.INACCESSIBLE;
    }

    private boolean isTenantAllowed(TenantAccess tenantAccess, String str, Action action, String str2, Object obj) throws PrivilegesEvaluationException {
        if (tenantAccess.isProhibited()) {
            this.log.warn("Tenant {} is not allowed for user {}", str2, str);
            return false;
        }
        if (!tenantAccess.isWriteProhibited() || READ_ONLY_ALLOWED_ACTIONS.contains(action.name()) || isReadOnlyAllowedRequest(obj)) {
            return true;
        }
        this.log.warn("Tenant {} is not allowed to write (user: {})", str2, str);
        return false;
    }

    private List<IndexInfo> checkForExclusivelyUsedKibanaIndexOrAlias(ActionRequest actionRequest, ResolvedIndices resolvedIndices, String str) {
        if (resolvedIndices.isLocalAll()) {
            return Collections.emptyList();
        }
        Set<String> indices = getIndices(actionRequest);
        List<IndexInfo> list = (List) indices.stream().map(this::checkForExclusivelyUsedKibanaIndexOrAlias).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList());
        if (!Strings.isNullOrEmpty(str) && !list.isEmpty() && indices.size() != list.size()) {
            this.log.error("Request '{}' is related to multi-tenancy indices and some other indices '{}', requested tenant '{}'", actionRequest.getClass(), String.join(", ", indices), str);
        }
        return list;
    }

    private IndexInfo checkForExclusivelyUsedKibanaIndexOrAlias(String str) {
        if (str.equals(this.kibanaIndexName)) {
            return new IndexInfo(str, this.kibanaIndexName, null);
        }
        if (!str.startsWith(this.kibanaIndexNamePrefix)) {
            return null;
        }
        Matcher matcher = this.versionedKibanaIndexPattern.matcher(str);
        if (matcher.matches()) {
            return new IndexInfo(str, matcher.group(1), matcher.group(2));
        }
        return null;
    }

    private Set<String> getOriginalIndicesNames(List<IndexInfo> list) {
        return (Set) list.stream().map(indexInfo -> {
            return indexInfo.originalName;
        }).collect(Collectors.toSet());
    }

    private Set<String> getIndices(ActionRequest actionRequest) {
        if (actionRequest instanceof PutMappingRequest) {
            PutMappingRequest putMappingRequest = (PutMappingRequest) actionRequest;
            return ImmutableSet.of(putMappingRequest.getConcreteIndex() != null ? putMappingRequest.getConcreteIndex().getName() : null, putMappingRequest.indices());
        }
        if (actionRequest instanceof SearchRequest) {
            SearchRequest searchRequest = (SearchRequest) actionRequest;
            if (Objects.nonNull(searchRequest.pointInTimeBuilder())) {
                return ImmutableSet.ofArray(SearchContextId.decodeIndices(searchRequest.pointInTimeBuilder().getEncodedId()));
            }
        }
        if (actionRequest instanceof IndicesRequest) {
            return ((IndicesRequest) actionRequest).indices() != null ? ImmutableSet.of(Arrays.asList(((IndicesRequest) actionRequest).indices())) : Collections.emptySet();
        }
        if (actionRequest instanceof BulkRequest) {
            return ((BulkRequest) actionRequest).getIndices();
        }
        if (actionRequest instanceof MultiGetRequest) {
            return (Set) ((MultiGetRequest) actionRequest).getItems().stream().map(item -> {
                return item.index();
            }).collect(Collectors.toSet());
        }
        if (actionRequest instanceof MultiSearchRequest) {
            return (Set) ((MultiSearchRequest) actionRequest).requests().stream().flatMap(searchRequest2 -> {
                return Arrays.stream(searchRequest2.indices());
            }).collect(Collectors.toSet());
        }
        if (actionRequest instanceof MultiTermVectorsRequest) {
            return (Set) ((MultiTermVectorsRequest) actionRequest).getRequests().stream().flatMap(termVectorsRequest -> {
                return Arrays.stream(termVectorsRequest.indices());
            }).collect(Collectors.toSet());
        }
        if (this.log.isTraceEnabled()) {
            this.log.trace("Not supported for multi tenancy: {} ", actionRequest);
        }
        return Collections.emptySet();
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    private String toPatternFragment(Collection<String> collection) {
        StringBuilder sb = new StringBuilder("(?:");
        for (String str : collection) {
            sb.append("|_");
            sb.append(Pattern.quote(str));
        }
        sb.append(")");
        return sb.toString();
    }
}
