package com.floragunn.searchguard.authz;

import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import java.util.ArrayList;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.tasks.Task;

/* loaded from: input_file:com/floragunn/searchguard/authz/SearchGuardIndexAccessEvaluator.class */
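/**
 * Guards the protected (Search Guard configuration) indices against modifying
 * actions issued through the regular request path.
 *
 * <p>For every index request whose action name matches one of the denied
 * patterns, the evaluator either rejects the request or, when index filtering
 * is enabled, rewrites the request so that the protected indices are no longer
 * targeted. Requests that touch all local indices or a protected index also
 * get the search request cache and realtime behaviour switched off.
 *
 * <p>{@link PrivilegesEvaluationResult#PENDING} is returned whenever this
 * evaluator does not reject the request; presumably a later evaluator makes
 * the final decision (not visible in this class).
 */
public class SearchGuardIndexAccessEvaluator {
    protected final Logger log = LogManager.getLogger(getClass());
    private final AuditLog auditLog;
    // Action name patterns that must not reach a protected index.
    private final String[] sgDeniedActionPatterns;
    private final ActionRequestIntrospector actionRequestIntrospector;
    // true: strip protected indices from the request; false: reject the request.
    private final boolean filterSgIndex;

    /**
     * Reads the two settings that control this evaluator and builds the list
     * of denied action patterns.
     *
     * @param settings node settings; both flags default to {@code false}
     * @param auditLog sink for rejected attempts on protected indices
     * @param actionRequestIntrospector used to rewrite the index list of a request
     */
    public SearchGuardIndexAccessEvaluator(Settings settings, AuditLog auditLog, ActionRequestIntrospector actionRequestIntrospector) {
        this.auditLog = auditLog;
        this.actionRequestIntrospector = actionRequestIntrospector;
        this.filterSgIndex = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_FILTER_SGINDEX_FROM_ALL_REQUESTS, false);
        boolean restoreSgIndexEnabled = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_UNSUPPORTED_RESTORE_SGINDEX_ENABLED, false);

        ArrayList<String> deniedPatterns = new ArrayList<>();
        deniedPatterns.add("indices:data/write*");
        deniedPatterns.add("indices:admin/delete*");
        deniedPatterns.add("indices:admin/mapping/delete*");
        deniedPatterns.add("indices:admin/mapping/put*");
        deniedPatterns.add("indices:admin/freeze*");
        deniedPatterns.add("indices:admin/settings/update*");
        // NOTE(review): unlike its neighbours this pattern carries no trailing '*';
        // presumably it matches only the exact action name. Confirm that no other
        // alias-modifying action name needs to be covered.
        deniedPatterns.add("indices:admin/aliases");
        if (!restoreSgIndexEnabled) {
            // Closing a protected index and restoring snapshots stay denied unless the
            // restore flag is switched on. Turning that flag on shrinks the deny list,
            // so it widens what a regular request may do to the protected indices.
            deniedPatterns.add("indices:admin/close*");
            deniedPatterns.add("cluster:admin/snapshot/restore*");
        }
        this.sgDeniedActionPatterns = deniedPatterns.toArray(new String[0]);
    }

    /**
     * Decides whether the request may proceed with respect to the protected indices.
     *
     * @param actionRequest the request; its index list may be rewritten in place
     * @param task the task the request runs under, passed on to the audit log
     * @param action the action being executed; its name is matched against the denied patterns
     * @param actionRequestInfo resolved index information for the request
     * @return {@code INSUFFICIENT} (with reason and missing privilege) when a denied action
     *         targets protected indices and cannot be filtered, otherwise {@code PENDING}
     */
    public PrivilegesEvaluationResult evaluate(ActionRequest actionRequest, Task task, Action action, ActionRequestIntrospector.ActionRequestInfo actionRequestInfo) {
        if (!actionRequestInfo.isIndexRequest()) {
            return PrivilegesEvaluationResult.PENDING;
        }
        ActionRequestIntrospector.ResolvedIndices resolvedIndices = actionRequestInfo.getResolvedIndices();
        if (WildcardMatcher.matchAny(this.sgDeniedActionPatterns, action.name())) {
            if (resolvedIndices.isLocalAll()) {
                if (!this.filterSgIndex) {
                    this.auditLog.logSgIndexAttempt(actionRequest, action.name(), task);
                    this.log.warn("{} for '_all' indices is not allowed for a regular user", action);
                    return PrivilegesEvaluationResult.INSUFFICIENT.reason("Action for '_all' indices is not allowed for a regular user").missingPrivileges(action);
                }
                ImmutableSet<String> protectedIndicesAsMinusPattern = SearchGuardPlugin.getProtectedIndices().getProtectedIndicesAsMinusPattern();
                // NOTE(review): the boolean returned by replaceIndices is ignored here, while
                // the protected-index branch below treats 'false' as a reason to deny. Confirm
                // that replaceIndices cannot return false without having rewritten the request;
                // otherwise the request would continue with its original '_all' target.
                this.actionRequestIntrospector.replaceIndices(actionRequest,
                        current -> current.isLocalAll()
                                ? ImmutableList.of("*").with(protectedIndicesAsMinusPattern)
                                : ImmutableList.of(current.getLocalIndices()).with(protectedIndicesAsMinusPattern).with(current.getRemoteIndices()),
                        actionRequestInfo);
                if (this.log.isDebugEnabled()) {
                    // The former message had four placeholders for three arguments, which left
                    // a literal "{}" at the end of the log line.
                    this.log.debug("Filtered '{}' from {}, appended exclusion patterns {}", SearchGuardPlugin.getProtectedIndices().printProtectedIndices(), resolvedIndices, protectedIndicesAsMinusPattern);
                }
                return PrivilegesEvaluationResult.PENDING;
            }
            if (SearchGuardPlugin.getProtectedIndices().containsProtected(resolvedIndices.getLocalIndices())) {
                if (!this.filterSgIndex) {
                    this.auditLog.logSgIndexAttempt(actionRequest, action.name(), task);
                    this.log.warn("{} for '{}' index is not allowed for a regular user", action, SearchGuardPlugin.getProtectedIndices().printProtectedIndices());
                    return PrivilegesEvaluationResult.INSUFFICIENT.reason("Action requested index is not allowed for a regular user").missingPrivileges(action);
                }
                boolean replaced = this.actionRequestIntrospector.replaceIndices(actionRequest,
                        current -> ImmutableList.of(current.getLocalIndices())
                                .without(SearchGuardPlugin.getProtectedIndices().getProtectedPatterns())
                                .with(current.getRemoteIndices()),
                        actionRequestInfo);
                if (replaced) {
                    return PrivilegesEvaluationResult.PENDING;
                }
                // Deny rather than let the request run when the rewrite did not succeed.
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Filtered '{}' but resulting list is empty", SearchGuardPlugin.getProtectedIndices().printProtectedIndices());
                }
                return PrivilegesEvaluationResult.INSUFFICIENT.reason("No unprotected indices referenced").missingPrivileges(action);
            }
        }
        // Actions outside the deny list (and denied actions on unprotected indices) end up here.
        if (resolvedIndices.isLocalAll() || SearchGuardPlugin.getProtectedIndices().containsProtected(resolvedIndices.getLocalIndices())) {
            if (actionRequest instanceof SearchRequest) {
                ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
                this.log.debug("Disable search request cache for this request");
            }
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(false);
                this.log.debug("Disable realtime for this request");
            }
        }
        return PrivilegesEvaluationResult.PENDING;
    }
}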
