package com.floragunn.searchguard.authz;

import com.floragunn.searchguard.GuiceDependencies;
import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.configuration.ClusterInfoHolder;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.SnapshotRestoreHelper;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.tasks.Task;

/* loaded from: input_file:com/floragunn/searchguard/authz/SnapshotRestoreEvaluator.class */
public class SnapshotRestoreEvaluator {
    protected final Logger log = LogManager.getLogger(getClass());
    private final boolean enableSnapshotRestorePrivilege;
    private final AuditLog auditLog;
    private final boolean restoreSgIndexEnabled;
    private final GuiceDependencies guiceDependencies;

    public SnapshotRestoreEvaluator(Settings settings, AuditLog auditLog, GuiceDependencies guiceDependencies) {
        this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, true).booleanValue();
        this.restoreSgIndexEnabled = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_UNSUPPORTED_RESTORE_SGINDEX_ENABLED, false).booleanValue();
        this.auditLog = auditLog;
        this.guiceDependencies = guiceDependencies;
    }

    public PrivilegesEvaluationResult evaluate(ActionRequest actionRequest, Task task, Action action, ClusterInfoHolder clusterInfoHolder) {
        if (!(actionRequest instanceof RestoreSnapshotRequest)) {
            return PrivilegesEvaluationResult.PENDING;
        }
        if (!this.enableSnapshotRestorePrivilege) {
            this.log.warn(action + " is not allowed for a regular user");
            return PrivilegesEvaluationResult.INSUFFICIENT.reason("Action is not allowed for a non-admin user").missingPrivileges(action);
        }
        if (this.restoreSgIndexEnabled) {
            return PrivilegesEvaluationResult.PENDING;
        }
        if (clusterInfoHolder.isLocalNodeElectedMaster() == Boolean.FALSE) {
            return PrivilegesEvaluationResult.OK;
        }
        RestoreSnapshotRequest restoreSnapshotRequest = (RestoreSnapshotRequest) actionRequest;
        if (restoreSnapshotRequest.includeGlobalState()) {
            this.auditLog.logSgIndexAttempt(actionRequest, action.name(), task);
            this.log.warn(action + " with 'include_global_state' enabled is not allowed");
            return PrivilegesEvaluationResult.INSUFFICIENT.reason("Action with 'include_global_state' enabled is not allowed").missingPrivileges(action);
        }
        List<String> resolveOriginalIndices = SnapshotRestoreHelper.resolveOriginalIndices(restoreSnapshotRequest, this.guiceDependencies.getRepositoriesService());
        if (resolveOriginalIndices == null || !(SearchGuardPlugin.getProtectedIndices().containsProtected(resolveOriginalIndices) || resolveOriginalIndices.contains("_all") || resolveOriginalIndices.contains("*"))) {
            return PrivilegesEvaluationResult.PENDING;
        }
        this.auditLog.logSgIndexAttempt(actionRequest, action.name(), task);
        this.log.warn(action + " for '{}' as source index is not allowed", SearchGuardPlugin.getProtectedIndices().printProtectedIndices());
        return PrivilegesEvaluationResult.INSUFFICIENT.reason("Source index is protected").missingPrivileges(action);
    }
}
