package com.floragunn.searchguard.filter;

import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.action.whoami.WhoAmIAction;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authz.AuthorizationService;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.authz.SyncAuthorizationFilter;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.compliance.ComplianceConfig;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContextProviderRegistry;
import com.floragunn.searchguard.privileges.extended_action_handling.ExtendedActionHandlingService;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.support.SourceFieldsContext;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.diag.DiagnosticContext;
import java.util.Iterator;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.close.CloseIndexRequest;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.index.reindex.DeleteByQueryRequest;
import org.elasticsearch.index.reindex.UpdateByQueryRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/filter/SearchGuardFilter.class */
public class SearchGuardFilter implements ActionFilter {
    protected final Logger log = LogManager.getLogger(getClass());
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    private final PrivilegesEvaluator evalp;
    private final AdminDNs adminDns;
    private final ImmutableList<SyncAuthorizationFilter> syncAuthorizationFilters;
    private final AuditLog auditLog;
    private final ThreadContext threadContext;
    private final ClusterService cs;
    private final ComplianceConfig complianceConfig;
    private final SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry;
    private final ExtendedActionHandlingService extendedActionHandlingService;
    private final DiagnosticContext diagnosticContext;
    private final Actions actions;
    private final ActionRequestIntrospector actionRequestIntrospector;
    private final IndexNameExpressionResolver resolver;
    private final AuthorizationService authorizationService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/filter/SearchGuardFilter$ImmutableIndexActionListener.class */
    public static class ImmutableIndexActionListener<Response> implements ActionListener<Response> {
        private final ActionListener<Response> originalListener;
        private final AuditLog auditLog;
        private TransportRequest originalRequest;
        private String action;
        private Task task;

        public ImmutableIndexActionListener(ActionListener<Response> actionListener, AuditLog auditLog, TransportRequest transportRequest, String str, Task task) {
            this.originalListener = actionListener;
            this.auditLog = auditLog;
            this.originalRequest = transportRequest;
            this.action = str;
            this.task = task;
        }

        public void onResponse(Response response) {
            this.originalListener.onResponse(response);
        }

        public void onFailure(Exception exc) {
            if (!(exc instanceof VersionConflictEngineException)) {
                this.originalListener.onFailure(exc);
            } else {
                this.auditLog.logImmutableIndexAttempt(this.originalRequest, this.action, this.task);
                this.originalListener.onFailure(new ElasticsearchSecurityException("Index is immutable", RestStatus.FORBIDDEN, new Object[0]));
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/filter/SearchGuardFilter$ImmutableState.class */
    public enum ImmutableState {
        FAILURE,
        LISTENER
    }

    public SearchGuardFilter(AuthorizationService authorizationService, PrivilegesEvaluator privilegesEvaluator, AdminDNs adminDNs, ImmutableList<SyncAuthorizationFilter> immutableList, AuditLog auditLog, ThreadPool threadPool, ClusterService clusterService, DiagnosticContext diagnosticContext, ComplianceConfig complianceConfig, Actions actions, ActionRequestIntrospector actionRequestIntrospector, SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry, ExtendedActionHandlingService extendedActionHandlingService, NamedXContentRegistry namedXContentRegistry, IndexNameExpressionResolver indexNameExpressionResolver) {
        this.evalp = privilegesEvaluator;
        this.adminDns = adminDNs;
        this.syncAuthorizationFilters = immutableList;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
        this.cs = clusterService;
        this.complianceConfig = complianceConfig;
        this.specialPrivilegesEvaluationContextProviderRegistry = specialPrivilegesEvaluationContextProviderRegistry;
        this.extendedActionHandlingService = extendedActionHandlingService;
        this.diagnosticContext = diagnosticContext;
        this.actions = actions;
        this.actionRequestIntrospector = actionRequestIntrospector;
        this.resolver = indexNameExpressionResolver;
        this.authorizationService = authorizationService;
    }

    public int order() {
        return Integer.MIN_VALUE;
    }

    public <Request extends ActionRequest, Response extends ActionResponse> void apply(Task task, String str, Request request, ActionListener<Response> actionListener, ActionFilterChain<Request, Response> actionFilterChain) {
        this.specialPrivilegesEvaluationContextProviderRegistry.provide((User) this.threadContext.getTransient(ConfigConstants.SG_USER), this.threadContext, specialPrivilegesEvaluationContext -> {
            try {
                ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
                try {
                    apply0(task, str, request, actionListener, actionFilterChain, specialPrivilegesEvaluationContext);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                this.log.error(e);
                actionListener.onFailure(new ElasticsearchSecurityException("Unexpected exception " + str, RestStatus.INTERNAL_SERVER_ERROR, e, new Object[0]));
            }
        }, exc -> {
            this.log.error(exc);
            actionListener.onFailure(new ElasticsearchSecurityException("Unexpected exception " + str, RestStatus.INTERNAL_SERVER_ERROR, exc, new Object[0]));
        });
    }

    private <Request extends ActionRequest, Response extends ActionResponse> void apply0(Task task, String str, Request request, ActionListener<Response> actionListener, ActionFilterChain<Request, Response> actionFilterChain, SpecialPrivilegesEvaluationContext specialPrivilegesEvaluationContext) {
        try {
            if (this.threadContext.getTransient(ConfigConstants.SG_ORIGIN) == null) {
                this.threadContext.putTransient(ConfigConstants.SG_ORIGIN, AuditLog.Origin.LOCAL.toString());
            }
            if (this.complianceConfig != null && this.complianceConfig.isEnabled()) {
                attachSourceFieldContext(request);
            }
            User user = (User) this.threadContext.getTransient(ConfigConstants.SG_USER);
            boolean isUserAdmin = isUserAdmin(user, this.adminDns);
            boolean isInterClusterRequest = HeaderHelper.isInterClusterRequest(this.threadContext);
            boolean isTrustedClusterRequest = HeaderHelper.isTrustedClusterRequest(this.threadContext);
            boolean equals = "true".equals(HeaderHelper.getSafeFromHeader(this.threadContext, ConfigConstants.SG_CONF_REQUEST_HEADER));
            boolean z = str.equals("cluster:admin/searchguard/license/info") || str.startsWith("indices:admin/seq_no") || str.equals(WhoAmIAction.NAME);
            boolean z2 = (isInterClusterRequest || HeaderHelper.isDirectRequest(this.threadContext)) && str.startsWith("internal:") && !str.startsWith("internal:transport/proxy");
            this.diagnosticContext.addHeadersToLogContext(this.cs, this.threadContext);
            if (specialPrivilegesEvaluationContext != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("userIsAdmin: " + isUserAdmin + "\ninterClusterRequest: " + isInterClusterRequest + "\ntrustedClusterRequest: " + isTrustedClusterRequest + "\nconfRequest: " + equals + "\npassThroughRequest: " + z);
                    this.log.debug("Getting auth from specialPrivilegesEvaluationContext.\nOld user: " + user + "\nNew auth: " + specialPrivilegesEvaluationContext);
                    this.log.debug(this.threadContext.getHeaders());
                }
                user = specialPrivilegesEvaluationContext.getUser();
                if (user != null && this.threadContext.getTransient(ConfigConstants.SG_USER) == null) {
                    this.threadContext.putTransient(ConfigConstants.SG_USER, user);
                }
            }
            org.apache.logging.log4j.ThreadContext.put("user", user != null ? user.getName() : "n/a");
            if (this.actionTrace.isTraceEnabled()) {
                String str2 = request instanceof BulkRequest ? "" + ((BulkRequest) request).requests().size() : "";
                if (request instanceof MultiGetRequest) {
                    str2 = "" + ((MultiGetRequest) request).getItems().size();
                }
                if (request instanceof MultiSearchRequest) {
                    str2 = "" + ((MultiSearchRequest) request).requests().size();
                }
                this.actionTrace.trace("Node " + this.cs.localNode().getName() + " -> " + str + " (" + str2 + "): userIsAdmin=" + isUserAdmin + "/conRequest=" + equals + "/internalRequest=" + z2 + "origin=" + this.threadContext.getTransient(ConfigConstants.SG_ORIGIN) + "/directRequest=" + HeaderHelper.isDirectRequest(this.threadContext) + "/remoteAddress=" + request.remoteAddress());
                this.threadContext.putHeader("_sg_trace" + System.currentTimeMillis() + "#" + UUID.randomUUID().toString(), Thread.currentThread().getName() + " FILTER -> Node " + this.cs.localNode().getName() + " -> " + str + " userIsAdmin=" + isUserAdmin + "/conRequest=" + equals + "/internalRequest=" + z2 + "origin=" + this.threadContext.getTransient(ConfigConstants.SG_ORIGIN) + "/directRequest=" + HeaderHelper.isDirectRequest(this.threadContext) + "/remoteAddress=" + request.remoteAddress() + " " + this.threadContext.getHeaders().entrySet().stream().filter(entry -> {
                    return !((String) entry.getKey()).startsWith("_sg_trace");
                }).collect(Collectors.toMap(entry2 -> {
                    return (String) entry2.getKey();
                }, entry3 -> {
                    return (String) entry3.getValue();
                })));
            }
            if (isUserAdmin || equals || z2 || z) {
                if (isUserAdmin && !equals && !z2 && !z) {
                    this.auditLog.logGrantedPrivileges(str, request, task);
                }
                actionFilterChain.proceed(task, str, request, actionListener);
                return;
            }
            Action action = this.actions.get(str);
            if (this.complianceConfig != null && this.complianceConfig.isEnabled()) {
                if (request instanceof BulkShardRequest) {
                    for (BulkItemRequest bulkItemRequest : ((BulkShardRequest) request).items()) {
                        Tuple<ImmutableState, ActionListener> checkImmutableIndices = checkImmutableIndices(bulkItemRequest.request(), request, actionListener, str, task, this.auditLog);
                        if (checkImmutableIndices != null && checkImmutableIndices.v1() == ImmutableState.FAILURE) {
                            return;
                        }
                        if (checkImmutableIndices != null && checkImmutableIndices.v1() == ImmutableState.LISTENER) {
                            actionListener = (ActionListener) checkImmutableIndices.v2();
                        }
                    }
                } else {
                    Tuple<ImmutableState, ActionListener> checkImmutableIndices2 = checkImmutableIndices(request, request, actionListener, str, task, this.auditLog);
                    if (checkImmutableIndices2 != null && checkImmutableIndices2.v1() == ImmutableState.FAILURE) {
                        return;
                    }
                    if (checkImmutableIndices2 != null && checkImmutableIndices2.v1() == ImmutableState.LISTENER) {
                        actionListener = (ActionListener) checkImmutableIndices2.v2();
                    }
                }
            }
            if (AuditLog.Origin.LOCAL.toString().equals(this.threadContext.getTransient(ConfigConstants.SG_ORIGIN)) && (isInterClusterRequest || (HeaderHelper.isDirectRequest(this.threadContext) && (specialPrivilegesEvaluationContext == null || !specialPrivilegesEvaluationContext.requiresPrivilegeEvaluationForLocalRequests())))) {
                actionFilterChain.proceed(task, str, request, actionListener);
                return;
            }
            if (user == null) {
                if (str.startsWith("cluster:monitor/state")) {
                    actionFilterChain.proceed(task, str, request, actionListener);
                    return;
                } else {
                    this.log.error("No user found for " + str + " from " + request.remoteAddress() + " " + this.threadContext.getTransient(ConfigConstants.SG_ORIGIN) + " via " + this.threadContext.getTransient(ConfigConstants.SG_CHANNEL_TYPE) + " " + this.threadContext.getHeaders());
                    actionListener.onFailure(new ElasticsearchSecurityException("No user found for " + str, RestStatus.INTERNAL_SERVER_ERROR, new Object[0]));
                    return;
                }
            }
            PrivilegesEvaluator privilegesEvaluator = this.evalp;
            if (!privilegesEvaluator.isInitialized()) {
                this.log.error("Search Guard not initialized (SG11) for {}", str);
                actionListener.onFailure(new ElasticsearchSecurityException("Search Guard not initialized (SG11) for " + str + ". See https://docs.search-guard.com/latest/sgadmin", RestStatus.SERVICE_UNAVAILABLE, new Object[0]));
                return;
            }
            if (this.log.isTraceEnabled()) {
                this.log.trace("Evaluate permissions for user: {}", user.getName());
            }
            ImmutableSet<String> mappedRoles = this.authorizationService.getMappedRoles(user, specialPrivilegesEvaluationContext);
            PrivilegesEvaluationContext privilegesEvaluationContext = new PrivilegesEvaluationContext(user, mappedRoles, action, request, privilegesEvaluator.isDebugEnabled(), this.actionRequestIntrospector, specialPrivilegesEvaluationContext);
            PrivilegesEvaluationResult evaluate = privilegesEvaluator.evaluate(user, mappedRoles, str, request, task, privilegesEvaluationContext, specialPrivilegesEvaluationContext);
            if (!evaluate.isOk()) {
                this.auditLog.logMissingPrivileges(str, (TransportRequest) request, task);
                actionListener.onFailure(evaluate.toSecurityException(privilegesEvaluationContext));
                return;
            }
            this.auditLog.logGrantedPrivileges(str, request, task);
            if (this.threadContext.getHeader(ConfigConstants.SG_USER_NAME) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_USER_NAME, user.getName());
            }
            Iterator it = this.syncAuthorizationFilters.iterator();
            while (it.hasNext()) {
                SyncAuthorizationFilter.Result apply = ((SyncAuthorizationFilter) it.next()).apply(privilegesEvaluationContext, actionListener);
                if (apply.getStatus() != SyncAuthorizationFilter.Result.Status.OK) {
                    if (apply.getStatus() == SyncAuthorizationFilter.Result.Status.DENIED) {
                        actionListener.onFailure(apply.toSecurityException(privilegesEvaluationContext));
                        return;
                    } else if (apply.getStatus() == SyncAuthorizationFilter.Result.Status.INTERCEPTED) {
                        return;
                    }
                }
            }
            if (evaluate.hasAdditionalActionFilters()) {
                actionFilterChain = new ExtendedActionFilterChain(evaluate.getAdditionalActionFilters(), actionFilterChain);
            }
            Action.WellKnownAction<Request, ?, ?> wellKnown = action.wellKnown(request);
            if (wellKnown == null || !wellKnown.requiresSpecialProcessing()) {
                actionFilterChain.proceed(task, str, request, actionListener);
            } else {
                this.extendedActionHandlingService.apply(wellKnown, task, str, privilegesEvaluationContext, request, actionListener, actionFilterChain);
            }
        } catch (Exception e) {
            this.log.error("Exception while handling " + str + "; " + request, e);
            actionListener.onFailure(e);
        } catch (Throwable th) {
            this.log.error("Throwable while handling " + str + "; " + request, th);
            actionListener.onFailure(new RuntimeException(th));
        }
    }

    private static boolean isUserAdmin(User user, AdminDNs adminDNs) {
        return user != null && adminDNs.isAdmin(user);
    }

    private void attachSourceFieldContext(ActionRequest actionRequest) {
        if ((actionRequest instanceof SearchRequest) && SourceFieldsContext.isNeeded((SearchRequest) actionRequest)) {
            if (this.threadContext.getHeader("_sg_source_field_context") == null) {
                this.threadContext.putHeader("_sg_source_field_context", Base64Helper.serializeObject(new SourceFieldsContext((SearchRequest) actionRequest)));
                return;
            }
            return;
        }
        if ((actionRequest instanceof GetRequest) && SourceFieldsContext.isNeeded((GetRequest) actionRequest) && this.threadContext.getHeader("_sg_source_field_context") == null) {
            this.threadContext.putHeader("_sg_source_field_context", Base64Helper.serializeObject(new SourceFieldsContext((GetRequest) actionRequest)));
        }
    }

    private Tuple<ImmutableState, ActionListener> checkImmutableIndices(Object obj, TransportRequest transportRequest, ActionListener actionListener, String str, Task task, AuditLog auditLog) {
        if (((obj instanceof DeleteRequest) || (obj instanceof UpdateRequest) || (obj instanceof UpdateByQueryRequest) || (obj instanceof DeleteByQueryRequest) || (obj instanceof DeleteIndexRequest) || (obj instanceof RestoreSnapshotRequest) || (obj instanceof CloseIndexRequest) || (obj instanceof IndicesAliasesRequest)) && this.complianceConfig != null && this.complianceConfig.isIndexImmutable(str, obj)) {
            auditLog.logImmutableIndexAttempt(transportRequest, str, task);
            actionListener.onFailure(new ElasticsearchSecurityException("Index is immutable", RestStatus.FORBIDDEN, new Object[0]));
            return new Tuple<>(ImmutableState.FAILURE, actionListener);
        }
        if (!(obj instanceof IndexRequest) || this.complianceConfig == null || !this.complianceConfig.isIndexImmutable(str, obj)) {
            return null;
        }
        ((IndexRequest) obj).opType(DocWriteRequest.OpType.CREATE);
        return new Tuple<>(ImmutableState.LISTENER, new ImmutableIndexActionListener(actionListener, auditLog, transportRequest, str, task));
    }
}
