package com.floragunn.searchguard.authz;

import com.floragunn.codova.config.text.Pattern;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.GuiceDependencies;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.legacy.LegacySgConfig;
import com.floragunn.searchguard.authc.session.backend.SessionApi;
import com.floragunn.searchguard.authz.PrivilegesEvaluationResult;
import com.floragunn.searchguard.authz.config.ActionGroup;
import com.floragunn.searchguard.authz.config.AuthorizationConfig;
import com.floragunn.searchguard.authz.config.RoleMapping;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ClusterInfoHolder;
import com.floragunn.searchguard.configuration.ConfigMap;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.privileges.PrivilegesInterceptor;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContextProviderRegistry;
import com.floragunn.searchguard.rest.actions.Action;
import com.floragunn.searchguard.rest.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.rest.actions.Actions;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.StaticSettings;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.google.common.base.Strings;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.ClusterChangedEvent;
import org.elasticsearch.cluster.ClusterStateListener;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.IndexTemplateMetadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xcontent.NamedXContentRegistry;

/* loaded from: input_file:com/floragunn/searchguard/authz/PrivilegesEvaluator.class */
public class PrivilegesEvaluator implements ComponentStateProvider {
    private static final String USER_TENANT = "__user__";
    private final ClusterService clusterService;
    private final AuthorizationService authorizationService;
    private final IndexNameExpressionResolver resolver;
    private final AuditLog auditLog;
    private ThreadContext threadContext;
    private PrivilegesInterceptor privilegesInterceptor;
    private final boolean checkSnapshotRestoreWritePrivileges;
    private final ClusterInfoHolder clusterInfoHolder;
    private final ActionRequestIntrospector actionRequestIntrospector;
    private final SnapshotRestoreEvaluator snapshotRestoreEvaluator;
    private final SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry;
    private final Client localClient;
    private final Pattern adminOnlyActions;
    private final Pattern adminOnlyIndices;
    private final Actions actions;
    private String kibanaServerUsername;
    private String kibanaIndexName;
    static final StaticSettings.Attribute<Pattern> ADMIN_ONLY_ACTIONS = StaticSettings.Attribute.define("searchguard.admin_only_actions").withDefault(Pattern.createUnchecked("cluster:admin:searchguard:config/*", "cluster:admin:searchguard:internal/*", new String[0])).asPattern();
    static final StaticSettings.Attribute<Pattern> ADMIN_ONLY_INDICES = StaticSettings.Attribute.define("searchguard.admin_only_indices").withDefault(Pattern.createUnchecked("searchguard", ".searchguard", new String[]{".searchguard_*", ".signals_watches*", ".signals_accounts", ".signals_settings"})).asPattern();
    static final StaticSettings.Attribute<Boolean> CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES = StaticSettings.Attribute.define("searchguard.check_snapshot_restore_write_privileges").withDefault(true).asBoolean();
    static final StaticSettings.Attribute<Boolean> UNSUPPORTED_RESTORE_SGINDEX_ENABLED = StaticSettings.Attribute.define("searchguard.unsupported.restore.sgindex.enabled").withDefault(false).asBoolean();
    public static final StaticSettings.AttributeSet STATIC_SETTINGS = StaticSettings.AttributeSet.of(new StaticSettings.Attribute[]{ADMIN_ONLY_ACTIONS, ADMIN_ONLY_INDICES, CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, UNSUPPORTED_RESTORE_SGINDEX_ENABLED});
    private static final Logger log = LogManager.getLogger(PrivilegesEvaluator.class);
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    private final ComponentState componentState = new ComponentState(10, (String) null, "privileges_evaluator");
    private volatile AuthorizationConfig authzConfig = AuthorizationConfig.DEFAULT;
    private volatile RoleBasedActionAuthorization actionAuthorization = null;
    private volatile boolean kibanaIndexTemplateFixApplied = false;

    public PrivilegesEvaluator(Client client, final ClusterService clusterService, ThreadPool threadPool, ConfigurationRepository configurationRepository, AuthorizationService authorizationService, IndexNameExpressionResolver indexNameExpressionResolver, AuditLog auditLog, final StaticSettings staticSettings, ClusterInfoHolder clusterInfoHolder, final Actions actions, ActionRequestIntrospector actionRequestIntrospector, SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry, GuiceDependencies guiceDependencies, NamedXContentRegistry namedXContentRegistry, boolean z) {
        this.clusterService = clusterService;
        this.resolver = indexNameExpressionResolver;
        this.auditLog = auditLog;
        this.localClient = client;
        this.authorizationService = authorizationService;
        this.threadContext = threadPool.getThreadContext();
        this.checkSnapshotRestoreWritePrivileges = ((Boolean) staticSettings.get(CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES)).booleanValue();
        this.clusterInfoHolder = clusterInfoHolder;
        this.specialPrivilegesEvaluationContextProviderRegistry = specialPrivilegesEvaluationContextProviderRegistry;
        this.actions = actions;
        this.actionRequestIntrospector = actionRequestIntrospector;
        this.snapshotRestoreEvaluator = new SnapshotRestoreEvaluator(auditLog, guiceDependencies, ((Boolean) staticSettings.get(UNSUPPORTED_RESTORE_SGINDEX_ENABLED)).booleanValue());
        this.adminOnlyActions = (Pattern) staticSettings.get(ADMIN_ONLY_ACTIONS);
        this.adminOnlyIndices = (Pattern) staticSettings.get(ADMIN_ONLY_INDICES);
        configurationRepository.subscribeOnChange(new ConfigurationChangeListener() { // from class: com.floragunn.searchguard.authz.PrivilegesEvaluator.1
            @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
            public void onChange(ConfigMap configMap) {
                SgDynamicConfiguration sgDynamicConfiguration = configMap.get(CType.AUTHZ);
                SgDynamicConfiguration sgDynamicConfiguration2 = configMap.get(CType.CONFIG);
                AuthorizationConfig authorizationConfig = AuthorizationConfig.DEFAULT;
                if (sgDynamicConfiguration != null && sgDynamicConfiguration.getCEntry("default") != null) {
                    PrivilegesEvaluator privilegesEvaluator = PrivilegesEvaluator.this;
                    AuthorizationConfig authorizationConfig2 = (AuthorizationConfig) sgDynamicConfiguration.getCEntry("default");
                    authorizationConfig = authorizationConfig2;
                    privilegesEvaluator.authzConfig = authorizationConfig2;
                    PrivilegesEvaluator.log.info("Updated authz config:\n" + sgDynamicConfiguration);
                    if (PrivilegesEvaluator.log.isDebugEnabled()) {
                        PrivilegesEvaluator.log.debug(authorizationConfig);
                    }
                } else if (sgDynamicConfiguration2 != null && sgDynamicConfiguration2.getCEntry("sg_config") != null) {
                    try {
                        LegacySgConfig legacySgConfig = (LegacySgConfig) sgDynamicConfiguration2.getCEntry("sg_config");
                        PrivilegesEvaluator privilegesEvaluator2 = PrivilegesEvaluator.this;
                        AuthorizationConfig parseLegacySgConfig = AuthorizationConfig.parseLegacySgConfig(legacySgConfig.getSource(), null, staticSettings);
                        authorizationConfig = parseLegacySgConfig;
                        privilegesEvaluator2.authzConfig = parseLegacySgConfig;
                        PrivilegesEvaluator.log.info("Updated authz config (legacy):\n" + sgDynamicConfiguration2);
                        if (PrivilegesEvaluator.log.isDebugEnabled()) {
                            PrivilegesEvaluator.log.debug(authorizationConfig);
                        }
                    } catch (ConfigValidationException e) {
                        PrivilegesEvaluator.log.error("Error while parsing sg_config:\n" + e);
                    }
                }
                SgDynamicConfiguration sgDynamicConfiguration3 = configMap.get(CType.ROLES);
                SgDynamicConfiguration sgDynamicConfiguration4 = configMap.get(CType.TENANTS);
                ActionGroup.FlattenedIndex flattenedIndex = configMap.get(CType.ACTIONGROUPS) != null ? new ActionGroup.FlattenedIndex(configMap.get(CType.ACTIONGROUPS)) : ActionGroup.FlattenedIndex.EMPTY;
                PrivilegesEvaluator.this.actionAuthorization = new RoleBasedActionAuthorization(sgDynamicConfiguration3, flattenedIndex, actions, clusterService.state().metadata().indices().keySet(), sgDynamicConfiguration4.getCEntries().keySet(), PrivilegesEvaluator.this.adminOnlyIndices, authorizationConfig.getMetricsLevel());
                PrivilegesEvaluator.this.componentState.setConfigVersion(configMap.getVersionsAsString());
                PrivilegesEvaluator.this.componentState.replacePart(PrivilegesEvaluator.this.actionAuthorization.getComponentState());
                PrivilegesEvaluator.this.componentState.replacePart(flattenedIndex.getComponentState());
                PrivilegesEvaluator.this.componentState.updateStateFromParts();
            }
        });
        clusterService.addListener(new ClusterStateListener() { // from class: com.floragunn.searchguard.authz.PrivilegesEvaluator.2
            public void clusterChanged(ClusterChangedEvent clusterChangedEvent) {
                RoleBasedActionAuthorization roleBasedActionAuthorization = PrivilegesEvaluator.this.actionAuthorization;
                if (roleBasedActionAuthorization != null) {
                    roleBasedActionAuthorization.updateIndices(clusterChangedEvent.state().metadata().indices().keySet());
                }
            }
        });
    }

    public boolean isInitialized() {
        return this.actionAuthorization != null;
    }

    public PrivilegesEvaluationResult evaluate(User user, ImmutableSet<String> immutableSet, String str, ActionRequest actionRequest, Task task, PrivilegesEvaluationContext privilegesEvaluationContext, SpecialPrivilegesEvaluationContext specialPrivilegesEvaluationContext) {
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Search Guard is not initialized.", new Object[0]);
        }
        if (str.startsWith("internal:indices/admin/upgrade")) {
            str = "indices:admin/upgrade";
        }
        Action action = this.actions.get(str);
        if (this.adminOnlyActions.matches(str)) {
            log.info("Action " + str + " is reserved for users authenticating with an admin certificate");
            return PrivilegesEvaluationResult.INSUFFICIENT.reason("Action is reserved for users authenticating with an admin certificate").missingPrivileges(action);
        }
        if (!SessionApi.DeleteAction.NAME.equals(str) && !action.isOpen()) {
            AuthorizationConfig authorizationConfig = this.authzConfig;
            ActionAuthorization actionAuthorization = specialPrivilegesEvaluationContext == null ? this.actionAuthorization : specialPrivilegesEvaluationContext.getActionAuthorization();
            try {
                if ((actionRequest instanceof BulkRequest) && Strings.isNullOrEmpty(user.getRequestedTenant())) {
                    PrivilegesEvaluationResult hasClusterPermission = actionAuthorization.hasClusterPermission(privilegesEvaluationContext, action);
                    if (hasClusterPermission.getStatus() != PrivilegesEvaluationResult.Status.OK) {
                        log.info("No cluster-level permission for {} [Action [{}]] [RolesChecked {}]\n{}", user, str, immutableSet, hasClusterPermission);
                        return hasClusterPermission;
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("Taking shortcut for BulkRequest; user: " + user);
                    }
                    return hasClusterPermission;
                }
                ActionRequestIntrospector.ActionRequestInfo actionRequestInfo = this.actionRequestIntrospector.getActionRequestInfo(str, actionRequest);
                if (log.isDebugEnabled()) {
                    if (actionRequestInfo.isUnknown()) {
                        log.debug("### evaluate UNKNOWN " + str + " (" + actionRequest.getClass().getName() + ")\nUser: " + user + "\nspecialPrivilegesEvaluationContext: " + specialPrivilegesEvaluationContext);
                    } else if (actionRequestInfo.isIndexRequest()) {
                        log.debug("### evaluate " + str + " (" + actionRequest.getClass().getName() + ")\nUser: " + user + "\nspecialPrivilegesEvaluationContext: " + specialPrivilegesEvaluationContext + "\nResolved: " + actionRequestInfo.getResolvedIndices() + "\nUresolved: " + actionRequestInfo.getUnresolved() + "\nIgnoreUnauthorizedIndices: " + authorizationConfig.isIgnoreUnauthorizedIndices());
                    } else {
                        log.debug("### evaluate " + str + " (" + actionRequest.getClass().getName() + ")\nUser: " + user + "\nspecialPrivilegesEvaluationContext: " + specialPrivilegesEvaluationContext);
                    }
                }
                PrivilegesEvaluationResult evaluate = this.snapshotRestoreEvaluator.evaluate(actionRequest, task, action, this.clusterInfoHolder);
                if (!evaluate.isPending()) {
                    return evaluate;
                }
                if (!action.isClusterPrivilege()) {
                    if (action.isTenantPrivilege()) {
                        PrivilegesEvaluationResult hasTenantPermission = hasTenantPermission(user, immutableSet, action, actionAuthorization, privilegesEvaluationContext);
                        if (!hasTenantPermission.isOk()) {
                            log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]:\n{}", "tenant", user, actionRequestInfo, str, immutableSet, hasTenantPermission);
                            return hasTenantPermission;
                        }
                        if (log.isTraceEnabled()) {
                            log.trace("Allowing as tenant privilege: " + str);
                        }
                        return hasTenantPermission;
                    }
                    if (checkDocWhitelistHeader(user, str, actionRequest)) {
                        if (log.isTraceEnabled()) {
                            log.trace("Allowing due to doc whitelist: " + str);
                        }
                        return PrivilegesEvaluationResult.OK;
                    }
                    ImmutableSet<Action> expandPrivileges = action.expandPrivileges(actionRequest);
                    if (log.isDebugEnabled() && (expandPrivileges.size() > 1 || !expandPrivileges.contains(action))) {
                        log.debug("Expanded index privileges: " + expandPrivileges);
                    }
                    return evaluateIndexPrivileges(user, str, expandPrivileges, actionRequest, task, actionRequestInfo, immutableSet, authorizationConfig, actionAuthorization, specialPrivilegesEvaluationContext, privilegesEvaluationContext);
                }
                PrivilegesEvaluationResult hasClusterPermission2 = actionAuthorization.hasClusterPermission(privilegesEvaluationContext, action);
                if (hasClusterPermission2.getStatus() != PrivilegesEvaluationResult.Status.OK) {
                    log.info("### No cluster privileges for {} ({})\nUser: {}\nRoles: {}\n{}", action, actionRequest.getClass().getName(), user, immutableSet, hasClusterPermission2);
                    return hasClusterPermission2;
                }
                if ((actionRequest instanceof RestoreSnapshotRequest) && this.checkSnapshotRestoreWritePrivileges) {
                    return evaluateIndexPrivileges(user, str, action.expandPrivileges(actionRequest), actionRequest, task, actionRequestInfo, immutableSet, authorizationConfig, actionAuthorization, specialPrivilegesEvaluationContext, privilegesEvaluationContext);
                }
                if (this.privilegesInterceptor != null) {
                    PrivilegesInterceptor.InterceptionResult replaceKibanaIndex = this.privilegesInterceptor.replaceKibanaIndex(privilegesEvaluationContext, actionRequest, action, actionAuthorization);
                    if (log.isDebugEnabled()) {
                        log.debug("Result from privileges interceptor for cluster perm: {}", replaceKibanaIndex);
                    }
                    if (replaceKibanaIndex == PrivilegesInterceptor.InterceptionResult.DENY) {
                        this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
                        return PrivilegesEvaluationResult.INSUFFICIENT.reason("Denied due to multi-tenancy settings");
                    }
                    if (replaceKibanaIndex == PrivilegesInterceptor.InterceptionResult.ALLOW) {
                        return PrivilegesEvaluationResult.OK;
                    }
                }
                ImmutableSet<Action> additionalPrivileges = action.getAdditionalPrivileges(actionRequest);
                if (additionalPrivileges.isEmpty()) {
                    if (log.isTraceEnabled()) {
                        log.trace("Allowing as cluster privilege: " + str);
                    }
                    return PrivilegesEvaluationResult.OK;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Additional privileges required: " + additionalPrivileges);
                }
                return evaluateAdditionalPrivileges(user, str, additionalPrivileges, actionRequest, task, actionRequestInfo, immutableSet, authorizationConfig, actionAuthorization, specialPrivilegesEvaluationContext, privilegesEvaluationContext);
            } catch (Exception e) {
                log.error("Error while evaluating " + str + " (" + actionRequest.getClass().getName() + ")", e);
                return PrivilegesEvaluationResult.INSUFFICIENT.with(ImmutableList.of(new PrivilegesEvaluationResult.Error(e.getMessage(), e)));
            }
        }
        return PrivilegesEvaluationResult.OK;
    }

    private PrivilegesEvaluationResult evaluateIndexPrivileges(User user, String str, ImmutableSet<Action> immutableSet, ActionRequest actionRequest, Task task, ActionRequestIntrospector.ActionRequestInfo actionRequestInfo, ImmutableSet<String> immutableSet2, AuthorizationConfig authorizationConfig, ActionAuthorization actionAuthorization, SpecialPrivilegesEvaluationContext specialPrivilegesEvaluationContext, PrivilegesEvaluationContext privilegesEvaluationContext) throws PrivilegesEvaluationException {
        ActionFilter actionFilter = null;
        if (actionRequestInfo.getResolvedIndices().containsOnlyRemoteIndices()) {
            log.debug("Request contains only remote indices. We can skip all further checks and let requests be handled by remote cluster: " + str);
            return PrivilegesEvaluationResult.OK;
        }
        if (log.isDebugEnabled()) {
            log.debug("requested resolved indextypes: {}", actionRequestInfo);
        }
        if (!this.kibanaIndexTemplateFixApplied && user.getName().equals(this.kibanaServerUsername) && (((actionRequest instanceof ResizeRequest) && ((ResizeRequest) actionRequest).getSourceIndex().startsWith(this.kibanaIndexName) && ((ResizeRequest) actionRequest).getSourceIndex().endsWith("_reindex_temp")) || ((actionRequest instanceof CreateIndexRequest) && ((CreateIndexRequest) actionRequest).index().startsWith(this.kibanaIndexName)))) {
            this.kibanaIndexTemplateFixApplied = true;
            IndexTemplateMetadata indexTemplateMetadata = (IndexTemplateMetadata) this.clusterService.state().getMetadata().getTemplates().get("tenant_template");
            if (indexTemplateMetadata != null && indexTemplateMetadata.patterns().size() > 0 && ((String) indexTemplateMetadata.patterns().get(0)).startsWith(this.kibanaIndexName)) {
                actionFilter = new ActionFilter() { // from class: com.floragunn.searchguard.authz.PrivilegesEvaluator.3
                    public int order() {
                        return 0;
                    }

                    public <Request extends ActionRequest, Response extends ActionResponse> void apply(final Task task2, final String str2, final Request request, final ActionListener<Response> actionListener, final ActionFilterChain<Request, Response> actionFilterChain) {
                        PrivilegesEvaluator.this.localClient.admin().indices().deleteTemplate(new DeleteIndexTemplateRequest("tenant_template"), new ActionListener<AcknowledgedResponse>() { // from class: com.floragunn.searchguard.authz.PrivilegesEvaluator.3.1
                            public void onResponse(AcknowledgedResponse acknowledgedResponse) {
                                PrivilegesEvaluator.log.info("Deleted obsolete tenant_template");
                                actionFilterChain.proceed(task2, str2, request, actionListener);
                            }

                            public void onFailure(Exception exc) {
                                PrivilegesEvaluator.log.error("Error while deleting tenant_template. Ignoring.", exc);
                                actionFilterChain.proceed(task2, str2, request, actionListener);
                            }
                        });
                    }
                };
            }
        }
        if (this.privilegesInterceptor != null) {
            PrivilegesInterceptor.InterceptionResult replaceKibanaIndex = this.privilegesInterceptor.replaceKibanaIndex(privilegesEvaluationContext, actionRequest, this.actions.get(str), actionAuthorization);
            if (log.isDebugEnabled()) {
                log.debug("Result from privileges interceptor: {}", replaceKibanaIndex);
            }
            if (replaceKibanaIndex == PrivilegesInterceptor.InterceptionResult.DENY) {
                this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
                return PrivilegesEvaluationResult.INSUFFICIENT.reason("Denied due to multi-tenancy settings");
            }
            if (replaceKibanaIndex == PrivilegesInterceptor.InterceptionResult.ALLOW) {
                return PrivilegesEvaluationResult.OK.with(actionFilter);
            }
        }
        boolean z = authorizationConfig.isIgnoreUnauthorizedIndices() && authorizationConfig.getIgnoreUnauthorizedIndicesActions().matches(str) && (actionRequestInfo.ignoreUnavailable() || actionRequestInfo.containsWildcards());
        if (!z) {
            privilegesEvaluationContext.setResolveLocalAll(false);
        }
        ImmutableSet<Action> matching = immutableSet.matching((v0) -> {
            return v0.isIndexPrivilege();
        });
        ImmutableSet matching2 = immutableSet.matching((v0) -> {
            return v0.isClusterPrivilege();
        });
        if (!matching2.isEmpty()) {
            UnmodifiableIterator it = matching2.iterator();
            while (it.hasNext()) {
                Action action = (Action) it.next();
                PrivilegesEvaluationResult hasClusterPermission = actionAuthorization.hasClusterPermission(privilegesEvaluationContext, action);
                if (hasClusterPermission.getStatus() != PrivilegesEvaluationResult.Status.OK) {
                    if (log.isEnabled(Level.INFO)) {
                        log.info("### No cluster privileges for " + action + " (" + actionRequest.getClass().getName() + ")\nUser: " + user + "\nResolved Indices: " + actionRequestInfo.getResolvedIndices() + "\nUnresolved: " + actionRequestInfo.getUnresolved() + "\nRoles: " + immutableSet2 + "\n" + hasClusterPermission);
                    }
                    return hasClusterPermission;
                }
            }
        }
        PrivilegesEvaluationResult hasIndexPermission = actionAuthorization.hasIndexPermission(privilegesEvaluationContext, matching, actionRequestInfo.getResolvedIndices());
        if (log.isTraceEnabled()) {
            log.trace("Result from privileges evaluation: " + hasIndexPermission.getStatus() + "\n" + hasIndexPermission);
        }
        if (hasIndexPermission.getStatus() == PrivilegesEvaluationResult.Status.PARTIALLY_OK) {
            if (z) {
                if (log.isDebugEnabled()) {
                    log.debug("DNF: Reducing indices to " + hasIndexPermission.getAvailableIndices() + "\n" + hasIndexPermission);
                }
                hasIndexPermission = this.actionRequestIntrospector.reduceIndices(str, actionRequest, hasIndexPermission.getAvailableIndices(), actionRequestInfo);
            } else {
                hasIndexPermission = hasIndexPermission.status(PrivilegesEvaluationResult.Status.INSUFFICIENT);
            }
        } else if (hasIndexPermission.getStatus() == PrivilegesEvaluationResult.Status.INSUFFICIENT && z) {
            if (!actionRequestInfo.getResolvedIndices().getRemoteIndices().isEmpty()) {
                hasIndexPermission = this.actionRequestIntrospector.reduceIndices(str, actionRequest, ImmutableSet.empty(), actionRequestInfo);
            } else if (authorizationConfig.getIgnoreUnauthorizedIndicesActionsAllowingEmptyResult().matches(str)) {
                if (log.isTraceEnabled()) {
                    log.trace("Changing result from INSUFFICIENT to EMPTY");
                }
                hasIndexPermission = hasIndexPermission.status(PrivilegesEvaluationResult.Status.EMPTY);
            }
        }
        if (hasIndexPermission.getStatus() == PrivilegesEvaluationResult.Status.EMPTY) {
            if (this.actionRequestIntrospector.forceEmptyResult(actionRequest)) {
                if (log.isDebugEnabled()) {
                    log.debug("DNF: Reducing indices to yield an empty result\n" + hasIndexPermission);
                }
                hasIndexPermission = hasIndexPermission.status(PrivilegesEvaluationResult.Status.OK);
            } else {
                log.warn("DNFOF for empty results is not available for " + str + " (" + actionRequest.getClass().getName() + ")");
            }
        }
        if (hasIndexPermission.getStatus() != PrivilegesEvaluationResult.Status.OK) {
            Level level = hasIndexPermission.hasErrors() ? Level.WARN : Level.INFO;
            if (log.isEnabled(level)) {
                log.log(level, "### No index privileges for " + str + " (" + actionRequest.getClass().getName() + ")\nUser: " + user + "\nResolved Indices: " + actionRequestInfo.getResolvedIndices() + "\nUnresolved: " + actionRequestInfo.getUnresolved() + "\nRoles: " + immutableSet2 + "\nRequired Privileges: " + matching + "\n" + hasIndexPermission);
            }
            return hasIndexPermission;
        }
        if (actionRequest instanceof ResizeRequest) {
            if (log.isDebugEnabled()) {
                log.debug("Checking additional create index action for resize operation: " + actionRequest);
            }
            PrivilegesEvaluationResult evaluate = evaluate(user, immutableSet2, "indices:admin/create", ((ResizeRequest) actionRequest).getTargetIndexRequest(), task, privilegesEvaluationContext, specialPrivilegesEvaluationContext);
            if (!evaluate.isOk()) {
                return evaluate;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Allowed because we have all indices permissions for " + matching);
        }
        return PrivilegesEvaluationResult.OK;
    }

    private PrivilegesEvaluationResult evaluateAdditionalPrivileges(User user, String str, ImmutableSet<Action> immutableSet, ActionRequest actionRequest, Task task, ActionRequestIntrospector.ActionRequestInfo actionRequestInfo, ImmutableSet<String> immutableSet2, AuthorizationConfig authorizationConfig, ActionAuthorization actionAuthorization, SpecialPrivilegesEvaluationContext specialPrivilegesEvaluationContext, PrivilegesEvaluationContext privilegesEvaluationContext) throws PrivilegesEvaluationException {
        if (immutableSet.forAllApplies(action -> {
            return action.isIndexPrivilege();
        })) {
            return evaluateIndexPrivileges(user, str, immutableSet, actionRequest, task, actionRequestInfo, immutableSet2, authorizationConfig, actionAuthorization, specialPrivilegesEvaluationContext, privilegesEvaluationContext);
        }
        ImmutableSet<Action> empty = ImmutableSet.empty();
        UnmodifiableIterator it = immutableSet.iterator();
        while (it.hasNext()) {
            Action action2 = (Action) it.next();
            if (action2.isClusterPrivilege()) {
                PrivilegesEvaluationResult hasClusterPermission = actionAuthorization.hasClusterPermission(privilegesEvaluationContext, action2);
                if (hasClusterPermission.getStatus() != PrivilegesEvaluationResult.Status.OK) {
                    log.info("Additional privilege missing: " + hasClusterPermission);
                    return hasClusterPermission;
                }
            } else if (action2.isTenantPrivilege()) {
                PrivilegesEvaluationResult hasTenantPermission = hasTenantPermission(user, immutableSet2, action2, actionAuthorization, privilegesEvaluationContext);
                if (hasTenantPermission.getStatus() != PrivilegesEvaluationResult.Status.OK) {
                    log.info("Additional privilege missing: " + hasTenantPermission);
                    return hasTenantPermission;
                }
            } else if (action2.isIndexPrivilege()) {
                empty = empty.with(action2);
            }
        }
        if (!empty.isEmpty()) {
            return evaluateIndexPrivileges(user, str, empty, actionRequest, task, actionRequestInfo, immutableSet2, authorizationConfig, actionAuthorization, specialPrivilegesEvaluationContext, privilegesEvaluationContext);
        }
        if (log.isTraceEnabled()) {
            log.trace("Allowing: " + str);
        }
        return PrivilegesEvaluationResult.OK;
    }

    public Set<String> getAllConfiguredTenantNames() {
        return this.actionAuthorization.getTenants();
    }

    public boolean multitenancyEnabled() {
        return this.privilegesInterceptor != null && this.privilegesInterceptor.isEnabled();
    }

    public String getKibanaServerUser() {
        return this.privilegesInterceptor != null ? this.privilegesInterceptor.getKibanaServerUser() : "kibanaserver";
    }

    public String getKibanaIndex() {
        if (this.privilegesInterceptor != null) {
            return this.privilegesInterceptor.getKibanaIndex();
        }
        return null;
    }

    public boolean notFailOnForbiddenEnabled() {
        return this.authzConfig.isIgnoreUnauthorizedIndices();
    }

    public static boolean isTenantPerm(String str) {
        return str.startsWith("cluster:admin:searchguard:tenant:");
    }

    public Map<String, Boolean> mapTenants(User user, Set<String> set) {
        return this.privilegesInterceptor != null ? this.privilegesInterceptor.mapTenants(user, ImmutableSet.of(set), this.actionAuthorization) : ImmutableMap.empty();
    }

    public Map<String, Boolean> evaluateClusterAndTenantPrivileges(User user, TransportAddress transportAddress, Collection<String> collection) {
        if (collection == null || collection.isEmpty() || user == null) {
            log.debug("Privileges or user empty");
            return Collections.emptyMap();
        }
        ImmutableSet<String> mappedRoles = this.authorizationService.getMappedRoles(user, transportAddress);
        String requestedTenant = getRequestedTenant(user);
        PrivilegesEvaluationContext privilegesEvaluationContext = new PrivilegesEvaluationContext(user, mappedRoles, null, null, this.authzConfig.isDebugEnabled(), this.actionRequestIntrospector, null);
        HashMap hashMap = new HashMap();
        boolean isTenantValid = isTenantValid(requestedTenant);
        if (!isTenantValid) {
            log.info("Invalid tenant: " + requestedTenant + "; user: " + user);
        }
        for (String str : collection) {
            Action action = this.actions.get(str);
            try {
                if (!action.isTenantPrivilege()) {
                    hashMap.put(str, Boolean.valueOf(this.actionAuthorization.hasClusterPermission(privilegesEvaluationContext, action).getStatus() == PrivilegesEvaluationResult.Status.OK));
                } else if (isTenantValid) {
                    hashMap.put(str, Boolean.valueOf(this.actionAuthorization.hasTenantPermission(privilegesEvaluationContext, action, requestedTenant).getStatus() == PrivilegesEvaluationResult.Status.OK));
                } else {
                    hashMap.put(str, false);
                }
            } catch (PrivilegesEvaluationException e) {
                log.error("Error while evaluating " + str + " for " + user, e);
                hashMap.put(str, false);
            }
        }
        return hashMap;
    }

    private boolean isTenantValid(String str) {
        if ("SGS_GLOBAL_TENANT".equals(str) || "__user__".equals(str)) {
            return true;
        }
        return getAllConfiguredTenantNames().contains(str);
    }

    private PrivilegesEvaluationResult hasTenantPermission(User user, ImmutableSet<String> immutableSet, Action action, ActionAuthorization actionAuthorization, PrivilegesEvaluationContext privilegesEvaluationContext) throws PrivilegesEvaluationException {
        String requestedTenant = !Strings.isNullOrEmpty(user.getRequestedTenant()) ? user.getRequestedTenant() : "SGS_GLOBAL_TENANT";
        if (multitenancyEnabled() || "SGS_GLOBAL_TENANT".equals(requestedTenant)) {
            return actionAuthorization.hasTenantPermission(privilegesEvaluationContext, action, requestedTenant);
        }
        log.warn("Denying request to non-default tenant because MT is disabled: " + requestedTenant);
        return PrivilegesEvaluationResult.INSUFFICIENT.reason("Multi-tenancy is disabled");
    }

    private String getRequestedTenant(User user) {
        String requestedTenant = user.getRequestedTenant();
        return (Strings.isNullOrEmpty(requestedTenant) || !multitenancyEnabled()) ? "SGS_GLOBAL_TENANT" : requestedTenant;
    }

    public boolean hasClusterPermission(User user, String str, TransportAddress transportAddress) throws PrivilegesEvaluationException {
        ImmutableSet<String> mappedRoles;
        ActionAuthorization actionAuthorization;
        SpecialPrivilegesEvaluationContext provide = this.specialPrivilegesEvaluationContextProviderRegistry.provide(user, this.threadContext);
        if (provide != null) {
            user = provide.getUser();
        }
        if (provide == null) {
            mappedRoles = this.authorizationService.getMappedRoles(user, transportAddress);
            actionAuthorization = this.actionAuthorization;
        } else {
            mappedRoles = provide.getMappedRoles();
            actionAuthorization = provide.getActionAuthorization();
        }
        Action action = this.actions.get(str);
        return actionAuthorization.hasClusterPermission(new PrivilegesEvaluationContext(user, mappedRoles, action, null, this.authzConfig.isDebugEnabled(), this.actionRequestIntrospector, provide), action).getStatus() == PrivilegesEvaluationResult.Status.OK;
    }

    public boolean hasClusterPermissions(User user, List<String> list, TransportAddress transportAddress) throws PrivilegesEvaluationException {
        ImmutableSet<String> mappedRoles;
        ActionAuthorization actionAuthorization;
        if (list.isEmpty()) {
            return true;
        }
        SpecialPrivilegesEvaluationContext provide = this.specialPrivilegesEvaluationContextProviderRegistry.provide(user, this.threadContext);
        if (provide != null) {
            user = provide.getUser();
        }
        if (provide == null) {
            mappedRoles = this.authorizationService.getMappedRoles(user, transportAddress);
            actionAuthorization = this.actionAuthorization;
        } else {
            mappedRoles = provide.getMappedRoles();
            actionAuthorization = provide.getActionAuthorization();
        }
        PrivilegesEvaluationContext privilegesEvaluationContext = new PrivilegesEvaluationContext(user, mappedRoles, null, null, this.authzConfig.isDebugEnabled(), this.actionRequestIntrospector, null);
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            if (actionAuthorization.hasClusterPermission(privilegesEvaluationContext, this.actions.get(it.next())).getStatus() != PrivilegesEvaluationResult.Status.OK) {
                return false;
            }
        }
        return true;
    }

    public boolean hasClusterPermissions(String str, PrivilegesEvaluationContext privilegesEvaluationContext) throws PrivilegesEvaluationException {
        return (privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext() == null ? this.actionAuthorization : privilegesEvaluationContext.getSpecialPrivilegesEvaluationContext().getActionAuthorization()).hasClusterPermission(privilegesEvaluationContext, this.actions.get(str)).getStatus() == PrivilegesEvaluationResult.Status.OK;
    }

    private boolean checkDocWhitelistHeader(User user, String str, ActionRequest actionRequest) {
        String header = this.threadContext.getHeader(ConfigConstants.SG_DOC_WHITELST_HEADER);
        if (header == null || !(actionRequest instanceof GetRequest)) {
            return false;
        }
        try {
            DocumentWhitelist parse = DocumentWhitelist.parse(header);
            GetRequest getRequest = (GetRequest) actionRequest;
            if (!parse.isWhitelisted(getRequest.index(), getRequest.id())) {
                return false;
            }
            if (!log.isDebugEnabled()) {
                return true;
            }
            log.debug("Request " + actionRequest + " is whitelisted by " + parse);
            return true;
        } catch (Exception e) {
            log.error("Error while handling document whitelist: " + header, e);
            return false;
        }
    }

    public PrivilegesInterceptor getPrivilegesInterceptor() {
        return this.privilegesInterceptor;
    }

    public void setPrivilegesInterceptor(PrivilegesInterceptor privilegesInterceptor) {
        this.privilegesInterceptor = privilegesInterceptor;
    }

    public RoleBasedActionAuthorization getActionAuthorization() {
        return this.actionAuthorization;
    }

    public RoleMapping.ResolutionMode getRolesMappingResolution() {
        return this.authzConfig.getRoleMappingResolution();
    }

    public ActionGroup.FlattenedIndex getActionGroups() {
        return this.actionAuthorization.getActionGroups();
    }

    public ClusterService getClusterService() {
        return this.clusterService;
    }

    public IndexNameExpressionResolver getResolver() {
        return this.resolver;
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }

    public boolean isDebugEnabled() {
        return this.authzConfig.isDebugEnabled();
    }
}
