package com.floragunn.searchguard.transport;

import com.floragunn.searchguard.GuiceDependencies;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.ClusterInfoHolder;
import com.floragunn.searchguard.ssl.SslExceptionHandler;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.diag.DiagnosticContext;
import com.google.common.collect.Maps;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.Executor;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsResponse;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchShardsResponse;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportException;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;

/* loaded from: input_file:com/floragunn/searchguard/transport/SearchGuardInterceptor.class */
public class SearchGuardInterceptor {
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    protected static final Logger log = LogManager.getLogger(SearchGuardInterceptor.class);
    private AuditLog auditLog;
    private final ThreadPool threadPool;
    private final PrincipalExtractor principalExtractor;
    private final InterClusterRequestEvaluator requestEvalProvider;
    private final ClusterService cs;
    private final SslExceptionHandler sslExceptionHandler;
    private final ClusterInfoHolder clusterInfoHolder;
    private final List<Pattern> customAllowedHeaderPatterns;
    private final DiagnosticContext diagnosticContext;
    private final GuiceDependencies guiceDependencies;
    private final AdminDNs adminDns;

    /* loaded from: input_file:com/floragunn/searchguard/transport/SearchGuardInterceptor$RestoringTransportResponseHandler.class */
    private class RestoringTransportResponseHandler<T extends TransportResponse> implements TransportResponseHandler<T> {
        private final ThreadContext.StoredContext contextToRestore;
        private final TransportResponseHandler<T> innerHandler;

        private RestoringTransportResponseHandler(TransportResponseHandler<T> transportResponseHandler, ThreadContext.StoredContext storedContext) {
            this.contextToRestore = storedContext;
            this.innerHandler = transportResponseHandler;
        }

        /* renamed from: read, reason: merged with bridge method [inline-methods] */
        public T m191read(StreamInput streamInput) throws IOException {
            return (T) this.innerHandler.read(streamInput);
        }

        public Executor executor(ThreadPool threadPool) {
            return this.innerHandler.executor(threadPool);
        }

        public void handleResponse(T t) {
            ThreadContext threadContext = SearchGuardInterceptor.this.getThreadContext();
            Map responseHeaders = threadContext.getResponseHeaders();
            List list = (List) responseHeaders.get(ConfigConstants.SG_FLS_FIELDS_HEADER);
            List list2 = (List) responseHeaders.get(ConfigConstants.SG_DLS_QUERY_HEADER);
            List list3 = (List) responseHeaders.get(ConfigConstants.SG_MASKED_FIELD_HEADER);
            this.contextToRestore.restore();
            if ((t instanceof ClusterSearchShardsResponse) || (t instanceof SearchShardsResponse)) {
                if (list != null && !list.isEmpty()) {
                    threadContext.putTransient(ConfigConstants.SG_FLS_FIELDS_CCS, list.get(0));
                }
                if (list2 != null && !list2.isEmpty()) {
                    threadContext.putTransient(ConfigConstants.SG_DLS_QUERY_CCS, list2.get(0));
                }
                if (list3 != null && !list3.isEmpty()) {
                    threadContext.putTransient(ConfigConstants.SG_MASKED_FIELD_CCS, list3.get(0));
                }
            }
            this.innerHandler.handleResponse(t);
        }

        public void handleException(TransportException transportException) {
            this.contextToRestore.restore();
            this.innerHandler.handleException(transportException);
        }
    }

    public SearchGuardInterceptor(Settings settings, ThreadPool threadPool, AuditLog auditLog, PrincipalExtractor principalExtractor, InterClusterRequestEvaluator interClusterRequestEvaluator, ClusterService clusterService, SslExceptionHandler sslExceptionHandler, ClusterInfoHolder clusterInfoHolder, GuiceDependencies guiceDependencies, DiagnosticContext diagnosticContext, AdminDNs adminDNs) {
        this.auditLog = auditLog;
        this.threadPool = threadPool;
        this.principalExtractor = principalExtractor;
        this.requestEvalProvider = interClusterRequestEvaluator;
        this.cs = clusterService;
        this.sslExceptionHandler = sslExceptionHandler;
        this.clusterInfoHolder = clusterInfoHolder;
        this.customAllowedHeaderPatterns = getCustomAllowedHeaderPatterns(settings);
        this.diagnosticContext = diagnosticContext;
        this.guiceDependencies = guiceDependencies;
        this.adminDns = adminDNs;
    }

    public <T extends TransportRequest> SearchGuardRequestHandler<T> getHandler(String str, TransportRequestHandler<T> transportRequestHandler) {
        return new SearchGuardRequestHandler<>(str, transportRequestHandler, this.threadPool, this.auditLog, this.principalExtractor, this.requestEvalProvider, this.cs, this.sslExceptionHandler, this.adminDns);
    }

    public <T extends TransportResponse> void sendRequestDecorate(TransportInterceptor.AsyncSender asyncSender, Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
        Map headers = getThreadContext().getHeaders();
        User user = (User) getThreadContext().getTransient(ConfigConstants.SG_USER);
        String str2 = (String) getThreadContext().getTransient(ConfigConstants.SG_ORIGIN);
        TransportAddress transportAddress = (TransportAddress) getThreadContext().getTransient(ConfigConstants.SG_REMOTE_ADDRESS);
        String str3 = (String) getThreadContext().getTransient(ConfigConstants.SG_DLS_QUERY_CCS);
        String str4 = (String) getThreadContext().getTransient(ConfigConstants.SG_FLS_FIELDS_CCS);
        String str5 = (String) getThreadContext().getTransient(ConfigConstants.SG_MASKED_FIELD_CCS);
        String actionStack = this.diagnosticContext.getActionStack();
        ThreadContext.StoredContext stashContext = getThreadContext().stashContext();
        try {
            RestoringTransportResponseHandler restoringTransportResponseHandler = new RestoringTransportResponseHandler(transportResponseHandler, stashContext);
            getThreadContext().putHeader("_sg_remotecn", this.cs.getClusterName().value());
            HashMap hashMap = new HashMap(Maps.filterKeys(headers, str6 -> {
                return str6 != null && (str6.equals(ConfigConstants.SG_CONF_REQUEST_HEADER) || str6.equals(ConfigConstants.SG_ORIGIN_HEADER) || str6.equals(ConfigConstants.SG_REMOTE_ADDRESS_HEADER) || str6.equals(ConfigConstants.SG_USER_HEADER) || str6.equals(ConfigConstants.SG_DLS_QUERY_HEADER) || str6.equals(ConfigConstants.SG_FLS_FIELDS_HEADER) || str6.equals(ConfigConstants.SG_MASKED_FIELD_HEADER) || str6.equals(ConfigConstants.SG_DOC_WHITELST_HEADER) || str6.equals(ConfigConstants.SG_FILTER_LEVEL_DLS_DONE) || str6.equals(ConfigConstants.SG_DLS_MODE_HEADER) || str6.equals(ConfigConstants.SG_DLS_FILTER_LEVEL_QUERY_HEADER) || (!(!str6.equals("_sg_source_field_context") || (transportRequest instanceof SearchRequest) || (transportRequest instanceof GetRequest)) || str6.startsWith("_sg_trace") || str6.startsWith(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER) || checkCustomAllowedHeader(str6)));
            }));
            RemoteClusterService remoteClusterService = this.guiceDependencies.getTransportService().getRemoteClusterService();
            if (remoteClusterService.isCrossClusterSearchEnabled() && this.clusterInfoHolder.isInitialized() && ((str.equals("indices:admin/shards/search_shards") || str.equals("indices:data/read/search")) && !this.clusterInfoHolder.hasNode(connection.getNode()).booleanValue())) {
                if (log.isDebugEnabled()) {
                    log.debug("remove dls/fls/mf because we sent a ccs request to a remote cluster");
                }
                hashMap.remove(ConfigConstants.SG_DLS_QUERY_HEADER);
                hashMap.remove(ConfigConstants.SG_DLS_MODE_HEADER);
                hashMap.remove(ConfigConstants.SG_MASKED_FIELD_HEADER);
                hashMap.remove(ConfigConstants.SG_FLS_FIELDS_HEADER);
                hashMap.remove(ConfigConstants.SG_FILTER_LEVEL_DLS_DONE);
                hashMap.remove(ConfigConstants.SG_DLS_FILTER_LEVEL_QUERY_HEADER);
                hashMap.remove(ConfigConstants.SG_DOC_WHITELST_HEADER);
            }
            if (remoteClusterService.isCrossClusterSearchEnabled() && this.clusterInfoHolder.isInitialized() && !str.startsWith("internal:") && !str.equals("indices:admin/shards/search_shards") && !this.clusterInfoHolder.hasNode(connection.getNode()).booleanValue()) {
                if (log.isDebugEnabled()) {
                    log.debug("add dls/fls/mf from transient");
                }
                if (str3 != null && !str3.isEmpty()) {
                    hashMap.put(ConfigConstants.SG_DLS_QUERY_HEADER, str3);
                }
                if (str5 != null && !str5.isEmpty()) {
                    hashMap.put(ConfigConstants.SG_MASKED_FIELD_HEADER, str5);
                }
                if (str4 != null && !str4.isEmpty()) {
                    hashMap.put(ConfigConstants.SG_FLS_FIELDS_HEADER, str4);
                }
            }
            if (actionStack != null) {
                getThreadContext().putHeader("x_action_stack", actionStack);
            }
            getThreadContext().putHeader(hashMap);
            ensureCorrectHeaders(transportAddress, user, str2);
            if (this.actionTrace.isTraceEnabled()) {
                ThreadContext threadContext = getThreadContext();
                long currentTimeMillis = System.currentTimeMillis();
                UUID.randomUUID().toString();
                threadContext.putHeader("_sg_trace" + currentTimeMillis + "#" + threadContext, Thread.currentThread().getName() + " IC -> " + str + " " + getThreadContext().getHeaders().entrySet().stream().filter(entry -> {
                    return !((String) entry.getKey()).startsWith("_sg_trace");
                }).collect(Collectors.toMap(entry2 -> {
                    return (String) entry2.getKey();
                }, entry3 -> {
                    return (String) entry3.getValue();
                })));
            }
            asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, restoringTransportResponseHandler);
            if (stashContext != null) {
                stashContext.close();
            }
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void ensureCorrectHeaders(TransportAddress transportAddress, User user, String str) {
        if (str != null && !str.isEmpty() && getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER) == null) {
            getThreadContext().putHeader(ConfigConstants.SG_ORIGIN_HEADER, str);
        }
        if (str == null && getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER) == null) {
            getThreadContext().putHeader(ConfigConstants.SG_ORIGIN_HEADER, AuditLog.Origin.LOCAL.toString());
        }
        if (transportAddress != null && getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER) == null) {
            getThreadContext().putHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER, Base64Helper.serializeObject(transportAddress.address()));
        }
        if (user == null || getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER) != null) {
            return;
        }
        getThreadContext().putHeader(ConfigConstants.SG_USER_HEADER, Base64Helper.serializeObject(user));
    }

    private ThreadContext getThreadContext() {
        return this.threadPool.getThreadContext();
    }

    private boolean checkCustomAllowedHeader(String str) {
        if (str.startsWith(ConfigConstants.SG_CONFIG_PREFIX) || str.equals("X-Opaque-Id") || this.customAllowedHeaderPatterns.size() == 0) {
            return false;
        }
        Iterator<Pattern> it = this.customAllowedHeaderPatterns.iterator();
        while (it.hasNext()) {
            if (it.next().matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    private static List<Pattern> getCustomAllowedHeaderPatterns(Settings settings) {
        List<String> asList = settings.getAsList(ConfigConstants.SEARCHGUARD_ALLOW_CUSTOM_HEADERS, Collections.emptyList());
        ArrayList arrayList = new ArrayList(asList.size());
        for (String str : asList) {
            try {
                arrayList.add(Pattern.compile(str));
            } catch (PatternSyntaxException e) {
                log.error("Invalid pattern configured in searchguard.allow_custom_headers: " + str, e);
            }
        }
        return Collections.unmodifiableList(arrayList);
    }
}
