package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.support.SgUtils;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.BytesRef;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.io.stream.DelayableWriteable;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.search.DocValueFormat;
import org.elasticsearch.search.aggregations.Aggregation;
import org.elasticsearch.search.aggregations.AggregationBuilder;
import org.elasticsearch.search.aggregations.BucketOrder;
import org.elasticsearch.search.aggregations.InternalAggregation;
import org.elasticsearch.search.aggregations.InternalAggregations;
import org.elasticsearch.search.aggregations.bucket.terms.InternalTerms;
import org.elasticsearch.search.aggregations.bucket.terms.StringTerms;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.search.query.QuerySearchResult;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/configuration/DlsFlsValveImpl.class */
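/**
 * Request valve that restricts or rejects requests while document-level security (DLS),
 * field-level security (FLS) or field masking is active for the caller.
 *
 * <p>The class does three things:
 * <ul>
 *   <li>{@link #invoke} adjusts or rejects an incoming request before it is executed;</li>
 *   <li>{@link #handleSearchContext} rewrites the parsed query of a shard-level search with
 *       the DLS queries carried in the {@code _sg_dls_query} thread-context header;</li>
 *   <li>{@link #onQueryPhase} re-sorts and merges string terms buckets whose keys compare as
 *       equal when the {@code _sg_masked_fields} header is present.</li>
 * </ul>
 *
 * <p>Three private fields of Elasticsearch aggregation classes are read by reflection. They
 * are resolved once during class initialisation; if one of them cannot be found,
 * {@link #getField} throws and the class fails to initialise rather than running without
 * the bucket correction.
 */
public class DlsFlsValveImpl implements DlsFlsRequestValve {
    private static final Logger log = LogManager.getLogger(DlsFlsValveImpl.class);

    private static final String UPDATE_NOT_SUPPORTED = "Update is not supported when FLS or DLS or Fieldmasking is activated";
    private static final String RESIZE_NOT_SUPPORTED = "Resize is not supported when FLS or DLS or Fieldmasking is activated";
    private static final String PROFILE_NOT_SUPPORTED = "Profiling is not supported when DLS is activated";

    // Private Elasticsearch internals, looked up by name. The names are tied to the
    // Elasticsearch version this class was built against.
    private static final Field REDUCE_ORDER_FIELD = getField(InternalTerms.class, "reduceOrder");
    private static final Field BUCKET_TERM_BYTES = getField(StringTerms.Bucket.class, "termBytes");
    private static final Field BUCKET_FORMAT = getField(InternalTerms.Bucket.class, "format");

    /**
     * Applies the restrictions that hold while at least one of the three maps is non-empty.
     *
     * <p>With any restriction active: realtime reads are switched off, the shard request
     * cache is disabled for searches unless the narrow exception below applies, and update,
     * bulk-with-update and resize requests are rejected through the listener. With
     * {@code map3} non-empty (DLS, per the rejection message) a profiled search is rejected
     * as well.
     *
     * @param actionRequest the request about to be executed
     * @param actionListener receives an {@link ElasticsearchSecurityException} when the
     *        request is rejected
     * @param map first restriction map; presumably the FLS fields per index (confirm against
     *        {@code DlsFlsRequestValve})
     * @param map2 second restriction map; presumably the masked fields per index (confirm
     *        against {@code DlsFlsRequestValve})
     * @param map3 DLS queries per index
     * @param z when {@code false} the request cache is always disabled for a restricted
     *        search; its meaning is defined by the caller and is not visible in this file
     * @return {@code true} if the request may proceed, {@code false} if it was rejected
     */
    public boolean invoke(ActionRequest actionRequest, ActionListener<?> actionListener, Map<String, Set<String>> map, Map<String, Set<String>> map2, Map<String, Set<String>> map3, boolean z) {
        final boolean mapActive = map != null && !map.isEmpty();
        final boolean map2Active = map2 != null && !map2.isEmpty();
        final boolean dlsActive = map3 != null && !map3.isEmpty();

        if (mapActive || map2Active || dlsActive) {
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(false);
            }
            if (actionRequest instanceof SearchRequest) {
                // The cache may only stay on when map2 is the sole active restriction and z is set.
                applyRequestCachePolicy((SearchRequest) actionRequest, z && !mapActive && !dlsActive);
            }
            if (containsUpdate(actionRequest)) {
                return reject(actionListener, UPDATE_NOT_SUPPORTED);
            }
            if (actionRequest instanceof ResizeRequest) {
                return reject(actionListener, RESIZE_NOT_SUPPORTED);
            }
        }

        if (dlsActive && actionRequest instanceof SearchRequest) {
            SearchSourceBuilder source = ((SearchRequest) actionRequest).source();
            if (source != null && source.profile()) {
                return reject(actionListener, PROFILE_NOT_SUPPORTED);
            }
        }
        return true;
    }

    /**
     * Disables the shard request cache unless the search is a cache candidate whose top-level
     * aggregations are all of type {@code cardinality} or {@code count}.
     *
     * <p>A search without a source is treated like a search without aggregations: the cache
     * is disabled. The previous code dereferenced {@code source()} without a null check on
     * this path although it null-checked the same value a few lines later.
     *
     * <p>Diagnostics are written at debug level to the class logger. They contain the full
     * search source, so they were moved off the unconditional error-level "debuglogger"
     * output, which put query bodies into the logs for every such request.
     */
    private static void applyRequestCachePolicy(SearchRequest searchRequest, boolean cacheCandidate) {
        SearchSourceBuilder source = searchRequest.source();
        if (!cacheCandidate || source == null || source.aggregations() == null) {
            searchRequest.requestCache(Boolean.FALSE);
            return;
        }

        boolean cacheable = true;
        for (AggregationBuilder aggregationBuilder : source.aggregations().getAggregatorFactories()) {
            String type = aggregationBuilder.getType();
            if ("cardinality".equals(type) || "count".equals(type)) {
                if (log.isDebugEnabled()) {
                    log.debug(Strings.toString(source) + System.lineSeparator()
                            + Strings.toString(aggregationBuilder) + System.lineSeparator());
                }
            } else {
                cacheable = false;
            }
        }

        if (cacheable) {
            // The request's own cache setting is left untouched on this path.
            if (log.isDebugEnabled()) {
                log.debug("Shard requestcache enabled for " + Strings.toString(source));
            }
        } else {
            searchRequest.requestCache(Boolean.FALSE);
        }
    }

    /** Returns whether the request is an update or a bulk request carrying at least one update. */
    private static boolean containsUpdate(ActionRequest actionRequest) {
        if (actionRequest instanceof UpdateRequest) {
            return true;
        }
        if (actionRequest instanceof BulkRequest) {
            for (DocWriteRequest<?> item : ((BulkRequest) actionRequest).requests()) {
                if (item instanceof UpdateRequest) {
                    return true;
                }
            }
        }
        if (actionRequest instanceof BulkShardRequest) {
            for (BulkItemRequest item : ((BulkShardRequest) actionRequest).items()) {
                if (item.request() instanceof UpdateRequest) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Fails the listener with a security exception and returns {@code false} for {@link #invoke}. */
    private static boolean reject(ActionListener<?> actionListener, String message) {
        actionListener.onFailure(new ElasticsearchSecurityException(message));
        return false;
    }

    /**
     * Adds the DLS queries for the searched index to the parsed query of the search context.
     *
     * <p>The queries are read from the {@code _sg_dls_query} thread-context header and
     * selected by {@code SgUtils.evalMap} using the name of the shard's index. Any exception
     * is rethrown as a {@link RuntimeException}, so a failure while building the restricted
     * query aborts the search instead of letting it run unrestricted.
     *
     * <p>NOTE(review): a context that carries a suggest section returns before the DLS query
     * is applied. Confirm that suggest requests are restricted or rejected elsewhere.
     *
     * @param searchContext the shard-level search context to rewrite
     * @param threadPool provides the thread context holding the header
     * @param namedXContentRegistry passed through to {@code DlsQueryParser.parse}
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public void handleSearchContext(SearchContext searchContext, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry) {
        try {
            // Raw types are kept: the signatures of HeaderHelper, SgUtils and DlsQueryParser
            // are not visible in this file.
            Map queriesByIndex = (Map) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), "_sg_dls_query");
            String matchedKey = SgUtils.evalMap(queriesByIndex, searchContext.indexShard().indexSettings().getIndex().getName());
            if (matchedKey == null) {
                return;
            }
            if (searchContext.suggest() != null) {
                return;
            }
            assert searchContext.parsedQuery() != null;

            Set queries = (Set) queriesByIndex.get(matchedKey);
            if (queries != null && !queries.isEmpty()) {
                searchContext.parsedQuery(DlsQueryParser.parse(queries, searchContext.parsedQuery(), searchContext.getQueryShardContext(), namedXContentRegistry));
                searchContext.preProcess(true);
            }
        } catch (Exception e) {
            throw new RuntimeException("Error evaluating dls for a search query: " + e, e);
        }
    }

    /**
     * Repairs string terms aggregations of the query result whose buckets are not strictly
     * ordered by their reduce order, which is the case when several buckets share a key.
     *
     * <p>Nothing happens unless the {@code _sg_masked_fields} header is present and
     * non-empty. Aggregations other than {@link StringTerms} are passed through unchanged.
     *
     * @param searchContext the context whose query result is inspected
     * @param j not used by this implementation
     * @param threadPool provides the thread context holding the header
     */
    public void onQueryPhase(SearchContext searchContext, long j, ThreadPool threadPool) {
        QuerySearchResult queryResult = searchContext.queryResult();
        if (queryResult == null) {
            return;
        }
        DelayableWriteable<?> delayed = queryResult.aggregations();
        if (delayed == null || !isFieldMaskingConfigured(threadPool)) {
            return;
        }
        InternalAggregations internalAggregations = (InternalAggregations) delayed.expand();
        if (internalAggregations == null || checkForCorrectReduceOrder(internalAggregations)) {
            return;
        }

        if (log.isDebugEnabled()) {
            log.debug("Found buckets with equal keys. Merging these buckets: " + internalAggregations);
        }

        List<InternalAggregation> corrected = new ArrayList<>(internalAggregations.asList().size() + 1);
        for (Aggregation aggregation : internalAggregations) {
            if (aggregation instanceof StringTerms) {
                StringTerms terms = (StringTerms) aggregation;
                BucketOrder reduceOrder = getReduceOrder(terms);
                if (checkForCorrectReduceOrder(reduceOrder, terms.getBuckets())) {
                    corrected.add(terms);
                } else {
                    corrected.add(terms.create(sortAndMergeBucketKeys(reduceOrder, terms.getBuckets())));
                }
            } else {
                corrected.add((InternalAggregation) aggregation);
            }
        }
        queryResult.aggregations(InternalAggregations.from(corrected));
    }

    /** Returns whether the {@code _sg_masked_fields} header holds a non-empty map. */
    private boolean isFieldMaskingConfigured(ThreadPool threadPool) {
        Map<?, ?> maskedFields = (Map<?, ?>) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), "_sg_masked_fields");
        return maskedFields != null && !maskedFields.isEmpty();
    }

    /**
     * Returns {@code false} as soon as one {@link StringTerms} aggregation has buckets that
     * are not strictly ordered by its reduce order; {@code true} otherwise.
     */
    private boolean checkForCorrectReduceOrder(InternalAggregations internalAggregations) {
        for (Aggregation aggregation : internalAggregations) {
            if (!(aggregation instanceof StringTerms)) {
                continue;
            }
            StringTerms terms = (StringTerms) aggregation;
            BucketOrder reduceOrder = getReduceOrder(terms);
            if (!checkForCorrectReduceOrder(reduceOrder, terms.getBuckets())) {
                log.debug("Aggregation needs correction: {} {}", terms, reduceOrder);
                return false;
            }
        }
        return true;
    }

    /**
     * Returns whether every bucket compares strictly less than its successor. Two adjacent
     * buckets that compare as equal therefore count as an incorrect order.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private boolean checkForCorrectReduceOrder(BucketOrder bucketOrder, List<StringTerms.Bucket> list) {
        // Raw comparator: the element type of BucketOrder.comparator() is not visible here.
        Comparator comparator = bucketOrder.comparator();
        StringTerms.Bucket previous = null;
        for (StringTerms.Bucket current : list) {
            if (previous != null && comparator.compare(previous, current) >= 0) {
                return false;
            }
            previous = current;
        }
        return true;
    }

    /**
     * Sorts the buckets by the reduce order and collapses each run of buckets that compare
     * as equal into one bucket.
     *
     * <p>The merged bucket takes term, sub-aggregations and format from the first bucket of
     * the run and the summed document count of the whole run. The document count errors are
     * summed as well; once a bucket reports none (it throws {@link IllegalStateException})
     * the merged bucket is created without a document count error.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private List<StringTerms.Bucket> sortAndMergeBucketKeys(BucketOrder bucketOrder, List<StringTerms.Bucket> list) {
        Comparator comparator = bucketOrder.comparator();
        int size = list.size();
        StringTerms.Bucket[] sorted = list.toArray(new StringTerms.Bucket[size]);
        List<StringTerms.Bucket> merged = new ArrayList<>(size);
        Arrays.sort(sorted, comparator);

        if (log.isDebugEnabled()) {
            log.debug("Merging buckets: " + list.stream().map(StringTerms.Bucket::getKeyAsString).collect(Collectors.toList()));
        }

        int start = 0;
        while (start < size) {
            StringTerms.Bucket head = sorted[start];

            // Find the end (exclusive) of the run of buckets that compare as equal to head.
            int end = start + 1;
            while (end < size && comparator.compare(head, sorted[end]) == 0) {
                end++;
            }

            if (end == start + 1) {
                merged.add(head);
            } else {
                long docCount = head.getDocCount();
                long docCountError; // -1 marks "no error available"
                try {
                    docCountError = head.getDocCountError();
                } catch (IllegalStateException e) {
                    docCountError = -1;
                }
                for (int k = start + 1; k < end; k++) {
                    StringTerms.Bucket duplicate = sorted[k];
                    docCount += duplicate.getDocCount();
                    if (docCountError != -1) {
                        try {
                            docCountError += duplicate.getDocCountError();
                        } catch (IllegalStateException e) {
                            docCountError = -1;
                        }
                    }
                }
                merged.add(new StringTerms.Bucket(getTerm(head), docCount, head.getAggregations(), docCountError != -1, docCountError, getDocValueFormat(head)));
            }
            start = end;
        }

        if (log.isDebugEnabled()) {
            log.debug("New buckets: " + merged.stream().map(StringTerms.Bucket::getKeyAsString).collect(Collectors.toList()));
        }
        return merged;
    }

    /** Reads the private {@code reduceOrder} field of a terms aggregation. */
    private static BucketOrder getReduceOrder(InternalTerms<?, ?> internalTerms) {
        return readField(REDUCE_ORDER_FIELD, internalTerms, BucketOrder.class);
    }

    /** Reads the private {@code termBytes} field of a string terms bucket. */
    private static BytesRef getTerm(StringTerms.Bucket bucket) {
        return readField(BUCKET_TERM_BYTES, bucket, BytesRef.class);
    }

    /** Reads the private {@code format} field of a terms bucket. */
    private static DocValueFormat getDocValueFormat(InternalTerms.Bucket<?> bucket) {
        return readField(BUCKET_FORMAT, bucket, DocValueFormat.class);
    }

    /**
     * Reads {@code field} from {@code target} inside a privileged block.
     *
     * @throws RuntimeException wrapping the reflective failure if the field cannot be read
     */
    private static <T> T readField(Field field, Object target, Class<T> type) {
        checkSpecialPermission();
        // The cast selects the PrivilegedAction overload; a bare lambda is ambiguous between
        // doPrivileged(PrivilegedAction) and doPrivileged(PrivilegedExceptionAction).
        return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
            try {
                return type.cast(field.get(target));
            } catch (IllegalAccessException | IllegalArgumentException e) {
                throw new RuntimeException(e);
            }
        });
    }

    /**
     * Looks up a declared field and makes it accessible inside a privileged block.
     *
     * @throws RuntimeException wrapping the failure if the field does not exist or access is
     *         denied; during class initialisation this prevents the class from loading
     */
    private static Field getField(Class<?> cls, String str) {
        checkSpecialPermission();
        return AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
            try {
                Field declaredField = cls.getDeclaredField(str);
                declaredField.setAccessible(true);
                return declaredField;
            } catch (NoSuchFieldException | SecurityException e) {
                throw new RuntimeException(e);
            }
        });
    }

    /** Checks Elasticsearch's {@link SpecialPermission} when a security manager is installed. */
    private static void checkSpecialPermission() {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
    }
}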
