package com.floragunn.searchguard.dlsfls;

import com.floragunn.searchguard.GuiceDependencies;
import com.floragunn.searchguard.configuration.DlsFlsRequestValve;
import com.floragunn.searchguard.dlsfls.filter.DlsFilterLevelActionHandler;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.EvaluatedDlsFlsConfig;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.support.SgUtils;
import java.io.Serializable;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.ConstantScoreQuery;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.index.query.ParsedQuery;
import org.elasticsearch.search.aggregations.AggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.sampler.DiversifiedAggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.SignificantTermsAggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/dlsfls/DlsFlsValveImpl.class */
public class DlsFlsValveImpl implements DlsFlsRequestValve {
    private static final String MAP_EXECUTION_HINT = "map";
    private static final Logger log;
    private final Client nodeClient;
    private final ClusterService clusterService;
    private final GuiceDependencies guiceDependencies;
    private final ThreadContext threadContext;
    private final Mode mode;
    private final DlsQueryParser dlsQueryParser;
    private final IndexNameExpressionResolver resolver;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:com/floragunn/searchguard/dlsfls/DlsFlsValveImpl$Mode.class */
    public enum Mode {
        ADAPTIVE,
        LUCENE_LEVEL,
        FILTER_LEVEL;

        static Mode get(Settings settings) {
            String str = settings.get("searchguard.dls.mode");
            return "adaptive".equalsIgnoreCase(str) ? ADAPTIVE : "lucene_level".equalsIgnoreCase(str) ? LUCENE_LEVEL : "filter_level".equalsIgnoreCase(str) ? FILTER_LEVEL : ADAPTIVE;
        }
    }

    public DlsFlsValveImpl(Settings settings, Client client, ClusterService clusterService, IndexNameExpressionResolver indexNameExpressionResolver, GuiceDependencies guiceDependencies, NamedXContentRegistry namedXContentRegistry, ThreadContext threadContext) {
        this.nodeClient = client;
        this.clusterService = clusterService;
        this.resolver = indexNameExpressionResolver;
        this.guiceDependencies = guiceDependencies;
        this.threadContext = threadContext;
        this.mode = Mode.get(settings);
        this.dlsQueryParser = new DlsQueryParser(namedXContentRegistry);
    }

    public boolean invoke(String str, ActionRequest actionRequest, ActionListener<?> actionListener, EvaluatedDlsFlsConfig evaluatedDlsFlsConfig, boolean z, IndexResolverReplacer.Resolved resolved) {
        boolean containsTermLookupQuery;
        SearchSourceBuilder source;
        if (log.isDebugEnabled()) {
            log.debug("DlsFlsValveImpl.invoke()\nrequest: " + actionRequest + "\nevaluatedDlsFlsConfig: " + evaluatedDlsFlsConfig + "\nresolved: " + resolved + "\nmode: " + this.mode);
        }
        if (evaluatedDlsFlsConfig == null || evaluatedDlsFlsConfig.isEmpty()) {
            return true;
        }
        if (this.threadContext.getHeader("_sg_filter_level_dls_done") != null) {
            if (!log.isDebugEnabled()) {
                return true;
            }
            log.debug("DLS is already done for: " + this.threadContext.getHeader("_sg_filter_level_dls_done"));
            return true;
        }
        EvaluatedDlsFlsConfig filter = evaluatedDlsFlsConfig.filter(resolved);
        if (this.mode == Mode.FILTER_LEVEL) {
            containsTermLookupQuery = true;
        } else if (this.mode == Mode.LUCENE_LEVEL) {
            containsTermLookupQuery = false;
        } else if (getDlsModeHeader() == Mode.FILTER_LEVEL) {
            containsTermLookupQuery = true;
            log.debug("Doing filter-level DLS due to header");
        } else {
            containsTermLookupQuery = this.dlsQueryParser.containsTermLookupQuery(filter.getAllQueries());
            if (containsTermLookupQuery) {
                setDlsModeHeader(Mode.FILTER_LEVEL);
                log.debug("Doing filter-level DLS because query contains TLQ");
            } else {
                log.debug("Doing lucene-level DLS because query does not contain TLQ");
            }
        }
        if (!containsTermLookupQuery) {
            setDlsHeaders(evaluatedDlsFlsConfig, actionRequest);
        }
        setFlsHeaders(evaluatedDlsFlsConfig, actionRequest);
        if (filter.isEmpty()) {
            return true;
        }
        if (actionRequest instanceof RealtimeRequest) {
            ((RealtimeRequest) actionRequest).realtime(Boolean.FALSE.booleanValue());
        }
        if (actionRequest instanceof SearchRequest) {
            SearchRequest searchRequest = (SearchRequest) actionRequest;
            if (searchRequest.source() != null && searchRequest.source().aggregations() != null) {
                for (TermsAggregationBuilder termsAggregationBuilder : searchRequest.source().aggregations().getAggregatorFactories()) {
                    if ((termsAggregationBuilder instanceof TermsAggregationBuilder) && termsAggregationBuilder.minDocCount() == 0) {
                        actionListener.onFailure(new ElasticsearchSecurityException("min_doc_count 0 is not supported when DLS is activated", new Object[0]));
                        return false;
                    }
                }
            }
            if (evaluatedDlsFlsConfig.hasFieldMasking() && searchRequest.source() != null && searchRequest.source().aggregations() != null) {
                for (TermsAggregationBuilder termsAggregationBuilder2 : searchRequest.source().aggregations().getAggregatorFactories()) {
                    if (termsAggregationBuilder2 instanceof TermsAggregationBuilder) {
                        termsAggregationBuilder2.executionHint(MAP_EXECUTION_HINT);
                    }
                    if (termsAggregationBuilder2 instanceof SignificantTermsAggregationBuilder) {
                        ((SignificantTermsAggregationBuilder) termsAggregationBuilder2).executionHint(MAP_EXECUTION_HINT);
                    }
                    if (termsAggregationBuilder2 instanceof DiversifiedAggregationBuilder) {
                        ((DiversifiedAggregationBuilder) termsAggregationBuilder2).executionHint(MAP_EXECUTION_HINT);
                    }
                }
            }
            if (!z || evaluatedDlsFlsConfig.hasFls() || evaluatedDlsFlsConfig.hasDls() || searchRequest.source().aggregations() == null) {
                searchRequest.requestCache(Boolean.FALSE);
            } else {
                boolean z2 = true;
                Iterator it = searchRequest.source().aggregations().getAggregatorFactories().iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    AggregationBuilder aggregationBuilder = (AggregationBuilder) it.next();
                    if (!aggregationBuilder.getType().equals("cardinality") && !aggregationBuilder.getType().equals("count")) {
                        z2 = false;
                        break;
                    }
                }
                if (!z2) {
                    searchRequest.requestCache(Boolean.FALSE);
                }
            }
        }
        if (evaluatedDlsFlsConfig.hasDls() && (actionRequest instanceof SearchRequest) && (source = ((SearchRequest) actionRequest).source()) != null && source.profile()) {
            actionListener.onFailure(new ElasticsearchSecurityException("Profiling is not supported when DLS is activated", new Object[0]));
            return false;
        }
        if (containsTermLookupQuery && filter.hasDls()) {
            return DlsFilterLevelActionHandler.handle(str, actionRequest, actionListener, evaluatedDlsFlsConfig, resolved, this.nodeClient, this.clusterService, this.guiceDependencies.getIndicesService(), this.resolver, this.dlsQueryParser, this.threadContext);
        }
        return true;
    }

    public void handleSearchContext(SearchContext searchContext, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry) {
        try {
            Map map = (Map) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), "_sg_dls_query");
            String evalMap = SgUtils.evalMap(map, searchContext.indexShard().indexSettings().getIndex().getName());
            if (evalMap != null) {
                if (searchContext.suggest() != null) {
                    return;
                }
                if (!$assertionsDisabled && searchContext.parsedQuery() == null) {
                    throw new AssertionError();
                }
                Set<String> set = (Set) map.get(evalMap);
                if (set != null && !set.isEmpty()) {
                    BooleanQuery.Builder parse = this.dlsQueryParser.parse(set, searchContext.getQueryShardContext(), query -> {
                        return new ConstantScoreQuery(query);
                    });
                    parse.add(searchContext.parsedQuery().query(), BooleanClause.Occur.MUST);
                    ParsedQuery parsedQuery = new ParsedQuery(parse.build());
                    if (parsedQuery != null) {
                        searchContext.parsedQuery(parsedQuery);
                        searchContext.preProcess(true);
                    }
                }
            }
        } catch (Exception e) {
            throw new RuntimeException("Error evaluating dls for a search query: " + e, e);
        }
    }

    private void setDlsHeaders(EvaluatedDlsFlsConfig evaluatedDlsFlsConfig, ActionRequest actionRequest) {
        if (evaluatedDlsFlsConfig.getDlsQueriesByIndex().isEmpty()) {
            return;
        }
        Map dlsQueriesByIndex = evaluatedDlsFlsConfig.getDlsQueriesByIndex();
        if ((actionRequest instanceof ClusterSearchShardsRequest) && HeaderHelper.isTrustedClusterRequest(this.threadContext)) {
            this.threadContext.addResponseHeader("_sg_dls_query", Base64Helper.serializeObject((Serializable) dlsQueriesByIndex));
            if (log.isDebugEnabled()) {
                log.debug("added response header for DLS info: {}", dlsQueriesByIndex);
                return;
            }
            return;
        }
        if (this.threadContext.getHeader("_sg_dls_query") != null) {
            if (!dlsQueriesByIndex.equals(Base64Helper.deserializeObject(this.threadContext.getHeader("_sg_dls_query")))) {
                throw new ElasticsearchSecurityException("_sg_dls_query does not match (SG 900D)", new Object[0]);
            }
        } else {
            this.threadContext.putHeader("_sg_dls_query", Base64Helper.serializeObject((Serializable) dlsQueriesByIndex));
            if (log.isDebugEnabled()) {
                log.debug("attach DLS info: {}", dlsQueriesByIndex);
            }
        }
    }

    private void setDlsModeHeader(Mode mode) {
        String name = mode.name();
        if (this.threadContext.getHeader("_sg_dls_mode") == null) {
            this.threadContext.putHeader("_sg_dls_mode", name);
        } else {
            if (name.equals(this.threadContext.getHeader("_sg_dls_mode"))) {
                return;
            }
            log.warn("Cannot update DLS mode to " + mode + "; current: " + this.threadContext.getHeader("_sg_dls_mode"));
        }
    }

    private Mode getDlsModeHeader() {
        String header = this.threadContext.getHeader("_sg_dls_mode");
        if (header != null) {
            return Mode.valueOf(header);
        }
        return null;
    }

    private void setFlsHeaders(EvaluatedDlsFlsConfig evaluatedDlsFlsConfig, ActionRequest actionRequest) {
        if (!evaluatedDlsFlsConfig.getFieldMaskingByIndex().isEmpty()) {
            Map fieldMaskingByIndex = evaluatedDlsFlsConfig.getFieldMaskingByIndex();
            if ((actionRequest instanceof ClusterSearchShardsRequest) && HeaderHelper.isTrustedClusterRequest(this.threadContext)) {
                this.threadContext.addResponseHeader("_sg_masked_fields", Base64Helper.serializeObject((Serializable) fieldMaskingByIndex));
                if (log.isDebugEnabled()) {
                    log.debug("added response header for masked fields info: {}", fieldMaskingByIndex);
                }
            } else if (this.threadContext.getHeader("_sg_masked_fields") == null) {
                this.threadContext.putHeader("_sg_masked_fields", Base64Helper.serializeObject((Serializable) fieldMaskingByIndex));
                if (log.isDebugEnabled()) {
                    log.debug("attach masked fields info: {}", fieldMaskingByIndex);
                }
            } else {
                if (!fieldMaskingByIndex.equals(Base64Helper.deserializeObject(this.threadContext.getHeader("_sg_masked_fields")))) {
                    throw new ElasticsearchSecurityException("_sg_masked_fields does not match (SG 901D)", new Object[0]);
                }
                if (log.isDebugEnabled()) {
                    log.debug("_sg_masked_fields already set");
                }
            }
        }
        if (evaluatedDlsFlsConfig.getFlsByIndex().isEmpty()) {
            return;
        }
        Map flsByIndex = evaluatedDlsFlsConfig.getFlsByIndex();
        if ((actionRequest instanceof ClusterSearchShardsRequest) && HeaderHelper.isTrustedClusterRequest(this.threadContext)) {
            this.threadContext.addResponseHeader("_sg_fls_fields", Base64Helper.serializeObject((Serializable) flsByIndex));
            if (log.isDebugEnabled()) {
                log.debug("added response header for FLS info: {}", flsByIndex);
                return;
            }
            return;
        }
        if (this.threadContext.getHeader("_sg_fls_fields") == null) {
            this.threadContext.putHeader("_sg_fls_fields", Base64Helper.serializeObject((Serializable) flsByIndex));
            if (log.isDebugEnabled()) {
                log.debug("attach FLS info: {}", flsByIndex);
                return;
            }
            return;
        }
        if (!flsByIndex.equals(Base64Helper.deserializeObject(this.threadContext.getHeader("_sg_fls_fields")))) {
            throw new ElasticsearchSecurityException("_sg_fls_fields does not match (SG 901D) " + flsByIndex + "---" + Base64Helper.deserializeObject(this.threadContext.getHeader("_sg_fls_fields")), new Object[0]);
        }
        if (log.isDebugEnabled()) {
            log.debug("_sg_fls_fields already set");
        }
    }

    static {
        $assertionsDisabled = !DlsFlsValveImpl.class.desiredAssertionStatus();
        log = LogManager.getLogger(DlsFlsValveImpl.class);
    }
}
