package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.privileges.PrivilegesInterceptor;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.DynamicConfigModel;
import com.floragunn.searchguard.user.User;
import java.util.Iterator;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsRequest;
import org.elasticsearch.action.admin.indices.refresh.RefreshRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.replication.ReplicationRequest;
import org.elasticsearch.action.support.single.shard.SingleShardRequest;
import org.elasticsearch.action.termvectors.MultiTermVectorsRequest;
import org.elasticsearch.action.termvectors.TermVectorsRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesInterceptorImpl.class */
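/**
 * Privileges interceptor that redirects requests aimed at the Kibana index to a
 * per-tenant index when Kibana multitenancy is enabled.
 *
 * <p>The tenant is taken from {@link User#getRequestedTenant()} and is checked against the
 * tenant map handed in by the caller before any request is rewritten.
 */
public class PrivilegesInterceptorImpl extends PrivilegesInterceptor {
    private static final String USER_TENANT = "__user__";
    private static final String EMPTY_STRING = "";
    protected final Logger log;

    public PrivilegesInterceptorImpl(IndexNameExpressionResolver indexNameExpressionResolver, ClusterService clusterService, Client client, ThreadPool threadPool) {
        super(indexNameExpressionResolver, clusterService, client, threadPool);
        this.log = LogManager.getLogger(getClass());
    }

    /**
     * Decides whether {@code user} may use {@code tenant} for the given action.
     *
     * @param actionRequest the request being evaluated (only used for debug logging)
     * @param action        the action name; names starting with {@code indices:data/write} are treated as writes
     * @param user          the requesting user (only used for log messages)
     * @param tenants       tenant name to flag; a {@code false} flag makes the tenant unusable for writes
     * @param tenant        the tenant to check
     * @return {@code false} if the tenant is not a key of {@code tenants}, or if its flag is
     *         {@code false} and the action is a write; {@code true} otherwise
     */
    private boolean isTenantAllowed(ActionRequest actionRequest, String action, User user, Map<String, Boolean> tenants, String tenant) {
        if (!tenants.containsKey(tenant)) {
            this.log.warn("Tenant {} is not allowed for user {}", tenant, user.getName());
            return false;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("request " + actionRequest.getClass());
        }
        // Compare by value, not by reference: an identity check against Boolean.FALSE would
        // let a write through if the map ever held a Boolean that is not the cached instance.
        // NOTE(review): a key mapped to null is still treated as write-allowed here - confirm
        // the map can never contain null values, otherwise this fails open.
        // NOTE(review): only "indices:data/write*" counts as a write; other mutating actions
        // (replaceIndex rewrites CreateIndexRequest, for example) pass this check on a
        // tenant flagged false - confirm they are denied elsewhere.
        if (Boolean.FALSE.equals(tenants.get(tenant)) && action.startsWith("indices:data/write")) {
            this.log.warn("Tenant {} is not allowed to write (user: {})", tenant, user.getName());
            return false;
        }
        return true;
    }

    /**
     * Rewrites a request that targets the Kibana index so that it targets the index of the
     * tenant requested by {@code user}.
     *
     * @param actionRequest      the request to inspect and possibly rewrite in place
     * @param str                the action name, passed on to the tenant check and to {@code replaceIndex}
     * @param user               the requesting user; supplies the name and the requested tenant
     * @param dynamicConfigModel supplies the multitenancy switch, the Kibana server user name and the Kibana index name
     * @param resolved           the indices and aliases the request resolves to
     * @param map                tenant name to flag, as consumed by {@code isTenantAllowed}
     * @return {@code Boolean.TRUE} when the tenant check fails, {@code Boolean.FALSE} when the
     *         request already targets the tenant index or was rewritten to it, {@code null}
     *         when this interceptor does not apply. Presumably TRUE means "deny" and FALSE
     *         "allow" to the caller - confirm against {@code PrivilegesInterceptor}.
     */
    public Boolean replaceKibanaIndex(ActionRequest actionRequest, String str, User user, DynamicConfigModel dynamicConfigModel, IndexResolverReplacer.Resolved resolved, Map<String, Boolean> map) {
        if (!dynamicConfigModel.isKibanaMultitenancyEnabled()) {
            return null;
        }
        final String kibanaServerUsername = dynamicConfigModel.getKibanaServerUsername();
        final String kibanaIndexname = dynamicConfigModel.getKibanaIndexname();
        String requestedTenant = user.getRequestedTenant();
        if (this.log.isDebugEnabled()) {
            // NOTE(review): the tenant value is written to the log unmodified; if it is
            // client-supplied, make sure the log layout neutralises control characters.
            this.log.debug("raw requestedTenant: '" + requestedTenant + "'");
        }
        final boolean isKibanaServerUser = user.getName().equals(kibanaServerUsername);
        // The Kibana server user is never redirected; everyone else is redirected only when
        // the request resolves to exactly the Kibana index (or exactly that alias).
        final boolean targetsKibanaIndex = !isKibanaServerUser && resolveToKibanaIndexOrAlias(resolved, kibanaIndexname);

        if (requestedTenant == null || requestedTenant.length() == 0) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("No tenant, will resolve to " + kibanaIndexname);
            }
            // No tenant requested: the shared Kibana index is used, which requires access to
            // the global tenant.
            if (targetsKibanaIndex && !isTenantAllowed(actionRequest, str, user, map, "SGS_GLOBAL_TENANT")) {
                return Boolean.TRUE;
            }
            return null;
        }

        if (USER_TENANT.equals(requestedTenant)) {
            // The "__user__" placeholder selects the user's private tenant, named after the user.
            requestedTenant = user.getName();
        }
        if (this.log.isDebugEnabled() && !isKibanaServerUser) {
            this.log.debug("requestedResolved: " + resolved);
        }

        // The request already addresses the tenant index (directly or via alias): nothing to
        // rewrite, but the tenant check still has to pass.
        if (!isKibanaServerUser && resolved.getAllIndices().size() == 1) {
            final String tenantIndex = toUserIndexName(kibanaIndexname, requestedTenant);
            final boolean addressesTenantIndex;
            if (resolved.getAliases().size() == 0) {
                addressesTenantIndex = resolved.getAllIndices().contains(tenantIndex);
            } else {
                addressesTenantIndex = resolved.getAliases().contains(tenantIndex);
            }
            if (addressesTenantIndex && isTenantAllowed(actionRequest, str, user, map, requestedTenant)) {
                return Boolean.FALSE;
            }
        }

        if (targetsKibanaIndex) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("requestedTenant: " + requestedTenant);
                this.log.debug("is user tenant: " + requestedTenant.equals(user.getName()));
            }
            if (!isTenantAllowed(actionRequest, str, user, map, requestedTenant)) {
                return Boolean.TRUE;
            }
            // NOTE(review): replaceIndex returns nothing, so FALSE is returned even when the
            // request type could not be rewritten and still names the shared Kibana index.
            replaceIndex(actionRequest, kibanaIndexname, toUserIndexName(kibanaIndexname, requestedTenant), str);
            return Boolean.FALSE;
        }

        if (!isKibanaServerUser && this.log.isTraceEnabled()) {
            this.log.trace("not a request to only the .kibana index");
            this.log.trace(user.getName() + "/" + kibanaServerUsername);
            this.log.trace(resolved + " does not contain only " + kibanaIndexname);
        }
        return null;
    }

    /**
     * Points {@code actionRequest} at {@code newIndexName} instead of {@code oldIndexName}.
     *
     * <p>Field-mapping requests are left untouched. Request types that are not recognised
     * are not rewritten either; they only produce warnings.
     *
     * @param actionRequest the request to modify in place
     * @param oldIndexName  the index being replaced (only used for logging)
     * @param newIndexName  the index the request should target afterwards
     * @param action        the action name (unused here)
     */
    private void replaceIndex(ActionRequest actionRequest, String oldIndexName, String newIndexName, String action) {
        if (this.log.isDebugEnabled()) {
            this.log.debug("{} index will be replaced with {} in this {} request", oldIndexName, newIndexName, actionRequest.getClass().getName());
        }
        if ((actionRequest instanceof GetFieldMappingsIndexRequest) || (actionRequest instanceof GetFieldMappingsRequest)) {
            // NOTE(review): these keep their original target index - confirm that is intended
            // and does not expose mappings of the shared index to tenant users.
            return;
        }
        final String[] newIndexNames = {newIndexName};
        boolean replaced = true;
        if (actionRequest instanceof CreateIndexRequest) {
            ((CreateIndexRequest) actionRequest).index(newIndexName);
        } else if (actionRequest instanceof BulkRequest) {
            // Bulk items are a mix of delete, index and update requests, so each item is
            // inspected individually rather than being assumed to be one concrete type.
            for (Object item : ((BulkRequest) actionRequest).requests()) {
                if (item instanceof DeleteRequest) {
                    ((DeleteRequest) item).index(newIndexName);
                } else if (item instanceof IndexRequest) {
                    ((IndexRequest) item).index(newIndexName);
                } else if (item instanceof UpdateRequest) {
                    ((UpdateRequest) item).index(newIndexName);
                }
            }
        } else if (actionRequest instanceof MultiGetRequest) {
            for (MultiGetRequest.Item item : ((MultiGetRequest) actionRequest).getItems()) {
                item.index(newIndexName);
            }
        } else if (actionRequest instanceof MultiSearchRequest) {
            for (SearchRequest searchRequest : ((MultiSearchRequest) actionRequest).requests()) {
                searchRequest.indices(newIndexNames);
            }
        } else if (actionRequest instanceof MultiTermVectorsRequest) {
            Iterable<TermVectorsRequest> termVectorsRequests = () -> ((MultiTermVectorsRequest) actionRequest).iterator();
            for (TermVectorsRequest termVectorsRequest : termVectorsRequests) {
                termVectorsRequest.index(newIndexName);
            }
        } else if (actionRequest instanceof UpdateRequest) {
            ((UpdateRequest) actionRequest).index(newIndexName);
        } else if (actionRequest instanceof IndexRequest) {
            ((IndexRequest) actionRequest).index(newIndexName);
        } else if (actionRequest instanceof DeleteRequest) {
            ((DeleteRequest) actionRequest).index(newIndexName);
        } else if (actionRequest instanceof SingleShardRequest) {
            ((SingleShardRequest<?>) actionRequest).index(newIndexName);
        } else if (actionRequest instanceof RefreshRequest) {
            ((RefreshRequest) actionRequest).indices(newIndexNames);
        } else if (actionRequest instanceof ReplicationRequest) {
            ((ReplicationRequest<?>) actionRequest).index(newIndexName);
        } else if (actionRequest instanceof IndicesRequest.Replaceable) {
            ((IndicesRequest.Replaceable) actionRequest).indices(newIndexNames);
        } else {
            replaced = false;
            this.log.warn("Dont know what to do (1) with {}", actionRequest.getClass());
        }
        if (!replaced) {
            // Both warnings are emitted for an unhandled request type; the request itself is
            // left pointing at its original index.
            this.log.warn("Dont know what to do (2) with {}", actionRequest.getClass());
        }
    }

    /**
     * Builds the name of the tenant-specific Kibana index:
     * {@code <kibanaIndex>_<tenant.hashCode()>_<lower-cased tenant with everything but a-z0-9 removed>}.
     *
     * @param kibanaIndexName the configured Kibana index name
     * @param tenant          the tenant name, must not be {@code null}
     * @return the tenant index name
     * @throws ElasticsearchException if {@code tenant} is {@code null}
     */
    private String toUserIndexName(String kibanaIndexName, String tenant) {
        if (tenant == null) {
            throw new ElasticsearchException("tenant must not be null here", new Object[0]);
        }
        // NOTE(review): toLowerCase() without a Locale depends on the JVM default locale, so
        // the same tenant can map to different index names on differently configured nodes.
        // Switching to Locale.ROOT would rename indices that already exist, so it needs a
        // migration decision rather than a silent change.
        // NOTE(review): tenant separation rests on String.hashCode() plus the stripped name;
        // hashCode() is not collision resistant, so two distinct tenant names could in
        // principle share an index - confirm tenant names are constrained at creation time.
        String sanitizedTenant = tenant.toLowerCase().replaceAll("[^a-z0-9]+", EMPTY_STRING);
        return kibanaIndexName + "_" + tenant.hashCode() + "_" + sanitizedTenant;
    }

    /**
     * Tells whether the request resolves to exactly one index and that index is
     * {@code kibanaIndexName}, or to exactly one alias and that alias is {@code kibanaIndexName}.
     */
    private boolean resolveToKibanaIndexOrAlias(IndexResolverReplacer.Resolved resolved, String kibanaIndexName) {
        boolean onlyKibanaIndex = resolved.getAllIndices().size() == 1 && resolved.getAllIndices().contains(kibanaIndexName);
        return onlyKibanaIndex || (resolved.getAliases().size() == 1 && resolved.getAliases().contains(kibanaIndexName));
    }
}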
