package com.floragunn.searchguard.privileges;

import com.floragunn.searchguard.GuiceDependencies;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.ClusterInfoHolder;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.privileges.PrivilegesInterceptor;
import com.floragunn.searchguard.privileges.extended_action_handling.ActionConfigRegistry;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.sgconf.DynamicConfigFactory;
import com.floragunn.searchguard.sgconf.DynamicConfigModel;
import com.floragunn.searchguard.sgconf.InternalUsersModel;
import com.floragunn.searchguard.sgconf.SgRoles;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.ReflectionHelper;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsRequest;
import org.elasticsearch.action.admin.indices.resolve.ResolveIndexAction;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.AliasMetadata;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.IndexTemplateMetadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.ImmutableOpenMap;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/privileges/PrivilegesEvaluator.class */
public class PrivilegesEvaluator implements DynamicConfigFactory.DCFListener {
    // Collaborators handed in through the constructor.
    private final ClusterService clusterService;
    private final IndexNameExpressionResolver resolver;
    private final AuditLog auditLog;
    // Taken from the ThreadPool in the constructor; evaluate() reads the remote-address transient from it.
    private ThreadContext threadContext;
    // Re-created on every onChanged(); callers null-check it before use.
    // NOTE(review): privilegesInterceptor, configModel and dcm are assigned in onChanged() and read in
    // evaluate() without volatile or a lock. If those run on different threads, a reader is not
    // guaranteed to see a consistent set of the three. Confirm the threading model.
    private PrivilegesInterceptor privilegesInterceptor;
    // Read from settings in the constructor with a default of true.
    private final boolean checkSnapshotRestoreWritePrivileges;
    private final ClusterInfoHolder clusterInfoHolder;
    // Role and tenant configuration; null until onChanged() has run (see isInitialized()).
    private ConfigModel configModel;
    private final IndexResolverReplacer irr;
    private final SnapshotRestoreEvaluator snapshotRestoreEvaluator;
    private final SearchGuardIndexAccessEvaluator sgIndexAccessEvaluator;
    // Gates the DLS/FLS lookup in evaluate().
    private final boolean enterpriseModulesEnabled;
    // Dynamic configuration (dnfof, multi-rolespan, filtered-alias mode, Kibana settings); null until onChanged().
    private DynamicConfigModel dcm;
    private final SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry;
    private final NamedXContentRegistry namedXContentRegistry;
    // Used by evaluate() to delete the obsolete "tenant_template" index template.
    private final Client localClient;
    // Cached copies of the Kibana settings, refreshed in onChanged().
    private String kibanaServerUsername;
    private String kibanaIndexName;
    protected final Logger log = LogManager.getLogger(getClass());
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    // One-shot latch for the tenant_template clean-up in evaluate(). The check and the set are two
    // separate steps, so two concurrent requests could both pass the check.
    private volatile boolean kibanaIndexTemplateFixApplied = false;
    private final TermsAggregationEvaluator termsAggregationEvaluator = new TermsAggregationEvaluator();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.floragunn.searchguard.privileges.PrivilegesEvaluator$3, reason: invalid class name */
    /* loaded from: input_file:com/floragunn/searchguard/privileges/PrivilegesEvaluator$3.class */
    // Decompiler rendering of the compiler-generated lookup tables behind the two enum switches in
    // evaluateAdditionalIndexPermissions(). Each array is indexed by the enum constant's ordinal and
    // holds the case label used in that switch; slots that are never written keep the default 0,
    // which matches no case there.
    public static /* synthetic */ class AnonymousClass3 {
        // DocWriteRequest.OpType ordinal -> case label (CREATE=1, INDEX=2, DELETE=3, UPDATE=4).
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType;
        // AliasActions.Type ordinal -> case label (REMOVE_INDEX=1).
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type = new int[IndicesAliasesRequest.AliasActions.Type.values().length];

        static {
            // Every assignment is wrapped on its own: if the enum constant is missing at run time the
            // NoSuchFieldError is deliberately ignored and that slot simply stays 0.
            try {
                $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type[IndicesAliasesRequest.AliasActions.Type.REMOVE_INDEX.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType = new int[DocWriteRequest.OpType.values().length];
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.INDEX.ordinal()] = 2;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.DELETE.ordinal()] = 3;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.UPDATE.ordinal()] = 4;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /**
     * Wires the evaluator to its collaborators and builds the two sub-evaluators it owns.
     *
     * <p>No role configuration is available after construction; {@link #isInitialized()} stays
     * {@code false} until {@code onChanged} has delivered one. The configuration repository passed
     * in is not stored by this constructor.
     *
     * @param settings node settings; the snapshot-restore write-privilege check is read from here
     *        and is on unless the setting turns it off
     * @param z stored as {@code enterpriseModulesEnabled}; when {@code true}, {@code evaluate}
     *        computes the DLS/FLS configuration for the request
     */
    public PrivilegesEvaluator(Client client, ClusterService clusterService, ThreadPool threadPool, ConfigurationRepository configurationRepository, IndexNameExpressionResolver indexNameExpressionResolver, AuditLog auditLog, Settings settings, ClusterInfoHolder clusterInfoHolder, IndexResolverReplacer indexResolverReplacer, SpecialPrivilegesEvaluationContextProviderRegistry specialPrivilegesEvaluationContextProviderRegistry, GuiceDependencies guiceDependencies, NamedXContentRegistry namedXContentRegistry, boolean z) {
        // Values derived from the arguments, computed in the same order as before.
        final ThreadContext contextOfPool = threadPool.getThreadContext();
        final boolean restoreNeedsWritePrivileges = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, true);
        final SnapshotRestoreEvaluator restoreEvaluator = new SnapshotRestoreEvaluator(settings, auditLog, guiceDependencies);
        final SearchGuardIndexAccessEvaluator indexAccessEvaluator = new SearchGuardIndexAccessEvaluator(settings, auditLog, indexResolverReplacer);

        // Plain references to injected collaborators.
        this.localClient = client;
        this.clusterService = clusterService;
        this.clusterInfoHolder = clusterInfoHolder;
        this.resolver = indexNameExpressionResolver;
        this.irr = indexResolverReplacer;
        this.auditLog = auditLog;
        this.namedXContentRegistry = namedXContentRegistry;
        this.specialPrivilegesEvaluationContextProviderRegistry = specialPrivilegesEvaluationContextProviderRegistry;

        this.threadContext = contextOfPool;
        this.checkSnapshotRestoreWritePrivileges = restoreNeedsWritePrivileges;
        this.snapshotRestoreEvaluator = restoreEvaluator;
        this.sgIndexAccessEvaluator = indexAccessEvaluator;
        this.enterpriseModulesEnabled = z;
    }

    /**
     * Swaps in a new configuration: the dynamic config model, the role/tenant model, a freshly
     * instantiated privileges interceptor and the cached Kibana server user and index name.
     *
     * <p>The fields are written one after another without synchronisation, so a concurrent
     * {@code evaluate} call could presumably observe a mix of old and new values.
     * NOTE(review): confirm whether callers serialise configuration updates against evaluation.
     *
     * @param configModel the new role and tenant configuration
     * @param dynamicConfigModel the new dynamic configuration
     * @param internalUsersModel not used by this listener
     */
    @Override // com.floragunn.searchguard.sgconf.DynamicConfigFactory.DCFListener
    public void onChanged(ConfigModel configModel, DynamicConfigModel dynamicConfigModel, InternalUsersModel internalUsersModel) {
        // dcm is published before configModel; isInitialized() requires both to be non-null.
        this.dcm = dynamicConfigModel;
        this.configModel = configModel;
        this.privilegesInterceptor = ReflectionHelper.instantiatePrivilegesInterceptorImpl(configModel, dynamicConfigModel);
        this.kibanaServerUsername = dynamicConfigModel.getKibanaServerUsername();
        this.kibanaIndexName = dynamicConfigModel.getKibanaIndexname();
    }

    /**
     * Narrows the configured roles down to the given role names.
     *
     * @param set the role names to keep
     * @return the result of filtering the configured roles by {@code set}
     */
    private SgRoles getSgRoles(Set<String> set) {
        final SgRoles configuredRoles = this.configModel.getSgRoles();
        return configuredRoles.filter(set);
    }

    /**
     * Reports whether a usable configuration has been delivered.
     *
     * @return {@code true} only when the config model, its roles and the dynamic config model are all present
     */
    public boolean isInitialized() {
        if (this.configModel == null) {
            return false;
        }
        if (this.configModel.getSgRoles() == null) {
            return false;
        }
        return this.dcm != null;
    }

    /**
     * Decides whether {@code user} may execute the action named {@code str} for the given request.
     *
     * <p>The checks run in a fixed order and the first one that reaches a verdict returns: bulk
     * shortcut, snapshot-restore and Search Guard index evaluators, cluster-level permission,
     * tenant-level permission, document whitelist header, terms-aggregation evaluator, privileges
     * interceptor, "do not fail on forbidden" (dnfof) index reduction, and finally the index-level
     * permission check. Several branches rewrite {@code actionRequest} in place, so the request
     * that continues down the chain may target fewer indices than the one that was submitted.
     *
     * @param user the user whose roles are evaluated
     * @param str the action name; names starting with {@code internal:indices/admin/upgrade} are
     *        treated as {@code indices:admin/upgrade}
     * @param actionRequest the request being authorised
     * @param task forwarded to the sub-evaluators, the audit log and the recursive resize check
     * @param specialPrivilegesEvaluationContext optional override supplying caller, mapped roles and
     *        role set; when {@code null} the roles are mapped from {@code user} and the remote address
     * @return the response carrying the {@code allowed} verdict and the missing privileges
     * @throws ElasticsearchSecurityException if no configuration has been loaded yet
     * @throws NullPointerException if no special context is given and the thread context holds no
     *         remote address
     */
    public PrivilegesEvaluatorResponse evaluate(User user, String str, ActionRequest actionRequest, Task task, SpecialPrivilegesEvaluationContext specialPrivilegesEvaluationContext) {
        TransportAddress caller;
        Set<String> mappedRoles;
        SgRoles sgRoles;
        // Refuse to evaluate anything before the first configuration has arrived.
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Search Guard is not initialized.", new Object[0]);
        }
        if (str.startsWith("internal:indices/admin/upgrade")) {
            str = "indices:admin/upgrade";
        }
        if (specialPrivilegesEvaluationContext == null) {
            // Normal path: the remote address is mandatory and the roles come from the role mapping.
            caller = (TransportAddress) Objects.requireNonNull((TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS));
            mappedRoles = mapSgRoles(user, caller);
            sgRoles = getSgRoles(mappedRoles);
        } else {
            // Override path: roles are taken verbatim from the supplied context and the role mapping
            // is not consulted. Here the caller may end up null, since no requireNonNull is applied.
            // NOTE(review): who is allowed to supply such a context is not visible in this method.
            caller = specialPrivilegesEvaluationContext.getCaller() != null ? specialPrivilegesEvaluationContext.getCaller() : (TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS);
            mappedRoles = specialPrivilegesEvaluationContext.getMappedRoles();
            sgRoles = specialPrivilegesEvaluationContext.getSgRoles();
        }
        PrivilegesEvaluatorResponse privilegesEvaluatorResponse = new PrivilegesEvaluatorResponse();
        if (this.log.isDebugEnabled()) {
            this.log.debug("### evaluate permissions for {} on {}", user, this.clusterService.localNode().getName());
            this.log.debug("action: " + str + " (" + actionRequest.getClass().getSimpleName() + ")");
            if (specialPrivilegesEvaluationContext != null) {
                this.log.debug("specialPrivilegesEvaluationContext: " + specialPrivilegesEvaluationContext);
            }
        }
        // Bulk shortcut: a BulkRequest without a requested tenant is decided on the cluster-level
        // permission alone; no index is resolved or checked on this path.
        // NOTE(review): presumably the per-item index checks happen later on the BulkShardRequest
        // (see evaluateAdditionalIndexPermissions); confirm.
        if ((actionRequest instanceof BulkRequest) && Strings.isNullOrEmpty(user.getRequestedTenant())) {
            if (sgRoles.impliesClusterPermissionPermission(str)) {
                privilegesEvaluatorResponse.allowed = true;
                return privilegesEvaluatorResponse;
            }
            privilegesEvaluatorResponse.missingPrivileges.add(str);
            privilegesEvaluatorResponse.allowed = false;
            this.log.info("No {}-level perm match for {} [Action [{}]] [RolesChecked {}]", "cluster", user, str, sgRoles.getRoleNames());
            this.log.info("No permissions for {}", privilegesEvaluatorResponse.missingPrivileges);
            return privilegesEvaluatorResponse;
        }
        IndexResolverReplacer.Resolved resolveRequest = this.irr.resolveRequest(actionRequest);
        privilegesEvaluatorResponse.resolved = resolveRequest;
        if (this.log.isDebugEnabled()) {
            this.log.debug("requestedResolved : {}", resolveRequest);
        }
        // Either sub-evaluator may declare the response complete; in that case the method skips
        // everything below and returns the response exactly as the sub-evaluator left it.
        if (!this.snapshotRestoreEvaluator.evaluate(actionRequest, task, str, this.clusterInfoHolder, privilegesEvaluatorResponse).isComplete() && !this.sgIndexAccessEvaluator.evaluate(actionRequest, task, str, resolveRequest, privilegesEvaluatorResponse).isComplete()) {
            boolean isDnfofEnabled = this.dcm.isDnfofEnabled();
            if (this.log.isTraceEnabled()) {
                this.log.trace("dnfof enabled? {}", Boolean.valueOf(isDnfofEnabled));
            }
            // DLS/FLS configuration is attached before any verdict, but only with enterprise modules on.
            if (this.enterpriseModulesEnabled) {
                privilegesEvaluatorResponse.evaluatedDlsFlsConfig = sgRoles.getDlsFls(user, this.resolver, this.clusterService, this.namedXContentRegistry);
            }
            // ---- Cluster-level actions ----
            if (isClusterPerm(str)) {
                if (!sgRoles.impliesClusterPermissionPermission(str)) {
                    privilegesEvaluatorResponse.missingPrivileges.add(str);
                    privilegesEvaluatorResponse.allowed = false;
                    this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", "cluster", user, resolveRequest, str, sgRoles.getRoleNames());
                    this.log.info("No permissions for {}", privilegesEvaluatorResponse.missingPrivileges);
                    return privilegesEvaluatorResponse;
                }
                // A restore request with the write-privilege check enabled is the one cluster action
                // that does not return here; it continues to the index-level checks further down.
                if (!(actionRequest instanceof RestoreSnapshotRequest) || !this.checkSnapshotRestoreWritePrivileges) {
                    if (this.privilegesInterceptor != null) {
                        PrivilegesInterceptor.InterceptionResult replaceKibanaIndex = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, str, user, resolveRequest, sgRoles);
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("Result from privileges interceptor for cluster perm: {}", replaceKibanaIndex);
                        }
                        if (replaceKibanaIndex == PrivilegesInterceptor.InterceptionResult.DENY) {
                            // The denial is audit-logged and the response is returned with `allowed` untouched.
                            // NOTE(review): this relies on PrivilegesEvaluatorResponse starting out as
                            // not allowed; that default is not visible here, so confirm it.
                            this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
                            return privilegesEvaluatorResponse;
                        }
                        if (replaceKibanaIndex == PrivilegesInterceptor.InterceptionResult.ALLOW) {
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                    }
                    // dnfof for cluster-classified read actions: restrict the request to the reduced index set.
                    if (isDnfofEnabled && str.startsWith("indices:data/read/") && !resolveRequest.isAllIndicesEmpty()) {
                        // This inner branch cannot be taken: the enclosing condition already requires
                        // isAllIndicesEmpty() to be false (assuming it returns the same value both times).
                        if (resolveRequest.isAllIndicesEmpty()) {
                            privilegesEvaluatorResponse.missingPrivileges.clear();
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                        // Presumably the subset of the resolved indices the roles permit for this action.
                        Set<String> reduce = sgRoles.reduce(resolveRequest, user, new String[]{str}, this.resolver, this.clusterService);
                        if (reduce.isEmpty()) {
                            privilegesEvaluatorResponse.allowed = false;
                            return privilegesEvaluatorResponse;
                        }
                        // The request's indices are rewritten in place. If replace() reports false, control
                        // falls through and the request is allowed on the cluster permission alone.
                        if (this.irr.replace(actionRequest, true, (String[]) reduce.toArray(new String[0]))) {
                            privilegesEvaluatorResponse.missingPrivileges.clear();
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Allowed because we have cluster permissions for " + str);
                    }
                    privilegesEvaluatorResponse.allowed = true;
                    return privilegesEvaluatorResponse;
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Normally allowed but we need to apply some extra checks for a restore request.");
                }
            }
            // ---- Tenant-level actions ----
            if (isTenantPerm(str)) {
                if (hasTenantPermission(user, sgRoles, str)) {
                    privilegesEvaluatorResponse.allowed = true;
                    return privilegesEvaluatorResponse;
                }
                privilegesEvaluatorResponse.missingPrivileges.add(str);
                privilegesEvaluatorResponse.allowed = false;
                this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", "tenant", user, resolveRequest, str, mappedRoles);
                this.log.info("No permissions for {}", privilegesEvaluatorResponse.missingPrivileges);
                return privilegesEvaluatorResponse;
            }
            // A positive document-whitelist check allows the request without any role check below.
            if (checkDocWhitelistHeader(user, str, actionRequest)) {
                privilegesEvaluatorResponse.allowed = true;
                return privilegesEvaluatorResponse;
            }
            if (this.termsAggregationEvaluator.evaluate(resolveRequest, actionRequest, this.clusterService, user, sgRoles, this.resolver, privilegesEvaluatorResponse).isComplete()) {
                return privilegesEvaluatorResponse;
            }
            // ---- Index-level actions ----
            // The action itself plus whatever further actions the request type implies.
            Set<String> evaluateAdditionalIndexPermissions = evaluateAdditionalIndexPermissions(actionRequest, str);
            String[] strArr = (String[]) evaluateAdditionalIndexPermissions.toArray(new String[0]);
            if (this.log.isDebugEnabled()) {
                this.log.debug("requested {} from {}", evaluateAdditionalIndexPermissions, caller);
            }
            // Start pessimistic: every required action counts as missing until a branch below clears it.
            privilegesEvaluatorResponse.missingPrivileges.clear();
            privilegesEvaluatorResponse.missingPrivileges.addAll(evaluateAdditionalIndexPermissions);
            if (this.log.isDebugEnabled()) {
                this.log.debug("requested resolved indextypes: {}", resolveRequest);
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("sgr: {}", sgRoles.getRoleNames());
            }
            // One-time clean-up, triggered by the Kibana server user resizing from a
            // "<kibanaIndex>..._reindex_temp" source or creating an index under the Kibana index name.
            // The latch is set before the template is looked up, so the lookup happens at most once
            // per evaluator instance (apart from the check-then-set race on the latch itself).
            if (!this.kibanaIndexTemplateFixApplied && user.getName().equals(this.kibanaServerUsername) && (((actionRequest instanceof ResizeRequest) && ((ResizeRequest) actionRequest).getSourceIndex().startsWith(this.kibanaIndexName) && ((ResizeRequest) actionRequest).getSourceIndex().endsWith("_reindex_temp")) || ((actionRequest instanceof CreateIndexRequest) && ((CreateIndexRequest) actionRequest).index().startsWith(this.kibanaIndexName)))) {
                this.kibanaIndexTemplateFixApplied = true;
                IndexTemplateMetadata indexTemplateMetadata = (IndexTemplateMetadata) this.clusterService.state().getMetadata().getTemplates().get("tenant_template");
                if (indexTemplateMetadata != null && indexTemplateMetadata.patterns().size() > 0 && ((String) indexTemplateMetadata.patterns().get(0)).startsWith(this.kibanaIndexName)) {
                    // The filter deletes "tenant_template" through the local client and then lets the
                    // original request proceed whether or not the deletion succeeded.
                    // NOTE(review): adding the filter does not decide the request; the checks below still run.
                    privilegesEvaluatorResponse.addAdditionalActionFilter(new ActionFilter() { // from class: com.floragunn.searchguard.privileges.PrivilegesEvaluator.1
                        public int order() {
                            return 0;
                        }

                        public <Request extends ActionRequest, Response extends ActionResponse> void apply(final Task task2, final String str2, final Request request, final ActionListener<Response> actionListener, final ActionFilterChain<Request, Response> actionFilterChain) {
                            PrivilegesEvaluator.this.localClient.admin().indices().deleteTemplate(new DeleteIndexTemplateRequest("tenant_template"), new ActionListener<AcknowledgedResponse>() { // from class: com.floragunn.searchguard.privileges.PrivilegesEvaluator.1.1
                                public void onResponse(AcknowledgedResponse acknowledgedResponse) {
                                    PrivilegesEvaluator.this.log.info("Deleted obsolete tenant_template");
                                    actionFilterChain.proceed(task2, str2, request, actionListener);
                                }

                                public void onFailure(Exception exc) {
                                    // Best effort: a failed deletion is logged and the request continues.
                                    PrivilegesEvaluator.this.log.error("Error while deleting tenant_template. Ignoring.", exc);
                                    actionFilterChain.proceed(task2, str2, request, actionListener);
                                }
                            });
                        }
                    });
                }
            }
            if (this.privilegesInterceptor != null) {
                PrivilegesInterceptor.InterceptionResult replaceKibanaIndex2 = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, str, user, resolveRequest, sgRoles);
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Result from privileges interceptor: {}", replaceKibanaIndex2);
                }
                if (replaceKibanaIndex2 == PrivilegesInterceptor.InterceptionResult.DENY) {
                    // Same pattern as the cluster branch: audit-logged, `allowed` left at its initial value.
                    this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
                    return privilegesEvaluatorResponse;
                }
                if (replaceKibanaIndex2 == PrivilegesInterceptor.InterceptionResult.ALLOW) {
                    privilegesEvaluatorResponse.allowed = true;
                    return privilegesEvaluatorResponse;
                }
            }
            // dnfof for index-level actions: reads, field-mapping gets, search_shards and resolve/index.
            if (isDnfofEnabled && (str.startsWith("indices:data/read/") || str.startsWith("indices:admin/mappings/fields/get") || str.equals("indices:admin/shards/search_shards") || str.equals("indices:admin/resolve/index"))) {
                if (resolveRequest.isAllIndicesEmpty()) {
                    privilegesEvaluatorResponse.missingPrivileges.clear();
                    privilegesEvaluatorResponse.allowed = true;
                    return privilegesEvaluatorResponse;
                }
                Set<String> reduce2 = sgRoles.reduce(resolveRequest, user, strArr, this.resolver, this.clusterService);
                if (reduce2.isEmpty()) {
                    // Nothing is left after the reduction. With "dnfof for empty results" enabled, the
                    // four request types below are rewritten to name no indices and are then allowed;
                    // any other request type is denied.
                    if (this.dcm.isDnfofForEmptyResultsEnabled()) {
                        if (actionRequest instanceof SearchRequest) {
                            ((SearchRequest) actionRequest).indices(new String[0]);
                            ((SearchRequest) actionRequest).indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
                            privilegesEvaluatorResponse.missingPrivileges.clear();
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                        if (actionRequest instanceof ClusterSearchShardsRequest) {
                            ((ClusterSearchShardsRequest) actionRequest).indices(new String[0]);
                            ((ClusterSearchShardsRequest) actionRequest).indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
                            privilegesEvaluatorResponse.missingPrivileges.clear();
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                        if (actionRequest instanceof GetFieldMappingsRequest) {
                            ((GetFieldMappingsRequest) actionRequest).indices(new String[0]);
                            ((GetFieldMappingsRequest) actionRequest).indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
                            privilegesEvaluatorResponse.missingPrivileges.clear();
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                        if (actionRequest instanceof ResolveIndexAction.Request) {
                            // Unlike the three cases above, no IndicesOptions are set on this request.
                            ((ResolveIndexAction.Request) actionRequest).indices(new String[0]);
                            privilegesEvaluatorResponse.missingPrivileges.clear();
                            privilegesEvaluatorResponse.allowed = true;
                            return privilegesEvaluatorResponse;
                        }
                    }
                    privilegesEvaluatorResponse.allowed = false;
                    return privilegesEvaluatorResponse;
                }
                // If replace() reports false the request is not allowed here; it falls through to the
                // regular index-level permission check with its original indices.
                if (this.irr.replace(actionRequest, true, (String[]) reduce2.toArray(new String[0]))) {
                    privilegesEvaluatorResponse.missingPrivileges.clear();
                    privilegesEvaluatorResponse.allowed = true;
                    return privilegesEvaluatorResponse;
                }
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("sgr2: {}", sgRoles.getRoleNames());
            }
            // Final index-level decision; the multi-rolespan setting selects which SgRoles check is used.
            boolean impliesTypePermGlobal = this.dcm.isMultiRolespanEnabled() ? sgRoles.impliesTypePermGlobal(resolveRequest, user, strArr, this.resolver, this.clusterService) : sgRoles.get(resolveRequest, user, strArr, this.resolver, this.clusterService);
            if (impliesTypePermGlobal && (actionRequest instanceof ResizeRequest)) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Checking additional create index action for resize operation: " + actionRequest);
                }
                // A permitted resize must also pass a full evaluation of "indices:admin/create" on its
                // target index request; a denial there is returned as the overall result.
                PrivilegesEvaluatorResponse evaluate = evaluate(user, "indices:admin/create", ((ResizeRequest) actionRequest).getTargetIndexRequest(), task, specialPrivilegesEvaluationContext);
                if (!evaluate.allowed) {
                    return evaluate;
                }
            }
            if (!impliesTypePermGlobal) {
                // NOTE(review): the "{}-level" label is filled from SEARCHGUARD_AUDIT_ES_INDEX. This looks
                // like the decompiler substituting a constant for an equal string literal; confirm the
                // constant's value before relying on this log line.
                this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", ConfigConstants.SEARCHGUARD_AUDIT_ES_INDEX, user, resolveRequest, str, sgRoles.getRoleNames());
                this.log.info("No permissions for {}", privilegesEvaluatorResponse.missingPrivileges);
            } else {
                // Even with the permission, the request is denied when checkFilteredAliases() objects.
                if (checkFilteredAliases(resolveRequest, str)) {
                    privilegesEvaluatorResponse.allowed = false;
                    return privilegesEvaluatorResponse;
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Allowed because we have all indices permissions for " + str);
                }
            }
            privilegesEvaluatorResponse.allowed = impliesTypePermGlobal;
            return privilegesEvaluatorResponse;
        }
        return privilegesEvaluatorResponse;
    }

    /**
     * Maps a user and the address the request came from to Search Guard role names.
     *
     * @param user the user to map
     * @param transportAddress the caller's address, passed through to the config model
     * @return the role names produced by the current config model
     */
    public Set<String> mapSgRoles(User user, TransportAddress transportAddress) {
        final Set<String> roleNames = this.configModel.mapSgRoles(user, transportAddress);
        return roleNames;
    }

    /**
     * Lists the tenant names known to the current config model.
     *
     * @return the tenant names as reported by the config model
     */
    public Set<String> getAllConfiguredTenantNames() {
        final Set<String> tenantNames = this.configModel.getAllConfiguredTenantNames();
        return tenantNames;
    }

    /**
     * Reports whether Kibana multitenancy is in effect.
     *
     * @return {@code true} only when a privileges interceptor is present and the dynamic
     *         configuration has Kibana multitenancy enabled
     */
    public boolean multitenancyEnabled() {
        if (this.privilegesInterceptor == null) {
            // Without an interceptor the dynamic configuration is not consulted at all.
            return false;
        }
        return this.dcm.isKibanaMultitenancyEnabled();
    }

    /**
     * Reports whether "do not fail on forbidden" is enabled and a privileges interceptor is present.
     *
     * <p>Note that {@code evaluate} consults the dnfof setting of the dynamic configuration directly,
     * without the interceptor condition, so this method can return {@code false} while
     * {@code evaluate} still applies dnfof.
     *
     * @return {@code true} only when an interceptor exists and dnfof is enabled
     */
    public boolean notFailOnForbiddenEnabled() {
        if (this.privilegesInterceptor == null) {
            return false;
        }
        return this.dcm.isDnfofEnabled();
    }

    /**
     * Returns the Kibana index name from the current dynamic configuration.
     *
     * <p>The value is read from the dynamic configuration on every call rather than from the
     * copy cached in {@code onChanged}.
     *
     * @return the configured Kibana index name
     */
    public String kibanaIndex() {
        final String configuredIndexName = this.dcm.getKibanaIndexname();
        return configuredIndexName;
    }

    /**
     * Returns the Kibana server user name from the current dynamic configuration.
     *
     * <p>The value is read from the dynamic configuration on every call rather than from the
     * copy cached in {@code onChanged}.
     *
     * @return the configured Kibana server user name
     */
    public String kibanaServerUsername() {
        final String configuredUsername = this.dcm.getKibanaServerUsername();
        return configuredUsername;
    }

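    /**
     * Collects every index-level action the roles must grant for this request.
     *
     * <p>The set starts with the requested action (unless it is classified as a cluster action) and
     * grows with the actions the request type implies: a search for search-shards requests, the
     * matching write action for each item of a shard-level bulk request, index deletion for alias
     * requests that remove an index, alias administration for index creation with aliases, and the
     * configured write privileges for snapshot restores when that check is enabled.
     *
     * <p>The enum switches are written directly on the enum instead of going through the
     * decompiler's {@code AnonymousClass3} lookup tables, and the set is typed instead of raw.
     * An enum value without a case adds nothing, exactly as before.
     *
     * @param actionRequest the request being authorised
     * @param str the action name
     * @return an unmodifiable set of required action names
     */
    private Set<String> evaluateAdditionalIndexPermissions(ActionRequest actionRequest, String str) {
        final Set<String> required = new HashSet<String>();
        if (!isClusterPerm(str)) {
            required.add(str);
        }
        if (actionRequest instanceof ClusterSearchShardsRequest) {
            required.add("indices:data/read/search");
        }
        if (actionRequest instanceof BulkShardRequest) {
            // Each bulk item is authorised under the write action that matches its operation type.
            for (BulkItemRequest item : ((BulkShardRequest) actionRequest).items()) {
                switch (item.request().opType()) {
                    case CREATE:
                    case INDEX:
                        required.add("indices:data/write/index");
                        break;
                    case DELETE:
                        required.add("indices:data/write/delete");
                        break;
                    case UPDATE:
                        required.add("indices:data/write/update");
                        break;
                    default:
                        break;
                }
            }
        }
        if (actionRequest instanceof IndicesAliasesRequest) {
            // An alias request can delete whole indices, which needs the delete privilege as well.
            for (IndicesAliasesRequest.AliasActions aliasAction : ((IndicesAliasesRequest) actionRequest).getAliasActions()) {
                switch (aliasAction.actionType()) {
                    case REMOVE_INDEX:
                        required.add("indices:admin/delete");
                        break;
                    default:
                        break;
                }
            }
        }
        if (actionRequest instanceof CreateIndexRequest) {
            CreateIndexRequest createIndexRequest = (CreateIndexRequest) actionRequest;
            if (createIndexRequest.aliases() != null && !createIndexRequest.aliases().isEmpty()) {
                required.add("indices:admin/aliases");
            }
        }
        if ((actionRequest instanceof RestoreSnapshotRequest) && this.checkSnapshotRestoreWritePrivileges) {
            required.addAll(ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES);
        }
        // Only worth logging when something beyond a single action is required.
        if (this.actionTrace.isTraceEnabled() && required.size() > 1) {
            this.actionTrace.trace("Additional permissions required: " + required);
        }
        if (this.log.isDebugEnabled() && required.size() > 1) {
            this.log.debug("Additional permissions required: " + required);
        }
        return Collections.unmodifiableSet(required);
    }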

    /**
     * Classifies an action name as cluster-level.
     *
     * <p>The result selects which permission check {@code evaluate} applies, so every name matched
     * here is authorised against cluster permissions rather than per index. Tenant actions are
     * excluded first, although they also start with {@code cluster:}.
     *
     * @param str the action name
     * @return {@code true} if the name matches one of the built-in prefixes or exact names, or the
     *         action config registry reports it as a cluster action
     */
    public static boolean isClusterPerm(String str) {
        if (isTenantPerm(str)) {
            return false;
        }
        final boolean matchesBuiltInPrefix = str.startsWith("searchguard:cluster:")
                || str.startsWith("cluster:")
                || str.startsWith("indices:admin/template/")
                || str.startsWith("indices:admin/index_template/")
                || str.startsWith("indices:data/read/scroll");
        if (matchesBuiltInPrefix) {
            return true;
        }
        final boolean matchesBuiltInName = str.equals("indices:data/write/bulk")
                || str.equals("indices:data/read/mget")
                || str.equals("indices:data/read/msearch")
                || str.equals("indices:data/read/mtv")
                || str.equals("indices:data/write/reindex")
                || str.equals("indices:data/read/search/template")
                || str.equals("indices:data/read/msearch/template");
        if (matchesBuiltInName) {
            return true;
        }
        // The registry is consulted last, only when no built-in rule matched.
        return ActionConfigRegistry.INSTANCE.isClusterAction(str);
    }

    /**
     * Classifies an action name as tenant-level.
     *
     * @param str the action name
     * @return {@code true} if the name starts with the tenant action prefix
     */
    public static boolean isTenantPerm(String str) {
        final String tenantActionPrefix = "cluster:admin:searchguard:tenant:";
        return str.startsWith(tenantActionPrefix);
    }

    /**
     * Classifies an action name as index-level, meaning neither cluster-level nor tenant-level.
     *
     * @param str the action name
     * @return {@code true} if the name is neither a cluster action nor a tenant action
     */
    public static boolean isIndexPerm(String str) {
        return !isClusterPerm(str) && !isTenantPerm(str);
    }

    /* JADX WARN: Multi-variable type inference failed */
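    /**
     * Detects indices that carry more than one filtered alias.
     *
     * <p>The check only runs when the filtered-alias mode is {@code "disallow"} and the action
     * matches {@code indices:data/read/*search*}; otherwise it reports {@code false} immediately.
     * {@code evaluate} denies the request when this method returns {@code true}.
     *
     * <p>Resolved index names that are missing from the cluster metadata are skipped with a debug
     * message. The raw collection types left by the decompiler are replaced with typed ones; the
     * checks themselves and all log messages are unchanged.
     *
     * @param resolved the indices the request resolved to
     * @param str the action name
     * @return {@code true} if some inspected index has more than one filtered alias
     */
    private boolean checkFilteredAliases(IndexResolverReplacer.Resolved resolved, String str) {
        if (!"disallow".equals(this.dcm.getFilteredAliasMode()) || !WildcardMatcher.match("indices:data/read/*search*", str)) {
            return false;
        }
        final Iterable<IndexMetadata> candidates;
        if (resolved.isLocalAll()) {
            // All local indices: iterate the cluster metadata lazily instead of copying it.
            candidates = new Iterable<IndexMetadata>() {
                @Override
                public Iterator<IndexMetadata> iterator() {
                    return PrivilegesEvaluator.this.clusterService.state().getMetadata().getIndices().valuesIt();
                }
            };
        } else {
            final Set<IndexMetadata> known = new HashSet<IndexMetadata>(resolved.getAllIndices().size());
            for (String indexName : resolved.getAllIndices()) {
                final IndexMetadata metadata = this.clusterService.state().getMetadata().getIndices().get(indexName);
                if (metadata == null) {
                    this.log.debug("{} does not exist in cluster metadata", indexName);
                } else {
                    known.add(metadata);
                }
            }
            candidates = known;
        }
        for (IndexMetadata metadata : candidates) {
            final List<AliasMetadata> filteredAliases = new ArrayList<AliasMetadata>();
            final ImmutableOpenMap<String, AliasMetadata> aliases = metadata.getAliases();
            if (aliases != null && aliases.size() > 0) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Aliases for {}: {}", metadata.getIndex().getName(), aliases);
                }
                final Iterator<String> aliasNames = aliases.keysIt();
                while (aliasNames.hasNext()) {
                    final String aliasName = aliasNames.next();
                    final AliasMetadata alias = aliases.get(aliasName);
                    if (alias != null && alias.filteringRequired()) {
                        filteredAliases.add(alias);
                        if (this.log.isDebugEnabled()) {
                            this.log.debug(aliasName + " is a filtered alias " + alias.getFilter());
                        }
                    } else if (this.log.isDebugEnabled()) {
                        this.log.debug(aliasName + " is not an alias or does not have a filter");
                    }
                }
            }
            // The first index with several filtered aliases ends the scan.
            if (filteredAliases.size() > 1) {
                this.log.error("More than one ({}) filtered alias found for same index ({}). This is currently not supported. Aliases: {}", Integer.valueOf(filteredAliases.size()), metadata.getIndex().getName(), toString(filteredAliases));
                return true;
            }
        }
        return false;
    }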

    /**
     * Collects the alias names of the given alias metadata entries.
     *
     * @param list the entries to convert; may be {@code null} or empty, and may contain
     *     {@code null} elements, which are skipped
     * @return an unmodifiable list of alias names in iteration order; an empty list when
     *     {@code list} is {@code null} or empty
     */
    private List<String> toString(List<AliasMetadata> list) {
        if (list == null || list.isEmpty()) {
            return Collections.emptyList();
        }
        final List<String> names = new ArrayList<>(list.size());
        for (AliasMetadata entry : list) {
            if (entry == null) {
                continue;
            }
            names.add(entry.alias());
        }
        return Collections.unmodifiableList(names);
    }

    /**
     * Maps the configured tenants for a user, based on the given role names.
     *
     * <p>The work is delegated to the {@link SgRoles} obtained for {@code set}, which is handed
     * the user and all tenant names known to the current configuration model.
     *
     * @param user the user to map tenants for
     * @param set the role names used to look up the roles (presumably the user's mapped
     *     roles; confirm against callers)
     * @return the tenant map produced by {@code SgRoles.mapTenants}; the meaning of the boolean
     *     values is defined there
     */
    public Map<String, Boolean> mapTenants(User user, Set<String> set) {
        final SgRoles roles = getSgRoles(set);
        return roles.mapTenants(user, this.configModel.getAllConfiguredTenantNames());
    }

    /**
     * Checks a list of privileges against the user's cluster permissions and the permissions
     * of the tenant the user requested.
     *
     * <p>The tenant is taken from {@code getRequestedTenant(user)}. If the configuration model
     * does not consider that tenant valid, the attempt is logged at info level and only the
     * cluster permissions are used; no tenant permissions are granted in that case.
     *
     * @param user the user to evaluate; {@code null} yields an empty result
     * @param transportAddress the caller address used when mapping the user's roles
     * @param collection the privileges to check; {@code null} or empty yields an empty result
     * @return an unmodifiable map from each requested privilege to whether it is matched by the
     *     collected permissions; an empty map when there is nothing to check
     */
    public Map<String, Boolean> evaluateClusterAndTenantPrivileges(User user, TransportAddress transportAddress, Collection<String> collection) {
        final boolean nothingToCheck = collection == null || collection.isEmpty() || user == null;
        if (nothingToCheck) {
            this.log.debug("Privileges or user empty");
            return Collections.emptyMap();
        }

        final SgRoles roles = getSgRoles(mapSgRoles(user, transportAddress));
        final String tenant = getRequestedTenant(user);
        final Set<String> granted = new HashSet<>();

        if (!this.configModel.isTenantValid(tenant)) {
            // Unknown tenant: contribute no tenant permissions, cluster permissions still apply.
            this.log.info("Invalid tenant: " + tenant + "; user: " + user);
        } else {
            granted.addAll(roles.getTenantPermissions(user, tenant).getPermissions());
        }
        granted.addAll(roles.getClusterPermissions(user));

        return matchPrivileges(granted, collection);
    }

    /**
     * Decides, for each requested privilege, whether the granted permission patterns cover it.
     *
     * @param set the granted permission patterns; {@code null} or empty means nothing is
     *     granted, so every requested privilege maps to {@code false}
     * @param collection the privileges to check; must not be {@code null}
     * @return an unmodifiable map from each requested privilege to the result of
     *     {@code WildcardMatcher.matchAny(set, privilege)}
     */
    private Map<String, Boolean> matchPrivileges(Set<String> set, Collection<String> collection) {
        // Supplier form: the message is only built when debug logging is enabled.
        this.log.debug(() -> "Check " + set + " against " + collection);

        final boolean nothingGranted = set == null || set.isEmpty();
        final Map<String, Boolean> verdicts = new HashMap<>();
        for (String privilege : collection) {
            verdicts.put(privilege, nothingGranted ? Boolean.FALSE : Boolean.valueOf(WildcardMatcher.matchAny(set, privilege)));
        }
        return Collections.unmodifiableMap(verdicts);
    }

    /**
     * Checks whether the user holds a permission in the tenant they requested.
     *
     * <p>An absent or empty requested tenant is treated as {@code SGS_GLOBAL_TENANT}. The check
     * fails closed in two cases: multitenancy is disabled and a tenant other than the global one
     * was requested, or the configuration model does not consider the tenant valid (this case is
     * logged at info level).
     *
     * @param user the user whose requested tenant is evaluated
     * @param sgRoles the roles that answer the permission question
     * @param str the permission (action name) to check
     * @return {@code true} only if the tenant is acceptable and {@code sgRoles} grants the
     *     permission for it
     */
    private boolean hasTenantPermission(User user, SgRoles sgRoles, String str) {
        final String fromUser = user.getRequestedTenant();
        final String tenant = Strings.isNullOrEmpty(fromUser) ? "SGS_GLOBAL_TENANT" : fromUser;

        // With multitenancy off, only the global tenant is acceptable.
        if (!(multitenancyEnabled() || "SGS_GLOBAL_TENANT".equals(tenant))) {
            return false;
        }
        if (!this.configModel.isTenantValid(tenant)) {
            this.log.info("Invalid tenant: " + tenant + "; user: " + user);
            return false;
        }
        return sgRoles.hasTenantPermission(user, tenant, str);
    }

    /**
     * Resolves the tenant to use for a user.
     *
     * <p>Unlike {@code hasTenantPermission}, a non-global tenant requested while multitenancy is
     * disabled is not rejected here; it is silently replaced by the global tenant.
     *
     * @param user the user whose requested tenant is read
     * @return the user's requested tenant when it is non-empty and multitenancy is enabled,
     *     otherwise {@code SGS_GLOBAL_TENANT}
     */
    private String getRequestedTenant(User user) {
        final String requested = user.getRequestedTenant();
        if (Strings.isNullOrEmpty(requested)) {
            return "SGS_GLOBAL_TENANT";
        }
        return multitenancyEnabled() ? requested : "SGS_GLOBAL_TENANT";
    }

    /**
     * Checks whether a user holds the given cluster permission.
     *
     * <p>Two paths exist. Without a special privileges evaluation context, the user's roles are
     * mapped using the remote address stored in the thread context; that address is required,
     * and its absence raises a {@link NullPointerException} instead of yielding a decision. With
     * a special context, the roles supplied by that context are used as-is.
     *
     * @param user the user to evaluate
     * @param str the cluster permission (action name) to check
     * @return the result of {@code SgRoles.impliesClusterPermissionPermission(str)} for the
     *     roles selected as described above
     * @throws NullPointerException if no special context applies and the thread context holds
     *     no remote address
     */
    public boolean hasClusterPermission(User user, String str) {
        final SpecialPrivilegesEvaluationContext special = this.specialPrivilegesEvaluationContextProviderRegistry.provide(user, this.threadContext);

        if (special == null) {
            final TransportAddress remoteAddress = (TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS);
            return getSgRoles(mapSgRoles(user, Objects.requireNonNull(remoteAddress))).impliesClusterPermissionPermission(str);
        }

        // NOTE(review): in this listing the context's user, caller and mapped roles are fetched
        // but never consulted; only getSgRoles() influences the result. The calls are kept so the
        // sequence of invocations on the context is unchanged - confirm whether they are needed.
        user = special.getUser();
        final TransportAddress caller = special.getCaller() != null ? special.getCaller() : (TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS);
        special.getMappedRoles();

        final SgRoles roles = special.getSgRoles();
        return roles.impliesClusterPermissionPermission(str);
    }

    /**
     * Checks whether a get request targets a document that the document-whitelist header allows.
     *
     * <p>The whitelist is read from the thread context header named by
     * {@code ConfigConstants.SG_DOC_WHITELST_HEADER} and is honoured only for {@link GetRequest}s.
     * Any failure while parsing or evaluating the header is logged and treated as "not
     * whitelisted", so errors never widen access.
     *
     * <p>NOTE(review): this method trusts the header value as found in the thread context and
     * does not verify where it came from. Confirm that the header can only be set by trusted
     * code and is not copied from client-supplied request headers. The error log also records
     * the raw header value.
     *
     * @param user not used by this method
     * @param str not used by this method
     * @param actionRequest the request under evaluation
     * @return {@code true} if the header is present, the request is a {@link GetRequest} and its
     *     index and id are whitelisted; {@code false} in every other case, including errors
     */
    private boolean checkDocWhitelistHeader(User user, String str, ActionRequest actionRequest) {
        final String header = this.threadContext.getHeader(ConfigConstants.SG_DOC_WHITELST_HEADER);
        if (header == null) {
            return false;
        }
        if (!(actionRequest instanceof GetRequest)) {
            return false;
        }

        try {
            final DocumentWhitelist whitelist = DocumentWhitelist.parse(header);
            final GetRequest get = (GetRequest) actionRequest;
            final boolean listed = whitelist.isWhitelisted(get.index(), get.id());
            if (listed && this.log.isDebugEnabled()) {
                this.log.debug("Request " + actionRequest + " is whitelisted by " + whitelist);
            }
            return listed;
        } catch (Exception e) {
            // Fail closed: a header that cannot be handled grants nothing.
            this.log.error("Error while handling document whitelist: " + header, e);
            return false;
        }
    }

    /**
     * Reports whether Kibana RBAC is enabled, as stated by the dynamic configuration model.
     *
     * @return the value of {@code dcm.isKibanaRbacEnabled()}
     */
    public boolean isKibanaRbacEnabled() {
        final boolean enabled = this.dcm.isKibanaRbacEnabled();
        return enabled;
    }
}
