package com.floragunn.searchguard.privileges;

import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.SgRoles;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import java.io.Serializable;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsRequest;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/privileges/DlsFlsEvaluator.class */
public class DlsFlsEvaluator {
    protected final Logger log = LogManager.getLogger(getClass());
    private final ThreadPool threadPool;

    public DlsFlsEvaluator(Settings settings, ThreadPool threadPool) {
        this.threadPool = threadPool;
    }

    public PrivilegesEvaluatorResponse evaluate(ActionRequest actionRequest, ClusterService clusterService, IndexNameExpressionResolver indexNameExpressionResolver, IndexResolverReplacer.Resolved resolved, User user, SgRoles sgRoles, PrivilegesEvaluatorResponse privilegesEvaluatorResponse) {
        ThreadContext threadContext = this.threadPool.getThreadContext();
        Map<String, Set<String>> maskedFields = sgRoles.getMaskedFields(user, indexNameExpressionResolver, clusterService);
        if (maskedFields != null && !maskedFields.isEmpty()) {
            if ((actionRequest instanceof ClusterSearchShardsRequest) && HeaderHelper.isTrustedClusterRequest(threadContext)) {
                threadContext.addResponseHeader(ConfigConstants.SG_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFields));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("added response header for masked fields info: {}", maskedFields);
                }
            } else if (threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER) == null) {
                threadContext.putHeader(ConfigConstants.SG_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFields));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach masked fields info: {}", maskedFields);
                }
            } else {
                if (!maskedFields.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER)))) {
                    throw new ElasticsearchSecurityException("_sg_masked_fields does not match (SG 901D)", new Object[0]);
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("_sg_masked_fields already set");
                }
            }
            privilegesEvaluatorResponse.maskedFields = new HashMap(maskedFields);
            if (!resolved.isLocalAll() && !resolved.getAllIndices().isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it = privilegesEvaluatorResponse.maskedFields.entrySet().iterator();
                while (it.hasNext()) {
                    if (!WildcardMatcher.matchAny(it.next().getKey(), (Collection<String>) resolved.getAllIndices(), false)) {
                        it.remove();
                    }
                }
            }
        }
        Tuple<Map<String, Set<String>>, Map<String, Set<String>>> dlsFls = sgRoles.getDlsFls(user, indexNameExpressionResolver, clusterService);
        Map map = (Map) dlsFls.v1();
        Map map2 = (Map) dlsFls.v2();
        if (!map.isEmpty()) {
            if ((actionRequest instanceof ClusterSearchShardsRequest) && HeaderHelper.isTrustedClusterRequest(threadContext)) {
                threadContext.addResponseHeader(ConfigConstants.SG_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) map));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("added response header for DLS info: {}", map);
                }
            } else if (threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER) == null) {
                threadContext.putHeader(ConfigConstants.SG_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) map));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach DLS info: {}", map);
                }
            } else if (!map.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER)))) {
                throw new ElasticsearchSecurityException("_sg_dls_query does not match (SG 900D)", new Object[0]);
            }
            privilegesEvaluatorResponse.queries = new HashMap(map);
            if (!resolved.isLocalAll() && !resolved.getAllIndices().isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it2 = privilegesEvaluatorResponse.queries.entrySet().iterator();
                while (it2.hasNext()) {
                    if (!WildcardMatcher.matchAny(it2.next().getKey(), (Collection<String>) resolved.getAllIndices(), false)) {
                        it2.remove();
                    }
                }
            }
        }
        if (!map2.isEmpty()) {
            if ((actionRequest instanceof ClusterSearchShardsRequest) && HeaderHelper.isTrustedClusterRequest(threadContext)) {
                threadContext.addResponseHeader(ConfigConstants.SG_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) map2));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("added response header for FLS info: {}", map2);
                }
            } else if (threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER) == null) {
                threadContext.putHeader(ConfigConstants.SG_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) map2));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach FLS info: {}", map2);
                }
            } else {
                if (!map2.equals(Base64Helper.deserializeObject(threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER)))) {
                    throw new ElasticsearchSecurityException("_sg_fls_fields does not match (SG 901D)", new Object[0]);
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("_sg_fls_fields already set");
                }
            }
            privilegesEvaluatorResponse.allowedFlsFields = new HashMap(map2);
            if (!resolved.isLocalAll() && !resolved.getAllIndices().isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it3 = privilegesEvaluatorResponse.allowedFlsFields.entrySet().iterator();
                while (it3.hasNext()) {
                    if (!WildcardMatcher.matchAny(it3.next().getKey(), (Collection<String>) resolved.getAllIndices(), false)) {
                        it3.remove();
                    }
                }
            }
        }
        return privilegesEvaluatorResponse;
    }
}
