package com.floragunn.searchguard.filter;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.DlsFlsRequestValve;
import com.floragunn.searchguard.configuration.PrivilegesEvaluator;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.User;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/filter/SearchGuardFilter.class */
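/**
 * Action filter that decides, for every action passing through the filter chain, whether the
 * request may proceed, based on the user stored in the thread context.
 *
 * <p>Decision order, as implemented in {@link #apply}:
 * <ol>
 *   <li>Admin users, inter-cluster requests and config requests bypass privilege evaluation.</li>
 *   <li>Requests attributed to {@code User.SG_INTERNAL} may only run actions matching
 *       {@link #INTERNAL_ACTION_PREFIXES}; everything else is rejected and audited.</li>
 *   <li>All other requests are rejected until the privileges evaluator is initialized, and
 *       afterwards only proceed if the evaluator grants the action.</li>
 * </ol>
 *
 * <p>Every rejection is delivered through {@code ActionListener.onFailure}; the chain is never
 * continued for a rejected request.
 */
public class SearchGuardFilter implements ActionFilter {
    /**
     * Action-name prefixes that a request without an authenticated user and without a remote
     * address (treated as node-internal) is allowed to execute. Matching is by prefix, so each
     * entry also admits every longer action name that starts with it.
     */
    private static final String[] INTERNAL_ACTION_PREFIXES = {
        "internal:gateway",
        "cluster:monitor/",
        "indices:monitor/",
        "cluster:admin/reroute",
        "indices:admin/mapping/put",
        "internal:cluster/nodes/indices/shard/store",
        "indices:admin/exists"
    };

    protected final Logger log = LogManager.getLogger(getClass());
    private final PrivilegesEvaluator evalp;
    private final Settings settings;
    private final AdminDNs adminDns;
    private final DlsFlsRequestValve dlsFlsValve;
    private final AuditLog auditLog;
    private final ThreadContext threadContext;

    /**
     * Creates the filter.
     *
     * @param settings node settings (stored, not read by this class)
     * @param privilegesEvaluator evaluator consulted for non-privileged requests
     * @param adminDNs admin DN configuration passed to the admin check
     * @param dlsFlsRequestValve valve invoked before a permitted request continues down the chain
     * @param auditLog sink for authenticated, failed-login and missing-privilege events
     * @param threadPool source of the thread context the user and headers are read from
     */
    public SearchGuardFilter(Settings settings, PrivilegesEvaluator privilegesEvaluator, AdminDNs adminDNs, DlsFlsRequestValve dlsFlsRequestValve, AuditLog auditLog, ThreadPool threadPool) {
        this.settings = settings;
        this.evalp = privilegesEvaluator;
        this.adminDns = adminDNs;
        this.dlsFlsValve = dlsFlsRequestValve;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
    }

    /**
     * Returns the lowest possible order value.
     * NOTE(review): presumably this places the filter first in the chain so nothing runs before
     * the authorization decision; confirm against how the chain sorts filters.
     *
     * @return {@code Integer.MIN_VALUE}
     */
    public int order() {
        return Integer.MIN_VALUE;
    }

    /**
     * Authorizes one action and either continues the chain or fails the listener.
     *
     * @param task the task the action runs under, passed through unchanged
     * @param str the action name (for example {@code cluster:monitor/...})
     * @param actionRequest the request being authorized
     * @param actionListener receives an {@link ElasticsearchSecurityException} on rejection
     * @param actionFilterChain continued only when the request is permitted
     */
    public void apply(Task task, String str, ActionRequest actionRequest, ActionListener actionListener, ActionFilterChain actionFilterChain) {
        User user = (User) this.threadContext.getTransient(ConfigConstants.SG_USER);
        // No user and no remote address: the request is treated as node-internal and is limited
        // to the prefix allowlist further down.
        if (user == null && actionRequest.remoteAddress() == null) {
            user = User.SG_INTERNAL;
        }

        final boolean userIsAdmin = isUserAdmin(user, this.adminDns);
        final boolean interClusterRequest = HeaderHelper.isInterClusterRequest(this.threadContext);
        // NOTE(review): this flag skips privilege evaluation entirely, so it is only as strong as
        // HeaderHelper.getSafeFromHeader's guarantee that the header cannot be supplied by an
        // external client; confirm in HeaderHelper.
        final boolean confRequest = "true".equals(HeaderHelper.getSafeFromHeader(this.threadContext, ConfigConstants.SG_CONF_REQUEST_HEADER));

        if (userIsAdmin || interClusterRequest || confRequest) {
            // Only requests that bypass purely because of the admin identity are audited here.
            if (userIsAdmin && !interClusterRequest && !confRequest) {
                this.auditLog.logAuthenticatedRequest(actionRequest, str);
            }
            // A false result from the valve means the chain must not be continued.
            if (this.dlsFlsValve.invoke(actionRequest, actionListener, this.threadContext)) {
                actionFilterChain.proceed(task, str, actionRequest, actionListener);
            }
            return;
        }

        if (User.SG_INTERNAL.equals(user)) {
            if (isAllowedInternalAction(str)) {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("No user, will allow only standard discovery and monitoring actions");
                }
                actionFilterChain.proceed(task, str, actionRequest, actionListener);
                return;
            }
            this.log.debug("unauthenticated request {} for user {}", str, user);
            this.auditLog.logFailedLogin(user.getName(), (TransportRequest) actionRequest);
            actionListener.onFailure(new ElasticsearchSecurityException("unauthenticated request " + str + " for user " + user, RestStatus.FORBIDDEN, new Object[0]));
            return;
        }

        PrivilegesEvaluator privilegesEvaluator = this.evalp;
        if (!privilegesEvaluator.isInitialized()) {
            this.log.error("Search Guard not initialized (SG11) for {}", str);
            actionListener.onFailure(new ElasticsearchSecurityException("Search Guard not initialized (SG11) for " + str + ". See https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md", RestStatus.SERVICE_UNAVAILABLE, new Object[0]));
            return;
        }

        // Fail closed: a request that has a remote address but no user in the thread context is
        // not covered by any branch above. Reject it explicitly instead of dereferencing the
        // null user below or handing it to the evaluator.
        if (user == null) {
            this.log.warn("No user found for {} from {}", str, actionRequest.remoteAddress());
            this.auditLog.logMissingPrivileges(str, actionRequest);
            actionListener.onFailure(new ElasticsearchSecurityException("No user found for " + str, RestStatus.FORBIDDEN, new Object[0]));
            return;
        }

        if (this.log.isTraceEnabled()) {
            this.log.trace("Evaluate permissions for user: {}", user.getName());
        }

        if (!privilegesEvaluator.evaluate(user, str, actionRequest)) {
            this.auditLog.logMissingPrivileges(str, actionRequest);
            this.log.debug("no permissions for {}", str);
            actionListener.onFailure(new ElasticsearchSecurityException("no permissions for " + str, RestStatus.FORBIDDEN, new Object[0]));
            return;
        }

        this.auditLog.logAuthenticatedRequest(actionRequest, str);
        if (this.dlsFlsValve.invoke(actionRequest, actionListener, this.threadContext)) {
            actionFilterChain.proceed(task, str, actionRequest, actionListener);
        }
    }

    /** Returns whether {@code action} starts with one of {@link #INTERNAL_ACTION_PREFIXES}. */
    private static boolean isAllowedInternalAction(String action) {
        for (String prefix : INTERNAL_ACTION_PREFIXES) {
            if (action.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether {@code user} is non-null and its name is recognised by
     * {@code AdminDNs.isAdmin}. The {@code adminDNs} argument is not read.
     */
    private static boolean isUserAdmin(User user, AdminDNs adminDNs) {
        return user != null && AdminDNs.isAdmin(user.getName());
    }
}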
