package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ListMultimap;
import com.google.common.collect.Multimaps;
import com.google.common.collect.Sets;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.action.termvectors.MultiTermVectorsRequest;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.AliasMetaData;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.ImmutableOpenMap;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.Index;
import org.elasticsearch.repositories.RepositoriesService;
import org.elasticsearch.repositories.Repository;
import org.elasticsearch.snapshots.SnapshotId;
import org.elasticsearch.snapshots.SnapshotInfo;
import org.elasticsearch.snapshots.SnapshotUtils;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator.class */
public class PrivilegesEvaluator {
    // Source of the current cluster state; evaluate() reads index and alias metadata from it.
    private final ClusterService clusterService;
    // Not referenced in the visible part of this class.
    // NOTE(review): presumably backs resolveActions() (action-group expansion) — confirm.
    private final ActionGroupHolder ah;
    // Used to expand a role's index pattern into concrete index names when DLS/FLS applies.
    private final IndexNameExpressionResolver resolver;
    // Action patterns that are always refused when the request touches the Search Guard
    // index or "_all"; filled once in the constructor.
    private final String[] deniedActionPatterns;
    // Receives an event whenever a request against the Search Guard index is refused
    // and when the privileges interceptor or the snapshot-restore check denies a request.
    private final AuditLog auditLog;
    // Carries the remote address transient and the DLS/FLS headers for the current request.
    private ThreadContext threadContext;
    // Provides the roles, roles-mapping and config settings that drive every decision here.
    private final ConfigurationRepository configurationRepository;
    // Name of the index holding the Search Guard configuration (configurable, with a default).
    private final String searchguardIndex;
    // Optional hook; only consulted when it is a subclass of PrivilegesInterceptor.
    private PrivilegesInterceptor privilegesInterceptor;
    // Snapshot restore is refused for regular users unless this is switched on (default: false).
    private final boolean enableSnapshotRestorePrivilege;
    // When true (the default), a restore also needs write privileges on every target index.
    private final boolean checkSnapshotRestoreWritePrivileges;
    // A set holding a single null element; its use is outside the visible part of this class.
    private static final Set<String> NULL_SET = Sets.newHashSet(new String[]{(String) null});
    // Options passed to the resolver when a role's index pattern is expanded to concrete names.
    private static final IndicesOptions DEFAULT_INDICES_OPTIONS = IndicesOptions.lenientExpandOpen();
    // The two reserved setting names that carry DLS and FLS definitions inside a role's index entry.
    private final Set<String> DLSFLS = ImmutableSet.of("_dls_", "_fls_");
    protected final Logger log = LogManager.getLogger(getClass());
    // Synchronized Class -> Method maps; their use is outside the visible part of this class.
    // NOTE(review): presumably reflection lookups cached per request class — confirm.
    private final Map<Class<?>, Method> typeCache = Collections.synchronizedMap(new HashMap(100));
    private final Map<Class<?>, Method> typesCache = Collections.synchronizedMap(new HashMap(100));

    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$IndexType.class */
    /**
     * An (index, type) pair that privilege checks are evaluated against.
     *
     * <p>The type name {@code _all} is normalised to the wildcard {@code *} on construction, so two
     * instances built from {@code _all} and {@code *} compare equal.
     */
    public static class IndexType {
        private String index;
        private String type;

        /**
         * Creates the pair.
         *
         * @param str index name; may be null
         * @param str2 type name; {@code _all} is stored as {@code *}
         * @throws NullPointerException if {@code str2} is null
         */
        public IndexType(String str, String str2) {
            this.index = str;
            if (str2.equals("_all")) {
                this.type = "*";
            } else {
                this.type = str2;
            }
        }

        /** Returns {@code index#type}, the form that permission patterns are matched against. */
        public String getCombinedString() {
            StringBuilder combined = new StringBuilder();
            combined.append(this.index).append("#").append(this.type);
            return combined.toString();
        }

        /** Returns the index name as given to the constructor. */
        public String getIndex() {
            return this.index;
        }

        /** Returns the type name, with {@code _all} already replaced by {@code *}. */
        public String getType() {
            return this.type;
        }

        @Override
        public int hashCode() {
            // Same 31-based combination over (index, type), null counting as 0.
            return Objects.hash(this.index, this.type);
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            // Exact class match: a subclass instance never equals a plain IndexType.
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            IndexType other = (IndexType) obj;
            return Objects.equals(this.index, other.index) && Objects.equals(this.type, other.type);
        }

        @Override
        public String toString() {
            StringBuilder text = new StringBuilder("IndexType [index=");
            text.append(this.index).append(", type=").append(this.type).append("]");
            return text.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$IndexTypeAction.class */
    /**
     * An {@link IndexType} extended by the action that is required on it; used by the
     * snapshot-restore check to track which index/action pairs still need to be granted.
     */
    public static class IndexTypeAction extends IndexType {
        private String action;

        /**
         * @param str index name
         * @param str2 type name ({@code _all} is normalised by the superclass)
         * @param str3 action name required on that index/type; may be null
         */
        public IndexTypeAction(String str, String str2, String str3) {
            super(str, str2);
            this.action = str3;
        }

        /** Returns {@code index#type#action}. */
        @Override
        public String getCombinedString() {
            String indexAndType = super.getCombinedString();
            return indexAndType + "#" + this.action;
        }

        @Override
        public int hashCode() {
            int actionHash = Objects.hashCode(this.action);
            return (31 * super.hashCode()) + actionHash;
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            // Index and type are compared by the superclass before the action is looked at.
            if (!super.equals(obj)) {
                return false;
            }
            IndexTypeAction other = (IndexTypeAction) obj;
            return Objects.equals(this.action, other.action);
        }

        @Override
        public String toString() {
            StringBuilder text = new StringBuilder("IndexTypeAction [index=");
            text.append(getIndex()).append(", type=").append(getType()).append(", action=").append(this.action).append("]");
            return text.toString();
        }
    }

    /**
     * Wires the evaluator to its collaborators and reads its static settings.
     *
     * <p>The snapshot-restore privilege stays off unless the setting enables it, and the write-privilege
     * check for restores stays on unless the setting disables it. The fixed deny list built here
     * (all data writes, index close, index delete) is what {@code evaluate} refuses for the
     * Search Guard index and for {@code _all}.
     *
     * @param clusterService source of cluster state
     * @param threadPool supplies the thread context used for the remote address and DLS/FLS headers
     * @param configurationRepository source of the roles, roles-mapping and config settings
     * @param actionGroupHolder stored for later use
     * @param indexNameExpressionResolver expands index patterns to concrete index names
     * @param auditLog receives events for refused requests
     * @param settings node settings
     * @param privilegesInterceptor optional hook consulted during evaluation
     */
    public PrivilegesEvaluator(ClusterService clusterService, ThreadPool threadPool, ConfigurationRepository configurationRepository, ActionGroupHolder actionGroupHolder, IndexNameExpressionResolver indexNameExpressionResolver, AuditLog auditLog, Settings settings, PrivilegesInterceptor privilegesInterceptor) {
        this.clusterService = clusterService;
        this.configurationRepository = configurationRepository;
        this.resolver = indexNameExpressionResolver;
        this.ah = actionGroupHolder;
        this.auditLog = auditLog;
        this.privilegesInterceptor = privilegesInterceptor;

        this.threadContext = threadPool.getThreadContext();

        this.searchguardIndex = settings.get(ConfigConstants.SG_CONFIG_INDEX, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);
        this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.SG_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, false);
        this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.SG_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, true);

        // Actions that are never allowed against the Search Guard index or "_all".
        this.deniedActionPatterns = new String[] {
            "indices:data/write*",
            "indices:admin/close",
            "indices:admin/delete"
        };
    }

    /**
     * Fetches the current roles configuration from the configuration repository.
     *
     * @return the roles settings; {@code isInitialized()} treats {@code null} as "not loaded"
     */
    private Settings getRolesSettings() {
        final Settings roles = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES);
        return roles;
    }

    /**
     * Fetches the current roles-mapping configuration from the configuration repository.
     *
     * @return the roles-mapping settings; {@code isInitialized()} treats {@code null} as "not loaded"
     */
    private Settings getRolesMappingSettings() {
        final Settings rolesMapping = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES_MAPPING);
        return rolesMapping;
    }

    /**
     * Fetches the current dynamic configuration from the configuration repository.
     *
     * @return the config settings; {@code isInitialized()} treats {@code null} as "not loaded"
     */
    private Settings getConfigSettings() {
        final Settings config = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_CONFIG);
        return config;
    }

    /**
     * Reports whether all three configuration sections (roles, roles mapping, config) are available.
     * {@code evaluate} refuses every request with a security exception while this is {@code false}.
     *
     * @return {@code true} only if none of the three sections is {@code null}
     */
    public boolean isInitialized() {
        // Checked in the same order as before; the first missing section ends the check.
        return getRolesSettings() != null
                && getRolesMappingSettings() != null
                && getConfigSettings() != null;
    }

    /**
     * Decides whether {@code user} may execute the action named {@code str} for {@code actionRequest}.
     *
     * <p>Order of checks: configuration must be loaded; snapshot restore is handled separately;
     * deny-listed actions on the Search Guard index or {@code _all} are refused and audit-logged;
     * the privileges interceptor (if a subclass is installed) may allow or deny; then each mapped
     * role is evaluated, either against its cluster permissions or against its index permissions.
     * DLS queries and FLS fields of the matching roles are published as thread-context headers.
     *
     * @param user the authenticated user
     * @param str the action name
     * @param actionRequest the request being authorised; may be modified (request cache / realtime off)
     * @return {@code true} if the action is permitted
     * @throws ElasticsearchSecurityException if the configuration is not loaded, or if a DLS/FLS
     *         header already present in the thread context differs from the one computed here
     * @throws NullPointerException if no remote address transient is present in the thread context
     */
    public boolean evaluate(User user, String str, ActionRequest actionRequest) {
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Search Guard is not initialized.", new Object[0]);
        }
        Settings configSettings = getConfigSettings();
        Settings rolesSettings = getRolesSettings();
        // When enabled (the default), the multi-index actions listed further down are checked
        // against a role's cluster permissions instead of its index permissions.
        boolean booleanValue = configSettings.getAsBoolean("searchguard.dynamic.composite_enabled", true).booleanValue();
        // Only used to word the "no match" log line (cluster-level vs. index-level).
        boolean z = false;
        // A missing remote address fails the request with an NPE instead of evaluating without it.
        TransportAddress transportAddress = (TransportAddress) Objects.requireNonNull((TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS));
        if (this.log.isDebugEnabled()) {
            this.log.debug("evaluate permissions for {}", user);
            this.log.debug("requested {} from {}", str, transportAddress);
        }
        // Snapshot restore has its own evaluation and is refused entirely unless enabled in settings.
        if (str.startsWith("cluster:admin/snapshot/restore")) {
            if (this.enableSnapshotRestorePrivilege) {
                return evaluateSnapshotRestore(user, str, actionRequest, transportAddress);
            }
            this.log.warn(str + " is not allowed for a regular user");
            return false;
        }
        // The internal upgrade action is evaluated under the name of the public one.
        if (str.startsWith("internal:indices/admin/upgrade")) {
            str = "indices:admin/upgrade";
        }
        ClusterState state = this.clusterService.state();
        // As used below: v1 holds the requested index names, v2 the requested type names.
        Tuple<Set<String>, Set<String>> resolve = resolve(user, str, (TransportRequest) actionRequest, state.metaData());
        Set<String> unmodifiableSet = Collections.unmodifiableSet((Set) resolve.v1());
        // Every requested index is paired with every requested type.
        HashSet hashSet = new HashSet(((Set) resolve.v1()).size() * ((Set) resolve.v2()).size());
        for (String str2 : (Set) resolve.v1()) {
            Iterator it = ((Set) resolve.v2()).iterator();
            while (it.hasNext()) {
                hashSet.add(new IndexType(str2, (String) it.next()));
            }
        }
        Set<IndexType> unmodifiableSet2 = Collections.unmodifiableSet(hashSet);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requested resolved indextypes: {}", unmodifiableSet2);
        }
        // Writes, close and delete on the Search Guard index are refused before any role is looked at.
        // The test is an exact-name lookup in the resolved set, so it depends on resolve() returning
        // the concrete index name for aliases and wildcards.
        // NOTE(review): confirm that resolve() does so.
        // NOTE(review): the action name is concatenated into the log format string here and below;
        // passing it as a parameter would keep any "{}" in it from being read as a placeholder.
        if (unmodifiableSet.contains(this.searchguardIndex) && WildcardMatcher.matchAny(this.deniedActionPatterns, str)) {
            this.auditLog.logSgIndexAttempt(actionRequest, str);
            this.log.warn(str + " for '{}' index is not allowed for a regular user", this.searchguardIndex);
            return false;
        }
        // The same deny list applies to "_all", which would include the Search Guard index.
        if (unmodifiableSet.contains("_all") && WildcardMatcher.matchAny(this.deniedActionPatterns, str)) {
            this.auditLog.logSgIndexAttempt(actionRequest, str);
            this.log.warn(str + " for '_all' indices is not allowed for a regular user");
            return false;
        }
        // Remaining (non-denied) requests that touch the Search Guard index or "_all" run with the
        // search request cache and realtime reads switched off.
        if (unmodifiableSet.contains(this.searchguardIndex) || unmodifiableSet.contains("_all")) {
            if (actionRequest instanceof SearchRequest) {
                ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Disable search request cache for this request");
                }
            }
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(Boolean.FALSE.booleanValue());
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Disable realtime for this request");
                }
            }
        }
        Set<String> mapSgRoles = mapSgRoles(user, transportAddress);
        if (this.log.isDebugEnabled()) {
            this.log.debug("mapped roles for {}: {}", user.getName(), mapSgRoles);
        }
        // The interceptor is consulted only when a subclass is installed. Its answer is tri-state:
        // TRUE denies (audit-logged), FALSE allows immediately, anything else continues below.
        // NOTE(review): the Boolean is compared by reference, so this relies on the interceptor
        // returning the canonical Boolean.TRUE/Boolean.FALSE instances; Boolean.TRUE.equals(...)
        // would not depend on that.
        if (this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class) {
            Boolean replaceKibanaIndex = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, str, user, configSettings, unmodifiableSet, mapTenants(user, transportAddress));
            if (replaceKibanaIndex == Boolean.TRUE) {
                this.auditLog.logMissingPrivileges(str, actionRequest);
                return false;
            }
            if (replaceKibanaIndex == Boolean.FALSE) {
                return true;
            }
        }
        // z2: set once some role has an index pattern that covers every requested index/type.
        boolean z2 = false;
        // hashMap: DLS queries per index; hashMap2: FLS fields per index;
        // hashMap3: per role, the requested index/types left in the working copy after that
        // role's index patterns were processed.
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        for (String str3 : mapSgRoles) {
            Settings byPrefix = rolesSettings.getByPrefix(str3);
            if (!byPrefix.names().isEmpty()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("---------- evaluate sg_role: {}", str3);
                }
                // Cluster-level evaluation: every "cluster:" action, template get/put/delete, scroll,
                // and (only with composite handling enabled) the listed multi-index actions.
                if (str.startsWith("cluster:") || str.startsWith("indices:admin/template/delete") || str.startsWith("indices:admin/template/get") || str.startsWith("indices:admin/template/put") || str.startsWith("indices:data/read/scroll") || ((booleanValue && str.equals("indices:data/write/bulk")) || ((booleanValue && str.equals("indices:admin/aliases")) || ((booleanValue && str.equals("indices:data/read/mget")) || ((booleanValue && str.equals("indices:data/read/msearch")) || ((booleanValue && str.equals("indices:data/read/mtv")) || ((booleanValue && str.equals("indices:data/read/coordinate-msearch")) || ((booleanValue && str.equals("indices:data/write/reindex")) || (booleanValue && str.equals("indices:data/read/mpercolate")))))))))) {
                    Set<String> resolveActions = resolveActions(byPrefix.getAsArray(".cluster", new String[0]));
                    z = true;
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("  resolved cluster actions:{}", resolveActions);
                    }
                    // The first role whose cluster permissions match ends the evaluation with "allowed";
                    // no DLS/FLS headers are produced on this path.
                    if (WildcardMatcher.matchAny((String[]) resolveActions.toArray(new String[0]), str)) {
                        if (!this.log.isDebugEnabled()) {
                            return true;
                        }
                        this.log.debug("  found a match for '{}' and {}, skip other roles", str3, str);
                        return true;
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("  not match found a match for '{}' and {}, check next role", str3, str);
                    }
                } else {
                    // Index-level evaluation: the role's index patterns, with the user-name
                    // placeholders replaced by the actual user name.
                    // NOTE(review): the name is substituted verbatim and the result is then tested for
                    // wildcards, so a user name containing wildcard characters would act as a pattern —
                    // confirm that the authentication backends constrain user names.
                    Map groups = byPrefix.getGroups(".indices");
                    HashMap hashMap4 = new HashMap(groups.size());
                    for (String str4 : groups.keySet()) {
                        hashMap4.put(str4.replace("${user.name}", user.getName()).replace("${user_name}", user.getName()), groups.get(str4));
                    }
                    // Role -> index patterns of that role that covered the whole request.
                    ListMultimap synchronizedListMultimap = Multimaps.synchronizedListMultimap(ArrayListMultimap.create());
                    // Working copy of the requested index/types for this role.
                    // NOTE(review): presumably the two handle* helpers remove every entry the pattern
                    // grants; their bodies are outside the visible part — confirm.
                    HashSet hashSet2 = new HashSet(unmodifiableSet2);
                    for (String str5 : hashMap4.keySet()) {
                        if (WildcardMatcher.containsWildcard(str5)) {
                            if (this.log.isDebugEnabled()) {
                                this.log.debug("  Try wildcard match for {}", str5);
                            }
                            handleIndicesWithWildcard(str, str5, hashMap4, unmodifiableSet2, hashSet2, unmodifiableSet);
                        } else {
                            if (this.log.isDebugEnabled()) {
                                this.log.debug("  Resolve and match {}", str5);
                            }
                            handleIndicesWithoutWildcard(str, str5, hashMap4, unmodifiableSet2, hashSet2);
                        }
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("For index {} remaining requested indextype: {}", str5, hashSet2);
                        }
                        // Nothing left over: this pattern (together with earlier ones of the same role)
                        // covers the request. Before recording the match, count filtered aliases.
                        if (hashSet2.isEmpty()) {
                            // The counter runs over ALL requested indices, although the warning below
                            // speaks of "same index".
                            int i = 0;
                            for (String str6 : unmodifiableSet) {
                                IndexMetaData indexMetaData = (IndexMetaData) state.metaData().getIndices().get(str6);
                                if (indexMetaData == null) {
                                    this.log.warn("{} does not exist in cluster metadata", str6);
                                } else {
                                    ImmutableOpenMap aliases = indexMetaData.getAliases();
                                    this.log.debug("Aliases for {}: {}", str6, aliases);
                                    if (aliases != null && aliases.size() > 0) {
                                        Iterator keysIt = aliases.keysIt();
                                        while (keysIt.hasNext()) {
                                            String str7 = (String) keysIt.next();
                                            AliasMetaData aliasMetaData = (AliasMetaData) aliases.get(str7);
                                            if (aliasMetaData == null || !aliasMetaData.filteringRequired()) {
                                                this.log.debug(str7 + " is not an alias or does not have a filter");
                                            } else {
                                                i++;
                                                this.log.debug(str7 + " is a filtered alias " + aliasMetaData.getFilter());
                                            }
                                        }
                                    }
                                }
                            }
                            // With more than one filtered alias the match is NOT recorded, so this pattern
                            // grants nothing for the request.
                            if (i > 1) {
                                this.log.warn("More than one ({}) filtered alias found for same index ({}). This is currently not supported", Integer.valueOf(i), str5);
                            } else {
                                if (this.log.isDebugEnabled()) {
                                    this.log.debug("found a match for '{}.{}', evaluate other roles", str3, str5);
                                }
                                synchronizedListMultimap.put(str3, str5);
                            }
                        }
                    }
                    if (!synchronizedListMultimap.isEmpty()) {
                        // Collect the DLS query and FLS fields attached to each matching role/pattern.
                        // Evaluation continues with the remaining roles so that their restrictions are
                        // collected as well.
                        for (String str8 : synchronizedListMultimap.keySet()) {
                            for (String str9 : synchronizedListMultimap.get(str8)) {
                                String str10 = rolesSettings.get(str8 + ".indices." + str9 + "._dls_");
                                String[] asArray = rolesSettings.getAsArray(str8 + ".indices." + str9 + "._fls_");
                                String[] strArr = new String[0];
                                // Concrete index names are only resolved when there is DLS or FLS to attach.
                                if ((str10 != null && str10.length() > 0) || (asArray != null && asArray.length > 0)) {
                                    strArr = this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, new String[]{str9});
                                }
                                if (str10 != null && str10.length() > 0) {
                                    // NOTE(review): the user name is inserted verbatim into the DLS query text.
                                    // If the query is JSON (not visible here), a name containing quote
                                    // characters would change the query structure — confirm that names are
                                    // constrained or escaped upstream.
                                    String replace = str10.replace("${user.name}", user.getName()).replace("${user_name}", user.getName());
                                    // The query is stored under the pattern itself and under every concrete index.
                                    if (hashMap.containsKey(str9)) {
                                        ((Set) hashMap.get(str9)).add(replace);
                                    } else {
                                        hashMap.put(str9, new HashSet());
                                        ((Set) hashMap.get(str9)).add(replace);
                                    }
                                    for (String str11 : strArr) {
                                        if (hashMap.containsKey(str11)) {
                                            ((Set) hashMap.get(str11)).add(replace);
                                        } else {
                                            hashMap.put(str11, new HashSet());
                                            ((Set) hashMap.get(str11)).add(replace);
                                        }
                                    }
                                    if (this.log.isDebugEnabled()) {
                                        this.log.debug("dls query {} for {}", replace, Arrays.toString(strArr));
                                    }
                                }
                                if (asArray != null && asArray.length > 0) {
                                    // FLS fields are stored the same way: under the pattern and each concrete index.
                                    if (hashMap2.containsKey(str9)) {
                                        ((Set) hashMap2.get(str9)).addAll(Sets.newHashSet(asArray));
                                    } else {
                                        hashMap2.put(str9, new HashSet());
                                        ((Set) hashMap2.get(str9)).addAll(Sets.newHashSet(asArray));
                                    }
                                    for (String str12 : strArr) {
                                        if (hashMap2.containsKey(str12)) {
                                            ((Set) hashMap2.get(str12)).addAll(Sets.newHashSet(asArray));
                                        } else {
                                            hashMap2.put(str12, new HashSet());
                                            ((Set) hashMap2.get(str12)).addAll(Sets.newHashSet(asArray));
                                        }
                                    }
                                    if (this.log.isDebugEnabled()) {
                                        this.log.debug("fls fields {} for {}", Sets.newHashSet(asArray), Arrays.toString(strArr));
                                    }
                                }
                            }
                        }
                        z2 = true;
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Added to leftovers {}=>{}", str3, hashSet2);
                    }
                    hashMap3.put(str3, hashSet2);
                }
            } else if (this.log.isDebugEnabled()) {
                this.log.debug("sg_role {} is empty", str3);
            }
        }
        // NOTE(review): a final denial is only written to the application log at info level here;
        // no audit event is emitted on this path. Presumably the caller does that — confirm.
        if (!z2 && this.log.isInfoEnabled()) {
            this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", z ? "cluster" : "index", user, unmodifiableSet2, str, mapSgRoles);
            this.log.info("No permissions for {}", hashMap3);
        }
        // Publish the DLS queries as a header. If the header already exists it must be identical to
        // what was computed here, otherwise the request is aborted.
        // NOTE(review): the existing header value is passed to Base64Helper.deserializeObject. If that
        // helper uses Java native deserialization (not visible here), the header must only ever be
        // writable by trusted code or nodes — confirm.
        if (!hashMap.isEmpty()) {
            if (this.threadContext.getHeader(ConfigConstants.SG_DLS_QUERY) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_DLS_QUERY, Base64Helper.serializeObject(hashMap));
            } else if (!hashMap.equals((Map) Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_DLS_QUERY)))) {
                throw new ElasticsearchSecurityException("_sg_dls_query does not match (SG 900D)", new Object[0]);
            }
        }
        // Same handling for the FLS field lists.
        if (!hashMap2.isEmpty()) {
            if (this.threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_FLS_FIELDS, Base64Helper.serializeObject(hashMap2));
            } else if (!hashMap2.equals((Map) Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS)))) {
                throw new ElasticsearchSecurityException("_sg_fls_fields does not match (SG 901D)", new Object[0]);
            }
        }
        // If no role matched, an installed interceptor subclass gets a last say based on the
        // per-role leftovers; otherwise the role result stands.
        return (z2 || this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class || hashMap3.size() <= 0) ? z2 : this.privilegesInterceptor.replaceAllowedIndices(actionRequest, str, user, configSettings, hashMap3);
    }

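    /**
     * Decides whether {@code user} may run the snapshot restore described by {@code actionRequest}.
     *
     * <p>The request is refused when it is not a {@link RestoreSnapshotRequest}, when it asks for the
     * global cluster state, when the named snapshot is not found in the repository, or when the
     * Search Guard index or {@code _all} appears among the source indices or among the target names
     * after the rename pattern was applied. Otherwise at least one mapped role must grant the action
     * as a cluster permission and, unless the write-privilege check was disabled in the settings,
     * no needed index/action pair may be left over once all mapped roles were processed.
     *
     * @param user the authenticated user
     * @param str the action name being evaluated
     * @param actionRequest the request; anything but a restore request is refused
     * @param transportAddress remote address, used for host-based role mapping
     * @return {@code true} only if every check passes
     * @throws NullPointerException if the repositories service has not been made available
     */
    private boolean evaluateSnapshotRestore(User user, String str, ActionRequest actionRequest, TransportAddress transportAddress) {
        if (!(actionRequest instanceof RestoreSnapshotRequest)) {
            return false;
        }
        RestoreSnapshotRequest restoreSnapshotRequest = (RestoreSnapshotRequest) actionRequest;
        // Restoring the global cluster state is refused outright and audit-logged.
        if (restoreSnapshotRequest.includeGlobalState()) {
            this.auditLog.logSgIndexAttempt(actionRequest, str);
            this.log.warn(str + " with 'include_global_state' enabled is not allowed");
            return false;
        }
        Repository repository = ((RepositoriesService) Objects.requireNonNull(SearchGuardPlugin.RepositoriesServiceHolder.getRepositoriesService(), "RepositoriesService not initialized")).repository(restoreSnapshotRequest.repository());
        // Look the snapshot up by name; the scan is not cut short, so the last match is used.
        SnapshotInfo snapshotInfo = null;
        for (SnapshotId snapshotId : repository.getRepositoryData().getSnapshotIds()) {
            if (snapshotId.getName().equals(restoreSnapshotRequest.snapshot())) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("snapshot found: {} (UUID: {})", snapshotId.getName(), snapshotId.getUUID());
                }
                snapshotInfo = repository.getSnapshotInfo(snapshotId);
            }
        }
        if (snapshotInfo == null) {
            this.log.warn(str + " for repository '" + restoreSnapshotRequest.repository() + "', snapshot '" + restoreSnapshotRequest.snapshot() + "' not found");
            return false;
        }
        List<String> filterIndices = SnapshotUtils.filterIndices(snapshotInfo.indices(), restoreSnapshotRequest.indices(), restoreSnapshotRequest.indicesOptions());
        if (this.log.isDebugEnabled()) {
            this.log.debug("resolved indices for restore to: {}", filterIndices.toString());
        }
        // The Search Guard index must never be taken from a snapshot.
        if (filterIndices.contains(this.searchguardIndex) || filterIndices.contains("_all")) {
            this.auditLog.logSgIndexAttempt(actionRequest, str);
            this.log.warn(str + " for '{}' as source index is not allowed", this.searchguardIndex);
            return false;
        }
        // Nor may a rename map any restored index onto the Search Guard index or onto "_all".
        // The "_all" test has to look at the renamed targets: the source list was already checked
        // above, so testing it a second time could never trigger.
        List<String> renamedIndices = renamedIndices(restoreSnapshotRequest, filterIndices);
        if (renamedIndices.contains(this.searchguardIndex) || renamedIndices.contains("_all")) {
            this.auditLog.logSgIndexAttempt(actionRequest, str);
            this.log.warn(str + " for '{}' as target index is not allowed", this.searchguardIndex);
            return false;
        }
        Set<String> mapSgRoles = mapSgRoles(user, transportAddress);
        if (this.log.isDebugEnabled()) {
            this.log.debug("mapped roles: {}", mapSgRoles);
        }
        boolean allowed = false;
        Set<String> targetIndices = new HashSet<>(renamedIndices);
        // Every target index paired with every write action a restore needs; the set must be
        // empty at the end when the write-privilege check is enabled.
        Set<IndexType> neededWritePrivileges = new HashSet<>(renamedIndices.size());
        for (String targetIndex : renamedIndices) {
            for (String neededAction : ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES) {
                neededWritePrivileges.add(new IndexTypeAction(targetIndex, "*", neededAction));
            }
        }
        Settings rolesSettings = getRolesSettings();
        for (String roleName : mapSgRoles) {
            Settings byPrefix = rolesSettings.getByPrefix(roleName);
            if (!byPrefix.names().isEmpty()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("---------- evaluate sg_role: {}", roleName);
                }
                Set<String> resolveActions = resolveActions(byPrefix.getAsArray(".cluster", new String[0]));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("  resolved cluster actions:{}", resolveActions);
                }
                // One role granting the restore action at cluster level is enough for this part;
                // the remaining roles are still walked for the write-privilege check.
                if (WildcardMatcher.matchAny((String[]) resolveActions.toArray(new String[0]), str)) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("  found a match for '{}' and {}, skip other roles", roleName, str);
                    }
                    allowed = true;
                } else if (this.log.isDebugEnabled()) {
                    this.log.debug("  not match found a match for '{}' and {}, check next role", roleName, str);
                }
                if (this.checkSnapshotRestoreWritePrivileges) {
                    // The role's index patterns, with the user-name placeholders replaced.
                    // NOTE(review): the name is substituted verbatim; a user name containing wildcard
                    // characters would act as a pattern — confirm that user names are constrained.
                    Map<String, Settings> groups = byPrefix.getGroups(".indices");
                    HashMap<String, Settings> permittedIndices = new HashMap<>(groups.size());
                    for (String pattern : groups.keySet()) {
                        permittedIndices.put(pattern.replace("${user.name}", user.getName()).replace("${user_name}", user.getName()), groups.get(pattern));
                    }
                    for (String permittedIndex : permittedIndices.keySet()) {
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("  Try wildcard match for {}", permittedIndex);
                        }
                        // NOTE(review): presumably removes every needed pair this pattern grants; the
                        // helper body is outside the visible part — confirm.
                        handleSnapshotRestoreWritePrivileges(ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES, permittedIndex, permittedIndices, targetIndices, neededWritePrivileges);
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("For index {} remaining requested indextypeaction: {}", permittedIndex, neededWritePrivileges);
                        }
                    }
                }
            } else if (this.log.isDebugEnabled()) {
                this.log.debug("sg_role {} is empty", roleName);
            }
        }
        // Any write privilege still missing overrides a cluster-level grant.
        if (this.checkSnapshotRestoreWritePrivileges && !neededWritePrivileges.isEmpty()) {
            allowed = false;
        }
        if (!allowed) {
            this.auditLog.logMissingPrivileges(str, actionRequest);
            this.log.info("No perm match for {} [Action [{}]] [RolesChecked {}]", user, str, mapSgRoles);
        }
        return allowed;
    }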

    /**
     * Computes the index names a restore would create, by applying the request's rename pattern
     * and replacement to each source index name. Names are returned unchanged when the request
     * carries no pattern or no replacement.
     *
     * <p>The pattern is a regular expression taken from the request and applied with
     * {@link String#replaceAll(String, String)}.
     *
     * @param restoreSnapshotRequest the restore request supplying pattern and replacement
     * @param list the source index names selected from the snapshot
     * @return a new list with one target name per source name, in the same order
     */
    private List<String> renamedIndices(RestoreSnapshotRequest restoreSnapshotRequest, List<String> list) {
        List<String> targetNames = new ArrayList<>();
        for (String sourceName : list) {
            boolean renameRequested = restoreSnapshotRequest.renameReplacement() != null
                    && restoreSnapshotRequest.renamePattern() != null;
            if (renameRequested) {
                targetNames.add(sourceName.replaceAll(restoreSnapshotRequest.renamePattern(), restoreSnapshotRequest.renameReplacement()));
            } else {
                targetNames.add(sourceName);
            }
        }
        return targetNames;
    }

    /**
     * Maps a user to Search Guard role names using the roles-mapping configuration.
     *
     * <p>A mapping entry applies when any one of these holds, tested in this order: all of its
     * {@code and_backendroles} patterns are matched by the user's backend roles; any of its
     * {@code backendroles} patterns matches one of them; any {@code users} pattern matches the user
     * name; or, when a remote address is given, any {@code hosts} pattern matches its address or
     * its host.
     *
     * <p>NOTE(review): how {@code allPatternsMatched} treats an entry without {@code and_backendroles}
     * is not visible here — confirm that an empty pattern list does not count as a match.
     *
     * @param user the authenticated user; {@code null} yields an empty set
     * @param transportAddress remote address of the request; {@code null} skips host-based mapping
     * @return an unmodifiable, sorted set of role names; empty if no mapping is loaded
     */
    public Set<String> mapSgRoles(User user, TransportAddress transportAddress) {
        Settings rolesMappingSettings = getRolesMappingSettings();
        if (user == null || rolesMappingSettings == null) {
            return Collections.emptySet();
        }
        Set<String> mappedRoles = new TreeSet<>();
        for (String roleName : rolesMappingSettings.names()) {
            Settings entry = rolesMappingSettings.getByPrefix(roleName);
            // Short-circuit evaluation keeps the original order of the individual tests.
            boolean applies =
                    WildcardMatcher.allPatternsMatched(entry.getAsArray(".and_backendroles"), (String[]) user.getRoles().toArray(new String[0]))
                    || WildcardMatcher.matchAny(entry.getAsArray(".backendroles"), (String[]) user.getRoles().toArray(new String[0]))
                    || WildcardMatcher.matchAny(entry.getAsArray(".users"), user.getName())
                    || (transportAddress != null && WildcardMatcher.matchAny(entry.getAsArray(".hosts"), transportAddress.getAddress()))
                    || (transportAddress != null && WildcardMatcher.matchAny(entry.getAsArray(".hosts"), transportAddress.getHost()));
            if (applies) {
                mappedRoles.add(roleName);
            }
        }
        return Collections.unmodifiableSet(mappedRoles);
    }

    /**
     * Computes the tenants visible to a user and whether each one is writable.
     *
     * <p>The user's own name is always present with write access. For every mapped role the
     * entries below {@code <role>.tenants.} are read: a value of {@code RW} (case-insensitive)
     * marks the tenant writable, anything else (default {@code RO}) marks it read-only unless a
     * previous role already recorded it. A write grant therefore always wins over a read-only
     * grant, regardless of role order. A tenant named like the user is ignored so a role cannot
     * change the access level of the private tenant.
     *
     * @param user authenticated user; {@code null} yields an empty map
     * @param transportAddress remote address of the caller, forwarded to {@code mapSgRoles}
     * @return unmodifiable map from tenant name to {@code true} (read/write) or {@code false}
     *     (read-only)
     */
    public Map<String, Boolean> mapTenants(User user, TransportAddress transportAddress) {
        if (user == null) {
            return Collections.emptyMap();
        }

        final Map<String, Boolean> tenants = new HashMap<>();
        tenants.put(user.getName(), true);

        for (final String sgRole : mapSgRoles(user, transportAddress)) {
            final Settings roleTenants = getRolesSettings().getByPrefix(sgRole + ".tenants.");
            if (roleTenants == null) {
                continue;
            }
            for (final String tenant : roleTenants.names()) {
                if (tenant.equals(user.getName())) {
                    continue;
                }
                if ("RW".equalsIgnoreCase(roleTenants.get(tenant, "RO"))) {
                    tenants.put(tenant, true);
                } else {
                    // Never downgrade a tenant that an earlier role made writable.
                    tenants.putIfAbsent(tenant, false);
                }
            }
        }
        return Collections.unmodifiableMap(tenants);
    }

    /**
     * Strikes requested index/type pairs that a role's index pattern permits for an action.
     *
     * <p>{@code WildcardMatcher.getMatchAny} selects the entries of {@code set3} that match the
     * role's index pattern {@code str2}. For every type key configured under that pattern (minus
     * the keys in {@code DLSFLS}) whose resolved actions match {@code str}, each matching index
     * combined with that type is removed from {@code set2}. What is left in {@code set2}
     * afterwards is what this role did not cover.
     *
     * @param str requested action name
     * @param str2 index pattern taken from the role definition; must be a key of {@code map}
     * @param map role index patterns mapped to their settings
     * @param set requested index/type pairs (not used by this method)
     * @param set2 index/type pairs still unmatched; modified in place
     * @param set3 index names the pattern is matched against
     */
    private void handleIndicesWithWildcard(String str, String str2, Map<String, Settings> map, Set<IndexType> set, Set<IndexType> set2, Set<String> set3) {
        final List<String> matchingIndices = WildcardMatcher.getMatchAny(str2, set3.toArray(new String[0]));
        if (matchingIndices.isEmpty()) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("  No wildcard match found for {}", str2);
            }
            return;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("  Wildcard match for {}: {}", str2, matchingIndices);
        }

        final Set<String> typeKeys = new HashSet<>(map.get(str2).names());
        typeKeys.removeAll(this.DLSFLS);
        if (this.log.isDebugEnabled()) {
            this.log.debug("  matches for {}, will check now types {}", str2, typeKeys);
        }

        for (final String typeKey : typeKeys) {
            final Set<String> permittedActions = resolveActions(map.get(str2).getAsArray(typeKey));
            if (!WildcardMatcher.matchAny(permittedActions.toArray(new String[0]), str)) {
                continue;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("    match requested action {} against {}/{}: {}", str, str2, typeKey, permittedActions);
            }
            for (final String index : matchingIndices) {
                final boolean removed = wildcardRemoveFromSet(set2, new IndexType(index, typeKey));
                if (removed) {
                    this.log.debug("    removed {}", index + typeKey);
                } else {
                    this.log.debug("    no match {} in {}", index + typeKey, set2);
                }
            }
        }
    }

    /**
     * Strikes requested index/type pairs that a role's literal index or alias name permits.
     *
     * <p>If {@code str2} is a known index or alias it is expanded to its concrete index names;
     * otherwise the name itself is used unchanged. For every type key configured under
     * {@code str2} (minus the keys in {@code DLSFLS}) whose resolved actions match {@code str},
     * each of those indices combined with that type is removed from {@code set2}.
     *
     * @param str requested action name
     * @param str2 index or alias name taken from the role definition; must be a key of
     *     {@code map}
     * @param map role index names mapped to their settings
     * @param set requested index/type pairs (only logged here)
     * @param set2 index/type pairs still unmatched; modified in place
     */
    private void handleIndicesWithoutWildcard(String str, String str2, Map<String, Settings> map, Set<IndexType> set, Set<IndexType> set2) {
        final Set<String> permittedIndices = new HashSet<>();
        if (this.resolver.hasIndexOrAlias(str2, this.clusterService.state())) {
            permittedIndices.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, new String[]{str2})));
        } else {
            if (this.log.isDebugEnabled()) {
                this.log.debug("no permittedAliasesIndex '{}' found for  '{}'", str2, str);
                // NOTE(review): the first placeholder receives the whole map on every
                // iteration, not the current key - presumably the key was intended.
                for (final String key : map.keySet()) {
                    final Settings settings = map.get(key);
                    this.log.debug("permittedAliasesIndices '{}' -> '{}'", map, settings == null ? "null" : String.valueOf(settings.getAsMap()));
                }
                this.log.debug("requestedResolvedIndexTypes '{}'", set);
            }
            // Unknown to the cluster state: fall back to the configured name as written.
            permittedIndices.add(str2);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("  resolved permitted aliases indices for {}: {}", str2, permittedIndices);
        }

        final Set<String> typeKeys = new HashSet<>(map.get(str2).names());
        typeKeys.removeAll(this.DLSFLS);
        if (this.log.isDebugEnabled()) {
            this.log.debug("  matches for {}, will check now types {}", str2, typeKeys);
        }

        for (final String typeKey : typeKeys) {
            final Set<String> permittedActions = resolveActions(map.get(str2).getAsArray(typeKey));
            if (!WildcardMatcher.matchAny(permittedActions.toArray(new String[0]), str)) {
                continue;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("    match requested action {} against {}/{}: {}", str, str2, typeKey, permittedActions);
            }
            for (final String index : permittedIndices) {
                final boolean removed = wildcardRemoveFromSet(set2, new IndexType(index, typeKey));
                if (removed) {
                    this.log.debug("    removed {}", index + typeKey);
                } else {
                    this.log.debug("    no match {} in {}", index + typeKey, set2);
                }
            }
        }
    }

    /**
     * Strikes the write privileges a snapshot restore needs that a role's index pattern grants.
     *
     * <p>{@code WildcardMatcher.getMatchAny} selects the entries of {@code set2} that match the
     * role's index pattern {@code str}. Only the actions configured under the {@code "*"} type of
     * that pattern are considered. Each resolved action that matches at least one entry of
     * {@code set} is combined with every matching index into an {@code IndexTypeAction} and
     * removed from {@code set3}. Entries remaining in {@code set3} afterwards are privileges
     * this role did not grant.
     *
     * @param set action names required for the restore
     * @param str index pattern taken from the role definition; must be a key of {@code map}
     * @param map role index patterns mapped to their settings
     * @param set2 index names the pattern is matched against
     * @param set3 index/type/action entries still unmatched; modified in place
     */
    private void handleSnapshotRestoreWritePrivileges(Set<String> set, String str, Map<String, Settings> map, Set<String> set2, Set<IndexType> set3) {
        final List<String> matchingIndices = WildcardMatcher.getMatchAny(str, set2.toArray(new String[0]));
        if (matchingIndices.isEmpty()) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("  No wildcard match found for {}", str);
            }
            return;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("  Wildcard match for {}: {}", str, matchingIndices);
        }

        final Set<String> grantedActions = resolveActions(map.get(str).getAsArray("*"));
        if (this.log.isDebugEnabled()) {
            this.log.debug("  matches for {}, will check now wildcard type '*'", str);
        }

        for (final String grantedAction : grantedActions) {
            final boolean coversNeededAction =
                    !WildcardMatcher.getMatchAny(grantedAction, set.toArray(new String[0])).isEmpty();
            if (!coversNeededAction) {
                continue;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("    match requested actions {} against {}/*: {}", set, str, grantedActions);
            }
            for (final String index : matchingIndices) {
                final boolean removed = wildcardRemoveFromSet(set3, new IndexTypeAction(index, "*", grantedAction));
                if (removed) {
                    this.log.debug("    removed {}", index + '*');
                } else {
                    this.log.debug("    no match {} in {}", index + '*', set3);
                }
            }
        }
    }

    /**
     * Collects the index names and type names a transport request refers to.
     *
     * <p>Plain {@code IndicesRequest}s are delegated to the {@code IndicesRequest} overload.
     * Composite requests (bulk, multi-get, multi-search, multi-term-vectors, and - via
     * reflection - reindex and multi-percolate) are unpacked and each sub-request is resolved;
     * the results are merged. A request that is neither composite nor an indices request is
     * reported as {@code _all}/{@code _all}.
     *
     * <p>The order of the branches matters: a request implementing both
     * {@code CompositeIndicesRequest} and {@code IndicesRequest} is resolved as an
     * {@code IndicesRequest} before any of the composite-specific branches is considered.
     *
     * @param user the requesting user, passed through to the nested resolve calls
     * @param str the action name, passed through and used in log output
     * @param transportRequest the request to inspect
     * @param metaData cluster metadata, passed through to the nested resolve calls
     * @return tuple of (unmodifiable index names, unmodifiable type names); the type set is
     *     never empty ({@code _all} is substituted)
     */
    private Tuple<Set<String>, Set<String>> resolve(User user, String str, TransportRequest transportRequest, MetaData metaData) {
        if (transportRequest instanceof PutMappingRequest) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("PutMappingRequest will be handled in a special way cause they does not return indices via .indices()Instead .getConcreteIndex() must be used");
            }
            PutMappingRequest putMappingRequest = (PutMappingRequest) transportRequest;
            Index concreteIndex = putMappingRequest.getConcreteIndex();
            // Only short-circuit when the concrete index is the sole source of the target;
            // otherwise fall through to the generic handling below.
            if (concreteIndex != null && (putMappingRequest.indices() == null || putMappingRequest.indices().length == 0)) {
                return new Tuple<>(Sets.newHashSet(new String[]{concreteIndex.getName()}), Sets.newHashSet(new String[]{putMappingRequest.type()}));
            }
        }
        // Requests that name no indices at all are treated as touching everything.
        if (!(transportRequest instanceof CompositeIndicesRequest) && !(transportRequest instanceof IndicesRequest)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("{} is not an IndicesRequest", transportRequest.getClass());
            }
            return new Tuple<>(Sets.newHashSet(new String[]{"_all"}), Sets.newHashSet(new String[]{"_all"}));
        }
        // hashSet collects index names, hashSet2 collects type names.
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        if (!(transportRequest instanceof CompositeIndicesRequest)) {
            // Not composite, so after the guard above it must be an IndicesRequest.
            Tuple<Set<String>, Set<String>> resolve = resolve(user, str, (IndicesRequest) transportRequest, metaData);
            hashSet.addAll((Collection) resolve.v1());
            hashSet2.addAll((Collection) resolve.v2());
        } else if (transportRequest instanceof IndicesRequest) {
            // Composite AND IndicesRequest: resolved as a whole, sub-requests are not unpacked.
            Tuple<Set<String>, Set<String>> resolve2 = resolve(user, str, (IndicesRequest) transportRequest, metaData);
            hashSet.addAll((Collection) resolve2.v1());
            hashSet2.addAll((Collection) resolve2.v2());
        } else if (transportRequest instanceof BulkRequest) {
            // NOTE(review): every bulk item is cast to IndicesRequest; an item of another type
            // would surface as a ClassCastException from here.
            Iterator it = ((BulkRequest) transportRequest).requests().iterator();
            while (it.hasNext()) {
                Tuple<Set<String>, Set<String>> resolve3 = resolve(user, str, (IndicesRequest) it.next(), metaData);
                hashSet.addAll((Collection) resolve3.v1());
                hashSet2.addAll((Collection) resolve3.v2());
            }
        } else if (transportRequest instanceof IndicesRequest) {
            // NOTE(review): unreachable - the same instanceof test already appears two branches
            // above in this chain.
            Tuple<Set<String>, Set<String>> resolve4 = resolve(user, str, (IndicesRequest) transportRequest, metaData);
            hashSet.addAll((Collection) resolve4.v1());
            hashSet2.addAll((Collection) resolve4.v2());
        } else if (transportRequest instanceof MultiGetRequest) {
            Iterator it2 = ((MultiGetRequest) transportRequest).getItems().iterator();
            while (it2.hasNext()) {
                Tuple<Set<String>, Set<String>> resolve5 = resolve(user, str, (IndicesRequest) it2.next(), metaData);
                hashSet.addAll((Collection) resolve5.v1());
                hashSet2.addAll((Collection) resolve5.v2());
            }
        } else if (transportRequest instanceof MultiSearchRequest) {
            // Sub-requests go back through this overload, so nested composites are unpacked too.
            Iterator it3 = ((MultiSearchRequest) transportRequest).requests().iterator();
            while (it3.hasNext()) {
                Tuple<Set<String>, Set<String>> resolve6 = resolve(user, str, (TransportRequest) it3.next(), metaData);
                hashSet.addAll((Collection) resolve6.v1());
                hashSet2.addAll((Collection) resolve6.v2());
            }
        } else if (transportRequest instanceof MultiTermVectorsRequest) {
            Iterable iterable = () -> {
                return ((MultiTermVectorsRequest) transportRequest).iterator();
            };
            Iterator it4 = iterable.iterator();
            while (it4.hasNext()) {
                Tuple<Set<String>, Set<String>> resolve7 = resolve(user, str, (TransportRequest) it4.next(), metaData);
                hashSet.addAll((Collection) resolve7.v1());
                hashSet2.addAll((Collection) resolve7.v2());
            }
        } else if (transportRequest.getClass().getName().equals("org.elasticsearch.index.reindex.ReindexRequest")) {
            // Matched by class name and accessed reflectively, so no compile-time dependency on
            // the reindex module is needed. Both the destination and the source search request
            // contribute indices.
            try {
                Tuple<Set<String>, Set<String>> resolve8 = resolve(user, str, (IndicesRequest) transportRequest.getClass().getMethod("getDestination", new Class[0]).invoke(transportRequest, new Object[0]), metaData);
                hashSet.addAll((Collection) resolve8.v1());
                hashSet2.addAll((Collection) resolve8.v2());
                Tuple<Set<String>, Set<String>> resolve9 = resolve(user, str, (IndicesRequest) transportRequest.getClass().getMethod("getSearchRequest", new Class[0]).invoke(transportRequest, new Object[0]), metaData);
                hashSet.addAll((Collection) resolve9.v1());
                hashSet2.addAll((Collection) resolve9.v2());
            } catch (Exception e) {
                // NOTE(review): the failure is logged and swallowed; whatever was collected so
                // far (possibly nothing, or only the destination) is returned. Confirm the
                // caller denies the request when the index set is empty or incomplete.
                this.log.error("Unable to handle " + transportRequest.getClass() + " due to " + e);
                if (this.log.isDebugEnabled()) {
                    this.log.debug(ExceptionsHelper.stackTrace(e));
                }
            }
        } else if (transportRequest.getClass().getName().equals("org.elasticsearch.percolator.MultiPercolateRequest")) {
            try {
                Iterator it5 = ((List) transportRequest.getClass().getMethod("requests", new Class[0]).invoke(transportRequest, new Object[0])).iterator();
                while (it5.hasNext()) {
                    Tuple<Set<String>, Set<String>> resolve10 = resolve(user, str, (TransportRequest) it5.next(), metaData);
                    hashSet.addAll((Collection) resolve10.v1());
                    hashSet2.addAll((Collection) resolve10.v2());
                }
            } catch (Exception e2) {
                // NOTE(review): same swallow-and-continue behaviour as the reindex branch.
                this.log.error("Unable to handle " + transportRequest.getClass() + " due to " + e2);
                if (this.log.isDebugEnabled()) {
                    this.log.debug(ExceptionsHelper.stackTrace(e2));
                }
            }
        } else {
            // NOTE(review): an unrecognised composite request only produces a warning and an
            // empty index set; confirm the caller treats that as "deny" rather than "nothing
            // to check".
            this.log.warn("Can not handle composite request of type '" + transportRequest.getClass().getName() + "'for " + str + " here");
        }
        // Collapse a set that means "all indices" into the single "_all" marker; an empty set
        // is deliberately left empty.
        if (IndexNameExpressionResolver.isAllIndices(new ArrayList(hashSet))) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("The following list are '_all' indices: {}", hashSet);
            }
            if (!hashSet.isEmpty()) {
                hashSet.clear();
                hashSet.add("_all");
            }
        }
        // No type named anywhere in the request: report the "_all" marker for types.
        if (hashSet2.isEmpty()) {
            hashSet2.add("_all");
        }
        return new Tuple<>(Collections.unmodifiableSet(hashSet), Collections.unmodifiableSet(hashSet2));
    }

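    /**
     * Resolves the concrete index names and the type names of a single indices request.
     *
     * <p>Types are read reflectively through the request's {@code type()} and {@code types()}
     * methods, if it has them. The {@code Method} lookups are cached per request class in
     * {@code typeCache} / {@code typesCache}; a missing method is cached as {@code null}, so
     * both caches must accept {@code null} values.
     *
     * <p>Indices: a request without index expressions (or whose expressions equal
     * {@code NULL_SET}) is expanded to every concrete index matching {@code "*"}. Otherwise the
     * expressions are resolved against the current cluster state. If that resolution throws,
     * the RAW expressions from the request are returned instead.
     *
     * <p>NOTE(review): the raw-value fallback is only logged at debug level, and the returned
     * names may then still contain unresolved wildcards or aliases. Confirm that the permission
     * check performed on these names cannot be satisfied by an expression that later resolves
     * to indices the user is not entitled to.
     *
     * @param user the requesting user (not used by this overload)
     * @param str the action name (not used by this overload)
     * @param indicesRequest the request to inspect
     * @param metaData cluster metadata (not used by this overload)
     * @return tuple of (index names, type names); the type set may be empty
     */
    private Tuple<Set<String>, Set<String>> resolve(User user, String str, IndicesRequest indicesRequest, MetaData metaData) {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Resolve {} from {}", indicesRequest.indices(), indicesRequest.getClass());
        }
        Class<?> cls = indicesRequest.getClass();
        // Type names named by the request.
        HashSet hashSet = new HashSet();

        // Look up (and cache) the optional type() accessor of this request class.
        Method method = null;
        if (this.typeCache.containsKey(cls)) {
            method = this.typeCache.get(cls);
        } else {
            try {
                method = cls.getMethod("type", new Class[0]);
                this.typeCache.put(cls, method);
            } catch (NoSuchMethodException e) {
                // Remember the absence so the lookup is not repeated for this class.
                this.typeCache.put(cls, null);
            } catch (SecurityException e2) {
                this.log.error("Cannot evaluate type() for {} due to {}", cls, e2);
            }
        }

        // Same for the optional types() accessor.
        Method method2 = null;
        if (this.typesCache.containsKey(cls)) {
            method2 = this.typesCache.get(cls);
        } else {
            try {
                method2 = cls.getMethod("types", new Class[0]);
                this.typesCache.put(cls, method2);
            } catch (NoSuchMethodException e3) {
                this.typesCache.put(cls, null);
            } catch (SecurityException e4) {
                this.log.error("Cannot evaluate types() for {} due to {}", cls, e4);
            }
        }

        if (method != null) {
            try {
                String str2 = (String) method.invoke(indicesRequest, new Object[0]);
                if (str2 != null) {
                    hashSet.add(str2);
                }
            } catch (Exception e5) {
                // Arguments follow the placeholders (class, then cause); the trailing
                // throwable is there for the stack trace.
                this.log.error("Unable to invoke type() for {} due to {}", cls, e5, e5);
            }
        }
        if (method2 != null) {
            try {
                String[] strArr = (String[]) method2.invoke(indicesRequest, new Object[0]);
                if (strArr != null) {
                    hashSet.addAll(Arrays.asList(strArr));
                }
            } catch (Exception e6) {
                this.log.error("Unable to invoke types() for {} due to {}", cls, e6, e6);
            }
        }

        if (this.log.isDebugEnabled()) {
            this.log.debug("indicesOptions {}", indicesRequest.indicesOptions());
            this.log.debug("raw indices {}", Arrays.toString(indicesRequest.indices()));
        }

        // Index names named by the request.
        HashSet hashSet2 = new HashSet();
        if (indicesRequest.indices() == null || indicesRequest.indices().length == 0 || new HashSet(Arrays.asList(indicesRequest.indices())).equals(NULL_SET)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("No indices found in request, assume _all");
            }
            hashSet2.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, new String[]{"*"})));
        } else {
            try {
                hashSet2.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), indicesRequest)));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Resolved {} to {}", indicesRequest.indices(), hashSet2);
                }
            } catch (Exception e7) {
                // Resolution failed: fall back to the expressions exactly as the client sent them.
                this.log.debug("Cannot resolve {} (due to {}) so we use the raw values", Arrays.toString(indicesRequest.indices()), e7);
                hashSet2.addAll(Arrays.asList(indicesRequest.indices()));
            }
        }
        return new Tuple<>(hashSet2, hashSet);
    }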

    /**
     * Expands action group names into the actions they stand for.
     *
     * <p>Each entry is looked up with {@code ah.getGroupMembers}. A non-empty result replaces
     * the entry; an entry with no members is kept as written (a plain action name or pattern).
     * Whether nested groups are expanded depends on {@code getGroupMembers}, which is not
     * visible here.
     *
     * @param strArr action names and/or action group names; must not be {@code null}
     * @return a new mutable set holding the expanded actions
     */
    private Set<String> resolveActions(String[] strArr) {
        final Set<String> expanded = new HashSet<>();
        for (final String entry : strArr) {
            final Set<String> members = this.ah.getGroupMembers(entry);
            if (!members.isEmpty()) {
                expanded.addAll(members);
            } else {
                expanded.add(entry);
            }
        }
        return expanded;
    }

    /**
     * Removes from {@code set} the entries covered by a permitted index/type entry.
     *
     * <p>An exact member is removed directly. Otherwise the combined string of
     * {@code indexType} is used as the wildcard pattern and every entry of {@code set} whose
     * combined string matches it is removed. The pattern always comes from the permitted side,
     * never from the entries being checked.
     *
     * @param set entries still awaiting a permission match; modified in place
     * @param indexType permitted entry, possibly containing wildcards
     * @return {@code true} if at least one entry was removed
     */
    private boolean wildcardRemoveFromSet(Set<IndexType> set, IndexType indexType) {
        if (set.contains(indexType)) {
            return set.remove(indexType);
        }
        boolean removedAny = false;
        // Iterate over a snapshot so entries can be removed from the live set.
        for (final IndexType candidate : new HashSet<>(set)) {
            if (WildcardMatcher.match(indexType.getCombinedString(), candidate.getCombinedString())
                    && set.remove(candidate)) {
                removedAny = true;
            }
        }
        return removedAny;
    }

    /**
     * Reports whether Kibana multitenancy is active.
     *
     * <p>Always {@code false} while the privileges interceptor is exactly the base
     * {@code PrivilegesInterceptor} class; otherwise the value of
     * {@code searchguard.dynamic.kibana.multitenancy_enabled}, which defaults to {@code true}.
     *
     * @return {@code true} if a non-base interceptor is installed and the setting is on
     */
    public boolean multitenancyEnabled() {
        if (this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class) {
            return false;
        }
        return getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.multitenancy_enabled", true).booleanValue();
    }

    /**
     * Reports whether the "do not fail on forbidden" mode is active.
     *
     * <p>Always {@code false} while the privileges interceptor is exactly the base
     * {@code PrivilegesInterceptor} class; otherwise the value of
     * {@code searchguard.dynamic.kibana.do_not_fail_on_forbidden}, which defaults to
     * {@code false}.
     *
     * @return {@code true} if a non-base interceptor is installed and the setting is on
     */
    public boolean notFailOnForbiddenEnabled() {
        if (this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class) {
            return false;
        }
        return getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.do_not_fail_on_forbidden", false).booleanValue();
    }

    /**
     * Returns the name of the Kibana index.
     *
     * @return the value of {@code searchguard.dynamic.kibana.index}, or {@code .kibana} when
     *     the setting is absent
     */
    public String kibanaIndex() {
        final String configuredIndex = getConfigSettings().get("searchguard.dynamic.kibana.index", ".kibana");
        return configuredIndex;
    }

    /**
     * Returns the user name the Kibana server uses.
     *
     * @return the value of {@code searchguard.dynamic.kibana.server_username}, or
     *     {@code kibanaserver} when the setting is absent
     */
    public String kibanaServerUsername() {
        final String configuredName = getConfigSettings().get("searchguard.dynamic.kibana.server_username", "kibanaserver");
        return configuredName;
    }

    /**
     * Reports whether the user has only read access to the Kibana index.
     *
     * <p>For every mapped role, the index patterns below {@code .indices} are taken with
     * {@code ${user.name}} / {@code ${user_name}} replaced by the user's name. The index counts
     * as writable - and the method returns {@code false} - as soon as one pattern matches the
     * Kibana index and its {@code "*"} type entry resolves to actions matching
     * {@code indices:data/write/update}. Only the {@code "*"} type entry is consulted.
     *
     * <p>NOTE(review): the user name is inserted into the pattern unescaped. If a name may
     * contain wildcard characters, the substituted pattern matches more than the user's own
     * index - confirm user names are constrained upstream.
     *
     * @param user authenticated user
     * @param transportAddress remote address of the caller, forwarded to {@code mapSgRoles}
     * @return {@code false} if any mapped role grants the update action on the Kibana index,
     *     {@code true} otherwise (including when no role is mapped)
     */
    public boolean kibanaIndexReadonly(User user, TransportAddress transportAddress) {
        final Set<String> sgRoles = mapSgRoles(user, transportAddress);
        final String kibanaIndexName = kibanaIndex();

        for (final String sgRole : sgRoles) {
            final Settings roleSettings = getRolesSettings().getByPrefix(sgRole);
            if (roleSettings.names().isEmpty()) {
                continue;
            }

            // Re-key the role's index groups by their user-substituted pattern.
            final Map<String, Settings> indexGroups = roleSettings.getGroups(".indices");
            final Map<String, Settings> byResolvedPattern = new HashMap<>(indexGroups.size());
            for (final Map.Entry<String, Settings> group : indexGroups.entrySet()) {
                final String resolvedPattern = group.getKey()
                        .replace("${user.name}", user.getName())
                        .replace("${user_name}", user.getName());
                byResolvedPattern.put(resolvedPattern, group.getValue());
            }

            for (final Map.Entry<String, Settings> group : byResolvedPattern.entrySet()) {
                if (!WildcardMatcher.match(group.getKey(), kibanaIndexName)) {
                    continue;
                }
                final String[] anyTypeActions = group.getValue().getAsArray("*");
                if (anyTypeActions == null || anyTypeActions.length == 0) {
                    continue;
                }
                if (WildcardMatcher.matchAny(resolveActions(anyTypeActions).toArray(new String[0]), "indices:data/write/update")) {
                    return false;
                }
            }
        }
        return true;
    }
}
