package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.SnapshotRestoreHelper;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.cluster.metadata.AliasMetaData;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.ImmutableOpenMap;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.query.MatchNoneQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.search.aggregations.AggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator.class */
public class PrivilegesEvaluator {
    // General logger (named after the runtime class) and a dedicated "sg_action_trace" logger.
    protected final Logger log = LogManager.getLogger(getClass());
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    private final ClusterService clusterService;
    private final ActionGroupHolder ah;
    private final IndexNameExpressionResolver resolver;
    // Action patterns that evaluate() refuses on the Search Guard config index and on
    // requests resolving to all indices; populated once in the constructor.
    private final String[] sgDeniedActionPatterns;
    private final AuditLog auditLog;
    // Per-thread request context; evaluate() reads the remote address from it and
    // attaches the DLS/FLS/masked-field headers to it.
    private ThreadContext threadContext;
    private final ConfigurationRepository configurationRepository;
    // Name of the Search Guard configuration index (from settings, with a default).
    private final String searchguardIndex;
    private PrivilegesInterceptor privilegesInterceptor;
    // Snapshot-restore switches read from node settings in the constructor
    // (restore privilege defaults to false, write-privilege check defaults to true).
    private final boolean enableSnapshotRestorePrivilege;
    private final boolean checkSnapshotRestoreWritePrivileges;
    // Controls whether mapSgRoles() uses backend roles, the roles mapping, or both.
    private ConfigConstants.RolesMappingResolution rolesMappingResolution;
    private final ClusterInfoHolder clusterInfoHolder;
    private final ConfigModel configModel;
    private final IndexResolverReplacer irr;
    // Read actions used by evaluate() to compute the permitted indices for the
    // index-listing terms aggregation special case.
    private static final String[] READ_ACTIONS = {"indices:data/read/msearch", "indices:data/read/mget", "indices:data/read/get", "indices:data/read/search", "indices:data/read/field_caps*"};
    // Query injected by evaluate() into that aggregation request when no index is permitted.
    private static final QueryBuilder NONE_QUERY = new MatchNoneQueryBuilder();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.floragunn.searchguard.configuration.PrivilegesEvaluator$1, reason: invalid class name */
    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$1.class */
    // Compiler-generated lookup tables for `switch` statements over enums, as reconstructed
    // by the decompiler. Each array is indexed by an enum constant's ordinal() and holds the
    // case number that evaluateAdditionalIndexPermissions() switches on; slots left at the
    // default 0 match no case there.
    public static /* synthetic */ class AnonymousClass1 {
        // DocWriteRequest.OpType -> case number (CREATE=1, INDEX=2, DELETE=3, UPDATE=4).
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType;
        // IndicesAliasesRequest.AliasActions.Type -> case number (only REMOVE_INDEX=1 is mapped).
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type = new int[IndicesAliasesRequest.AliasActions.Type.values().length];

        static {
            try {
                $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type[IndicesAliasesRequest.AliasActions.Type.REMOVE_INDEX.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Presumably tolerates an enum constant that is absent at runtime; its slot stays unmapped.
            }
            $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType = new int[DocWriteRequest.OpType.values().length];
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.INDEX.ordinal()] = 2;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.DELETE.ordinal()] = 3;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.UPDATE.ordinal()] = 4;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$PrivEvalResponse.class */
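    /**
     * Result of one privilege evaluation.
     *
     * <p>A fresh instance is deny-by-default: {@code allowed} starts as {@code false} and the
     * set of missing privileges starts empty. The three map fields stay {@code null} until the
     * evaluator assigns them.
     */
    public static class PrivEvalResponse {
        boolean allowed = false;
        Set<String> missingPrivileges = new HashSet<>();
        Map<String, Set<String>> allowedFlsFields;
        Map<String, Set<String>> maskedFields;
        Map<String, Set<String>> queries;

        /** @return {@code true} only when the evaluator explicitly granted the request */
        public boolean isAllowed() {
            return this.allowed;
        }

        /**
         * @return a copy of the missing privileges; changes to the returned set do not affect
         *     this response
         */
        public Set<String> getMissingPrivileges() {
            return new HashSet<>(this.missingPrivileges);
        }

        /**
         * @return the internal FLS map itself (not a copy), or {@code null} when none was set;
         *     callers must treat it as read-only
         */
        public Map<String, Set<String>> getAllowedFlsFields() {
            return this.allowedFlsFields;
        }

        /**
         * @return the internal masked-fields map itself (not a copy), or {@code null} when none
         *     was set; callers must treat it as read-only
         */
        public Map<String, Set<String>> getMaskedFields() {
            return this.maskedFields;
        }

        /**
         * @return the internal DLS query map itself (not a copy), or {@code null} when none was
         *     set; callers must treat it as read-only
         */
        public Map<String, Set<String>> getQueries() {
            return this.queries;
        }

        @Override
        public String toString() {
            return "PrivEvalResponse [allowed=" + this.allowed + ", missingPrivileges=" + this.missingPrivileges + ", allowedFlsFields=" + this.allowedFlsFields + ", maskedFields=" + this.maskedFields + ", queries=" + this.queries + "]";
        }
    }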

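    /**
     * Wires the evaluator to its collaborators and reads the static node settings it needs.
     *
     * <p>Settings read here: the Search Guard config index name, the snapshot-restore privilege
     * switch (default {@code false}), the snapshot-restore write-privilege check (default
     * {@code true}) and the roles mapping resolution. An unparsable roles mapping resolution is
     * logged and replaced by {@code MAPPING_ONLY}.
     *
     * @param clusterService cluster state access, also handed to the index resolver
     * @param threadPool source of the thread context used during evaluation
     * @param configurationRepository source of the roles, roles-mapping and config settings
     * @param actionGroupHolder action groups, also handed to the config model
     * @param indexNameExpressionResolver index name resolver, also handed to the index resolver
     * @param auditLog receiver of audit events raised during evaluation
     * @param settings node settings
     * @param privilegesInterceptor interceptor consulted by {@code evaluate}
     * @param clusterInfoHolder cluster information (elected-master state)
     */
    public PrivilegesEvaluator(ClusterService clusterService, ThreadPool threadPool, ConfigurationRepository configurationRepository, ActionGroupHolder actionGroupHolder, IndexNameExpressionResolver indexNameExpressionResolver, AuditLog auditLog, Settings settings, PrivilegesInterceptor privilegesInterceptor, ClusterInfoHolder clusterInfoHolder) {
        this.configurationRepository = configurationRepository;
        this.clusterService = clusterService;
        this.ah = actionGroupHolder;
        this.resolver = indexNameExpressionResolver;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
        this.searchguardIndex = settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);
        this.privilegesInterceptor = privilegesInterceptor;
        this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, false).booleanValue();
        this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, true).booleanValue();
        try {
            // Upper-case with a fixed locale: under a locale with special casing rules (e.g.
            // Turkish dotted/dotless i) the default-locale form of "mapping_only" would not match
            // the enum constant and the configured value would be rejected.
            String configuredResolution = settings.get(ConfigConstants.SEARCHGUARD_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString());
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(configuredResolution.toUpperCase(java.util.Locale.ROOT));
        } catch (Exception e) {
            // An invalid value must not stop the node; fall back to the default resolution.
            this.log.error("Cannot apply roles mapping resolution", e);
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.MAPPING_ONLY;
        }
        // Actions that evaluate() refuses on the Search Guard index and on "all indices" requests.
        this.sgDeniedActionPatterns = new String[] {
            "indices:data/write*",
            "indices:admin/close",
            "indices:admin/delete",
            "cluster:admin/snapshot/restore"
        };
        this.clusterInfoHolder = clusterInfoHolder;
        this.configModel = new ConfigModel(actionGroupHolder, configurationRepository);
        this.irr = new IndexResolverReplacer(indexNameExpressionResolver, clusterService, clusterInfoHolder);
    }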

    /** Fetches the current roles configuration from the repository; may be {@code null} (see {@code isInitialized}). */
    private Settings getRolesSettings() {
        final Settings roles = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES, false);
        return roles;
    }

    /** Fetches the current roles-mapping configuration from the repository; may be {@code null} (see {@code isInitialized}). */
    private Settings getRolesMappingSettings() {
        final Settings rolesMapping = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES_MAPPING, false);
        return rolesMapping;
    }

    /** Fetches the current dynamic Search Guard configuration from the repository; may be {@code null} (see {@code isInitialized}). */
    private Settings getConfigSettings() {
        final Settings config = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_CONFIG, false);
        return config;
    }

    /**
     * Loads the role model and narrows it to the roles mapped to the given user and caller address.
     *
     * @param user the authenticated user
     * @param transportAddress the caller's address, used for host-based role mapping
     * @return the role model filtered to the user's effective Search Guard roles
     */
    private ConfigModel.SgRoles getSgRoles(User user, TransportAddress transportAddress) {
        final ConfigModel.SgRoles allRoles = this.configModel.load();
        final Set<String> effectiveRoleNames = mapSgRoles(user, transportAddress);
        return allRoles.filter(effectiveRoleNames);
    }

    /**
     * Reports whether the roles, roles-mapping and config settings are all available.
     *
     * @return {@code false} as soon as one of the three configurations is {@code null}
     */
    public boolean isInitialized() {
        return getRolesSettings() != null
            && getRolesMappingSettings() != null
            && getConfigSettings() != null;
    }

    /**
     * Decides whether {@code user} may execute the action {@code str} for {@code actionRequest}.
     *
     * <p>Besides returning a decision this method has side effects: it attaches (or verifies) the
     * masked-field, DLS and FLS headers on the thread context, and it may rewrite the request
     * (disable request cache / realtime, replace the requested indices, inject a query).
     *
     * @param user the authenticated user
     * @param str the action name being executed
     * @param actionRequest the request being authorized; may be modified
     * @param task the task the request runs under, passed on to the audit log
     * @return the decision; {@code allowed} is {@code false} unless a branch below grants access
     * @throws ElasticsearchSecurityException if Search Guard is not initialized, or if a
     *     masked-field/DLS/FLS header already on the thread context differs from the computed value
     * @throws NullPointerException if the remote address transient is missing from the thread context
     */
    public PrivEvalResponse evaluate(User user, String str, ActionRequest actionRequest, Task task) {
        // Fail closed while the roles / roles-mapping / config settings are not loaded.
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Search Guard is not initialized.", new Object[0]);
        }
        // Internal upgrade actions are evaluated as the public upgrade action.
        if (str.startsWith("internal:indices/admin/upgrade")) {
            str = "indices:admin/upgrade";
        }
        // The caller address is mandatory; it feeds host-based role mapping.
        TransportAddress transportAddress = (TransportAddress) Objects.requireNonNull((TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS));
        ConfigModel.SgRoles sgRoles = getSgRoles(user, transportAddress);
        PrivEvalResponse privEvalResponse = new PrivEvalResponse();
        if (this.log.isDebugEnabled()) {
            this.log.debug("### evaluate permissions for {} on {}", user, this.clusterService.localNode().getName());
            this.log.debug("action: " + str + " (" + actionRequest.getClass().getSimpleName() + ")");
        }
        IndexResolverReplacer.Resolved resolveRequest = this.irr.resolveRequest(actionRequest);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requestedResolved : {}", resolveRequest);
        }
        // Masked fields: attach the header if absent, otherwise require that the existing header
        // equals what was just computed for this user.
        // NOTE(review): the comparison deserializes the header value via Base64Helper - presumably
        // Java object serialization; confirm the header can only originate from trusted nodes and
        // that the helper restricts the classes it will instantiate.
        Map<String, Set<String>> maskedFields = sgRoles.getMaskedFields(user, this.resolver, this.clusterService);
        if (maskedFields != null && !maskedFields.isEmpty()) {
            if (this.threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_MASKED_FIELD_HEADER, Base64Helper.serializeObject((Serializable) maskedFields));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach masked fields info: {}", maskedFields);
                }
            } else {
                if (!maskedFields.equals(Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_MASKED_FIELD_HEADER)))) {
                    throw new ElasticsearchSecurityException("_sg_masked_fields does not match (SG 901D)", new Object[0]);
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("_sg_masked_fields already set");
                }
            }
        }
        // NOTE(review): the null check above suggests maskedFields can be null, yet this copy
        // would throw NullPointerException for null - confirm getMaskedFields never returns null.
        privEvalResponse.maskedFields = new HashMap(maskedFields);
        // v1 = DLS queries, v2 = FLS fields (as used by the headers and response fields below).
        Tuple<Map<String, Set<String>>, Map<String, Set<String>>> dlsFls = sgRoles.getDlsFls(user, this.resolver, this.clusterService);
        Map map = (Map) dlsFls.v1();
        Map map2 = (Map) dlsFls.v2();
        if (!map.isEmpty()) {
            // DLS: same attach-or-verify handling as for masked fields.
            if (this.threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_DLS_QUERY_HEADER, Base64Helper.serializeObject((Serializable) map));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach DLS info: {}", map);
                }
            } else if (!map.equals(Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER)))) {
                throw new ElasticsearchSecurityException("_sg_dls_query does not match (SG 900D)", new Object[0]);
            }
            privEvalResponse.queries = new HashMap(map);
            // The response (not the header) only keeps entries whose key matches a requested index.
            if (!resolveRequest.getAllIndices().isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it = privEvalResponse.queries.entrySet().iterator();
                while (it.hasNext()) {
                    if (!WildcardMatcher.matchAny(it.next().getKey(), (Collection<String>) resolveRequest.getAllIndices(), false)) {
                        it.remove();
                    }
                }
            }
        }
        if (!map2.isEmpty()) {
            // FLS: same attach-or-verify handling as for masked fields.
            if (this.threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_FLS_FIELDS_HEADER, Base64Helper.serializeObject((Serializable) map2));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach FLS info: {}", map2);
                }
            } else {
                if (!map2.equals(Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER)))) {
                    throw new ElasticsearchSecurityException("_sg_fls_fields does not match (SG 901D)", new Object[0]);
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("_sg_fls_fields already set");
                }
            }
            privEvalResponse.allowedFlsFields = new HashMap(map2);
            // The response (not the header) only keeps entries whose key matches a requested index.
            if (!resolveRequest.getAllIndices().isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it2 = privEvalResponse.allowedFlsFields.entrySet().iterator();
                while (it2.hasNext()) {
                    if (!WildcardMatcher.matchAny(it2.next().getKey(), (Collection<String>) resolveRequest.getAllIndices(), false)) {
                        it2.remove();
                    }
                }
            }
        }
        // A request that resolved to the shared _EMPTY instance (identity comparison) is allowed
        // without any permission check.
        if (resolveRequest == IndexResolverReplacer.Resolved._EMPTY) {
            privEvalResponse.allowed = true;
            return privEvalResponse;
        }
        if (actionRequest instanceof RestoreSnapshotRequest) {
            // Restore is refused outright unless the restore privilege is enabled in node settings.
            if (!this.enableSnapshotRestorePrivilege) {
                this.log.warn(str + " is not allowed for a regular user");
                privEvalResponse.allowed = false;
                return privEvalResponse;
            }
            // When this node reports it is not the elected master, the restore is allowed here
            // without the checks below. Identity comparison: only the canonical Boolean.FALSE
            // matches; a null result falls through to the checks.
            // NOTE(review): presumably the elected master repeats the evaluation - confirm.
            if (this.clusterInfoHolder.isLocalNodeElectedMaster() == Boolean.FALSE) {
                privEvalResponse.allowed = true;
                return privEvalResponse;
            }
            RestoreSnapshotRequest restoreSnapshotRequest = (RestoreSnapshotRequest) actionRequest;
            // Restoring global state is refused and audit-logged.
            if (restoreSnapshotRequest.includeGlobalState()) {
                this.auditLog.logSgIndexAttempt(actionRequest, str, task);
                this.log.warn(str + " with 'include_global_state' enabled is not allowed");
                privEvalResponse.allowed = false;
                return privEvalResponse;
            }
            // A restore whose source indices include the Search Guard index, "_all" or "*" is
            // refused and audit-logged.
            List<String> resolveOriginalIndices = SnapshotRestoreHelper.resolveOriginalIndices(restoreSnapshotRequest);
            if (resolveOriginalIndices != null && (resolveOriginalIndices.contains(this.searchguardIndex) || resolveOriginalIndices.contains("_all") || resolveOriginalIndices.contains("*"))) {
                this.auditLog.logSgIndexAttempt(actionRequest, str, task);
                this.log.warn(str + " for '{}' as source index is not allowed", this.searchguardIndex);
                privEvalResponse.allowed = false;
                return privEvalResponse;
            }
        }
        // Denied action patterns (write, close, delete, restore) against the Search Guard index
        // are refused and audit-logged regardless of the user's roles.
        if (resolveRequest.getAllIndices().contains(this.searchguardIndex) && WildcardMatcher.matchAny(this.sgDeniedActionPatterns, str)) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " for '{}' index is not allowed for a regular user", this.searchguardIndex);
            privEvalResponse.allowed = false;
            return privEvalResponse;
        }
        // The same patterns are refused when the request resolves to all indices.
        if (resolveRequest.isAll() && WildcardMatcher.matchAny(this.sgDeniedActionPatterns, str)) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " for '_all' indices is not allowed for a regular user");
            privEvalResponse.allowed = false;
            return privEvalResponse;
        }
        // Requests touching the Search Guard index (or all indices) get the search request cache
        // and realtime behaviour switched off.
        if (resolveRequest.getAllIndices().contains(this.searchguardIndex) || resolveRequest.isAll()) {
            if (actionRequest instanceof SearchRequest) {
                ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Disable search request cache for this request");
                }
            }
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(Boolean.FALSE.booleanValue());
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Disable realtime for this request");
                }
            }
        }
        // "do not fail on forbidden" (dnfof): enabled by either of the two dynamic settings.
        boolean z = getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.do_not_fail_on_forbidden", false).booleanValue() || getConfigSettings().getAsBoolean("searchguard.dynamic.do_not_fail_on_forbidden", false).booleanValue();
        if (this.log.isTraceEnabled()) {
            this.log.trace("dnfof enabled? {}", Boolean.valueOf(z));
        }
        // Cluster-level actions: decided from the roles' cluster permissions.
        if (isClusterPerm(str)) {
            if (!sgRoles.impliesClusterPermissionPermission(str)) {
                privEvalResponse.missingPrivileges.add(str);
                privEvalResponse.allowed = false;
                this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", "cluster", user, resolveRequest, str, sgRoles.getRoles().stream().map(sgRole -> {
                    return sgRole.getName();
                }).toArray());
                this.log.info("No permissions for {}", privEvalResponse.missingPrivileges);
                return privEvalResponse;
            }
            // Restore requests with the write-privilege check enabled fall through to the
            // index-level checks below; every other permitted cluster action is decided here.
            if (!(actionRequest instanceof RestoreSnapshotRequest) || !this.checkSnapshotRestoreWritePrivileges) {
                // With dnfof, a read action is narrowed to the indices the user may access: no
                // permitted index -> denied; request successfully rewritten -> allowed.
                if (z && str.startsWith("indices:data/read/") && !resolveRequest.getAllIndices().isEmpty()) {
                    Set<String> reduce = sgRoles.reduce(resolveRequest, user, new String[]{str}, this.resolver, this.clusterService);
                    if (reduce.isEmpty()) {
                        privEvalResponse.allowed = false;
                        return privEvalResponse;
                    }
                    if (this.irr.replace(actionRequest, true, (String[]) reduce.toArray(new String[0]))) {
                        privEvalResponse.missingPrivileges.clear();
                        privEvalResponse.allowed = true;
                        return privEvalResponse;
                    }
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Allowed because we have cluster permissions for " + str);
                }
                privEvalResponse.allowed = true;
                return privEvalResponse;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Normally allowed but we need to apply some extra checks for a restore request.");
            }
        }
        // Special case: a size-0 search with no query and exactly one terms aggregation named
        // "indices" on the "_index" field. Instead of a permission check, the request is
        // restricted to the indices the user may read (or to a match-none query) and allowed.
        // Any exception here is logged and evaluation continues with the regular checks.
        try {
            if (actionRequest instanceof SearchRequest) {
                SearchRequest searchRequest = (SearchRequest) actionRequest;
                if (searchRequest.source() != null && searchRequest.source().query() == null && searchRequest.source().aggregations() != null && searchRequest.source().aggregations().getAggregatorFactories() != null && searchRequest.source().aggregations().getAggregatorFactories().size() == 1 && searchRequest.source().size() == 0) {
                    // NOTE(review): decompiler artifact - the declared type and the cast disagree,
                    // so this line does not compile as written.
                    TermsAggregationBuilder termsAggregationBuilder = (AggregationBuilder) searchRequest.source().aggregations().getAggregatorFactories().get(0);
                    if ((termsAggregationBuilder instanceof TermsAggregationBuilder) && "terms".equals(termsAggregationBuilder.getType()) && "indices".equals(termsAggregationBuilder.getName()) && "_index".equals(termsAggregationBuilder.field()) && termsAggregationBuilder.getPipelineAggregations().isEmpty() && termsAggregationBuilder.getSubAggregations().isEmpty()) {
                        Set<String> allPermittedIndices = getSgRoles(user, transportAddress).getAllPermittedIndices(user, READ_ACTIONS, this.resolver, this.clusterService);
                        if (allPermittedIndices == null || allPermittedIndices.isEmpty()) {
                            searchRequest.source().query(NONE_QUERY);
                        } else {
                            searchRequest.source().query(new TermsQueryBuilder("_index", allPermittedIndices));
                        }
                        privEvalResponse.allowed = true;
                        return privEvalResponse;
                    }
                }
            }
        } catch (Exception e) {
            this.log.warn("Unable to evaluate terms aggregation", e);
        }
        // Index-level evaluation: the action itself plus any privileges implied by the request
        // content (bulk items, alias actions, create-with-aliases, restore).
        Set<String> evaluateAdditionalIndexPermissions = evaluateAdditionalIndexPermissions(actionRequest, str);
        String[] strArr = (String[]) evaluateAdditionalIndexPermissions.toArray(new String[0]);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requested {} from {}", evaluateAdditionalIndexPermissions, transportAddress);
        }
        // Reported as missing until a branch below grants access and clears or overrides them.
        privEvalResponse.missingPrivileges.clear();
        privEvalResponse.missingPrivileges.addAll(evaluateAdditionalIndexPermissions);
        Settings configSettings = getConfigSettings();
        if (this.log.isDebugEnabled()) {
            this.log.debug("requested resolved indextypes: {}", resolveRequest);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("sgr: {}", sgRoles.getRoles().stream().map(sgRole2 -> {
                return sgRole2.getName();
            }).toArray());
        }
        // Only a PrivilegesInterceptor subclass is consulted. Its result is compared by identity:
        // Boolean.TRUE -> denied (audit-logged; `allowed` is still false at this point),
        // Boolean.FALSE -> allowed, anything else (including null) -> continue below.
        if (this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class) {
            Boolean replaceKibanaIndex = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, str, user, configSettings, resolveRequest.getAllIndices(), mapTenants(user, transportAddress));
            if (this.log.isDebugEnabled()) {
                this.log.debug("Result from privileges interceptor: {}", replaceKibanaIndex);
            }
            if (replaceKibanaIndex == Boolean.TRUE) {
                this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
                return privEvalResponse;
            }
            if (replaceKibanaIndex == Boolean.FALSE) {
                privEvalResponse.allowed = true;
                return privEvalResponse;
            }
        }
        // With dnfof, read actions and field-mapping lookups are narrowed to the permitted
        // indices: none permitted -> denied; request successfully rewritten -> allowed.
        if (z && (str.startsWith("indices:data/read/") || str.startsWith("indices:admin/mappings/fields/get"))) {
            Set<String> reduce2 = sgRoles.reduce(resolveRequest, user, strArr, this.resolver, this.clusterService);
            if (reduce2.isEmpty()) {
                privEvalResponse.allowed = false;
                return privEvalResponse;
            }
            if (this.irr.replace(actionRequest, true, (String[]) reduce2.toArray(new String[0]))) {
                privEvalResponse.missingPrivileges.clear();
                privEvalResponse.allowed = true;
                return privEvalResponse;
            }
        }
        // The dynamic multi_rolespan_enabled setting selects which of the two role checks is used.
        boolean impliesTypePermGlobal = configSettings.getAsBoolean("searchguard.dynamic.multi_rolespan_enabled", false).booleanValue() ? sgRoles.impliesTypePermGlobal(resolveRequest, user, strArr, this.resolver, this.clusterService) : sgRoles.get(resolveRequest, user, strArr, this.resolver, this.clusterService);
        if (!impliesTypePermGlobal) {
            // NOTE(review): the first log argument is a ConfigConstants audit constant where the
            // cluster branch passes the literal "cluster" - possibly the decompiler substituting a
            // constant with the same string value; confirm the logged level name.
            this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", ConfigConstants.SEARCHGUARD_AUDIT_ES_INDEX, user, resolveRequest, str, sgRoles.getRoles().stream().map(sgRole3 -> {
                return sgRole3.getName();
            }).toArray());
            this.log.info("No permissions for {}", privEvalResponse.missingPrivileges);
        } else {
            // Even with sufficient permissions the request is denied when checkFilteredAliases
            // (defined outside this view) reports true for the requested indices.
            if (checkFilteredAliases(resolveRequest.getAllIndices(), str)) {
                privEvalResponse.allowed = false;
                return privEvalResponse;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Allowed because we have all indices permissions for " + str);
            }
        }
        privEvalResponse.allowed = impliesTypePermGlobal;
        return privEvalResponse;
    }

    /**
     * Computes the names of the Search Guard roles that apply to a user.
     *
     * <p>Depending on the configured roles mapping resolution, the result contains the user's
     * backend roles, the roles mapped through the roles-mapping configuration, or both. A mapping
     * entry applies when all of its {@code and_backendroles} patterns match, or any of its
     * {@code backendroles} matches, or its {@code users} match the user name, or its
     * {@code hosts} match the caller address. Host matching by host string and by
     * {@code getHostName()} is only attempted when the dynamic {@code hosts_resolver_mode}
     * setting asks for it (default {@code ip-only}); the latter relies on name resolution of the
     * caller address, so its result is only as trustworthy as that resolution.
     *
     * @param user the authenticated user; {@code null} yields an empty set
     * @param transportAddress the caller's address, or {@code null} to skip host matching
     * @return an unmodifiable, sorted set of role names
     */
    public Set<String> mapSgRoles(User user, TransportAddress transportAddress) {
        final Settings mappings = getRolesMappingSettings();
        final Set<String> effectiveRoles = new TreeSet<>();
        if (user == null) {
            return Collections.emptySet();
        }

        final ConfigConstants.RolesMappingResolution resolution = this.rolesMappingResolution;
        final boolean both = resolution == ConfigConstants.RolesMappingResolution.BOTH;

        if (both || resolution == ConfigConstants.RolesMappingResolution.BACKENDROLES_ONLY) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Pass backendroles from {}", user);
            }
            effectiveRoles.addAll(user.getRoles());
        }

        final boolean useMapping = mappings != null && (both || resolution == ConfigConstants.RolesMappingResolution.MAPPING_ONLY);
        if (!useMapping) {
            return Collections.unmodifiableSet(effectiveRoles);
        }

        for (String roleName : mappings.names()) {
            final Settings mapping = mappings.getByPrefix(roleName);

            // Identity-based criteria, tried in order; the first hit maps the role.
            final boolean matchedByIdentity =
                WildcardMatcher.allPatternsMatched((String[]) mapping.getAsList(".and_backendroles", Collections.emptyList()).toArray(new String[0]), (String[]) user.getRoles().toArray(new String[0]))
                    || WildcardMatcher.matchAny((String[]) mapping.getAsList(".backendroles", Collections.emptyList()).toArray(new String[0]), (String[]) user.getRoles().toArray(new String[0]))
                    || WildcardMatcher.matchAny(mapping.getAsList(".users"), user.getName());
            if (matchedByIdentity) {
                effectiveRoles.add(roleName);
                continue;
            }

            // Host-based criteria need a caller address.
            if (transportAddress == null) {
                continue;
            }
            if (this.log.isTraceEnabled()) {
                this.log.trace("caller (getAddress()) is {}", transportAddress.getAddress());
                this.log.trace("caller unresolved? {}", Boolean.valueOf(transportAddress.address().isUnresolved()));
                this.log.trace("caller inner? {}", transportAddress.address().getAddress() == null ? "<unresolved>" : transportAddress.address().getAddress().toString());
                this.log.trace("caller (getHostString()) is {}", transportAddress.address().getHostString());
                this.log.trace("caller (getHostName(), dns) is {}", transportAddress.address().getHostName());
            }

            if (WildcardMatcher.matchAny(mapping.getAsList(".hosts"), transportAddress.getAddress())) {
                effectiveRoles.add(roleName);
                continue;
            }

            final String resolverMode = getConfigSettings().get("searchguard.dynamic.hosts_resolver_mode", "ip-only");
            if (transportAddress.address() != null) {
                final boolean withLookup = resolverMode.equalsIgnoreCase("ip-hostname-lookup");
                if ((resolverMode.equalsIgnoreCase("ip-hostname") || withLookup)
                        && WildcardMatcher.matchAny(mapping.getAsList(".hosts"), transportAddress.address().getHostString())) {
                    effectiveRoles.add(roleName);
                }
            }
            if (transportAddress.address() != null && resolverMode.equalsIgnoreCase("ip-hostname-lookup")) {
                if (WildcardMatcher.matchAny(mapping.getAsList(".hosts"), transportAddress.address().getHostName())) {
                    effectiveRoles.add(roleName);
                }
            }
        }
        return Collections.unmodifiableSet(effectiveRoles);
    }

    /**
     * Computes the tenants available to a user and whether each one is writable.
     *
     * <p>The user's own name is always present with write access. For every mapped role, the
     * tenants configured under {@code <role>.tenants.} are added: {@code RW} (case-insensitive)
     * grants write access and overrides an earlier read-only entry, any other value (default
     * {@code RO}) adds a read-only entry only if the tenant is not present yet.
     *
     * @param user the authenticated user; {@code null} yields an empty map
     * @param transportAddress the caller's address, used for role mapping
     * @return an unmodifiable map of tenant name to write access
     */
    public Map<String, Boolean> mapTenants(User user, TransportAddress transportAddress) {
        if (user == null) {
            return Collections.emptyMap();
        }
        final Map<String, Boolean> tenantAccess = new HashMap<>();
        tenantAccess.put(user.getName(), true);
        for (String roleName : mapSgRoles(user, transportAddress)) {
            final Settings roleTenants = getRolesSettings().getByPrefix(roleName + ".tenants.");
            if (roleTenants == null) {
                continue;
            }
            for (String tenant : roleTenants.names()) {
                // The user's private tenant is already registered as writable.
                if (tenant.equals(user.getName())) {
                    continue;
                }
                final boolean writable = "RW".equalsIgnoreCase(roleTenants.get(tenant, "RO"));
                if (writable) {
                    tenantAccess.put(tenant, true);
                } else {
                    // Never downgrade a tenant that another role already made writable.
                    tenantAccess.putIfAbsent(tenant, false);
                }
            }
        }
        return Collections.unmodifiableMap(tenantAccess);
    }

    /**
     * Reports whether Kibana multitenancy is active.
     *
     * @return {@code true} only when a {@code PrivilegesInterceptor} subclass is installed and
     *     the dynamic {@code kibana.multitenancy_enabled} setting (default {@code true}) is on
     */
    public boolean multitenancyEnabled() {
        // The base PrivilegesInterceptor class means no interceptor implementation is installed.
        if (this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class) {
            return false;
        }
        return getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.multitenancy_enabled", true).booleanValue();
    }

    /**
     * Reports whether the Kibana "do not fail on forbidden" mode is active.
     *
     * <p>Only the {@code kibana.do_not_fail_on_forbidden} setting is read here, and only when a
     * {@code PrivilegesInterceptor} subclass is installed.
     *
     * @return {@code true} when both conditions hold; the setting defaults to {@code false}
     */
    public boolean notFailOnForbiddenEnabled() {
        // The base PrivilegesInterceptor class means no interceptor implementation is installed.
        if (this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class) {
            return false;
        }
        return getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.do_not_fail_on_forbidden", false).booleanValue();
    }

    /** @return the configured Kibana index name, {@code ".kibana"} when the setting is absent */
    public String kibanaIndex() {
        final Settings config = getConfigSettings();
        return config.get("searchguard.dynamic.kibana.index", ".kibana");
    }

    /** @return the configured Kibana server user name, {@code "kibanaserver"} when the setting is absent */
    public String kibanaServerUsername() {
        final Settings config = getConfigSettings();
        return config.get("searchguard.dynamic.kibana.server_username", "kibanaserver");
    }

    /**
     * Collects every index-level privilege a request needs, beyond the action name itself.
     *
     * <p>The action is included unless it is a cluster-level action. Request content adds more:
     * each bulk item contributes the write privilege for its operation type, an alias request
     * that removes an index needs the index delete privilege, a create-index request carrying
     * aliases needs the aliases privilege, and a snapshot restore needs the configured write
     * privileges when that check is enabled.
     *
     * @param actionRequest the request being authorized
     * @param str the action name
     * @return an unmodifiable set of required privileges
     */
    private Set<String> evaluateAdditionalIndexPermissions(ActionRequest actionRequest, String str) {
        final Set<String> required = new HashSet<>();
        if (!isClusterPerm(str)) {
            required.add(str);
        }

        if (actionRequest instanceof BulkShardRequest) {
            // A bulk request is authorized per item, by the operation each item performs.
            for (BulkItemRequest item : ((BulkShardRequest) actionRequest).items()) {
                switch (item.request().opType()) {
                    case CREATE:
                    case INDEX:
                        required.add("indices:data/write/index");
                        break;
                    case DELETE:
                        required.add("indices:data/write/delete");
                        break;
                    case UPDATE:
                        required.add("indices:data/write/update");
                        break;
                    default:
                        break;
                }
            }
        }

        if (actionRequest instanceof IndicesAliasesRequest) {
            for (IndicesAliasesRequest.AliasActions aliasAction : ((IndicesAliasesRequest) actionRequest).getAliasActions()) {
                // Removing an index through the aliases API is an index deletion.
                switch (aliasAction.actionType()) {
                    case REMOVE_INDEX:
                        required.add("indices:admin/delete");
                        break;
                    default:
                        break;
                }
            }
        }

        if (actionRequest instanceof CreateIndexRequest) {
            final CreateIndexRequest createRequest = (CreateIndexRequest) actionRequest;
            final boolean createsAliases = createRequest.aliases() != null && !createRequest.aliases().isEmpty();
            if (createsAliases) {
                required.add("indices:admin/aliases");
            }
        }

        if (this.checkSnapshotRestoreWritePrivileges && actionRequest instanceof RestoreSnapshotRequest) {
            required.addAll(ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES);
        }

        // Only worth reporting when something was added beyond a single privilege.
        final boolean hasExtras = required.size() > 1;
        if (this.actionTrace.isTraceEnabled() && hasExtras) {
            this.actionTrace.trace("Additional permissions required: " + required);
        }
        if (this.log.isDebugEnabled() && hasExtras) {
            this.log.debug("Additional permissions required: " + required);
        }
        return Collections.unmodifiableSet(required);
    }

    /**
     * Decides whether an action name is handled as a cluster-level permission.
     *
     * <p>Three patterns are prefix matches ({@code cluster:}, {@code indices:admin/template/},
     * {@code indices:data/read/scroll}); the remaining names must match exactly. The scroll
     * prefix has no trailing separator, so it also covers any action name that merely starts
     * with {@code indices:data/read/scroll}.
     *
     * <p>Within this class, a {@code true} result keeps the action out of the set built by
     * {@code evaluateAdditionalIndexPermissions}, so additions to this list should be reviewed
     * with that in mind.
     *
     * @param str the action name; must not be {@code null}
     * @return {@code true} if the action is treated as a cluster permission
     */
    private static boolean isClusterPerm(String str) {
        // Prefix matches.
        if (str.startsWith("cluster:")) {
            return true;
        }
        if (str.startsWith("indices:admin/template/")) {
            return true;
        }
        if (str.startsWith("indices:data/read/scroll")) {
            return true;
        }
        // Exact matches.
        if (str.equals("indices:data/write/bulk")) {
            return true;
        }
        if (str.equals("indices:data/read/mget")) {
            return true;
        }
        if (str.equals("indices:data/read/msearch")) {
            return true;
        }
        if (str.equals("indices:data/read/mtv")) {
            return true;
        }
        if (str.equals("indices:data/read/coordinate-msearch")) {
            return true;
        }
        return str.equals("indices:data/write/reindex");
    }

    /**
     * Checks the given indices for the case where one index carries more than one filtered alias.
     *
     * <p>For every index name in {@code set} the aliases that require filtering are collected
     * from the cluster metadata. When an index has more than one such alias and the action
     * matches {@code indices:data/read/*search*}, the outcome depends on the
     * {@code searchguard.dynamic.filtered_alias_mode} setting (default {@code "warn"}):
     * <ul>
     *   <li>{@code "warn"}: a warning is logged and the scan continues;</li>
     *   <li>{@code "disallow"}: an error is logged and the method returns {@code true};</li>
     *   <li>any other value: only a debug message is logged. This includes a misspelt mode,
     *       so the value should be validated wherever the configuration is loaded.</li>
     * </ul>
     * Indices missing from the cluster metadata are skipped with a debug message. Actions
     * that do not match the search pattern are never reported, whatever the mode.
     *
     * @param set the concrete index names to inspect
     * @param str the action name of the request
     * @return {@code true} only in {@code "disallow"} mode when an index with several filtered
     *         aliases is found; presumably the caller then rejects the request (verify against
     *         the call site)
     */
    private boolean checkFilteredAliases(Set<String> set, String str) {
        for (String indexName : set) {
            final List<AliasMetaData> filteredAliases = new ArrayList<>();
            final IndexMetaData indexMetaData = (IndexMetaData) this.clusterService.state().metaData().getIndices().get(indexName);
            if (indexMetaData == null) {
                this.log.debug("{} does not exist in cluster metadata", indexName);
                continue;
            }

            final ImmutableOpenMap<String, AliasMetaData> aliases = indexMetaData.getAliases();
            if (aliases != null && aliases.size() > 0) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Aliases for {}: {}", indexName, aliases);
                }
                for (Iterator<String> aliasNames = aliases.keysIt(); aliasNames.hasNext(); ) {
                    final String aliasName = aliasNames.next();
                    final AliasMetaData aliasMetaData = aliases.get(aliasName);
                    final boolean filtered = aliasMetaData != null && aliasMetaData.filteringRequired();
                    if (filtered) {
                        filteredAliases.add(aliasMetaData);
                    }
                    if (this.log.isDebugEnabled()) {
                        if (filtered) {
                            this.log.debug(aliasName + " is a filtered alias " + aliasMetaData.getFilter());
                        } else {
                            this.log.debug(aliasName + " is not an alias or does not have a filter");
                        }
                    }
                }
            }

            // Only search-type read actions on an index with several filtered aliases are of interest.
            if (filteredAliases.size() <= 1 || !WildcardMatcher.match("indices:data/read/*search*", str)) {
                continue;
            }

            final String mode = getConfigSettings().get("searchguard.dynamic.filtered_alias_mode", "warn");
            if (mode.equals("warn")) {
                this.log.warn("More than one ({}) filtered alias found for same index ({}). This is currently not recommended. Aliases: {}", Integer.valueOf(filteredAliases.size()), indexName, toString(filteredAliases));
            } else if (mode.equals("disallow")) {
                this.log.error("More than one ({}) filtered alias found for same index ({}). This is currently not supported. Aliases: {}", Integer.valueOf(filteredAliases.size()), indexName, toString(filteredAliases));
                return true;
            } else if (this.log.isDebugEnabled()) {
                // Unrecognised mode values end up here and are not enforced.
                this.log.debug("More than one ({}) filtered alias found for same index ({}). Aliases: {}", Integer.valueOf(filteredAliases.size()), indexName, toString(filteredAliases));
            }
        }
        return false;
    }

    /**
     * Converts alias metadata entries to their alias names, for use in log messages.
     *
     * @param list the alias metadata entries; may be {@code null} or empty
     * @return an empty list for {@code null} or empty input, otherwise an unmodifiable list of
     *         the alias names in input order, with {@code null} entries skipped
     */
    private List<String> toString(List<AliasMetaData> list) {
        final boolean nothingToConvert = list == null || list.isEmpty();
        if (nothingToConvert) {
            return Collections.emptyList();
        }
        final List<String> aliasNames = new ArrayList<>(list.size());
        for (AliasMetaData entry : list) {
            if (entry == null) {
                continue;
            }
            aliasNames.add(entry.alias());
        }
        return Collections.unmodifiableList(aliasNames);
    }
}
