package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.SearchGuardPlugin;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.OriginalIndices;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.fieldcaps.FieldCapabilitiesRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.action.termvectors.MultiTermVectorsRequest;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.AliasMetaData;
import org.elasticsearch.cluster.metadata.AliasOrIndex;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.ImmutableOpenMap;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.reindex.ReindexRequest;
import org.elasticsearch.repositories.RepositoriesService;
import org.elasticsearch.repositories.Repository;
import org.elasticsearch.search.aggregations.AggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.TermsAggregationBuilder;
import org.elasticsearch.snapshots.SnapshotId;
import org.elasticsearch.snapshots.SnapshotInfo;
import org.elasticsearch.snapshots.SnapshotUtils;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator.class */
public class PrivilegesEvaluator {
    private final ClusterService clusterService;
    private final ActionGroupHolder ah;
    private final IndexNameExpressionResolver resolver;
    private final String[] sgDeniedActionPatterns;
    private final AuditLog auditLog;
    private ThreadContext threadContext;
    private final ConfigurationRepository configurationRepository;
    private final String searchguardIndex;
    private PrivilegesInterceptor privilegesInterceptor;
    private final boolean enableSnapshotRestorePrivilege;
    private final boolean checkSnapshotRestoreWritePrivileges;
    private ConfigConstants.RolesMappingResolution rolesMappingResolution;
    private final ClusterInfoHolder clusterInfoHolder;
    private static final Set<String> NO_INDICES_SET = Sets.newHashSet(new String[]{"\\", ";", ",", "/", "|"});
    private static final Set<String> NULL_SET = Sets.newHashSet(new String[]{(String) null});
    private static final IndicesOptions DEFAULT_INDICES_OPTIONS = IndicesOptions.lenientExpandOpen();
    private final Set<String> DLSFLS = ImmutableSet.of("_dls_", "_fls_");
    protected final Logger log = LogManager.getLogger(getClass());
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    private final Map<Class<?>, Method> typeCache = Collections.synchronizedMap(new HashMap(100));
    private final Map<Class<?>, Method> typesCache = Collections.synchronizedMap(new HashMap(100));

    /* renamed from: com.floragunn.searchguard.configuration.PrivilegesEvaluator$1, reason: invalid class name */
    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType;
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type = new int[IndicesAliasesRequest.AliasActions.Type.values().length];

        static {
            try {
                $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type[IndicesAliasesRequest.AliasActions.Type.REMOVE_INDEX.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType = new int[DocWriteRequest.OpType.values().length];
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.INDEX.ordinal()] = 2;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.DELETE.ordinal()] = 3;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.UPDATE.ordinal()] = 4;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$IndexType.class */
    public static class IndexType {
        private String index;
        private String type;

        public IndexType(String str, String str2) {
            this.index = str;
            this.type = str2.equals("_all") ? "*" : str2;
        }

        public String getCombinedString() {
            return this.index + "#" + this.type;
        }

        public String getIndex() {
            return this.index;
        }

        public String getType() {
            return this.type;
        }

        public int hashCode() {
            return (31 * ((31 * 1) + (this.index == null ? 0 : this.index.hashCode()))) + (this.type == null ? 0 : this.type.hashCode());
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            IndexType indexType = (IndexType) obj;
            if (this.index == null) {
                if (indexType.index != null) {
                    return false;
                }
            } else if (!this.index.equals(indexType.index)) {
                return false;
            }
            return this.type == null ? indexType.type == null : this.type.equals(indexType.type);
        }

        public String toString() {
            return "IndexType [index=" + this.index + ", type=" + this.type + "]";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$IndexTypeAction.class */
    public static class IndexTypeAction extends IndexType {
        private String action;

        public IndexTypeAction(String str, String str2, String str3) {
            super(str, str2);
            this.action = str3;
        }

        @Override // com.floragunn.searchguard.configuration.PrivilegesEvaluator.IndexType
        public String getCombinedString() {
            return super.getCombinedString() + "#" + this.action;
        }

        @Override // com.floragunn.searchguard.configuration.PrivilegesEvaluator.IndexType
        public int hashCode() {
            return (31 * super.hashCode()) + (this.action == null ? 0 : this.action.hashCode());
        }

        @Override // com.floragunn.searchguard.configuration.PrivilegesEvaluator.IndexType
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass() || !super.equals(obj)) {
                return false;
            }
            IndexTypeAction indexTypeAction = (IndexTypeAction) obj;
            return this.action == null ? indexTypeAction.action == null : this.action.equals(indexTypeAction.action);
        }

        @Override // com.floragunn.searchguard.configuration.PrivilegesEvaluator.IndexType
        public String toString() {
            return "IndexTypeAction [index=" + getIndex() + ", type=" + getType() + ", action=" + this.action + "]";
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/configuration/PrivilegesEvaluator$PrivEvalResponse.class */
    public static class PrivEvalResponse {
        boolean allowed = false;
        Set<String> missingPrivileges = new HashSet();
        Map<String, Set<String>> allowedFlsFields;
        Map<String, Set<String>> queries;

        public boolean isAllowed() {
            return this.allowed;
        }

        public Set<String> getMissingPrivileges() {
            return new HashSet(this.missingPrivileges);
        }

        public Map<String, Set<String>> getAllowedFlsFields() {
            return this.allowedFlsFields;
        }

        public Map<String, Set<String>> getQueries() {
            return this.queries;
        }
    }

    public PrivilegesEvaluator(ClusterService clusterService, ThreadPool threadPool, ConfigurationRepository configurationRepository, ActionGroupHolder actionGroupHolder, IndexNameExpressionResolver indexNameExpressionResolver, AuditLog auditLog, Settings settings, PrivilegesInterceptor privilegesInterceptor, ClusterInfoHolder clusterInfoHolder) {
        this.configurationRepository = configurationRepository;
        this.clusterService = clusterService;
        this.ah = actionGroupHolder;
        this.resolver = indexNameExpressionResolver;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
        this.searchguardIndex = settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);
        this.privilegesInterceptor = privilegesInterceptor;
        this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, false).booleanValue();
        this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, true).booleanValue();
        try {
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(settings.get(ConfigConstants.SEARCHGUARD_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString()).toUpperCase());
        } catch (Exception e) {
            this.log.error("Cannot apply roles mapping resolution", e);
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.MAPPING_ONLY;
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add("indices:data/write*");
        arrayList.add("indices:admin/close");
        arrayList.add("indices:admin/delete");
        this.sgDeniedActionPatterns = (String[]) arrayList.toArray(new String[0]);
        this.clusterInfoHolder = clusterInfoHolder;
    }

    private Settings getRolesSettings() {
        return this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES);
    }

    private Settings getRolesMappingSettings() {
        return this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES_MAPPING);
    }

    private Settings getConfigSettings() {
        return this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_CONFIG);
    }

    public boolean isInitialized() {
        return (getRolesSettings() == null || getRolesMappingSettings() == null || getConfigSettings() == null) ? false : true;
    }

    public PrivEvalResponse evaluate(User user, String str, ActionRequest actionRequest, Task task) {
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Search Guard is not initialized.", new Object[0]);
        }
        PrivEvalResponse privEvalResponse = new PrivEvalResponse();
        privEvalResponse.missingPrivileges.add(str);
        try {
            if (actionRequest instanceof SearchRequest) {
                SearchRequest searchRequest = (SearchRequest) actionRequest;
                if (searchRequest.source() != null && searchRequest.source().query() == null && searchRequest.source().aggregations() != null && searchRequest.source().aggregations().getAggregatorFactories() != null && searchRequest.source().aggregations().getAggregatorFactories().size() == 1 && searchRequest.source().size() == 0) {
                    TermsAggregationBuilder termsAggregationBuilder = (AggregationBuilder) searchRequest.source().aggregations().getAggregatorFactories().get(0);
                    if ((termsAggregationBuilder instanceof TermsAggregationBuilder) && "terms".equals(termsAggregationBuilder.getType()) && "indices".equals(termsAggregationBuilder.getName()) && "_index".equals(termsAggregationBuilder.field()) && termsAggregationBuilder.getPipelineAggregations().isEmpty() && termsAggregationBuilder.getSubAggregations().isEmpty()) {
                        privEvalResponse.allowed = true;
                        return privEvalResponse;
                    }
                }
            }
        } catch (Exception e) {
            this.log.warn("Unable to evaluate terms aggregation", e);
        }
        Settings configSettings = getConfigSettings();
        Settings rolesSettings = getRolesSettings();
        boolean z = false;
        TransportAddress transportAddress = (TransportAddress) Objects.requireNonNull((TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS));
        if (this.log.isDebugEnabled()) {
            this.log.debug("### evaluate permissions for {} on {}", user, this.clusterService.localNode().getName());
            this.log.debug("requested {} from {}", str, transportAddress);
        }
        if (str.startsWith("cluster:admin/snapshot/restore")) {
            if (!this.enableSnapshotRestorePrivilege) {
                this.log.warn(str + " is not allowed for a regular user");
                return privEvalResponse;
            }
            if (this.clusterInfoHolder.isLocalNodeElectedMaster() != Boolean.FALSE) {
                return evaluateSnapshotRestore(user, str, actionRequest, transportAddress, task);
            }
            privEvalResponse.allowed = true;
            return privEvalResponse;
        }
        if (str.startsWith("internal:indices/admin/upgrade")) {
            str = "indices:admin/upgrade";
        }
        ClusterState state = this.clusterService.state();
        Tuple<Set<String>, Set<String>> resolve = resolve(user, str, actionRequest, state.metaData());
        SortedSet unmodifiableSortedSet = Collections.unmodifiableSortedSet(new TreeSet((Collection) resolve.v1()));
        HashSet hashSet = new HashSet(((Set) resolve.v1()).size() * ((Set) resolve.v2()).size());
        for (String str2 : (Set) resolve.v1()) {
            Iterator it = ((Set) resolve.v2()).iterator();
            while (it.hasNext()) {
                hashSet.add(new IndexType(str2, (String) it.next()));
            }
        }
        Set<IndexType> unmodifiableSet = Collections.unmodifiableSet(hashSet);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requested resolved indextypes: {}", unmodifiableSet);
        }
        if (unmodifiableSortedSet.contains(this.searchguardIndex) && WildcardMatcher.matchAny(this.sgDeniedActionPatterns, str)) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " for '{}' index is not allowed for a regular user", this.searchguardIndex);
            return privEvalResponse;
        }
        if (unmodifiableSortedSet.contains("_all") && WildcardMatcher.matchAny(this.sgDeniedActionPatterns, str)) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " for '_all' indices is not allowed for a regular user");
            return privEvalResponse;
        }
        if (unmodifiableSortedSet.contains(this.searchguardIndex) || unmodifiableSortedSet.contains("_all")) {
            if (actionRequest instanceof SearchRequest) {
                ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Disable search request cache for this request");
                }
            }
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(Boolean.FALSE.booleanValue());
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Disable realtime for this request");
                }
            }
        }
        Set<String> mapSgRoles = mapSgRoles(user, transportAddress);
        if (this.log.isDebugEnabled()) {
            this.log.debug("mapped roles for {}: {}", user.getName(), mapSgRoles);
        }
        if (this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class) {
            Boolean replaceKibanaIndex = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, str, user, configSettings, unmodifiableSortedSet, mapTenants(user, transportAddress));
            if (this.log.isDebugEnabled()) {
                this.log.debug("Result from privileges interceptor: {}", replaceKibanaIndex);
            }
            if (replaceKibanaIndex == Boolean.TRUE) {
                this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
                return privEvalResponse;
            }
            if (replaceKibanaIndex == Boolean.FALSE) {
                privEvalResponse.allowed = true;
                return privEvalResponse;
            }
        }
        boolean z2 = false;
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        HashSet hashSet2 = new HashSet();
        if (actionRequest instanceof BulkShardRequest) {
            for (BulkItemRequest bulkItemRequest : ((BulkShardRequest) actionRequest).items()) {
                switch (AnonymousClass1.$SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[bulkItemRequest.request().opType().ordinal()]) {
                    case 1:
                        hashSet2.add("indices:data/write/index");
                        break;
                    case 2:
                        hashSet2.add("indices:data/write/index");
                        break;
                    case 3:
                        hashSet2.add("indices:data/write/delete");
                        break;
                    case 4:
                        hashSet2.add("indices:data/write/update");
                        break;
                }
            }
        }
        if (actionRequest instanceof IndicesAliasesRequest) {
            Iterator it2 = ((IndicesAliasesRequest) actionRequest).getAliasActions().iterator();
            while (it2.hasNext()) {
                switch (AnonymousClass1.$SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type[((IndicesAliasesRequest.AliasActions) it2.next()).actionType().ordinal()]) {
                    case 1:
                        hashSet2.add("indices:admin/delete");
                        break;
                }
            }
        }
        if (actionRequest instanceof CreateIndexRequest) {
            CreateIndexRequest createIndexRequest = (CreateIndexRequest) actionRequest;
            if (createIndexRequest.aliases() != null && !createIndexRequest.aliases().isEmpty()) {
                hashSet2.add("indices:admin/aliases");
            }
        }
        privEvalResponse.missingPrivileges.addAll(hashSet2);
        if (this.actionTrace.isTraceEnabled() && !hashSet2.isEmpty()) {
            this.actionTrace.trace("Additional permissions required: " + hashSet2);
        }
        if (this.log.isDebugEnabled() && !hashSet2.isEmpty()) {
            this.log.debug("Additional permissions required: " + hashSet2);
        }
        Set<IndexType> hashSet3 = new HashSet<>(unmodifiableSet);
        for (String str3 : mapSgRoles) {
            Settings byPrefix = rolesSettings.getByPrefix(str3);
            if (!byPrefix.names().isEmpty()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("---------- evaluate sg_role: {}", str3);
                }
                if (str.startsWith("cluster:") || str.startsWith("indices:admin/template/") || str.startsWith("indices:data/read/scroll") || str.equals("indices:data/write/bulk") || str.equals("indices:data/read/mget") || str.equals("indices:data/read/msearch") || str.equals("indices:data/read/mtv") || str.equals("indices:data/read/coordinate-msearch") || str.equals("indices:data/write/reindex")) {
                    Set<String> resolveActions = resolveActions(byPrefix.getAsList(".cluster", Collections.emptyList()));
                    z = true;
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("  resolved cluster actions:{}", resolveActions);
                    }
                    if (WildcardMatcher.matchAny((String[]) resolveActions.toArray(new String[0]), str)) {
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("  found a match for '{}' and {}, skip other roles", str3, str);
                        }
                        privEvalResponse.allowed = true;
                        return privEvalResponse;
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("  not match found a match for '{}' and {}, check next role", str3, str);
                    }
                } else {
                    Map groups = byPrefix.getGroups(".indices");
                    HashMap hashMap4 = new HashMap(groups.size());
                    for (String str4 : groups.keySet()) {
                        hashMap4.put(replaceProperties(str4, user), groups.get(str4));
                    }
                    HashSet hashSet4 = new HashSet(unmodifiableSet);
                    for (String str5 : hashMap4.keySet()) {
                        String str6 = rolesSettings.get(str3 + ".indices." + str5 + "._dls_");
                        List asList = rolesSettings.getAsList(str3 + ".indices." + str5 + "._fls_");
                        String[] strArr = new String[0];
                        if ((str6 != null && str6.length() > 0) || (asList != null && asList.size() > 0)) {
                            strArr = this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, new String[]{str5});
                        }
                        if (str6 != null && str6.length() > 0) {
                            String replaceProperties = replaceProperties(str6, user);
                            if (hashMap.containsKey(str5)) {
                                ((Set) hashMap.get(str5)).add(replaceProperties);
                            } else {
                                hashMap.put(str5, new HashSet());
                                ((Set) hashMap.get(str5)).add(replaceProperties);
                            }
                            for (String str7 : strArr) {
                                if (hashMap.containsKey(str7)) {
                                    ((Set) hashMap.get(str7)).add(replaceProperties);
                                } else {
                                    hashMap.put(str7, new HashSet());
                                    ((Set) hashMap.get(str7)).add(replaceProperties);
                                }
                            }
                            if (this.log.isDebugEnabled()) {
                                this.log.debug("dls query {} for {}", replaceProperties, Arrays.toString(strArr));
                            }
                        }
                        if (asList != null && asList.size() > 0) {
                            if (hashMap2.containsKey(str5)) {
                                ((Set) hashMap2.get(str5)).addAll(Sets.newHashSet(asList));
                            } else {
                                hashMap2.put(str5, new HashSet());
                                ((Set) hashMap2.get(str5)).addAll(Sets.newHashSet(asList));
                            }
                            for (String str8 : strArr) {
                                if (hashMap2.containsKey(str8)) {
                                    ((Set) hashMap2.get(str8)).addAll(Sets.newHashSet(asList));
                                } else {
                                    hashMap2.put(str8, new HashSet());
                                    ((Set) hashMap2.get(str8)).addAll(Sets.newHashSet(asList));
                                }
                            }
                            if (this.log.isDebugEnabled()) {
                                this.log.debug("fls fields {} for {}", Sets.newHashSet(asList), Arrays.toString(strArr));
                            }
                        }
                        String[] strArr2 = !hashSet2.isEmpty() ? (String[]) hashSet2.toArray(new String[0]) : new String[]{str};
                        if (WildcardMatcher.containsWildcard(str5)) {
                            if (this.log.isDebugEnabled()) {
                                this.log.debug("  Try wildcard match for {}", str5);
                            }
                            handleIndicesWithWildcard(strArr2, str5, hashMap4, unmodifiableSet, hashSet4, hashSet3, unmodifiableSortedSet);
                        } else {
                            if (this.log.isDebugEnabled()) {
                                this.log.debug("  Resolve and match {}", str5);
                            }
                            handleIndicesWithoutWildcard(strArr2, str5, hashMap4, unmodifiableSet, hashSet4, hashSet3);
                        }
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("For index {} remaining requested local indextype: {}", str5, hashSet4);
                            this.log.debug("For index {} remaining requested global indextype: {}", str5, hashSet3);
                        }
                        if (hashSet4.isEmpty()) {
                            Iterator it3 = unmodifiableSortedSet.iterator();
                            while (true) {
                                if (it3.hasNext()) {
                                    String str9 = (String) it3.next();
                                    List<AliasMetaData> arrayList = new ArrayList<>();
                                    IndexMetaData indexMetaData = (IndexMetaData) state.metaData().getIndices().get(str9);
                                    if (indexMetaData == null) {
                                        this.log.debug("{} does not exist in cluster metadata", str9);
                                    } else {
                                        ImmutableOpenMap aliases = indexMetaData.getAliases();
                                        if (aliases != null && aliases.size() > 0) {
                                            if (this.log.isDebugEnabled()) {
                                                this.log.debug("Aliases for {}: {}", str9, aliases);
                                            }
                                            Iterator keysIt = aliases.keysIt();
                                            while (keysIt.hasNext()) {
                                                String str10 = (String) keysIt.next();
                                                AliasMetaData aliasMetaData = (AliasMetaData) aliases.get(str10);
                                                if (aliasMetaData != null && aliasMetaData.filteringRequired()) {
                                                    arrayList.add(aliasMetaData);
                                                    if (this.log.isDebugEnabled()) {
                                                        this.log.debug(str10 + " is a filtered alias " + aliasMetaData.getFilter());
                                                    }
                                                } else if (this.log.isDebugEnabled()) {
                                                    this.log.debug(str10 + " is not an alias or does not have a filter");
                                                }
                                            }
                                        }
                                        if (arrayList.size() > 1 && WildcardMatcher.match("indices:data/read/*search*", str)) {
                                            String str11 = configSettings.get("searchguard.dynamic.filtered_alias_mode", "warn");
                                            if (str11.equals("warn")) {
                                                this.log.warn("More than one ({}) filtered alias found for same index ({}). This is currently not recommended. Aliases: {}", Integer.valueOf(arrayList.size()), str9, toString(arrayList));
                                            } else if (str11.equals("disallow")) {
                                                this.log.error("More than one ({}) filtered alias found for same index ({}). This is currently not supported. Aliases: {}", Integer.valueOf(arrayList.size()), str9, toString(arrayList));
                                            } else if (this.log.isDebugEnabled()) {
                                                this.log.debug("More than one ({}) filtered alias found for same index ({}). Aliases: {}", Integer.valueOf(arrayList.size()), str9, toString(arrayList));
                                            }
                                        }
                                    }
                                } else {
                                    if (this.log.isDebugEnabled()) {
                                        this.log.debug("found a match for '{}.{}', evaluate other roles", str3, str5);
                                    }
                                    z2 = true;
                                }
                            }
                        }
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Added to leftovers {}=>{}", str3, hashSet4);
                    }
                    hashMap3.put(str3, hashSet4);
                }
            } else if (this.log.isDebugEnabled()) {
                this.log.debug("sg_role {} is empty", str3);
            }
        }
        if (!z2 && configSettings.getAsBoolean("searchguard.dynamic.multi_rolespan_enabled", false).booleanValue()) {
            z2 = hashSet3.isEmpty();
        }
        if (!z2 && this.log.isInfoEnabled()) {
            this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", z ? "cluster" : "index", user, unmodifiableSet, !hashSet2.isEmpty() ? (String[]) hashSet2.toArray(new String[0]) : new String[]{str}, mapSgRoles);
            this.log.info("No permissions for {}", hashMap3);
        }
        if (!hashMap.isEmpty()) {
            if (this.threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_DLS_QUERY_HEADER, Base64Helper.serializeObject(hashMap));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach DLS info: {}", hashMap);
                }
            } else if (!hashMap.equals((Map) Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_DLS_QUERY_HEADER)))) {
                throw new ElasticsearchSecurityException("_sg_dls_query does not match (SG 900D)", new Object[0]);
            }
            privEvalResponse.queries = new HashMap(hashMap);
            if (!unmodifiableSortedSet.isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it4 = privEvalResponse.queries.entrySet().iterator();
                while (it4.hasNext()) {
                    if (!WildcardMatcher.matchAny(it4.next().getKey(), (Collection<String>) unmodifiableSortedSet, false)) {
                        it4.remove();
                    }
                }
            }
        }
        if (!hashMap2.isEmpty()) {
            if (this.threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER) == null) {
                this.threadContext.putHeader(ConfigConstants.SG_FLS_FIELDS_HEADER, Base64Helper.serializeObject(hashMap2));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("attach FLS info: {}", hashMap2);
                }
            } else {
                if (!hashMap2.equals((Map) Base64Helper.deserializeObject(this.threadContext.getHeader(ConfigConstants.SG_FLS_FIELDS_HEADER)))) {
                    throw new ElasticsearchSecurityException("_sg_fls_fields does not match (SG 901D)", new Object[0]);
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("_sg_fls_fields already set");
                }
            }
            privEvalResponse.allowedFlsFields = new HashMap(hashMap2);
            if (!unmodifiableSortedSet.isEmpty()) {
                Iterator<Map.Entry<String, Set<String>>> it5 = privEvalResponse.allowedFlsFields.entrySet().iterator();
                while (it5.hasNext()) {
                    if (!WildcardMatcher.matchAny(it5.next().getKey(), (Collection<String>) unmodifiableSortedSet, false)) {
                        it5.remove();
                    }
                }
            }
        }
        if (z2 || this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class || hashMap3.size() <= 0) {
            privEvalResponse.allowed = z2;
            return privEvalResponse;
        }
        privEvalResponse.allowed = this.privilegesInterceptor.replaceAllowedIndices(actionRequest, str, user, configSettings, hashMap3);
        return privEvalResponse;
    }

    private PrivEvalResponse evaluateSnapshotRestore(User user, String str, ActionRequest actionRequest, TransportAddress transportAddress, Task task) {
        PrivEvalResponse privEvalResponse = new PrivEvalResponse();
        privEvalResponse.missingPrivileges.add(str);
        if (!(actionRequest instanceof RestoreSnapshotRequest)) {
            return privEvalResponse;
        }
        RestoreSnapshotRequest restoreSnapshotRequest = (RestoreSnapshotRequest) actionRequest;
        if (restoreSnapshotRequest.includeGlobalState()) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " with 'include_global_state' enabled is not allowed");
            return privEvalResponse;
        }
        Repository repository = ((RepositoriesService) Objects.requireNonNull(SearchGuardPlugin.GuiceHolder.getRepositoriesService(), "RepositoriesService not initialized")).repository(restoreSnapshotRequest.repository());
        SnapshotInfo snapshotInfo = null;
        Iterator it = repository.getRepositoryData().getSnapshotIds().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            SnapshotId snapshotId = (SnapshotId) it.next();
            if (snapshotId.getName().equals(restoreSnapshotRequest.snapshot())) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("snapshot found: {} (UUID: {})", snapshotId.getName(), snapshotId.getUUID());
                }
                snapshotInfo = repository.getSnapshotInfo(snapshotId);
            }
        }
        if (snapshotInfo == null) {
            this.log.warn(str + " for repository '" + restoreSnapshotRequest.repository() + "', snapshot '" + restoreSnapshotRequest.snapshot() + "' not found");
            return privEvalResponse;
        }
        List<String> filterIndices = SnapshotUtils.filterIndices(snapshotInfo.indices(), restoreSnapshotRequest.indices(), restoreSnapshotRequest.indicesOptions());
        if (this.log.isDebugEnabled()) {
            this.log.debug("resolved indices for restore to: {}", filterIndices.toString());
        }
        if (filterIndices.contains(this.searchguardIndex) || filterIndices.contains("_all")) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " for '{}' as source index is not allowed", this.searchguardIndex);
            return privEvalResponse;
        }
        List<String> renamedIndices = renamedIndices(restoreSnapshotRequest, filterIndices);
        if (renamedIndices.contains(this.searchguardIndex) || filterIndices.contains("_all")) {
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " for '{}' as target index is not allowed", this.searchguardIndex);
            return privEvalResponse;
        }
        Set<String> mapSgRoles = mapSgRoles(user, transportAddress);
        if (this.log.isDebugEnabled()) {
            this.log.debug("mapped roles: {}", mapSgRoles);
        }
        boolean z = false;
        Set<String> hashSet = new HashSet<>(renamedIndices);
        Set<IndexType> hashSet2 = new HashSet<>(renamedIndices.size());
        for (String str2 : renamedIndices) {
            Iterator<String> it2 = ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES.iterator();
            while (it2.hasNext()) {
                hashSet2.add(new IndexTypeAction(str2, "*", it2.next()));
            }
        }
        Settings rolesSettings = getRolesSettings();
        for (String str3 : mapSgRoles) {
            Settings byPrefix = rolesSettings.getByPrefix(str3);
            if (!byPrefix.names().isEmpty()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("---------- evaluate sg_role: {}", str3);
                }
                Set<String> resolveActions = resolveActions(byPrefix.getAsList(".cluster", Collections.emptyList()));
                if (this.log.isDebugEnabled()) {
                    this.log.debug("  resolved cluster actions:{}", resolveActions);
                }
                if (WildcardMatcher.matchAny((String[]) resolveActions.toArray(new String[0]), str)) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("  found a match for '{}' and {}, skip other roles", str3, str);
                    }
                    z = true;
                } else if (this.log.isDebugEnabled()) {
                    this.log.debug("  not match found a match for '{}' and {}, check next role", str3, str);
                }
                if (this.checkSnapshotRestoreWritePrivileges) {
                    Map groups = byPrefix.getGroups(".indices", true);
                    HashMap hashMap = new HashMap(groups.size());
                    for (String str4 : groups.keySet()) {
                        hashMap.put(replaceProperties(str4, user), groups.get(str4));
                    }
                    for (String str5 : hashMap.keySet()) {
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("  Try wildcard match for {}", str5);
                        }
                        handleSnapshotRestoreWritePrivileges(ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES, str5, hashMap, hashSet, hashSet2);
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("For index {} remaining requested indextypeaction: {}", str5, hashSet2);
                        }
                    }
                }
            } else if (this.log.isDebugEnabled()) {
                this.log.debug("sg_role {} is empty", str3);
            }
        }
        if (this.checkSnapshotRestoreWritePrivileges && !hashSet2.isEmpty()) {
            z = false;
        }
        if (!z) {
            this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
            this.log.info("No perm match for {} [Action [{}]] [RolesChecked {}]", user, str, mapSgRoles);
        }
        privEvalResponse.allowed = z;
        return privEvalResponse;
    }

    private List<String> renamedIndices(RestoreSnapshotRequest restoreSnapshotRequest, List<String> list) {
        ArrayList arrayList = new ArrayList();
        for (String str : list) {
            String str2 = str;
            if (restoreSnapshotRequest.renameReplacement() != null && restoreSnapshotRequest.renamePattern() != null) {
                str2 = str.replaceAll(restoreSnapshotRequest.renamePattern(), restoreSnapshotRequest.renameReplacement());
            }
            arrayList.add(str2);
        }
        return arrayList;
    }

    public Set<String> mapSgRoles(User user, TransportAddress transportAddress) {
        Settings rolesMappingSettings = getRolesMappingSettings();
        TreeSet treeSet = new TreeSet();
        if (user == null) {
            return Collections.emptySet();
        }
        if (this.rolesMappingResolution == ConfigConstants.RolesMappingResolution.BOTH || this.rolesMappingResolution == ConfigConstants.RolesMappingResolution.BACKENDROLES_ONLY) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Pass backendroles from {}", user);
            }
            treeSet.addAll(user.getRoles());
        }
        if (rolesMappingSettings != null && (this.rolesMappingResolution == ConfigConstants.RolesMappingResolution.BOTH || this.rolesMappingResolution == ConfigConstants.RolesMappingResolution.MAPPING_ONLY)) {
            for (String str : rolesMappingSettings.names()) {
                Settings byPrefix = rolesMappingSettings.getByPrefix(str);
                if (WildcardMatcher.allPatternsMatched((String[]) byPrefix.getAsList(".and_backendroles", Collections.emptyList()).toArray(new String[0]), (String[]) user.getRoles().toArray(new String[0]))) {
                    treeSet.add(str);
                } else if (WildcardMatcher.matchAny((String[]) byPrefix.getAsList(".backendroles", Collections.emptyList()).toArray(new String[0]), (String[]) user.getRoles().toArray(new String[0]))) {
                    treeSet.add(str);
                } else if (WildcardMatcher.matchAny(byPrefix.getAsList(".users"), user.getName())) {
                    treeSet.add(str);
                } else {
                    if (transportAddress != null && this.log.isTraceEnabled()) {
                        this.log.trace("caller (getAddress()) is {}", transportAddress.getAddress());
                        this.log.trace("caller unresolved? {}", Boolean.valueOf(transportAddress.address().isUnresolved()));
                        this.log.trace("caller inner? {}", transportAddress.address().getAddress() == null ? "<unresolved>" : transportAddress.address().getAddress().toString());
                        this.log.trace("caller (getHostString()) is {}", transportAddress.address().getHostString());
                        this.log.trace("caller (getHostName(), dns) is {}", transportAddress.address().getHostName());
                    }
                    if (transportAddress != null) {
                        if (WildcardMatcher.matchAny(byPrefix.getAsList(".hosts"), transportAddress.getAddress())) {
                            treeSet.add(str);
                        } else {
                            String str2 = getConfigSettings().get("searchguard.dynamic.hosts_resolver_mode", "ip-only");
                            if (transportAddress.address() != null && (str2.equalsIgnoreCase("ip-hostname") || str2.equalsIgnoreCase("ip-hostname-lookup"))) {
                                if (WildcardMatcher.matchAny(byPrefix.getAsList(".hosts"), transportAddress.address().getHostString())) {
                                    treeSet.add(str);
                                }
                            }
                            if (transportAddress.address() != null && str2.equalsIgnoreCase("ip-hostname-lookup")) {
                                if (WildcardMatcher.matchAny(byPrefix.getAsList(".hosts"), transportAddress.address().getHostName())) {
                                    treeSet.add(str);
                                }
                            }
                        }
                    }
                }
            }
        }
        return Collections.unmodifiableSet(treeSet);
    }

    public Map<String, Boolean> mapTenants(User user, TransportAddress transportAddress) {
        if (user == null) {
            return Collections.emptyMap();
        }
        HashMap hashMap = new HashMap();
        hashMap.put(user.getName(), true);
        Iterator<String> it = mapSgRoles(user, transportAddress).iterator();
        while (it.hasNext()) {
            Settings byPrefix = getRolesSettings().getByPrefix(it.next() + ".tenants.");
            if (byPrefix != null) {
                for (String str : byPrefix.names()) {
                    if (!str.equals(user.getName())) {
                        if ("RW".equalsIgnoreCase(byPrefix.get(str, "RO"))) {
                            hashMap.put(str, true);
                        } else if (!hashMap.containsKey(str)) {
                            hashMap.put(str, false);
                        }
                    }
                }
            }
        }
        return Collections.unmodifiableMap(hashMap);
    }

    private void handleIndicesWithWildcard(String[] strArr, String str, Map<String, Settings> map, Set<IndexType> set, Set<IndexType> set2, Set<IndexType> set3, Set<String> set4) {
        String[] strArr2;
        ArrayList arrayList = new ArrayList();
        arrayList.add(str);
        if (WildcardMatcher.containsWildcard(str) && (strArr2 = (String[]) this.clusterService.state().getMetaData().getAliasAndIndexLookup().entrySet().stream().filter(entry -> {
            return ((AliasOrIndex) entry.getValue()).isAlias();
        }).filter(entry2 -> {
            return WildcardMatcher.match(str, (String) entry2.getKey());
        }).map(entry3 -> {
            return (String) entry3.getKey();
        }).toArray(i -> {
            return new String[i];
        })) != null && strArr2.length > 0) {
            arrayList.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, strArr2)));
        }
        List<String> matchAny = WildcardMatcher.getMatchAny((String[]) arrayList.toArray(new String[0]), set4);
        if (matchAny.isEmpty()) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("  No wildcard match found for {}", str);
                return;
            }
            return;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("  Wildcard match for {}: {}", str, matchAny);
        }
        HashSet<String> hashSet = new HashSet(map.get(str).names());
        hashSet.removeAll(this.DLSFLS);
        if (this.log.isDebugEnabled()) {
            this.log.debug("  matches for {}, will check now types {}", str, hashSet);
        }
        for (String str2 : hashSet) {
            Set<String> resolveActions = resolveActions(map.get(str).getAsList(str2));
            if (WildcardMatcher.matchAll((String[]) resolveActions.toArray(new String[0]), strArr)) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("    match requested action {} against {}/{}: {}", strArr, str, str2, resolveActions);
                }
                for (String str3 : matchAny) {
                    IndexType indexType = new IndexType(str3, str2);
                    boolean wildcardRemoveFromSet = wildcardRemoveFromSet(set2, indexType);
                    wildcardRemoveFromSet(set3, indexType);
                    if (wildcardRemoveFromSet) {
                        this.log.debug("    removed {}", str3 + str2);
                    } else {
                        this.log.debug("    no match {} in {}", str3 + str2, set2);
                    }
                }
            }
        }
    }

    private void handleIndicesWithoutWildcard(String[] strArr, String str, Map<String, Settings> map, Set<IndexType> set, Set<IndexType> set2, Set<IndexType> set3) {
        HashSet<String> hashSet = new HashSet();
        if (this.resolver.hasIndexOrAlias(str, this.clusterService.state())) {
            hashSet.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, new String[]{str})));
        } else {
            if (this.log.isDebugEnabled()) {
                this.log.debug("no permittedAliasesIndex '{}' found for  '{}'", str, strArr);
                Iterator<String> it = map.keySet().iterator();
                while (it.hasNext()) {
                    Settings settings = map.get(it.next());
                    this.log.debug("permittedAliasesIndices '{}' -> '{}'", map, settings == null ? "null" : String.valueOf(settings));
                }
                this.log.debug("requestedResolvedIndexTypes '{}'", set);
            }
            hashSet.add(str);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("  resolved permitted aliases indices for {}: {}", str, hashSet);
        }
        HashSet<String> hashSet2 = new HashSet(map.get(str).names());
        hashSet2.removeAll(this.DLSFLS);
        if (this.log.isDebugEnabled()) {
            this.log.debug("  matches for {}, will check now types {}", str, hashSet2);
        }
        for (String str2 : hashSet2) {
            Set<String> resolveActions = resolveActions(map.get(str).getAsList(str2));
            if (WildcardMatcher.matchAll((String[]) resolveActions.toArray(new String[0]), strArr)) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("    match requested action {} against {}/{}: {}", strArr, str, str2, resolveActions);
                }
                for (String str3 : hashSet) {
                    IndexType indexType = new IndexType(str3, str2);
                    boolean wildcardRemoveFromSet = wildcardRemoveFromSet(set2, indexType);
                    wildcardRemoveFromSet(set3, indexType);
                    if (wildcardRemoveFromSet) {
                        this.log.debug("    removed {}", str3 + str2);
                    } else {
                        this.log.debug("    no match {} in {}", str3 + str2, set2);
                    }
                }
            }
        }
    }

    private void handleSnapshotRestoreWritePrivileges(Set<String> set, String str, Map<String, Settings> map, Set<String> set2, Set<IndexType> set3) {
        List<String> matchAny = WildcardMatcher.getMatchAny(str, (String[]) set2.toArray(new String[0]));
        if (matchAny.isEmpty()) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("  No wildcard match found for {}", str);
                return;
            }
            return;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("  Wildcard match for {}: {}", str, matchAny);
        }
        Set<String> resolveActions = resolveActions(map.get(str).getAsList("*"));
        if (this.log.isDebugEnabled()) {
            this.log.debug("  matches for {}, will check now wildcard type '*'", str);
        }
        for (String str2 : resolveActions) {
            if (!WildcardMatcher.getMatchAny(str2, (String[]) set.toArray(new String[0])).isEmpty()) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("    match requested actions {} against {}/*: {}", set, str, resolveActions);
                }
                for (String str3 : matchAny) {
                    if (wildcardRemoveFromSet(set3, new IndexTypeAction(str3, "*", str2))) {
                        this.log.debug("    removed {}", str3 + '*');
                    } else {
                        this.log.debug("    no match {} in {}", str3 + '*', set3);
                    }
                }
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v14, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r0v17, types: [java.util.Set] */
    private Tuple<Set<String>, Set<String>> resolve(User user, String str, TransportRequest transportRequest, MetaData metaData) {
        if (transportRequest instanceof PutMappingRequest) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("PutMappingRequest will be handled in a special way cause they does not return indices via .indices()Instead .getConcreteIndex() must be used");
            }
            PutMappingRequest putMappingRequest = (PutMappingRequest) transportRequest;
            Index concreteIndex = putMappingRequest.getConcreteIndex();
            if (concreteIndex != null && (putMappingRequest.indices() == null || putMappingRequest.indices().length == 0)) {
                return new Tuple<>(Sets.newHashSet(new String[]{concreteIndex.getName()}), Sets.newHashSet(new String[]{putMappingRequest.type()}));
            }
        }
        if (!(transportRequest instanceof CompositeIndicesRequest) && !(transportRequest instanceof IndicesRequest) && !(transportRequest instanceof IndicesAliasesRequest)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("{} is not an IndicesRequest", transportRequest.getClass());
            }
            return new Tuple<>(Sets.newHashSet(new String[]{"_all"}), Sets.newHashSet(new String[]{"_all"}));
        }
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        if (transportRequest instanceof IndicesAliasesRequest) {
            Iterator it = ((IndicesAliasesRequest) transportRequest).getAliasActions().iterator();
            while (it.hasNext()) {
                Tuple<Set<String>, Set<String>> resolveIndicesRequest = resolveIndicesRequest(user, str, (IndicesAliasesRequest.AliasActions) it.next(), metaData);
                hashSet.addAll((Collection) resolveIndicesRequest.v1());
                hashSet2.addAll((Collection) resolveIndicesRequest.v2());
            }
        } else if (!(transportRequest instanceof CompositeIndicesRequest)) {
            Tuple<Set<String>, Set<String>> resolveIndicesRequest2 = resolveIndicesRequest(user, str, (IndicesRequest) transportRequest, metaData);
            hashSet = (Set) resolveIndicesRequest2.v1();
            hashSet2 = (Set) resolveIndicesRequest2.v2();
        } else if (transportRequest instanceof IndicesRequest) {
            Tuple<Set<String>, Set<String>> resolveIndicesRequest3 = resolveIndicesRequest(user, str, (IndicesRequest) transportRequest, metaData);
            hashSet.addAll((Collection) resolveIndicesRequest3.v1());
            hashSet2.addAll((Collection) resolveIndicesRequest3.v2());
        } else if (transportRequest instanceof BulkRequest) {
            Iterator it2 = ((BulkRequest) transportRequest).requests().iterator();
            while (it2.hasNext()) {
                Tuple<Set<String>, Set<String>> resolveIndicesRequest4 = resolveIndicesRequest(user, str, (DocWriteRequest) it2.next(), metaData);
                hashSet.addAll((Collection) resolveIndicesRequest4.v1());
                hashSet2.addAll((Collection) resolveIndicesRequest4.v2());
            }
        } else if (transportRequest instanceof MultiGetRequest) {
            Iterator it3 = ((MultiGetRequest) transportRequest).getItems().iterator();
            while (it3.hasNext()) {
                Tuple<Set<String>, Set<String>> resolveIndicesRequest5 = resolveIndicesRequest(user, str, (MultiGetRequest.Item) it3.next(), metaData);
                hashSet.addAll((Collection) resolveIndicesRequest5.v1());
                hashSet2.addAll((Collection) resolveIndicesRequest5.v2());
            }
        } else if (transportRequest instanceof MultiSearchRequest) {
            Iterator it4 = ((MultiSearchRequest) transportRequest).requests().iterator();
            while (it4.hasNext()) {
                Tuple<Set<String>, Set<String>> resolve = resolve(user, str, (ActionRequest) it4.next(), metaData);
                hashSet.addAll((Collection) resolve.v1());
                hashSet2.addAll((Collection) resolve.v2());
            }
        } else if (transportRequest instanceof MultiTermVectorsRequest) {
            Iterable iterable = () -> {
                return ((MultiTermVectorsRequest) transportRequest).iterator();
            };
            Iterator it5 = iterable.iterator();
            while (it5.hasNext()) {
                Tuple<Set<String>, Set<String>> resolve2 = resolve(user, str, (ActionRequest) it5.next(), metaData);
                hashSet.addAll((Collection) resolve2.v1());
                hashSet2.addAll((Collection) resolve2.v2());
            }
        } else if (transportRequest instanceof ReindexRequest) {
            ReindexRequest reindexRequest = (ReindexRequest) transportRequest;
            Tuple<Set<String>, Set<String>> resolveIndicesRequest6 = resolveIndicesRequest(user, str, reindexRequest.getDestination(), metaData);
            hashSet.addAll((Collection) resolveIndicesRequest6.v1());
            hashSet2.addAll((Collection) resolveIndicesRequest6.v2());
            Tuple<Set<String>, Set<String>> resolveIndicesRequest7 = resolveIndicesRequest(user, str, reindexRequest.getSearchRequest(), metaData);
            hashSet.addAll((Collection) resolveIndicesRequest7.v1());
            hashSet2.addAll((Collection) resolveIndicesRequest7.v2());
        } else {
            this.log.error("Can not handle composite request of type '" + transportRequest.getClass().getName() + "'for " + str + " here");
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("pre final indices: {}", hashSet);
            this.log.debug("pre final types: {}", hashSet2);
        }
        if (hashSet == NO_INDICES_SET) {
            return new Tuple<>(Collections.emptySet(), Collections.unmodifiableSet(hashSet2));
        }
        if (IndexNameExpressionResolver.isAllIndices(new ArrayList(hashSet))) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("The following list are '_all' indices: {}", hashSet);
            }
            if (!hashSet.isEmpty()) {
                hashSet.clear();
                hashSet.add("_all");
            }
        }
        if (hashSet2.isEmpty()) {
            hashSet2.add("_all");
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("final indices: {}", hashSet);
            this.log.debug("final types: {}", hashSet2);
        }
        return new Tuple<>(Collections.unmodifiableSet(hashSet), Collections.unmodifiableSet(hashSet2));
    }

    private Tuple<Set<String>, Set<String>> resolveIndicesRequest(User user, String str, IndicesRequest indicesRequest, MetaData metaData) {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Resolve {} from {} for action {}", indicesRequest.indices(), indicesRequest.getClass(), str);
        }
        Class<?> cls = indicesRequest.getClass();
        HashSet hashSet = new HashSet();
        Method method = null;
        if (this.typeCache.containsKey(cls)) {
            method = this.typeCache.get(cls);
        } else {
            try {
                method = cls.getMethod("type", new Class[0]);
                this.typeCache.put(cls, method);
            } catch (NoSuchMethodException e) {
                this.typeCache.put(cls, null);
            } catch (SecurityException e2) {
                this.log.error("Cannot evaluate type() for {} due to {}", cls, e2, e2);
            }
        }
        Method method2 = null;
        if (this.typesCache.containsKey(cls)) {
            method2 = this.typesCache.get(cls);
        } else {
            try {
                method2 = cls.getMethod("types", new Class[0]);
                this.typesCache.put(cls, method2);
            } catch (NoSuchMethodException e3) {
                this.typesCache.put(cls, null);
            } catch (SecurityException e4) {
                this.log.error("Cannot evaluate types() for {} due to {}", cls, e4, e4);
            }
        }
        if (method != null) {
            try {
                String str2 = (String) method.invoke(indicesRequest, new Object[0]);
                if (str2 != null) {
                    hashSet.add(str2);
                }
            } catch (Exception e5) {
                this.log.error("Unable to invoke type() for {} due to", cls, e5);
            }
        }
        if (method2 != null) {
            try {
                String[] strArr = (String[]) method2.invoke(indicesRequest, new Object[0]);
                if (strArr != null) {
                    hashSet.addAll(Arrays.asList(strArr));
                }
            } catch (Exception e6) {
                this.log.error("Unable to invoke types() for {} due to", cls, e6);
            }
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("indicesOptions {}", indicesRequest.indicesOptions());
            this.log.debug("{} raw indices {}", Integer.valueOf(indicesRequest.indices() == null ? 0 : indicesRequest.indices().length), Arrays.toString(indicesRequest.indices()));
            this.log.debug("{} requestTypes {}", Integer.valueOf(hashSet.size()), hashSet);
        }
        HashSet hashSet2 = new HashSet();
        if (indicesRequest.indices() == null || indicesRequest.indices().length == 0 || new HashSet(Arrays.asList(indicesRequest.indices())).equals(NULL_SET)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("No indices found in request, assume _all");
            }
            hashSet2.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), DEFAULT_INDICES_OPTIONS, new String[]{"*"})));
        } else {
            String[] indices = indicesRequest.indices();
            if ((indicesRequest instanceof FieldCapabilitiesRequest) || (indicesRequest instanceof SearchRequest)) {
                IndicesRequest.Replaceable replaceable = (IndicesRequest.Replaceable) indicesRequest;
                Map groupIndices = SearchGuardPlugin.GuiceHolder.getRemoteClusterService().groupIndices(replaceable.indicesOptions(), replaceable.indices(), str3 -> {
                    return this.resolver.hasIndexOrAlias(str3, this.clusterService.state());
                });
                if (groupIndices.size() > 1) {
                    indices = ((OriginalIndices) groupIndices.get("")).indices();
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("remoteClusterIndices keys" + groupIndices.keySet() + "//remoteClusterIndices " + groupIndices);
                    }
                    if (indices.length == 0) {
                        return new Tuple<>(NO_INDICES_SET, hashSet);
                    }
                }
            }
            try {
                String[] matches = WildcardMatcher.matches("<*>", indices, false);
                if (matches.length > 0) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Date math indices detected {} (all: {})", matches, indices);
                    }
                    for (String str4 : matches) {
                        hashSet2.addAll(Arrays.asList(this.resolver.resolveDateMathExpression(str4)));
                    }
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Resolved date math indices {} to {}", matches, hashSet2);
                    }
                    if (indices.length > matches.length) {
                        for (String str5 : indices) {
                            if (!WildcardMatcher.match("<*>", str5)) {
                                hashSet2.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), indicesRequest.indicesOptions(), matches)));
                            }
                        }
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("Resolved additional non date math indices {} to {}", indices, hashSet2);
                        }
                    }
                } else {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("No date math indices found");
                    }
                    hashSet2.addAll(Arrays.asList(this.resolver.concreteIndexNames(this.clusterService.state(), indicesRequest.indicesOptions(), indices)));
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Resolved {} to {}", indices, hashSet2);
                    }
                }
            } catch (Exception e7) {
                this.log.debug("Cannot resolve {} (due to {}) so we use the raw values", Arrays.toString(indices), e7);
                hashSet2.addAll(Arrays.asList(indices));
            }
        }
        return new Tuple<>(hashSet2, hashSet);
    }

    private Set<String> resolveActions(List<String> list) {
        HashSet hashSet = new HashSet();
        for (String str : list) {
            Set<String> groupMembers = this.ah.getGroupMembers(str);
            if (groupMembers.isEmpty()) {
                hashSet.add(str);
            } else {
                hashSet.addAll(groupMembers);
            }
        }
        return hashSet;
    }

    private boolean wildcardRemoveFromSet(Set<IndexType> set, IndexType indexType) {
        if (set.contains(indexType)) {
            return set.remove(indexType);
        }
        boolean z = false;
        for (IndexType indexType2 : new HashSet(set)) {
            if (WildcardMatcher.match(indexType.getCombinedString(), indexType2.getCombinedString())) {
                z = set.remove(indexType2) || z;
            }
        }
        return z;
    }

    private List<String> toString(List<AliasMetaData> list) {
        if (list == null || list.size() == 0) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList(list.size());
        for (AliasMetaData aliasMetaData : list) {
            if (aliasMetaData != null) {
                arrayList.add(aliasMetaData.alias());
            }
        }
        return Collections.unmodifiableList(arrayList);
    }

    public boolean multitenancyEnabled() {
        return this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class && getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.multitenancy_enabled", true).booleanValue();
    }

    public boolean notFailOnForbiddenEnabled() {
        return this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class && getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.do_not_fail_on_forbidden", false).booleanValue();
    }

    public String kibanaIndex() {
        return getConfigSettings().get("searchguard.dynamic.kibana.index", ".kibana");
    }

    public String kibanaServerUsername() {
        return getConfigSettings().get("searchguard.dynamic.kibana.server_username", "kibanaserver");
    }

    public boolean kibanaIndexReadonly(User user, TransportAddress transportAddress) {
        List<String> asList;
        Set<String> mapSgRoles = mapSgRoles(user, transportAddress);
        String kibanaIndex = kibanaIndex();
        Iterator<String> it = mapSgRoles.iterator();
        while (it.hasNext()) {
            Settings byPrefix = getRolesSettings().getByPrefix(it.next());
            if (!byPrefix.names().isEmpty()) {
                Map groups = byPrefix.getGroups(".indices", true);
                HashMap hashMap = new HashMap(groups.size());
                for (String str : groups.keySet()) {
                    hashMap.put(replaceProperties(str, user), groups.get(str));
                }
                for (String str2 : hashMap.keySet()) {
                    if (WildcardMatcher.match(str2, kibanaIndex) && (asList = ((Settings) hashMap.get(str2)).getAsList("*")) != null && asList.size() > 0 && WildcardMatcher.matchAny((String[]) resolveActions(asList).toArray(new String[0]), "indices:data/write/update")) {
                        return false;
                    }
                }
            }
        }
        return true;
    }

    private static String replaceProperties(String str, User user) {
        String replace = str.replace("${user.name}", user.getName()).replace("${user_name}", user.getName());
        for (Map.Entry<String, String> entry : user.getCustomAttributesMap().entrySet()) {
            if (entry != null && entry.getKey() != null && entry.getValue() != null) {
                replace = replace.replace("${" + entry.getKey() + "}", entry.getValue()).replace("${" + entry.getKey().replace('.', '_') + "}", entry.getValue());
            }
        }
        return replace;
    }
}
