package com.floragunn.searchguard.privileges;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import java.util.ArrayList;
import java.util.HashSet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.tasks.Task;

/* loaded from: input_file:com/floragunn/searchguard/privileges/SearchGuardIndexAccessEvaluator.class */
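/**
 * Guards the Search Guard configuration index against modifying actions issued by regular users.
 *
 * <p>For every request, {@link #evaluate} checks whether the resolved indices include the
 * configuration index (or the request addresses all local indices) and whether the action name
 * matches one of the denied action patterns. Depending on the filter setting the request is
 * either rejected and audit-logged, or rewritten so that the configuration index is no longer
 * part of it.
 */
public class SearchGuardIndexAccessEvaluator {
    protected final Logger log = LogManager.getLogger(getClass());
    // Name of the protected configuration index, read from settings with a built-in default.
    private final String searchguardIndex;
    private final AuditLog auditLog;
    // Action-name patterns that are refused (or filtered) when they touch the protected index.
    private final String[] sgDeniedActionPatterns;
    private final IndexResolverReplacer irr;
    // true: strip the protected index from the request; false: reject the request outright.
    private final boolean filterSgIndex;

    /**
     * Builds the evaluator and the list of denied action patterns.
     *
     * @param settings node settings; supplies the configuration index name, the filter flag and
     *     the restore-enabled flag
     * @param auditLog receives an event for each rejected attempt on the configuration index
     * @param indexResolverReplacer used to rewrite the index list of a request in filter mode
     */
    public SearchGuardIndexAccessEvaluator(Settings settings, AuditLog auditLog, IndexResolverReplacer indexResolverReplacer) {
        this.searchguardIndex = settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);
        this.auditLog = auditLog;
        this.irr = indexResolverReplacer;
        this.filterSgIndex = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_FILTER_SGINDEX_FROM_ALL_REQUESTS, false);
        final boolean restoreSgIndexEnabled = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_UNSUPPORTED_RESTORE_SGINDEX_ENABLED, false);

        final ArrayList<String> deniedPatterns = new ArrayList<>();
        deniedPatterns.add("indices:data/write*");
        deniedPatterns.add("indices:admin/delete*");
        deniedPatterns.add("indices:admin/mapping/delete*");
        deniedPatterns.add("indices:admin/mapping/put*");
        deniedPatterns.add("indices:admin/freeze*");
        deniedPatterns.add("indices:admin/settings/update*");
        // NOTE(review): unlike the other entries this pattern has no trailing wildcard;
        // confirm against WildcardMatcher that alias sub-actions are meant to be excluded.
        deniedPatterns.add("indices:admin/aliases");
        if (!restoreSgIndexEnabled) {
            // Closing the index and restoring a snapshot over it stay denied unless the
            // restore setting is switched on; enabling that setting therefore widens what a
            // regular user may do to the protected index.
            deniedPatterns.add("indices:admin/close*");
            deniedPatterns.add("cluster:admin/snapshot/restore*");
        }
        this.sgDeniedActionPatterns = deniedPatterns.toArray(new String[0]);
    }

    /**
     * Decides whether the action may proceed with respect to the configuration index.
     *
     * @param actionRequest the request being evaluated; may be rewritten in filter mode and may
     *     have its request cache or realtime flag switched off
     * @param task the task the request runs under, passed through to the audit log
     * @param str the action name, matched against the denied action patterns
     * @param resolved the indices the request resolves to
     * @param privilegesEvaluatorResponse the response to update; {@code allowed} is set to
     *     {@code false} and the response marked complete when the request is rejected
     * @return the response passed in, or the result of {@code markComplete()} on it for a
     *     rejected request
     */
    public PrivilegesEvaluatorResponse evaluate(ActionRequest actionRequest, Task task, String str, IndexResolverReplacer.Resolved resolved, PrivilegesEvaluatorResponse privilegesEvaluatorResponse) {
        if (resolved.getAllIndices().contains(this.searchguardIndex) && WildcardMatcher.matchAny(this.sgDeniedActionPatterns, str)) {
            if (!this.filterSgIndex) {
                this.auditLog.logSgIndexAttempt(actionRequest, str, task);
                // The action name is passed as a parameter rather than concatenated into the
                // pattern, so braces inside it cannot shift the placeholders.
                this.log.warn("{} for '{}' index is not allowed for a regular user", str, this.searchguardIndex);
                privilegesEvaluatorResponse.allowed = false;
                return privilegesEvaluatorResponse.markComplete();
            }
            // Filter mode: the attempt is not sent to the audit log, only logged at debug level.
            final HashSet<String> remainingIndices = new HashSet<>(resolved.getAllIndices());
            remainingIndices.remove(this.searchguardIndex);
            if (remainingIndices.isEmpty()) {
                // Nothing left to act on once the protected index is removed: reject.
                this.log.debug("Filtered '{}' but resulting list is empty", this.searchguardIndex);
                privilegesEvaluatorResponse.allowed = false;
                return privilegesEvaluatorResponse.markComplete();
            }
            this.irr.replace(actionRequest, false, remainingIndices.toArray(new String[0]));
            this.log.debug("Filtered '{}', resulting list is {}", this.searchguardIndex, remainingIndices);
            return privilegesEvaluatorResponse;
        }
        if (resolved.isLocalAll() && WildcardMatcher.matchAny(this.sgDeniedActionPatterns, str)) {
            if (this.filterSgIndex) {
                // Rewrite "all indices" into "all indices except the protected one".
                this.irr.replace(actionRequest, false, "*", "-" + this.searchguardIndex);
                // Guard kept: resolving the request again only for a debug line is not free.
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Filtered '{}'from {}, resulting list with *,-{} is {}", this.searchguardIndex, resolved, this.searchguardIndex, this.irr.resolveRequest(actionRequest));
                }
                return privilegesEvaluatorResponse;
            }
            this.auditLog.logSgIndexAttempt(actionRequest, str, task);
            this.log.warn("{} for '_all' indices is not allowed for a regular user", str);
            privilegesEvaluatorResponse.allowed = false;
            return privilegesEvaluatorResponse.markComplete();
        }
        if (resolved.getAllIndices().contains(this.searchguardIndex) || resolved.isLocalAll()) {
            // Actions that are not denied but still touch the protected index run without the
            // request cache and without realtime reads.
            // NOTE(review): presumably so that later filtering sees fresh results; confirm.
            if (actionRequest instanceof SearchRequest) {
                ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
                this.log.debug("Disable search request cache for this request");
            }
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(false);
                this.log.debug("Disable realtime for this request");
            }
        }
        return privilegesEvaluatorResponse;
    }
}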
