package com.floragunn.searchguard.privileges;

import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.user.User;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.index.query.MatchNoneQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.search.aggregations.AggregationBuilder;
import org.elasticsearch.search.aggregations.bucket.terms.TermsAggregationBuilder;

/* loaded from: input_file:com/floragunn/searchguard/privileges/TermsAggregationEvaluator.class */
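/**
 * Special-cases one narrowly defined search request during privilege evaluation: a search
 * with no query, {@code size == 0} and exactly one aggregation, which must be a terms
 * aggregation named {@code "indices"} on the {@code "_index"} field with no sub-aggregations
 * and no pipeline aggregations.
 *
 * <p>For that request shape the evaluator does not reject the request. It injects a query that
 * limits the search to the indices returned by
 * {@code ConfigModel.SgRoles#getAllPermittedIndicesForKibana} and then marks the response as
 * allowed and complete. After that, the injected {@code _index} filter is the only thing this
 * class does to keep non-permitted indices out of the aggregation result, so the shape check
 * must stay strict.
 *
 * <p>NOTE(review): the helper name suggests this is the index-listing request sent by Kibana;
 * confirm against the caller.
 */
public class TermsAggregationEvaluator {
    protected final Logger log = LogManager.getLogger(getClass());

    // Action patterns handed to getAllPermittedIndicesForKibana.
    // NOTE(review): presumably an index counts as permitted when the user's roles grant these
    // read actions on it - confirm whether all or any of them are required.
    private static final String[] READ_ACTIONS = {"indices:data/read/msearch", "indices:data/read/mget", "indices:data/read/get", "indices:data/read/search", "indices:data/read/field_caps*"};

    // Used when the user has no permitted index, so the request returns no buckets.
    // NOTE(review): this one instance is shared by every rewritten request and query builders
    // expose setters (boost, queryName); confirm nothing downstream mutates it.
    private static final QueryBuilder NONE_QUERY = new MatchNoneQueryBuilder();

    /**
     * Restricts a query-less terms aggregation on {@code _index} to the indices the user may read.
     *
     * @param resolved the resolved indices of the request, passed through to the role lookup
     * @param actionRequest the request under evaluation; only {@link SearchRequest} is handled
     * @param clusterService passed through to the role lookup
     * @param user the authenticated user whose permitted indices are looked up
     * @param sgRoles the roles used to compute the permitted indices
     * @param indexNameExpressionResolver passed through to the role lookup
     * @param privilegesEvaluatorResponse the response to update and return
     * @return the given response, with {@code allowed = true} and marked complete when the
     *     request matched and was rewritten; otherwise the given response unchanged
     */
    public PrivilegesEvaluatorResponse evaluate(IndexResolverReplacer.Resolved resolved, ActionRequest actionRequest, ClusterService clusterService, User user, ConfigModel.SgRoles sgRoles, IndexNameExpressionResolver indexNameExpressionResolver, PrivilegesEvaluatorResponse privilegesEvaluatorResponse) {
        try {
            if (!(actionRequest instanceof SearchRequest)) {
                return privilegesEvaluatorResponse;
            }
            SearchRequest searchRequest = (SearchRequest) actionRequest;

            // Only rewrite requests that carry no query of their own: a caller-supplied query
            // is never replaced here and goes through the regular evaluation instead.
            if (searchRequest.source() == null
                    || searchRequest.source().query() != null
                    || searchRequest.source().aggregations() == null
                    || searchRequest.source().aggregations().getAggregatorFactories() == null
                    || searchRequest.source().aggregations().getAggregatorFactories().size() != 1
                    || searchRequest.source().size() != 0) {
                return privilegesEvaluatorResponse;
            }

            // Keep the general type until the instanceof check has passed. The decompiled
            // original assigned an AggregationBuilder to a TermsAggregationBuilder variable,
            // which does not compile.
            AggregationBuilder aggregation = (AggregationBuilder) searchRequest.source().aggregations().getAggregatorFactories().iterator().next();
            if (!(aggregation instanceof TermsAggregationBuilder)) {
                return privilegesEvaluatorResponse;
            }
            TermsAggregationBuilder termsAggregation = (TermsAggregationBuilder) aggregation;

            // Sub-aggregations and pipeline aggregations are excluded, so the only values the
            // matched request can return are bucket keys of the _index field.
            boolean indexListing = "terms".equals(termsAggregation.getType())
                    && "indices".equals(termsAggregation.getName())
                    && "_index".equals(termsAggregation.field())
                    && termsAggregation.getPipelineAggregations().isEmpty()
                    && termsAggregation.getSubAggregations().isEmpty();
            if (!indexListing) {
                return privilegesEvaluatorResponse;
            }

            Set<String> allPermittedIndicesForKibana = sgRoles.getAllPermittedIndicesForKibana(resolved, user, READ_ACTIONS, indexNameExpressionResolver, clusterService);
            if (allPermittedIndicesForKibana == null || allPermittedIndicesForKibana.isEmpty()) {
                // No permitted index: leaving the query unset would aggregate over every index
                // the request resolves to, so force an empty result.
                searchRequest.source().query(NONE_QUERY);
            } else {
                searchRequest.source().query(new TermsQueryBuilder("_index", allPermittedIndicesForKibana));
            }

            // The restricting query is in place before the request is approved.
            // NOTE(review): markComplete() presumably ends further privilege evaluation for
            // this request - confirm in PrivilegesEvaluatorResponse.
            privilegesEvaluatorResponse.allowed = true;
            return privilegesEvaluatorResponse.markComplete();
        } catch (Exception e) {
            // Best effort: a failure is logged and the response is returned without this
            // method approving or completing it. Any query already injected only narrows
            // the search.
            this.log.warn("Unable to evaluate terms aggregation", e);
            return privilegesEvaluatorResponse;
        }
    }
}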
