package com.floragunn.searchguard.privileges;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.ActionGroupHolder;
import com.floragunn.searchguard.configuration.ClusterInfoHolder;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.resolver.IndexResolverReplacer;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.User;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ListMultimap;
import com.google.common.collect.MultimapBuilder;
import com.google.common.collect.SetMultimap;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.get.GetFieldMappingsRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.cluster.metadata.AliasMetaData;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.ImmutableOpenMap;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/privileges/PrivilegesEvaluator.class */
public class PrivilegesEvaluator implements ConfigurationChangeListener {
    // Collaborators handed in through the constructor; evaluate() passes clusterService and resolver on to the role checks.
    private final ClusterService clusterService;
    private final IndexNameExpressionResolver resolver;
    // Receives logMissingPrivileges() calls when the privileges interceptor rejects a request in evaluate().
    private final AuditLog auditLog;
    // Source of the SG_REMOTE_ADDRESS transient that evaluate() requires to be non-null.
    private ThreadContext threadContext;
    // Backing store for the roles and config Settings read by getRolesSettings() / getConfigSettings().
    private final ConfigurationRepository configurationRepository;
    // Compared by class identity against PrivilegesInterceptor.class: only a subclass is consulted for tenant handling.
    private PrivilegesInterceptor privilegesInterceptor;
    // Read in the constructor with a default of true; gates the extra checks for RestoreSnapshotRequest in evaluate().
    private final boolean checkSnapshotRestoreWritePrivileges;
    // Decides whether backend roles, mapped roles, or both become Search Guard roles; the constructor falls back to MAPPING_ONLY.
    private ConfigConstants.RolesMappingResolution rolesMappingResolution;
    private final ClusterInfoHolder clusterInfoHolder;
    // Subscribed to roles configuration changes in the constructor; supplies the SgRoles used for every decision.
    private final ConfigModel configModel;
    private final IndexResolverReplacer irr;
    private final SnapshotRestoreEvaluator snapshotRestoreEvaluator;
    private final SearchGuardIndexAccessEvaluator sgIndexAccessEvaluator;
    private final TermsAggregationEvaluator termsAggregationEvaluator;
    private final DlsFlsEvaluator dlsFlsEvaluator;
    // Subscribed to roles configuration changes in the constructor; answers mapTenants().
    private TenantHolder tenantHolder;
    // When false, evaluate() skips the DLS/FLS evaluator entirely.
    private final boolean enterpriseModulesEnabled;
    protected final Logger log = LogManager.getLogger(getClass());
    protected final Logger actionTrace = LogManager.getLogger("sg_action_trace");
    // Replaced wholesale by onChange(); stays null until the first roles-mapping configuration arrives,
    // which is what isInitialized() tests.
    // NOTE(review): written by the configuration callback and read by evaluate() without volatile or a lock —
    // confirm the caller provides the happens-before edge.
    private RoleMappingHolder roleMappingHolder = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.floragunn.searchguard.privileges.PrivilegesEvaluator$1, reason: invalid class name */
    /* loaded from: input_file:com/floragunn/searchguard/privileges/PrivilegesEvaluator$1.class */
    /*
     * Compiler-generated switch map recovered by the decompiler: each array translates an enum
     * ordinal into the dense case label used by a switch statement in the outer class.
     * The OpType labels (1..4) are the case values switched on in evaluateAdditionalIndexPermissions,
     * so the numbers assigned here and the case labels there must stay in step.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType;
        // Only REMOVE_INDEX is mapped; presumably consumed by the alias-action handling further down the file — confirm.
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type = new int[IndicesAliasesRequest.AliasActions.Type.values().length];

        static {
            // Each assignment is wrapped separately so that an enum constant missing at run time
            // (NoSuchFieldError) only leaves its own slot at the default 0.
            try {
                $SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type[IndicesAliasesRequest.AliasActions.Type.REMOVE_INDEX.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            // Slots start at 0, and 0 matches no case label in the OpType switch: an operation type
            // that is not mapped below contributes no per-item write privilege to the required set.
            $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType = new int[DocWriteRequest.OpType.values().length];
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.CREATE.ordinal()] = 1;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.INDEX.ordinal()] = 2;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.DELETE.ordinal()] = 3;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.UPDATE.ordinal()] = 4;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/privileges/PrivilegesEvaluator$RoleMappingHolder.class */
    /**
     * Snapshot of the roles-mapping configuration, indexed by what a mapping entry matches on:
     * user-name patterns, backend-role patterns, "all of these" backend-role sets, and host patterns.
     * A new holder is built for every configuration change; the indexes are never modified afterwards.
     */
    public class RoleMappingHolder {
        // user-name pattern -> Search Guard roles
        private ListMultimap<String, String> users;
        // set of backend-role patterns that must ALL match -> Search Guard roles
        private ListMultimap<Set<String>, String> abars;
        // backend-role pattern -> Search Guard roles
        private ListMultimap<String, String> bars;
        // host pattern (IP or host name) -> Search Guard roles
        private ListMultimap<String, String> hosts;

        /**
         * Builds the four lookup indexes from the roles-mapping settings.
         *
         * @param settings roles-mapping configuration keyed by Search Guard role name; when
         *                 {@code null} the indexes stay {@code null} and {@link #map} returns an empty set
         */
        private RoleMappingHolder(Settings settings) {
            if (settings == null) {
                return;
            }
            final ListMultimap<String, String> byUser = ArrayListMultimap.create();
            final ListMultimap<Set<String>, String> byAllBackendRoles = ArrayListMultimap.create();
            final ListMultimap<String, String> byBackendRole = ArrayListMultimap.create();
            final ListMultimap<String, String> byHost = ArrayListMultimap.create();
            for (final String sgRole : settings.names()) {
                final Settings mapping = settings.getByPrefix(sgRole);
                for (final String userPattern : mapping.getAsList(".users")) {
                    byUser.put(userPattern, sgRole);
                }
                final Set<String> requiredTogether = new HashSet<>(mapping.getAsList(".and_backendroles"));
                if (!requiredTogether.isEmpty()) {
                    byAllBackendRoles.put(requiredTogether, sgRole);
                }
                for (final String backendRolePattern : mapping.getAsList(".backendroles")) {
                    byBackendRole.put(backendRolePattern, sgRole);
                }
                for (final String hostPattern : mapping.getAsList(".hosts")) {
                    byHost.put(hostPattern, sgRole);
                }
            }
            this.users = byUser;
            this.abars = byAllBackendRoles;
            this.bars = byBackendRole;
            this.hosts = byHost;
        }

        /**
         * Resolves the Search Guard roles of a user according to the configured roles-mapping resolution.
         *
         * <p>With BOTH or BACKENDROLES_ONLY the backend roles reported for the user are used directly
         * as Search Guard role names, so any backend role whose name equals a Search Guard role grants
         * that role without a mapping entry. With BOTH or MAPPING_ONLY the user name, backend roles and
         * remote address are matched against the mapping patterns.
         *
         * @param user             authenticated user; {@code null} yields an empty set
         * @param transportAddress remote address of the request, or {@code null} to skip host mappings
         * @return unmodifiable, sorted set of Search Guard role names
         */
        public Set<String> map(User user, TransportAddress transportAddress) {
            final boolean notLoaded = this.users == null || this.abars == null || this.bars == null || this.hosts == null;
            if (user == null || notLoaded) {
                return Collections.emptySet();
            }
            final ConfigConstants.RolesMappingResolution resolution = PrivilegesEvaluator.this.rolesMappingResolution;
            final boolean useBoth = resolution == ConfigConstants.RolesMappingResolution.BOTH;
            final Set<String> sgRoles = new TreeSet<>();

            if (useBoth || resolution == ConfigConstants.RolesMappingResolution.BACKENDROLES_ONLY) {
                if (PrivilegesEvaluator.this.log.isDebugEnabled()) {
                    PrivilegesEvaluator.this.log.debug("Pass backendroles from {}", user);
                }
                sgRoles.addAll(user.getRoles());
            }

            if (!useBoth && resolution != ConfigConstants.RolesMappingResolution.MAPPING_ONLY) {
                return Collections.unmodifiableSet(sgRoles);
            }

            for (final String userPattern : WildcardMatcher.getAllMatchingPatterns(this.users.keySet(), user.getName())) {
                sgRoles.addAll(this.users.get(userPattern));
            }
            for (final String backendRolePattern : WildcardMatcher.getAllMatchingPatterns(this.bars.keySet(), user.getRoles())) {
                sgRoles.addAll(this.bars.get(backendRolePattern));
            }
            for (final Set<String> requiredTogether : this.abars.keySet()) {
                if (WildcardMatcher.allPatternsMatched(requiredTogether, user.getRoles())) {
                    sgRoles.addAll(this.abars.get(requiredTogether));
                }
            }

            if (transportAddress != null) {
                // The textual address is always matched, whatever the resolver mode.
                addRolesForHost(sgRoles, transportAddress.getAddress());
                final String resolverMode = PrivilegesEvaluator.this.getConfigSettings().get("searchguard.dynamic.hosts_resolver_mode", "ip-only");
                if (transportAddress.address() != null) {
                    if (resolverMode.equalsIgnoreCase("ip-hostname") || resolverMode.equalsIgnoreCase("ip-hostname-lookup")) {
                        addRolesForHost(sgRoles, transportAddress.address().getHostString());
                    }
                    if (resolverMode.equalsIgnoreCase("ip-hostname-lookup")) {
                        // InetSocketAddress.getHostName() may perform a reverse name lookup. The answer is
                        // supplied by whoever controls the reverse zone of the client address, so roles
                        // granted through host-name patterns in this mode rest on DNS, not on authentication.
                        addRolesForHost(sgRoles, transportAddress.address().getHostName());
                    }
                }
            }
            return Collections.unmodifiableSet(sgRoles);
        }

        /** Adds the roles of every host pattern that matches {@code hostCandidate} to {@code target}. */
        private void addRolesForHost(Set<String> target, String hostCandidate) {
            for (final String hostPattern : WildcardMatcher.getAllMatchingPatterns(this.hosts.keySet(), hostCandidate)) {
                target.addAll(this.hosts.get(hostPattern));
            }
        }

        /* synthetic */ RoleMappingHolder(PrivilegesEvaluator privilegesEvaluator, Settings settings, AnonymousClass1 anonymousClass1) {
            this(settings);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/privileges/PrivilegesEvaluator$TenantHolder.class */
    /**
     * Holds the tenant grants of every Search Guard role (role name -> (tenant, writable)) and
     * rebuilds them whenever the roles configuration changes.
     */
    public class TenantHolder implements ConfigurationChangeListener {
        // role name -> (tenant name, true when the role has RW access to the tenant)
        // NOTE(review): assigned by onChange() and read by mapTenants() without volatile or a lock —
        // confirm the caller provides the happens-before edge.
        private SetMultimap<String, Tuple<String, Boolean>> tenantsMM;

        private TenantHolder() {
            this.tenantsMM = null;
        }

        /**
         * Computes the tenants a user may access and whether each one is writable.
         *
         * <p>The user's own name is always present as a writable tenant, and a configured tenant with
         * that same name cannot override it. For any other tenant a read-write grant from one role
         * takes precedence over read-only grants from other roles.
         *
         * @param user authenticated user; {@code null} yields an empty map
         * @param set  Search Guard roles of the user
         * @return unmodifiable map from tenant name to "writable"
         */
        public Map<String, Boolean> mapTenants(User user, Set<String> set) {
            if (user == null || this.tenantsMM == null) {
                return Collections.emptyMap();
            }
            final Map<String, Boolean> accessByTenant = new HashMap<>(set.size());
            accessByTenant.put(user.getName(), true);
            for (final Map.Entry<String, Tuple<String, Boolean>> grant : this.tenantsMM.entries()) {
                if (!set.contains(grant.getKey())) {
                    continue;
                }
                final String tenant = grant.getValue().v1();
                if (user.getName().equals(tenant)) {
                    continue;
                }
                final boolean writable = grant.getValue().v2();
                if (writable || !accessByTenant.containsKey(tenant)) {
                    accessByTenant.put(tenant, writable);
                }
            }
            return Collections.unmodifiableMap(accessByTenant);
        }

        /**
         * Rebuilds the tenant grants, one loader task per role name in {@code settings}.
         *
         * <p>The new multimap replaces the old one only after every task has delivered its result.
         * If the thread is interrupted or a task fails, the previous grants stay in force.
         * NOTE(review): the boolean result of awaitTermination is not checked, so after a 30 second
         * timeout the Future.get() calls below still block until the tasks finish.
         *
         * @param settings roles configuration whose top-level names are the role names to load
         */
        @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
        public void onChange(Settings settings) {
            final Set<Future<Tuple<String, Set<Tuple<String, Boolean>>>>> pending = new HashSet<>(settings.size());
            final ExecutorService loaders = Executors.newFixedThreadPool(10);
            for (final String sgRole : settings.names()) {
                final Callable<Tuple<String, Set<Tuple<String, Boolean>>>> job = () -> loadTenants(sgRole);
                pending.add(loaders.submit(job));
            }
            loaders.shutdown();

            try {
                loaders.awaitTermination(30L, TimeUnit.SECONDS);
            } catch (InterruptedException interruptedWhileWaiting) {
                Thread.currentThread().interrupt();
                PrivilegesEvaluator.this.log.error("Thread interrupted (1) while loading roles");
                return;
            }

            try {
                final SetMultimap<String, Tuple<String, Boolean>> rebuilt = MultimapBuilder.SetMultimapBuilder.hashKeys(pending.size()).hashSetValues(16).build();
                for (final Future<Tuple<String, Set<Tuple<String, Boolean>>>> result : pending) {
                    final Tuple<String, Set<Tuple<String, Boolean>>> loaded = result.get();
                    rebuilt.putAll(loaded.v1(), loaded.v2());
                }
                this.tenantsMM = rebuilt;
            } catch (InterruptedException interruptedWhileCollecting) {
                Thread.currentThread().interrupt();
                PrivilegesEvaluator.this.log.error("Thread interrupted (2) while loading roles");
            } catch (ExecutionException failedTask) {
                PrivilegesEvaluator.this.log.error("Error while updating roles: {}", failedTask.getCause(), failedTask.getCause());
                throw ExceptionsHelper.convertToElastic(failedTask);
            }
        }

        /**
         * Reads the tenant grants of one role. Any value other than "RW" (case-insensitive),
         * including a missing value, is treated as read-only.
         * NOTE(review): the grants are read from the repository's current roles configuration, not
         * from the Settings passed to onChange() — confirm both always describe the same revision.
         */
        private Tuple<String, Set<Tuple<String, Boolean>>> loadTenants(String sgRole) {
            final Set<Tuple<String, Boolean>> grants = new HashSet<>();
            final Settings tenants = PrivilegesEvaluator.this.getRolesSettings().getByPrefix(sgRole + ".tenants.");
            if (tenants != null) {
                for (final String tenant : tenants.names()) {
                    final boolean writable = "RW".equalsIgnoreCase(tenants.get(tenant, "RO"));
                    grants.add(new Tuple<>(tenant, writable));
                }
            }
            return new Tuple<>(sgRole, grants);
        }

        /* synthetic */ TenantHolder(PrivilegesEvaluator privilegesEvaluator, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

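    /**
     * Wires the evaluator to its collaborators and subscribes it to configuration changes.
     *
     * <p>Subscriptions made here: the config model and the tenant holder listen for roles changes,
     * and this evaluator listens for roles-mapping changes.
     *
     * @param clusterService              cluster service passed on to the role checks
     * @param threadPool                  supplies the thread context and is passed to the DLS/FLS evaluator
     * @param configurationRepository     source of the roles, roles-mapping and config settings
     * @param actionGroupHolder           used to build the config model
     * @param indexNameExpressionResolver index name resolver passed on to the role checks
     * @param auditLog                    audit log sink
     * @param settings                    node settings read for the roles-mapping resolution and the
     *                                    snapshot-restore write check
     * @param privilegesInterceptor       interceptor consulted for tenant handling
     * @param clusterInfoHolder           passed to the snapshot-restore evaluator at evaluation time
     * @param indexResolverReplacer       resolves and rewrites the indices of a request
     * @param z                           whether enterprise modules (DLS/FLS evaluation) are enabled
     */
    public PrivilegesEvaluator(ClusterService clusterService, ThreadPool threadPool, ConfigurationRepository configurationRepository, ActionGroupHolder actionGroupHolder, IndexNameExpressionResolver indexNameExpressionResolver, AuditLog auditLog, Settings settings, PrivilegesInterceptor privilegesInterceptor, ClusterInfoHolder clusterInfoHolder, IndexResolverReplacer indexResolverReplacer, boolean z) {
        this.tenantHolder = null;
        this.configurationRepository = configurationRepository;
        this.clusterService = clusterService;
        this.resolver = indexNameExpressionResolver;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
        this.privilegesInterceptor = privilegesInterceptor;
        try {
            // Upper-case with Locale.ROOT so the enum lookup does not depend on the JVM default locale
            // (a Turkish default locale maps 'i' to a dotted capital and makes valueOf fail).
            final String configured = settings.get(ConfigConstants.SEARCHGUARD_ROLES_MAPPING_RESOLUTION, ConfigConstants.RolesMappingResolution.MAPPING_ONLY.toString());
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.valueOf(configured.toUpperCase(java.util.Locale.ROOT));
        } catch (Exception e) {
            // An unrecognised value falls back to MAPPING_ONLY, the mode in which backend roles are
            // not used directly as Search Guard roles.
            this.log.error("Cannot apply roles mapping resolution", e);
            this.rolesMappingResolution = ConfigConstants.RolesMappingResolution.MAPPING_ONLY;
        }
        this.checkSnapshotRestoreWritePrivileges = settings.getAsBoolean(ConfigConstants.SEARCHGUARD_CHECK_SNAPSHOT_RESTORE_WRITE_PRIVILEGES, true).booleanValue();
        this.clusterInfoHolder = clusterInfoHolder;
        this.configModel = new ConfigModel(actionGroupHolder);
        configurationRepository.subscribeOnChange(ConfigConstants.CONFIGNAME_ROLES, this.configModel);
        // NOTE(review): "this" is registered as a listener before the constructor has finished; onChange()
        // only assigns roleMappingHolder, but confirm no callback can fire before construction completes.
        configurationRepository.subscribeOnChange(ConfigConstants.CONFIGNAME_ROLES_MAPPING, this);
        this.irr = indexResolverReplacer;
        this.snapshotRestoreEvaluator = new SnapshotRestoreEvaluator(settings, auditLog);
        this.sgIndexAccessEvaluator = new SearchGuardIndexAccessEvaluator(settings, auditLog);
        this.dlsFlsEvaluator = new DlsFlsEvaluator(settings, threadPool);
        this.termsAggregationEvaluator = new TermsAggregationEvaluator();
        this.tenantHolder = new TenantHolder(this, null);
        configurationRepository.subscribeOnChange(ConfigConstants.CONFIGNAME_ROLES, this.tenantHolder);
        this.enterpriseModulesEnabled = z;
    }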

    /**
     * Rebuilds the role-mapping indexes from a changed roles-mapping configuration and swaps them
     * in with a single field assignment.
     *
     * @param settings the new roles-mapping configuration
     */
    @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
    public void onChange(Settings settings) {
        final RoleMappingHolder rebuilt = new RoleMappingHolder(this, settings, null);
        this.roleMappingHolder = rebuilt;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Fetches the roles configuration from the configuration repository.
     *
     * @return the roles settings; isInitialized() treats {@code null} as "not loaded yet"
     */
    public Settings getRolesSettings() {
        final Settings roles = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_ROLES);
        return roles;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Fetches the dynamic Search Guard configuration from the configuration repository.
     *
     * @return the config settings; isInitialized() treats {@code null} as "not loaded yet"
     */
    public Settings getConfigSettings() {
        final Settings config = this.configurationRepository.getConfiguration(ConfigConstants.CONFIGNAME_CONFIG);
        return config;
    }

    /**
     * Narrows the configured Search Guard roles to the given role names.
     *
     * @param set names of the roles the current user holds
     * @return the result of filtering the config model's roles by {@code set}
     */
    private ConfigModel.SgRoles getSgRoles(Set<String> set) {
        final ConfigModel.SgRoles configured = this.configModel.getSgRoles();
        return configured.filter(set);
    }

    /**
     * Reports whether every configuration needed for a decision has been loaded: the role
     * mapping, the roles model, the roles settings and the config settings.
     *
     * @return {@code true} only when none of them is {@code null}
     */
    public boolean isInitialized() {
        if (this.roleMappingHolder == null) {
            return false;
        }
        if (this.configModel.getSgRoles() == null) {
            return false;
        }
        if (getRolesSettings() == null) {
            return false;
        }
        return getConfigSettings() != null;
    }

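    /**
     * Decides whether {@code user} may execute the action {@code str} with the given request.
     *
     * <p>Order of evaluation: the DLS/FLS evaluator (enterprise modules only), the snapshot-restore
     * evaluator and the Search Guard index evaluator may each complete the response on their own.
     * Otherwise cluster-level actions are checked against cluster permissions and everything else
     * against index permissions. With "do not fail on forbidden" enabled, read requests are narrowed
     * to the permitted indices instead of being rejected; this rewrites {@code actionRequest} in place.
     *
     * @param user          authenticated user
     * @param str           action name; {@code internal:indices/admin/upgrade*} is evaluated as
     *                      {@code indices:admin/upgrade}
     * @param actionRequest request to check; its indices may be replaced
     * @param task          task of the request, passed to the evaluators and the audit log
     * @return the response carrying the decision and the missing privileges
     * @throws ElasticsearchSecurityException if the configuration has not been loaded yet
     * @throws NullPointerException           if the thread context has no remote address transient
     */
    public PrivilegesEvaluatorResponse evaluate(User user, String str, ActionRequest actionRequest, Task task) {
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Search Guard is not initialized.", new Object[0]);
        }
        final String action = str.startsWith("internal:indices/admin/upgrade") ? "indices:admin/upgrade" : str;
        final TransportAddress caller = Objects.requireNonNull((TransportAddress) this.threadContext.getTransient(ConfigConstants.SG_REMOTE_ADDRESS));
        final Set<String> mappedSgRoles = mapSgRoles(user, caller);
        final ConfigModel.SgRoles sgRoles = getSgRoles(mappedSgRoles);
        final PrivilegesEvaluatorResponse presponse = new PrivilegesEvaluatorResponse();
        if (this.log.isDebugEnabled()) {
            this.log.debug("### evaluate permissions for {} on {}", user, this.clusterService.localNode().getName());
            this.log.debug("action: " + action + " (" + actionRequest.getClass().getSimpleName() + ")");
        }
        final IndexResolverReplacer.Resolved requestedResolved = this.irr.resolveRequest(actionRequest);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requestedResolved : {}", requestedResolved);
        }

        // Specialised evaluators run first; once one of them marks the response complete, its verdict stands.
        if (this.enterpriseModulesEnabled && this.dlsFlsEvaluator.evaluate(actionRequest, this.clusterService, this.resolver, requestedResolved, user, sgRoles, presponse).isComplete()) {
            return presponse;
        }
        if (this.snapshotRestoreEvaluator.evaluate(actionRequest, task, action, this.clusterInfoHolder, presponse).isComplete()) {
            return presponse;
        }
        if (this.sgIndexAccessEvaluator.evaluate(actionRequest, task, action, requestedResolved, presponse).isComplete()) {
            return presponse;
        }

        final boolean dnfofEnabled = getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.do_not_fail_on_forbidden", false).booleanValue() || getConfigSettings().getAsBoolean("searchguard.dynamic.do_not_fail_on_forbidden", false).booleanValue();
        if (this.log.isTraceEnabled()) {
            this.log.trace("dnfof enabled? {}", Boolean.valueOf(dnfofEnabled));
        }
        final Settings config = getConfigSettings();

        if (isClusterPerm(action)) {
            if (!sgRoles.impliesClusterPermissionPermission(action)) {
                presponse.missingPrivileges.add(action);
                presponse.allowed = false;
                this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", "cluster", user, requestedResolved, action, sgRoles.getRoles().stream().map(sgRole -> sgRole.getName()).toArray());
                this.log.info("No permissions for {}", presponse.missingPrivileges);
                return presponse;
            }
            if (!(actionRequest instanceof RestoreSnapshotRequest) || !this.checkSnapshotRestoreWritePrivileges) {
                if (this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class) {
                    final Boolean replaceResult = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, action, user, config, requestedResolved, mapTenants(user, mappedSgRoles));
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Result from privileges interceptor for cluster perm: {}", replaceResult);
                    }
                    // Compare by value: an identity test against Boolean.TRUE misses a Boolean that is
                    // not the canonical instance, and a missed rejection would fall through to "allowed" below.
                    if (Boolean.TRUE.equals(replaceResult)) {
                        // Rejected by the interceptor: the response is returned without setting allowed.
                        // NOTE(review): this relies on PrivilegesEvaluatorResponse.allowed starting out false — confirm.
                        this.auditLog.logMissingPrivileges(action, (TransportRequest) actionRequest, task);
                        return presponse;
                    }
                    if (Boolean.FALSE.equals(replaceResult)) {
                        presponse.allowed = true;
                        return presponse;
                    }
                }
                // The guard already requires a non-empty index list, so the former nested
                // "no indices" branch could never run and has been dropped.
                if (dnfofEnabled && action.startsWith("indices:data/read/") && !requestedResolved.getAllIndices().isEmpty()) {
                    final Set<String> permittedIndices = sgRoles.reduce(requestedResolved, user, new String[]{action}, this.resolver, this.clusterService);
                    if (permittedIndices.isEmpty()) {
                        presponse.allowed = false;
                        return presponse;
                    }
                    if (this.irr.replace(actionRequest, true, permittedIndices.toArray(new String[0]))) {
                        presponse.missingPrivileges.clear();
                        presponse.allowed = true;
                        return presponse;
                    }
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Allowed because we have cluster permissions for " + action);
                }
                presponse.allowed = true;
                return presponse;
            }
            // A restore request with the write-privilege check enabled continues into the index checks below.
            if (this.log.isDebugEnabled()) {
                this.log.debug("Normally allowed but we need to apply some extra checks for a restore request.");
            }
        }

        if (this.termsAggregationEvaluator.evaluate(requestedResolved, actionRequest, this.clusterService, user, sgRoles, this.resolver, presponse).isComplete()) {
            return presponse;
        }

        final Set<String> requiredPermissions = evaluateAdditionalIndexPermissions(actionRequest, action);
        final String[] requiredPermissionsArray = requiredPermissions.toArray(new String[0]);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requested {} from {}", requiredPermissions, caller);
        }
        presponse.missingPrivileges.clear();
        presponse.missingPrivileges.addAll(requiredPermissions);
        if (this.log.isDebugEnabled()) {
            this.log.debug("requested resolved indextypes: {}", requestedResolved);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("sgr: {}", sgRoles.getRoles().stream().map(sgRole -> sgRole.getName()).toArray());
        }

        if (this.privilegesInterceptor.getClass() != PrivilegesInterceptor.class) {
            final Boolean replaceResult = this.privilegesInterceptor.replaceKibanaIndex(actionRequest, action, user, config, requestedResolved, mapTenants(user, mappedSgRoles));
            if (this.log.isDebugEnabled()) {
                this.log.debug("Result from privileges interceptor: {}", replaceResult);
            }
            // Value comparison for the same reason as in the cluster branch above.
            if (Boolean.TRUE.equals(replaceResult)) {
                this.auditLog.logMissingPrivileges(action, (TransportRequest) actionRequest, task);
                return presponse;
            }
            if (Boolean.FALSE.equals(replaceResult)) {
                presponse.allowed = true;
                return presponse;
            }
        }

        if (dnfofEnabled && (action.startsWith("indices:data/read/") || action.startsWith("indices:admin/mappings/fields/get") || action.equals("indices:admin/shards/search_shards"))) {
            if (requestedResolved.getAllIndices().isEmpty()) {
                presponse.missingPrivileges.clear();
                presponse.allowed = true;
                return presponse;
            }
            final Set<String> permittedIndices = sgRoles.reduce(requestedResolved, user, requiredPermissionsArray, this.resolver, this.clusterService);
            if (permittedIndices.isEmpty()) {
                if (getConfigSettings().getAsBoolean("searchguard.dynamic.do_not_fail_on_forbidden_empty", false).booleanValue()) {
                    // The request is allowed but rewritten to an empty index list with wildcard
                    // expansion switched off.
                    // NOTE(review): the intent appears to be "match no index"; confirm that an empty
                    // index array with these options is never resolved to all indices downstream.
                    if (actionRequest instanceof SearchRequest) {
                        ((SearchRequest) actionRequest).indices(new String[0]);
                        ((SearchRequest) actionRequest).indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
                        presponse.missingPrivileges.clear();
                        presponse.allowed = true;
                        return presponse;
                    }
                    if (actionRequest instanceof ClusterSearchShardsRequest) {
                        ((ClusterSearchShardsRequest) actionRequest).indices(new String[0]);
                        ((ClusterSearchShardsRequest) actionRequest).indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
                        presponse.missingPrivileges.clear();
                        presponse.allowed = true;
                        return presponse;
                    }
                    if (actionRequest instanceof GetFieldMappingsRequest) {
                        ((GetFieldMappingsRequest) actionRequest).indices(new String[0]);
                        ((GetFieldMappingsRequest) actionRequest).indicesOptions(IndicesOptions.fromOptions(true, true, false, false));
                        presponse.missingPrivileges.clear();
                        presponse.allowed = true;
                        return presponse;
                    }
                }
                presponse.allowed = false;
                return presponse;
            }
            if (this.irr.replace(actionRequest, true, permittedIndices.toArray(new String[0]))) {
                presponse.missingPrivileges.clear();
                presponse.allowed = true;
                return presponse;
            }
        }

        final boolean permGiven = config.getAsBoolean("searchguard.dynamic.multi_rolespan_enabled", false).booleanValue() ? sgRoles.impliesTypePermGlobal(requestedResolved, user, requiredPermissionsArray, this.resolver, this.clusterService) : sgRoles.get(requestedResolved, user, requiredPermissionsArray, this.resolver, this.clusterService);
        if (!permGiven) {
            // NOTE(review): the first argument is only the permission-level label of the message;
            // the constant looks decompiler-substituted for a literal — confirm against the original source.
            this.log.info("No {}-level perm match for {} {} [Action [{}]] [RolesChecked {}]", ConfigConstants.SEARCHGUARD_AUDIT_ES_INDEX, user, requestedResolved, action, sgRoles.getRoles().stream().map(sgRole -> sgRole.getName()).toArray());
            this.log.info("No permissions for {}", presponse.missingPrivileges);
        } else {
            if (checkFilteredAliases(requestedResolved.getAllIndices(), action)) {
                presponse.allowed = false;
                return presponse;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Allowed because we have all indices permissions for " + action);
            }
        }
        presponse.allowed = permGiven;
        return presponse;
    }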

    /**
     * Resolves the Search Guard roles of a user through the current role mapping.
     * NOTE(review): dereferences roleMappingHolder without a null check; evaluate() guards this
     * with isInitialized(), other callers of this public method are not visible here.
     *
     * @param user             authenticated user
     * @param transportAddress remote address of the request
     * @return the role names produced by the role mapping
     */
    public Set<String> mapSgRoles(User user, TransportAddress transportAddress) {
        final Set<String> mapped = this.roleMappingHolder.map(user, transportAddress);
        return mapped;
    }

    /**
     * Resolves the tenants a user may access through the tenant holder.
     *
     * @param user authenticated user
     * @param set  Search Guard roles of the user
     * @return map from tenant name to whether the tenant is writable
     */
    public Map<String, Boolean> mapTenants(User user, Set<String> set) {
        final Map<String, Boolean> tenants = this.tenantHolder.mapTenants(user, set);
        return tenants;
    }

    /**
     * Collects the names of all tenants that any role in the roles configuration refers to.
     *
     * @return unmodifiable set of tenant names; empty when no roles configuration is loaded
     */
    public Set<String> getAllConfiguredTenantNames() {
        final Settings roles = getRolesSettings();
        if (roles == null || roles.isEmpty()) {
            return Collections.emptySet();
        }
        final Set<String> tenantNames = new HashSet<>();
        for (final String sgRole : roles.names()) {
            final Settings tenants = roles.getByPrefix(sgRole + ".tenants.");
            if (tenants != null) {
                tenantNames.addAll(tenants.names());
            }
        }
        return Collections.unmodifiableSet(tenantNames);
    }

    /**
     * Reports whether multitenancy is active: a specialised privileges interceptor must be
     * installed and the dynamic setting (default {@code true}) must not switch it off.
     *
     * @return {@code true} when multitenancy is enabled
     */
    public boolean multitenancyEnabled() {
        if (this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class) {
            return false;
        }
        return getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.multitenancy_enabled", true).booleanValue();
    }

    /**
     * Reports whether the "do not fail on forbidden" mode is active.
     *
     * <p>The mode is only reported as enabled when the installed privileges interceptor is not
     * the base {@code PrivilegesInterceptor} class itself and the dynamic setting
     * {@code searchguard.dynamic.kibana.do_not_fail_on_forbidden} is true (the setting defaults
     * to {@code false} when absent).
     *
     * @return {@code true} if both conditions hold, {@code false} otherwise
     */
    public boolean notFailOnForbiddenEnabled() {
        // With the base interceptor class installed the setting is not consulted at all.
        if (this.privilegesInterceptor.getClass() == PrivilegesInterceptor.class) {
            return false;
        }
        // NOTE(review): what callers do differently when this returns true is not visible in
        // this method; confirm how denied requests are reported when the mode is on.
        final Boolean enabled = getConfigSettings().getAsBoolean("searchguard.dynamic.kibana.do_not_fail_on_forbidden", false);
        return enabled.booleanValue();
    }

    /**
     * Returns the configured Kibana index name.
     *
     * @return the value of {@code searchguard.dynamic.kibana.index}, or {@code ".kibana"} when
     *         the setting is absent
     */
    public String kibanaIndex() {
        final String configuredIndex = getConfigSettings().get("searchguard.dynamic.kibana.index", ".kibana");
        return configuredIndex;
    }

    /**
     * Returns the configured user name of the Kibana server account.
     *
     * @return the value of {@code searchguard.dynamic.kibana.server_username}, or
     *         {@code "kibanaserver"} when the setting is absent
     */
    public String kibanaServerUsername() {
        final String configuredName = getConfigSettings().get("searchguard.dynamic.kibana.server_username", "kibanaserver");
        return configuredName;
    }

    /**
     * Builds the set of index-level permissions that a request needs to hold.
     *
     * <p>The action name itself is included unless {@link #isClusterPerm(String)} classifies it
     * as a cluster permission. Further permissions are added depending on the request type:
     * cluster search shards, bulk shard items, alias actions, index creation with aliases and
     * (when {@code checkSnapshotRestoreWritePrivileges} is set) snapshot restore.
     *
     * @param actionRequest the request being authorised
     * @param str the action name of the request
     * @return an unmodifiable set of required permissions; it can be empty when the action is a
     *         cluster permission and no request-type rule applies
     */
    private Set<String> evaluateAdditionalIndexPermissions(ActionRequest actionRequest, String str) {
        final Set<String> required = new HashSet<>();

        if (!isClusterPerm(str)) {
            required.add(str);
        }

        if (actionRequest instanceof ClusterSearchShardsRequest) {
            required.add("indices:data/read/search");
        }

        if (actionRequest instanceof BulkShardRequest) {
            final BulkShardRequest bulkShardRequest = (BulkShardRequest) actionRequest;
            for (BulkItemRequest item : bulkShardRequest.items()) {
                // The case numbers come from a compiler-generated switch map; which op type each
                // number stands for is not visible here.
                // NOTE(review): an op type outside cases 1-4 adds no write permission to the
                // set. Confirm that this cannot leave a bulk item without a privilege check.
                switch (AnonymousClass1.$SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[item.request().opType().ordinal()]) {
                    case 1:
                    case 2:
                        required.add("indices:data/write/index");
                        break;
                    case 3:
                        required.add("indices:data/write/delete");
                        break;
                    case 4:
                        required.add("indices:data/write/update");
                        break;
                    default:
                        break;
                }
            }
        }

        if (actionRequest instanceof IndicesAliasesRequest) {
            final Iterator<?> aliasActions = ((IndicesAliasesRequest) actionRequest).getAliasActions().iterator();
            while (aliasActions.hasNext()) {
                final IndicesAliasesRequest.AliasActions aliasAction = (IndicesAliasesRequest.AliasActions) aliasActions.next();
                // Only the alias action type mapped to 1 requires the index delete permission.
                if (AnonymousClass1.$SwitchMap$org$elasticsearch$action$admin$indices$alias$IndicesAliasesRequest$AliasActions$Type[aliasAction.actionType().ordinal()] == 1) {
                    required.add("indices:admin/delete");
                }
            }
        }

        if (actionRequest instanceof CreateIndexRequest) {
            final CreateIndexRequest createRequest = (CreateIndexRequest) actionRequest;
            final boolean declaresAliases = createRequest.aliases() != null && !createRequest.aliases().isEmpty();
            if (declaresAliases) {
                required.add("indices:admin/aliases");
            }
        }

        // The restore write privileges are only demanded when the check is switched on.
        if ((actionRequest instanceof RestoreSnapshotRequest) && this.checkSnapshotRestoreWritePrivileges) {
            required.addAll(ConfigConstants.SG_SNAPSHOT_RESTORE_NEEDED_WRITE_PRIVILEGES);
        }

        // Only sets with more than one entry are logged.
        if (required.size() > 1) {
            if (this.actionTrace.isTraceEnabled()) {
                this.actionTrace.trace("Additional permissions required: " + required);
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Additional permissions required: " + required);
            }
        }
        return Collections.unmodifiableSet(required);
    }

    /**
     * Tells whether an action name is treated as a cluster-level permission.
     *
     * <p>Three families are matched by prefix ({@code cluster:}, {@code indices:admin/template/}
     * and {@code indices:data/read/scroll}); the bulk, mget, msearch, mtv and reindex actions
     * are matched by exact name only, so a longer name that merely starts with one of them is
     * not classified as a cluster permission.
     *
     * @param str the action name; must not be {@code null}
     * @return {@code true} if the action is classified as a cluster permission
     */
    private static boolean isClusterPerm(String str) {
        final boolean matchesPrefix = str.startsWith("cluster:")
                || str.startsWith("indices:admin/template/")
                || str.startsWith("indices:data/read/scroll");
        if (matchesPrefix) {
            return true;
        }
        switch (str) {
            case "indices:data/write/bulk":
            case "indices:data/read/mget":
            case "indices:data/read/msearch":
            case "indices:data/read/mtv":
            case "indices:data/write/reindex":
                return true;
            default:
                return false;
        }
    }

    /**
     * Checks whether any of the given indices carries more than one filtered alias in a way
     * that must block the request.
     *
     * <p>The check only applies to actions matching {@code indices:data/read/*search*}; other
     * actions always pass. What happens on a hit depends on
     * {@code searchguard.dynamic.filtered_alias_mode}:
     * <ul>
     *   <li>{@code warn} (the default when the setting is absent): a warning is logged and the
     *       request is not blocked;</li>
     *   <li>{@code disallow}: an error is logged and {@code true} is returned;</li>
     *   <li>any other value: a debug message at most, and the request is not blocked.</li>
     * </ul>
     *
     * @param set the index names to inspect
     * @param str the action name of the request
     * @return {@code true} only when the mode is {@code disallow} and some index has more than
     *         one filtered alias for a matching action; {@code false} otherwise
     */
    private boolean checkFilteredAliases(Set<String> set, String str) {
        for (String indexName : set) {
            final IndexMetaData indexMeta = (IndexMetaData) this.clusterService.state().metaData().getIndices().get(indexName);
            if (indexMeta == null) {
                // Names that are not concrete indices in the cluster state are skipped.
                this.log.debug("{} does not exist in cluster metadata", indexName);
                continue;
            }

            final List<AliasMetaData> filteredAliases = new ArrayList<>();
            final ImmutableOpenMap<String, AliasMetaData> aliases = indexMeta.getAliases();
            if (aliases != null && aliases.size() > 0) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Aliases for {}: {}", indexName, aliases);
                }
                final Iterator<String> aliasNames = aliases.keysIt();
                while (aliasNames.hasNext()) {
                    final String aliasName = aliasNames.next();
                    final AliasMetaData aliasMeta = aliases.get(aliasName);
                    final boolean isFiltered = aliasMeta != null && aliasMeta.filteringRequired();
                    if (isFiltered) {
                        filteredAliases.add(aliasMeta);
                        if (this.log.isDebugEnabled()) {
                            this.log.debug(aliasName + " is a filtered alias " + aliasMeta.getFilter());
                        }
                    } else if (this.log.isDebugEnabled()) {
                        this.log.debug(aliasName + " is not an alias or does not have a filter");
                    }
                }
            }

            // A single filtered alias is fine; only several on the same index are of interest.
            if (filteredAliases.size() <= 1 || !WildcardMatcher.match("indices:data/read/*search*", str)) {
                continue;
            }

            final String mode = getConfigSettings().get("searchguard.dynamic.filtered_alias_mode", "warn");
            if (mode.equals("warn")) {
                this.log.warn("More than one ({}) filtered alias found for same index ({}). This is currently not recommended. Aliases: {}", Integer.valueOf(filteredAliases.size()), indexName, toString(filteredAliases));
            } else if (mode.equals("disallow")) {
                this.log.error("More than one ({}) filtered alias found for same index ({}). This is currently not supported. Aliases: {}", Integer.valueOf(filteredAliases.size()), indexName, toString(filteredAliases));
                // The first offending index ends the scan; the caller denies the request.
                return true;
            } else if (this.log.isDebugEnabled()) {
                // Unrecognised mode values behave like "allow": nothing above debug level is logged.
                this.log.debug("More than one ({}) filtered alias found for same index ({}). Aliases: {}", Integer.valueOf(filteredAliases.size()), indexName, toString(filteredAliases));
            }
        }
        return false;
    }

    /**
     * Extracts the alias names from a list of alias metadata, for use in log messages.
     *
     * @param list the alias metadata entries; may be {@code null} or contain {@code null}
     *             elements, which are skipped
     * @return an unmodifiable list of alias names in input order; empty when the input is
     *         {@code null} or empty
     */
    private List<String> toString(List<AliasMetaData> list) {
        if (list == null || list.isEmpty()) {
            return Collections.emptyList();
        }
        final List<String> aliasNames = new ArrayList<>(list.size());
        for (AliasMetaData entry : list) {
            if (entry == null) {
                continue;
            }
            aliasNames.add(entry.alias());
        }
        return Collections.unmodifiableList(aliasNames);
    }
}
