package org.elasticsearch.shield.authz;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.cluster.ClusterService;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.InternalShieldUser;
import org.elasticsearch.shield.InternalSystemUser;
import org.elasticsearch.shield.ShieldTemplateService;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.audit.AuditTrail;
import org.elasticsearch.shield.authc.AnonymousService;
import org.elasticsearch.shield.authc.AuthenticationFailureHandler;
import org.elasticsearch.shield.authz.Permission;
import org.elasticsearch.shield.authz.Privilege;
import org.elasticsearch.shield.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.shield.authz.indicesresolver.DefaultIndicesAndAliasesResolver;
import org.elasticsearch.shield.authz.indicesresolver.IndicesAndAliasesResolver;
import org.elasticsearch.shield.authz.store.RolesStore;
import org.elasticsearch.shield.support.Exceptions;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:lib/shield-2.4.0.jar:org/elasticsearch/shield/authz/InternalAuthorizationService.class */
public class InternalAuthorizationService extends AbstractComponent implements AuthorizationService {
    public static final String INDICES_PERMISSIONS_KEY = "_indices_permissions";
    private static final Predicate<String> MONITOR_INDEX_PREDICATE;
    private final ClusterService clusterService;
    private final RolesStore rolesStore;
    private final AuditTrail auditTrail;
    private final IndicesAndAliasesResolver[] indicesAndAliasesResolvers;
    private final AnonymousService anonymousService;
    private final AuthenticationFailureHandler authcFailureHandler;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Inject
    public InternalAuthorizationService(Settings settings, RolesStore rolesStore, ClusterService clusterService, AuditTrail auditTrail, AnonymousService anonymousService, AuthenticationFailureHandler authenticationFailureHandler, IndexNameExpressionResolver indexNameExpressionResolver) {
        super(settings);
        this.rolesStore = rolesStore;
        this.clusterService = clusterService;
        this.auditTrail = auditTrail;
        this.indicesAndAliasesResolvers = new IndicesAndAliasesResolver[]{new DefaultIndicesAndAliasesResolver(this, indexNameExpressionResolver)};
        this.anonymousService = anonymousService;
        this.authcFailureHandler = authenticationFailureHandler;
    }

    @Override // org.elasticsearch.shield.authz.AuthorizationService
    public List<String> authorizedIndicesAndAliases(User user, String str) {
        String[] roles = user.roles();
        if (roles.length == 0) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        for (String str2 : roles) {
            Permission.Global.Role role = this.rolesStore.role(str2);
            if (role != null) {
                arrayList.add(role.indices().allowedIndicesMatcher(str));
            }
        }
        ArrayList arrayList2 = new ArrayList();
        Predicate or = Predicates.or(arrayList);
        Iterator it = this.clusterService.state().metaData().getAliasAndIndexLookup().entrySet().iterator();
        while (it.hasNext()) {
            String str3 = (String) ((Map.Entry) it.next()).getKey();
            if (or.apply(str3)) {
                arrayList2.add(str3);
            }
        }
        if (!InternalShieldUser.is(user) && arrayList2.remove(ShieldTemplateService.SECURITY_INDEX_NAME)) {
            this.logger.debug("removed [{}] from user [{}] list of authorized indices", new Object[]{ShieldTemplateService.SECURITY_INDEX_NAME, user.principal()});
        }
        return Collections.unmodifiableList(arrayList2);
    }

    @Override // org.elasticsearch.shield.authz.AuthorizationService
    public void authorize(User user, String str, TransportRequest transportRequest) throws ElasticsearchSecurityException {
        if (InternalSystemUser.is(user)) {
            if (!InternalSystemUser.isAuthorized(str)) {
                throw denial(user, str, transportRequest);
            }
            transportRequest.putInContext(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL);
            grant(user, str, transportRequest);
            return;
        }
        Permission.Global permission = permission(user.roles());
        boolean z = user.runAs() != null;
        if (permission == null || permission.isEmpty()) {
            if (!z) {
                throw denial(user, str, transportRequest);
            }
            throw denyRunAs(user, str, transportRequest);
        }
        if (z) {
            Permission.RunAs runAs = permission.runAs();
            if (runAs == null || !runAs.check(user.runAs().principal())) {
                throw denyRunAs(user, str, transportRequest);
            }
            grantRunAs(user, str, transportRequest);
            permission = permission(user.runAs().roles());
            if (permission == null || permission.isEmpty()) {
                throw denial(user, str, transportRequest);
            }
        }
        if (Privilege.Cluster.ACTION_MATCHER.apply(str)) {
            Permission.Cluster cluster = permission.cluster();
            if (cluster == null || !cluster.check(str)) {
                throw denial(user, str, transportRequest);
            }
            transportRequest.putInContext(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL);
            grant(user, str, transportRequest);
            return;
        }
        if (!Privilege.Index.ACTION_MATCHER.apply(str)) {
            throw denial(user, str, transportRequest);
        }
        if (!(transportRequest instanceof IndicesRequest) && !(transportRequest instanceof CompositeIndicesRequest)) {
            if (isScrollRelatedAction(str)) {
                grant(user, str, transportRequest);
                return;
            } else {
                if (!$assertionsDisabled) {
                    throw new AssertionError("only scroll related requests are known indices api that don't support retrieving the indices they relate to");
                }
                throw denial(user, str, transportRequest);
            }
        }
        if (permission.indices() == null || permission.indices().isEmpty()) {
            throw denial(user, str, transportRequest);
        }
        ClusterState state = this.clusterService.state();
        Set<String> resolveIndices = resolveIndices(user, str, transportRequest, state);
        if (!$assertionsDisabled && resolveIndices.isEmpty()) {
            throw new AssertionError("every indices request needs to have its indices set thus the resolved indices must not be empty");
        }
        MetaData metaData = state.metaData();
        IndicesAccessControl authorize = permission.authorize(str, resolveIndices, metaData);
        if (!authorize.isGranted()) {
            throw denial(user, str, transportRequest);
        }
        if (authorize.getIndexPermissions(ShieldTemplateService.SECURITY_INDEX_NAME) != null && authorize.getIndexPermissions(ShieldTemplateService.SECURITY_INDEX_NAME).isGranted() && !InternalShieldUser.is(user) && !MONITOR_INDEX_PREDICATE.apply(str)) {
            this.logger.debug("user [{}] attempted to directly perform [{}] against the security index [{}]", new Object[]{user.principal(), str, ShieldTemplateService.SECURITY_INDEX_NAME});
            throw denial(user, str, transportRequest);
        }
        transportRequest.putInContext(INDICES_PERMISSIONS_KEY, authorize);
        if (Privilege.Index.CREATE_INDEX_MATCHER.apply(str)) {
            if (!$assertionsDisabled && !(transportRequest instanceof CreateIndexRequest)) {
                throw new AssertionError();
            }
            Set aliases = ((CreateIndexRequest) transportRequest).aliases();
            if (!aliases.isEmpty()) {
                HashSet newHashSet = Sets.newHashSet(resolveIndices);
                Iterator it = aliases.iterator();
                while (it.hasNext()) {
                    newHashSet.add(((Alias) it.next()).name());
                }
                if (!permission.authorize("indices:admin/aliases", newHashSet, metaData).isGranted()) {
                    throw denial(user, "indices:admin/aliases", transportRequest);
                }
            }
        }
        grant(user, str, transportRequest);
    }

    private Permission.Global permission(String[] strArr) {
        if (strArr.length == 0) {
            return Permission.Global.NONE;
        }
        if (strArr.length == 1) {
            Permission.Global.Role role = this.rolesStore.role(strArr[0]);
            return role == null ? Permission.Global.NONE : role;
        }
        Permission.Global.Compound.Builder builder = Permission.Global.Compound.builder();
        for (String str : strArr) {
            Permission.Global.Role role2 = this.rolesStore.role(str);
            if (role2 != null) {
                builder.add(role2);
            }
        }
        return builder.build();
    }

    private Set<String> resolveIndices(User user, String str, TransportRequest transportRequest, ClusterState clusterState) {
        MetaData metaData = clusterState.metaData();
        for (IndicesAndAliasesResolver indicesAndAliasesResolver : this.indicesAndAliasesResolvers) {
            if (indicesAndAliasesResolver.requestType().isInstance(transportRequest)) {
                return indicesAndAliasesResolver.resolve(user, str, transportRequest, metaData);
            }
        }
        if ($assertionsDisabled) {
            throw denial(user, str, transportRequest);
        }
        throw new AssertionError("we should be able to resolve indices for any known request that requires indices privileges");
    }

    private static boolean isScrollRelatedAction(String str) {
        return str.equals("indices:data/read/scroll") || str.equals("indices:data/read/search[phase/scan/scroll]") || str.equals("indices:data/read/search[phase/fetch/id/scroll]") || str.equals("indices:data/read/search[phase/query+fetch/scroll]") || str.equals("indices:data/read/search[phase/query/scroll]") || str.equals("indices:data/read/search[free_context/scroll]") || str.equals("indices:data/read/scroll/clear") || str.equals("indices:data/read/search[clear_scroll_contexts]");
    }

    private ElasticsearchSecurityException denial(User user, String str, TransportRequest transportRequest) {
        this.auditTrail.accessDenied(user, str, transportRequest);
        return denialException(user, str);
    }

    private ElasticsearchSecurityException denyRunAs(User user, String str, TransportRequest transportRequest) {
        this.auditTrail.runAsDenied(user, str, transportRequest);
        return denialException(user, str);
    }

    private void grant(User user, String str, TransportRequest transportRequest) {
        this.auditTrail.accessGranted(user, str, transportRequest);
    }

    private void grantRunAs(User user, String str, TransportRequest transportRequest) {
        this.auditTrail.runAsGranted(user, str, transportRequest);
    }

    private ElasticsearchSecurityException denialException(User user, String str) {
        if (!this.anonymousService.isAnonymous(user) || this.anonymousService.authorizationExceptionsEnabled()) {
            return user.runAs() != null ? Exceptions.authorizationError("action [{}] is unauthorized for user [{}] run as [{}]", str, user.principal(), user.runAs().principal()) : Exceptions.authorizationError("action [{}] is unauthorized for user [{}]", str, user.principal());
        }
        throw this.authcFailureHandler.authenticationRequired(str);
    }

    static {
        $assertionsDisabled = !InternalAuthorizationService.class.desiredAssertionStatus();
        MONITOR_INDEX_PREDICATE = Privilege.Index.MONITOR.predicate();
    }
}
