package org.elasticsearch.xpack.security.action.interceptor;

import java.util.HashMap;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/action/interceptor/IndicesAliasesRequestInterceptor.class */
/**
 * Request interceptor that vets {@link IndicesAliasesRequest}s before they are executed.
 *
 * <p>Only alias actions of type {@code ADD} are inspected. Two independent checks are applied:
 * <ol>
 *   <li>When the license allows document and field level security, adding an alias is rejected
 *       if the access control stored in the thread context reports field level security or
 *       document level queries for any of the target indices.</li>
 *   <li>Regardless of license, adding an alias is rejected when the actions the role allows on
 *       the alias name are not a subset of the actions it allows on the index name, so an alias
 *       cannot carry more permissions than the index it points to.</li>
 * </ol>
 */
public final class IndicesAliasesRequestInterceptor implements RequestInterceptor<IndicesAliasesRequest> {
    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;
    private final AuditTrailService auditTrailService;

    /**
     * Creates the interceptor.
     *
     * @param threadContext     context from which the per-request index access control is read
     * @param xPackLicenseState license state consulted for document/field level security
     * @param auditTrailService audit trail notified when the permission-subset check fails
     */
    public IndicesAliasesRequestInterceptor(ThreadContext threadContext, XPackLicenseState xPackLicenseState, AuditTrailService auditTrailService) {
        this.auditTrailService = auditTrailService;
        this.licenseState = xPackLicenseState;
        this.threadContext = threadContext;
    }

    /**
     * Applies both alias checks to the request and throws if either one fails.
     *
     * @param indicesAliasesRequest the alias request being authorized
     * @param user                  the user issuing the request (passed to the audit trail on denial)
     * @param role                  the role whose index permissions are compared
     * @param str                   the action name (passed to the audit trail on denial)
     * @throws ElasticsearchSecurityException if an alias is added on an index restricted by field
     *                                        or document level security, or if the alias would
     *                                        have more permissions than the index
     */
    @Override
    public void intercept(IndicesAliasesRequest indicesAliasesRequest, User user, Role role, String str) {
        if (this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            rejectAliasOnRestrictedIndex(indicesAliasesRequest);
        }
        rejectAliasBroaderThanIndex(indicesAliasesRequest, user, role, str);
    }

    /**
     * Rejects the request when any index targeted by an ADD action has field level security or
     * document level queries in the current access control.
     */
    private void rejectAliasOnRestrictedIndex(IndicesAliasesRequest request) {
        // NOTE(review): the transient is dereferenced without a null check; if it is absent the
        // request fails with a NullPointerException rather than a security exception. Confirm
        // that authorization always stores it before interceptors run.
        final IndicesAccessControl accessControl =
                (IndicesAccessControl) this.threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
        for (IndicesAliasesRequest.AliasActions action : request.getAliasActions()) {
            if (action.actionType() != IndicesAliasesRequest.AliasActions.Type.ADD) {
                continue;
            }
            for (String index : action.indices()) {
                final IndicesAccessControl.IndexAccessControl indexAccess = accessControl.getIndexPermissions(index);
                if (indexAccess == null) {
                    // No access control entry for this index name: nothing to check here.
                    continue;
                }
                final boolean fieldLevel = indexAccess.getFieldPermissions().hasFieldLevelSecurity();
                final boolean documentLevel = indexAccess.getQueries() != null;
                if (fieldLevel || documentLevel) {
                    // NOTE(review): unlike the permission-subset denial, this rejection is raised
                    // as BAD_REQUEST and does not call auditTrailService.accessDenied - confirm
                    // that is intended.
                    throw new ElasticsearchSecurityException(
                            "Alias requests are not allowed for users who have field or document level security enabled on one of the indices",
                            RestStatus.BAD_REQUEST);
                }
            }
        }
    }

    /**
     * Rejects the request, after recording an access-denied audit event, when the role's allowed
     * actions for an alias name are not a subset of its allowed actions for the index name.
     */
    private void rejectAliasBroaderThanIndex(IndicesAliasesRequest request, User user, Role role, String action) {
        // Caches the allowed-actions automaton per name; index and alias names share the cache.
        final HashMap<String, Automaton> allowedByName = new HashMap<>();
        for (IndicesAliasesRequest.AliasActions aliasAction : request.getAliasActions()) {
            if (aliasAction.actionType() != IndicesAliasesRequest.AliasActions.Type.ADD) {
                continue;
            }
            for (String index : aliasAction.indices()) {
                final Automaton indexAllowed = allowedByName.computeIfAbsent(index, role.indices()::allowedActionsMatcher);
                for (String alias : aliasAction.aliases()) {
                    final Automaton aliasAllowed = allowedByName.computeIfAbsent(alias, role.indices()::allowedActionsMatcher);
                    if (Operations.subsetOf(aliasAllowed, indexAllowed)) {
                        continue;
                    }
                    // Audit first so the denial is recorded even though the call ends in an exception.
                    this.auditTrailService.accessDenied(user, action, request);
                    throw Exceptions.authorizationError("Adding an alias is not allowed when the alias has more permissions than any of the indices");
                }
            }
        }
    }

    /**
     * Reports whether this interceptor handles the given request.
     *
     * @param transportRequest the request to test
     * @return {@code true} only for {@link IndicesAliasesRequest} instances
     */
    @Override
    public boolean supports(TransportRequest transportRequest) {
        return transportRequest instanceof IndicesAliasesRequest;
    }
}
