package org.elasticsearch.xpack.security.action.interceptor;

import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/action/interceptor/ResizeRequestInterceptor.class */
public final class ResizeRequestInterceptor extends AbstractComponent implements RequestInterceptor<ResizeRequest> {
    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;
    private final AuditTrailService auditTrailService;

    public ResizeRequestInterceptor(Settings settings, ThreadPool threadPool, XPackLicenseState xPackLicenseState, AuditTrailService auditTrailService) {
        super(settings);
        this.threadContext = threadPool.getThreadContext();
        this.licenseState = xPackLicenseState;
        this.auditTrailService = auditTrailService;
    }

    @Override // org.elasticsearch.xpack.security.action.interceptor.RequestInterceptor
    public void intercept(ResizeRequest resizeRequest, User user, Role role, String str) {
        IndicesAccessControl.IndexAccessControl indexPermissions;
        if (this.licenseState.isDocumentAndFieldLevelSecurityAllowed() && (indexPermissions = ((IndicesAccessControl) this.threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY)).getIndexPermissions(resizeRequest.getSourceIndex())) != null) {
            boolean hasFieldLevelSecurity = indexPermissions.getFieldPermissions().hasFieldLevelSecurity();
            boolean z = indexPermissions.getQueries() != null;
            if (hasFieldLevelSecurity || z) {
                throw new ElasticsearchSecurityException("Resize requests are not allowed for users when field or document level security is enabled on the source index", RestStatus.BAD_REQUEST, new Object[0]);
            }
        }
        if (Operations.subsetOf(role.indices().allowedActionsMatcher(resizeRequest.getTargetIndexRequest().index()), role.indices().allowedActionsMatcher(resizeRequest.getSourceIndex()))) {
            return;
        }
        this.auditTrailService.accessDenied(user, str, resizeRequest);
        throw Exceptions.authorizationError("Resizing an index is not allowed when the target index has more permissions than the source index", new Object[0]);
    }

    @Override // org.elasticsearch.xpack.security.action.interceptor.RequestInterceptor
    public boolean supports(TransportRequest transportRequest) {
        return transportRequest instanceof ResizeRequest;
    }
}
