package org.elasticsearch.xpack.security.action.interceptor;

import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/action/interceptor/BulkShardRequestInterceptor.class */
/**
 * Request interceptor that rejects a {@link BulkShardRequest} when it carries an
 * {@link UpdateRequest} item for an index whose access control has field level
 * security or document level security queries attached.
 *
 * <p>NOTE(review): presumably updates are refused because an update is applied on top of
 * the stored document, which a caller restricted by field or document level security may
 * not be entitled to read in full. Confirm against the product documentation.
 */
public class BulkShardRequestInterceptor extends AbstractComponent implements RequestInterceptor<BulkShardRequest> {
    // Thread context from which the per-request IndicesAccessControl transient is read.
    private final ThreadContext threadContext;
    // License gate: the check below runs only when document and field level security is allowed.
    private final XPackLicenseState licenseState;

    /**
     * Creates the interceptor.
     *
     * @param settings          settings handed to {@link AbstractComponent}
     * @param threadPool        source of the {@link ThreadContext} used to look up index permissions
     * @param xPackLicenseState license state consulted on every intercepted request
     */
    public BulkShardRequestInterceptor(Settings settings, ThreadPool threadPool, XPackLicenseState xPackLicenseState) {
        super(settings);
        this.licenseState = xPackLicenseState;
        this.threadContext = threadPool.getThreadContext();
    }

    /**
     * Inspects every item of the bulk shard request and throws as soon as an update item targets
     * an index restricted by field or document level security.
     *
     * <p>The method does nothing when the license does not allow document and field level security.
     * Items whose index has no entry in the access control object are not checked here.
     *
     * @param bulkShardRequest the shard-level bulk request to inspect
     * @param user             not used by this implementation
     * @param role             not used by this implementation
     * @param str              not used by this implementation
     * @throws ElasticsearchSecurityException with {@link RestStatus#BAD_REQUEST} when a restricted
     *                                        index receives an update item
     */
    @Override
    public void intercept(BulkShardRequest bulkShardRequest, User user, Role role, String str) {
        if (!this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            return;
        }
        // NOTE(review): the transient is dereferenced without a null check; if it were absent the
        // request would fail with a NullPointerException rather than a security exception.
        final IndicesAccessControl accessControl =
                (IndicesAccessControl) this.threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
        for (BulkItemRequest item : bulkShardRequest.items()) {
            final IndicesAccessControl.IndexAccessControl perIndex = accessControl.getIndexPermissions(item.index());
            if (perIndex != null) {
                rejectUpdateOnRestrictedIndex(item, perIndex);
            }
            // Reached for every item that did not trigger the exception, restricted index or not.
            this.logger.trace("intercepted bulk request for index [{}] without any update requests, continuing execution", item.index());
        }
    }

    /** Throws when the item is an update and the index permissions carry field or document level security. */
    private static void rejectUpdateOnRestrictedIndex(BulkItemRequest item, IndicesAccessControl.IndexAccessControl perIndex) {
        final boolean fieldLevelSecurity = perIndex.getFieldPermissions().hasFieldLevelSecurity();
        final boolean documentLevelSecurity = perIndex.getQueries() != null;
        if (!fieldLevelSecurity && !documentLevelSecurity) {
            return;
        }
        if (item.request() instanceof UpdateRequest) {
            throw new ElasticsearchSecurityException("Can't execute a bulk request with update requests embedded if field or document level security is enabled", RestStatus.BAD_REQUEST, new Object[0]);
        }
    }

    /**
     * Reports whether this interceptor handles the given request.
     *
     * @param transportRequest the request about to be intercepted
     * @return {@code true} only for instances of {@link BulkShardRequest}
     */
    @Override
    public boolean supports(TransportRequest transportRequest) {
        return BulkShardRequest.class.isInstance(transportRequest);
    }
}
