package com.amazon.opendistroforelasticsearch.security.configuration;

import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.HeaderHelper;
import com.amazon.opendistroforelasticsearch.security.support.OpenDistroSecurityUtils;
import com.google.common.collect.ImmutableList;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.StreamSupport;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.BytesRef;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.search.DocValueFormat;
import org.elasticsearch.search.aggregations.BucketOrder;
import org.elasticsearch.search.aggregations.InternalAggregation;
import org.elasticsearch.search.aggregations.InternalAggregations;
import org.elasticsearch.search.aggregations.bucket.MultiBucketsAggregation;
import org.elasticsearch.search.aggregations.bucket.terms.InternalTerms;
import org.elasticsearch.search.aggregations.bucket.terms.StringTerms;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.search.internal.SearchContext;
import org.elasticsearch.search.query.QuerySearchResult;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/configuration/DlsFlsValveImpl.class */
public class DlsFlsValveImpl implements DlsFlsRequestValve {
    private static final Logger log;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/configuration/DlsFlsValveImpl$BucketMerger.class */
    public static class BucketMerger implements Consumer<StringTerms.Bucket> {
        private Comparator<MultiBucketsAggregation.Bucket> comparator;
        private int mergeCount;
        private long mergedDocCount;
        private long mergedDocCountError;
        private final ImmutableList.Builder<StringTerms.Bucket> builder;
        private StringTerms.Bucket bucket = null;
        private boolean showDocCountError = true;

        BucketMerger(Comparator<MultiBucketsAggregation.Bucket> comparator, int i) {
            this.comparator = (Comparator) Objects.requireNonNull(comparator);
            this.builder = ImmutableList.builderWithExpectedSize(i);
        }

        private void finalizeBucket() {
            if (this.mergeCount == 1) {
                this.builder.add(this.bucket);
            } else {
                this.builder.add(new StringTerms.Bucket(StringTermsGetter.getTerm(this.bucket), this.mergedDocCount, this.bucket.getAggregations(), this.showDocCountError, this.mergedDocCountError, StringTermsGetter.getDocValueFormat(this.bucket)));
            }
        }

        private void merge(StringTerms.Bucket bucket) {
            if (this.bucket != null) {
                if (bucket == null || this.comparator.compare(this.bucket, bucket) != 0) {
                    finalizeBucket();
                    this.bucket = null;
                    this.mergeCount = 0;
                    this.mergedDocCount = 0L;
                    this.mergedDocCountError = 0L;
                    this.showDocCountError = true;
                }
            }
        }

        public List<StringTerms.Bucket> getBuckets() {
            merge(null);
            return this.builder.build();
        }

        @Override // java.util.function.Consumer
        public void accept(StringTerms.Bucket bucket) {
            merge(bucket);
            this.mergeCount++;
            this.mergedDocCount += bucket.getDocCount();
            if (this.showDocCountError) {
                try {
                    this.mergedDocCountError += bucket.getDocCountError();
                } catch (IllegalStateException e) {
                    this.showDocCountError = false;
                }
            }
            this.bucket = bucket;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/configuration/DlsFlsValveImpl$StringTermsGetter.class */
    public static class StringTermsGetter {
        private static final Field REDUCE_ORDER = getField(InternalTerms.class, "reduceOrder");
        private static final Field TERM_BYTES = getField(StringTerms.Bucket.class, "termBytes");
        private static final Field FORMAT = getField(InternalTerms.Bucket.class, "format");

        private StringTermsGetter() {
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static <T> Field getFieldPrivileged(Class<T> cls, String str) {
            try {
                Field declaredField = cls.getDeclaredField(str);
                declaredField.setAccessible(true);
                return declaredField;
            } catch (NoSuchFieldException | SecurityException e) {
                DlsFlsValveImpl.log.error("Failed to get class {} declared field {}", cls.getSimpleName(), str, e);
                if (e instanceof RuntimeException) {
                    throw ((RuntimeException) e);
                }
                throw new RuntimeException(e);
            }
        }

        private static <T> Field getField(Class<T> cls, String str) {
            SpecialPermission.check();
            return (Field) AccessController.doPrivileged(() -> {
                return getFieldPrivileged(cls, str);
            });
        }

        private static <T, C> T getFieldValue(Field field, C c) {
            try {
                return (T) field.get(c);
            } catch (IllegalAccessException | IllegalArgumentException e) {
                DlsFlsValveImpl.log.error("Exception while getting value {} of class {}", field.getName(), c.getClass().getSimpleName(), e);
                if (e instanceof RuntimeException) {
                    throw ((RuntimeException) e);
                }
                throw new RuntimeException(e);
            }
        }

        public static BucketOrder getReduceOrder(StringTerms stringTerms) {
            return (BucketOrder) getFieldValue(REDUCE_ORDER, stringTerms);
        }

        public static BytesRef getTerm(StringTerms.Bucket bucket) {
            return (BytesRef) getFieldValue(TERM_BYTES, bucket);
        }

        public static DocValueFormat getDocValueFormat(StringTerms.Bucket bucket) {
            return (DocValueFormat) getFieldValue(FORMAT, bucket);
        }
    }

    @Override // com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsRequestValve
    public boolean invoke(ActionRequest actionRequest, ActionListener<?> actionListener, Map<String, Set<String>> map, Map<String, Set<String>> map2, Map<String, Set<String>> map3) {
        SearchSourceBuilder source;
        boolean z = (map == null || map.isEmpty()) ? false : true;
        boolean z2 = (map2 == null || map2.isEmpty()) ? false : true;
        boolean z3 = (map3 == null || map3.isEmpty()) ? false : true;
        if (z || z2 || z3) {
            if (actionRequest instanceof RealtimeRequest) {
                ((RealtimeRequest) actionRequest).realtime(Boolean.FALSE.booleanValue());
            }
            if (actionRequest instanceof SearchRequest) {
                ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
            }
            if (actionRequest instanceof UpdateRequest) {
                actionListener.onFailure(new ElasticsearchSecurityException("Update is not supported when FLS or DLS or Fieldmasking is activated", new Object[0]));
                return false;
            }
            if (actionRequest instanceof BulkRequest) {
                Iterator it = ((BulkRequest) actionRequest).requests().iterator();
                while (it.hasNext()) {
                    if (((DocWriteRequest) it.next()) instanceof UpdateRequest) {
                        actionListener.onFailure(new ElasticsearchSecurityException("Update is not supported when FLS or DLS or Fieldmasking is activated", new Object[0]));
                        return false;
                    }
                }
            }
            if (actionRequest instanceof BulkShardRequest) {
                for (BulkItemRequest bulkItemRequest : ((BulkShardRequest) actionRequest).items()) {
                    if (bulkItemRequest.request() instanceof UpdateRequest) {
                        actionListener.onFailure(new ElasticsearchSecurityException("Update is not supported when FLS or DLS or Fieldmasking is activated", new Object[0]));
                        return false;
                    }
                }
            }
            if (actionRequest instanceof ResizeRequest) {
                actionListener.onFailure(new ElasticsearchSecurityException("Resize is not supported when FLS or DLS or Fieldmasking is activated", new Object[0]));
                return false;
            }
        }
        if (!z3 || !(actionRequest instanceof SearchRequest) || (source = ((SearchRequest) actionRequest).source()) == null || !source.profile()) {
            return true;
        }
        actionListener.onFailure(new ElasticsearchSecurityException("Profiling is not supported when DLS is activated", new Object[0]));
        return false;
    }

    @Override // com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsRequestValve
    public void handleSearchContext(SearchContext searchContext, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry) {
        try {
            Map map = (Map) HeaderHelper.deserializeSafeFromHeader(threadPool.getThreadContext(), ConfigConstants.OPENDISTRO_SECURITY_DLS_QUERY_HEADER);
            String evalMap = OpenDistroSecurityUtils.evalMap(map, searchContext.indexShard().indexSettings().getIndex().getName());
            if (evalMap != null) {
                if (searchContext.suggest() != null) {
                    return;
                }
                if (!$assertionsDisabled && searchContext.parsedQuery() == null) {
                    throw new AssertionError();
                }
                Set set = (Set) map.get(evalMap);
                if (set != null && !set.isEmpty()) {
                    searchContext.parsedQuery(DlsQueryParser.parse(set, searchContext.parsedQuery(), searchContext.getQueryShardContext(), namedXContentRegistry));
                    searchContext.preProcess(true);
                }
            }
        } catch (Exception e) {
            throw new RuntimeException("Error evaluating dls for a search query: " + e, e);
        }
    }

    @Override // com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsRequestValve
    public void onQueryPhase(QuerySearchResult querySearchResult) {
        InternalAggregations expand = querySearchResult.aggregations().expand();
        if (!$assertionsDisabled && expand == null) {
            throw new AssertionError();
        }
        querySearchResult.aggregations(InternalAggregations.from((List) StreamSupport.stream(expand.spliterator(), false).map(aggregation -> {
            return aggregateBuckets((InternalAggregation) aggregation);
        }).collect(ImmutableList.toImmutableList())));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static InternalAggregation aggregateBuckets(InternalAggregation internalAggregation) {
        if (internalAggregation instanceof StringTerms) {
            StringTerms stringTerms = (StringTerms) internalAggregation;
            List buckets = stringTerms.getBuckets();
            if (buckets.size() > 1) {
                internalAggregation = stringTerms.create(mergeBuckets(buckets, StringTermsGetter.getReduceOrder(stringTerms).comparator()));
            }
        }
        return internalAggregation;
    }

    private static List<StringTerms.Bucket> mergeBuckets(List<StringTerms.Bucket> list, Comparator<MultiBucketsAggregation.Bucket> comparator) {
        if (log.isDebugEnabled()) {
            log.debug("Merging buckets: {}", list.stream().map(bucket -> {
                return bucket.getKeyAsString();
            }).collect(ImmutableList.toImmutableList()));
        }
        list.sort(comparator);
        BucketMerger bucketMerger = new BucketMerger(comparator, list.size());
        list.stream().forEach(bucketMerger);
        List<StringTerms.Bucket> buckets = bucketMerger.getBuckets();
        if (log.isDebugEnabled()) {
            log.debug("New buckets: {}", buckets.stream().map(bucket2 -> {
                return bucket2.getKeyAsString();
            }).collect(ImmutableList.toImmutableList()));
        }
        return buckets;
    }

    static {
        $assertionsDisabled = !DlsFlsValveImpl.class.desiredAssertionStatus();
        log = LogManager.getLogger(DlsFlsValveImpl.class);
    }
}
