package com.amazon.opendistroforelasticsearch.security.privileges;

import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog;
import com.amazon.opendistroforelasticsearch.security.resolver.IndexResolverReplacer;
import com.amazon.opendistroforelasticsearch.security.securityconf.SecurityRoles;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.RealtimeRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/privileges/OpenDistroProtectedIndexAccessEvaluator.class */
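/**
 * Privilege evaluator that guards "protected" indices (configured via
 * {@code ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY}).
 *
 * <p>Semantics, as implemented in {@link #evaluate}:
 * <ul>
 *   <li>If the feature is disabled, the incoming response is returned untouched.</li>
 *   <li>If the request targets a protected index (or {@code _all}), the caller holds none of the
 *       allowed roles, and the action name matches one of {@link #DENIED_ACTION_PATTERNS}, the
 *       request is audited as a missing-privilege event and the response is marked
 *       {@code allowed = false} and complete.</li>
 *   <li>If the request targets a protected index (or {@code _all}) and the caller holds none of
 *       the allowed roles but the action is not on the deny list, the request is let through with
 *       search request cache and realtime lookups disabled.</li>
 * </ul>
 *
 * <p>Note that the action check is a deny-list: an action name that matches none of the patterns
 * is not blocked here, so adding a new mutating action type requires extending the list.
 */
public class OpenDistroProtectedIndexAccessEvaluator {

    /**
     * Action-name patterns that regular (non-exempt) users may not run against protected indices.
     * Kept as an immutable constant; the original built a fresh raw {@code ArrayList} per instance.
     */
    private static final List<String> DENIED_ACTION_PATTERNS = Arrays.asList(
            "indices:data/write*",
            "indices:admin/delete*",
            "indices:admin/mapping/delete*",
            "indices:admin/mapping/put*",
            "indices:admin/freeze*",
            "indices:admin/settings/update*",
            "indices:admin/aliases",
            "indices:admin/close*",
            "cluster:admin/snapshot/restore*");

    protected final Logger log = LogManager.getLogger(getClass());
    private final AuditLog auditLog;
    // Patterns naming the protected indices.
    private final WildcardMatcher indexMatcher;
    // Patterns naming roles that are exempt from every rule in this evaluator.
    private final WildcardMatcher allowedRolesMatcher;
    // Master switch read from settings; when false, evaluate() is a no-op.
    private final boolean protectedIndexEnabled;
    // Matcher built from DENIED_ACTION_PATTERNS.
    private final WildcardMatcher deniedActionMatcher;

    /**
     * Creates the evaluator from cluster settings.
     *
     * @param settings cluster settings providing the protected-index names, the allowed roles and
     *                 the enabled flag (each falling back to its {@code ConfigConstants} default)
     * @param auditLog audit sink that receives a missing-privilege event for every denied request
     */
    public OpenDistroProtectedIndexAccessEvaluator(Settings settings, AuditLog auditLog) {
        this.indexMatcher = WildcardMatcher.from(settings.getAsList(
                ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY,
                ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_DEFAULT));
        this.allowedRolesMatcher = WildcardMatcher.from(settings.getAsList(
                ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY,
                ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_DEFAULT));
        // Unboxed once here rather than on every evaluate() call.
        this.protectedIndexEnabled = settings.getAsBoolean(
                ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY,
                ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT);
        this.auditLog = auditLog;
        this.deniedActionMatcher = WildcardMatcher.from(DENIED_ACTION_PATTERNS);
    }

    /**
     * Applies the protected-index rules to one request.
     *
     * @param actionRequest the request under evaluation; also passed to the audit log on denial
     * @param task the task executing the request, forwarded to the audit log
     * @param str the action name that is matched against the denied-action patterns
     * @param resolved the resolved index set of the request; {@code getAllIndices()} is matched
     *                 against the protected-index patterns and {@code isLocalAll()} covers
     *                 {@code _all}-style requests
     * @param privilegesEvaluatorResponse the response being built by the caller; mutated in place
     *                                    on denial
     * @param securityRoles roles of the caller, matched against the allowed-role patterns
     * @return the same {@code privilegesEvaluatorResponse} instance; on denial it has
     *         {@code allowed == false} and has been marked complete
     */
    public PrivilegesEvaluatorResponse evaluate(ActionRequest actionRequest, Task task, String str,
            IndexResolverReplacer.Resolved resolved, PrivilegesEvaluatorResponse privilegesEvaluatorResponse,
            SecurityRoles securityRoles) {
        if (!this.protectedIndexEnabled) {
            return privilegesEvaluatorResponse;
        }

        // Each predicate is evaluated once; the original recomputed them in every branch.
        final boolean targetsProtectedIndex = this.indexMatcher.matchAny(resolved.getAllIndices());
        final boolean targetsAllIndices = resolved.isLocalAll();
        if (!targetsProtectedIndex && !targetsAllIndices) {
            // Request does not touch a protected index: nothing for this evaluator to do.
            return privilegesEvaluatorResponse;
        }
        if (this.allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) {
            // Caller holds an exempt role: no denial and no cache/realtime downgrade.
            return privilegesEvaluatorResponse;
        }

        if (this.deniedActionMatcher.test(str)) {
            this.auditLog.logMissingPrivileges(str, (TransportRequest) actionRequest, task);
            // The action name is passed as a log argument rather than concatenated into the
            // pattern, so a '{}' inside it is never interpreted as a placeholder.
            if (targetsProtectedIndex) {
                this.log.warn("{} for '{}' index/indices is not allowed for a regular user", str, this.indexMatcher);
            } else {
                this.log.warn("{} for '_all' indices is not allowed for a regular user", str);
            }
            privilegesEvaluatorResponse.allowed = false;
            return privilegesEvaluatorResponse.markComplete();
        }

        // Non-denied action on a protected index by a non-exempt user: let it through, but
        // without request cache / realtime (presumably so the result cannot come from state
        // populated by a more privileged request — confirm against the calling evaluator).
        if (actionRequest instanceof SearchRequest) {
            ((SearchRequest) actionRequest).requestCache(Boolean.FALSE);
            this.log.debug("Disable search request cache for this request");
        }
        if (actionRequest instanceof RealtimeRequest) {
            ((RealtimeRequest) actionRequest).realtime(false);
            this.log.debug("Disable realtime for this request");
        }
        return privilegesEvaluatorResponse;
    }
}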
