package com.amazon.opendistroforelasticsearch.security.filter;

import com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin;
import com.amazon.opendistroforelasticsearch.security.action.whoami.WhoAmIAction;
import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog;
import com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry;
import com.amazon.opendistroforelasticsearch.security.auth.RolesInjector;
import com.amazon.opendistroforelasticsearch.security.compliance.ComplianceConfig;
import com.amazon.opendistroforelasticsearch.security.configuration.AdminDNs;
import com.amazon.opendistroforelasticsearch.security.configuration.CompatConfig;
import com.amazon.opendistroforelasticsearch.security.configuration.DlsFlsRequestValve;
import com.amazon.opendistroforelasticsearch.security.privileges.PrivilegesEvaluator;
import com.amazon.opendistroforelasticsearch.security.privileges.PrivilegesEvaluatorResponse;
import com.amazon.opendistroforelasticsearch.security.resolver.IndexResolverReplacer;
import com.amazon.opendistroforelasticsearch.security.support.Base64Helper;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.HeaderHelper;
import com.amazon.opendistroforelasticsearch.security.support.SourceFieldsContext;
import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher;
import com.amazon.opendistroforelasticsearch.security.user.User;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import java.util.Collections;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ResourceAlreadyExistsException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.action.admin.indices.alias.Alias;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.close.CloseIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.reindex.DeleteByQueryRequest;
import org.elasticsearch.index.reindex.UpdateByQueryRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/filter/OpenDistroSecurityFilter.class */
public class OpenDistroSecurityFilter implements ActionFilter {
    private final PrivilegesEvaluator evalp;
    private final AdminDNs adminDns;
    private DlsFlsRequestValve dlsFlsValve;
    private final AuditLog auditLog;
    private final ThreadContext threadContext;
    private final ClusterService cs;
    private final CompatConfig compatConfig;
    private final IndexResolverReplacer indexResolverReplacer;
    private final WildcardMatcher immutableIndicesMatcher;
    private final Client client;
    private final BackendRegistry backendRegistry;
    protected final Logger log = LogManager.getLogger(getClass());
    private final RolesInjector rolesInjector = new RolesInjector();

    public OpenDistroSecurityFilter(Client client, Settings settings, PrivilegesEvaluator privilegesEvaluator, AdminDNs adminDNs, DlsFlsRequestValve dlsFlsRequestValve, AuditLog auditLog, ThreadPool threadPool, ClusterService clusterService, CompatConfig compatConfig, IndexResolverReplacer indexResolverReplacer, BackendRegistry backendRegistry) {
        this.client = client;
        this.evalp = privilegesEvaluator;
        this.adminDns = adminDNs;
        this.dlsFlsValve = dlsFlsRequestValve;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
        this.cs = clusterService;
        this.compatConfig = compatConfig;
        this.indexResolverReplacer = indexResolverReplacer;
        this.immutableIndicesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_IMMUTABLE_INDICES, Collections.emptyList()));
        this.backendRegistry = backendRegistry;
        this.log.info("{} indices are made immutable.", this.immutableIndicesMatcher);
    }

    @VisibleForTesting
    WildcardMatcher getImmutableIndicesMatcher() {
        return this.immutableIndicesMatcher;
    }

    public int order() {
        return Integer.MIN_VALUE;
    }

    public <Request extends ActionRequest, Response extends ActionResponse> void apply(Task task, String str, Request request, ActionListener<Response> actionListener, ActionFilterChain<Request, Response> actionFilterChain) {
        ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
        try {
            org.apache.logging.log4j.ThreadContext.clearAll();
            apply0(task, str, request, actionListener, actionFilterChain);
            if (newStoredContext != null) {
                newStoredContext.close();
            }
        } catch (Throwable th) {
            if (newStoredContext != null) {
                try {
                    newStoredContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Set<String> alias2Name(Set<Alias> set) {
        return (Set) set.stream().map(alias -> {
            return alias.name();
        }).collect(ImmutableSet.toImmutableSet());
    }

    private <Request extends ActionRequest, Response extends ActionResponse> void apply0(final Task task, final String str, final Request request, final ActionListener<Response> actionListener, final ActionFilterChain<Request, Response> actionFilterChain) {
        try {
            if (this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) == null) {
                this.threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN, AuditLog.Origin.LOCAL.toString());
            }
            ComplianceConfig complianceConfig = this.auditLog.getComplianceConfig();
            if (complianceConfig != null && complianceConfig.isEnabled()) {
                attachSourceFieldContext(request);
            }
            Set<String> injectUserAndRoles = this.rolesInjector.injectUserAndRoles(this.threadContext);
            boolean z = false;
            User user = (User) this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
            if (user == null) {
                User authenticate = this.backendRegistry.authenticate(request, null, task, str);
                user = authenticate;
                if (authenticate != null) {
                    this.threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user);
                    z = true;
                }
            }
            boolean isUserAdmin = isUserAdmin(user, this.adminDns);
            boolean isInterClusterRequest = HeaderHelper.isInterClusterRequest(this.threadContext);
            boolean isTrustedClusterRequest = HeaderHelper.isTrustedClusterRequest(this.threadContext);
            boolean equals = "true".equals(HeaderHelper.getSafeFromHeader(this.threadContext, ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER));
            boolean z2 = str.startsWith("indices:admin/seq_no") || str.equals(WhoAmIAction.NAME);
            boolean z3 = (isInterClusterRequest || HeaderHelper.isDirectRequest(this.threadContext)) && str.startsWith("internal:") && !str.startsWith("internal:transport/proxy");
            if (user != null) {
                org.apache.logging.log4j.ThreadContext.put("user", user.getName());
            }
            if (OpenDistroSecurityPlugin.isActionTraceEnabled()) {
                String str2 = request instanceof BulkRequest ? "" + ((BulkRequest) request).requests().size() : "";
                if (request instanceof MultiGetRequest) {
                    str2 = "" + ((MultiGetRequest) request).getItems().size();
                }
                if (request instanceof MultiSearchRequest) {
                    str2 = "" + ((MultiSearchRequest) request).requests().size();
                }
                OpenDistroSecurityPlugin.traceAction("Node " + this.cs.localNode().getName() + " -> " + str + " (" + str2 + "): userIsAdmin=" + isUserAdmin + "/conRequest=" + equals + "/internalRequest=" + z3 + "origin=" + this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) + "/directRequest=" + HeaderHelper.isDirectRequest(this.threadContext) + "/remoteAddress=" + request.remoteAddress());
                this.threadContext.putHeader("_opendistro_security_trace" + System.currentTimeMillis() + "#" + UUID.randomUUID().toString(), Thread.currentThread().getName() + " FILTER -> Node " + this.cs.localNode().getName() + " -> " + str + " userIsAdmin=" + isUserAdmin + "/conRequest=" + equals + "/internalRequest=" + z3 + "origin=" + this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) + "/directRequest=" + HeaderHelper.isDirectRequest(this.threadContext) + "/remoteAddress=" + request.remoteAddress() + " " + this.threadContext.getHeaders().entrySet().stream().filter(entry -> {
                    return !((String) entry.getKey()).startsWith("_opendistro_security_trace");
                }).collect(Collectors.toMap(entry2 -> {
                    return (String) entry2.getKey();
                }, entry3 -> {
                    return (String) entry3.getValue();
                })));
            }
            if (isUserAdmin || equals || z3 || z2) {
                if (isUserAdmin && !equals && !z3 && !z2) {
                    this.auditLog.logGrantedPrivileges(str, request, task);
                    this.auditLog.logIndexEvent(str, request, task);
                }
                actionFilterChain.proceed(task, str, request, actionListener);
                return;
            }
            if (this.immutableIndicesMatcher != WildcardMatcher.NONE) {
                boolean z4 = false;
                if (request instanceof BulkShardRequest) {
                    for (BulkItemRequest bulkItemRequest : ((BulkShardRequest) request).items()) {
                        z4 = checkImmutableIndices(bulkItemRequest.request(), actionListener);
                        if (z4) {
                            break;
                        }
                    }
                } else {
                    z4 = checkImmutableIndices(request, actionListener);
                }
                if (z4) {
                    return;
                }
            }
            if (AuditLog.Origin.LOCAL.toString().equals(this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN)) && ((isInterClusterRequest || HeaderHelper.isDirectRequest(this.threadContext)) && injectUserAndRoles == null && !z)) {
                actionFilterChain.proceed(task, str, request, actionListener);
                return;
            }
            if (user == null) {
                if (str.startsWith("cluster:monitor/state")) {
                    actionFilterChain.proceed(task, str, request, actionListener);
                    return;
                }
                if ((isInterClusterRequest || isTrustedClusterRequest || request.remoteAddress() == null) && !this.compatConfig.transportInterClusterAuthEnabled()) {
                    actionFilterChain.proceed(task, str, request, actionListener);
                    return;
                } else {
                    this.log.error("No user found for " + str + " from " + request.remoteAddress() + " " + this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_ORIGIN) + " via " + this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_CHANNEL_TYPE) + " " + this.threadContext.getHeaders());
                    actionListener.onFailure(new ElasticsearchSecurityException("No user found for " + str, RestStatus.INTERNAL_SERVER_ERROR, new Object[0]));
                    return;
                }
            }
            PrivilegesEvaluator privilegesEvaluator = this.evalp;
            if (!privilegesEvaluator.isInitialized()) {
                this.log.error("Open Distro Security not initialized for {}", str);
                actionListener.onFailure(new ElasticsearchSecurityException("Open Distro Security not initialized for " + str, RestStatus.SERVICE_UNAVAILABLE, new Object[0]));
                return;
            }
            if (this.log.isTraceEnabled()) {
                this.log.trace("Evaluate permissions for user: {}", user.getName());
            }
            PrivilegesEvaluatorResponse evaluate = privilegesEvaluator.evaluate(user, str, request, task, injectUserAndRoles);
            if (this.log.isDebugEnabled()) {
                this.log.debug(evaluate);
            }
            if (!evaluate.isAllowed()) {
                this.auditLog.logMissingPrivileges(str, (TransportRequest) request, task);
                String format = injectUserAndRoles == null ? String.format("no permissions for %s and %s", evaluate.getMissingPrivileges(), user) : String.format("no permissions for %s and associated roles %s", evaluate.getMissingPrivileges(), injectUserAndRoles);
                this.log.debug(format);
                actionListener.onFailure(new ElasticsearchSecurityException(format, RestStatus.FORBIDDEN, new Object[0]));
                return;
            }
            this.auditLog.logGrantedPrivileges(str, request, task);
            this.auditLog.logIndexEvent(str, request, task);
            if (this.dlsFlsValve.invoke(request, actionListener, evaluate.getAllowedFlsFields(), evaluate.getMaskedFields(), evaluate.getQueries())) {
                final CreateIndexRequest request2 = evaluate.getRequest();
                if (request2 == null) {
                    actionFilterChain.proceed(task, str, request, actionListener);
                } else {
                    this.client.admin().indices().create(request2, new ActionListener<CreateIndexResponse>() { // from class: com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityFilter.1
                        public void onResponse(CreateIndexResponse createIndexResponse) {
                            if (createIndexResponse.isAcknowledged()) {
                                OpenDistroSecurityFilter.this.log.debug("Request to create index {} with aliases {} acknowledged, proceeding with {}", request2.index(), OpenDistroSecurityFilter.alias2Name(request2.aliases()), request.getClass().getSimpleName());
                                actionFilterChain.proceed(task, str, request, actionListener);
                            } else {
                                ElasticsearchException elasticsearchException = new ElasticsearchException("Request to create index {} with aliases {} was not acknowledged, failing {}", new Object[]{request2.index(), OpenDistroSecurityFilter.alias2Name(request2.aliases()), request.getClass().getSimpleName()});
                                OpenDistroSecurityFilter.this.log.error(elasticsearchException.getMessage());
                                actionListener.onFailure(elasticsearchException);
                            }
                        }

                        public void onFailure(Exception exc) {
                            if (exc instanceof ResourceAlreadyExistsException) {
                                OpenDistroSecurityFilter.this.log.debug("Request to create index {} with aliases {} failed as resource already exist, proceeding with {}", request2.index(), OpenDistroSecurityFilter.alias2Name(request2.aliases()), request.getClass().getSimpleName(), exc);
                                actionFilterChain.proceed(task, str, request, actionListener);
                            } else {
                                OpenDistroSecurityFilter.this.log.error("Request to create index {} with aliases {} failed, failing {}", request2.index(), OpenDistroSecurityFilter.alias2Name(request2.aliases()), request.getClass().getSimpleName(), exc);
                                actionListener.onFailure(exc);
                            }
                        }
                    });
                }
            }
        } catch (ElasticsearchException e) {
            if (task != null) {
                this.log.debug("Failed to apply filter. Task id: {} ({}). Action: {}", Long.valueOf(task.getId()), task.getDescription(), str, e);
            } else {
                this.log.debug("Failed to apply filter. Action: {}", str, e);
            }
            actionListener.onFailure(e);
        } catch (Throwable th) {
            this.log.error("Unexpected exception " + th, th);
            actionListener.onFailure(new ElasticsearchSecurityException("Unexpected exception " + str, RestStatus.INTERNAL_SERVER_ERROR, new Object[0]));
        }
    }

    private static boolean isUserAdmin(User user, AdminDNs adminDNs) {
        return user != null && adminDNs.isAdmin(user);
    }

    private void attachSourceFieldContext(ActionRequest actionRequest) {
        if ((actionRequest instanceof SearchRequest) && SourceFieldsContext.isNeeded((SearchRequest) actionRequest)) {
            if (this.threadContext.getHeader("_opendistro_security_source_field_context") == null) {
                this.threadContext.putHeader("_opendistro_security_source_field_context", Base64Helper.serializeObject(new SourceFieldsContext((SearchRequest) actionRequest)));
                return;
            }
            return;
        }
        if ((actionRequest instanceof GetRequest) && SourceFieldsContext.isNeeded((GetRequest) actionRequest) && this.threadContext.getHeader("_opendistro_security_source_field_context") == null) {
            this.threadContext.putHeader("_opendistro_security_source_field_context", Base64Helper.serializeObject(new SourceFieldsContext((GetRequest) actionRequest)));
        }
    }

    private boolean checkImmutableIndices(Object obj, ActionListener actionListener) {
        if (((obj instanceof DeleteRequest) || (obj instanceof UpdateRequest) || (obj instanceof UpdateByQueryRequest) || (obj instanceof DeleteByQueryRequest) || (obj instanceof DeleteIndexRequest) || (obj instanceof RestoreSnapshotRequest) || (obj instanceof CloseIndexRequest) || (obj instanceof IndicesAliasesRequest)) && isRequestIndexImmutable(obj)) {
            actionListener.onFailure(new ElasticsearchSecurityException("Index is immutable", RestStatus.FORBIDDEN, new Object[0]));
            return true;
        }
        if (!(obj instanceof IndexRequest) || !isRequestIndexImmutable(obj)) {
            return false;
        }
        ((IndexRequest) obj).opType(DocWriteRequest.OpType.CREATE);
        return false;
    }

    private boolean isRequestIndexImmutable(Object obj) {
        return this.immutableIndicesMatcher.matchAny(this.indexResolverReplacer.resolveRequest(obj).getAllIndices());
    }
}
