package com.amazon.opendistroforelasticsearch.security.privileges;

import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog;
import com.amazon.opendistroforelasticsearch.security.configuration.ClusterInfoHolder;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.SnapshotRestoreHelper;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.admin.cluster.snapshots.restore.RestoreSnapshotRequest;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.tasks.Task;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/privileges/SnapshotRestoreEvaluator.class */
public class SnapshotRestoreEvaluator {
    protected final Logger log = LogManager.getLogger(getClass());
    private final boolean enableSnapshotRestorePrivilege;
    private final String opendistrosecurityIndex;
    private final AuditLog auditLog;
    private final boolean restoreSecurityIndexEnabled;

    public SnapshotRestoreEvaluator(Settings settings, AuditLog auditLog) {
        this.enableSnapshotRestorePrivilege = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_ENABLE_SNAPSHOT_RESTORE_PRIVILEGE, true).booleanValue();
        this.restoreSecurityIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_RESTORE_SECURITYINDEX_ENABLED, false).booleanValue();
        this.opendistrosecurityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
        this.auditLog = auditLog;
    }

    public PrivilegesEvaluatorResponse evaluate(ActionRequest actionRequest, Task task, String str, ClusterInfoHolder clusterInfoHolder, PrivilegesEvaluatorResponse privilegesEvaluatorResponse) {
        if (!(actionRequest instanceof RestoreSnapshotRequest)) {
            return privilegesEvaluatorResponse;
        }
        if (!this.enableSnapshotRestorePrivilege) {
            this.log.warn(str + " is not allowed for a regular user");
            privilegesEvaluatorResponse.allowed = false;
            return privilegesEvaluatorResponse.markComplete();
        }
        if (this.restoreSecurityIndexEnabled) {
            privilegesEvaluatorResponse.allowed = true;
            return privilegesEvaluatorResponse;
        }
        if (clusterInfoHolder.isLocalNodeElectedMaster() == Boolean.FALSE) {
            privilegesEvaluatorResponse.allowed = true;
            return privilegesEvaluatorResponse.markComplete();
        }
        RestoreSnapshotRequest restoreSnapshotRequest = (RestoreSnapshotRequest) actionRequest;
        if (restoreSnapshotRequest.includeGlobalState()) {
            this.auditLog.logSecurityIndexAttempt(actionRequest, str, task);
            this.log.warn(str + " with 'include_global_state' enabled is not allowed");
            privilegesEvaluatorResponse.allowed = false;
            return privilegesEvaluatorResponse.markComplete();
        }
        List<String> resolveOriginalIndices = SnapshotRestoreHelper.resolveOriginalIndices(restoreSnapshotRequest);
        if (resolveOriginalIndices == null || !(resolveOriginalIndices.contains(this.opendistrosecurityIndex) || resolveOriginalIndices.contains("_all") || resolveOriginalIndices.contains("*"))) {
            return privilegesEvaluatorResponse;
        }
        this.auditLog.logSecurityIndexAttempt(actionRequest, str, task);
        this.log.warn(str + " for '{}' as source index is not allowed", this.opendistrosecurityIndex);
        privilegesEvaluatorResponse.allowed = false;
        return privilegesEvaluatorResponse.markComplete();
    }
}
