package com.amazon.opendistroforelasticsearch.security.configuration;

import com.amazon.opendistroforelasticsearch.security.configuration.EmptyFilterLeafReader;
import com.amazon.opendistroforelasticsearch.security.privileges.PrivilegesEvaluator;
import com.amazon.opendistroforelasticsearch.security.securityconf.ConfigModel;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.HeaderHelper;
import com.amazon.opendistroforelasticsearch.security.support.WildcardMatcher;
import com.amazon.opendistroforelasticsearch.security.user.User;
import java.io.IOException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.DirectoryReader;
import org.elasticsearch.common.CheckedFunction;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.IndexService;
import org.greenrobot.eventbus.Subscribe;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/configuration/OpenDistroSecurityIndexSearcherWrapper.class */
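/**
 * Wraps the {@link DirectoryReader} handed to a search on one index so that requests which
 * must not see that index's contents receive an
 * {@link EmptyFilterLeafReader.EmptyDirectoryReader} (which, as its name indicates, exposes
 * nothing) instead of the real reader.
 *
 * <p>{@link #apply} applies three protections, in this order:
 * <ol>
 *   <li>the security configuration index is readable only by admin DNs or by internal
 *       requests carrying the configuration request header;</li>
 *   <li>protected indices (when enabled) are readable only by users whose mapped roles match
 *       the configured allowed roles;</li>
 *   <li>system indices (when enabled) are readable only by admin DNs, or by requests that
 *       carry no user in the thread context at all (treated as plugin/internal traffic).</li>
 * </ol>
 * Everything else is passed to {@link #dlsFlsWrap}, which subclasses override to apply
 * document-/field-level security; this base implementation returns the reader unchanged.
 *
 * <p>Every decision is derived from transients and headers of the request's
 * {@link ThreadContext}; the wrapper itself performs no authentication. Note in particular
 * that the system-index check fails open when the user transient is absent
 * (see {@link #isAdminDnOrPluginRequest}), so callers must ensure that only genuinely
 * internal requests reach this point without a user.
 *
 * <p>One instance guards one index. {@link #onConfigModelChanged} is delivered over the event
 * bus whenever the security configuration is reloaded.
 */
public class OpenDistroSecurityIndexSearcherWrapper implements CheckedFunction<DirectoryReader, DirectoryReader, IOException> {
    protected final Logger log = LogManager.getLogger(getClass());
    /** Thread context of the current request: source of the user, remote address and headers. */
    protected final ThreadContext threadContext;
    /** The index this wrapper instance guards. */
    protected final Index index;
    /** Name of the security configuration index (settings override, else the built-in default). */
    protected final String opendistrosecurityIndex;
    private final AdminDNs adminDns;
    // Only written by onConfigModelChanged; nothing in this class reads it.
    private ConfigModel configModel;
    private final PrivilegesEvaluator evaluator;
    /** Index-name patterns that count as protected indices. */
    private final WildcardMatcher protectedIndexMatcher;
    /** Role patterns that are allowed to read protected indices. */
    private final WildcardMatcher allowedRolesMatcher;
    /** Index-name patterns that count as system indices. */
    private final WildcardMatcher systemIndexMatcher;
    // Primitive so a missing/null default would fail at construction rather than on the first search.
    private final boolean protectedIndexEnabled;
    private final boolean systemIndexEnabled;

    /**
     * Builds a wrapper for the index owned by {@code indexService}.
     *
     * @param indexService        supplies the index and the thread pool whose context is inspected
     * @param settings            node settings; the security index name, protected/system index
     *                            patterns and their enable flags are read from here
     * @param adminDNs            decides whether a user is an admin DN
     * @param privilegesEvaluator maps a user and caller address to security roles
     */
    public OpenDistroSecurityIndexSearcherWrapper(IndexService indexService, Settings settings, AdminDNs adminDNs, PrivilegesEvaluator privilegesEvaluator) {
        this.index = indexService.index();
        this.threadContext = indexService.getThreadPool().getThreadContext();
        this.opendistrosecurityIndex = settings.get(ConfigConstants.OPENDISTRO_SECURITY_CONFIG_INDEX_NAME, ConfigConstants.OPENDISTRO_SECURITY_DEFAULT_CONFIG_INDEX);
        this.evaluator = privilegesEvaluator;
        this.adminDns = adminDNs;
        this.protectedIndexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_KEY));
        this.allowedRolesMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ROLES_KEY));
        this.protectedIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_PROTECTED_INDICES_ENABLED_DEFAULT);
        this.systemIndexEnabled = settings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_KEY, ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_ENABLED_DEFAULT);
        this.systemIndexMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.OPENDISTRO_SECURITY_SYSTEM_INDICES_KEY));
    }

    /**
     * Event-bus callback invoked when the security configuration model is (re)loaded.
     *
     * @param configModel the new configuration model
     */
    @Subscribe
    public void onConfigModelChanged(ConfigModel configModel) {
        this.configModel = configModel;
    }

    /**
     * Returns the reader the current request is allowed to search with.
     *
     * <p>A request that is denied gets an empty reader rather than an exception, so a denied
     * search simply yields no hits; only the system-index denial is logged.
     *
     * @param directoryReader the reader opened for this index
     * @return {@code directoryReader} (possibly wrapped by {@link #dlsFlsWrap}) or an empty reader
     * @throws IOException if {@link #dlsFlsWrap} fails
     */
    @Override
    public final DirectoryReader apply(DirectoryReader directoryReader) throws IOException {
        // Read once: the same answer is needed for the security-index check and for dlsFlsWrap.
        final boolean adminOrInternal = isAdminAuthenticatedOrInternalRequest();

        // 1. The security configuration index is never exposed to ordinary users.
        if (isSecurityIndexRequest() && !adminOrInternal) {
            return new EmptyFilterLeafReader.EmptyDirectoryReader(directoryReader);
        }
        // 2. Protected indices: only users whose mapped roles match the allow-list.
        if (protectedIndexEnabled && isBlockedProtectedIndexRequest() && !isPermittedOnIndex()) {
            return new EmptyFilterLeafReader.EmptyDirectoryReader(directoryReader);
        }
        // 3. System indices: only admin DNs, or requests with no user (plugin/internal traffic).
        if (systemIndexEnabled && isBlockedSystemIndexRequest() && !isAdminDnOrPluginRequest()) {
            log.warn("search action for {} is not allowed for a non adminDN user", index.getName());
            return new EmptyFilterLeafReader.EmptyDirectoryReader(directoryReader);
        }
        return dlsFlsWrap(directoryReader, adminOrInternal);
    }

    /**
     * Hook for document-/field-level security. The base implementation applies no filtering.
     *
     * @param directoryReader the reader that passed the index-level checks in {@link #apply}
     * @param isAdmin         whether the request is an admin DN or internal request
     *                        (the value of {@link #isAdminAuthenticatedOrInternalRequest()})
     * @return the reader to search with; unchanged here
     * @throws IOException if a subclass's wrapping fails
     */
    protected DirectoryReader dlsFlsWrap(DirectoryReader directoryReader, boolean isAdmin) throws IOException {
        return directoryReader;
    }

    /**
     * Whether the request comes from an admin DN user or is an internal configuration request.
     *
     * <p>The second case is recognised by the configuration request header being {@code "true"};
     * the header is read through {@code HeaderHelper.getSafeFromHeader}, which is presumably what
     * prevents an external client from simply supplying it (not visible here, confirm in HeaderHelper).
     *
     * @return {@code true} for admin DN users and internal requests
     */
    protected final boolean isAdminAuthenticatedOrInternalRequest() {
        final User user = currentUser();
        return (user != null && adminDns.isAdmin(user))
                || "true".equals(HeaderHelper.getSafeFromHeader(threadContext, ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER));
    }

    /** @return whether the guarded index is the security configuration index */
    protected final boolean isSecurityIndexRequest() {
        return index.getName().equals(opendistrosecurityIndex);
    }

    /** @return whether the guarded index matches a configured protected-index pattern */
    protected final boolean isBlockedProtectedIndexRequest() {
        return protectedIndexMatcher.test(index.getName());
    }

    /** @return whether the guarded index matches a configured system-index pattern */
    protected final boolean isBlockedSystemIndexRequest() {
        return systemIndexMatcher.test(index.getName());
    }

    /**
     * Whether the request may touch a system index: admin DN users, and requests that carry
     * no user transient at all.
     *
     * <p>The no-user case is a deliberate fail-open for plugin/internal requests; it means the
     * system-index protection relies entirely on every external request having had a user set
     * in the thread context before it reaches the searcher.
     *
     * @return {@code true} when no user is present or the user is an admin DN
     */
    protected final boolean isAdminDnOrPluginRequest() {
        final User user = currentUser();
        return user == null || adminDns.isAdmin(user);
    }

    /**
     * Whether any of the request user's mapped security roles matches the roles allowed on
     * protected indices.
     *
     * @return {@code true} if at least one mapped role is in the allow-list
     */
    protected final boolean isPermittedOnIndex() {
        final User user = currentUser();
        final TransportAddress caller = (TransportAddress) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_REMOTE_ADDRESS);
        // NOTE(review): user can be null here (see isAdminDnOrPluginRequest); this relies on
        // evaluator.mapRoles tolerating a null user -- confirm against PrivilegesEvaluator.
        return allowedRolesMatcher.matchAny(evaluator.mapRoles(user, caller));
    }

    /** Reads the authenticated user from the thread context; {@code null} when none was set. */
    private User currentUser() {
        return (User) threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
    }
}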
