package com.floragunn.searchguard.filter;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.BackendRegistry;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.DlsFlsRequestValve;
import com.floragunn.searchguard.configuration.PrivilegesEvaluator;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.User;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.Provider;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/filter/SearchGuardFilter.class */
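/**
 * Action filter that decides whether a transport action may proceed.
 *
 * <p>For each request the filter resolves the user from the request context and then, in order:
 * <ol>
 *   <li>lets admin users, inter-cluster requests and configuration requests skip privilege
 *       evaluation (the DLS/FLS valve is still invoked);</li>
 *   <li>restricts the internal pseudo-user to a fixed allowlist of action-name prefixes;</li>
 *   <li>rejects everything while the privileges evaluator is not initialized;</li>
 *   <li>rejects requests that carry no user at all;</li>
 *   <li>asks the {@link PrivilegesEvaluator} and audits the outcome.</li>
 * </ol>
 *
 * <p>All rejections are reported through {@link ActionListener#onFailure}; the chain is only
 * continued on an explicit allow decision.
 */
public class SearchGuardFilter implements ActionFilter {
    /**
     * Action-name prefixes the internal pseudo-user ({@link User#SG_INTERNAL}) may execute.
     * Matching is by {@link String#startsWith(String)}, so every action below a listed prefix is
     * allowed; keep this list as narrow as possible.
     */
    private static final String[] INTERNAL_USER_ALLOWED_PREFIXES = {
        "internal:gateway",
        "cluster:monitor/",
        "indices:monitor/",
        "cluster:admin/reroute",
        "indices:admin/mapping/put",
        "internal:cluster/nodes/indices/shard/store",
        "indices:admin/exists"
    };

    protected final ESLogger log = Loggers.getLogger(getClass());
    private final Provider<PrivilegesEvaluator> evalp;
    private final Settings settings;
    private final AdminDNs adminDns;
    private final Provider<DlsFlsRequestValve> dlsFlsValve;
    private final AuditLog auditLog;

    /**
     * Creates the filter from injected collaborators.
     *
     * @param settings node settings (stored, not read by the code in this class)
     * @param provider lazily supplies the privileges evaluator
     * @param adminDNs registry used to recognise admin users by name
     * @param provider2 backend registry provider; accepted for injection but not used here
     * @param provider3 lazily supplies the DLS/FLS request valve
     * @param auditLog sink for failed-login, missing-privilege and authenticated-request events
     */
    @Inject
    public SearchGuardFilter(Settings settings, Provider<PrivilegesEvaluator> provider, AdminDNs adminDNs, Provider<BackendRegistry> provider2, Provider<DlsFlsRequestValve> provider3, AuditLog auditLog) {
        this.settings = settings;
        this.evalp = provider;
        this.adminDns = adminDNs;
        this.dlsFlsValve = provider3;
        this.auditLog = auditLog;
    }

    /**
     * Returns the filter's position in the chain.
     *
     * @return {@link Integer#MIN_VALUE}; presumably this places the security check ahead of all
     *     other action filters (ordering semantics are defined by {@link ActionFilter}, confirm)
     */
    @Override
    public int order() {
        return Integer.MIN_VALUE;
    }

    /**
     * Authorizes a request before it is handed to the rest of the filter chain.
     *
     * @param task task the action runs under
     * @param str name of the action being executed
     * @param actionRequest request whose context carries the authenticated user, if any
     * @param actionListener receives the failure when the request is rejected
     * @param actionFilterChain chain to continue when the request is allowed
     */
    @Override
    public void apply(Task task, String str, ActionRequest actionRequest, ActionListener actionListener, ActionFilterChain actionFilterChain) {
        if (this.log.isTraceEnabled()) {
            // NOTE(review): the request context and headers are dumped as-is. They may contain
            // user or credential material, so trace level should stay off in production.
            this.log.trace("Action {} from {}/{}", str, actionRequest.remoteAddress(), actionListener.getClass().getSimpleName());
            this.log.trace("Context {}", actionRequest.getContext());
            this.log.trace("Header {}", actionRequest.getHeaders());
        }

        User user = (User) actionRequest.getFromContext(ConfigConstants.SG_USER);
        // A request with neither a user nor a remote address is treated as node-internal.
        if (user == null && actionRequest.remoteAddress() == null) {
            user = User.SG_INTERNAL;
        }
        if (this.log.isTraceEnabled()) {
            this.log.trace("remote address: {}", actionRequest.getFromContext(ConfigConstants.SG_REMOTE_ADDRESS));
        }

        // Trusted callers skip privilege evaluation entirely.
        // NOTE(review): the third condition trusts a request header. This is only safe if
        // HeaderHelper.getSafeFromHeader returns the value for trusted requests only; verify there.
        if (isUserAdmin(user, this.adminDns)
                || isInterClusterRequest(actionRequest)
                || "true".equals(HeaderHelper.getSafeFromHeader(actionRequest, ConfigConstants.SG_CONF_REQUEST_HEADER))) {
            // When the valve returns false the chain is not continued; presumably the valve has
            // already answered the listener in that case (confirm in DlsFlsRequestValve).
            if (this.dlsFlsValve.get().invoke(actionRequest, actionListener)) {
                actionFilterChain.proceed(task, str, actionRequest, actionListener);
            }
            return;
        }

        if (User.SG_INTERNAL.equals(user)) {
            if (isAllowedForInternalUser(str)) {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("No user, will allow only standard discovery and monitoring actions");
                }
                actionFilterChain.proceed(task, str, actionRequest, actionListener);
                return;
            }
            this.log.debug("unauthenticated request {} for user {}", str, user);
            this.auditLog.logFailedLogin(user.getName(), (TransportRequest) actionRequest);
            // ElasticsearchSecurityException carries the status explicitly. The previous
            // ElasticsearchException(String, Object...) call passed RestStatus.FORBIDDEN as a
            // message-format argument, so the intended 403 was never attached to the failure.
            actionListener.onFailure(new ElasticsearchSecurityException("unauthenticated request " + str + " for user " + user, RestStatus.FORBIDDEN));
            return;
        }

        PrivilegesEvaluator privilegesEvaluator = this.evalp.get();
        if (!privilegesEvaluator.isInitialized()) {
            this.log.error("Search Guard not initialized (SG11) for {}", str);
            // Same status fix as above: SERVICE_UNAVAILABLE must be the status, not a format arg.
            actionListener.onFailure(new ElasticsearchSecurityException("Search Guard not initialized (SG11) for " + str, RestStatus.SERVICE_UNAVAILABLE));
            return;
        }

        // Fail closed: a request that has a remote address but no user in its context would
        // otherwise reach user.getName() / evaluate(null, ...) below. Reject it explicitly
        // instead of relying on a NullPointerException to stop it.
        if (user == null) {
            this.log.error("No user found for {} from {}", str, actionRequest.remoteAddress());
            actionListener.onFailure(new ElasticsearchSecurityException("No user found for " + str, RestStatus.FORBIDDEN));
            return;
        }

        if (this.log.isTraceEnabled()) {
            this.log.trace("Evaluate permissions for user: {}", user.getName());
        }
        if (!privilegesEvaluator.evaluate(user, str, actionRequest)) {
            this.auditLog.logMissingPrivileges(str, actionRequest);
            this.log.debug("no permissions for {}", str);
            actionListener.onFailure(new ElasticsearchSecurityException("no permissions for " + str, RestStatus.FORBIDDEN));
        } else if (this.dlsFlsValve.get().invoke(actionRequest, actionListener)) {
            this.auditLog.logAuthenticatedRequest(actionRequest, str);
            actionFilterChain.proceed(task, str, actionRequest, actionListener);
        }
    }

    /**
     * Passes responses through unchanged; this filter only inspects requests.
     *
     * @param str name of the action that produced the response
     * @param actionResponse response being returned
     * @param actionListener listener the response is delivered to
     * @param actionFilterChain chain to continue
     */
    @Override
    public void apply(String str, ActionResponse actionResponse, ActionListener actionListener, ActionFilterChain actionFilterChain) {
        actionFilterChain.proceed(str, actionResponse, actionListener);
    }

    /** Returns whether {@code action} starts with one of {@link #INTERNAL_USER_ALLOWED_PREFIXES}. */
    private static boolean isAllowedForInternalUser(String action) {
        for (String prefix : INTERNAL_USER_ALLOWED_PREFIXES) {
            if (action.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the request context marks the request as inter-cluster.
     *
     * <p>The comparison is by identity against {@link Boolean#TRUE}, so only the canonical
     * instance is accepted and any other value, including an absent one, is treated as not
     * inter-cluster. That is the stricter reading and is kept on purpose.
     */
    private static boolean isInterClusterRequest(ActionRequest actionRequest) {
        return actionRequest.getFromContext(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST) == Boolean.TRUE;
    }

    /** Returns whether {@code user} is non-null and {@code adminDNs} reports its name as admin. */
    private static boolean isUserAdmin(User user, AdminDNs adminDNs) {
        return user != null && adminDNs.isAdmin(user.getName());
    }
}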
