package org.elasticsearch.xpack.core.security.authz.accesscontrol;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.index.LeafReaderContext;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.BulkScorer;
import org.apache.lucene.search.CollectionTerminatedException;
import org.apache.lucene.search.Collector;
import org.apache.lucene.search.ConjunctionDISI;
import org.apache.lucene.search.ConstantScoreQuery;
import org.apache.lucene.search.DocIdSetIterator;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.LeafCollector;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.Scorer;
import org.apache.lucene.search.Weight;
import org.apache.lucene.search.join.ToChildBlockJoinQuery;
import org.apache.lucene.util.BitSetIterator;
import org.apache.lucene.util.Bits;
import org.apache.lucene.util.SparseFixedBitSet;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.common.logging.ServerLoggers;
import org.elasticsearch.common.lucene.search.Queries;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.index.IndexSettings;
import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
import org.elasticsearch.index.engine.EngineException;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.BoostingQueryBuilder;
import org.elasticsearch.index.query.ConstantScoreQueryBuilder;
import org.elasticsearch.index.query.GeoShapeQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.query.Rewriteable;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.index.query.functionscore.FunctionScoreQueryBuilder;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.ScriptType;
import org.elasticsearch.script.TemplateScript;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetReader;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapper.class */
public class SecurityIndexSearcherWrapper extends org.elasticsearch.index.shard.IndexSearcherWrapper {
    private final Function<ShardId, QueryShardContext> queryShardContextProvider;
    private final BitsetFilterCache bitsetFilterCache;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final Logger logger;
    private final ScriptService scriptService;

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapper$IndexSearcherWrapper.class */
    static class IndexSearcherWrapper extends IndexSearcher {
        IndexSearcherWrapper(DocumentSubsetReader.DocumentSubsetDirectoryReader documentSubsetDirectoryReader) {
            super(documentSubsetDirectoryReader);
        }

        protected void search(List<LeafReaderContext> list, Weight weight, Collector collector) throws IOException {
            for (LeafReaderContext leafReaderContext : list) {
                try {
                    LeafCollector leafCollector = collector.getLeafCollector(leafReaderContext);
                    DocumentSubsetReader reader = leafReaderContext.reader();
                    SparseFixedBitSet roleQueryBits = reader.getRoleQueryBits();
                    if (roleQueryBits != null) {
                        if (roleQueryBits instanceof SparseFixedBitSet) {
                            Scorer scorer = weight.scorer(leafReaderContext);
                            if (scorer != null) {
                                try {
                                    SecurityIndexSearcherWrapper.intersectScorerAndRoleBits(scorer, roleQueryBits, leafCollector, reader.getWrappedLiveDocs());
                                } catch (CollectionTerminatedException e) {
                                }
                            }
                        } else {
                            BulkScorer bulkScorer = weight.bulkScorer(leafReaderContext);
                            if (bulkScorer != null) {
                                try {
                                    bulkScorer.score(leafCollector, reader.getLiveDocs());
                                } catch (CollectionTerminatedException e2) {
                                }
                            }
                        }
                    }
                } catch (CollectionTerminatedException e3) {
                }
            }
        }
    }

    public SecurityIndexSearcherWrapper(IndexSettings indexSettings, Function<ShardId, QueryShardContext> function, BitsetFilterCache bitsetFilterCache, ThreadContext threadContext, XPackLicenseState xPackLicenseState, ScriptService scriptService) {
        this.scriptService = scriptService;
        this.logger = ServerLoggers.getLogger(getClass(), indexSettings.getSettings(), new String[0]);
        this.queryShardContextProvider = function;
        this.bitsetFilterCache = bitsetFilterCache;
        this.threadContext = threadContext;
        this.licenseState = xPackLicenseState;
    }

    protected DirectoryReader wrap(DirectoryReader directoryReader) {
        if (!this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            return directoryReader;
        }
        try {
            IndicesAccessControl indicesAccessControl = getIndicesAccessControl();
            ShardId extractShardId = ShardUtils.extractShardId(directoryReader);
            if (extractShardId == null) {
                throw new IllegalStateException(LoggerMessageFormat.format("couldn't extract shardId from reader [{}]", new Object[]{directoryReader}));
            }
            IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(extractShardId.getIndexName());
            if (indexPermissions == null) {
                return directoryReader;
            }
            if (indexPermissions.getQueries() != null) {
                BooleanQuery.Builder builder = new BooleanQuery.Builder();
                for (BytesReference bytesReference : indexPermissions.getQueries()) {
                    QueryShardContext apply = this.queryShardContextProvider.apply(extractShardId);
                    String evaluateTemplate = evaluateTemplate(bytesReference.utf8ToString());
                    XContentParser createParser = XContentFactory.xContent(evaluateTemplate).createParser(apply.getXContentRegistry(), evaluateTemplate);
                    Throwable th = null;
                    try {
                        try {
                            QueryBuilder parseInnerQueryBuilder = apply.parseInnerQueryBuilder(createParser);
                            verifyRoleQuery(parseInnerQueryBuilder);
                            failIfQueryUsesClient(parseInnerQueryBuilder, apply);
                            Query query = apply.toFilter(parseInnerQueryBuilder).query();
                            builder.add(query, BooleanClause.Occur.SHOULD);
                            if (apply.getMapperService().hasNested()) {
                                builder.add(new ToChildBlockJoinQuery(query, apply.bitsetFilter(Queries.newNonNestedFilter(apply.indexVersionCreated()))), BooleanClause.Occur.SHOULD);
                            }
                            if (createParser != null) {
                                $closeResource(null, createParser);
                            }
                        } finally {
                        }
                    } catch (Throwable th2) {
                        if (createParser != null) {
                            $closeResource(th, createParser);
                        }
                        throw th2;
                    }
                }
                builder.setMinimumNumberShouldMatch(1);
                directoryReader = DocumentSubsetReader.wrap(directoryReader, this.bitsetFilterCache, new ConstantScoreQuery(builder.build()));
            }
            return indexPermissions.getFieldPermissions().filter(directoryReader);
        } catch (IOException e) {
            this.logger.error("Unable to apply field level security");
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    protected IndexSearcher wrap(IndexSearcher indexSearcher) throws EngineException {
        if (!this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            return indexSearcher;
        }
        DocumentSubsetReader.DocumentSubsetDirectoryReader documentSubsetDirectoryReader = (DirectoryReader) indexSearcher.getIndexReader();
        if (!(documentSubsetDirectoryReader instanceof DocumentSubsetReader.DocumentSubsetDirectoryReader)) {
            return indexSearcher;
        }
        IndexSearcherWrapper indexSearcherWrapper = new IndexSearcherWrapper(documentSubsetDirectoryReader);
        indexSearcherWrapper.setQueryCache(indexSearcherWrapper.getQueryCache());
        indexSearcherWrapper.setQueryCachingPolicy(indexSearcherWrapper.getQueryCachingPolicy());
        indexSearcherWrapper.setSimilarity(indexSearcherWrapper.getSimilarity(true));
        return indexSearcherWrapper;
    }

    static void intersectScorerAndRoleBits(Scorer scorer, SparseFixedBitSet sparseFixedBitSet, LeafCollector leafCollector, Bits bits) throws IOException {
        DocIdSetIterator intersectIterators = ConjunctionDISI.intersectIterators(Arrays.asList(new BitSetIterator(sparseFixedBitSet, sparseFixedBitSet.approximateCardinality()), scorer.iterator()));
        int nextDoc = intersectIterators.nextDoc();
        while (true) {
            int i = nextDoc;
            if (i >= Integer.MAX_VALUE) {
                return;
            }
            if (bits == null || bits.get(i)) {
                leafCollector.collect(i);
            }
            nextDoc = intersectIterators.nextDoc();
        }
    }

    String evaluateTemplate(String str) throws IOException {
        XContentParser createParser = XContentFactory.xContent(str).createParser(NamedXContentRegistry.EMPTY, str);
        try {
            XContentParser.Token nextToken = createParser.nextToken();
            if (nextToken != XContentParser.Token.START_OBJECT) {
                throw new ElasticsearchParseException("Unexpected token [" + nextToken + "]", new Object[0]);
            }
            XContentParser.Token nextToken2 = createParser.nextToken();
            if (nextToken2 != XContentParser.Token.FIELD_NAME) {
                throw new ElasticsearchParseException("Unexpected token [" + nextToken2 + "]", new Object[0]);
            }
            if (!"template".equals(createParser.currentName())) {
                return str;
            }
            XContentParser.Token nextToken3 = createParser.nextToken();
            if (nextToken3 != XContentParser.Token.START_OBJECT) {
                throw new ElasticsearchParseException("Unexpected token [" + nextToken3 + "]", new Object[0]);
            }
            Script parse = Script.parse(createParser);
            HashMap hashMap = new HashMap();
            if (parse.getParams() != null) {
                hashMap.putAll(parse.getParams());
            }
            User user = getUser();
            HashMap hashMap2 = new HashMap();
            hashMap2.put("username", user.principal());
            hashMap2.put("full_name", user.fullName());
            hashMap2.put("email", user.email());
            hashMap2.put("roles", Arrays.asList(user.roles()));
            hashMap2.put("metadata", Collections.unmodifiableMap(user.metadata()));
            hashMap.put("_user", hashMap2);
            Script script = new Script(parse.getType(), parse.getType() == ScriptType.STORED ? null : "mustache", parse.getIdOrCode(), parse.getOptions(), hashMap);
            String execute = ((TemplateScript.Factory) this.scriptService.compile(script, TemplateScript.CONTEXT)).newInstance(script.getParams()).execute();
            if (createParser != null) {
                $closeResource(null, createParser);
            }
            return execute;
        } finally {
            if (createParser != null) {
                $closeResource(null, createParser);
            }
        }
    }

    protected IndicesAccessControl getIndicesAccessControl() {
        IndicesAccessControl indicesAccessControl = (IndicesAccessControl) this.threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
        if (indicesAccessControl == null) {
            throw Exceptions.authorizationError("no indices permissions found", new Object[0]);
        }
        return indicesAccessControl;
    }

    protected User getUser() {
        return Authentication.getAuthentication(this.threadContext).getUser();
    }

    static void verifyRoleQuery(QueryBuilder queryBuilder) throws IOException {
        if (queryBuilder instanceof TermsQueryBuilder) {
            if (((TermsQueryBuilder) queryBuilder).termsLookup() != null) {
                throw new IllegalArgumentException("terms query with terms lookup isn't supported as part of a role query");
            }
            return;
        }
        if (queryBuilder instanceof GeoShapeQueryBuilder) {
            if (((GeoShapeQueryBuilder) queryBuilder).shape() == null) {
                throw new IllegalArgumentException("geoshape query referring to indexed shapes isn't support as part of a role query");
            }
            return;
        }
        if (queryBuilder.getName().equals("percolate")) {
            throw new IllegalArgumentException("percolate query isn't support as part of a role query");
        }
        if (queryBuilder.getName().equals("has_child")) {
            throw new IllegalArgumentException("has_child query isn't support as part of a role query");
        }
        if (queryBuilder.getName().equals("has_parent")) {
            throw new IllegalArgumentException("has_parent query isn't support as part of a role query");
        }
        if (queryBuilder instanceof BoolQueryBuilder) {
            BoolQueryBuilder boolQueryBuilder = (BoolQueryBuilder) queryBuilder;
            ArrayList arrayList = new ArrayList();
            arrayList.addAll(boolQueryBuilder.filter());
            arrayList.addAll(boolQueryBuilder.must());
            arrayList.addAll(boolQueryBuilder.mustNot());
            arrayList.addAll(boolQueryBuilder.should());
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                verifyRoleQuery((QueryBuilder) it.next());
            }
            return;
        }
        if (queryBuilder instanceof ConstantScoreQueryBuilder) {
            verifyRoleQuery(((ConstantScoreQueryBuilder) queryBuilder).innerQuery());
            return;
        }
        if (queryBuilder instanceof FunctionScoreQueryBuilder) {
            verifyRoleQuery(((FunctionScoreQueryBuilder) queryBuilder).query());
        } else if (queryBuilder instanceof BoostingQueryBuilder) {
            verifyRoleQuery(((BoostingQueryBuilder) queryBuilder).negativeQuery());
            verifyRoleQuery(((BoostingQueryBuilder) queryBuilder).positiveQuery());
        }
    }

    static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext queryRewriteContext) throws IOException {
        NamedXContentRegistry xContentRegistry = queryRewriteContext.getXContentRegistry();
        NamedWriteableRegistry writeableRegistry = queryRewriteContext.getWriteableRegistry();
        Objects.requireNonNull(queryRewriteContext);
        QueryRewriteContext queryRewriteContext2 = new QueryRewriteContext(xContentRegistry, writeableRegistry, (Client) null, queryRewriteContext::nowInMillis);
        Rewriteable.rewrite(queryBuilder, queryRewriteContext2);
        if (queryRewriteContext2.hasAsyncActions()) {
            throw new IllegalStateException("role queries are not allowed to execute additional requests");
        }
    }

    private static /* synthetic */ void $closeResource(Throwable th, AutoCloseable autoCloseable) {
        if (th == null) {
            autoCloseable.close();
            return;
        }
        try {
            autoCloseable.close();
        } catch (Throwable th2) {
            th.addSuppressed(th2);
        }
    }
}
