package org.elasticsearch.xpack.security.authz.interceptor;

import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.MemoizedSupplier;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/interceptor/ResizeRequestInterceptor.class */
public final class ResizeRequestInterceptor implements RequestInterceptor {
    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;
    private final AuditTrailService auditTrailService;

    public ResizeRequestInterceptor(ThreadPool threadPool, XPackLicenseState xPackLicenseState, AuditTrailService auditTrailService) {
        this.threadContext = threadPool.getThreadContext();
        this.licenseState = xPackLicenseState;
        this.auditTrailService = auditTrailService;
    }

    @Override // org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor
    public void intercept(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine authorizationEngine, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<Void> actionListener) {
        if (!(requestInfo.getRequest() instanceof ResizeRequest)) {
            actionListener.onResponse((Object) null);
            return;
        }
        ResizeRequest request = requestInfo.getRequest();
        XPackLicenseState copyCurrentLicenseState = this.licenseState.copyCurrentLicenseState();
        AuditTrail auditTrail = this.auditTrailService.get();
        if (!copyCurrentLicenseState.isSecurityEnabled()) {
            actionListener.onResponse((Object) null);
            return;
        }
        MemoizedSupplier memoizedSupplier = new MemoizedSupplier(() -> {
            return Boolean.valueOf(copyCurrentLicenseState.checkFeature(XPackLicenseState.Feature.SECURITY_DLS_FLS));
        });
        IndicesAccessControl.IndexAccessControl indexPermissions = ((IndicesAccessControl) this.threadContext.getTransient("_indices_permissions")).getIndexPermissions(request.getSourceIndex());
        if (indexPermissions != null) {
            boolean hasFieldLevelSecurity = indexPermissions.getFieldPermissions().hasFieldLevelSecurity();
            boolean hasDocumentLevelPermissions = indexPermissions.getDocumentPermissions().hasDocumentLevelPermissions();
            if ((hasFieldLevelSecurity || hasDocumentLevelPermissions) && ((Boolean) memoizedSupplier.get()).booleanValue()) {
                actionListener.onFailure(new ElasticsearchSecurityException("Resize requests are not allowed for users when field or document level security is enabled on the source index", RestStatus.BAD_REQUEST, new Object[0]));
                return;
            }
        }
        Map singletonMap = Collections.singletonMap(request.getSourceIndex(), Collections.singletonList(request.getTargetIndexRequest().index()));
        CheckedConsumer checkedConsumer = authorizationResult -> {
            if (authorizationResult.isGranted()) {
                actionListener.onResponse((Object) null);
                return;
            }
            if (authorizationResult.isAuditable()) {
                auditTrail.accessDenied(AuditUtil.extractRequestId(this.threadContext), requestInfo.getAuthentication(), requestInfo.getAction(), request, authorizationInfo);
            }
            actionListener.onFailure(Exceptions.authorizationError("Resizing an index is not allowed when the target index has more permissions than the source index", new Object[0]));
        };
        Objects.requireNonNull(actionListener);
        authorizationEngine.validateIndexPermissionsAreSubset(requestInfo, authorizationInfo, singletonMap, ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(checkedConsumer, actionListener::onFailure), this.threadContext));
    }
}
