package org.elasticsearch.xpack.security.authz.interceptor;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/interceptor/BulkShardRequestInterceptor.class */
public class BulkShardRequestInterceptor implements RequestInterceptor {
    private static final Logger logger = LogManager.getLogger(BulkShardRequestInterceptor.class);
    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;

    public BulkShardRequestInterceptor(ThreadPool threadPool, XPackLicenseState xPackLicenseState) {
        this.threadContext = threadPool.getThreadContext();
        this.licenseState = xPackLicenseState;
    }

    @Override // org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor
    public void intercept(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine authorizationEngine, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<Void> actionListener) {
        BulkShardRequest request = requestInfo.getRequest();
        if (request instanceof BulkShardRequest) {
            BulkShardRequest bulkShardRequest = request;
            IndicesAccessControl.IndexAccessControl indexPermissions = ((IndicesAccessControl) this.threadContext.getTransient("_indices_permissions")).getIndexPermissions(bulkShardRequest.index());
            if (indexPermissions != null && ((indexPermissions.getFieldPermissions().hasFieldLevelSecurity() || indexPermissions.getDocumentPermissions().hasDocumentLevelPermissions()) && SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState))) {
                for (BulkItemRequest bulkItemRequest : bulkShardRequest.items()) {
                    boolean z = false;
                    if (bulkItemRequest.request() instanceof UpdateRequest) {
                        z = true;
                        logger.trace("aborting bulk item update request for index [{}]", bulkShardRequest.index());
                        bulkItemRequest.abort(bulkItemRequest.index(), new ElasticsearchSecurityException("Can't execute a bulk item request with update requests embedded if field or document level security is enabled", RestStatus.BAD_REQUEST, new Object[0]));
                    }
                    if (!z) {
                        logger.trace("intercepted bulk request for index [{}] without any update requests, continuing execution", bulkShardRequest.index());
                    }
                }
            }
        }
        actionListener.onResponse((Object) null);
    }
}
