package org.elasticsearch.xpack.security.authz.interceptor;

import java.util.HashMap;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.class */
abstract class FieldAndDocumentLevelSecurityRequestInterceptor implements RequestInterceptor {
    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;
    private final Logger logger = LogManager.getLogger(getClass());

    /* JADX INFO: Access modifiers changed from: package-private */
    public FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState xPackLicenseState) {
        this.threadContext = threadContext;
        this.licenseState = xPackLicenseState;
    }

    @Override // org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor
    public void intercept(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine authorizationEngine, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<Void> actionListener) {
        TransportRequest request = requestInfo.getRequest();
        if (request instanceof IndicesRequest) {
            IndicesRequest indicesRequest = (IndicesRequest) request;
            if (false == TransportActionProxy.isProxyAction(requestInfo.getAction()) && supports(indicesRequest)) {
                boolean checkWithoutTracking = SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState);
                IndicesAccessControl indicesAccessControl = (IndicesAccessControl) this.threadContext.getTransient("_indices_permissions");
                HashMap hashMap = new HashMap();
                for (String str : requestIndices(indicesRequest)) {
                    IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(str);
                    if (indexPermissions != null) {
                        boolean hasFieldLevelSecurity = indexPermissions.getFieldPermissions().hasFieldLevelSecurity();
                        boolean hasDocumentLevelPermissions = indexPermissions.getDocumentPermissions().hasDocumentLevelPermissions();
                        if ((hasFieldLevelSecurity || hasDocumentLevelPermissions) && checkWithoutTracking) {
                            this.logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access controls [{}]. disabling conflicting features", str, Boolean.valueOf(hasFieldLevelSecurity), Boolean.valueOf(hasDocumentLevelPermissions));
                            hashMap.put(str, indexPermissions);
                        }
                    } else {
                        this.logger.trace("intercepted request for index [{}] without field or document level access controls", str);
                    }
                }
                if (false == hashMap.isEmpty()) {
                    disableFeatures(indicesRequest, hashMap, actionListener);
                    return;
                }
            }
        }
        actionListener.onResponse((Object) null);
    }

    abstract void disableFeatures(IndicesRequest indicesRequest, Map<String, IndicesAccessControl.IndexAccessControl> map, ActionListener<Void> actionListener);

    String[] requestIndices(IndicesRequest indicesRequest) {
        return indicesRequest.indices();
    }

    abstract boolean supports(IndicesRequest indicesRequest);
}
