package org.elasticsearch.xpack.security.authz.interceptor;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/interceptor/IndicesAliasesRequestInterceptor.class */
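/**
 * Request interceptor that applies two extra authorization checks to {@link IndicesAliasesRequest}s.
 *
 * <ol>
 *   <li>When the document level or field level security feature is available under the current
 *       license, an {@code ADD} alias action is rejected if the caller's access to any target index
 *       carries field level or document level restrictions.</li>
 *   <li>The index-to-aliases mapping of all {@code ADD} actions is handed to
 *       {@link AuthorizationEngine#validateIndexPermissionsAreSubset}; a result that is not granted
 *       is audited as access denied and reported as an authorization error.</li>
 * </ol>
 *
 * Requests of any other type are passed through untouched.
 */
public final class IndicesAliasesRequestInterceptor implements RequestInterceptor {
    /** Thread context transient under which the caller's resolved index access control is read. */
    private static final String INDICES_PERMISSIONS_KEY = "_indices_permissions";

    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;
    private final AuditTrailService auditTrailService;

    /**
     * @param threadContext     context the index access control and the audit request id are read from
     * @param xPackLicenseState license state consulted for the DLS and FLS features
     * @param auditTrailService source of the audit trail used to record denied requests
     */
    public IndicesAliasesRequestInterceptor(ThreadContext threadContext, XPackLicenseState xPackLicenseState, AuditTrailService auditTrailService) {
        this.threadContext = threadContext;
        this.licenseState = xPackLicenseState;
        this.auditTrailService = auditTrailService;
    }

    /**
     * Validates an alias request before it is executed.
     *
     * @param requestInfo         the request, its action name and the authentication it runs under
     * @param authorizationEngine engine asked whether the alias permissions are a subset of the index permissions
     * @param authorizationInfo   authorization information forwarded to the engine and to the audit trail
     * @param actionListener      completed with {@code null} when the request may proceed, failed otherwise
     */
    @Override // org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor
    public void intercept(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine authorizationEngine, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<Void> actionListener) {
        if (!(requestInfo.getRequest() instanceof IndicesAliasesRequest)) {
            // Not an alias request: nothing for this interceptor to check.
            actionListener.onResponse(null);
            return;
        }
        final IndicesAliasesRequest indicesAliasesRequest = (IndicesAliasesRequest) requestInfo.getRequest();
        final AuditTrail auditTrail = this.auditTrailService.get();

        // checkWithoutTracking only asks whether the feature is available; it does not record usage.
        final boolean dlsAvailable = SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState);
        final boolean flsAvailable = SecurityField.FIELD_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState);
        if (dlsAvailable || flsAvailable) {
            // NOTE(review): getTransient can return null when nothing was stored under the key; the
            // dereference below would then throw instead of failing the listener. Confirm that the
            // authorization step always populates this transient before interceptors run.
            final IndicesAccessControl indicesAccessControl = (IndicesAccessControl) this.threadContext.getTransient(INDICES_PERMISSIONS_KEY);
            for (IndicesAliasesRequest.AliasActions aliasActions : indicesAliasesRequest.getAliasActions()) {
                if (aliasActions.actionType() != IndicesAliasesRequest.AliasActions.Type.ADD) {
                    continue;
                }
                for (String index : aliasActions.indices()) {
                    final IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(index);
                    if (indexPermissions != null && (indexPermissions.getFieldPermissions().hasFieldLevelSecurity() || indexPermissions.getDocumentPermissions().hasDocumentLevelPermissions())) {
                        // NOTE(review): this rejection is reported as 400 and, unlike the subset
                        // check below, is not written to the audit trail here.
                        actionListener.onFailure(new ElasticsearchSecurityException("Alias requests are not allowed for users who have field or document level security enabled on one of the indices", RestStatus.BAD_REQUEST));
                        return;
                    }
                }
            }
        }

        // index name -> every alias that any ADD action wants to attach to it; the lists of several
        // actions naming the same index are concatenated.
        final Map<String, List<String>> indexToAliases = indicesAliasesRequest.getAliasActions().stream()
            .filter(aliasActions -> aliasActions.actionType() == IndicesAliasesRequest.AliasActions.Type.ADD)
            .flatMap(aliasActions -> Arrays.stream(aliasActions.indices())
                .map(index -> new Tuple<>(index, Arrays.asList(aliasActions.aliases()))))
            .collect(Collectors.toMap(Tuple::v1, Tuple::v2, (existing, additional) -> {
                final List<String> merged = new ArrayList<>(existing.size() + additional.size());
                merged.addAll(existing);
                merged.addAll(additional);
                return merged;
            }));

        authorizationEngine.validateIndexPermissionsAreSubset(requestInfo, authorizationInfo, indexToAliases,
            ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(authorizationResult -> {
                if (authorizationResult.isGranted()) {
                    actionListener.onResponse(null);
                } else {
                    // Record the denial before failing the request so the audit event is not lost.
                    auditTrail.accessDenied(AuditUtil.extractRequestId(this.threadContext), requestInfo.getAuthentication(), requestInfo.getAction(), indicesAliasesRequest, authorizationInfo);
                    actionListener.onFailure(Exceptions.authorizationError("Adding an alias is not allowed when the alias has more permissions than any of the indices"));
                }
            }, actionListener::onFailure), this.threadContext));
    }
}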
