package org.elasticsearch.xpack.security.authz.interceptor;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Strings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.security.authz.RBACEngine;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/interceptor/DlsFlsLicenseRequestInterceptor.class */
public class DlsFlsLicenseRequestInterceptor implements RequestInterceptor {
    private static final Logger logger = LogManager.getLogger(DlsFlsLicenseRequestInterceptor.class);
    private final ThreadContext threadContext;
    private final XPackLicenseState licenseState;

    public DlsFlsLicenseRequestInterceptor(ThreadContext threadContext, XPackLicenseState xPackLicenseState) {
        this.threadContext = threadContext;
        this.licenseState = xPackLicenseState;
    }

    @Override // org.elasticsearch.xpack.security.authz.interceptor.RequestInterceptor
    public void intercept(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine authorizationEngine, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<Void> actionListener) {
        Role maybeGetRBACEngineRole;
        if ((requestInfo.getRequest() instanceof IndicesRequest) && false == TransportActionProxy.isProxyAction(requestInfo.getAction()) && ((maybeGetRBACEngineRole = RBACEngine.maybeGetRBACEngineRole((AuthorizationEngine.AuthorizationInfo) this.threadContext.getTransient("_authz_info"))) == null || maybeGetRBACEngineRole.hasFieldOrDocumentLevelSecurity())) {
            logger.trace("Role has DLS or FLS. Checking for whether the request touches any indices that have DLS or FLS configured");
            IndicesAccessControl indicesAccessControl = (IndicesAccessControl) this.threadContext.getTransient("_indices_permissions");
            if (indicesAccessControl != null) {
                XPackLicenseState copyCurrentLicenseState = this.licenseState.copyCurrentLicenseState();
                if (logger.isDebugEnabled()) {
                    IndicesAccessControl.DlsFlsUsage fieldAndDocumentLevelSecurityUsage = indicesAccessControl.getFieldAndDocumentLevelSecurityUsage();
                    if (fieldAndDocumentLevelSecurityUsage.hasFieldLevelSecurity()) {
                        logger.debug(() -> {
                            return Strings.format("User [%s] has field level security on [%s]", new Object[]{requestInfo.getAuthentication(), indicesAccessControl.getIndicesWithFieldLevelSecurity()});
                        });
                    }
                    if (fieldAndDocumentLevelSecurityUsage.hasDocumentLevelSecurity()) {
                        logger.debug(() -> {
                            return Strings.format("User [%s] has document level security on [%s]", new Object[]{requestInfo.getAuthentication(), indicesAccessControl.getIndicesWithDocumentLevelSecurity()});
                        });
                    }
                }
                if (false == SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(copyCurrentLicenseState) || false == SecurityField.FIELD_LEVEL_SECURITY_FEATURE.checkWithoutTracking(copyCurrentLicenseState)) {
                    boolean z = false;
                    IndicesAccessControl.DlsFlsUsage fieldAndDocumentLevelSecurityUsage2 = indicesAccessControl.getFieldAndDocumentLevelSecurityUsage();
                    if (fieldAndDocumentLevelSecurityUsage2.hasDocumentLevelSecurity() && false == SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.check(copyCurrentLicenseState)) {
                        z = true;
                    }
                    if (fieldAndDocumentLevelSecurityUsage2.hasFieldLevelSecurity() && false == SecurityField.FIELD_LEVEL_SECURITY_FEATURE.check(copyCurrentLicenseState)) {
                        z = true;
                    }
                    if (z) {
                        ElasticsearchSecurityException newComplianceException = LicenseUtils.newComplianceException("field and document level security");
                        newComplianceException.addMetadata("es.indices_with_dls_or_fls", indicesAccessControl.getIndicesWithFieldOrDocumentLevelSecurity());
                        actionListener.onFailure(newComplianceException);
                        return;
                    }
                }
            }
        }
        actionListener.onResponse((Object) null);
    }
}
