package org.elasticsearch.xpack.security.authz;

import java.io.IOException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.common.CheckedBiConsumer;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.search.internal.ShardSearchRequest;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.support.SecurityQueryTemplateEvaluator;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/DlsFlsRequestCacheDifferentiator.class */
public class DlsFlsRequestCacheDifferentiator implements CheckedBiConsumer<ShardSearchRequest, StreamOutput, IOException> {
    private static final Logger logger = LogManager.getLogger(DlsFlsRequestCacheDifferentiator.class);
    private final XPackLicenseState licenseState;
    private final SetOnce<SecurityContext> securityContextHolder;
    private final SetOnce<ScriptService> scriptServiceReference;

    public DlsFlsRequestCacheDifferentiator(XPackLicenseState xPackLicenseState, SetOnce<SecurityContext> setOnce, SetOnce<ScriptService> setOnce2) {
        this.licenseState = xPackLicenseState;
        this.securityContextHolder = setOnce;
        this.scriptServiceReference = setOnce2;
    }

    public void accept(ShardSearchRequest shardSearchRequest, StreamOutput streamOutput) throws IOException {
        SecurityContext securityContext = (SecurityContext) this.securityContextHolder.get();
        IndicesAccessControl indicesAccessControl = (IndicesAccessControl) securityContext.getThreadContext().getTransient("_indices_permissions");
        String indexName = shardSearchRequest.shardId().getIndexName();
        IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(indexName);
        if (indexPermissions != null) {
            boolean hasFieldLevelSecurity = indexPermissions.getFieldPermissions().hasFieldLevelSecurity();
            boolean hasDocumentLevelPermissions = indexPermissions.getDocumentPermissions().hasDocumentLevelPermissions();
            if ((hasFieldLevelSecurity || hasDocumentLevelPermissions) && SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState)) {
                logger.debug("index [{}] with field level access controls [{}] document level access controls [{}]. Differentiating request cache key", indexName, Boolean.valueOf(hasFieldLevelSecurity), Boolean.valueOf(hasDocumentLevelPermissions));
                indexPermissions.buildCacheKey(streamOutput, SecurityQueryTemplateEvaluator.wrap(securityContext.getUser(), (ScriptService) this.scriptServiceReference.get()));
            }
        }
    }
}
