package org.elasticsearch.xpack.security.authz;

import java.util.Arrays;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.search.TransportSearchAction;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.IndicesAndAliasesResolverField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.Role;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/PreAuthorizationUtils.class */
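/**
 * Static helpers for the "parent action pre-authorizes its child actions" shortcut.
 *
 * <p>The methods here only record a {@link AuthorizationEngine.ParentActionAuthorization} marker
 * on the {@link SecurityContext} and answer yes/no questions about it. The code that actually
 * skips or performs authorization based on those answers is outside this file.
 *
 * <p>Security note: every decision in this class fails closed. Whenever a precondition cannot be
 * established (unknown parent action, no RBAC role, field/document level security in play, no
 * concrete indices on the request), the shortcut is not taken and the regular authorization path
 * is expected to run.
 */
public final class PreAuthorizationUtils {
    private static final Logger logger = LogManager.getLogger(PreAuthorizationUtils.class);

    /**
     * Allow-list of parent action name to the child action names the parent may pre-authorize.
     * Both {@code Map.of} and {@code Set.of} produce immutable collections, so the public
     * visibility of this field does not let other code widen the allow-list at runtime.
     */
    public static final Map<String, Set<String>> CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT = Map.of(
        TransportSearchAction.TYPE.name(),
        Set.of(
            "indices:data/read/search[free_context]",
            "indices:data/read/search[phase/dfs]",
            "indices:data/read/search[phase/query]",
            "indices:data/read/search[phase/query/id]",
            "indices:data/read/search[phase/fetch/id]",
            "indices:data/read/search[phase/rank/feature]",
            "indices:data/read/search[can_match][n]"
        )
    );

    /**
     * Records the action of {@code authorizationContext} as a parent authorization on
     * {@code securityContext}, provided every precondition below holds. Otherwise it returns
     * without touching the security context.
     *
     * @param securityContext      context that receives the parent authorization marker
     * @param authorizationContext context of the parent action
     * @throws AssertionError if a parent authorization is already present on {@code securityContext}
     */
    public static void maybeSkipChildrenActionAuthorization(SecurityContext securityContext, AuthorizationEngine.AuthorizationContext authorizationContext) {
        final String action = authorizationContext.getAction();
        if (!CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT.containsKey(action)) {
            // Not a parent action listed in the allow-list.
            return;
        }

        final IndicesAccessControl indicesAccessControl = authorizationContext.getIndicesAccessControl();
        if (indicesAccessControl == null || !indicesAccessControl.isGranted()) {
            // Without a granted index-level decision there is nothing to hand down to child actions.
            return;
        }

        final Role role = RBACEngine.maybeGetRBACEngineRole(authorizationContext.getAuthorizationInfo());
        if (role == null) {
            // NOTE(review): presumably a non-RBAC (custom) authorization engine is in use; confirm.
            return;
        }
        if (role.hasFieldOrDocumentLevelSecurity()) {
            // The marker created below carries only the action name. NOTE(review): presumably FLS/DLS
            // restrictions could not be enforced from that alone, hence the opt-out; confirm upstream.
            return;
        }

        final AuthorizationEngine.ParentActionAuthorization existing = securityContext.getParentAuthorization();
        if (existing != null) {
            // Refuse to overwrite: a marker left over from another action must never authorize this one.
            throw new AssertionError("found parent authorization for action [" + existing.action() + "] while attempting to set authorization for new parent action [" + action + "]");
        }
        logger.debug("adding authorization for parent action [{}] to the thread context", action);
        securityContext.setParentAuthorization(new AuthorizationEngine.ParentActionAuthorization(action));
    }

    /**
     * Tells whether {@code childAction} appears in the allow-list entry of {@code parentAction}.
     * An unknown parent action yields {@code false}.
     */
    private static boolean shouldPreAuthorizeChildActionOfParent(String parentAction, String childAction) {
        final Set<String> allowedChildren = CHILD_ACTIONS_PRE_AUTHORIZED_BY_PARENT.get(parentAction);
        return allowedChildren != null && allowedChildren.contains(childAction);
    }

    /**
     * Decides whether the parent authorization currently held by {@code securityContext} should be
     * removed before the action {@code str} proceeds.
     *
     * @param optional        when a value is present the marker is always reported as removable.
     *                        NOTE(review): the decompiled name is uninformative; presumably this is
     *                        a remote cluster alias, confirm against the upstream source
     * @param str             name of the child action, looked up in the parent's allow-list entry
     * @param securityContext context holding the parent authorization, if any
     * @return {@code false} when no parent authorization is set; otherwise {@code true} when
     *         {@code optional} holds a value or the parent does not pre-authorize {@code str}
     */
    public static boolean shouldRemoveParentAuthorizationFromThreadContext(Optional<String> optional, String str, SecurityContext securityContext) {
        final AuthorizationEngine.ParentActionAuthorization parentAuthorization = securityContext.getParentAuthorization();
        if (parentAuthorization == null) {
            return false;
        }
        if (optional.isPresent()) {
            return true;
        }
        return !shouldPreAuthorizeChildActionOfParent(parentAuthorization.action(), str);
    }

    /**
     * Decides whether the child request described by {@code requestInfo} is covered by the parent
     * authorization attached to it.
     *
     * <p>All of the following must hold: a parent authorization is present; an RBAC role is
     * available and has no field or document level security; the child action is in the parent's
     * allow-list entry; the request is an {@link IndicesRequest} naming at least one index; and its
     * index array is not {@link IndicesAndAliasesResolverField#NO_INDICES_OR_ALIASES_ARRAY}.
     *
     * @param requestInfo       the child request, its action and its parent authorization
     * @param authorizationInfo authorization info from which the RBAC role is obtained
     * @return {@code true} only when every condition above is met
     */
    public static boolean shouldPreAuthorizeChildByParentAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        final AuthorizationEngine.ParentActionAuthorization parentAuthorization = requestInfo.getParentAuthorization();
        if (parentAuthorization == null) {
            return false;
        }

        final Role role = RBACEngine.maybeGetRBACEngineRole(authorizationInfo);
        if (role == null || role.hasFieldOrDocumentLevelSecurity()) {
            return false;
        }

        final String parentAction = parentAuthorization.action();
        final String childAction = requestInfo.getAction();
        if (!shouldPreAuthorizeChildActionOfParent(parentAction, childAction)) {
            return false;
        }

        if (!(requestInfo.getRequest() instanceof IndicesRequest)) {
            return false;
        }
        // The decompiled listing called indices() on the uncast request; the explicit cast restores
        // the call that the instanceof check above guards.
        final String[] indices = ((IndicesRequest) requestInfo.getRequest()).indices();
        if (indices == null || indices.length == 0) {
            // No concrete indices: there is nothing the parent decision could have covered.
            return false;
        }
        if (Arrays.equals(IndicesAndAliasesResolverField.NO_INDICES_OR_ALIASES_ARRAY, indices)) {
            return false;
        }

        logger.debug("pre-authorizing child action [{}] of parent action [{}]", childAction, parentAction);
        return true;
    }

    /** Not instantiable; the class only holds static helpers. */
    private PreAuthorizationUtils() {
        throw new IllegalAccessError();
    }
}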
