package org.elasticsearch.shield.authz.accesscontrol;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.index.LeafReaderContext;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.CollectionTerminatedException;
import org.apache.lucene.search.Collector;
import org.apache.lucene.search.ConjunctionDISI;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.LeafCollector;
import org.apache.lucene.search.Scorer;
import org.apache.lucene.search.Weight;
import org.apache.lucene.util.BitSetIterator;
import org.apache.lucene.util.Bits;
import org.apache.lucene.util.SparseFixedBitSet;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.support.LoggerMessageFormat;
import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
import org.elasticsearch.index.engine.EngineConfig;
import org.elasticsearch.index.engine.EngineException;
import org.elasticsearch.index.engine.IndexSearcherWrapper;
import org.elasticsearch.index.mapper.DocumentMapper;
import org.elasticsearch.index.mapper.MapperService;
import org.elasticsearch.index.mapper.internal.ParentFieldMapper;
import org.elasticsearch.index.query.IndexQueryParserService;
import org.elasticsearch.index.settings.IndexSettingsService;
import org.elasticsearch.index.shard.AbstractIndexShardComponent;
import org.elasticsearch.index.shard.IndexShard;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;
import org.elasticsearch.indices.IndicesLifecycle;
import org.elasticsearch.shield.authz.InternalAuthorizationService;
import org.elasticsearch.shield.authz.accesscontrol.DocumentSubsetReader;
import org.elasticsearch.shield.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.shield.license.ShieldLicenseState;
import org.elasticsearch.shield.support.Exceptions;

/* loaded from: input_file:org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.class */
public final class ShieldIndexSearcherWrapper extends AbstractIndexShardComponent implements IndexSearcherWrapper {
    private final MapperService mapperService;
    private final Set<String> allowedMetaFields;
    private final IndexQueryParserService parserService;
    private final BitsetFilterCache bitsetFilterCache;
    private final ShieldLicenseState shieldLicenseState;
    private volatile boolean shardStarted;

    /* loaded from: input_file:org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper$ShardLifecycleListener.class */
    private class ShardLifecycleListener extends IndicesLifecycle.Listener {
        private ShardLifecycleListener() {
        }

        public void afterIndexShardPostRecovery(IndexShard indexShard) {
            if (ShieldIndexSearcherWrapper.this.shardId.equals(indexShard.shardId())) {
                ShieldIndexSearcherWrapper.this.shardStarted = true;
            }
        }
    }

    @Inject
    public ShieldIndexSearcherWrapper(ShardId shardId, IndexSettingsService indexSettingsService, IndexQueryParserService indexQueryParserService, IndicesLifecycle indicesLifecycle, MapperService mapperService, BitsetFilterCache bitsetFilterCache, ShieldLicenseState shieldLicenseState) {
        super(shardId, indexSettingsService.getSettings());
        this.shardStarted = false;
        this.mapperService = mapperService;
        this.parserService = indexQueryParserService;
        this.bitsetFilterCache = bitsetFilterCache;
        this.shieldLicenseState = shieldLicenseState;
        indicesLifecycle.addListener(new ShardLifecycleListener());
        HashSet hashSet = new HashSet();
        hashSet.addAll(Arrays.asList(MapperService.getAllMetaFields()));
        hashSet.add("_source");
        hashSet.add("_version");
        hashSet.remove("_all");
        this.allowedMetaFields = Collections.unmodifiableSet(hashSet);
    }

    public DirectoryReader wrap(DirectoryReader directoryReader) {
        if (!this.shieldLicenseState.documentAndFieldLevelSecurityEnabled()) {
            return directoryReader;
        }
        Set<String> set = this.allowedMetaFields;
        try {
            RequestContext current = RequestContext.current();
            if (current == null) {
                if (this.shardStarted) {
                    throw new IllegalStateException("can't locate the origin of the current request");
                }
                this.logger.trace("shard is not started and could not locate the current request, fls and dls will not be applied", new Object[0]);
                return directoryReader;
            }
            IndicesAccessControl indicesAccessControl = (IndicesAccessControl) current.getRequest().getFromContext(InternalAuthorizationService.INDICES_PERMISSIONS_KEY);
            if (indicesAccessControl == null) {
                throw Exceptions.authorizationError("no indices permissions found", new Object[0]);
            }
            ShardId extractShardId = ShardUtils.extractShardId(directoryReader);
            if (extractShardId == null) {
                throw new IllegalStateException(LoggerMessageFormat.format("couldn't extract shardId from reader [{}]", new Object[]{directoryReader}));
            }
            IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(extractShardId.getIndex());
            if (indexPermissions == null) {
                return directoryReader;
            }
            if (indexPermissions.getQueries() != null) {
                BooleanQuery.Builder builder = new BooleanQuery.Builder();
                Iterator it = indexPermissions.getQueries().iterator();
                while (it.hasNext()) {
                    builder.add(this.parserService.parse((BytesReference) it.next()).query(), BooleanClause.Occur.FILTER);
                }
                directoryReader = DocumentSubsetReader.wrap(directoryReader, this.bitsetFilterCache, builder.build());
            }
            if (indexPermissions.getFields() != null) {
                HashSet hashSet = new HashSet(set);
                Iterator it2 = indexPermissions.getFields().iterator();
                while (it2.hasNext()) {
                    hashSet.addAll(this.mapperService.simpleMatchToIndexNames((String) it2.next()));
                }
                resolveParentChildJoinFields(hashSet);
                directoryReader = FieldSubsetReader.wrap(directoryReader, hashSet);
            }
            return directoryReader;
        } catch (IOException e) {
            this.logger.error("Unable to apply field level security", new Object[0]);
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    public IndexSearcher wrap(EngineConfig engineConfig, IndexSearcher indexSearcher) throws EngineException {
        if (!this.shieldLicenseState.documentAndFieldLevelSecurityEnabled()) {
            return indexSearcher;
        }
        DirectoryReader indexReader = indexSearcher.getIndexReader();
        if (!(indexReader instanceof DocumentSubsetReader.DocumentSubsetDirectoryReader)) {
            return indexSearcher;
        }
        IndexSearcher indexSearcher2 = new IndexSearcher(indexReader) { // from class: org.elasticsearch.shield.authz.accesscontrol.ShieldIndexSearcherWrapper.1
            protected void search(List<LeafReaderContext> list, Weight weight, Collector collector) throws IOException {
                Scorer scorer;
                for (LeafReaderContext leafReaderContext : list) {
                    try {
                        LeafCollector leafCollector = collector.getLeafCollector(leafReaderContext);
                        DocumentSubsetReader reader = leafReaderContext.reader();
                        SparseFixedBitSet roleQueryBits = reader.getRoleQueryBits();
                        if (roleQueryBits != null && (scorer = weight.scorer(leafReaderContext)) != null) {
                            try {
                                if (roleQueryBits instanceof SparseFixedBitSet) {
                                    ShieldIndexSearcherWrapper.intersectScorerAndRoleBits(scorer, roleQueryBits, leafCollector, reader.getWrappedLiveDocs());
                                } else {
                                    weight.bulkScorer(leafReaderContext).score(leafCollector, reader.getLiveDocs());
                                }
                            } catch (CollectionTerminatedException e) {
                            }
                        }
                    } catch (CollectionTerminatedException e2) {
                    }
                }
            }
        };
        indexSearcher2.setQueryCache(engineConfig.getQueryCache());
        indexSearcher2.setQueryCachingPolicy(engineConfig.getQueryCachingPolicy());
        indexSearcher2.setSimilarity(engineConfig.getSimilarity());
        return indexSearcher2;
    }

    public Set<String> getAllowedMetaFields() {
        return this.allowedMetaFields;
    }

    private void resolveParentChildJoinFields(Set<String> set) {
        Iterator it = this.mapperService.docMappers(false).iterator();
        while (it.hasNext()) {
            ParentFieldMapper parentFieldMapper = ((DocumentMapper) it.next()).parentFieldMapper();
            if (parentFieldMapper.active()) {
                set.add(ParentFieldMapper.joinField(parentFieldMapper.type()));
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    static void intersectScorerAndRoleBits(Scorer scorer, SparseFixedBitSet sparseFixedBitSet, LeafCollector leafCollector, Bits bits) throws IOException {
        ConjunctionDISI intersect = ConjunctionDISI.intersect(Arrays.asList(new BitSetIterator(sparseFixedBitSet, sparseFixedBitSet.approximateCardinality()), scorer));
        int nextDoc = intersect.nextDoc();
        while (true) {
            int i = nextDoc;
            if (i >= Integer.MAX_VALUE) {
                return;
            }
            if (bits == null || bits.get(i)) {
                leafCollector.collect(i);
            }
            nextDoc = intersect.nextDoc();
        }
    }
}
