package org.elasticsearch.xpack.core.security.authz.accesscontrol;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.index.LeafReaderContext;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.BulkScorer;
import org.apache.lucene.search.CollectionTerminatedException;
import org.apache.lucene.search.Collector;
import org.apache.lucene.search.ConjunctionDISI;
import org.apache.lucene.search.ConstantScoreQuery;
import org.apache.lucene.search.DocIdSetIterator;
import org.apache.lucene.search.IndexSearcher;
import org.apache.lucene.search.LeafCollector;
import org.apache.lucene.search.Scorer;
import org.apache.lucene.search.Weight;
import org.apache.lucene.util.BitSetIterator;
import org.apache.lucene.util.Bits;
import org.apache.lucene.util.SparseFixedBitSet;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
import org.elasticsearch.index.engine.EngineException;
import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetReader;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapper.class */
public class SecurityIndexSearcherWrapper extends org.elasticsearch.index.shard.IndexSearcherWrapper {
    private static final Logger logger = LogManager.getLogger(SecurityIndexSearcherWrapper.class);
    private final Function<ShardId, QueryShardContext> queryShardContextProvider;
    private final BitsetFilterCache bitsetFilterCache;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final ScriptService scriptService;

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexSearcherWrapper$IndexSearcherWrapper.class */
    static class IndexSearcherWrapper extends IndexSearcher {
        IndexSearcherWrapper(DocumentSubsetReader.DocumentSubsetDirectoryReader documentSubsetDirectoryReader) {
            super(documentSubsetDirectoryReader);
        }

        protected void search(List<LeafReaderContext> list, Weight weight, Collector collector) throws IOException {
            for (LeafReaderContext leafReaderContext : list) {
                try {
                    LeafCollector leafCollector = collector.getLeafCollector(leafReaderContext);
                    DocumentSubsetReader reader = leafReaderContext.reader();
                    SparseFixedBitSet roleQueryBits = reader.getRoleQueryBits();
                    if (roleQueryBits != null) {
                        if (roleQueryBits instanceof SparseFixedBitSet) {
                            Scorer scorer = weight.scorer(leafReaderContext);
                            if (scorer != null) {
                                try {
                                    SecurityIndexSearcherWrapper.intersectScorerAndRoleBits(scorer, roleQueryBits, leafCollector, reader.getWrappedLiveDocs());
                                } catch (CollectionTerminatedException e) {
                                }
                            }
                        } else {
                            BulkScorer bulkScorer = weight.bulkScorer(leafReaderContext);
                            if (bulkScorer != null) {
                                try {
                                    bulkScorer.score(leafCollector, reader.getLiveDocs());
                                } catch (CollectionTerminatedException e2) {
                                }
                            }
                        }
                    }
                } catch (CollectionTerminatedException e3) {
                }
            }
        }
    }

    public SecurityIndexSearcherWrapper(Function<ShardId, QueryShardContext> function, BitsetFilterCache bitsetFilterCache, ThreadContext threadContext, XPackLicenseState xPackLicenseState, ScriptService scriptService) {
        this.scriptService = scriptService;
        this.queryShardContextProvider = function;
        this.bitsetFilterCache = bitsetFilterCache;
        this.threadContext = threadContext;
        this.licenseState = xPackLicenseState;
    }

    protected DirectoryReader wrap(DirectoryReader directoryReader) {
        BooleanQuery filter;
        if (!this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            return directoryReader;
        }
        try {
            IndicesAccessControl indicesAccessControl = getIndicesAccessControl();
            ShardId extractShardId = ShardUtils.extractShardId(directoryReader);
            if (extractShardId == null) {
                throw new IllegalStateException(LoggerMessageFormat.format("couldn't extract shardId from reader [{}]", new Object[]{directoryReader}));
            }
            IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(extractShardId.getIndexName());
            if (indexPermissions == null) {
                return directoryReader;
            }
            DirectoryReader directoryReader2 = directoryReader;
            DocumentPermissions documentPermissions = indexPermissions.getDocumentPermissions();
            if (documentPermissions != null && documentPermissions.hasDocumentLevelPermissions() && (filter = documentPermissions.filter(getUser(), this.scriptService, extractShardId, this.queryShardContextProvider)) != null) {
                directoryReader2 = DocumentSubsetReader.wrap(directoryReader2, this.bitsetFilterCache, new ConstantScoreQuery(filter));
            }
            return indexPermissions.getFieldPermissions().filter(directoryReader2);
        } catch (IOException e) {
            logger.error("Unable to apply field level security");
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    protected IndexSearcher wrap(IndexSearcher indexSearcher) throws EngineException {
        if (!this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            return indexSearcher;
        }
        DocumentSubsetReader.DocumentSubsetDirectoryReader documentSubsetDirectoryReader = (DirectoryReader) indexSearcher.getIndexReader();
        if (!(documentSubsetDirectoryReader instanceof DocumentSubsetReader.DocumentSubsetDirectoryReader)) {
            return indexSearcher;
        }
        IndexSearcherWrapper indexSearcherWrapper = new IndexSearcherWrapper(documentSubsetDirectoryReader);
        indexSearcherWrapper.setQueryCache(indexSearcherWrapper.getQueryCache());
        indexSearcherWrapper.setQueryCachingPolicy(indexSearcherWrapper.getQueryCachingPolicy());
        indexSearcherWrapper.setSimilarity(indexSearcherWrapper.getSimilarity(true));
        return indexSearcherWrapper;
    }

    static void intersectScorerAndRoleBits(Scorer scorer, SparseFixedBitSet sparseFixedBitSet, LeafCollector leafCollector, Bits bits) throws IOException {
        DocIdSetIterator intersectIterators = ConjunctionDISI.intersectIterators(Arrays.asList(new BitSetIterator(sparseFixedBitSet, sparseFixedBitSet.approximateCardinality()), scorer.iterator()));
        int nextDoc = intersectIterators.nextDoc();
        while (true) {
            int i = nextDoc;
            if (i >= Integer.MAX_VALUE) {
                return;
            }
            if (bits == null || bits.get(i)) {
                leafCollector.collect(i);
            }
            nextDoc = intersectIterators.nextDoc();
        }
    }

    protected IndicesAccessControl getIndicesAccessControl() {
        IndicesAccessControl indicesAccessControl = (IndicesAccessControl) this.threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
        if (indicesAccessControl == null) {
            throw Exceptions.authorizationError("no indices permissions found", new Object[0]);
        }
        return indicesAccessControl;
    }

    protected User getUser() {
        return Authentication.getAuthentication(this.threadContext).getUser();
    }
}
