package org.elasticsearch.xpack.core.security.authz.accesscontrol;

import java.io.IOException;
import java.util.Objects;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.ConstantScoreQuery;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.CheckedFunction;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.index.shard.ShardUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/accesscontrol/SecurityIndexReaderWrapper.class */
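/**
 * Wraps a shard's {@link DirectoryReader} so that the document-level and field-level
 * restrictions held in the {@link IndicesAccessControl} of the current thread context
 * are applied to every read that goes through the returned reader.
 *
 * <p>Failure behaviour, as implemented in {@link #apply(DirectoryReader)}:
 * <ul>
 *   <li>no {@link IndicesAccessControl} in the thread context: an authorization error is thrown;</li>
 *   <li>the shard id cannot be extracted from the reader: {@link IllegalStateException};</li>
 *   <li>a document-level filter has to be built but no user is present: {@link NullPointerException};</li>
 *   <li>an {@link IOException} while wrapping: logged, then rethrown via {@link ExceptionsHelper#convertToElastic}.</li>
 * </ul>
 *
 * <p>Two paths return the reader <em>unfiltered</em>: the license does not allow
 * document/field level security, or the access control holds no entry for the shard's index.
 */
public class SecurityIndexReaderWrapper implements CheckedFunction<DirectoryReader, DirectoryReader, IOException> {
    private static final Logger logger = LogManager.getLogger(SecurityIndexReaderWrapper.class);
    private final Function<ShardId, QueryShardContext> queryShardContextProvider;
    private final DocumentSubsetBitsetCache bitsetCache;
    private final XPackLicenseState licenseState;
    private final SecurityContext securityContext;
    private final ScriptService scriptService;

    /**
     * @param queryShardContextProvider supplies the {@link QueryShardContext} for a shard; passed on to
     *                                  {@link DocumentPermissions#filter} when the role query is built
     * @param bitsetCache               cache handed to {@link DocumentSubsetReader#wrap}
     * @param securityContext           source of the thread context and of the current user
     * @param licenseState              consulted on every call to decide whether wrapping happens at all
     * @param scriptService             passed on to {@link DocumentPermissions#filter}
     */
    public SecurityIndexReaderWrapper(Function<ShardId, QueryShardContext> queryShardContextProvider, DocumentSubsetBitsetCache bitsetCache, SecurityContext securityContext, XPackLicenseState licenseState, ScriptService scriptService) {
        this.scriptService = scriptService;
        this.queryShardContextProvider = queryShardContextProvider;
        this.bitsetCache = bitsetCache;
        this.securityContext = securityContext;
        this.licenseState = licenseState;
    }

    /**
     * Returns a reader restricted by the document and field permissions that apply to the
     * index the given reader belongs to.
     *
     * @param directoryReader the shard reader to restrict
     * @return the restricted reader, or {@code directoryReader} itself on the two pass-through paths
     * @throws IllegalStateException if no shard id can be extracted from {@code directoryReader}
     * @throws NullPointerException  if a document-level filter is required and no user is available
     */
    @Override
    public DirectoryReader apply(DirectoryReader directoryReader) {
        // NOTE(review): with DLS/FLS unlicensed the reader is returned unfiltered, so restrictions
        // defined on a role are not enforced at this layer. Presumably such requests are rejected
        // before a reader is opened; confirm against the authorization path.
        if (!this.licenseState.isDocumentAndFieldLevelSecurityAllowed()) {
            return directoryReader;
        }
        try {
            // Resolved first so that a missing access-control object fails the request
            // before anything else is looked at.
            IndicesAccessControl indicesAccessControl = getIndicesAccessControl();
            ShardId shardId = ShardUtils.extractShardId(directoryReader);
            if (shardId == null) {
                throw new IllegalStateException(LoggerMessageFormat.format("couldn't extract shardId from reader [{}]", directoryReader));
            }
            IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(shardId.getIndexName());
            // NOTE(review): no entry for this index means no wrapping at all. This is only safe if
            // index-level authorization has already been enforced by the caller; verify.
            if (indexPermissions == null) {
                return directoryReader;
            }
            DirectoryReader wrappedReader = directoryReader;
            DocumentPermissions documentPermissions = indexPermissions.getDocumentPermissions();
            if (documentPermissions != null && documentPermissions.hasDocumentLevelPermissions()) {
                BooleanQuery filter = documentPermissions.filter(getUser(), this.scriptService, shardId, this.queryShardContextProvider);
                if (filter != null) {
                    // Document-level restriction goes on first; the field-level filter below wraps it.
                    wrappedReader = DocumentSubsetReader.wrap(wrappedReader, this.bitsetCache, new ConstantScoreQuery(filter));
                }
            }
            return indexPermissions.getFieldPermissions().filter(wrappedReader);
        } catch (IOException e) {
            // Attach the cause: without it the log line cannot be tied to a concrete failure.
            // The message text is kept as it was so existing log matching still works; note that
            // this block covers document-level filtering as well as field-level filtering.
            logger.error("Unable to apply field level security", e);
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    /**
     * Reads the {@link IndicesAccessControl} stored as a transient in the thread context under
     * {@link AuthorizationServiceField#INDICES_PERMISSIONS_KEY}.
     *
     * @return the access control object, never {@code null}
     * @throws RuntimeException the authorization error built by {@link Exceptions#authorizationError}
     *                          when no such transient is present
     */
    protected IndicesAccessControl getIndicesAccessControl() {
        IndicesAccessControl indicesAccessControl = (IndicesAccessControl) this.securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
        if (indicesAccessControl == null) {
            // Fail closed: absence of permissions is treated as an error, not as "no restrictions".
            throw Exceptions.authorizationError("no indices permissions found");
        }
        return indicesAccessControl;
    }

    /**
     * Returns the user from the security context.
     *
     * @return the current user, never {@code null}
     * @throws NullPointerException if the security context holds no user
     */
    protected User getUser() {
        return Objects.requireNonNull(this.securityContext.getUser(), "no user found in the security context");
    }
}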
