package com.huawei.es.security.auth.server.transport.filter;

import com.huawei.es.security.auth.server.transport.KerberosRequestHandler;
import com.huawei.es.security.auth.server.transport.authz.AuthorizationService;
import com.huawei.es.security.auth.server.transport.common.TransportConstant;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.action.support.ActionFilterChain;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/huawei/es/security/auth/server/transport/filter/TransportSecurityFilter.class */
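/**
 * Action filter that calls {@link AuthorizationService#doAuthorise} for transport actions and
 * copies a user name from request headers into the thread context.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Authorisation is attempted only when the {@code TransportConstant.CUSTOMISED_MODE} header
 *       equals {@code KerberosRequestHandler.CLIENT}. A request without that header value is passed
 *       down the chain without an authorisation call.</li>
 *   <li>The {@code username} transient is taken from header values as they arrive; this class does
 *       not verify them.</li>
 *   <li>Action names matched by {@link #isRequestPass(String)} skip the authorisation call.</li>
 * </ul>
 * NOTE(review): all three points rely on an earlier layer having authenticated the peer and on the
 * headers not being settable by a remote client. Confirm against the code that populates them.
 */
public class TransportSecurityFilter implements ActionFilter {
    private static final Logger LOG = LogManager.getLogger(TransportSecurityFilter.class);
    private final ThreadContext threadContext;
    private final AuthorizationService authzService;
    private static final String GLOBAL_CHECKPOINT = "indices:admin/seq_no";
    private static final String INTERNAL_PREFIX = "internal:";
    private static final String TRANSPORT_PROXY_PREFIX = "internal:transport/proxy";
    private static final String CLOSE_CURSOR = "indices:data/read/sql/close_cursor";
    private static final String SERVER_PREFIX = "server:";

    /**
     * @param threadPool source of the {@link ThreadContext} whose headers this filter reads
     * @param authorizationService service asked to authorise actions that are not exempt
     */
    public TransportSecurityFilter(ThreadPool threadPool, AuthorizationService authorizationService) {
        this.threadContext = threadPool.getThreadContext();
        this.authzService = authorizationService;
    }

    /**
     * Returns the filter's position in the chain.
     *
     * @return {@code Integer.MIN_VALUE + 1}; Elasticsearch runs action filters from lowest order to
     *     highest, so this filter is placed near the front of the chain
     */
    public int order() {
        return Integer.MIN_VALUE + 1;
    }

    /**
     * Authorises the action when the request is marked as a client request, records the user name,
     * then hands the request to the next filter.
     *
     * <p>Nothing in this method catches an exception from {@code doAuthorise}, so a throw from it
     * prevents {@code proceed} from being called.
     *
     * @param task task the action runs under
     * @param str transport action name
     * @param t the action request
     * @param actionListener listener passed on to the chain unchanged
     * @param actionFilterChain remainder of the filter chain
     * @throws UnsupportedOperationException if the thread context is {@code null}
     */
    public <T extends ActionRequest, E extends ActionResponse> void apply(Task task, String str, T t, ActionListener<E> actionListener, ActionFilterChain<T, E> actionFilterChain) {
        if (this.threadContext == null) {
            throw new UnsupportedOperationException("threadContext can't be null for this operation");
        }
        LOG.debug("Enter TransportSecurityFilter, action:{}", str);
        // Authorisation is opt-in on the header value: any other value, or a missing header,
        // falls through to proceed() without an authorisation call.
        if (KerberosRequestHandler.CLIENT.equals(this.threadContext.getHeader(TransportConstant.CUSTOMISED_MODE))) {
            LOG.debug("Received action:{}", str);
            if (!isRequestPass(str)) {
                this.authzService.doAuthorise(str, t);
            }
        }
        putUserNameInRangerMode();
        actionFilterChain.proceed(task, str, t, actionListener);
    }

    /**
     * Sets the {@code username} transient when it is not already present, preferring the
     * {@code CUSTOMISED_USER} header and falling back to the user part of the
     * {@code CUSTOMISED_COOKIE} header.
     */
    private void putUserNameInRangerMode() {
        if (this.threadContext.getTransient("username") != null) {
            return;
        }
        String userHeader = this.threadContext.getHeader(TransportConstant.CUSTOMISED_USER);
        String cookieHeader = this.threadContext.getHeader(TransportConstant.CUSTOMISED_COOKIE);
        if (userHeader != null) {
            this.threadContext.putTransient("username", userHeader);
        } else if (cookieHeader != null) {
            // NOTE(review): getUserFromCookie returns null for a cookie it cannot parse, so a null
            // user name can be stored here. Confirm that consumers of "username" handle that.
            this.threadContext.putTransient("username", getUserFromCookie(cookieHeader));
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("TransportRangerSecurityFilter can not get {} or {}, skip set thread context header.", TransportConstant.CUSTOMISED_USER, TransportConstant.CUSTOMISED_COOKIE);
        }
    }

    /**
     * Extracts the text between the first {@code "u="} and the character preceding the first
     * {@code "p="} in the cookie value.
     *
     * <p>The cookie arrives in a request header, so it is parsed defensively: a value in which
     * {@code "p="} does not come after the user field returns {@code null} instead of letting
     * {@code substring} throw {@link StringIndexOutOfBoundsException} out of the filter.
     *
     * @param str cookie header value, non-null
     * @return the user field, or {@code null} when either marker is missing or they are out of order
     */
    private String getUserFromCookie(String str) {
        int userMarker = str.indexOf("u=");
        int endMarker = str.indexOf("p=");
        if (userMarker < 0 || endMarker < 0) {
            return null;
        }
        int begin = userMarker + 2;
        // The character before "p=" is treated as the field separator and is dropped.
        int end = endMarker - 1;
        if (end < begin) {
            return null;
        }
        return str.substring(begin, end);
    }

    /**
     * Tells whether an action skips the authorisation call.
     *
     * <p>Exempt are names that start with {@code indices:admin/seq_no} or {@code server:}, names
     * that start with {@code internal:} other than those starting with
     * {@code internal:transport/proxy}, and the scroll-related actions. The first three are prefix
     * matches, so every action name that shares the prefix is exempt as well.
     *
     * @param str transport action name
     * @return {@code true} when no authorisation call is made for the action
     */
    private boolean isRequestPass(String str) {
        if (str.startsWith(GLOBAL_CHECKPOINT) || str.startsWith(SERVER_PREFIX)) {
            return true;
        }
        if (str.startsWith(INTERNAL_PREFIX) && !str.startsWith(TRANSPORT_PROXY_PREFIX)) {
            return true;
        }
        return isScrollRelatedAction(str);
    }

    /**
     * Matches, by exact name, the scroll phase and cursor-cleanup actions that are exempt from
     * the authorisation call.
     *
     * @param str transport action name
     * @return {@code true} when the name equals one of the listed actions
     */
    private static boolean isScrollRelatedAction(String str) {
        return str.equals("indices:data/read/search[phase/fetch/id/scroll]")
            || str.equals("indices:data/read/search[phase/query+fetch/scroll]")
            || str.equals("indices:data/read/search[phase/query/scroll]")
            || str.equals("indices:data/read/search[free_context/scroll]")
            || str.equals(CLOSE_CURSOR)
            || str.equals("indices:data/read/search[clear_scroll_contexts]");
    }
}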
