package com.huawei.es.security.auth.server.transport.authz;

import com.carrotsearch.hppc.cursors.ObjectCursor;
import com.google.common.collect.Sets;
import com.huawei.es.security.audit.AuditLog;
import com.huawei.es.security.auth.server.transport.bean.IndexScope;
import com.huawei.es.security.auth.server.transport.bean.PermissionGroup;
import com.huawei.es.security.auth.server.transport.common.TransportConstant;
import com.huawei.es.security.auth.server.transport.common.TransportUtils;
import com.huawei.es.security.auth.server.transport.common.WildcardHelper;
import com.huawei.es.security.author.bean.AuthorizationException;
import com.huawei.es.security.author.bean.IndicesPermission;
import com.huawei.es.security.author.bean.OpType;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.author.tool.AuthorityUtil;
import com.huawei.es.security.author.tool.PermissionChecker;
import com.huawei.es.security.index.SecurityIndexManager;
import com.huawei.es.security.plugin.KerberosPlugin;
import com.huawei.es.security.ssl.HwSecurityConstants;
import com.huawei.es.security.util.ZkAclUtil;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.zookeeper.ZooKeeper;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.OriginalIndices;
import org.elasticsearch.action.admin.cluster.storedscripts.DeleteStoredScriptRequest;
import org.elasticsearch.action.admin.cluster.storedscripts.PutStoredScriptRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexRequest;
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
import org.elasticsearch.action.admin.indices.shrink.ResizeRequest;
import org.elasticsearch.action.admin.indices.template.delete.DeleteComponentTemplateAction;
import org.elasticsearch.action.admin.indices.template.delete.DeleteComposableIndexTemplateAction;
import org.elasticsearch.action.admin.indices.template.delete.DeleteIndexTemplateRequest;
import org.elasticsearch.action.admin.indices.template.put.PutComponentTemplateAction;
import org.elasticsearch.action.admin.indices.template.put.PutComposableIndexTemplateAction;
import org.elasticsearch.action.admin.indices.template.put.PutIndexTemplateRequest;
import org.elasticsearch.action.bulk.BulkItemRequest;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.fieldcaps.FieldCapabilitiesRequest;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.ingest.DeletePipelineRequest;
import org.elasticsearch.action.ingest.PutPipelineRequest;
import org.elasticsearch.action.search.ClearScrollRequest;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.action.termvectors.MultiTermVectorsRequest;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.Metadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.netty4.pipelining.UpdateIndexInfo2ZKChannelHandler;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.reindex.ReindexRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/huawei/es/security/auth/server/transport/authz/PrivilegeHelper.class */
public class PrivilegeHelper {
    private static final Logger LOG;
    private ThreadContext threadContext;
    private final ClusterService clusterService;
    private static final Set<String> NULL_SET;
    private static final Set<String> NO_INDICES_SET;
    private final IndexNameExpressionResolver resolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
    private final String[] deniedActions;
    private final AuditLog auditLog;
    private SolrZkClient solrZkClient;
    private SecurityIndexManager securityIndexManager;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.huawei.es.security.auth.server.transport.authz.PrivilegeHelper$1, reason: invalid class name */
    /* loaded from: input_file:com/huawei/es/security/auth/server/transport/authz/PrivilegeHelper$1.class */
    // Decompiler rendering of a compiler-generated holder for enum-switch lookup tables.
    // Each int[] is indexed by an enum constant's ordinal() and holds the case number
    // used by a switch over that enum. The switch statements that read these tables are
    // not part of this view.
    public static /* synthetic */ class AnonymousClass1 {
        // Lookup table for switches over DocWriteRequest.OpType (INDEX, CREATE, UPDATE, DELETE).
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType;
        // Lookup table for switches over PermissionGroup; sized from the enum's value count at class-load time.
        static final /* synthetic */ int[] $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup = new int[PermissionGroup.values().length];

        static {
            // Every assignment is wrapped separately: if an enum constant is missing at run
            // time, the NoSuchFieldError is discarded and that slot keeps its default of 0,
            // which matches none of the case numbers assigned below (they start at 1).
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.ACCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.WRITE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.READ.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.READ_ACCESS.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.JUST_WRITE_OR_READ.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.WRITE_OR_READ.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.INDEX_OWNER.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.TEMPLATE_OWNER.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.SCRIPT_OWNER.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.PIPELINE_OWNER.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.EMPTY_PERMISSION.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[PermissionGroup.SUPPER.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
            // Second table, allocated here rather than in the field initializer.
            $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType = new int[DocWriteRequest.OpType.values().length];
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.INDEX.ordinal()] = 1;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.CREATE.ordinal()] = 2;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.UPDATE.ordinal()] = 3;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[DocWriteRequest.OpType.DELETE.ordinal()] = 4;
            } catch (NoSuchFieldError e16) {
            }
        }
    }

    /**
     * Wires the helper to its collaborators and fixes the list of action patterns
     * that {@code evaluate} refuses for non-super users when the request targets
     * every index.
     *
     * @param clusterService cluster state accessor, used for template and pipeline lookups
     * @param threadContext request-scoped header store that the authorisation steps read and write
     * @param securityIndexManager sink for index-owner records when that storage is enabled
     * @param solrZkClient ZooKeeper client used to record index owners
     * @param auditLog audit sink for index-creation events
     */
    public PrivilegeHelper(ClusterService clusterService, ThreadContext threadContext, SecurityIndexManager securityIndexManager, SolrZkClient solrZkClient, AuditLog auditLog) {
        this.clusterService = clusterService;
        this.threadContext = threadContext;
        this.securityIndexManager = securityIndexManager;
        this.solrZkClient = solrZkClient;
        this.auditLog = auditLog;
        // Wildcard patterns, matched against the action name by WildcardHelper.matchAnyone in evaluate().
        this.deniedActions = new String[] {
            "indices:data/write*",
            "indices:admin/close",
            "indices:admin/delete"
        };
    }

    /**
     * Returns the index-name expression resolver owned by this helper.
     *
     * @return the resolver instance created together with this object
     */
    public IndexNameExpressionResolver getResolver() {
        return resolver;
    }

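    /**
     * Routes an action whose outcome is recorded as ownership metadata to the
     * matching authorisation routine.
     *
     * <p>The decompiled original was a hash-code switch followed by a second switch
     * over a {@code boolean} with repeated {@code case true} labels, which is not
     * valid Java. This version switches on the action name directly and keeps the
     * same action-to-routine mapping.
     *
     * @param str the transport action name
     * @param transportRequest the request being authorised
     * @param permissionChecker the caller's permission checker
     * @param settings node settings handed through to the individual routines
     * @throws AuthorizationException if the selected routine denies the request
     */
    private void doAuthoriseInvolvedZK(String str, TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings) throws AuthorizationException {
        switch (str) {
            case "indices:admin/template/put":
            case "cluster:admin/component_template/put":
            case "indices:admin/index_template/put":
                doPutIndexTemplateAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "indices:admin/template/delete":
            case "cluster:admin/component_template/delete":
            case "indices:admin/index_template/delete":
                doDeleteIndexTemplateAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "cluster:admin/script/put":
                doPutScriptAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "cluster:admin/script/delete":
                doDeleteScriptAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "cluster:admin/ingest/pipeline/put":
                doPutPipelineAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "cluster:admin/ingest/pipeline/delete":
                doDeletePipelineAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "indices:admin/delete":
                doDeleteIndexAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            case "indices:admin/create":
            case "indices:admin/auto_create":
                doCreateIndexAuthorise(transportRequest, permissionChecker, settings, str);
                return;
            default:
                // NOTE(review): an action that reaches this method but is not listed above
                // returns without any permission check, and evaluate() returns straight after
                // this call. Confirm that ZkAclUtil.isNeedUpdateZk accepts exactly the actions
                // listed here; otherwise this branch is a fail-open path.
                return;
        }
    }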

    /**
     * Authorises an index-creation request and records who asked for it.
     *
     * <p>The configuration-based check is skipped for super users and when Ranger
     * authorisation is enabled. Afterwards the requested indices are published in the
     * {@code ORIGIN_INDEX2TYPE} header, the owner is written out and the audit log is
     * notified.
     *
     * @param transportRequest the request; anything other than a {@link CreateIndexRequest} is ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if the configuration-based check denies the request
     */
    private void doCreateIndexAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        LOG.debug("In doCreateIndexAuthorise action[{}]", str);
        if (!(transportRequest instanceof CreateIndexRequest)) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        Set<String> targetIndices = parseIndices(str, transportRequest);
        LOG.debug("doCreateIndexAuthorise action[{}], index[{}]", str, targetIndices);
        boolean needsConfCheck = !permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting());
        if (needsConfCheck) {
            doAuthoriseByConf(permissionChecker, settings, str, targetIndices, false);
        }
        HashMap<String, OpType> createOps = new HashMap<>();
        for (String indexName : targetIndices) {
            createOps.put(indexName, OpType.CREATE);
        }
        if (LOG.isDebugEnabled() && threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_INDEX2TYPE)) {
            LOG.debug("ORIGIN_INDEX2TYPE exit, which is:{}", threadContext.getHeader(TransportConstant.ORIGIN_INDEX2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(threadContext, TransportConstant.ORIGIN_INDEX2TYPE, TransportUtils.serializeObject(createOps));
        // The owner is whatever the CUSTOMISED_USER header holds; no null check is made here.
        String owner = threadContext.getHeaders().get(TransportConstant.CUSTOMISED_USER);
        // NOTE(review): ownership and the "index created" audit event are written during
        // authorisation. Nothing in this method shows that the create action has succeeded
        // at that point; confirm the ordering is intended.
        writeIndexOwner(targetIndices, owner, settings);
        auditLog.logIndexCreated(targetIndices.toArray(new String[0]), owner);
        logOriginHeadersWhenDebug("doCreateIndexAuthorise");
    }

    /**
     * Persists the owner of newly requested indices.
     *
     * <p>The ZooKeeper record is written unless Ranger authorisation is enabled. The
     * security-index record is written when {@code KerberosPlugin.STORE_SECURITY_INFO}
     * is set.
     *
     * @param set names of the indices being created
     * @param str the owning user as passed by the caller
     * @param settings node settings consulted for the security-index switch
     */
    private void writeIndexOwner(Set<String> set, String str, Settings settings) {
        boolean rangerEnabled = AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting());
        if (!rangerEnabled) {
            writeIndexOwner2ZK(set, str);
        }
        boolean storeInSecurityIndex = ((Boolean) KerberosPlugin.STORE_SECURITY_INFO.get(settings)).booleanValue();
        if (!storeInSecurityIndex) {
            return;
        }
        // Raw map kept as decompiled: the parameter type of write2SecurityIndex is not visible here.
        HashMap createOps = new HashMap(set.size());
        for (String indexName : set) {
            createOps.put(indexName, OpType.CREATE);
        }
        this.securityIndexManager.write2SecurityIndex(str, createOps);
    }

    /**
     * Records the owner of each index in ZooKeeper on a best-effort basis.
     *
     * <p>A failure for one index is logged and the loop moves on to the next. If the
     * ZooKeeper session turns out to be closed, the client is replaced so that later
     * writes can succeed.
     *
     * @param set names of the indices being created
     * @param str the owning user
     */
    private void writeIndexOwner2ZK(Set<String> set, String str) {
        for (String indexName : set) {
            try {
                UpdateIndexInfo2ZKChannelHandler.updateIndexInfo2Zk(indexName, OpType.CREATE, this.solrZkClient, str);
            } catch (Exception e) {
                // NOTE(review): the error is only logged, so this index may end up without an
                // owner record while the request still proceeds. Confirm how later ownership
                // checks treat an index that has no record.
                boolean sessionClosed = this.solrZkClient.getSolrZooKeeper().getState() == ZooKeeper.States.CLOSED;
                if (!sessionClosed) {
                    LOG.error("Update index info[{} : {}] to ZK failed.", indexName, str, e);
                    continue;
                }
                LOG.error("Update index info[{} : {}] to ZK failed, because keeper was closed.", indexName, str, e);
                // NOTE(review): the failed write is not retried with the new client, and the
                // field is reassigned with no synchronisation visible in this method.
                this.solrZkClient = ZkAclUtil.getNewZkClient(this.solrZkClient);
            }
        }
    }

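    /**
     * Authorises creation or update of a legacy, composable or component template.
     *
     * <p>For callers that are not super users, and when Ranger authorisation is off,
     * an existing template goes through the configuration-based check and a new one
     * only needs the access privilege. The template name is then published in the
     * {@code ORIGIN_TEMPLATE2TYPE} header.
     *
     * <p>Fix: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed.
     *
     * @param transportRequest the request; types other than the three template put requests are ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if a check denies the request
     */
    private void doPutIndexTemplateAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        String templateName;
        if (transportRequest instanceof PutIndexTemplateRequest) {
            templateName = ((PutIndexTemplateRequest) transportRequest).name();
        } else if (transportRequest instanceof PutComposableIndexTemplateAction.Request) {
            templateName = ((PutComposableIndexTemplateAction.Request) transportRequest).name();
        } else if (transportRequest instanceof PutComponentTemplateAction.Request) {
            templateName = ((PutComponentTemplateAction.Request) transportRequest).name();
        } else {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            // NOTE(review): the same existence lookup serves all three template kinds;
            // confirm it consults the metadata that matches the request type.
            if (TransportUtils.isTemplateExit(this.clusterService, templateName)) {
                doAuthoriseByConf(permissionChecker, settings, str, Sets.newHashSet(new String[]{templateName}), false);
            } else {
                permissionChecker.checkAccessPrivilege();
            }
        }
        HashMap<String, OpType> templateOps = new HashMap<>(1);
        templateOps.put(templateName, OpType.CREATE_TEMPLATE);
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_TEMPLATE2TYPE)) {
            LOG.debug("ORIGIN_TEMPLATE2TYPE exit, which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_TEMPLATE2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_TEMPLATE2TYPE, TransportUtils.serializeObject(templateOps));
        logOriginHeadersWhenDebug("doPutIndexTemplateAuthorise");
    }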

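    /**
     * Authorises deletion of legacy, composable or component templates.
     *
     * <p>The requested name may be a pattern. It is expanded against the templates
     * present in cluster metadata, and the configuration-based check runs on the
     * expanded names unless the caller is a super user or Ranger authorisation is
     * enabled. The matched names are published in the {@code ORIGIN_TEMPLATE2TYPE}
     * header.
     *
     * <p>Fix: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed.
     *
     * @param transportRequest the request; types other than the three template delete requests are ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if the configuration-based check denies the request
     */
    private void doDeleteIndexTemplateAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        boolean isTemplateDelete = (transportRequest instanceof DeleteIndexTemplateRequest)
                || (transportRequest instanceof DeleteComponentTemplateAction.Request)
                || (transportRequest instanceof DeleteComposableIndexTemplateAction.Request);
        if (!isTemplateDelete) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        // NOTE(review): as decompiled, both the debug line and the match-all test use the
        // EMPYT_STRING constant and not the requested template name, so the match-all flag
        // given to doAuthoriseByConf does not depend on the request. Left unchanged because
        // doAuthoriseByConf is not visible here; confirm against the original source.
        LOG.debug("action[{}], template[{}]", str, AuthorityConstants.EMPYT_STRING);
        boolean isMatchAllPattern = Regex.isMatchAllPattern(AuthorityConstants.EMPYT_STRING);
        Set<String> matchedTemplates = new HashSet<>();
        if (transportRequest instanceof DeleteIndexTemplateRequest) {
            String pattern = ((DeleteIndexTemplateRequest) transportRequest).name();
            for (ObjectCursor<String> cursor : this.clusterService.state().metadata().templates().keys()) {
                addTemplateName(pattern, matchedTemplates, cursor.value);
            }
        }
        if (transportRequest instanceof DeleteComponentTemplateAction.Request) {
            String pattern = ((DeleteComponentTemplateAction.Request) transportRequest).name();
            for (String existing : this.clusterService.state().metadata().componentTemplates().keySet()) {
                addTemplateName(pattern, matchedTemplates, existing);
            }
        }
        if (transportRequest instanceof DeleteComposableIndexTemplateAction.Request) {
            String pattern = ((DeleteComposableIndexTemplateAction.Request) transportRequest).name();
            for (String existing : this.clusterService.state().metadata().templatesV2().keySet()) {
                addTemplateName(pattern, matchedTemplates, existing);
            }
        }
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            doAuthoriseByConf(permissionChecker, settings, str, matchedTemplates, isMatchAllPattern);
        }
        HashMap<String, OpType> templateOps = new HashMap<>();
        for (String templateName : matchedTemplates) {
            templateOps.put(templateName, OpType.DELETE_TEMPLATE);
        }
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_TEMPLATE2TYPE)) {
            LOG.debug("ORIGIN_TEMPLATE2TYPE exit,which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_TEMPLATE2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_TEMPLATE2TYPE, TransportUtils.serializeObject(templateOps));
        logOriginHeadersWhenDebug("doDeleteIndexTemplateAuthorise");
    }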

    /**
     * Adds {@code str2} to {@code set} when it matches the simple wildcard pattern {@code str}.
     *
     * @param str the requested name or pattern
     * @param set the set that collects matching names
     * @param str2 an existing template name to test
     */
    private void addTemplateName(String str, Set<String> set, String str2) {
        if (!Regex.simpleMatch(str, str2)) {
            return;
        }
        set.add(str2);
    }

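    /**
     * Authorises creation or update of a stored script.
     *
     * <p>For callers that are not super users, and when Ranger authorisation is off,
     * an existing script goes through the configuration-based check and a new one only
     * needs the access privilege. The script id is then published in the
     * {@code ORIGIN_TEMPLATE2TYPE} header.
     *
     * <p>Fix: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed.
     *
     * @param transportRequest the request; anything other than a {@link PutStoredScriptRequest} is ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if a check denies the request
     */
    private void doPutScriptAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        if (!(transportRequest instanceof PutStoredScriptRequest)) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        String scriptId = ((PutStoredScriptRequest) transportRequest).id();
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            if (TransportUtils.isScriptExit(scriptId)) {
                doAuthoriseByConf(permissionChecker, settings, str, Sets.newHashSet(new String[]{scriptId}), false);
            } else {
                permissionChecker.checkAccessPrivilege();
            }
        }
        HashMap<String, OpType> scriptOps = new HashMap<>(1);
        scriptOps.put(scriptId, OpType.CREATE_TEMPLATE_SCRIPTS);
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_TEMPLATE2TYPE)) {
            LOG.debug("ORIGIN_TEMPLATE2TYPE exit,which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_TEMPLATE2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_TEMPLATE2TYPE, TransportUtils.serializeObject(scriptOps));
        logOriginHeadersWhenDebug("doPutScriptAuthorise");
    }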

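    /**
     * Authorises deletion of a stored script.
     *
     * <p>The configuration-based check runs unless the caller is a super user or Ranger
     * authorisation is enabled. The script id is then published in the
     * {@code ORIGIN_TEMPLATE2TYPE} header.
     *
     * <p>Fix: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed.
     *
     * @param transportRequest the request; anything other than a {@link DeleteStoredScriptRequest} is ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if the configuration-based check denies the request
     */
    private void doDeleteScriptAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        if (!(transportRequest instanceof DeleteStoredScriptRequest)) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        String scriptId = ((DeleteStoredScriptRequest) transportRequest).id();
        LOG.debug("action[{}], script[{}]", str, scriptId);
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            doAuthoriseByConf(permissionChecker, settings, str, Sets.newHashSet(new String[]{scriptId}), false);
        }
        HashMap<String, OpType> scriptOps = new HashMap<>(1);
        scriptOps.put(scriptId, OpType.DELETE_TEMPLATE_SCRIPTS);
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_TEMPLATE2TYPE)) {
            LOG.debug("ORIGIN_TEMPLATE2TYPE exit, which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_TEMPLATE2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_TEMPLATE2TYPE, TransportUtils.serializeObject(scriptOps));
        logOriginHeadersWhenDebug("doDeleteScriptAuthorise");
    }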

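    /**
     * Authorises creation or update of an ingest pipeline.
     *
     * <p>For callers that are not super users, and when Ranger authorisation is off,
     * an existing pipeline goes through the configuration-based check and a new one
     * only needs the access privilege. The pipeline id is then published in the
     * {@code ORIGIN_PIPELINE2TYPE} header.
     *
     * <p>Fixes: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed. The header dump is now labelled with this
     * method's own name; it used to carry the name of the delete routine.
     *
     * @param transportRequest the request; anything other than a {@link PutPipelineRequest} is ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if a check denies the request
     */
    private void doPutPipelineAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        if (!(transportRequest instanceof PutPipelineRequest)) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        String pipelineId = ((PutPipelineRequest) transportRequest).getId();
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            if (TransportUtils.isPipelineExit(this.clusterService, pipelineId)) {
                doAuthoriseByConf(permissionChecker, settings, str, Sets.newHashSet(new String[]{pipelineId}), false);
            } else {
                permissionChecker.checkAccessPrivilege();
            }
        }
        HashMap<String, OpType> pipelineOps = new HashMap<>(1);
        pipelineOps.put(pipelineId, OpType.CREATE_PIPELINE);
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_PIPELINE2TYPE)) {
            LOG.debug("ORIGIN_PIPELINE2TYPE exit, which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_PIPELINE2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_PIPELINE2TYPE, TransportUtils.serializeObject(pipelineOps));
        logOriginHeadersWhenDebug("doPutPipelineAuthorise");
    }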

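    /**
     * Authorises deletion of ingest pipelines.
     *
     * <p>The requested id may be a pattern. It is expanded by
     * {@code TransportUtils.getPipelineByPattern}, and the configuration-based check
     * runs on the expanded ids unless the caller is a super user or Ranger
     * authorisation is enabled. The matched ids are published in the
     * {@code ORIGIN_PIPELINE2TYPE} header.
     *
     * <p>Fix: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed.
     *
     * @param transportRequest the request; anything other than a {@link DeletePipelineRequest} is ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if the configuration-based check denies the request
     */
    private void doDeletePipelineAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        if (!(transportRequest instanceof DeletePipelineRequest)) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        String pipelinePattern = ((DeletePipelineRequest) transportRequest).getId();
        LOG.debug("action[{}], pipeline[{}]", str, pipelinePattern);
        boolean isMatchAllPattern = Regex.isMatchAllPattern(pipelinePattern);
        Set<String> matchedPipelines = TransportUtils.getPipelineByPattern(this.clusterService, pipelinePattern);
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            doAuthoriseByConf(permissionChecker, settings, str, matchedPipelines, isMatchAllPattern);
        }
        HashMap<String, OpType> pipelineOps = new HashMap<>();
        for (String pipelineId : matchedPipelines) {
            pipelineOps.put(pipelineId, OpType.DELETE_PIPELINE);
        }
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_PIPELINE2TYPE)) {
            LOG.debug("ORIGIN_PIPELINE2TYPE exit, which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_PIPELINE2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_PIPELINE2TYPE, TransportUtils.serializeObject(pipelineOps));
        logOriginHeadersWhenDebug("doDeletePipelineAuthorise");
    }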

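    /**
     * Dumps the thread-context headers to the debug log, leaving out the
     * authorization and cookie headers.
     *
     * <p>Fix: the header map is now typed. The decompiled form iterated a raw
     * {@code Map} as {@code Map.Entry}, which does not compile.
     *
     * @param str name of the calling method, used as a label in the log
     */
    private void logOriginHeadersWhenDebug(String str) {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        Map<String, String> headers = this.threadContext.getHeaders();
        if (headers.isEmpty()) {
            return;
        }
        LOG.debug("In method {}, the header is as follow.", str);
        for (Map.Entry<String, String> header : headers.entrySet()) {
            String headerName = header.getKey();
            // NOTE(review): only these two header names are withheld, and the comparison is
            // case-sensitive. Every other header value is written to the debug log; confirm
            // that no other header carries credentials or tokens.
            boolean withheld = TransportConstant.CUSTOMISED_AUTHORIZATION.equals(headerName)
                    || TransportConstant.CUSTOMISED_COOKIE.equals(headerName);
            if (!withheld) {
                LOG.debug("{} : {}.", headerName, header.getValue());
            }
        }
    }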

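    /**
     * Authorises an index-deletion request.
     *
     * <p>The configuration-based check runs unless the caller is a super user or Ranger
     * authorisation is enabled. It is told whether the request names every index. The
     * resolved index names are then published in the {@code ORIGIN_INDEX2TYPE} header.
     *
     * <p>Fix: the debug message now has a {@code {}} placeholder, so the existing
     * header value is actually printed.
     *
     * @param transportRequest the request; anything other than a {@link DeleteIndexRequest} is ignored
     * @param permissionChecker the caller's permission checker
     * @param settings node settings
     * @param str the transport action name
     * @throws AuthorizationException if the configuration-based check denies the request
     */
    private void doDeleteIndexAuthorise(TransportRequest transportRequest, PermissionChecker permissionChecker, Settings settings, String str) throws AuthorizationException {
        if (!(transportRequest instanceof DeleteIndexRequest)) {
            // NOTE(review): a request of any other type passes through without a check.
            return;
        }
        Set<String> targetIndices = parseIndices(str, transportRequest);
        LOG.debug("action[{}], index[{}]", str, targetIndices);
        boolean targetsAllIndices = targetIndices.contains(AuthorityConstants.ALL) || targetIndices.contains(AuthorityConstants.PATTERN_STAR);
        if (!permissionChecker.isSuper() && !AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            doAuthoriseByConf(permissionChecker, settings, str, targetIndices, targetsAllIndices);
        }
        HashMap<String, OpType> deleteOps = new HashMap<>();
        for (String indexName : targetIndices) {
            deleteOps.put(indexName, OpType.DELETE);
        }
        if (LOG.isDebugEnabled() && this.threadContext.getHeaders().containsKey(TransportConstant.ORIGIN_INDEX2TYPE)) {
            LOG.debug("ORIGIN_INDEX2TYPE exit, which is:{}", this.threadContext.getHeader(TransportConstant.ORIGIN_INDEX2TYPE));
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_INDEX2TYPE, TransportUtils.serializeObject(deleteOps));
        logOriginHeadersWhenDebug("doDeleteIndexAuthorise");
    }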

    /**
     * Entry point for authorising a transport request. Denial is signalled by throwing
     * {@link AuthorizationException}.
     *
     * <p>Order of decisions, as visible here:
     * <ol>
     *   <li>Actions accepted by {@code ZkAclUtil.isNeedUpdateZk} are handed to
     *       {@code doAuthoriseInvolvedZK} and nothing further is checked.</li>
     *   <li>If Ranger authorisation is enabled, or {@code isRequestPass} accepts the
     *       action, no check is made here.</li>
     *   <li>A clear-scroll request needs the super privilege only when it names all scrolls.</li>
     *   <li>Super users pass once the requested indices have been recorded in the thread context.</li>
     *   <li>Regular users may not run a denied action against every index.</li>
     *   <li>Otherwise bulk shard requests are checked item by item, and all other requests as a whole.</li>
     * </ol>
     *
     * @param permissionChecker the caller's permission checker
     * @param str the transport action name
     * @param transportRequest the request being authorised
     * @param settings node settings
     * @throws AuthorizationException if the request is denied
     */
    public void evaluate(PermissionChecker permissionChecker, String str, TransportRequest transportRequest, Settings settings) throws AuthorizationException {
        if (ZkAclUtil.isNeedUpdateZk(str)) {
            doAuthoriseInvolvedZK(str, transportRequest, permissionChecker, settings);
            return;
        }
        // NOTE(review): with Ranger enabled this method makes no decision at all; presumably
        // the decision is taken elsewhere. Confirm that path is always active.
        boolean noLocalCheck = AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting()) || isRequestPass(str, settings);
        if (noLocalCheck) {
            return;
        }
        if (transportRequest instanceof ClearScrollRequest) {
            boolean clearsAllScrolls = ((ClearScrollRequest) transportRequest).getScrollIds().contains(AuthorityConstants.ALL);
            if (clearsAllScrolls) {
                permissionChecker.checkSuperPrivilege();
            }
            return;
        }
        Set<String> requestedIndices = parseIndices(str, transportRequest);
        putOrgIndex2Context(requestedIndices);
        if (LOG.isDebugEnabled()) {
            LOG.debug("requested resolved indices: {}", requestedIndices);
        }
        if (permissionChecker.isSuper()) {
            return;
        }
        boolean targetsAllIndices = requestedIndices.contains(AuthorityConstants.ALL) || requestedIndices.contains(AuthorityConstants.PATTERN_STAR);
        if (targetsAllIndices && WildcardHelper.matchAnyone(this.deniedActions, str)) {
            String refusal = str + " for '_all' indices is not allowed for a regular user";
            LOG.warn(refusal);
            throw new AuthorizationException(refusal + ".");
        }
        if (!(transportRequest instanceof BulkShardRequest)) {
            doAuthorise(permissionChecker, settings, str, requestedIndices, targetsAllIndices, transportRequest);
            return;
        }
        authorizeBulkItems((BulkShardRequest) transportRequest, requestedIndices, permissionChecker, settings);
    }

    /**
     * Stores the requested index names in the {@code ORIGIN_INDEX} thread-context
     * header, each name followed by {@code '#'}. An existing header is left as it is.
     *
     * @param set the index names resolved from the request
     */
    private void putOrgIndex2Context(Set<String> set) {
        StringBuilder joined = new StringBuilder();
        for (String indexName : set) {
            joined.append(indexName);
            joined.append("#");
        }
        TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_INDEX, joined.toString());
    }

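    /**
     * Authorises every item of a shard-level bulk request and aborts the items that are denied.
     *
     * <p>Each item is mapped to exactly one index, which must be one of the indices already
     * resolved for the shard request ({@code set}). The authorisation outcome is cached per
     * (index, action) pair so that {@code doAuthorise} runs once per pair.
     *
     * <p>Fix: the earlier version called {@code abort} only inside the cache-populating callback
     * and ignored the cached result. That callback runs once per (index, action) pair, so only the
     * first denied item of a pair was aborted and later items with the same pair were left
     * untouched. The cached outcome is now applied to every item.
     *
     * @param bulkShardRequest  the shard-level bulk request whose items are checked
     * @param set               indices resolved for the enclosing request
     * @param permissionChecker privilege checks bound to the calling user
     * @param settings          action-to-permission configuration
     * @throws IllegalArgumentException if an item resolves to zero or several indices, or to an
     *                                  index outside {@code set} (an {@code AssertionError} is
     *                                  raised instead when assertions are enabled, see
     *                                  {@code illegalArgument})
     */
    private void authorizeBulkItems(BulkShardRequest bulkShardRequest, Set<String> set, PermissionChecker permissionChecker, Settings settings) {
        // item-supplied index name -> index name validated against the request's resolved indices
        Map<String, String> resolvedIndexByItemIndex = new HashMap<>();
        // (index, action) -> the denial raised for that pair; a null value means "authorised"
        Map<Tuple<String, String>, AuthorizationException> denialByIndexAndAction = new HashMap<>();

        for (BulkItemRequest bulkItemRequest : bulkShardRequest.items()) {
            final String bulkAction = getBulkAction(bulkItemRequest);
            final String resolvedIndex = resolvedIndexByItemIndex.computeIfAbsent(bulkItemRequest.index(), itemIndex -> {
                Set<String> itemIndices = parseIndicesRequest(bulkAction, bulkItemRequest.request());
                if (itemIndices.size() != 1) {
                    throw illegalArgument("Bulk item should write to exactly 1 index, but request writes to " + String.join(",", itemIndices));
                }
                String onlyIndex = itemIndices.iterator().next();
                if (set.contains(onlyIndex)) {
                    return onlyIndex;
                }
                throw illegalArgument("Found bulk item that writes to index " + onlyIndex + " but the request writes to " + set);
            });

            Tuple<String, String> indexAndAction = new Tuple<>(resolvedIndex, bulkAction);
            AuthorizationException denied;
            if (denialByIndexAndAction.containsKey(indexAndAction)) {
                denied = denialByIndexAndAction.get(indexAndAction);
            } else {
                denied = null;
                try {
                    doAuthorise(permissionChecker, settings, bulkAction, Sets.newHashSet(resolvedIndex), false, bulkShardRequest);
                } catch (AuthorizationException e) {
                    denied = e;
                }
                // containsKey/put instead of computeIfAbsent: a null value must be cacheable.
                denialByIndexAndAction.put(indexAndAction, denied);
            }

            // Apply the decision to this item, whether it was just computed or came from the cache.
            if (denied != null) {
                bulkItemRequest.abort(resolvedIndex, denial(denied, bulkAction, permissionChecker.getUser()));
            }
        }
    }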

    /**
     * Logs a denied action at WARN level and wraps the denial in a 403 (FORBIDDEN) security
     * exception.
     *
     * <p>The authorisation message is concatenated into the message pattern rather than passed as
     * an argument, so the returned exception carries that text verbatim.
     *
     * @param authorizationException the denial raised by the privilege check
     * @param str                    the action that was denied
     * @param str2                   user name supplied by callers; not used in this method
     * @return the exception describing the denial
     */
    public static ElasticsearchSecurityException denial(AuthorizationException authorizationException, String str, String str2) {
        String reason = authorizationException.getMessage();
        LOG.warn("action [{}], exception message is {}.", str, reason);
        return new ElasticsearchSecurityException("action [{}], " + reason, RestStatus.FORBIDDEN, str);
    }

    /**
     * Builds the exception for a bulk item that does not match its enclosing request.
     *
     * <p>When assertions are enabled this method does not return: it throws an
     * {@link AssertionError} carrying the message. When they are disabled it returns an
     * {@link IllegalArgumentException} for the caller to throw.
     *
     * @param str description of the inconsistency
     * @return the exception to throw when assertions are disabled
     */
    private IllegalArgumentException illegalArgument(String str) {
        if (!$assertionsDisabled) {
            throw new AssertionError(str);
        }
        return new IllegalArgumentException(str);
    }

    /**
     * Maps the operation type of a bulk item to the transport action name used for authorisation.
     *
     * <p>The switch is the decompiled form of an enum switch on {@code DocWriteRequest.OpType}: the
     * selector goes through the synthetic {@code $SwitchMap} table in {@code AnonymousClass1}, and
     * the constant names on the case labels are decompiler substitutions for the plain integers
     * shown in the trailing comments. They have nothing to do with SSL or HTTP status handling.
     * Which {@code OpType} each table index stands for is defined in {@code AnonymousClass1}, which
     * is not part of this method.
     *
     * @param bulkItemRequest the bulk item to classify
     * @return the index, update or delete write action name
     * @throws IllegalArgumentException if the operation type has no table entry handled here
     */
    private String getBulkAction(BulkItemRequest bulkItemRequest) {
        DocWriteRequest request = bulkItemRequest.request();
        switch (AnonymousClass1.$SwitchMap$org$elasticsearch$action$DocWriteRequest$OpType[request.opType().ordinal()]) {
            // Table entries 1 and 2 share the index action.
            // NOTE(review): presumably INDEX and CREATE - confirm against AnonymousClass1.
            case HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT /* 1 */:
            case AuthorityConstants.CODE_2XX_DIVIDE_BY_100 /* 2 */:
                return "indices:data/write/index";
            case 3:
                return "indices:data/write/update";
            case AuthorityConstants.ERROR4XX_DIVIDE_BY_100 /* 4 */:
                return "indices:data/write/delete";
            default:
                // Unknown operation types are rejected rather than mapped to a default action.
                throw new IllegalArgumentException("No equivalent action for opType [" + request.opType() + "]");
        }
    }

    /**
     * Reports whether the action matches a pattern on the pass-through list, i.e. the settings list
     * stored under the key {@code <EMPTY_PERMISSION name>.<NONE scope name>}.
     *
     * <p>{@code evaluate} returns without any further check when this is true, so every pattern in
     * that list is an authorisation exemption.
     *
     * @param str      transport action name
     * @param settings action-to-permission configuration
     * @return {@code true} if the action matches any pattern in the list
     */
    private boolean isRequestPass(String str, Settings settings) {
        String passListKey = PermissionGroup.EMPTY_PERMISSION.getName() + "." + IndexScope.NONE.getName();
        return WildcardHelper.matchAnyone(settings.getAsList(passListKey), str);
    }

    /**
     * Partitions index names by whether the current cluster metadata already has them.
     *
     * @param set index names to classify
     * @return a tuple whose first element holds the names present in the cluster metadata and
     *         whose second element holds the names that are absent
     */
    private Tuple<Set<String>, Set<String>> splitIndexByExiting(Set<String> set) {
        // One metadata snapshot is used for the whole partition.
        Metadata snapshot = this.clusterService.state().metadata();
        Set<String> existing = new HashSet<>();
        Set<String> missing = new HashSet<>();
        for (String indexName : set) {
            Set<String> bucket = snapshot.hasIndex(indexName) ? existing : missing;
            bucket.add(indexName);
        }
        return new Tuple<>(existing, missing);
    }

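    /**
     * Authorises one action against a set of indices, with special handling for a few actions.
     *
     * <p>This restores the string switch that the decompiler had split into a hash-code switch
     * plus a second switch over a selector declared as {@code boolean z2 = -1}, a form that does
     * not compile and hides which action takes which path.
     *
     * <ul>
     *   <li>{@code indices:data/write/index}: indices missing from the cluster metadata require
     *       the access privilege; indices that exist are checked against the configuration.</li>
     *   <li>{@code indices:data/write/reindex}: source and destination indices are checked
     *       separately under the derived action names {@code <action>/p1} and
     *       {@code <action>/p2}.</li>
     *   <li>{@code indices:admin/resize} and {@code indices:admin/shrink}: the indices are
     *       re-read from the request itself rather than taken from {@code set}.</li>
     *   <li>Anything else: checked against the configuration with {@code set} and {@code z}.</li>
     * </ul>
     *
     * @param permissionChecker privilege checks bound to the calling user
     * @param settings          action-to-permission configuration
     * @param str               transport action name
     * @param set               indices resolved for the request
     * @param z                 whether {@code set} addresses all indices; only used on the default path
     * @param transportRequest  the request being authorised
     * @throws AuthorizationException propagated from the privilege checks
     */
    private void doAuthorise(PermissionChecker permissionChecker, Settings settings, String str, Set<String> set, boolean z, TransportRequest transportRequest) throws AuthorizationException {
        switch (str) {
            case "indices:data/write/index": {
                Tuple<Set<String>, Set<String>> split = splitIndexByExiting(set);
                Set<String> existing = split.v1();
                Set<String> missing = split.v2();
                // Writing to an index that is not in the cluster metadata needs the access privilege.
                if (!missing.isEmpty()) {
                    permissionChecker.checkAccessPrivilege();
                }
                if (existing.isEmpty()) {
                    return;
                }
                doAuthoriseByConf(permissionChecker, settings, str, existing, isIndicesAll(existing));
                return;
            }
            case "indices:data/write/reindex": {
                Tuple<Set<String>, Set<String>> reindex = parseReindexIndices(str, transportRequest);
                Set<String> sourceIndices = reindex.v1();
                Set<String> destinationIndices = reindex.v2();
                // Source first, then destination; either check may throw.
                doAuthoriseByConf(permissionChecker, settings, str + "/p1", sourceIndices, isIndicesAll(sourceIndices));
                doAuthoriseByConf(permissionChecker, settings, str + "/p2", destinationIndices, isIndicesAll(destinationIndices));
                return;
            }
            case "indices:admin/resize":
            // NOTE(review): the decompiled label for this arm was `case true`; it is read as
            // selector 3 (shrink) because 0, 1 and 2 were already taken - confirm against the bytecode.
            case "indices:admin/shrink": {
                Set<String> requestIndices = parseIndicesRequest(str, (IndicesRequest) transportRequest);
                doAuthoriseByConf(permissionChecker, settings, str, requestIndices, isIndicesAll(requestIndices));
                return;
            }
            default:
                doAuthoriseByConf(permissionChecker, settings, str, set, z);
                return;
        }
    }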

    /**
     * Tells whether an index set addresses every index, i.e. contains either
     * {@code AuthorityConstants.ALL} or {@code AuthorityConstants.PATTERN_STAR}.
     *
     * @param set index names or patterns
     * @return {@code true} if one of the two "all indices" markers is present
     */
    private boolean isIndicesAll(Set<String> set) {
        if (set.contains(AuthorityConstants.ALL)) {
            return true;
        }
        return set.contains(AuthorityConstants.PATTERN_STAR);
    }

    /**
     * Applies the privilege check that the configuration assigns to an action.
     *
     * <p>{@code parseActionPermission} looks up the permission group configured for the action.
     * When no group is configured the method fails closed and requires super privilege. Otherwise
     * the group selects one of the {@code PermissionChecker} checks below.
     *
     * <p>The switch is the decompiled form of an enum switch on {@code PermissionGroup}: the
     * selector goes through the synthetic {@code $SwitchMap} table in {@code AnonymousClass1}, and
     * the constant names on some case labels are decompiler substitutions for the integers in the
     * trailing comments. Which {@code PermissionGroup} each table index stands for is defined in
     * {@code AnonymousClass1}, which is not part of this method.
     *
     * @param permissionChecker privilege checks bound to the calling user
     * @param settings          action-to-permission configuration
     * @param str               transport action name (possibly a derived name such as {@code .../p1})
     * @param set               indices, or other resource names, the check applies to
     * @param z                 whether the request addresses all indices; selects the scope looked up
     * @throws AuthorizationException propagated from the selected privilege check
     */
    private void doAuthoriseByConf(PermissionChecker permissionChecker, Settings settings, String str, Set<String> set, boolean z) throws AuthorizationException {
        Tuple<PermissionGroup, IndexScope> parseActionPermission = parseActionPermission(str, settings, z);
        if (parseActionPermission == null) {
            // No configured permission group matches this action and scope: only a super user passes.
            permissionChecker.checkSuperPrivilege();
            return;
        }
        switch (AnonymousClass1.$SwitchMap$com$huawei$es$security$auth$server$transport$bean$PermissionGroup[((PermissionGroup) parseActionPermission.v1()).ordinal()]) {
            case HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_DEFAULT /* 1 */:
                permissionChecker.checkAccessPrivilege();
                return;
            case AuthorityConstants.CODE_2XX_DIVIDE_BY_100 /* 2 */:
                permissionChecker.checkPermission(set, IndicesPermission.IndexPermission.WRITE);
                return;
            case 3:
                permissionChecker.checkPermission(set, IndicesPermission.IndexPermission.READ);
                return;
            case AuthorityConstants.ERROR4XX_DIVIDE_BY_100 /* 4 */:
                // Both checks must pass: READ on the indices, then the access privilege.
                permissionChecker.checkPermission(set, IndicesPermission.IndexPermission.READ);
                permissionChecker.checkAccessPrivilege();
                return;
            case AuthorityConstants.ERROR_5XX_DIVIDE_BY_100 /* 5 */:
                permissionChecker.checkIndexJustWriteOrReadPrivilege(set);
                return;
            case 6:
                permissionChecker.checkIndexWriteOrReadPrivilege(set);
                return;
            case 7:
                permissionChecker.checkIndexOwnerPrivilege(set);
                return;
            case 8:
                permissionChecker.checkTemplateOwnerPrivilege(set);
                return;
            case 9:
                permissionChecker.checkScriptOwnerPrivilege(set);
                return;
            case 10:
                permissionChecker.checkPipelineOwnerPrivilege(set);
                return;
            case 11:
                // This group performs no check at all: the action is allowed for every caller.
                // NOTE(review): presumably the "empty permission" group - confirm in AnonymousClass1,
                // and treat every action configured under it as publicly callable.
                return;
            case 12:
            default:
                // Entry 12 and any unmapped group fall back to the strictest check.
                permissionChecker.checkSuperPrivilege();
                return;
        }
    }

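    /**
     * Finds the permission group and index scope configured for an action.
     *
     * <p>Setting keys have the form {@code <group>.<scope>}. A key is selected when its list
     * matches the action and its scope is either the "none" scope, or the scope that fits the
     * request: "all" when {@code z} is true, "one" otherwise. The first matching key in the
     * iteration order of {@code settings.keySet()} wins, so an action listed under several
     * groups gets whichever comes first.
     *
     * <p>The scope is lower-cased with {@code Locale.ROOT}. The earlier locale-dependent
     * {@code toLowerCase()} made this lookup depend on the JVM default locale.
     *
     * @param str      transport action name
     * @param settings action-to-permission configuration
     * @param z        whether the request addresses all indices
     * @return the group and scope of the first matching key, or {@code null} when none matches
     *         (the caller then requires super privilege)
     */
    private Tuple<PermissionGroup, IndexScope> parseActionPermission(String str, Settings settings, boolean z) {
        for (String key : settings.keySet()) {
            if (!WildcardHelper.matchAnyone(settings.getAsList(key), str)) {
                continue;
            }
            String[] parts = key.split("\\.");
            if (parts.length != 2) {
                continue;
            }
            String scope = parts[1].toLowerCase(java.util.Locale.ROOT);
            IndexScope requestScope = z ? IndexScope.ALL : IndexScope.ONE;
            if (requestScope.getName().equals(scope) || IndexScope.NONE.getName().equals(scope)) {
                return new Tuple<>(PermissionGroup.toInstance(parts[0]), IndexScope.toInstance(parts[1]));
            }
        }
        return null;
    }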

    /**
     * Extracts the source and destination indices of a reindex request.
     *
     * @param str              transport action name, forwarded to the index resolution
     * @param transportRequest the request; anything other than a {@code ReindexRequest} yields two
     *                         empty sets
     * @return a tuple of (source indices from the search request, destination indices)
     */
    private Tuple<Set<String>, Set<String>> parseReindexIndices(String str, TransportRequest transportRequest) {
        Set<String> sourceIndices = new HashSet<>();
        Set<String> destinationIndices = new HashSet<>();
        if (!(transportRequest instanceof ReindexRequest)) {
            // Callers receive empty sets here and still run their checks against them.
            return new Tuple<>(sourceIndices, destinationIndices);
        }
        ReindexRequest reindex = (ReindexRequest) transportRequest;
        sourceIndices.addAll(parseIndicesRequest(str, reindex.getSearchRequest()));
        destinationIndices.addAll(parseIndicesRequest(str, reindex.getDestination()));
        return new Tuple<>(sourceIndices, destinationIndices);
    }

    /**
     * Resolves the set of index names a request targets, for use in the authorisation decision.
     *
     * <ul>
     *   <li>A {@code PutMappingRequest} that carries a concrete index and no index list resolves to
     *       that single index name.</li>
     *   <li>A request that is none of {@code CompositeIndicesRequest}, {@code IndicesRequest} or
     *       {@code IndicesAliasesRequest} resolves to a new empty set; the caller then authorises
     *       the action against an empty index set.</li>
     *   <li>Otherwise the indices come from {@code getIndicesByRequestType}; a non-empty result
     *       that {@code isAllIndices} accepts is collapsed to the single marker
     *       {@code AuthorityConstants.ALL}.</li>
     * </ul>
     *
     * @param str              transport action name
     * @param transportRequest the request to inspect
     * @return the resolved names; unmodifiable on the main path, a plain new set on the two early
     *         returns above
     */
    private Set<String> parseIndices(String str, TransportRequest transportRequest) {
        if (transportRequest instanceof PutMappingRequest) {
            // Logged for every PutMappingRequest, including those that fall through below.
            LOG.debug("Handled PutMappingRequest via .getConcreteIndex()");
            PutMappingRequest putMappingRequest = (PutMappingRequest) transportRequest;
            Index concreteIndex = putMappingRequest.getConcreteIndex();
            if (concreteIndex != null && (putMappingRequest.indices() == null || putMappingRequest.indices().length == 0)) {
                return Sets.newHashSet(new String[]{concreteIndex.getName()});
            }
        }
        if (!(transportRequest instanceof CompositeIndicesRequest) && !(transportRequest instanceof IndicesRequest) && !(transportRequest instanceof IndicesAliasesRequest)) {
            LOG.debug("The request:{} is not an IndicesRequest", transportRequest.getClass());
            return Sets.newHashSet();
        }
        Set<String> indicesByRequestType = getIndicesByRequestType(transportRequest, str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Indices parsed: {}", indicesByRequestType);
        }
        // NOTE(review): this is a reference comparison, but getIndicesByRequestType always returns
        // a HashSet it created itself and copies results into it with addAll. The shared
        // NO_INDICES_SET instance therefore never reaches this point and the branch cannot be
        // taken; when parseIndicesRequest returns the sentinel, its five placeholder strings are
        // carried on as ordinary "index names". Decide deliberately which outcome is wanted before
        // changing this: returning an empty set makes the later checks run on no indices at all.
        if (indicesByRequestType == NO_INDICES_SET) {
            return Collections.emptySet();
        }
        if (IndexNameExpressionResolver.isAllIndices(new ArrayList(indicesByRequestType))) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("The indices: {} are '_all'", indicesByRequestType);
            }
            // An empty result is left empty; only a non-empty "all" result is rewritten to the marker.
            if (!indicesByRequestType.isEmpty()) {
                indicesByRequestType.clear();
                indicesByRequestType.add(AuthorityConstants.ALL);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Final indices: {}", indicesByRequestType);
        }
        return Collections.unmodifiableSet(indicesByRequestType);
    }

    /**
     * Collects the index names addressed by a request, dispatching on the request type.
     *
     * <p>Alias requests contribute the indices of every alias action, composite requests are
     * delegated to {@code addIndicesOnCompositeIndicesRequest}, and every other request is read as
     * an {@code IndicesRequest}. A {@code ResizeRequest} contributes the indices of its target
     * index request in addition to its own.
     *
     * @param transportRequest the request to inspect
     * @param str              transport action name, forwarded to the index resolution
     * @return a new, mutable set owned by the caller
     */
    private Set<String> getIndicesByRequestType(TransportRequest transportRequest, String str) {
        Set<String> collected = new HashSet<>();
        if (transportRequest instanceof IndicesAliasesRequest) {
            for (Object aliasAction : ((IndicesAliasesRequest) transportRequest).getAliasActions()) {
                collected.addAll(parseIndicesRequest(str, (IndicesAliasesRequest.AliasActions) aliasAction));
            }
            return collected;
        }
        if (transportRequest instanceof CompositeIndicesRequest) {
            addIndicesOnCompositeIndicesRequest(transportRequest, str, collected);
            return collected;
        }
        if (transportRequest instanceof ResizeRequest) {
            // Target first, then the request's own indices below.
            collected.addAll(parseIndicesRequest(str, ((ResizeRequest) transportRequest).getTargetIndexRequest()));
        }
        collected.addAll(parseIndicesRequest(str, (IndicesRequest) transportRequest));
        return collected;
    }

    /**
     * Adds to {@code set} the index names addressed by a composite request.
     *
     * <p>The request types are tested in a fixed order and the first match wins: any
     * {@code IndicesRequest}, then bulk, reindex (destination before source), multi-search,
     * multi-get, multi-term-vectors, delete and index requests.
     *
     * <p>A composite request of any other type is only logged at WARN level and contributes no
     * indices, so the caller authorises it against whatever {@code set} already holds.
     *
     * @param transportRequest the composite request
     * @param str              transport action name, forwarded to the index resolution
     * @param set              accumulator that receives the index names
     */
    private void addIndicesOnCompositeIndicesRequest(TransportRequest transportRequest, String str, Set<String> set) {
        if (transportRequest instanceof IndicesRequest) {
            set.addAll(parseIndicesRequest(str, (IndicesRequest) transportRequest));
        } else if (transportRequest instanceof BulkRequest) {
            for (Object item : ((BulkRequest) transportRequest).requests()) {
                set.addAll(parseIndicesRequest(str, (DocWriteRequest) item));
            }
        } else if (transportRequest instanceof ReindexRequest) {
            ReindexRequest reindex = (ReindexRequest) transportRequest;
            set.addAll(parseIndicesRequest(str, reindex.getDestination()));
            set.addAll(parseIndicesRequest(str, reindex.getSearchRequest()));
        } else if (transportRequest instanceof MultiSearchRequest) {
            for (Object search : ((MultiSearchRequest) transportRequest).requests()) {
                set.addAll(parseIndices(str, (ActionRequest) search));
            }
        } else if (transportRequest instanceof MultiGetRequest) {
            for (Object item : ((MultiGetRequest) transportRequest).getItems()) {
                set.addAll(parseIndicesRequest(str, (MultiGetRequest.Item) item));
            }
        } else if (transportRequest instanceof MultiTermVectorsRequest) {
            Iterator<?> termVectors = ((MultiTermVectorsRequest) transportRequest).iterator();
            while (termVectors.hasNext()) {
                set.addAll(parseIndices(str, (ActionRequest) termVectors.next()));
            }
        } else if (transportRequest instanceof DeleteRequest) {
            // NOTE(review): presumably never reached if DeleteRequest is itself an IndicesRequest,
            // because the first branch would already have matched - confirm.
            set.addAll(getIndicesByPattern(((DeleteRequest) transportRequest).indices()));
        } else if (transportRequest instanceof IndexRequest) {
            // NOTE(review): same reachability question as the DeleteRequest branch.
            set.addAll(getIndicesByPattern(((IndexRequest) transportRequest).indices()));
        } else {
            LOG.warn("Can not handle composite request[{}] for action[{}]", transportRequest.getClass().getName(), str);
        }
    }

    /**
     * Resolves the index names of a single {@code IndicesRequest}.
     *
     * <ul>
     *   <li>A null or empty index array, or one whose distinct values equal {@code NULL_SET},
     *       resolves to the single marker {@code AuthorityConstants.ALL}.</li>
     *   <li>For field-capabilities and search requests the index expressions are first grouped by
     *       cluster. When more than one group exists, only the group stored under
     *       {@code AuthorityConstants.EMPYT_STRING} is kept for resolution here.</li>
     *   <li>The remaining expressions are expanded by {@code getIndicesByPattern}.</li>
     * </ul>
     *
     * @param str            transport action name, used for logging only
     * @param indicesRequest the request to inspect
     * @return a new set of index names, or the shared {@code NO_INDICES_SET} instance when a
     *         multi-group request has no indices in the kept group
     */
    private Set<String> parseIndicesRequest(String str, IndicesRequest indicesRequest) {
        LOG.debug("Resolve {} from {} for action {}", indicesRequest.indices(), indicesRequest.getClass(), str);
        LOG.debug("indicesOptions {}", indicesRequest.indicesOptions());
        LOG.debug("{} raw indices[{}]", Integer.valueOf(indicesRequest.indices() == null ? 0 : indicesRequest.indices().length), Arrays.toString(indicesRequest.indices()));
        HashSet hashSet = new HashSet();
        String[] indices = indicesRequest.indices();
        if (indices == null || indices.length == 0 || new HashSet(Arrays.asList(indices)).equals(NULL_SET)) {
            // A request that names no index is treated as addressing every index.
            LOG.debug("No indices in request, make _all instead.");
            hashSet.add(AuthorityConstants.ALL);
        } else {
            if ((indicesRequest instanceof FieldCapabilitiesRequest) || (indicesRequest instanceof SearchRequest)) {
                IndicesRequest.Replaceable replaceable = (IndicesRequest.Replaceable) indicesRequest;
                RemoteClusterService remoteClusterService = KerberosPlugin.GuiceHolder.getRemoteClusterService();
                if (remoteClusterService != null) {
                    Map groupIndices = remoteClusterService.groupIndices(replaceable.indicesOptions(), replaceable.indices(), str2 -> {
                        return this.resolver.hasIndexAbstraction(str2, this.clusterService.state());
                    });
                    if (groupIndices.size() > 1) {
                        // NOTE(review): presumably EMPYT_STRING is the key of the local-cluster group,
                        // so expressions aimed at other clusters are not authorised by this method -
                        // confirm where they are checked. If a request yields several groups but none
                        // under this key, get() returns null and the next line throws a
                        // NullPointerException; a request with exactly one group skips this block and
                        // its raw expressions go to getIndicesByPattern unchanged.
                        indices = ((OriginalIndices) groupIndices.get(AuthorityConstants.EMPYT_STRING)).indices();
                        LOG.debug("remoteIndices keys:{}, remoteIndices:{}", groupIndices.keySet(), groupIndices);
                        if (indices.length == 0) {
                            // Shared sentinel instance. Callers that copy it with addAll receive its
                            // five placeholder strings as ordinary set elements.
                            return NO_INDICES_SET;
                        }
                    }
                }
            }
            hashSet.addAll(getIndicesByPattern(indices));
        }
        return hashSet;
    }

    /**
     * Expands index expressions to concrete index names using the current cluster state.
     *
     * <p>If the expressions contain {@code AuthorityConstants.ALL} or
     * {@code AuthorityConstants.PATTERN_STAR}, the result is the single marker
     * {@code AuthorityConstants.ALL} and nothing is expanded. If resolution fails with
     * {@code IndexNotFoundException}, the raw expressions are returned after date-math resolution
     * only, so the authorisation check then runs on names that do not exist yet.
     *
     * @param strArr index names or patterns; must not be null
     * @return a new mutable list of resolved names
     */
    private List<String> getIndicesByPattern(String[] strArr) {
        List<String> requested = Arrays.asList(strArr);
        if (requested.contains(AuthorityConstants.ALL) || requested.contains(AuthorityConstants.PATTERN_STAR)) {
            List<String> everything = new ArrayList<>();
            everything.add(AuthorityConstants.ALL);
            return everything;
        }

        List<String> resolved;
        try {
            String[] concreteNames = this.resolver.concreteIndexNames(this.clusterService.state(), IndicesOptions.fromOptions(false, true, true, false), strArr);
            resolved = new ArrayList<>(Arrays.asList(concreteNames));
            if (LOG.isDebugEnabled()) {
                LOG.debug("Resolved pattern {} to {}", strArr, resolved);
            }
        } catch (IndexNotFoundException notFound) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No such indices for pattern {}, use raw values", strArr);
            }
            resolved = new ArrayList<>(strArr.length);
            for (String expression : strArr) {
                resolved.add(this.resolver.resolveDateMathExpression(expression));
            }
        }
        return resolved;
    }

    static {
        // Decompiler rendering of the flag the compiler generates for classes that use `assert`.
        $assertionsDisabled = !PrivilegeHelper.class.desiredAssertionStatus();
        LOG = Loggers.getLogger(PrivilegeHelper.class, "PrivilegeHelper");
        // A set holding only null: matches an index array whose only distinct value is null.
        NULL_SET = Sets.newHashSet((String) null);
        // Sentinel returned by parseIndicesRequest when a multi-cluster request keeps no indices.
        NO_INDICES_SET = Sets.newHashSet("\\", ";", ",", "/", "|");
    }
}
