/*
* Copyright 2015 floragunn UG (haftungsbeschränkt)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package com.floragunn.searchguard.configuration;
import java.io.IOException;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.search.IndexSearcher;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.engine.EngineConfig;
import org.elasticsearch.index.engine.EngineException;
import org.elasticsearch.index.engine.IndexSearcherWrapper;
import org.elasticsearch.index.shard.AbstractIndexShardComponent;
import org.elasticsearch.index.shard.IndexShard;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.indices.IndicesLifecycle;
import org.elasticsearch.indices.IndicesLifecycle.Listener;
import org.elasticsearch.transport.TransportRequest;
import com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.User;
public class SearchGuardIndexSearcherWrapper extends AbstractIndexShardComponent implements IndexSearcherWrapper {
private final AdminDNs admindns;
protected final ESLogger log = Loggers.getLogger(this.getClass());
private volatile boolean shardReady;
private final String searchguardIndex;
@Inject
public SearchGuardIndexSearcherWrapper(final ShardId shardId, final IndicesLifecycle indicesLifecycle, final Settings indexSettings,
final AdminDNs admindns) {
super(shardId, indexSettings);
this.admindns = admindns;
this.searchguardIndex = indexSettings.get(ConfigConstants.SG_CONFIG_INDEX, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);
if(!isSearchGuardIndexRequest()) {
indicesLifecycle.addListener(new Listener() {
@Override
public void afterIndexShardPostRecovery(IndexShard indexShard) {
if(shardId.equals(indexShard.shardId())) {
shardReady = true;
}
}
});
} else {
shardReady = true;
}
}
@Override
public final DirectoryReader wrap(final DirectoryReader reader) throws IOException {
if (log.isTraceEnabled()) {
log.trace("DirectoryReader {} should be wrapped", reader.getClass());
}
if(!shardReady) {
return reader;
}
if (!isAdminAuhtenticatedOrInternalRequest()) {
//if (settings == null || settings.getAsBoolean("searchguard.dynamic.dlsfls_enabled", true)) {
return dlsFlsWrap(reader);
//}
}
return reader;
}
@Override
public final IndexSearcher wrap(final EngineConfig engineConfig, final IndexSearcher searcher) throws EngineException {
if (log.isTraceEnabled()) {
log.trace("IndexSearcher {} should be wrapped (reader is {})", searcher.getClass(), searcher.getIndexReader().getClass());
}
if(!shardReady) {
return searcher;
}
if (isSearchGuardIndexRequest() && !isAdminAuhtenticatedOrInternalRequest()) {
return new IndexSearcher(new EmptyReader());
}
if (!isAdminAuhtenticatedOrInternalRequest()) {
//if (settings == null || settings.getAsBoolean("searchguard.dynamic.dlsfls_enabled", true)) {
return dlsFlsWrap(engineConfig, searcher);
//}
}
return searcher;
}
protected IndexSearcher dlsFlsWrap(final EngineConfig engineConfig, final IndexSearcher searcher) throws EngineException {
return searcher;
}
protected DirectoryReader dlsFlsWrap(final DirectoryReader reader) throws IOException {
return reader;
}
protected final boolean isAdminAuhtenticatedOrInternalRequest() {
final RequestHolder current = RequestHolder.current();
if (current != null) {
final TransportRequest request = current.getRequest();
if (request != null) {
final User user = (User) request.getFromContext(ConfigConstants.SG_USER);
if (user != null && admindns.isAdmin(user.getName())) {
return true;
}
if ("true".equals(HeaderHelper.getSafeFromHeader(request, ConfigConstants.SG_CONF_REQUEST_HEADER))) {
return true;
}
}
}
return false;
}
protected final boolean isSearchGuardIndexRequest() {
return shardId.index().getName().equals(searchguardIndex);
}
}