package org.elasticsearch.xpack.core.security.authz.permission;

import java.io.IOException;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.join.ToChildBlockJoinQuery;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.lucene.search.Queries;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.QueryShardContext;
import org.elasticsearch.index.query.Rewriteable;
import org.elasticsearch.index.search.NestedHelper;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.core.security.user.User;

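/**
 * Document-level permissions attached to a role for an index.
 *
 * <p>An instance holds up to two sets of serialized role queries:
 * <ul>
 *   <li>{@code queries}: the role's own queries; a document is visible if at least one matches.</li>
 *   <li>{@code limitedByQueries}: queries of a limiting permission set; when present together with
 *       {@code queries}, a document must also match at least one of these.</li>
 * </ul>
 * Both sets being {@code null} means "no document-level restriction" (see {@link #allowAll()}).
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The sets are wrapped with {@link Collections#unmodifiableSet(Set)}, which is a view and not a
 *       copy. Code that keeps a reference to the set passed in must not mutate it afterwards.</li>
 *   <li>Role queries are rewritten without a client before use, so a role query that needs to issue
 *       further requests is rejected (see {@link #failIfQueryUsesClient}).</li>
 * </ul>
 */
public final class DocumentPermissions {
    // Serialized role queries; null when this side carries no restriction.
    private final Set<BytesReference> queries;
    // Serialized queries of the limiting permissions; null when there is no limiting side.
    private final Set<BytesReference> limitedByQueries;

    // Shared "no restriction" instance; final so it cannot be swapped out at runtime.
    private static final DocumentPermissions ALLOW_ALL = new DocumentPermissions();

    /** Creates the unrestricted instance: both query sets are {@code null}. */
    DocumentPermissions() {
        this.queries = null;
        this.limitedByQueries = null;
    }

    /**
     * Creates permissions restricted by the given role queries only.
     *
     * @param queries serialized role queries, must not be {@code null}
     * @throws IllegalArgumentException if {@code queries} is {@code null}
     */
    DocumentPermissions(Set<BytesReference> queries) {
        this(queries, null);
    }

    /**
     * Creates permissions from role queries and/or limiting queries.
     *
     * @param queries serialized role queries, or {@code null}
     * @param scopedByQueries serialized limiting queries, or {@code null}
     * @throws IllegalArgumentException if both arguments are {@code null}
     */
    DocumentPermissions(Set<BytesReference> queries, Set<BytesReference> scopedByQueries) {
        if (queries == null && scopedByQueries == null) {
            throw new IllegalArgumentException("one of the queries or scoped queries must be provided");
        }
        // unmodifiableSet is a read-only view over the caller's set, not a defensive copy.
        this.queries = queries != null ? Collections.unmodifiableSet(queries) : null;
        this.limitedByQueries = scopedByQueries != null ? Collections.unmodifiableSet(scopedByQueries) : null;
    }

    /** @return the unmodifiable role queries, or {@code null} if there are none */
    public Set<BytesReference> getQueries() {
        return this.queries;
    }

    /** @return the unmodifiable limiting queries, or {@code null} if there are none */
    public Set<BytesReference> getLimitedByQueries() {
        return this.limitedByQueries;
    }

    /** @return {@code true} if either query set is present, i.e. documents are restricted */
    public boolean hasDocumentLevelPermissions() {
        return this.queries != null || this.limitedByQueries != null;
    }

    /**
     * Builds the Lucene filter that enforces these permissions on one shard.
     *
     * <p>When both sets are present, the limiting queries are combined into a sub-query that is added
     * as a {@code FILTER} clause, and the role queries are added as {@code SHOULD} clauses of which at
     * least one must match. When only one set is present, its queries alone form the filter.
     *
     * @param user the user passed to role query evaluation
     * @param scriptService the script service passed to role query evaluation
     * @param shardId the shard the filter is built for
     * @param queryShardContextProvider supplies the {@link QueryShardContext} for {@code shardId}
     * @return the filter, or {@code null} when there are no document-level permissions; callers must
     *         treat {@code null} as "unrestricted", not as "deny"
     * @throws IOException if evaluating or rewriting a role query fails
     */
    public BooleanQuery filter(User user, ScriptService scriptService, ShardId shardId,
                               Function<ShardId, QueryShardContext> queryShardContextProvider) throws IOException {
        if (!hasDocumentLevelPermissions()) {
            return null;
        }
        final BooleanQuery.Builder filter = new BooleanQuery.Builder();
        if (this.queries != null && this.limitedByQueries != null) {
            BooleanQuery.Builder scopedFilter = new BooleanQuery.Builder();
            buildRoleQuery(user, scriptService, shardId, queryShardContextProvider, this.limitedByQueries, scopedFilter);
            // FILTER makes the limiting side mandatory on top of the role's own SHOULD clauses.
            filter.add(scopedFilter.build(), BooleanClause.Occur.FILTER);
            buildRoleQuery(user, scriptService, shardId, queryShardContextProvider, this.queries, filter);
        } else if (this.queries != null) {
            buildRoleQuery(user, scriptService, shardId, queryShardContextProvider, this.queries, filter);
        } else {
            // hasDocumentLevelPermissions() was true and queries is null, so limitedByQueries is non-null.
            buildRoleQuery(user, scriptService, shardId, queryShardContextProvider, this.limitedByQueries, filter);
        }
        return filter.build();
    }

    /**
     * Adds one {@code SHOULD} clause per usable role query to {@code filter} and requires at least one
     * of them to match.
     *
     * <p>Each serialized query is passed through
     * {@link DLSRoleQueryValidator#evaluateAndVerifyRoleQuery}; a {@code null} result is skipped. The
     * resulting query builder is checked with {@link #failIfQueryUsesClient} before it is converted to
     * a Lucene query. On indices with nested documents an additional clause grants access to the
     * nested documents of every root document the role query matches.
     */
    private static void buildRoleQuery(User user, ScriptService scriptService, ShardId shardId,
                                       Function<ShardId, QueryShardContext> queryShardContextProvider,
                                       Set<BytesReference> roleQueries, BooleanQuery.Builder filter) throws IOException {
        for (BytesReference serializedQuery : roleQueries) {
            // A context is requested per role query, as in the original; not hoisted on purpose.
            QueryShardContext context = queryShardContextProvider.apply(shardId);
            QueryBuilder queryBuilder = DLSRoleQueryValidator.evaluateAndVerifyRoleQuery(
                serializedQuery, scriptService, context.getXContentRegistry(), user);
            if (queryBuilder == null) {
                continue;
            }
            failIfQueryUsesClient(queryBuilder, context);
            Query roleQuery = context.toQuery(queryBuilder).query();
            filter.add(roleQuery, BooleanClause.Occur.SHOULD);
            if (context.hasNested()) {
                NestedHelper nestedHelper = new NestedHelper(context::getObjectMapper, context::isFieldMapped);
                if (nestedHelper.mightMatchNestedDocs(roleQuery)) {
                    // Restrict the parent side of the join to root documents only.
                    roleQuery = new BooleanQuery.Builder()
                        .add(roleQuery, BooleanClause.Occur.FILTER)
                        .add(Queries.newNonNestedFilter(context.indexVersionCreated()), BooleanClause.Occur.FILTER)
                        .build();
                }
                // Access to a root document implies access to all of its nested documents.
                filter.add(
                    new ToChildBlockJoinQuery(
                        roleQuery,
                        context.bitsetFilter(Queries.newNonNestedFilter(context.indexVersionCreated()))),
                    BooleanClause.Occur.SHOULD);
            }
        }
        // At least one role query must match. NOTE(review): if every query above was skipped there is
        // no SHOULD clause at all; this is expected to match no documents (fail closed) - confirm
        // against the Lucene version in use.
        filter.setMinimumNumberShouldMatch(1);
    }

    /**
     * Rejects role queries that would need to execute further requests while being rewritten.
     *
     * <p>The query is rewritten against a fresh {@link QueryRewriteContext} that has no client. If the
     * rewrite registers asynchronous actions, the query is refused.
     *
     * @param queryBuilder the role query to check
     * @param original context supplying the registries and the clock for the client-less context
     * @throws IllegalStateException if the rewrite registered asynchronous actions
     * @throws IOException if the rewrite itself fails
     */
    static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext original) throws IOException {
        NamedXContentRegistry xContentRegistry = original.getXContentRegistry();
        NamedWriteableRegistry writeableRegistry = original.getWriteableRegistry();
        // Null client: the rewrite has no means of issuing requests on its own.
        QueryRewriteContext copy = new QueryRewriteContext(
            xContentRegistry, writeableRegistry, (Client) null, original::nowInMillis);
        Rewriteable.rewrite(queryBuilder, copy);
        if (copy.hasAsyncActions()) {
            throw new IllegalStateException("role queries are not allowed to execute additional requests");
        }
    }

    /**
     * Creates permissions restricted by the given role queries.
     *
     * @param queries serialized role queries; must be non-null and non-empty
     * @return the restricted permissions
     * @throws IllegalArgumentException if {@code queries} is {@code null} or empty
     */
    public static DocumentPermissions filteredBy(Set<BytesReference> queries) {
        if (queries == null || queries.isEmpty()) {
            throw new IllegalArgumentException("null or empty queries not permitted");
        }
        return new DocumentPermissions(queries);
    }

    /** @return the shared instance that carries no document-level restriction */
    public static DocumentPermissions allowAll() {
        return ALLOW_ALL;
    }

    /**
     * Scopes these permissions by another permission set.
     *
     * <p>The result keeps this instance's {@code queries} and uses the other instance's
     * {@code queries} as {@code limitedByQueries}. If neither side has queries, {@link #allowAll()} is
     * returned.
     *
     * @param limitedByDocumentPermissions the permissions to limit by; must not be {@code null}
     * @return the scoped permissions
     */
    public DocumentPermissions limitDocumentPermissions(DocumentPermissions limitedByDocumentPermissions) {
        // NOTE(review): this guard is an assert only. With assertions disabled, limitedByQueries that
        // already exist on either side are NOT carried into the result, so scoping an already-scoped
        // instance yields a less restrictive filter than the inputs. Callers must never pass
        // already-limited permissions; consider a hard check if that cannot be guaranteed.
        assert this.limitedByQueries == null && limitedByDocumentPermissions.limitedByQueries == null
            : "nested scoping for document permissions is not permitted";
        if (this.queries == null && limitedByDocumentPermissions.queries == null) {
            return allowAll();
        }
        return new DocumentPermissions(this.queries, limitedByDocumentPermissions.queries);
    }

    @Override
    public String toString() {
        return "DocumentPermissions [queries=" + this.queries + ", scopedByQueries=" + this.limitedByQueries + "]";
    }
}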
