package org.elasticsearch.xpack.core.security.action.apikey;

import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.CollectionUtils;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.json.JsonXContent;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/action/apikey/CrossClusterApiKeyRoleDescriptorBuilder.class */
public class CrossClusterApiKeyRoleDescriptorBuilder {
    public static final String[] CCS_CLUSTER_PRIVILEGE_NAMES;
    public static final String[] CCR_CLUSTER_PRIVILEGE_NAMES;
    public static final String[] CCS_AND_CCR_CLUSTER_PRIVILEGE_NAMES;
    public static final String[] CCS_INDICES_PRIVILEGE_NAMES;
    public static final String[] CCR_INDICES_PRIVILEGE_NAMES;
    public static final String ROLE_DESCRIPTOR_NAME = "cross_cluster";
    public static final ConstructingObjectParser<CrossClusterApiKeyRoleDescriptorBuilder, Void> PARSER;
    private final List<RoleDescriptor.IndicesPrivileges> search;
    private final List<RoleDescriptor.IndicesPrivileges> replication;
    static final /* synthetic */ boolean $assertionsDisabled;

    private CrossClusterApiKeyRoleDescriptorBuilder(List<RoleDescriptor.IndicesPrivileges> list, List<RoleDescriptor.IndicesPrivileges> list2) {
        this.search = list == null ? List.of() : list;
        this.replication = list2 == null ? List.of() : list2;
        if (!$assertionsDisabled && !this.search.stream().allMatch(indicesPrivileges -> {
            return Arrays.equals(indicesPrivileges.getPrivileges(), CCS_INDICES_PRIVILEGE_NAMES);
        })) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && !this.replication.stream().allMatch(indicesPrivileges2 -> {
            return Arrays.equals(indicesPrivileges2.getPrivileges(), CCR_INDICES_PRIVILEGE_NAMES);
        })) {
            throw new AssertionError();
        }
    }

    public RoleDescriptor build() {
        if (this.search.isEmpty() && this.replication.isEmpty()) {
            throw new IllegalArgumentException("must specify non-empty access for either [search] or [replication]");
        }
        String[] strArr = this.search.isEmpty() ? CCR_CLUSTER_PRIVILEGE_NAMES : this.replication.isEmpty() ? CCS_CLUSTER_PRIVILEGE_NAMES : CCS_AND_CCR_CLUSTER_PRIVILEGE_NAMES;
        if (this.replication.stream().anyMatch((v0) -> {
            return v0.isUsingDocumentOrFieldLevelSecurity();
        })) {
            throw new IllegalArgumentException("replication does not support document or field level security");
        }
        return new RoleDescriptor(ROLE_DESCRIPTOR_NAME, strArr, (RoleDescriptor.IndicesPrivileges[]) CollectionUtils.concatLists(this.search, this.replication).toArray(i -> {
            return new RoleDescriptor.IndicesPrivileges[i];
        }), null);
    }

    public static CrossClusterApiKeyRoleDescriptorBuilder parse(String str) throws IOException {
        return (CrossClusterApiKeyRoleDescriptorBuilder) PARSER.parse(JsonXContent.jsonXContent.createParser(XContentParserConfiguration.EMPTY, str), (Object) null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void validate(RoleDescriptor roleDescriptor) {
        if (false == ROLE_DESCRIPTOR_NAME.equals(roleDescriptor.getName())) {
            throw new IllegalArgumentException("invalid role descriptor name [" + roleDescriptor.getName() + "]");
        }
        if (roleDescriptor.hasApplicationPrivileges()) {
            throw new IllegalArgumentException("application privilege must be empty");
        }
        if (roleDescriptor.hasRunAs()) {
            throw new IllegalArgumentException("run_as privilege must be empty");
        }
        if (roleDescriptor.hasConfigurableClusterPrivileges()) {
            throw new IllegalArgumentException("configurable cluster privilege must be empty");
        }
        if (roleDescriptor.hasRemoteIndicesPrivileges()) {
            throw new IllegalArgumentException("remote indices privileges must be empty");
        }
        String[] clusterPrivileges = roleDescriptor.getClusterPrivileges();
        if (false == Arrays.equals(clusterPrivileges, CCS_CLUSTER_PRIVILEGE_NAMES) && false == Arrays.equals(clusterPrivileges, CCR_CLUSTER_PRIVILEGE_NAMES) && false == Arrays.equals(clusterPrivileges, CCS_AND_CCR_CLUSTER_PRIVILEGE_NAMES)) {
            throw new IllegalArgumentException("invalid cluster privileges: [" + Strings.arrayToCommaDelimitedString(clusterPrivileges) + "]");
        }
        RoleDescriptor.IndicesPrivileges[] indicesPrivileges = roleDescriptor.getIndicesPrivileges();
        if (indicesPrivileges.length == 0) {
            throw new IllegalArgumentException("indices privileges must not be empty");
        }
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges2 : indicesPrivileges) {
            String[] privileges = indicesPrivileges2.getPrivileges();
            if (Arrays.equals(privileges, CCR_INDICES_PRIVILEGE_NAMES)) {
                if (indicesPrivileges2.isUsingDocumentOrFieldLevelSecurity()) {
                    throw new IllegalArgumentException("replication does not support document or field level security");
                }
            } else if (false == Arrays.equals(privileges, CCS_INDICES_PRIVILEGE_NAMES)) {
                throw new IllegalArgumentException("invalid indices privileges: [" + Strings.arrayToCommaDelimitedString(privileges));
            }
        }
    }

    static {
        $assertionsDisabled = !CrossClusterApiKeyRoleDescriptorBuilder.class.desiredAssertionStatus();
        CCS_CLUSTER_PRIVILEGE_NAMES = new String[]{"cross_cluster_search"};
        CCR_CLUSTER_PRIVILEGE_NAMES = new String[]{"cross_cluster_replication"};
        CCS_AND_CCR_CLUSTER_PRIVILEGE_NAMES = new String[]{"cross_cluster_search", "cross_cluster_replication"};
        CCS_INDICES_PRIVILEGE_NAMES = new String[]{"read", "read_cross_cluster", "view_index_metadata"};
        CCR_INDICES_PRIVILEGE_NAMES = new String[]{"cross_cluster_replication", "cross_cluster_replication_internal"};
        PARSER = new ConstructingObjectParser<>("cross_cluster_api_key_request_access", false, (objArr, r7) -> {
            return new CrossClusterApiKeyRoleDescriptorBuilder((List) objArr[0], (List) objArr[1]);
        });
        PARSER.declareObjectArray(ConstructingObjectParser.optionalConstructorArg(), (xContentParser, r5) -> {
            return RoleDescriptor.parseIndexWithPredefinedPrivileges(ROLE_DESCRIPTOR_NAME, CCS_INDICES_PRIVILEGE_NAMES, xContentParser);
        }, new ParseField("search", new String[0]));
        PARSER.declareObjectArray(ConstructingObjectParser.optionalConstructorArg(), (xContentParser2, r52) -> {
            return RoleDescriptor.parseIndexWithPredefinedPrivileges(ROLE_DESCRIPTOR_NAME, CCR_INDICES_PRIVILEGE_NAMES, xContentParser2);
        }, new ParseField("replication", new String[0]));
    }
}
