package org.elasticsearch.xpack.core.security.action.role;

import java.util.Arrays;
import java.util.Set;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.ValidateActions;
import org.elasticsearch.xpack.core.common.notifications.AbstractAuditor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.authz.restriction.WorkflowResolver;
import org.elasticsearch.xpack.core.security.support.MetadataUtils;
import org.elasticsearch.xpack.core.security.support.Validation;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/action/role/RoleDescriptorRequestValidator.class */
/**
 * Request-time sanity checks for a {@link RoleDescriptor}.
 *
 * <p>Every check appends its message to a shared {@link ActionRequestValidationException}
 * rather than throwing, so a single pass reports all problems found in the descriptor.
 * The checks run in a fixed order (name, cluster privileges, index privileges, remote index
 * privileges, remote cluster permissions, application privileges, metadata, workflows,
 * description) and the messages are appended in that order.
 *
 * <p>Scope, as visible in this class: the role name is only checked for presence, not for
 * format, and privilege names are only checked for whether the respective resolver accepts
 * them. Callers that need stricter guarantees must enforce them separately.
 */
public class RoleDescriptorRequestValidator {
    private RoleDescriptorRequestValidator() {
        // Static utility holder; not meant to be instantiated.
    }

    /**
     * Validates {@code roleDescriptor} starting from an empty error accumulator.
     *
     * @param roleDescriptor the descriptor to check; dereferenced without a null check
     * @return {@code null} when no check fails, otherwise the accumulated validation errors
     */
    public static ActionRequestValidationException validate(RoleDescriptor roleDescriptor) {
        return validate(roleDescriptor, null);
    }

    /**
     * Validates {@code roleDescriptor}, appending any problems to an existing accumulator.
     *
     * @param roleDescriptor the descriptor to check; dereferenced without a null check
     * @param actionRequestValidationException errors collected so far, or {@code null}
     * @return the accumulator as passed in when no check fails, otherwise whatever
     *         {@code ValidateActions.addValidationError} returned for the last failure
     */
    public static ActionRequestValidationException validate(RoleDescriptor roleDescriptor, ActionRequestValidationException actionRequestValidationException) {
        ActionRequestValidationException errors = actionRequestValidationException;
        // Presence only: nothing here constrains the characters or length of the name.
        if (roleDescriptor.getName() == null) {
            errors = ValidateActions.addValidationError("role name is missing", errors);
        }
        errors = checkClusterPrivileges(roleDescriptor, errors);
        errors = checkIndicesPrivileges(roleDescriptor, errors);
        errors = checkRemoteIndicesPrivileges(roleDescriptor, errors);
        errors = checkRemoteClusterPermissions(roleDescriptor, errors);
        errors = checkApplicationPrivileges(roleDescriptor, errors);
        // Reject metadata that MetadataUtils classifies as reserved; per the message these are
        // keys starting with '_', which a request must not be able to set.
        if (roleDescriptor.getMetadata() != null && MetadataUtils.containsReservedMetadata(roleDescriptor.getMetadata())) {
            errors = ValidateActions.addValidationError("role descriptor metadata keys may not start with [_]", errors);
        }
        errors = checkWorkflows(roleDescriptor, errors);
        if (roleDescriptor.hasDescription()) {
            Validation.Error descriptionError = Validation.Roles.validateRoleDescription(roleDescriptor.getDescription());
            if (descriptionError != null) {
                errors = ValidateActions.addValidationError(descriptionError.toString(), errors);
            }
        }
        return errors;
    }

    /** Appends the resolver's own message for a rejected value to the accumulator. */
    private static ActionRequestValidationException record(IllegalArgumentException failure, ActionRequestValidationException errors) {
        return ValidateActions.addValidationError(failure.getMessage(), errors);
    }

    /** Checks that every cluster privilege name is accepted by {@link ClusterPrivilegeResolver}. */
    private static ActionRequestValidationException checkClusterPrivileges(RoleDescriptor roleDescriptor, ActionRequestValidationException errors) {
        if (roleDescriptor.getClusterPrivileges() == null) {
            return errors;
        }
        for (String privilegeName : roleDescriptor.getClusterPrivileges()) {
            try {
                ClusterPrivilegeResolver.resolve(privilegeName);
            } catch (IllegalArgumentException unknownPrivilege) {
                errors = record(unknownPrivilege, errors);
            }
        }
        return errors;
    }

    /** Checks that each local index entry carries a privilege set {@link IndexPrivilege} accepts. */
    private static ActionRequestValidationException checkIndicesPrivileges(RoleDescriptor roleDescriptor, ActionRequestValidationException errors) {
        if (roleDescriptor.getIndicesPrivileges() == null) {
            return errors;
        }
        for (RoleDescriptor.IndicesPrivileges entry : roleDescriptor.getIndicesPrivileges()) {
            try {
                // NOTE(review): the (Object[]) cast looks like a decompilation artifact - confirm
                // against the original source before relying on this exact form.
                IndexPrivilege.get(Set.of((Object[]) entry.getPrivileges()));
            } catch (IllegalArgumentException unknownPrivilege) {
                errors = record(unknownPrivilege, errors);
            }
        }
        return errors;
    }

    /**
     * Checks each remote index entry: no cluster alias equal to the compared constant, and a
     * privilege set {@link IndexPrivilege} accepts. Unlike the local variants, the collection
     * is iterated without a null check.
     */
    private static ActionRequestValidationException checkRemoteIndicesPrivileges(RoleDescriptor roleDescriptor, ActionRequestValidationException errors) {
        for (RoleDescriptor.RemoteIndicesPrivileges entry : roleDescriptor.getRemoteIndicesPrivileges()) {
            // The message implies the constant is the empty string; the reference to an auditor
            // constant is presumably a decompiler substitution for a literal - TODO confirm.
            boolean hasEmptyAlias = Arrays.asList(entry.remoteClusters()).contains(AbstractAuditor.All_RESOURCES_ID);
            if (hasEmptyAlias) {
                errors = ValidateActions.addValidationError("remote index cluster alias cannot be an empty string", errors);
            }
            try {
                IndexPrivilege.get(Set.of((Object[]) entry.indicesPrivileges().getPrivileges()));
            } catch (IllegalArgumentException unknownPrivilege) {
                errors = record(unknownPrivilege, errors);
            }
        }
        return errors;
    }

    /** Delegates to the remote cluster permissions' own {@code validate()} when any are present. */
    private static ActionRequestValidationException checkRemoteClusterPermissions(RoleDescriptor roleDescriptor, ActionRequestValidationException errors) {
        if (!roleDescriptor.hasRemoteClusterPermissions()) {
            return errors;
        }
        try {
            roleDescriptor.getRemoteClusterPermissions().validate();
        } catch (IllegalArgumentException invalidPermissions) {
            errors = record(invalidPermissions, errors);
        }
        return errors;
    }

    /** Checks the application name, then every privilege or action name, of each application entry. */
    private static ActionRequestValidationException checkApplicationPrivileges(RoleDescriptor roleDescriptor, ActionRequestValidationException errors) {
        if (roleDescriptor.getApplicationPrivileges() == null) {
            return errors;
        }
        for (RoleDescriptor.ApplicationResourcePrivileges entry : roleDescriptor.getApplicationPrivileges()) {
            try {
                ApplicationPrivilege.validateApplicationNameOrWildcard(entry.getApplication());
            } catch (IllegalArgumentException invalidApplication) {
                errors = record(invalidApplication, errors);
            }
            // A bad application name does not short-circuit: its privileges are still checked.
            for (String privilegeName : entry.getPrivileges()) {
                try {
                    ApplicationPrivilege.validatePrivilegeOrActionName(privilegeName);
                } catch (IllegalArgumentException invalidPrivilege) {
                    errors = record(invalidPrivilege, errors);
                }
            }
        }
        return errors;
    }

    /** Checks that every workflow named in the restriction is known to {@link WorkflowResolver}. */
    private static ActionRequestValidationException checkWorkflows(RoleDescriptor roleDescriptor, ActionRequestValidationException errors) {
        if (!roleDescriptor.hasWorkflowsRestriction()) {
            return errors;
        }
        for (String workflowName : roleDescriptor.getRestriction().getWorkflows()) {
            try {
                WorkflowResolver.resolveWorkflowByName(workflowName);
            } catch (IllegalArgumentException unknownWorkflow) {
                errors = record(unknownWorkflow, errors);
            }
        }
        return errors;
    }
}
