package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/ClusterPermission.class */
/**
 * Immutable cluster-level permission: the {@link ClusterPrivilege}s it was built from and the
 * list of {@link PermissionCheck}s that decide whether a cluster action is allowed.
 *
 * <p>Authorization is a logical OR over the checks: {@link #check} grants as soon as one check
 * accepts the action, and denies when none does. A permission without checks (for example
 * {@link #NONE}) therefore denies every action.
 *
 * <p>Instances are created through {@link Builder}; the constructor takes unmodifiable copies of
 * the privileges and checks it is given.
 */
public class ClusterPermission {
    /** Permission with no privileges and no checks; {@link #check} returns {@code false} for everything. */
    public static final ClusterPermission NONE = new ClusterPermission(Set.of(), List.of());
    private final Set<ClusterPrivilege> clusterPrivileges;
    private final List<PermissionCheck> checks;

    /**
     * Base class for checks that first match the action name against an {@link Automaton} and
     * then delegate to a subclass-specific {@link #extendedCheck}.
     *
     * <p>Both {@link #check} and {@link #implies} are {@code final}, so a subclass can only narrow
     * the decision through {@link #extendedCheck} and {@link #doImplies}; it cannot bypass the
     * action-name match or the automaton subset test.
     */
    public static abstract class ActionBasedPermissionCheck implements PermissionCheck {
        private final Automaton automaton;
        private final Predicate<String> actionPredicate;

        /**
         * @param automaton automaton describing the action names this check applies to; the
         *                  action predicate is derived from it via {@code Automatons.predicate}
         */
        public ActionBasedPermissionCheck(Automaton automaton) {
            this.automaton = automaton;
            this.actionPredicate = Automatons.predicate(automaton);
        }

        /**
         * Grants only when the action name matches AND the subclass check accepts the request.
         * The subclass check is not evaluated when the action name does not match.
         *
         * @param str              action name being authorized
         * @param transportRequest request associated with the action
         * @param authentication   authentication of the caller
         * @return {@code true} when both conditions hold
         */
        @Override
        public final boolean check(String str, TransportRequest transportRequest, Authentication authentication) {
            if (!this.actionPredicate.test(str)) {
                return false;
            }
            return extendedCheck(str, transportRequest, authentication);
        }

        /**
         * Additional, subclass-specific condition evaluated after the action name has matched.
         *
         * @return {@code true} to grant, {@code false} to deny
         */
        protected abstract boolean extendedCheck(String str, TransportRequest transportRequest, Authentication authentication);

        /**
         * Tells whether this check covers {@code permissionCheck}. All three conditions must hold:
         * the other check is also an {@code ActionBasedPermissionCheck}, its automaton is a subset
         * of this one's ({@code Operations.subsetOf(other, this)}), and {@link #doImplies} agrees.
         * Any other {@link PermissionCheck} implementation is never implied.
         */
        @Override
        public final boolean implies(PermissionCheck permissionCheck) {
            if (!(permissionCheck instanceof ActionBasedPermissionCheck)) {
                return false;
            }
            final ActionBasedPermissionCheck other = (ActionBasedPermissionCheck) permissionCheck;
            if (!Operations.subsetOf(other.automaton, this.automaton)) {
                return false;
            }
            return doImplies(other);
        }

        /**
         * Subclass-specific part of {@link #implies}; called only once the automaton of
         * {@code actionBasedPermissionCheck} is known to be a subset of this check's automaton.
         */
        protected abstract boolean doImplies(ActionBasedPermissionCheck actionBasedPermissionCheck);
    }

    /**
     * Check that matches on action name and then applies a predicate to the request.
     *
     * <p>Review note on {@link #doImplies}: implication between two request-based checks is
     * decided by equality of their {@link ClusterPrivilege}s; the two request predicates are never
     * compared. The result is only as precise as {@code ClusterPrivilege.equals} — presumably
     * equal privileges are expected to carry equivalent predicates; confirm against the
     * privilege implementations.
     */
    private static class ActionRequestBasedPermissionCheck extends ActionBasedPermissionCheck {
        private final ClusterPrivilege clusterPrivilege;
        private final Predicate<TransportRequest> requestPredicate;

        ActionRequestBasedPermissionCheck(ClusterPrivilege privilege, Automaton actions, Predicate<TransportRequest> requestFilter) {
            super(actions);
            this.requestPredicate = requestFilter;
            this.clusterPrivilege = privilege;
        }

        /** Grants when the request predicate accepts the request; action name and authentication are not consulted here. */
        @Override
        protected boolean extendedCheck(String str, TransportRequest transportRequest, Authentication authentication) {
            return this.requestPredicate.test(transportRequest);
        }

        /**
         * Implies only another request-based check built from an equal {@link ClusterPrivilege}.
         * A plain automaton check is never implied, since it would grant requests this check's
         * predicate may reject.
         */
        @Override
        protected boolean doImplies(ActionBasedPermissionCheck actionBasedPermissionCheck) {
            if (!(actionBasedPermissionCheck instanceof ActionRequestBasedPermissionCheck)) {
                return false;
            }
            final ActionRequestBasedPermissionCheck other = (ActionRequestBasedPermissionCheck) actionBasedPermissionCheck;
            return this.clusterPrivilege.equals(other.clusterPrivilege);
        }
    }

    /**
     * Check that depends on the action name alone: once the automaton matches, the request and
     * the authentication are not inspected.
     */
    private static class AutomatonPermissionCheck extends ActionBasedPermissionCheck {
        AutomatonPermissionCheck(Automaton actions) {
            super(actions);
        }

        /** Always grants; the action-name match in {@link #check} is the whole decision. */
        @Override
        protected boolean extendedCheck(String str, TransportRequest transportRequest, Authentication authentication) {
            return true;
        }

        /**
         * Always agrees, so the automaton subset test in {@link #implies} decides alone. This
         * includes request-based checks whose actions are a subset of this automaton.
         */
        @Override
        protected boolean doImplies(ActionBasedPermissionCheck actionBasedPermissionCheck) {
            return true;
        }
    }

    /**
     * Accumulates privileges, action automatons and custom checks, then produces an immutable
     * {@link ClusterPermission}.
     *
     * <p>Review note: every entry added here widens the resulting permission. Exclusions passed
     * to {@link #add(ClusterPrivilege, Set, Set)} are subtracted only from that call's own
     * patterns; {@link #build()} then merges all automatons with
     * {@code Automatons.unionAndMinimize}, so an action excluded by one call is still granted if
     * another call (or another check) allows it.
     */
    public static class Builder {
        private final Set<ClusterPrivilege> clusterPrivileges = new HashSet<>();
        private final List<Automaton> actionAutomatons = new ArrayList<>();
        private final List<PermissionCheck> permissionChecks = new ArrayList<>();
        private final RestrictedIndices restrictedIndices;

        /**
         * @param restrictedIndices value handed to the predicate suppliers given to
         *                          {@link #addWithPredicateSupplier}
         */
        public Builder(RestrictedIndices restrictedIndices) {
            this.restrictedIndices = restrictedIndices;
        }

        /**
         * Creates a builder without restricted-index information. Suppliers passed to
         * {@link #addWithPredicateSupplier} receive {@code null} in that case and must cope with it.
         */
        public Builder() {
            this.restrictedIndices = null;
        }

        /**
         * Registers a privilege that is decided by action name only.
         *
         * @param clusterPrivilege privilege being granted
         * @param set              action patterns to allow; {@code null} or empty allows nothing
         * @param set2             action patterns to subtract from {@code set}; {@code null} or
         *                         empty subtracts nothing
         * @return this builder
         */
        public Builder add(ClusterPrivilege clusterPrivilege, Set<String> set, Set<String> set2) {
            this.clusterPrivileges.add(clusterPrivilege);
            this.actionAutomatons.add(createAutomaton(set, set2));
            return this;
        }

        /**
         * Registers a privilege that is granted only when the action matches {@code set} and the
         * request satisfies {@code predicate}.
         *
         * @return this builder
         */
        public Builder add(ClusterPrivilege clusterPrivilege, Set<String> set, Predicate<TransportRequest> predicate) {
            final Automaton actions = createAutomaton(set, Set.of());
            return add(clusterPrivilege, new ActionRequestBasedPermissionCheck(clusterPrivilege, actions, predicate));
        }

        /**
         * Registers a privilege together with a caller-supplied check. The check is stored as
         * given and takes part in the OR evaluation of {@link ClusterPermission#check} unchanged.
         *
         * @return this builder
         */
        public Builder add(ClusterPrivilege clusterPrivilege, PermissionCheck permissionCheck) {
            this.clusterPrivileges.add(clusterPrivilege);
            this.permissionChecks.add(permissionCheck);
            return this;
        }

        /**
         * Like {@link #add(ClusterPrivilege, Set, Predicate)}, but the request predicate is
         * obtained by applying {@code function} to this builder's {@link RestrictedIndices},
         * which is {@code null} when the no-argument constructor was used.
         *
         * @return this builder
         */
        public Builder addWithPredicateSupplier(ClusterPrivilege clusterPrivilege, Set<String> set, Function<RestrictedIndices, Predicate<TransportRequest>> function) {
            final Automaton actions = createAutomaton(set, Set.of());
            final Predicate<TransportRequest> requestFilter = function.apply(this.restrictedIndices);
            return add(clusterPrivilege, new ActionRequestBasedPermissionCheck(clusterPrivilege, actions, requestFilter));
        }

        /**
         * Builds the permission.
         *
         * @return {@link ClusterPermission#NONE} when no privilege was added; otherwise a
         *         permission whose first check is the merged action automaton (present only if
         *         at least one automaton was added), followed by the custom checks in insertion
         *         order
         */
        public ClusterPermission build() {
            if (this.clusterPrivileges.isEmpty()) {
                return ClusterPermission.NONE;
            }
            if (this.actionAutomatons.isEmpty()) {
                return new ClusterPermission(this.clusterPrivileges, this.permissionChecks);
            }
            final Automaton mergedActions = Automatons.unionAndMinimize(this.actionAutomatons);
            final List<PermissionCheck> ordered = new ArrayList<>(this.permissionChecks.size() + 1);
            ordered.add(new AutomatonPermissionCheck(mergedActions));
            ordered.addAll(this.permissionChecks);
            return new ClusterPermission(this.clusterPrivileges, ordered);
        }

        /**
         * Turns allow/exclude pattern sets into an automaton: nothing allowed gives
         * {@code Automatons.EMPTY}, no exclusions gives the allowed patterns as they are,
         * otherwise the excluded patterns are subtracted from the allowed ones.
         */
        private static Automaton createAutomaton(Set<String> allowed, Set<String> excluded) {
            final Set<String> include = allowed == null ? Set.of() : allowed;
            final Set<String> exclude = excluded == null ? Set.of() : excluded;
            if (include.isEmpty()) {
                return Automatons.EMPTY;
            }
            if (exclude.isEmpty()) {
                return Automatons.patterns(include);
            }
            return Automatons.minusAndMinimize(Automatons.patterns(include), Automatons.patterns(exclude));
        }
    }

    /**
     * A single authorization rule. Implementations outside this class are accepted by
     * {@link Builder#add(ClusterPrivilege, PermissionCheck)}.
     */
    public interface PermissionCheck {
        /**
         * @param str              action name being authorized
         * @param transportRequest request associated with the action
         * @param authentication   authentication of the caller
         * @return {@code true} to grant the action
         */
        boolean check(String str, TransportRequest transportRequest, Authentication authentication);

        /**
         * @param permissionCheck the check to compare against
         * @return {@code true} when this check covers {@code permissionCheck}
         */
        boolean implies(PermissionCheck permissionCheck);
    }

    /** Stores unmodifiable copies, so later changes to the builder's collections do not leak in. */
    private ClusterPermission(Set<ClusterPrivilege> privileges, List<PermissionCheck> permissionChecks) {
        this.clusterPrivileges = Set.copyOf(privileges);
        this.checks = List.copyOf(permissionChecks);
    }

    /**
     * Decides whether the action is permitted. Checks are tried in order and the first one that
     * grants wins; with no checks the answer is {@code false}.
     *
     * @param str              action name being authorized
     * @param transportRequest request associated with the action
     * @param authentication   authentication of the caller
     * @return {@code true} when at least one check grants the action
     */
    public boolean check(String str, TransportRequest transportRequest, Authentication authentication) {
        for (PermissionCheck candidate : this.checks) {
            if (candidate.check(str, transportRequest, authentication)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether this permission covers {@code clusterPermission}: every check of the other
     * permission must be implied by at least one check of this one. A permission without checks
     * is implied by any permission.
     *
     * @param clusterPermission the permission to compare against; must not be {@code null}
     * @return {@code true} when all of the other permission's checks are covered
     */
    public boolean implies(ClusterPermission clusterPermission) {
        // allMatch over an empty list is true, which covers the "other has no checks" case.
        return clusterPermission.checks.stream()
            .allMatch(required -> this.checks.stream().anyMatch(own -> own.implies(required)));
    }

    /** @return the privileges this permission was built from, as an unmodifiable set */
    public Set<ClusterPrivilege> privileges() {
        return this.clusterPrivileges;
    }

    /** @return a new {@link Builder} created without {@link RestrictedIndices} */
    public static Builder builder() {
        return new Builder();
    }
}
