package org.elasticsearch.xpack.core.security.authz.permission;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.TransportVersions;
import org.elasticsearch.common.io.stream.NamedWriteable;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/RemoteClusterPermissions.class */
public class RemoteClusterPermissions implements NamedWriteable, ToXContentObject {
    public static final TransportVersion ROLE_REMOTE_CLUSTER_PRIVS;
    public static final String NAME = "remote_cluster_permissions";
    private static final Logger logger;
    private final List<RemoteClusterPermissionGroup> remoteClusterPermissionGroups;
    static Map<TransportVersion, Set<String>> allowedRemoteClusterPermissions;
    static final TransportVersion lastTransportVersionPermission;
    public static final RemoteClusterPermissions NONE;
    static final /* synthetic */ boolean $assertionsDisabled;

    public static Set<String> getSupportedRemoteClusterPermissions() {
        return (Set) allowedRemoteClusterPermissions.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toCollection(TreeSet::new));
    }

    public RemoteClusterPermissions(StreamInput streamInput) throws IOException {
        this.remoteClusterPermissionGroups = streamInput.readNamedWriteableCollectionAsList(RemoteClusterPermissionGroup.class);
    }

    public RemoteClusterPermissions(List<Map<String, List<String>>> list) {
        this.remoteClusterPermissionGroups = new ArrayList();
        Iterator<Map<String, List<String>>> it = list.iterator();
        while (it.hasNext()) {
            this.remoteClusterPermissionGroups.add(new RemoteClusterPermissionGroup(it.next()));
        }
    }

    public RemoteClusterPermissions() {
        this.remoteClusterPermissionGroups = new ArrayList();
    }

    public RemoteClusterPermissions addGroup(RemoteClusterPermissionGroup remoteClusterPermissionGroup) {
        Objects.requireNonNull(remoteClusterPermissionGroup, "remoteClusterPermissionGroup must not be null");
        if (this == NONE) {
            throw new IllegalArgumentException("Cannot add a group to the `NONE` instance");
        }
        this.remoteClusterPermissionGroups.add(remoteClusterPermissionGroup);
        return this;
    }

    public RemoteClusterPermissions removeUnsupportedPrivileges(TransportVersion transportVersion) {
        Objects.requireNonNull(transportVersion, "outboundVersion must not be null");
        if (transportVersion.onOrAfter(lastTransportVersionPermission)) {
            return this;
        }
        RemoteClusterPermissions remoteClusterPermissions = new RemoteClusterPermissions();
        Set<String> allowedPermissionsPerVersion = getAllowedPermissionsPerVersion(transportVersion);
        for (RemoteClusterPermissionGroup remoteClusterPermissionGroup : this.remoteClusterPermissionGroups) {
            String[] clusterPrivileges = remoteClusterPermissionGroup.clusterPrivileges();
            ArrayList arrayList = new ArrayList(clusterPrivileges.length);
            for (String str : clusterPrivileges) {
                if (allowedPermissionsPerVersion.contains(str.toLowerCase(Locale.ROOT))) {
                    arrayList.add(str);
                }
            }
            if (arrayList.isEmpty()) {
                logger.debug("Removed all remote cluster permissions for remote cluster [{}]. Due to the remote cluster version, only the following permissions are allowed: {}", remoteClusterPermissionGroup.remoteClusterAliases(), allowedPermissionsPerVersion);
            } else {
                RemoteClusterPermissionGroup remoteClusterPermissionGroup2 = new RemoteClusterPermissionGroup((String[]) arrayList.toArray(new String[0]), remoteClusterPermissionGroup.remoteClusterAliases());
                remoteClusterPermissions.addGroup(remoteClusterPermissionGroup2);
                if (logger.isDebugEnabled() && !remoteClusterPermissionGroup.equals(remoteClusterPermissionGroup2)) {
                    logger.debug("Removed unsupported remote cluster permissions. Remaining {} for remote cluster [{}] for version [{}].Due to the remote cluster version, only the following permissions are allowed: {}", arrayList, remoteClusterPermissionGroup.remoteClusterAliases(), transportVersion, allowedPermissionsPerVersion);
                }
            }
        }
        return remoteClusterPermissions;
    }

    public String[] collapseAndRemoveUnsupportedPrivileges(String str, TransportVersion transportVersion) {
        Set set = (Set) this.remoteClusterPermissionGroups.stream().filter(remoteClusterPermissionGroup -> {
            return remoteClusterPermissionGroup.hasPrivileges(str);
        }).flatMap(remoteClusterPermissionGroup2 -> {
            return Arrays.stream(remoteClusterPermissionGroup2.clusterPrivileges());
        }).distinct().map(str2 -> {
            return str2.toLowerCase(Locale.ROOT);
        }).collect(Collectors.toSet());
        Set<String> allowedPermissionsPerVersion = getAllowedPermissionsPerVersion(transportVersion);
        HashSet hashSet = new HashSet(set);
        if (hashSet.retainAll(allowedPermissionsPerVersion)) {
            HashSet hashSet2 = new HashSet(set);
            hashSet2.removeAll(allowedPermissionsPerVersion);
            logger.info("Removed unsupported remote cluster permissions {} for remote cluster [{}]. Due to the remote cluster version, only the following permissions are allowed: {}", hashSet2, str, hashSet);
        }
        return (String[]) hashSet.stream().sorted().toArray(i -> {
            return new String[i];
        });
    }

    public List<Map<String, List<String>>> toMap() {
        return this.remoteClusterPermissionGroups.stream().map((v0) -> {
            return v0.toMap();
        }).toList();
    }

    public void validate() {
        if (!$assertionsDisabled && !hasAnyPrivileges()) {
            throw new AssertionError();
        }
        Set<String> unsupportedPrivileges = getUnsupportedPrivileges();
        if (!unsupportedPrivileges.isEmpty()) {
            throw new IllegalArgumentException("Invalid remote_cluster permissions found. Please remove the following: " + String.valueOf(unsupportedPrivileges) + " Only " + String.valueOf(getSupportedRemoteClusterPermissions()) + " are allowed");
        }
    }

    private Set<String> getUnsupportedPrivileges() {
        HashSet hashSet = new HashSet();
        Iterator<RemoteClusterPermissionGroup> it = this.remoteClusterPermissionGroups.iterator();
        while (it.hasNext()) {
            for (String str : it.next().clusterPrivileges()) {
                if (!getSupportedRemoteClusterPermissions().contains(str.toLowerCase(Locale.ROOT))) {
                    hashSet.add(str);
                }
            }
        }
        return hashSet;
    }

    public boolean hasAnyPrivileges(String str) {
        return this.remoteClusterPermissionGroups.stream().anyMatch(remoteClusterPermissionGroup -> {
            return remoteClusterPermissionGroup.hasPrivileges(str);
        });
    }

    public boolean hasAnyPrivileges() {
        return !this.remoteClusterPermissionGroups.isEmpty();
    }

    public List<RemoteClusterPermissionGroup> groups() {
        return Collections.unmodifiableList(this.remoteClusterPermissionGroups);
    }

    private Set<String> getAllowedPermissionsPerVersion(TransportVersion transportVersion) {
        return (Set) allowedRemoteClusterPermissions.entrySet().stream().filter(entry -> {
            return ((TransportVersion) entry.getKey()).onOrBefore(transportVersion);
        }).map((v0) -> {
            return v0.getValue();
        }).flatMap((v0) -> {
            return v0.stream();
        }).map(str -> {
            return str.toLowerCase(Locale.ROOT);
        }).collect(Collectors.toSet());
    }

    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        Iterator<RemoteClusterPermissionGroup> it = this.remoteClusterPermissionGroups.iterator();
        while (it.hasNext()) {
            xContentBuilder.value(it.next());
        }
        return xContentBuilder;
    }

    public void writeTo(StreamOutput streamOutput) throws IOException {
        streamOutput.writeNamedWriteableCollection(this.remoteClusterPermissionGroups);
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        return Objects.equals(this.remoteClusterPermissionGroups, ((RemoteClusterPermissions) obj).remoteClusterPermissionGroups);
    }

    public int hashCode() {
        return Objects.hash(this.remoteClusterPermissionGroups);
    }

    public String toString() {
        return "RemoteClusterPermissions{remoteClusterPermissionGroups=" + String.valueOf(this.remoteClusterPermissionGroups) + "}";
    }

    public String getWriteableName() {
        return NAME;
    }

    static {
        $assertionsDisabled = !RemoteClusterPermissions.class.desiredAssertionStatus();
        ROLE_REMOTE_CLUSTER_PRIVS = TransportVersions.V_8_15_0;
        logger = LogManager.getLogger(RemoteClusterPermissions.class);
        allowedRemoteClusterPermissions = Map.of(ROLE_REMOTE_CLUSTER_PRIVS, Set.of(ClusterPrivilegeResolver.MONITOR_ENRICH.name()), TransportVersions.ROLE_MONITOR_STATS, Set.of(ClusterPrivilegeResolver.MONITOR_STATS.name()));
        lastTransportVersionPermission = allowedRemoteClusterPermissions.keySet().stream().max((v0, v1) -> {
            return v0.compareTo(v1);
        }).orElseThrow();
        NONE = new RemoteClusterPermissions();
    }
}
