package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Stream;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.Index;
import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.support.StringMatcher;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.class */
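/**
 * Index-level part of a role: a list of {@link Group}s, each granting one {@link IndexPrivilege} on a set
 * of index-name patterns, optionally narrowed by field-level and document-level restrictions.
 *
 * <p>Grants are additive across groups. Restricted indices (as defined by the supplied
 * {@link RestrictedIndices}) are excluded from a group's patterns unless that group was created with
 * {@code allowRestrictedIndices == true}.
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers). The {@code $assertionsDisabled}
 * fields and {@code AnonymousClass1} are compiler-synthesized artifacts, and the {@code and2}/{@code or2}
 * calls look like decompiler-renamed methods of {@code StringMatcher}; confirm against that class.
 */
public final class IndicesPermission {
    private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(IndicesPermission.class);

    /** Permission with no groups and an empty restricted-index automaton; grants nothing. */
    public static final IndicesPermission NONE = new IndicesPermission(new RestrictedIndices(Automatons.EMPTY), Group.EMPTY_ARRAY);

    /**
     * Privilege names that still grant the mapping-update actions for backward compatibility, even though
     * the privilege's own action matcher does not cover them. This widens what these write-type privileges
     * allow, so every use below is guarded: it is never applied to data streams or their backing indices,
     * and a deprecation warning is logged when it is the only reason access was granted.
     */
    private static final Set<String> PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE = Set.of("create", "create_doc", "index", "write");

    /** Per-action cache of the predicate built by {@link #buildIndexMatcherPredicateForAction(String)}. */
    private final Map<String, Predicate<IndexAbstraction>> allowedIndicesMatchersForAction = new ConcurrentHashMap<>();
    private final RestrictedIndices restrictedIndices;
    private final Group[] groups;
    private final boolean hasFieldOrDocumentLevelSecurity;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission$1, reason: invalid class name */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$1.class */
    /**
     * Compiler-generated lookup table for the enum switch in {@link IndexResource#isPartOfDataStream()}:
     * DATA_STREAM maps to 1 and CONCRETE_INDEX maps to 2; every other type keeps the default 0.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$cluster$metadata$IndexAbstraction$Type = new int[IndexAbstraction.Type.values().length];

        static {
            try {
                $SwitchMap$org$elasticsearch$cluster$metadata$IndexAbstraction$Type[IndexAbstraction.Type.DATA_STREAM.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Synthetic guard emitted by the compiler: a missing enum constant leaves its slot at 0.
            }
            try {
                $SwitchMap$org$elasticsearch$cluster$metadata$IndexAbstraction$Type[IndexAbstraction.Type.CONCRETE_INDEX.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
                // Same as above.
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$Builder.class */
    /** Collects {@link Group}s that all share one {@link RestrictedIndices} definition. */
    public static class Builder {
        RestrictedIndices restrictedIndices;
        List<Group> groups = new ArrayList<>();

        /**
         * @param restrictedIndices definition of restricted indices handed to every group added later
         */
        public Builder(RestrictedIndices restrictedIndices) {
            this.restrictedIndices = restrictedIndices;
        }

        /**
         * Adds one group.
         *
         * @param indexPrivilege   privilege granted by the group
         * @param fieldPermissions field-level restrictions of the group; must not be null
         * @param set              document-level queries of the group, or null for no document-level restriction
         * @param z                whether the group may match restricted indices
         * @param strArr           index-name patterns the group applies to
         * @return this builder
         */
        public Builder addGroup(IndexPrivilege indexPrivilege, FieldPermissions fieldPermissions, @Nullable Set<BytesReference> set, boolean z, String... strArr) {
            this.groups.add(new Group(indexPrivilege, fieldPermissions, set, z, this.restrictedIndices, strArr));
            return this;
        }

        /** @return a permission holding the groups added so far */
        public IndicesPermission build() {
            return new IndicesPermission(this.restrictedIndices, this.groups.toArray(Group.EMPTY_ARRAY));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$DocumentLevelPermissions.class */
    /**
     * Accumulator for the document-level queries that apply to one index while {@code authorize} walks the
     * groups. {@link #ALLOW_ALL} is a shared sentinel meaning "no document-level restriction".
     */
    public static class DocumentLevelPermissions {
        public static final DocumentLevelPermissions ALLOW_ALL = new DocumentLevelPermissions();
        private Set<BytesReference> queries = null;
        private boolean allowAll = false;

        private DocumentLevelPermissions() {
        }

        /**
         * Adds queries to this accumulator. Does nothing on an allow-all instance, which is what keeps the
         * shared {@link #ALLOW_ALL} sentinel from ever collecting queries.
         */
        private void addAll(Set<BytesReference> set) {
            if (this.allowAll) {
                return;
            }
            if (this.queries == null) {
                this.queries = new HashSet<>(set.size());
            }
            this.queries.addAll(set);
        }

        private boolean isAllowAll() {
            return this.allowAll;
        }

        static {
            ALLOW_ALL.allowAll = true;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$Group.class */
    /**
     * One grant: a privilege on a set of index-name patterns, with optional field-level and
     * document-level restrictions and a flag that controls whether restricted indices can match.
     */
    public static class Group {
        public static final Group[] EMPTY_ARRAY;
        private final IndexPrivilege privilege;
        private final Predicate<String> actionMatcher;
        private final String[] indices;
        private final StringMatcher indexNameMatcher;
        private final Supplier<Automaton> indexNameAutomaton;
        private final FieldPermissions fieldPermissions;
        private final Set<BytesReference> query;
        private final boolean allowRestrictedIndices;
        static final /* synthetic */ boolean $assertionsDisabled;

        /**
         * @param indexPrivilege    privilege granted by this group
         * @param fieldPermissions  field-level restrictions; must not be null
         * @param set               document-level queries, or null for none
         * @param z                 whether restricted indices may match this group
         * @param restrictedIndices definition of restricted indices, consulted only when {@code z} is false
         * @param strArr            index-name patterns; the array is stored as passed, not copied
         * @throws NullPointerException if {@code fieldPermissions} is null
         */
        public Group(IndexPrivilege indexPrivilege, FieldPermissions fieldPermissions, @Nullable Set<BytesReference> set, boolean z, RestrictedIndices restrictedIndices, String... strArr) {
            // Assertion only: with assertions disabled an empty pattern list is accepted here.
            if (!$assertionsDisabled && strArr.length == 0) {
                throw new AssertionError();
            }
            this.privilege = indexPrivilege;
            this.actionMatcher = indexPrivilege.predicate();
            this.indices = strArr;
            this.allowRestrictedIndices = z;
            // Single-entry memoizer for the lazily built automaton; the key is always this same array.
            ConcurrentHashMap<String[], Automaton> automatonCache = new ConcurrentHashMap<>(1);
            if (z) {
                this.indexNameMatcher = StringMatcher.of(strArr);
                this.indexNameAutomaton = () -> automatonCache.computeIfAbsent(strArr, strArr2 -> Automatons.patterns(strArr));
            } else {
                // Restricted indices are removed from both views of the patterns (matcher and automaton),
                // so the name test and the subset test in checkResourcePrivileges agree.
                this.indexNameMatcher = StringMatcher.of(strArr).and2(str -> {
                    return !restrictedIndices.isRestricted(str);
                });
                this.indexNameAutomaton = () -> automatonCache.computeIfAbsent(
                    strArr,
                    strArr2 -> Automatons.minusAndMinimize(Automatons.patterns(strArr), restrictedIndices.getAutomaton())
                );
            }
            this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
            this.query = set;
        }

        /** @return the privilege granted by this group */
        public IndexPrivilege privilege() {
            return this.privilege;
        }

        /**
         * @return the internal pattern array itself, not a copy. It is read again when per-action matchers
         *         and the lazy automaton are built, so callers must treat it as read-only.
         */
        public String[] indices() {
            return this.indices;
        }

        /** @return the document-level queries, or null when the group has no document-level restriction */
        @Nullable
        public Set<BytesReference> getQuery() {
            return this.query;
        }

        /** @return the field-level restrictions of this group (never null) */
        public FieldPermissions getFieldPermissions() {
            return this.fieldPermissions;
        }

        /** @return whether this group's privilege covers the given action name */
        private boolean checkAction(String str) {
            return this.actionMatcher.test(str);
        }

        /**
         * @return whether the given name matches this group's patterns (restricted names never match
         *         unless the group allows restricted indices)
         */
        private boolean checkIndex(String str) {
            // The null check is an assertion only; it is skipped when assertions are disabled.
            if ($assertionsDisabled || str != null) {
                return this.indexNameMatcher.test(str);
            }
            throw new AssertionError();
        }

        /** @return true when the group carries document-level queries */
        boolean hasQuery() {
            return this.query != null;
        }

        /** @return whether restricted indices may match this group */
        public boolean allowRestrictedIndices() {
            return this.allowRestrictedIndices;
        }

        /** @return the automaton for this group's patterns, built on first use and then cached */
        public Automaton getIndexMatcherAutomaton() {
            return this.indexNameAutomaton.get();
        }

        /**
         * @return true only for an unrestricted grant: restricted indices allowed, a matcher that reports
         *         itself total, the ALL privilege, no document-level queries and no field-level security
         */
        boolean isTotal() {
            return this.allowRestrictedIndices && this.indexNameMatcher.isTotal() && this.privilege == IndexPrivilege.ALL && this.query == null && false == this.fieldPermissions.hasFieldLevelSecurity();
        }

        static {
            $assertionsDisabled = !IndicesPermission.class.desiredAssertionStatus();
            EMPTY_ARRAY = new Group[0];
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$IndexResource.class */
    /**
     * A requested name together with the cluster's {@link IndexAbstraction} for it, if one exists.
     * The abstraction is null when the name was not found in the lookup map passed to {@code authorize}.
     */
    public static class IndexResource {
        private final String name;

        @Nullable
        private final IndexAbstraction indexAbstraction;
        public Collection<String> concreteIndices;
        static final /* synthetic */ boolean $assertionsDisabled;

        private IndexResource(String str, @Nullable IndexAbstraction indexAbstraction) {
            // Both consistency checks are assertions and do not run when assertions are disabled.
            if (!$assertionsDisabled && str == null) {
                throw new AssertionError("Resource name cannot be null");
            }
            if (!$assertionsDisabled && indexAbstraction != null && !indexAbstraction.getName().equals(str)) {
                throw new AssertionError("Index abstraction has unexpected name [" + indexAbstraction.getName() + "] vs [" + str + "]");
            }
            this.name = str;
            this.indexAbstraction = indexAbstraction;
        }

        /**
         * @return true for a data stream, or for a concrete index that has a parent data stream;
         *         false for everything else, including an unknown name
         */
        public boolean isPartOfDataStream() {
            if (this.indexAbstraction == null) {
                return false;
            }
            // 1 = DATA_STREAM, 2 = CONCRETE_INDEX (see AnonymousClass1).
            switch (AnonymousClass1.$SwitchMap$org$elasticsearch$cluster$metadata$IndexAbstraction$Type[this.indexAbstraction.getType().ordinal()]) {
                case 1:
                    return true;
                case 2:
                    return this.indexAbstraction.getParentDataStream() != null;
                default:
                    return false;
            }
        }

        /**
         * @return true when the group's patterns match the parent data stream's name (so a grant on a data
         *         stream extends to its backing indices) or match this resource's own name
         */
        public boolean checkIndex(Group group) {
            IndexAbstraction.DataStream parentDataStream = this.indexAbstraction == null ? null : this.indexAbstraction.getParentDataStream();
            if (parentDataStream == null || !group.checkIndex(parentDataStream.getName())) {
                return group.checkIndex(this.name);
            }
            return true;
        }

        /** @return 1 for an unknown name or a concrete index, otherwise 1 plus the number of indices behind it */
        public int size() {
            if (this.indexAbstraction == null || this.indexAbstraction.getType() == IndexAbstraction.Type.CONCRETE_INDEX) {
                return 1;
            }
            return 1 + this.indexAbstraction.getIndices().size();
        }

        /**
         * @return an empty list for an unknown name, the index's own name for a concrete index, otherwise
         *         the names of all indices behind the abstraction
         */
        public Collection<String> resolveConcreteIndices() {
            if (this.indexAbstraction == null) {
                return List.of();
            }
            if (this.indexAbstraction.getType() == IndexAbstraction.Type.CONCRETE_INDEX) {
                return List.of(this.indexAbstraction.getName());
            }
            List<Index> indices = this.indexAbstraction.getIndices();
            List<String> names = new ArrayList<>(indices.size());
            for (Index index : indices) {
                names.add(index.getName());
            }
            return names;
        }

        /** @return true when the abstraction exists and is not a concrete index */
        public boolean canHaveBackingIndices() {
            return (this.indexAbstraction == null || this.indexAbstraction.getType() == IndexAbstraction.Type.CONCRETE_INDEX) ? false : true;
        }

        static {
            $assertionsDisabled = !IndicesPermission.class.desiredAssertionStatus();
        }
    }

    /**
     * Stores the groups (array kept as passed) and precomputes whether any field- or document-level
     * restriction can apply: no group is total, and at least one group has a query or field-level security.
     */
    private IndicesPermission(RestrictedIndices restrictedIndices, Group[] groupArr) {
        this.restrictedIndices = restrictedIndices;
        this.groups = groupArr;
        this.hasFieldOrDocumentLevelSecurity = Arrays.stream(groupArr).noneMatch(Group::isTotal)
            && Arrays.stream(groupArr).anyMatch(group -> group.hasQuery() || group.fieldPermissions.hasFieldLevelSecurity());
    }

    /**
     * Builds one name matcher from two pattern collections.
     *
     * @param collection  patterns from groups that must not match restricted indices
     * @param collection2 patterns from groups that may match restricted indices
     * @return a matcher accepting names that match {@code collection2}, or that match {@code collection}
     *         and are not restricted
     */
    private StringMatcher indexMatcher(Collection<String> collection, Collection<String> collection2) {
        StringMatcher matcher;
        if (collection.isEmpty()) {
            matcher = StringMatcher.of(collection2);
        } else {
            matcher = StringMatcher.of(collection);
            if (this.restrictedIndices != null) {
                // Ordinary patterns never reach restricted names, even when a wildcard would cover them.
                matcher = matcher.and("<not-restricted>", str -> {
                    return !this.restrictedIndices.isRestricted(str);
                });
            }
            if (!collection2.isEmpty()) {
                matcher = StringMatcher.of(collection2).or2((Predicate<? super String>) matcher);
            }
        }
        return matcher;
    }

    /**
     * @return the internal group array itself, not a copy; authorization decisions read it on every call,
     *         so callers must treat it as read-only
     */
    public Group[] groups() {
        return this.groups;
    }

    /**
     * @param str action name
     * @return a predicate, cached per action, that tells whether the action is allowed on an index abstraction
     */
    public Predicate<IndexAbstraction> allowedIndicesMatcher(String str) {
        return this.allowedIndicesMatchersForAction.computeIfAbsent(str, this::buildIndexMatcherPredicateForAction);
    }

    /** @return the flag computed in the constructor; see there for its definition */
    public boolean hasFieldOrDocumentLevelSecurity() {
        return this.hasFieldOrDocumentLevelSecurity;
    }

    /**
     * Builds the predicate behind {@link #allowedIndicesMatcher(String)}. Patterns are sorted into four
     * sets: granted by the action itself or only through the backward-compatible mapping-update rule,
     * each split by whether the group may match restricted indices.
     */
    private Predicate<IndexAbstraction> buildIndexMatcherPredicateForAction(String str) {
        Set<String> ordinaryIndices = new HashSet<>();
        Set<String> restrictedIndices = new HashSet<>();
        Set<String> grantMappingUpdatesOnIndices = new HashSet<>();
        Set<String> grantMappingUpdatesOnRestrictedIndices = new HashSet<>();
        boolean isMappingUpdateAction = isMappingUpdateAction(str);
        for (Group group : this.groups) {
            if (group.actionMatcher.test(str)) {
                if (group.allowRestrictedIndices) {
                    restrictedIndices.addAll(Arrays.asList(group.indices()));
                } else {
                    ordinaryIndices.addAll(Arrays.asList(group.indices()));
                }
            } else if (isMappingUpdateAction && containsPrivilegeThatGrantsMappingUpdatesForBwc(group)) {
                if (group.allowRestrictedIndices) {
                    grantMappingUpdatesOnRestrictedIndices.addAll(Arrays.asList(group.indices()));
                } else {
                    grantMappingUpdatesOnIndices.addAll(Arrays.asList(group.indices()));
                }
            }
        }
        StringMatcher nameMatcher = indexMatcher(ordinaryIndices, restrictedIndices);
        StringMatcher bwcSpecialCaseMatcher = indexMatcher(grantMappingUpdatesOnIndices, grantMappingUpdatesOnRestrictedIndices);
        // The backward-compatible grant is limited to abstractions that are neither a data stream nor
        // backed by one.
        return indexAbstraction -> nameMatcher.test(indexAbstraction.getName())
            || (indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM
                && indexAbstraction.getParentDataStream() == null
                && bwcSpecialCaseMatcher.test(indexAbstraction.getName()));
    }

    /**
     * Index-independent check.
     *
     * @param str action name
     * @return true when any group grants the action on some index, directly or through the
     *         backward-compatible mapping-update rule
     */
    public boolean check(String str) {
        boolean isMappingUpdateAction = isMappingUpdateAction(str);
        for (Group group : this.groups) {
            if (group.checkAction(str)) {
                return true;
            }
            if (isMappingUpdateAction && containsPrivilegeThatGrantsMappingUpdatesForBwc(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether this permission grants each listed privilege on each listed index pattern.
     *
     * @param set     index names or patterns to check
     * @param z       whether the patterns are allowed to cover restricted indices
     * @param set2    privilege names to check on every pattern
     * @param builder receives one entry per (pattern, privilege) pair; when null the method returns
     *                false at the first pair that is not granted
     * @return true only when every pair is granted
     */
    public boolean checkResourcePrivileges(Set<String> set, boolean z, Set<String> set2, @Nullable ResourcePrivilegesMap.Builder builder) {
        Map<Group, Automaton> indexGroupAutomatons = new HashMap<>();
        boolean allMatch = true;
        for (String forIndexPattern : set) {
            Automaton checkIndexAutomaton = Automatons.patterns(forIndexPattern);
            // Restricted names are removed from the pattern unless the caller asked for them or the
            // pattern is itself one concrete restricted index name. In the latter case the pattern is
            // kept and the decision is left to the groups, whose automatons exclude restricted names
            // unless the group allows them.
            if (false == z && false == isConcreteRestrictedIndex(forIndexPattern)) {
                checkIndexAutomaton = Automatons.minusAndMinimize(checkIndexAutomaton, this.restrictedIndices.getAutomaton());
            }
            if (false == Operations.isEmpty(checkIndexAutomaton)) {
                // Union of the privileges of every group whose patterns cover the whole checked pattern.
                Automaton allowedIndexPrivilegesAutomaton = null;
                for (Group group : this.groups) {
                    Automaton groupIndexAutomaton = indexGroupAutomatons.computeIfAbsent(group, Group::getIndexMatcherAutomaton);
                    if (Operations.subsetOf(checkIndexAutomaton, groupIndexAutomaton)) {
                        allowedIndexPrivilegesAutomaton = allowedIndexPrivilegesAutomaton != null
                            ? Automatons.unionAndMinimize(Arrays.asList(allowedIndexPrivilegesAutomaton, group.privilege().getAutomaton()))
                            : group.privilege().getAutomaton();
                    }
                }
                for (String privilegeName : set2) {
                    IndexPrivilege indexPrivilege = IndexPrivilege.get(Collections.singleton(privilegeName));
                    if (allowedIndexPrivilegesAutomaton == null || !Operations.subsetOf(indexPrivilege.getAutomaton(), allowedIndexPrivilegesAutomaton)) {
                        if (builder == null) {
                            return false;
                        }
                        builder.addResourcePrivilege(forIndexPattern, privilegeName, Boolean.FALSE);
                        allMatch = false;
                    } else if (builder != null) {
                        builder.addResourcePrivilege(forIndexPattern, privilegeName, Boolean.TRUE);
                    }
                }
            } else {
                // Nothing is left of the pattern after removing restricted names: deny every privilege.
                if (builder == null) {
                    return false;
                }
                for (String privilegeName : set2) {
                    builder.addResourcePrivilege(forIndexPattern, privilegeName, Boolean.FALSE);
                }
                allMatch = false;
            }
        }
        return allMatch;
    }

    /**
     * @param str index name
     * @return the union of the privilege automatons of all groups whose patterns match the name, or
     *         {@code Automatons.EMPTY} when no group matches
     */
    public Automaton allowedActionsMatcher(String str) {
        List<Automaton> automatonList = new ArrayList<>();
        for (Group group : this.groups) {
            if (group.indexNameMatcher.test(str)) {
                automatonList.add(group.privilege.getAutomaton());
            }
        }
        return automatonList.isEmpty() ? Automatons.EMPTY : Automatons.unionAndMinimize(automatonList);
    }

    /**
     * Decides, per requested name, whether the action is granted and which field- and document-level
     * restrictions apply.
     *
     * <p>Restrictions are combined additively across matching groups: a matching group without a query
     * lifts document-level filtering for that index, and field permissions of several groups are merged
     * through the cache.
     *
     * @param str                   action name
     * @param set                   requested index, alias or data stream names
     * @param map                   lookup from name to index abstraction; names missing here are
     *                              treated as having no concrete indices
     * @param fieldPermissionsCache used to merge more than one set of field permissions for an index
     * @return the access-control result; its overall flag is true only when every entry is granted
     */
    public IndicesAccessControl authorize(String str, Set<String> set, Map<String, IndexAbstraction> map, FieldPermissionsCache fieldPermissionsCache) {
        // A single total group means unrestricted access; skip the per-index work.
        if (Arrays.stream(this.groups).anyMatch(Group::isTotal)) {
            return IndicesAccessControl.allowAll();
        }
        List<IndexResource> resources = new ArrayList<>(set.size());
        int totalResourceCount = 0;
        for (String requestedName : set) {
            IndexResource resource = new IndexResource(requestedName, map.get(requestedName));
            resources.add(resource);
            totalResourceCount += resource.size();
        }
        Map<String, Set<FieldPermissions>> fieldPermissionsByIndex = Maps.newMapWithExpectedSize(totalResourceCount);
        Map<String, DocumentLevelPermissions> roleQueriesByIndex = Maps.newMapWithExpectedSize(totalResourceCount);
        Map<String, Boolean> grantedByName = Maps.newMapWithExpectedSize(totalResourceCount);
        boolean isMappingUpdateAction = isMappingUpdateAction(str);
        for (IndexResource resource : resources) {
            boolean granted = false;
            boolean bwcGrantMappingUpdate = false;
            // Deprecation warnings are deferred: they are emitted only if the backward-compatible rule
            // turns out to be the sole reason for granting access to this resource.
            List<Runnable> bwcDeprecationLogActions = new ArrayList<>();
            Collection<String> concreteIndices = resource.resolveConcreteIndices();
            for (Group group : this.groups) {
                if (resource.checkIndex(group)) {
                    boolean actionCheck = group.checkAction(str);
                    granted = granted || actionCheck;
                    // The backward-compatible mapping-update grant never applies to data streams or
                    // their backing indices.
                    boolean bwcMappingActionCheck = isMappingUpdateAction
                        && false == resource.isPartOfDataStream()
                        && containsPrivilegeThatGrantsMappingUpdatesForBwc(group);
                    bwcGrantMappingUpdate = bwcGrantMappingUpdate || bwcMappingActionCheck;
                    if (actionCheck || bwcMappingActionCheck) {
                        for (String concreteIndex : concreteIndices) {
                            Set<FieldPermissions> fieldPermissionsSet = fieldPermissionsByIndex.compute(concreteIndex, (key, existing) -> {
                                if (existing == null) {
                                    return Set.of(group.getFieldPermissions());
                                }
                                if (existing.size() != 1) {
                                    existing.add(group.getFieldPermissions());
                                    return existing;
                                }
                                // A one-element set may be the immutable Set.of created above, so copy
                                // before adding a second entry.
                                FieldPermissions groupFieldPermissions = group.getFieldPermissions();
                                if (existing.contains(groupFieldPermissions)) {
                                    return existing;
                                }
                                Set<FieldPermissions> copy = new HashSet<>(existing);
                                copy.add(groupFieldPermissions);
                                return copy;
                            });
                            DocumentLevelPermissions documentLevelPermissions;
                            if (group.hasQuery()) {
                                // If an earlier group already stored ALLOW_ALL, addAll is a no-op and
                                // the index stays unfiltered.
                                documentLevelPermissions = roleQueriesByIndex.computeIfAbsent(concreteIndex, key -> new DocumentLevelPermissions());
                                documentLevelPermissions.addAll(group.getQuery());
                            } else {
                                // A matching group without a query replaces any collected queries.
                                documentLevelPermissions = DocumentLevelPermissions.ALLOW_ALL;
                                roleQueriesByIndex.put(concreteIndex, documentLevelPermissions);
                            }
                            if (!concreteIndex.equals(resource.name)) {
                                // The requested name (not itself this concrete index) also records the
                                // restrictions computed for this concrete index.
                                fieldPermissionsByIndex.put(resource.name, fieldPermissionsSet);
                                roleQueriesByIndex.put(resource.name, documentLevelPermissions);
                            }
                        }
                        if (false == actionCheck) {
                            for (String privilegeName : group.privilege.name()) {
                                if (PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE.contains(privilegeName)) {
                                    bwcDeprecationLogActions.add(() -> {
                                        deprecationLogger.warn(DeprecationCategory.SECURITY, "[" + resource.name + "] mapping update for ingest privilege [" + privilegeName + "]", "the index privilege [" + privilegeName + "] allowed the update mapping action [" + str + "] on index [" + resource.name + "], this privilege will not permit mapping updates in the next major release - users who require access to update mappings must be granted explicit privileges", new Object[0]);
                                    });
                                }
                            }
                        }
                    }
                }
            }
            if (false == granted && bwcGrantMappingUpdate) {
                granted = true;
                bwcDeprecationLogActions.forEach(Runnable::run);
            }
            grantedByName.put(resource.name, Boolean.valueOf(granted));
            if (resource.canHaveBackingIndices()) {
                for (String concreteIndex : concreteIndices) {
                    // Names that were requested explicitly get their own decision from their own
                    // iteration; only implicit backing indices inherit (OR-merge) this one.
                    if (false == set.contains(concreteIndex)) {
                        grantedByName.merge(concreteIndex, Boolean.valueOf(granted), Boolean::logicalOr);
                    }
                }
            }
        }
        boolean overallGranted = true;
        Map<String, IndicesAccessControl.IndexAccessControl> indexPermissions = Maps.newMapWithExpectedSize(grantedByName.size());
        for (Map.Entry<String, Boolean> entry : grantedByName.entrySet()) {
            String index = entry.getKey();
            DocumentLevelPermissions permissions = roleQueriesByIndex.get(index);
            Set<BytesReference> roleQueries = (permissions == null || permissions.isAllowAll()) ? null : Collections.unmodifiableSet(permissions.queries);
            Set<FieldPermissions> indexFieldPermissions = fieldPermissionsByIndex.get(index);
            FieldPermissions fieldPermissions;
            if (indexFieldPermissions == null || indexFieldPermissions.isEmpty()) {
                fieldPermissions = FieldPermissions.DEFAULT;
            } else if (indexFieldPermissions.size() == 1) {
                fieldPermissions = indexFieldPermissions.iterator().next();
            } else {
                fieldPermissions = fieldPermissionsCache.getFieldPermissions(indexFieldPermissions);
            }
            if (!entry.getValue().booleanValue()) {
                overallGranted = false;
            }
            indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue().booleanValue(), fieldPermissions, roleQueries != null ? DocumentPermissions.filteredBy(roleQueries) : DocumentPermissions.allowAll()));
        }
        return new IndicesAccessControl(overallGranted, Collections.unmodifiableMap(indexPermissions));
    }

    /**
     * @return true when the argument is a plain name (neither a simple-match pattern nor a Lucene regex)
     *         and that name is restricted
     */
    private boolean isConcreteRestrictedIndex(String str) {
        if (Regex.isSimpleMatchPattern(str) || Automatons.isLuceneRegex(str)) {
            return false;
        }
        return this.restrictedIndices.isRestricted(str);
    }

    /** @return true for the two mapping-update action names */
    private static boolean isMappingUpdateAction(String str) {
        return str.equals("indices:admin/mapping/put") || str.equals("indices:admin/mapping/auto_put");
    }

    /**
     * @return true when any name of the group's privilege is in
     *         {@link #PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE}
     */
    private static boolean containsPrivilegeThatGrantsMappingUpdatesForBwc(Group group) {
        // The decompiled listing referenced an undeclared register name here; the bound receiver is the
        // constant set.
        return group.privilege().name().stream().anyMatch(PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE::contains);
    }
}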
