package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import org.apache.lucene.util.automaton.Automaton;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/Role.class */
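/**
 * A resolved security role: the cluster, indices, application and run-as permissions that
 * authorization decisions are evaluated against.
 *
 * <p>Instances are assembled through {@link Builder}, either from explicit calls or from a
 * {@link RoleDescriptor}. This listing is decompiler output, so parameter names such as
 * {@code str}, {@code set} and {@code z} carry no meaning of their own; the per-method notes
 * below are hedged wherever the visible code does not establish the semantics.
 */
public interface Role {
    /**
     * A role built straight from an empty builder: no index groups, no application privileges,
     * {@code ClusterPermission.NONE} and {@code RunAsPermission.NONE}.
     *
     * <p>NOTE(review): the role name is taken from {@code AuthenticationField.PRIVILEGE_CATEGORY_VALUE_EMPTY};
     * a decompiler may substitute any constant with an equal value for a string literal, so
     * confirm the intended name against the upstream source.
     */
    public static final Role EMPTY = builder(new RestrictedIndices(Automatons.EMPTY), AuthenticationField.PRIVILEGE_CATEGORY_VALUE_EMPTY).build();

    /**
     * Mutable, single-threaded builder for {@link SimpleRole}.
     *
     * <p>Security-relevant behaviour visible in this class:
     * <ul>
     *   <li>{@link #cluster} and {@link #runAs} <em>replace</em> any earlier value; they do not merge.</li>
     *   <li>{@link #add(IndexPrivilege, String...)} never opts a group in to restricted indices.</li>
     *   <li>The {@code names} and {@code indices} arrays are stored by reference, not copied, so a
     *       caller that mutates them after the call changes what the built role sees.</li>
     * </ul>
     */
    public static class Builder {
        private final String[] names;
        // Both permissions start at NONE, so a builder that is never configured grants nothing here.
        private ClusterPermission cluster = ClusterPermission.NONE;
        private RunAsPermission runAs = RunAsPermission.NONE;
        private final List<IndicesPermissionGroupDefinition> groups = new ArrayList<>();
        private final List<Tuple<ApplicationPrivilege, Set<String>>> applicationPrivs = new ArrayList<>();
        private final RestrictedIndices restrictedIndices;

        /**
         * Immutable holder for one index permission group until {@link Builder#build()} hands it
         * to {@code IndicesPermission.Builder#addGroup}.
         *
         * <p>NOTE(review): the decompiler reports that it widened this class's access modifier
         * from {@code private}; treat it as an implementation detail of the builder.
         */
        public static class IndicesPermissionGroupDefinition {
            private final IndexPrivilege privilege;
            private final FieldPermissions fieldPermissions;

            // null means no query was supplied for this group.
            @Nullable
            private final Set<BytesReference> query;
            private final boolean allowRestrictedIndices;
            // Stored by reference; not defensively copied.
            private final String[] indices;

            private IndicesPermissionGroupDefinition(IndexPrivilege privilege, FieldPermissions fieldPermissions, @Nullable Set<BytesReference> query, boolean allowRestrictedIndices, String... indices) {
                this.privilege = privilege;
                this.fieldPermissions = fieldPermissions;
                this.query = query;
                this.allowRestrictedIndices = allowRestrictedIndices;
                this.indices = indices;
            }
        }

        /** Creates an empty builder; the {@code names} array is kept by reference. */
        private Builder(RestrictedIndices restrictedIndices, String[] names) {
            this.restrictedIndices = restrictedIndices;
            this.names = names;
        }

        /**
         * Creates a builder pre-populated from a role descriptor: cluster privileges, index
         * privilege groups, application privileges and (when present) run-as principals.
         *
         * @param fieldPermissionsCache optional cache; when {@code null} a fresh
         *     {@code FieldPermissions} is created per index group
         */
        private Builder(RoleDescriptor roleDescriptor, @Nullable FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
            this.restrictedIndices = restrictedIndices;
            this.names = new String[]{roleDescriptor.getName()};
            cluster(Sets.newHashSet(roleDescriptor.getClusterPrivileges()), Arrays.asList(roleDescriptor.getConditionalClusterPrivileges()));
            this.groups.addAll(convertFromIndicesPrivileges(roleDescriptor.getIndicesPrivileges(), fieldPermissionsCache));
            for (RoleDescriptor.ApplicationResourcePrivileges applicationResourcePrivileges : roleDescriptor.getApplicationPrivileges()) {
                this.applicationPrivs.add(convertApplicationPrivilege(applicationResourcePrivileges));
            }
            // A null or empty run-as list leaves the default RunAsPermission.NONE in place.
            String[] runAsPrincipals = roleDescriptor.getRunAs();
            if (runAsPrincipals != null && runAsPrincipals.length > 0) {
                runAs(new Privilege(Sets.newHashSet(runAsPrincipals), runAsPrincipals));
            }
        }

        /**
         * Sets the cluster permission from named privileges plus configurable privileges.
         *
         * <p>The result overwrites any cluster permission set by an earlier call. Each name is
         * passed to {@code ClusterPrivilegeResolver.resolve}; how unknown names are handled is
         * decided there and is not visible in this file.
         *
         * @param set names of cluster privileges; may be empty
         * @param iterable configurable cluster privileges applied after the named ones
         * @return this builder
         */
        public Builder cluster(Set<String> set, Iterable<ConfigurableClusterPrivilege> iterable) {
            ClusterPermission.Builder builder = ClusterPermission.builder();
            for (String privilegeName : set) {
                builder = ClusterPrivilegeResolver.resolve(privilegeName).buildPermission(builder);
            }
            for (ConfigurableClusterPrivilege configurablePrivilege : iterable) {
                builder = configurablePrivilege.buildPermission(builder);
            }
            this.cluster = builder.build();
            return this;
        }

        /**
         * Sets the run-as permission, replacing any previous value.
         *
         * @return this builder
         */
        public Builder runAs(Privilege privilege) {
            this.runAs = new RunAsPermission(privilege);
            return this;
        }

        /**
         * Adds an index group with {@code FieldPermissions.DEFAULT}, no query, and
         * {@code allowRestrictedIndices == false}.
         *
         * <p>Because the flag is hard-wired to {@code false}, groups added through this overload
         * never opt in to restricted indices; use the five-argument overload when that is
         * genuinely required.
         *
         * @return this builder
         */
        public Builder add(IndexPrivilege indexPrivilege, String... strArr) {
            this.groups.add(new IndicesPermissionGroupDefinition(indexPrivilege, FieldPermissions.DEFAULT, null, false, strArr));
            return this;
        }

        /**
         * Adds an index group with explicit field permissions, query set and restricted-index flag.
         *
         * @param set queries for the group; {@code null} is accepted and recorded as "no query"
         * @param z stored as the group's {@code allowRestrictedIndices} flag
         * @param strArr index names or patterns, stored by reference
         * @return this builder
         */
        public Builder add(FieldPermissions fieldPermissions, Set<BytesReference> set, IndexPrivilege indexPrivilege, boolean z, String... strArr) {
            this.groups.add(new IndicesPermissionGroupDefinition(indexPrivilege, fieldPermissions, set, z, strArr));
            return this;
        }

        /**
         * Adds an application privilege paired with a set of strings (presumably the resources it
         * applies to, matching {@link #convertApplicationPrivilege} - confirm).
         *
         * @return this builder
         */
        public Builder addApplicationPrivilege(ApplicationPrivilege applicationPrivilege, Set<String> set) {
            this.applicationPrivs.add(new Tuple<>(applicationPrivilege, set));
            return this;
        }

        /**
         * Builds the role from the accumulated state.
         *
         * <p>With no index groups the role gets {@code IndicesPermission.NONE}; with no
         * application privileges it gets {@code ApplicationPermission.NONE}. The
         * {@code restrictedIndices} instance is consulted only when at least one group exists.
         */
        public SimpleRole build() {
            IndicesPermission indicesPermission;
            if (this.groups.isEmpty()) {
                indicesPermission = IndicesPermission.NONE;
            } else {
                IndicesPermission.Builder indicesBuilder = new IndicesPermission.Builder(this.restrictedIndices);
                for (IndicesPermissionGroupDefinition group : this.groups) {
                    indicesBuilder.addGroup(group.privilege, group.fieldPermissions, group.query, group.allowRestrictedIndices, group.indices);
                }
                indicesPermission = indicesBuilder.build();
            }
            ApplicationPermission applicationPermission = this.applicationPrivs.isEmpty() ? ApplicationPermission.NONE : new ApplicationPermission(this.applicationPrivs);
            return new SimpleRole(this.names, this.cluster, indicesPermission, applicationPermission, this.runAs);
        }

        /**
         * Converts descriptor index privileges into group definitions, one per array element.
         *
         * <p>Field permissions come from the cache when one is supplied, otherwise from a new
         * {@code FieldPermissions}. A descriptor without a query yields a {@code null} query set
         * rather than an empty one. The restricted-index flag is copied from the descriptor as is.
         */
        static List<IndicesPermissionGroupDefinition> convertFromIndicesPrivileges(RoleDescriptor.IndicesPrivileges[] indicesPrivilegesArr, @Nullable FieldPermissionsCache fieldPermissionsCache) {
            List<IndicesPermissionGroupDefinition> definitions = new ArrayList<>(indicesPrivilegesArr.length);
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : indicesPrivilegesArr) {
                IndexPrivilege privilege = IndexPrivilege.get(Sets.newHashSet(indicesPrivileges.getPrivileges()));
                FieldPermissions fieldPermissions = fieldPermissionsCache != null
                    ? fieldPermissionsCache.getFieldPermissions(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields())
                    : new FieldPermissions(new FieldPermissionsDefinition(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields()));
                BytesReference query = indicesPrivileges.getQuery();
                Set<BytesReference> querySet = query == null ? null : Collections.singleton(query);
                definitions.add(new IndicesPermissionGroupDefinition(privilege, fieldPermissions, querySet, indicesPrivileges.allowRestrictedIndices(), indicesPrivileges.getIndices()));
            }
            return definitions;
        }

        /**
         * Converts a descriptor application entry into an {@code ApplicationPrivilege} paired with
         * the set of resources from the same entry.
         */
        static Tuple<ApplicationPrivilege, Set<String>> convertApplicationPrivilege(RoleDescriptor.ApplicationResourcePrivileges applicationResourcePrivileges) {
            ApplicationPrivilege privilege = new ApplicationPrivilege(applicationResourcePrivileges.getApplication(), Sets.newHashSet(applicationResourcePrivileges.getPrivileges()), applicationResourcePrivileges.getPrivileges());
            return new Tuple<>(privilege, Sets.newHashSet(applicationResourcePrivileges.getResources()));
        }
    }

    /** Returns the role names this role was built from. */
    String[] names();

    /** Returns the cluster-level permission of this role. */
    ClusterPermission cluster();

    /** Returns the index-level permission of this role. */
    IndicesPermission indices();

    /** Returns the application-level permission of this role. */
    ApplicationPermission application();

    /** Returns the run-as permission of this role. */
    RunAsPermission runAs();

    /** Reports whether field- or document-level security applies; the rule lives in implementations. */
    boolean hasFieldOrDocumentLevelSecurity();

    /** Returns a matcher over index abstractions for the given string (presumably an action name - confirm). */
    Predicate<IndexAbstraction> allowedIndicesMatcher(String str);

    /** Returns an automaton of allowed actions for the given string (presumably an index name - confirm). */
    Automaton allowedActionsMatcher(String str);

    /** Checks the run-as permission for the given string (presumably a target user name - confirm). */
    boolean checkRunAs(String str);

    /** Checks the indices permission for the given string (presumably an action name - confirm). */
    boolean checkIndicesAction(String str);

    /**
     * Checks index privileges and optionally records per-resource results in the builder.
     * NOTE(review): the two sets and the flag are presumably index patterns, privilege names and
     * an allow-restricted-indices switch; the decompiled names do not say - confirm in implementations.
     */
    boolean checkIndicesPrivileges(Set<String> set, boolean z, Set<String> set2, @Nullable ResourcePrivilegesMap.Builder builder);

    /** Checks a cluster action for the given request and authentication. */
    boolean checkClusterAction(String str, TransportRequest transportRequest, Authentication authentication);

    /** Reports whether this role grants the given cluster privilege. */
    boolean grants(ClusterPrivilege clusterPrivilege);

    /**
     * Checks application resource privileges and optionally records per-resource results in the
     * builder. NOTE(review): argument meanings are not recoverable from the decompiled names.
     */
    boolean checkApplicationResourcePrivileges(String str, Set<String> set, Set<String> set2, Collection<ApplicationPrivilegeDescriptor> collection, @Nullable ResourcePrivilegesMap.Builder builder);

    /** Computes the index access control for a request; the decision logic lives in implementations. */
    IndicesAccessControl authorize(String str, Set<String> set, Map<String, IndexAbstraction> map, FieldPermissionsCache fieldPermissionsCache);

    /**
     * Wraps this role and {@code role} in a {@link LimitedRole}.
     *
     * <p>NOTE(review): presumably the result permits only what both roles permit; that is
     * enforced in {@code LimitedRole}, not here - confirm before relying on it.
     */
    default LimitedRole limitedBy(Role role) {
        return new LimitedRole(this, role);
    }

    /** Starts an empty builder for a role with the given names. */
    static Builder builder(RestrictedIndices restrictedIndices, String... strArr) {
        return new Builder(restrictedIndices, strArr);
    }

    /** Starts a builder pre-populated from {@code roleDescriptor}; the cache may be {@code null}. */
    static Builder builder(RoleDescriptor roleDescriptor, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
        return new Builder(roleDescriptor, fieldPermissionsCache, restrictedIndices);
    }
}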
