package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiPredicate;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.automaton.Automaton;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.class */
public final class LimitedRole implements Role {
    private static final Logger logger = LogManager.getLogger(LimitedRole.class);
    private final Role baseRole;
    private final Role limitedByRole;

    public LimitedRole(Role role, Role role2) {
        this.baseRole = (Role) Objects.requireNonNull(role);
        this.limitedByRole = (Role) Objects.requireNonNull(role2, "limited by role is required to create limited role");
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public String[] names() {
        return this.limitedByRole.names();
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public ClusterPermission cluster() {
        throw new UnsupportedOperationException("cannot retrieve cluster permission on limited role");
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public IndicesPermission indices() {
        throw new UnsupportedOperationException("cannot retrieve indices permission on limited role");
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public RemoteIndicesPermission remoteIndices() {
        throw new UnsupportedOperationException("cannot retrieve remote indices permission on limited role");
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public ApplicationPermission application() {
        throw new UnsupportedOperationException("cannot retrieve application permission on limited role");
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public RunAsPermission runAs() {
        throw new UnsupportedOperationException("cannot retrieve run_as permission on limited role");
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean hasFieldOrDocumentLevelSecurity() {
        return this.baseRole.hasFieldOrDocumentLevelSecurity() || this.limitedByRole.hasFieldOrDocumentLevelSecurity();
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        LimitedRole limitedRole = (LimitedRole) obj;
        return this.baseRole.equals(limitedRole.baseRole) && this.limitedByRole.equals(limitedRole.limitedByRole);
    }

    public int hashCode() {
        return Objects.hash(this.baseRole, this.limitedByRole);
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public IndicesAccessControl authorize(String str, Set<String> set, Map<String, IndexAbstraction> map, FieldPermissionsCache fieldPermissionsCache) {
        return this.baseRole.authorize(str, set, map, fieldPermissionsCache).limitIndicesAccessControl(this.limitedByRole.authorize(str, set, map, fieldPermissionsCache));
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String str) {
        RoleDescriptorsIntersection roleDescriptorsIntersectionForRemoteCluster = this.baseRole.getRoleDescriptorsIntersectionForRemoteCluster(str);
        if (roleDescriptorsIntersectionForRemoteCluster.roleDescriptorsList().isEmpty()) {
            logger.trace(() -> {
                return "Base role [" + Strings.arrayToCommaDelimitedString(this.baseRole.names()) + "] does not define any role descriptors for remote cluster alias [" + str + "]";
            });
            return RoleDescriptorsIntersection.EMPTY;
        }
        RoleDescriptorsIntersection roleDescriptorsIntersectionForRemoteCluster2 = this.limitedByRole.getRoleDescriptorsIntersectionForRemoteCluster(str);
        if (roleDescriptorsIntersectionForRemoteCluster2.roleDescriptorsList().isEmpty()) {
            logger.trace(() -> {
                return "Limited-by role [" + Strings.arrayToCommaDelimitedString(this.limitedByRole.names()) + "] does not define any role descriptors for remote cluster alias [" + str + "]";
            });
            return RoleDescriptorsIntersection.EMPTY;
        }
        ArrayList arrayList = new ArrayList(roleDescriptorsIntersectionForRemoteCluster.roleDescriptorsList().size() + roleDescriptorsIntersectionForRemoteCluster2.roleDescriptorsList().size());
        arrayList.addAll(roleDescriptorsIntersectionForRemoteCluster.roleDescriptorsList());
        arrayList.addAll(roleDescriptorsIntersectionForRemoteCluster2.roleDescriptorsList());
        return new RoleDescriptorsIntersection(Collections.unmodifiableList(arrayList));
    }

    /* JADX WARN: Type inference failed for: r0v3, types: [org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission$IsResourceAuthorizedPredicate] */
    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public IndicesPermission.IsResourceAuthorizedPredicate allowedIndicesMatcher(String str) {
        return this.baseRole.allowedIndicesMatcher(str).and2((BiPredicate<? super String, ? super IndexAbstraction>) this.limitedByRole.allowedIndicesMatcher(str));
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public Automaton allowedActionsMatcher(String str) {
        return Automatons.intersectAndMinimize(this.baseRole.allowedActionsMatcher(str), this.limitedByRole.allowedActionsMatcher(str));
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean checkIndicesAction(String str) {
        return this.baseRole.checkIndicesAction(str) && this.limitedByRole.checkIndicesAction(str);
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean checkIndicesPrivileges(Set<String> set, boolean z, Set<String> set2, @Nullable ResourcePrivilegesMap.Builder builder) {
        boolean checkIndicesPrivileges = this.baseRole.checkIndicesPrivileges(set, z, set2, builder);
        if (false == checkIndicesPrivileges && null == builder) {
            return false;
        }
        return checkIndicesPrivileges && this.limitedByRole.checkIndicesPrivileges(set, z, set2, builder);
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean checkClusterAction(String str, TransportRequest transportRequest, Authentication authentication) {
        return this.baseRole.checkClusterAction(str, transportRequest, authentication) && this.limitedByRole.checkClusterAction(str, transportRequest, authentication);
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean grants(ClusterPrivilege clusterPrivilege) {
        return this.baseRole.grants(clusterPrivilege) && this.limitedByRole.grants(clusterPrivilege);
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean checkApplicationResourcePrivileges(String str, Set<String> set, Set<String> set2, Collection<ApplicationPrivilegeDescriptor> collection, @Nullable ResourcePrivilegesMap.Builder builder) {
        boolean checkResourcePrivileges = this.baseRole.application().checkResourcePrivileges(str, set, set2, collection, builder);
        if (false == checkResourcePrivileges && null == builder) {
            return false;
        }
        return checkResourcePrivileges && this.limitedByRole.application().checkResourcePrivileges(str, set, set2, collection, builder);
    }

    @Override // org.elasticsearch.xpack.core.security.authz.permission.Role
    public boolean checkRunAs(String str) {
        return this.baseRole.checkRunAs(str) && this.limitedByRole.checkRunAs(str);
    }
}
