package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import org.apache.lucene.util.automaton.Automaton;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteIndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/SimpleRole.class */
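/**
 * A {@link Role} backed by one permission object per area (cluster, indices, application,
 * run-as and remote indices). Most methods delegate directly to the matching permission.
 *
 * <p>Each instance also lazily owns a small cache of "has privileges" check results, sized by
 * {@link #CACHE_SIZE_SETTING}.
 *
 * <p>NOTE(review): this listing is decompiler output; parameter names such as {@code str} and
 * {@code set} are decompiler-generated and carry no meaning of their own.
 */
public class SimpleRole implements Role {

    /**
     * Node-scoped setting for the maximum weight of the per-role "has privileges" cache
     * (default 1000). A negative value means no maximum weight is set on the cache builder.
     */
    public static final Setting<Integer> CACHE_SIZE_SETTING = Setting.intSetting(
        "xpack.security.authz.store.roles.has_privileges.cache.max_size",
        1000,
        Setting.Property.NodeScope
    );

    // Stored and returned without a defensive copy; see names().
    private final String[] names;
    private final ClusterPermission cluster;
    private final IndicesPermission indices;
    private final ApplicationPermission application;
    private final RunAsPermission runAs;
    private final RemoteIndicesPermission remoteIndices;
    // Created on first use by cacheHasPrivileges(); null until then.
    private final AtomicReference<Cache<AuthorizationEngine.PrivilegesToCheck, AuthorizationEngine.PrivilegesCheckResult>>
        hasPrivilegesCacheReference = new AtomicReference<>();

    /**
     * Creates a role from its name(s) and permission objects.
     *
     * <p>The decompiler reports that the original visibility was package-private; it is kept
     * {@code public} here to match the listing.
     *
     * @throws NullPointerException if any permission argument is {@code null}; {@code strArr}
     *     is not null-checked
     */
    public SimpleRole(
        String[] strArr,
        ClusterPermission clusterPermission,
        IndicesPermission indicesPermission,
        ApplicationPermission applicationPermission,
        RunAsPermission runAsPermission,
        RemoteIndicesPermission remoteIndicesPermission
    ) {
        this.names = strArr;
        this.cluster = Objects.requireNonNull(clusterPermission);
        this.indices = Objects.requireNonNull(indicesPermission);
        this.application = Objects.requireNonNull(applicationPermission);
        this.runAs = Objects.requireNonNull(runAsPermission);
        this.remoteIndices = Objects.requireNonNull(remoteIndicesPermission);
    }

    /**
     * Returns the role names.
     *
     * <p>This is the internal array, not a copy: a caller that writes to it changes the names
     * this role reports and the result of {@link #equals(Object)} / {@link #hashCode()}.
     * Callers must treat it as read-only.
     */
    @Override
    public String[] names() {
        return this.names;
    }

    /** Returns the cluster permission this role was built with. */
    @Override
    public ClusterPermission cluster() {
        return this.cluster;
    }

    /** Returns the indices permission this role was built with. */
    @Override
    public IndicesPermission indices() {
        return this.indices;
    }

    /** Returns the application permission this role was built with. */
    @Override
    public ApplicationPermission application() {
        return this.application;
    }

    /** Returns the run-as permission this role was built with. */
    @Override
    public RunAsPermission runAs() {
        return this.runAs;
    }

    /** Returns the remote indices permission this role was built with. */
    @Override
    public RemoteIndicesPermission remoteIndices() {
        return this.remoteIndices;
    }

    /** Delegates to {@link IndicesPermission#hasFieldOrDocumentLevelSecurity()}. */
    @Override
    public boolean hasFieldOrDocumentLevelSecurity() {
        return this.indices.hasFieldOrDocumentLevelSecurity();
    }

    /** Delegates to {@code indices.allowedIndicesMatcher(str)}. */
    @Override
    public IndicesPermission.IsResourceAuthorizedPredicate allowedIndicesMatcher(String str) {
        return this.indices.allowedIndicesMatcher(str);
    }

    /** Delegates to {@code indices.allowedActionsMatcher(str)}. */
    @Override
    public Automaton allowedActionsMatcher(String str) {
        return this.indices.allowedActionsMatcher(str);
    }

    /** Delegates to {@code runAs.check(str)}. */
    @Override
    public boolean checkRunAs(String str) {
        return this.runAs.check(str);
    }

    /** Delegates to {@code indices.check(str)}. */
    @Override
    public boolean checkIndicesAction(String str) {
        return this.indices.check(str);
    }

    /** Delegates to {@code indices.checkResourcePrivileges(...)} with the arguments unchanged. */
    @Override
    public boolean checkIndicesPrivileges(Set<String> set, boolean z, Set<String> set2, @Nullable ResourcePrivilegesMap.Builder builder) {
        return this.indices.checkResourcePrivileges(set, z, set2, builder);
    }

    /** Delegates to {@code cluster.check(...)} with the arguments unchanged. */
    @Override
    public boolean checkClusterAction(String str, TransportRequest transportRequest, Authentication authentication) {
        return this.cluster.check(str, transportRequest, authentication);
    }

    /**
     * Returns whether this role's cluster permission implies the permission built from the
     * given cluster privilege alone.
     */
    @Override
    public boolean grants(ClusterPrivilege clusterPrivilege) {
        final ClusterPermission required = clusterPrivilege.buildPermission(ClusterPermission.builder()).build();
        return this.cluster.implies(required);
    }

    /** Delegates to {@code application.checkResourcePrivileges(...)} with the arguments unchanged. */
    @Override
    public boolean checkApplicationResourcePrivileges(
        String str,
        Set<String> set,
        Set<String> set2,
        Collection<ApplicationPrivilegeDescriptor> collection,
        @Nullable ResourcePrivilegesMap.Builder builder
    ) {
        return this.application.checkResourcePrivileges(str, set, set2, collection, builder);
    }

    /** Delegates to {@code indices.authorize(...)} with the arguments unchanged. */
    @Override
    public IndicesAccessControl authorize(
        String str,
        Set<String> set,
        Map<String, IndexAbstraction> map,
        FieldPermissionsCache fieldPermissionsCache
    ) {
        return this.indices.authorize(str, set, map, fieldPermissionsCache);
    }

    /**
     * Translates the remote indices permission that applies to the given cluster into a role
     * descriptor intersection.
     *
     * @param str passed to {@code remoteIndices.forCluster(...)}; presumably the remote cluster
     *     alias (confirm against the caller)
     * @return {@link RoleDescriptorsIntersection#EMPTY} when no remote indices group applies,
     *     otherwise an intersection holding a single descriptor named
     *     {@link Role#REMOTE_USER_ROLE_NAME} whose index privileges are sorted
     */
    @Override
    public RoleDescriptorsIntersection getRoleDescriptorsIntersectionForRemoteCluster(String str) {
        final RemoteIndicesPermission permission = this.remoteIndices.forCluster(str);
        if (permission.remoteIndicesGroups().isEmpty()) {
            return RoleDescriptorsIntersection.EMPTY;
        }
        final List<RoleDescriptor.IndicesPrivileges> privileges = new ArrayList<>();
        for (RemoteIndicesPermission.RemoteIndicesGroup remoteGroup : permission.remoteIndicesGroups()) {
            for (IndicesPermission.Group group : remoteGroup.indicesPermissionGroups()) {
                privileges.add(toIndicesPrivileges(group));
            }
        }
        // Sorted so the resulting descriptor does not depend on group iteration order.
        final RoleDescriptor.IndicesPrivileges[] sorted = privileges.stream().sorted().toArray(RoleDescriptor.IndicesPrivileges[]::new);
        return new RoleDescriptorsIntersection(
            new RoleDescriptor(Role.REMOTE_USER_ROLE_NAME, null, sorted, null, null, null, null, null)
        );
    }

    /**
     * Returns the field grant/exclude groups of the group's single field permissions
     * definition, or an empty set when the group has no field level security.
     *
     * <p>The "exactly one definition" invariant is checked only when assertions are enabled;
     * with assertions disabled the first definition is used and any others are ignored.
     */
    private static Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> getFieldGrantExcludeGroups(IndicesPermission.Group group) {
        if (!group.getFieldPermissions().hasFieldLevelSecurity()) {
            return Collections.emptySet();
        }
        final List<FieldPermissionsDefinition> definitions = group.getFieldPermissions().getFieldPermissionsDefinitions();
        assert definitions.size() == 1
            : "a simple role can only have up to one field permissions definition per remote indices privilege";
        return definitions.get(0).getFieldGrantExcludeGroups();
    }

    /**
     * Converts an indices permission group into {@link RoleDescriptor.IndicesPrivileges}, with
     * index names and privilege names sorted.
     *
     * <p>At most one DLS query and one FLS grant/exclude group are carried over. Both limits
     * are checked only when assertions are enabled; with assertions disabled, extra queries or
     * groups are dropped without an error, so the result would not reflect the full group.
     */
    private static RoleDescriptor.IndicesPrivileges toIndicesPrivileges(IndicesPermission.Group group) {
        final Set<BytesReference> queries = group.getQuery();
        final Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> fieldGroups = getFieldGrantExcludeGroups(group);
        assert queries == null || queries.size() <= 1
            : "translation from an indices permission group to indices privileges supports up to one DLS query but multiple queries found";
        assert fieldGroups.size() <= 1
            : "translation from an indices permission group to indices privileges supports up to one FLS field-grant-exclude group but multiple groups found";

        final List<String> indexNames = Arrays.stream(group.indices()).sorted().collect(Collectors.toList());
        final List<String> privilegeNames = group.privilege().name().stream().sorted().collect(Collectors.toList());
        final BytesReference query = (queries == null || queries.isEmpty()) ? null : queries.iterator().next();

        final RoleDescriptor.IndicesPrivileges.Builder builder = RoleDescriptor.IndicesPrivileges.builder()
            .indices(indexNames)
            .privileges(privilegeNames)
            .allowRestrictedIndices(group.allowRestrictedIndices())
            .query(query);
        if (!fieldGroups.isEmpty()) {
            final FieldPermissionsDefinition.FieldGrantExcludeGroup fieldGroup = fieldGroups.iterator().next();
            builder.grantedFields(fieldGroup.getGrantedFields()).deniedFields(fieldGroup.getExcludedFields());
        }
        return builder.build();
    }

    /**
     * Two simple roles are equal when their names and all five permission objects are equal.
     *
     * <p>{@code remoteIndices} is part of the comparison: leaving it out would make two roles
     * that differ only in their remote-cluster index privileges compare equal, which is unsafe
     * for any caller that keys on or de-duplicates by role equality.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final SimpleRole that = (SimpleRole) obj;
        return Arrays.equals(this.names, that.names)
            && this.cluster.equals(that.cluster)
            && this.indices.equals(that.indices)
            && this.application.equals(that.application)
            && this.runAs.equals(that.runAs)
            && this.remoteIndices.equals(that.remoteIndices);
    }

    /** Hash over the same fields that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        final int permissionsHash = Objects.hash(this.cluster, this.indices, this.application, this.runAs, this.remoteIndices);
        return 31 * permissionsHash + Arrays.hashCode(this.names);
    }

    /**
     * Stores a "has privileges" result for this role unless one is already cached for the same
     * key. The cache is created on the first call, using {@link #CACHE_SIZE_SETTING} from the
     * given settings as its maximum weight when that value is non-negative.
     *
     * <p>The cache key is {@code privilegesToCheck} alone, so callers must only store results
     * that were computed against this role.
     *
     * @throws ExecutionException declared by the underlying {@code computeIfAbsent} call
     */
    public void cacheHasPrivileges(
        Settings settings,
        AuthorizationEngine.PrivilegesToCheck privilegesToCheck,
        AuthorizationEngine.PrivilegesCheckResult privilegesCheckResult
    ) throws ExecutionException {
        Cache<AuthorizationEngine.PrivilegesToCheck, AuthorizationEngine.PrivilegesCheckResult> cache = this.hasPrivilegesCacheReference.get();
        if (cache == null) {
            final CacheBuilder<AuthorizationEngine.PrivilegesToCheck, AuthorizationEngine.PrivilegesCheckResult> cacheBuilder =
                CacheBuilder.builder();
            final int cacheSize = CACHE_SIZE_SETTING.get(settings);
            if (cacheSize >= 0) {
                cacheBuilder.setMaximumWeight(cacheSize);
            }
            // If another thread installed a cache first, compareAndSet fails and the re-read
            // below picks up that thread's cache, so all callers share one instance.
            this.hasPrivilegesCacheReference.compareAndSet(null, cacheBuilder.build());
            cache = this.hasPrivilegesCacheReference.get();
        }
        cache.computeIfAbsent(privilegesToCheck, ignored -> privilegesCheckResult);
    }

    /**
     * Looks up a previously cached "has privileges" result.
     *
     * @return the cached result, or {@code null} when the cache has not been created yet or
     *     holds no entry for the key
     */
    public AuthorizationEngine.PrivilegesCheckResult checkPrivilegesWithCache(AuthorizationEngine.PrivilegesToCheck privilegesToCheck) {
        final Cache<AuthorizationEngine.PrivilegesToCheck, AuthorizationEngine.PrivilegesCheckResult> cache =
            this.hasPrivilegesCacheReference.get();
        return cache == null ? null : cache.get(privilegesToCheck);
    }

    /** Returns the current cache, or {@code null} if none has been created yet. */
    Cache<AuthorizationEngine.PrivilegesToCheck, AuthorizationEngine.PrivilegesCheckResult> getHasPrivilegesCache() {
        return this.hasPrivilegesCacheReference.get();
    }
}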
