package org.elasticsearch.xpack.core.security.authz.support;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.common.ParsingException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.query.AbstractQueryBuilder;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.BoostingQueryBuilder;
import org.elasticsearch.index.query.ConstantScoreQueryBuilder;
import org.elasticsearch.index.query.GeoShapeQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.index.query.functionscore.FunctionScoreQueryBuilder;
import org.elasticsearch.script.Script;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.script.ScriptType;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentParseException;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/support/DLSRoleQueryValidator.class */
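/**
 * Static helpers that parse and validate the {@code query} field of a role's index privileges.
 *
 * <p>Validation has two parts: the query must parse as a query DSL object, and the parsed query
 * must not contain any of the query types rejected by {@link #verifyRoleQuery(QueryBuilder)}.
 */
public final class DLSRoleQueryValidator {
    private DLSRoleQueryValidator() {
        // Static utility class; never instantiated.
    }

    /**
     * Validates the {@code query} of each entry in {@code indicesPrivilegesArr}.
     *
     * <p>Entries without a query are skipped. Queries whose first field is {@code template} are
     * also skipped: this method has no {@link User} or {@link ScriptService}, so a template cannot
     * be evaluated here and is neither parsed as a query nor checked by {@code verifyRoleQuery}.
     * NOTE(review): callers that rely on this method as the only check should confirm that
     * template queries are verified after evaluation, e.g. through the four-argument
     * {@code evaluateAndVerifyRoleQuery}.
     *
     * @param indicesPrivilegesArr index privileges to check; {@code null} is accepted and ignored
     * @param namedXContentRegistry registry used to create the parsers
     * @throws ElasticsearchParseException if a non-template query cannot be parsed or contains an
     *     unsupported query type; the message names the affected indices and the array position
     */
    public static void validateQueryField(RoleDescriptor.IndicesPrivileges[] indicesPrivilegesArr, NamedXContentRegistry namedXContentRegistry) {
        if (indicesPrivilegesArr == null) {
            return;
        }
        for (int i = 0; i < indicesPrivilegesArr.length; i++) {
            BytesReference query = indicesPrivilegesArr[i].getQuery();
            if (query == null) {
                continue;
            }
            try {
                if (!isTemplateQuery(query, namedXContentRegistry)) {
                    evaluateAndVerifyRoleQuery(query.utf8ToString(), namedXContentRegistry);
                }
            } catch (ParsingException | IOException | IllegalArgumentException e) {
                throw new ElasticsearchParseException("failed to parse field 'query' for indices [" + Strings.arrayToCommaDelimitedString(indicesPrivilegesArr[i].getIndices()) + "] at index privilege [" + i + "] of role descriptor", e);
            }
        }
    }

    /**
     * Reports whether the JSON in {@code bytesReference} is an object whose first field is
     * {@code template}. The parser is closed before returning.
     */
    private static boolean isTemplateQuery(BytesReference bytesReference, NamedXContentRegistry namedXContentRegistry) throws IOException {
        try (XContentParser parser = XContentType.JSON.xContent().createParser(namedXContentRegistry, LoggingDeprecationHandler.INSTANCE, bytesReference.utf8ToString())) {
            return isTemplateQuery(parser);
        }
    }

    /**
     * Consumes the first two tokens of {@code xContentParser} and reports whether the first field
     * name is {@code template}. The parser is left positioned on that field name.
     *
     * @throws XContentParseException if the content does not start with an object followed by a
     *     field name
     */
    private static boolean isTemplateQuery(XContentParser xContentParser) throws IOException {
        XContentParser.Token first = xContentParser.nextToken();
        if (first != XContentParser.Token.START_OBJECT) {
            throw new XContentParseException(xContentParser.getTokenLocation(), "expected [" + XContentParser.Token.START_OBJECT + "] but found [" + first + "] instead");
        }
        XContentParser.Token second = xContentParser.nextToken();
        if (second != XContentParser.Token.FIELD_NAME) {
            throw new XContentParseException(xContentParser.getTokenLocation(), "expected [" + XContentParser.Token.FIELD_NAME + "] with value a query name or 'template' but found [" + second + "] instead");
        }
        return "template".equals(xContentParser.currentName());
    }

    /**
     * Reports whether the role query is a template whose script has type {@link ScriptType#STORED}.
     *
     * @param bytesReference the role query as JSON
     * @param namedXContentRegistry registry used to create the parser
     * @return {@code false} when the query is not a template query; otherwise whether the parsed
     *     script is a stored script
     * @throws XContentParseException if the value of the {@code template} field is not an object
     * @throws IOException if reading the content fails
     */
    public static boolean hasStoredScript(BytesReference bytesReference, NamedXContentRegistry namedXContentRegistry) throws IOException {
        try (XContentParser parser = XContentType.JSON.xContent().createParser(namedXContentRegistry, LoggingDeprecationHandler.INSTANCE, bytesReference.utf8ToString())) {
            if (!isTemplateQuery(parser)) {
                return false;
            }
            if (parser.nextToken() != XContentParser.Token.START_OBJECT) {
                throw new XContentParseException(parser.getTokenLocation(), "expected [" + XContentParser.Token.START_OBJECT + "] but found [" + parser.currentToken() + "] instead");
            }
            return ScriptType.STORED == Script.parse(parser).getType();
        }
    }

    /**
     * Evaluates the role query as a template for {@code user}, then parses and verifies the result.
     *
     * <p>Only parse failures are wrapped. An {@link IllegalArgumentException} raised by
     * {@link #verifyRoleQuery(QueryBuilder)} for an unsupported query type is not in the catch list
     * below and reaches the caller as thrown.
     *
     * @param bytesReference the role query, or {@code null}
     * @param scriptService passed to {@code SecurityQueryTemplateEvaluator.evaluateTemplate}
     * @param namedXContentRegistry registry used to create the parser
     * @param user passed to {@code SecurityQueryTemplateEvaluator.evaluateTemplate}
     * @return the verified query, or {@code null} when {@code bytesReference} is {@code null}
     * @throws ElasticsearchParseException if evaluation or parsing fails
     */
    @Nullable
    public static QueryBuilder evaluateAndVerifyRoleQuery(BytesReference bytesReference, ScriptService scriptService, NamedXContentRegistry namedXContentRegistry, User user) {
        if (bytesReference == null) {
            return null;
        }
        try {
            String evaluated = SecurityQueryTemplateEvaluator.evaluateTemplate(bytesReference.utf8ToString(), scriptService, user);
            return evaluateAndVerifyRoleQuery(evaluated, namedXContentRegistry);
        } catch (ElasticsearchParseException | ParsingException | XContentParseException | IOException e) {
            throw new ElasticsearchParseException("failed to parse field 'query' from the role descriptor", e);
        }
    }

    /**
     * Parses {@code str} as a query and verifies it with {@link #verifyRoleQuery(QueryBuilder)}.
     * No template evaluation happens in this overload.
     *
     * @param str the query source, or {@code null}
     * @param namedXContentRegistry registry used to create the parser
     * @return the verified query, or {@code null} when {@code str} is {@code null}
     * @throws IOException if reading the content fails
     * @throws IllegalArgumentException if the query contains an unsupported query type
     */
    @Nullable
    public static QueryBuilder evaluateAndVerifyRoleQuery(String str, NamedXContentRegistry namedXContentRegistry) throws IOException {
        if (str == null) {
            return null;
        }
        try (XContentParser parser = XContentFactory.xContent(str).createParser(namedXContentRegistry, LoggingDeprecationHandler.INSTANCE, str)) {
            QueryBuilder parsed = AbstractQueryBuilder.parseInnerQueryBuilder(parser);
            verifyRoleQuery(parsed);
            return parsed;
        }
    }

    /**
     * Rejects query types that are not allowed in a role query.
     *
     * <p>Rejected: a terms query that uses a terms lookup, a geoshape query without an inline
     * shape, and the {@code percolate}, {@code has_child} and {@code has_parent} queries. The
     * check descends into the clauses of bool, constant_score, function_score and boosting
     * queries.
     *
     * <p>NOTE(review): no other query type that wraps inner queries is descended into here, so a
     * rejected query nested inside one would not be seen by this method. Confirm whether those
     * wrappers need to be covered or are handled elsewhere.
     *
     * @param queryBuilder the parsed query to check
     * @throws IllegalArgumentException if an unsupported query type is found
     */
    static void verifyRoleQuery(QueryBuilder queryBuilder) {
        if (queryBuilder instanceof TermsQueryBuilder) {
            if (((TermsQueryBuilder) queryBuilder).termsLookup() != null) {
                throw new IllegalArgumentException("terms query with terms lookup isn't supported as part of a role query");
            }
            return;
        }
        if (queryBuilder instanceof GeoShapeQueryBuilder) {
            if (((GeoShapeQueryBuilder) queryBuilder).shape() == null) {
                throw new IllegalArgumentException("geoshape query referring to indexed shapes isn't supported as part of a role query");
            }
            return;
        }
        // These three are matched by query name rather than by builder class.
        if (queryBuilder.getName().equals("percolate")) {
            throw new IllegalArgumentException("percolate query isn't supported as part of a role query");
        }
        if (queryBuilder.getName().equals("has_child")) {
            throw new IllegalArgumentException("has_child query isn't supported as part of a role query");
        }
        if (queryBuilder.getName().equals("has_parent")) {
            throw new IllegalArgumentException("has_parent query isn't supported as part of a role query");
        }
        if (queryBuilder instanceof BoolQueryBuilder) {
            BoolQueryBuilder boolQuery = (BoolQueryBuilder) queryBuilder;
            // Every clause list is checked, in the order filter, must, must_not, should.
            ArrayList<QueryBuilder> clauses = new ArrayList<>();
            clauses.addAll(boolQuery.filter());
            clauses.addAll(boolQuery.must());
            clauses.addAll(boolQuery.mustNot());
            clauses.addAll(boolQuery.should());
            for (QueryBuilder clause : clauses) {
                verifyRoleQuery(clause);
            }
            return;
        }
        if (queryBuilder instanceof ConstantScoreQueryBuilder) {
            verifyRoleQuery(((ConstantScoreQueryBuilder) queryBuilder).innerQuery());
            return;
        }
        if (queryBuilder instanceof FunctionScoreQueryBuilder) {
            verifyRoleQuery(((FunctionScoreQueryBuilder) queryBuilder).query());
        } else if (queryBuilder instanceof BoostingQueryBuilder) {
            BoostingQueryBuilder boosting = (BoostingQueryBuilder) queryBuilder;
            verifyRoleQuery(boosting.negativeQuery());
            verifyRoleQuery(boosting.positiveQuery());
        }
    }
}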
