package org.elasticsearch.xpack.core.security.authz.permission;

import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.function.Function;
import java.util.stream.Stream;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.join.ToChildBlockJoinQuery;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.lucene.search.Queries;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.mapper.NestedLookup;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.Rewriteable;
import org.elasticsearch.index.query.SearchExecutionContext;
import org.elasticsearch.index.search.NestedHelper;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.core.security.authz.support.SecurityQueryTemplateEvaluator;
import org.elasticsearch.xpack.core.security.support.CacheKey;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissions.class */
public final class DocumentPermissions implements CacheKey {

    @Nullable
    private final List<Set<BytesReference>> listOfQueries;

    @Nullable
    private List<List<String>> listOfEvaluatedQueries;
    private static final DocumentPermissions ALLOW_ALL;
    static final /* synthetic */ boolean $assertionsDisabled;

    private DocumentPermissions() {
        this.listOfQueries = null;
    }

    private DocumentPermissions(Set<BytesReference> set) {
        if (!$assertionsDisabled && (set == null || false != set.isEmpty())) {
            throw new AssertionError("null or empty queries not permitted");
        }
        this.listOfQueries = List.of(new TreeSet(set));
    }

    private DocumentPermissions(List<Set<BytesReference>> list) {
        if (!$assertionsDisabled && (list == null || false != list.isEmpty())) {
            throw new AssertionError("null or empty list of queries not permitted");
        }
        if (!$assertionsDisabled && !list.stream().allMatch(set -> {
            return set != null && false == set.isEmpty();
        })) {
            throw new AssertionError("null or empty queries not permitted");
        }
        this.listOfQueries = list.stream().map(set2 -> {
            return set2 instanceof SortedSet ? set2 : new TreeSet(set2);
        }).toList();
    }

    public List<Set<BytesReference>> getListOfQueries() {
        return this.listOfQueries;
    }

    public Set<BytesReference> getSingleSetOfQueries() {
        if ($assertionsDisabled || (this.listOfQueries != null && this.listOfQueries.size() == 1)) {
            return this.listOfQueries.get(0);
        }
        throw new AssertionError("the list of queries does not have a single member");
    }

    public boolean hasDocumentLevelPermissions() {
        return this.listOfQueries != null;
    }

    public boolean hasStoredScript() throws IOException {
        if (this.listOfQueries == null) {
            return false;
        }
        Iterator<Set<BytesReference>> it = this.listOfQueries.iterator();
        while (it.hasNext()) {
            Iterator<BytesReference> it2 = it.next().iterator();
            while (it2.hasNext()) {
                if (DLSRoleQueryValidator.hasStoredScript(it2.next(), NamedXContentRegistry.EMPTY)) {
                    return true;
                }
            }
        }
        return false;
    }

    public BooleanQuery filter(User user, ScriptService scriptService, ShardId shardId, Function<ShardId, SearchExecutionContext> function) throws IOException {
        if (!hasDocumentLevelPermissions()) {
            return null;
        }
        evaluateQueries(SecurityQueryTemplateEvaluator.wrap(user, scriptService));
        if (!$assertionsDisabled && this.listOfEvaluatedQueries == null) {
            throw new AssertionError("evaluated queries must not be null");
        }
        if (!$assertionsDisabled && false != this.listOfEvaluatedQueries.isEmpty()) {
            throw new AssertionError("evaluated queries must not be empty");
        }
        BooleanQuery.Builder builder = new BooleanQuery.Builder();
        for (int size = this.listOfEvaluatedQueries.size() - 1; size > 0; size--) {
            BooleanQuery.Builder builder2 = new BooleanQuery.Builder();
            buildRoleQuery(shardId, function, this.listOfEvaluatedQueries.get(size), builder2);
            builder.add(builder2.build(), BooleanClause.Occur.FILTER);
        }
        buildRoleQuery(shardId, function, this.listOfEvaluatedQueries.get(0), builder);
        return builder.build();
    }

    private void evaluateQueries(SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext dlsQueryEvaluationContext) {
        if (this.listOfQueries == null || this.listOfEvaluatedQueries != null) {
            return;
        }
        this.listOfEvaluatedQueries = this.listOfQueries.stream().map(set -> {
            Stream stream = set.stream();
            Objects.requireNonNull(dlsQueryEvaluationContext);
            return stream.map(dlsQueryEvaluationContext::evaluate).toList();
        }).toList();
    }

    private static void buildRoleQuery(ShardId shardId, Function<ShardId, SearchExecutionContext> function, List<String> list, BooleanQuery.Builder builder) throws IOException {
        for (String str : list) {
            SearchExecutionContext apply = function.apply(shardId);
            QueryBuilder evaluateAndVerifyRoleQuery = DLSRoleQueryValidator.evaluateAndVerifyRoleQuery(str, apply.getParserConfig().registry());
            if (evaluateAndVerifyRoleQuery != null) {
                failIfQueryUsesClient(evaluateAndVerifyRoleQuery, apply);
                Query query = apply.toQuery(evaluateAndVerifyRoleQuery).query();
                NestedLookup nestedLookup = apply.nestedLookup();
                if (nestedLookup == NestedLookup.EMPTY) {
                    builder.add(query, BooleanClause.Occur.SHOULD);
                } else {
                    Objects.requireNonNull(apply);
                    if (new NestedHelper(nestedLookup, apply::isFieldMapped).mightMatchNestedDocs(query)) {
                        query = new BooleanQuery.Builder().add(query, BooleanClause.Occur.FILTER).add(Queries.newNonNestedFilter(apply.indexVersionCreated()), BooleanClause.Occur.FILTER).build();
                    }
                    builder.add(query, BooleanClause.Occur.SHOULD);
                    builder.add(new ToChildBlockJoinQuery(query, apply.bitsetFilter(Queries.newNonNestedFilter(apply.indexVersionCreated()))), BooleanClause.Occur.SHOULD);
                }
            }
        }
        builder.setMinimumNumberShouldMatch(1);
    }

    static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext queryRewriteContext) throws IOException {
        XContentParserConfiguration parserConfig = queryRewriteContext.getParserConfig();
        Objects.requireNonNull(queryRewriteContext);
        QueryRewriteContext queryRewriteContext2 = new QueryRewriteContext(parserConfig, (Client) null, queryRewriteContext::nowInMillis);
        Rewriteable.rewrite(queryBuilder, queryRewriteContext2);
        if (queryRewriteContext2.hasAsyncActions()) {
            throw new IllegalStateException("role queries are not allowed to execute additional requests");
        }
    }

    public static DocumentPermissions filteredBy(Set<BytesReference> set) {
        return new DocumentPermissions(set);
    }

    public static DocumentPermissions allowAll() {
        return ALLOW_ALL;
    }

    public DocumentPermissions limitDocumentPermissions(DocumentPermissions documentPermissions) {
        return (hasDocumentLevelPermissions() && documentPermissions.hasDocumentLevelPermissions()) ? new DocumentPermissions((List<Set<BytesReference>>) Stream.concat(getListOfQueries().stream(), documentPermissions.getListOfQueries().stream()).toList()) : hasDocumentLevelPermissions() ? new DocumentPermissions(getListOfQueries()) : documentPermissions.hasDocumentLevelPermissions() ? new DocumentPermissions(documentPermissions.getListOfQueries()) : allowAll();
    }

    public String toString() {
        return "DocumentPermissions [listOfQueries=" + String.valueOf(this.listOfQueries) + "]";
    }

    @Override // org.elasticsearch.xpack.core.security.support.CacheKey
    public void buildCacheKey(StreamOutput streamOutput, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext dlsQueryEvaluationContext) throws IOException {
        if (!$assertionsDisabled && !hasDocumentLevelPermissions()) {
            throw new AssertionError("document permissions should not contribute to cache key when there is no DLS query");
        }
        evaluateQueries(dlsQueryEvaluationContext);
        streamOutput.writeCollection(this.listOfEvaluatedQueries, (v0, v1) -> {
            v0.writeStringCollection(v1);
        });
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        return Objects.equals(this.listOfQueries, ((DocumentPermissions) obj).listOfQueries);
    }

    public int hashCode() {
        return Objects.hash(this.listOfQueries);
    }

    static {
        $assertionsDisabled = !DocumentPermissions.class.desiredAssertionStatus();
        ALLOW_ALL = new DocumentPermissions();
    }
}
