package org.elasticsearch.xpack.core.security.authz.permission;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.apache.lucene.util.automaton.TooComplexToDeterminizeException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.xpack.core.ml.process.writer.RecordWriter;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.index.RestrictedIndicesNames;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.class */
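/**
 * Index-level part of a role: an ordered array of {@link Group}s, each of which pairs an
 * {@link IndexPrivilege} with a set of index-name patterns, field permissions and optional
 * document-level queries.
 *
 * <p>This listing is decompiler output. Generic type arguments, {@code assert} statements and
 * captured lambda receivers that the decompiler lost have been restored below; the decision logic
 * itself is unchanged. Members marked "Access modifiers changed from: private" were widened by the
 * decompiler and are kept public here so that the listing's signatures stay as they are.
 */
public final class IndicesPermission {
    private static final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(IndicesPermission.class);
    public static final IndicesPermission NONE = new IndicesPermission(new Group[0]);

    /**
     * Privilege names that, for backwards compatibility, still imply permission to run the mapping
     * update actions (see {@link #isMappingUpdateAction(String)}) even though their own action
     * matcher does not cover them.
     */
    private static final Set<String> PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE =
        Collections.unmodifiableSet(new HashSet<>(Arrays.asList("create", "create_doc", "index", "write")));

    // Per-action cache of the predicate built by Group.buildIndexMatcherPredicateForAction.
    // No eviction is visible in this class; the key is the action name passed by the caller.
    private final Map<String, Predicate<IndexAbstraction>> allowedIndicesMatchersForAction = new ConcurrentHashMap<>();
    private final Group[] groups;

    /**
     * Accumulates the document-level-security queries that apply to one index while
     * {@link IndicesPermission#authorize} walks the groups.
     *
     * <p>Once {@code allowAll} is set, the collected queries are ignored by {@code authorize}: a
     * single matching group without a query disables document-level filtering for that index.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$DocumentLevelPermissions.class */
    public static class DocumentLevelPermissions {
        private Set<BytesReference> queries;
        private boolean allowAll;

        private DocumentLevelPermissions() {
            this.queries = null;
            this.allowAll = false;
        }

        /**
         * Adds the given queries unless this instance is already in allow-all mode, in which case
         * the call is a no-op.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public void addAll(Set<BytesReference> query) {
            if (this.allowAll) {
                return;
            }
            if (this.queries == null) {
                this.queries = new HashSet<>();
            }
            this.queries.addAll(query);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean isAllowAll() {
            return this.allowAll;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void setAllowAll(boolean allowAll) {
            this.allowAll = allowAll;
        }
    }

    /**
     * One grant inside an {@link IndicesPermission}: a privilege, the index patterns it applies to,
     * field permissions, optional document queries and a flag that controls whether the patterns
     * may match restricted indices.
     */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission$Group.class */
    public static class Group {
        private final IndexPrivilege privilege;
        private final Predicate<String> actionMatcher;
        private final String[] indices;
        private final Predicate<String> indexNameMatcher;
        private final FieldPermissions fieldPermissions;
        private final Set<BytesReference> query;
        private final boolean allowRestrictedIndices;

        /**
         * @param privilege              privilege whose predicate decides which actions this group grants
         * @param fieldPermissions       field-level permissions; must not be {@code null}
         * @param query                  document-level queries, or {@code null} for no document filtering
         * @param allowRestrictedIndices whether the patterns may match restricted index names
         * @param indices                index names or patterns; asserted to be non-empty
         * @throws NullPointerException if {@code fieldPermissions} is {@code null}
         */
        public Group(
            IndexPrivilege privilege,
            FieldPermissions fieldPermissions,
            @Nullable Set<BytesReference> query,
            boolean allowRestrictedIndices,
            String... indices
        ) {
            // Only enforced when assertions are enabled; production callers must not rely on it.
            assert indices.length != 0;
            this.privilege = privilege;
            this.actionMatcher = privilege.predicate();
            this.indices = indices;
            // The name matcher is built once, from the patterns as they are at construction time.
            this.indexNameMatcher = IndicesPermission.indexMatcher(Arrays.asList(indices));
            this.fieldPermissions = Objects.requireNonNull(fieldPermissions);
            this.query = query;
            this.allowRestrictedIndices = allowRestrictedIndices;
        }

        public IndexPrivilege privilege() {
            return this.privilege;
        }

        /**
         * Returns the pattern array held by this group.
         *
         * <p>NOTE(review): this is the internal array, not a copy. {@code indexNameMatcher} was
         * derived from it in the constructor, while {@link #buildIndexMatcherAutomaton} and
         * {@link #buildIndexMatcherPredicateForAction} read it again later, so a caller that
         * mutates the array would make those views disagree. Treat it as read-only.
         */
        public String[] indices() {
            return this.indices;
        }

        @Nullable
        public Set<BytesReference> getQuery() {
            return this.query;
        }

        public FieldPermissions getFieldPermissions() {
            return this.fieldPermissions;
        }

        /** Returns whether this group's privilege predicate accepts the given action name. */
        /* JADX INFO: Access modifiers changed from: private */
        public boolean checkAction(String action) {
            return this.actionMatcher.test(action);
        }

        /**
         * Returns whether this group applies to the given index name: the name must match one of
         * the group's patterns and, unless the group allows restricted indices, must not be a
         * restricted index name.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public boolean checkIndex(String index) {
            assert index != null;
            return this.indexNameMatcher.test(index)
                && (this.allowRestrictedIndices || false == RestrictedIndicesNames.isRestricted(index));
        }

        boolean hasQuery() {
            return this.query != null;
        }

        public boolean allowRestrictedIndices() {
            return this.allowRestrictedIndices;
        }

        /**
         * Builds the automaton for the given patterns, with the restricted index names subtracted
         * unless {@code allowRestrictedIndices} is {@code true}.
         */
        public static Automaton buildIndexMatcherAutomaton(boolean allowRestrictedIndices, String... indices) {
            final Automaton indicesAutomaton = Automatons.patterns(indices);
            if (allowRestrictedIndices) {
                return indicesAutomaton;
            }
            return Automatons.minusAndMinimize(indicesAutomaton, RestrictedIndicesNames.NAMES_AUTOMATON);
        }

        /**
         * Builds the predicate that tells whether {@code action} is granted on a given index
         * abstraction by any of {@code groups}.
         *
         * <p>Patterns are collected into four buckets: granted directly by the action matcher or
         * only through the backwards-compatible mapping-update rule, each split by whether the
         * owning group allows restricted indices. The backwards-compatible bucket never applies
         * to data streams or to indices that have a parent data stream.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public static Predicate<IndexAbstraction> buildIndexMatcherPredicateForAction(String action, Group... groups) {
            final Set<String> ordinaryIndices = new HashSet<>();
            final Set<String> restrictedIndices = new HashSet<>();
            final Set<String> bwcMappingUpdateIndices = new HashSet<>();
            final Set<String> bwcMappingUpdateRestrictedIndices = new HashSet<>();
            final boolean isMappingUpdateAction = IndicesPermission.isMappingUpdateAction(action);
            for (Group group : groups) {
                if (group.actionMatcher.test(action)) {
                    if (group.allowRestrictedIndices) {
                        restrictedIndices.addAll(Arrays.asList(group.indices()));
                    } else {
                        ordinaryIndices.addAll(Arrays.asList(group.indices()));
                    }
                } else if (isMappingUpdateAction && IndicesPermission.containsPrivilegeThatGrantsMappingUpdatesForBwc(group)) {
                    if (group.allowRestrictedIndices) {
                        bwcMappingUpdateRestrictedIndices.addAll(Arrays.asList(group.indices()));
                    } else {
                        bwcMappingUpdateIndices.addAll(Arrays.asList(group.indices()));
                    }
                }
            }
            final Predicate<String> namePredicate = IndicesPermission.indexMatcher(ordinaryIndices, restrictedIndices);
            final Predicate<String> bwcNamePredicate =
                IndicesPermission.indexMatcher(bwcMappingUpdateIndices, bwcMappingUpdateRestrictedIndices);
            return indexAbstraction -> namePredicate.test(indexAbstraction.getName())
                || (indexAbstraction.getType() != IndexAbstraction.Type.DATA_STREAM
                    && indexAbstraction.getParentDataStream() == null
                    && bwcNamePredicate.test(indexAbstraction.getName()));
        }
    }

    /**
     * Creates a permission from the given groups. The array is stored as passed, without copying.
     */
    public IndicesPermission(Group... groups) {
        this.groups = groups;
    }

    /**
     * Combines two pattern collections into one name predicate: names matching
     * {@code ordinaryIndices} are accepted only if they are not restricted index names, while
     * names matching {@code restrictedIndices} are accepted without that extra check.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static Predicate<String> indexMatcher(Collection<String> ordinaryIndices, Collection<String> restrictedIndices) {
        if (ordinaryIndices.isEmpty()) {
            return indexMatcher(restrictedIndices);
        }
        Predicate<String> matcher =
            indexMatcher(ordinaryIndices).and(index -> false == RestrictedIndicesNames.isRestricted(index));
        if (!restrictedIndices.isEmpty()) {
            matcher = indexMatcher(restrictedIndices).or(matcher);
        }
        return matcher;
    }

    /**
     * Builds a name predicate for the given index names and patterns. Entries that start with
     * {@code /} or contain {@code *} or {@code ?} are compiled through {@link Automatons}; all
     * other entries are matched by exact string equality. An empty collection matches nothing.
     *
     * @throws ElasticsearchSecurityException if the pattern automaton is too complex to determinize
     */
    public static Predicate<String> indexMatcher(Collection<String> indices) {
        final Set<String> exactMatch = new HashSet<>();
        final List<String> nonExactMatch = new ArrayList<>();
        for (String indexPattern : indices) {
            if (indexPattern.startsWith("/") || indexPattern.contains("*") || indexPattern.contains("?")) {
                nonExactMatch.add(indexPattern);
            } else {
                exactMatch.add(indexPattern);
            }
        }
        if (exactMatch.isEmpty() && nonExactMatch.isEmpty()) {
            return name -> false;
        }
        if (exactMatch.isEmpty()) {
            return buildAutomataPredicate(nonExactMatch);
        }
        if (nonExactMatch.isEmpty()) {
            return buildExactMatchPredicate(exactMatch);
        }
        return buildExactMatchPredicate(exactMatch).or(buildAutomataPredicate(nonExactMatch));
    }

    /** Returns an equality test for a single name, or a set-membership test otherwise. */
    private static Predicate<String> buildExactMatchPredicate(Set<String> indices) {
        if (indices.size() == 1) {
            final String singleValue = indices.iterator().next();
            // A bound method reference null-checks its receiver when it is created.
            return singleValue::equals;
        }
        return indices::contains;
    }

    /**
     * Compiles the given patterns into a predicate, translating an automaton that is too complex
     * to determinize into an {@link ElasticsearchSecurityException}.
     */
    private static Predicate<String> buildAutomataPredicate(List<String> indices) {
        try {
            return Automatons.predicate(indices);
        } catch (TooComplexToDeterminizeException e) {
            // The debug log receives the full pattern list; only the exception text is truncated.
            LogManager.getLogger(IndicesPermission.class).debug("Index pattern automaton [{}] is too complex", indices);
            String description = Strings.collectionToCommaDelimitedString(indices);
            if (description.length() > 80) {
                // NOTE(review): RecordWriter is an ML class; this looks like the decompiler replacing a
                // string literal (presumably an ellipsis) with a constant of equal value - confirm.
                description = Strings.cleanTruncate(description, 80) + RecordWriter.PRETOKENISED_TOKEN_FIELD;
            }
            throw new ElasticsearchSecurityException(
                "The set of permitted index patterns [{}] is too complex to evaluate",
                e,
                description
            );
        }
    }

    /** Returns the group array held by this permission (the internal array, not a copy). */
    public Group[] groups() {
        return this.groups;
    }

    /**
     * Returns the predicate that tells on which index abstractions {@code action} is granted,
     * building and caching it on first use for that action name.
     */
    public Predicate<IndexAbstraction> allowedIndicesMatcher(String action) {
        return this.allowedIndicesMatchersForAction.computeIfAbsent(
            action,
            key -> Group.buildIndexMatcherPredicateForAction(key, this.groups)
        );
    }

    /**
     * Returns whether at least one group grants {@code action}, either through its privilege or
     * through the backwards-compatible mapping-update rule.
     *
     * <p>This looks at actions only. It does not consult any index name, so a {@code true} result
     * does not mean the action is permitted on a particular index; {@link #authorize} decides that.
     */
    public boolean check(String action) {
        final boolean isMappingUpdateAction = isMappingUpdateAction(action);
        for (Group group : this.groups) {
            if (group.checkAction(action)
                || (isMappingUpdateAction && containsPrivilegeThatGrantsMappingUpdatesForBwc(group))) {
                return true;
            }
        }
        return false;
    }

    /**
     * For every combination of index pattern and privilege name, reports whether this permission
     * grants the privilege on every index the pattern can match.
     *
     * <p>A privilege is reported as granted only when the requested pattern is a subset of a
     * group's patterns and the privilege's automaton is a subset of the union of the privileges of
     * all such groups. Unless {@code allowRestrictedIndices} is set, restricted index names are
     * subtracted from a requested pattern first, except when the request names a concrete
     * restricted index explicitly.
     *
     * @param checkForIndexPatterns  index names or patterns to check
     * @param allowRestrictedIndices whether the requested patterns are meant to cover restricted indices
     * @param checkForPrivileges     index privilege names to check
     */
    public ResourcePrivilegesMap checkResourcePrivileges(
        Set<String> checkForIndexPatterns,
        boolean allowRestrictedIndices,
        Set<String> checkForPrivileges
    ) {
        final ResourcePrivilegesMap.Builder resourcePrivilegesMapBuilder = ResourcePrivilegesMap.builder();
        // Group has no visible equals/hashCode override, so this cache is keyed by instance.
        final Map<Group, Automaton> groupAutomatonCache = new HashMap<>();
        for (String forIndexPattern : checkForIndexPatterns) {
            Automaton checkIndexAutomaton = Automatons.patterns(forIndexPattern);
            if (false == allowRestrictedIndices && false == isConcreteRestrictedIndex(forIndexPattern)) {
                checkIndexAutomaton = Automatons.minusAndMinimize(checkIndexAutomaton, RestrictedIndicesNames.NAMES_AUTOMATON);
            }
            if (false == Operations.isEmpty(checkIndexAutomaton)) {
                Automaton allowedIndexPrivilegesAutomaton = null;
                for (Group group : this.groups) {
                    final Automaton groupIndexAutomaton = groupAutomatonCache.computeIfAbsent(
                        group,
                        g -> Group.buildIndexMatcherAutomaton(g.allowRestrictedIndices(), g.indices())
                    );
                    if (Operations.subsetOf(checkIndexAutomaton, groupIndexAutomaton)) {
                        if (allowedIndexPrivilegesAutomaton != null) {
                            allowedIndexPrivilegesAutomaton = Automatons.unionAndMinimize(
                                Arrays.asList(allowedIndexPrivilegesAutomaton, group.privilege().getAutomaton())
                            );
                        } else {
                            allowedIndexPrivilegesAutomaton = group.privilege().getAutomaton();
                        }
                    }
                }
                for (String privilege : checkForPrivileges) {
                    final IndexPrivilege indexPrivilege = IndexPrivilege.get(Collections.singleton(privilege));
                    if (allowedIndexPrivilegesAutomaton != null
                        && Operations.subsetOf(indexPrivilege.getAutomaton(), allowedIndexPrivilegesAutomaton)) {
                        resourcePrivilegesMapBuilder.addResourcePrivilege(forIndexPattern, privilege, Boolean.TRUE);
                    } else {
                        resourcePrivilegesMapBuilder.addResourcePrivilege(forIndexPattern, privilege, Boolean.FALSE);
                    }
                }
            } else {
                // Nothing is left of the pattern after removing restricted names: deny everything.
                for (String privilege : checkForPrivileges) {
                    resourcePrivilegesMapBuilder.addResourcePrivilege(forIndexPattern, privilege, Boolean.FALSE);
                }
            }
        }
        return resourcePrivilegesMapBuilder.build();
    }

    /**
     * Returns the union of the privilege automatons of all groups whose patterns match
     * {@code index}, or {@link Automatons#EMPTY} if none match.
     *
     * <p>NOTE(review): this tests {@code indexNameMatcher} directly rather than going through
     * {@link Group#checkIndex}, so the restricted-index exclusion applied there is not applied
     * here. Confirm that callers account for restricted index names themselves.
     */
    public Automaton allowedActionsMatcher(String index) {
        final List<Automaton> automatonList = new ArrayList<>();
        for (Group group : this.groups) {
            if (group.indexNameMatcher.test(index)) {
                automatonList.add(group.privilege.getAutomaton());
            }
        }
        return automatonList.isEmpty() ? Automatons.EMPTY : Automatons.unionAndMinimize(automatonList);
    }

    /**
     * Decides, for each requested name and for every concrete index behind it, whether
     * {@code action} is granted, and with which field- and document-level restrictions.
     *
     * <p>Points a reader relying on the result should know:
     * <ul>
     *   <li>Every requested name gets an entry, including denied ones. A name that no group
     *       matched carries {@code FieldPermissions.DEFAULT} and allow-all document permissions
     *       together with {@code granted == false}; the granted flag is what denies access, so
     *       it must be checked before the other two parts are used.</li>
     *   <li>Document-level queries of several matching groups are unioned, and a single matching
     *       group without a query switches document filtering off for that index.</li>
     *   <li>A backing index of a data stream is also matched through its parent data stream's
     *       name.</li>
     *   <li>The backwards-compatible mapping-update grant is skipped for data streams and their
     *       backing indices, and emits a deprecation warning only when it is the sole reason the
     *       action was granted.</li>
     * </ul>
     *
     * @param action                    the action name being authorized
     * @param requestedIndicesOrAliases names taken from the request
     * @param lookup                    name to index abstraction; a missing entry is treated as
     *                                  a name with no concrete indices
     * @param fieldPermissionsCache     used to merge several field permissions into one
     * @return unmodifiable map from name to access control
     */
    public Map<String, IndicesAccessControl.IndexAccessControl> authorize(
        String action,
        Set<String> requestedIndicesOrAliases,
        Map<String, IndexAbstraction> lookup,
        FieldPermissionsCache fieldPermissionsCache
    ) {
        final Map<String, Set<FieldPermissions>> fieldPermissionsByIndex = new HashMap<>();
        final Map<String, DocumentLevelPermissions> roleQueriesByIndex = new HashMap<>();
        final Map<String, Boolean> grantedBuilder = new HashMap<>();
        final boolean isMappingUpdateAction = isMappingUpdateAction(action);

        for (final String indexOrAlias : requestedIndicesOrAliases) {
            final Set<String> concreteIndices = new HashSet<>();
            final IndexAbstraction indexAbstraction = lookup.get(indexOrAlias);
            final boolean isBackingIndex;
            final boolean isDataStream;
            if (indexAbstraction != null) {
                for (IndexMetadata indexMetadata : indexAbstraction.getIndices()) {
                    concreteIndices.add(indexMetadata.getIndex().getName());
                }
                isBackingIndex = indexAbstraction.getType() == IndexAbstraction.Type.CONCRETE_INDEX
                    && indexAbstraction.getParentDataStream() != null;
                isDataStream = indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM;
            } else {
                isBackingIndex = false;
                isDataStream = false;
            }

            boolean granted = false;
            boolean bwcGrantMappingUpdate = false;
            // Deprecation warnings are deferred: they are emitted only if the BWC rule turns out
            // to be the only thing that granted the action for this name.
            final List<Runnable> bwcDeprecationLogActions = new ArrayList<>();

            for (Group group : this.groups) {
                final boolean groupMatchesName = group.checkIndex(indexOrAlias)
                    || (isBackingIndex && group.checkIndex(indexAbstraction.getParentDataStream().getName()));
                if (false == groupMatchesName) {
                    continue;
                }
                final boolean actionCheck = group.checkAction(action);
                granted = granted || actionCheck;
                final boolean bwcMappingActionCheck = isMappingUpdateAction
                    && false == isDataStream
                    && false == isBackingIndex
                    && containsPrivilegeThatGrantsMappingUpdatesForBwc(group);
                bwcGrantMappingUpdate = bwcGrantMappingUpdate || bwcMappingActionCheck;
                if (false == actionCheck && false == bwcMappingActionCheck) {
                    continue;
                }
                for (String index : concreteIndices) {
                    final Set<FieldPermissions> fieldPermissions =
                        fieldPermissionsByIndex.computeIfAbsent(index, key -> new HashSet<>());
                    // The requested name shares the set of the concrete index processed last.
                    fieldPermissionsByIndex.put(indexOrAlias, fieldPermissions);
                    fieldPermissions.add(group.getFieldPermissions());
                    final DocumentLevelPermissions permissions =
                        roleQueriesByIndex.computeIfAbsent(index, key -> new DocumentLevelPermissions());
                    // The requested name shares the permissions of the concrete index seen first.
                    roleQueriesByIndex.putIfAbsent(indexOrAlias, permissions);
                    if (group.hasQuery()) {
                        permissions.addAll(group.getQuery());
                    } else {
                        // One matching group without a query disables document filtering for
                        // this index, whatever queries other groups contribute.
                        permissions.setAllowAll(true);
                    }
                }
                if (false == actionCheck) {
                    for (String privilegeName : group.privilege.name()) {
                        if (PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE.contains(privilegeName)) {
                            bwcDeprecationLogActions.add(
                                () -> deprecationLogger.deprecate(
                                    "[" + indexOrAlias + "] mapping update for ingest privilege [" + privilegeName + "]",
                                    "the index privilege [" + privilegeName + "] allowed the update mapping action [" + action + "] on index [" + indexOrAlias + "], this privilege will not permit mapping updates in the next major release - users who require access to update mappings must be granted explicit privileges"
                                )
                            );
                        }
                    }
                }
            }

            if (false == granted && bwcGrantMappingUpdate) {
                granted = true;
                bwcDeprecationLogActions.forEach(Runnable::run);
            }

            grantedBuilder.put(indexOrAlias, granted);
            for (String concreteIndex : concreteIndices) {
                grantedBuilder.put(concreteIndex, granted);
            }
        }

        final Map<String, IndicesAccessControl.IndexAccessControl> indexPermissions = new HashMap<>();
        for (Map.Entry<String, Boolean> entry : grantedBuilder.entrySet()) {
            final String index = entry.getKey();

            final DocumentLevelPermissions permissions = roleQueriesByIndex.get(index);
            final Set<BytesReference> roleQueries;
            if (permissions == null || permissions.isAllowAll()) {
                roleQueries = null;
            } else {
                roleQueries = Collections.unmodifiableSet(permissions.queries);
            }

            final Set<FieldPermissions> indexFieldPermissions = fieldPermissionsByIndex.get(index);
            final FieldPermissions fieldPermissions;
            if (indexFieldPermissions == null || indexFieldPermissions.isEmpty()) {
                fieldPermissions = FieldPermissions.DEFAULT;
            } else if (indexFieldPermissions.size() == 1) {
                fieldPermissions = indexFieldPermissions.iterator().next();
            } else {
                fieldPermissions = fieldPermissionsCache.getFieldPermissions(indexFieldPermissions);
            }

            final DocumentPermissions documentPermissions =
                roleQueries != null ? DocumentPermissions.filteredBy(roleQueries) : DocumentPermissions.allowAll();
            indexPermissions.put(
                index,
                new IndicesAccessControl.IndexAccessControl(entry.getValue(), fieldPermissions, documentPermissions)
            );
        }
        return Collections.unmodifiableMap(indexPermissions);
    }

    /**
     * Returns whether the expression is a plain (non-wildcard, non-regex) name that is a
     * restricted index name.
     */
    private boolean isConcreteRestrictedIndex(String indexPattern) {
        if (Regex.isSimpleMatchPattern(indexPattern) || Automatons.isLuceneRegex(indexPattern)) {
            return false;
        }
        return RestrictedIndicesNames.isRestricted(indexPattern);
    }

    /** Returns whether the action is one of the two mapping update actions. */
    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isMappingUpdateAction(String action) {
        return action.equals("indices:admin/mapping/put") || action.equals("indices:admin/mapping/auto_put");
    }

    /**
     * Returns whether the group's privilege carries one of the names that still grant mapping
     * updates for backwards compatibility.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static boolean containsPrivilegeThatGrantsMappingUpdatesForBwc(Group group) {
        return group.privilege().name().stream().anyMatch(PRIVILEGE_NAME_SET_BWC_ALLOW_MAPPING_UPDATE::contains);
    }
}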
