package org.elasticsearch.xpack.core.security.authz;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.elasticsearch.ElasticsearchParseException;
import org.elasticsearch.Version;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.ParseField;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.ValidationException;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.common.xcontent.ObjectParser;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.env.NodeEnvironment;
import org.elasticsearch.search.aggregations.bucket.global.GlobalAggregationBuilder;
import org.elasticsearch.xpack.core.ml.job.persistence.ElasticsearchMappings;
import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.ExceptExpression;
import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges;
import org.elasticsearch.xpack.core.security.support.Validation;
import org.elasticsearch.xpack.core.security.xcontent.XContentUtils;

/* loaded from: input_file:lib/org.elasticsearch.xpack.core-7.3.0.jar:org/elasticsearch/xpack/core/security/authz/RoleDescriptor.class */
public class RoleDescriptor implements ToXContentObject, Writeable {
    public static final String ROLE_TYPE = "role";
    private final String name;
    private final String[] clusterPrivileges;
    private final ConditionalClusterPrivilege[] conditionalClusterPrivileges;
    private final IndicesPrivileges[] indicesPrivileges;
    private final ApplicationResourcePrivileges[] applicationPrivileges;
    private final String[] runAs;
    private final Map<String, Object> metadata;
    private final Map<String, Object> transientMetadata;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:lib/org.elasticsearch.xpack.core-7.3.0.jar:org/elasticsearch/xpack/core/security/authz/RoleDescriptor$ApplicationResourcePrivileges.class */
    public static class ApplicationResourcePrivileges implements ToXContentObject, Writeable {
        private static final ApplicationResourcePrivileges[] NONE = new ApplicationResourcePrivileges[0];
        private static final ObjectParser<Builder, Void> PARSER = new ObjectParser<>("application", ApplicationResourcePrivileges::builder);
        private String application;
        private String[] privileges;
        private String[] resources;

        /* loaded from: input_file:lib/org.elasticsearch.xpack.core-7.3.0.jar:org/elasticsearch/xpack/core/security/authz/RoleDescriptor$ApplicationResourcePrivileges$Builder.class */
        public static class Builder {
            private ApplicationResourcePrivileges applicationPrivileges;

            private Builder() {
                this.applicationPrivileges = new ApplicationResourcePrivileges();
            }

            public Builder application(String str) {
                this.applicationPrivileges.application = str;
                return this;
            }

            public Builder resources(String... strArr) {
                this.applicationPrivileges.resources = strArr;
                return this;
            }

            public Builder resources(Collection<String> collection) {
                return resources((String[]) collection.toArray(new String[collection.size()]));
            }

            public Builder privileges(String... strArr) {
                this.applicationPrivileges.privileges = strArr;
                return this;
            }

            public Builder privileges(Collection<String> collection) {
                return privileges((String[]) collection.toArray(new String[collection.size()]));
            }

            public boolean hasResources() {
                return this.applicationPrivileges.resources != null;
            }

            public boolean hasPrivileges() {
                return this.applicationPrivileges.privileges != null;
            }

            public ApplicationResourcePrivileges build() {
                if (Strings.isNullOrEmpty(this.applicationPrivileges.application)) {
                    throw new IllegalArgumentException("application privileges must have an application name");
                }
                if (this.applicationPrivileges.privileges == null || this.applicationPrivileges.privileges.length == 0) {
                    throw new IllegalArgumentException("application privileges must define at least one privilege");
                }
                if (this.applicationPrivileges.resources == null || this.applicationPrivileges.resources.length == 0) {
                    throw new IllegalArgumentException("application privileges must refer to at least one resource");
                }
                return this.applicationPrivileges;
            }
        }

        private ApplicationResourcePrivileges() {
        }

        public ApplicationResourcePrivileges(StreamInput streamInput) throws IOException {
            this.application = streamInput.readString();
            this.privileges = streamInput.readStringArray();
            this.resources = streamInput.readStringArray();
        }

        @Override // org.elasticsearch.common.io.stream.Writeable
        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeString(this.application);
            streamOutput.writeStringArray(this.privileges);
            streamOutput.writeStringArray(this.resources);
        }

        public static Builder builder() {
            return new Builder();
        }

        public String getApplication() {
            return this.application;
        }

        public String[] getResources() {
            return this.resources;
        }

        public String[] getPrivileges() {
            return this.privileges;
        }

        public String toString() {
            return getClass().getSimpleName() + "[application=" + this.application + ", privileges=[" + Strings.arrayToCommaDelimitedString(this.privileges) + "], resources=[" + Strings.arrayToCommaDelimitedString(this.resources) + "]]";
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            ApplicationResourcePrivileges applicationResourcePrivileges = (ApplicationResourcePrivileges) obj;
            return Objects.equals(this.application, applicationResourcePrivileges.application) && Arrays.equals(this.resources, applicationResourcePrivileges.resources) && Arrays.equals(this.privileges, applicationResourcePrivileges.privileges);
        }

        public int hashCode() {
            return (31 * Arrays.hashCode(this.resources)) + Arrays.hashCode(this.privileges);
        }

        @Override // org.elasticsearch.common.xcontent.ToXContent
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.field(Fields.APPLICATION.getPreferredName(), this.application);
            xContentBuilder.array(Fields.PRIVILEGES.getPreferredName(), this.privileges);
            xContentBuilder.array(Fields.RESOURCES.getPreferredName(), this.resources);
            return xContentBuilder.endObject();
        }

        public static void write(StreamOutput streamOutput, ApplicationResourcePrivileges applicationResourcePrivileges) throws IOException {
            applicationResourcePrivileges.writeTo(streamOutput);
        }

        static {
            PARSER.declareString((v0, v1) -> {
                v0.application(v1);
            }, Fields.APPLICATION);
            PARSER.declareStringArray((v0, v1) -> {
                v0.privileges(v1);
            }, Fields.PRIVILEGES);
            PARSER.declareStringArray((v0, v1) -> {
                v0.resources(v1);
            }, Fields.RESOURCES);
        }
    }

    /* loaded from: input_file:lib/org.elasticsearch.xpack.core-7.3.0.jar:org/elasticsearch/xpack/core/security/authz/RoleDescriptor$Fields.class */
    public interface Fields {
        public static final ParseField CLUSTER = new ParseField("cluster", new String[0]);
        public static final ParseField GLOBAL = new ParseField(GlobalAggregationBuilder.NAME, new String[0]);
        public static final ParseField INDEX = new ParseField("index", new String[0]);
        public static final ParseField INDICES = new ParseField(NodeEnvironment.INDICES_FOLDER, new String[0]);
        public static final ParseField APPLICATIONS = new ParseField("applications", new String[0]);
        public static final ParseField RUN_AS = new ParseField("run_as", new String[0]);
        public static final ParseField NAMES = new ParseField("names", new String[0]);
        public static final ParseField ALLOW_RESTRICTED_INDICES = new ParseField("allow_restricted_indices", new String[0]);
        public static final ParseField RESOURCES = new ParseField("resources", new String[0]);
        public static final ParseField QUERY = new ParseField("query", new String[0]);
        public static final ParseField PRIVILEGES = new ParseField("privileges", new String[0]);
        public static final ParseField APPLICATION = new ParseField("application", new String[0]);
        public static final ParseField FIELD_PERMISSIONS = new ParseField("field_security", new String[0]);
        public static final ParseField FIELD_PERMISSIONS_2X = new ParseField(ElasticsearchMappings.FIELDS, new String[0]);
        public static final ParseField GRANT_FIELDS = new ParseField("grant", new String[0]);
        public static final ParseField EXCEPT_FIELDS = new ParseField(ExceptExpression.NAME, new String[0]);
        public static final ParseField METADATA = new ParseField("metadata", new String[0]);
        public static final ParseField TRANSIENT_METADATA = new ParseField("transient_metadata", new String[0]);
        public static final ParseField TYPE = new ParseField("type", new String[0]);
    }

    /* loaded from: input_file:lib/org.elasticsearch.xpack.core-7.3.0.jar:org/elasticsearch/xpack/core/security/authz/RoleDescriptor$IndicesPrivileges.class */
    public static class IndicesPrivileges implements ToXContentObject, Writeable {
        private static final IndicesPrivileges[] NONE = new IndicesPrivileges[0];
        private String[] indices;
        private String[] privileges;
        private String[] grantedFields;
        private String[] deniedFields;
        private BytesReference query;
        private boolean allowRestrictedIndices;

        /* loaded from: input_file:lib/org.elasticsearch.xpack.core-7.3.0.jar:org/elasticsearch/xpack/core/security/authz/RoleDescriptor$IndicesPrivileges$Builder.class */
        public static class Builder {
            private IndicesPrivileges indicesPrivileges;

            private Builder() {
                this.indicesPrivileges = new IndicesPrivileges();
            }

            public Builder indices(String... strArr) {
                this.indicesPrivileges.indices = strArr;
                return this;
            }

            public Builder privileges(String... strArr) {
                this.indicesPrivileges.privileges = strArr;
                return this;
            }

            public Builder privileges(Collection<String> collection) {
                return privileges((String[]) collection.toArray(new String[collection.size()]));
            }

            public Builder grantedFields(String... strArr) {
                this.indicesPrivileges.grantedFields = strArr;
                return this;
            }

            public Builder deniedFields(String... strArr) {
                this.indicesPrivileges.deniedFields = strArr;
                return this;
            }

            public Builder query(@Nullable String str) {
                return query(str == null ? null : new BytesArray(str));
            }

            public Builder allowRestrictedIndices(boolean z) {
                this.indicesPrivileges.allowRestrictedIndices = z;
                return this;
            }

            public Builder query(@Nullable BytesReference bytesReference) {
                if (bytesReference == null) {
                    this.indicesPrivileges.query = null;
                } else {
                    this.indicesPrivileges.query = bytesReference;
                }
                return this;
            }

            public IndicesPrivileges build() {
                if (this.indicesPrivileges.indices == null || this.indicesPrivileges.indices.length == 0) {
                    throw new IllegalArgumentException("indices privileges must refer to at least one index name or index name pattern");
                }
                if (this.indicesPrivileges.privileges == null || this.indicesPrivileges.privileges.length == 0) {
                    throw new IllegalArgumentException("indices privileges must define at least one privilege");
                }
                return this.indicesPrivileges;
            }
        }

        private IndicesPrivileges() {
            this.grantedFields = null;
            this.deniedFields = null;
            this.allowRestrictedIndices = false;
        }

        public IndicesPrivileges(StreamInput streamInput) throws IOException {
            this.grantedFields = null;
            this.deniedFields = null;
            this.allowRestrictedIndices = false;
            this.indices = streamInput.readStringArray();
            this.grantedFields = streamInput.readOptionalStringArray();
            this.deniedFields = streamInput.readOptionalStringArray();
            this.privileges = streamInput.readStringArray();
            this.query = streamInput.readOptionalBytesReference();
            if (streamInput.getVersion().onOrAfter(Version.V_6_7_0)) {
                this.allowRestrictedIndices = streamInput.readBoolean();
            } else {
                this.allowRestrictedIndices = false;
            }
        }

        @Override // org.elasticsearch.common.io.stream.Writeable
        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeStringArray(this.indices);
            streamOutput.writeOptionalStringArray(this.grantedFields);
            streamOutput.writeOptionalStringArray(this.deniedFields);
            streamOutput.writeStringArray(this.privileges);
            streamOutput.writeOptionalBytesReference(this.query);
            if (streamOutput.getVersion().onOrAfter(Version.V_6_7_0)) {
                streamOutput.writeBoolean(this.allowRestrictedIndices);
            }
        }

        public static Builder builder() {
            return new Builder();
        }

        public String[] getIndices() {
            return this.indices;
        }

        public String[] getPrivileges() {
            return this.privileges;
        }

        @Nullable
        public String[] getGrantedFields() {
            return this.grantedFields;
        }

        @Nullable
        public String[] getDeniedFields() {
            return this.deniedFields;
        }

        @Nullable
        public BytesReference getQuery() {
            return this.query;
        }

        public boolean isUsingDocumentLevelSecurity() {
            return this.query != null;
        }

        public boolean isUsingFieldLevelSecurity() {
            return hasDeniedFields() || hasGrantedFields();
        }

        public boolean allowRestrictedIndices() {
            return this.allowRestrictedIndices;
        }

        private boolean hasDeniedFields() {
            return this.deniedFields != null && this.deniedFields.length > 0;
        }

        private boolean hasGrantedFields() {
            if (this.grantedFields == null || this.grantedFields.length < 0) {
                return false;
            }
            return (this.grantedFields.length == 1 && "*".equals(this.grantedFields[0])) ? false : true;
        }

        public String toString() {
            StringBuilder sb = new StringBuilder("IndicesPrivileges[");
            sb.append("indices=[").append(Strings.arrayToCommaDelimitedString(this.indices));
            sb.append("], allowRestrictedIndices=[").append(this.allowRestrictedIndices);
            sb.append("], privileges=[").append(Strings.arrayToCommaDelimitedString(this.privileges));
            sb.append("], ");
            if (this.grantedFields != null || this.deniedFields != null) {
                sb.append(Fields.FIELD_PERMISSIONS).append("=[");
                if (this.grantedFields == null) {
                    sb.append(Fields.GRANT_FIELDS).append("=null");
                } else {
                    sb.append(Fields.GRANT_FIELDS).append("=[").append(Strings.arrayToCommaDelimitedString(this.grantedFields));
                    sb.append("]");
                }
                if (this.deniedFields == null) {
                    sb.append(", ").append(Fields.EXCEPT_FIELDS).append("=null");
                } else {
                    sb.append(", ").append(Fields.EXCEPT_FIELDS).append("=[").append(Strings.arrayToCommaDelimitedString(this.deniedFields));
                    sb.append("]");
                }
                sb.append("]");
            }
            if (this.query != null) {
                sb.append(", query=");
                sb.append(this.query.utf8ToString());
            }
            sb.append("]");
            return sb.toString();
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            IndicesPrivileges indicesPrivileges = (IndicesPrivileges) obj;
            if (Arrays.equals(this.indices, indicesPrivileges.indices) && this.allowRestrictedIndices == indicesPrivileges.allowRestrictedIndices && Arrays.equals(this.privileges, indicesPrivileges.privileges) && Arrays.equals(this.grantedFields, indicesPrivileges.grantedFields) && Arrays.equals(this.deniedFields, indicesPrivileges.deniedFields)) {
                return this.query == null ? indicesPrivileges.query == null : this.query.equals(indicesPrivileges.query);
            }
            return false;
        }

        public int hashCode() {
            return (31 * ((31 * ((31 * ((31 * ((31 * Arrays.hashCode(this.indices)) + (this.allowRestrictedIndices ? 1 : 0))) + Arrays.hashCode(this.privileges))) + Arrays.hashCode(this.grantedFields))) + Arrays.hashCode(this.deniedFields))) + (this.query != null ? this.query.hashCode() : 0);
        }

        @Override // org.elasticsearch.common.xcontent.ToXContent
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.array("names", this.indices);
            xContentBuilder.array("privileges", this.privileges);
            if (this.grantedFields != null || this.deniedFields != null) {
                xContentBuilder.startObject(Fields.FIELD_PERMISSIONS.getPreferredName());
                if (this.grantedFields != null) {
                    xContentBuilder.array(Fields.GRANT_FIELDS.getPreferredName(), this.grantedFields);
                }
                if (this.deniedFields != null) {
                    xContentBuilder.array(Fields.EXCEPT_FIELDS.getPreferredName(), this.deniedFields);
                }
                xContentBuilder.endObject();
            }
            if (this.query != null) {
                xContentBuilder.field("query", this.query.utf8ToString());
            }
            xContentBuilder.field(Fields.ALLOW_RESTRICTED_INDICES.getPreferredName(), this.allowRestrictedIndices);
            return xContentBuilder.endObject();
        }
    }

    public RoleDescriptor(String str, @Nullable String[] strArr, @Nullable IndicesPrivileges[] indicesPrivilegesArr, @Nullable String[] strArr2) {
        this(str, strArr, indicesPrivilegesArr, strArr2, null);
    }

    @Deprecated
    public RoleDescriptor(String str, @Nullable String[] strArr, @Nullable IndicesPrivileges[] indicesPrivilegesArr, @Nullable String[] strArr2, @Nullable Map<String, Object> map) {
        this(str, strArr, indicesPrivilegesArr, strArr2, map, null);
    }

    @Deprecated
    public RoleDescriptor(String str, @Nullable String[] strArr, @Nullable IndicesPrivileges[] indicesPrivilegesArr, @Nullable String[] strArr2, @Nullable Map<String, Object> map, @Nullable Map<String, Object> map2) {
        this(str, strArr, indicesPrivilegesArr, null, null, strArr2, map, map2);
    }

    public RoleDescriptor(String str, @Nullable String[] strArr, @Nullable IndicesPrivileges[] indicesPrivilegesArr, @Nullable ApplicationResourcePrivileges[] applicationResourcePrivilegesArr, @Nullable ConditionalClusterPrivilege[] conditionalClusterPrivilegeArr, @Nullable String[] strArr2, @Nullable Map<String, Object> map, @Nullable Map<String, Object> map2) {
        this.name = str;
        this.clusterPrivileges = strArr != null ? strArr : Strings.EMPTY_ARRAY;
        this.conditionalClusterPrivileges = conditionalClusterPrivilegeArr != null ? conditionalClusterPrivilegeArr : ConditionalClusterPrivileges.EMPTY_ARRAY;
        this.indicesPrivileges = indicesPrivilegesArr != null ? indicesPrivilegesArr : IndicesPrivileges.NONE;
        this.applicationPrivileges = applicationResourcePrivilegesArr != null ? applicationResourcePrivilegesArr : ApplicationResourcePrivileges.NONE;
        this.runAs = strArr2 != null ? strArr2 : Strings.EMPTY_ARRAY;
        this.metadata = map != null ? Collections.unmodifiableMap(map) : Collections.emptyMap();
        this.transientMetadata = map2 != null ? Collections.unmodifiableMap(map2) : Collections.singletonMap(ElasticsearchMappings.ENABLED, true);
    }

    public RoleDescriptor(StreamInput streamInput) throws IOException {
        this.name = streamInput.readString();
        this.clusterPrivileges = streamInput.readStringArray();
        int readVInt = streamInput.readVInt();
        this.indicesPrivileges = new IndicesPrivileges[readVInt];
        for (int i = 0; i < readVInt; i++) {
            this.indicesPrivileges[i] = new IndicesPrivileges(streamInput);
        }
        this.runAs = streamInput.readStringArray();
        this.metadata = streamInput.readMap();
        this.transientMetadata = streamInput.readMap();
        if (streamInput.getVersion().onOrAfter(Version.V_6_4_0)) {
            this.applicationPrivileges = (ApplicationResourcePrivileges[]) streamInput.readArray(ApplicationResourcePrivileges::new, i2 -> {
                return new ApplicationResourcePrivileges[i2];
            });
            this.conditionalClusterPrivileges = ConditionalClusterPrivileges.readArray(streamInput);
        } else {
            this.applicationPrivileges = ApplicationResourcePrivileges.NONE;
            this.conditionalClusterPrivileges = ConditionalClusterPrivileges.EMPTY_ARRAY;
        }
    }

    public String getName() {
        return this.name;
    }

    public String[] getClusterPrivileges() {
        return this.clusterPrivileges;
    }

    public ConditionalClusterPrivilege[] getConditionalClusterPrivileges() {
        return this.conditionalClusterPrivileges;
    }

    public IndicesPrivileges[] getIndicesPrivileges() {
        return this.indicesPrivileges;
    }

    public ApplicationResourcePrivileges[] getApplicationPrivileges() {
        return this.applicationPrivileges;
    }

    public String[] getRunAs() {
        return this.runAs;
    }

    public Map<String, Object> getMetadata() {
        return this.metadata;
    }

    public Map<String, Object> getTransientMetadata() {
        return this.transientMetadata;
    }

    public boolean isUsingDocumentOrFieldLevelSecurity() {
        return Arrays.stream(this.indicesPrivileges).anyMatch(indicesPrivileges -> {
            return indicesPrivileges.isUsingDocumentLevelSecurity() || indicesPrivileges.isUsingFieldLevelSecurity();
        });
    }

    public String toString() {
        StringBuilder sb = new StringBuilder("Role[");
        sb.append("name=").append(this.name);
        sb.append(", cluster=[").append(Strings.arrayToCommaDelimitedString(this.clusterPrivileges));
        sb.append("], global=[").append(Strings.arrayToCommaDelimitedString(this.conditionalClusterPrivileges));
        sb.append("], indicesPrivileges=[");
        for (IndicesPrivileges indicesPrivileges : this.indicesPrivileges) {
            sb.append(indicesPrivileges.toString()).append(",");
        }
        sb.append("], applicationPrivileges=[");
        for (ApplicationResourcePrivileges applicationResourcePrivileges : this.applicationPrivileges) {
            sb.append(applicationResourcePrivileges.toString()).append(",");
        }
        sb.append("], runAs=[").append(Strings.arrayToCommaDelimitedString(this.runAs));
        sb.append("], metadata=[");
        sb.append(this.metadata);
        sb.append("]]");
        return sb.toString();
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        RoleDescriptor roleDescriptor = (RoleDescriptor) obj;
        if (this.name.equals(roleDescriptor.name) && Arrays.equals(this.clusterPrivileges, roleDescriptor.clusterPrivileges) && Arrays.equals(this.conditionalClusterPrivileges, roleDescriptor.conditionalClusterPrivileges) && Arrays.equals(this.indicesPrivileges, roleDescriptor.indicesPrivileges) && Arrays.equals(this.applicationPrivileges, roleDescriptor.applicationPrivileges) && this.metadata.equals(roleDescriptor.getMetadata())) {
            return Arrays.equals(this.runAs, roleDescriptor.runAs);
        }
        return false;
    }

    public int hashCode() {
        return (31 * ((31 * ((31 * ((31 * ((31 * ((31 * this.name.hashCode()) + Arrays.hashCode(this.clusterPrivileges))) + Arrays.hashCode(this.conditionalClusterPrivileges))) + Arrays.hashCode(this.indicesPrivileges))) + Arrays.hashCode(this.applicationPrivileges))) + Arrays.hashCode(this.runAs))) + this.metadata.hashCode();
    }

    @Override // org.elasticsearch.common.xcontent.ToXContent
    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        return toXContent(xContentBuilder, params, false);
    }

    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params, boolean z) throws IOException {
        xContentBuilder.startObject();
        xContentBuilder.array(Fields.CLUSTER.getPreferredName(), this.clusterPrivileges);
        if (this.conditionalClusterPrivileges.length != 0) {
            xContentBuilder.field(Fields.GLOBAL.getPreferredName());
            ConditionalClusterPrivileges.toXContent(xContentBuilder, params, Arrays.asList(this.conditionalClusterPrivileges));
        }
        xContentBuilder.array(Fields.INDICES.getPreferredName(), this.indicesPrivileges);
        xContentBuilder.array(Fields.APPLICATIONS.getPreferredName(), this.applicationPrivileges);
        if (this.runAs != null) {
            xContentBuilder.array(Fields.RUN_AS.getPreferredName(), this.runAs);
        }
        xContentBuilder.field(Fields.METADATA.getPreferredName(), this.metadata);
        if (z) {
            xContentBuilder.field(Fields.TYPE.getPreferredName(), ROLE_TYPE);
        } else {
            xContentBuilder.field(Fields.TRANSIENT_METADATA.getPreferredName(), this.transientMetadata);
        }
        return xContentBuilder.endObject();
    }

    @Override // org.elasticsearch.common.io.stream.Writeable
    public void writeTo(StreamOutput streamOutput) throws IOException {
        streamOutput.writeString(this.name);
        streamOutput.writeStringArray(this.clusterPrivileges);
        streamOutput.writeVInt(this.indicesPrivileges.length);
        for (IndicesPrivileges indicesPrivileges : this.indicesPrivileges) {
            indicesPrivileges.writeTo(streamOutput);
        }
        streamOutput.writeStringArray(this.runAs);
        streamOutput.writeMap(this.metadata);
        streamOutput.writeMap(this.transientMetadata);
        if (streamOutput.getVersion().onOrAfter(Version.V_6_4_0)) {
            streamOutput.writeArray(ApplicationResourcePrivileges::write, this.applicationPrivileges);
            ConditionalClusterPrivileges.writeArray(streamOutput, getConditionalClusterPrivileges());
        }
    }

    public static RoleDescriptor parse(String str, BytesReference bytesReference, boolean z, XContentType xContentType) throws IOException {
        if (!$assertionsDisabled && str == null) {
            throw new AssertionError();
        }
        StreamInput streamInput = bytesReference.streamInput();
        try {
            XContentParser createParser = xContentType.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, streamInput);
            try {
                RoleDescriptor parse = parse(str, createParser, z);
                if (createParser != null) {
                    createParser.close();
                }
                if (streamInput != null) {
                    streamInput.close();
                }
                return parse;
            } finally {
            }
        } catch (Throwable th) {
            if (streamInput != null) {
                try {
                    streamInput.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public static RoleDescriptor parse(String str, XContentParser xContentParser, boolean z) throws IOException {
        Validation.Error validateRoleName = Validation.Roles.validateRoleName(str, true);
        if (validateRoleName != null) {
            ValidationException validationException = new ValidationException();
            validationException.addValidationError(validateRoleName.toString());
            throw validationException;
        }
        XContentParser.Token nextToken = xContentParser.currentToken() == null ? xContentParser.nextToken() : xContentParser.currentToken();
        if (nextToken != XContentParser.Token.START_OBJECT) {
            throw new ElasticsearchParseException("failed to parse role [{}]. expected an object but found [{}] instead", str, nextToken);
        }
        String str2 = null;
        IndicesPrivileges[] indicesPrivilegesArr = null;
        String[] strArr = null;
        List<ConditionalClusterPrivilege> emptyList = Collections.emptyList();
        ApplicationResourcePrivileges[] applicationResourcePrivilegesArr = null;
        String[] strArr2 = null;
        Map<String, Object> map = null;
        while (true) {
            XContentParser.Token nextToken2 = xContentParser.nextToken();
            if (nextToken2 == XContentParser.Token.END_OBJECT) {
                return new RoleDescriptor(str, strArr, indicesPrivilegesArr, applicationResourcePrivilegesArr, (ConditionalClusterPrivilege[]) emptyList.toArray(new ConditionalClusterPrivilege[emptyList.size()]), strArr2, map, null);
            }
            if (nextToken2 == XContentParser.Token.FIELD_NAME) {
                str2 = xContentParser.currentName();
            } else if (Fields.INDEX.match(str2, xContentParser.getDeprecationHandler()) || Fields.INDICES.match(str2, xContentParser.getDeprecationHandler())) {
                indicesPrivilegesArr = parseIndices(str, xContentParser, z);
            } else if (Fields.RUN_AS.match(str2, xContentParser.getDeprecationHandler())) {
                strArr2 = readStringArray(str, xContentParser, true);
            } else if (Fields.CLUSTER.match(str2, xContentParser.getDeprecationHandler())) {
                strArr = readStringArray(str, xContentParser, true);
            } else if (Fields.APPLICATIONS.match(str2, xContentParser.getDeprecationHandler()) || Fields.APPLICATION.match(str2, xContentParser.getDeprecationHandler())) {
                applicationResourcePrivilegesArr = parseApplicationPrivileges(str, xContentParser);
            } else if (Fields.GLOBAL.match(str2, xContentParser.getDeprecationHandler())) {
                emptyList = ConditionalClusterPrivileges.parse(xContentParser);
            } else if (Fields.METADATA.match(str2, xContentParser.getDeprecationHandler())) {
                if (nextToken2 != XContentParser.Token.START_OBJECT) {
                    throw new ElasticsearchParseException("expected field [{}] to be of type object, but found [{}] instead", str2, nextToken2);
                }
                map = xContentParser.map();
            } else if (Fields.TRANSIENT_METADATA.match(str2, xContentParser.getDeprecationHandler())) {
                if (nextToken2 != XContentParser.Token.START_OBJECT) {
                    throw new ElasticsearchParseException("failed to parse role [{}]. unexpected field [{}]", str, str2);
                }
                xContentParser.map();
            } else if (!Fields.TYPE.match(str2, xContentParser.getDeprecationHandler())) {
                throw new ElasticsearchParseException("failed to parse role [{}]. unexpected field [{}]", str, str2);
            }
        }
    }

    private static String[] readStringArray(String str, XContentParser xContentParser, boolean z) throws IOException {
        try {
            return XContentUtils.readStringArray(xContentParser, z);
        } catch (ElasticsearchParseException e) {
            throw new ElasticsearchParseException("failed to parse role [{}]", e, str);
        }
    }

    public static RoleDescriptor parsePrivilegesCheck(String str, BytesReference bytesReference, XContentType xContentType) throws IOException {
        StreamInput streamInput = bytesReference.streamInput();
        try {
            XContentParser createParser = xContentType.xContent().createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, streamInput);
            try {
                XContentParser.Token nextToken = createParser.nextToken();
                if (nextToken != XContentParser.Token.START_OBJECT) {
                    throw new ElasticsearchParseException("failed to parse privileges check [{}]. expected an object but found [{}] instead", str, nextToken);
                }
                String str2 = null;
                IndicesPrivileges[] indicesPrivilegesArr = null;
                String[] strArr = null;
                ApplicationResourcePrivileges[] applicationResourcePrivilegesArr = null;
                while (true) {
                    XContentParser.Token nextToken2 = createParser.nextToken();
                    if (nextToken2 == XContentParser.Token.END_OBJECT) {
                        if (indicesPrivilegesArr == null && strArr == null && applicationResourcePrivilegesArr == null) {
                            throw new ElasticsearchParseException("failed to parse privileges check [{}]. All privilege fields [{},{},{}] are missing", str, Fields.CLUSTER, Fields.INDEX, Fields.APPLICATIONS);
                        }
                        if (indicesPrivilegesArr != null) {
                            if (Arrays.stream(indicesPrivilegesArr).anyMatch((v0) -> {
                                return v0.isUsingFieldLevelSecurity();
                            })) {
                                throw new ElasticsearchParseException("Field [{}] is not supported in a has_privileges request", Fields.FIELD_PERMISSIONS);
                            }
                            if (Arrays.stream(indicesPrivilegesArr).anyMatch((v0) -> {
                                return v0.isUsingDocumentLevelSecurity();
                            })) {
                                throw new ElasticsearchParseException("Field [{}] is not supported in a has_privileges request", Fields.QUERY);
                            }
                        }
                        RoleDescriptor roleDescriptor = new RoleDescriptor(str, strArr, indicesPrivilegesArr, applicationResourcePrivilegesArr, null, null, null, null);
                        if (createParser != null) {
                            createParser.close();
                        }
                        if (streamInput != null) {
                            streamInput.close();
                        }
                        return roleDescriptor;
                    }
                    if (nextToken2 == XContentParser.Token.FIELD_NAME) {
                        str2 = createParser.currentName();
                    } else if (Fields.INDEX.match(str2, createParser.getDeprecationHandler())) {
                        indicesPrivilegesArr = parseIndices(str, createParser, false);
                    } else if (Fields.CLUSTER.match(str2, createParser.getDeprecationHandler())) {
                        strArr = readStringArray(str, createParser, true);
                    } else {
                        if (!Fields.APPLICATIONS.match(str2, createParser.getDeprecationHandler()) && !Fields.APPLICATION.match(str2, createParser.getDeprecationHandler())) {
                            throw new ElasticsearchParseException("failed to parse privileges check [{}]. unexpected field [{}]", str, str2);
                        }
                        applicationResourcePrivilegesArr = parseApplicationPrivileges(str, createParser);
                    }
                }
            } finally {
            }
        } catch (Throwable th) {
            if (streamInput != null) {
                try {
                    streamInput.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static IndicesPrivileges[] parseIndices(String str, XContentParser xContentParser, boolean z) throws IOException {
        if (xContentParser.currentToken() != XContentParser.Token.START_ARRAY) {
            throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] value to be an array, but found [{}] instead", str, xContentParser.currentName(), xContentParser.currentToken());
        }
        ArrayList arrayList = new ArrayList();
        while (xContentParser.nextToken() != XContentParser.Token.END_ARRAY) {
            arrayList.add(parseIndex(str, xContentParser, z));
        }
        return (IndicesPrivileges[]) arrayList.toArray(new IndicesPrivileges[arrayList.size()]);
    }

    private static IndicesPrivileges parseIndex(String str, XContentParser xContentParser, boolean z) throws IOException {
        XContentParser.Token currentToken = xContentParser.currentToken();
        if (currentToken != XContentParser.Token.START_OBJECT) {
            throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] value to be an array of objects, but found an array element of type [{}]", str, xContentParser.currentName(), currentToken);
        }
        String str2 = null;
        String[] strArr = null;
        BytesReference bytesReference = null;
        String[] strArr2 = null;
        String[] strArr3 = null;
        String[] strArr4 = null;
        boolean z2 = false;
        while (true) {
            XContentParser.Token nextToken = xContentParser.nextToken();
            if (nextToken == XContentParser.Token.END_OBJECT) {
                if (strArr == null) {
                    throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. missing required [{}] field", str, Fields.NAMES.getPreferredName());
                }
                if (strArr2 == null) {
                    throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. missing required [{}] field", str, Fields.PRIVILEGES.getPreferredName());
                }
                if (strArr4 == null || strArr3 != null) {
                    return IndicesPrivileges.builder().indices(strArr).privileges(strArr2).grantedFields(strArr3).deniedFields(strArr4).query(bytesReference).allowRestrictedIndices(z2).build();
                }
                throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. {} requires {} if {} is given", str, Fields.FIELD_PERMISSIONS, Fields.GRANT_FIELDS, Fields.EXCEPT_FIELDS);
            }
            if (nextToken == XContentParser.Token.FIELD_NAME) {
                str2 = xContentParser.currentName();
            } else if (Fields.NAMES.match(str2, xContentParser.getDeprecationHandler())) {
                if (nextToken == XContentParser.Token.VALUE_STRING) {
                    strArr = new String[]{xContentParser.text()};
                } else {
                    if (nextToken != XContentParser.Token.START_ARRAY) {
                        throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] value to be a string or an array of strings, but found [{}] instead", str, str2, nextToken);
                    }
                    strArr = readStringArray(str, xContentParser, false);
                    if (strArr.length == 0) {
                        throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. [{}] cannot be an empty array", str, str2);
                    }
                }
            } else if (Fields.ALLOW_RESTRICTED_INDICES.match(str2, xContentParser.getDeprecationHandler())) {
                if (nextToken != XContentParser.Token.VALUE_BOOLEAN) {
                    throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] value to be a boolean, but found [{}] instead", str, str2, nextToken);
                }
                z2 = xContentParser.booleanValue();
            } else if (Fields.QUERY.match(str2, xContentParser.getDeprecationHandler())) {
                if (nextToken == XContentParser.Token.START_OBJECT) {
                    XContentBuilder contentBuilder = JsonXContent.contentBuilder();
                    contentBuilder.generator().copyCurrentStructure(xContentParser);
                    bytesReference = BytesReference.bytes(contentBuilder);
                } else if (nextToken == XContentParser.Token.VALUE_STRING) {
                    String text = xContentParser.text();
                    if (!text.isEmpty()) {
                        bytesReference = new BytesArray(text);
                    }
                } else if (nextToken != XContentParser.Token.VALUE_NULL) {
                    throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected field [{}] value to be null, a string, an array, or an object, but found [{}] instead", str, str2, nextToken);
                }
            } else {
                if (Fields.FIELD_PERMISSIONS.match(str2, xContentParser.getDeprecationHandler())) {
                    if (nextToken != XContentParser.Token.START_OBJECT) {
                        throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected {} or {} but got {} in \"{}\".", str, XContentParser.Token.START_OBJECT, XContentParser.Token.START_ARRAY, nextToken, Fields.FIELD_PERMISSIONS);
                    }
                    XContentParser.Token nextToken2 = xContentParser.nextToken();
                    while (nextToken2 == XContentParser.Token.FIELD_NAME) {
                        str2 = xContentParser.currentName();
                        if (Fields.GRANT_FIELDS.match(str2, xContentParser.getDeprecationHandler())) {
                            xContentParser.nextToken();
                            strArr3 = readStringArray(str, xContentParser, true);
                            if (strArr3 == null) {
                                throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. {} must not be null.", str, Fields.GRANT_FIELDS);
                            }
                        } else {
                            if (!Fields.EXCEPT_FIELDS.match(str2, xContentParser.getDeprecationHandler())) {
                                throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. \"{}\" only accepts options {} and {}, but got: {}", str, Fields.FIELD_PERMISSIONS, Fields.GRANT_FIELDS, Fields.EXCEPT_FIELDS, xContentParser.currentName());
                            }
                            xContentParser.nextToken();
                            strArr4 = readStringArray(str, xContentParser, true);
                            if (strArr4 == null) {
                                throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. {} must not be null.", str, Fields.EXCEPT_FIELDS);
                            }
                        }
                        XContentParser.Token nextToken3 = xContentParser.nextToken();
                        nextToken2 = nextToken3;
                        if (nextToken3 == XContentParser.Token.END_OBJECT) {
                            break;
                        }
                    }
                    if (nextToken2 == XContentParser.Token.END_OBJECT) {
                        throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. \"{}\" must not be empty.", str, Fields.FIELD_PERMISSIONS);
                    }
                    throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. expected {} but got {}.", str, XContentParser.Token.FIELD_NAME, nextToken2);
                }
                if (Fields.PRIVILEGES.match(str2, xContentParser.getDeprecationHandler())) {
                    strArr2 = readStringArray(str, xContentParser, true);
                } else if (Fields.FIELD_PERMISSIONS_2X.match(str2, xContentParser.getDeprecationHandler())) {
                    if (!z) {
                        throw new ElasticsearchParseException("[\"fields\": [...]] format has changed for field permissions in role [{}], use [\"{}\": {\"{}\":[...],\"{}\":[...]}] instead", str, Fields.FIELD_PERMISSIONS, Fields.GRANT_FIELDS, Fields.EXCEPT_FIELDS, str);
                    }
                    strArr3 = readStringArray(str, xContentParser, true);
                } else {
                    if (!Fields.TRANSIENT_METADATA.match(str2, xContentParser.getDeprecationHandler())) {
                        throw new ElasticsearchParseException("failed to parse indices privileges for role [{}]. unexpected field [{}]", str, str2);
                    }
                    if (nextToken != XContentParser.Token.START_OBJECT) {
                        throw new ElasticsearchParseException("failed to parse transient metadata for role [{}]. expected {} but got {} in \"{}\".", str, XContentParser.Token.START_OBJECT, nextToken, Fields.TRANSIENT_METADATA);
                    }
                    do {
                    } while (xContentParser.nextToken() != XContentParser.Token.END_OBJECT);
                }
            }
        }
    }

    private static ApplicationResourcePrivileges[] parseApplicationPrivileges(String str, XContentParser xContentParser) throws IOException {
        if (xContentParser.currentToken() != XContentParser.Token.START_ARRAY) {
            throw new ElasticsearchParseException("failed to parse application privileges for role [{}]. expected field [{}] value to be an array, but found [{}] instead", str, xContentParser.currentName(), xContentParser.currentToken());
        }
        ArrayList arrayList = new ArrayList();
        while (xContentParser.nextToken() != XContentParser.Token.END_ARRAY) {
            arrayList.add(parseApplicationPrivilege(str, xContentParser));
        }
        return (ApplicationResourcePrivileges[]) arrayList.toArray(new ApplicationResourcePrivileges[arrayList.size()]);
    }

    private static ApplicationResourcePrivileges parseApplicationPrivilege(String str, XContentParser xContentParser) throws IOException {
        XContentParser.Token currentToken = xContentParser.currentToken();
        if (currentToken != XContentParser.Token.START_OBJECT) {
            throw new ElasticsearchParseException("failed to parse application privileges for role [{}]. expected field [{}] value to be an array of objects, but found an array element of type [{}]", str, xContentParser.currentName(), currentToken);
        }
        ApplicationResourcePrivileges.Builder builder = (ApplicationResourcePrivileges.Builder) ApplicationResourcePrivileges.PARSER.parse(xContentParser, null);
        if (!builder.hasResources()) {
            throw new ElasticsearchParseException("failed to parse application privileges for role [{}]. missing required [{}] field", str, Fields.RESOURCES.getPreferredName());
        }
        if (builder.hasPrivileges()) {
            return builder.build();
        }
        throw new ElasticsearchParseException("failed to parse application privileges for role [{}]. missing required [{}] field", str, Fields.PRIVILEGES.getPreferredName());
    }

    static {
        $assertionsDisabled = !RoleDescriptor.class.desiredAssertionStatus();
    }
}
