package org.elasticsearch.xpack.core.security.authz.accesscontrol;

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.core.security.authz.IndicesAndAliasesResolverField;
import org.elasticsearch.xpack.core.security.authz.permission.DocumentPermissions;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
import org.elasticsearch.xpack.core.security.authz.support.SecurityQueryTemplateEvaluator;
import org.elasticsearch.xpack.core.security.support.CacheKey;

/* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.class */
public class IndicesAccessControl {
    public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true, Collections.singletonMap(IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER, new IndexAccessControl(true, new FieldPermissions(), DocumentPermissions.allowAll())));
    public static final IndicesAccessControl DENIED = new IndicesAccessControl(false, Collections.emptyMap());
    private final boolean granted;
    private final Map<String, IndexAccessControl> indexPermissions;

    /* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl$AllowAllIndicesAccessControl.class */
    private static class AllowAllIndicesAccessControl extends IndicesAccessControl {
        private static final IndicesAccessControl INSTANCE = new AllowAllIndicesAccessControl();
        private final IndexAccessControl allowAllIndexAccessControl;

        private AllowAllIndicesAccessControl() {
            super(true, org.elasticsearch.core.Map.of());
            this.allowAllIndexAccessControl = new IndexAccessControl(true, null, null);
        }

        @Override // org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl
        public IndexAccessControl getIndexPermissions(String str) {
            return this.allowAllIndexAccessControl;
        }

        @Override // org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl
        public String toString() {
            return "AllowAllIndicesAccessControl{}";
        }
    }

    /* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl$DlsFlsUsage.class */
    public enum DlsFlsUsage {
        NONE,
        DLS { // from class: org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage.1
            @Override // org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage
            public boolean hasDocumentLevelSecurity() {
                return true;
            }
        },
        FLS { // from class: org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage.2
            @Override // org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage
            public boolean hasFieldLevelSecurity() {
                return true;
            }
        },
        BOTH { // from class: org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage.3
            @Override // org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage
            public boolean hasFieldLevelSecurity() {
                return true;
            }

            @Override // org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.DlsFlsUsage
            public boolean hasDocumentLevelSecurity() {
                return true;
            }
        };

        public boolean hasFieldLevelSecurity() {
            return false;
        }

        public boolean hasDocumentLevelSecurity() {
            return false;
        }
    }

    /* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl$IndexAccessControl.class */
    public static class IndexAccessControl implements CacheKey {
        private final boolean granted;
        private final FieldPermissions fieldPermissions;
        private final DocumentPermissions documentPermissions;

        public IndexAccessControl(boolean z, FieldPermissions fieldPermissions, DocumentPermissions documentPermissions) {
            this.granted = z;
            this.fieldPermissions = fieldPermissions == null ? FieldPermissions.DEFAULT : fieldPermissions;
            this.documentPermissions = documentPermissions == null ? DocumentPermissions.allowAll() : documentPermissions;
        }

        public boolean isGranted() {
            return this.granted;
        }

        public FieldPermissions getFieldPermissions() {
            return this.fieldPermissions;
        }

        @Nullable
        public DocumentPermissions getDocumentPermissions() {
            return this.documentPermissions;
        }

        public IndexAccessControl limitIndexAccessControl(IndexAccessControl indexAccessControl) {
            return new IndexAccessControl(this.granted == indexAccessControl.granted ? this.granted : false, getFieldPermissions().limitFieldPermissions(indexAccessControl.fieldPermissions), getDocumentPermissions().limitDocumentPermissions(indexAccessControl.getDocumentPermissions()));
        }

        public String toString() {
            return "IndexAccessControl{granted=" + this.granted + ", fieldPermissions=" + this.fieldPermissions + ", documentPermissions=" + this.documentPermissions + '}';
        }

        @Override // org.elasticsearch.xpack.core.security.support.CacheKey
        public void buildCacheKey(StreamOutput streamOutput, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext dlsQueryEvaluationContext) throws IOException {
            if (this.documentPermissions.hasDocumentLevelPermissions()) {
                streamOutput.writeBoolean(true);
                this.documentPermissions.buildCacheKey(streamOutput, dlsQueryEvaluationContext);
            } else {
                streamOutput.writeBoolean(false);
            }
            if (!this.fieldPermissions.hasFieldLevelSecurity()) {
                streamOutput.writeBoolean(false);
            } else {
                streamOutput.writeBoolean(true);
                this.fieldPermissions.buildCacheKey(streamOutput, dlsQueryEvaluationContext);
            }
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            IndexAccessControl indexAccessControl = (IndexAccessControl) obj;
            return this.granted == indexAccessControl.granted && Objects.equals(this.fieldPermissions, indexAccessControl.fieldPermissions) && Objects.equals(this.documentPermissions, indexAccessControl.documentPermissions);
        }

        public int hashCode() {
            return Objects.hash(Boolean.valueOf(this.granted), this.fieldPermissions, this.documentPermissions);
        }
    }

    public IndicesAccessControl(boolean z, Map<String, IndexAccessControl> map) {
        this.granted = z;
        this.indexPermissions = (Map) Objects.requireNonNull(map);
    }

    @Nullable
    public IndexAccessControl getIndexPermissions(String str) {
        return this.indexPermissions.get(str);
    }

    public boolean isGranted() {
        return this.granted;
    }

    public Collection<?> getDeniedIndices() {
        return Collections.unmodifiableSet((Set) this.indexPermissions.entrySet().stream().filter(entry -> {
            return !((IndexAccessControl) entry.getValue()).granted;
        }).map((v0) -> {
            return v0.getKey();
        }).collect(Collectors.toSet()));
    }

    public DlsFlsUsage getFieldAndDocumentLevelSecurityUsage() {
        boolean z = false;
        boolean z2 = false;
        for (IndexAccessControl indexAccessControl : this.indexPermissions.values()) {
            if (indexAccessControl.fieldPermissions.hasFieldLevelSecurity()) {
                z = true;
            }
            if (indexAccessControl.documentPermissions.hasDocumentLevelPermissions()) {
                z2 = true;
            }
            if (z && z2) {
                return DlsFlsUsage.BOTH;
            }
        }
        return z ? DlsFlsUsage.FLS : z2 ? DlsFlsUsage.DLS : DlsFlsUsage.NONE;
    }

    public List<String> getIndicesWithFieldOrDocumentLevelSecurity() {
        return getIndexNames(indexAccessControl -> {
            return indexAccessControl.fieldPermissions.hasFieldLevelSecurity() || indexAccessControl.documentPermissions.hasDocumentLevelPermissions();
        });
    }

    public List<String> getIndicesWithFieldLevelSecurity() {
        return getIndexNames(indexAccessControl -> {
            return indexAccessControl.fieldPermissions.hasFieldLevelSecurity();
        });
    }

    public List<String> getIndicesWithDocumentLevelSecurity() {
        return getIndexNames(indexAccessControl -> {
            return indexAccessControl.documentPermissions.hasDocumentLevelPermissions();
        });
    }

    private List<String> getIndexNames(Predicate<IndexAccessControl> predicate) {
        return (List) this.indexPermissions.entrySet().stream().filter(entry -> {
            return predicate.test((IndexAccessControl) entry.getValue());
        }).map((v0) -> {
            return v0.getKey();
        }).collect(Collectors.toList());
    }

    public IndicesAccessControl limitIndicesAccessControl(IndicesAccessControl indicesAccessControl) {
        if (this instanceof AllowAllIndicesAccessControl) {
            return indicesAccessControl;
        }
        if (indicesAccessControl instanceof AllowAllIndicesAccessControl) {
            return this;
        }
        boolean z = this.granted == indicesAccessControl.granted ? this.granted : false;
        Set<String> intersection = Sets.intersection(this.indexPermissions.keySet(), indicesAccessControl.indexPermissions.keySet());
        HashMap hashMap = new HashMap(intersection.size());
        for (String str : intersection) {
            hashMap.put(str, getIndexPermissions(str).limitIndexAccessControl(indicesAccessControl.getIndexPermissions(str)));
        }
        return new IndicesAccessControl(z, hashMap);
    }

    public String toString() {
        return "IndicesAccessControl{granted=" + this.granted + ", indexPermissions=" + this.indexPermissions + '}';
    }

    public static IndicesAccessControl allowAll() {
        return AllowAllIndicesAccessControl.INSTANCE;
    }
}
