package org.elasticsearch.xpack.security.authz.permission;

import dk.brics.automaton.Automaton;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.index.mapper.MapperService;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.support.Automatons;
import org.elasticsearch.xpack.watcher.watch.Watch;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/permission/FieldPermissions.class */
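/**
 * Field-level permissions for a role: a list of granted field-name patterns minus a list of
 * denied ("except") patterns, compiled into an automaton that decides, per field name, whether
 * access is permitted.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The automaton is built once, at construction. The pattern arrays are kept only for
 *       serialisation, rendering and equality, so they are copied on the way in; otherwise a
 *       caller that later modified its array could make the serialised permission differ from
 *       the one actually enforced.</li>
 *   <li>{@link #merge} produces the <em>union</em> of two permissions, i.e. the most permissive
 *       combination. A field denied by one side is still permitted if the other side grants it.</li>
 *   <li>The field named by {@link #ALL_FIELD_NAME} is handled separately from the automaton, see
 *       {@link #resolveAllowedFields}.</li>
 * </ul>
 */
public class FieldPermissions implements Writeable, ToXContent {

    /**
     * Name of the special field that is only exposed when it is granted by its exact name.
     *
     * NOTE(review): this listing takes the value from the watcher module's {@code Watch} class.
     * That cross-module reference looks like a decompiler resolving an inlined string constant;
     * confirm against the original source that this is the intended field-name constant.
     */
    private static final String ALL_FIELD_NAME = Watch.ALL_ACTIONS_ID;

    // Granted / denied patterns as supplied at construction; either may be null.
    // Not final because MergedFieldPermissions overwrites them after the implicit super() call.
    String[] grantedFieldsArray;
    String[] deniedFieldsArray;
    // Accepts exactly the field names this permission grants access to.
    Automaton permittedFieldsAutomaton;
    // True only when ALL_FIELD_NAME is granted by exact name and not denied by exact name.
    boolean allFieldIsAllowed;

    /**
     * Result of {@link FieldPermissions#merge}: holds only the merged automaton and the merged
     * {@code allFieldIsAllowed} flag. The original pattern lists are not kept, so every operation
     * that needs them (serialisation, rendering, the array getters) throws
     * {@link UnsupportedOperationException}.
     */
    public static class MergedFieldPermissions extends FieldPermissions {

        /**
         * @param automaton         the merged automaton; must not be null (checked with an assertion)
         * @param allFieldIsAllowed the merged flag for {@link FieldPermissions#ALL_FIELD_NAME}
         */
        public MergedFieldPermissions(Automaton automaton, boolean allFieldIsAllowed) {
            // The implicit super() call has already initialised the fields for "no restrictions";
            // they are replaced below.
            assert automaton != null;
            this.permittedFieldsAutomaton = automaton;
            this.grantedFieldsArray = null;
            this.deniedFieldsArray = null;
            this.allFieldIsAllowed = allFieldIsAllowed;
        }

        @Override
        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            throw new UnsupportedOperationException("Cannot build xcontent for merged field permissions");
        }

        @Override
        public String toString() {
            throw new UnsupportedOperationException("Cannot build string for merged field permissions");
        }

        @Override
        public void writeTo(StreamOutput streamOutput) throws IOException {
            throw new UnsupportedOperationException("Cannot stream for merged field permissions");
        }

        @Override
        @Nullable
        public String[] getGrantedFieldsArray() {
            throw new UnsupportedOperationException("Merged field permissions does not maintain sets");
        }

        @Override
        @Nullable
        public String[] getDeniedFieldsArray() {
            throw new UnsupportedOperationException("Merged field permissions does not maintain sets");
        }
    }

    /**
     * Reads the granted and denied pattern arrays (each optional) from the stream, in that order,
     * and builds the permission from them. The same subset validation as the array constructor
     * applies, so a stream carrying an inconsistent pair is rejected with an exception.
     */
    public FieldPermissions(StreamInput streamInput) throws IOException {
        this(streamInput.readOptionalStringArray(), streamInput.readOptionalStringArray());
    }

    /**
     * @param grantedFields patterns of granted fields; {@code null} means every field is granted
     * @param deniedFields  patterns of fields excepted from the grant; {@code null} means none
     * @throws ElasticsearchSecurityException if the denied patterns are not a subset of the granted ones
     */
    public FieldPermissions(@Nullable String[] grantedFields, @Nullable String[] deniedFields) {
        // Defensive copies: the automaton below is derived once from these values, so the stored
        // arrays must not be changeable by the caller afterwards.
        this.grantedFieldsArray = grantedFields == null ? null : grantedFields.clone();
        this.deniedFieldsArray = deniedFields == null ? null : deniedFields.clone();
        this.permittedFieldsAutomaton = initializePermittedFieldsAutomaton(this.grantedFieldsArray, this.deniedFieldsArray);
        this.allFieldIsAllowed = checkAllFieldIsAllowed(this.grantedFieldsArray, this.deniedFieldsArray);
    }

    /**
     * Decides whether {@link #ALL_FIELD_NAME} may be exposed. An exact-name entry in the denied
     * list always wins; otherwise an exact-name entry in the granted list is required. Only
     * literal equality is tested here, so a wildcard grant does not set the flag.
     */
    private static boolean checkAllFieldIsAllowed(String[] grantedFields, String[] deniedFields) {
        if (deniedFields != null) {
            for (String denied : deniedFields) {
                if (ALL_FIELD_NAME.equals(denied)) {
                    return false;
                }
            }
        }
        if (grantedFields == null) {
            return false;
        }
        for (String granted : grantedFields) {
            if (ALL_FIELD_NAME.equals(granted)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Builds the automaton for "granted minus denied".
     *
     * <p>A {@code null} grant list, or one containing a match-all pattern, grants everything. A
     * {@code null} or empty deny list denies nothing. A non-null but empty grant list is passed to
     * {@code Automatons.patterns} as is; what that yields depends on that helper.
     *
     * @throws ElasticsearchSecurityException if some denied pattern matches a name the grant does
     *         not cover; the message lists both pattern arrays
     */
    private static Automaton initializePermittedFieldsAutomaton(String[] grantedFields, String[] deniedFields) {
        Automaton grantedAutomaton = (grantedFields == null || containsWildcard(grantedFields))
                ? Automatons.MATCH_ALL
                : Automatons.patterns(grantedFields);
        Automaton deniedAutomaton = (deniedFields == null || deniedFields.length == 0)
                ? Automatons.EMPTY
                : Automatons.patterns(deniedFields);
        if (!deniedAutomaton.subsetOf(grantedAutomaton)) {
            throw new ElasticsearchSecurityException("Exceptions for field permissions must be a subset of the granted fields but " + Arrays.toString(deniedFields) + " is not a subset of " + Arrays.toString(grantedFields), new Object[0]);
        }
        Automaton permitted = grantedAutomaton.minus(deniedAutomaton);
        permitted.minimize();
        return permitted;
    }

    /** Returns true if any of the given patterns is a match-all pattern. */
    private static boolean containsWildcard(String[] patterns) {
        for (String pattern : patterns) {
            if (Regex.isMatchAllPattern(pattern)) {
                return true;
            }
        }
        return false;
    }

    /** Creates a permission with neither a grant list nor a deny list, i.e. no field restrictions. */
    public FieldPermissions() {
        this(null, null);
    }

    /** Writes the granted and then the denied pattern array, each as an optional string array. */
    @Override
    public void writeTo(StreamOutput streamOutput) throws IOException {
        streamOutput.writeOptionalStringArray(this.grantedFieldsArray);
        streamOutput.writeOptionalStringArray(this.deniedFieldsArray);
    }

    /** Returns the internal granted-pattern array (not a copy); callers must not modify it. */
    @Nullable
    String[] getGrantedFieldsArray() {
        return this.grantedFieldsArray;
    }

    /** Returns the internal denied-pattern array (not a copy); callers must not modify it. */
    @Nullable
    String[] getDeniedFieldsArray() {
        return this.deniedFieldsArray;
    }

    /** Renders both pattern lists; returns an empty string when neither list is set. */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        if (this.grantedFieldsArray != null || this.deniedFieldsArray != null) {
            sb.append(RoleDescriptor.Fields.FIELD_PERMISSIONS).append("=[");
            if (this.grantedFieldsArray == null) {
                sb.append(RoleDescriptor.Fields.GRANT_FIELDS).append("=null");
            } else {
                sb.append(RoleDescriptor.Fields.GRANT_FIELDS).append("=[").append(Strings.arrayToCommaDelimitedString(this.grantedFieldsArray));
                sb.append("]");
            }
            if (this.deniedFieldsArray == null) {
                sb.append(", ").append(RoleDescriptor.Fields.EXCEPT_FIELDS).append("=null");
            } else {
                sb.append(", ").append(RoleDescriptor.Fields.EXCEPT_FIELDS).append("=[").append(Strings.arrayToCommaDelimitedString(this.deniedFieldsArray));
                sb.append("]");
            }
            sb.append("]");
        }
        return sb.toString();
    }

    /**
     * Writes the field-permissions object with whichever of the two arrays is non-null; writes
     * nothing at all when both are null.
     */
    @Override
    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        if (this.grantedFieldsArray != null || this.deniedFieldsArray != null) {
            xContentBuilder.startObject(RoleDescriptor.Fields.FIELD_PERMISSIONS.getPreferredName());
            if (this.grantedFieldsArray != null) {
                xContentBuilder.array(RoleDescriptor.Fields.GRANT_FIELDS.getPreferredName(), this.grantedFieldsArray);
            }
            if (this.deniedFieldsArray != null) {
                xContentBuilder.array(RoleDescriptor.Fields.EXCEPT_FIELDS.getPreferredName(), this.deniedFieldsArray);
            }
            xContentBuilder.endObject();
        }
        return xContentBuilder;
    }

    /**
     * Returns whether the automaton accepts the given field name. This is the automaton answer
     * only; the additional rule for {@link #ALL_FIELD_NAME} is applied in
     * {@link #resolveAllowedFields}, not here.
     */
    public boolean grantsAccessTo(String fieldName) {
        // A total automaton accepts every string, so the run can be skipped.
        if (this.permittedFieldsAutomaton.isTotal()) {
            return true;
        }
        return this.permittedFieldsAutomaton.run(fieldName);
    }

    /**
     * Combines two permissions into one that permits every field either of them permits.
     * The result is a union, never an intersection: a deny list on one side does not restrict
     * what the other side grants, and the {@code allFieldIsAllowed} flags are OR-ed.
     */
    public static FieldPermissions merge(FieldPermissions fieldPermissions, FieldPermissions fieldPermissions2) {
        Automaton union = fieldPermissions.permittedFieldsAutomaton.union(fieldPermissions2.permittedFieldsAutomaton);
        union.minimize();
        return new MergedFieldPermissions(union, fieldPermissions.allFieldIsAllowed || fieldPermissions2.allFieldIsAllowed);
    }

    /** Returns true unless the automaton accepts every field name. */
    public boolean hasFieldLevelSecurity() {
        return !this.permittedFieldsAutomaton.isTotal();
    }

    /**
     * Computes the concrete set of field names that may be exposed.
     *
     * <p>Every entry of {@code alwaysAllowedFields} is included without being checked against the
     * automaton, so callers must pass only names that are safe to expose regardless of the role.
     * Fields known to the mapper service are included when the automaton accepts them. Finally,
     * {@link #ALL_FIELD_NAME} is removed unless it was granted by exact name, even if it was in
     * {@code alwaysAllowedFields} or accepted by a pattern.
     *
     * @return a new mutable set; the input set is not modified
     */
    public Set<String> resolveAllowedFields(Set<String> alwaysAllowedFields, MapperService mapperService) {
        Set<String> allowed = new HashSet<>(alwaysAllowedFields);
        for (String fieldName : mapperService.simpleMatchToIndexNames("*")) {
            if (grantsAccessTo(fieldName)) {
                allowed.add(fieldName);
            }
        }
        // NOTE(review): presumably this field aggregates the content of other fields, which is
        // why a pattern match alone is not enough to expose it; confirm against the mapper docs.
        if (!this.allFieldIsAllowed) {
            allowed.remove(ALL_FIELD_NAME);
        }
        return allowed;
    }

    /** Equal when the runtime classes, the flag, both pattern arrays and the automaton all match. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        FieldPermissions other = (FieldPermissions) obj;
        return this.allFieldIsAllowed == other.allFieldIsAllowed
                && Arrays.equals(this.grantedFieldsArray, other.grantedFieldsArray)
                && Arrays.equals(this.deniedFieldsArray, other.deniedFieldsArray)
                && this.permittedFieldsAutomaton.equals(other.permittedFieldsAutomaton);
    }

    @Override
    public int hashCode() {
        int result = Arrays.hashCode(this.grantedFieldsArray);
        result = 31 * result + Arrays.hashCode(this.deniedFieldsArray);
        result = 31 * result + this.permittedFieldsAutomaton.hashCode();
        result = 31 * result + (this.allFieldIsAllowed ? 1 : 0);
        return result;
    }
}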
