package org.elasticsearch.xpack.core.security.authz.permission;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.util.Accountable;
import org.apache.lucene.util.RamUsageEstimator;
import org.apache.lucene.util.automaton.Automata;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.CharacterRunAutomaton;
import org.apache.lucene.util.automaton.MinimizationOperations;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.FieldSubsetReader;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.support.SecurityQueryTemplateEvaluator;
import org.elasticsearch.xpack.core.security.support.Automatons;
import org.elasticsearch.xpack.core.security.support.CacheKey;

/* loaded from: input_file:lib/x-pack-core-7.17.14.jar:org/elasticsearch/xpack/core/security/authz/permission/FieldPermissions.class */
public final class FieldPermissions implements Accountable, CacheKey {
    public static final FieldPermissions DEFAULT;
    private static final long BASE_FIELD_PERM_DEF_BYTES;
    private static final long BASE_FIELD_GROUP_BYTES;
    private static final long BASE_HASHSET_ENTRY_SIZE;
    private final FieldPermissionsDefinition fieldPermissionsDefinition;

    @Nullable
    private final FieldPermissionsDefinition limitedByFieldPermissionsDefinition;
    private final CharacterRunAutomaton permittedFieldsAutomaton;
    private final boolean permittedFieldsAutomatonIsTotal;
    private final Automaton originalAutomaton;
    private final long ramBytesUsed;
    static final /* synthetic */ boolean $assertionsDisabled;

    public FieldPermissions() {
        this(new FieldPermissionsDefinition(null, null), Automatons.MATCH_ALL);
    }

    public FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition) {
        this(fieldPermissionsDefinition, initializePermittedFieldsAutomaton(fieldPermissionsDefinition));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition, Automaton automaton) {
        this(fieldPermissionsDefinition, null, automaton);
    }

    private FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition, @Nullable FieldPermissionsDefinition fieldPermissionsDefinition2, Automaton automaton) {
        if (!automaton.isDeterministic() && automaton.getNumStates() > 1) {
            throw new IllegalArgumentException("Only accepts deterministic automata");
        }
        this.fieldPermissionsDefinition = (FieldPermissionsDefinition) Objects.requireNonNull(fieldPermissionsDefinition, "field permission definition cannot be null");
        this.limitedByFieldPermissionsDefinition = fieldPermissionsDefinition2;
        this.originalAutomaton = automaton;
        this.permittedFieldsAutomaton = new CharacterRunAutomaton(automaton);
        this.permittedFieldsAutomatonIsTotal = Operations.isTotal(automaton);
        long ramBytesUsedForFieldPermissionsDefinition = BASE_FIELD_PERM_DEF_BYTES + ramBytesUsedForFieldPermissionsDefinition(this.fieldPermissionsDefinition);
        this.ramBytesUsed = (this.limitedByFieldPermissionsDefinition != null ? ramBytesUsedForFieldPermissionsDefinition + ramBytesUsedForFieldPermissionsDefinition(this.limitedByFieldPermissionsDefinition) : ramBytesUsedForFieldPermissionsDefinition) + automaton.ramBytesUsed() + runAutomatonRamBytesUsed(automaton);
    }

    private static long ramBytesUsedForFieldPermissionsDefinition(FieldPermissionsDefinition fieldPermissionsDefinition) {
        long j = 0;
        for (FieldPermissionsDefinition.FieldGrantExcludeGroup fieldGrantExcludeGroup : fieldPermissionsDefinition.getFieldGrantExcludeGroups()) {
            j += BASE_FIELD_GROUP_BYTES + BASE_HASHSET_ENTRY_SIZE;
            if (fieldGrantExcludeGroup.getGrantedFields() != null) {
                j += RamUsageEstimator.shallowSizeOf((Object[]) fieldGrantExcludeGroup.getGrantedFields());
            }
            if (fieldGrantExcludeGroup.getExcludedFields() != null) {
                j += RamUsageEstimator.shallowSizeOf((Object[]) fieldGrantExcludeGroup.getExcludedFields());
            }
        }
        return j;
    }

    private static long runAutomatonRamBytesUsed(Automaton automaton) {
        return automaton.getNumStates() * 5;
    }

    public static Automaton initializePermittedFieldsAutomaton(FieldPermissionsDefinition fieldPermissionsDefinition) {
        Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> fieldGrantExcludeGroups = fieldPermissionsDefinition.getFieldGrantExcludeGroups();
        if ($assertionsDisabled || fieldGrantExcludeGroups.size() > 0) {
            return Automatons.unionAndMinimize((List) fieldGrantExcludeGroups.stream().map(fieldGrantExcludeGroup -> {
                return buildPermittedFieldsAutomaton(fieldGrantExcludeGroup.getGrantedFields(), fieldGrantExcludeGroup.getExcludedFields());
            }).collect(Collectors.toList()));
        }
        throw new AssertionError("there must always be a single group for field inclusion/exclusion");
    }

    public static Automaton buildPermittedFieldsAutomaton(String[] strArr, String[] strArr2) {
        Automaton union = (strArr == null || Arrays.stream(strArr).anyMatch(Regex::isMatchAllPattern)) ? Automatons.MATCH_ALL : Operations.union(Automatons.patterns(strArr), Operations.concatenate(Automata.makeChar(95), Automata.makeAnyString()));
        Automaton patterns = (strArr2 == null || strArr2.length == 0) ? Automatons.EMPTY : Automatons.patterns(strArr2);
        Automaton minimize = MinimizationOperations.minimize(union, 10000);
        Automaton minimize2 = MinimizationOperations.minimize(patterns, 10000);
        if (Operations.subsetOf(minimize2, minimize)) {
            return Automatons.minusAndMinimize(minimize, minimize2);
        }
        throw new ElasticsearchSecurityException("Exceptions for field permissions must be a subset of the granted fields but " + Strings.arrayToCommaDelimitedString(strArr2) + " is not a subset of " + Strings.arrayToCommaDelimitedString(strArr), new Object[0]);
    }

    public FieldPermissions limitFieldPermissions(FieldPermissions fieldPermissions) {
        if (hasFieldLevelSecurity() && fieldPermissions != null && fieldPermissions.hasFieldLevelSecurity()) {
            return new FieldPermissions(this.fieldPermissionsDefinition, fieldPermissions.fieldPermissionsDefinition, Automatons.intersectAndMinimize(getIncludeAutomaton(), fieldPermissions.getIncludeAutomaton()));
        }
        return (fieldPermissions == null || !fieldPermissions.hasFieldLevelSecurity()) ? hasFieldLevelSecurity() ? new FieldPermissions(getFieldPermissionsDefinition(), getIncludeAutomaton()) : DEFAULT : new FieldPermissions(fieldPermissions.getFieldPermissionsDefinition(), fieldPermissions.getIncludeAutomaton());
    }

    public boolean grantsAccessTo(String str) {
        return this.permittedFieldsAutomatonIsTotal || this.permittedFieldsAutomaton.run(str);
    }

    public FieldPermissionsDefinition getFieldPermissionsDefinition() {
        return this.fieldPermissionsDefinition;
    }

    public FieldPermissionsDefinition getLimitedByFieldPermissionsDefinition() {
        return this.limitedByFieldPermissionsDefinition;
    }

    @Override // org.elasticsearch.xpack.core.security.support.CacheKey
    public void buildCacheKey(StreamOutput streamOutput, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext dlsQueryEvaluationContext) throws IOException {
        this.fieldPermissionsDefinition.buildCacheKey(streamOutput, dlsQueryEvaluationContext);
        if (this.limitedByFieldPermissionsDefinition == null) {
            streamOutput.writeBoolean(false);
        } else {
            streamOutput.writeBoolean(true);
            this.limitedByFieldPermissionsDefinition.buildCacheKey(streamOutput, dlsQueryEvaluationContext);
        }
    }

    public boolean hasFieldLevelSecurity() {
        return !this.permittedFieldsAutomatonIsTotal;
    }

    public DirectoryReader filter(DirectoryReader directoryReader) throws IOException {
        return !hasFieldLevelSecurity() ? directoryReader : FieldSubsetReader.wrap(directoryReader, this.permittedFieldsAutomaton);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Automaton getIncludeAutomaton() {
        return this.originalAutomaton;
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        FieldPermissions fieldPermissions = (FieldPermissions) obj;
        return this.permittedFieldsAutomatonIsTotal == fieldPermissions.permittedFieldsAutomatonIsTotal && this.fieldPermissionsDefinition.equals(fieldPermissions.fieldPermissionsDefinition) && Objects.equals(this.limitedByFieldPermissionsDefinition, fieldPermissions.limitedByFieldPermissionsDefinition);
    }

    public int hashCode() {
        return Objects.hash(this.fieldPermissionsDefinition, this.limitedByFieldPermissionsDefinition, Boolean.valueOf(this.permittedFieldsAutomatonIsTotal));
    }

    @Override // org.apache.lucene.util.Accountable
    public long ramBytesUsed() {
        return this.ramBytesUsed;
    }

    static {
        $assertionsDisabled = !FieldPermissions.class.desiredAssertionStatus();
        DEFAULT = new FieldPermissions();
        BASE_FIELD_PERM_DEF_BYTES = RamUsageEstimator.shallowSizeOf(new FieldPermissionsDefinition(null, null));
        BASE_FIELD_GROUP_BYTES = RamUsageEstimator.shallowSizeOf(new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null));
        HashMap hashMap = new HashMap();
        hashMap.put(FieldPermissions.class.getName(), new Object());
        BASE_HASHSET_ENTRY_SIZE = RamUsageEstimator.shallowSizeOf(hashMap.entrySet().iterator().next()) + (2 * RamUsageEstimator.NUM_BYTES_OBJECT_REF);
    }
}
