package org.elasticsearch.xpack.core.security.authz.permission;

import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.lucene.search.BooleanClause;
import org.apache.lucene.search.BooleanQuery;
import org.apache.lucene.search.Query;
import org.apache.lucene.search.join.ToChildBlockJoinQuery;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.lucene.search.Queries;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.Rewriteable;
import org.elasticsearch.index.query.SearchExecutionContext;
import org.elasticsearch.index.search.NestedHelper;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.core.security.authz.support.SecurityQueryTemplateEvaluator;
import org.elasticsearch.xpack.core.security.support.CacheKey;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:lib/x-pack-core-7.17.18.jar:org/elasticsearch/xpack/core/security/authz/permission/DocumentPermissions.class */
public final class DocumentPermissions implements CacheKey {
    private final SortedSet<BytesReference> queries;
    private final SortedSet<BytesReference> limitedByQueries;
    private List<String> evaluatedQueries;
    private List<String> evaluatedLimitedByQueries;
    private static DocumentPermissions ALLOW_ALL;
    static final /* synthetic */ boolean $assertionsDisabled;

    DocumentPermissions() {
        this.queries = null;
        this.limitedByQueries = null;
    }

    DocumentPermissions(Set<BytesReference> set) {
        this(set, null);
    }

    DocumentPermissions(Set<BytesReference> set, Set<BytesReference> set2) {
        if (set == null && set2 == null) {
            throw new IllegalArgumentException("one of the queries or scoped queries must be provided");
        }
        this.queries = set != null ? new TreeSet(set) : null;
        this.limitedByQueries = set2 != null ? new TreeSet(set2) : null;
    }

    public Set<BytesReference> getQueries() {
        if (this.queries == null) {
            return null;
        }
        return org.elasticsearch.core.Set.copyOf(this.queries);
    }

    public Set<BytesReference> getLimitedByQueries() {
        if (this.limitedByQueries == null) {
            return null;
        }
        return org.elasticsearch.core.Set.copyOf(this.limitedByQueries);
    }

    public boolean hasDocumentLevelPermissions() {
        return (this.queries == null && this.limitedByQueries == null) ? false : true;
    }

    public boolean hasStoredScript() throws IOException {
        if (this.queries != null) {
            Iterator<BytesReference> it = this.queries.iterator();
            while (it.hasNext()) {
                if (DLSRoleQueryValidator.hasStoredScript(it.next(), NamedXContentRegistry.EMPTY)) {
                    return true;
                }
            }
        }
        if (this.limitedByQueries == null) {
            return false;
        }
        Iterator<BytesReference> it2 = this.limitedByQueries.iterator();
        while (it2.hasNext()) {
            if (DLSRoleQueryValidator.hasStoredScript(it2.next(), NamedXContentRegistry.EMPTY)) {
                return true;
            }
        }
        return false;
    }

    public BooleanQuery filter(User user, ScriptService scriptService, ShardId shardId, Function<ShardId, SearchExecutionContext> function) throws IOException {
        BooleanQuery.Builder builder;
        if (!hasDocumentLevelPermissions()) {
            return null;
        }
        evaluateQueries(SecurityQueryTemplateEvaluator.wrap(user, scriptService));
        if (this.evaluatedQueries != null && this.evaluatedLimitedByQueries != null) {
            builder = new BooleanQuery.Builder();
            BooleanQuery.Builder builder2 = new BooleanQuery.Builder();
            buildRoleQuery(shardId, function, this.evaluatedLimitedByQueries, builder2);
            builder.add(builder2.build(), BooleanClause.Occur.FILTER);
            buildRoleQuery(shardId, function, this.evaluatedQueries, builder);
        } else if (this.evaluatedQueries != null) {
            builder = new BooleanQuery.Builder();
            buildRoleQuery(shardId, function, this.evaluatedQueries, builder);
        } else {
            if (this.evaluatedLimitedByQueries == null) {
                if ($assertionsDisabled) {
                    return null;
                }
                throw new AssertionError("one of queries and limited-by queries must be non-null");
            }
            builder = new BooleanQuery.Builder();
            buildRoleQuery(shardId, function, this.evaluatedLimitedByQueries, builder);
        }
        return builder.build();
    }

    private void evaluateQueries(SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext dlsQueryEvaluationContext) {
        if (this.queries != null && this.evaluatedQueries == null) {
            Stream stream = this.queries.stream();
            Objects.requireNonNull(dlsQueryEvaluationContext);
            this.evaluatedQueries = (List) stream.map(dlsQueryEvaluationContext::evaluate).collect(Collectors.toList());
        }
        if (this.limitedByQueries == null || this.evaluatedLimitedByQueries != null) {
            return;
        }
        Stream stream2 = this.limitedByQueries.stream();
        Objects.requireNonNull(dlsQueryEvaluationContext);
        this.evaluatedLimitedByQueries = (List) stream2.map(dlsQueryEvaluationContext::evaluate).collect(Collectors.toList());
    }

    private static void buildRoleQuery(ShardId shardId, Function<ShardId, SearchExecutionContext> function, List<String> list, BooleanQuery.Builder builder) throws IOException {
        for (String str : list) {
            SearchExecutionContext apply = function.apply(shardId);
            QueryBuilder evaluateAndVerifyRoleQuery = DLSRoleQueryValidator.evaluateAndVerifyRoleQuery(str, apply.getXContentRegistry());
            if (evaluateAndVerifyRoleQuery != null) {
                failIfQueryUsesClient(evaluateAndVerifyRoleQuery, apply);
                Query query = apply.toQuery(evaluateAndVerifyRoleQuery).query();
                builder.add(query, BooleanClause.Occur.SHOULD);
                if (apply.hasNested()) {
                    Objects.requireNonNull(apply);
                    Function function2 = apply::getObjectMapper;
                    Objects.requireNonNull(apply);
                    if (new NestedHelper(function2, apply::isFieldMapped).mightMatchNestedDocs(query)) {
                        query = new BooleanQuery.Builder().add(query, BooleanClause.Occur.FILTER).add(Queries.newNonNestedFilter(apply.indexVersionCreated()), BooleanClause.Occur.FILTER).build();
                    }
                    builder.add(new ToChildBlockJoinQuery(query, apply.bitsetFilter(Queries.newNonNestedFilter(apply.indexVersionCreated()))), BooleanClause.Occur.SHOULD);
                }
            }
        }
        builder.setMinimumNumberShouldMatch(1);
    }

    static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext queryRewriteContext) throws IOException {
        NamedXContentRegistry xContentRegistry = queryRewriteContext.getXContentRegistry();
        NamedWriteableRegistry writeableRegistry = queryRewriteContext.getWriteableRegistry();
        Objects.requireNonNull(queryRewriteContext);
        QueryRewriteContext queryRewriteContext2 = new QueryRewriteContext(xContentRegistry, writeableRegistry, null, queryRewriteContext::nowInMillis);
        Rewriteable.rewrite(queryBuilder, queryRewriteContext2);
        if (queryRewriteContext2.hasAsyncActions()) {
            throw new IllegalStateException("role queries are not allowed to execute additional requests");
        }
    }

    public static DocumentPermissions filteredBy(Set<BytesReference> set) {
        if (set == null || set.isEmpty()) {
            throw new IllegalArgumentException("null or empty queries not permitted");
        }
        return new DocumentPermissions(set);
    }

    public static DocumentPermissions allowAll() {
        return ALLOW_ALL;
    }

    public DocumentPermissions limitDocumentPermissions(DocumentPermissions documentPermissions) {
        if ($assertionsDisabled || (this.limitedByQueries == null && documentPermissions.limitedByQueries == null)) {
            return (this.queries == null && documentPermissions.queries == null) ? allowAll() : new DocumentPermissions(this.queries, documentPermissions.queries);
        }
        throw new AssertionError("nested scoping for document permissions is not permitted");
    }

    public String toString() {
        return "DocumentPermissions [queries=" + this.queries + ", scopedByQueries=" + this.limitedByQueries + "]";
    }

    @Override // org.elasticsearch.xpack.core.security.support.CacheKey
    public void buildCacheKey(StreamOutput streamOutput, SecurityQueryTemplateEvaluator.DlsQueryEvaluationContext dlsQueryEvaluationContext) throws IOException {
        if (!$assertionsDisabled) {
            if (false != (this.queries == null && this.limitedByQueries == null)) {
                throw new AssertionError("one of queries and limited-by queries must be non-null");
            }
        }
        evaluateQueries(dlsQueryEvaluationContext);
        if (this.evaluatedQueries != null) {
            streamOutput.writeBoolean(true);
            streamOutput.writeCollection(this.evaluatedQueries, (v0, v1) -> {
                v0.writeString(v1);
            });
        } else {
            streamOutput.writeBoolean(false);
        }
        if (this.evaluatedLimitedByQueries == null) {
            streamOutput.writeBoolean(false);
        } else {
            streamOutput.writeBoolean(true);
            streamOutput.writeCollection(this.evaluatedLimitedByQueries, (v0, v1) -> {
                v0.writeString(v1);
            });
        }
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        DocumentPermissions documentPermissions = (DocumentPermissions) obj;
        return Objects.equals(this.queries, documentPermissions.queries) && Objects.equals(this.limitedByQueries, documentPermissions.limitedByQueries);
    }

    public int hashCode() {
        return Objects.hash(this.queries, this.limitedByQueries);
    }

    static {
        $assertionsDisabled = !DocumentPermissions.class.desiredAssertionStatus();
        ALLOW_ALL = new DocumentPermissions();
    }
}
