package org.elasticsearch.xpack.core.security.authz.permission;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.lucene.index.DirectoryReader;
import org.apache.lucene.util.Accountable;
import org.apache.lucene.util.RamUsageEstimator;
import org.apache.lucene.util.automaton.Automata;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.CharacterRunAutomaton;
import org.apache.lucene.util.automaton.MinimizationOperations;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.xpack.core.ml.action.util.PageParams;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.FieldSubsetReader;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/permission/FieldPermissions.class */
public final class FieldPermissions implements Accountable {
    public static final FieldPermissions DEFAULT;
    private static final long BASE_FIELD_PERM_DEF_BYTES;
    private static final long BASE_FIELD_GROUP_BYTES;
    private static final long BASE_HASHSET_SIZE;
    private static final long BASE_HASHSET_ENTRY_SIZE;
    private final FieldPermissionsDefinition fieldPermissionsDefinition;
    private final CharacterRunAutomaton permittedFieldsAutomaton;
    private final boolean permittedFieldsAutomatonIsTotal;
    private final Automaton originalAutomaton;
    private final long ramBytesUsed;
    static final /* synthetic */ boolean $assertionsDisabled;

    public FieldPermissions() {
        this(new FieldPermissionsDefinition(null, null), Automatons.MATCH_ALL);
    }

    public FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition) {
        this(fieldPermissionsDefinition, initializePermittedFieldsAutomaton(fieldPermissionsDefinition));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FieldPermissions(FieldPermissionsDefinition fieldPermissionsDefinition, Automaton automaton) {
        if (!automaton.isDeterministic() && automaton.getNumStates() > 1) {
            throw new IllegalArgumentException("Only accepts deterministic automata");
        }
        this.fieldPermissionsDefinition = fieldPermissionsDefinition;
        this.originalAutomaton = automaton;
        this.permittedFieldsAutomaton = new CharacterRunAutomaton(automaton);
        this.permittedFieldsAutomatonIsTotal = Operations.isTotal(automaton);
        long j = BASE_FIELD_PERM_DEF_BYTES;
        for (FieldPermissionsDefinition.FieldGrantExcludeGroup fieldGrantExcludeGroup : fieldPermissionsDefinition.getFieldGrantExcludeGroups()) {
            j += BASE_FIELD_GROUP_BYTES + BASE_HASHSET_ENTRY_SIZE;
            j = fieldGrantExcludeGroup.getGrantedFields() != null ? j + RamUsageEstimator.shallowSizeOf(fieldGrantExcludeGroup.getGrantedFields()) : j;
            if (fieldGrantExcludeGroup.getExcludedFields() != null) {
                j += RamUsageEstimator.shallowSizeOf(fieldGrantExcludeGroup.getExcludedFields());
            }
        }
        this.ramBytesUsed = j + automaton.ramBytesUsed() + runAutomatonRamBytesUsed(automaton);
    }

    private static long runAutomatonRamBytesUsed(Automaton automaton) {
        return automaton.getNumStates() * 5;
    }

    public static Automaton initializePermittedFieldsAutomaton(FieldPermissionsDefinition fieldPermissionsDefinition) {
        Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> fieldGrantExcludeGroups = fieldPermissionsDefinition.getFieldGrantExcludeGroups();
        if ($assertionsDisabled || fieldGrantExcludeGroups.size() > 0) {
            return Automatons.unionAndMinimize((List) fieldGrantExcludeGroups.stream().map(fieldGrantExcludeGroup -> {
                return initializePermittedFieldsAutomaton(fieldGrantExcludeGroup.getGrantedFields(), fieldGrantExcludeGroup.getExcludedFields());
            }).collect(Collectors.toList()));
        }
        throw new AssertionError("there must always be a single group for field inclusion/exclusion");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Automaton initializePermittedFieldsAutomaton(String[] strArr, String[] strArr2) {
        Automaton union = (strArr == null || Arrays.stream(strArr).anyMatch(Regex::isMatchAllPattern)) ? Automatons.MATCH_ALL : Operations.union(Automatons.patterns(strArr), Operations.concatenate(Automata.makeChar(95), Automata.makeAnyString()));
        Automaton patterns = (strArr2 == null || strArr2.length == 0) ? Automatons.EMPTY : Automatons.patterns(strArr2);
        Automaton minimize = MinimizationOperations.minimize(union, PageParams.MAX_FROM_SIZE_SUM);
        Automaton minimize2 = MinimizationOperations.minimize(patterns, PageParams.MAX_FROM_SIZE_SUM);
        if (!Operations.subsetOf(minimize2, minimize)) {
            throw new ElasticsearchSecurityException("Exceptions for field permissions must be a subset of the granted fields but " + Strings.arrayToCommaDelimitedString(strArr2) + " is not a subset of " + Strings.arrayToCommaDelimitedString(strArr), new Object[0]);
        }
        if (!containsAllField(strArr) && !containsAllField(strArr2) && (!Operations.isTotal(minimize) || !Operations.isEmpty(minimize2))) {
            minimize2 = Operations.union(minimize2, Automata.makeString("_all"));
        }
        return Automatons.minusAndMinimize(minimize, minimize2);
    }

    private static boolean containsAllField(String[] strArr) {
        if (strArr != null) {
            String str = "_all";
            if (Arrays.stream(strArr).anyMatch((v1) -> {
                return r1.equals(v1);
            })) {
                return true;
            }
        }
        return false;
    }

    public boolean grantsAccessTo(String str) {
        return this.permittedFieldsAutomatonIsTotal || this.permittedFieldsAutomaton.run(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FieldPermissionsDefinition getFieldPermissionsDefinition() {
        return this.fieldPermissionsDefinition;
    }

    public boolean hasFieldLevelSecurity() {
        return !this.permittedFieldsAutomatonIsTotal;
    }

    public DirectoryReader filter(DirectoryReader directoryReader) throws IOException {
        return !hasFieldLevelSecurity() ? directoryReader : FieldSubsetReader.wrap(directoryReader, this.permittedFieldsAutomaton);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Automaton getIncludeAutomaton() {
        return this.originalAutomaton;
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        FieldPermissions fieldPermissions = (FieldPermissions) obj;
        if (this.permittedFieldsAutomatonIsTotal != fieldPermissions.permittedFieldsAutomatonIsTotal) {
            return false;
        }
        return this.fieldPermissionsDefinition != null ? this.fieldPermissionsDefinition.equals(fieldPermissions.fieldPermissionsDefinition) : fieldPermissions.fieldPermissionsDefinition == null;
    }

    public int hashCode() {
        return (31 * (this.fieldPermissionsDefinition != null ? this.fieldPermissionsDefinition.hashCode() : 0)) + (this.permittedFieldsAutomatonIsTotal ? 1 : 0);
    }

    public long ramBytesUsed() {
        return this.ramBytesUsed;
    }

    static {
        $assertionsDisabled = !FieldPermissions.class.desiredAssertionStatus();
        DEFAULT = new FieldPermissions();
        BASE_FIELD_PERM_DEF_BYTES = RamUsageEstimator.shallowSizeOf(new FieldPermissionsDefinition(null, null));
        BASE_FIELD_GROUP_BYTES = RamUsageEstimator.shallowSizeOf(new FieldPermissionsDefinition.FieldGrantExcludeGroup(null, null));
        BASE_HASHSET_SIZE = RamUsageEstimator.shallowSizeOfInstance(HashSet.class);
        HashMap hashMap = new HashMap();
        hashMap.put(FieldPermissions.class.getName(), new Object());
        BASE_HASHSET_ENTRY_SIZE = RamUsageEstimator.shallowSizeOf(hashMap.entrySet().iterator().next()) + (2 * RamUsageEstimator.NUM_BYTES_OBJECT_REF);
    }
}
