package org.elasticsearch.entitlement.initialization;

import java.nio.file.Path;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.elasticsearch.core.Strings;
import org.elasticsearch.entitlement.runtime.policy.FileAccessTree;
import org.elasticsearch.entitlement.runtime.policy.PathLookup;
import org.elasticsearch.entitlement.runtime.policy.Policy;
import org.elasticsearch.entitlement.runtime.policy.Scope;
import org.elasticsearch.entitlement.runtime.policy.entitlements.FilesEntitlement;

/* loaded from: input_file:org/elasticsearch/entitlement/initialization/FilesEntitlementsValidation.class */
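class FilesEntitlementsValidation {
    FilesEntitlementsValidation() {
    }

    /**
     * Rejects policies whose file entitlements grant access to protected base directories.
     *
     * <p>Two deny-sets are built from {@code pathLookup}: the PLUGINS, MODULES and LIB base
     * directories must not be readable, and the CONFIG base directories must not be writable.
     * For every scope of every policy, the first {@link FilesEntitlement} found is turned into
     * a {@link FileAccessTree} and probed against both sets.
     *
     * <p>Review caveats for anyone relying on this as a security boundary:
     * <ul>
     *   <li>Paths are made absolute and normalized lexically ({@link Path#normalize()} does not
     *       resolve symbolic links). Whether links are handled elsewhere is not visible here.</li>
     *   <li>Only the base directory itself is probed. The error message says "any path under"
     *       the directory is forbidden, but whether a grant for a descendant of a protected
     *       directory is caught depends on {@code FileAccessTree} semantics. TODO confirm.</li>
     *   <li>Only the first {@code FilesEntitlement} of a scope is validated. This presumably
     *       relies on the policy loader allowing at most one per scope; verify against the
     *       parser.</li>
     * </ul>
     *
     * <p>The decompiler reports that this method was package-private in the original class file.
     *
     * @param map policies keyed by the name used in the error message (the "in [...]" part)
     * @param pathLookup source of the protected base directories; also passed to the access tree
     * @throws IllegalArgumentException on the first entitlement that grants forbidden access
     */
    public static void validate(Map<String, Policy> map, PathLookup pathLookup) {
        Set<Path> readForbidden = normalizedBaseDirs(
            pathLookup,
            PathLookup.BaseDir.PLUGINS,
            PathLookup.BaseDir.MODULES,
            PathLookup.BaseDir.LIB
        );
        Set<Path> writeForbidden = normalizedBaseDirs(pathLookup, PathLookup.BaseDir.CONFIG);

        for (Map.Entry<String, Policy> entry : map.entrySet()) {
            String componentName = entry.getKey();
            for (Scope scope : entry.getValue().scopes()) {
                Optional<FilesEntitlement> filesEntitlement = scope.entitlements()
                    .stream()
                    .filter(FilesEntitlement.class::isInstance)
                    .map(FilesEntitlement.class::cast)
                    .findFirst();
                if (filesEntitlement.isPresent()) {
                    // NOTE(review): the meaning of the trailing null argument is not visible in this file.
                    FileAccessTree accessTree = FileAccessTree.withoutExclusivePaths(filesEntitlement.get(), pathLookup, null);
                    validateReadFilesEntitlements(componentName, scope.moduleName(), accessTree, readForbidden);
                    validateWriteFilesEntitlements(componentName, scope.moduleName(), accessTree, writeForbidden);
                }
            }
        }
    }

    /** Collects the absolute, lexically normalized paths of the given base directories. */
    private static Set<Path> normalizedBaseDirs(PathLookup pathLookup, PathLookup.BaseDir... baseDirs) {
        Set<Path> normalized = new HashSet<>();
        for (PathLookup.BaseDir baseDir : baseDirs) {
            pathLookup.getBaseDirPaths(baseDir).forEach(dir -> normalized.add(dir.toAbsolutePath().normalize()));
        }
        return normalized;
    }

    /**
     * Builds the exception reported for a forbidden grant.
     *
     * @param componentName the policy's key in the validated map
     * @param moduleName the module name of the offending scope
     * @param forbiddenPath the protected directory that the entitlement reaches
     * @param mode the access mode that is forbidden for that directory
     */
    private static IllegalArgumentException buildValidationException(
        String componentName,
        String moduleName,
        Path forbiddenPath,
        FilesEntitlement.Mode mode
    ) {
        return new IllegalArgumentException(
            Strings.format(
                "policy for module [%s] in [%s] has an invalid file entitlement. Any path under [%s] is forbidden for mode [%s].",
                moduleName,
                componentName,
                forbiddenPath,
                mode
            )
        );
    }

    /**
     * Fails if the access tree grants read access to any of the protected directories.
     *
     * @throws IllegalArgumentException for the first readable path found in {@code forbiddenPaths}
     */
    private static void validateReadFilesEntitlements(
        String componentName,
        String moduleName,
        FileAccessTree fileAccessTree,
        Set<Path> forbiddenPaths
    ) {
        for (Path forbiddenPath : forbiddenPaths) {
            if (fileAccessTree.canRead(forbiddenPath)) {
                throw buildValidationException(componentName, moduleName, forbiddenPath, FilesEntitlement.Mode.READ);
            }
        }
    }

    /**
     * Fails if the access tree grants write access to any of the protected directories.
     *
     * @throws IllegalArgumentException for the first writable path found in {@code forbiddenPaths}
     */
    private static void validateWriteFilesEntitlements(
        String componentName,
        String moduleName,
        FileAccessTree fileAccessTree,
        Set<Path> forbiddenPaths
    ) {
        for (Path forbiddenPath : forbiddenPaths) {
            if (fileAccessTree.canWrite(forbiddenPath)) {
                throw buildValidationException(componentName, moduleName, forbiddenPath, FilesEntitlement.Mode.READ_WRITE);
            }
        }
    }
}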
