package com.floragunn.searchguard.enterprise.dlsfls;

import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.VariableResolvers;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.fluent.collections.UnmodifiableIterator;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.authz.PrivilegesEvaluationContext;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.actions.Action;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.authz.actions.ResolvedIndices;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.StaticSettings;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.meta.Meta;
import com.floragunn.searchsupport.queries.Query;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.elasticsearch.index.query.BaseTermQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.TermQueryBuilder;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.ParseField;
import org.hamcrest.BaseMatcher;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Description;
import org.hamcrest.DiagnosingMatcher;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Suite;

@RunWith(Suite.class)
@Suite.SuiteClasses({IndicesAndAliases_getRestriction.class, IndicesAndAliases_hasRestriction.class, DataStreams_getRestriction.class})
/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest.class */
public class RoleBasedDocumentAuthorizationTest {
    static NamedXContentRegistry xContentRegistry = new NamedXContentRegistry(ImmutableList.of(new NamedXContentRegistry.Entry(QueryBuilder.class, new ParseField("term", new String[0]), xContentParser -> {
        return TermQueryBuilder.fromXContent(xContentParser);
    })));
    static ConfigurationRepository.Context parserContext = new ConfigurationRepository.Context((VariableResolvers) null, (SearchGuardModulesRegistry) null, (StaticSettings) null, xContentRegistry, (ImmutableMap) null);

    @RunWith(Parameterized.class)
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$DataStreams_getRestriction.class */
    public static class DataStreams_getRestriction {
        static final Meta BASIC = Meta.Mock.dataStream("datastream_a1").of(new String[]{".ds-datastream_a1_backing_0001", ".ds-datastream_a1_backing_0002"}).dataStream("datastream_a2").of(new String[]{".ds-datastream_a2_backing_0001", ".ds-datastream_a2_backing_0002"}).dataStream("datastream_b1").of(new String[]{".ds-datastream_b1_backing_0001", ".ds-datastream_b1_backing_0002"}).dataStream("datastream_b2").of(new String[]{".ds-datastream_b2_backing_0001", ".ds-datastream_b2_backing_0002"}).alias("alias_a").of(new String[]{"datastream_a1", "datastream_a2"});
        static final Meta.Index datastream_a1_backing = BASIC.getIndexOrLike(".ds-datastream_a1_backing_0001");
        static final Meta.Index datastream_a2_backing = BASIC.getIndexOrLike(".ds-datastream_a2_backing_0001");
        static final Meta.Index datastream_b1_backing = BASIC.getIndexOrLike(".ds-datastream_b1_backing_0001");
        final Statefulness statefulness;
        final UserSpec userSpec;
        final User user;
        final IndexSpec indexSpec;
        final Meta.Index index;
        final PrivilegesEvaluationContext context;

        @Test
        public void wildcard() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*"}), new TestSgConfig.Role("non_dls_role").dataStreamPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                return;
            }
            if (this.userSpec.roles.contains("dls_role_1")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
            } else if (this.userSpec.roles.contains("dls_role_2")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
            } else {
                Assert.fail("Unhandled case " + this.userSpec);
            }
        }

        @Test
        public void wildcard_negation() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*", "-datastream_b*"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*", "-datastream_a*"}), new TestSgConfig.Role("non_dls_role").dataStreamPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == datastream_a1_backing || this.index == datastream_a2_backing) {
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    return;
                }
            }
            if (this.index == datastream_b1_backing) {
                if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            }
        }

        @Test
        public void indexPattern() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"datastream_a*"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"datastream_b*"}), new TestSgConfig.Role("non_dls_role").dataStreamPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == datastream_a1_backing || this.index == datastream_a2_backing) {
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    return;
                }
            }
            if (this.index == datastream_b1_backing) {
                if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            }
        }

        @Test
        public void indexPattern_negation() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"datastream_*", "-datastream_b*"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"datastream_*", "-datastream_a*"}), new TestSgConfig.Role("non_dls_role").dataStreamPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == datastream_a1_backing || this.index == datastream_a2_backing) {
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    return;
                }
            }
            if (this.index == datastream_b1_backing) {
                if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            }
        }

        @Test
        public void template() throws Exception {
            try {
                DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"datastream_${user.attrs.attr_a}1"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"datastream_a*"}), new TestSgConfig.Role("non_dls_role").dataStreamPermissions(new String[]{"*"}).on(new String[]{"datastream_${user.attrs.attr_a}1"}))).getRestriction(this.context, this.index, Meter.NO_OP);
                if (this.userSpec.roles.isEmpty()) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                } else if (this.index == datastream_a1_backing) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    } else if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else if (this.userSpec.roles.contains("dls_role_1")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    } else {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    }
                } else if (this.index == datastream_a2_backing) {
                    if (this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    }
                } else if (this.index == datastream_b1_backing) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } catch (PrivilegesEvaluationException e) {
                if ((this.userSpec.roles.contains("non_dls_role") || this.userSpec.roles.contains("dls_role_1")) && !this.userSpec.attributes.containsKey("attr_a")) {
                    MatcherAssert.assertThat(e.getCause(), CoreMatchers.is(CoreMatchers.instanceOf(ExpressionEvaluationException.class)));
                } else {
                    Assert.fail("Unexpected exception: " + e);
                }
            }
        }

        @Test
        public void alias_static() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"datastream_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_a"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == datastream_a1_backing) {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                } else if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
            }
            if (this.index != datastream_a2_backing) {
                if (this.index == datastream_b1_backing) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } else {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                } else if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                }
            }
        }

        @Test
        public void alias_template() throws Exception {
            try {
                DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_${user.attrs.attr_a}"}), new TestSgConfig.Role("dls_role_2").dataStreamPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"datastream_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_${user.attrs.attr_a}"}))).getRestriction(this.context, this.index, Meter.NO_OP);
                if (this.userSpec.roles.isEmpty()) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                } else if (this.index == datastream_a1_backing) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    } else if (this.userSpec.roles.contains("dls_role_1")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    } else {
                        Assert.fail("Unhandled case " + this.userSpec);
                    }
                } else if (this.index == datastream_a2_backing) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    } else if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else if (this.userSpec.roles.contains("dls_role_1")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    } else if (this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else {
                        Assert.fail("Unhandled case " + this.userSpec);
                    }
                } else if (this.index == datastream_b1_backing) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } catch (PrivilegesEvaluationException e) {
                if ((this.userSpec.roles.contains("non_dls_role") || this.userSpec.roles.contains("dls_role_1")) && !this.userSpec.attributes.containsKey("attr_a")) {
                    MatcherAssert.assertThat(e.getCause(), CoreMatchers.is(CoreMatchers.instanceOf(ExpressionEvaluationException.class)));
                } else {
                    Assert.fail("Unexpected exception: " + e);
                }
            }
        }

        @Test
        public void wildcardOnIndices() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
            } else if (this.userSpec.roles.contains("dls_role_1")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
            } else if (this.userSpec.roles.contains("dls_role_2")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
            }
        }

        @Parameterized.Parameters(name = "{0}; {1}; {2}")
        public static Collection<Object[]> params() {
            ArrayList arrayList = new ArrayList();
            for (UserSpec userSpec : Arrays.asList(new UserSpec("non_dls_role", "non_dls_role"), new UserSpec("dls_role_1", "dls_role_1"), new UserSpec("dls_role_1 and dls_role_2", "dls_role_1", "dls_role_2"), new UserSpec("dls_role_1 and non_dls_role", "dls_role_1", "non_dls_role"), new UserSpec("non_dls_role, attributes", "non_dls_role").attribute("attr_a", "a"), new UserSpec("dls_role_1, attributes", "dls_role_1").attribute("attr_a", "a"), new UserSpec("dls_role_1 and dls_role_2, attributes", "dls_role_1", "dls_role_2").attribute("attr_a", "a"), new UserSpec("dls_role_1 and non_dls_role, attributes", "dls_role", "non_dls_role").attribute("attr_a", "a"), new UserSpec("no roles", new String[0]))) {
                for (IndexSpec indexSpec : Arrays.asList(new IndexSpec(datastream_a1_backing.name()), new IndexSpec(datastream_a2_backing.name()), new IndexSpec(datastream_b1_backing.name()))) {
                    for (Statefulness statefulness : Statefulness.values()) {
                        arrayList.add(new Object[]{userSpec, indexSpec, statefulness});
                    }
                }
            }
            return arrayList;
        }

        private RoleBasedDocumentAuthorization createSubject(SgDynamicConfiguration<Role> sgDynamicConfiguration) {
            return new RoleBasedDocumentAuthorization(sgDynamicConfiguration, this.statefulness == Statefulness.STATEFUL ? BASIC : null, MetricsLevel.NONE);
        }

        public DataStreams_getRestriction(UserSpec userSpec, IndexSpec indexSpec, Statefulness statefulness) {
            this.userSpec = userSpec;
            this.indexSpec = indexSpec;
            this.user = userSpec.buildUser();
            this.index = BASIC.getIndexOrLike(indexSpec.index);
            this.context = new PrivilegesEvaluationContext(this.user, false, ImmutableSet.of(userSpec.roles), (Action) null, (Object) null, true, (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
            this.statefulness = statefulness;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$IndexSpec.class */
    public static class IndexSpec {
        final String index;

        IndexSpec(String str) {
            this.index = str;
        }

        public String toString() {
            return this.index;
        }
    }

    @RunWith(Parameterized.class)
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$IndicesAndAliases_getRestriction.class */
    public static class IndicesAndAliases_getRestriction {
        static final Meta BASIC = Meta.Mock.indices(new String[]{"index_a1", "index_a2", "index_b1", "index_b2"}).alias("alias_a").of(new String[]{"index_a1", "index_a2"});
        static final Meta.Index index_a1 = BASIC.getIndexOrLike("index_a1");
        static final Meta.Index index_a2 = BASIC.getIndexOrLike("index_a2");
        static final Meta.Index index_b1 = BASIC.getIndexOrLike("index_b1");
        final Statefulness statefulness;
        final UserSpec userSpec;
        final User user;
        final IndexSpec indexSpec;
        final Meta.Index index;
        final PrivilegesEvaluationContext context;

        @Test
        public void wildcard() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                return;
            }
            if (this.userSpec.roles.contains("dls_role_1")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                return;
            }
            if (this.userSpec.roles.contains("dls_role_2")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
            } else if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
            } else {
                Assert.fail("Missing case for " + this.userSpec);
            }
        }

        @Test
        public void wildcard_negation() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*", "-index_b*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*", "-index_a*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == index_a1 || this.index == index_a2) {
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    return;
                }
            }
            if (this.index == index_b1) {
                if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            }
        }

        @Test
        public void indexPattern() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"index_a*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_b*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == index_a1 || this.index == index_a2) {
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    return;
                }
            }
            if (this.index == index_b1) {
                if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            }
        }

        @Test
        public void indexPattern_negation() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"index_*", "-index_b*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_*", "-index_a*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                return;
            }
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == index_a1 || this.index == index_a2) {
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    return;
                }
            }
            if (this.index == index_b1) {
                if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            }
        }

        @Test
        public void template() throws Exception {
            try {
                DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"index_${user.attrs.attr_a}1"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"index_${user.attrs.attr_a}1"}))).getRestriction(this.context, this.index, Meter.NO_OP);
                if (this.userSpec.roles.isEmpty()) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                } else if (this.index == index_a1) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    } else if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else if (this.userSpec.roles.contains("dls_role_1")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    } else {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    }
                } else if (this.index == index_a2) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    } else if (this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                    }
                } else if (this.index == index_b1) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } catch (PrivilegesEvaluationException e) {
                if ((this.userSpec.roles.contains("non_dls_role") || this.userSpec.roles.contains("dls_role_1")) && !this.userSpec.attributes.containsKey("attr_a")) {
                    MatcherAssert.assertThat(e.getCause(), CoreMatchers.is(CoreMatchers.instanceOf(ExpressionEvaluationException.class)));
                } else {
                    Assert.fail("Unexpected exception: " + e);
                }
            }
        }

        @Test
        public void alias_static() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_a"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == index_a1) {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                } else if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
            }
            if (this.index != index_a2) {
                if (this.index == index_b1) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } else {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                } else if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                }
            }
        }

        @Test
        public void alias_static_wildcardNonDls() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == index_a1) {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                } else if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
            }
            if (this.index != index_a2) {
                if (this.index == index_b1) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } else {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                } else if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                }
            }
        }

        @Test
        public void alias_wildcard() throws Exception {
            DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_a*"}))).getRestriction(this.context, this.index, Meter.NO_OP);
            if (this.userSpec.roles.isEmpty()) {
                MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                return;
            }
            if (this.index == index_a1) {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                } else if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    return;
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
            }
            if (this.index != index_a2) {
                if (this.index == index_b1) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } else {
                if (this.userSpec.roles.contains("non_dls_role")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    return;
                }
                if (this.userSpec.roles.contains("dls_role_1")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                } else if (this.userSpec.roles.contains("dls_role_2")) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                } else {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                }
            }
        }

        @Test
        public void alias_template() throws Exception {
            try {
                DlsRestriction dlsRestriction = (DlsRestriction) createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_${user.attrs.attr_a}"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_${user.attrs.attr_a}"}))).getRestriction(this.context, this.index, Meter.NO_OP);
                if (this.userSpec.roles.isEmpty()) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                } else if (this.index == index_a1) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    } else if (this.userSpec.roles.contains("dls_role_1")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    } else {
                        Assert.fail("Unhandled case " + this.userSpec);
                    }
                } else if (this.index == index_a2) {
                    if (this.userSpec.roles.contains("non_dls_role")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isUnrestricted());
                    } else if (this.userSpec.roles.contains("dls_role_1") && this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1"), RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else if (this.userSpec.roles.contains("dls_role_1")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r1")));
                    } else if (this.userSpec.roles.contains("dls_role_2")) {
                        MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isRestricted(RoleBasedDocumentAuthorizationTest.termQuery("dept", "dept_r2")));
                    } else {
                        Assert.fail("Unhandled case " + this.userSpec);
                    }
                } else if (this.index == index_b1) {
                    MatcherAssert.assertThat(dlsRestriction, RoleBasedDocumentAuthorizationTest.isFullyRestricted());
                }
            } catch (PrivilegesEvaluationException e) {
                if ((this.userSpec.roles.contains("non_dls_role") || this.userSpec.roles.contains("dls_role_1")) && !this.userSpec.attributes.containsKey("attr_a")) {
                    MatcherAssert.assertThat(e.getCause(), CoreMatchers.is(CoreMatchers.instanceOf(ExpressionEvaluationException.class)));
                } else {
                    Assert.fail("Unexpected exception: " + e);
                }
            }
        }

        @Parameterized.Parameters(name = "{0}; {1}; {2}")
        public static Collection<Object[]> params() {
            ArrayList arrayList = new ArrayList();
            for (UserSpec userSpec : Arrays.asList(new UserSpec("non_dls_role", "non_dls_role"), new UserSpec("dls_role_1", "dls_role_1"), new UserSpec("dls_role_1 and dls_role_2", "dls_role_1", "dls_role_2"), new UserSpec("dls_role_1 and non_dls_role", "dls_role_1", "non_dls_role"), new UserSpec("non_dls_role, attributes", "non_dls_role").attribute("attr_a", "a"), new UserSpec("dls_role_1, attributes", "dls_role_1").attribute("attr_a", "a"), new UserSpec("dls_role_1 and dls_role_2, attributes", "dls_role_1", "dls_role_2").attribute("attr_a", "a"), new UserSpec("dls_role_1 and non_dls_role, attributes", "dls_role", "non_dls_role").attribute("attr_a", "a"), new UserSpec("no roles", new String[0]))) {
                for (IndexSpec indexSpec : Arrays.asList(new IndexSpec("index_a1"), new IndexSpec("index_a2"), new IndexSpec("index_b1"))) {
                    for (Statefulness statefulness : Statefulness.values()) {
                        arrayList.add(new Object[]{userSpec, indexSpec, statefulness});
                    }
                }
            }
            return arrayList;
        }

        public IndicesAndAliases_getRestriction(UserSpec userSpec, IndexSpec indexSpec, Statefulness statefulness) {
            this.userSpec = userSpec;
            this.indexSpec = indexSpec;
            this.user = userSpec.buildUser();
            this.index = BASIC.getIndexOrLike(indexSpec.index);
            this.context = new PrivilegesEvaluationContext(this.user, false, ImmutableSet.of(userSpec.roles), (Action) null, (Object) null, true, (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
            this.statefulness = statefulness;
        }

        private RoleBasedDocumentAuthorization createSubject(SgDynamicConfiguration<Role> sgDynamicConfiguration) {
            return new RoleBasedDocumentAuthorization(sgDynamicConfiguration, this.statefulness == Statefulness.STATEFUL ? BASIC : null, MetricsLevel.NONE);
        }
    }

    @RunWith(Parameterized.class)
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$IndicesAndAliases_hasRestriction.class */
    public static class IndicesAndAliases_hasRestriction {
        static final Meta BASIC = Meta.Mock.indices(new String[]{"index_a1", "index_a2", "index_b1", "index_b2"}).alias("alias_a").of(new String[]{"index_a1", "index_a2"});
        static final Meta.Index index_a1 = BASIC.getIndexOrLike("index_a1");
        static final Meta.Index index_a2 = BASIC.getIndexOrLike("index_a2");
        static final Meta.Index index_b1 = BASIC.getIndexOrLike("index_b1");
        static final Meta.Alias alias_a = BASIC.getIndexOrLike("alias_a");
        final Statefulness statefulness;
        final UserSpec userSpec;
        final User user;
        final IndicesSpec indicesSpec;
        final ResolvedIndices resolvedIndices;
        final PrivilegesEvaluationContext context;

        @Test
        public void wildcard() throws Exception {
            boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void wildcard_negation() throws Exception {
            boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"*", "-index_b*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"*", "-index_a*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void indexPattern() throws Exception {
            boolean hasRestrictions = new RoleBasedDocumentAuthorization(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"index_a*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_b*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"})), BASIC, MetricsLevel.NONE).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void indexPattern_negation() throws Exception {
            boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"index_*", "-index_b*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_*", "-index_a*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"*"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role")) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void template() throws Exception {
            try {
                boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"index_${user.attrs.attr_a}1"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a*"}), new TestSgConfig.Role("non_dls_role").indexPermissions(new String[]{"*"}).on(new String[]{"index_${user.attrs.attr_a}1"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
                if (this.userSpec.roles.contains("non_dls_role") && this.resolvedIndices.getLocal().getUnion().equals(ImmutableSet.of(index_a1)) && this.userSpec.attributes.containsKey("attr_a")) {
                    Assert.assertFalse(hasRestrictions);
                } else {
                    Assert.assertTrue(hasRestrictions);
                }
            } catch (PrivilegesEvaluationException e) {
                if ((this.userSpec.roles.contains("non_dls_role") || this.userSpec.roles.contains("dls_role_1")) && !this.userSpec.attributes.containsKey("attr_a")) {
                    MatcherAssert.assertThat(e.getCause(), CoreMatchers.is(CoreMatchers.instanceOf(ExpressionEvaluationException.class)));
                } else {
                    Assert.fail("Unexpected exception: " + e);
                }
            }
        }

        @Test
        public void alias_static() throws Exception {
            boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_a"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role") && this.resolvedIndices.getLocal().getUnion().forAllApplies(indexLikeObject -> {
                return (indexLikeObject instanceof Meta.Alias) || !indexLikeObject.parentAliases().isEmpty();
            })) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void alias_static_wildcardNonDls() throws Exception {
            boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"*"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role") && this.resolvedIndices.getLocal().getUnion().forAllApplies(indexLikeObject -> {
                return !indexLikeObject.parentAliases().isEmpty() || (indexLikeObject instanceof Meta.Alias);
            })) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void alias_wildcard() throws Exception {
            boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_a*"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_a*"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
            if (this.userSpec.roles.contains("non_dls_role") && this.resolvedIndices.getLocal().getUnion().forAllApplies(indexLikeObject -> {
                return indexLikeObject == alias_a || indexLikeObject.parentAliases().contains(alias_a);
            })) {
                Assert.assertFalse(hasRestrictions);
            } else {
                Assert.assertTrue(hasRestrictions);
            }
        }

        @Test
        public void alias_template() throws Exception {
            try {
                boolean hasRestrictions = createSubject(RoleBasedDocumentAuthorizationTest.roleConfig(new TestSgConfig.Role("dls_role_1").aliasPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r1")).on(new String[]{"alias_${user.attrs.attr_a}"}), new TestSgConfig.Role("dls_role_2").indexPermissions(new String[]{"*"}).dls(DocNode.of("term.dept.value", "dept_r2")).on(new String[]{"index_a2"}), new TestSgConfig.Role("non_dls_role").aliasPermissions(new String[]{"*"}).on(new String[]{"alias_${user.attrs.attr_a}"}))).hasRestrictions(this.context, this.resolvedIndices, Meter.NO_OP);
                if (this.userSpec.roles.contains("non_dls_role") && this.userSpec.attributes.containsKey("attr_a") && this.resolvedIndices.getLocal().getUnion().forAllApplies(indexLikeObject -> {
                    return indexLikeObject == alias_a || indexLikeObject.parentAliases().contains(alias_a);
                })) {
                    Assert.assertFalse(hasRestrictions);
                } else {
                    Assert.assertTrue(hasRestrictions);
                }
            } catch (PrivilegesEvaluationException e) {
                if ((this.userSpec.roles.contains("non_dls_role") || this.userSpec.roles.contains("dls_role_1")) && !this.userSpec.attributes.containsKey("attr_a")) {
                    MatcherAssert.assertThat(e.getCause(), CoreMatchers.is(CoreMatchers.instanceOf(ExpressionEvaluationException.class)));
                } else {
                    Assert.fail("Unexpected exception: " + e);
                }
            }
        }

        @Parameterized.Parameters(name = "{0}; {1}; {2}")
        public static Collection<Object[]> params() {
            ArrayList arrayList = new ArrayList();
            for (UserSpec userSpec : Arrays.asList(new UserSpec("non_dls_role", "non_dls_role"), new UserSpec("dls_role_1", "dls_role_1"), new UserSpec("dls_role_1 and dls_role_2", "dls_role_1", "dls_role_2"), new UserSpec("dls_role_1 and non_dls_role", "dls_role_1", "non_dls_role"), new UserSpec("non_dls_role, attributes", "non_dls_role").attribute("attr_a", "a"), new UserSpec("dls_role_1, attributes", "dls_role_1").attribute("attr_a", "a"), new UserSpec("dls_role_1 and dls_role_2, attributes", "dls_role_1", "dls_role_2").attribute("attr_a", "a"), new UserSpec("dls_role_1 and non_dls_role, attributes", "dls_role", "non_dls_role").attribute("attr_a", "a"), new UserSpec("no roles", new String[0]))) {
                for (IndicesSpec indicesSpec : Arrays.asList(new IndicesSpec("index_a1"), new IndicesSpec("index_a2"), new IndicesSpec("index_b1"), new IndicesSpec("alias_a"), new IndicesSpec("index_a1", "index_a2"), new IndicesSpec("index_a1", "index_b1"), new IndicesSpec("alias_a", "index_b1"))) {
                    for (Statefulness statefulness : Statefulness.values()) {
                        arrayList.add(new Object[]{userSpec, indicesSpec, statefulness});
                    }
                }
            }
            return arrayList;
        }

        public IndicesAndAliases_hasRestriction(UserSpec userSpec, IndicesSpec indicesSpec, Statefulness statefulness) {
            this.userSpec = userSpec;
            this.indicesSpec = indicesSpec;
            this.user = userSpec.buildUser();
            this.resolvedIndices = ResolvedIndices.of(BASIC, (String[]) indicesSpec.indices.toArray(new String[0]));
            this.context = new PrivilegesEvaluationContext(this.user, false, ImmutableSet.of(userSpec.roles), (Action) null, (Object) null, true, (ActionRequestIntrospector) null, (SpecialPrivilegesEvaluationContext) null);
            this.statefulness = statefulness;
        }

        private RoleBasedDocumentAuthorization createSubject(SgDynamicConfiguration<Role> sgDynamicConfiguration) {
            return new RoleBasedDocumentAuthorization(sgDynamicConfiguration, this.statefulness == Statefulness.STATEFUL ? BASIC : null, MetricsLevel.NONE);
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$IndicesSpec.class */
    public static class IndicesSpec {
        final ImmutableList<String> indices;

        IndicesSpec(String... strArr) {
            this.indices = ImmutableList.ofArray(strArr);
        }

        public String toString() {
            return this.indices.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$Statefulness.class */
    public enum Statefulness {
        STATEFUL,
        NON_STATEFUL
    }

    /* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/RoleBasedDocumentAuthorizationTest$UserSpec.class */
    public static class UserSpec {
        final List<String> roles;
        final String description;
        final Map<String, Object> attributes = new HashMap();

        UserSpec(String str, String... strArr) {
            this.description = str;
            this.roles = Arrays.asList(strArr);
        }

        UserSpec attribute(String str, Object obj) {
            this.attributes.put(str, obj);
            return this;
        }

        User buildUser() {
            return new User.Builder().name("test_user_" + this.description).attributes(this.attributes).build();
        }

        public String toString() {
            return this.description;
        }
    }

    static SgDynamicConfiguration<Role> roleConfig(TestSgConfig.Role... roleArr) throws ConfigValidationException {
        return TestSgConfig.Role.toActualRole(parserContext, roleArr);
    }

    static DiagnosingMatcher<DlsRestriction> isUnrestricted() {
        return new DiagnosingMatcher<DlsRestriction>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorizationTest.1
            public void describeTo(Description description) {
                description.appendText("A DlsRestriction object that has no restrictions");
            }

            protected boolean matches(Object obj, Description description) {
                if (!(obj instanceof DlsRestriction)) {
                    description.appendValue(obj).appendText(" is not a DlsRestriction object");
                    return false;
                }
                DlsRestriction dlsRestriction = (DlsRestriction) obj;
                if (dlsRestriction.isUnrestricted()) {
                    return true;
                }
                description.appendText("The DlsRestriction object is not unrestricted:").appendValue(dlsRestriction);
                return false;
            }
        };
    }

    static DiagnosingMatcher<DlsRestriction> isRestricted() {
        return new DiagnosingMatcher<DlsRestriction>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorizationTest.2
            public void describeTo(Description description) {
                description.appendText("A DlsRestriction object that has at least one restrictions");
            }

            protected boolean matches(Object obj, Description description) {
                if (!(obj instanceof DlsRestriction)) {
                    description.appendValue(obj).appendText(" is not a DlsRestriction object");
                    return false;
                }
                DlsRestriction dlsRestriction = (DlsRestriction) obj;
                if (!dlsRestriction.isUnrestricted()) {
                    return true;
                }
                description.appendText("The DlsRestriction object is not restricted:").appendValue(dlsRestriction);
                return false;
            }
        };
    }

    @SafeVarargs
    static DiagnosingMatcher<DlsRestriction> isRestricted(final Matcher<QueryBuilder>... matcherArr) {
        return new DiagnosingMatcher<DlsRestriction>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorizationTest.3
            public void describeTo(Description description) {
                description.appendText("A DlsRestriction object that has the restrictions: ").appendList("", "", ", ", Arrays.asList(matcherArr));
            }

            protected boolean matches(Object obj, Description description) {
                if (!(obj instanceof DlsRestriction)) {
                    description.appendValue(obj).appendText(" is not a DlsRestriction object");
                    return false;
                }
                DlsRestriction dlsRestriction = (DlsRestriction) obj;
                if (dlsRestriction.isUnrestricted()) {
                    description.appendText("The DlsRestriction object is not restricted:").appendValue(dlsRestriction);
                    return false;
                }
                HashSet hashSet = new HashSet(Arrays.asList(matcherArr));
                HashSet hashSet2 = new HashSet((Collection) dlsRestriction.getQueries());
                UnmodifiableIterator it = dlsRestriction.getQueries().iterator();
                while (it.hasNext()) {
                    Query query = (Query) it.next();
                    Iterator it2 = hashSet.iterator();
                    while (true) {
                        if (it2.hasNext()) {
                            Matcher matcher = (Matcher) it2.next();
                            if (matcher.matches(query.getQueryBuilder())) {
                                hashSet2.remove(query);
                                hashSet.remove(matcher);
                                break;
                            }
                        }
                    }
                }
                if (hashSet2.isEmpty() && hashSet.isEmpty()) {
                    return true;
                }
                if (!hashSet2.isEmpty()) {
                    description.appendText("The DlsRestriction contains unexpected queries:").appendValue(hashSet2).appendText("\n");
                }
                if (hashSet.isEmpty()) {
                    return false;
                }
                description.appendText("The DlsRestriction does not contain expected queries: ").appendValue(hashSet).appendText("\n");
                return false;
            }
        };
    }

    static DiagnosingMatcher<DlsRestriction> isFullyRestricted() {
        return new DiagnosingMatcher<DlsRestriction>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorizationTest.4
            public void describeTo(Description description) {
                description.appendText("A DlsRestriction object that has full restrictions");
            }

            protected boolean matches(Object obj, Description description) {
                if (!(obj instanceof DlsRestriction)) {
                    description.appendValue(obj).appendText(" is not a DlsRestriction object");
                    return false;
                }
                DlsRestriction dlsRestriction = (DlsRestriction) obj;
                if (dlsRestriction.getQueries().size() == 0) {
                    description.appendText("The DlsRestriction object is not fully restricted:").appendValue(dlsRestriction);
                    return false;
                }
                UnmodifiableIterator it = dlsRestriction.getQueries().iterator();
                while (it.hasNext()) {
                    if (!((Query) it.next()).getQueryBuilder().equals(Query.MATCH_NONE.getQueryBuilder())) {
                        description.appendText("The DlsRestriction object is not fully restricted:").appendValue(dlsRestriction);
                        return false;
                    }
                }
                return true;
            }
        };
    }

    static BaseMatcher<QueryBuilder> termQuery(final String str, final Object obj) {
        return new BaseMatcher<QueryBuilder>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.RoleBasedDocumentAuthorizationTest.5
            public void describeTo(Description description) {
                description.appendText("A TermQueryBuilder object with ").appendValue(str).appendText("=").appendValue(obj);
            }

            public boolean matches(Object obj2) {
                if (!(obj2 instanceof BaseTermQueryBuilder)) {
                    return false;
                }
                BaseTermQueryBuilder baseTermQueryBuilder = (BaseTermQueryBuilder) obj2;
                return baseTermQueryBuilder.fieldName().equals(str) && baseTermQueryBuilder.value().equals(obj);
            }
        };
    }
}
