package org.elasticsearch.xpack.security.action.user;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.security.support.Automatons;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesAction.class */
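/**
 * Transport handler for {@link HasPrivilegesAction}. For the authenticated user it reports, per
 * requested cluster privilege and per requested index/privilege pair, whether the user's resolved
 * role grants it.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The user is read from the authentication in the thread context; the username in the
 *       request is only compared against it, so a request cannot probe another account.</li>
 *   <li>The aggregate result flag is cleared by any denied cluster <em>or</em> index privilege,
 *       so a caller that reads only the summary fails closed.</li>
 * </ul>
 */
public class TransportHasPrivilegesAction extends HandledTransportAction<HasPrivilegesRequest, HasPrivilegesResponse> {
    private final AuthorizationService authorizationService;

    /**
     * Registers the handler under {@code HasPrivilegesAction.NAME} and keeps the authorization
     * service used to resolve the caller's role.
     */
    @Inject
    public TransportHasPrivilegesAction(Settings settings, ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, AuthorizationService authorizationService) {
        super(settings, HasPrivilegesAction.NAME, threadPool, transportService, actionFilters, indexNameExpressionResolver, HasPrivilegesRequest::new);
        this.authorizationService = authorizationService;
    }

    /**
     * Rejects requests that name a user other than the caller, then resolves the caller's role and
     * hands it to {@link #checkPrivileges}.
     *
     * @param hasPrivilegesRequest the privileges to test and the username they are tested for
     * @param actionListener receives the response, or an {@link IllegalArgumentException} when the
     *     request names a different user, or any failure raised while resolving roles
     */
    protected void doExecute(HasPrivilegesRequest hasPrivilegesRequest, ActionListener<HasPrivilegesResponse> actionListener) {
        String requestedUsername = hasPrivilegesRequest.username();
        // Identity comes from the authenticated thread context, never from the request itself.
        User caller = Authentication.getAuthentication(this.threadPool.getThreadContext()).getUser();
        if (!caller.principal().equals(requestedUsername)) {
            actionListener.onFailure(new IllegalArgumentException("users may only check the privileges of their own account"));
            return;
        }
        // The method reference null-checks actionListener before roles() is invoked.
        this.authorizationService.roles(
                caller,
                ActionListener.wrap(role -> checkPrivileges(hasPrivilegesRequest, role, actionListener), actionListener::onFailure));
    }

    /**
     * Evaluates every requested cluster and index privilege against {@code role} and sends the
     * per-privilege results plus an aggregate flag to the listener.
     *
     * <p>When the same index name appears in several request entries, the results are merged into
     * one entry for that index; first-seen order of index names is preserved.
     */
    private void checkPrivileges(HasPrivilegesRequest hasPrivilegesRequest, Role role, ActionListener<HasPrivilegesResponse> actionListener) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Check whether role [{}] has privileges cluster=[{}] index=[{}]", role.name(), Arrays.toString(hasPrivilegesRequest.clusterPrivileges()), Arrays.toString(hasPrivilegesRequest.indexPrivileges()));
        }

        // Passed as the first HasPrivilegesResponse argument (the overall-result flag; the
        // constructor is declared outside this file). It must reflect cluster denials as well as
        // index denials, otherwise the summary can read "all granted" while an entry is false.
        boolean allGranted = true;

        Map<String, Boolean> clusterResults = new HashMap<>();
        for (String clusterPrivilegeName : hasPrivilegesRequest.clusterPrivileges()) {
            boolean granted = testPrivilege(
                    ClusterPrivilege.get(Collections.singleton(clusterPrivilegeName)),
                    role.cluster().privilege().getAutomaton());
            clusterResults.put(clusterPrivilegeName, granted);
            if (!granted) {
                allGranted = false;
            }
        }

        // One index-pattern predicate per role group, built lazily and reused across all checks.
        Map<IndicesPermission.Group, Predicate<String>> predicateCache = new HashMap<>();
        Map<String, HasPrivilegesResponse.IndexPrivileges> indexResults = new LinkedHashMap<>();
        for (RoleDescriptor.IndicesPrivileges requested : hasPrivilegesRequest.indexPrivileges()) {
            for (String indexName : requested.getIndices()) {
                Map<String, Boolean> privilegeResults = new HashMap<>();
                HasPrivilegesResponse.IndexPrivileges previous = indexResults.get(indexName);
                if (previous != null) {
                    // Same index requested earlier: keep its results and add to them.
                    privilegeResults.putAll(previous.getPrivileges());
                }
                for (String privilegeName : requested.getPrivileges()) {
                    if (testIndexMatch(indexName, privilegeName, role, predicateCache)) {
                        this.logger.debug("Role [{}] has [{}] on [{}]", role.name(), privilegeName, indexName);
                        privilegeResults.put(privilegeName, true);
                    } else {
                        this.logger.debug("Role [{}] does not have [{}] on [{}]", role.name(), privilegeName, indexName);
                        privilegeResults.put(privilegeName, false);
                        allGranted = false;
                    }
                }
                indexResults.put(indexName, new HasPrivilegesResponse.IndexPrivileges(indexName, privilegeResults));
            }
        }
        actionListener.onResponse(new HasPrivilegesResponse(allGranted, clusterResults, indexResults.values()));
    }

    /**
     * Tests whether {@code role} grants {@code privilegeName} on {@code indexName}.
     *
     * <p>Only role groups whose index patterns match {@code indexName} are considered. A group
     * that lists the privilege by name grants it immediately; otherwise the requested privilege
     * must be a subset of the union of the matching groups' privileges.
     *
     * @param predicateCache per-group index-pattern predicates, filled on first use
     */
    private boolean testIndexMatch(String indexName, String privilegeName, Role role, Map<IndicesPermission.Group, Predicate<String>> predicateCache) {
        IndexPrivilege requested = IndexPrivilege.get(Collections.singleton(privilegeName));
        ArrayList<Automaton> matchingGroupAutomatons = new ArrayList<>();
        for (IndicesPermission.Group group : role.indices().groups()) {
            Predicate<String> coversIndex = predicateCache.computeIfAbsent(group, g -> Automatons.predicate(g.indices()));
            // NOTE(review): the requested index is tested as a plain string against the group's
            // patterns. If callers may pass a wildcard expression, it is not compared as a
            // pattern-to-pattern subset - confirm the intended handling.
            if (!coversIndex.test(indexName)) {
                continue;
            }
            IndexPrivilege groupPrivilege = group.privilege();
            // NOTE(review): assumes name() is a collection of privilege names, making this a
            // membership test; on a String it would be a substring match - confirm.
            if (groupPrivilege.name().contains(privilegeName)) {
                return true;
            }
            matchingGroupAutomatons.add(groupPrivilege.getAutomaton());
        }
        return testPrivilege(requested, Automatons.unionAndMinimize(matchingGroupAutomatons));
    }

    /** Returns whether everything matched by {@code privilege} is also matched by {@code automaton}. */
    private boolean testPrivilege(Privilege privilege, Automaton automaton) {
        return Operations.subsetOf(privilege.getAutomaton(), automaton);
    }

    // The erased doExecute(ActionRequest, ActionListener) bridge is synthesized by javac for the
    // typed doExecute above, so it is not declared in source.
}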
