package org.elasticsearch.xpack.security.authz;

import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Predicate;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.util.concurrent.CountDown;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.xpack.ClientHelper;
import org.elasticsearch.xpack.security.SecurityContext;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.support.Automatons;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.user.XPackSecurityUser;
import org.elasticsearch.xpack.security.user.XPackUser;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authz/AuthorizationUtils.class */
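/**
 * Static helpers that decide which identity an action is authorized as, based on
 * what is present in the {@link ThreadContext}.
 *
 * <p>The decisions are driven by three thread-context transients that are read
 * here: the {@link Authentication} stored under
 * {@code Authentication.AUTHENTICATION_KEY}, the action origin stored under
 * {@code ClientHelper.ACTION_ORIGIN_TRANSIENT_NAME}, and the originating action
 * stored under {@code AuthorizationService.ORIGINATING_ACTION_KEY}.
 *
 * <p>NOTE(review): every value is taken from the thread context as-is. Nothing in
 * this class verifies who placed it there, so the privilege switches below are
 * only as trustworthy as the code paths that can write those transients. Confirm
 * against the callers.
 */
public final class AuthorizationUtils {
    /** Matches action names in the {@code internal:*} namespace. */
    private static final Predicate<String> INTERNAL_PREDICATE = Automatons.predicate("internal:*");

    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authz/AuthorizationUtils$AsyncAuthorizer.class */
    /**
     * Collects the roles of the authenticated user and, for a run-as request, the
     * roles of the run-as user, then hands both to a consumer once both are known.
     *
     * <p>The consumer is invoked only after both role slots have been set (a
     * two-step {@link CountDown}). If a role lookup fails, the failure goes to the
     * listener and that slot is never set, so the consumer does not run: a failed
     * lookup cannot result in an authorization decision being made.
     *
     * <p>Either argument passed to the consumer may be {@code null}: both are
     * {@code null} for the system user, and the run-as roles are {@code null} when
     * the request is not a run-as request. Consumers must not treat {@code null}
     * as "no restrictions" by accident.
     */
    public static class AsyncAuthorizer {
        private final ActionListener listener;
        private final BiConsumer<Role, Role> consumer;
        private final Authentication authentication;
        // volatile: presumably the two role callbacks can complete on different
        // threads, depending on how AuthorizationService resolves roles (TODO confirm).
        private volatile Role userRoles;
        private volatile Role runAsRoles;
        // One count for the user roles, one for the run-as roles.
        private final CountDown countDown = new CountDown(2);

        /**
         * @param authentication the authentication whose user(s) need roles resolved
         * @param actionListener receives any failure from role resolution or from the consumer
         * @param biConsumer     called with (user roles, run-as roles) once both are set
         */
        public AsyncAuthorizer(Authentication authentication, ActionListener actionListener, BiConsumer<Role, Role> biConsumer) {
            this.consumer = biConsumer;
            this.listener = actionListener;
            this.authentication = authentication;
        }

        /**
         * Starts role resolution and eventually invokes the consumer.
         *
         * <p>For the system user no roles are looked up and the consumer receives
         * {@code (null, null)}. Otherwise the roles of
         * {@code authentication.getUser().authenticatedUser()} are requested, and if
         * the user is a run-as user the roles of {@code authentication.getUser()}
         * are requested as well.
         *
         * <p>NOTE(review): when both lookups are issued and both fail, the listener's
         * {@code onFailure} is invoked once per failed lookup. Check that the listener
         * tolerates being notified twice.
         *
         * @param authorizationService the service used to resolve roles
         */
        public void authorize(AuthorizationService authorizationService) {
            if (SystemUser.is(authentication.getUser().authenticatedUser())) {
                // The system user must never be combined with run-as.
                assert authentication.getUser().isRunAs() == false;
                setUserRoles(null);
                setRunAsRoles(null);
                return;
            }
            authorizationService.roles(authentication.getUser().authenticatedUser(),
                    ActionListener.wrap(this::setUserRoles, listener::onFailure));
            if (authentication.getUser().isRunAs()) {
                authorizationService.roles(authentication.getUser(),
                        ActionListener.wrap(this::setRunAsRoles, listener::onFailure));
            } else {
                // No run-as user: fill the second slot so the countdown can complete.
                setRunAsRoles(null);
            }
        }

        private void setUserRoles(Role role) {
            this.userRoles = role;
            maybeRun();
        }

        private void setRunAsRoles(Role role) {
            this.runAsRoles = role;
            maybeRun();
        }

        /**
         * Runs the consumer when the second role slot is filled. Exceptions thrown by
         * the consumer are reported to the listener instead of propagating.
         */
        private void maybeRun() {
            if (countDown.countDown()) {
                try {
                    consumer.accept(userRoles, runAsRoles);
                } catch (Exception e) {
                    listener.onFailure(e);
                }
            }
        }
    }

    private AuthorizationUtils() {
    }

    /**
     * Decides whether the current user should be replaced with the system user.
     *
     * <p>Evaluation order:
     * <ol>
     *   <li>If the context is not a system context and the action is not an
     *       {@code internal:*} action, returns {@code false}.</li>
     *   <li>If the context holds neither an {@link Authentication} nor an action
     *       origin, returns {@code true}.</li>
     *   <li>Otherwise returns {@code true} only when an originating action is
     *       recorded and that originating action is not internal.</li>
     * </ol>
     *
     * @param threadContext the context to inspect
     * @param str           the name of the action being executed
     * @return {@code true} if the user should be replaced with the system user
     */
    public static boolean shouldReplaceUserWithSystem(ThreadContext threadContext, String str) {
        if (!threadContext.isSystemContext() && !isInternalAction(str)) {
            return false;
        }
        Authentication authentication = threadContext.getTransient(Authentication.AUTHENTICATION_KEY);
        if (authentication == null && threadContext.getTransient(ClientHelper.ACTION_ORIGIN_TRANSIENT_NAME) == null) {
            return true;
        }
        String originatingAction = threadContext.getTransient(AuthorizationService.ORIGINATING_ACTION_KEY);
        return originatingAction != null && !isInternalAction(originatingAction);
    }

    /**
     * Returns {@code true} when the context carries an action origin but no
     * {@link Authentication}, i.e. the only identity information available is the
     * origin.
     *
     * @param threadContext the context to inspect
     * @return whether the user should be derived from the action origin
     */
    public static boolean shouldSetUserBasedOnActionOrigin(ThreadContext threadContext) {
        String actionOrigin = threadContext.getTransient(ClientHelper.ACTION_ORIGIN_TRANSIENT_NAME);
        Authentication authentication = threadContext.getTransient(Authentication.AUTHENTICATION_KEY);
        return actionOrigin != null && authentication == null;
    }

    /**
     * Executes {@code consumer} as the internal user that corresponds to the action
     * origin stored in the thread context.
     *
     * <p>The origin {@code "security"} maps to {@link XPackSecurityUser}; the origins
     * {@code "watcher"}, {@code "ml"}, {@code "monitoring"}, {@code "deprecation"}
     * and {@code "persistent_tasks"} map to {@link XPackUser}. A missing or
     * unrecognised origin is rejected rather than mapped to a default user.
     *
     * <p>NOTE(review): this method does not itself check that the context has no
     * {@link Authentication}; it presumably relies on callers having consulted
     * {@link #shouldSetUserBasedOnActionOrigin(ThreadContext)} first. Confirm at
     * the call sites.
     *
     * @param threadContext   the context holding the action origin
     * @param securityContext used to execute as the selected internal user
     * @param consumer        the work to run under that user
     * @throws IllegalStateException if the origin is missing or unknown (an
     *                               {@link AssertionError} is thrown instead when
     *                               assertions are enabled)
     */
    public static void switchUserBasedOnActionOriginAndExecute(ThreadContext threadContext, SecurityContext securityContext, Consumer<ThreadContext.StoredContext> consumer) {
        String actionOrigin = threadContext.getTransient(ClientHelper.ACTION_ORIGIN_TRANSIENT_NAME);
        if (actionOrigin == null) {
            assert false : "cannot switch user if there is no action origin";
            throw new IllegalStateException("cannot switch user if there is no action origin");
        }
        switch (actionOrigin) {
            case "security":
                securityContext.executeAsUser(XPackSecurityUser.INSTANCE, consumer, Version.CURRENT);
                break;
            case "watcher":
            case "ml":
            case "monitoring":
            case "deprecation":
            case "persistent_tasks":
                securityContext.executeAsUser(XPackUser.INSTANCE, consumer, Version.CURRENT);
                break;
            default:
                // Fail closed: never fall back to a privileged user for an unknown origin.
                assert false : "action.origin [" + actionOrigin + "] is unknown!";
                throw new IllegalStateException("action.origin [" + actionOrigin + "] should always be a known value");
        }
    }

    private static boolean isInternalAction(String str) {
        return INTERNAL_PREDICATE.test(str);
    }
}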
