package org.elasticsearch.xpack.core.security.authc;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Base64;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.TransportVersions;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.util.ArrayUtils;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.Assertions;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.license.License;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.InternalUser;
import org.elasticsearch.xpack.core.security.user.InternalUsers;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication.class */
public final class Authentication implements ToXContentObject {
    private static final Logger logger;
    private static final TransportVersion VERSION_AUTHENTICATION_TYPE;
    public static final TransportVersion VERSION_API_KEY_ROLES_AS_BYTES;
    public static final TransportVersion VERSION_REALM_DOMAINS;
    public static final TransportVersion VERSION_METADATA_BEYOND_GENERIC_MAP;
    private final AuthenticationType type;
    private final Subject authenticatingSubject;
    private final Subject effectiveSubject;
    private static final Map<String, CheckedFunction<StreamInput, Object, IOException>> METADATA_VALUE_READER;
    private static final Map<String, Writeable.Writer<?>> METADATA_VALUE_WRITER;
    public static ConstructingObjectParser<RealmRef, Void> REALM_REF_PARSER;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.elasticsearch.xpack.core.security.authc.Authentication$1, reason: invalid class name */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType = new int[AuthenticationType.values().length];

        static {
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType[AuthenticationType.ANONYMOUS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType[AuthenticationType.INTERNAL.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType[AuthenticationType.API_KEY.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType[AuthenticationType.REALM.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType[AuthenticationType.TOKEN.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$AuthenticationSerializationHelper.class */
    public static class AuthenticationSerializationHelper {
        static final /* synthetic */ boolean $assertionsDisabled;

        private AuthenticationSerializationHelper() {
        }

        public static User readUserFrom(StreamInput streamInput) throws IOException {
            User readUserWithoutTrailingBoolean = readUserWithoutTrailingBoolean(streamInput);
            if (false == (readUserWithoutTrailingBoolean instanceof InternalUser)) {
                boolean readBoolean = streamInput.readBoolean();
                if (!$assertionsDisabled && false != readBoolean) {
                    throw new AssertionError("inner user is not allowed");
                }
                if (readBoolean) {
                    throw new IllegalStateException("inner user is not allowed");
                }
            }
            return readUserWithoutTrailingBoolean;
        }

        public static void writeUserTo(User user, StreamOutput streamOutput) throws IOException {
            if (user instanceof InternalUser) {
                writeInternalUser((InternalUser) user, streamOutput);
            } else {
                User.writeUser(user, streamOutput);
                streamOutput.writeBoolean(false);
            }
        }

        private static User readUserWithoutTrailingBoolean(StreamInput streamInput) throws IOException {
            boolean readBoolean = streamInput.readBoolean();
            String readString = streamInput.readString();
            if (readBoolean) {
                return InternalUsers.getUser(readString);
            }
            return new User(readString, streamInput.readStringArray(), streamInput.readOptionalString(), streamInput.readOptionalString(), streamInput.readGenericMap(), streamInput.readBoolean());
        }

        private static void writeInternalUser(InternalUser internalUser, StreamOutput streamOutput) throws IOException {
            streamOutput.writeBoolean(true);
            streamOutput.writeString(internalUser.principal());
        }

        static {
            $assertionsDisabled = !Authentication.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$AuthenticationType.class */
    public enum AuthenticationType {
        REALM,
        API_KEY,
        TOKEN,
        ANONYMOUS,
        INTERNAL
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$RealmRef.class */
    public static class RealmRef implements Writeable, ToXContentObject {
        private final String nodeName;
        private final String name;
        private final String type;

        @Nullable
        private final RealmDomain domain;

        public RealmRef(String str, String str2, String str3) {
            this(str, str2, str3, null);
        }

        public RealmRef(String str, String str2, String str3, @Nullable RealmDomain realmDomain) {
            this.nodeName = (String) Objects.requireNonNull(str3, "node name cannot be null");
            this.name = (String) Objects.requireNonNull(str, "realm name cannot be null");
            this.type = (String) Objects.requireNonNull(str2, "realm type cannot be null");
            this.domain = realmDomain;
        }

        public RealmRef(StreamInput streamInput) throws IOException {
            this.nodeName = streamInput.readString();
            this.name = streamInput.readString();
            this.type = streamInput.readString();
            if (streamInput.getTransportVersion().onOrAfter(Authentication.VERSION_REALM_DOMAINS)) {
                this.domain = (RealmDomain) streamInput.readOptionalWriteable(RealmDomain::readFrom);
            } else {
                this.domain = null;
            }
        }

        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeString(this.nodeName);
            streamOutput.writeString(this.name);
            streamOutput.writeString(this.type);
            if (streamOutput.getTransportVersion().onOrAfter(Authentication.VERSION_REALM_DOMAINS)) {
                streamOutput.writeOptionalWriteable(this.domain);
            }
        }

        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.field("name", this.name);
            xContentBuilder.field("type", this.type);
            xContentBuilder.field("node_name", this.nodeName);
            if (this.domain != null) {
                xContentBuilder.field("domain", this.domain);
            }
            xContentBuilder.endObject();
            return xContentBuilder;
        }

        public String getNodeName() {
            return this.nodeName;
        }

        public String getName() {
            return this.name;
        }

        public String getType() {
            return this.type;
        }

        @Nullable
        public RealmDomain getDomain() {
            return this.domain;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RealmRef realmRef = (RealmRef) obj;
            if (this.nodeName.equals(realmRef.nodeName) && this.type.equals(realmRef.type)) {
                return Objects.equals(this.domain, realmRef.domain);
            }
            return false;
        }

        public int hashCode() {
            int hashCode = (31 * ((31 * this.nodeName.hashCode()) + this.name.hashCode())) + this.type.hashCode();
            if (this.domain != null) {
                hashCode = (31 * hashCode) + this.domain.hashCode();
            }
            return hashCode;
        }

        public String toString() {
            return this.domain != null ? "{Realm[" + this.type + "." + this.name + "] under Domain[" + this.domain.name() + "] on Node[" + this.nodeName + "]}" : "{Realm[" + this.type + "." + this.name + "] on Node[" + this.nodeName + "]}";
        }

        private boolean isFallbackRealm() {
            return "__fallback".equals(this.name) && "__fallback".equals(this.type);
        }

        private boolean isAttachRealm() {
            return "__attach".equals(this.name) && "__attach".equals(this.type);
        }

        private boolean isAnonymousRealm() {
            return "__anonymous".equals(this.name) && "__anonymous".equals(this.type);
        }

        private boolean isApiKeyRealm() {
            return "_es_api_key".equals(this.name) && "_es_api_key".equals(this.type);
        }

        private boolean isCrossClusterAccessRealm() {
            return "_es_cross_cluster_access".equals(this.name) && "_es_cross_cluster_access".equals(this.type);
        }

        static RealmRef newInternalAttachRealmRef(String str) {
            return new RealmRef("__attach", "__attach", str, null);
        }

        static RealmRef newInternalFallbackRealmRef(String str) {
            return new RealmRef("__fallback", "__fallback", str, null);
        }

        public static RealmRef newAnonymousRealmRef(String str) {
            return new RealmRef("__anonymous", "__anonymous", str, null);
        }

        static RealmRef newServiceAccountRealmRef(String str) {
            return new RealmRef("_service_account", "_service_account", str, null);
        }

        static RealmRef newApiKeyRealmRef(String str) {
            return new RealmRef("_es_api_key", "_es_api_key", str, null);
        }

        static RealmRef newCrossClusterAccessRealmRef(String str) {
            return new RealmRef("_es_cross_cluster_access", "_es_cross_cluster_access", str, null);
        }
    }

    private Authentication(Subject subject, AuthenticationType authenticationType) {
        this(subject, subject, authenticationType);
    }

    private Authentication(Subject subject, Subject subject2, AuthenticationType authenticationType) {
        this.effectiveSubject = (Subject) Objects.requireNonNull(subject, "effective subject cannot be null");
        this.authenticatingSubject = (Subject) Objects.requireNonNull(subject2, "authenticating subject cannot be null");
        this.type = (AuthenticationType) Objects.requireNonNull(authenticationType, "authentication type cannot be null");
        if (Assertions.ENABLED) {
            checkConsistency();
        }
    }

    public Authentication(StreamInput streamInput) throws IOException {
        User user;
        Map<String, Object> of;
        User readUserWithoutTrailingBoolean = AuthenticationSerializationHelper.readUserWithoutTrailingBoolean(streamInput);
        if (readUserWithoutTrailingBoolean instanceof InternalUser ? false : streamInput.readBoolean()) {
            user = AuthenticationSerializationHelper.readUserFrom(streamInput);
            if (!$assertionsDisabled && false != (user instanceof InternalUser)) {
                throw new AssertionError("internal users cannot participate in run-as [" + user + "]");
            }
        } else {
            user = null;
        }
        RealmRef realmRef = new RealmRef(streamInput);
        RealmRef realmRef2 = streamInput.readBoolean() ? new RealmRef(streamInput) : null;
        if (!$assertionsDisabled && user == null && realmRef2 != null) {
            throw new AssertionError("Authentication has no inner-user, but looked-up-by is [" + realmRef2 + "]");
        }
        TransportVersion transportVersion = streamInput.getTransportVersion();
        if (transportVersion.onOrAfter(VERSION_AUTHENTICATION_TYPE)) {
            this.type = AuthenticationType.values()[streamInput.readVInt()];
            of = readMetadata(streamInput);
        } else {
            this.type = AuthenticationType.REALM;
            of = Map.of();
        }
        if (user != null) {
            this.authenticatingSubject = new Subject(user, realmRef, transportVersion, of);
            this.effectiveSubject = new Subject(readUserWithoutTrailingBoolean, realmRef2, transportVersion, Map.of());
        } else {
            Subject subject = new Subject(readUserWithoutTrailingBoolean, realmRef, transportVersion, of);
            this.effectiveSubject = subject;
            this.authenticatingSubject = subject;
        }
        if (Assertions.ENABLED) {
            checkConsistency();
        }
    }

    public Subject getAuthenticatingSubject() {
        return this.authenticatingSubject;
    }

    public Subject getEffectiveSubject() {
        return this.effectiveSubject;
    }

    public AuthenticationType getAuthenticationType() {
        return this.type;
    }

    public boolean isRunAs() {
        return this.authenticatingSubject != this.effectiveSubject;
    }

    public boolean isFailedRunAs() {
        return isRunAs() && this.effectiveSubject.getRealm() == null;
    }

    public Authentication maybeRewriteForOlderVersion(TransportVersion transportVersion) {
        if (isCrossClusterAccess() && transportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) {
            throw new IllegalArgumentException("versions of Elasticsearch before [" + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY + "] can't handle cross cluster access authentication and attempted to rewrite for [" + transportVersion + "]");
        }
        Map<String, Object> maybeRewriteMetadata = maybeRewriteMetadata(transportVersion, this);
        return isRunAs() ? new Authentication(new Subject(this.effectiveSubject.getUser(), maybeRewriteRealmRef(transportVersion, this.effectiveSubject.getRealm()), transportVersion, this.effectiveSubject.getMetadata()), new Subject(this.authenticatingSubject.getUser(), maybeRewriteRealmRef(transportVersion, this.authenticatingSubject.getRealm()), transportVersion, maybeRewriteMetadata), this.type) : new Authentication(new Subject(this.authenticatingSubject.getUser(), maybeRewriteRealmRef(transportVersion, this.authenticatingSubject.getRealm()), transportVersion, maybeRewriteMetadata), this.type);
    }

    private static Map<String, Object> maybeRewriteMetadata(TransportVersion transportVersion, Authentication authentication) {
        return authentication.isAuthenticatedAsApiKey() ? maybeRewriteMetadataForApiKeyRoleDescriptors(transportVersion, authentication) : authentication.isCrossClusterAccess() ? maybeRewriteMetadataForCrossClusterAccessAuthentication(transportVersion, authentication) : authentication.getAuthenticatingSubject().getMetadata();
    }

    public Authentication copyWithFilteredMetadataFields(Set<String> set) {
        Objects.requireNonNull(set);
        if (set.isEmpty()) {
            return copyWithEmptyMetadata();
        }
        HashMap hashMap = new HashMap(this.authenticatingSubject.getMetadata());
        boolean retainAll = hashMap.keySet().retainAll(set);
        if (logger.isTraceEnabled() && retainAll) {
            logger.trace("Authentication metadata [{}] for subject [{}] contains fields other than [{}]. These will be removed in the copy.", this.authenticatingSubject.getMetadata().keySet(), this.authenticatingSubject.getUser().principal(), set);
        }
        return copyWithMetadata(Collections.unmodifiableMap(hashMap));
    }

    public Authentication copyWithEmptyMetadata() {
        if (logger.isTraceEnabled() && false == this.authenticatingSubject.getMetadata().isEmpty()) {
            logger.trace("Authentication metadata [{}] for subject [{}] is not empty. All fields will be removed in the copy.", this.authenticatingSubject.getMetadata().keySet(), this.authenticatingSubject.getUser().principal());
        }
        return copyWithMetadata(Collections.emptyMap());
    }

    private Authentication copyWithMetadata(Map<String, Object> map) {
        Objects.requireNonNull(map);
        return isRunAs() ? new Authentication(this.effectiveSubject, new Subject(this.authenticatingSubject.getUser(), this.authenticatingSubject.getRealm(), this.authenticatingSubject.getTransportVersion(), map), this.type) : new Authentication(new Subject(this.authenticatingSubject.getUser(), this.authenticatingSubject.getRealm(), this.authenticatingSubject.getTransportVersion(), map), this.type);
    }

    public Authentication runAs(User user, @Nullable RealmRef realmRef) {
        if (!$assertionsDisabled && !supportsRunAs(null)) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != (user instanceof AnonymousUser)) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != hasSyntheticRealmNameOrType(realmRef)) {
            throw new AssertionError("should not use synthetic realm name/type for lookup realms");
        }
        Objects.requireNonNull(user);
        return new Authentication(new Subject(user, realmRef, getEffectiveSubject().getTransportVersion(), Map.of()), this.authenticatingSubject, this.type);
    }

    public Authentication token() {
        if (!$assertionsDisabled && false != isAuthenticatedInternally()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != isServiceAccount()) {
            throw new AssertionError();
        }
        if ($assertionsDisabled || false == isCrossClusterAccess()) {
            return new Authentication(this.effectiveSubject, this.authenticatingSubject, AuthenticationType.TOKEN);
        }
        throw new AssertionError();
    }

    public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUser) {
        if (false == (anonymousUser != null && anonymousUser.enabled() && false == anonymousUser.equals(getEffectiveSubject().getUser()) && false == (getEffectiveSubject().getUser() instanceof InternalUser) && false == isApiKey() && false == isCrossClusterAccess() && false == isServiceAccount())) {
            return this;
        }
        if (anonymousUser.roles().length == 0) {
            throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
        }
        String[] strArr = (String[]) ArrayUtils.concat(getEffectiveSubject().getUser().roles(), anonymousUser.roles());
        if (isRunAs()) {
            User user = this.effectiveSubject.getUser();
            return new Authentication(new Subject(new User(user.principal(), strArr, user.fullName(), user.email(), user.metadata(), user.enabled()), this.effectiveSubject.getRealm(), this.effectiveSubject.getTransportVersion(), this.effectiveSubject.getMetadata()), this.authenticatingSubject, this.type);
        }
        User user2 = this.authenticatingSubject.getUser();
        return new Authentication(new Subject(new User(user2.principal(), strArr, user2.fullName(), user2.email(), user2.metadata(), user2.enabled()), this.authenticatingSubject.getRealm(), this.authenticatingSubject.getTransportVersion(), this.authenticatingSubject.getMetadata()), this.type);
    }

    boolean isAssignedToDomain() {
        return getDomain() != null;
    }

    @Nullable
    RealmDomain getDomain() {
        if (isFailedRunAs()) {
            return null;
        }
        return getEffectiveSubject().getRealm().getDomain();
    }

    public boolean isAuthenticatedAsApiKey() {
        return this.authenticatingSubject.getType() == Subject.Type.API_KEY;
    }

    private boolean isAuthenticatedAnonymously() {
        return AuthenticationType.ANONYMOUS.equals(getAuthenticationType());
    }

    private boolean isAuthenticatedInternally() {
        return AuthenticationType.INTERNAL.equals(getAuthenticationType());
    }

    public boolean isServiceAccount() {
        return this.effectiveSubject.getType() == Subject.Type.SERVICE_ACCOUNT;
    }

    public boolean isApiKey() {
        return this.effectiveSubject.getType() == Subject.Type.API_KEY;
    }

    public boolean isCrossClusterAccess() {
        return this.effectiveSubject.getType() == Subject.Type.CROSS_CLUSTER_ACCESS;
    }

    public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
        if (isRunAs() || isServiceAccount() || isCrossClusterAccess() || (getEffectiveSubject().getUser() instanceof InternalUser)) {
            return false;
        }
        if (!getEffectiveSubject().getUser().equals(anonymousUser)) {
            return AuthenticationType.REALM == getAuthenticationType() || AuthenticationType.API_KEY == getAuthenticationType() || AuthenticationType.TOKEN == getAuthenticationType();
        }
        if ($assertionsDisabled) {
            return false;
        }
        if ("__anonymous".equals(getAuthenticatingSubject().getRealm().getType()) && "__anonymous".equals(getAuthenticatingSubject().getRealm().getName())) {
            return false;
        }
        throw new AssertionError();
    }

    public void writeToContext(ThreadContext threadContext) throws IOException, IllegalArgumentException {
        new AuthenticationContextSerializer().writeToContext(this, threadContext);
    }

    public String encode() throws IOException {
        return doEncode(this.effectiveSubject, this.authenticatingSubject, this.type);
    }

    static String doEncode(Subject subject, Subject subject2, AuthenticationType authenticationType) throws IOException {
        BytesStreamOutput bytesStreamOutput = new BytesStreamOutput();
        bytesStreamOutput.setTransportVersion(subject.getTransportVersion());
        TransportVersion.writeVersion(subject.getTransportVersion(), bytesStreamOutput);
        doWriteTo(subject, subject2, authenticationType, bytesStreamOutput);
        return Base64.getEncoder().encodeToString(BytesReference.toBytes(bytesStreamOutput.bytes()));
    }

    public void writeTo(StreamOutput streamOutput) throws IOException {
        doWriteTo(this.effectiveSubject, this.authenticatingSubject, this.type, streamOutput);
    }

    private static void doWriteTo(Subject subject, Subject subject2, AuthenticationType authenticationType, StreamOutput streamOutput) throws IOException {
        if ((subject.getType() == Subject.Type.CROSS_CLUSTER_ACCESS) && streamOutput.getTransportVersion().before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) {
            throw new IllegalArgumentException("versions of Elasticsearch before [" + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY + "] can't handle cross cluster access authentication and attempted to send to [" + streamOutput.getTransportVersion() + "]");
        }
        boolean z = subject2 != subject;
        if (z) {
            User user = subject.getUser();
            User user2 = subject2.getUser();
            if (!$assertionsDisabled && (false != (user instanceof InternalUser) || false != (user2 instanceof InternalUser))) {
                throw new AssertionError("internal users cannot participate in run-as (outer=[" + user + "] inner=[" + user2 + "])");
            }
            User.writeUser(user, streamOutput);
            streamOutput.writeBoolean(true);
            User.writeUser(user2, streamOutput);
            streamOutput.writeBoolean(false);
        } else {
            AuthenticationSerializationHelper.writeUserTo(subject.getUser(), streamOutput);
        }
        subject2.getRealm().writeTo(streamOutput);
        RealmRef realm = z ? subject.getRealm() : null;
        if (realm != null) {
            streamOutput.writeBoolean(true);
            realm.writeTo(streamOutput);
        } else {
            streamOutput.writeBoolean(false);
        }
        Map<String, Object> metadata = subject2.getMetadata();
        if (streamOutput.getTransportVersion().onOrAfter(VERSION_AUTHENTICATION_TYPE)) {
            streamOutput.writeVInt(authenticationType.ordinal());
            writeMetadata(streamOutput, metadata);
        } else {
            if ($assertionsDisabled) {
                return;
            }
            if (authenticationType != AuthenticationType.REALM || !metadata.isEmpty()) {
                throw new AssertionError(Strings.format("authentication with version [%s] must have authentication type %s and empty metadata, but got [%s] and [%s]", new Object[]{streamOutput.getTransportVersion(), AuthenticationType.REALM, authenticationType, metadata}));
            }
        }
    }

    public boolean canAccessResourcesOf(Authentication authentication) {
        if ($assertionsDisabled || EnumSet.of(AuthenticationType.REALM, AuthenticationType.API_KEY, AuthenticationType.TOKEN, AuthenticationType.ANONYMOUS, AuthenticationType.INTERNAL).containsAll(EnumSet.of(getAuthenticationType(), authentication.getAuthenticationType()))) {
            return getEffectiveSubject().canAccessResourcesOf(authentication.getEffectiveSubject());
        }
        throw new AssertionError("cross AuthenticationType comparison for canAccessResourcesOf is not applicable for: " + EnumSet.of(getAuthenticationType(), authentication.getAuthenticationType()));
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        Authentication authentication = (Authentication) obj;
        return this.type == authentication.type && this.authenticatingSubject.equals(authentication.authenticatingSubject) && this.effectiveSubject.equals(authentication.effectiveSubject);
    }

    public int hashCode() {
        return Objects.hash(this.type, this.authenticatingSubject, this.effectiveSubject);
    }

    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.startObject();
        toXContentFragment(xContentBuilder);
        return xContentBuilder.endObject();
    }

    public void toXContentFragment(XContentBuilder xContentBuilder) throws IOException {
        User user = this.effectiveSubject.getUser();
        xContentBuilder.field(User.Fields.USERNAME.getPreferredName(), user.principal());
        xContentBuilder.array(User.Fields.ROLES.getPreferredName(), user.roles());
        xContentBuilder.field(User.Fields.FULL_NAME.getPreferredName(), user.fullName());
        xContentBuilder.field(User.Fields.EMAIL.getPreferredName(), user.email());
        if (isServiceAccount()) {
            String str = (String) getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_NAME_FIELD);
            if (!$assertionsDisabled && str == null) {
                throw new AssertionError("token name cannot be null");
            }
            String str2 = (String) getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD);
            if (!$assertionsDisabled && str2 == null) {
                throw new AssertionError("token source cannot be null");
            }
            xContentBuilder.field(User.Fields.TOKEN.getPreferredName(), Map.of("name", str, "type", "_service_account_" + str2));
        }
        xContentBuilder.field(User.Fields.METADATA.getPreferredName(), user.metadata());
        xContentBuilder.field(User.Fields.ENABLED.getPreferredName(), user.enabled());
        xContentBuilder.startObject(User.Fields.AUTHENTICATION_REALM.getPreferredName());
        xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getAuthenticatingSubject().getRealm().getName());
        xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getAuthenticatingSubject().getRealm().getType());
        if (getAuthenticatingSubject().getRealm().getDomain() != null) {
            xContentBuilder.field(User.Fields.REALM_DOMAIN.getPreferredName(), getAuthenticatingSubject().getRealm().getDomain().name());
        }
        xContentBuilder.endObject();
        xContentBuilder.startObject(User.Fields.LOOKUP_REALM.getPreferredName());
        RealmRef realm = isRunAs() ? getEffectiveSubject().getRealm() : null;
        if (realm != null) {
            xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), realm.getName());
            xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), realm.getType());
            if (realm.getDomain() != null) {
                xContentBuilder.field(User.Fields.REALM_DOMAIN.getPreferredName(), realm.getDomain().name());
            }
        } else {
            xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getAuthenticatingSubject().getRealm().getName());
            xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getAuthenticatingSubject().getRealm().getType());
            if (getAuthenticatingSubject().getRealm().getDomain() != null) {
                xContentBuilder.field(User.Fields.REALM_DOMAIN.getPreferredName(), getAuthenticatingSubject().getRealm().getDomain().name());
            }
        }
        xContentBuilder.endObject();
        xContentBuilder.field(User.Fields.AUTHENTICATION_TYPE.getPreferredName(), getAuthenticationType().name().toLowerCase(Locale.ROOT));
        if (isApiKey() || isCrossClusterAccess()) {
            String str3 = (String) getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
            String str4 = (String) getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_NAME_KEY);
            if (str4 == null) {
                xContentBuilder.field("api_key", Map.of("id", str3));
            } else {
                xContentBuilder.field("api_key", Map.of("id", str3, "name", str4));
            }
        }
    }

    public static Authentication getAuthenticationFromCrossClusterAccessMetadata(Authentication authentication) {
        if (authentication.isCrossClusterAccess()) {
            return (Authentication) authentication.getAuthenticatingSubject().getMetadata().get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY);
        }
        if ($assertionsDisabled) {
            throw new IllegalArgumentException("authentication is not cross_cluster_access");
        }
        throw new AssertionError("authentication is not cross_cluster_access");
    }

    private static Map<String, Object> readMetadata(StreamInput streamInput) throws IOException {
        if (!streamInput.getTransportVersion().onOrAfter(VERSION_METADATA_BEYOND_GENERIC_MAP)) {
            return streamInput.readGenericMap();
        }
        int readVInt = streamInput.readVInt();
        Map<String, Object> newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(readVInt);
        for (int i = 0; i < readVInt; i++) {
            String readString = streamInput.readString();
            newHashMapWithExpectedSize.put(readString, METADATA_VALUE_READER.getOrDefault(readString, (v0) -> {
                return v0.readGenericValue();
            }).apply(streamInput));
        }
        return newHashMapWithExpectedSize;
    }

    private static void writeMetadata(StreamOutput streamOutput, Map<String, Object> map) throws IOException {
        if (!streamOutput.getTransportVersion().onOrAfter(VERSION_METADATA_BEYOND_GENERIC_MAP)) {
            streamOutput.writeGenericMap(map);
            return;
        }
        streamOutput.writeVInt(map.size());
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            streamOutput.writeString(entry.getKey());
            METADATA_VALUE_WRITER.getOrDefault(entry.getKey(), (v0, v1) -> {
                v0.writeGenericValue(v1);
            }).write(streamOutput, entry.getValue());
        }
    }

    public void checkConsistency() {
        if (isRunAs()) {
            if (!$assertionsDisabled && this.authenticatingSubject == this.effectiveSubject) {
                throw new AssertionError("isRunAs logic does not hold");
            }
        } else if (!$assertionsDisabled && this.authenticatingSubject != this.effectiveSubject) {
            throw new AssertionError("isRunAs logic does not hold");
        }
        switch (AnonymousClass1.$SwitchMap$org$elasticsearch$xpack$core$security$authc$Authentication$AuthenticationType[getAuthenticationType().ordinal()]) {
            case 1:
                checkConsistencyForAnonymousAuthenticationType();
                return;
            case 2:
                checkConsistencyForInternalAuthenticationType();
                return;
            case 3:
                checkConsistencyForApiKeyAuthenticationType();
                return;
            case License.VERSION_CRYPTO_ALGORITHMS /* 4 */:
                checkConsistencyForRealmAuthenticationType();
                return;
            case 5:
                checkConsistencyForTokenAuthenticationType();
                return;
            default:
                if (!$assertionsDisabled) {
                    throw new AssertionError("unknown authentication type " + this.type);
                }
                return;
        }
    }

    private void checkConsistencyForAnonymousAuthenticationType() {
        RealmRef realm = this.authenticatingSubject.getRealm();
        if (false == realm.isAnonymousRealm()) {
            throw new IllegalArgumentException(Strings.format("Anonymous authentication cannot have realm type [%s]", new Object[]{realm.type}));
        }
        checkNoDomain(realm, "Anonymous");
        checkNoInternalUser(this.authenticatingSubject, "Anonymous");
        checkNoRunAs(this, "Anonymous");
    }

    private void checkConsistencyForInternalAuthenticationType() {
        RealmRef realm = this.authenticatingSubject.getRealm();
        if (false == realm.isFallbackRealm() && false == realm.isAttachRealm()) {
            throw new IllegalArgumentException(Strings.format("Internal authentication cannot have realm type [%s]", new Object[]{realm.type}));
        }
        checkNoDomain(realm, "Internal");
        if (false == (this.authenticatingSubject.getUser() instanceof InternalUser)) {
            throw new IllegalArgumentException("Internal authentication must have internal user");
        }
        checkNoRunAs(this, "Internal");
    }

    private void checkConsistencyForApiKeyAuthenticationType() {
        RealmRef realm = this.authenticatingSubject.getRealm();
        if (false == realm.isApiKeyRealm() && false == realm.isCrossClusterAccessRealm()) {
            throw new IllegalArgumentException(Strings.format("API key authentication cannot have realm type [%s]", new Object[]{realm.type}));
        }
        checkConsistencyForApiKeyAuthenticatingSubject("API key");
        if (Subject.Type.CROSS_CLUSTER_ACCESS != this.authenticatingSubject.getType()) {
            if (isRunAs()) {
                checkRunAsConsistency(this.effectiveSubject, this.authenticatingSubject);
            }
        } else {
            if (this.authenticatingSubject.getMetadata().get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY) == null) {
                throw new IllegalArgumentException("Cross cluster access authentication requires metadata to contain a non-null serialized cross cluster access authentication field");
            }
            if (((Authentication) this.authenticatingSubject.getMetadata().get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY)).isCrossClusterAccess()) {
                throw new IllegalArgumentException("Cross cluster access authentication cannot contain another cross cluster access authentication in its metadata");
            }
            if (this.authenticatingSubject.getMetadata().get(AuthenticationField.CROSS_CLUSTER_ACCESS_ROLE_DESCRIPTORS_KEY) == null) {
                throw new IllegalArgumentException("Cross cluster access authentication requires metadata to contain a non-null serialized cross cluster access role descriptors field");
            }
            checkNoRunAs(this, "Cross cluster access");
        }
    }

    private void checkConsistencyForRealmAuthenticationType() {
        if (Subject.Type.USER != this.authenticatingSubject.getType()) {
            throw new IllegalArgumentException("Realm authentication must have subject type of user");
        }
        if (isRunAs()) {
            checkRunAsConsistency(this.effectiveSubject, this.authenticatingSubject);
        }
    }

    private void checkConsistencyForTokenAuthenticationType() {
        RealmRef realm = this.authenticatingSubject.getRealm();
        if (!$assertionsDisabled && (false != realm.isAttachRealm() || false != realm.isFallbackRealm() || false != realm.isCrossClusterAccessRealm())) {
            throw new AssertionError("Token authentication cannot have authenticating realm " + realm);
        }
        checkNoInternalUser(this.authenticatingSubject, "Token");
        if (Subject.Type.SERVICE_ACCOUNT == this.authenticatingSubject.getType()) {
            checkNoDomain(realm, "Service account");
            checkNoRole(this.authenticatingSubject, "Service account");
            checkNoRunAs(this, "Service account");
        } else {
            if (Subject.Type.API_KEY == this.authenticatingSubject.getType()) {
                checkConsistencyForApiKeyAuthenticatingSubject("API key token");
            }
            if (isRunAs()) {
                checkRunAsConsistency(this.effectiveSubject, this.authenticatingSubject);
            }
        }
    }

    private static void checkRunAsConsistency(Subject subject, Subject subject2) {
        if (false == subject.getTransportVersion().equals(subject2.getTransportVersion())) {
            throw new IllegalArgumentException(Strings.format("inconsistent versions between effective subject [%s] and authenticating subject [%s]", new Object[]{subject.getTransportVersion(), subject2.getTransportVersion()}));
        }
        if (Subject.Type.USER != subject.getType()) {
            throw new IllegalArgumentException(Strings.format("Run-as subject type cannot be [%s]", new Object[]{subject.getType()}));
        }
        if (false == subject.getMetadata().isEmpty()) {
            throw new IllegalArgumentException("Run-as subject must have empty metadata");
        }
        if (!$assertionsDisabled && false != hasSyntheticRealmNameOrType(subject.getRealm())) {
            throw new AssertionError("run-as subject cannot be from a synthetic realm");
        }
    }

    private void checkConsistencyForApiKeyAuthenticatingSubject(String str) {
        checkNoDomain(this.authenticatingSubject.getRealm(), str);
        checkNoInternalUser(this.authenticatingSubject, str);
        checkNoRole(this.authenticatingSubject, str);
        if (this.authenticatingSubject.getMetadata().get(AuthenticationField.API_KEY_ID_KEY) == null) {
            throw new IllegalArgumentException(str + " authentication requires metadata to contain a non-null API key ID");
        }
    }

    private static void checkNoInternalUser(Subject subject, String str) {
        if (subject.getUser() instanceof InternalUser) {
            throw new IllegalArgumentException(Strings.format(str + " authentication cannot have internal user [%s]", new Object[]{subject.getUser().principal()}));
        }
    }

    private static void checkNoDomain(RealmRef realmRef, String str) {
        if (realmRef.getDomain() != null) {
            throw new IllegalArgumentException(str + " authentication cannot have domain");
        }
    }

    private static void checkNoRole(Subject subject, String str) {
        if (subject.getUser().roles().length != 0) {
            throw new IllegalArgumentException(str + " authentication user must have no role");
        }
    }

    private static void checkNoRunAs(Authentication authentication, String str) {
        if (authentication.isRunAs()) {
            throw new IllegalArgumentException(str + " authentication cannot run-as other user");
        }
    }

    private static boolean hasSyntheticRealmNameOrType(@Nullable RealmRef realmRef) {
        if (realmRef == null) {
            return false;
        }
        return List.of("_es_api_key", "_service_account", "__anonymous", "__fallback", "__attach", "_es_cross_cluster_access").contains(realmRef.getName()) || List.of("_es_api_key", "_service_account", "__anonymous", "__fallback", "__attach", "_es_cross_cluster_access").contains(realmRef.getType());
    }

    public String toString() {
        StringBuilder append = new StringBuilder("Authentication[effectiveSubject=").append(this.effectiveSubject);
        if (isRunAs()) {
            append.append(",authenticatingSubject=").append(this.authenticatingSubject);
        }
        append.append(",type=").append(this.type);
        append.append("]");
        return append.toString();
    }

    public static boolean isFileOrNativeRealm(String str) {
        return FileRealmSettings.TYPE.equals(str) || NativeRealmSettings.TYPE.equals(str);
    }

    public static Authentication newInternalAuthentication(InternalUser internalUser, TransportVersion transportVersion, String str) {
        return new Authentication(new Subject(internalUser, RealmRef.newInternalAttachRealmRef(str), transportVersion, Map.of()), AuthenticationType.INTERNAL);
    }

    public static Authentication newInternalFallbackAuthentication(User user, String str) {
        return new Authentication(new Subject(user, RealmRef.newInternalFallbackRealmRef(str), TransportVersion.current(), Map.of()), AuthenticationType.INTERNAL);
    }

    public static Authentication newAnonymousAuthentication(AnonymousUser anonymousUser, String str) {
        return new Authentication(new Subject(anonymousUser, RealmRef.newAnonymousRealmRef(str), TransportVersion.current(), Map.of()), AuthenticationType.ANONYMOUS);
    }

    public static Authentication newServiceAccountAuthentication(User user, String str, Map<String, Object> map) {
        return new Authentication(new Subject(user, RealmRef.newServiceAccountRealmRef(str), TransportVersion.current(), map), AuthenticationType.TOKEN);
    }

    public static Authentication newRealmAuthentication(User user, RealmRef realmRef) {
        Authentication authentication = new Authentication(new Subject(user, realmRef, TransportVersion.current(), Map.of()), AuthenticationType.REALM);
        if (!$assertionsDisabled && false != authentication.isServiceAccount()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != authentication.isApiKey()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != authentication.isCrossClusterAccess()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != authentication.isAuthenticatedInternally()) {
            throw new AssertionError();
        }
        if ($assertionsDisabled || false == authentication.isAuthenticatedAnonymously()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public static Authentication newApiKeyAuthentication(AuthenticationResult<User> authenticationResult, String str) {
        if (!$assertionsDisabled && !authenticationResult.isAuthenticated()) {
            throw new AssertionError("API Key authn result must be successful");
        }
        User value = authenticationResult.getValue();
        if ($assertionsDisabled || value.roles().length == 0) {
            return new Authentication(new Subject(value, RealmRef.newApiKeyRealmRef(str), TransportVersion.current(), authenticationResult.getMetadata()), AuthenticationType.API_KEY);
        }
        throw new AssertionError("The user associated to an API key authentication must have no role");
    }

    public Authentication toCrossClusterAccess(CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo) {
        if (!$assertionsDisabled && !isApiKey()) {
            throw new AssertionError("can only convert API key authentication to cross cluster access");
        }
        if (!$assertionsDisabled && false != isRunAs()) {
            throw new AssertionError("cross cluster access does not support authentication with run-as");
        }
        if (!$assertionsDisabled && getEffectiveSubject().getUser().roles().length != 0) {
            throw new AssertionError("the user associated with a cross cluster access authentication must have no role");
        }
        HashMap hashMap = new HashMap(getAuthenticatingSubject().getMetadata());
        return new Authentication(new Subject(getEffectiveSubject().getUser(), RealmRef.newCrossClusterAccessRealmRef(getAuthenticatingSubject().getRealm().getNodeName()), TransportVersion.current(), crossClusterAccessSubjectInfo.copyWithCrossClusterAccessEntries(hashMap)), getAuthenticationType());
    }

    static RealmRef maybeRewriteRealmRef(TransportVersion transportVersion, RealmRef realmRef) {
        if (realmRef == null || realmRef.getDomain() == null || !transportVersion.before(VERSION_REALM_DOMAINS)) {
            return realmRef;
        }
        logger.info("Rewriting realm [" + realmRef + "] without domain");
        return new RealmRef(realmRef.getName(), realmRef.getType(), realmRef.getNodeName(), null);
    }

    private static Map<String, Object> maybeRewriteMetadataForApiKeyRoleDescriptors(TransportVersion transportVersion, Authentication authentication) {
        Map<String, Object> metadata = authentication.getAuthenticatingSubject().getMetadata();
        if (authentication.isAuthenticatedAsApiKey()) {
            if (!$assertionsDisabled && !metadata.containsKey(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)) {
                throw new AssertionError("metadata must contain role descriptor for API key authentication");
            }
            if (!$assertionsDisabled && !metadata.containsKey(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)) {
                throw new AssertionError("metadata must contain limited role descriptor for API key authentication");
            }
            if (authentication.getEffectiveSubject().getTransportVersion().onOrAfter(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY) && transportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) {
                metadata = new HashMap(metadata);
                metadata.put(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, maybeRemoveRemoteIndicesFromRoleDescriptors((BytesReference) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)));
                metadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, maybeRemoveRemoteIndicesFromRoleDescriptors((BytesReference) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
            }
            if (authentication.getEffectiveSubject().getTransportVersion().onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES) && transportVersion.before(VERSION_API_KEY_ROLES_AS_BYTES)) {
                metadata = new HashMap(metadata);
                metadata.put(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsBytesToMap((BytesReference) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)));
                metadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsBytesToMap((BytesReference) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
            } else if (authentication.getEffectiveSubject().getTransportVersion().before(VERSION_API_KEY_ROLES_AS_BYTES) && transportVersion.onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES)) {
                metadata = new HashMap(metadata);
                metadata.put(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsMapToBytes((Map) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)));
                metadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsMapToBytes((Map) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
            }
        }
        return metadata;
    }

    static Map<String, Object> maybeRewriteMetadataForCrossClusterAccessAuthentication(TransportVersion transportVersion, Authentication authentication) {
        if (!$assertionsDisabled && !authentication.isCrossClusterAccess()) {
            throw new AssertionError("authentication must be cross cluster access");
        }
        Map<String, Object> metadata = authentication.getAuthenticatingSubject().getMetadata();
        if (!$assertionsDisabled && !metadata.containsKey(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY)) {
            throw new AssertionError("metadata must contain authentication object for cross cluster access authentication");
        }
        Authentication authentication2 = (Authentication) metadata.get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY);
        TransportVersion transportVersion2 = authentication2.getEffectiveSubject().getTransportVersion();
        if (!transportVersion2.after(transportVersion)) {
            return metadata;
        }
        logger.trace(() -> {
            return "Cross cluster access authentication has authentication field in metadata [" + authentication2 + "] that may require a rewrite from version [" + transportVersion2 + "] to [" + transportVersion + "]";
        });
        HashMap hashMap = new HashMap(metadata);
        hashMap.put(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY, authentication2.maybeRewriteForOlderVersion(transportVersion));
        return hashMap;
    }

    private static Map<String, Object> convertRoleDescriptorsBytesToMap(BytesReference bytesReference) {
        return (Map) XContentHelper.convertToMap(bytesReference, false, XContentType.JSON).v2();
    }

    private static BytesReference convertRoleDescriptorsMapToBytes(Map<String, Object> map) {
        try {
            XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent());
            try {
                builder.map(map);
                BytesReference bytes = BytesReference.bytes(builder);
                if (builder != null) {
                    builder.close();
                }
                return bytes;
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    static BytesReference maybeRemoveRemoteIndicesFromRoleDescriptors(BytesReference bytesReference) {
        if (bytesReference == null || bytesReference.length() == 0) {
            return bytesReference;
        }
        Map<String, Object> convertRoleDescriptorsBytesToMap = convertRoleDescriptorsBytesToMap(bytesReference);
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        convertRoleDescriptorsBytesToMap.forEach((str, obj) -> {
            if (obj instanceof Map) {
                if (((Map) obj).remove(RoleDescriptor.Fields.REMOTE_INDICES.getPreferredName()) != null) {
                    atomicBoolean.set(true);
                }
            }
        });
        return atomicBoolean.get() ? convertRoleDescriptorsMapToBytes(convertRoleDescriptorsBytesToMap) : bytesReference;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean equivalentRealms(String str, String str2, String str3, String str4) {
        if (false == str2.equals(str4)) {
            return false;
        }
        if (isFileOrNativeRealm(str2)) {
            return true;
        }
        return str.equals(str3);
    }

    static {
        $assertionsDisabled = !Authentication.class.desiredAssertionStatus();
        logger = LogManager.getLogger(Authentication.class);
        VERSION_AUTHENTICATION_TYPE = TransportVersion.fromId(6070099);
        VERSION_API_KEY_ROLES_AS_BYTES = TransportVersions.V_7_9_0;
        VERSION_REALM_DOMAINS = TransportVersions.V_8_2_0;
        VERSION_METADATA_BEYOND_GENERIC_MAP = TransportVersions.V_8_8_0;
        METADATA_VALUE_READER = Map.of(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY, Authentication::new, AuthenticationField.CROSS_CLUSTER_ACCESS_ROLE_DESCRIPTORS_KEY, streamInput -> {
            return streamInput.readCollectionAsList(CrossClusterAccessSubjectInfo.RoleDescriptorsBytes::new);
        });
        METADATA_VALUE_WRITER = Map.of(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY, (streamOutput, obj) -> {
            ((Authentication) obj).writeTo(streamOutput);
        }, AuthenticationField.CROSS_CLUSTER_ACCESS_ROLE_DESCRIPTORS_KEY, (streamOutput2, obj2) -> {
            streamOutput2.writeCollection((List) obj2);
        });
        REALM_REF_PARSER = new ConstructingObjectParser<>("realm_ref", false, (objArr, r9) -> {
            return new RealmRef((String) objArr[0], (String) objArr[1], (String) objArr[2], (RealmDomain) objArr[3]);
        });
        REALM_REF_PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("name", new String[0]));
        REALM_REF_PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("type", new String[0]));
        REALM_REF_PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("node_name", new String[0]));
        REALM_REF_PARSER.declareObject(ConstructingObjectParser.optionalConstructorArg(), (xContentParser, r5) -> {
            return (RealmDomain) RealmDomain.REALM_DOMAIN_PARSER.parse(xContentParser, r5);
        }, new ParseField("domain", new String[0]));
    }
}
