package org.elasticsearch.xpack.core.security.action.apikey;

import java.io.IOException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.elasticsearch.common.xcontent.XContentParserUtils;
import org.elasticsearch.core.Assertions;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xcontent.AbstractObjectParser;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/action/apikey/ApiKey.class */
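/**
 * Immutable, descriptive view of an API key: identifier, name, type, lifecycle timestamps, owner
 * (username and realm), caller-supplied metadata and the role descriptors attached to the key.
 *
 * <p>Points a reviewer should keep in mind when consuming this type:
 * <ul>
 *   <li>No key secret or hash is held here; none of the fields below carries credential material.</li>
 *   <li>{@link #isInvalidated()} and {@link #getExpiration()} are independent facts. This class has no
 *       "is currently usable" method, so a caller deciding on validity must check both.</li>
 *   <li>Several structural invariants (a single limited-by set, a single role descriptor for
 *       cross-cluster keys) are enforced with {@code assert} only and are not checked when the JVM
 *       runs without {@code -ea}.</li>
 *   <li>{@link #PARSER} is lenient: unknown fields in the parsed document are ignored.</li>
 *   <li>{@link #toString()} prints the owner, the metadata and the full role descriptors, so it is
 *       not a redacted form; treat it accordingly when logging.</li>
 * </ul>
 */
public final class ApiKey implements ToXContentObject {

    /** Parser for entries under {@code role_descriptors}; built with restrictions allowed. */
    private static final RoleDescriptor.Parser ROLE_DESCRIPTOR_PARSER = RoleDescriptor.parserBuilder().allowRestriction(true).build();

    /** Lenient parser ({@code ignoreUnknownFields = true}) that feeds {@link #ApiKey(Object[])}. */
    static final ConstructingObjectParser<ApiKey, Void> PARSER = new ConstructingObjectParser<>("api_key", true, ApiKey::new);

    static {
        initializeParser(PARSER);
    }

    private final String name;
    private final String id;
    private final Type type;
    private final Instant creation;
    // null when the key has no expiration
    private final Instant expiration;
    private final boolean invalidated;
    // null when no invalidation time was supplied
    private final Instant invalidation;
    private final String username;
    private final String realm;

    @Nullable
    private final String realmType;
    // never null after construction; a null argument is replaced by an empty map
    private final Map<String, Object> metadata;

    @Nullable
    private final List<RoleDescriptor> roleDescriptors;

    @Nullable
    private final RoleDescriptorsIntersection limitedBy;

    /** Kind of API key; the wire form is the lower-cased enum name (see {@link #value()}). */
    public enum Type {
        REST,
        CROSS_CLUSTER;

        /**
         * Resolves a type from its textual form, ignoring case.
         *
         * @param str the textual type; must not be null
         * @return the matching type
         * @throws IllegalArgumentException if {@code str} matches no known type; the message echoes
         *     the rejected input and lists the accepted values
         */
        public static Type parse(String str) {
            final String normalized = str.toLowerCase(Locale.ROOT);
            if ("rest".equals(normalized)) {
                return REST;
            }
            // The listing references this constant for the cross-cluster branch.
            // NOTE(review): presumably equal to CROSS_CLUSTER.value() — confirm against the builder class.
            if (CrossClusterApiKeyRoleDescriptorBuilder.ROLE_DESCRIPTOR_NAME.equals(normalized)) {
                return CROSS_CLUSTER;
            }
            final String accepted = Stream.of(values()).map(Type::value).collect(Collectors.joining(","));
            throw new IllegalArgumentException("invalid API key type [" + str + "] expected one of [" + accepted + "]");
        }

        /**
         * Reads a type from the parser's current token, advancing once if the parser has not started.
         * The token must be a string value; {@code ensureExpectedToken} rejects anything else.
         *
         * @throws IOException if the underlying parser fails
         * @throws IllegalArgumentException if the string is not a known type
         */
        public static Type fromXContent(XContentParser xContentParser) throws IOException {
            XContentParser.Token token = xContentParser.currentToken();
            if (token == null) {
                token = xContentParser.nextToken();
            }
            XContentParserUtils.ensureExpectedToken(XContentParser.Token.VALUE_STRING, token, xContentParser);
            return parse(xContentParser.text());
        }

        /** Returns the serialized form of this type: the enum name in lower case. */
        public String value() {
            return name().toLowerCase(Locale.ROOT);
        }
    }

    /**
     * Creates an API key description from plain role-descriptor lists.
     *
     * @param limitedByRoleDescriptors when non-null, de-duplicated into a single set and wrapped in a
     *     {@link RoleDescriptorsIntersection} holding exactly that one set
     */
    public ApiKey(
        String name,
        String id,
        Type type,
        Instant creation,
        Instant expiration,
        boolean invalidated,
        @Nullable Instant invalidation,
        String username,
        String realm,
        @Nullable String realmType,
        @Nullable Map<String, Object> metadata,
        @Nullable List<RoleDescriptor> roleDescriptors,
        @Nullable List<RoleDescriptor> limitedByRoleDescriptors
    ) {
        this(
            name,
            id,
            type,
            creation,
            expiration,
            invalidated,
            invalidation,
            username,
            realm,
            realmType,
            metadata,
            roleDescriptors,
            limitedByRoleDescriptors == null ? null : new RoleDescriptorsIntersection(List.of(Set.copyOf(limitedByRoleDescriptors)))
        );
    }

    /**
     * Canonical constructor. Timestamps are truncated to millisecond precision, which is the
     * precision {@link #innerToXContent} writes, so a value survives a serialize/parse round trip
     * unchanged.
     */
    private ApiKey(
        String name,
        String id,
        Type type,
        Instant creation,
        Instant expiration,
        boolean invalidated,
        Instant invalidation,
        String username,
        String realm,
        @Nullable String realmType,
        @Nullable Map<String, Object> metadata,
        @Nullable List<RoleDescriptor> roleDescriptors,
        @Nullable RoleDescriptorsIntersection limitedBy
    ) {
        this.name = name;
        this.id = id;
        this.type = type;
        this.creation = Instant.ofEpochMilli(creation.toEpochMilli());
        this.expiration = expiration != null ? Instant.ofEpochMilli(expiration.toEpochMilli()) : null;
        this.invalidated = invalidated;
        this.invalidation = invalidation != null ? Instant.ofEpochMilli(invalidation.toEpochMilli()) : null;
        this.username = username;
        this.realm = realm;
        this.realmType = realmType;
        // Stored by reference, unlike roleDescriptors below: a caller that keeps a mutable map can
        // still change what this instance reports (and its hashCode) after construction.
        this.metadata = metadata == null ? Map.of() : metadata;
        this.roleDescriptors = roleDescriptors != null ? List.copyOf(roleDescriptors) : null;
        // Checked only when assertions are enabled.
        assert limitedBy == null || limitedBy.roleDescriptorsList().size() == 1 : "can only have one set of limited-by role descriptors";
        this.limitedBy = limitedBy;
    }

    /**
     * Parser callback: builds an instance from the positional arguments collected by
     * {@link #PARSER}, in the order declared in {@link #initializeParser}.
     *
     * <p>Declared {@code public} in this decompiled listing; the decompiler reports that the
     * original modifier was package-private.
     */
    @SuppressWarnings("unchecked") // element types are fixed by the declarations in initializeParser
    public ApiKey(Object[] objArr) {
        this(
            (String) objArr[0],
            (String) objArr[1],
            (Type) objArr[2],
            Instant.ofEpochMilli((Long) objArr[3]),
            toInstantOrNull(objArr[4]),
            (Boolean) objArr[5],
            toInstantOrNull(objArr[6]),
            (String) objArr[7],
            (String) objArr[8],
            (String) objArr[9],
            (Map<String, Object>) objArr[10],
            (List<RoleDescriptor>) objArr[11],
            (RoleDescriptorsIntersection) objArr[12]
        );
    }

    /** Converts an optional epoch-millisecond {@code Long} parser argument to an {@link Instant}. */
    private static Instant toInstantOrNull(Object epochMillis) {
        return epochMillis == null ? null : Instant.ofEpochMilli((Long) epochMillis);
    }

    public String getId() {
        return this.id;
    }

    public String getName() {
        return this.name;
    }

    public Type getType() {
        return this.type;
    }

    public Instant getCreation() {
        return this.creation;
    }

    /** Returns the expiration time, or {@code null} when none is set. */
    public Instant getExpiration() {
        return this.expiration;
    }

    /** Returns the stored invalidated flag; expiration is tracked separately and not consulted here. */
    public boolean isInvalidated() {
        return this.invalidated;
    }

    /** Returns the invalidation time, or {@code null} when none was supplied. */
    public Instant getInvalidation() {
        return this.invalidation;
    }

    public String getUsername() {
        return this.username;
    }

    public String getRealm() {
        return this.realm;
    }

    @Nullable
    public String getRealmType() {
        return this.realmType;
    }

    /** Returns the owner's realm identifier, or {@code null} if either the realm name or type is missing. */
    @Nullable
    public RealmConfig.RealmIdentifier getRealmIdentifier() {
        if (this.realm == null || this.realmType == null) {
            return null;
        }
        return new RealmConfig.RealmIdentifier(this.realmType, this.realm);
    }

    /** Returns the metadata map held by this instance (never null, not a copy). */
    public Map<String, Object> getMetadata() {
        return this.metadata;
    }

    /** Returns the unmodifiable role descriptor list, or {@code null} when none was supplied. */
    public List<RoleDescriptor> getRoleDescriptors() {
        return this.roleDescriptors;
    }

    /** Returns the limited-by role descriptors, or {@code null} when none were supplied. */
    public RoleDescriptorsIntersection getLimitedBy() {
        return this.limitedBy;
    }

    @Override
    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.startObject();
        innerToXContent(xContentBuilder, params);
        return xContentBuilder.endObject();
    }

    /**
     * Writes this key's fields into an object the caller has already opened. Optional fields
     * ({@code expiration}, {@code invalidation}, {@code realm_type}, {@code role_descriptors},
     * {@code limited_by}) are omitted when absent. Cross-cluster keys with role descriptors also
     * get an {@code access} object derived from their first role descriptor.
     */
    public XContentBuilder innerToXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.field("id", this.id).field("name", this.name);
        xContentBuilder.field("type", this.type.value());
        xContentBuilder.field("creation", this.creation.toEpochMilli());
        if (this.expiration != null) {
            xContentBuilder.field("expiration", this.expiration.toEpochMilli());
        }
        xContentBuilder.field("invalidated", this.invalidated);
        if (this.invalidation != null) {
            xContentBuilder.field("invalidation", this.invalidation.toEpochMilli());
        }
        xContentBuilder.field("username", this.username).field("realm", this.realm);
        if (this.realmType != null) {
            xContentBuilder.field("realm_type", this.realmType);
        }
        // The constructor never leaves metadata null, so no fallback is needed here.
        xContentBuilder.field("metadata", this.metadata);
        if (this.roleDescriptors != null) {
            xContentBuilder.startObject("role_descriptors");
            for (RoleDescriptor roleDescriptor : this.roleDescriptors) {
                xContentBuilder.field(roleDescriptor.getName(), roleDescriptor);
            }
            xContentBuilder.endObject();
            if (this.type == Type.CROSS_CLUSTER) {
                // Assertion-only invariant; without -ea only the first descriptor is rendered.
                assert this.roleDescriptors.size() == 1;
                buildXContentForCrossClusterApiKeyAccess(xContentBuilder, this.roleDescriptors.iterator().next());
            }
        }
        if (this.limitedBy != null) {
            // Assertion-only invariant: cross-cluster keys are not expected to carry limited-by descriptors.
            assert this.type != Type.CROSS_CLUSTER;
            xContentBuilder.field("limited_by", this.limitedBy);
        }
        return xContentBuilder;
    }

    /**
     * Writes the {@code access} object of a cross-cluster key, splitting the descriptor's index
     * privileges into {@code search} and {@code replication} arrays; an empty array is omitted.
     *
     * <p>Entries whose privilege names equal the CCS list go to {@code search}; every other entry
     * goes to {@code replication}. That the remainder really is the CCR list, and that the
     * descriptor is well formed, is verified only when assertions are enabled, so with assertions
     * off an unexpected privilege set is still reported under {@code replication}.
     */
    private void buildXContentForCrossClusterApiKeyAccess(XContentBuilder xContentBuilder, RoleDescriptor roleDescriptor)
        throws IOException {
        if (Assertions.ENABLED) {
            CrossClusterApiKeyRoleDescriptorBuilder.validate(roleDescriptor);
        }
        final List<RoleDescriptor.IndicesPrivileges> search = new ArrayList<>();
        final List<RoleDescriptor.IndicesPrivileges> replication = new ArrayList<>();
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges : roleDescriptor.getIndicesPrivileges()) {
            if (Arrays.equals(CrossClusterApiKeyRoleDescriptorBuilder.CCS_INDICES_PRIVILEGE_NAMES, indicesPrivileges.getPrivileges())) {
                search.add(indicesPrivileges);
            } else {
                assert Arrays.equals(CrossClusterApiKeyRoleDescriptorBuilder.CCR_INDICES_PRIVILEGE_NAMES, indicesPrivileges.getPrivileges());
                replication.add(indicesPrivileges);
            }
        }
        xContentBuilder.startObject("access");
        // Passed to each entry's toXContent; the key name suggests privilege names are left out
        // of the rendered entries (TODO confirm in RoleDescriptor.IndicesPrivileges).
        final ToXContent.Params withoutPrivileges = new ToXContent.MapParams(Map.of("_with_privileges", "false"));
        if (false == search.isEmpty()) {
            xContentBuilder.startArray("search");
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : search) {
                indicesPrivileges.toXContent(xContentBuilder, withoutPrivileges);
            }
            xContentBuilder.endArray();
        }
        if (false == replication.isEmpty()) {
            xContentBuilder.startArray("replication");
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : replication) {
                indicesPrivileges.toXContent(xContentBuilder, withoutPrivileges);
            }
            xContentBuilder.endArray();
        }
        xContentBuilder.endObject();
    }

    @Override
    public int hashCode() {
        return Objects.hash(
            this.name,
            this.id,
            this.type,
            this.creation,
            this.expiration,
            this.invalidated,
            this.invalidation,
            this.username,
            this.realm,
            this.realmType,
            this.metadata,
            this.roleDescriptors,
            this.limitedBy
        );
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final ApiKey other = (ApiKey) obj;
        return Objects.equals(this.name, other.name)
            && Objects.equals(this.id, other.id)
            && Objects.equals(this.type, other.type)
            && Objects.equals(this.creation, other.creation)
            && Objects.equals(this.expiration, other.expiration)
            && this.invalidated == other.invalidated
            && Objects.equals(this.invalidation, other.invalidation)
            && Objects.equals(this.username, other.username)
            && Objects.equals(this.realm, other.realm)
            && Objects.equals(this.realmType, other.realmType)
            && Objects.equals(this.metadata, other.metadata)
            && Objects.equals(this.roleDescriptors, other.roleDescriptors)
            && Objects.equals(this.limitedBy, other.limitedBy);
    }

    /** Returns a full, unredacted dump of every field, including metadata and role descriptors. */
    @Override
    public String toString() {
        return "ApiKey [name=" + this.name
            + ", id=" + this.id
            + ", type=" + this.type.value()
            + ", creation=" + this.creation
            + ", expiration=" + this.expiration
            + ", invalidated=" + this.invalidated
            + ", invalidation=" + this.invalidation
            + ", username=" + this.username
            + ", realm=" + this.realm
            + ", realm_type=" + this.realmType
            + ", metadata=" + this.metadata
            + ", role_descriptors=" + this.roleDescriptors
            + ", limited_by=" + this.limitedBy
            + "]";
    }

    /**
     * Parses an API key description with {@link #PARSER}.
     *
     * @throws IOException if the underlying parser fails
     */
    public static ApiKey fromXContent(XContentParser xContentParser) throws IOException {
        return PARSER.parse(xContentParser, null);
    }

    /**
     * Declares the API key fields on the given parser. The declaration order defines the index of
     * each value in the {@code Object[]} consumed by {@link #ApiKey(Object[])}, so the two must be
     * changed together.
     *
     * <p>Declared {@code public} in this decompiled listing; the decompiler reports that the
     * original modifier was package-private.
     *
     * @return the number of constructor arguments declared (13)
     */
    public static int initializeParser(AbstractObjectParser<?, Void> abstractObjectParser) {
        abstractObjectParser.declareString(ConstructingObjectParser.constructorArg(), new ParseField("name"));
        abstractObjectParser.declareString(ConstructingObjectParser.constructorArg(), new ParseField("id"));
        abstractObjectParser.declareField(
            ConstructingObjectParser.constructorArg(),
            Type::fromXContent,
            new ParseField("type"),
            ObjectParser.ValueType.STRING
        );
        abstractObjectParser.declareLong(ConstructingObjectParser.constructorArg(), new ParseField("creation"));
        abstractObjectParser.declareLong(ConstructingObjectParser.optionalConstructorArg(), new ParseField("expiration"));
        abstractObjectParser.declareBoolean(ConstructingObjectParser.constructorArg(), new ParseField("invalidated"));
        abstractObjectParser.declareLong(ConstructingObjectParser.optionalConstructorArg(), new ParseField("invalidation"));
        abstractObjectParser.declareString(ConstructingObjectParser.constructorArg(), new ParseField("username"));
        abstractObjectParser.declareString(ConstructingObjectParser.constructorArg(), new ParseField("realm"));
        abstractObjectParser.declareStringOrNull(ConstructingObjectParser.optionalConstructorArg(), new ParseField("realm_type"));
        abstractObjectParser.declareObject(
            ConstructingObjectParser.optionalConstructorArg(),
            (parser, context) -> parser.map(),
            new ParseField("metadata")
        );
        abstractObjectParser.declareNamedObjects(ConstructingObjectParser.optionalConstructorArg(), (parser, context, roleName) -> {
            // Step onto the descriptor body before handing it to the role descriptor parser.
            parser.nextToken();
            return ROLE_DESCRIPTOR_PARSER.parse(roleName, parser);
        }, new ParseField("role_descriptors"));
        abstractObjectParser.declareField(
            ConstructingObjectParser.optionalConstructorArg(),
            (parser, context) -> RoleDescriptorsIntersection.fromXContent(parser),
            new ParseField("limited_by"),
            ObjectParser.ValueType.OBJECT_ARRAY
        );
        return 13;
    }
}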
