package org.elasticsearch.xpack.core.security.authc;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.lucene.util.BytesRef;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.common.bytes.AbstractBytesReference;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/RemoteAccessAuthentication.class */
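/**
 * Carries an {@link Authentication} together with a list of serialized role descriptor sets, and
 * converts that pair to and from the Base64 string stored under the
 * {@value #REMOTE_ACCESS_AUTHENTICATION_HEADER_KEY} thread-context header.
 *
 * <p>NOTE(review): nothing in this class verifies the origin or integrity of a header value passed to
 * {@link #decode(String)}. A decoded instance is only as trustworthy as whoever produced the header;
 * presumably the caller authenticates the sending side before acting on it. Confirm at the call sites.
 *
 * <p>NOTE(review): the invariants in this class are expressed as {@code assert} statements, so they are
 * only enforced when the JVM runs with assertions enabled. If any of them guards data that can arrive
 * from another cluster, it needs a real runtime check at the boundary where that data is accepted.
 */
public final class RemoteAccessAuthentication {
    public static final String REMOTE_ACCESS_AUTHENTICATION_HEADER_KEY = "_remote_access_authentication";
    private final Authentication authentication;
    private final List<RoleDescriptorsBytes> roleDescriptorsBytesList;

    /**
     * A {@link BytesReference} wrapper around the JSON form of one set of role descriptors: a single
     * JSON object whose field names are role names and whose values are the role descriptors.
     */
    public static final class RoleDescriptorsBytes extends AbstractBytesReference {
        /** The serialized form of an empty set of role descriptors, i.e. the JSON object {@code {}}. */
        public static final RoleDescriptorsBytes EMPTY = new RoleDescriptorsBytes(new BytesArray("{}"));
        private final BytesReference rawBytes;

        /**
         * Wraps already-serialized role descriptors. The bytes are stored as given and are not parsed or
         * validated here; malformed content only surfaces when {@link #toRoleDescriptors()} is called.
         *
         * @param bytesReference the raw JSON bytes
         */
        public RoleDescriptorsBytes(BytesReference bytesReference) {
            this.rawBytes = bytesReference;
        }

        /**
         * Reads one bytes reference from the stream and wraps it, without inspecting its content.
         *
         * @param streamInput the stream to read from
         * @throws IOException if reading from the stream fails
         */
        public RoleDescriptorsBytes(StreamInput streamInput) throws IOException {
            this(streamInput.readBytesReference());
        }

        /**
         * Serializes a set of role descriptors to a JSON object keyed by role name.
         *
         * @param set the role descriptors to serialize
         * @return the serialized role descriptors
         * @throws IOException if building the JSON fails
         */
        public static RoleDescriptorsBytes fromRoleDescriptors(Set<RoleDescriptor> set) throws IOException {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            jsonBuilder.startObject();
            for (RoleDescriptor roleDescriptor : set) {
                jsonBuilder.field(roleDescriptor.getName(), roleDescriptor);
            }
            jsonBuilder.endObject();
            return new RoleDescriptorsBytes(BytesReference.bytes(jsonBuilder));
        }

        /**
         * Parses the wrapped JSON back into role descriptors.
         *
         * <p>The parser is opened in a try-with-resources block so that it is closed on every path,
         * including when the content is malformed and parsing throws part-way through.
         *
         * @return an unmodifiable set of the parsed role descriptors
         * @throws UncheckedIOException if the parser cannot be created or reading the content fails
         */
        public Set<RoleDescriptor> toRoleDescriptors() {
            try (XContentParser parser = XContentHelper.createParser(XContentParserConfiguration.EMPTY, this.rawBytes, XContentType.JSON)) {
                List<RoleDescriptor> parsed = new ArrayList<>();
                // Consume the opening token of the enclosing object.
                parser.nextToken();
                // Each iteration reads a field name (the role name) and then advances to its value.
                while (parser.nextToken() != XContentParser.Token.END_OBJECT) {
                    parser.nextToken();
                    parsed.add(RoleDescriptor.parse(parser.currentName(), parser, false));
                }
                return Set.copyOf(parsed);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }

        /** Returns the byte at the given index of the wrapped reference. */
        public byte get(int i) {
            return this.rawBytes.get(i);
        }

        /** Returns the length of the wrapped reference. */
        public int length() {
            return this.rawBytes.length();
        }

        /**
         * Returns a slice of the wrapped reference. The result is whatever the wrapped reference
         * returns, not a {@code RoleDescriptorsBytes}.
         */
        public BytesReference slice(int i, int i2) {
            return this.rawBytes.slice(i, i2);
        }

        /** Returns the memory usage reported by the wrapped reference. */
        public long ramBytesUsed() {
            return this.rawBytes.ramBytesUsed();
        }

        /** Returns the {@link BytesRef} view of the wrapped reference. */
        public BytesRef toBytesRef() {
            return this.rawBytes.toBytesRef();
        }
    }

    /**
     * Creates an instance from an authentication and the role descriptors that accompany it. Each set
     * in the intersection is serialized to bytes once, here.
     *
     * @param authentication the authentication to carry
     * @param roleDescriptorsIntersection the role descriptor sets to carry; every set is expected to
     *     hold at most one role descriptor (checked by assertion only)
     * @throws IOException if serializing a role descriptor set fails
     */
    public RemoteAccessAuthentication(Authentication authentication, RoleDescriptorsIntersection roleDescriptorsIntersection) throws IOException {
        this(authentication, toRoleDescriptorsBytesList(roleDescriptorsIntersection));
    }

    private RemoteAccessAuthentication(Authentication authentication, List<RoleDescriptorsBytes> list) {
        this.authentication = authentication;
        this.roleDescriptorsBytesList = list;
    }

    /**
     * Stores the encoded form of this object in the given thread context under
     * {@link #REMOTE_ACCESS_AUTHENTICATION_HEADER_KEY}.
     *
     * @param threadContext the context to write the header to
     * @throws IOException if encoding fails
     */
    public void writeToContext(ThreadContext threadContext) throws IOException {
        threadContext.putHeader(REMOTE_ACCESS_AUTHENTICATION_HEADER_KEY, encode());
    }

    /**
     * Reads and decodes the {@link #REMOTE_ACCESS_AUTHENTICATION_HEADER_KEY} header from the given
     * thread context. See {@link #decode(String)} for the failure modes; in particular a missing
     * header reaches {@code decode} as {@code null}.
     *
     * @param threadContext the context to read the header from
     * @return the decoded instance
     * @throws IOException if the decoded bytes cannot be deserialized
     */
    public static RemoteAccessAuthentication readFromContext(ThreadContext threadContext) throws IOException {
        return decode(threadContext.getHeader(REMOTE_ACCESS_AUTHENTICATION_HEADER_KEY));
    }

    public Authentication getAuthentication() {
        return this.authentication;
    }

    /**
     * Returns the serialized role descriptor sets. The list is unmodifiable on both construction
     * paths: {@link #decode(String)} reads an immutable list and the public constructor wraps its list.
     */
    public List<RoleDescriptorsBytes> getRoleDescriptorsBytesList() {
        return this.roleDescriptorsBytesList;
    }

    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        RemoteAccessAuthentication other = (RemoteAccessAuthentication) obj;
        return this.authentication.equals(other.authentication)
            && this.roleDescriptorsBytesList.equals(other.roleDescriptorsBytesList);
    }

    @Override
    public int hashCode() {
        return (31 * this.authentication.hashCode()) + this.roleDescriptorsBytesList.hashCode();
    }

    /**
     * Renders the authentication and the role descriptor bytes.
     *
     * <p>NOTE(review): the output embeds whatever {@code Authentication#toString()} and the bytes
     * references print, so it may put identity and role details into logs. Check before logging this
     * object at levels that are enabled in production.
     */
    @Override
    public String toString() {
        return "RemoteAccessAuthentication{authentication=" + this.authentication + ", roleDescriptorsBytesList=" + this.roleDescriptorsBytesList + "}";
    }

    /**
     * Serializes every role descriptor set of the intersection, preserving order.
     *
     * @return an unmodifiable list with one entry per set, so the list handed out by
     *     {@link #getRoleDescriptorsBytesList()} cannot be altered after construction
     */
    private static List<RoleDescriptorsBytes> toRoleDescriptorsBytesList(RoleDescriptorsIntersection roleDescriptorsIntersection) throws IOException {
        // Enforced only when assertions are enabled; with assertions off, larger sets are serialized as-is.
        assert roleDescriptorsIntersection.roleDescriptorsList().stream().noneMatch(set -> set.size() > 1)
            : "sets with more than one role descriptor are not supported for remote access authentication";
        List<RoleDescriptorsBytes> result = new ArrayList<>();
        for (Set<RoleDescriptor> roleDescriptors : roleDescriptorsIntersection.roleDescriptorsList()) {
            result.add(RoleDescriptorsBytes.fromRoleDescriptors(roleDescriptors));
        }
        return Collections.unmodifiableList(result);
    }

    /**
     * Encodes this object as a Base64 string. The payload is, in order: the transport version of the
     * authentication's effective subject, the authentication, and the collection of role descriptor
     * bytes. The same transport version is set on the stream before anything is written.
     *
     * <p>Base64 is an encoding only; the result is neither encrypted nor signed by this method.
     *
     * @return the Base64-encoded payload
     * @throws IOException if writing to the stream fails
     */
    public String encode() throws IOException {
        // Declared as BytesStreamOutput because bytes() is needed to read the buffer back.
        BytesStreamOutput out = new BytesStreamOutput();
        out.setTransportVersion(this.authentication.getEffectiveSubject().getTransportVersion());
        TransportVersion.writeVersion(this.authentication.getEffectiveSubject().getTransportVersion(), out);
        this.authentication.writeTo(out);
        out.writeCollection(this.roleDescriptorsBytesList, StreamOutput::writeBytesReference);
        return Base64.getEncoder().encodeToString(BytesReference.toBytes(out.bytes()));
    }

    /**
     * Decodes a string produced by {@link #encode()}.
     *
     * <p>The transport version used to deserialize the rest of the payload is read from the payload
     * itself, so it is chosen by whoever produced the string. The role descriptor bytes are wrapped
     * without being parsed; see {@link RoleDescriptorsBytes#toRoleDescriptors()}.
     *
     * <p>NOTE(review): no check here rejects a decoded authentication that is itself a remote access
     * authentication; {@link #copyWithRemoteAccessEntries(Map)} only asserts it. Confirm the caller
     * validates this for headers received from another cluster.
     *
     * @param str the Base64-encoded payload
     * @return the decoded instance
     * @throws NullPointerException if {@code str} is {@code null}
     * @throws IllegalArgumentException if {@code str} is not valid Base64
     * @throws IOException if the decoded bytes cannot be deserialized
     */
    public static RemoteAccessAuthentication decode(String str) throws IOException {
        Objects.requireNonNull(str);
        StreamInput in = StreamInput.wrap(Base64.getDecoder().decode(str));
        in.setTransportVersion(TransportVersion.readVersion(in));
        Authentication decodedAuthentication = new Authentication(in);
        List<RoleDescriptorsBytes> decodedRoleDescriptors = in.readImmutableList(RoleDescriptorsBytes::new);
        return new RemoteAccessAuthentication(decodedAuthentication, decodedRoleDescriptors);
    }

    /**
     * Returns an unmodifiable copy of the given metadata with two entries added: the encoded
     * authentication and the list of role descriptor bytes. The input map is not modified.
     *
     * <p>The three preconditions below are assertions. With assertions disabled, an existing entry
     * under either key is silently overwritten and a nested remote access authentication is accepted.
     *
     * @param map the metadata to copy
     * @return an unmodifiable map holding the original entries plus the two remote access entries
     * @throws UncheckedIOException if encoding the authentication fails
     */
    public Map<String, Object> copyWithRemoteAccessEntries(Map<String, Object> map) {
        assert !map.containsKey(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY)
            : "metadata already contains [_security_remote_access_authentication] entry";
        assert !map.containsKey(AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY)
            : "metadata already contains [_security_remote_access_role_descriptors] entry";
        assert !getAuthentication().isRemoteAccess()
            : "authentication included in remote access header cannot itself be remote access";
        Map<String, Object> copy = new HashMap<>(map);
        try {
            copy.put(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY, getAuthentication().encode());
            copy.put(AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY, getRoleDescriptorsBytesList());
            return Collections.unmodifiableMap(copy);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}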
