package org.elasticsearch.xpack.core.security.authc;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Base64;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Assertions;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.util.ArrayUtils;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
import org.elasticsearch.xpack.core.security.user.SecurityProfileUser;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
import org.elasticsearch.xpack.core.security.user.XPackUser;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication.class */
public final class Authentication implements ToXContentObject {
    private static final Logger logger;
    private static final TransportVersion VERSION_AUTHENTICATION_TYPE;
    public static final TransportVersion VERSION_REMOTE_ACCESS_REALM;
    public static final TransportVersion VERSION_API_KEY_ROLES_AS_BYTES;
    public static final TransportVersion VERSION_REALM_DOMAINS;
    private final AuthenticationType type;
    private final Subject authenticatingSubject;
    private final Subject effectiveSubject;
    public static ConstructingObjectParser<RealmRef, Void> REALM_REF_PARSER;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$AuthenticationSerializationHelper.class */
    public static class AuthenticationSerializationHelper {
        static final /* synthetic */ boolean $assertionsDisabled;

        private AuthenticationSerializationHelper() {
        }

        public static User readUserFrom(StreamInput streamInput) throws IOException {
            User readUserWithoutTrailingBoolean = readUserWithoutTrailingBoolean(streamInput);
            if (false == User.isInternal(readUserWithoutTrailingBoolean)) {
                boolean readBoolean = streamInput.readBoolean();
                if (!$assertionsDisabled && false != readBoolean) {
                    throw new AssertionError("no inner user is possible, otherwise use UserTuple.readFrom");
                }
            }
            return readUserWithoutTrailingBoolean;
        }

        public static void writeUserTo(User user, StreamOutput streamOutput) throws IOException {
            if (User.isInternal(user)) {
                writeInternalUser(user, streamOutput);
            } else {
                User.writeUser(user, streamOutput);
                streamOutput.writeBoolean(false);
            }
        }

        private static User readUserWithoutTrailingBoolean(StreamInput streamInput) throws IOException {
            boolean readBoolean = streamInput.readBoolean();
            String readString = streamInput.readString();
            if (!readBoolean) {
                return new User(readString, streamInput.readStringArray(), streamInput.readOptionalString(), streamInput.readOptionalString(), streamInput.readMap(), streamInput.readBoolean());
            }
            if ("_system".equals(readString)) {
                return SystemUser.INSTANCE;
            }
            if ("_xpack".equals(readString)) {
                return XPackUser.INSTANCE;
            }
            if ("_xpack_security".equals(readString)) {
                return XPackSecurityUser.INSTANCE;
            }
            if ("_security_profile".equals(readString)) {
                return SecurityProfileUser.INSTANCE;
            }
            if ("_async_search".equals(readString)) {
                return AsyncSearchUser.INSTANCE;
            }
            throw new IllegalStateException("username [" + readString + "] does not match any internal user");
        }

        private static void writeInternalUser(User user, StreamOutput streamOutput) throws IOException {
            if (!$assertionsDisabled && !User.isInternal(user)) {
                throw new AssertionError();
            }
            streamOutput.writeBoolean(true);
            if (SystemUser.is(user)) {
                streamOutput.writeString("_system");
                return;
            }
            if (XPackUser.is(user)) {
                streamOutput.writeString("_xpack");
                return;
            }
            if (XPackSecurityUser.is(user)) {
                streamOutput.writeString("_xpack_security");
                return;
            }
            if (SecurityProfileUser.is(user)) {
                streamOutput.writeString("_security_profile");
            } else if (AsyncSearchUser.is(user)) {
                streamOutput.writeString("_async_search");
            } else {
                if (!$assertionsDisabled) {
                    throw new AssertionError();
                }
                throw new IllegalStateException("user [" + user + "] is not internal");
            }
        }

        static {
            $assertionsDisabled = !Authentication.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$AuthenticationType.class */
    public enum AuthenticationType {
        REALM,
        API_KEY,
        TOKEN,
        ANONYMOUS,
        INTERNAL
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication$RealmRef.class */
    public static class RealmRef implements Writeable, ToXContentObject {
        private final String nodeName;
        private final String name;
        private final String type;

        @Nullable
        private final RealmDomain domain;

        public RealmRef(String str, String str2, String str3) {
            this(str, str2, str3, null);
        }

        public RealmRef(String str, String str2, String str3, @Nullable RealmDomain realmDomain) {
            this.nodeName = (String) Objects.requireNonNull(str3, "node name cannot be null");
            this.name = (String) Objects.requireNonNull(str, "realm name cannot be null");
            this.type = (String) Objects.requireNonNull(str2, "realm type cannot be null");
            this.domain = realmDomain;
        }

        public RealmRef(StreamInput streamInput) throws IOException {
            this.nodeName = streamInput.readString();
            this.name = streamInput.readString();
            this.type = streamInput.readString();
            if (streamInput.getTransportVersion().onOrAfter(Authentication.VERSION_REALM_DOMAINS)) {
                this.domain = (RealmDomain) streamInput.readOptionalWriteable(RealmDomain::readFrom);
            } else {
                this.domain = null;
            }
        }

        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeString(this.nodeName);
            streamOutput.writeString(this.name);
            streamOutput.writeString(this.type);
            if (streamOutput.getTransportVersion().onOrAfter(Authentication.VERSION_REALM_DOMAINS)) {
                streamOutput.writeOptionalWriteable(this.domain);
            }
        }

        public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
            xContentBuilder.startObject();
            xContentBuilder.field("name", this.name);
            xContentBuilder.field("type", this.type);
            xContentBuilder.field("node_name", this.nodeName);
            if (this.domain != null) {
                xContentBuilder.field("domain", this.domain);
            }
            xContentBuilder.endObject();
            return xContentBuilder;
        }

        public String getNodeName() {
            return this.nodeName;
        }

        public String getName() {
            return this.name;
        }

        public String getType() {
            return this.type;
        }

        @Nullable
        public RealmDomain getDomain() {
            return this.domain;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RealmRef realmRef = (RealmRef) obj;
            if (this.nodeName.equals(realmRef.nodeName) && this.type.equals(realmRef.type)) {
                return Objects.equals(this.domain, realmRef.domain);
            }
            return false;
        }

        public int hashCode() {
            int hashCode = (31 * ((31 * this.nodeName.hashCode()) + this.name.hashCode())) + this.type.hashCode();
            if (this.domain != null) {
                hashCode = (31 * hashCode) + this.domain.hashCode();
            }
            return hashCode;
        }

        public String toString() {
            return this.domain != null ? "{Realm[" + this.type + "." + this.name + "] under Domain[" + this.domain.name() + "] on Node[" + this.nodeName + "]}" : "{Realm[" + this.type + "." + this.name + "] on Node[" + this.nodeName + "]}";
        }

        static RealmRef newInternalAttachRealmRef(String str) {
            return new RealmRef("__attach", "__attach", str, null);
        }

        static RealmRef newInternalFallbackRealmRef(String str) {
            return new RealmRef("__fallback", "__fallback", str, null);
        }

        public static RealmRef newAnonymousRealmRef(String str) {
            return new RealmRef("__anonymous", "__anonymous", str, null);
        }

        static RealmRef newServiceAccountRealmRef(String str) {
            return new RealmRef("_service_account", "_service_account", str, null);
        }

        static RealmRef newApiKeyRealmRef(String str) {
            return new RealmRef("_es_api_key", "_es_api_key", str, null);
        }

        static RealmRef newRemoteAccessRealmRef(String str) {
            return new RealmRef("_es_remote_access", "_es_remote_access", str, null);
        }
    }

    private Authentication(Subject subject, AuthenticationType authenticationType) {
        this(subject, subject, authenticationType);
    }

    private Authentication(Subject subject, Subject subject2, AuthenticationType authenticationType) {
        this.effectiveSubject = subject;
        this.authenticatingSubject = subject2;
        this.type = authenticationType;
        assertInternalConsistency();
    }

    public Authentication(StreamInput streamInput) throws IOException {
        User user;
        Map of;
        User readUserWithoutTrailingBoolean = AuthenticationSerializationHelper.readUserWithoutTrailingBoolean(streamInput);
        if (User.isInternal(readUserWithoutTrailingBoolean) ? false : streamInput.readBoolean()) {
            user = AuthenticationSerializationHelper.readUserFrom(streamInput);
            if (!$assertionsDisabled && false != User.isInternal(user)) {
                throw new AssertionError("internal users cannot participate in run-as");
            }
        } else {
            user = null;
        }
        RealmRef realmRef = new RealmRef(streamInput);
        RealmRef realmRef2 = streamInput.readBoolean() ? new RealmRef(streamInput) : null;
        if (!$assertionsDisabled && user == null && realmRef2 != null) {
            throw new AssertionError("Authentication has no inner-user, but looked-up-by is [" + realmRef2 + "]");
        }
        TransportVersion transportVersion = streamInput.getTransportVersion();
        if (transportVersion.onOrAfter(VERSION_AUTHENTICATION_TYPE)) {
            this.type = AuthenticationType.values()[streamInput.readVInt()];
            of = streamInput.readMap();
        } else {
            this.type = AuthenticationType.REALM;
            of = Map.of();
        }
        if (user != null) {
            this.authenticatingSubject = new Subject(user, realmRef, transportVersion, of);
            this.effectiveSubject = new Subject(readUserWithoutTrailingBoolean, realmRef2, transportVersion, Map.of());
        } else {
            Subject subject = new Subject(readUserWithoutTrailingBoolean, realmRef, transportVersion, of);
            this.effectiveSubject = subject;
            this.authenticatingSubject = subject;
        }
        assertInternalConsistency();
    }

    public Subject getAuthenticatingSubject() {
        return this.authenticatingSubject;
    }

    public Subject getEffectiveSubject() {
        return this.effectiveSubject;
    }

    public AuthenticationType getAuthenticationType() {
        return this.type;
    }

    public boolean isRunAs() {
        return this.authenticatingSubject != this.effectiveSubject;
    }

    public boolean isFailedRunAs() {
        return isRunAs() && this.effectiveSubject.getRealm() == null;
    }

    public Authentication maybeRewriteForOlderVersion(TransportVersion transportVersion) {
        return maybeRewriteForOlderVersion(transportVersion, VERSION_REMOTE_ACCESS_REALM);
    }

    Authentication maybeRewriteForOlderVersion(TransportVersion transportVersion, TransportVersion transportVersion2) {
        if (isRemoteAccess() && transportVersion.before(transportVersion2)) {
            throw new IllegalArgumentException("versions of Elasticsearch before [" + transportVersion2 + "] can't handle remote access authentication and attempted to rewrite for [" + transportVersion + "]");
        }
        Map<String, Object> maybeRewriteMetadata = maybeRewriteMetadata(transportVersion, this);
        return isRunAs() ? new Authentication(new Subject(this.effectiveSubject.getUser(), maybeRewriteRealmRef(transportVersion, this.effectiveSubject.getRealm()), transportVersion, this.effectiveSubject.getMetadata()), new Subject(this.authenticatingSubject.getUser(), maybeRewriteRealmRef(transportVersion, this.authenticatingSubject.getRealm()), transportVersion, maybeRewriteMetadata), this.type) : new Authentication(new Subject(this.authenticatingSubject.getUser(), maybeRewriteRealmRef(transportVersion, this.authenticatingSubject.getRealm()), transportVersion, maybeRewriteMetadata), this.type);
    }

    private static Map<String, Object> maybeRewriteMetadata(TransportVersion transportVersion, Authentication authentication) {
        return authentication.isAuthenticatedAsApiKey() ? maybeRewriteMetadataForApiKeyRoleDescriptors(transportVersion, authentication) : authentication.isRemoteAccess() ? maybeRewriteMetadataForRemoteAccessAuthentication(transportVersion, authentication) : authentication.getAuthenticatingSubject().getMetadata();
    }

    public Authentication runAs(User user, @Nullable RealmRef realmRef) {
        if (!$assertionsDisabled && !supportsRunAs(null)) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != (user instanceof AnonymousUser)) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != hasSyntheticRealmNameOrType(realmRef)) {
            throw new AssertionError("should not use synthetic realm name/type for lookup realms");
        }
        Objects.requireNonNull(user);
        return new Authentication(new Subject(user, realmRef, getEffectiveSubject().getTransportVersion(), Map.of()), this.authenticatingSubject, this.type);
    }

    public Authentication token() {
        if (!$assertionsDisabled && false != isServiceAccount()) {
            throw new AssertionError();
        }
        if ($assertionsDisabled || false == isRemoteAccess()) {
            return new Authentication(this.effectiveSubject, this.authenticatingSubject, AuthenticationType.TOKEN);
        }
        throw new AssertionError();
    }

    public Authentication maybeAddAnonymousRoles(@Nullable AnonymousUser anonymousUser) {
        if (false == (anonymousUser != null && anonymousUser.enabled() && false == anonymousUser.equals(getEffectiveSubject().getUser()) && false == User.isInternal(getEffectiveSubject().getUser()) && false == isApiKey() && false == isRemoteAccess() && false == isServiceAccount())) {
            return this;
        }
        if (anonymousUser.roles().length == 0) {
            throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
        }
        String[] concat = ArrayUtils.concat(getEffectiveSubject().getUser().roles(), anonymousUser.roles());
        if (isRunAs()) {
            User user = this.effectiveSubject.getUser();
            return new Authentication(new Subject(new User(user.principal(), concat, user.fullName(), user.email(), user.metadata(), user.enabled()), this.effectiveSubject.getRealm(), this.effectiveSubject.getTransportVersion(), this.effectiveSubject.getMetadata()), this.authenticatingSubject, this.type);
        }
        User user2 = this.authenticatingSubject.getUser();
        return new Authentication(new Subject(new User(user2.principal(), concat, user2.fullName(), user2.email(), user2.metadata(), user2.enabled()), this.authenticatingSubject.getRealm(), this.authenticatingSubject.getTransportVersion(), this.authenticatingSubject.getMetadata()), this.type);
    }

    boolean isAssignedToDomain() {
        return getDomain() != null;
    }

    @Nullable
    RealmDomain getDomain() {
        if (isFailedRunAs()) {
            return null;
        }
        return getEffectiveSubject().getRealm().getDomain();
    }

    public boolean isAuthenticatedWithServiceAccount() {
        return "_service_account".equals(getAuthenticatingSubject().getRealm().getType());
    }

    public boolean isAuthenticatedAsApiKey() {
        return this.authenticatingSubject.getType() == Subject.Type.API_KEY;
    }

    private boolean isAuthenticatedAnonymously() {
        return AuthenticationType.ANONYMOUS.equals(getAuthenticationType());
    }

    private boolean isAuthenticatedInternally() {
        return AuthenticationType.INTERNAL.equals(getAuthenticationType());
    }

    public boolean isServiceAccount() {
        return this.effectiveSubject.getType() == Subject.Type.SERVICE_ACCOUNT;
    }

    public boolean isApiKey() {
        return this.effectiveSubject.getType() == Subject.Type.API_KEY;
    }

    public boolean isRemoteAccess() {
        return this.effectiveSubject.getType() == Subject.Type.REMOTE_ACCESS;
    }

    public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
        if (isRunAs() || isServiceAccount() || isRemoteAccess() || User.isInternal(getEffectiveSubject().getUser())) {
            return false;
        }
        if (!getEffectiveSubject().getUser().equals(anonymousUser)) {
            return AuthenticationType.REALM == getAuthenticationType() || AuthenticationType.API_KEY == getAuthenticationType() || AuthenticationType.TOKEN == getAuthenticationType();
        }
        if ($assertionsDisabled) {
            return false;
        }
        if ("__anonymous".equals(getAuthenticatingSubject().getRealm().getType()) && "__anonymous".equals(getAuthenticatingSubject().getRealm().getName())) {
            return false;
        }
        throw new AssertionError();
    }

    public void writeToContext(ThreadContext threadContext) throws IOException, IllegalArgumentException {
        new AuthenticationContextSerializer().writeToContext(this, threadContext);
    }

    public String encode() throws IOException {
        BytesStreamOutput bytesStreamOutput = new BytesStreamOutput();
        bytesStreamOutput.setTransportVersion(getEffectiveSubject().getTransportVersion());
        TransportVersion.writeVersion(getEffectiveSubject().getTransportVersion(), bytesStreamOutput);
        writeTo(bytesStreamOutput);
        return Base64.getEncoder().encodeToString(BytesReference.toBytes(bytesStreamOutput.bytes()));
    }

    public void writeTo(StreamOutput streamOutput) throws IOException {
        if (isRemoteAccess() && streamOutput.getTransportVersion().before(VERSION_REMOTE_ACCESS_REALM)) {
            throw new IllegalArgumentException("versions of Elasticsearch before [" + VERSION_REMOTE_ACCESS_REALM + "] can't handle remote access authentication and attempted to send to [" + streamOutput.getTransportVersion() + "]");
        }
        if (isRunAs()) {
            User user = this.effectiveSubject.getUser();
            User user2 = this.authenticatingSubject.getUser();
            if (!$assertionsDisabled && (false != User.isInternal(user) || false != User.isInternal(user2))) {
                throw new AssertionError("internal users cannot participate in run-as");
            }
            User.writeUser(user, streamOutput);
            streamOutput.writeBoolean(true);
            User.writeUser(user2, streamOutput);
            streamOutput.writeBoolean(false);
        } else {
            AuthenticationSerializationHelper.writeUserTo(this.effectiveSubject.getUser(), streamOutput);
        }
        this.authenticatingSubject.getRealm().writeTo(streamOutput);
        RealmRef realm = isRunAs() ? this.effectiveSubject.getRealm() : null;
        if (realm != null) {
            streamOutput.writeBoolean(true);
            realm.writeTo(streamOutput);
        } else {
            streamOutput.writeBoolean(false);
        }
        Map<String, Object> metadata = getAuthenticatingSubject().getMetadata();
        if (streamOutput.getTransportVersion().onOrAfter(VERSION_AUTHENTICATION_TYPE)) {
            streamOutput.writeVInt(this.type.ordinal());
            streamOutput.writeGenericMap(metadata);
        } else {
            if ($assertionsDisabled) {
                return;
            }
            if (this.type != AuthenticationType.REALM || !metadata.isEmpty()) {
                throw new AssertionError(Strings.format("authentication with version [%s] must have authentication type %s and empty metadata, but got [%s] and [%s]", new Object[]{streamOutput.getTransportVersion(), AuthenticationType.REALM, this.type, metadata}));
            }
        }
    }

    public boolean canAccessResourcesOf(Authentication authentication) {
        if ($assertionsDisabled || EnumSet.of(AuthenticationType.REALM, AuthenticationType.API_KEY, AuthenticationType.TOKEN, AuthenticationType.ANONYMOUS, AuthenticationType.INTERNAL).containsAll(EnumSet.of(getAuthenticationType(), authentication.getAuthenticationType()))) {
            return getEffectiveSubject().canAccessResourcesOf(authentication.getEffectiveSubject());
        }
        throw new AssertionError("cross AuthenticationType comparison for canAccessResourcesOf is not applicable for: " + EnumSet.of(getAuthenticationType(), authentication.getAuthenticationType()));
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        Authentication authentication = (Authentication) obj;
        return this.type == authentication.type && this.authenticatingSubject.equals(authentication.authenticatingSubject) && this.effectiveSubject.equals(authentication.effectiveSubject);
    }

    public int hashCode() {
        return Objects.hash(this.type, this.authenticatingSubject, this.effectiveSubject);
    }

    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.startObject();
        toXContentFragment(xContentBuilder);
        return xContentBuilder.endObject();
    }

    public void toXContentFragment(XContentBuilder xContentBuilder) throws IOException {
        User user = this.effectiveSubject.getUser();
        xContentBuilder.field(User.Fields.USERNAME.getPreferredName(), user.principal());
        xContentBuilder.array(User.Fields.ROLES.getPreferredName(), user.roles());
        xContentBuilder.field(User.Fields.FULL_NAME.getPreferredName(), user.fullName());
        xContentBuilder.field(User.Fields.EMAIL.getPreferredName(), user.email());
        if (isServiceAccount()) {
            String str = (String) getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_NAME_FIELD);
            if (!$assertionsDisabled && str == null) {
                throw new AssertionError("token name cannot be null");
            }
            String str2 = (String) getAuthenticatingSubject().getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD);
            if (!$assertionsDisabled && str2 == null) {
                throw new AssertionError("token source cannot be null");
            }
            xContentBuilder.field(User.Fields.TOKEN.getPreferredName(), Map.of("name", str, "type", "_service_account_" + str2));
        }
        xContentBuilder.field(User.Fields.METADATA.getPreferredName(), user.metadata());
        xContentBuilder.field(User.Fields.ENABLED.getPreferredName(), user.enabled());
        xContentBuilder.startObject(User.Fields.AUTHENTICATION_REALM.getPreferredName());
        xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getAuthenticatingSubject().getRealm().getName());
        xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getAuthenticatingSubject().getRealm().getType());
        if (getAuthenticatingSubject().getRealm().getDomain() != null) {
            xContentBuilder.field(User.Fields.REALM_DOMAIN.getPreferredName(), getAuthenticatingSubject().getRealm().getDomain().name());
        }
        xContentBuilder.endObject();
        xContentBuilder.startObject(User.Fields.LOOKUP_REALM.getPreferredName());
        RealmRef realm = isRunAs() ? getEffectiveSubject().getRealm() : null;
        if (realm != null) {
            xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), realm.getName());
            xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), realm.getType());
            if (realm.getDomain() != null) {
                xContentBuilder.field(User.Fields.REALM_DOMAIN.getPreferredName(), realm.getDomain().name());
            }
        } else {
            xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getAuthenticatingSubject().getRealm().getName());
            xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getAuthenticatingSubject().getRealm().getType());
            if (getAuthenticatingSubject().getRealm().getDomain() != null) {
                xContentBuilder.field(User.Fields.REALM_DOMAIN.getPreferredName(), getAuthenticatingSubject().getRealm().getDomain().name());
            }
        }
        xContentBuilder.endObject();
        xContentBuilder.field(User.Fields.AUTHENTICATION_TYPE.getPreferredName(), getAuthenticationType().name().toLowerCase(Locale.ROOT));
        if (isApiKey() || isRemoteAccess()) {
            String str3 = (String) getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY);
            String str4 = (String) getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_NAME_KEY);
            if (str4 == null) {
                xContentBuilder.field("api_key", Map.of("id", str3));
            } else {
                xContentBuilder.field("api_key", Map.of("id", str3, "name", str4));
            }
        }
    }

    private void assertInternalConsistency() {
        if (false == Assertions.ENABLED) {
            return;
        }
        if (!$assertionsDisabled && this.effectiveSubject == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && this.authenticatingSubject == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && this.type == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && !this.effectiveSubject.getTransportVersion().equals(this.authenticatingSubject.getTransportVersion())) {
            throw new AssertionError();
        }
        if (isRunAs()) {
            if (!$assertionsDisabled && this.authenticatingSubject == this.effectiveSubject) {
                throw new AssertionError("isRunAs logic does not hold");
            }
            if (!$assertionsDisabled && (false != User.isInternal(this.effectiveSubject.getUser()) || false != User.isInternal(this.authenticatingSubject.getUser()))) {
                throw new AssertionError("internal users cannot participate in run-as");
            }
        } else if (!$assertionsDisabled && this.authenticatingSubject != this.effectiveSubject) {
            throw new AssertionError("isRunAs logic does not hold");
        }
        if (!$assertionsDisabled) {
            if (false != (isAuthenticatedAsApiKey() || isRemoteAccess()) && getAuthenticatingSubject().getMetadata().get(AuthenticationField.API_KEY_ID_KEY) == null) {
                throw new AssertionError("API KEY authentication requires metadata to contain API KEY id, and the value must be non-null.");
            }
        }
        if (isRemoteAccess()) {
            if (!$assertionsDisabled && getAuthenticatingSubject().getMetadata().get(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY) == null) {
                throw new AssertionError("Remote access authentication requires metadata to contain a serialized remote access authentication, and the value must be non-null.");
            }
            if (!$assertionsDisabled && getAuthenticatingSubject().getMetadata().get(AuthenticationField.REMOTE_ACCESS_ROLE_DESCRIPTORS_KEY) == null) {
                throw new AssertionError("Remote access authentication requires metadata to contain a serialized remote access role descriptors, and the value must be non-null.");
            }
        }
        if (isAssignedToDomain()) {
            if (!$assertionsDisabled && false != isApiKey()) {
                throw new AssertionError();
            }
            if (!$assertionsDisabled && false != isRemoteAccess()) {
                throw new AssertionError();
            }
            if (!$assertionsDisabled && false != isServiceAccount()) {
                throw new AssertionError();
            }
            if (!$assertionsDisabled && false != isAuthenticatedAnonymously()) {
                throw new AssertionError();
            }
            if (!$assertionsDisabled && false != isAuthenticatedInternally()) {
                throw new AssertionError();
            }
        }
    }

    private boolean hasSyntheticRealmNameOrType(@Nullable RealmRef realmRef) {
        if (realmRef == null) {
            return false;
        }
        return List.of("_es_api_key", "_service_account", "__anonymous", "__fallback", "__attach", "_es_remote_access").contains(realmRef.getName()) || List.of("_es_api_key", "_service_account", "__anonymous", "__fallback", "__attach", "_es_remote_access").contains(realmRef.getType());
    }

    public String toString() {
        StringBuilder append = new StringBuilder("Authentication[effectiveSubject=").append(this.effectiveSubject);
        if (isRunAs()) {
            append.append(",authenticatingSubject=").append(this.authenticatingSubject);
        }
        append.append(",type=").append(this.type);
        append.append("]");
        return append.toString();
    }

    public static boolean isFileOrNativeRealm(String str) {
        return FileRealmSettings.TYPE.equals(str) || NativeRealmSettings.TYPE.equals(str);
    }

    public static Authentication newInternalAuthentication(User user, TransportVersion transportVersion, String str) {
        if (!$assertionsDisabled && !User.isInternal(user)) {
            throw new AssertionError();
        }
        Authentication authentication = new Authentication(new Subject(user, RealmRef.newInternalAttachRealmRef(str), transportVersion, Map.of()), AuthenticationType.INTERNAL);
        if ($assertionsDisabled || false == authentication.isAssignedToDomain()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public static Authentication newInternalFallbackAuthentication(User user, String str) {
        Authentication authentication = new Authentication(new Subject(user, RealmRef.newInternalFallbackRealmRef(str), TransportVersion.CURRENT, Map.of()), AuthenticationType.INTERNAL);
        if ($assertionsDisabled || false == authentication.isAssignedToDomain()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public static Authentication newAnonymousAuthentication(AnonymousUser anonymousUser, String str) {
        Authentication authentication = new Authentication(new Subject(anonymousUser, RealmRef.newAnonymousRealmRef(str), TransportVersion.CURRENT, Map.of()), AuthenticationType.ANONYMOUS);
        if ($assertionsDisabled || false == authentication.isAssignedToDomain()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public static Authentication newServiceAccountAuthentication(User user, String str, Map<String, Object> map) {
        Authentication authentication = new Authentication(new Subject(user, RealmRef.newServiceAccountRealmRef(str), TransportVersion.CURRENT, map), AuthenticationType.TOKEN);
        if ($assertionsDisabled || false == authentication.isAssignedToDomain()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public static Authentication newRealmAuthentication(User user, RealmRef realmRef) {
        Authentication authentication = new Authentication(new Subject(user, realmRef, TransportVersion.CURRENT, Map.of()), AuthenticationType.REALM);
        if (!$assertionsDisabled && false != authentication.isServiceAccount()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != authentication.isApiKey()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != authentication.isRemoteAccess()) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && false != authentication.isAuthenticatedInternally()) {
            throw new AssertionError();
        }
        if ($assertionsDisabled || false == authentication.isAuthenticatedAnonymously()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public static Authentication newApiKeyAuthentication(AuthenticationResult<User> authenticationResult, String str) {
        if (!$assertionsDisabled && !authenticationResult.isAuthenticated()) {
            throw new AssertionError("API Key authn result must be successful");
        }
        User value = authenticationResult.getValue();
        if (!$assertionsDisabled && value.roles().length != 0) {
            throw new AssertionError("The user associated to an API key authentication must have no role");
        }
        Authentication authentication = new Authentication(new Subject(value, RealmRef.newApiKeyRealmRef(str), TransportVersion.CURRENT, authenticationResult.getMetadata()), AuthenticationType.API_KEY);
        if ($assertionsDisabled || false == authentication.isAssignedToDomain()) {
            return authentication;
        }
        throw new AssertionError();
    }

    public Authentication toRemoteAccess(RemoteAccessAuthentication remoteAccessAuthentication) {
        if (!$assertionsDisabled && !isApiKey()) {
            throw new AssertionError("can only convert API key authentication to remote access");
        }
        if (!$assertionsDisabled && false != isRunAs()) {
            throw new AssertionError("remote access does not support authentication with run-as");
        }
        HashMap hashMap = new HashMap(getAuthenticatingSubject().getMetadata());
        RealmRef newRemoteAccessRealmRef = RealmRef.newRemoteAccessRealmRef(getAuthenticatingSubject().getRealm().getNodeName());
        User user = remoteAccessAuthentication.getAuthentication().getEffectiveSubject().getUser();
        if (!$assertionsDisabled && !user.enabled()) {
            throw new AssertionError("the user received from a remote cluster must be enabled");
        }
        Authentication authentication = new Authentication(new Subject(new User(user.principal(), org.elasticsearch.common.Strings.EMPTY_ARRAY, user.fullName(), user.email(), user.metadata(), user.enabled()), newRemoteAccessRealmRef, TransportVersion.CURRENT, remoteAccessAuthentication.copyWithRemoteAccessEntries(hashMap)), getAuthenticationType());
        if ($assertionsDisabled || false == authentication.isAssignedToDomain()) {
            return authentication;
        }
        throw new AssertionError();
    }

    static RealmRef maybeRewriteRealmRef(TransportVersion transportVersion, RealmRef realmRef) {
        if (realmRef == null || realmRef.getDomain() == null || !transportVersion.before(VERSION_REALM_DOMAINS)) {
            return realmRef;
        }
        logger.info("Rewriting realm [" + realmRef + "] without domain");
        return new RealmRef(realmRef.getName(), realmRef.getType(), realmRef.getNodeName(), null);
    }

    private static Map<String, Object> maybeRewriteMetadataForApiKeyRoleDescriptors(TransportVersion transportVersion, Authentication authentication) {
        Map<String, Object> metadata = authentication.getAuthenticatingSubject().getMetadata();
        if (authentication.isAuthenticatedAsApiKey()) {
            if (!$assertionsDisabled && !metadata.containsKey(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)) {
                throw new AssertionError("metadata must contain role descriptor for API key authentication");
            }
            if (!$assertionsDisabled && !metadata.containsKey(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)) {
                throw new AssertionError("metadata must contain limited role descriptor for API key authentication");
            }
            if (authentication.getEffectiveSubject().getTransportVersion().onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES) && transportVersion.before(VERSION_API_KEY_ROLES_AS_BYTES)) {
                metadata = new HashMap(metadata);
                metadata.put(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsBytesToMap((BytesReference) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)));
                metadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsBytesToMap((BytesReference) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
            } else if (authentication.getEffectiveSubject().getTransportVersion().before(VERSION_API_KEY_ROLES_AS_BYTES) && transportVersion.onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES)) {
                metadata = new HashMap(metadata);
                metadata.put(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsMapToBytes((Map) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)));
                metadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, convertRoleDescriptorsMapToBytes((Map) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
            }
        }
        return metadata;
    }

    static Map<String, Object> maybeRewriteMetadataForRemoteAccessAuthentication(TransportVersion transportVersion, Authentication authentication) {
        if (!$assertionsDisabled && !authentication.isRemoteAccess()) {
            throw new AssertionError("authentication must be remote access");
        }
        Map<String, Object> metadata = authentication.getAuthenticatingSubject().getMetadata();
        if (!$assertionsDisabled && !metadata.containsKey(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY)) {
            throw new AssertionError("metadata must contain authentication object for remote access authentication");
        }
        try {
            Authentication decode = AuthenticationContextSerializer.decode((String) metadata.get(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY));
            if (!decode.getEffectiveSubject().getTransportVersion().after(transportVersion)) {
                return metadata;
            }
            HashMap hashMap = new HashMap(metadata);
            hashMap.put(AuthenticationField.REMOTE_ACCESS_AUTHENTICATION_KEY, decode.maybeRewriteForOlderVersion(transportVersion).encode());
            return hashMap;
        } catch (IOException e) {
            throw new UncheckedIOException("failed serialization while rewriting [_security_remote_access_authentication] metadata field", e);
        }
    }

    private static Map<String, Object> convertRoleDescriptorsBytesToMap(BytesReference bytesReference) {
        return (Map) XContentHelper.convertToMap(bytesReference, false, XContentType.JSON).v2();
    }

    private static BytesReference convertRoleDescriptorsMapToBytes(Map<String, Object> map) {
        try {
            XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent());
            try {
                builder.map(map);
                BytesReference bytes = BytesReference.bytes(builder);
                if (builder != null) {
                    builder.close();
                }
                return bytes;
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean equivalentRealms(String str, String str2, String str3, String str4) {
        if (false == str2.equals(str4)) {
            return false;
        }
        if (isFileOrNativeRealm(str2)) {
            return true;
        }
        return str.equals(str3);
    }

    static {
        $assertionsDisabled = !Authentication.class.desiredAssertionStatus();
        logger = LogManager.getLogger(Authentication.class);
        VERSION_AUTHENTICATION_TYPE = TransportVersion.fromId(6070099);
        VERSION_REMOTE_ACCESS_REALM = TransportVersion.V_8_7_0;
        VERSION_API_KEY_ROLES_AS_BYTES = TransportVersion.V_7_9_0;
        VERSION_REALM_DOMAINS = TransportVersion.V_8_2_0;
        REALM_REF_PARSER = new ConstructingObjectParser<>("realm_ref", false, (objArr, r9) -> {
            return new RealmRef((String) objArr[0], (String) objArr[1], (String) objArr[2], (RealmDomain) objArr[3]);
        });
        REALM_REF_PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("name", new String[0]));
        REALM_REF_PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("type", new String[0]));
        REALM_REF_PARSER.declareString(ConstructingObjectParser.constructorArg(), new ParseField("node_name", new String[0]));
        REALM_REF_PARSER.declareObject(ConstructingObjectParser.optionalConstructorArg(), (xContentParser, r5) -> {
            return (RealmDomain) RealmDomain.REALM_DOMAIN_PARSER.parse(xContentParser, r5);
        }, new ParseField("domain", new String[0]));
    }
}
