package org.elasticsearch.xpack.core.security.authc;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
import org.elasticsearch.xpack.core.security.user.CrossClusterAccessUser;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/CrossClusterAccessSubjectInfo.class */
public final class CrossClusterAccessSubjectInfo {
    public static final String CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY = "_cross_cluster_access_subject_info";
    private static final Logger logger;
    private static final Set<String> API_KEY_AUTHENTICATION_METADATA_TO_KEEP;
    private static final Set<String> SERVICE_ACCOUNT_AUTHENTICATION_METADATA_TO_KEEP;
    private final Authentication authentication;
    private final List<RoleDescriptorsBytes> roleDescriptorsBytesList;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/CrossClusterAccessSubjectInfo$RoleDescriptorsBytes.class */
    public static final class RoleDescriptorsBytes implements Writeable {
        public static final RoleDescriptorsBytes EMPTY = new RoleDescriptorsBytes((BytesReference) new BytesArray("{}"));
        private final BytesReference rawBytes;

        public RoleDescriptorsBytes(BytesReference bytesReference) {
            this.rawBytes = bytesReference;
        }

        public RoleDescriptorsBytes(StreamInput streamInput) throws IOException {
            this(streamInput.readBytesReference());
        }

        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeBytesReference(this.rawBytes);
        }

        public String digest() {
            return MessageDigests.toHexString(MessageDigests.digest(this.rawBytes, MessageDigests.sha256()));
        }

        public static RoleDescriptorsBytes fromRoleDescriptors(Set<RoleDescriptor> set) throws IOException {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            jsonBuilder.startObject();
            for (RoleDescriptor roleDescriptor : set) {
                jsonBuilder.field(roleDescriptor.getName(), roleDescriptor);
            }
            jsonBuilder.endObject();
            return new RoleDescriptorsBytes(BytesReference.bytes(jsonBuilder));
        }

        public Set<RoleDescriptor> toRoleDescriptors() {
            try {
                XContentParser createParser = XContentHelper.createParser(XContentParserConfiguration.EMPTY, this.rawBytes, XContentType.JSON);
                try {
                    ArrayList arrayList = new ArrayList();
                    createParser.nextToken();
                    while (createParser.nextToken() != XContentParser.Token.END_OBJECT) {
                        createParser.nextToken();
                        arrayList.add(RoleDescriptor.parse(createParser.currentName(), createParser, false));
                    }
                    Set<RoleDescriptor> copyOf = Set.copyOf(arrayList);
                    if (createParser != null) {
                        createParser.close();
                    }
                    return copyOf;
                } finally {
                }
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            return Objects.equals(this.rawBytes, ((RoleDescriptorsBytes) obj).rawBytes);
        }

        public int hashCode() {
            return Objects.hash(this.rawBytes);
        }

        public String toString() {
            return "RoleDescriptorsBytes{rawBytes=" + this.rawBytes + "}";
        }
    }

    public CrossClusterAccessSubjectInfo(Authentication authentication, RoleDescriptorsIntersection roleDescriptorsIntersection) throws IOException {
        this(authentication, toRoleDescriptorsBytesList(roleDescriptorsIntersection));
    }

    private CrossClusterAccessSubjectInfo(Authentication authentication, List<RoleDescriptorsBytes> list) {
        this.authentication = authentication;
        this.roleDescriptorsBytesList = list;
    }

    public void writeToContext(ThreadContext threadContext) throws IOException {
        threadContext.putHeader(CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY, encode());
    }

    public static CrossClusterAccessSubjectInfo readFromContext(ThreadContext threadContext) throws IOException {
        String header = threadContext.getHeader(CROSS_CLUSTER_ACCESS_SUBJECT_INFO_HEADER_KEY);
        if (header == null) {
            throw new IllegalArgumentException("cross cluster access header [_cross_cluster_access_subject_info] is required");
        }
        return decode(header);
    }

    public Authentication getAuthentication() {
        return this.authentication;
    }

    public CrossClusterAccessSubjectInfo cleanAndValidate() {
        if (this.authentication.isCrossClusterAccess()) {
            Subject effectiveSubject = this.authentication.getEffectiveSubject();
            throw new IllegalArgumentException("subject [" + effectiveSubject.getUser().principal() + "] has type [" + effectiveSubject.getType() + "] but nested cross cluster access is not supported");
        }
        CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo = new CrossClusterAccessSubjectInfo(copyAuthenticationWithCleanMetadata(), this.roleDescriptorsBytesList);
        crossClusterAccessSubjectInfo.validate();
        return crossClusterAccessSubjectInfo;
    }

    public List<RoleDescriptorsBytes> getRoleDescriptorsBytesList() {
        return this.roleDescriptorsBytesList;
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        CrossClusterAccessSubjectInfo crossClusterAccessSubjectInfo = (CrossClusterAccessSubjectInfo) obj;
        if (false == this.authentication.equals(crossClusterAccessSubjectInfo.authentication)) {
            return false;
        }
        return this.roleDescriptorsBytesList.equals(crossClusterAccessSubjectInfo.roleDescriptorsBytesList);
    }

    public int hashCode() {
        return (31 * this.authentication.hashCode()) + this.roleDescriptorsBytesList.hashCode();
    }

    public String toString() {
        return "CrossClusterAccessSubjectInfo{authentication=" + this.authentication + ", roleDescriptorsBytesList=" + this.roleDescriptorsBytesList + "}";
    }

    private static List<RoleDescriptorsBytes> toRoleDescriptorsBytesList(RoleDescriptorsIntersection roleDescriptorsIntersection) throws IOException {
        if (!$assertionsDisabled && !roleDescriptorsIntersection.roleDescriptorsList().stream().noneMatch(set -> {
            return set.size() > 1;
        })) {
            throw new AssertionError("sets with more than one role descriptor are not supported for cross cluster access authentication");
        }
        ArrayList arrayList = new ArrayList();
        Iterator<Set<RoleDescriptor>> it = roleDescriptorsIntersection.roleDescriptorsList().iterator();
        while (it.hasNext()) {
            arrayList.add(RoleDescriptorsBytes.fromRoleDescriptors(it.next()));
        }
        return arrayList;
    }

    public String encode() throws IOException {
        StreamOutput bytesStreamOutput = new BytesStreamOutput();
        bytesStreamOutput.setTransportVersion(this.authentication.getEffectiveSubject().getTransportVersion());
        TransportVersion.writeVersion(this.authentication.getEffectiveSubject().getTransportVersion(), bytesStreamOutput);
        this.authentication.writeTo(bytesStreamOutput);
        bytesStreamOutput.writeCollection(this.roleDescriptorsBytesList, (streamOutput, roleDescriptorsBytes) -> {
            roleDescriptorsBytes.writeTo(streamOutput);
        });
        return Base64.getEncoder().encodeToString(BytesReference.toBytes(bytesStreamOutput.bytes()));
    }

    public static CrossClusterAccessSubjectInfo decode(String str) throws IOException {
        Objects.requireNonNull(str);
        StreamInput wrap = StreamInput.wrap(Base64.getDecoder().decode(str));
        wrap.setTransportVersion(TransportVersion.readVersion(wrap));
        return new CrossClusterAccessSubjectInfo(new Authentication(wrap), (List<RoleDescriptorsBytes>) wrap.readImmutableList(RoleDescriptorsBytes::new));
    }

    public Map<String, Object> copyWithCrossClusterAccessEntries(Map<String, Object> map) {
        if (!$assertionsDisabled && false != map.containsKey(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY)) {
            throw new AssertionError("metadata already contains [_security_cross_cluster_access_authentication] entry");
        }
        if (!$assertionsDisabled && false != map.containsKey(AuthenticationField.CROSS_CLUSTER_ACCESS_ROLE_DESCRIPTORS_KEY)) {
            throw new AssertionError("metadata already contains [_security_cross_cluster_access_role_descriptors] entry");
        }
        if (!$assertionsDisabled && false != getAuthentication().isCrossClusterAccess()) {
            throw new AssertionError("authentication included in cross cluster access header cannot itself be cross cluster access");
        }
        HashMap hashMap = new HashMap(map);
        hashMap.put(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY, getAuthentication());
        hashMap.put(AuthenticationField.CROSS_CLUSTER_ACCESS_ROLE_DESCRIPTORS_KEY, getRoleDescriptorsBytesList());
        return Collections.unmodifiableMap(hashMap);
    }

    private Authentication copyAuthenticationWithCleanMetadata() {
        if ($assertionsDisabled || false == this.authentication.isCrossClusterAccess()) {
            return this.authentication.isAuthenticatedAsApiKey() ? this.authentication.copyWithFilteredMetadataFields(API_KEY_AUTHENTICATION_METADATA_TO_KEEP) : this.authentication.isServiceAccount() ? this.authentication.copyWithFilteredMetadataFields(SERVICE_ACCOUNT_AUTHENTICATION_METADATA_TO_KEEP) : this.authentication.copyWithEmptyMetadata();
        }
        throw new AssertionError();
    }

    private void validate() {
        if (!$assertionsDisabled && false != this.authentication.isCrossClusterAccess()) {
            throw new AssertionError();
        }
        this.authentication.checkConsistency();
        User user = this.authentication.getEffectiveSubject().getUser();
        if (!CrossClusterAccessUser.is(user)) {
            if (User.isInternal(user)) {
                throw new IllegalArgumentException("received cross cluster request from an unexpected internal user [" + user.principal() + "]");
            }
        } else if (false == getRoleDescriptorsBytesList().isEmpty()) {
            logger.warn("Received non-empty role descriptors bytes list for internal cross cluster access user. These will be ignored during authorization.");
            if (!$assertionsDisabled) {
                throw new AssertionError("role descriptors bytes list for internal cross cluster access user must be empty");
            }
        }
    }

    static {
        $assertionsDisabled = !CrossClusterAccessSubjectInfo.class.desiredAssertionStatus();
        logger = LogManager.getLogger(CrossClusterAccessSubjectInfo.class);
        API_KEY_AUTHENTICATION_METADATA_TO_KEEP = Set.of(AuthenticationField.API_KEY_ID_KEY, AuthenticationField.API_KEY_NAME_KEY, AuthenticationField.API_KEY_CREATOR_REALM_NAME, AuthenticationField.API_KEY_CREATOR_REALM_TYPE);
        SERVICE_ACCOUNT_AUTHENTICATION_METADATA_TO_KEEP = Set.of(ServiceAccountSettings.TOKEN_NAME_FIELD, ServiceAccountSettings.TOKEN_SOURCE_FIELD);
    }
}
