package org.elasticsearch.xpack.core.security.authz;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.ValidateActions;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.cluster.metadata.Metadata;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivileges;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine.class */
public interface AuthorizationEngine {

    /**
     * Callback-style supplier: the value is handed to an {@link ActionListener} instead of being returned.
     *
     * @param <V> type of the value passed to the listener
     */
    @FunctionalInterface
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$AsyncSupplier.class */
    public interface AsyncSupplier<V> {
        /**
         * Requests the value.
         *
         * @param actionListener receives the outcome. NOTE(review): whether it is invoked on the calling thread or
         *                       later, and whether it is invoked exactly once, is not visible in this file.
         */
        void getAsync(ActionListener<V> actionListener);
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$AuthorizationContext.class */
    /**
     * Immutable triple of an action name, the {@link AuthorizationInfo} and the {@link IndicesAccessControl} that
     * belong to it. {@link RequestInfo} stores one of these as its originating authorization context.
     *
     * <p>None of the three values is null-checked or copied here, so every getter may return {@code null} if the
     * creator passed {@code null}.
     */
    public static final class AuthorizationContext {
        private final String action;
        private final AuthorizationInfo authorizationInfo;
        private final IndicesAccessControl indicesAccessControl;

        /**
         * Stores the three values as given.
         *
         * @param str                  the action name
         * @param authorizationInfo    authorization info recorded for the action
         * @param indicesAccessControl index access control recorded for the action
         */
        public AuthorizationContext(String str, AuthorizationInfo authorizationInfo, IndicesAccessControl indicesAccessControl) {
            action = str;
            this.authorizationInfo = authorizationInfo;
            this.indicesAccessControl = indicesAccessControl;
        }

        /** @return the action name passed to the constructor */
        public String getAction() {
            return action;
        }

        /** @return the authorization info passed to the constructor */
        public AuthorizationInfo getAuthorizationInfo() {
            return authorizationInfo;
        }

        /** @return the index access control passed to the constructor */
        public IndicesAccessControl getIndicesAccessControl() {
            return indicesAccessControl;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$AuthorizationInfo.class */
    /**
     * Engine-specific authorization data for a subject. The only view this interface exposes is a map.
     */
    public interface AuthorizationInfo {
        /**
         * @return a map representation of this object. NOTE(review): key names, value types and mutability are up to
         *         the implementation; treat the map as read-only unless the implementation says otherwise.
         */
        Map<String, Object> asMap();

        /**
         * Returns {@code this} unless overridden.
         *
         * <p>NOTE(review): presumably overridden by implementations that distinguish the authenticated user from an
         * effective (run-as) user; confirm against the implementing classes before relying on either identity.
         */
        default AuthorizationInfo getAuthenticatedUserAuthorizationInfo() {
            return this;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$AuthorizationResult.class */
    /**
     * Outcome of one authorization decision: a single granted/denied flag fixed at construction.
     *
     * <p>The class is open for extension and {@link #isGranted()} is not final, so a subclass may report the
     * decision differently; code that enforces the decision should read it through {@link #isGranted()} only.
     */
    public static class AuthorizationResult {
        private final boolean granted;

        /**
         * @param z {@code true} for a grant, {@code false} for a denial
         */
        public AuthorizationResult(boolean z) {
            granted = z;
        }

        /** @return the flag given to the constructor */
        public boolean isGranted() {
            return granted;
        }

        /**
         * Extra text describing why the request was denied. This base implementation has nothing to add and
         * always returns {@code null}, whatever the decision was.
         *
         * @param requestInfo       the request the decision was made for (unused here)
         * @param restrictedIndices restricted-index lookup (unused here)
         * @return always {@code null}
         */
        @Nullable
        public String getFailureContext(RequestInfo requestInfo, RestrictedIndices restrictedIndices) {
            return null;
        }

        /** @return a new result whose flag is {@code true} */
        public static AuthorizationResult granted() {
            return new AuthorizationResult(true);
        }

        /** @return a new result whose flag is {@code false} */
        public static AuthorizationResult deny() {
            return new AuthorizationResult(false);
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$AuthorizedIndices.class */
    /**
     * View over a set of index names, offered both as a lazily supplied set and as a per-name test.
     *
     * <p>NOTE(review): judging by the name these are the names the subject is authorized for; this file does not
     * show whether {@link #all()} and {@link #check(String)} are guaranteed to agree, so do not assume one can
     * substitute for the other without checking the implementation.
     */
    public interface AuthorizedIndices {
        /** @return a supplier of the full set of names; the set is only produced when the supplier is called */
        Supplier<Set<String>> all();

        /**
         * @param str the name to test
         * @return the implementation's verdict for that single name
         */
        boolean check(String str);
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$EmptyAuthorizationInfo.class */
    /**
     * Singleton {@link AuthorizationInfo} that carries no data. The private constructor leaves
     * {@link #INSTANCE} as the only instance.
     */
    public static final class EmptyAuthorizationInfo implements AuthorizationInfo {
        // The one shared instance.
        public static final EmptyAuthorizationInfo INSTANCE = new EmptyAuthorizationInfo();

        // Private so that no second instance can be created.
        private EmptyAuthorizationInfo() {
        }

        /** @return the JDK's shared immutable empty map */
        @Override // org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo
        public Map<String, Object> asMap() {
            return Collections.emptyMap();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$IndexAuthorizationResult.class */
    /**
     * Index-level authorization outcome that also carries the {@link IndicesAccessControl} it was derived from.
     *
     * <p>Security note: a {@code null} access control is reported as <em>granted</em> (see the constructor); that is
     * what {@link #EMPTY} relies on. {@code null} must therefore never be used to mean "unknown" or "not
     * evaluated": a denial has to be expressed with an access control whose {@code isGranted()} returns false.
     */
    public static class IndexAuthorizationResult extends AuthorizationResult {
        /** Shared result wrapping {@code IndicesAccessControl.DENIED}. */
        public static final IndexAuthorizationResult DENIED = new IndexAuthorizationResult(IndicesAccessControl.DENIED);
        /** Shared result with no access control attached; it reports granted. */
        public static final IndexAuthorizationResult EMPTY = new IndexAuthorizationResult(null);
        /** Shared result wrapping {@code IndicesAccessControl.ALLOW_NO_INDICES}. */
        public static final IndexAuthorizationResult ALLOW_NO_INDICES = new IndexAuthorizationResult(IndicesAccessControl.ALLOW_NO_INDICES);

        private final IndicesAccessControl indicesAccessControl;

        /**
         * @param indicesAccessControl the per-index decision; when {@code null} the result is treated as granted,
         *                             otherwise the flag is taken from {@code indicesAccessControl.isGranted()}
         */
        public IndexAuthorizationResult(IndicesAccessControl indicesAccessControl) {
            super(indicesAccessControl == null || indicesAccessControl.isGranted());
            this.indicesAccessControl = indicesAccessControl;
        }

        /**
         * Describes which of the requested indices failed the permission check.
         *
         * <p>The names come straight from the request, so the text echoes them back as the caller supplied them.
         *
         * @param requestInfo       the request whose index names are inspected
         * @param restrictedIndices used to label restricted names separately in the text
         * @return {@code null} when the result is granted, when the request names no indices (or only the
         *         "no indices" marker array), or when none of the names fails the check; otherwise the text
         *         built by {@link #getFailureDescription(Collection, RestrictedIndices)}
         */
        @Override
        public String getFailureContext(RequestInfo requestInfo, RestrictedIndices restrictedIndices) {
            if (isGranted()) {
                return null;
            }
            // A result built by this class's constructor is only denied when an access control was supplied.
            assert indicesAccessControl != null;
            final String[] requested = RequestInfo.indices(requestInfo.getRequest());
            final boolean nothingToReport = requested == null
                || requested.length == 0
                || Arrays.equals(IndicesAndAliasesResolverField.NO_INDICES_OR_ALIASES_ARRAY, requested);
            if (nothingToReport) {
                return null;
            }
            final Set<String> denied = Arrays.stream(requested)
                .filter(name -> !indicesAccessControl.hasIndexPermissions(name))
                .collect(Collectors.toSet());
            return getFailureDescription(denied, restrictedIndices);
        }

        /**
         * Formats the given names as {@code on indices [a,b] and restricted indices [c]}, omitting whichever
         * group is empty.
         *
         * @param collection        names to report, in iteration order
         * @param restrictedIndices decides which group each name goes into
         * @return {@code null} for an empty collection, otherwise the formatted text
         */
        public static String getFailureDescription(Collection<String> collection, RestrictedIndices restrictedIndices) {
            if (collection.isEmpty()) {
                return null;
            }
            final StringBuilder regular = new StringBuilder();
            final StringBuilder restricted = new StringBuilder();
            for (String name : collection) {
                final StringBuilder target = restrictedIndices.isRestricted(name) ? restricted : regular;
                if (target.length() > 0) {
                    target.append(',');
                }
                target.append(name);
            }
            final StringBuilder description = new StringBuilder();
            if (regular.length() > 0) {
                description.append("on indices [").append(regular).append(']');
            }
            if (restricted.length() > 0) {
                // "on" opens the text when there was no regular group; otherwise join the two groups.
                final String lead = description.length() == 0 ? "on" : " and";
                description.append(lead).append(" restricted indices [").append(restricted).append(']');
            }
            return description.toString();
        }

        /** @return the access control given to the constructor; {@code null} for {@link #EMPTY} */
        @Nullable
        public IndicesAccessControl getIndicesAccessControl() {
            return indicesAccessControl;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$ParentActionAuthorization.class */
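    /**
     * Name of a parent action, carried between components as a Base64-encoded thread-context header
     * ({@link #THREAD_CONTEXT_KEY}).
     *
     * <p>Written as a record declaration: the decompiled form ({@code extends Record} plus hand-written
     * {@code ObjectMethods.bootstrap} calls and an explicit {@code $assertionsDisabled} field) is not valid Java
     * source. The canonical constructor, the {@code action()} accessor and the generated
     * {@code equals}/{@code hashCode}/{@code toString} are the same ones the decompiled class exposed.
     *
     * <p>Security note: the header value is neither signed nor otherwise integrity-checked in this class, so the
     * decoded action is only as trustworthy as whatever wrote the header. NOTE(review): confirm that this header
     * key cannot be populated from client-supplied request headers.
     *
     * @param action the parent action name; not null-checked here
     */
    public record ParentActionAuthorization(String action) implements Writeable {
        public static final String THREAD_CONTEXT_KEY = "_xpack_security_parent_action_authz";

        /**
         * Writes the action name as a single string.
         *
         * @throws IOException if the stream fails
         */
        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeString(action);
        }

        /**
         * Reads one string from the stream and wraps it.
         *
         * @throws IOException if the stream fails
         */
        public static ParentActionAuthorization readFrom(StreamInput streamInput) throws IOException {
            return new ParentActionAuthorization(streamInput.readString());
        }

        /**
         * Decodes the value stored under {@link #THREAD_CONTEXT_KEY}, if any.
         *
         * @return {@code null} when the header is absent, otherwise the decoded instance
         * @throws IOException              if the decoded bytes cannot be read as a string
         * @throws IllegalArgumentException if the header is not valid Base64; this comes from the JDK decoder and
         *                                  is not converted to {@code IOException}
         */
        @Nullable
        public static ParentActionAuthorization readFromThreadContext(ThreadContext threadContext) throws IOException {
            final String header = threadContext.getHeader(THREAD_CONTEXT_KEY);
            if (header == null) {
                return null;
            }
            return readFrom(StreamInput.wrap(Base64.getDecoder().decode(header)));
        }

        /**
         * Stores the Base64-encoded form under {@link #THREAD_CONTEXT_KEY}.
         *
         * <p>NOTE(review): what happens when the header is already set depends on {@code ThreadContext.putHeader},
         * which is not shown in this file.
         *
         * @throws IOException if encoding fails
         */
        public void writeToThreadContext(ThreadContext threadContext) throws IOException {
            final String encoded = encode();
            assert encoded != null : "parent authorization object encoded to null";
            threadContext.putHeader(THREAD_CONTEXT_KEY, encoded);
        }

        // Serializes this record with writeTo and Base64-encodes the resulting bytes.
        private String encode() throws IOException {
            final BytesStreamOutput buffer = new BytesStreamOutput();
            writeTo(buffer);
            return Base64.getEncoder().encodeToString(BytesReference.toBytes(buffer.bytes()));
        }
    }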

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$PrivilegesCheckResult.class */
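    /**
     * Result of a privileges check: an overall flag plus optional per-privilege details.
     *
     * <p>The nested {@link Details} type is written as a record declaration; the decompiled {@code extends Record}
     * form with explicit {@code ObjectMethods.bootstrap} calls is not valid Java source.
     *
     * <p>Nothing here ties the flag to the details: the constructor accepts any combination, so code that makes
     * an access decision should read {@link #allChecksSuccess()} and not infer the outcome from the maps.
     */
    public static final class PrivilegesCheckResult {
        /** Shared "everything passed" result without details. */
        public static final PrivilegesCheckResult ALL_CHECKS_SUCCESS_NO_DETAILS = new PrivilegesCheckResult(true, null);
        /** Shared "at least one check failed" result without details. */
        public static final PrivilegesCheckResult SOME_CHECKS_FAILURE_NO_DETAILS = new PrivilegesCheckResult(false, null);

        private final boolean allChecksSuccess;

        @Nullable
        private final Details details;

        /**
         * Per-privilege outcome maps. All three must be non-null; they are stored as given, without copying, so a
         * mutable map passed in stays mutable through the accessors.
         *
         * @param cluster     outcome keyed by string. NOTE(review): presumably the cluster privilege name
         * @param index       {@link ResourcePrivileges} keyed by string. NOTE(review): presumably the index name
         * @param application collections of {@link ResourcePrivileges} keyed by string. NOTE(review): presumably
         *                    the application name
         */
        public record Details(
            Map<String, Boolean> cluster,
            Map<String, ResourcePrivileges> index,
            Map<String, Collection<ResourcePrivileges>> application
        ) {
            /** Rejects {@code null} for any of the three maps with a {@link NullPointerException}. */
            public Details {
                Objects.requireNonNull(cluster);
                Objects.requireNonNull(index);
                Objects.requireNonNull(application);
            }
        }

        /**
         * @param z       overall outcome
         * @param details optional breakdown; may be {@code null}
         */
        public PrivilegesCheckResult(boolean z, Details details) {
            this.allChecksSuccess = z;
            this.details = details;
        }

        /** @return the overall flag given to the constructor */
        public boolean allChecksSuccess() {
            return allChecksSuccess;
        }

        /** @return the breakdown, or {@code null} when none was recorded */
        @Nullable
        public Details getDetails() {
            return details;
        }

        /** Two results are equal when they are of the same class and agree on the flag and the details. */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final PrivilegesCheckResult other = (PrivilegesCheckResult) obj;
            return allChecksSuccess == other.allChecksSuccess && Objects.equals(details, other.details);
        }

        @Override
        public int hashCode() {
            return Objects.hash(allChecksSuccess, details);
        }
    }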

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$PrivilegesToCheck.class */
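    /**
     * The set of privileges a caller wants checked, with wire (de)serialization and request validation.
     *
     * <p>Written as a record declaration; the decompiled {@code extends Record} form is not valid Java source.
     * The canonical constructor and the four accessors are the ones the decompiled class spelled out by hand.
     *
     * <p>Points a reviewer should keep in mind:
     * <ul>
     *   <li>The arrays are stored and returned without copying, so a holder of the record can still change its
     *       contents after {@link #validate} has run. Validate as close to use as possible.</li>
     *   <li>{@link #readFrom} performs no validation; an instance read from the wire may hold {@code null}
     *       arrays until {@link #validate} is called.</li>
     * </ul>
     *
     * @param cluster          cluster privilege names
     * @param index            index privileges to check
     * @param application      application privileges to check
     * @param runDetailedCheck flag carried with the request. NOTE(review): presumably asks for a per-privilege
     *                         breakdown; its consumer is not in this file
     */
    public record PrivilegesToCheck(
        String[] cluster,
        RoleDescriptor.IndicesPrivileges[] index,
        RoleDescriptor.ApplicationResourcePrivileges[] application,
        boolean runDetailedCheck
    ) {

        /**
         * Reads the four components in the order {@link #writeTo} writes them. Each array is optional on the wire.
         *
         * @throws IOException if the stream fails
         */
        public static PrivilegesToCheck readFrom(StreamInput streamInput) throws IOException {
            final String[] cluster = streamInput.readOptionalStringArray();
            final RoleDescriptor.IndicesPrivileges[] index = streamInput.readOptionalArray(
                RoleDescriptor.IndicesPrivileges::new,
                RoleDescriptor.IndicesPrivileges[]::new
            );
            final RoleDescriptor.ApplicationResourcePrivileges[] application = streamInput.readOptionalArray(
                RoleDescriptor.ApplicationResourcePrivileges::new,
                RoleDescriptor.ApplicationResourcePrivileges[]::new
            );
            return new PrivilegesToCheck(cluster, index, application, streamInput.readBoolean());
        }

        /**
         * Writes the three arrays as optional arrays followed by the flag.
         *
         * @throws IOException if the stream fails
         */
        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeOptionalStringArray(cluster);
            streamOutput.writeOptionalArray(RoleDescriptor.IndicesPrivileges::write, index);
            streamOutput.writeOptionalArray(RoleDescriptor.ApplicationResourcePrivileges::write, application);
            streamOutput.writeBoolean(runDetailedCheck);
        }

        /**
         * Collects every validation problem into the given exception chain.
         *
         * <p>Checks, in order: each array is non-null; no index privilege carries a DLS query; every application
         * name passes {@code ApplicationPrivilege.validateApplicationName}; and the three arrays are not all
         * empty. The DLS error message embeds the query text as supplied by the caller.
         *
         * @param actionRequestValidationException errors accumulated so far, passed on to
         *                                         {@code ValidateActions.addValidationError}
         * @return the argument unchanged when nothing is wrong, otherwise whatever
         *         {@code ValidateActions.addValidationError} returned for the last problem found
         */
        public ActionRequestValidationException validate(ActionRequestValidationException actionRequestValidationException) {
            ActionRequestValidationException errors = actionRequestValidationException;
            if (cluster == null) {
                errors = ValidateActions.addValidationError("clusterPrivileges must not be null", errors);
            }
            if (index == null) {
                errors = ValidateActions.addValidationError("indexPrivileges must not be null", errors);
            } else {
                for (RoleDescriptor.IndicesPrivileges privileges : index) {
                    final BytesReference query = privileges.getQuery();
                    if (query != null) {
                        errors = ValidateActions.addValidationError(
                            "may only check index privileges without any DLS query [" + query.utf8ToString() + "]",
                            errors
                        );
                    }
                }
            }
            if (application == null) {
                errors = ValidateActions.addValidationError("applicationPrivileges must not be null", errors);
            } else {
                for (RoleDescriptor.ApplicationResourcePrivileges privileges : application) {
                    try {
                        ApplicationPrivilege.validateApplicationName(privileges.getApplication());
                    } catch (IllegalArgumentException e) {
                        // The validator's message becomes one more validation error; checking continues.
                        errors = ValidateActions.addValidationError(e.getMessage(), errors);
                    }
                }
            }
            final boolean nothingRequested = cluster != null
                && cluster.length == 0
                && index != null
                && index.length == 0
                && application != null
                && application.length == 0;
            if (nothingRequested) {
                errors = ValidateActions.addValidationError("must specify at least one privilege", errors);
            }
            return errors;
        }

        /** Compares the arrays by content, which the record-generated {@code equals} would not do. */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final PrivilegesToCheck other = (PrivilegesToCheck) obj;
            return runDetailedCheck == other.runDetailedCheck
                && Arrays.equals(cluster, other.cluster)
                && Arrays.equals(index, other.index)
                && Arrays.equals(application, other.application);
        }

        /** Content-based hash, consistent with {@link #equals(Object)}. */
        @Override
        public int hashCode() {
            int result = Objects.hash(runDetailedCheck);
            result = 31 * result + Arrays.hashCode(cluster);
            result = 31 * result + Arrays.hashCode(index);
            result = 31 * result + Arrays.hashCode(application);
            return result;
        }

        /** Prints the array contents rather than array identities. */
        @Override
        public String toString() {
            return getClass().getSimpleName()
                + "{cluster=" + Arrays.toString(cluster)
                + ",index=" + Arrays.toString(index)
                + ",application=" + Arrays.toString(application)
                + ",detailed=" + runDetailedCheck
                + "}";
        }
    }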

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/AuthorizationEngine$RequestInfo.class */
    /**
     * Immutable description of one request to be authorized: who is asking, what was sent, under which action
     * name, and optionally the originating context and parent authorization.
     */
    public static final class RequestInfo {
        private final Authentication authentication;
        private final TransportRequest request;
        private final String action;

        @Nullable
        private final AuthorizationContext originatingAuthorizationContext;

        @Nullable
        private final ParentActionAuthorization parentAuthorization;

        /**
         * @param authentication            the authenticated caller; must not be null
         * @param transportRequest          the request; must not be null
         * @param str                       the action name; must not be null
         * @param authorizationContext      originating context, or {@code null}
         * @param parentActionAuthorization parent action authorization, or {@code null}
         * @throws NullPointerException if any of the first three arguments is null
         */
        public RequestInfo(Authentication authentication, TransportRequest transportRequest, String str, AuthorizationContext authorizationContext, ParentActionAuthorization parentActionAuthorization) {
            this.authentication = Objects.requireNonNull(authentication);
            request = Objects.requireNonNull(transportRequest);
            action = Objects.requireNonNull(str);
            originatingAuthorizationContext = authorizationContext;
            parentAuthorization = parentActionAuthorization;
        }

        /** Same as the five-argument constructor with no parent authorization. */
        public RequestInfo(Authentication authentication, TransportRequest transportRequest, String str, AuthorizationContext authorizationContext) {
            this(authentication, transportRequest, str, authorizationContext, null);
        }

        /** @return the action name; never null */
        public String getAction() {
            return action;
        }

        /** @return the authentication; never null */
        public Authentication getAuthentication() {
            return authentication;
        }

        /** @return the request; never null */
        public TransportRequest getRequest() {
            return request;
        }

        /** @return the originating context, or {@code null} when none was given */
        @Nullable
        public AuthorizationContext getOriginatingAuthorizationContext() {
            return originatingAuthorizationContext;
        }

        /** @return the parent authorization, or {@code null} when none was given */
        @Nullable
        public ParentActionAuthorization getParentAuthorization() {
            return parentAuthorization;
        }

        /**
         * Renders every field through its own {@code toString}.
         *
         * <p>NOTE(review): the output embeds the string forms of the authentication and of the request; check
         * what those print before writing this to logs that leave the node.
         */
        public String toString() {
            return getClass().getSimpleName()
                + "{authentication=[" + authentication
                + "], request=[" + request
                + "], action=[" + action
                + "], originating=[" + originatingAuthorizationContext
                + "], parent=[" + parentAuthorization
                + "]}";
        }

        /**
         * Extracts the index names from a request.
         *
         * @return the request's {@code indices()} when it is an {@link IndicesRequest}, otherwise {@code null}
         */
        @Nullable
        public static String[] indices(TransportRequest transportRequest) {
            return transportRequest instanceof IndicesRequest indicesRequest ? indicesRequest.indices() : null;
        }
    }

    /**
     * Resolves the {@link AuthorizationInfo} for a request. The result is delivered through the listener; nothing
     * is returned.
     *
     * <p>NOTE(review): this interface does not state whether a failure is reported through the listener's
     * failure path or by throwing; confirm per implementation, for this and every method below.
     */
    void resolveAuthorizationInfo(RequestInfo requestInfo, ActionListener<AuthorizationInfo> actionListener);

    /**
     * Resolves the {@link AuthorizationInfo} for a {@link Subject} without a surrounding request.
     */
    void resolveAuthorizationInfo(Subject subject, ActionListener<AuthorizationInfo> actionListener);

    /**
     * Decides a run-as request and passes an {@link AuthorizationResult} to the listener.
     *
     * <p>NOTE(review): which of the two identities {@code authorizationInfo} represents here is not visible in
     * this file; see {@link AuthorizationInfo#getAuthenticatedUserAuthorizationInfo()}.
     */
    void authorizeRunAs(RequestInfo requestInfo, AuthorizationInfo authorizationInfo, ActionListener<AuthorizationResult> actionListener);

    /**
     * Decides a cluster-level action and passes an {@link AuthorizationResult} to the listener.
     */
    void authorizeClusterAction(RequestInfo requestInfo, AuthorizationInfo authorizationInfo, ActionListener<AuthorizationResult> actionListener);

    /**
     * Decides an index-level action and passes an {@link IndexAuthorizationResult} to the listener.
     *
     * <p>Implementors: an {@link IndexAuthorizationResult} built with a {@code null} access control reports
     * granted (see its constructor), so {@code null} must not be used to signal a failed or skipped evaluation.
     *
     * @param asyncSupplier supplies the resolved indices on demand, through its own listener
     * @param metadata      cluster metadata made available to the decision
     */
    void authorizeIndexAction(RequestInfo requestInfo, AuthorizationInfo authorizationInfo, AsyncSupplier<ResolvedIndices> asyncSupplier, Metadata metadata, ActionListener<IndexAuthorizationResult> actionListener);

    /**
     * Produces the {@link AuthorizedIndices} view for a request and passes it to the listener.
     *
     * @param map index abstractions keyed by string. NOTE(review): presumably keyed by name; confirm with callers
     */
    void loadAuthorizedIndices(RequestInfo requestInfo, AuthorizationInfo authorizationInfo, Map<String, IndexAbstraction> map, ActionListener<AuthorizedIndices> actionListener);

    /**
     * Checks, per the method name, that one set of index permissions is a subset of another, and passes an
     * {@link AuthorizationResult} to the listener.
     *
     * @param map lists of strings keyed by string. NOTE(review): the meaning of key and values (for example index
     *            to aliases) is not visible in this file; confirm before building the argument
     */
    void validateIndexPermissionsAreSubset(RequestInfo requestInfo, AuthorizationInfo authorizationInfo, Map<String, List<String>> map, ActionListener<AuthorizationResult> actionListener);

    /**
     * Evaluates {@code privilegesToCheck} against {@code authorizationInfo} and passes a
     * {@link PrivilegesCheckResult} to the listener.
     *
     * <p>NOTE(review): nothing in this signature says the engine calls {@link PrivilegesToCheck#validate}; callers
     * that accept the object from the wire should validate it themselves first.
     *
     * @param collection application privilege descriptors made available to the check
     */
    void checkPrivileges(AuthorizationInfo authorizationInfo, PrivilegesToCheck privilegesToCheck, Collection<ApplicationPrivilegeDescriptor> collection, ActionListener<PrivilegesCheckResult> actionListener);

    /**
     * Builds a {@link GetUserPrivilegesResponse} from {@code authorizationInfo} and passes it to the listener.
     */
    void getUserPrivileges(AuthorizationInfo authorizationInfo, ActionListener<GetUserPrivilegesResponse> actionListener);

    /**
     * Optional operation; engines that do not override it do not support it.
     *
     * <p>The default throws synchronously and never touches {@code actionListener}, so a caller that only
     * handles the listener's failure path will not see this error. Callers must be prepared for the exception
     * itself.
     *
     * @throws UnsupportedOperationException always, in this default implementation
     */
    default void getRoleDescriptorsIntersectionForRemoteCluster(String str, TransportVersion transportVersion, AuthorizationInfo authorizationInfo, ActionListener<RoleDescriptorsIntersection> actionListener) {
        throw new UnsupportedOperationException("retrieving role descriptors for remote cluster is not supported by this authorization engine");
    }
}
