package org.elasticsearch.xpack.security.authz;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Predicate;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.search.SearchScrollRequest;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.index.Index;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.core.security.action.user.UserRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.ResolvedIndices;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.NamedClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.core.security.support.StringMatcher;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.action.user.TransportHasPrivilegesAction;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/RBACEngine.class */
public class RBACEngine implements AuthorizationEngine {
    private static final Predicate<String> SAME_USER_PRIVILEGE;
    private static final String INDEX_SUB_REQUEST_PRIMARY = "indices:data/write/index[p]";
    private static final String INDEX_SUB_REQUEST_REPLICA = "indices:data/write/index[r]";
    private static final String DELETE_SUB_REQUEST_PRIMARY = "indices:data/write/delete[p]";
    private static final String DELETE_SUB_REQUEST_REPLICA = "indices:data/write/delete[r]";
    private static final Logger logger;
    private final CompositeRolesStore rolesStore;
    private final FieldPermissionsCache fieldPermissionsCache;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/RBACEngine$RBACAuthorizationInfo.class */
    public static class RBACAuthorizationInfo implements AuthorizationEngine.AuthorizationInfo {
        private final Role role;
        private final Map<String, Object> info;
        private final RBACAuthorizationInfo authenticatedUserAuthorizationInfo;

        RBACAuthorizationInfo(Role role, Role role2) {
            this.role = (Role) Objects.requireNonNull(role);
            this.info = Collections.singletonMap(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME, role.names());
            this.authenticatedUserAuthorizationInfo = role2 == null ? this : new RBACAuthorizationInfo(role2, null);
        }

        Role getRole() {
            return this.role;
        }

        public Map<String, Object> asMap() {
            return this.info;
        }

        /* renamed from: getAuthenticatedUserAuthorizationInfo, reason: merged with bridge method [inline-methods] */
        public RBACAuthorizationInfo m85getAuthenticatedUserAuthorizationInfo() {
            return this.authenticatedUserAuthorizationInfo;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RBACAuthorizationInfo rBACAuthorizationInfo = (RBACAuthorizationInfo) obj;
            if (this.role.equals(rBACAuthorizationInfo.role)) {
                return this.authenticatedUserAuthorizationInfo == this ? rBACAuthorizationInfo.authenticatedUserAuthorizationInfo == rBACAuthorizationInfo : this.authenticatedUserAuthorizationInfo.equals(rBACAuthorizationInfo.authenticatedUserAuthorizationInfo);
            }
            return false;
        }

        public int hashCode() {
            return this.authenticatedUserAuthorizationInfo == this ? Objects.hashCode(this.role) : Objects.hash(this.role, this.authenticatedUserAuthorizationInfo);
        }
    }

    public RBACEngine(Settings settings, CompositeRolesStore compositeRolesStore) {
        this.rolesStore = compositeRolesStore;
        this.fieldPermissionsCache = new FieldPermissionsCache(settings);
    }

    public void resolveAuthorizationInfo(AuthorizationEngine.RequestInfo requestInfo, ActionListener<AuthorizationEngine.AuthorizationInfo> actionListener) {
        Authentication authentication = requestInfo.getAuthentication();
        User user = authentication.getUser();
        CheckedConsumer checkedConsumer = role -> {
            if (!authentication.getUser().isRunAs()) {
                actionListener.onResponse(new RBACAuthorizationInfo(role, role));
                return;
            }
            User authenticatedUser = authentication.getUser().authenticatedUser();
            CheckedConsumer checkedConsumer2 = role -> {
                actionListener.onResponse(new RBACAuthorizationInfo(role, role));
            };
            Objects.requireNonNull(actionListener);
            getRoles(authenticatedUser, authentication, ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
        };
        Objects.requireNonNull(actionListener);
        getRoles(user, authentication, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void getRoles(User user, Authentication authentication, ActionListener<Role> actionListener) {
        this.rolesStore.getRoles(user, authentication, actionListener);
    }

    public void authorizeRunAs(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<AuthorizationEngine.AuthorizationResult> actionListener) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            actionListener.onResponse(new AuthorizationEngine.AuthorizationResult(((RBACAuthorizationInfo) authorizationInfo).m85getAuthenticatedUserAuthorizationInfo().getRole().checkRunAs(requestInfo.getAuthentication().getUser().principal())));
        } else {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
        }
    }

    public void authorizeClusterAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<AuthorizationEngine.AuthorizationResult> actionListener) {
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        if (((RBACAuthorizationInfo) authorizationInfo).getRole().checkClusterAction(requestInfo.getAction(), requestInfo.getRequest(), requestInfo.getAuthentication())) {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
        } else if (checkSameUserPermissions(requestInfo.getAction(), requestInfo.getRequest(), requestInfo.getAuthentication())) {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
        } else {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.deny());
        }
    }

    boolean checkSameUserPermissions(String str, TransportRequest transportRequest, Authentication authentication) {
        if (!SAME_USER_PRIVILEGE.test(str)) {
            return false;
        }
        if (!(transportRequest instanceof UserRequest)) {
            if (!(transportRequest instanceof GetApiKeyRequest)) {
                if ($assertionsDisabled) {
                    return false;
                }
                throw new AssertionError("right now only a user request or get api key request should be allowed");
            }
            GetApiKeyRequest getApiKeyRequest = (GetApiKeyRequest) transportRequest;
            if (Authentication.AuthenticationType.API_KEY != authentication.getAuthenticationType()) {
                return false;
            }
            if (!$assertionsDisabled && authentication.getLookedUpBy() != null) {
                throw new AssertionError("runAs not supported for api key authentication");
            }
            String str2 = (String) authentication.getMetadata().get(ApiKeyService.API_KEY_ID_KEY);
            if (Strings.hasText(getApiKeyRequest.getApiKeyId())) {
                return getApiKeyRequest.getApiKeyId().equals(str2);
            }
            return false;
        }
        String[] usernames = ((UserRequest) transportRequest).usernames();
        if (usernames == null || usernames.length != 1 || usernames[0] == null) {
            if ($assertionsDisabled) {
                return false;
            }
            throw new AssertionError("this role should only be used for actions to apply to a single user");
        }
        boolean equals = authentication.getUser().principal().equals(usernames[0]);
        if (equals && "cluster:admin/xpack/security/user/change_password".equals(str)) {
            return checkChangePasswordAction(authentication);
        }
        if ($assertionsDisabled || "cluster:admin/xpack/security/user/authenticate".equals(str) || "cluster:admin/xpack/security/user/has_privileges".equals(str) || "cluster:admin/xpack/security/user/list_privileges".equals(str) || !equals) {
            return equals;
        }
        throw new AssertionError("Action '" + str + "' should not be possible when sameUsername=" + equals);
    }

    private static boolean shouldAuthorizeIndexActionNameOnly(String str, TransportRequest transportRequest) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -2072666648:
                if (str.equals("indices:data/read/mtv")) {
                    z = 8;
                    break;
                }
                break;
            case -2072660985:
                if (str.equals("indices:data/read/sql")) {
                    z = 14;
                    break;
                }
                break;
            case -1921067251:
                if (str.equals("indices:data/write/delete")) {
                    z = 2;
                    break;
                }
                break;
            case -1581112528:
                if (str.equals("indices:data/write/index")) {
                    z = true;
                    break;
                }
                break;
            case -1052794295:
                if (str.equals("indices:data/read/mpercolate")) {
                    z = 10;
                    break;
                }
                break;
            case -257043954:
                if (str.equals("indices:data/read/msearch")) {
                    z = 9;
                    break;
                }
                break;
            case -75164325:
                if (str.equals(DELETE_SUB_REQUEST_PRIMARY)) {
                    z = 5;
                    break;
                }
                break;
            case -75164263:
                if (str.equals(DELETE_SUB_REQUEST_REPLICA)) {
                    z = 6;
                    break;
                }
                break;
            case -16895400:
                if (str.equals(INDEX_SUB_REQUEST_PRIMARY)) {
                    z = 3;
                    break;
                }
                break;
            case -16895338:
                if (str.equals(INDEX_SUB_REQUEST_REPLICA)) {
                    z = 4;
                    break;
                }
                break;
            case 109955931:
                if (str.equals("indices:data/read/msearch/template")) {
                    z = 11;
                    break;
                }
                break;
            case 114089309:
                if (str.equals("indices:data/write/reindex")) {
                    z = 13;
                    break;
                }
                break;
            case 171830448:
                if (str.equals("indices:data/read/mget")) {
                    z = 7;
                    break;
                }
                break;
            case 778194246:
                if (str.equals("indices:data/read/sql/translate")) {
                    z = 15;
                    break;
                }
                break;
            case 1888457460:
                if (str.equals("indices:data/write/bulk")) {
                    z = false;
                    break;
                }
                break;
            case 1984171450:
                if (str.equals("indices:data/read/search/template")) {
                    z = 12;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
            case true:
            case true:
            case true:
            case true:
            case SecurityIndexManager.INTERNAL_MAIN_INDEX_FORMAT /* 6 */:
            case SecurityIndexManager.INTERNAL_TOKENS_INDEX_FORMAT /* 7 */:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
                if (transportRequest instanceof BulkShardRequest) {
                    return false;
                }
                if (transportRequest instanceof CompositeIndicesRequest) {
                    return true;
                }
                throw new IllegalStateException("Composite and bulk actions must implement " + CompositeIndicesRequest.class.getSimpleName() + ", " + transportRequest.getClass().getSimpleName() + " doesn't. Action " + str);
            default:
                return false;
        }
    }

    public void authorizeIndexAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, AuthorizationEngine.AsyncSupplier<ResolvedIndices> asyncSupplier, Map<String, IndexAbstraction> map, ActionListener<AuthorizationEngine.IndexAuthorizationResult> actionListener) {
        String action = requestInfo.getAction();
        SearchScrollRequest request = requestInfo.getRequest();
        if (TransportActionProxy.isProxyAction(action) || shouldAuthorizeIndexActionNameOnly(action, request)) {
            try {
                actionListener.onResponse(authorizeIndexActionName(action, authorizationInfo, null));
                return;
            } catch (Exception e) {
                actionListener.onFailure(e);
                return;
            }
        }
        if (request instanceof IndicesRequest) {
            if (isChildActionAuthorizedByParent(requestInfo, authorizationInfo)) {
                actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, requestInfo.getOriginatingAuthorizationContext().getIndicesAccessControl()));
                return;
            }
            if ((request instanceof IndicesRequest.Replaceable) && ((IndicesRequest.Replaceable) request).allowsRemoteIndices()) {
                CheckedConsumer checkedConsumer = resolvedIndices -> {
                    if (!$assertionsDisabled && resolvedIndices.isEmpty()) {
                        throw new AssertionError("every indices request needs to have its indices set thus the resolved indices must not be empty");
                    }
                    if (resolvedIndices.isNoIndicesPlaceholder()) {
                        actionListener.onResponse(authorizeIndexActionName(action, authorizationInfo, IndicesAccessControl.ALLOW_NO_INDICES));
                    } else {
                        actionListener.onResponse(buildIndicesAccessControl(action, authorizationInfo, Sets.newHashSet(resolvedIndices.getLocal()), map));
                    }
                };
                Objects.requireNonNull(actionListener);
                asyncSupplier.getAsync(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                return;
            }
            try {
                AuthorizationEngine.IndexAuthorizationResult authorizeIndexActionName = authorizeIndexActionName(action, authorizationInfo, IndicesAccessControl.ALLOW_NO_INDICES);
                if (authorizeIndexActionName.isGranted()) {
                    CheckedConsumer checkedConsumer2 = resolvedIndices2 -> {
                        if (!$assertionsDisabled && resolvedIndices2.isEmpty()) {
                            throw new AssertionError("every indices request needs to have its indices set thus the resolved indices must not be empty");
                        }
                        if (resolvedIndices2.isNoIndicesPlaceholder()) {
                            actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, IndicesAccessControl.ALLOW_NO_INDICES));
                        } else {
                            actionListener.onResponse(buildIndicesAccessControl(action, authorizationInfo, Sets.newHashSet(resolvedIndices2.getLocal()), map));
                        }
                    };
                    Objects.requireNonNull(actionListener);
                    asyncSupplier.getAsync(ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
                } else {
                    actionListener.onResponse(authorizeIndexActionName);
                }
                return;
            } catch (Exception e2) {
                actionListener.onFailure(e2);
                return;
            }
        }
        if (isScrollRelatedAction(action)) {
            if (!"indices:data/read/scroll".equals(action)) {
                actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, (IndicesAccessControl) null));
                return;
            }
            CheckedConsumer checkedConsumer3 = parsedScrollId -> {
                if (parsedScrollId.hasLocalIndices()) {
                    actionListener.onResponse(authorizeIndexActionName(action, authorizationInfo, null));
                } else {
                    actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, (IndicesAccessControl) null));
                }
            };
            Objects.requireNonNull(actionListener);
            ActionListener wrap = ActionListener.wrap(checkedConsumer3, actionListener::onFailure);
            SearchScrollRequest searchScrollRequest = request;
            Objects.requireNonNull(searchScrollRequest);
            ActionRunnable.supply(wrap, searchScrollRequest::parseScrollId).run();
            return;
        }
        if (isAsyncRelatedAction(action)) {
            if ("indices:data/read/async_search/submit".equals(action)) {
                actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, (IndicesAccessControl) null));
                return;
            } else {
                actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, IndicesAccessControl.ALLOW_NO_INDICES));
                return;
            }
        }
        if (action.equals("indices:data/read/close_point_in_time")) {
            actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(true, IndicesAccessControl.ALLOW_NO_INDICES));
        } else {
            if (!$assertionsDisabled) {
                throw new AssertionError("only scroll and async-search related requests are known indices api that don't support retrieving the indices they relate to");
            }
            actionListener.onFailure(new IllegalStateException("only scroll and async-search related requests are known indices api that don't support retrieving the indices they relate to"));
        }
    }

    private boolean isChildActionAuthorizedByParent(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        IndicesAccessControl indicesAccessControl;
        String[] indices;
        AuthorizationEngine.AuthorizationContext originatingAuthorizationContext = requestInfo.getOriginatingAuthorizationContext();
        if (originatingAuthorizationContext == null || (indicesAccessControl = originatingAuthorizationContext.getIndicesAccessControl()) == null || !requestInfo.getAction().startsWith(originatingAuthorizationContext.getAction()) || !authorizationInfo.equals(originatingAuthorizationContext.getAuthorizationInfo()) || !(requestInfo.getRequest() instanceof IndicesRequest) || (indices = requestInfo.getRequest().indices()) == null || indices.length == 0 || Arrays.equals(IndicesAndAliasesResolver.NO_INDICES_OR_ALIASES_ARRAY, indices)) {
            return false;
        }
        for (String str : indices) {
            if (!$assertionsDisabled && Regex.isSimpleMatchPattern(str)) {
                throw new AssertionError("Wildcards should already be expanded but action [" + requestInfo.getAction() + "] has index [" + str + "]");
            }
            IndicesAccessControl.IndexAccessControl indexPermissions = indicesAccessControl.getIndexPermissions(str);
            if (indexPermissions == null || !indexPermissions.isGranted()) {
                return false;
            }
        }
        return true;
    }

    private static AuthorizationEngine.IndexAuthorizationResult authorizeIndexActionName(String str, AuthorizationEngine.AuthorizationInfo authorizationInfo, IndicesAccessControl indicesAccessControl) {
        return new AuthorizationEngine.IndexAuthorizationResult(true, ensureRBAC(authorizationInfo).getRole().checkIndicesAction(str) ? indicesAccessControl : IndicesAccessControl.DENIED);
    }

    public void loadAuthorizedIndices(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, Map<String, IndexAbstraction> map, ActionListener<Set<String>> actionListener) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            actionListener.onResponse(resolveAuthorizedIndicesFromRole(((RBACAuthorizationInfo) authorizationInfo).getRole(), requestInfo, map));
        } else {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
        }
    }

    public void validateIndexPermissionsAreSubset(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, Map<String, List<String>> map, ActionListener<AuthorizationEngine.AuthorizationResult> actionListener) {
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        Role role = ((RBACAuthorizationInfo) authorizationInfo).getRole();
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            String key = entry.getKey();
            Objects.requireNonNull(role);
            Automaton automaton = (Automaton) hashMap.computeIfAbsent(key, role::allowedActionsMatcher);
            for (String str : entry.getValue()) {
                Objects.requireNonNull(role);
                if (!Operations.subsetOf((Automaton) hashMap.computeIfAbsent(str, role::allowedActionsMatcher), automaton)) {
                    actionListener.onResponse(AuthorizationEngine.AuthorizationResult.deny());
                    return;
                }
            }
        }
        actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
    }

    public void checkPrivileges(Authentication authentication, AuthorizationEngine.AuthorizationInfo authorizationInfo, HasPrivilegesRequest hasPrivilegesRequest, Collection<ApplicationPrivilegeDescriptor> collection, ActionListener<HasPrivilegesResponse> actionListener) {
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        Role role = ((RBACAuthorizationInfo) authorizationInfo).getRole();
        logger.trace(() -> {
            return new ParameterizedMessage("Check whether role [{}] has privileges cluster=[{}] index=[{}] application=[{}]", new Object[]{Strings.arrayToCommaDelimitedString(role.names()), Strings.arrayToCommaDelimitedString(hasPrivilegesRequest.clusterPrivileges()), Strings.arrayToCommaDelimitedString(hasPrivilegesRequest.indexPrivileges()), Strings.arrayToCommaDelimitedString(hasPrivilegesRequest.applicationPrivileges())});
        });
        HashMap hashMap = new HashMap();
        for (String str : hasPrivilegesRequest.clusterPrivileges()) {
            hashMap.put(str, Boolean.valueOf(role.grants(ClusterPrivilegeResolver.resolve(str))));
        }
        boolean allMatch = hashMap.values().stream().allMatch((v0) -> {
            return v0.booleanValue();
        });
        ResourcePrivilegesMap.Builder builder = ResourcePrivilegesMap.builder();
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges : hasPrivilegesRequest.indexPrivileges()) {
            ResourcePrivilegesMap checkIndicesPrivileges = role.checkIndicesPrivileges(Sets.newHashSet(indicesPrivileges.getIndices()), indicesPrivileges.allowRestrictedIndices(), Sets.newHashSet(indicesPrivileges.getPrivileges()));
            allMatch = allMatch && checkIndicesPrivileges.allAllowed();
            builder.addResourcePrivilegesMap(checkIndicesPrivileges);
        }
        ResourcePrivilegesMap build = builder.build();
        boolean z = allMatch && build.allAllowed();
        HashMap hashMap2 = new HashMap();
        for (String str2 : TransportHasPrivilegesAction.getApplicationNames(hasPrivilegesRequest)) {
            logger.debug("Checking privileges for application {}", str2);
            ResourcePrivilegesMap.Builder builder2 = ResourcePrivilegesMap.builder();
            for (RoleDescriptor.ApplicationResourcePrivileges applicationResourcePrivileges : hasPrivilegesRequest.applicationPrivileges()) {
                if (str2.equals(applicationResourcePrivileges.getApplication())) {
                    builder2.addResourcePrivilegesMap(role.checkApplicationResourcePrivileges(str2, Sets.newHashSet(applicationResourcePrivileges.getResources()), Sets.newHashSet(applicationResourcePrivileges.getPrivileges()), collection));
                }
            }
            ResourcePrivilegesMap build2 = builder2.build();
            z = z && build2.allAllowed();
            hashMap2.put(str2, build2.getResourceToResourcePrivileges().values());
        }
        actionListener.onResponse(new HasPrivilegesResponse(hasPrivilegesRequest.username(), z, hashMap, build.getResourceToResourcePrivileges().values(), hashMap2));
    }

    public void getUserPrivileges(Authentication authentication, AuthorizationEngine.AuthorizationInfo authorizationInfo, GetUserPrivilegesRequest getUserPrivilegesRequest, ActionListener<GetUserPrivilegesResponse> actionListener) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            actionListener.onResponse(buildUserPrivilegesResponseObject(((RBACAuthorizationInfo) authorizationInfo).getRole()));
        } else {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
        }
    }

    GetUserPrivilegesResponse buildUserPrivilegesResponseObject(Role role) {
        Set emptySet;
        logger.trace(() -> {
            return new ParameterizedMessage("List privileges for role [{}]", Strings.arrayToCommaDelimitedString(role.names()));
        });
        TreeSet treeSet = new TreeSet();
        HashSet hashSet = new HashSet();
        for (ConfigurableClusterPrivilege configurableClusterPrivilege : role.cluster().privileges()) {
            if (configurableClusterPrivilege instanceof NamedClusterPrivilege) {
                treeSet.add(((NamedClusterPrivilege) configurableClusterPrivilege).name());
            } else {
                if (!(configurableClusterPrivilege instanceof ConfigurableClusterPrivilege)) {
                    throw new IllegalArgumentException("found unsupported cluster privilege : " + configurableClusterPrivilege + (configurableClusterPrivilege != null ? " of type " + configurableClusterPrivilege.getClass().getSimpleName() : ""));
                }
                hashSet.add(configurableClusterPrivilege);
            }
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        for (IndicesPermission.Group group : role.indices().groups()) {
            Set emptySet2 = group.getQuery() == null ? Collections.emptySet() : group.getQuery();
            if (group.getFieldPermissions().hasFieldLevelSecurity()) {
                FieldPermissionsDefinition fieldPermissionsDefinition = group.getFieldPermissions().getFieldPermissionsDefinition();
                if (!$assertionsDisabled && group.getFieldPermissions().getLimitedByFieldPermissionsDefinition() != null) {
                    throw new AssertionError("limited-by field must not exist since we do not support reporting user privileges for limited roles");
                }
                emptySet = fieldPermissionsDefinition.getFieldGrantExcludeGroups();
            } else {
                emptySet = Collections.emptySet();
            }
            linkedHashSet.add(new GetUserPrivilegesResponse.Indices(Arrays.asList(group.indices()), group.privilege().name(), emptySet, emptySet2, group.allowRestrictedIndices()));
        }
        LinkedHashSet linkedHashSet2 = new LinkedHashSet();
        for (String str : role.application().getApplicationNames()) {
            for (ApplicationPrivilege applicationPrivilege : role.application().getPrivileges(str)) {
                Set resourcePatterns = role.application().getResourcePatterns(applicationPrivilege);
                if (resourcePatterns.isEmpty()) {
                    logger.trace("No resources defined in application privilege {}", applicationPrivilege);
                } else {
                    linkedHashSet2.add(RoleDescriptor.ApplicationResourcePrivileges.builder().application(str).privileges(applicationPrivilege.name()).resources(resourcePatterns).build());
                }
            }
        }
        Privilege privilege = role.runAs().getPrivilege();
        return new GetUserPrivilegesResponse(treeSet, hashSet, linkedHashSet, linkedHashSet2, Operations.isEmpty(privilege.getAutomaton()) ? Collections.emptySet() : privilege.name());
    }

    static Set<String> resolveAuthorizedIndicesFromRole(Role role, AuthorizationEngine.RequestInfo requestInfo, Map<String, IndexAbstraction> map) {
        Predicate allowedIndicesMatcher = role.allowedIndicesMatcher(requestInfo.getAction());
        IndicesRequest request = requestInfo.getRequest();
        boolean z = (request instanceof IndicesRequest) && request.includeDataStreams();
        HashSet hashSet = new HashSet();
        if (z) {
            for (IndexAbstraction indexAbstraction : map.values()) {
                if (allowedIndicesMatcher.test(indexAbstraction)) {
                    hashSet.add(indexAbstraction.getName());
                    if (indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM) {
                        Iterator it = indexAbstraction.getIndices().iterator();
                        while (it.hasNext()) {
                            hashSet.add(((Index) it.next()).getName());
                        }
                    }
                }
            }
        } else {
            for (IndexAbstraction indexAbstraction2 : map.values()) {
                if (indexAbstraction2.getType() != IndexAbstraction.Type.DATA_STREAM && allowedIndicesMatcher.test(indexAbstraction2)) {
                    hashSet.add(indexAbstraction2.getName());
                }
            }
        }
        return Collections.unmodifiableSet(hashSet);
    }

    private AuthorizationEngine.IndexAuthorizationResult buildIndicesAccessControl(String str, AuthorizationEngine.AuthorizationInfo authorizationInfo, Set<String> set, Map<String, IndexAbstraction> map) {
        return new AuthorizationEngine.IndexAuthorizationResult(true, ensureRBAC(authorizationInfo).getRole().authorize(str, set, map, this.fieldPermissionsCache));
    }

    private static RBACAuthorizationInfo ensureRBAC(AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            return (RBACAuthorizationInfo) authorizationInfo;
        }
        throw new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName());
    }

    public static Role maybeGetRBACEngineRole(AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            return ((RBACAuthorizationInfo) authorizationInfo).getRole();
        }
        return null;
    }

    private static boolean checkChangePasswordAction(Authentication authentication) {
        String type = authentication.getUser().isRunAs() ? authentication.getLookedUpBy().getType() : authentication.getAuthenticatedBy().getType();
        if ($assertionsDisabled || type != null) {
            return authentication.getAuthenticationType().equals(Authentication.AuthenticationType.REALM) && ("reserved".equals(type) || "native".equals(type));
        }
        throw new AssertionError();
    }

    private static boolean isScrollRelatedAction(String str) {
        return str.equals("indices:data/read/scroll") || str.equals("indices:data/read/search[phase/fetch/id/scroll]") || str.equals("indices:data/read/search[phase/query+fetch/scroll]") || str.equals("indices:data/read/search[phase/query/scroll]") || str.equals("indices:data/read/search[free_context/scroll]") || str.equals("indices:data/read/scroll/clear") || str.equals("indices:data/read/sql/close_cursor") || str.equals("indices:data/read/search[clear_scroll_contexts]");
    }

    private static boolean isAsyncRelatedAction(String str) {
        return str.equals("indices:data/read/async_search/submit") || str.equals("indices:data/read/async_search/get") || str.equals("indices:data/read/async_search/delete") || str.equals("indices:data/read/eql/async/get") || str.equals("indices:data/read/sql/async/get");
    }

    static {
        $assertionsDisabled = !RBACEngine.class.desiredAssertionStatus();
        SAME_USER_PRIVILEGE = StringMatcher.of(new String[]{"cluster:admin/xpack/security/user/change_password", "cluster:admin/xpack/security/user/authenticate", "cluster:admin/xpack/security/user/has_privileges", "cluster:admin/xpack/security/user/list_privileges", "cluster:admin/xpack/security/api_key/get"});
        logger = LogManager.getLogger(RBACEngine.class);
    }
}
