package org.elasticsearch.xpack.security.authc.support;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/ApiKeyGenerator.class */
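/**
 * Creates API keys on behalf of an authenticated caller.
 *
 * <p>Before delegating to {@link ApiKeyService}, this class applies two checks that are visible
 * in {@link #generateApiKey}:
 * <ul>
 *   <li>a caller that is itself authenticated with an API key may only create a "derived" key
 *       whose role descriptors are all explicitly empty, so a key cannot be used to mint another
 *       key that carries privileges;</li>
 *   <li>the document-level-security queries of the role descriptors resolved from the caller's
 *       role names are validated before the key is created.</li>
 * </ul>
 */
public class ApiKeyGenerator {
    private final ApiKeyService apiKeyService;
    private final CompositeRolesStore rolesStore;
    private final NamedXContentRegistry xContentRegistry;

    /**
     * @param apiKeyService service that checks the feature is enabled and creates the key
     * @param compositeRolesStore store used to resolve the caller's role names to role descriptors
     * @param namedXContentRegistry registry handed to the DLS query validator
     */
    public ApiKeyGenerator(ApiKeyService apiKeyService, CompositeRolesStore compositeRolesStore, NamedXContentRegistry namedXContentRegistry) {
        this.apiKeyService = apiKeyService;
        this.rolesStore = compositeRolesStore;
        this.xContentRegistry = namedXContentRegistry;
    }

    /**
     * Validates the request against the caller's authentication and, if it passes, asks
     * {@link ApiKeyService} to create the key.
     *
     * <p>Only the role descriptors resolved from the caller's role names are DLS-validated here;
     * the descriptors carried by the request are inspected solely for emptiness (derived-key
     * check). Any further validation of the request's descriptors is not visible in this class.
     *
     * @param authentication the caller's authentication; {@code null} fails the listener
     * @param createApiKeyRequest the key creation request
     * @param actionListener receives the created key or the failure; must not be {@code null}
     */
    public void generateApiKey(Authentication authentication, CreateApiKeyRequest createApiKeyRequest, ActionListener<CreateApiKeyResponse> actionListener) {
        if (authentication == null) {
            actionListener.onFailure(new ElasticsearchSecurityException("no authentication available to generate API key"));
            return;
        }
        // Called directly rather than through the listener: anything it throws propagates to the
        // caller of this method instead of reaching actionListener.onFailure.
        this.apiKeyService.ensureEnabled();
        // Derived-key restriction: an API-key-authenticated caller must supply descriptors that
        // grant nothing, otherwise the request is rejected before any roles are resolved.
        if (Authentication.AuthenticationType.API_KEY == authentication.getAuthenticationType() && grantsAnyPrivileges(createApiKeyRequest)) {
            actionListener.onFailure(new IllegalArgumentException("creating derived api keys requires an explicit role descriptor that is empty (has no privileges)"));
            return;
        }
        HashSet<String> roleNames = new HashSet<>(Arrays.asList(authentication.getUser().roles()));
        // The lambda parameter is typed by inference from getRoleDescriptors, replacing the raw
        // HashSet / CheckedConsumer / Iterator and the unchecked cast to RoleDescriptor.
        // actionListener::onFailure also fails fast with a NullPointerException on a null listener.
        this.rolesStore.getRoleDescriptors(roleNames, ActionListener.wrap(roleDescriptors -> {
            for (RoleDescriptor roleDescriptor : roleDescriptors) {
                try {
                    DLSRoleQueryValidator.validateQueryField(roleDescriptor.getIndicesPrivileges(), this.xContentRegistry);
                } catch (ElasticsearchException | IllegalArgumentException e) {
                    // First invalid DLS query aborts the whole request; no key is created.
                    actionListener.onFailure(e);
                    return;
                }
            }
            this.apiKeyService.createApiKey(authentication, createApiKeyRequest, roleDescriptors, actionListener);
        }, actionListener::onFailure));
    }

    /**
     * Reports whether the request could grant privileges to the new key.
     *
     * <p>A {@code null} or empty descriptor list counts as granting privileges, so only a request
     * that supplies at least one descriptor, all of them empty, returns {@code false}.
     * NOTE(review): presumably a key created without descriptors is not restricted below its
     * owner's permissions, which is why "absent" is treated as "grants" - confirm against
     * ApiKeyService.
     *
     * @param createApiKeyRequest the key creation request
     * @return {@code true} unless every supplied role descriptor is empty
     */
    private boolean grantsAnyPrivileges(CreateApiKeyRequest createApiKeyRequest) {
        if (createApiKeyRequest.getRoleDescriptors() == null || createApiKeyRequest.getRoleDescriptors().isEmpty()) {
            return true;
        }
        return createApiKeyRequest.getRoleDescriptors().stream().anyMatch(roleDescriptor -> !roleDescriptor.isEmpty());
    }
}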
