package org.elasticsearch.xpack.security.authc.support;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.Security;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/DelegatedAuthorizationSupport.class */
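/**
 * Lets a realm that has already authenticated a principal hand the user lookup
 * to one or more other realms (the {@code authorization_realms} setting).
 *
 * <p>Three checks in this class matter for security:
 * <ul>
 *   <li>every configured authorization realm must exist in the supplied realm list, otherwise
 *       construction fails with {@link IllegalArgumentException};</li>
 *   <li>a realm that itself delegates authorization cannot be used as an authorization realm,
 *       so delegation chains are rejected at construction time;</li>
 *   <li>{@link #resolve} refuses to look anything up unless the delegated-authorization
 *       feature passes the license check.</li>
 * </ul>
 */
public class DelegatedAuthorizationSupport {
    private final RealmUserLookup lookup;
    private final Logger logger;
    private final XPackLicenseState licenseState;

    /**
     * Builds the support object from a realm's own configuration and logs, at INFO, which
     * realms authorization is delegated to when at least one is configured.
     *
     * @param iterable          the realms that may be referenced as authorization realms
     * @param realmConfig       configuration of the delegating realm
     * @param xPackLicenseState license state consulted on every {@link #resolve} call
     * @throws IllegalArgumentException if a configured realm name is unknown or itself delegates
     */
    // The cast is carried over from the decompiled listing; it is redundant if getSetting is
    // generic in the setting's value type, hence the narrowly scoped suppression.
    @SuppressWarnings("unchecked")
    public DelegatedAuthorizationSupport(Iterable<? extends Realm> iterable, RealmConfig realmConfig, XPackLicenseState xPackLicenseState) {
        this(iterable, (List<String>) realmConfig.getSetting(DelegatedAuthorizationSettings.AUTHZ_REALMS), realmConfig.settings(), realmConfig.threadContext(), xPackLicenseState);
        if (this.lookup.hasRealms()) {
            this.logger.info("Realm [{}] is delegating authorization to [{}]", realmConfig.identifier(), Strings.collectionToCommaDelimitedString(this.lookup.getRealms()));
        }
    }

    /**
     * Resolves the named realms, rejects delegation chains, and prepares the user lookup.
     *
     * @param iterable          the realms that may be referenced as authorization realms
     * @param list              names of the realms to delegate to, in lookup order
     * @param settings          settings searched for an {@code authorization_realms} entry on each target realm
     * @param threadContext     thread context handed to the lookup
     * @param xPackLicenseState license state consulted on every {@link #resolve} call
     * @throws IllegalArgumentException if a realm name is unknown or the realm itself delegates
     */
    protected DelegatedAuthorizationSupport(Iterable<? extends Realm> iterable, List<String> list, Settings settings, ThreadContext threadContext, XPackLicenseState xPackLicenseState) {
        final List<Realm> resolvedRealms = resolveRealms(iterable, list);
        // Validate before storing anything: a misconfigured chain must fail construction.
        checkForRealmChains(resolvedRealms, settings);
        this.lookup = new RealmUserLookup(resolvedRealms, threadContext);
        this.logger = LogManager.getLogger(getClass());
        this.licenseState = xPackLicenseState;
    }

    /**
     * @return {@code true} if at least one authorization realm is configured
     */
    public boolean hasDelegation() {
        return this.lookup.hasRealms();
    }

    /**
     * Looks up the user for an already-authenticated principal in the authorization realms.
     *
     * <p>A license failure, missing configuration and "user not found" are all delivered through
     * {@code onResponse} as unsuccessful results; only a failure of the lookup itself reaches
     * {@code onFailure}.
     *
     * @param str            the authenticated principal to look up
     * @param actionListener receives the authentication result
     * @throws NullPointerException if {@code actionListener} is {@code null}
     */
    public void resolve(String str, ActionListener<AuthenticationResult<User>> actionListener) {
        // Fail fast instead of deferring the null check until just before the lookup.
        Objects.requireNonNull(actionListener, "actionListener");
        if (!Security.DELEGATED_AUTHORIZATION_FEATURE.check(this.licenseState)) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("authorization_realms are not permitted", LicenseUtils.newComplianceException("authorization_realms")));
            return;
        }
        if (!hasDelegation()) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("No [authorization_realms] have been configured", (Exception) null));
            return;
        }
        // The lambda is passed straight to ActionListener.wrap so its parameter type is inferred
        // from the listener type lookup() expects; a raw CheckedConsumer variable would type the
        // parameter as Object and the v1()/v2() calls would not compile.
        this.lookup.lookup(str, ActionListener.wrap(tuple -> {
            if (tuple == null) {
                // NOTE(review): the principal is embedded verbatim in this message; where the
                // message ends up (logs, audit trail, response) is decided by callers not shown
                // here - confirm it is encoded appropriately at that point.
                actionListener.onResponse(AuthenticationResult.unsuccessful("the principal [" + str + "] was authenticated, but no user could be found in realms [" + Strings.collectionToDelimitedString(this.lookup.getRealms(), ",") + "]", (Exception) null));
            } else {
                // Parameterized form renders the same text but skips the toString() calls and
                // concatenation when TRACE is disabled.
                this.logger.trace("Found user {} in realm {}", tuple.v1(), tuple.v2());
                actionListener.onResponse(AuthenticationResult.success((User) tuple.v1()));
            }
        }, actionListener::onFailure));
    }

    /**
     * Maps each configured realm name to its realm, preserving order.
     *
     * @throws IllegalArgumentException if any name has no matching realm
     */
    private List<Realm> resolveRealms(Iterable<? extends Realm> iterable, List<String> list) {
        final List<Realm> resolved = new ArrayList<>(list.size());
        for (String realmName : list) {
            resolved.add(findRealm(realmName, iterable));
        }
        assert resolved.size() == list.size();
        return resolved;
    }

    /**
     * Rejects any target realm that has its own {@code authorization_realms} setting, so that
     * authorization is never delegated through more than one hop.
     *
     * @throws IllegalArgumentException if a target realm is itself delegating authorization
     */
    private void checkForRealmChains(Iterable<Realm> iterable, Settings settings) {
        for (Realm realm : iterable) {
            final Setting<?> realmSetting = ((Setting.AffixSetting<?>) DelegatedAuthorizationSettings.AUTHZ_REALMS.apply(realm.type())).getConcreteSettingForNamespace(realm.name());
            if (realmSetting.exists(settings)) {
                throw new IllegalArgumentException("cannot use realm [" + realm + "] as an authorization realm - it is already delegating authorization to [" + realmSetting.get(settings) + "]");
            }
        }
    }

    /**
     * Finds a realm by exact name match.
     *
     * @throws IllegalArgumentException if no realm in {@code iterable} has that name
     */
    private Realm findRealm(String str, Iterable<? extends Realm> iterable) {
        for (Realm realm : iterable) {
            if (str.equals(realm.name())) {
                return realm;
            }
        }
        throw new IllegalArgumentException("configured authorization realm [" + str + "] does not exist (or is not enabled)");
    }

    /**
     * Describes the feature's availability and the lookup realms. It calls
     * {@code checkWithoutTracking} rather than {@code check}; by its name, that presumably
     * avoids recording feature usage just for rendering a string.
     */
    @Override
    public String toString() {
        return "security-delegated-authorization: available [" + Security.DELEGATED_AUTHORIZATION_FEATURE.checkWithoutTracking(this.licenseState) + "], lookup-realms [" + Strings.collectionToDelimitedString(this.lookup.getRealms(), ",") + "]";
    }
}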
