package org.elasticsearch.xpack.security.profile;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Clock;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.search.TotalHits;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceNotFoundException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.bulk.BackoffPolicy;
import org.elasticsearch.action.bulk.BulkAction;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.TransportBulkAction;
import org.elasticsearch.action.bulk.TransportSingleItemBulkWriteAction;
import org.elasticsearch.action.get.GetAction;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.MultiGetItemResponse;
import org.elasticsearch.action.get.MultiGetRequestBuilder;
import org.elasticsearch.action.search.MultiSearchAction;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.MultiSearchResponse;
import org.elasticsearch.action.search.SearchAction;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.support.master.AcknowledgedResponse;
import org.elasticsearch.action.update.UpdateAction;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.action.update.UpdateRequestBuilder;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.client.internal.OriginSettingClient;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.Fuzziness;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.MultiMatchQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchHits;
import org.elasticsearch.search.sort.SortOrder;
import org.elasticsearch.tasks.TaskId;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.common.ResultsAndErrors;
import org.elasticsearch.xpack.core.security.action.profile.Profile;
import org.elasticsearch.xpack.core.security.action.profile.SuggestProfilesRequest;
import org.elasticsearch.xpack.core.security.action.profile.SuggestProfilesResponse;
import org.elasticsearch.xpack.core.security.action.profile.UpdateProfileDataRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.DomainConfig;
import org.elasticsearch.xpack.core.security.authc.RealmDomain;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.user.InternalUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.profile.ProfileDocument;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/profile/ProfileService.class */
public class ProfileService {
    private static final Logger logger;
    private static final String DOC_ID_PREFIX = "profile_";
    private static final BackoffPolicy DEFAULT_BACKOFF;
    private static final int DIFFERENTIATOR_UPPER_LIMIT = 9;
    private static final long ACTIVATE_INTERVAL_IN_MS;
    private final Settings settings;
    private final Clock clock;
    private final Client client;
    private final SecurityIndexManager profileIndex;
    private final ClusterService clusterService;
    private final Function<String, DomainConfig> domainConfigLookup;
    private final ThreadPool threadPool;
    private static final Pattern VALID_LITERAL_USERNAME;
    private static final String INVALID_USERNAME_MESSAGE = "Security domain [%s] is configured to use literal username. As a result, creating new user profile requires the username to be at least 1 and no more than 256 characters. The username must begin with an alphanumeric character (a-z, A-Z, 0-9) and followed by any alphanumeric or dash (-) characters.";
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors.class */
    public static final class SubjectSearchResultsAndErrors<T> extends Record {
        private final List<Tuple<Subject, T>> results;
        private final Map<Subject, Exception> errors;

        public SubjectSearchResultsAndErrors(List<Tuple<Subject, T>> list, Map<Subject, Exception> map) {
            this.results = list;
            this.errors = map;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, SubjectSearchResultsAndErrors.class), SubjectSearchResultsAndErrors.class, "results;errors", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors;->results:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors;->errors:Ljava/util/Map;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, SubjectSearchResultsAndErrors.class), SubjectSearchResultsAndErrors.class, "results;errors", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors;->results:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors;->errors:Ljava/util/Map;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, SubjectSearchResultsAndErrors.class, Object.class), SubjectSearchResultsAndErrors.class, "results;errors", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors;->results:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$SubjectSearchResultsAndErrors;->errors:Ljava/util/Map;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public List<Tuple<Subject, T>> results() {
            return this.results;
        }

        public Map<Subject, Exception> errors() {
            return this.errors;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument.class */
    public static final class VersionedDocument extends Record {
        private final ProfileDocument doc;
        private final long primaryTerm;
        private final long seqNo;
        static final /* synthetic */ boolean $assertionsDisabled;

        VersionedDocument(ProfileDocument profileDocument, long j, long j2) {
            this.doc = profileDocument;
            this.primaryTerm = j;
            this.seqNo = j2;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public Profile toProfile(Set<String> set) {
            if ($assertionsDisabled || set != null) {
                return new Profile(this.doc.uid(), this.doc.enabled(), this.doc.lastSynchronized(), this.doc.user().toProfileUser(), this.doc.labels(), set.isEmpty() ? Map.of() : (Map) XContentHelper.convertToMap(this.doc.applicationData(), false, XContentType.JSON, set, (Set) null).v2(), new Profile.VersionControl(this.primaryTerm, this.seqNo));
            }
            throw new AssertionError("data keys must not be null");
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, VersionedDocument.class), VersionedDocument.class, "doc;primaryTerm;seqNo", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->doc:Lorg/elasticsearch/xpack/security/profile/ProfileDocument;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->primaryTerm:J", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->seqNo:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, VersionedDocument.class), VersionedDocument.class, "doc;primaryTerm;seqNo", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->doc:Lorg/elasticsearch/xpack/security/profile/ProfileDocument;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->primaryTerm:J", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->seqNo:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, VersionedDocument.class, Object.class), VersionedDocument.class, "doc;primaryTerm;seqNo", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->doc:Lorg/elasticsearch/xpack/security/profile/ProfileDocument;", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->primaryTerm:J", "FIELD:Lorg/elasticsearch/xpack/security/profile/ProfileService$VersionedDocument;->seqNo:J").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public ProfileDocument doc() {
            return this.doc;
        }

        public long primaryTerm() {
            return this.primaryTerm;
        }

        public long seqNo() {
            return this.seqNo;
        }

        static {
            $assertionsDisabled = !ProfileService.class.desiredAssertionStatus();
        }
    }

    public ProfileService(Settings settings, Clock clock, Client client, SecurityIndexManager securityIndexManager, ClusterService clusterService, Function<String, DomainConfig> function, ThreadPool threadPool) {
        this.settings = settings;
        this.clock = clock;
        this.client = client;
        this.profileIndex = securityIndexManager;
        this.clusterService = clusterService;
        this.domainConfigLookup = function;
        this.threadPool = threadPool;
    }

    public void getProfiles(List<String> list, Set<String> set, ActionListener<ResultsAndErrors<Profile>> actionListener) {
        getVersionedDocuments(list, actionListener.map(resultsAndErrors -> {
            return resultsAndErrors != null ? new ResultsAndErrors(resultsAndErrors.results().stream().map(versionedDocument -> {
                return versionedDocument.toProfile(set);
            }).toList(), resultsAndErrors.errors()) : new ResultsAndErrors(List.of(), (Map) list.stream().collect(Collectors.toUnmodifiableMap(Function.identity(), str -> {
                return new ElasticsearchException("profile index does not exist", new Object[0]);
            })));
        }));
    }

    public void getProfileSubjects(Collection<String> collection, ActionListener<ResultsAndErrors<Map.Entry<String, Subject>>> actionListener) {
        getVersionedDocuments(collection, actionListener.map(resultsAndErrors -> {
            return resultsAndErrors != null ? new ResultsAndErrors(resultsAndErrors.results().stream().map((v0) -> {
                return v0.doc();
            }).filter((v0) -> {
                return v0.enabled();
            }).map(profileDocument -> {
                return Map.entry(profileDocument.uid(), profileDocument.user().toSubject());
            }).toList(), resultsAndErrors.errors()) : new ResultsAndErrors(List.of(), Map.of());
        }));
    }

    public void activateProfile(Authentication authentication, ActionListener<Profile> actionListener) {
        Subject effectiveSubject = authentication.getEffectiveSubject();
        if (Subject.Type.USER != effectiveSubject.getType()) {
            actionListener.onFailure(new IllegalArgumentException("profile is supported for user only, but subject is a [" + effectiveSubject.getType().name().toLowerCase(Locale.ROOT) + "]"));
        } else {
            if (effectiveSubject.getUser() instanceof InternalUser) {
                actionListener.onFailure(new IllegalStateException("profile should not be created for internal user [" + effectiveSubject.getUser().principal() + "]"));
                return;
            }
            CheckedConsumer checkedConsumer = versionedDocument -> {
                if (versionedDocument != null) {
                    updateProfileForActivate(effectiveSubject, versionedDocument, actionListener);
                    return;
                }
                DomainConfig domainConfigForSubject = getDomainConfigForSubject(effectiveSubject);
                if (domainConfigForSubject == null || false == domainConfigForSubject.literalUsername()) {
                    if (!$assertionsDisabled && domainConfigForSubject != null && domainConfigForSubject.suffix() != null) {
                        throw new AssertionError();
                    }
                    createNewProfile(effectiveSubject, ProfileDocument.computeBaseUidForSubject(effectiveSubject) + "_0", actionListener);
                    return;
                }
                if (!$assertionsDisabled && domainConfigForSubject.suffix() == null) {
                    throw new AssertionError();
                }
                validateUsername(effectiveSubject);
                createNewProfile(effectiveSubject, "u_" + effectiveSubject.getUser().principal() + "_" + domainConfigForSubject.suffix(), actionListener);
            };
            Objects.requireNonNull(actionListener);
            searchVersionedDocumentForSubject(effectiveSubject, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    public void updateProfileData(UpdateProfileDataRequest updateProfileDataRequest, ActionListener<AcknowledgedResponse> actionListener) {
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            jsonBuilder.startObject();
            jsonBuilder.field("user_profile");
            jsonBuilder.startObject();
            if (false == updateProfileDataRequest.getLabels().isEmpty()) {
                jsonBuilder.field("labels", updateProfileDataRequest.getLabels());
            }
            if (false == updateProfileDataRequest.getData().isEmpty()) {
                jsonBuilder.field("application_data", updateProfileDataRequest.getData());
            }
            jsonBuilder.endObject();
            jsonBuilder.endObject();
            doUpdate(buildUpdateRequest(updateProfileDataRequest.getUid(), jsonBuilder, updateProfileDataRequest.getRefreshPolicy(), updateProfileDataRequest.getIfPrimaryTerm(), updateProfileDataRequest.getIfSeqNo()), actionListener.map(updateResponse -> {
                return AcknowledgedResponse.TRUE;
            }));
        } catch (IOException e) {
            actionListener.onFailure(e);
        }
    }

    public void suggestProfile(SuggestProfilesRequest suggestProfilesRequest, TaskId taskId, ActionListener<SuggestProfilesResponse> actionListener) {
        tryFreezeAndCheckIndex(actionListener.map(obj -> {
            if ($assertionsDisabled || obj == null) {
                return new SuggestProfilesResponse(new SuggestProfilesResponse.ProfileHit[0], 0L, new TotalHits(0L, TotalHits.Relation.EQUAL_TO));
            }
            throw new AssertionError("only null response can reach here");
        })).ifPresent(securityIndexManager -> {
            SearchRequest buildSearchRequestForSuggest = buildSearchRequestForSuggest(suggestProfilesRequest, taskId);
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                String actionOrigin = getActionOrigin();
                SearchAction searchAction = SearchAction.INSTANCE;
                CheckedConsumer checkedConsumer = searchResponse -> {
                    SuggestProfilesResponse.ProfileHit[] profileHitArr;
                    SearchHits hits = searchResponse.getHits();
                    SearchHit[] hits2 = hits.getHits();
                    if (hits2.length == 0) {
                        profileHitArr = new SuggestProfilesResponse.ProfileHit[0];
                    } else {
                        profileHitArr = new SuggestProfilesResponse.ProfileHit[hits2.length];
                        for (int i = 0; i < hits2.length; i++) {
                            SearchHit searchHit = hits2[i];
                            profileHitArr[i] = new SuggestProfilesResponse.ProfileHit(new VersionedDocument(buildProfileDocument(searchHit.getSourceRef()), searchHit.getPrimaryTerm(), searchHit.getSeqNo()).toProfile(suggestProfilesRequest.getDataKeys()), searchHit.getScore());
                        }
                    }
                    actionListener.onResponse(new SuggestProfilesResponse(profileHitArr, searchResponse.getTook().millis(), hits.getTotalHits()));
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, actionOrigin, searchAction, buildSearchRequestForSuggest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        });
    }

    public void setEnabled(String str, boolean z, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<AcknowledgedResponse> actionListener) {
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            jsonBuilder.startObject().field("user_profile", Map.of("enabled", Boolean.valueOf(z))).endObject();
            doUpdate(buildUpdateRequest(str, jsonBuilder, refreshPolicy), actionListener.map(updateResponse -> {
                return AcknowledgedResponse.TRUE;
            }));
        } catch (IOException e) {
            actionListener.onFailure(e);
        }
    }

    public void searchProfilesForSubjects(List<Subject> list, ActionListener<SubjectSearchResultsAndErrors<Profile>> actionListener) {
        CheckedConsumer checkedConsumer = subjectSearchResultsAndErrors -> {
            if (subjectSearchResultsAndErrors == null) {
                actionListener.onResponse((Object) null);
            } else {
                actionListener.onResponse(new SubjectSearchResultsAndErrors(subjectSearchResultsAndErrors.results().stream().map(tuple -> {
                    return tuple.v2() != null ? new Tuple((Subject) tuple.v1(), ((VersionedDocument) tuple.v2()).toProfile(Set.of())) : new Tuple((Subject) tuple.v1(), (Profile) null);
                }).toList(), subjectSearchResultsAndErrors.errors()));
            }
        };
        Objects.requireNonNull(actionListener);
        searchVersionedDocumentsForSubjects(list, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        tryFreezeAndCheckIndex(actionListener.map(obj -> {
            if ($assertionsDisabled || obj == null) {
                return Map.of("total", 0L, "enabled", 0L, "recent", 0L);
            }
            throw new AssertionError("only null response can reach here");
        })).ifPresent(securityIndexManager -> {
            MultiSearchRequest request = this.client.prepareMultiSearch().add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_PROFILE_ALIAS}).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.existsQuery("user_profile.uid"))).setSize(0).setTrackTotalHits(true).request()).add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_PROFILE_ALIAS}).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("user_profile.enabled", true))).setSize(0).setTrackTotalHits(true).request()).add(this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_PROFILE_ALIAS}).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("user_profile.enabled", true)).filter(QueryBuilders.rangeQuery("user_profile.last_synchronized").gt(Long.valueOf(Instant.now().minus(30L, (TemporalUnit) ChronoUnit.DAYS).toEpochMilli())))).setSize(0).setTrackTotalHits(true).request()).request();
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                String actionOrigin = getActionOrigin();
                MultiSearchAction multiSearchAction = MultiSearchAction.INSTANCE;
                CheckedConsumer checkedConsumer = multiSearchResponse -> {
                    MultiSearchResponse.Item[] responses = multiSearchResponse.getResponses();
                    if (!$assertionsDisabled && responses.length != 3) {
                        throw new AssertionError();
                    }
                    HashMap hashMap = new HashMap();
                    if (responses[0].isFailure()) {
                        logger.debug("error on counting total profiles", responses[0].getFailure());
                        hashMap.put("total", 0L);
                    } else {
                        hashMap.put("total", Long.valueOf(responses[0].getResponse().getHits().getTotalHits().value));
                    }
                    if (responses[1].isFailure()) {
                        logger.debug("error on counting enabled profiles", responses[0].getFailure());
                        hashMap.put("enabled", 0L);
                    } else {
                        hashMap.put("enabled", Long.valueOf(responses[1].getResponse().getHits().getTotalHits().value));
                    }
                    if (responses[2].isFailure()) {
                        logger.debug("error on counting recent profiles", responses[0].getFailure());
                        hashMap.put("recent", 0L);
                    } else {
                        hashMap.put("recent", Long.valueOf(responses[2].getResponse().getHits().getTotalHits().value));
                    }
                    actionListener.onResponse(hashMap);
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, actionOrigin, multiSearchAction, request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        });
    }

    SearchRequest buildSearchRequestForSuggest(SuggestProfilesRequest suggestProfilesRequest, TaskId taskId) {
        BoolQueryBuilder filter = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("user_profile.enabled", true));
        if (Strings.hasText(suggestProfilesRequest.getName())) {
            filter.must(QueryBuilders.multiMatchQuery(suggestProfilesRequest.getName(), new String[]{"user_profile.user.username", "user_profile.user.username._2gram", "user_profile.user.username._3gram", "user_profile.user.full_name", "user_profile.user.full_name._2gram", "user_profile.user.full_name._3gram", "user_profile.user.email"}).type(MultiMatchQueryBuilder.Type.BOOL_PREFIX).fuzziness(Fuzziness.AUTO));
        }
        SuggestProfilesRequest.Hint hint = suggestProfilesRequest.getHint();
        if (hint != null) {
            List uids = hint.getUids();
            if (uids != null) {
                if (!$assertionsDisabled && false != uids.isEmpty()) {
                    throw new AssertionError("uids hint cannot be empty");
                }
                filter.should(QueryBuilders.termsQuery("user_profile.uid", uids));
            }
            Tuple singleLabel = hint.getSingleLabel();
            if (singleLabel != null) {
                filter.should(QueryBuilders.termsQuery("user_profile.labels." + ((String) singleLabel.v1()), (List) singleLabel.v2()));
            }
            filter.minimumShouldMatch(0);
        }
        SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_PROFILE_ALIAS}).setQuery(filter).setSize(suggestProfilesRequest.getSize()).addSort("_score", SortOrder.DESC).addSort("user_profile.last_synchronized", SortOrder.DESC).request();
        request.setParentTask(taskId);
        return request;
    }

    private void getVersionedDocument(String str, ActionListener<VersionedDocument> actionListener) {
        tryFreezeAndCheckIndex(actionListener).ifPresent(securityIndexManager -> {
            GetRequest getRequest = new GetRequest(SecuritySystemIndices.SECURITY_PROFILE_ALIAS, uidToDocId(str));
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                String actionOrigin = getActionOrigin();
                GetAction getAction = GetAction.INSTANCE;
                CheckedConsumer checkedConsumer = getResponse -> {
                    if (false != getResponse.isExists()) {
                        actionListener.onResponse(new VersionedDocument(buildProfileDocument(getResponse.getSourceAsBytesRef()), getResponse.getPrimaryTerm(), getResponse.getSeqNo()));
                    } else {
                        logger.debug("profile with uid [{}] does not exist", str);
                        actionListener.onResponse((Object) null);
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, actionOrigin, getAction, getRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        });
    }

    private void getVersionedDocuments(Collection<String> collection, ActionListener<ResultsAndErrors<VersionedDocument>> actionListener) {
        if (collection.isEmpty()) {
            actionListener.onResponse(ResultsAndErrors.empty());
        } else {
            tryFreezeAndCheckIndex(actionListener).ifPresent(securityIndexManager -> {
                Objects.requireNonNull(actionListener);
                securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                    MultiGetRequestBuilder addIds = new OriginSettingClient(this.client, getActionOrigin()).prepareMultiGet().addIds(securityIndexManager.aliasName(), (String[]) collection.stream().map(ProfileService::uidToDocId).toArray(i -> {
                        return new String[i];
                    }));
                    CheckedConsumer checkedConsumer = multiGetResponse -> {
                        ArrayList arrayList = new ArrayList(multiGetResponse.getResponses().length);
                        TreeMap treeMap = new TreeMap();
                        for (MultiGetItemResponse multiGetItemResponse : multiGetResponse.getResponses()) {
                            String docIdToUid = docIdToUid(multiGetItemResponse.getId());
                            if (multiGetItemResponse.isFailed()) {
                                logger.debug("Failed to retrieve profile [{}]", docIdToUid);
                                treeMap.put(docIdToUid, multiGetItemResponse.getFailure().getFailure());
                            } else if (multiGetItemResponse.getResponse() == null) {
                                if (!$assertionsDisabled) {
                                    throw new AssertionError("Inconsistent mget item response [" + multiGetItemResponse.getIndex() + "] [" + multiGetItemResponse.getId() + "]");
                                }
                                logger.error("Inconsistent mget item response [{}] [{}]", multiGetItemResponse.getIndex(), multiGetItemResponse.getId());
                            } else if (multiGetItemResponse.getResponse().isExists()) {
                                arrayList.add(new VersionedDocument(buildProfileDocument(multiGetItemResponse.getResponse().getSourceAsBytesRef()), multiGetItemResponse.getResponse().getPrimaryTerm(), multiGetItemResponse.getResponse().getSeqNo()));
                            } else {
                                logger.debug("Profile [{}] not found", docIdToUid);
                                treeMap.put(docIdToUid, new ResourceNotFoundException("profile document not found", new Object[0]));
                            }
                        }
                        actionListener.onResponse(new ResultsAndErrors(arrayList, treeMap));
                    };
                    Objects.requireNonNull(actionListener);
                    addIds.execute(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                });
            });
        }
    }

    void searchVersionedDocumentForSubject(Subject subject, ActionListener<VersionedDocument> actionListener) {
        List<Subject> of = List.of(subject);
        CheckedConsumer checkedConsumer = subjectSearchResultsAndErrors -> {
            if (subjectSearchResultsAndErrors == null) {
                actionListener.onResponse((Object) null);
                return;
            }
            if (!$assertionsDisabled && subjectSearchResultsAndErrors.results().size() + subjectSearchResultsAndErrors.errors().size() != 1) {
                throw new AssertionError("a single subject must have either a single result or error");
            }
            if (subjectSearchResultsAndErrors.results().size() == 1) {
                actionListener.onResponse((VersionedDocument) ((Tuple) subjectSearchResultsAndErrors.results().iterator().next()).v2());
                return;
            }
            if (subjectSearchResultsAndErrors.errors().size() == 1) {
                Exception next = subjectSearchResultsAndErrors.errors().values().iterator().next();
                logger.error(next.getMessage());
                actionListener.onFailure(next);
            } else {
                if (!$assertionsDisabled) {
                    throw new AssertionError("a single subject must have either a single result or error");
                }
                actionListener.onFailure(new ElasticsearchException("a single subject must have either a single result or error", new Object[0]));
            }
        };
        Objects.requireNonNull(actionListener);
        searchVersionedDocumentsForSubjects(of, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void searchVersionedDocumentsForSubjects(List<Subject> list, ActionListener<SubjectSearchResultsAndErrors<VersionedDocument>> actionListener) {
        if (list.isEmpty()) {
            actionListener.onResponse(new SubjectSearchResultsAndErrors(List.of(), Map.of()));
        } else {
            tryFreezeAndCheckIndex(actionListener).ifPresent(securityIndexManager -> {
                Objects.requireNonNull(actionListener);
                securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                    MultiSearchRequest multiSearchRequest = new MultiSearchRequest();
                    list.forEach(subject -> {
                        multiSearchRequest.add(buildSearchRequestForSubject(subject));
                    });
                    Client client = this.client;
                    String actionOrigin = getActionOrigin();
                    MultiSearchAction multiSearchAction = MultiSearchAction.INSTANCE;
                    CheckedConsumer checkedConsumer = multiSearchResponse -> {
                        actionListener.onResponse(convertSubjectMultiSearchResponse(multiSearchResponse, list));
                    };
                    Objects.requireNonNull(actionListener);
                    ClientHelper.executeAsyncWithOrigin(client, actionOrigin, multiSearchAction, multiSearchRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                });
            });
        }
    }

    private static SubjectSearchResultsAndErrors<VersionedDocument> convertSubjectMultiSearchResponse(MultiSearchResponse multiSearchResponse, List<Subject> list) throws IOException {
        MultiSearchResponse.Item[] responses = multiSearchResponse.getResponses();
        if (!$assertionsDisabled && responses.length != list.size()) {
            throw new AssertionError("size of responses does not match size of subjects");
        }
        ArrayList arrayList = new ArrayList(responses.length);
        HashMap hashMap = new HashMap();
        for (int i = 0; i < responses.length; i++) {
            MultiSearchResponse.Item item = responses[i];
            Subject subject = list.get(i);
            if (item.isFailure()) {
                hashMap.put(subject, item.getFailure());
            } else {
                SearchHit[] hits = item.getResponse().getHits().getHits();
                if (hits.length < 1) {
                    logger.debug("profile does not exist for username [{}] and realm name [{}]", subject.getUser().principal(), subject.getRealm().getName());
                    arrayList.add(new Tuple(subject, (Object) null));
                } else if (hits.length == 1) {
                    SearchHit searchHit = hits[0];
                    ProfileDocument buildProfileDocument = buildProfileDocument(searchHit.getSourceRef());
                    if (subject.canAccessResourcesOf(buildProfileDocument.user().toSubject())) {
                        arrayList.add(new Tuple(subject, new VersionedDocument(buildProfileDocument, searchHit.getPrimaryTerm(), searchHit.getSeqNo())));
                    } else {
                        if (!$assertionsDisabled) {
                            throw new AssertionError("this should not happen");
                        }
                        hashMap.put(subject, new ElasticsearchException(org.elasticsearch.core.Strings.format("profile [%s] matches search criteria but is not accessible to the current subject with username [%s] and realm name [%s]", new Object[]{buildProfileDocument.uid(), subject.getUser().principal(), subject.getRealm().getName()}), new Object[0]));
                    }
                } else {
                    Object[] objArr = new Object[5];
                    objArr[0] = Integer.valueOf(hits.length);
                    objArr[1] = Arrays.stream(hits).map((v0) -> {
                        return v0.getId();
                    }).map(ProfileService::docIdToUid).sorted().collect(Collectors.joining(","));
                    objArr[2] = subject.getUser().principal();
                    objArr[3] = subject.getRealm().getName();
                    objArr[4] = subject.getRealm().getDomain() == null ? "" : " under domain [" + subject.getRealm().getDomain().name() + "]";
                    hashMap.put(subject, new ElasticsearchException(org.elasticsearch.core.Strings.format("multiple [%s] profiles [%s] found for user [%s] from realm [%s]%s", objArr), new Object[0]));
                }
            }
        }
        return new SubjectSearchResultsAndErrors<>(arrayList, hashMap);
    }

    private SearchRequest buildSearchRequestForSubject(Subject subject) {
        BoolQueryBuilder filter = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("user_profile.user.username.keyword", subject.getUser().principal()));
        if (subject.getRealm().getDomain() == null) {
            filter.filter(QueryBuilders.termQuery("user_profile.user.realm.type", subject.getRealm().getType()));
            if (false == Authentication.isFileOrNativeRealm(subject.getRealm().getType())) {
                filter.filter(QueryBuilders.termQuery("user_profile.user.realm.name", subject.getRealm().getName()));
            }
        } else {
            logger.debug(() -> {
                return org.elasticsearch.core.Strings.format("searching existing profile document for user [%s] from any of the realms [%s] under domain [%s]", new Object[]{subject.getUser().principal(), Strings.collectionToCommaDelimitedString(subject.getRealm().getDomain().realms()), subject.getRealm().getDomain().name()});
            });
            subject.getRealm().getDomain().realms().forEach(realmIdentifier -> {
                BoolQueryBuilder filter2 = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("user_profile.user.realm.type", realmIdentifier.getType()));
                if (false == Authentication.isFileOrNativeRealm(realmIdentifier.getType())) {
                    filter2.filter(QueryBuilders.termQuery("user_profile.user.realm.name", realmIdentifier.getName()));
                }
                filter.should(filter2);
            });
            filter.minimumShouldMatch(1);
        }
        return this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_PROFILE_ALIAS}).setQuery(filter).seqNoAndPrimaryTerm(true).request();
    }

    private void validateUsername(Subject subject) {
        RealmDomain domain = subject.getRealm().getDomain();
        if (!$assertionsDisabled && domain == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && this.domainConfigLookup.apply(domain.name()) == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && !this.domainConfigLookup.apply(domain.name()).literalUsername()) {
            throw new AssertionError();
        }
        String principal = subject.getUser().principal();
        if (!$assertionsDisabled && principal == null) {
            throw new AssertionError();
        }
        if (false == VALID_LITERAL_USERNAME.matcher(principal).matches()) {
            throw new ElasticsearchException(String.format(Locale.ROOT, INVALID_USERNAME_MESSAGE, domain.name()), new Object[0]);
        }
    }

    void createNewProfile(Subject subject, String str, ActionListener<Profile> actionListener) throws IOException {
        ProfileDocument fromSubjectWithUid = ProfileDocument.fromSubjectWithUid(subject, str);
        String uidToDocId = uidToDocId(fromSubjectWithUid.uid());
        BulkRequest singleItemBulkRequest = TransportSingleItemBulkWriteAction.toSingleItemBulkRequest(this.client.prepareIndex(SecuritySystemIndices.SECURITY_PROFILE_ALIAS).setId(uidToDocId).setSource(wrapProfileDocument(fromSubjectWithUid)).setOpType(DocWriteRequest.OpType.CREATE).setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL).request());
        SecurityIndexManager securityIndexManager = this.profileIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            ClientHelper.executeAsyncWithOrigin(this.client, getActionOrigin(), BulkAction.INSTANCE, singleItemBulkRequest, TransportBulkAction.unwrappingSingleItemBulkResponse(ActionListener.wrap(indexResponse -> {
                if (!$assertionsDisabled && !uidToDocId.equals(indexResponse.getId())) {
                    throw new AssertionError();
                }
                actionListener.onResponse(new VersionedDocument(fromSubjectWithUid, indexResponse.getPrimaryTerm(), indexResponse.getSeqNo()).toProfile(Set.of()));
            }, exc -> {
                if (ExceptionsHelper.unwrapCause(exc) instanceof VersionConflictEngineException) {
                    getOrCreateProfileWithBackoff(subject, fromSubjectWithUid, DEFAULT_BACKOFF.iterator(), actionListener);
                } else {
                    actionListener.onFailure(exc);
                }
            })));
        });
    }

    void getOrCreateProfileWithBackoff(Subject subject, ProfileDocument profileDocument, Iterator<TimeValue> it, ActionListener<Profile> actionListener) {
        String uid = profileDocument.uid();
        CheckedConsumer checkedConsumer = versionedDocument -> {
            if (versionedDocument != null) {
                if (!subject.canAccessResourcesOf(versionedDocument.doc.user().toSubject())) {
                    maybeIncrementDifferentiatorAndCreateNewProfile(subject, profileDocument, actionListener);
                    return;
                } else {
                    logger.debug("found existing profile document [{}] accessible to the current subject with username [{}] and realm name [{}]", versionedDocument.doc.uid(), subject.getUser().principal(), subject.getRealm().getName());
                    updateProfileForActivate(subject, versionedDocument, actionListener);
                    return;
                }
            }
            if (!it.hasNext()) {
                actionListener.onFailure(new ElasticsearchException("failed to retrieving profile [{}] after all retries", new Object[]{profileDocument.uid()}));
                return;
            }
            TimeValue timeValue = (TimeValue) it.next();
            logger.debug("retrying get profile document [{}] after [{}] backoff", profileDocument.uid(), timeValue);
            this.client.threadPool().schedule(() -> {
                getOrCreateProfileWithBackoff(subject, profileDocument, it, actionListener);
            }, timeValue, this.client.threadPool().generic());
        };
        Objects.requireNonNull(actionListener);
        getVersionedDocument(uid, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    void maybeIncrementDifferentiatorAndCreateNewProfile(Subject subject, ProfileDocument profileDocument, ActionListener<Profile> actionListener) throws IOException {
        String uid = profileDocument.uid();
        int lastIndexOf = uid.lastIndexOf("_");
        if (lastIndexOf == -1) {
            actionListener.onFailure(new ElasticsearchException("profile uid [{}] does not contain any underscore character", new Object[]{uid}));
            return;
        }
        String substring = uid.substring(0, lastIndexOf);
        String substring2 = uid.substring(lastIndexOf + 1);
        if (substring2.isBlank()) {
            actionListener.onFailure(new ElasticsearchException("profile uid [{}] does not contain a differentiator", new Object[]{uid}));
            return;
        }
        DomainConfig domainConfigForSubject = getDomainConfigForSubject(subject);
        if (domainConfigForSubject != null && domainConfigForSubject.suffix() != null) {
            if (!$assertionsDisabled && !substring2.equals(domainConfigForSubject.suffix())) {
                throw new AssertionError();
            }
            actionListener.onFailure(new ElasticsearchException("cannot create new profile for [" + subject.getUser().principal() + "]. A profile with uid [" + profileDocument.uid() + "] already exists and suffix setting of domain [" + domainConfigForSubject.name() + "] does not support auto-increment.", new Object[0]));
            return;
        }
        try {
            int parseInt = Integer.parseInt(substring2);
            if (parseInt >= DIFFERENTIATOR_UPPER_LIMIT) {
                actionListener.onFailure(new ElasticsearchException("profile differentiator value is too high for base Uid [{}]", new Object[]{uid.substring(0, lastIndexOf)}));
            } else {
                createNewProfile(subject, substring + "_" + (parseInt + 1), actionListener);
            }
        } catch (NumberFormatException e) {
            actionListener.onFailure(new ElasticsearchException("profile uid [{}] differentiator is not a number", e, new Object[]{uid}));
        }
    }

    private DomainConfig getDomainConfigForSubject(Subject subject) {
        RealmDomain domain = subject.getRealm().getDomain();
        if (domain == null) {
            return null;
        }
        DomainConfig apply = this.domainConfigLookup.apply(domain.name());
        if (apply == null) {
            throw new ElasticsearchException("subject realm is under a domain [" + domain.name() + "], but no associated domain config is found", new Object[0]);
        }
        return apply;
    }

    void updateProfileForActivate(Subject subject, VersionedDocument versionedDocument, ActionListener<Profile> actionListener) throws IOException {
        ProfileDocument updateWithSubject = updateWithSubject(versionedDocument.doc, subject);
        if (!shouldSkipUpdateForActivate(versionedDocument.doc, updateWithSubject)) {
            doUpdate(buildUpdateRequest(updateWithSubject.uid(), wrapProfileDocumentWithoutApplicationData(updateWithSubject), WriteRequest.RefreshPolicy.WAIT_UNTIL), ActionListener.wrap(updateResponse -> {
                actionListener.onResponse(new VersionedDocument(updateWithSubject, updateResponse.getPrimaryTerm(), updateResponse.getSeqNo()).toProfile(Set.of()));
            }, exc -> {
                if (ExceptionsHelper.unwrapCause(exc) instanceof VersionConflictEngineException) {
                    getVersionedDocument(versionedDocument.doc.uid(), ActionListener.wrap(versionedDocument2 -> {
                        if (!shouldSkipUpdateForActivate(versionedDocument2.doc, updateWithSubject)) {
                            actionListener.onFailure(exc);
                        } else {
                            logger.debug("suppress version conflict for activate update because last_synchronized [{}] is within grace period", Long.valueOf(versionedDocument2.doc.lastSynchronized()));
                            actionListener.onResponse(versionedDocument2.toProfile(Set.of()));
                        }
                    }, exc -> {
                        exc.addSuppressed(exc);
                        actionListener.onFailure(exc);
                    }));
                } else {
                    actionListener.onFailure(exc);
                }
            }));
        } else {
            logger.debug("skip user profile activate update because last_synchronized [{}] is within grace period", Long.valueOf(versionedDocument.doc.lastSynchronized()));
            actionListener.onResponse(versionedDocument.toProfile(Set.of()));
        }
    }

    boolean shouldSkipUpdateForActivate(ProfileDocument profileDocument, ProfileDocument profileDocument2) {
        if ($assertionsDisabled || profileDocument2.enabled()) {
            return profileDocument2.user().equals(profileDocument.user()) && profileDocument2.enabled() == profileDocument.enabled() && profileDocument2.lastSynchronized() - profileDocument.lastSynchronized() < ACTIVATE_INTERVAL_IN_MS;
        }
        throw new AssertionError("new profile document must be enabled");
    }

    private UpdateRequest buildUpdateRequest(String str, XContentBuilder xContentBuilder, WriteRequest.RefreshPolicy refreshPolicy) {
        return buildUpdateRequest(str, xContentBuilder, refreshPolicy, -1L, -1L);
    }

    private UpdateRequest buildUpdateRequest(String str, XContentBuilder xContentBuilder, WriteRequest.RefreshPolicy refreshPolicy, long j, long j2) {
        UpdateRequestBuilder refreshPolicy2 = this.client.prepareUpdate(SecuritySystemIndices.SECURITY_PROFILE_ALIAS, uidToDocId(str)).setDoc(xContentBuilder).setRefreshPolicy(refreshPolicy);
        if (j >= 0) {
            refreshPolicy2.setIfPrimaryTerm(j);
        }
        if (j2 >= 0) {
            refreshPolicy2.setIfSeqNo(j2);
        }
        return refreshPolicy2.request();
    }

    void doUpdate(UpdateRequest updateRequest, ActionListener<UpdateResponse> actionListener) {
        SecurityIndexManager securityIndexManager = this.profileIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
            Client client = this.client;
            String actionOrigin = getActionOrigin();
            UpdateAction updateAction = UpdateAction.INSTANCE;
            CheckedConsumer checkedConsumer = updateResponse -> {
                if (!$assertionsDisabled && updateResponse.getResult() != DocWriteResponse.Result.UPDATED && updateResponse.getResult() != DocWriteResponse.Result.NOOP) {
                    throw new AssertionError();
                }
                actionListener.onResponse(updateResponse);
            };
            Objects.requireNonNull(actionListener);
            ClientHelper.executeAsyncWithOrigin(client, actionOrigin, updateAction, updateRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        });
    }

    private String getActionOrigin() {
        return this.clusterService.state().nodes().getMinNodeVersion().onOrAfter(SecuritySystemIndices.VERSION_SECURITY_PROFILE_ORIGIN) ? "security_profile" : "security";
    }

    private static String uidToDocId(String str) {
        return "profile_" + str;
    }

    private static String docIdToUid(String str) {
        if (str == null || false == str.startsWith(DOC_ID_PREFIX)) {
            throw new IllegalStateException("profile document ID [" + str + "] has unexpected value");
        }
        return str.substring(DOC_ID_PREFIX.length());
    }

    static ProfileDocument buildProfileDocument(BytesReference bytesReference) throws IOException {
        if (bytesReference == null) {
            throw new IllegalStateException("profile document did not have source but source should have been fetched");
        }
        XContentParser createParser = XContentHelper.createParser(XContentParserConfiguration.EMPTY, bytesReference, XContentType.JSON);
        try {
            ProfileDocument fromXContent = ProfileDocument.fromXContent(createParser);
            if (createParser != null) {
                createParser.close();
            }
            return fromXContent;
        } catch (Throwable th) {
            if (createParser != null) {
                try {
                    createParser.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static XContentBuilder wrapProfileDocument(ProfileDocument profileDocument) throws IOException {
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject();
        jsonBuilder.field("user_profile", profileDocument);
        jsonBuilder.endObject();
        return jsonBuilder;
    }

    private static XContentBuilder wrapProfileDocumentWithoutApplicationData(ProfileDocument profileDocument) throws IOException {
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject();
        jsonBuilder.field("user_profile", profileDocument, new ToXContent.MapParams(Map.of("include_labels", Boolean.FALSE.toString(), "include_data", Boolean.FALSE.toString())));
        jsonBuilder.endObject();
        return jsonBuilder;
    }

    private <T> Optional<SecurityIndexManager> tryFreezeAndCheckIndex(ActionListener<T> actionListener) {
        SecurityIndexManager freeze = this.profileIndex.freeze();
        if (false == freeze.indexExists()) {
            logger.debug("profile index does not exist");
            actionListener.onResponse((Object) null);
            return Optional.empty();
        }
        if (false != freeze.isAvailable()) {
            return Optional.of(freeze);
        }
        actionListener.onFailure(freeze.getUnavailableReason());
        return Optional.empty();
    }

    private static ProfileDocument updateWithSubject(ProfileDocument profileDocument, Subject subject) {
        User user = subject.getUser();
        return new ProfileDocument(profileDocument.uid(), true, Instant.now().toEpochMilli(), new ProfileDocument.ProfileDocumentUser(user.principal(), Arrays.asList(user.roles()), subject.getRealm(), user.email(), user.fullName()), profileDocument.labels(), profileDocument.applicationData());
    }

    static {
        $assertionsDisabled = !ProfileService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(ProfileService.class);
        DEFAULT_BACKOFF = BackoffPolicy.exponentialBackoff();
        ACTIVATE_INTERVAL_IN_MS = TimeValue.timeValueSeconds(30L).millis();
        VALID_LITERAL_USERNAME = Pattern.compile("^[a-zA-Z0-9][a-zA-Z0-9-]{0,255}$");
    }
}
