package org.elasticsearch.xpack.security.authz;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.Operations;
import org.elasticsearch.ElasticsearchRoleRestrictionException;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.action.AliasesRequest;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.search.SearchScrollRequest;
import org.elasticsearch.action.search.TransportClosePointInTimeAction;
import org.elasticsearch.action.search.TransportSearchScrollAction;
import org.elasticsearch.cluster.metadata.IndexAbstraction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.regex.Regex;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.CachedSupplier;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.index.Index;
import org.elasticsearch.index.shard.ShardId;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.async.TransportDeleteAsyncResultAction;
import org.elasticsearch.xpack.core.security.action.apikey.GetApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.user.AuthenticateRequest;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesResponse;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.UserRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.ResolvedIndices;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteIndicesPermission;
import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivilegesMap;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.core.security.authz.permission.SimpleRole;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.NamedClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.core.security.support.StringMatcher;
import org.elasticsearch.xpack.security.action.user.TransportChangePasswordAction;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authz.LoadAuthorizedIndicesTimeChecker;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/RBACEngine.class */
public class RBACEngine implements AuthorizationEngine {
    private static final Predicate<String> SAME_USER_PRIVILEGE;
    private static final String INDEX_SUB_REQUEST_PRIMARY = "indices:data/write/index[p]";
    private static final String INDEX_SUB_REQUEST_REPLICA = "indices:data/write/index[r]";
    private static final String DELETE_SUB_REQUEST_PRIMARY = "indices:data/write/delete[p]";
    private static final String DELETE_SUB_REQUEST_REPLICA = "indices:data/write/delete[r]";
    private static final Logger logger;
    private final Settings settings;
    private final CompositeRolesStore rolesStore;
    private final FieldPermissionsCache fieldPermissionsCache;
    private final LoadAuthorizedIndicesTimeChecker.Factory authzIndicesTimerFactory;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/RBACEngine$AuthorizedIndices.class */
    public static final class AuthorizedIndices implements AuthorizationEngine.AuthorizedIndices {
        private final CachedSupplier<Set<String>> allAuthorizedAndAvailableSupplier;
        private final Predicate<String> isAuthorizedPredicate;

        AuthorizedIndices(Supplier<Set<String>> supplier, Predicate<String> predicate) {
            this.allAuthorizedAndAvailableSupplier = CachedSupplier.wrap(supplier);
            this.isAuthorizedPredicate = (Predicate) Objects.requireNonNull(predicate);
        }

        public Supplier<Set<String>> all() {
            return this.allAuthorizedAndAvailableSupplier;
        }

        public boolean check(String str) {
            return this.isAuthorizedPredicate.test(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/RBACEngine$RBACAuthorizationInfo.class */
    public static class RBACAuthorizationInfo implements AuthorizationEngine.AuthorizationInfo {
        private final Role role;
        private final Map<String, Object> info;
        private final RBACAuthorizationInfo authenticatedUserAuthorizationInfo;

        RBACAuthorizationInfo(Role role, Role role2) {
            this.role = (Role) Objects.requireNonNull(role);
            this.info = Collections.singletonMap(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME, role.names());
            this.authenticatedUserAuthorizationInfo = role2 == null ? this : new RBACAuthorizationInfo(role2, null);
        }

        Role getRole() {
            return this.role;
        }

        public Map<String, Object> asMap() {
            return this.info;
        }

        /* renamed from: getAuthenticatedUserAuthorizationInfo, reason: merged with bridge method [inline-methods] */
        public RBACAuthorizationInfo m146getAuthenticatedUserAuthorizationInfo() {
            return this.authenticatedUserAuthorizationInfo;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RBACAuthorizationInfo rBACAuthorizationInfo = (RBACAuthorizationInfo) obj;
            if (this.role.equals(rBACAuthorizationInfo.role)) {
                return this.authenticatedUserAuthorizationInfo == this ? rBACAuthorizationInfo.authenticatedUserAuthorizationInfo == rBACAuthorizationInfo : this.authenticatedUserAuthorizationInfo.equals(rBACAuthorizationInfo.authenticatedUserAuthorizationInfo);
            }
            return false;
        }

        public int hashCode() {
            return this.authenticatedUserAuthorizationInfo == this ? Objects.hashCode(this.role) : Objects.hash(this.role, this.authenticatedUserAuthorizationInfo);
        }
    }

    public RBACEngine(Settings settings, CompositeRolesStore compositeRolesStore, FieldPermissionsCache fieldPermissionsCache, LoadAuthorizedIndicesTimeChecker.Factory factory) {
        this.settings = settings;
        this.rolesStore = compositeRolesStore;
        this.fieldPermissionsCache = fieldPermissionsCache;
        this.authzIndicesTimerFactory = factory;
    }

    public void resolveAuthorizationInfo(AuthorizationEngine.RequestInfo requestInfo, ActionListener<AuthorizationEngine.AuthorizationInfo> actionListener) {
        this.rolesStore.getRoles(requestInfo.getAuthentication(), actionListener.delegateFailureAndWrap((actionListener2, tuple) -> {
            if (tuple.v1() == Role.EMPTY_RESTRICTED_BY_WORKFLOW || tuple.v2() == Role.EMPTY_RESTRICTED_BY_WORKFLOW) {
                actionListener2.onFailure(new ElasticsearchRoleRestrictionException("access restricted by workflow", new Object[0]));
            } else {
                actionListener2.onResponse(new RBACAuthorizationInfo((Role) tuple.v1(), (Role) tuple.v2()));
            }
        }));
    }

    public void resolveAuthorizationInfo(Subject subject, ActionListener<AuthorizationEngine.AuthorizationInfo> actionListener) {
        this.rolesStore.getRole(subject, actionListener.map(role -> {
            return new RBACAuthorizationInfo(role, role);
        }));
    }

    public void authorizeRunAs(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<AuthorizationEngine.AuthorizationResult> actionListener) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            actionListener.onResponse(new AuthorizationEngine.AuthorizationResult(((RBACAuthorizationInfo) authorizationInfo).m146getAuthenticatedUserAuthorizationInfo().getRole().checkRunAs(requestInfo.getAuthentication().getEffectiveSubject().getUser().principal())));
        } else {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
        }
    }

    public void authorizeClusterAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<AuthorizationEngine.AuthorizationResult> actionListener) {
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        Role role = ((RBACAuthorizationInfo) authorizationInfo).getRole();
        if (role.checkClusterAction(requestInfo.getAction(), requestInfo.getRequest(), requestInfo.getAuthentication())) {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
            return;
        }
        if (checkSameUserPermissions(requestInfo.getAction(), requestInfo.getRequest(), requestInfo.getAuthentication())) {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
        } else if ("cluster:monitor/async_search/status".equals(requestInfo.getAction()) && role.checkIndicesAction("indices:data/read/async_search/submit")) {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
        } else {
            actionListener.onResponse(AuthorizationEngine.AuthorizationResult.deny());
        }
    }

    static boolean checkSameUserPermissions(String str, TransportRequest transportRequest, Authentication authentication) {
        if (!SAME_USER_PRIVILEGE.test(str)) {
            return false;
        }
        if (transportRequest instanceof AuthenticateRequest) {
            return true;
        }
        if (!(transportRequest instanceof UserRequest)) {
            if (!(transportRequest instanceof GetApiKeyRequest)) {
                if ($assertionsDisabled) {
                    return false;
                }
                throw new AssertionError("right now only a user request or get api key request should be allowed");
            }
            GetApiKeyRequest getApiKeyRequest = (GetApiKeyRequest) transportRequest;
            if (authentication.isApiKey()) {
                return Strings.hasText(getApiKeyRequest.getApiKeyId()) && getApiKeyRequest.getApiKeyId().equals((String) authentication.getAuthenticatingSubject().getMetadata().get("_security_api_key_id")) && false == getApiKeyRequest.withLimitedBy();
            }
            return false;
        }
        String[] usernames = ((UserRequest) transportRequest).usernames();
        if (usernames == null || usernames.length != 1 || usernames[0] == null) {
            if ($assertionsDisabled) {
                return false;
            }
            throw new AssertionError("this role should only be used for actions to apply to a single user");
        }
        String str2 = usernames[0];
        if (authentication.isCrossClusterAccess() && "cluster:admin/xpack/security/user/has_privileges".equals(str)) {
            if ($assertionsDisabled || (transportRequest instanceof HasPrivilegesRequest)) {
                return Authentication.getAuthenticationFromCrossClusterAccessMetadata(authentication).getEffectiveSubject().getUser().principal().equals(str2);
            }
            throw new AssertionError();
        }
        boolean equals = authentication.getEffectiveSubject().getUser().principal().equals(str2);
        if (equals && TransportChangePasswordAction.TYPE.name().equals(str)) {
            return checkChangePasswordAction(authentication);
        }
        if ($assertionsDisabled || "cluster:admin/xpack/security/user/authenticate".equals(str) || "cluster:admin/xpack/security/user/has_privileges".equals(str) || "cluster:admin/xpack/security/user/list_privileges".equals(str) || !equals) {
            return equals;
        }
        throw new AssertionError("Action '" + str + "' should not be possible when sameUsername=" + equals);
    }

    private static boolean shouldAuthorizeIndexActionNameOnly(String str, TransportRequest transportRequest) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -2072666648:
                if (str.equals("indices:data/read/mtv")) {
                    z = 9;
                    break;
                }
                break;
            case -2072660985:
                if (str.equals("indices:data/read/sql")) {
                    z = 15;
                    break;
                }
                break;
            case -1921067251:
                if (str.equals("indices:data/write/delete")) {
                    z = 3;
                    break;
                }
                break;
            case -1581112528:
                if (str.equals("indices:data/write/index")) {
                    z = 2;
                    break;
                }
                break;
            case -1550249349:
                if (str.equals("indices:data/write/simulate/bulk")) {
                    z = true;
                    break;
                }
                break;
            case -1052794295:
                if (str.equals("indices:data/read/mpercolate")) {
                    z = 11;
                    break;
                }
                break;
            case -257043954:
                if (str.equals("indices:data/read/msearch")) {
                    z = 10;
                    break;
                }
                break;
            case -75164325:
                if (str.equals(DELETE_SUB_REQUEST_PRIMARY)) {
                    z = 6;
                    break;
                }
                break;
            case -75164263:
                if (str.equals(DELETE_SUB_REQUEST_REPLICA)) {
                    z = 7;
                    break;
                }
                break;
            case -16895400:
                if (str.equals(INDEX_SUB_REQUEST_PRIMARY)) {
                    z = 4;
                    break;
                }
                break;
            case -16895338:
                if (str.equals(INDEX_SUB_REQUEST_REPLICA)) {
                    z = 5;
                    break;
                }
                break;
            case 109955931:
                if (str.equals("indices:data/read/msearch/template")) {
                    z = 12;
                    break;
                }
                break;
            case 114089309:
                if (str.equals("indices:data/write/reindex")) {
                    z = 14;
                    break;
                }
                break;
            case 171604016:
                if (str.equals("indices:data/read/esql")) {
                    z = 17;
                    break;
                }
                break;
            case 171830448:
                if (str.equals("indices:data/read/mget")) {
                    z = 8;
                    break;
                }
                break;
            case 778194246:
                if (str.equals("indices:data/read/sql/translate")) {
                    z = 16;
                    break;
                }
                break;
            case 1544949080:
                if (str.equals("indices:data/read/esql/compute")) {
                    z = 18;
                    break;
                }
                break;
            case 1888457460:
                if (str.equals("indices:data/write/bulk")) {
                    z = false;
                    break;
                }
                break;
            case 1984171450:
                if (str.equals("indices:data/read/search/template")) {
                    z = 13;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
            case true:
            case true:
            case true:
            case true:
            case SecuritySystemIndices.INTERNAL_MAIN_INDEX_FORMAT /* 6 */:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
            case true:
                if (transportRequest instanceof BulkShardRequest) {
                    return false;
                }
                if (transportRequest instanceof CompositeIndicesRequest) {
                    return true;
                }
                throw new IllegalStateException("Composite and bulk actions must implement " + CompositeIndicesRequest.class.getSimpleName() + ", " + transportRequest.getClass().getSimpleName() + " doesn't. Action " + str);
            default:
                return false;
        }
    }

    public void authorizeIndexAction(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, AuthorizationEngine.AsyncSupplier<ResolvedIndices> asyncSupplier, Map<String, IndexAbstraction> map, ActionListener<AuthorizationEngine.IndexAuthorizationResult> actionListener) {
        String action = requestInfo.getAction();
        SearchScrollRequest request = requestInfo.getRequest();
        try {
            Role role = ensureRBAC(authorizationInfo).getRole();
            if (TransportActionProxy.isProxyAction(action) || shouldAuthorizeIndexActionNameOnly(action, request)) {
                actionListener.onResponse(role.checkIndicesAction(action) ? AuthorizationEngine.IndexAuthorizationResult.EMPTY : AuthorizationEngine.IndexAuthorizationResult.DENIED);
                return;
            }
            if (request instanceof IndicesRequest) {
                if (isChildActionAuthorizedByParentOnLocalNode(requestInfo, authorizationInfo)) {
                    actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(requestInfo.getOriginatingAuthorizationContext().getIndicesAccessControl()));
                    return;
                }
                if (PreAuthorizationUtils.shouldPreAuthorizeChildByParentAction(requestInfo, authorizationInfo)) {
                    actionListener.onResponse(new AuthorizationEngine.IndexAuthorizationResult(IndicesAccessControl.allowAll()));
                    return;
                } else if (allowsRemoteIndices(request) || role.checkIndicesAction(action)) {
                    asyncSupplier.getAsync(actionListener.delegateFailureAndWrap((actionListener2, resolvedIndices) -> {
                        if (!$assertionsDisabled && resolvedIndices.isEmpty()) {
                            throw new AssertionError("every indices request needs to have its indices set thus the resolved indices must not be empty");
                        }
                        if (resolvedIndices.isNoIndicesPlaceholder()) {
                            if (!allowsRemoteIndices(request) || role.checkIndicesAction(action)) {
                                actionListener2.onResponse(AuthorizationEngine.IndexAuthorizationResult.ALLOW_NO_INDICES);
                                return;
                            } else {
                                actionListener2.onResponse(AuthorizationEngine.IndexAuthorizationResult.DENIED);
                                return;
                            }
                        }
                        if (!$assertionsDisabled) {
                            if (!(resolvedIndices.getLocal().stream().noneMatch(Regex::isSimpleMatchPattern) || !((IndicesRequest) request).indicesOptions().expandWildcardExpressions() || ((request instanceof AliasesRequest) && !((AliasesRequest) request).expandAliasesWildcards()) || ((request instanceof IndicesAliasesRequest) && false == ((IndicesAliasesRequest) request).getAliasActions().stream().allMatch((v0) -> {
                                return v0.expandAliasesWildcards();
                            })))) {
                                throw new AssertionError("expanded wildcards for local indices OR the request should not expand wildcards at all");
                            }
                        }
                        AuthorizationEngine.IndexAuthorizationResult buildIndicesAccessControl = buildIndicesAccessControl(action, role, resolvedIndices, map);
                        if (requestInfo.getAuthentication().isCrossClusterAccess() && (request instanceof IndicesRequest.RemoteClusterShardRequest)) {
                            IndicesRequest.RemoteClusterShardRequest remoteClusterShardRequest = (IndicesRequest.RemoteClusterShardRequest) request;
                            if (remoteClusterShardRequest.shards() != null) {
                                for (ShardId shardId : remoteClusterShardRequest.shards()) {
                                    if (shardId != null && !shardIdAuthorized(remoteClusterShardRequest, shardId, buildIndicesAccessControl.getIndicesAccessControl())) {
                                        actionListener.onResponse(AuthorizationEngine.IndexAuthorizationResult.DENIED);
                                        return;
                                    }
                                }
                            }
                        }
                        actionListener2.onResponse(buildIndicesAccessControl);
                    }));
                    return;
                } else {
                    actionListener.onResponse(AuthorizationEngine.IndexAuthorizationResult.DENIED);
                    return;
                }
            }
            if (isScrollRelatedAction(action)) {
                if (!TransportSearchScrollAction.TYPE.name().equals(action)) {
                    actionListener.onResponse(AuthorizationEngine.IndexAuthorizationResult.EMPTY);
                    return;
                }
                ActionListener delegateFailureAndWrap = actionListener.delegateFailureAndWrap((actionListener3, parsedScrollId) -> {
                    if (parsedScrollId.hasLocalIndices()) {
                        actionListener3.onResponse(role.checkIndicesAction(action) ? AuthorizationEngine.IndexAuthorizationResult.EMPTY : AuthorizationEngine.IndexAuthorizationResult.DENIED);
                    } else {
                        actionListener3.onResponse(AuthorizationEngine.IndexAuthorizationResult.EMPTY);
                    }
                });
                SearchScrollRequest searchScrollRequest = request;
                Objects.requireNonNull(searchScrollRequest);
                ActionRunnable.supply(delegateFailureAndWrap, searchScrollRequest::parseScrollId).run();
                return;
            }
            if (isAsyncRelatedAction(action)) {
                if ("indices:data/read/async_search/submit".equals(action)) {
                    actionListener.onResponse(AuthorizationEngine.IndexAuthorizationResult.EMPTY);
                    return;
                } else {
                    actionListener.onResponse(AuthorizationEngine.IndexAuthorizationResult.ALLOW_NO_INDICES);
                    return;
                }
            }
            if (action.equals(TransportClosePointInTimeAction.TYPE.name())) {
                actionListener.onResponse(AuthorizationEngine.IndexAuthorizationResult.ALLOW_NO_INDICES);
            } else {
                if (!$assertionsDisabled) {
                    throw new AssertionError("only scroll and async-search related requests are known indices api that don't support retrieving the indices they relate to");
                }
                actionListener.onFailure(new IllegalStateException("only scroll and async-search related requests are known indices api that don't support retrieving the indices they relate to"));
            }
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    private static boolean shardIdAuthorized(IndicesRequest indicesRequest, ShardId shardId, IndicesAccessControl indicesAccessControl) {
        if (indicesAccessControl.getIndexPermissions(shardId.getIndexName()) != null) {
            return true;
        }
        logger.warn(Strings.format("bad request of type [%s], request's stated indices %s are authorized but specified internal shard ID %s is not authorized", new Object[]{indicesRequest.getClass().getCanonicalName(), indicesRequest.indices(), shardId}));
        return false;
    }

    private static boolean allowsRemoteIndices(TransportRequest transportRequest) {
        return transportRequest instanceof IndicesRequest.SingleIndexNoWildcards ? ((IndicesRequest.SingleIndexNoWildcards) transportRequest).allowsRemoteIndices() : (transportRequest instanceof IndicesRequest.Replaceable) && ((IndicesRequest.Replaceable) transportRequest).allowsRemoteIndices();
    }

    /* JADX WARN: Code restructure failed: missing block: B:16:0x003d, code lost:
    
        r0 = (org.elasticsearch.action.IndicesRequest) r6.getRequest();
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private static boolean isChildActionAuthorizedByParentOnLocalNode(org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestInfo r6, org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo r7) {
        /*
            Method dump skipped, instructions count: 278
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.elasticsearch.xpack.security.authz.RBACEngine.isChildActionAuthorizedByParentOnLocalNode(org.elasticsearch.xpack.core.security.authz.AuthorizationEngine$RequestInfo, org.elasticsearch.xpack.core.security.authz.AuthorizationEngine$AuthorizationInfo):boolean");
    }

    public void loadAuthorizedIndices(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, Map<String, IndexAbstraction> map, ActionListener<AuthorizationEngine.AuthorizedIndices> actionListener) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            actionListener.onResponse(resolveAuthorizedIndicesFromRole(((RBACAuthorizationInfo) authorizationInfo).getRole(), requestInfo, map, () -> {
                return this.authzIndicesTimerFactory.newTimer(requestInfo);
            }));
        } else {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
        }
    }

    public void validateIndexPermissionsAreSubset(AuthorizationEngine.RequestInfo requestInfo, AuthorizationEngine.AuthorizationInfo authorizationInfo, Map<String, List<String>> map, ActionListener<AuthorizationEngine.AuthorizationResult> actionListener) {
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        Role role = ((RBACAuthorizationInfo) authorizationInfo).getRole();
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            String key = entry.getKey();
            Objects.requireNonNull(role);
            Automaton automaton = (Automaton) hashMap.computeIfAbsent(key, role::allowedActionsMatcher);
            for (String str : entry.getValue()) {
                Objects.requireNonNull(role);
                if (!Operations.subsetOf((Automaton) hashMap.computeIfAbsent(str, role::allowedActionsMatcher), automaton)) {
                    actionListener.onResponse(AuthorizationEngine.AuthorizationResult.deny());
                    return;
                }
            }
        }
        actionListener.onResponse(AuthorizationEngine.AuthorizationResult.granted());
    }

    public void checkPrivileges(AuthorizationEngine.AuthorizationInfo authorizationInfo, AuthorizationEngine.PrivilegesToCheck privilegesToCheck, Collection<ApplicationPrivilegeDescriptor> collection, ActionListener<AuthorizationEngine.PrivilegesCheckResult> actionListener) {
        ActionListener<AuthorizationEngine.PrivilegesCheckResult> actionListener2;
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        SimpleRole role = ((RBACAuthorizationInfo) authorizationInfo).getRole();
        logger.trace(() -> {
            return org.elasticsearch.core.Strings.format("Check whether role [%s] has privileges [%s]", new Object[]{Strings.arrayToCommaDelimitedString(role.names()), privilegesToCheck});
        });
        if (role instanceof SimpleRole) {
            SimpleRole simpleRole = role;
            AuthorizationEngine.PrivilegesCheckResult checkPrivilegesWithCache = simpleRole.checkPrivilegesWithCache(privilegesToCheck);
            if (checkPrivilegesWithCache != null) {
                logger.debug(() -> {
                    return org.elasticsearch.core.Strings.format("role [%s] has privileges check result in cache for check: [%s]", new Object[]{Strings.arrayToCommaDelimitedString(role.names()), privilegesToCheck});
                });
                actionListener.onResponse(checkPrivilegesWithCache);
                return;
            }
            actionListener2 = actionListener.delegateFailure((actionListener3, privilegesCheckResult) -> {
                try {
                    simpleRole.cacheHasPrivileges(this.settings, privilegesToCheck, privilegesCheckResult);
                    actionListener3.onResponse(privilegesCheckResult);
                } catch (Exception e) {
                    logger.error("Failed to cache check result for [{}]", privilegesToCheck);
                    actionListener3.onFailure(e);
                }
            });
        } else {
            actionListener2 = actionListener;
        }
        boolean z = true;
        HashMap hashMap = new HashMap();
        for (String str : privilegesToCheck.cluster()) {
            boolean grants = role.grants(ClusterPrivilegeResolver.resolve(str));
            z = z && grants;
            if (privilegesToCheck.runDetailedCheck()) {
                hashMap.put(str, Boolean.valueOf(grants));
            } else if (false == z) {
                actionListener2.onResponse(AuthorizationEngine.PrivilegesCheckResult.SOME_CHECKS_FAILURE_NO_DETAILS);
                return;
            }
        }
        ResourcePrivilegesMap.Builder builder = privilegesToCheck.runDetailedCheck() ? ResourcePrivilegesMap.builder() : null;
        for (RoleDescriptor.IndicesPrivileges indicesPrivileges : privilegesToCheck.index()) {
            z = z && role.checkIndicesPrivileges(Sets.newHashSet(indicesPrivileges.getIndices()), indicesPrivileges.allowRestrictedIndices(), Sets.newHashSet(indicesPrivileges.getPrivileges()), builder);
            if (false == privilegesToCheck.runDetailedCheck() && false == z) {
                if (!$assertionsDisabled && builder != null) {
                    throw new AssertionError();
                }
                actionListener2.onResponse(AuthorizationEngine.PrivilegesCheckResult.SOME_CHECKS_FAILURE_NO_DETAILS);
                return;
            }
        }
        HashMap hashMap2 = new HashMap();
        for (String str2 : (Set) Arrays.stream(privilegesToCheck.application()).map((v0) -> {
            return v0.getApplication();
        }).collect(Collectors.toSet())) {
            logger.debug(() -> {
                return org.elasticsearch.core.Strings.format("Checking privileges for application [%s]", new Object[]{str2});
            });
            ResourcePrivilegesMap.Builder builder2 = privilegesToCheck.runDetailedCheck() ? ResourcePrivilegesMap.builder() : null;
            for (RoleDescriptor.ApplicationResourcePrivileges applicationResourcePrivileges : privilegesToCheck.application()) {
                if (str2.equals(applicationResourcePrivileges.getApplication())) {
                    z = z && role.checkApplicationResourcePrivileges(str2, Sets.newHashSet(applicationResourcePrivileges.getResources()), Sets.newHashSet(applicationResourcePrivileges.getPrivileges()), collection, builder2);
                    if (false == privilegesToCheck.runDetailedCheck() && false == z) {
                        actionListener2.onResponse(AuthorizationEngine.PrivilegesCheckResult.SOME_CHECKS_FAILURE_NO_DETAILS);
                        return;
                    }
                }
            }
            if (builder2 != null) {
                hashMap2.put(str2, builder2.build().getResourceToResourcePrivileges().values());
            }
        }
        if (privilegesToCheck.runDetailedCheck()) {
            if (!$assertionsDisabled && builder == null) {
                throw new AssertionError();
            }
            actionListener2.onResponse(new AuthorizationEngine.PrivilegesCheckResult(z, new AuthorizationEngine.PrivilegesCheckResult.Details(hashMap, builder.build().getResourceToResourcePrivileges(), hashMap2)));
            return;
        }
        if (!$assertionsDisabled && !z) {
            throw new AssertionError();
        }
        actionListener2.onResponse(AuthorizationEngine.PrivilegesCheckResult.ALL_CHECKS_SUCCESS_NO_DETAILS);
    }

    public void getUserPrivileges(AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<GetUserPrivilegesResponse> actionListener) {
        if (!(authorizationInfo instanceof RBACAuthorizationInfo)) {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName()));
            return;
        }
        try {
            actionListener.onResponse(buildUserPrivilegesResponseObject(((RBACAuthorizationInfo) authorizationInfo).getRole()));
        } catch (UnsupportedOperationException e) {
            actionListener.onFailure(new IllegalArgumentException("Cannot retrieve privileges for API keys with assigned role descriptors. Please use the Get API key information API https://ela.st/es-api-get-api-key", e));
        }
    }

    public void getRoleDescriptorsIntersectionForRemoteCluster(String str, TransportVersion transportVersion, AuthorizationEngine.AuthorizationInfo authorizationInfo, ActionListener<RoleDescriptorsIntersection> actionListener) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            actionListener.onResponse(((RBACAuthorizationInfo) authorizationInfo).getRole().getRoleDescriptorsIntersectionForRemoteCluster(str, transportVersion));
        } else {
            actionListener.onFailure(new IllegalArgumentException("unsupported authorization info: " + authorizationInfo.getClass().getSimpleName()));
        }
    }

    static GetUserPrivilegesResponse buildUserPrivilegesResponseObject(Role role) {
        logger.trace(() -> {
            return "List privileges for role [" + Strings.arrayToCommaDelimitedString(role.names()) + "]";
        });
        TreeSet treeSet = new TreeSet();
        HashSet hashSet = new HashSet();
        for (ConfigurableClusterPrivilege configurableClusterPrivilege : role.cluster().privileges()) {
            if (configurableClusterPrivilege instanceof NamedClusterPrivilege) {
                treeSet.add(((NamedClusterPrivilege) configurableClusterPrivilege).name());
            } else {
                if (!(configurableClusterPrivilege instanceof ConfigurableClusterPrivilege)) {
                    throw new IllegalArgumentException("found unsupported cluster privilege : " + configurableClusterPrivilege + (configurableClusterPrivilege != null ? " of type " + configurableClusterPrivilege.getClass().getSimpleName() : ""));
                }
                hashSet.add(configurableClusterPrivilege);
            }
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        for (IndicesPermission.Group group : role.indices().groups()) {
            linkedHashSet.add(toIndices(group));
        }
        LinkedHashSet linkedHashSet2 = new LinkedHashSet();
        for (RemoteIndicesPermission.RemoteIndicesGroup remoteIndicesGroup : role.remoteIndices().remoteIndicesGroups()) {
            Iterator it = remoteIndicesGroup.indicesPermissionGroups().iterator();
            while (it.hasNext()) {
                linkedHashSet2.add(new GetUserPrivilegesResponse.RemoteIndices(toIndices((IndicesPermission.Group) it.next()), remoteIndicesGroup.remoteClusterAliases()));
            }
        }
        LinkedHashSet linkedHashSet3 = new LinkedHashSet();
        for (String str : role.application().getApplicationNames()) {
            for (ApplicationPrivilege applicationPrivilege : role.application().getPrivileges(str)) {
                Set resourcePatterns = role.application().getResourcePatterns(applicationPrivilege);
                if (resourcePatterns.isEmpty()) {
                    logger.trace("No resources defined in application privilege {}", applicationPrivilege);
                } else {
                    linkedHashSet3.add(RoleDescriptor.ApplicationResourcePrivileges.builder().application(str).privileges(applicationPrivilege.name()).resources(resourcePatterns).build());
                }
            }
        }
        Privilege privilege = role.runAs().getPrivilege();
        return new GetUserPrivilegesResponse(treeSet, hashSet, linkedHashSet, linkedHashSet3, Operations.isEmpty(privilege.getAutomaton()) ? Collections.emptySet() : privilege.name(), linkedHashSet2, role.remoteCluster());
    }

    private static GetUserPrivilegesResponse.Indices toIndices(IndicesPermission.Group group) {
        return new GetUserPrivilegesResponse.Indices(Arrays.asList(group.indices()), group.privilege().name(), getFieldGrantExcludeGroups(group), group.getQuery() == null ? Collections.emptySet() : group.getQuery(), group.allowRestrictedIndices());
    }

    private static Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> getFieldGrantExcludeGroups(IndicesPermission.Group group) {
        if (!group.getFieldPermissions().hasFieldLevelSecurity()) {
            return Collections.emptySet();
        }
        List fieldPermissionsDefinitions = group.getFieldPermissions().getFieldPermissionsDefinitions();
        if ($assertionsDisabled || fieldPermissionsDefinitions.size() == 1) {
            return ((FieldPermissionsDefinition) fieldPermissionsDefinitions.get(0)).getFieldGrantExcludeGroups();
        }
        throw new AssertionError("limited-by field must not exist since we do not support reporting user privileges for limited roles");
    }

    static AuthorizedIndices resolveAuthorizedIndicesFromRole(Role role, AuthorizationEngine.RequestInfo requestInfo, Map<String, IndexAbstraction> map, Supplier<Consumer<Collection<String>>> supplier) {
        IndicesPermission.IsResourceAuthorizedPredicate allowedIndicesMatcher = role.allowedIndicesMatcher(requestInfo.getAction());
        IndicesRequest request = requestInfo.getRequest();
        boolean z = (request instanceof IndicesRequest) && request.includeDataStreams();
        return new AuthorizedIndices(() -> {
            Consumer consumer = (Consumer) supplier.get();
            HashSet hashSet = new HashSet();
            if (z) {
                for (IndexAbstraction indexAbstraction : map.values()) {
                    if (allowedIndicesMatcher.test(indexAbstraction)) {
                        hashSet.add(indexAbstraction.getName());
                        if (indexAbstraction.getType() == IndexAbstraction.Type.DATA_STREAM) {
                            Iterator it = indexAbstraction.getIndices().iterator();
                            while (it.hasNext()) {
                                hashSet.add(((Index) it.next()).getName());
                            }
                        }
                    }
                }
            } else {
                for (IndexAbstraction indexAbstraction2 : map.values()) {
                    if (indexAbstraction2.getType() != IndexAbstraction.Type.DATA_STREAM && allowedIndicesMatcher.test(indexAbstraction2)) {
                        hashSet.add(indexAbstraction2.getName());
                    }
                }
            }
            consumer.accept(hashSet);
            return hashSet;
        }, str -> {
            IndexAbstraction indexAbstraction = (IndexAbstraction) map.get(str);
            return indexAbstraction == null ? allowedIndicesMatcher.test(str, (IndexAbstraction) null) : (indexAbstraction.getParentDataStream() != null && allowedIndicesMatcher.test(indexAbstraction.getParentDataStream())) || allowedIndicesMatcher.test(indexAbstraction);
        });
    }

    private AuthorizationEngine.IndexAuthorizationResult buildIndicesAccessControl(String str, Role role, ResolvedIndices resolvedIndices, Map<String, IndexAbstraction> map) {
        return new AuthorizationEngine.IndexAuthorizationResult(role.authorize(str, Sets.newHashSet(resolvedIndices.getLocal()), map, this.fieldPermissionsCache));
    }

    private static RBACAuthorizationInfo ensureRBAC(AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            return (RBACAuthorizationInfo) authorizationInfo;
        }
        throw new IllegalArgumentException("unsupported authorization info:" + authorizationInfo.getClass().getSimpleName());
    }

    public static Role maybeGetRBACEngineRole(AuthorizationEngine.AuthorizationInfo authorizationInfo) {
        if (authorizationInfo instanceof RBACAuthorizationInfo) {
            return ((RBACAuthorizationInfo) authorizationInfo).getRole();
        }
        return null;
    }

    private static boolean checkChangePasswordAction(Authentication authentication) {
        String type = authentication.isRunAs() ? authentication.getEffectiveSubject().getRealm().getType() : authentication.getAuthenticatingSubject().getRealm().getType();
        if ($assertionsDisabled || type != null) {
            return authentication.getAuthenticationType().equals(Authentication.AuthenticationType.REALM) && ("reserved".equals(type) || "native".equals(type));
        }
        throw new AssertionError();
    }

    private static boolean isScrollRelatedAction(String str) {
        return str.equals(TransportSearchScrollAction.TYPE.name()) || str.equals("indices:data/read/search[phase/fetch/id/scroll]") || str.equals("indices:data/read/search[phase/query+fetch/scroll]") || str.equals("indices:data/read/search[phase/query/scroll]") || str.equals("indices:data/read/search[free_context/scroll]") || str.equals("indices:data/read/scroll/clear") || str.equals("indices:data/read/sql/close_cursor") || str.equals("indices:data/read/search[clear_scroll_contexts]");
    }

    private static boolean isAsyncRelatedAction(String str) {
        return str.equals("indices:data/read/async_search/submit") || str.equals("indices:data/read/async_search/get") || str.equals(TransportDeleteAsyncResultAction.TYPE.name()) || str.equals("indices:data/read/eql/async/get") || str.equals("indices:data/read/esql/async/get") || str.equals("indices:data/read/sql/async/get");
    }

    static {
        $assertionsDisabled = !RBACEngine.class.desiredAssertionStatus();
        SAME_USER_PRIVILEGE = StringMatcher.of(new String[]{TransportChangePasswordAction.TYPE.name(), "cluster:admin/xpack/security/user/authenticate", "cluster:admin/xpack/security/user/has_privileges", "cluster:admin/xpack/security/user/list_privileges", "cluster:admin/xpack/security/api_key/get"});
        logger = LogManager.getLogger(RBACEngine.class);
    }
}
