package org.elasticsearch.xpack.security.authc.support;

import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/ApiKeyUserRoleDescriptorResolver.class */
public class ApiKeyUserRoleDescriptorResolver {
    private final CompositeRolesStore rolesStore;
    private final NamedXContentRegistry xContentRegistry;
    static final /* synthetic */ boolean $assertionsDisabled;

    public ApiKeyUserRoleDescriptorResolver(CompositeRolesStore compositeRolesStore, NamedXContentRegistry namedXContentRegistry) {
        this.rolesStore = compositeRolesStore;
        this.xContentRegistry = namedXContentRegistry;
    }

    public void resolveUserRoleDescriptors(Authentication authentication, ActionListener<Set<RoleDescriptor>> actionListener) {
        CheckedConsumer checkedConsumer = set -> {
            Iterator it = set.iterator();
            while (it.hasNext()) {
                try {
                    DLSRoleQueryValidator.validateQueryField(((RoleDescriptor) it.next()).getIndicesPrivileges(), this.xContentRegistry);
                } catch (ElasticsearchException | IllegalArgumentException e) {
                    actionListener.onFailure(e);
                    return;
                }
            }
            actionListener.onResponse(set);
        };
        Objects.requireNonNull(actionListener);
        ActionListener wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
        Subject effectiveSubject = authentication.getEffectiveSubject();
        if (effectiveSubject.getType() == Subject.Type.API_KEY) {
            wrap.onResponse(Set.of());
            return;
        }
        CompositeRolesStore compositeRolesStore = this.rolesStore;
        CheckedConsumer checkedConsumer2 = collection -> {
            if (!$assertionsDisabled && collection.size() != 1) {
                throw new AssertionError();
            }
            wrap.onResponse((Set) collection.iterator().next());
        };
        Objects.requireNonNull(wrap);
        compositeRolesStore.getRoleDescriptorsList(effectiveSubject, ActionListener.wrap(checkedConsumer2, wrap::onFailure));
    }

    static {
        $assertionsDisabled = !ApiKeyUserRoleDescriptorResolver.class.desiredAssertionStatus();
    }
}
