package org.elasticsearch.xpack.security.action.apikey;

import java.util.Objects;
import java.util.Set;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.apikey.BaseUpdateApiKeyRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.authc.support.ApiKeyUserRoleDescriptorResolver;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/apikey/TransportBaseUpdateApiKeyAction.class */
public abstract class TransportBaseUpdateApiKeyAction<Request extends BaseUpdateApiKeyRequest, Response extends ActionResponse> extends HandledTransportAction<Request, Response> {
    private final SecurityContext securityContext;
    private final ApiKeyUserRoleDescriptorResolver resolver;

    /* JADX INFO: Access modifiers changed from: protected */
    public TransportBaseUpdateApiKeyAction(String str, TransportService transportService, ActionFilters actionFilters, Writeable.Reader<Request> reader, SecurityContext securityContext, CompositeRolesStore compositeRolesStore, NamedXContentRegistry namedXContentRegistry) {
        super(str, transportService, actionFilters, reader);
        this.securityContext = securityContext;
        this.resolver = new ApiKeyUserRoleDescriptorResolver(compositeRolesStore, namedXContentRegistry);
    }

    public final void doExecute(Task task, Request request, ActionListener<Response> actionListener) {
        Authentication authentication = this.securityContext.getAuthentication();
        if (authentication == null) {
            actionListener.onFailure(new IllegalStateException("authentication is required"));
            return;
        }
        if (authentication.isApiKey()) {
            actionListener.onFailure(new IllegalArgumentException("authentication via API key not supported: only the owner user can update an API key"));
            return;
        }
        ApiKeyUserRoleDescriptorResolver apiKeyUserRoleDescriptorResolver = this.resolver;
        CheckedConsumer checkedConsumer = set -> {
            doExecuteUpdate(task, request, authentication, set, actionListener);
        };
        Objects.requireNonNull(actionListener);
        apiKeyUserRoleDescriptorResolver.resolveUserRoleDescriptors(authentication, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    abstract void doExecuteUpdate(Task task, Request request, Authentication authentication, Set<RoleDescriptor> set, ActionListener<Response> actionListener);
}
