package org.elasticsearch.xpack.security.authz.store;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.GroupedActionListener;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetBitsetCache;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.authz.store.RoleKey;
import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
import org.elasticsearch.xpack.core.security.authz.store.RolesRetrievalResult;
import org.elasticsearch.xpack.core.security.support.CacheIteratorHelper;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
import org.elasticsearch.xpack.core.security.user.SecurityProfileUser;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
import org.elasticsearch.xpack.core.security.user.XPackUser;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
import org.elasticsearch.xpack.security.authz.store.RoleProviders;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.class */
public class CompositeRolesStore {
    // Size limit for the cache of role names that were looked up and not found.
    // The constructor only applies it as a maximum weight when the value is >= 0.
    static final Setting<Integer> NEGATIVE_LOOKUP_CACHE_SIZE_SETTING;
    // Size limit for the cache of fully built roles; applied the same way as above.
    private static final Setting<Integer> CACHE_SIZE_SETTING;
    private static final Logger logger;
    // Source of role descriptors; its change notifications drive cache invalidation.
    private final RoleProviders roleProviders;
    // Used to look up stored application privileges while building a role.
    private final NativePrivilegeStore privilegeStore;
    private final FieldPermissionsCache fieldPermissionsCache;
    // Built roles keyed by RoleKey. Updates go through roleCacheHelper's update lock.
    private final Cache<RoleKey, Role> roleCache;
    private final CacheIteratorHelper<RoleKey, Role> roleCacheHelper;
    // Names recorded as missing after a successful role build (value is always Boolean.TRUE).
    private final Cache<String, Boolean> negativeLookupCache;
    // Cleared whenever the whole role store is invalidated.
    private final DocumentSubsetBitsetCache dlsBitsetCache;
    // Built from node settings; passed to Subject#getRoleReferenceIntersection on every lookup.
    private final AnonymousUser anonymousUser;
    // Incremented on every invalidation. A role is only cached if this value did not
    // change between the start of its resolution and the moment it is stored.
    private final AtomicLong numInvalidation = new AtomicLong();
    private final RoleDescriptorStore roleReferenceResolver;
    // The roles below are built once in the constructor from fixed role descriptors
    // and are returned directly, without going through roleCache.
    private final Role superuserRole;
    private final Role xpackSecurityRole;
    private final Role securityProfileRole;
    private final Role xpackUserRole;
    private final Role asyncSearchUserRole;
    private final RestrictedIndices restrictedIndices;
    // Compiler-generated assertion flag surfaced by the decompiler; set in the static initializer.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore$MergeableIndicesPrivilege.class */
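    /**
     * Accumulator for index privileges that several role descriptors grant on the same set of
     * index names.
     *
     * <p>Merging is a union, so the result is at least as permissive as each input. Privilege
     * names and field grant/exclude groups are combined. The document-level query set is dropped
     * entirely as soon as one side has no query, because a grant without a query is not
     * restricted to a document subset.
     */
    public static class MergeableIndicesPrivilege {
        private final Set<String> indices;
        private final Set<String> privileges;
        private FieldPermissionsDefinition fieldPermissionsDefinition;
        // null means "no document-level restriction"; see merge().
        private Set<BytesReference> query = null;

        /**
         * @param strArr index names; must not be null
         * @param strArr2 privilege names; must not be null
         * @param strArr3 granted fields, may be null
         * @param strArr4 denied fields, may be null
         * @param bytesReference document-level query, or null when the grant has none
         */
        MergeableIndicesPrivilege(String[] strArr, String[] strArr2, @Nullable String[] strArr3, @Nullable String[] strArr4, @Nullable BytesReference bytesReference) {
            this.indices = Sets.newHashSet(Objects.requireNonNull(strArr));
            this.privileges = Sets.newHashSet(Objects.requireNonNull(strArr2));
            this.fieldPermissionsDefinition = new FieldPermissionsDefinition(strArr3, strArr4);
            if (bytesReference != null) {
                this.query = Sets.newHashSet(new BytesReference[]{bytesReference});
            }
        }

        /**
         * Folds {@code mergeableIndicesPrivilege} into this instance. Both must cover the same
         * index names (checked by assertion only).
         */
        void merge(MergeableIndicesPrivilege mergeableIndicesPrivilege) {
            assert this.indices.equals(mergeableIndicesPrivilege.indices) : "index names must be equivalent in order to merge";
            final Set<FieldPermissionsDefinition.FieldGrantExcludeGroup> groups = new HashSet<>();
            groups.addAll(this.fieldPermissionsDefinition.getFieldGrantExcludeGroups());
            groups.addAll(mergeableIndicesPrivilege.fieldPermissionsDefinition.getFieldGrantExcludeGroups());
            this.fieldPermissionsDefinition = new FieldPermissionsDefinition(groups);
            this.privileges.addAll(mergeableIndicesPrivilege.privileges);
            if (this.query == null || mergeableIndicesPrivilege.query == null) {
                // One side is unrestricted, so the union is unrestricted too.
                this.query = null;
            } else {
                this.query.addAll(mergeableIndicesPrivilege.query);
            }
        }

        /**
         * Adds every entry of {@code indicesPrivilegesArr} whose allow-restricted-indices flag
         * equals {@code z} to {@code map}, keyed by its set of index names. Entries that share a
         * key are merged.
         *
         * <p>Callers run this once per flag value with separate maps. This keeps a grant that
         * allows restricted indices from being merged with one that does not.
         *
         * <p>An array holding a single entry whose first privilege is "none" (case-insensitive)
         * contributes nothing.
         */
        private static void collatePrivilegesByIndices(RoleDescriptor.IndicesPrivileges[] indicesPrivilegesArr, boolean z, Map<Set<String>, MergeableIndicesPrivilege> map) {
            // NOTE(review): this reads getPrivileges()[0] without a length check; presumably
            // descriptors are validated to carry at least one privilege. Confirm upstream.
            if (indicesPrivilegesArr.length == 1 && "none".equalsIgnoreCase(indicesPrivilegesArr[0].getPrivileges()[0])) {
                return;
            }
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : indicesPrivilegesArr) {
                if (indicesPrivileges.allowRestrictedIndices() != z) {
                    continue;
                }
                map.compute(Sets.newHashSet(indicesPrivileges.getIndices()), (indexNames, existing) -> {
                    final MergeableIndicesPrivilege candidate = new MergeableIndicesPrivilege(indicesPrivileges.getIndices(), indicesPrivileges.getPrivileges(), indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields(), indicesPrivileges.getQuery());
                    if (existing == null) {
                        return candidate;
                    }
                    existing.merge(candidate);
                    return existing;
                });
            }
        }
    }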

    /**
     * Wires the store to its role providers, creates the role cache and the negative lookup
     * cache, and builds the fixed roles for the superuser and the internal users.
     *
     * @throws NullPointerException if the privilege store, the DLS bitset cache or the field
     *         permissions cache is null
     */
    public CompositeRolesStore(Settings settings, RoleProviders roleProviders, NativePrivilegeStore nativePrivilegeStore, ThreadContext threadContext, XPackLicenseState xPackLicenseState, FieldPermissionsCache fieldPermissionsCache, ApiKeyService apiKeyService, ServiceAccountService serviceAccountService, DocumentSubsetBitsetCache documentSubsetBitsetCache, RestrictedIndices restrictedIndices, Consumer<Collection<RoleDescriptor>> consumer) {
        this.roleProviders = roleProviders;
        // Provider changes must evict cached roles so that a modified or removed role
        // definition stops being served from the cache.
        // NOTE(review): the listener is registered before the caches below are assigned;
        // presumably no provider fires a change during construction. Confirm.
        roleProviders.addChangeListener(new RoleProviders.ChangeListener() {
            @Override
            public void rolesChanged(Set<String> changedRoleNames) {
                CompositeRolesStore.this.invalidate(changedRoleNames);
            }

            @Override
            public void providersChanged() {
                CompositeRolesStore.this.invalidateAll();
            }
        });
        this.privilegeStore = Objects.requireNonNull(nativePrivilegeStore);
        this.dlsBitsetCache = Objects.requireNonNull(documentSubsetBitsetCache);
        this.fieldPermissionsCache = Objects.requireNonNull(fieldPermissionsCache);

        // A negative configured size leaves the cache without a maximum weight.
        final CacheBuilder<RoleKey, Role> roleCacheBuilder = CacheBuilder.builder();
        final int roleCacheSize = CACHE_SIZE_SETTING.get(settings);
        if (roleCacheSize >= 0) {
            roleCacheBuilder.setMaximumWeight(roleCacheSize);
        }
        this.roleCache = roleCacheBuilder.build();
        this.roleCacheHelper = new CacheIteratorHelper<>(this.roleCache);

        final CacheBuilder<String, Boolean> negativeCacheBuilder = CacheBuilder.builder();
        final int negativeCacheSize = NEGATIVE_LOOKUP_CACHE_SIZE_SETTING.get(settings);
        if (negativeCacheSize >= 0) {
            negativeCacheBuilder.setMaximumWeight(negativeCacheSize);
        }
        this.negativeLookupCache = negativeCacheBuilder.build();

        this.restrictedIndices = restrictedIndices;
        // Fixed roles are built once here and handed out directly afterwards.
        this.superuserRole = Role.buildFromRoleDescriptor(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
        this.xpackSecurityRole = Role.buildFromRoleDescriptor(XPackSecurityUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
        this.securityProfileRole = Role.buildFromRoleDescriptor(SecurityProfileUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
        this.xpackUserRole = Role.buildFromRoleDescriptor(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
        this.asyncSearchUserRole = Role.buildFromRoleDescriptor(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
        this.roleReferenceResolver = new RoleDescriptorStore(roleProviders, apiKeyService, serviceAccountService, this.negativeLookupCache, xPackLicenseState, threadContext, consumer);
        this.anonymousUser = new AnonymousUser(settings);
    }

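    /**
     * Resolves the roles for an authentication and reports them as a tuple.
     *
     * <p>Without run-as, both tuple slots hold the effective subject's role. With run-as, the
     * first slot holds the effective subject's role and the second the authenticating subject's.
     *
     * <p>The decompiled listing named both lambda parameters {@code role}, which does not
     * compile and hides which role belongs in which slot. The order (effective, authenticating)
     * is reconstructed here, since it is the only reading in which the effective role resolved
     * by the outer call is used. NOTE(review): confirm against the upstream source, because
     * swapping the slots would make authorization checks evaluate the wrong identity.
     *
     * @param authentication the authentication whose subjects are resolved
     * @param actionListener receives the tuple, or the failure of either role lookup
     */
    public void getRoles(Authentication authentication, ActionListener<Tuple<Role, Role>> actionListener) {
        final Subject effectiveSubject = authentication.getEffectiveSubject();
        Objects.requireNonNull(actionListener);
        getRole(effectiveSubject, ActionListener.wrap(role -> {
            if (!authentication.isRunAs()) {
                actionListener.onResponse(new Tuple<>(role, role));
                return;
            }
            getRole(
                authentication.getAuthenticatingSubject(),
                ActionListener.wrap(
                    authenticatingRole -> actionListener.onResponse(new Tuple<>(role, authenticatingRole)),
                    actionListener::onFailure
                )
            );
        }, actionListener::onFailure));
    }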

    /**
     * Resolves the role of a single subject.
     *
     * <p>Internal users that have a fixed role get it immediately. Every other subject has its
     * role built from its role references, combined with those of the anonymous user as
     * {@code Subject#getRoleReferenceIntersection} decides.
     *
     * @throws IllegalArgumentException if the subject is the system user
     */
    public void getRole(Subject subject, ActionListener<Role> actionListener) {
        final Role internalRole = tryGetRoleForInternalUser(subject);
        if (internalRole != null) {
            actionListener.onResponse(internalRole);
            return;
        }
        // Decompiled form of an assert: an internal user must have been handled above.
        if (!$assertionsDisabled && User.isInternal(subject.getUser())) {
            throw new AssertionError("Internal user should not pass here");
        }
        subject.getRoleReferenceIntersection(this.anonymousUser).buildRole(this::buildRoleFromRoleReference, actionListener);
    }

    /**
     * Returns the fixed role of an internal user, or {@code null} when the subject's user is
     * not one of the internal users handled here.
     *
     * @throws IllegalArgumentException if the subject is the system user, whose roles must
     *         never be looked up
     */
    Role tryGetRoleForInternalUser(Subject subject) {
        final User user = subject.getUser();
        if (SystemUser.is(user)) {
            throw new IllegalArgumentException("the user [" + user.principal() + "] is the system user and we should never try to get its roles");
        }
        final Role internalRole;
        if (XPackUser.is(user)) {
            internalRole = this.xpackUserRole;
        } else if (XPackSecurityUser.is(user)) {
            internalRole = this.xpackSecurityRole;
        } else if (SecurityProfileUser.is(user)) {
            internalRole = this.securityProfileRole;
        } else if (AsyncSearchUser.is(user)) {
            internalRole = this.asyncSearchUserRole;
        } else {
            internalRole = null;
        }
        return internalRole;
    }

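    /**
     * Builds, or fetches from cache, the role that a role reference stands for.
     *
     * <p>The two sentinel keys and the two sentinel retrieval results map directly to the
     * prebuilt superuser role or to {@code Role.EMPTY} and bypass the cache.
     *
     * <p>Failure handling is deliberately asymmetric. When resolving or building fails and the
     * reference is a named reference that lists the superuser role, the failure is logged and
     * the prebuilt superuser role is returned instead of an error. Every other reference
     * propagates the failure. Reviewers should treat any change to
     * {@code includesSuperuserRole} as a change to who can obtain this fallback.
     *
     * <p>The decompiled listing forwarded the built role through an unresolved register
     * ({@code r6}). It is restored here as a method reference on {@code actionListener}.
     *
     * @param roleReference the reference to resolve
     * @param actionListener receives the role or the failure
     */
    public void buildRoleFromRoleReference(RoleReference roleReference, ActionListener<Role> actionListener) {
        final RoleKey roleKey = roleReference.id();
        // Sentinel keys are compared by identity.
        if (roleKey == RoleKey.ROLE_KEY_SUPERUSER) {
            actionListener.onResponse(this.superuserRole);
            return;
        }
        if (roleKey == RoleKey.ROLE_KEY_EMPTY) {
            actionListener.onResponse(Role.EMPTY);
            return;
        }
        final Role cachedRole = this.roleCache.get(roleKey);
        if (cachedRole != null) {
            actionListener.onResponse(cachedRole);
            return;
        }
        // Snapshot taken before resolution starts. The built role is cached only if no
        // invalidation happened in between, so descriptors made stale by an invalidation
        // are never stored.
        final long invalidationCounter = this.numInvalidation.get();
        final Consumer<Exception> failureHandler = exc -> {
            if (!includesSuperuserRole(roleReference)) {
                actionListener.onFailure(exc);
            } else {
                logger.warn(
                    () -> Strings.format(
                        "there was a failure resolving the roles [%s], falling back to the [%s] role instead",
                        roleReference.id(),
                        org.elasticsearch.common.Strings.arrayToCommaDelimitedString(this.superuserRole.names())
                    ),
                    exc
                );
                actionListener.onResponse(this.superuserRole);
            }
        };
        roleReference.resolve(this.roleReferenceResolver, ActionListener.wrap(rolesRetrievalResult -> {
            if (RolesRetrievalResult.EMPTY == rolesRetrievalResult) {
                actionListener.onResponse(Role.EMPTY);
                return;
            }
            if (RolesRetrievalResult.SUPERUSER == rolesRetrievalResult) {
                actionListener.onResponse(this.superuserRole);
                return;
            }
            buildThenMaybeCacheRole(
                roleKey,
                rolesRetrievalResult.getRoleDescriptors(),
                rolesRetrievalResult.getMissingRoles(),
                rolesRetrievalResult.isSuccess(),
                invalidationCounter,
                ActionListener.wrap(actionListener::onResponse, failureHandler)
            );
        }, failureHandler));
    }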

    /**
     * Reports whether a role reference is a named reference whose role names include the
     * reserved superuser role. Any other kind of reference yields {@code false}.
     */
    private static boolean includesSuperuserRole(RoleReference roleReference) {
        if (!(roleReference instanceof RoleReference.NamedRoleReference)) {
            return false;
        }
        final String superuserName = ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR.getName();
        for (String roleName : ((RoleReference.NamedRoleReference) roleReference).getRoleNames()) {
            if (Objects.equals(superuserName, roleName)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the resolver that this store passes to {@code RoleReference#resolve}. */
    RoleDescriptorStore getRoleReferenceResolver() {
        return roleReferenceResolver;
    }

    /** Returns the role built in the constructor from {@code XPackUser.ROLE_DESCRIPTOR}. */
    Role getXpackUserRole() {
        return xpackUserRole;
    }

    /** Returns the role built in the constructor from {@code AsyncSearchUser.ROLE_DESCRIPTOR}. */
    Role getAsyncSearchUserRole() {
        return asyncSearchUserRole;
    }

    /** Returns the role built in the constructor from {@code XPackSecurityUser.ROLE_DESCRIPTOR}. */
    Role getXpackSecurityRole() {
        return xpackSecurityRole;
    }

    /** Returns the role built in the constructor from {@code SecurityProfileUser.ROLE_DESCRIPTOR}. */
    Role getSecurityProfileRole() {
        return securityProfileRole;
    }

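    /**
     * Builds a role from its descriptors and, when allowed, stores it in the role cache.
     *
     * <p>The role is cached only when it is non-null, the retrieval was fully successful
     * ({@code z}) and no invalidation has happened since the caller took the counter snapshot
     * {@code j}. The counter check runs under the cache update lock, so a role built from
     * descriptors that an invalidation has since made stale is not stored.
     *
     * <p>The decompiled listing expanded the lock's try-with-resources and pulled the
     * negative-lookup loop into the same {@code try}. An exception from that loop would then
     * close the already released lock a second time. The lock scope is restored to cover only
     * the role cache update.
     *
     * @param roleKey cache key of the role
     * @param collection descriptors to build the role from
     * @param set role names that could not be found
     * @param z whether retrieval succeeded completely; a partial result is never cached
     * @param j value of the invalidation counter when resolution started
     * @param actionListener receives the built role or the failure
     */
    private void buildThenMaybeCacheRole(RoleKey roleKey, Collection<RoleDescriptor> collection, Set<String> set, boolean z, long j, ActionListener<Role> actionListener) {
        logger.trace("Building role from descriptors [{}] for names [{}] from source [{}]", collection, roleKey.getNames(), roleKey.getSource());
        Objects.requireNonNull(actionListener);
        buildRoleFromDescriptors(collection, this.fieldPermissionsCache, this.privilegeStore, this.restrictedIndices, ActionListener.wrap(role -> {
            if (role != null && z) {
                try (ReleasableLock ignored = this.roleCacheHelper.acquireUpdateLock()) {
                    if (j == this.numInvalidation.get()) {
                        this.roleCache.computeIfAbsent(roleKey, key -> role);
                    }
                }
                // NOTE(review): unlike the role cache above, these entries are written without
                // checking the invalidation counter. Confirm that a concurrent invalidate()
                // cannot be followed by a stale "missing" entry being re-added here.
                for (String missingRoleName : set) {
                    this.negativeLookupCache.computeIfAbsent(missingRoleName, name -> Boolean.TRUE);
                }
            }
            actionListener.onResponse(role);
        }, actionListener::onFailure));
    }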

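    /**
     * Collects the role descriptors behind a subject, one set per role reference.
     *
     * <p>An internal user with a fixed descriptor yields a single one-element set. Otherwise
     * every role reference is resolved, and the listener fails as soon as one resolution fails
     * or reports an unsuccessful result, so a partial descriptor list is never returned.
     *
     * <p>The decompiled listing used raw {@code List} and {@code GroupedActionListener} types,
     * which leaves the lambda parameters typed as {@code Object}. The generic types are
     * restored here.
     *
     * @throws IllegalArgumentException if the subject is the system user
     */
    public void getRoleDescriptorsList(Subject subject, ActionListener<Collection<Set<RoleDescriptor>>> actionListener) {
        tryGetRoleDescriptorForInternalUser(subject).ifPresentOrElse(
            roleDescriptor -> actionListener.onResponse(List.of(Set.of(roleDescriptor))),
            () -> {
                final List<RoleReference> roleReferences = subject.getRoleReferenceIntersection(this.anonymousUser).getRoleReferences();
                final GroupedActionListener<Set<RoleDescriptor>> groupedListener = new GroupedActionListener<>(roleReferences.size(), actionListener);
                roleReferences.forEach(roleReference -> roleReference.resolve(this.roleReferenceResolver, ActionListener.wrap(rolesRetrievalResult -> {
                    if (rolesRetrievalResult.isSuccess()) {
                        groupedListener.onResponse(rolesRetrievalResult.getRoleDescriptors());
                    } else {
                        groupedListener.onFailure(new ElasticsearchException("role retrieval had one or more failures"));
                    }
                }, groupedListener::onFailure)));
            }
        );
    }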

    /**
     * Returns the fixed role descriptor of an internal user, or an empty optional when the
     * subject's user is not one of the internal users handled here.
     *
     * @throws IllegalArgumentException if the subject is the system user, whose role
     *         descriptors must never be looked up
     */
    static Optional<RoleDescriptor> tryGetRoleDescriptorForInternalUser(Subject subject) {
        final User user = subject.getUser();
        if (SystemUser.is(user)) {
            throw new IllegalArgumentException("the user [" + user.principal() + "] is the system user and we should never try to get its role descriptors");
        }
        if (XPackUser.is(user)) {
            return Optional.of(XPackUser.ROLE_DESCRIPTOR);
        }
        if (XPackSecurityUser.is(user)) {
            return Optional.of(XPackSecurityUser.ROLE_DESCRIPTOR);
        }
        if (SecurityProfileUser.is(user)) {
            return Optional.of(SecurityProfileUser.ROLE_DESCRIPTOR);
        }
        if (AsyncSearchUser.is(user)) {
            return Optional.of(AsyncSearchUser.ROLE_DESCRIPTOR);
        }
        return Optional.empty();
    }

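    /**
     * Merges a collection of role descriptors into one {@link Role}.
     *
     * <p>All grants are additive. Cluster privileges, conditional cluster privileges and run-as
     * patterns are unioned across descriptors. Index privileges are grouped by their exact set
     * of index names and merged per group. Grants that allow restricted indices are collated
     * into a separate map from those that do not, so the allow-restricted flag of one grant is
     * never applied to another. Remote index privileges are grouped by their set of remote
     * clusters, and application privileges by application plus resource set.
     *
     * <p>An empty collection yields {@code Role.EMPTY}. When application privileges are present,
     * the stored privilege definitions are fetched from {@code nativePrivilegeStore} first and
     * the role is completed in that callback.
     *
     * <p>The decompiled listing used raw collection types throughout, which leaves the lambda
     * parameters typed as {@code Object}. The generic types are restored here.
     *
     * @param collection descriptors to merge
     * @param fieldPermissionsCache cache used to obtain field permissions for each grant
     * @param nativePrivilegeStore source of stored application privilege definitions
     * @param restrictedIndices passed to the role builder
     * @param actionListener receives the built role, or the failure of the privilege lookup
     */
    public static void buildRoleFromDescriptors(Collection<RoleDescriptor> collection, FieldPermissionsCache fieldPermissionsCache, NativePrivilegeStore nativePrivilegeStore, RestrictedIndices restrictedIndices, ActionListener<Role> actionListener) {
        if (collection.isEmpty()) {
            actionListener.onResponse(Role.EMPTY);
            return;
        }
        final Set<String> clusterPrivileges = new HashSet<>();
        final List<org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege> configurableClusterPrivileges = new ArrayList<>();
        final Set<String> runAsPatterns = new HashSet<>();
        final Map<Set<String>, MergeableIndicesPrivilege> indicesPrivilegesMap = new HashMap<>();
        final Map<Set<String>, MergeableIndicesPrivilege> restrictedIndicesPrivilegesMap = new HashMap<>();
        final Map<Set<String>, Set<RoleDescriptor.IndicesPrivileges>> remoteIndicesPrivilegesByCluster = new HashMap<>();
        // Keyed by (application, resources); the value is the set of privilege names.
        final Map<Tuple<String, Set<String>>, Set<String>> applicationPrivilegesMap = new HashMap<>();
        final List<String> roleNames = new ArrayList<>(collection.size());

        for (RoleDescriptor roleDescriptor : collection) {
            roleNames.add(roleDescriptor.getName());
            if (roleDescriptor.getClusterPrivileges() != null) {
                clusterPrivileges.addAll(Arrays.asList(roleDescriptor.getClusterPrivileges()));
            }
            if (roleDescriptor.getConditionalClusterPrivileges() != null) {
                configurableClusterPrivileges.addAll(Arrays.asList(roleDescriptor.getConditionalClusterPrivileges()));
            }
            if (roleDescriptor.getRunAs() != null) {
                runAsPatterns.addAll(Arrays.asList(roleDescriptor.getRunAs()));
            }
            // Two passes with separate maps keep restricted-index grants apart from the rest.
            MergeableIndicesPrivilege.collatePrivilegesByIndices(roleDescriptor.getIndicesPrivileges(), true, restrictedIndicesPrivilegesMap);
            MergeableIndicesPrivilege.collatePrivilegesByIndices(roleDescriptor.getIndicesPrivileges(), false, indicesPrivilegesMap);
            if (roleDescriptor.hasRemoteIndicesPrivileges()) {
                groupIndexPrivilegesByCluster(roleDescriptor.getRemoteIndicesPrivileges(), remoteIndicesPrivilegesByCluster);
            }
            for (RoleDescriptor.ApplicationResourcePrivileges applicationResourcePrivileges : roleDescriptor.getApplicationPrivileges()) {
                applicationPrivilegesMap.compute(
                    new Tuple<>(applicationResourcePrivileges.getApplication(), Sets.newHashSet(applicationResourcePrivileges.getResources())),
                    (key, privilegeNames) -> {
                        if (privilegeNames == null) {
                            return Sets.newHashSet(applicationResourcePrivileges.getPrivileges());
                        }
                        privilegeNames.addAll(Arrays.asList(applicationResourcePrivileges.getPrivileges()));
                        return privilegeNames;
                    }
                );
            }
        }

        final Privilege runAsPrivilege = runAsPatterns.isEmpty()
            ? Privilege.NONE
            : new Privilege(runAsPatterns, runAsPatterns.toArray(org.elasticsearch.common.Strings.EMPTY_ARRAY));
        final Role.Builder builder = Role.builder(restrictedIndices, roleNames.toArray(org.elasticsearch.common.Strings.EMPTY_ARRAY))
            .cluster(clusterPrivileges, configurableClusterPrivileges)
            .runAs(runAsPrivilege);

        indicesPrivilegesMap.forEach((indexNames, privilege) -> builder.add(
            fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
            privilege.query,
            IndexPrivilege.get(privilege.privileges),
            false,
            privilege.indices.toArray(org.elasticsearch.common.Strings.EMPTY_ARRAY)
        ));
        restrictedIndicesPrivilegesMap.forEach((indexNames, privilege) -> builder.add(
            fieldPermissionsCache.getFieldPermissions(privilege.fieldPermissionsDefinition),
            privilege.query,
            IndexPrivilege.get(privilege.privileges),
            true,
            privilege.indices.toArray(org.elasticsearch.common.Strings.EMPTY_ARRAY)
        ));
        remoteIndicesPrivilegesByCluster.forEach((remoteClusters, remotePrivileges) -> remotePrivileges.forEach(indicesPrivileges -> builder.addRemoteGroup(
            remoteClusters,
            fieldPermissionsCache.getFieldPermissions(new FieldPermissionsDefinition(indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields())),
            indicesPrivileges.getQuery() == null ? null : Sets.newHashSet(new BytesReference[]{indicesPrivileges.getQuery()}),
            IndexPrivilege.get(Sets.newHashSet(Objects.requireNonNull(indicesPrivileges.getPrivileges()))),
            indicesPrivileges.allowRestrictedIndices(),
            Sets.newHashSet(Objects.requireNonNull(indicesPrivileges.getIndices())).toArray(new String[0])
        )));

        if (applicationPrivilegesMap.isEmpty()) {
            actionListener.onResponse(builder.build());
            return;
        }
        final Set<String> applicationNames = applicationPrivilegesMap.keySet().stream().map(Tuple::v1).collect(Collectors.toSet());
        final Set<String> applicationPrivilegeNames = applicationPrivilegesMap.values().stream().flatMap(Collection::stream).collect(Collectors.toSet());
        nativePrivilegeStore.getPrivileges(applicationNames, applicationPrivilegeNames, ActionListener.wrap(storedPrivileges -> {
            applicationPrivilegesMap.forEach((key, privilegeNames) -> ApplicationPrivilege.get(key.v1(), privilegeNames, storedPrivileges)
                .forEach(applicationPrivilege -> builder.addApplicationPrivilege(applicationPrivilege, key.v2())));
            actionListener.onResponse(builder.build());
        }, actionListener::onFailure));
    }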

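    /**
     * Drops every cached role, every negative lookup entry and the DLS bitset cache.
     *
     * <p>The invalidation counter is bumped first, so a role build already in flight will see
     * the change and skip caching its result.
     *
     * <p>The decompiled listing expanded the lock's try-with-resources and pulled the bitset
     * cache clear into the same {@code try}. An exception from that call would then close the
     * already released lock a second time. The lock scope is restored to cover only the role
     * cache.
     */
    public void invalidateAll() {
        this.numInvalidation.incrementAndGet();
        this.negativeLookupCache.invalidateAll();
        try (ReleasableLock ignored = this.roleCacheHelper.acquireUpdateLock()) {
            this.roleCache.invalidateAll();
        }
        this.dlsBitsetCache.clear("role store invalidation");
    }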

    /**
     * Evicts every cached role whose key names {@code str}, and the matching negative lookup
     * entry. The invalidation counter is bumped first so that in-flight role builds do not
     * cache their result.
     */
    public void invalidate(String str) {
        numInvalidation.incrementAndGet();
        roleCacheHelper.removeKeysIf(cachedKey -> cachedKey.getNames().contains(str));
        negativeLookupCache.invalidate(str);
    }

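    /**
     * Evicts every cached role whose key shares at least one name with {@code set}, and the
     * negative lookup entry of each name in {@code set}. The invalidation counter is bumped
     * first so that in-flight role builds do not cache their result.
     *
     * <p>The decompiled listing invoked the negative cache through an unresolved register
     * ({@code r1}). It is restored here as a method reference on the cache.
     */
    public void invalidate(Set<String> set) {
        this.numInvalidation.incrementAndGet();
        this.roleCacheHelper.removeKeysIf(roleKey -> !Sets.haveEmptyIntersection(roleKey.getNames(), set));
        set.forEach(this.negativeLookupCache::invalidate);
    }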

    /**
     * Reports usage statistics: the DLS bitset cache statistics under {@code dls.bit_set_cache},
     * merged with whatever the role providers report.
     */
    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        final Map<String, Object> usage = new HashMap<>();
        usage.put("dls", Map.of("bit_set_cache", this.dlsBitsetCache.usageStats()));
        this.roleProviders.usageStats(actionListener.map(providerUsage -> {
            usage.putAll(providerUsage);
            return usage;
        }));
    }

    /**
     * Drops all cached roles when the security index state changes in a way that could make
     * them stale: a move from red to non-red, deletion of the index, a different index UUID,
     * or a change in the up-to-date flag.
     *
     * @param state the previous state
     * @param state2 the current state
     */
    public void onSecurityIndexStateChange(SecurityIndexManager.State state, SecurityIndexManager.State state2) {
        final boolean cachedRolesMayBeStale = SecurityIndexManager.isMoveFromRedToNonRed(state, state2)
            || SecurityIndexManager.isIndexDeleted(state, state2)
            || !Objects.equals(state.indexUUID, state2.indexUUID)
            || state.isIndexUpToDate != state2.isIndexUpToDate;
        if (cachedRolesMayBeStale) {
            invalidateAll();
        }
    }

    /** Reports whether {@code str} currently has an entry in the negative lookup cache. */
    boolean isValueInNegativeLookupCache(String str) {
        final Boolean cachedMarker = negativeLookupCache.get(str);
        return cachedMarker != null;
    }

    /**
     * Adds each remote index privilege to {@code map} under its set of remote clusters.
     *
     * <p>An array holding a single entry whose first privilege is "none" (case-insensitive)
     * contributes nothing.
     */
    private static void groupIndexPrivilegesByCluster(RoleDescriptor.RemoteIndicesPrivileges[] remoteIndicesPrivilegesArr, Map<Set<String>, Set<RoleDescriptor.IndicesPrivileges>> map) {
        // Decompiled form of an assert on the argument.
        if (!$assertionsDisabled && remoteIndicesPrivilegesArr == null) {
            throw new AssertionError();
        }
        final boolean grantsNothing = remoteIndicesPrivilegesArr.length == 1
            && "none".equalsIgnoreCase(remoteIndicesPrivilegesArr[0].indicesPrivileges().getPrivileges()[0]);
        if (grantsNothing) {
            return;
        }
        for (RoleDescriptor.RemoteIndicesPrivileges remotePrivilege : remoteIndicesPrivilegesArr) {
            final Set<RoleDescriptor.IndicesPrivileges> group = map.computeIfAbsent(
                Sets.newHashSet(remotePrivilege.remoteClusters()),
                clusters -> new HashSet<>()
            );
            group.add(remotePrivilege.indicesPrivileges());
        }
    }

    /** Returns the two cache size settings that this store defines. */
    public static List<Setting<?>> getSettings() {
        final Setting<?>[] storeSettings = { CACHE_SIZE_SETTING, NEGATIVE_LOOKUP_CACHE_SIZE_SETTING };
        return Arrays.asList(storeSettings);
    }

    // Static initializer as emitted by the decompiler: the assertion flag first, then the
    // two node-scoped cache size settings (both default to 10000), then the logger.
    static {
        // Mirrors what the compiler generates for a class that contains assert statements.
        $assertionsDisabled = !CompositeRolesStore.class.desiredAssertionStatus();
        NEGATIVE_LOOKUP_CACHE_SIZE_SETTING = Setting.intSetting("xpack.security.authz.store.roles.negative_lookup_cache.max_size", 10000, new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_SIZE_SETTING = Setting.intSetting("xpack.security.authz.store.roles.cache.max_size", 10000, new Setting.Property[]{Setting.Property.NodeScope});
        logger = LogManager.getLogger(CompositeRolesStore.class);
    }
}
