package org.elasticsearch.xpack.core.security.authz.privilege;

import java.util.Arrays;
import org.elasticsearch.common.Strings;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.action.apikey.BulkUpdateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.GetApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.GrantApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.UpdateApiKeyRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
import org.elasticsearch.xpack.core.security.authc.RealmDomain;
import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.class */
/**
 * The {@code manage_own_api_key} cluster privilege.
 *
 * <p>It grants every {@code cluster:admin/xpack/security/api_key/*} action, but the
 * action match alone is not sufficient: {@link ManageOwnClusterPermissionCheck} inspects
 * each request and only accepts it when it is scoped to API keys the authenticated
 * subject owns. Everything security-relevant therefore lives in that nested check.
 */
public class ManageOwnApiKeyClusterPrivilege implements NamedClusterPrivilege {
    public static final ManageOwnApiKeyClusterPrivilege INSTANCE = new ManageOwnApiKeyClusterPrivilege();
    private static final String PRIVILEGE_NAME = "manage_own_api_key";
    // Built once; buildPermission() registers the ownership-aware check below.
    private final ClusterPermission permission = buildPermission(ClusterPermission.builder()).build();

    /**
     * Request-level ownership check for the API key actions.
     *
     * <p>Decision summary (see {@link #extendedCheck}):
     * <ul>
     *   <li>create / update / bulk-update: always allowed by this check;</li>
     *   <li>get / query: allowed only when scoped to the caller's own keys, and an
     *       API-key-authenticated caller may not ask for {@code with_limited_by};</li>
     *   <li>invalidate: every key id named (or the owner filter) must resolve to the caller;</li>
     *   <li>grant: never allowed under this privilege;</li>
     *   <li>any other request type is a programming error.</li>
     * </ul>
     */
    public static final class ManageOwnClusterPermissionCheck extends ClusterPermission.ActionBasedPermissionCheck {
        public static final ManageOwnClusterPermissionCheck INSTANCE = new ManageOwnClusterPermissionCheck();

        private ManageOwnClusterPermissionCheck() {
            super(Automatons.patterns("cluster:admin/xpack/security/api_key/*"));
        }

        /**
         * Applies the per-request ownership rules once the action name has already matched.
         *
         * @param action         the matched action name (unused here; the request type decides)
         * @param request        the transport request being authorized
         * @param authentication the caller's authentication
         * @return {@code true} when the request only touches API keys owned by the caller
         * @throws IllegalArgumentException if {@code request} is not one of the API key request
         *         types (an {@link AssertionError} is raised first when assertions are enabled)
         */
        @Override // org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission.ActionBasedPermissionCheck
        protected boolean extendedCheck(String action, TransportRequest request, Authentication authentication) {
            if (request instanceof CreateApiKeyRequest
                || request instanceof UpdateApiKeyRequest
                || request instanceof BulkUpdateApiKeyRequest) {
                // No ownership test is performed here for these requests; presumably the
                // transport actions restrict them to the caller's own keys — confirm there.
                return true;
            } else if (request instanceof GetApiKeyRequest) {
                return isAllowedGet((GetApiKeyRequest) request, authentication);
            } else if (request instanceof InvalidateApiKeyRequest) {
                return isAllowedInvalidate((InvalidateApiKeyRequest) request, authentication);
            } else if (request instanceof QueryApiKeyRequest) {
                return isAllowedQuery((QueryApiKeyRequest) request, authentication);
            } else if (request instanceof GrantApiKeyRequest) {
                // Granting keys on behalf of another subject is never "managing your own" keys.
                return false;
            }
            final String message = "manage own api key privilege only supports API key requests (not "
                + request.getClass().getName()
                + ")";
            assert false : message;
            throw new IllegalArgumentException(message);
        }

        /** Get: an API-key caller may not request limited-by role descriptors; otherwise the owner test applies. */
        private static boolean isAllowedGet(GetApiKeyRequest request, Authentication authentication) {
            if (authentication.isApiKey() && request.withLimitedBy()) {
                return false;
            }
            return checkIfUserIsOwnerOfApiKeys(
                authentication,
                request.getApiKeyId(),
                request.getUserName(),
                request.getRealmName(),
                request.ownedByAuthenticatedUser()
            );
        }

        /**
         * Invalidate: with no explicit ids the owner filter is tested once; with ids every
         * single id must pass. NOTE(review): an empty (non-null) ids array passes vacuously —
         * presumably rejected earlier by request validation; confirm.
         */
        private static boolean isAllowedInvalidate(InvalidateApiKeyRequest request, Authentication authentication) {
            final String[] apiKeyIds = request.getIds();
            if (apiKeyIds == null) {
                return checkIfUserIsOwnerOfApiKeys(
                    authentication,
                    null,
                    request.getUserName(),
                    request.getRealmName(),
                    request.ownedByAuthenticatedUser()
                );
            }
            for (String apiKeyId : apiKeyIds) {
                boolean owned = checkIfUserIsOwnerOfApiKeys(
                    authentication,
                    apiKeyId,
                    request.getUserName(),
                    request.getRealmName(),
                    request.ownedByAuthenticatedUser()
                );
                if (owned == false) {
                    return false;
                }
            }
            return true;
        }

        /** Query: same limited-by restriction as get; otherwise the query must be filtered to the current user. */
        private static boolean isAllowedQuery(QueryApiKeyRequest request, Authentication authentication) {
            if (authentication.isApiKey() && request.withLimitedBy()) {
                return false;
            }
            return request.isFilterForCurrentUser();
        }

        /** This check only implies another instance of itself. */
        @Override // org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission.ActionBasedPermissionCheck
        protected boolean doImplies(ClusterPermission.ActionBasedPermissionCheck other) {
            return other instanceof ManageOwnClusterPermissionCheck;
        }

        /**
         * Decides whether the caller owns the API key(s) a request refers to.
         *
         * <p>Order matters:
         * <ol>
         *   <li>an API-key caller owns exactly the key it authenticated with (matched by id);</li>
         *   <li>any other lookup by an API-key caller is denied — it owns no other keys;</li>
         *   <li>a user asking for "owned by me" is trivially allowed;</li>
         *   <li>otherwise both username and realm must be given and match the effective subject;
         *       when the subject's realm belongs to a domain, any realm of that domain matches.</li>
         * </ol>
         *
         * @param authentication           the caller's authentication
         * @param apiKeyId                 key id named in the request, may be {@code null}/blank
         * @param username                 username filter from the request, may be blank
         * @param realmName                realm filter from the request, may be blank
         * @param ownedByAuthenticatedUser the request's "owner" flag
         */
        public static boolean checkIfUserIsOwnerOfApiKeys(
            Authentication authentication,
            String apiKeyId,
            String username,
            String realmName,
            boolean ownedByAuthenticatedUser
        ) {
            if (isCurrentAuthenticationUsingSameApiKeyIdFromRequest(authentication, apiKeyId)) {
                return true;
            }
            if (authentication.isApiKey()) {
                // An API key cannot own any API key other than itself.
                return false;
            }
            if (ownedByAuthenticatedUser) {
                return true;
            }
            final boolean filterComplete = Strings.hasText(username) && Strings.hasText(realmName);
            if (filterComplete == false) {
                return false;
            }
            if (username.equals(authentication.getEffectiveSubject().getUser().principal()) == false) {
                return false;
            }
            final RealmDomain domain = authentication.getEffectiveSubject().getRealm().getDomain();
            if (domain == null) {
                return realmName.equals(authentication.getEffectiveSubject().getRealm().getName());
            }
            // Realm domains: the same user is considered the same subject across every realm of the domain.
            return domain.realms().stream().anyMatch(member -> realmName.equals(member.getName()));
        }

        /**
         * True only when the caller is an API key and {@code apiKeyId} is non-blank and equal to
         * the id of the key it authenticated with (read from the authenticating subject's metadata).
         */
        private static boolean isCurrentAuthenticationUsingSameApiKeyIdFromRequest(Authentication authentication, String apiKeyId) {
            if (authentication.isApiKey() == false) {
                return false;
            }
            final String authenticatedApiKeyId = (String) authentication.getAuthenticatingSubject()
                .getMetadata()
                .get(AuthenticationField.API_KEY_ID_KEY);
            return Strings.hasText(apiKeyId) && apiKeyId.equals(authenticatedApiKeyId);
        }
    }

    private ManageOwnApiKeyClusterPrivilege() {
    }

    /** @return the privilege name, {@code manage_own_api_key} */
    @Override // org.elasticsearch.xpack.core.security.authz.privilege.NamedClusterPrivilege
    public String name() {
        return PRIVILEGE_NAME;
    }

    /** Registers this privilege together with its ownership check on the given builder. */
    @Override // org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilege
    public ClusterPermission.Builder buildPermission(ClusterPermission.Builder builder) {
        return builder.add(this, ManageOwnClusterPermissionCheck.INSTANCE);
    }

    /** @return the permission built once at construction */
    @Override // org.elasticsearch.xpack.core.security.authz.privilege.NamedClusterPrivilege
    public ClusterPermission permission() {
        return permission;
    }
}
