package org.elasticsearch.xpack.core.security.authc;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.util.ArrayUtils;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.license.License;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.xpack.core.security.action.apikey.ApiKey;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.CrossClusterAccessSubjectInfo;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
import org.elasticsearch.xpack.core.security.authz.store.RoleReferenceIntersection;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.InternalUser;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Subject.class */
public class Subject {
    private final TransportVersion version;
    private final User user;
    private final Authentication.RealmRef realm;
    private final Type type;
    private final Map<String, Object> metadata;
    static final BytesArray FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* renamed from: org.elasticsearch.xpack.core.security.authc.Subject$1, reason: invalid class name */
    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Subject$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$elasticsearch$xpack$core$security$authc$Subject$Type = new int[Type.values().length];

        static {
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Subject$Type[Type.USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Subject$Type[Type.API_KEY.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Subject$Type[Type.SERVICE_ACCOUNT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$elasticsearch$xpack$core$security$authc$Subject$Type[Type.CROSS_CLUSTER_ACCESS.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Subject$Type.class */
    public enum Type {
        USER,
        API_KEY,
        SERVICE_ACCOUNT,
        CROSS_CLUSTER_ACCESS
    }

    public Subject(User user, Authentication.RealmRef realmRef) {
        this(user, realmRef, TransportVersion.current(), Map.of());
    }

    public Subject(User user, Authentication.RealmRef realmRef, TransportVersion transportVersion, Map<String, Object> map) {
        this.version = transportVersion;
        this.user = user;
        this.realm = realmRef;
        if (realmRef == null) {
            this.type = Type.USER;
        } else if ("_es_api_key".equals(realmRef.getType())) {
            if (!$assertionsDisabled && !"_es_api_key".equals(realmRef.getName())) {
                throw new AssertionError("api key realm name mismatch");
            }
            this.type = Type.API_KEY;
        } else if ("_service_account".equals(realmRef.getType())) {
            if (!$assertionsDisabled && !"_service_account".equals(realmRef.getName())) {
                throw new AssertionError("service account realm name mismatch");
            }
            this.type = Type.SERVICE_ACCOUNT;
        } else if (!"_es_cross_cluster_access".equals(realmRef.getType())) {
            this.type = Type.USER;
        } else {
            if (!$assertionsDisabled && !"_es_cross_cluster_access".equals(realmRef.getName())) {
                throw new AssertionError("cross cluster access realm name mismatch");
            }
            this.type = Type.CROSS_CLUSTER_ACCESS;
        }
        this.metadata = map;
    }

    public User getUser() {
        return this.user;
    }

    public Authentication.RealmRef getRealm() {
        return this.realm;
    }

    public Type getType() {
        return this.type;
    }

    public Map<String, Object> getMetadata() {
        return this.metadata;
    }

    public TransportVersion getTransportVersion() {
        return this.version;
    }

    public RoleReferenceIntersection getRoleReferenceIntersection(@Nullable AnonymousUser anonymousUser) {
        switch (AnonymousClass1.$SwitchMap$org$elasticsearch$xpack$core$security$authc$Subject$Type[this.type.ordinal()]) {
            case 1:
                return buildRoleReferencesForUser(anonymousUser);
            case 2:
                return buildRoleReferencesForApiKey();
            case 3:
                return new RoleReferenceIntersection(new RoleReference.ServiceAccountRoleReference(this.user.principal()));
            case License.VERSION_CRYPTO_ALGORITHMS /* 4 */:
                return buildRoleReferencesForCrossClusterAccess();
            default:
                if ($assertionsDisabled) {
                    throw new IllegalStateException("unknown subject type: [" + this.type + "]");
                }
                throw new AssertionError("unknown subject type: [" + this.type + "]");
        }
    }

    public boolean canAccessResourcesOf(Subject subject) {
        if (eitherIsAnApiKey(subject)) {
            if (bothAreApiKeys(subject)) {
                return isTheSameApiKey(subject);
            }
            return false;
        }
        if (eitherIsCrossClusterAccess(subject)) {
            if (!bothAreCrossClusterAccess(subject) || false == isTheSameApiKey(subject)) {
                return false;
            }
            return ((Authentication) getMetadata().get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY)).canAccessResourcesOf((Authentication) subject.getMetadata().get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY));
        }
        if (false == getUser().principal().equals(subject.getUser().principal())) {
            return false;
        }
        Authentication.RealmRef realm = getRealm();
        Authentication.RealmRef realm2 = subject.getRealm();
        if (null == realm.getDomain()) {
            return Authentication.equivalentRealms(realm.getName(), realm.getType(), realm2.getName(), realm2.getType());
        }
        for (RealmConfig.RealmIdentifier realmIdentifier : realm.getDomain().realms()) {
            if (Authentication.equivalentRealms(realmIdentifier.getName(), realmIdentifier.getType(), realm2.getName(), realm2.getType())) {
                return true;
            }
        }
        return false;
    }

    private boolean isTheSameApiKey(Subject subject) {
        boolean equals = getMetadata().get(AuthenticationField.API_KEY_ID_KEY).equals(subject.getMetadata().get(AuthenticationField.API_KEY_ID_KEY));
        if ($assertionsDisabled || false == equals || getUser().principal().equals(subject.getUser().principal())) {
            return equals;
        }
        throw new AssertionError("The same API key ID cannot be attributed to two different usernames");
    }

    private boolean eitherIsAnApiKey(Subject subject) {
        return Type.API_KEY.equals(getType()) || Type.API_KEY.equals(subject.getType());
    }

    private boolean bothAreApiKeys(Subject subject) {
        return Type.API_KEY.equals(getType()) && Type.API_KEY.equals(subject.getType());
    }

    private boolean eitherIsCrossClusterAccess(Subject subject) {
        return Type.CROSS_CLUSTER_ACCESS.equals(getType()) || Type.CROSS_CLUSTER_ACCESS.equals(subject.getType());
    }

    private boolean bothAreCrossClusterAccess(Subject subject) {
        return Type.CROSS_CLUSTER_ACCESS.equals(getType()) && Type.CROSS_CLUSTER_ACCESS.equals(subject.getType());
    }

    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        Subject subject = (Subject) obj;
        return this.version.equals(subject.version) && this.user.equals(subject.user) && Objects.equals(this.realm, subject.realm) && this.type == subject.type && this.metadata.equals(subject.metadata);
    }

    public int hashCode() {
        return Objects.hash(this.version, this.user, this.realm, this.type, this.metadata);
    }

    public String toString() {
        return "Subject{version=" + this.version + ", user=" + this.user + ", realm=" + this.realm + ", type=" + this.type + ", metadata=" + this.metadata + "}";
    }

    private RoleReferenceIntersection buildRoleReferencesForUser(AnonymousUser anonymousUser) {
        String[] roles;
        if (this.user.equals(anonymousUser)) {
            return new RoleReferenceIntersection(new RoleReference.NamedRoleReference(this.user.roles()));
        }
        if (anonymousUser == null || false == anonymousUser.enabled()) {
            roles = this.user.roles();
        } else {
            if (anonymousUser.roles().length == 0) {
                throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
            }
            roles = ArrayUtils.concat(this.user.roles(), anonymousUser.roles());
        }
        return new RoleReferenceIntersection(new RoleReference.NamedRoleReference(roles));
    }

    private RoleReferenceIntersection buildRoleReferencesForApiKey() {
        if (this.version.before(Authentication.VERSION_API_KEY_ROLES_AS_BYTES)) {
            return buildRolesReferenceForApiKeyBwc();
        }
        String str = (String) this.metadata.get(AuthenticationField.API_KEY_ID_KEY);
        if (!$assertionsDisabled && ApiKey.Type.REST != getApiKeyType()) {
            throw new AssertionError("only a REST API key should have its role built here");
        }
        BytesReference bytesReference = (BytesReference) this.metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY);
        BytesReference limitedByRoleDescriptorsBytes = getLimitedByRoleDescriptorsBytes();
        if (bytesReference == null && limitedByRoleDescriptorsBytes == null) {
            throw new ElasticsearchSecurityException("no role descriptors found for API key", new Object[0]);
        }
        RoleReference.ApiKeyRoleReference apiKeyRoleReference = new RoleReference.ApiKeyRoleReference(str, limitedByRoleDescriptorsBytes, RoleReference.ApiKeyRoleType.LIMITED_BY);
        return isEmptyRoleDescriptorsBytes(bytesReference) ? new RoleReferenceIntersection(apiKeyRoleReference) : new RoleReferenceIntersection(new RoleReference.ApiKeyRoleReference(str, bytesReference, RoleReference.ApiKeyRoleType.ASSIGNED), apiKeyRoleReference);
    }

    RoleReference.ApiKeyRoleReference buildRoleReferenceForCrossClusterApiKey() {
        if (!$assertionsDisabled && !this.version.onOrAfter(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY_CCR)) {
            throw new AssertionError();
        }
        String str = (String) this.metadata.get(AuthenticationField.API_KEY_ID_KEY);
        if (!$assertionsDisabled && ApiKey.Type.CROSS_CLUSTER != getApiKeyType()) {
            throw new AssertionError("cross cluster access must use cross-cluster API keys");
        }
        BytesReference bytesReference = (BytesReference) this.metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY);
        if (bytesReference == null) {
            throw new ElasticsearchSecurityException("no role descriptors found for API key", new Object[0]);
        }
        BytesReference bytesReference2 = (BytesReference) this.metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY);
        if ($assertionsDisabled || isEmptyRoleDescriptorsBytes(bytesReference2)) {
            return new RoleReference.ApiKeyRoleReference(str, bytesReference, RoleReference.ApiKeyRoleType.ASSIGNED);
        }
        throw new AssertionError("cross cluster API keys must have empty limited-by role descriptors");
    }

    private RoleReferenceIntersection buildRoleReferencesForCrossClusterAccess() {
        if (!$assertionsDisabled && ApiKey.Type.CROSS_CLUSTER != getApiKeyType()) {
            throw new AssertionError("cross cluster access must use cross-cluster API keys");
        }
        ArrayList arrayList = new ArrayList(4);
        List list = (List) this.metadata.get(AuthenticationField.CROSS_CLUSTER_ACCESS_ROLE_DESCRIPTORS_KEY);
        User user = ((Authentication) this.metadata.get(AuthenticationField.CROSS_CLUSTER_ACCESS_AUTHENTICATION_KEY)).getEffectiveSubject().getUser();
        if (user instanceof InternalUser) {
            InternalUser internalUser = (InternalUser) user;
            if (!$assertionsDisabled && !list.isEmpty()) {
                throw new AssertionError("role descriptors bytes list for internal cross cluster access user must be empty");
            }
            arrayList.add(new RoleReference.FixedRoleReference(internalUser.getRemoteAccessRoleDescriptor().orElseThrow(() -> {
                return new ElasticsearchSecurityException("The internal user [" + internalUser + "] is not permitted to perform cross cluster actions", new Object[0]);
            }), "cross_cluster_access_internal"));
        } else if (list.isEmpty()) {
            arrayList.add(new RoleReference.CrossClusterAccessRoleReference(user.principal(), CrossClusterAccessSubjectInfo.RoleDescriptorsBytes.EMPTY));
        } else {
            if (!$assertionsDisabled && list.size() > 2) {
                throw new AssertionError("not expected to have list of cross cluster access role descriptors bytes which have more than 2 elements");
            }
            Iterator it = list.iterator();
            while (it.hasNext()) {
                arrayList.add(new RoleReference.CrossClusterAccessRoleReference(user.principal(), (CrossClusterAccessSubjectInfo.RoleDescriptorsBytes) it.next()));
            }
        }
        arrayList.add(buildRoleReferenceForCrossClusterApiKey());
        return new RoleReferenceIntersection((List<RoleReference>) List.copyOf(arrayList));
    }

    private static boolean isEmptyRoleDescriptorsBytes(BytesReference bytesReference) {
        return bytesReference == null || (bytesReference.length() == 2 && "{}".equals(bytesReference.utf8ToString()));
    }

    private RoleReferenceIntersection buildRolesReferenceForApiKeyBwc() {
        String str = (String) this.metadata.get(AuthenticationField.API_KEY_ID_KEY);
        Map<String, Object> roleDescriptorMap = getRoleDescriptorMap(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY);
        Map<String, Object> roleDescriptorMap2 = getRoleDescriptorMap(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY);
        if (roleDescriptorMap == null && roleDescriptorMap2 == null) {
            throw new ElasticsearchSecurityException("no role descriptors found for API key", new Object[0]);
        }
        RoleReference.BwcApiKeyRoleReference bwcApiKeyRoleReference = new RoleReference.BwcApiKeyRoleReference(str, roleDescriptorMap2, RoleReference.ApiKeyRoleType.LIMITED_BY);
        return (roleDescriptorMap == null || roleDescriptorMap.isEmpty()) ? new RoleReferenceIntersection(bwcApiKeyRoleReference) : new RoleReferenceIntersection(new RoleReference.BwcApiKeyRoleReference(str, roleDescriptorMap, RoleReference.ApiKeyRoleType.ASSIGNED), bwcApiKeyRoleReference);
    }

    private Map<String, Object> getRoleDescriptorMap(String str) {
        return (Map) this.metadata.get(str);
    }

    private BytesReference getLimitedByRoleDescriptorsBytes() {
        if (!$assertionsDisabled && ApiKey.Type.REST != getApiKeyType()) {
            throw new AssertionError("bug fixing for fleet-server limited-by role descriptors applies only to REST API keys");
        }
        BytesReference bytesReference = (BytesReference) this.metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY);
        return (bytesReference.length() == 2 && "{}".equals(bytesReference.utf8ToString()) && "_service_account".equals(this.metadata.get(AuthenticationField.API_KEY_CREATOR_REALM_NAME)) && "elastic/fleet-server".equals(this.user.principal())) ? FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14 : bytesReference;
    }

    private ApiKey.Type getApiKeyType() {
        String str = (String) this.metadata.get(AuthenticationField.API_KEY_TYPE_KEY);
        if ($assertionsDisabled || str != null || this.version.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY_CCR)) {
            return str == null ? ApiKey.Type.REST : ApiKey.Type.parse(str);
        }
        throw new AssertionError("API key type must be non-null except for versions older than " + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY_CCR);
    }

    static {
        $assertionsDisabled = !Subject.class.desiredAssertionStatus();
        FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14 = new BytesArray("{\"elastic/fleet-server\":{\"cluster\":[\"monitor\",\"manage_own_api_key\"],\"indices\":[{\"names\":[\"logs-*\",\"metrics-*\",\"traces-*\",\"synthetics-*\",\".logs-endpoint.diagnostic.collection-*\"],\"privileges\":[\"write\",\"create_index\",\"auto_configure\"],\"allow_restricted_indices\":false},{\"names\":[\".fleet-*\"],\"privileges\":[\"read\",\"write\",\"monitor\",\"create_index\",\"auto_configure\"],\"allow_restricted_indices\":false}],\"applications\":[],\"run_as\":[],\"metadata\":{},\"transient_metadata\":{\"enabled\":true}}}");
    }
}
