package org.elasticsearch.xpack.security.authz.store;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.common.IteratingActionListener;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.DocumentSubsetBitsetCache;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
import org.elasticsearch.xpack.core.security.authz.permission.LimitedRole;
import org.elasticsearch.xpack.core.security.authz.permission.Role;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.Privilege;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.authz.store.RoleRetrievalResult;
import org.elasticsearch.xpack.core.security.support.CacheIteratorHelper;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.AsyncSearchUser;
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.security.user.XPackSecurityUser;
import org.elasticsearch.xpack.core.security.user.XPackUser;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.class */
public class CompositeRolesStore {
    private static final String ROLES_STORE_SOURCE = "roles_stores";
    private static final Setting<Integer> CACHE_SIZE_SETTING;
    private static final Setting<Integer> NEGATIVE_LOOKUP_CACHE_SIZE_SETTING;
    private static final Logger logger;
    private final FileRolesStore fileRolesStore;
    private final NativeRolesStore nativeRolesStore;
    private final NativePrivilegeStore privilegeStore;
    private final XPackLicenseState licenseState;
    private final Consumer<Collection<RoleDescriptor>> effectiveRoleDescriptorsConsumer;
    private final FieldPermissionsCache fieldPermissionsCache;
    private final Cache<RoleKey, Role> roleCache;
    private final CacheIteratorHelper<RoleKey, Role> roleCacheHelper;
    private final Cache<String, Boolean> negativeLookupCache;
    private final DocumentSubsetBitsetCache dlsBitsetCache;
    private final ThreadContext threadContext;
    private final AnonymousUser anonymousUser;
    private final ApiKeyService apiKeyService;
    private final ServiceAccountService serviceAccountService;
    private final boolean isAnonymousEnabled;
    private final List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> builtInRoleProviders;
    private final List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> allRoleProviders;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(CompositeRolesStore.class);
    private final AtomicLong numInvalidation = new AtomicLong();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore$MergeableIndicesPrivilege.class */
    public static class MergeableIndicesPrivilege {
        private Set<String> indices;
        private Set<String> privileges;
        private FieldPermissionsDefinition fieldPermissionsDefinition;
        private Set<BytesReference> query;
        static final /* synthetic */ boolean $assertionsDisabled;

        MergeableIndicesPrivilege(String[] strArr, String[] strArr2, @Nullable String[] strArr3, @Nullable String[] strArr4, @Nullable BytesReference bytesReference) {
            this.query = null;
            this.indices = Sets.newHashSet((String[]) Objects.requireNonNull(strArr));
            this.privileges = Sets.newHashSet((String[]) Objects.requireNonNull(strArr2));
            this.fieldPermissionsDefinition = new FieldPermissionsDefinition(strArr3, strArr4);
            if (bytesReference != null) {
                this.query = Sets.newHashSet(new BytesReference[]{bytesReference});
            }
        }

        void merge(MergeableIndicesPrivilege mergeableIndicesPrivilege) {
            if (!$assertionsDisabled && !this.indices.equals(mergeableIndicesPrivilege.indices)) {
                throw new AssertionError("index names must be equivalent in order to merge");
            }
            HashSet hashSet = new HashSet();
            hashSet.addAll(this.fieldPermissionsDefinition.getFieldGrantExcludeGroups());
            hashSet.addAll(mergeableIndicesPrivilege.fieldPermissionsDefinition.getFieldGrantExcludeGroups());
            this.fieldPermissionsDefinition = new FieldPermissionsDefinition(hashSet);
            this.privileges.addAll(mergeableIndicesPrivilege.privileges);
            if (this.query == null || mergeableIndicesPrivilege.query == null) {
                this.query = null;
            } else {
                this.query.addAll(mergeableIndicesPrivilege.query);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static void collatePrivilegesByIndices(RoleDescriptor.IndicesPrivileges[] indicesPrivilegesArr, boolean z, Map<Set<String>, MergeableIndicesPrivilege> map) {
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : indicesPrivilegesArr) {
                if (!(indicesPrivilegesArr.length == 1 && "none".equalsIgnoreCase(indicesPrivileges.getPrivileges()[0])) && indicesPrivileges.allowRestrictedIndices() == z) {
                    map.compute(Sets.newHashSet(indicesPrivileges.getIndices()), (set, mergeableIndicesPrivilege) -> {
                        if (mergeableIndicesPrivilege == null) {
                            return new MergeableIndicesPrivilege(indicesPrivileges.getIndices(), indicesPrivileges.getPrivileges(), indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields(), indicesPrivileges.getQuery());
                        }
                        mergeableIndicesPrivilege.merge(new MergeableIndicesPrivilege(indicesPrivileges.getIndices(), indicesPrivileges.getPrivileges(), indicesPrivileges.getGrantedFields(), indicesPrivileges.getDeniedFields(), indicesPrivileges.getQuery()));
                        return mergeableIndicesPrivilege;
                    });
                }
            }
        }

        static {
            $assertionsDisabled = !CompositeRolesStore.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore$RoleKey.class */
    public static final class RoleKey {
        private final Set<String> names;
        private final String source;

        private RoleKey(Set<String> set, String str) {
            this.names = (Set) Objects.requireNonNull(set);
            this.source = (String) Objects.requireNonNull(str);
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RoleKey roleKey = (RoleKey) obj;
            return this.names.equals(roleKey.names) && this.source.equals(roleKey.source);
        }

        public int hashCode() {
            return Objects.hash(this.names, this.source);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/CompositeRolesStore$RolesRetrievalResult.class */
    public static final class RolesRetrievalResult {
        private final Set<RoleDescriptor> roleDescriptors;
        private Set<String> missingRoles;
        private boolean success;

        private RolesRetrievalResult() {
            this.roleDescriptors = new HashSet();
            this.missingRoles = Collections.emptySet();
            this.success = true;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void addDescriptors(Set<RoleDescriptor> set) {
            this.roleDescriptors.addAll(set);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Set<RoleDescriptor> getRoleDescriptors() {
            return this.roleDescriptors;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void setFailure() {
            this.success = false;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean isSuccess() {
            return this.success;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void setMissingRoles(Set<String> set) {
            this.missingRoles = set;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Set<String> getMissingRoles() {
            return this.missingRoles;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public CompositeRolesStore(Settings settings, FileRolesStore fileRolesStore, NativeRolesStore nativeRolesStore, ReservedRolesStore reservedRolesStore, NativePrivilegeStore nativePrivilegeStore, List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> list, ThreadContext threadContext, XPackLicenseState xPackLicenseState, FieldPermissionsCache fieldPermissionsCache, ApiKeyService apiKeyService, ServiceAccountService serviceAccountService, DocumentSubsetBitsetCache documentSubsetBitsetCache, Consumer<Collection<RoleDescriptor>> consumer) {
        this.fileRolesStore = (FileRolesStore) Objects.requireNonNull(fileRolesStore);
        this.dlsBitsetCache = (DocumentSubsetBitsetCache) Objects.requireNonNull(documentSubsetBitsetCache);
        fileRolesStore.addListener(this::invalidate);
        this.nativeRolesStore = (NativeRolesStore) Objects.requireNonNull(nativeRolesStore);
        this.privilegeStore = (NativePrivilegeStore) Objects.requireNonNull(nativePrivilegeStore);
        this.licenseState = (XPackLicenseState) Objects.requireNonNull(xPackLicenseState);
        this.fieldPermissionsCache = (FieldPermissionsCache) Objects.requireNonNull(fieldPermissionsCache);
        this.apiKeyService = (ApiKeyService) Objects.requireNonNull(apiKeyService);
        this.serviceAccountService = (ServiceAccountService) Objects.requireNonNull(serviceAccountService);
        this.effectiveRoleDescriptorsConsumer = (Consumer) Objects.requireNonNull(consumer);
        CacheBuilder builder = CacheBuilder.builder();
        int intValue = ((Integer) CACHE_SIZE_SETTING.get(settings)).intValue();
        if (intValue >= 0) {
            builder.setMaximumWeight(intValue);
        }
        this.roleCache = builder.build();
        this.roleCacheHelper = new CacheIteratorHelper<>(this.roleCache);
        this.threadContext = threadContext;
        CacheBuilder builder2 = CacheBuilder.builder();
        int intValue2 = ((Integer) NEGATIVE_LOOKUP_CACHE_SIZE_SETTING.get(settings)).intValue();
        if (intValue2 >= 0) {
            builder2.setMaximumWeight(intValue2);
        }
        this.negativeLookupCache = builder2.build();
        this.builtInRoleProviders = Collections.unmodifiableList(Arrays.asList(reservedRolesStore, fileRolesStore, nativeRolesStore));
        if (list.isEmpty()) {
            this.allRoleProviders = this.builtInRoleProviders;
        } else {
            ArrayList arrayList = new ArrayList(this.builtInRoleProviders.size() + list.size());
            arrayList.addAll(this.builtInRoleProviders);
            arrayList.addAll(list);
            this.allRoleProviders = Collections.unmodifiableList(arrayList);
        }
        this.anonymousUser = new AnonymousUser(settings);
        this.isAnonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);
    }

    public void roles(Set<String> set, ActionListener<Role> actionListener) {
        RoleKey roleKey = new RoleKey(set, ROLES_STORE_SOURCE);
        Role role = (Role) this.roleCache.get(roleKey);
        if (role != null) {
            actionListener.onResponse(role);
            return;
        }
        long j = this.numInvalidation.get();
        CheckedConsumer checkedConsumer = rolesRetrievalResult -> {
            logDeprecatedRoles(rolesRetrievalResult.roleDescriptors);
            if (!rolesRetrievalResult.getMissingRoles().isEmpty()) {
                logger.debug(() -> {
                    return new ParameterizedMessage("Could not find roles with names {}", rolesRetrievalResult.getMissingRoles());
                });
            }
            Set roleDescriptors = rolesRetrievalResult.getRoleDescriptors();
            Set set2 = (!roleDescriptors.stream().anyMatch((v0) -> {
                return v0.isUsingDocumentOrFieldLevelSecurity();
            }) || this.licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_DLS_FLS)) ? roleDescriptors : (Set) roleDescriptors.stream().filter(roleDescriptor -> {
                return !roleDescriptor.isUsingDocumentOrFieldLevelSecurity();
            }).collect(Collectors.toSet());
            Set set3 = set2;
            logger.trace(() -> {
                return new ParameterizedMessage("Exposing effective role descriptors [{}] for role names [{}]", set3, set);
            });
            this.effectiveRoleDescriptorsConsumer.accept(Collections.unmodifiableCollection(set2));
            Set set4 = set2;
            logger.trace(() -> {
                return new ParameterizedMessage("Building role from descriptors [{}] for role names [{}]", set4, set);
            });
            buildThenMaybeCacheRole(roleKey, set2, rolesRetrievalResult.getMissingRoles(), rolesRetrievalResult.isSuccess(), j, actionListener);
        };
        Objects.requireNonNull(actionListener);
        roleDescriptors(set, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    void logDeprecatedRoles(Set<RoleDescriptor> set) {
        set.stream().filter(roleDescriptor -> {
            return Boolean.TRUE.equals(roleDescriptor.getMetadata().get("_deprecated"));
        }).forEach(roleDescriptor2 -> {
            this.deprecationLogger.deprecate(DeprecationCategory.SECURITY, "deprecated_role-" + roleDescriptor2.getName(), "The role [" + roleDescriptor2.getName() + "] is deprecated and will be removed in a future version of Elasticsearch. " + Objects.toString(roleDescriptor2.getMetadata().get("_deprecated_reason"), "Please check the documentation"), new Object[0]);
        });
    }

    public void getRoles(User user, Authentication authentication, ActionListener<Role> actionListener) {
        if (SystemUser.is(user)) {
            throw new IllegalArgumentException("the user [" + user.principal() + "] is the system user and we should never try to get its roles");
        }
        if (XPackUser.is(user)) {
            if (!$assertionsDisabled && XPackUser.INSTANCE.roles().length != 1) {
                throw new AssertionError();
            }
            actionListener.onResponse(XPackUser.ROLE);
            return;
        }
        if (XPackSecurityUser.is(user)) {
            actionListener.onResponse(ReservedRolesStore.SUPERUSER_ROLE);
            return;
        }
        if (AsyncSearchUser.is(user)) {
            actionListener.onResponse(AsyncSearchUser.ROLE);
            return;
        }
        if (authentication.isServiceAccount()) {
            getRolesForServiceAccount(authentication, actionListener);
            return;
        }
        if (ApiKeyService.isApiKeyAuthentication(authentication)) {
            getRolesForApiKey(authentication, actionListener);
            return;
        }
        HashSet hashSet = new HashSet(Arrays.asList(user.roles()));
        if (this.isAnonymousEnabled && !this.anonymousUser.equals(user)) {
            if (this.anonymousUser.roles().length == 0) {
                throw new IllegalStateException("anonymous is only enabled when the anonymous user has roles");
            }
            Collections.addAll(hashSet, this.anonymousUser.roles());
        }
        if (hashSet.isEmpty()) {
            actionListener.onResponse(Role.EMPTY);
        } else if (hashSet.contains(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR.getName())) {
            actionListener.onResponse(ReservedRolesStore.SUPERUSER_ROLE);
        } else {
            roles(hashSet, actionListener);
        }
    }

    private void getRolesForServiceAccount(Authentication authentication, ActionListener<Role> actionListener) {
        ServiceAccountService serviceAccountService = this.serviceAccountService;
        CheckedConsumer checkedConsumer = roleDescriptor -> {
            RoleKey roleKey = new RoleKey(org.elasticsearch.core.Set.of(roleDescriptor.getName()), "service_account");
            Role role = (Role) this.roleCache.get(roleKey);
            if (role != null) {
                actionListener.onResponse(role);
            } else {
                buildThenMaybeCacheRole(roleKey, org.elasticsearch.core.List.of(roleDescriptor), org.elasticsearch.core.Set.of(), true, this.numInvalidation.get(), actionListener);
            }
        };
        Objects.requireNonNull(actionListener);
        serviceAccountService.getRoleDescriptor(authentication, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void getRolesForApiKey(Authentication authentication, ActionListener<Role> actionListener) {
        if (authentication.getVersion().onOrAfter(Authentication.VERSION_API_KEY_ROLES_AS_BYTES)) {
            CheckedConsumer checkedConsumer = role -> {
                if (role == Role.EMPTY) {
                    buildAndCacheRoleForApiKey(authentication, true, actionListener);
                    return;
                }
                CheckedConsumer checkedConsumer2 = role -> {
                    actionListener.onResponse(LimitedRole.createLimitedRole(role, role));
                };
                Objects.requireNonNull(actionListener);
                buildAndCacheRoleForApiKey(authentication, true, ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
            };
            Objects.requireNonNull(actionListener);
            buildAndCacheRoleForApiKey(authentication, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } else {
            ApiKeyService apiKeyService = this.apiKeyService;
            CheckedConsumer checkedConsumer2 = apiKeyRoleDescriptors -> {
                List<RoleDescriptor> roleDescriptors = apiKeyRoleDescriptors.getRoleDescriptors();
                if (roleDescriptors == null) {
                    actionListener.onFailure(new IllegalStateException("missing role descriptors"));
                    return;
                }
                if (apiKeyRoleDescriptors.getLimitedByRoleDescriptors() == null) {
                    buildAndCacheRoleFromDescriptors(roleDescriptors, apiKeyRoleDescriptors.getApiKeyId() + "_role_desc", actionListener);
                    return;
                }
                String str = apiKeyRoleDescriptors.getApiKeyId() + "_role_desc";
                CheckedConsumer checkedConsumer3 = role2 -> {
                    List<RoleDescriptor> limitedByRoleDescriptors = apiKeyRoleDescriptors.getLimitedByRoleDescriptors();
                    String str2 = apiKeyRoleDescriptors.getApiKeyId() + "_limited_role_desc";
                    CheckedConsumer checkedConsumer4 = role2 -> {
                        actionListener.onResponse(LimitedRole.createLimitedRole(role2, role2));
                    };
                    Objects.requireNonNull(actionListener);
                    buildAndCacheRoleFromDescriptors(limitedByRoleDescriptors, str2, ActionListener.wrap(checkedConsumer4, actionListener::onFailure));
                };
                Objects.requireNonNull(actionListener);
                buildAndCacheRoleFromDescriptors(roleDescriptors, str, ActionListener.wrap(checkedConsumer3, actionListener::onFailure));
            };
            Objects.requireNonNull(actionListener);
            apiKeyService.getRoleForApiKey(authentication, ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
        }
    }

    public void buildAndCacheRoleFromDescriptors(Collection<RoleDescriptor> collection, String str, ActionListener<Role> actionListener) {
        if (ROLES_STORE_SOURCE.equals(str)) {
            throw new IllegalArgumentException("source [roles_stores] is reserved for internal use");
        }
        RoleKey roleKey = new RoleKey((Set) collection.stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.toSet()), str);
        Role role = (Role) this.roleCache.get(roleKey);
        if (role != null) {
            actionListener.onResponse(role);
        } else {
            buildThenMaybeCacheRole(roleKey, collection, Collections.emptySet(), true, this.numInvalidation.get(), actionListener);
        }
    }

    private void buildThenMaybeCacheRole(RoleKey roleKey, Collection<RoleDescriptor> collection, Set<String> set, boolean z, long j, ActionListener<Role> actionListener) {
        logger.trace("Building role from descriptors [{}] for names [{}] from source [{}]", collection, roleKey.names, roleKey.source);
        FieldPermissionsCache fieldPermissionsCache = this.fieldPermissionsCache;
        NativePrivilegeStore nativePrivilegeStore = this.privilegeStore;
        CheckedConsumer checkedConsumer = role -> {
            if (role != null && z) {
                ReleasableLock acquireUpdateLock = this.roleCacheHelper.acquireUpdateLock();
                try {
                    if (j == this.numInvalidation.get()) {
                        this.roleCache.computeIfAbsent(roleKey, roleKey2 -> {
                            return role;
                        });
                    }
                    if (acquireUpdateLock != null) {
                        acquireUpdateLock.close();
                    }
                    Iterator it = set.iterator();
                    while (it.hasNext()) {
                        this.negativeLookupCache.computeIfAbsent((String) it.next(), str -> {
                            return Boolean.TRUE;
                        });
                    }
                } catch (Throwable th) {
                    if (acquireUpdateLock != null) {
                        try {
                            acquireUpdateLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
            actionListener.onResponse(role);
        };
        Objects.requireNonNull(actionListener);
        buildRoleFromDescriptors(collection, fieldPermissionsCache, nativePrivilegeStore, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void buildAndCacheRoleForApiKey(Authentication authentication, boolean z, ActionListener<Role> actionListener) {
        Tuple<String, BytesReference> apiKeyIdAndRoleBytes = this.apiKeyService.getApiKeyIdAndRoleBytes(authentication, z);
        RoleKey roleKey = new RoleKey(org.elasticsearch.core.Set.of("apikey:" + MessageDigests.toHexString(MessageDigests.digest((BytesReference) apiKeyIdAndRoleBytes.v2(), MessageDigests.sha256()))), z ? "apikey_limited_role" : "apikey_role");
        Role role = (Role) this.roleCache.get(roleKey);
        if (role == null) {
            buildThenMaybeCacheRole(roleKey, this.apiKeyService.parseRoleDescriptors((String) apiKeyIdAndRoleBytes.v1(), (BytesReference) apiKeyIdAndRoleBytes.v2()), Collections.emptySet(), true, this.numInvalidation.get(), actionListener);
        } else {
            actionListener.onResponse(role);
        }
    }

    public void getRoleDescriptors(Set<String> set, ActionListener<Set<RoleDescriptor>> actionListener) {
        CheckedConsumer checkedConsumer = rolesRetrievalResult -> {
            if (rolesRetrievalResult.isSuccess()) {
                actionListener.onResponse(rolesRetrievalResult.getRoleDescriptors());
            } else {
                actionListener.onFailure(new ElasticsearchException("role retrieval had one or more failures", new Object[0]));
            }
        };
        Objects.requireNonNull(actionListener);
        roleDescriptors(set, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void roleDescriptors(Set<String> set, ActionListener<RolesRetrievalResult> actionListener) {
        loadRoleDescriptorsAsync((Set) set.stream().filter(str -> {
            if (this.negativeLookupCache.get(str) == null) {
                return true;
            }
            logger.debug(() -> {
                return new ParameterizedMessage("Requested role [{}] does not exist (cached)", str);
            });
            return false;
        }).collect(Collectors.toSet()), actionListener);
    }

    private void loadRoleDescriptorsAsync(Set<String> set, ActionListener<RolesRetrievalResult> actionListener) {
        RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
        List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> list = this.licenseState.checkFeature(XPackLicenseState.Feature.SECURITY_CUSTOM_ROLE_PROVIDERS) ? this.allRoleProviders : this.builtInRoleProviders;
        CheckedConsumer checkedConsumer = roleRetrievalResult -> {
            rolesRetrievalResult.setMissingRoles(set);
            actionListener.onResponse(rolesRetrievalResult);
        };
        Objects.requireNonNull(actionListener);
        new IteratingActionListener(ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(checkedConsumer, actionListener::onFailure), this.threadContext), (biConsumer, actionListener2) -> {
            CheckedConsumer checkedConsumer2 = roleRetrievalResult2 -> {
                if (roleRetrievalResult2.isSuccess()) {
                    logger.debug(() -> {
                        return new ParameterizedMessage("Roles [{}] were resolved by [{}]", names(roleRetrievalResult2.getDescriptors()), biConsumer);
                    });
                    Set descriptors = roleRetrievalResult2.getDescriptors();
                    rolesRetrievalResult.addDescriptors(descriptors);
                    Iterator it = descriptors.iterator();
                    while (it.hasNext()) {
                        set.remove(((RoleDescriptor) it.next()).getName());
                    }
                } else {
                    logger.warn(new ParameterizedMessage("role retrieval failed from [{}]", biConsumer), roleRetrievalResult2.getFailure());
                    rolesRetrievalResult.setFailure();
                }
                actionListener2.onResponse(roleRetrievalResult2);
            };
            Objects.requireNonNull(actionListener2);
            biConsumer.accept(set, ActionListener.wrap(checkedConsumer2, actionListener2::onFailure));
        }, list, this.threadContext, Function.identity(), roleRetrievalResult2 -> {
            return !set.isEmpty();
        }).run();
    }

    private String names(Collection<RoleDescriptor> collection) {
        return (String) collection.stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.joining(","));
    }

    public static void buildRoleFromDescriptors(Collection<RoleDescriptor> collection, FieldPermissionsCache fieldPermissionsCache, NativePrivilegeStore nativePrivilegeStore, ActionListener<Role> actionListener) {
        if (collection.isEmpty()) {
            actionListener.onResponse(Role.EMPTY);
            return;
        }
        HashSet hashSet = new HashSet();
        ArrayList arrayList = new ArrayList();
        HashSet hashSet2 = new HashSet();
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        ArrayList arrayList2 = new ArrayList(collection.size());
        for (RoleDescriptor roleDescriptor : collection) {
            arrayList2.add(roleDescriptor.getName());
            if (roleDescriptor.getClusterPrivileges() != null) {
                hashSet.addAll(Arrays.asList(roleDescriptor.getClusterPrivileges()));
            }
            if (roleDescriptor.getConditionalClusterPrivileges() != null) {
                arrayList.addAll(Arrays.asList(roleDescriptor.getConditionalClusterPrivileges()));
            }
            if (roleDescriptor.getRunAs() != null) {
                hashSet2.addAll(Arrays.asList(roleDescriptor.getRunAs()));
            }
            MergeableIndicesPrivilege.collatePrivilegesByIndices(roleDescriptor.getIndicesPrivileges(), true, hashMap);
            MergeableIndicesPrivilege.collatePrivilegesByIndices(roleDescriptor.getIndicesPrivileges(), false, hashMap2);
            for (RoleDescriptor.ApplicationResourcePrivileges applicationResourcePrivileges : roleDescriptor.getApplicationPrivileges()) {
                hashMap3.compute(new Tuple(applicationResourcePrivileges.getApplication(), Sets.newHashSet(applicationResourcePrivileges.getResources())), (tuple, set) -> {
                    if (set == null) {
                        return Sets.newHashSet(applicationResourcePrivileges.getPrivileges());
                    }
                    set.addAll(Arrays.asList(applicationResourcePrivileges.getPrivileges()));
                    return set;
                });
            }
        }
        Role.Builder runAs = Role.builder((String[]) arrayList2.toArray(new String[arrayList2.size()])).cluster(hashSet, arrayList).runAs(hashSet2.isEmpty() ? Privilege.NONE : new Privilege(hashSet2, (String[]) hashSet2.toArray(Strings.EMPTY_ARRAY)));
        hashMap2.entrySet().forEach(entry -> {
            MergeableIndicesPrivilege mergeableIndicesPrivilege = (MergeableIndicesPrivilege) entry.getValue();
            runAs.add(fieldPermissionsCache.getFieldPermissions(mergeableIndicesPrivilege.fieldPermissionsDefinition), mergeableIndicesPrivilege.query, IndexPrivilege.get(mergeableIndicesPrivilege.privileges), false, (String[]) mergeableIndicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY));
        });
        hashMap.entrySet().forEach(entry2 -> {
            MergeableIndicesPrivilege mergeableIndicesPrivilege = (MergeableIndicesPrivilege) entry2.getValue();
            runAs.add(fieldPermissionsCache.getFieldPermissions(mergeableIndicesPrivilege.fieldPermissionsDefinition), mergeableIndicesPrivilege.query, IndexPrivilege.get(mergeableIndicesPrivilege.privileges), true, (String[]) mergeableIndicesPrivilege.indices.toArray(Strings.EMPTY_ARRAY));
        });
        if (hashMap3.isEmpty()) {
            actionListener.onResponse(runAs.build());
            return;
        }
        Set set2 = (Set) hashMap3.keySet().stream().map((v0) -> {
            return v0.v1();
        }).collect(Collectors.toSet());
        Set set3 = (Set) hashMap3.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toSet());
        CheckedConsumer checkedConsumer = collection2 -> {
            hashMap3.forEach((tuple2, set4) -> {
                ApplicationPrivilege.get((String) tuple2.v1(), set4, collection2).forEach(applicationPrivilege -> {
                    runAs.addApplicationPrivilege(applicationPrivilege, (Set) tuple2.v2());
                });
            });
            actionListener.onResponse(runAs.build());
        };
        Objects.requireNonNull(actionListener);
        nativePrivilegeStore.getPrivileges(set2, set3, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void invalidateAll() {
        this.numInvalidation.incrementAndGet();
        this.negativeLookupCache.invalidateAll();
        ReleasableLock acquireUpdateLock = this.roleCacheHelper.acquireUpdateLock();
        try {
            this.roleCache.invalidateAll();
            if (acquireUpdateLock != null) {
                acquireUpdateLock.close();
            }
            this.dlsBitsetCache.clear("role store invalidation");
        } catch (Throwable th) {
            if (acquireUpdateLock != null) {
                try {
                    acquireUpdateLock.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void invalidate(String str) {
        this.numInvalidation.incrementAndGet();
        this.roleCacheHelper.removeKeysIf(roleKey -> {
            return roleKey.names.contains(str);
        });
        this.negativeLookupCache.invalidate(str);
    }

    public void invalidate(Set<String> set) {
        this.numInvalidation.incrementAndGet();
        this.roleCacheHelper.removeKeysIf(roleKey -> {
            return !Sets.haveEmptyIntersection(roleKey.names, set);
        });
        Cache<String, Boolean> cache = this.negativeLookupCache;
        Objects.requireNonNull(cache);
        set.forEach((v1) -> {
            r1.invalidate(v1);
        });
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        HashMap hashMap = new HashMap(2);
        hashMap.put("file", this.fileRolesStore.usageStats());
        hashMap.put("dls", Collections.singletonMap("bit_set_cache", this.dlsBitsetCache.usageStats()));
        NativeRolesStore nativeRolesStore = this.nativeRolesStore;
        CheckedConsumer checkedConsumer = map -> {
            hashMap.put("native", map);
            actionListener.onResponse(hashMap);
        };
        Objects.requireNonNull(actionListener);
        nativeRolesStore.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void onSecurityIndexStateChange(SecurityIndexManager.State state, SecurityIndexManager.State state2) {
        if (SecurityIndexManager.isMoveFromRedToNonRed(state, state2) || SecurityIndexManager.isIndexDeleted(state, state2) || !Objects.equals(state.indexUUID, state2.indexUUID) || state.isIndexUpToDate != state2.isIndexUpToDate) {
            invalidateAll();
        }
    }

    boolean isValueInNegativeLookupCache(String str) {
        return this.negativeLookupCache.get(str) != null;
    }

    public static List<Setting<?>> getSettings() {
        return Arrays.asList(CACHE_SIZE_SETTING, NEGATIVE_LOOKUP_CACHE_SIZE_SETTING);
    }

    static {
        $assertionsDisabled = !CompositeRolesStore.class.desiredAssertionStatus();
        CACHE_SIZE_SETTING = Setting.intSetting("xpack.security.authz.store.roles.cache.max_size", 10000, new Setting.Property[]{Setting.Property.NodeScope});
        NEGATIVE_LOOKUP_CACHE_SIZE_SETTING = Setting.intSetting("xpack.security.authz.store.roles.negative_lookup_cache.max_size", 10000, new Setting.Property[]{Setting.Property.NodeScope});
        logger = LogManager.getLogger(CompositeRolesStore.class);
    }
}
