package org.elasticsearch.xpack.security.action;

import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.support.ApiKeyGenerator;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/TransportCreateApiKeyAction.class */
public final class TransportCreateApiKeyAction extends HandledTransportAction<CreateApiKeyRequest, CreateApiKeyResponse> {
    private final ApiKeyGenerator generator;
    private final SecurityContext securityContext;

    @Inject
    public TransportCreateApiKeyAction(TransportService transportService, ActionFilters actionFilters, ApiKeyService apiKeyService, SecurityContext securityContext, CompositeRolesStore compositeRolesStore, NamedXContentRegistry namedXContentRegistry) {
        super("cluster:admin/xpack/security/api_key/create", transportService, actionFilters, CreateApiKeyRequest::new);
        this.generator = new ApiKeyGenerator(apiKeyService, compositeRolesStore, namedXContentRegistry);
        this.securityContext = securityContext;
    }

    protected void doExecute(Task task, CreateApiKeyRequest createApiKeyRequest, ActionListener<CreateApiKeyResponse> actionListener) {
        Authentication authentication = this.securityContext.getAuthentication();
        if (authentication == null) {
            actionListener.onFailure(new IllegalStateException("authentication is required"));
        } else if (Authentication.AuthenticationType.API_KEY == authentication.getAuthenticationType() && grantsAnyPrivileges(createApiKeyRequest)) {
            actionListener.onFailure(new IllegalArgumentException("creating derived api keys requires an explicit role descriptor that is empty (has no privileges)"));
        } else {
            this.generator.generateApiKey(authentication, createApiKeyRequest, actionListener);
        }
    }

    private boolean grantsAnyPrivileges(CreateApiKeyRequest createApiKeyRequest) {
        return createApiKeyRequest.getRoleDescriptors() == null || createApiKeyRequest.getRoleDescriptors().isEmpty() || false == createApiKeyRequest.getRoleDescriptors().stream().allMatch((v0) -> {
            return v0.isEmpty();
        });
    }

    protected /* bridge */ /* synthetic */ void doExecute(Task task, ActionRequest actionRequest, ActionListener actionListener) {
        doExecute(task, (CreateApiKeyRequest) actionRequest, (ActionListener<CreateApiKeyResponse>) actionListener);
    }
}
