package org.elasticsearch.xpack.security.support;

import java.io.IOException;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.lucene.search.Query;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.SearchExecutionContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.security.action.apikey.TransportQueryApiKeyAction;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.ApiKeyService;

/* loaded from: input_file:org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.class */
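/**
 * Bool query used to search API key documents.
 *
 * <p>{@link #build} wraps the caller-supplied query with filters that pin the search to
 * {@code doc_type = api_key} and, when an {@link Authentication} is given, to the keys
 * belonging to that authentication. {@link #doToQuery} and {@link #doRewrite} additionally
 * install a field-name allowlist on the search context, so the query is only permitted to
 * reference the fields accepted by {@link #isIndexFieldNameAllowed}.
 *
 * <p>Both mechanisms are access-control boundaries: a change to the filters or to the
 * allowlist changes which API key documents and fields a requester can reach.
 */
public class ApiKeyBoolQueryBuilder extends BoolQueryBuilder {

    // Exact index field names a query may reference. Sub-fields of "metadata_flattened" are
    // accepted separately by prefix in isIndexFieldNameAllowed.
    // NOTE(review): LoggingAuditTrail.LOG_TYPE is an audit-logging constant; its use here looks
    // like a decompiler constant-matching artifact. Confirm the intended field name and prefer
    // a literal, so the allowlist cannot change silently if the audit constant does.
    private static final Set<String> ALLOWED_EXACT_INDEX_FIELD_NAMES = Set.of(
        "_id",
        "doc_type",
        "name",
        LoggingAuditTrail.LOG_TYPE,
        TransportQueryApiKeyAction.API_KEY_TYPE_RUNTIME_MAPPING_FIELD,
        "api_key_invalidated",
        "invalidation_time",
        "creation_time",
        "expiration_time",
        "metadata_flattened",
        "creator.principal",
        "creator.realm"
    );

    // Instances are only created through build(), which always adds the mandatory filters.
    private ApiKeyBoolQueryBuilder() {
    }

    /**
     * Builds the final query for an API key search.
     *
     * @param queryBuilder   the caller's query, or {@code null} for none; its field names are
     *                       translated by {@code ApiKeyFieldNameTranslators} before it is added
     *                       as a {@code must} clause
     * @param consumer       receives the name of every index field this method adds a filter on
     *                       (and is also handed to the field-name translation)
     * @param authentication when non-null, the result is restricted to the API keys owned by
     *                       this authentication; when {@code null}, no ownership filter is added
     *                       and the query matches API keys of any owner
     * @return a bool query carrying the translated query plus the mandatory filters
     */
    public static ApiKeyBoolQueryBuilder build(QueryBuilder queryBuilder, Consumer<String> consumer, @Nullable Authentication authentication) {
        final ApiKeyBoolQueryBuilder finalQuery = new ApiKeyBoolQueryBuilder();
        if (queryBuilder != null) {
            finalQuery.must(ApiKeyFieldNameTranslators.translateQueryBuilderFields(queryBuilder, consumer));
        }

        // Always applied: only documents of type "api_key" may match.
        finalQuery.filter(QueryBuilders.termQuery("doc_type", "api_key"));
        consumer.accept("doc_type");

        if (authentication == null) {
            // No ownership restriction is added on this path.
            // NOTE(review): callers presumably pass null only after checking that the requester
            // may see every API key -- confirm at each call site.
            return finalQuery;
        }

        if (authentication.isApiKey()) {
            // A request authenticated with an API key may only see that one key.
            final String apiKeyId = (String) authentication.getAuthenticatingSubject().getMetadata().get("_security_api_key_id");
            // NOTE(review): this is the only check on the id here and it is inactive unless the
            // JVM runs with assertions enabled; confirm the metadata entry is guaranteed upstream.
            assert apiKeyId != null : "api key id must be present in the metadata";
            finalQuery.filter(QueryBuilders.idsQuery().addIds(new String[] { apiKeyId }));
        } else {
            // Any other authentication sees the keys created by the same principal in the
            // realms that ApiKeyService reports as the owner's realms.
            finalQuery.filter(QueryBuilders.termQuery("creator.principal", authentication.getEffectiveSubject().getUser().principal()));
            consumer.accept("creator.principal");
            final QueryBuilder realmsFilter = ApiKeyService.filterForRealmNames(ApiKeyService.getOwnersRealmNames(authentication));
            consumer.accept("creator.realm");
            // NOTE(review): assertion-only check; confirm filter(null) is rejected rather than
            // silently dropping the realm restriction when assertions are disabled.
            assert realmsFilter != null;
            finalQuery.filter(realmsFilter);
        }
        return finalQuery;
    }

    /**
     * Installs the field allowlist on the search context, then delegates to the parent.
     *
     * @param searchExecutionContext the context the query is converted against
     * @return the Lucene query produced by the parent implementation
     * @throws IOException if the parent implementation throws it
     */
    protected Query doToQuery(SearchExecutionContext searchExecutionContext) throws IOException {
        searchExecutionContext.setAllowedFields(ApiKeyBoolQueryBuilder::isIndexFieldNameAllowed);
        return super.doToQuery(searchExecutionContext);
    }

    /**
     * Installs the field allowlist when the rewrite runs against a {@link SearchExecutionContext},
     * then delegates to the parent. Other context types are passed through without an allowlist.
     *
     * @param queryRewriteContext the rewrite context
     * @return the rewritten query produced by the parent implementation
     * @throws IOException if the parent implementation throws it
     */
    protected QueryBuilder doRewrite(QueryRewriteContext queryRewriteContext) throws IOException {
        if (queryRewriteContext instanceof SearchExecutionContext) {
            ((SearchExecutionContext) queryRewriteContext).setAllowedFields(ApiKeyBoolQueryBuilder::isIndexFieldNameAllowed);
        }
        return super.doRewrite(queryRewriteContext);
    }

    /**
     * Decides whether a query may reference the given index field.
     *
     * @param str the index-level field name
     * @return {@code true} for the exact names in the allowlist and for any name starting with
     *         {@code "metadata_flattened."}; {@code false} otherwise
     */
    static boolean isIndexFieldNameAllowed(String str) {
        return ALLOWED_EXACT_INDEX_FIELD_NAMES.contains(str) || str.startsWith("metadata_flattened.");
    }
}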
