package org.elasticsearch.xpack.security.action.apikey;

import java.util.Objects;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyResponse;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.security.authc.ApiKeyService;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/apikey/TransportInvalidateApiKeyAction.class */
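/**
 * Transport handler for the {@code cluster:admin/xpack/security/api_key/invalidate} action.
 *
 * <p>For each request the handler derives the owner filter (username and realm names) from the
 * request and the current authentication, asks the has-privileges action whether the caller holds
 * the {@code MANAGE_SECURITY} cluster privilege, and forwards that answer together with the
 * filters to {@code ApiKeyService.invalidateApiKeys}.
 *
 * <p>NOTE(review): this class never rejects a request because of the privilege check; it only
 * passes the boolean result on. Whether a caller may invalidate keys owned by someone else is
 * presumably decided before this handler runs and/or inside {@code ApiKeyService} — confirm there.
 */
public final class TransportInvalidateApiKeyAction extends HandledTransportAction<InvalidateApiKeyRequest, InvalidateApiKeyResponse> {
    private final ApiKeyService apiKeyService;
    private final SecurityContext securityContext;
    private final Client client;

    /**
     * Registers the action under its transport name on the direct executor.
     *
     * @param transportService transport layer the action is registered with
     * @param actionFilters filters handed to the base transport action
     * @param apiKeyService service that performs the invalidation
     * @param securityContext source of the current authentication and user
     * @param client client used to run the has-privileges check
     */
    @Inject
    public TransportInvalidateApiKeyAction(TransportService transportService, ActionFilters actionFilters, ApiKeyService apiKeyService, SecurityContext securityContext, Client client) {
        super("cluster:admin/xpack/security/api_key/invalidate", transportService, actionFilters, InvalidateApiKeyRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
        this.apiKeyService = apiKeyService;
        this.securityContext = securityContext;
        this.client = client;
    }

    /**
     * Resolves the invalidation filters and runs the invalidation once the privilege check has
     * answered.
     *
     * @param task the task this execution belongs to (not read here)
     * @param invalidateApiKeyRequest ids, name and owner filters of the keys to invalidate
     * @param actionListener receives the invalidation result, or the failure of any step
     */
    @Override
    protected void doExecute(Task task, InvalidateApiKeyRequest invalidateApiKeyRequest, ActionListener<InvalidateApiKeyResponse> actionListener) {
        final Authentication authentication = this.securityContext.getAuthentication();
        if (authentication == null) {
            // Fail closed: without an authentication there is no owner to scope the request to.
            actionListener.onFailure(new IllegalStateException("authentication is required"));
            return;
        }
        final String[] ids = invalidateApiKeyRequest.getIds();
        final String name = invalidateApiKeyRequest.getName();
        final String username = getUsername(authentication, invalidateApiKeyRequest);
        final String[] realms = getRealms(authentication, invalidateApiKeyRequest);
        // The outcome of the privilege check is forwarded as a flag; its meaning is defined by
        // ApiKeyService.invalidateApiKeys, which is not visible in this file.
        checkHasManageSecurityPrivilege(
            ActionListener.wrap(
                hasPrivilegesResponse -> this.apiKeyService.invalidateApiKeys(
                    realms,
                    username,
                    name,
                    ids,
                    hasPrivilegesResponse.isCompleteMatch(),
                    actionListener
                ),
                actionListener::onFailure
            )
        );
    }

    /**
     * Picks the username filter for the invalidation.
     *
     * <p>When the request is not limited to the caller's own keys, the username comes straight
     * from the request. Otherwise it is the principal of the authentication's effective subject.
     *
     * @param authentication the current authentication
     * @param invalidateApiKeyRequest the incoming request
     * @return the username to filter on
     */
    private String getUsername(Authentication authentication, InvalidateApiKeyRequest invalidateApiKeyRequest) {
        if (!invalidateApiKeyRequest.ownedByAuthenticatedUser()) {
            return invalidateApiKeyRequest.getUserName();
        }
        // Assertions are normally disabled in production, so this only documents the invariant.
        // An owner-scoped request carrying a username must be rejected by request validation —
        // presumably in InvalidateApiKeyRequest; confirm.
        assert invalidateApiKeyRequest.getUserName() == null;
        return authentication.getEffectiveSubject().getUser().principal();
    }

    /**
     * Picks the realm filter for the invalidation.
     *
     * <p>When the request is not limited to the caller's own keys, the result is the single realm
     * named in the request, or {@code null} when the request names none. Otherwise the realms come
     * from {@code ApiKeyService.getOwnersRealmNames} for the current authentication.
     *
     * @param authentication the current authentication
     * @param invalidateApiKeyRequest the incoming request
     * @return the realm names to filter on, or {@code null}
     */
    private String[] getRealms(Authentication authentication, InvalidateApiKeyRequest invalidateApiKeyRequest) {
        if (!invalidateApiKeyRequest.ownedByAuthenticatedUser()) {
            if (Strings.hasText(invalidateApiKeyRequest.getRealmName())) {
                return new String[] { invalidateApiKeyRequest.getRealmName() };
            }
            // NOTE(review): null presumably means "no realm restriction" downstream — confirm in
            // ApiKeyService before relying on it.
            return null;
        }
        // Same caveat as in getUsername: not enforced when assertions are off.
        assert invalidateApiKeyRequest.getRealmName() == null;
        return ApiKeyService.getOwnersRealmNames(authentication);
    }

    /**
     * Asks the has-privileges action whether the current user holds the {@code MANAGE_SECURITY}
     * cluster privilege, with no index or application privileges in the query.
     *
     * @param actionListener receives the has-privileges response, or the failure of the check
     */
    private void checkHasManageSecurityPrivilege(ActionListener<HasPrivilegesResponse> actionListener) {
        final HasPrivilegesRequest hasPrivilegesRequest = new HasPrivilegesRequest();
        hasPrivilegesRequest.username(this.securityContext.getUser().principal());
        hasPrivilegesRequest.clusterPrivileges(new String[] { ClusterPrivilegeResolver.MANAGE_SECURITY.name() });
        hasPrivilegesRequest.indexPrivileges(new RoleDescriptor.IndicesPrivileges[0]);
        hasPrivilegesRequest.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[0]);
        // Relay both outcomes unchanged; a failed check reaches the caller as a failure and is
        // never turned into a response here.
        this.client.execute(
            HasPrivilegesAction.INSTANCE,
            hasPrivilegesRequest,
            ActionListener.wrap(actionListener::onResponse, actionListener::onFailure)
        );
    }
}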
