package org.elasticsearch.xpack.security.authz;

import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authz.RBACEngine;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.class */
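/**
 * Builds the human-readable text attached to an authorization denial: a refused
 * run-as, a refused local action, or a refused action against a remote cluster.
 *
 * <p>Nothing here makes an authorization decision; the text is assembled purely from the
 * {@link Authentication} and the (optional) {@link AuthorizationEngine.AuthorizationInfo}
 * handed in. The messages intentionally carry diagnostic detail — principal, API key id,
 * effective vs. assigned roles, and the privilege names that would have granted the
 * action — so an operator can see why a request was refused.
 * NOTE(review): that detail is presumably surfaced to the caller in the error response;
 * where the recipient is untrusted, confirm that naming roles and listing the "granting
 * privileges" is acceptable for the deployment. Only the API key <em>id</em> is ever read
 * here, never any key secret.
 *
 * <p>The listing appears to be decompiled (synthetic {@code $assertionsDisabled} field,
 * {@code str}/{@code str2} parameter names); this version restores plain {@code assert}
 * statements and descriptive names without changing any message text. The one behavioural
 * change is in {@link Default#runAsDenied}: the {@code @Nullable} authorization info is now
 * null-checked instead of being dereferenced, so a missing info object degrades to the
 * "assigned roles" wording rather than replacing the denial with a {@code NullPointerException}.
 */
public interface AuthorizationDenialMessages {

    /**
     * Message for an action that the effective subject is not permitted to perform.
     *
     * @param authentication    the successful authentication the request was made under
     * @param authorizationInfo engine info for the effective subject, or null if none is available
     * @param action            the transport action name
     * @param request           the request, consulted when looking up granting cluster privileges
     * @param context           optional extra text appended verbatim after the base message, or null
     */
    String actionDenied(
        Authentication authentication,
        @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo,
        String action,
        TransportRequest request,
        @Nullable String context
    );

    /**
     * Message for a run-as request whose authenticating user may not impersonate the target.
     *
     * @param authentication    a run-as authentication (asserted in the default implementation)
     * @param authorizationInfo engine info; its authenticated-user view is used for the roles text, may be null
     * @param action            the transport action name
     */
    String runAsDenied(Authentication authentication, @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo, String action);

    /**
     * Message for an action against a remote cluster for which no remote privileges apply.
     *
     * @param authentication    the successful authentication the request was made under
     * @param authorizationInfo engine info for the effective subject, or null
     * @param action            the transport action name
     * @param clusterAlias      identifier of the target cluster, rendered as {@code towards remote cluster [alias]}
     */
    String remoteActionDenied(
        Authentication authentication,
        @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo,
        String action,
        String clusterAlias
    );

    /** Default wording. Subclasses may override the two {@code find*PrivilegesThatGrant} hooks. */
    public static class Default implements AuthorizationDenialMessages {

        @Override
        public String runAsDenied(Authentication authentication, @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo, String action) {
            assert authentication.isRunAs() : "constructing run as denied message but authentication for action was not run as";

            // The run-as check is made against the *authenticating* user, so the message
            // describes that subject and its roles rather than the never-reached effective subject.
            String userText = authenticatedUserDescription(authentication);

            // authorizationInfo is @Nullable: fall back to the assigned-roles wording instead of
            // throwing from inside the denial path (which would mask the real authorization failure).
            AuthorizationEngine.AuthorizationInfo authenticatingUserInfo = authorizationInfo == null
                ? null
                : authorizationInfo.getAuthenticatedUserAuthorizationInfo();

            String unauthorizedToRunAs = "because "
                + userText
                + " is unauthorized to run as ["
                + authentication.getEffectiveSubject().getUser().principal()
                + "]";

            return actionIsUnauthorizedMessage(action, userText)
                + rolesDescription(authentication.getAuthenticatingSubject(), authenticatingUserInfo)
                + ", "
                + unauthorizedToRunAs;
        }

        @Override
        public String actionDenied(
            Authentication authentication,
            @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo,
            String action,
            TransportRequest request,
            @Nullable String context
        ) {
            // Cross-cluster access requests are phrased "towards remote cluster" even though no
            // cluster alias is known at this point (hence the null argument).
            String remoteText = authentication.isCrossClusterAccess() ? remoteClusterText(null) : "";
            String message = actionIsUnauthorizedMessage(
                action,
                remoteText,
                successfulAuthenticationDescription(authentication, authorizationInfo)
            );
            if (context != null) {
                message = message + " " + context;
            }

            // Hint at which privilege(s) would have allowed the action. For cluster actions the
            // lookup may depend on the request and the authentication; index actions only on the name.
            if (ClusterPrivilegeResolver.isClusterAction(action)) {
                Collection<String> granting = findClusterPrivilegesThatGrant(authentication, action, request);
                if (granting != null && granting.isEmpty() == false) {
                    message = message
                        + ", this action is granted by the cluster privileges ["
                        + Strings.collectionToCommaDelimitedString(granting)
                        + "]";
                }
            } else if (AuthorizationService.isIndexAction(action)) {
                Collection<String> granting = findIndexPrivilegesThatGrant(action);
                if (granting != null && granting.isEmpty() == false) {
                    message = message
                        + ", this action is granted by the index privileges ["
                        + Strings.collectionToCommaDelimitedString(granting)
                        + "]";
                }
            }
            return message;
        }

        @Override
        public String remoteActionDenied(
            Authentication authentication,
            @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo,
            String action,
            String clusterAlias
        ) {
            String userText = successfulAuthenticationDescription(authentication, authorizationInfo);
            String reason = AuthorizationService.isIndexAction(action)
                ? " because no remote indices privileges apply for the target cluster"
                : " because no remote cluster privileges apply for the target cluster";
            return actionIsUnauthorizedMessage(action, remoteClusterText(clusterAlias), userText) + reason;
        }

        /** Extension hook: cluster privileges that would grant {@code action} for this request. */
        protected Collection<String> findClusterPrivilegesThatGrant(Authentication authentication, String action, TransportRequest request) {
            return ClusterPrivilegeResolver.findPrivilegesThatGrant(action, request, authentication);
        }

        /** Extension hook: index privileges that would grant {@code action}. */
        protected Collection<String> findIndexPrivilegesThatGrant(String action) {
            return IndexPrivilege.findPrivilegesThatGrant(action);
        }

        /**
         * "towards remote cluster [alias] " — or "towards remote cluster " when no alias is known.
         * The trailing space is intentional: the result is spliced directly before "is unauthorized".
         */
        private String remoteClusterText(@Nullable String clusterAlias) {
            String aliasText = clusterAlias == null ? "" : " [" + clusterAlias + "]";
            return Strings.format("towards remote cluster%s ", aliasText);
        }

        /**
         * Describes the authenticating subject: {@code user [name]} or {@code service account [name]},
         * prefixed with {@code API key id [id] of} for API-key / cross-cluster authentication. For
         * cross-cluster access the nested authentication carried in the metadata is described first,
         * followed by "authenticated by" and the API key text.
         */
        private String authenticatedUserDescription(Authentication authentication) {
            String userText = (authentication.isServiceAccount() ? "service account" : NativeUsersStore.USER_DOC_TYPE)
                + " ["
                + authentication.getAuthenticatingSubject().getUser().principal()
                + "]";

            if (authentication.isAuthenticatedAsApiKey() || authentication.isCrossClusterAccess()) {
                // Only the key id is read from the metadata; it identifies the key without revealing it.
                String apiKeyId = (String) authentication.getAuthenticatingSubject().getMetadata().get("_security_api_key_id");
                assert apiKeyId != null : "api key id must be present in the metadata";
                userText = "API key id [" + apiKeyId + "] of " + userText;

                if (authentication.isCrossClusterAccess()) {
                    // NOTE(review): presumably the caller's identity on the originating cluster —
                    // confirm against the cross-cluster access code. It is described with no
                    // authorization info, so its roles text falls back to the "assigned roles" form.
                    Authentication remoteAuthentication = (Authentication) authentication.getAuthenticatingSubject()
                        .getMetadata()
                        .get("_security_cross_cluster_access_authentication");
                    assert remoteAuthentication != null : "cross cluster access authentication must be present in the metadata";
                    userText = successfulAuthenticationDescription(remoteAuthentication, null) + " authenticated by " + userText;
                }
            }
            return userText;
        }

        /**
         * Roles suffix for a subject. Subjects other than {@link Subject.Type#USER} produce no text.
         * With engine info available the <em>effective</em> roles are listed, plus any assigned roles
         * that are absent from the effective set (reported as "were not found"); without it, the
         * roles assigned on the user object are listed instead.
         */
        String rolesDescription(Subject subject, @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo) {
            if (subject.getType() != Subject.Type.USER) {
                return "";
            }

            List<String> effectiveRoles = extractEffectiveRoleNames(authorizationInfo);
            if (effectiveRoles == null) {
                return " with assigned roles [" + Strings.arrayToCommaDelimitedString(subject.getUser().roles()) + "]";
            }

            StringBuilder sb = new StringBuilder(" with effective roles [")
                .append(Strings.collectionToCommaDelimitedString(effectiveRoles))
                .append("]");

            // Assigned roles that did not make it into the effective set are called out explicitly;
            // a denial is frequently explained by exactly that gap.
            SortedSet<String> missing = Sets.sortedDifference(Set.of(subject.getUser().roles()), Set.copyOf(effectiveRoles));
            if (missing.isEmpty() == false) {
                sb.append(" (assigned roles [").append(Strings.collectionToCommaDelimitedString(missing)).append("] were not found)");
            }
            return sb.toString();
        }

        /**
         * Describes a successful authentication: the authenticating subject, {@code run as [target]}
         * when run-as is in use, and the roles of the <em>effective</em> subject.
         */
        String successfulAuthenticationDescription(Authentication authentication, @Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo) {
            String userText = authenticatedUserDescription(authentication);
            if (authentication.isRunAs()) {
                userText = userText + " run as [" + authentication.getEffectiveSubject().getUser().principal() + "]";
            }
            return userText + rolesDescription(authentication.getEffectiveSubject(), authorizationInfo);
        }

        /**
         * Sorted effective role names published by the engine under the audit-trail "principal roles"
         * key, or null when there is no info or the field is not a {@code String[]}. The assertion
         * encodes the expectation that an {@code RBACAuthorizationInfo} always supplies a {@code String[]}.
         */
        private List<String> extractEffectiveRoleNames(@Nullable AuthorizationEngine.AuthorizationInfo authorizationInfo) {
            if (authorizationInfo == null) {
                return null;
            }
            Object roles = authorizationInfo.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME);
            if (roles instanceof String[] roleNames) {
                return Arrays.stream(roleNames).sorted().toList();
            }
            assert authorizationInfo instanceof RBACEngine.RBACAuthorizationInfo == false
                : "unexpected user.roles field [" + roles + "] for RBACAuthorizationInfo";
            return null;
        }

        private String actionIsUnauthorizedMessage(String action, String userText) {
            return actionIsUnauthorizedMessage(action, "", userText);
        }

        /**
         * @param remoteText "" or a {@link #remoteClusterText} result; the latter carries its own
         *                   trailing space, which is why none is added here before "is unauthorized".
         */
        private String actionIsUnauthorizedMessage(String action, String remoteText, String userText) {
            return "action [" + action + "] " + remoteText + "is unauthorized for " + userText;
        }
    }
}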
