package org.elasticsearch.xpack.security.authc.support;

import java.util.Iterator;
import java.util.Set;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.support.DLSRoleQueryValidator;
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/ApiKeyUserRoleDescriptorResolver.class */
public class ApiKeyUserRoleDescriptorResolver {
    private final CompositeRolesStore rolesStore;
    private final NamedXContentRegistry xContentRegistry;

    public ApiKeyUserRoleDescriptorResolver(CompositeRolesStore compositeRolesStore, NamedXContentRegistry namedXContentRegistry) {
        this.rolesStore = compositeRolesStore;
        this.xContentRegistry = namedXContentRegistry;
    }

    public void resolveUserRoleDescriptors(Authentication authentication, ActionListener<Set<RoleDescriptor>> actionListener) {
        Subject effectiveSubject = authentication.getEffectiveSubject();
        if (effectiveSubject.getType() == Subject.Type.API_KEY) {
            actionListener.onResponse(Set.of());
        } else {
            this.rolesStore.getRoleDescriptors(effectiveSubject, actionListener.delegateFailureAndWrap(this::handleRoleDescriptors));
        }
    }

    private void handleRoleDescriptors(ActionListener<Set<RoleDescriptor>> actionListener, Set<RoleDescriptor> set) {
        Iterator<RoleDescriptor> it = set.iterator();
        while (it.hasNext()) {
            DLSRoleQueryValidator.validateQueryField(it.next().getIndicesPrivileges(), this.xContentRegistry);
        }
        actionListener.onResponse(set);
    }
}
