package org.elasticsearch.xpack.security.support;

import java.io.IOException;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import org.apache.lucene.search.Query;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.IdsQueryBuilder;
import org.elasticsearch.index.query.MatchAllQueryBuilder;
import org.elasticsearch.index.query.PrefixQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.query.QueryRewriteContext;
import org.elasticsearch.index.query.RangeQueryBuilder;
import org.elasticsearch.index.query.SearchExecutionContext;
import org.elasticsearch.index.query.TermQueryBuilder;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.index.query.WildcardQueryBuilder;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.ApiKeyService;

/* loaded from: input_file:org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.class */
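/**
 * A bool query used for searching API key documents.
 *
 * <p>The caller-supplied query is never used as-is: {@link #build} rebuilds it from an allow-list
 * of query types, passes every field name through {@code ApiKeyFieldNameTranslators.translate},
 * and then adds filter clauses that pin the search to API key documents and, when an
 * {@link Authentication} is given, to the keys owned by that identity. At rewrite and query time
 * the execution context is additionally given {@link #isIndexFieldNameAllowed} as its
 * allowed-fields predicate.
 */
public class ApiKeyBoolQueryBuilder extends BoolQueryBuilder {
    // Index-level field names that may be referenced verbatim; see isIndexFieldNameAllowed for the
    // two prefix-based additions.
    private static final Set<String> ALLOWED_EXACT_INDEX_FIELD_NAMES = Set.of(
        "_id",
        "doc_type",
        "name",
        "api_key_invalidated",
        "creation_time",
        "expiration_time"
    );

    // Instances are only created through build(), so the scoping filters cannot be skipped.
    private ApiKeyBoolQueryBuilder() {
    }

    /**
     * Builds the scoped query for an API key search.
     *
     * <p>The result always carries a {@code doc_type = api_key} filter. If {@code authentication}
     * is non-null an ownership filter is added as well: the key's own id when the caller
     * authenticated with an API key, otherwise the caller's principal plus the realm filter
     * produced by {@code ApiKeyService}. With a {@code null} authentication no ownership filter
     * is added, so callers should pass {@code null} only when the requester may see every key.
     *
     * @param queryBuilder the caller-supplied query, or {@code null} for no additional restriction
     * @param authentication the identity whose keys are searched, or {@code null} for no ownership filter
     * @return the rebuilt and scoped query
     * @throws IllegalArgumentException if the supplied query uses an unsupported query type or option
     * @throws IllegalStateException if an ownership filter is required but cannot be built
     */
    public static ApiKeyBoolQueryBuilder build(QueryBuilder queryBuilder, @Nullable Authentication authentication) {
        final ApiKeyBoolQueryBuilder finalQuery = new ApiKeyBoolQueryBuilder();
        if (queryBuilder != null) {
            finalQuery.must(doProcess(queryBuilder));
        }
        finalQuery.filter(QueryBuilders.termQuery("doc_type", "api_key"));

        if (authentication == null) {
            return finalQuery;
        }

        if (authentication.isApiKey()) {
            final String apiKeyId = (String) authentication.getMetadata().get("_security_api_key_id");
            assert apiKeyId != null : "api key id must be present in the metadata";
            // Assertions are normally disabled outside tests. The ownership filter is a security
            // boundary, so fail closed here instead of handing a null id to the ids query.
            if (apiKeyId == null) {
                throw new IllegalStateException("api key id must be present in the metadata");
            }
            finalQuery.filter(QueryBuilders.idsQuery().addIds(apiKeyId));
        } else {
            finalQuery.filter(QueryBuilders.termQuery("creator.principal", authentication.getUser().principal()));
            final QueryBuilder realmsFilter = ApiKeyService.filterForRealmNames(ApiKeyService.getOwnersRealmNames(authentication));
            assert realmsFilter != null;
            // Same reasoning as above: do not rely on how filter() treats a null clause; a search
            // scoped by principal only would not distinguish equal user names in different realms.
            if (realmsFilter == null) {
                throw new IllegalStateException("realm filter must be present for the API key owner");
            }
            finalQuery.filter(realmsFilter);
        }
        return finalQuery;
    }

    /**
     * Rebuilds a caller-supplied query from the supported query types only.
     *
     * <p>Bool queries are rebuilt clause by clause; match_all and ids queries are returned
     * unchanged; term, terms, prefix, wildcard and range queries are recreated with the field
     * name translated and only the options copied below. Every other query type is rejected.
     *
     * @param queryBuilder the query (or nested clause) to rebuild, never {@code null}
     * @return the rebuilt query
     * @throws IllegalArgumentException for an unsupported query type, a terms query with a terms
     *         lookup, or a range query with a relation
     */
    private static QueryBuilder doProcess(QueryBuilder queryBuilder) {
        if (queryBuilder instanceof BoolQueryBuilder) {
            final BoolQueryBuilder original = (BoolQueryBuilder) queryBuilder;
            final BoolQueryBuilder rebuilt = QueryBuilders.boolQuery()
                .minimumShouldMatch(original.minimumShouldMatch())
                .adjustPureNegative(original.adjustPureNegative());
            // Every nested clause goes through the same allow-list, so an unsupported query
            // cannot be smuggled in below a bool query.
            for (QueryBuilder clause : original.must()) {
                rebuilt.must(doProcess(clause));
            }
            for (QueryBuilder clause : original.should()) {
                rebuilt.should(doProcess(clause));
            }
            for (QueryBuilder clause : original.mustNot()) {
                rebuilt.mustNot(doProcess(clause));
            }
            for (QueryBuilder clause : original.filter()) {
                rebuilt.filter(doProcess(clause));
            }
            return rebuilt;
        }

        // These two carry no caller-chosen field name, so they are passed through as they are.
        if (queryBuilder instanceof MatchAllQueryBuilder || queryBuilder instanceof IdsQueryBuilder) {
            return queryBuilder;
        }

        if (queryBuilder instanceof TermQueryBuilder) {
            final TermQueryBuilder term = (TermQueryBuilder) queryBuilder;
            return QueryBuilders.termQuery(ApiKeyFieldNameTranslators.translate(term.fieldName()), term.value())
                .caseInsensitive(term.caseInsensitive());
        }

        if (queryBuilder instanceof TermsQueryBuilder) {
            final TermsQueryBuilder terms = (TermsQueryBuilder) queryBuilder;
            // Only literal term values are accepted; a lookup would take the terms from elsewhere.
            if (terms.termsLookup() != null) {
                throw new IllegalArgumentException("terms query with terms lookup is not supported for API Key query");
            }
            return QueryBuilders.termsQuery(ApiKeyFieldNameTranslators.translate(terms.fieldName()), terms.getValues());
        }

        if (queryBuilder instanceof PrefixQueryBuilder) {
            final PrefixQueryBuilder prefix = (PrefixQueryBuilder) queryBuilder;
            return QueryBuilders.prefixQuery(ApiKeyFieldNameTranslators.translate(prefix.fieldName()), prefix.value())
                .caseInsensitive(prefix.caseInsensitive());
        }

        if (queryBuilder instanceof WildcardQueryBuilder) {
            final WildcardQueryBuilder wildcard = (WildcardQueryBuilder) queryBuilder;
            return QueryBuilders.wildcardQuery(ApiKeyFieldNameTranslators.translate(wildcard.fieldName()), wildcard.value())
                .caseInsensitive(wildcard.caseInsensitive())
                .rewrite(wildcard.rewrite());
        }

        if (queryBuilder instanceof RangeQueryBuilder) {
            final RangeQueryBuilder range = (RangeQueryBuilder) queryBuilder;
            // The field name is translated before the relation check, as in the original order.
            final String translatedFieldName = ApiKeyFieldNameTranslators.translate(range.fieldName());
            if (range.relation() != null) {
                throw new IllegalArgumentException("range query with relation is not supported for API Key query");
            }
            final RangeQueryBuilder rebuilt = QueryBuilders.rangeQuery(translatedFieldName);
            if (range.format() != null) {
                rebuilt.format(range.format());
            }
            if (range.timeZone() != null) {
                rebuilt.timeZone(range.timeZone());
            }
            if (range.from() != null) {
                rebuilt.from(range.from()).includeLower(range.includeLower());
            }
            if (range.to() != null) {
                rebuilt.to(range.to()).includeUpper(range.includeUpper());
            }
            return rebuilt.boost(range.boost());
        }

        // Default deny: anything not listed above is refused rather than passed through.
        throw new IllegalArgumentException("Query type [" + queryBuilder.getName() + "] is not supported for API Key query");
    }

    /**
     * Installs the field allow-list on the execution context, then delegates to the superclass.
     *
     * @param searchExecutionContext the context the query is built against
     * @return the Lucene query produced by the superclass
     * @throws IOException if the superclass implementation fails
     */
    protected Query doToQuery(SearchExecutionContext searchExecutionContext) throws IOException {
        searchExecutionContext.setAllowedFields(ApiKeyBoolQueryBuilder::isIndexFieldNameAllowed);
        return super.doToQuery(searchExecutionContext);
    }

    /**
     * Installs the field allow-list when the rewrite context is a {@link SearchExecutionContext},
     * then delegates to the superclass. Other context types are left untouched.
     *
     * @param queryRewriteContext the context the query is rewritten against
     * @return the rewritten query produced by the superclass
     * @throws IOException if the superclass implementation fails
     */
    protected QueryBuilder doRewrite(QueryRewriteContext queryRewriteContext) throws IOException {
        if (queryRewriteContext instanceof SearchExecutionContext) {
            ((SearchExecutionContext) queryRewriteContext).setAllowedFields(ApiKeyBoolQueryBuilder::isIndexFieldNameAllowed);
        }
        return super.doRewrite(queryRewriteContext);
    }

    /**
     * Tells whether an index-level field name may be used by an API key query.
     *
     * <p>A name is allowed when it is one of the exact names in the allow-list or starts with
     * {@code metadata_flattened.} or {@code creator.}. Widening either the set or the prefixes
     * widens what a search can reach in the API key documents, so changes here deserve a
     * security review.
     *
     * @param str the index-level field name, must not be {@code null}
     * @return {@code true} if the field may be queried
     */
    static boolean isIndexFieldNameAllowed(String str) {
        return ALLOWED_EXACT_INDEX_FIELD_NAMES.contains(str) || str.startsWith("metadata_flattened.") || str.startsWith("creator.");
    }
}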
