package org.elasticsearch.xpack.security.authz.store;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Strings;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.common.IteratingActionListener;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
import org.elasticsearch.xpack.core.security.authz.store.RoleReferenceResolver;
import org.elasticsearch.xpack.core.security.authz.store.RoleRetrievalResult;
import org.elasticsearch.xpack.core.security.authz.store.RolesRetrievalResult;
import org.elasticsearch.xpack.security.authc.ApiKeyService;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/store/RoleDescriptorStore.class */
public class RoleDescriptorStore implements RoleReferenceResolver {
    private static final Logger logger = LogManager.getLogger(RoleDescriptorStore.class);
    private final DeprecationLogger deprecationLogger = DeprecationLogger.getLogger(RoleDescriptorStore.class);
    private final RoleProviders roleProviders;
    private final ApiKeyService apiKeyService;
    private final ServiceAccountService serviceAccountService;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final Consumer<Collection<RoleDescriptor>> effectiveRoleDescriptorsConsumer;
    private final Cache<String, Boolean> negativeLookupCache;

    public RoleDescriptorStore(RoleProviders roleProviders, ApiKeyService apiKeyService, ServiceAccountService serviceAccountService, Cache<String, Boolean> cache, XPackLicenseState xPackLicenseState, ThreadContext threadContext, Consumer<Collection<RoleDescriptor>> consumer) {
        this.roleProviders = roleProviders;
        this.apiKeyService = (ApiKeyService) Objects.requireNonNull(apiKeyService);
        this.serviceAccountService = (ServiceAccountService) Objects.requireNonNull(serviceAccountService);
        this.licenseState = (XPackLicenseState) Objects.requireNonNull(xPackLicenseState);
        this.threadContext = threadContext;
        this.effectiveRoleDescriptorsConsumer = (Consumer) Objects.requireNonNull(consumer);
        this.negativeLookupCache = cache;
    }

    public void resolveNamedRoleReference(RoleReference.NamedRoleReference namedRoleReference, ActionListener<RolesRetrievalResult> actionListener) {
        Set<String> copyOf = Set.copyOf(new HashSet(List.of((Object[]) namedRoleReference.getRoleNames())));
        if (copyOf.isEmpty()) {
            actionListener.onResponse(RolesRetrievalResult.EMPTY);
        } else if (copyOf.equals(Set.of(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR.getName()))) {
            actionListener.onResponse(RolesRetrievalResult.SUPERUSER);
        } else {
            resolveRoleNames(copyOf, actionListener);
        }
    }

    public void resolveApiKeyRoleReference(RoleReference.ApiKeyRoleReference apiKeyRoleReference, ActionListener<RolesRetrievalResult> actionListener) {
        List<RoleDescriptor> parseRoleDescriptorsBytes = this.apiKeyService.parseRoleDescriptorsBytes(apiKeyRoleReference.getApiKeyId(), apiKeyRoleReference.getRoleDescriptorsBytes(), apiKeyRoleReference.getRoleType());
        RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
        rolesRetrievalResult.addDescriptors(Set.copyOf(parseRoleDescriptorsBytes));
        actionListener.onResponse(rolesRetrievalResult);
    }

    public void resolveBwcApiKeyRoleReference(RoleReference.BwcApiKeyRoleReference bwcApiKeyRoleReference, ActionListener<RolesRetrievalResult> actionListener) {
        List<RoleDescriptor> parseRoleDescriptors = this.apiKeyService.parseRoleDescriptors(bwcApiKeyRoleReference.getApiKeyId(), bwcApiKeyRoleReference.getRoleDescriptorsMap(), bwcApiKeyRoleReference.getRoleType());
        RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
        rolesRetrievalResult.addDescriptors(Set.copyOf(parseRoleDescriptors));
        actionListener.onResponse(rolesRetrievalResult);
    }

    public void resolveServiceAccountRoleReference(RoleReference.ServiceAccountRoleReference serviceAccountRoleReference, ActionListener<RolesRetrievalResult> actionListener) {
        this.serviceAccountService.getRoleDescriptorForPrincipal(serviceAccountRoleReference.getPrincipal(), actionListener.map(roleDescriptor -> {
            RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
            rolesRetrievalResult.addDescriptors(Set.of(roleDescriptor));
            return rolesRetrievalResult;
        }));
    }

    private void resolveRoleNames(Set<String> set, ActionListener<RolesRetrievalResult> actionListener) {
        CheckedConsumer checkedConsumer = rolesRetrievalResult -> {
            logDeprecatedRoles(rolesRetrievalResult.getRoleDescriptors());
            if (!rolesRetrievalResult.getMissingRoles().isEmpty()) {
                logger.debug(() -> {
                    return Strings.format("Could not find roles with names %s", new Object[]{rolesRetrievalResult.getMissingRoles()});
                });
            }
            Set<RoleDescriptor> maybeSkipRolesUsingDocumentOrFieldLevelSecurity = maybeSkipRolesUsingDocumentOrFieldLevelSecurity(rolesRetrievalResult.getRoleDescriptors());
            logger.trace(() -> {
                return Strings.format("Exposing effective role descriptors [%s] for role names [%s]", new Object[]{maybeSkipRolesUsingDocumentOrFieldLevelSecurity, set});
            });
            this.effectiveRoleDescriptorsConsumer.accept(Collections.unmodifiableCollection(maybeSkipRolesUsingDocumentOrFieldLevelSecurity));
            RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
            rolesRetrievalResult.addDescriptors(maybeSkipRolesUsingDocumentOrFieldLevelSecurity);
            rolesRetrievalResult.setMissingRoles(rolesRetrievalResult.getMissingRoles());
            if (false == rolesRetrievalResult.isSuccess()) {
                rolesRetrievalResult.setFailure();
            }
            actionListener.onResponse(rolesRetrievalResult);
        };
        Objects.requireNonNull(actionListener);
        roleDescriptors(set, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private Set<RoleDescriptor> maybeSkipRolesUsingDocumentOrFieldLevelSecurity(Set<RoleDescriptor> set) {
        if (!shouldSkipRolesUsingDocumentOrFieldLevelSecurity(set)) {
            return set;
        }
        Map map = (Map) set.stream().collect(Collectors.partitioningBy((v0) -> {
            return v0.isUsingDocumentOrFieldLevelSecurity();
        }, Collectors.toSet()));
        logger.warn("User roles [{}] are disabled because they require field or document level security. The current license is non-compliant for [field and document level security].", ((Set) map.get(true)).stream().map((v0) -> {
            return v0.getName();
        }).collect(Collectors.joining(",")));
        return (Set) map.get(false);
    }

    private boolean shouldSkipRolesUsingDocumentOrFieldLevelSecurity(Set<RoleDescriptor> set) {
        return set.stream().anyMatch((v0) -> {
            return v0.isUsingDocumentOrFieldLevelSecurity();
        }) && !SecurityField.DOCUMENT_LEVEL_SECURITY_FEATURE.checkWithoutTracking(this.licenseState);
    }

    private void roleDescriptors(Set<String> set, ActionListener<RolesRetrievalResult> actionListener) {
        loadRoleDescriptorsAsync((Set) set.stream().filter(str -> {
            if (this.negativeLookupCache.get(str) == null) {
                return true;
            }
            logger.debug(() -> {
                return "Requested role [" + str + "] does not exist (cached)";
            });
            return false;
        }).collect(Collectors.toSet()), actionListener);
    }

    void logDeprecatedRoles(Set<RoleDescriptor> set) {
        set.stream().filter(roleDescriptor -> {
            return Boolean.TRUE.equals(roleDescriptor.getMetadata().get("_deprecated"));
        }).forEach(roleDescriptor2 -> {
            this.deprecationLogger.critical(DeprecationCategory.SECURITY, "deprecated_role-" + roleDescriptor2.getName(), "The role [" + roleDescriptor2.getName() + "] is deprecated and will be removed in a future version of Elasticsearch. " + Objects.toString(roleDescriptor2.getMetadata().get("_deprecated_reason"), "Please check the documentation"), new Object[0]);
        });
    }

    private void loadRoleDescriptorsAsync(Set<String> set, ActionListener<RolesRetrievalResult> actionListener) {
        RolesRetrievalResult rolesRetrievalResult = new RolesRetrievalResult();
        List<BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>>> providers = this.roleProviders.getProviders();
        CheckedConsumer checkedConsumer = roleRetrievalResult -> {
            rolesRetrievalResult.setMissingRoles(set);
            actionListener.onResponse(rolesRetrievalResult);
        };
        Objects.requireNonNull(actionListener);
        new IteratingActionListener(ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(checkedConsumer, actionListener::onFailure), this.threadContext), (biConsumer, actionListener2) -> {
            CheckedConsumer checkedConsumer2 = roleRetrievalResult2 -> {
                if (roleRetrievalResult2.isSuccess()) {
                    logger.debug(() -> {
                        return Strings.format("Roles [%s] were resolved by [%s]", new Object[]{roleRetrievalResult2.getDescriptors().stream().map((v0) -> {
                            return v0.getName();
                        }).collect(Collectors.joining(",")), biConsumer});
                    });
                    Set descriptors = roleRetrievalResult2.getDescriptors();
                    rolesRetrievalResult.addDescriptors(descriptors);
                    Iterator it = descriptors.iterator();
                    while (it.hasNext()) {
                        set.remove(((RoleDescriptor) it.next()).getName());
                    }
                } else {
                    logger.warn(new ParameterizedMessage("role [{}] retrieval failed from [{}]", set, biConsumer), roleRetrievalResult2.getFailure());
                    rolesRetrievalResult.setFailure();
                }
                actionListener2.onResponse(roleRetrievalResult2);
            };
            Objects.requireNonNull(actionListener2);
            biConsumer.accept(set, ActionListener.wrap(checkedConsumer2, actionListener2::onFailure));
        }, providers, this.threadContext, Function.identity(), roleRetrievalResult2 -> {
            return !set.isEmpty();
        }).run();
    }
}
