package org.elasticsearch.xpack.security.action.user;

import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authc.Subject;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.store.NativePrivilegeStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/user/TransportHasPrivilegesAction.class */
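/**
 * Transport handler for the {@code cluster:admin/xpack/security/user/has_privileges} action.
 *
 * <p>Answers whether the calling user holds the cluster, index and application privileges
 * listed in a {@link HasPrivilegesRequest}. The check is restricted to the caller's own
 * account: a request naming any other user is failed before any privilege is evaluated.
 *
 * <p>This listing was recovered from bytecode. Compiler-generated members (the synthetic
 * {@code $assertionsDisabled} flag with its static initializer, and the erased bridge overload
 * of {@code doExecute}) are expressed here as the source constructs that produce them, and the
 * generic type arguments the decompiler dropped are restored.
 */
public class TransportHasPrivilegesAction extends HandledTransportAction<HasPrivilegesRequest, HasPrivilegesResponse> {
    private final AuthorizationService authorizationService;
    private final NativePrivilegeStore privilegeStore;
    private final SecurityContext securityContext;

    /**
     * Registers the handler under its action name and stores the collaborators used per request.
     *
     * @param transportService transport service the action is registered with
     * @param actionFilters action filters passed to the base class
     * @param authorizationService performs the actual privilege evaluation
     * @param nativePrivilegeStore source of application privilege descriptors
     * @param securityContext supplies the authentication of the current request
     */
    @Inject
    public TransportHasPrivilegesAction(TransportService transportService, ActionFilters actionFilters, AuthorizationService authorizationService, NativePrivilegeStore nativePrivilegeStore, SecurityContext securityContext) {
        super("cluster:admin/xpack/security/user/has_privileges", transportService, actionFilters, HasPrivilegesRequest::new);
        this.authorizationService = authorizationService;
        this.privilegeStore = nativePrivilegeStore;
        this.securityContext = securityContext;
    }

    /**
     * Validates the request and runs the privilege check for the calling user.
     *
     * <p>Two request shapes are refused through {@code actionListener.onFailure} with an
     * {@link IllegalArgumentException}: a username that differs from the principal of the
     * effective subject, and any index privilege entry that carries a query. Otherwise the
     * application privilege descriptors are resolved first and then handed, together with the
     * requested privileges, to {@link AuthorizationService#checkPrivileges}.
     *
     * @param task the task this execution belongs to (not read here)
     * @param hasPrivilegesRequest the privileges to check and the user they are checked for
     * @param actionListener receives the {@link HasPrivilegesResponse} or the failure
     */
    @Override
    protected void doExecute(Task task, HasPrivilegesRequest hasPrivilegesRequest, ActionListener<HasPrivilegesResponse> actionListener) {
        final String username = hasPrivilegesRequest.username();
        // NOTE(review): getAuthentication() is dereferenced without a null check; this relies on
        // the request always arriving with an authentication in the context - confirm.
        final Subject effectiveSubject = this.securityContext.getAuthentication().getEffectiveSubject();

        // Self-only rule: the comparison is an exact, case-sensitive String.equals between the
        // effective subject's principal and the requested username. Everything below evaluates
        // effectiveSubject, never the username taken from the request.
        if (!effectiveSubject.getUser().principal().equals(username)) {
            actionListener.onFailure(new IllegalArgumentException("users may only check the privileges of their own account"));
            return;
        }

        // An index privilege entry with a query is refused outright instead of being checked
        // with the query dropped, so a caller never receives an answer for a narrower question
        // than the one that was actually evaluated.
        final RoleDescriptor.IndicesPrivileges[] indexPrivileges = hasPrivilegesRequest.indexPrivileges();
        if (indexPrivileges != null) {
            for (RoleDescriptor.IndicesPrivileges indicesPrivileges : indexPrivileges) {
                if (indicesPrivileges.getQuery() != null) {
                    actionListener.onFailure(new IllegalArgumentException("users may only check the index privileges without any DLS role query"));
                    return;
                }
            }
        }

        final CheckedConsumer<Collection<ApplicationPrivilegeDescriptor>, Exception> runCheck = applicationPrivilegeDescriptors ->
            this.authorizationService.checkPrivileges(
                effectiveSubject,
                hasPrivilegesRequest.getPrivilegesToCheck(),
                applicationPrivilegeDescriptors,
                actionListener.map(privilegesCheckResult -> {
                    final AuthorizationEngine.PrivilegesCheckResult.Details details = privilegesCheckResult.getDetails();
                    assert details != null : "runDetailedCheck is 'true' but the result has no details";
                    // With assertions disabled a missing details object degrades to empty
                    // per-privilege breakdowns; allChecksSuccess() is still reported as returned.
                    return new HasPrivilegesResponse(
                        hasPrivilegesRequest.username(),
                        privilegesCheckResult.allChecksSuccess(),
                        details != null ? details.cluster() : Map.of(),
                        details != null ? details.index().values() : List.of(),
                        details != null ? details.application() : Map.of()
                    );
                })
            );

        // The bound method reference null-checks actionListener when it is created, which is
        // what the explicit Objects.requireNonNull in the decompiled output represented.
        resolveApplicationPrivileges(hasPrivilegesRequest, ActionListener.wrap(runCheck, actionListener::onFailure));
    }

    /**
     * Loads the privilege descriptors of every application named in the request.
     *
     * @param hasPrivilegesRequest request whose application names are looked up
     * @param actionListener receives the resolved descriptors or the lookup failure
     */
    private void resolveApplicationPrivileges(HasPrivilegesRequest hasPrivilegesRequest, ActionListener<Collection<ApplicationPrivilegeDescriptor>> actionListener) {
        // NOTE(review): the null second argument presumably means "no restriction on privilege
        // names" - confirm against NativePrivilegeStore.getPrivileges.
        this.privilegeStore.getPrivileges(getApplicationNames(hasPrivilegesRequest), null, actionListener);
    }

    /**
     * Collects the distinct application names referenced by the request's application privileges.
     *
     * @param hasPrivilegesRequest request to read the application privileges from
     * @return the set of application names, empty when the request lists none
     */
    public static Set<String> getApplicationNames(HasPrivilegesRequest hasPrivilegesRequest) {
        // Assumes applicationPrivileges() is non-null (presumably enforced by request
        // validation - confirm); a null array fails in Arrays.stream.
        return Arrays.stream(hasPrivilegesRequest.applicationPrivileges())
            .map(applicationPrivilege -> applicationPrivilege.getApplication())
            .collect(Collectors.toSet());
    }
}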
