package org.elasticsearch.xpack.security.authc.service;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.elasticsearch.common.Strings;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/ElasticServiceAccounts.class */
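/**
 * Registry of the built-in service accounts in the {@code elastic} namespace.
 *
 * <p>Each account pairs a fixed service name with a hard-coded {@link RoleDescriptor}. The
 * literals below are the complete privilege definition visible in this file for each account,
 * so any edit to a cluster privilege, index pattern or {@code allowRestrictedIndices} flag
 * changes what that account's role descriptor grants. How the descriptor is resolved and
 * enforced is outside this file.
 *
 * <p>The class is a holder of constants and cannot be instantiated.
 */
final class ElasticServiceAccounts {
    /** Namespace shared by every account defined in this class. */
    static final String NAMESPACE = "elastic";

    /**
     * {@code elastic/enterprise-search-server}: cluster privileges {@code manage} and
     * {@code manage_security}, plus {@code manage}/{@code read}/{@code write} on the listed
     * index patterns. No application privileges, configurable cluster privileges, run-as or
     * metadata are set (all passed as {@code null}).
     */
    // NOTE(review): `manage_security` is a cluster-level grant; confirm against the privilege
    // definitions that this scope is still what the integration needs.
    // The explicit casts give each null a static type, exactly as in the original expression.
    private static final ServiceAccount ENTERPRISE_SEARCH_ACCOUNT = new ElasticServiceAccount(
        "enterprise-search-server",
        new RoleDescriptor(
            "elastic/enterprise-search-server",
            new String[] {"manage", "manage_security"},
            new RoleDescriptor.IndicesPrivileges[] {
                RoleDescriptor.IndicesPrivileges.builder()
                    .indices(new String[] {
                        "search-*",
                        ".elastic-analytics-collections",
                        ".ent-search-*",
                        ".monitoring-ent-search-*",
                        "metricbeat-ent-search-*",
                        "enterprise-search-*",
                        "logs-app_search.analytics-default",
                        "logs-elastic_analytics.events-*-*",
                        "logs-enterprise_search.api-default",
                        "logs-enterprise_search.audit-default",
                        "logs-app_search.search_relevance_suggestions-default",
                        "logs-crawler-default",
                        "logs-elastic_crawler-default",
                        "logs-workplace_search.analytics-default",
                        "logs-workplace_search.content_events-default",
                        ".elastic-connectors*"
                    })
                    .privileges(new String[] {"manage", "read", "write"})
                    .build()
            },
            (RoleDescriptor.ApplicationResourcePrivileges[]) null,
            (ConfigurableClusterPrivilege[]) null,
            (String[]) null,
            (Map) null,
            (Map) null));

    /**
     * {@code elastic/fleet-server}: cluster privileges {@code monitor} and
     * {@code manage_own_api_key}, four index privilege groups, and the
     * {@code reserved_fleet-setup} application privilege on every resource of applications
     * matching {@code kibana-*}.
     *
     * <p>Only the {@code .fleet-*} group sets {@code allowRestrictedIndices(true)}; the
     * {@code synthetics-*} group sets it to {@code false} explicitly and the other two groups
     * leave the builder default untouched.
     */
    private static final ServiceAccount FLEET_ACCOUNT = new ElasticServiceAccount(
        "fleet-server",
        new RoleDescriptor(
            "elastic/fleet-server",
            new String[] {"monitor", "manage_own_api_key"},
            new RoleDescriptor.IndicesPrivileges[] {
                // Data streams the account may write to and auto-create.
                RoleDescriptor.IndicesPrivileges.builder()
                    .indices(new String[] {
                        "logs-*",
                        "metrics-*",
                        "traces-*",
                        ".logs-endpoint.diagnostic.collection-*",
                        ".logs-endpoint.action.responses-*"
                    })
                    .privileges(new String[] {"write", "create_index", "auto_configure"})
                    .build(),
                // No write privilege on sampled APM traces.
                RoleDescriptor.IndicesPrivileges.builder()
                    .indices(new String[] {"traces-apm.sampled-*"})
                    .privileges(new String[] {"read", "monitor", "maintenance"})
                    .build(),
                // The only group in this file that opts in to restricted indices.
                RoleDescriptor.IndicesPrivileges.builder()
                    .indices(new String[] {".fleet-*"})
                    .privileges(new String[] {
                        "read", "write", "monitor", "create_index", "auto_configure", "maintenance"
                    })
                    .allowRestrictedIndices(true)
                    .build(),
                RoleDescriptor.IndicesPrivileges.builder()
                    .indices(new String[] {"synthetics-*"})
                    .privileges(new String[] {"read", "write", "create_index", "auto_configure"})
                    .allowRestrictedIndices(false)
                    .build()
            },
            new RoleDescriptor.ApplicationResourcePrivileges[] {
                RoleDescriptor.ApplicationResourcePrivileges.builder()
                    .application("kibana-*")
                    .resources(new String[] {"*"})
                    .privileges(new String[] {"reserved_fleet-setup"})
                    .build()
            },
            (ConfigurableClusterPrivilege[]) null,
            (String[]) null,
            (Map) null,
            (Map) null));

    /**
     * {@code elastic/kibana}: the role descriptor is not defined here but obtained from
     * {@link ReservedRolesStore#kibanaSystemRoleDescriptor(String)}, so its privileges must be
     * reviewed in that class.
     */
    private static final ServiceAccount KIBANA_SYSTEM_ACCOUNT =
        new ElasticServiceAccount("kibana", ReservedRolesStore.kibanaSystemRoleDescriptor("elastic/kibana"));

    /**
     * All built-in accounts, keyed by {@code id().asPrincipal()}.
     *
     * <p>The map is wrapped in an unmodifiable view: the field is package-visible, and the
     * plain result of {@link Collectors#toMap} would let any code that can reach it add,
     * replace or remove an account after class initialisation. Lookups and iteration behave
     * as before; mutation attempts throw {@link UnsupportedOperationException}.
     */
    static final Map<String, ServiceAccount> ACCOUNTS = Collections.unmodifiableMap(
        List.of(ENTERPRISE_SEARCH_ACCOUNT, FLEET_ACCOUNT, KIBANA_SYSTEM_ACCOUNT)
            .stream()
            .collect(Collectors.toMap(account -> account.id().asPrincipal(), Function.identity())));

    /**
     * Immutable {@link ServiceAccount} whose id, role descriptor and {@link User} are fixed at
     * construction time.
     */
    static class ElasticServiceAccount implements ServiceAccount {
        private final ServiceAccount.ServiceAccountId id;
        private final RoleDescriptor roleDescriptor;
        private final User user;

        /**
         * Creates an account in {@link ElasticServiceAccounts#NAMESPACE}.
         *
         * @param serviceName service name part of the account id
         * @param roleDescriptor privileges of the account; its name must equal the principal
         *     derived from the id
         * @throws NullPointerException if {@code roleDescriptor} is {@code null}
         * @throws IllegalArgumentException if the descriptor name differs from the principal
         */
        ElasticServiceAccount(String serviceName, RoleDescriptor roleDescriptor) {
            this.id = new ServiceAccount.ServiceAccountId(ElasticServiceAccounts.NAMESPACE, serviceName);
            this.roleDescriptor = Objects.requireNonNull(roleDescriptor, "Role descriptor cannot be null");
            // Refuse a descriptor written for a different principal, so a copy-paste mistake
            // cannot attach one account's privileges to another account's name.
            final String principal = this.id.asPrincipal();
            if (!roleDescriptor.getName().equals(principal)) {
                throw new IllegalArgumentException("the provided role descriptor [" + roleDescriptor.getName() + "] must have the same name as the service account [" + principal + "]");
            }
            // The user carries no role names (empty array) and is tagged with the
            // `_elastic_service_account` metadata flag.
            // NOTE(review): the fourth and sixth arguments look like e-mail and "enabled";
            // confirm against the User constructor.
            this.user = new User(principal, Strings.EMPTY_ARRAY, "Service account - " + this.id, (String) null, Map.of("_elastic_service_account", true), true);
        }

        /** Returns the id built from the namespace and service name. */
        @Override
        public ServiceAccount.ServiceAccountId id() {
            return this.id;
        }

        /** Returns the role descriptor supplied at construction. */
        @Override
        public RoleDescriptor roleDescriptor() {
            return this.roleDescriptor;
        }

        /** Returns the {@link User} created once in the constructor. */
        @Override
        public User asUser() {
            return this.user;
        }
    }

    /** Not instantiable; the class only holds constants. */
    private ElasticServiceAccounts() {
    }
}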
