package org.elasticsearch.xpack.idp.privileges;

import java.util.Arrays;
import java.util.Collection;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.GroupedActionListener;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.Strings;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.GetUserPrivilegesRequestBuilder;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;

/* loaded from: input_file:org/elasticsearch/xpack/idp/privileges/UserPrivilegeResolver.class */
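/**
 * Resolves which service-provider roles the currently authenticated user holds for a given
 * {@link ServiceProviderPrivileges}.
 * <p>
 * Resolution is asynchronous and runs in two steps: first the set of application-privilege actions
 * relevant to the service provider is collected (from the user's own application privileges and from
 * the {@link ApplicationActionsResolver}), then a {@code HasPrivilegesRequest} restricted to that single
 * application resource is executed and the granted privileges are translated to roles through the
 * service provider's role mapping.
 */
public class UserPrivilegeResolver {
    private static final Logger logger = LogManager.getLogger(UserPrivilegeResolver.class);
    private final Client client;
    private final SecurityContext securityContext;
    private final ApplicationActionsResolver actionsResolver;

    /**
     * Immutable outcome of a privilege resolution for one user.
     */
    public static class UserPrivileges {
        /** The principal (user name) the resolution was performed for; never {@code null}. */
        public final String principal;
        /** Whether at least one granted application privilege mapped to a service-provider role. */
        public final boolean hasAccess;
        /** Service-provider roles granted to the user; immutable, and empty whenever {@link #hasAccess} is {@code false}. */
        public final Set<String> roles;

        /**
         * @param principal the user's principal, must not be {@code null}
         * @param hasAccess whether the user has access to the service provider
         * @param roles     the roles to grant; copied defensively
         * @throws NullPointerException     if {@code principal} or {@code roles} is {@code null}
         * @throws IllegalArgumentException if {@code hasAccess} is {@code false} but {@code roles} is non-empty
         */
        public UserPrivileges(String principal, boolean hasAccess, Set<String> roles) {
            this.principal = Objects.requireNonNull(principal, "principal may not be null");
            // Validate nullness before touching roles so the documented message is reported instead of a bare NPE.
            Objects.requireNonNull(roles, "roles may not be null");
            if (hasAccess == false && roles.isEmpty() == false) {
                throw new IllegalArgumentException("a user without access may not have roles ([" + roles + "])");
            }
            this.hasAccess = hasAccess;
            this.roles = Set.copyOf(roles);
        }

        @Override
        public String toString() {
            final StringBuilder sb = new StringBuilder(getClass().getSimpleName())
                .append('{')
                .append(principal)
                .append(", ")
                .append(hasAccess);
            if (hasAccess) {
                // Roles are only meaningful (and only ever non-empty) when access is granted.
                sb.append(", ").append(roles);
            }
            return sb.append('}').toString();
        }

        /**
         * @return a result denying access to {@code principal}, with no roles
         */
        public static UserPrivileges noAccess(String principal) {
            return new UserPrivileges(principal, false, Set.of());
        }
    }

    public UserPrivilegeResolver(Client client, SecurityContext securityContext, ApplicationActionsResolver actionsResolver) {
        this.client = client;
        this.securityContext = securityContext;
        this.actionsResolver = actionsResolver;
    }

    /**
     * Resolves the roles the current user holds for the given service provider.
     *
     * @param serviceProviderPrivileges the application, resource and role mapping of the service provider
     * @param listener                  receives the resolved {@link UserPrivileges}, or the failure of either
     *                                  underlying security request
     */
    public void resolve(ServiceProviderPrivileges serviceProviderPrivileges, ActionListener<UserPrivileges> listener) {
        buildResourcePrivilege(serviceProviderPrivileges, listener.delegateFailureAndWrap((delegate, resourcePrivilege) -> {
            final String principal = securityContext.requireUser().principal();
            if (resourcePrivilege == null) {
                // No actions are known for the application, so there is nothing the user could be granted.
                delegate.onResponse(UserPrivileges.noAccess(principal));
                return;
            }
            final HasPrivilegesRequest request = new HasPrivilegesRequest();
            request.username(principal);
            // Only the application privilege is checked: cluster and index privileges are deliberately left empty
            // so the answer cannot be influenced by unrelated permissions.
            request.clusterPrivileges(Strings.EMPTY_ARRAY);
            request.indexPrivileges(new RoleDescriptor.IndicesPrivileges[0]);
            request.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[] { resourcePrivilege });
            client.execute(HasPrivilegesAction.INSTANCE, request, delegate.delegateFailureAndWrap((innerDelegate, response) -> {
                logger.debug(
                    "Checking access for user [{}] to application [{}] resource [{}]",
                    principal,
                    serviceProviderPrivileges.getApplicationName(),
                    serviceProviderPrivileges.getResource()
                );
                final UserPrivileges result = buildResult(response, serviceProviderPrivileges);
                logger.debug("Resolved service privileges [{}]", result);
                innerDelegate.onResponse(result);
            }));
        }));
    }

    /**
     * Translates a {@link HasPrivilegesResponse} into {@link UserPrivileges}.
     * <p>
     * Only privileges that are granted ({@code true}) on the service provider's exact resource are
     * considered; each is passed through the service provider's role mapping and the mapped roles are
     * unioned. Access is granted only when that union is non-empty, so a granted privilege that maps to
     * no role does not by itself grant access.
     *
     * @param response                  the privilege-check response for the user
     * @param serviceProviderPrivileges the service provider whose application/resource/mapping to apply
     * @return the user's access and roles, or {@link UserPrivileges#noAccess(String)} when nothing applies
     */
    private static UserPrivileges buildResult(HasPrivilegesResponse response, ServiceProviderPrivileges serviceProviderPrivileges) {
        final var applicationPrivileges = response.getApplicationPrivileges().get(serviceProviderPrivileges.getApplicationName());
        if (applicationPrivileges == null || applicationPrivileges.isEmpty()) {
            return UserPrivileges.noAccess(response.getUsername());
        }
        final Set<String> roles = applicationPrivileges.stream()
            .filter(rp -> rp.getResource().equals(serviceProviderPrivileges.getResource()))
            .flatMap(rp -> rp.getPrivileges().entrySet().stream())
            // keep only the privileges the user actually holds
            .filter(entry -> entry.getValue())
            .map(entry -> entry.getKey())
            .map(serviceProviderPrivileges.getRoleMapping())
            // privileges with no mapping contribute nothing
            .filter(Objects::nonNull)
            .flatMap(mapped -> mapped.stream())
            .collect(Collectors.toUnmodifiableSet());
        return new UserPrivileges(response.getUsername(), roles.isEmpty() == false, roles);
    }

    /**
     * Builds the single {@link RoleDescriptor.ApplicationResourcePrivileges} to check for the service provider.
     * <p>
     * The privilege's actions are the union of two sources, gathered through a {@link GroupedActionListener}:
     * the user's own application privileges for this application, and the actions reported by the
     * {@link ApplicationActionsResolver}. The listener receives {@code null} when that union is empty.
     *
     * @param serviceProviderPrivileges the service provider whose application and resource are checked
     * @param listener                  receives the privilege to check, or {@code null} when no actions are known
     */
    private void buildResourcePrivilege(
        ServiceProviderPrivileges serviceProviderPrivileges,
        ActionListener<RoleDescriptor.ApplicationResourcePrivileges> listener
    ) {
        final ActionListener<Set<String>> groupedListener = new GroupedActionListener<>(2, listener.delegateFailureAndWrap((delegate, actionSets) -> {
            final Set<String> actions = actionSets.stream()
                .flatMap(actionSet -> actionSet.stream())
                .collect(Collectors.toUnmodifiableSet());
            // collect() never yields null, so emptiness is the only condition to test
            if (actions.isEmpty()) {
                logger.warn("No application-privilege actions defined for application [{}]", serviceProviderPrivileges.getApplicationName());
                delegate.onResponse(null);
                return;
            }
            logger.debug("Using actions [{}] for application [{}]", actions, serviceProviderPrivileges.getApplicationName());
            final RoleDescriptor.ApplicationResourcePrivileges.Builder builder = RoleDescriptor.ApplicationResourcePrivileges.builder();
            builder.application(serviceProviderPrivileges.getApplicationName());
            builder.resources(new String[] { serviceProviderPrivileges.getResource() });
            builder.privileges(actions);
            delegate.onResponse(builder.build());
        }));
        // requireUser() (as in resolve()) gives a clear failure when no user is in context, rather than an NPE.
        final String principal = securityContext.requireUser().principal();
        client.execute(
            GetUserPrivilegesAction.INSTANCE,
            new GetUserPrivilegesRequestBuilder(client).username(principal).request(),
            groupedListener.map(
                response -> response.getApplicationPrivileges()
                    .stream()
                    .filter(privileges -> privileges.getApplication().equals(serviceProviderPrivileges.getApplicationName()))
                    .flatMap(privileges -> Arrays.stream(privileges.getPrivileges()))
                    .collect(Collectors.toUnmodifiableSet())
            )
        );
        this.actionsResolver.getActions(serviceProviderPrivileges.getApplicationName(), groupedListener);
    }
}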
