package org.elasticsearch.xpack.security.authz;

import java.util.Collection;
import java.util.Collections;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Predicate;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.util.concurrent.CountDown;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authz.permission.Role;
import org.elasticsearch.xpack.security.support.AutomatonPredicate;
import org.elasticsearch.xpack.security.support.Automatons;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/AuthorizationUtils.class */
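/**
 * Static helpers for the authorization layer: deciding whether an internal action qualifies for
 * the system user, and collecting the roles of the authenticated (and run-as) user before an
 * authorization callback runs.
 */
public final class AuthorizationUtils {

    /** Matches action names in the {@code internal:} namespace. */
    private static final Predicate<String> INTERNAL_PREDICATE = new AutomatonPredicate(Automatons.patterns("internal:*"));

    /**
     * Collects two role collections, one for the authenticated user and one for the run-as user,
     * and passes both to a callback once both have been supplied.
     *
     * <p>The callback is gated by a {@link CountDown} of two, so it is not invoked until both role
     * collections have been set. A failed role lookup is reported to the listener instead, and the
     * callback is then never reached for that request.
     *
     * <p>NOTE(review): both lookups report failures to the same listener, so the listener may be
     * notified twice if both fail; confirm that the listener tolerates repeated
     * {@code onFailure} calls.
     */
    public static class AsyncAuthorizer {
        private final ActionListener listener;
        private final BiConsumer<Collection<Role>, Collection<Role>> consumer;
        private final Authentication authentication;
        // volatile: presumably the two lookup results can be delivered on different threads, and
        // the thread that triggers the consumer must see both values - TODO confirm.
        private volatile Collection<Role> userRoles;
        private volatile Collection<Role> runAsRoles;
        // Exactly two results are expected: the user's roles and the run-as roles.
        private final CountDown countDown = new CountDown(2);

        /**
         * @param authentication the authentication whose user (and run-as user) roles are resolved
         * @param actionListener receives any failure from a role lookup or from the consumer
         * @param biConsumer     invoked with (user roles, run-as roles) once both are available
         */
        public AsyncAuthorizer(Authentication authentication, ActionListener actionListener, BiConsumer<Collection<Role>, Collection<Role>> biConsumer) {
            this.consumer = biConsumer;
            this.listener = actionListener;
            this.authentication = authentication;
        }

        /**
         * Starts role resolution and eventually triggers the consumer.
         *
         * @param authorizationService the service used to look up the roles of a user
         */
        public void authorize(AuthorizationService authorizationService) {
            if (SystemUser.is(this.authentication.getUser())) {
                // No role lookup for the system user: both slots are filled with empty
                // collections immediately, which runs the consumer synchronously.
                setUserRoles(Collections.emptyList());
                setRunAsRoles(Collections.emptyList());
                return;
            }
            authorizationService.roles(
                this.authentication.getUser(),
                ActionListener.wrap(this::setUserRoles, this.listener::onFailure));
            if (this.authentication.isRunAs()) {
                // This guard is an assertion only: with JVM assertions disabled, a null run-as
                // user would be handed to roles() unchecked. NOTE(review): confirm that
                // Authentication guarantees a non-null run-as user whenever isRunAs() is true.
                assert this.authentication.getRunAsUser() != null : "runAs user is null but shouldn't";
                authorizationService.roles(
                    this.authentication.getRunAsUser(),
                    ActionListener.wrap(this::setRunAsRoles, this.listener::onFailure));
            } else {
                // Not a run-as request: the second slot is an empty role collection.
                setRunAsRoles(Collections.emptyList());
            }
        }

        /** Stores the authenticated user's roles and runs the consumer if both results are in. */
        private void setUserRoles(Collection<Role> collection) {
            this.userRoles = collection;
            maybeRun();
        }

        /** Stores the run-as user's roles and runs the consumer if both results are in. */
        private void setRunAsRoles(Collection<Role> collection) {
            this.runAsRoles = collection;
            maybeRun();
        }

        /**
         * Invokes the consumer when the count-down reports completion. Any {@link Exception} thrown
         * by the consumer is routed to the listener; {@link Error}s are not caught here.
         */
        private void maybeRun() {
            if (!this.countDown.countDown()) {
                return;
            }
            try {
                this.consumer.accept(this.userRoles, this.runAsRoles);
            } catch (Exception e) {
                this.listener.onFailure(e);
            }
        }
    }

    private AuthorizationUtils() {
    }

    /**
     * Decides, from the action name and the thread context, whether the current user should be
     * replaced with the system user.
     *
     * <ul>
     *   <li>A non-internal action never qualifies.</li>
     *   <li>An internal action with no {@link Authentication} in the context qualifies.</li>
     *   <li>An internal action with an {@link Authentication} qualifies only when an originating
     *       action is recorded in the context and that action is itself not internal.</li>
     * </ul>
     *
     * <p>NOTE(review): judging by the method name, a {@code true} result lets the caller run the
     * action with system-user privileges. The action name and both context transients should
     * therefore be values set by the node itself, not values taken from a request; confirm at the
     * call sites.
     *
     * @param threadContext the context holding the authentication and originating-action transients
     * @param str           the name of the action about to be executed
     * @return {@code true} if the rules above say the user should be replaced with the system user
     */
    public static boolean shouldReplaceUserWithSystem(ThreadContext threadContext, String str) {
        if (!isInternalAction(str)) {
            return false;
        }
        final Authentication authentication =
            (Authentication) threadContext.getTransient(Authentication.AUTHENTICATION_KEY);
        if (authentication == null) {
            return true;
        }
        final String originatingAction =
            (String) threadContext.getTransient(AuthorizationService.ORIGINATING_ACTION_KEY);
        return originatingAction != null && !isInternalAction(originatingAction);
    }

    /** Returns whether the action name matches the {@code internal:*} pattern. */
    private static boolean isInternalAction(String str) {
        return INTERNAL_PREDICATE.test(str);
    }
}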
