package org.elasticsearch.xpack.core.security.authz.privilege;

import java.util.Arrays;
import org.elasticsearch.common.Strings;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:lib/x-pack-core-7.17.13.jar:org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.class */
/**
 * The {@code manage_own_api_key} cluster privilege.
 * <p>
 * It grants the API-key actions matched by {@code cluster:admin/xpack/security/api_key/*}, but only
 * when the concrete request is limited to keys that belong to the authenticated subject. The
 * per-request decision lives in {@link ManageOwnClusterPermissionCheck#extendedCheck}.
 * <p>
 * This listing is decompiler output; the decompiler reports that the nested check class was
 * originally declared {@code private}.
 */
public class ManageOwnApiKeyClusterPrivilege implements NamedClusterPrivilege {
    public static final ManageOwnApiKeyClusterPrivilege INSTANCE = new ManageOwnApiKeyClusterPrivilege();
    private static final String PRIVILEGE_NAME = "manage_own_api_key";
    /** Metadata key under which an API-key authentication carries the id of the key that authenticated it. */
    public static final String API_KEY_ID_KEY = "_security_api_key_id";
    private final ClusterPermission permission = buildPermission(ClusterPermission.builder()).build();

    /**
     * Action-based permission check that restricts API-key actions to keys owned by the caller.
     * <p>
     * Ownership rules implemented below:
     * <ul>
     *   <li>An API-key authentication may only act on the key it authenticated with; it can never
     *       act on other keys, even by user/realm name or via the owned-by-authenticated-user flag.</li>
     *   <li>A non-API-key authentication passes when the request is flagged as owned by the
     *       authenticated user, or when both the requested user name and realm name are given and
     *       equal the authenticated principal and its source realm name.</li>
     *   <li>A query request passes only when it is already filtered to the current user.</li>
     * </ul>
     * Any request type other than the four API-key requests is rejected with an exception rather
     * than with {@code false}.
     */
    public static final class ManageOwnClusterPermissionCheck extends ClusterPermission.ActionBasedPermissionCheck {
        public static final ManageOwnClusterPermissionCheck INSTANCE = new ManageOwnClusterPermissionCheck();

        private ManageOwnClusterPermissionCheck() {
            super(Automatons.patterns("cluster:admin/xpack/security/api_key/*"));
        }

        /**
         * Decides whether {@code request} stays within the caller's own API keys.
         *
         * @param action         the action name (already matched by the action pattern; unused here)
         * @param request        the transport request being authorized
         * @param authentication the authentication of the caller
         * @return {@code true} when the request only touches keys owned by the caller
         * @throws IllegalArgumentException if {@code request} is not one of the API-key request types
         */
        @Override
        protected boolean extendedCheck(String action, TransportRequest request, Authentication authentication) {
            if (request instanceof CreateApiKeyRequest) {
                // Key creation is always in scope of this privilege; no request fields are inspected.
                return true;
            }
            if (request instanceof GetApiKeyRequest) {
                final GetApiKeyRequest get = (GetApiKeyRequest) request;
                return ownsApiKey(
                    authentication,
                    get.getApiKeyId(),
                    get.getUserName(),
                    get.getRealmName(),
                    get.ownedByAuthenticatedUser()
                );
            }
            if (request instanceof InvalidateApiKeyRequest) {
                return ownsEveryKeyToInvalidate(authentication, (InvalidateApiKeyRequest) request);
            }
            if (request instanceof QueryApiKeyRequest) {
                // Queries are only allowed when they are already narrowed to the current user.
                return ((QueryApiKeyRequest) request).isFilterForCurrentUser();
            }
            throw new IllegalArgumentException("manage own api key privilege only supports API key requests (not " + request.getClass().getName() + ")");
        }

        /** This check implies only another instance of itself. */
        @Override
        protected boolean doImplies(ClusterPermission.ActionBasedPermissionCheck other) {
            return other instanceof ManageOwnClusterPermissionCheck;
        }

        /**
         * Invalidation without explicit ids is judged by the request's user/realm/owner fields alone;
         * with explicit ids, every single id must be owned by the caller (an empty id array passes).
         */
        private boolean ownsEveryKeyToInvalidate(Authentication authentication, InvalidateApiKeyRequest invalidate) {
            final String[] requestedIds = invalidate.getIds();
            if (requestedIds == null) {
                return ownsApiKey(
                    authentication,
                    null,
                    invalidate.getUserName(),
                    invalidate.getRealmName(),
                    invalidate.ownedByAuthenticatedUser()
                );
            }
            return Arrays.stream(requestedIds).allMatch(
                id -> ownsApiKey(
                    authentication,
                    id,
                    invalidate.getUserName(),
                    invalidate.getRealmName(),
                    invalidate.ownedByAuthenticatedUser()
                )
            );
        }

        /**
         * Ownership test for a single (possibly absent) API-key id plus the request's user/realm
         * selectors.
         *
         * @param authentication           the caller's authentication
         * @param apiKeyId                 requested key id, may be {@code null} or blank
         * @param username                 requested owner user name, may be blank
         * @param realmName                requested owner realm name, may be blank
         * @param ownedByAuthenticatedUser whether the request asks for the caller's own keys
         * @return {@code true} when the selector can only address keys owned by the caller
         */
        private boolean ownsApiKey(Authentication authentication, String apiKeyId, String username, String realmName, boolean ownedByAuthenticatedUser) {
            if (isSameApiKeyAsAuthentication(authentication, apiKeyId)) {
                return true;
            }
            final boolean callerIsApiKey = authentication.getAuthenticationType() == Authentication.AuthenticationType.API_KEY;
            if (callerIsApiKey) {
                // An API key never owns any key other than itself, which was handled above.
                return false;
            }
            if (ownedByAuthenticatedUser) {
                return true;
            }
            if (Strings.hasText(username) == false || Strings.hasText(realmName) == false) {
                // Without both selectors the request could address keys of other users.
                return false;
            }
            final boolean sameUser = username.equals(authentication.getUser().principal());
            return sameUser && realmName.equals(authentication.getSourceRealm().getName());
        }

        /**
         * {@code true} only when the caller authenticated with an API key and {@code requestedApiKeyId}
         * is non-blank and equal to the id stored under {@link #API_KEY_ID_KEY} in the authentication
         * metadata.
         */
        private boolean isSameApiKeyAsAuthentication(Authentication authentication, String requestedApiKeyId) {
            if (authentication.getAuthenticationType() != Authentication.AuthenticationType.API_KEY) {
                return false;
            }
            final String ownApiKeyId = (String) authentication.getMetadata().get(ManageOwnApiKeyClusterPrivilege.API_KEY_ID_KEY);
            return Strings.hasText(requestedApiKeyId) && requestedApiKeyId.equals(ownApiKeyId);
        }
    }

    /** Singleton; use {@link #INSTANCE}. */
    private ManageOwnApiKeyClusterPrivilege() {
    }

    @Override
    public String name() {
        return PRIVILEGE_NAME;
    }

    /** Registers {@link ManageOwnClusterPermissionCheck#INSTANCE} for this privilege on the builder. */
    @Override
    public ClusterPermission.Builder buildPermission(ClusterPermission.Builder builder) {
        return builder.add(this, ManageOwnClusterPermissionCheck.INSTANCE);
    }

    @Override
    public ClusterPermission permission() {
        return this.permission;
    }
}
