package org.elasticsearch.xpack.core.security.authc;

import java.io.IOException;
import java.util.Base64;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import org.elasticsearch.Version;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.xpack.core.ml.process.writer.RecordWriter;
import org.elasticsearch.xpack.core.security.authc.esnative.NativeRealmSettings;
import org.elasticsearch.xpack.core.security.authc.file.FileRealmSettings;
import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.authz.privilege.ManageOwnApiKeyClusterPrivilege;
import org.elasticsearch.xpack.core.security.user.InternalUserSerializationHelper;
import org.elasticsearch.xpack.core.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/Authentication.class */
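/**
 * Describes the outcome of an authentication: the {@link User}, the realm that authenticated it, an
 * optional realm that looked the user up, the {@link Version} the object is bound to, the
 * {@link AuthenticationType} and a free-form metadata map.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #encode()} only Base64-encodes the serialized bytes. Nothing in this class signs or
 *       encrypts them, so integrity and confidentiality must come from whatever carries the value.</li>
 *   <li>The wire format stores the authentication type as its enum ordinal, so the declaration order of
 *       {@link AuthenticationType} is part of the format.</li>
 *   <li>{@link #canAccessResourcesOf(Authentication)} is an ownership decision; read its contract before
 *       changing any comparison in it.</li>
 * </ul>
 */
public class Authentication implements ToXContentObject {
    public static final Version VERSION_API_KEY_ROLES_AS_BYTES = Version.V_7_9_0;

    private final User user;
    private final RealmRef authenticatedBy;
    // May be null: no separate lookup realm was involved.
    private final RealmRef lookedUpBy;
    private final Version version;
    private final AuthenticationType type;
    // Stored exactly as handed to the constructor (no defensive copy, no null check).
    private final Map<String, Object> metadata;

    /**
     * How the subject was authenticated.
     *
     * <p>{@link Authentication#writeTo(StreamOutput)} writes {@code ordinal()} and the stream constructor
     * indexes {@code values()} with it, so constants must not be reordered or removed; new ones can only
     * be appended.
     */
    public enum AuthenticationType {
        REALM,
        API_KEY,
        TOKEN,
        ANONYMOUS,
        INTERNAL
    }

    /** Identifies a realm by name and type, together with the node it was referenced on. */
    public static class RealmRef {
        private final String nodeName;
        private final String name;
        private final String type;

        /**
         * @param name     realm name
         * @param type     realm type
         * @param nodeName name of the node; note it is the last argument but the first field on the wire
         */
        public RealmRef(String name, String type, String nodeName) {
            this.nodeName = nodeName;
            this.name = name;
            this.type = type;
        }

        /**
         * Reads a realm reference in the order written by {@link #writeTo(StreamOutput)}:
         * node name, realm name, realm type.
         *
         * @throws IOException if the stream cannot be read
         */
        public RealmRef(StreamInput streamInput) throws IOException {
            this.nodeName = streamInput.readString();
            this.name = streamInput.readString();
            this.type = streamInput.readString();
        }

        /**
         * Writes node name, realm name and realm type, in that order.
         *
         * @throws IOException if the stream cannot be written
         */
        void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeString(this.nodeName);
            streamOutput.writeString(this.name);
            streamOutput.writeString(this.type);
        }

        public String getNodeName() {
            return this.nodeName;
        }

        public String getName() {
            return this.name;
        }

        public String getType() {
            return this.type;
        }

        /** Two references are equal when node name, realm name and realm type are all equal. */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RealmRef other = (RealmRef) obj;
            return this.nodeName.equals(other.nodeName) && this.name.equals(other.name) && this.type.equals(other.type);
        }

        @Override
        public int hashCode() {
            int result = this.nodeName.hashCode();
            result = 31 * result + this.name.hashCode();
            result = 31 * result + this.type.hashCode();
            return result;
        }

        @Override
        public String toString() {
            // NOTE(review): the separator is a constant from an unrelated ML class, which looks like a
            // decompiler constant substitution - confirm the intended literal against the original source.
            return "{Realm[" + this.type + RecordWriter.CONTROL_FIELD_NAME + this.name + "] on Node[" + this.nodeName + "]}";
        }
    }

    /** Creates a {@link AuthenticationType#REALM} authentication bound to {@link Version#CURRENT}. */
    public Authentication(User user, RealmRef authenticatedBy, RealmRef lookedUpBy) {
        this(user, authenticatedBy, lookedUpBy, Version.CURRENT);
    }

    /** Creates a {@link AuthenticationType#REALM} authentication with empty metadata. */
    public Authentication(User user, RealmRef authenticatedBy, RealmRef lookedUpBy, Version version) {
        this(user, authenticatedBy, lookedUpBy, version, AuthenticationType.REALM, Collections.emptyMap());
    }

    /**
     * @param user               the authenticated user; must not be null
     * @param authenticatedBy    the realm that authenticated the user; must not be null
     * @param lookedUpBy         the realm that looked the user up, or null
     * @param version            the version this object is bound to
     * @param authenticationType how the user authenticated
     * @param metadata           authentication metadata; the reference is kept, not copied
     * @throws NullPointerException if {@code user} or {@code authenticatedBy} is null
     */
    public Authentication(
        User user,
        RealmRef authenticatedBy,
        RealmRef lookedUpBy,
        Version version,
        AuthenticationType authenticationType,
        Map<String, Object> metadata
    ) {
        this.user = Objects.requireNonNull(user);
        this.authenticatedBy = Objects.requireNonNull(authenticatedBy);
        this.lookedUpBy = lookedUpBy;
        // version, type and metadata are not null-checked here; equals() and writeTo() dereference them.
        this.version = version;
        this.type = authenticationType;
        this.metadata = metadata;
    }

    /**
     * Reads an authentication in the order written by {@link #writeTo(StreamOutput)}. The version is
     * taken from the stream itself. Streams older than 6.7.0 carry no type or metadata, so those default
     * to {@link AuthenticationType#REALM} and an empty map.
     *
     * @throws IOException if the stream cannot be read or carries an authentication type ordinal that
     *                     this node does not know
     */
    public Authentication(StreamInput streamInput) throws IOException {
        this.user = InternalUserSerializationHelper.readFrom(streamInput);
        this.authenticatedBy = new RealmRef(streamInput);
        if (streamInput.readBoolean()) {
            this.lookedUpBy = new RealmRef(streamInput);
        } else {
            this.lookedUpBy = null;
        }
        this.version = streamInput.getVersion();
        if (streamInput.getVersion().onOrAfter(Version.V_6_7_0)) {
            // The ordinal comes off the wire: bounds-check it so a corrupt or newer-format value is
            // rejected as a stream error instead of escaping as ArrayIndexOutOfBoundsException.
            final int typeOrdinal = streamInput.readVInt();
            final AuthenticationType[] knownTypes = AuthenticationType.values();
            if (typeOrdinal < 0 || typeOrdinal >= knownTypes.length) {
                throw new IOException("unknown authentication type ordinal [" + typeOrdinal + "]");
            }
            this.type = knownTypes[typeOrdinal];
            this.metadata = streamInput.readMap();
        } else {
            this.type = AuthenticationType.REALM;
            this.metadata = Collections.emptyMap();
        }
    }

    public User getUser() {
        return this.user;
    }

    public RealmRef getAuthenticatedBy() {
        return this.authenticatedBy;
    }

    /** @return the lookup realm, or null when none was recorded */
    public RealmRef getLookedUpBy() {
        return this.lookedUpBy;
    }

    /** @return the lookup realm when present, otherwise the authenticating realm */
    public RealmRef getSourceRealm() {
        return this.lookedUpBy == null ? this.authenticatedBy : this.lookedUpBy;
    }

    public Version getVersion() {
        return this.version;
    }

    public AuthenticationType getAuthenticationType() {
        return this.type;
    }

    /**
     * @return the metadata map held by this object, not a copy; whether it is mutable depends on what
     *         the creator passed in
     */
    public Map<String, Object> getMetadata() {
        return this.metadata;
    }

    /**
     * @return true when the authenticating realm's type is {@code _service_account} and there is no
     *         lookup realm
     */
    public boolean isServiceAccount() {
        return "_service_account".equals(getAuthenticatedBy().getType()) && null == getLookedUpBy();
    }

    /** Stores this authentication in the given thread context via {@link AuthenticationContextSerializer}. */
    public void writeToContext(ThreadContext threadContext) throws IOException, IllegalArgumentException {
        new AuthenticationContextSerializer().writeToContext(this, threadContext);
    }

    /**
     * Serializes this object, prefixed with its version, and returns the bytes Base64-encoded.
     *
     * <p>The result is an encoding only: it is neither signed nor encrypted here.
     *
     * @throws IOException if serialization fails
     */
    public String encode() throws IOException {
        BytesStreamOutput out = new BytesStreamOutput();
        // The stream version decides whether writeTo() emits the type and metadata.
        out.setVersion(this.version);
        Version.writeVersion(this.version, out);
        writeTo(out);
        return Base64.getEncoder().encodeToString(BytesReference.toBytes(out.bytes()));
    }

    /**
     * Writes user, authenticating realm, an optional lookup realm (preceded by a presence flag) and,
     * for streams on or after 6.7.0, the type ordinal and the metadata map.
     *
     * @throws IOException if the stream cannot be written
     */
    public void writeTo(StreamOutput streamOutput) throws IOException {
        InternalUserSerializationHelper.writeTo(this.user, streamOutput);
        this.authenticatedBy.writeTo(streamOutput);
        if (this.lookedUpBy != null) {
            streamOutput.writeBoolean(true);
            this.lookedUpBy.writeTo(streamOutput);
        } else {
            streamOutput.writeBoolean(false);
        }
        if (streamOutput.getVersion().onOrAfter(Version.V_6_7_0)) {
            streamOutput.writeVInt(this.type.ordinal());
            streamOutput.writeMap(this.metadata);
        }
    }

    /**
     * Decides whether this authentication may access resources created by {@code authentication}.
     *
     * <ul>
     *   <li>Both API keys: true only when the API key ids stored in the two metadata maps are equal.</li>
     *   <li>Different types: false, except that REALM and TOKEN are treated as interchangeable.</li>
     *   <li>Otherwise the principals must be equal and the source realms must match. When this object's
     *       source realm is of the file or native type, only the realm type is compared; for any other
     *       type both realm name and realm type are compared. The node name is never compared.</li>
     * </ul>
     *
     * @param authentication the authentication that owns the resource; must not be null
     * @return true when access is allowed
     * @throws NullPointerException if this object's metadata has no API key id in the API-key case
     */
    public boolean canAccessResourcesOf(Authentication authentication) {
        final AuthenticationType ownType = getAuthenticationType();
        final AuthenticationType otherType = authentication.getAuthenticationType();

        if (AuthenticationType.API_KEY == ownType && AuthenticationType.API_KEY == otherType) {
            // Deliberately not Objects.equals(): two missing ids must never compare as "same key".
            final boolean sameKeyId = getMetadata().get(ManageOwnApiKeyClusterPrivilege.API_KEY_ID_KEY)
                .equals(authentication.getMetadata().get(ManageOwnApiKeyClusterPrivilege.API_KEY_ID_KEY));
            assert !sameKeyId || getUser().principal().equals(authentication.getUser().principal())
                : "The same API key ID cannot be attributed to two different usernames";
            return sameKeyId;
        }

        final boolean realmTokenPair = (AuthenticationType.REALM == ownType && AuthenticationType.TOKEN == otherType)
            || (AuthenticationType.TOKEN == ownType && AuthenticationType.REALM == otherType);
        if (!ownType.equals(otherType) && !realmTokenPair) {
            // Presumably a tripwire for enum constants added later: the set lists every current type.
            assert EnumSet.of(
                AuthenticationType.REALM,
                AuthenticationType.API_KEY,
                AuthenticationType.TOKEN,
                AuthenticationType.ANONYMOUS,
                AuthenticationType.INTERNAL
            ).containsAll(EnumSet.of(ownType, otherType))
                : "cross AuthenticationType comparison for canAccessResourcesOf is not applicable for: "
                    + EnumSet.of(ownType, otherType);
            return false;
        }

        if (!getUser().principal().equals(authentication.getUser().principal())) {
            return false;
        }

        final RealmRef ownRealm = getSourceRealm();
        final RealmRef otherRealm = authentication.getSourceRealm();
        if (FileRealmSettings.TYPE.equals(ownRealm.getType()) || NativeRealmSettings.TYPE.equals(ownRealm.getType())) {
            // File and native realms: the realm name is ignored, only the type has to match.
            return ownRealm.getType().equals(otherRealm.getType());
        }
        return ownRealm.getName().equals(otherRealm.getName()) && ownRealm.getType().equals(otherRealm.getType());
    }

    /** Compares user, both realms, version, type and metadata. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        Authentication other = (Authentication) obj;
        return this.user.equals(other.user)
            && this.authenticatedBy.equals(other.authenticatedBy)
            && Objects.equals(this.lookedUpBy, other.lookedUpBy)
            && this.version.equals(other.version)
            && this.type == other.type
            && this.metadata.equals(other.metadata);
    }

    @Override
    public int hashCode() {
        return Objects.hash(this.user, this.authenticatedBy, this.lookedUpBy, this.version, this.type, this.metadata);
    }

    /** Renders {@link #toXContentFragment(XContentBuilder)} wrapped in an object. */
    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.startObject();
        toXContentFragment(xContentBuilder);
        return xContentBuilder.endObject();
    }

    /**
     * Writes the user's fields, the service-account token description (service accounts only), the
     * authenticating realm, the lookup realm and the lower-cased authentication type.
     *
     * <p>The metadata field written here is the user's metadata. The authentication metadata map is read
     * only for the service-account token name and source. When there is no lookup realm, the lookup
     * realm object repeats the authenticating realm.
     *
     * @throws IOException if the builder fails
     */
    public void toXContentFragment(XContentBuilder xContentBuilder) throws IOException {
        xContentBuilder.field(User.Fields.USERNAME.getPreferredName(), this.user.principal());
        xContentBuilder.array(User.Fields.ROLES.getPreferredName(), this.user.roles());
        xContentBuilder.field(User.Fields.FULL_NAME.getPreferredName(), this.user.fullName());
        xContentBuilder.field(User.Fields.EMAIL.getPreferredName(), this.user.email());
        if (isServiceAccount()) {
            final String tokenName = (String) getMetadata().get(ServiceAccountSettings.TOKEN_NAME_FIELD);
            assert tokenName != null : "token name cannot be null";
            final String tokenSource = (String) getMetadata().get(ServiceAccountSettings.TOKEN_SOURCE_FIELD);
            assert tokenSource != null : "token source cannot be null";
            xContentBuilder.field(
                User.Fields.TOKEN.getPreferredName(),
                org.elasticsearch.core.Map.of("name", tokenName, "type", "_service_account_" + tokenSource)
            );
        }
        xContentBuilder.field(User.Fields.METADATA.getPreferredName(), this.user.metadata());
        xContentBuilder.field(User.Fields.ENABLED.getPreferredName(), this.user.enabled());

        xContentBuilder.startObject(User.Fields.AUTHENTICATION_REALM.getPreferredName());
        xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getAuthenticatedBy().getName());
        xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getAuthenticatedBy().getType());
        xContentBuilder.endObject();

        xContentBuilder.startObject(User.Fields.LOOKUP_REALM.getPreferredName());
        if (getLookedUpBy() != null) {
            xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getLookedUpBy().getName());
            xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getLookedUpBy().getType());
        } else {
            xContentBuilder.field(User.Fields.REALM_NAME.getPreferredName(), getAuthenticatedBy().getName());
            xContentBuilder.field(User.Fields.REALM_TYPE.getPreferredName(), getAuthenticatedBy().getType());
        }
        xContentBuilder.endObject();

        xContentBuilder.field(
            User.Fields.AUTHENTICATION_TYPE.getPreferredName(),
            getAuthenticationType().name().toLowerCase(Locale.ROOT)
        );
    }

    /** Renders user, type and realms. The metadata map is left out of the string. */
    @Override
    public String toString() {
        StringBuilder description = new StringBuilder("Authentication[").append(this.user)
            .append(",type=")
            .append(this.type)
            .append(",by=")
            .append(this.authenticatedBy);
        if (this.lookedUpBy != null) {
            description.append(",lookup=").append(this.lookedUpBy);
        }
        description.append("]");
        return description.toString();
    }
}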
