package org.elasticsearch.xpack.transform.action;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.IndicesOptions;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesRequest;
import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesResponse;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.transform.transforms.NullRetentionPolicyConfig;
import org.elasticsearch.xpack.core.transform.transforms.TransformConfig;
import org.elasticsearch.xpack.transform.utils.SecondaryAuthorizationUtils;

/* loaded from: input_file:org/elasticsearch/xpack/transform/action/TransformPrivilegeChecker.class */
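/**
 * Verifies that the user behind a transform request holds the index privileges the transform
 * needs, by sending a {@link HasPrivilegesRequest} and turning an incomplete match into an
 * authorization error.
 *
 * <p>This listing is decompiler output. The raw {@code CheckedConsumer}/{@code ActionListener}/
 * {@code ArrayList} types and the {@code (Object) null} argument it emitted do not type-check
 * against the generic signatures used here, so the generics have been restored. Parameter names
 * ({@code str}, {@code z}, ...) are the decompiler's and are kept as they appear.
 */
final class TransformPrivilegeChecker {
    /**
     * Asynchronously checks the index privileges required by {@code transformConfig}.
     *
     * <p>The check runs inside {@link SecondaryAuthorizationUtils#useSecondaryAuthIfAvailable}, and the
     * principal is read inside that callback, so it is whichever user the security context exposes there
     * (presumably the secondary-auth user when one is supplied; confirm against that helper).
     *
     * <p>Security note: when {@code z} is {@code false} only the source-index privileges are verified.
     * Destination-index privileges (read/index/create_index/delete) are skipped entirely, so callers
     * passing {@code false} must not rely on this method to authorize writes to the destination.
     *
     * <p>Decompiler note: the original method was package-private; the decompiler widened it.
     *
     * @param str operation name, used only in the failure message ("Cannot {} transform ...")
     * @param securityContext security context the principal is read from
     * @param indexNameExpressionResolver resolves the destination index expression to concrete indices
     * @param clusterState cluster state used for that resolution (a point-in-time view)
     * @param client client used to execute the has-privileges action
     * @param transformConfig transform whose source/destination indices are checked
     * @param z whether destination-index privileges are included in the check
     * @param actionListener receives {@code null} on a complete match, or the failure otherwise
     */
    public static void checkPrivileges(String str, SecurityContext securityContext, IndexNameExpressionResolver indexNameExpressionResolver, ClusterState clusterState, Client client, TransformConfig transformConfig, boolean z, ActionListener<Void> actionListener) {
        SecondaryAuthorizationUtils.useSecondaryAuthIfAvailable(securityContext, () -> {
            String principal = securityContext.getUser().principal();
            // Typed consumer: with a raw CheckedConsumer the lambda parameter is Object and the
            // call below would not compile.
            CheckedConsumer<HasPrivilegesResponse, Exception> onResponse = response -> handlePrivilegesResponse(str, principal, transformConfig.getId(), response, actionListener);
            Objects.requireNonNull(actionListener);
            // Failures of the has-privileges call itself are passed to the caller unchanged.
            ActionListener<HasPrivilegesResponse> responseListener = ActionListener.wrap(onResponse, actionListener::onFailure);
            HasPrivilegesRequest request = buildPrivilegesRequest(transformConfig, indexNameExpressionResolver, clusterState, principal, z);
            client.execute(HasPrivilegesAction.INSTANCE, request, responseListener);
        });
    }

    /**
     * Builds the has-privileges request for {@code str} (the principal being checked).
     *
     * <p>Privileges requested:
     * <ul>
     *   <li>source indices: {@code read}, {@code view_index_metadata} (always);</li>
     *   <li>destination index, only when {@code z} is true: {@code read}, {@code index}, plus
     *       {@code create_index} if the destination resolves to no concrete index, plus
     *       {@code delete} if a non-null retention policy is configured.</li>
     * </ul>
     *
     * <p>Whether {@code create_index} is required is decided from the {@code clusterState} passed in,
     * so it reflects index existence at check time only.
     *
     * @return a request carrying only index privileges (no cluster or application privileges)
     */
    private static HasPrivilegesRequest buildPrivilegesRequest(TransformConfig transformConfig, IndexNameExpressionResolver indexNameExpressionResolver, ClusterState clusterState, String str, boolean z) {
        List<RoleDescriptor.IndicesPrivileges> indexPrivileges = new ArrayList<>(2);
        indexPrivileges.add(
            RoleDescriptor.IndicesPrivileges.builder()
                .indices(transformConfig.getSource().getIndex())
                .privileges(new String[] { "read", "view_index_metadata" })
                .build()
        );
        if (z) {
            String destIndex = transformConfig.getDestination().getIndex();
            // Lenient resolution: an absent destination yields an empty array instead of an error.
            String[] concreteDest = indexNameExpressionResolver.concreteIndexNames(clusterState, IndicesOptions.lenientExpandOpen(), new String[] { destIndex });
            List<String> destPrivileges = new ArrayList<>(4);
            destPrivileges.add("read");
            destPrivileges.add("index");
            if (concreteDest.length == 0) {
                // The destination does not exist yet, so creating it must be authorized as well.
                destPrivileges.add("create_index");
            }
            boolean hasRetentionPolicy = transformConfig.getRetentionPolicyConfig() != null
                && !(transformConfig.getRetentionPolicyConfig() instanceof NullRetentionPolicyConfig);
            if (hasRetentionPolicy) {
                // A configured retention policy adds the delete privilege on the destination.
                destPrivileges.add("delete");
            }
            indexPrivileges.add(
                RoleDescriptor.IndicesPrivileges.builder()
                    .indices(new String[] { destIndex })
                    .privileges(destPrivileges)
                    .build()
            );
        }
        HasPrivilegesRequest request = new HasPrivilegesRequest();
        request.username(str);
        request.applicationPrivileges(new RoleDescriptor.ApplicationResourcePrivileges[0]);
        request.clusterPrivileges(Strings.EMPTY_ARRAY);
        request.indexPrivileges(indexPrivileges.toArray(RoleDescriptor.IndicesPrivileges[]::new));
        return request;
    }

    /**
     * Completes {@code actionListener} from the has-privileges response: success only on a complete
     * match, otherwise an authorization error naming the operation, the transform id, the user and
     * the privileges that were not granted, grouped per index resource.
     *
     * <p>NOTE(review): every checked resource is listed, so a resource whose privileges were all
     * granted still shows up as {@code name:[]} in the message.
     *
     * <p>Decompiler note: the original method was private; the decompiler widened it.
     *
     * @param str operation name for the message
     * @param str2 user name for the message
     * @param str3 transform id for the message
     * @param hasPrivilegesResponse response of the has-privileges action
     * @param actionListener listener to complete
     */
    public static void handlePrivilegesResponse(String str, String str2, String str3, HasPrivilegesResponse hasPrivilegesResponse, ActionListener<Void> actionListener) {
        if (hasPrivilegesResponse.isCompleteMatch()) {
            // ActionListener<Void> takes null; the decompiler's "(Object) null" is not a Void.
            actionListener.onResponse(null);
            return;
        }
        List<String> missingPrivileges = hasPrivilegesResponse.getIndexPrivileges()
            .stream()
            .map(
                resourcePrivileges -> resourcePrivileges.getPrivileges()
                    .entrySet()
                    .stream()
                    // Keep only the privileges that were not granted (value false or null).
                    .filter(entry -> !Boolean.TRUE.equals(entry.getValue()))
                    .map(entry -> entry.getKey())
                    .collect(Collectors.joining(", ", resourcePrivileges.getResource() + ":[", "]"))
            )
            .collect(Collectors.toList());
        actionListener.onFailure(
            Exceptions.authorizationError(
                "Cannot {} transform [{}] because user {} lacks the required permissions {}",
                str,
                str3,
                str2,
                missingPrivileges
            )
        );
    }

    private TransformPrivilegeChecker() {
    }
}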
