package org.elasticsearch.xpack.security.authz;

import java.util.Collection;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.IndexPrivilege;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authz/AuthorizationDenialMessages.class */
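/**
 * Builds the human-readable explanations attached to authorization denials.
 *
 * <p>Every message starts from {@link #actionIsUnauthorizedMessage(String, String)} and is then
 * extended with details about the requesting subject (authenticating principal, run-as target,
 * role names, API key id) and, for {@link #actionDenied}, the names of the privileges that would
 * have granted the action. All of that detail describes the requester's own subject or the
 * requested action; NOTE(review): confirm where callers surface this text before embedding
 * anything beyond that.
 *
 * <p>This listing is decompiler output. The decompiler reports that {@code runAsDenied} and
 * {@code actionDenied} were originally package-private (they are kept {@code public} here so
 * existing callers of this listing still compile), and the synthetic {@code $assertionsDisabled}
 * field plus its static initializer have been folded back into the plain {@code assert}
 * statements javac generates them from, which preserves the runtime behavior exactly.
 */
public class AuthorizationDenialMessages {

    /** Static helpers only; never instantiated. */
    private AuthorizationDenialMessages() {
    }

    /**
     * Message for a request denied because the authenticating subject may not run as the
     * effective user.
     *
     * @param authentication the run-as authentication being denied
     * @param action the name of the action that was requested
     * @return {@code "action [<action>] is unauthorized for <subject> because <subject> is
     *     unauthorized to run as [<effective principal>]"}
     * @throws AssertionError when assertions are enabled and {@code authentication} is not run-as
     */
    public static String runAsDenied(Authentication authentication, String action) {
        assert authentication.isRunAs() : "constructing run as denied message but authentication for action was not run as";
        String subject = authenticatedUserDescription(authentication);
        // getUser() is the effective (run-as) user; the authenticating user is already named in subject
        String reason = "because " + subject + " is unauthorized to run as [" + authentication.getUser().principal() + "]";
        return actionIsUnauthorizedMessage(action, subject) + " " + reason;
    }

    /**
     * Message for an action denied by the authorization engine.
     *
     * <p>The subject description is extended with the run-as target when applicable and, for
     * subjects that are neither service accounts nor API keys, with the effective user's role
     * names. The optional {@code context} is appended verbatim after the base message. Finally,
     * when the action is a cluster action (per {@link ClusterPrivilegeResolver#isClusterAction})
     * or an index action (per {@link AuthorizationService#isIndexAction}), the privileges that
     * would grant it are listed if the respective resolver returns any.
     *
     * @param authentication the authentication of the denied request
     * @param action the name of the action that was requested
     * @param request the transport request, passed through to the cluster privilege resolver
     * @param context optional extra text appended to the message, or {@code null} for none
     * @return the full denial message
     */
    public static String actionDenied(Authentication authentication, String action, TransportRequest request, @Nullable String context) {
        String subject = authenticatedUserDescription(authentication);
        if (authentication.isRunAs()) {
            // getUser() is the effective (run-as) user; the authenticating user is already named in subject
            subject = subject + " run as [" + authentication.getUser().principal() + "]";
        }
        if (!authentication.isServiceAccount() && !authentication.isApiKey()) {
            // service accounts and API keys are described without their role names
            subject = subject + " with roles [" + Strings.arrayToCommaDelimitedString(authentication.getUser().roles()) + "]";
        }

        String message = actionIsUnauthorizedMessage(action, subject);
        if (context != null) {
            message = message + " " + context;
        }

        if (ClusterPrivilegeResolver.isClusterAction(action)) {
            Collection<?> granting = ClusterPrivilegeResolver.findPrivilegesThatGrant(action, request, authentication);
            if (granting != null && !granting.isEmpty()) {
                message = message + ", this action is granted by the cluster privileges [" + Strings.collectionToCommaDelimitedString(granting) + "]";
            }
        } else if (AuthorizationService.isIndexAction(action)) {
            Collection<?> granting = IndexPrivilege.findPrivilegesThatGrant(action);
            if (granting != null && !granting.isEmpty()) {
                message = message + ", this action is granted by the index privileges [" + Strings.collectionToCommaDelimitedString(granting) + "]";
            }
        }
        return message;
    }

    /**
     * Describes the authenticating subject: {@code "service account [p]"} or {@code "user [p]"}
     * using the authenticating subject's principal, prefixed with {@code "API key id [id] of "}
     * when the subject authenticated with an API key.
     *
     * @param authentication the authentication to describe
     * @return the subject description used in denial messages
     * @throws AssertionError when assertions are enabled, the subject authenticated as an API key,
     *     and the metadata carries no API key id
     */
    private static String authenticatedUserDescription(Authentication authentication) {
        String kind = authentication.isAuthenticatedWithServiceAccount() ? "service account" : "user";
        String description = kind + " [" + authentication.getAuthenticatingSubject().getUser().principal() + "]";
        if (authentication.isAuthenticatedAsApiKey()) {
            String apiKeyId = (String) authentication.getMetadata().get("_security_api_key_id");
            // with assertions disabled a missing id is rendered literally as "null", as before
            assert apiKeyId != null : "api key id must be present in the metadata";
            description = "API key id [" + apiKeyId + "] of " + description;
        }
        return description;
    }

    /**
     * Base form shared by all denial messages.
     *
     * @param action the name of the action that was requested
     * @param subjectDescription the subject text produced by {@link #authenticatedUserDescription}
     * @return {@code "action [<action>] is unauthorized for <subjectDescription>"}
     */
    private static String actionIsUnauthorizedMessage(String action, String subjectDescription) {
        return "action [" + action + "] is unauthorized for " + subjectDescription;
    }
}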
