package org.elasticsearch.xpack.security.authz.permission;

import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.security.action.user.AuthenticateAction;
import org.elasticsearch.xpack.security.action.user.ChangePasswordAction;
import org.elasticsearch.xpack.security.action.user.UserRequest;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.esnative.NativeRealm;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.authz.permission.ClusterPermission;
import org.elasticsearch.xpack.security.authz.permission.IndicesPermission;
import org.elasticsearch.xpack.security.authz.permission.RunAsPermission;
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
import org.elasticsearch.xpack.security.authz.privilege.Privilege;

/* loaded from: input_file:org/elasticsearch/xpack/security/authz/permission/DefaultRole.class */
/**
 * Singleton role named {@code "__default_role"}.
 *
 * <p>It carries no index permissions and no run-as permissions. Its only cluster
 * permission is built from {@link ChangePasswordAction#NAME} and
 * {@link AuthenticateAction#NAME}, and is further narrowed by
 * {@link SameUserClusterPermission} so that a request is granted only when it
 * names exactly one user and that user is the effective (run-as) principal.
 *
 * <p>Security note: the sanity checks below are written as {@code assert}
 * statements followed by an explicit deny. With assertions disabled (the usual
 * JVM default) the {@code return false} is what actually rejects the request;
 * with assertions enabled the same condition raises {@link AssertionError}.
 * Either way an unexpected request shape is never granted.
 */
public class DefaultRole extends Role {
    // Initialised in declaration order; INSTANCE must stay last because the
    // constructor reads the three permission constants.
    private static final ClusterPermission.Core CLUSTER_PERMISSION =
            new SameUserClusterPermission(
                    ClusterPrivilege.get(new Privilege.Name(ChangePasswordAction.NAME, AuthenticateAction.NAME)));
    private static final IndicesPermission.Core INDICES_PERMISSION = IndicesPermission.Core.NONE;
    private static final RunAsPermission.Core RUN_AS_PERMISSION = RunAsPermission.Core.NONE;
    public static final String NAME = "__default_role";
    public static final DefaultRole INSTANCE = new DefaultRole();

    /**
     * Cluster permission that additionally requires the request to target the
     * caller's own (effective) username.
     */
    private static class SameUserClusterPermission extends ClusterPermission.Core {

        private SameUserClusterPermission(ClusterPrivilege clusterPrivilege) {
            super(clusterPrivilege);
        }

        /**
         * Decides whether the action may run for this authentication.
         *
         * @param str              the action name being authorized
         * @param transportRequest the request; only a {@link UserRequest} can be granted
         * @param authentication   the caller's authentication
         * @return {@code true} only if the parent permission matches, the request names
         *         exactly one non-null username equal to the run-as user's principal,
         *         and, for the change-password action, the realm check also passes
         */
        @Override
        public boolean check(String str, TransportRequest transportRequest, Authentication authentication) {
            final boolean grantedByPrivilege = super.check(str, transportRequest, authentication);
            if (!grantedByPrivilege) {
                return false;
            }

            final boolean isUserRequest = transportRequest instanceof UserRequest;
            if (!isUserRequest) {
                // Fail closed: an unknown request type cannot be tied to a single user.
                assert false : "right now only a user request should be allowed";
                return false;
            }

            final UserRequest userRequest = (UserRequest) transportRequest;
            final String[] targets = userRequest.usernames();
            final boolean singleTarget = targets != null && targets.length == 1 && targets[0] != null;
            if (!singleTarget) {
                // Fail closed: zero, several, or a null username is never "the same user".
                assert false : "this role should only be used for actions to apply to a single user";
                return false;
            }

            // The comparison is against the run-as user, i.e. the identity the request
            // is executed as, not necessarily the identity that presented credentials.
            final boolean sameUser = authentication.getRunAsUser().principal().equals(targets[0]);
            if (sameUser && ChangePasswordAction.NAME.equals(str)) {
                // A matching username alone is not enough to change a password;
                // the realm type is checked as well.
                return DefaultRole.checkChangePasswordAction(authentication);
            }

            // Any other action that matched the username must be the authenticate action.
            assert AuthenticateAction.NAME.equals(str) || !sameUser;
            return sameUser;
        }
    }

    private DefaultRole() {
        super(NAME, CLUSTER_PERMISSION, INDICES_PERMISSION, RUN_AS_PERMISSION);
    }

    /**
     * Tells whether the realm behind this authentication is one whose type is
     * {@link ReservedRealm#TYPE} or {@link NativeRealm#TYPE}.
     *
     * <p>When the user and the run-as user are different objects, the realm that
     * looked the user up is consulted; otherwise the realm that authenticated the
     * user is consulted.
     *
     * @param authentication the caller's authentication
     * @return {@code true} if the selected realm's type is the reserved or native type
     */
    static boolean checkChangePasswordAction(Authentication authentication) {
        // NOTE(review): identity comparison, not equals(); this presumably relies on
        // run-as producing a distinct user instance. Confirm against Authentication.
        final boolean runAs = authentication.getUser() != authentication.getRunAsUser();

        final String realmType;
        if (runAs) {
            // NOTE(review): assumes getLookedUpBy() is non-null for run-as; confirm.
            realmType = authentication.getLookedUpBy().getType();
        } else {
            realmType = authentication.getAuthenticatedBy().getType();
        }

        assert realmType != null;
        // Binding the decision to the realm type, not just the username, presumably
        // keeps a same-named user from another realm from changing this password.
        return ReservedRealm.TYPE.equals(realmType) || NativeRealm.TYPE.equals(realmType);
    }
}
