package org.elasticsearch.xpack.security.action.token;

import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenRequest;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/token/TransportCreateTokenAction.class */
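/**
 * Transport action behind {@code cluster:admin/xpack/security/token/create}.
 * <p>
 * For the {@code password} and {@code kerberos} grants the credentials carried by the request are
 * authenticated in a stashed thread context and tokens are then created for the resulting
 * authentication. For {@code client_credentials} tokens are created directly for the already
 * authenticated caller. Secret material taken from the request is released once it has been used,
 * and it is never echoed into error messages.
 */
public final class TransportCreateTokenAction extends HandledTransportAction<CreateTokenRequest, CreateTokenResponse> {
    private static final String ACTION_NAME = "cluster:admin/xpack/security/token/create";
    private static final String DEFAULT_SCOPE = "full";
    private final ThreadPool threadPool;
    private final TokenService tokenService;
    private final AuthenticationService authenticationService;

    @Inject
    public TransportCreateTokenAction(ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters,
                                      TokenService tokenService, AuthenticationService authenticationService) {
        super(ACTION_NAME, transportService, actionFilters, CreateTokenRequest::new);
        this.threadPool = threadPool;
        this.tokenService = tokenService;
        this.authenticationService = authenticationService;
    }

    /**
     * Dispatches on the requested grant type. The grant type string is expected to have been
     * validated by the request already, hence the assertion rather than a user-facing error.
     */
    protected void doExecute(Task task, CreateTokenRequest request, ActionListener<CreateTokenResponse> listener) {
        CreateTokenRequest.GrantType type = CreateTokenRequest.GrantType.fromString(request.getGrantType());
        assert type != null : "type should have been validated in the action";
        switch (type) {
            case PASSWORD:
            case KERBEROS:
                authenticateAndCreateToken(type, request, listener);
                break;
            case CLIENT_CREDENTIALS: {
                // The caller is already authenticated; issue tokens for that authentication, with the
                // caller recorded as its own originator and the refresh-token flag off.
                Authentication authentication = Authentication.getAuthentication(threadPool.getThreadContext());
                createToken(type, request, authentication, authentication, false, listener);
                break;
            }
            default:
                listener.onFailure(new IllegalStateException("grant_type [" + request.getGrantType()
                    + "] is not supported by the create token action"));
                break;
        }
    }

    /**
     * Authenticates the credentials carried by the request (username/password or kerberos ticket)
     * and, on success, creates tokens for the resulting authentication. The caller's own
     * authentication is captured before the thread context is stashed so that it can be passed
     * on as the originating authentication of the new token.
     * <p>
     * The listener is completed exactly once on every path.
     */
    private void authenticateAndCreateToken(CreateTokenRequest.GrantType grantType, CreateTokenRequest request,
                                            ActionListener<CreateTokenResponse> listener) {
        Authentication originatingAuthentication = Authentication.getAuthentication(threadPool.getThreadContext());
        // Stash the caller's context so that authenticating the request's own credentials neither
        // sees nor overwrites the caller's authentication in the thread context.
        try (ThreadContext.StoredContext ignore = threadPool.getThreadContext().stashContext()) {
            final AuthenticationToken authToken;
            try {
                authToken = extractAuthenticationToken(grantType, request);
            } catch (IllegalArgumentException e) {
                // The kerberos ticket was not valid base64. Fail once and stop: continuing would hand a
                // null ticket to authenticate() and complete the listener a second time. The ticket
                // itself is deliberately not included in the message, since exception messages end up
                // in logs and in the response to the client.
                clearCredentialsFromRequest(grantType, request);
                listener.onFailure(new UnsupportedOperationException("could not decode base64 kerberos ticket", e));
                return;
            }
            if (authToken == null) {
                listener.onFailure(new IllegalStateException("grant_type [" + request.getGrantType()
                    + "] is not supported by the create token action"));
                return;
            }
            authenticationService.authenticate(ACTION_NAME, (TransportMessage) request, authToken, ActionListener.wrap(authentication -> {
                // Whatever the outcome, the plaintext credentials must not outlive the authentication attempt.
                clearCredentialsFromRequest(grantType, request);
                if (authentication == null) {
                    listener.onFailure(new UnsupportedOperationException("cannot create token if authentication is not allowed"));
                } else {
                    createToken(grantType, request, authentication, originatingAuthentication, true, listener);
                }
            }, ex -> {
                clearCredentialsFromRequest(grantType, request);
                listener.onFailure(ex);
            }));
        }
    }

    /**
     * Builds the {@link AuthenticationToken} to authenticate for the given grant type.
     *
     * @return a {@link UsernamePasswordToken} for {@code password}, a {@link KerberosAuthenticationToken}
     *         holding the base64-decoded ticket for {@code kerberos}, or {@code null} for any other grant type
     * @throws IllegalArgumentException if the kerberos ticket is not valid base64
     */
    private static AuthenticationToken extractAuthenticationToken(CreateTokenRequest.GrantType grantType, CreateTokenRequest request) {
        switch (grantType) {
            case PASSWORD:
                return new UsernamePasswordToken(request.getUsername(), request.getPassword());
            case KERBEROS: {
                // toString() materialises the ticket as an immutable String (presumably a copy out of a
                // SecureString); Base64.Decoder has no char[] entry point, so that copy is unavoidable here.
                byte[] decodedTicket = Base64.getDecoder().decode(request.getKerberosTicket().toString());
                return new KerberosAuthenticationToken(decodedTicket);
            }
            default:
                return null;
        }
    }

    /**
     * Closes the secret the request carried for the given grant type (the password for
     * {@code password}, the ticket for {@code kerberos}); other grant types carry no secret.
     */
    private static void clearCredentialsFromRequest(CreateTokenRequest.GrantType grantType, CreateTokenRequest request) {
        switch (grantType) {
            case PASSWORD:
                request.getPassword().close();
                break;
            case KERBEROS:
                request.getKerberosTicket().close();
                break;
            default:
                break;
        }
    }

    /**
     * Asks the {@link TokenService} for tokens and turns the result into a {@link CreateTokenResponse}.
     *
     * @param authentication            the authentication the tokens are issued for
     * @param originatingAuthentication the authentication that requested the tokens (the same object for
     *                                  {@code client_credentials})
     * @param includeRefreshToken       passed through to the token service; {@code true} for the password and
     *                                  kerberos grants, {@code false} for client_credentials — presumably
     *                                  controls whether a refresh token is issued, confirm against
     *                                  {@code TokenService#createOAuth2Tokens}
     */
    private void createToken(CreateTokenRequest.GrantType grantType, CreateTokenRequest request, Authentication authentication,
                             Authentication originatingAuthentication, boolean includeRefreshToken,
                             ActionListener<CreateTokenResponse> listener) {
        tokenService.createOAuth2Tokens(authentication, originatingAuthentication, Collections.emptyMap(), includeRefreshToken,
            ActionListener.wrap(tokens -> {
                // Only the kerberos grant may have an out-token for the client, taken from the response headers.
                String kerberosOutToken = grantType == CreateTokenRequest.GrantType.KERBEROS ? extractOutToken() : null;
                listener.onResponse(new CreateTokenResponse(tokens.v1(), tokenService.getExpirationDelay(),
                    getResponseScopeValue(request.getScope()), tokens.v2(), kerberosOutToken));
            }, listener::onFailure));
    }

    /**
     * Reads the kerberos out-token from the {@code WWW-Authenticate} response header of the current
     * thread context. Exactly one value starting with the negotiate prefix is expected; in every
     * other case the header is removed and {@code null} is returned.
     *
     * @return the header value with the negotiate prefix stripped and trimmed, or {@code null}
     */
    private String extractOutToken() {
        List<String> values = threadPool.getThreadContext().getResponseHeaders().get(KerberosAuthenticationToken.WWW_AUTHENTICATE);
        if (values != null && values.size() == 1) {
            String headerValue = values.get(0);
            if (headerValue.startsWith(KerberosAuthenticationToken.NEGOTIATE_AUTH_HEADER_PREFIX)) {
                return headerValue.substring(KerberosAuthenticationToken.NEGOTIATE_AUTH_HEADER_PREFIX.length()).trim();
            }
        }
        // NOTE(review): this removal only takes effect if getResponseHeaders() returns a live, mutable view
        // of the thread context's response headers rather than an unmodifiable copy — confirm against ThreadContext.
        threadPool.getThreadContext().getResponseHeaders().remove(KerberosAuthenticationToken.WWW_AUTHENTICATE);
        return null;
    }

    /**
     * Maps the scope requested by the client onto the scope reported in the response: any requested
     * scope is reported as {@value #DEFAULT_SCOPE}; no requested scope yields {@code null}.
     */
    public static String getResponseScopeValue(String requestedScope) {
        return requestedScope == null ? null : DEFAULT_SCOPE;
    }
}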
