package org.elasticsearch.xpack.core.security.action;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.ValidateActions;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.BearerToken;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/action/Grant.class */
public class Grant implements Writeable {
    public static final String PASSWORD_GRANT_TYPE = "password";
    public static final String ACCESS_TOKEN_GRANT_TYPE = "access_token";
    private String type;
    private String username;
    private SecureString password;
    private SecureString accessToken;
    private String runAsUsername;
    private ClientAuthentication clientAuthentication;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication.class */
    public static final class ClientAuthentication extends Record implements Writeable {
        private final String scheme;
        private final SecureString value;

        public ClientAuthentication(SecureString secureString) {
            this(JwtRealmSettings.HEADER_SHARED_SECRET_AUTHENTICATION_SCHEME, secureString);
        }

        ClientAuthentication(StreamInput streamInput) throws IOException {
            this(streamInput.readString(), streamInput.readSecureString());
        }

        public ClientAuthentication(String str, SecureString secureString) {
            this.scheme = str;
            this.value = secureString;
        }

        public void writeTo(StreamOutput streamOutput) throws IOException {
            streamOutput.writeString(this.scheme);
            streamOutput.writeSecureString(this.value);
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ClientAuthentication.class), ClientAuthentication.class, "scheme;value", "FIELD:Lorg/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication;->scheme:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication;->value:Lorg/elasticsearch/common/settings/SecureString;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ClientAuthentication.class), ClientAuthentication.class, "scheme;value", "FIELD:Lorg/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication;->scheme:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication;->value:Lorg/elasticsearch/common/settings/SecureString;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ClientAuthentication.class, Object.class), ClientAuthentication.class, "scheme;value", "FIELD:Lorg/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication;->scheme:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/core/security/action/Grant$ClientAuthentication;->value:Lorg/elasticsearch/common/settings/SecureString;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String scheme() {
            return this.scheme;
        }

        public SecureString value() {
            return this.value;
        }
    }

    public Grant() {
    }

    public Grant(StreamInput streamInput) throws IOException {
        this.type = streamInput.readString();
        this.username = streamInput.readOptionalString();
        this.password = streamInput.readOptionalSecureString();
        this.accessToken = streamInput.readOptionalSecureString();
        if (streamInput.getTransportVersion().onOrAfter(TransportVersions.V_8_4_0)) {
            this.runAsUsername = streamInput.readOptionalString();
        } else {
            this.runAsUsername = null;
        }
        if (streamInput.getTransportVersion().onOrAfter(TransportVersions.V_8_12_0)) {
            this.clientAuthentication = (ClientAuthentication) streamInput.readOptionalWriteable(ClientAuthentication::new);
        } else {
            this.clientAuthentication = null;
        }
    }

    public void writeTo(StreamOutput streamOutput) throws IOException {
        streamOutput.writeString(this.type);
        streamOutput.writeOptionalString(this.username);
        streamOutput.writeOptionalSecureString(this.password);
        streamOutput.writeOptionalSecureString(this.accessToken);
        if (streamOutput.getTransportVersion().onOrAfter(TransportVersions.V_8_4_0)) {
            streamOutput.writeOptionalString(this.runAsUsername);
        }
        if (streamOutput.getTransportVersion().onOrAfter(TransportVersions.V_8_12_0)) {
            streamOutput.writeOptionalWriteable(this.clientAuthentication);
        }
    }

    public String getType() {
        return this.type;
    }

    public String getUsername() {
        return this.username;
    }

    public SecureString getPassword() {
        return this.password;
    }

    public SecureString getAccessToken() {
        return this.accessToken;
    }

    public String getRunAsUsername() {
        return this.runAsUsername;
    }

    public ClientAuthentication getClientAuthentication() {
        return this.clientAuthentication;
    }

    public void setType(String str) {
        this.type = str;
    }

    public void setUsername(String str) {
        this.username = str;
    }

    public void setPassword(SecureString secureString) {
        this.password = secureString;
    }

    public void setAccessToken(SecureString secureString) {
        this.accessToken = secureString;
    }

    public void setRunAsUsername(String str) {
        this.runAsUsername = str;
    }

    public void setClientAuthentication(ClientAuthentication clientAuthentication) {
        this.clientAuthentication = clientAuthentication;
    }

    public AuthenticationToken getAuthenticationToken() {
        if (!$assertionsDisabled && validate(null) != null) {
            throw new AssertionError("grant is invalid");
        }
        String str = this.type;
        boolean z = -1;
        switch (str.hashCode()) {
            case -1938933922:
                if (str.equals(ACCESS_TOKEN_GRANT_TYPE)) {
                    z = true;
                    break;
                }
                break;
            case 1216985755:
                if (str.equals(PASSWORD_GRANT_TYPE)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return new UsernamePasswordToken(this.username, this.password);
            case true:
                SecureString value = this.clientAuthentication != null ? this.clientAuthentication.value() : null;
                JwtAuthenticationToken tryParseJwt = JwtAuthenticationToken.tryParseJwt(this.accessToken, value);
                if (tryParseJwt != null) {
                    return tryParseJwt;
                }
                if (value == null) {
                    return new BearerToken(this.accessToken);
                }
                value.close();
                throw new ElasticsearchSecurityException("[client_authentication] not supported with the supplied access_token type", RestStatus.BAD_REQUEST, new Object[0]);
            default:
                throw new ElasticsearchSecurityException("the grant type [{}] is not supported", new Object[]{this.type});
        }
    }

    public ActionRequestValidationException validate(ActionRequestValidationException actionRequestValidationException) {
        ActionRequestValidationException addValidationError;
        if (this.type == null) {
            addValidationError = ValidateActions.addValidationError("[grant_type] is required", actionRequestValidationException);
        } else if (this.type.equals(PASSWORD_GRANT_TYPE)) {
            addValidationError = validateUnsupportedField(ACCESS_TOKEN_GRANT_TYPE, this.accessToken, validateRequiredField(PASSWORD_GRANT_TYPE, this.password, validateRequiredField("username", this.username, actionRequestValidationException)));
            if (this.clientAuthentication != null) {
                return ValidateActions.addValidationError("[client_authentication] is not supported for grant_type [" + this.type + "]", addValidationError);
            }
        } else if (this.type.equals(ACCESS_TOKEN_GRANT_TYPE)) {
            addValidationError = validateUnsupportedField(PASSWORD_GRANT_TYPE, this.password, validateUnsupportedField("username", this.username, validateRequiredField(ACCESS_TOKEN_GRANT_TYPE, this.accessToken, actionRequestValidationException)));
            if (this.clientAuthentication != null && !JwtRealmSettings.HEADER_SHARED_SECRET_AUTHENTICATION_SCHEME.equals(this.clientAuthentication.scheme.trim())) {
                return ValidateActions.addValidationError("[client_authentication.scheme] must be set to [SharedSecret]", addValidationError);
            }
        } else {
            addValidationError = ValidateActions.addValidationError("grant_type [" + this.type + "] is not supported", actionRequestValidationException);
        }
        return addValidationError;
    }

    private ActionRequestValidationException validateRequiredField(String str, CharSequence charSequence, ActionRequestValidationException actionRequestValidationException) {
        return (charSequence == null || charSequence.length() == 0) ? ValidateActions.addValidationError("[" + str + "] is required for grant_type [" + this.type + "]", actionRequestValidationException) : actionRequestValidationException;
    }

    private ActionRequestValidationException validateUnsupportedField(String str, CharSequence charSequence, ActionRequestValidationException actionRequestValidationException) {
        return (charSequence == null || charSequence.length() <= 0) ? actionRequestValidationException : ValidateActions.addValidationError("[" + str + "] is not supported for grant_type [" + this.type + "]", actionRequestValidationException);
    }

    static {
        $assertionsDisabled = !Grant.class.desiredAssertionStatus();
    }
}
