package org.elasticsearch.xpack.security.rest.action.oauth2;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.core.RestApiVersion;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.BaseRestHandler;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestRequestFilter;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.ObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenAction;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenRequest;
import org.elasticsearch.xpack.core.security.action.token.CreateTokenResponse;
import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/rest/action/oauth2/RestGetTokenAction.class */
public final class RestGetTokenAction extends TokenBaseRestHandler implements RestRequestFilter {
    static final ConstructingObjectParser<CreateTokenRequest, Void> PARSER = new ConstructingObjectParser<>("token_request", objArr -> {
        return new CreateTokenRequest((String) objArr[0], (String) objArr[1], (SecureString) objArr[2], (SecureString) objArr[3], (String) objArr[4], (String) objArr[5]);
    });
    private static final Set<String> FILTERED_FIELDS;

    /* loaded from: input_file:org/elasticsearch/xpack/security/rest/action/oauth2/RestGetTokenAction$CreateTokenResponseActionListener.class */
    static class CreateTokenResponseActionListener implements ActionListener<CreateTokenResponse> {
        private final RestChannel channel;
        private final RestRequest request;
        private final Logger logger;

        CreateTokenResponseActionListener(RestChannel restChannel, RestRequest restRequest, Logger logger) {
            this.channel = restChannel;
            this.request = restRequest;
            this.logger = logger;
        }

        public void onResponse(CreateTokenResponse createTokenResponse) {
            try {
                XContentBuilder newBuilder = this.channel.newBuilder();
                try {
                    this.channel.sendResponse(new BytesRestResponse(RestStatus.OK, createTokenResponse.toXContent(newBuilder, this.request)));
                    if (newBuilder != null) {
                        newBuilder.close();
                    }
                } finally {
                }
            } catch (IOException e) {
                onFailure(e);
            }
        }

        public void onFailure(Exception exc) {
            this.logger.debug("Failed to create token", exc);
            if (exc instanceof ActionRequestValidationException) {
                ActionRequestValidationException actionRequestValidationException = (ActionRequestValidationException) exc;
                sendTokenErrorResponse(actionRequestValidationException.validationErrors().stream().anyMatch(str -> {
                    return str.contains("grant_type");
                }) ? TokenRequestError.UNSUPPORTED_GRANT_TYPE : TokenRequestError.INVALID_REQUEST, actionRequestValidationException.getMessage(), exc);
            } else if ((exc instanceof ElasticsearchSecurityException) && "invalid_grant".equals(exc.getMessage()) && ((ElasticsearchSecurityException) exc).getHeader("error_description").size() == 1) {
                sendTokenErrorResponse(TokenRequestError.INVALID_GRANT, (String) ((ElasticsearchSecurityException) exc).getHeader("error_description").get(0), exc);
            } else if ((exc instanceof ElasticsearchSecurityException) && "failed to authenticate user, gss context negotiation not complete".equals(exc.getMessage())) {
                sendTokenErrorResponse(TokenRequestError._UNAUTHORIZED, extractBase64EncodedToken((ElasticsearchSecurityException) exc), exc);
            } else {
                sendFailure(exc);
            }
        }

        private String extractBase64EncodedToken(ElasticsearchSecurityException elasticsearchSecurityException) {
            String str = null;
            List header = elasticsearchSecurityException.getHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE);
            if (header != null && header.size() == 1) {
                String str2 = (String) header.get(0);
                if (str2.startsWith(KerberosAuthenticationToken.NEGOTIATE_AUTH_HEADER_PREFIX)) {
                    str = str2.substring(KerberosAuthenticationToken.NEGOTIATE_AUTH_HEADER_PREFIX.length()).trim();
                }
            }
            return str;
        }

        void sendTokenErrorResponse(TokenRequestError tokenRequestError, String str, Exception exc) {
            try {
                XContentBuilder newErrorBuilder = this.channel.newErrorBuilder();
                try {
                    newErrorBuilder.startObject().field("error", tokenRequestError.toString().toLowerCase(Locale.ROOT)).field("error_description", str).endObject();
                    this.channel.sendResponse(new BytesRestResponse(RestStatus.BAD_REQUEST, newErrorBuilder));
                    if (newErrorBuilder != null) {
                        newErrorBuilder.close();
                    }
                } finally {
                }
            } catch (IOException e) {
                e.addSuppressed(exc);
                sendFailure(exc);
            }
        }

        void sendFailure(Exception exc) {
            try {
                this.channel.sendResponse(new BytesRestResponse(this.channel, exc));
            } catch (Exception e) {
                e.addSuppressed(exc);
                this.logger.error("failed to send failure response", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/rest/action/oauth2/RestGetTokenAction$TokenRequestError.class */
    public enum TokenRequestError {
        INVALID_REQUEST,
        INVALID_CLIENT,
        INVALID_GRANT,
        UNAUTHORIZED_CLIENT,
        UNSUPPORTED_GRANT_TYPE,
        INVALID_SCOPE,
        _UNAUTHORIZED
    }

    public RestGetTokenAction(Settings settings, XPackLicenseState xPackLicenseState) {
        super(settings, xPackLicenseState);
    }

    public List<RestHandler.Route> routes() {
        return org.elasticsearch.core.List.of(RestHandler.Route.builder(RestRequest.Method.POST, "/_security/oauth2/token").replaces(RestRequest.Method.POST, "/_xpack/security/oauth2/token", RestApiVersion.V_7).build());
    }

    public String getName() {
        return "security_get_token_action";
    }

    @Override // org.elasticsearch.xpack.security.rest.action.SecurityBaseRestHandler
    protected BaseRestHandler.RestChannelConsumer innerPrepareRequest(RestRequest restRequest, NodeClient nodeClient) throws IOException {
        XContentParser contentParser = restRequest.contentParser();
        try {
            CreateTokenRequest createTokenRequest = (CreateTokenRequest) PARSER.parse(contentParser, (Object) null);
            RefreshTokenAction refreshTokenAction = "refresh_token".equals(createTokenRequest.getGrantType()) ? RefreshTokenAction.INSTANCE : CreateTokenAction.INSTANCE;
            BaseRestHandler.RestChannelConsumer restChannelConsumer = restChannel -> {
                nodeClient.execute(refreshTokenAction, createTokenRequest, new CreateTokenResponseActionListener(restChannel, restRequest, this.logger));
            };
            if (contentParser != null) {
                contentParser.close();
            }
            return restChannelConsumer;
        } catch (Throwable th) {
            if (contentParser != null) {
                try {
                    contentParser.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public Set<String> getFilteredFields() {
        return FILTERED_FIELDS;
    }

    static {
        PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), new ParseField("grant_type", new String[0]));
        PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), new ParseField("username", new String[0]));
        PARSER.declareField(ConstructingObjectParser.optionalConstructorArg(), xContentParser -> {
            return new SecureString(Arrays.copyOfRange(xContentParser.textCharacters(), xContentParser.textOffset(), xContentParser.textOffset() + xContentParser.textLength()));
        }, new ParseField("password", new String[0]), ObjectParser.ValueType.STRING);
        PARSER.declareField(ConstructingObjectParser.optionalConstructorArg(), xContentParser2 -> {
            return new SecureString(Arrays.copyOfRange(xContentParser2.textCharacters(), xContentParser2.textOffset(), xContentParser2.textOffset() + xContentParser2.textLength()));
        }, new ParseField("kerberos_ticket", new String[0]), ObjectParser.ValueType.STRING);
        PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), new ParseField("scope", new String[0]));
        PARSER.declareString(ConstructingObjectParser.optionalConstructorArg(), new ParseField("refresh_token", new String[0]));
        FILTERED_FIELDS = Collections.unmodifiableSet(Sets.newHashSet(new String[]{"password", "kerberos_ticket", "refresh_token"}));
    }
}
