package org.elasticsearch.xpack.security.action.saml;

import java.util.Map;
import java.util.Objects;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.action.saml.SamlLogoutRequest;
import org.elasticsearch.xpack.core.security.action.saml.SamlLogoutResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.saml.SamlNameId;
import org.elasticsearch.xpack.security.authc.saml.SamlRealm;
import org.elasticsearch.xpack.security.authc.saml.SamlRedirect;
import org.elasticsearch.xpack.security.authc.saml.SamlUtils;
import org.opensaml.saml.saml2.core.LogoutRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/saml/TransportSamlLogoutAction.class */
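/**
 * Transport action behind the SAML logout API ({@code cluster:admin/xpack/security/saml/logout}).
 * <p>
 * The logout flow is: invalidate the optional refresh token, resolve the authentication and SAML
 * metadata stored with the access token, build the IdP logout request (a {@link SamlLogoutResponse}
 * carrying its ID and redirect URL), and only then invalidate the access token. Building the
 * response before invalidating the access token means a failure while constructing the logout
 * request leaves the token untouched.
 * <p>
 * This is a cleaned-up version of decompiler output: raw {@code CheckedConsumer} types, explicit
 * {@code Objects.requireNonNull} calls and the synthetic bridge method (all of which javac
 * regenerates) have been dropped; behaviour is unchanged.
 */
public final class TransportSamlLogoutAction extends HandledTransportAction<SamlLogoutRequest, SamlLogoutResponse> {
    private final Realms realms;
    private final TokenService tokenService;

    /**
     * @param transportService the node's transport service
     * @param actionFilters    filters applied to every action
     * @param realms           configured realms, used to look up the SAML realm that issued the authentication
     * @param tokenService     token service used to resolve and invalidate access/refresh tokens
     */
    @Inject
    public TransportSamlLogoutAction(TransportService transportService, ActionFilters actionFilters, Realms realms, TokenService tokenService) {
        super("cluster:admin/xpack/security/saml/logout", transportService, actionFilters, SamlLogoutRequest::new);
        this.realms = realms;
        this.tokenService = tokenService;
    }

    /**
     * Executes the logout.
     *
     * @param task              the task executing this action
     * @param samlLogoutRequest carries the access token and an optional refresh token
     * @param actionListener    receives the logout response, or the failure of any step
     */
    @Override
    protected void doExecute(Task task, SamlLogoutRequest samlLogoutRequest, ActionListener<SamlLogoutResponse> actionListener) {
        // Step 1: refresh token first (no-op when absent), so a stale refresh token cannot mint a new access token later.
        invalidateRefreshToken(samlLogoutRequest.getRefreshToken(), ActionListener.wrap(ignoredRefreshResult -> {
            try {
                final String token = samlLogoutRequest.getToken();
                // Step 2: resolve who the access token belongs to and the SAML metadata recorded at login.
                tokenService.getAuthenticationAndMetadata(token, ActionListener.wrap(tuple -> {
                    final Authentication authentication = tuple.v1();
                    // Step 3: build the logout request before touching the access token, so a
                    // realm/metadata mismatch fails the request without invalidating anything.
                    final SamlLogoutResponse response = buildResponse(authentication, tuple.v2());
                    // Step 4: invalidate the access token and report the prepared response.
                    tokenService.invalidateAccessToken(token, ActionListener.wrap(ignoredAccessResult -> {
                        if (logger.isTraceEnabled()) {
                            // Only the first and last 8 characters of the token are logged, never the full value.
                            // NOTE(review): assumes tokens are at least 16 characters; a shorter token would throw
                            // StringIndexOutOfBoundsException here (trace level only) - confirm against TokenService.
                            logger.trace("SAML Logout User [{}], Token [{}...{}]", authentication.getUser().principal(), token.substring(0, 8), token.substring(token.length() - 8));
                        }
                        actionListener.onResponse(response);
                    }, actionListener::onFailure));
                }, actionListener::onFailure));
            } catch (ElasticsearchException e) {
                // Covers the synchronous failures (e.g. SamlUtils.samlException from buildResponse) thrown
                // inside the callback; asynchronous failures are routed through the wrapped listeners above.
                logger.debug("Internal exception during SAML logout", e);
                actionListener.onFailure(e);
            }
        }, actionListener::onFailure));
    }

    /**
     * Invalidates the refresh token, or completes immediately with {@code null} when none was supplied.
     *
     * @param refreshToken   the refresh token from the request, may be {@code null}
     * @param actionListener receives the invalidation result, or {@code null} when there was nothing to invalidate
     */
    private void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> actionListener) {
        if (refreshToken == null) {
            actionListener.onResponse(null);
        } else {
            tokenService.invalidateRefreshToken(refreshToken, actionListener);
        }
    }

    /**
     * Builds the logout response for the authenticated user from the SAML metadata stored with the access token.
     *
     * @param authentication the authentication behind the access token
     * @param metadata       the SAML metadata stored with the access token (realm name, NameID parts, session index)
     * @return a response holding the logout request's ID and redirect URL, or a response with both {@code null}
     *         when the realm builds no logout request
     * @throws ElasticsearchException (via {@link SamlUtils#samlException}) when there is no authentication or user,
     *         the authenticating realm is not a SAML realm, or the realm recorded in the token metadata differs
     *         from the authenticating realm
     */
    private SamlLogoutResponse buildResponse(Authentication authentication, Map<String, Object> metadata) {
        if (authentication == null) {
            throw SamlUtils.samlException("No active authentication");
        }
        if (authentication.getUser() == null) {
            throw SamlUtils.samlException("No active user");
        }
        final SamlRealm realm = findRealm(authentication);
        final String tokenRealm = getMetadataString(metadata, SamlRealm.TOKEN_METADATA_REALM);
        // The realm named in the token metadata must be the realm that authenticated the user; otherwise the
        // token's NameID/session data would be used to build a logout against a different realm's IdP.
        if (realm.name().equals(tokenRealm) == false) {
            throw SamlUtils.samlException("Authenticating realm [{}] does not match token realm [{}]", realm, tokenRealm);
        }
        final SamlNameId nameId = new SamlNameId(
            getMetadataString(metadata, SamlRealm.TOKEN_METADATA_NAMEID_FORMAT),
            getMetadataString(metadata, SamlRealm.TOKEN_METADATA_NAMEID_VALUE),
            getMetadataString(metadata, SamlRealm.TOKEN_METADATA_NAMEID_QUALIFIER),
            getMetadataString(metadata, SamlRealm.TOKEN_METADATA_NAMEID_SP_QUALIFIER),
            getMetadataString(metadata, SamlRealm.TOKEN_METADATA_NAMEID_SP_PROVIDED_ID)
        );
        final String session = getMetadataString(metadata, SamlRealm.TOKEN_METADATA_SESSION);
        final LogoutRequest logoutRequest = realm.buildLogoutRequest(nameId.asXml(), session);
        if (logoutRequest == null) {
            // The realm produced no logout request; the caller gets an empty response rather than an error.
            return new SamlLogoutResponse(null, null);
        }
        final SamlRedirect redirect = new SamlRedirect((RequestAbstractType) logoutRequest, realm.getSigningConfiguration());
        return new SamlLogoutResponse(logoutRequest.getID(), redirect.getRedirectUrl());
    }

    /**
     * Reads one string-valued entry from the token metadata.
     *
     * @param metadata the SAML metadata stored with the access token
     * @param key      the metadata key to read
     * @return the value, or {@code null} when the key is present with a {@code null} value
     * @throws ElasticsearchException when the key is absent, or its value is not a {@link String}
     */
    private String getMetadataString(Map<String, Object> metadata, String key) {
        final Object value = metadata.get(key);
        if (value == null) {
            // Distinguish "explicitly null" (allowed, e.g. an optional NameID qualifier) from "missing" (an error).
            if (metadata.containsKey(key)) {
                return null;
            }
            throw SamlUtils.samlException("Access token does not have SAML metadata [{}]", key);
        }
        if (value instanceof String str) {
            return str;
        }
        throw SamlUtils.samlException("In access token, SAML metadata [{}] is [{}] rather than String", key, value.getClass());
    }

    /**
     * Resolves the SAML realm that produced the given authentication.
     *
     * @param authentication the authentication to inspect
     * @return the authenticating realm as a {@link SamlRealm}
     * @throws ElasticsearchException when the authentication has no authenticating realm name, the realm no longer
     *         exists, or the realm is not a SAML realm
     */
    private SamlRealm findRealm(Authentication authentication) {
        final Authentication.RealmRef authenticatedBy = authentication.getAuthenticatedBy();
        if (authenticatedBy == null || Strings.isNullOrEmpty(authenticatedBy.getName())) {
            throw SamlUtils.samlException("Authentication {} has no authenticating realm", authentication);
        }
        final Realm realm = realms.realm(authenticatedBy.getName());
        if (realm == null) {
            throw SamlUtils.samlException("Authenticating realm {} does not exist", authenticatedBy.getName());
        }
        if (realm instanceof SamlRealm samlRealm) {
            return samlRealm;
        }
        throw SamlUtils.samlException("Authenticating realm {} is not a SAML realm", realm);
    }
}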
