package org.elasticsearch.xpack.security.authc.service;

import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.security.support.Validation;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/ServiceAccountToken.class */
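/**
 * A service account bearer credential: a qualified token id ({@code namespace/service_name/token_name})
 * paired with a secret held in a {@link SecureString}.
 *
 * <p>The wire form produced by {@link #asBearerString()} and parsed by {@link #fromBearerString(SecureString)}
 * is unpadded Base64 over {@code PREFIX || qualifiedName || ':' || secret}, with the textual parts encoded
 * as UTF-8.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #toString()} exposes only the qualified name, never the secret.</li>
 *   <li>{@link #getSecret()} and {@link #credentials()} hand out the live {@link SecureString};
 *       {@link #close()} closes that same object.</li>
 *   <li>Transient byte/char buffers that hold the secret are zeroed before the encode/decode methods return.</li>
 * </ul>
 */
public class ServiceAccountToken implements AuthenticationToken, Closeable {
    // The four header bytes below appear, in this order, at the start of every decoded token.
    public static final byte MAGIC_BYTE = 0;
    public static final byte TOKEN_TYPE = 1;
    public static final byte RESERVED_BYTE = 0;
    public static final byte FORMAT_VERSION = 1;
    // NOTE(review): this array is public and mutable; any code that writes to it changes what the parser
    // accepts. It is kept public for compatibility and must be treated as read-only.
    public static final byte[] PREFIX = {MAGIC_BYTE, TOKEN_TYPE, RESERVED_BYTE, FORMAT_VERSION};
    private static final Logger logger = LogManager.getLogger(ServiceAccountToken.class);
    private final ServiceAccountTokenId tokenId;
    private final SecureString secret;

    /**
     * Identifies a token by its owning service account and its token name. Contains no secret material.
     */
    public static class ServiceAccountTokenId {
        private final ServiceAccount.ServiceAccountId accountId;
        private final String tokenName;

        /**
         * @param serviceAccountId owning service account; must not be null
         * @param str              token name; must pass {@code Validation.isValidServiceAccountTokenName}
         * @throws NullPointerException     if {@code serviceAccountId} is null
         * @throws IllegalArgumentException if the token name is rejected by validation
         */
        public ServiceAccountTokenId(ServiceAccount.ServiceAccountId serviceAccountId, String str) {
            this.accountId = Objects.requireNonNull(serviceAccountId, "service account ID cannot be null");
            // Validation runs before the null check on purpose: the original order is kept so that the
            // exception type seen by callers does not change.
            // NOTE(review): presumably the validator rejects null, making the null check below a backstop - confirm.
            if (!Validation.isValidServiceAccountTokenName(str)) {
                throw new IllegalArgumentException(Validation.formatInvalidServiceTokenNameErrorMessage(str));
            }
            this.tokenName = Objects.requireNonNull(str, "service account token name cannot be null");
        }

        /** @return the owning service account id */
        public ServiceAccount.ServiceAccountId getAccountId() {
            return this.accountId;
        }

        /** @return the token name (last segment of the qualified name) */
        public String getTokenName() {
            return this.tokenName;
        }

        /** @return the account principal and the token name joined by {@code '/'} */
        public String getQualifiedName() {
            return this.accountId.asPrincipal() + "/" + this.tokenName;
        }

        @Override
        public String toString() {
            return getQualifiedName();
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final ServiceAccountTokenId other = (ServiceAccountTokenId) obj;
            return this.accountId.equals(other.accountId) && this.tokenName.equals(other.tokenName);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.accountId, this.tokenName);
        }
    }

    /**
     * @param serviceAccountId owning service account; must not be null
     * @param str              token name, validated by {@link ServiceAccountTokenId}
     * @param secureString     token secret; must not be null. The instance is stored as-is (not copied),
     *                         so closing it elsewhere also invalidates this token.
     */
    ServiceAccountToken(ServiceAccount.ServiceAccountId serviceAccountId, String str, SecureString secureString) {
        this.tokenId = new ServiceAccountTokenId(serviceAccountId, str);
        this.secret = Objects.requireNonNull(secureString, "service account token secret cannot be null");
    }

    /** @return the identifier part of this token (no secret material) */
    public ServiceAccountTokenId getTokenId() {
        return this.tokenId;
    }

    /** @return the live secret held by this token; it is closed by {@link #close()} */
    public SecureString getSecret() {
        return this.secret;
    }

    /** @return the owning service account id */
    public ServiceAccount.ServiceAccountId getAccountId() {
        return this.tokenId.getAccountId();
    }

    /** @return the token name */
    public String getTokenName() {
        return this.tokenId.getTokenName();
    }

    /** @return the qualified name of the token id */
    public String getQualifiedName() {
        return this.tokenId.getQualifiedName();
    }

    /**
     * Serialises this token to its bearer form: unpadded Base64 of
     * {@code PREFIX || qualifiedName || ':' || secret}.
     *
     * <p>The secret is never turned into a {@link String}; the intermediate byte buffers that contain it
     * are zeroed before returning, so the only remaining copy is inside the returned {@link SecureString}.
     *
     * @return the bearer string; the caller owns it and should close it when done
     * @throws IOException never thrown by this implementation; retained so the signature stays compatible
     */
    public SecureString asBearerString() throws IOException {
        final byte[] nameBytes = getQualifiedName().getBytes(StandardCharsets.UTF_8);
        // getChars() is only read here; the backing array belongs to the SecureString and must not be wiped.
        final byte[] secretBytes = CharArrays.toUtf8Bytes(this.secret.getChars());
        final int separatorAt = PREFIX.length + nameBytes.length;
        final byte[] raw = new byte[separatorAt + 1 + secretBytes.length];
        byte[] encoded = null;
        try {
            System.arraycopy(PREFIX, 0, raw, 0, PREFIX.length);
            System.arraycopy(nameBytes, 0, raw, PREFIX.length, nameBytes.length);
            raw[separatorAt] = (byte) ':';
            System.arraycopy(secretBytes, 0, raw, separatorAt + 1, secretBytes.length);
            encoded = Base64.getEncoder().withoutPadding().encode(raw);
            // Base64 output is pure ASCII, so a byte-to-char widening is a lossless conversion.
            final char[] bearerChars = new char[encoded.length];
            for (int i = 0; i < encoded.length; i++) {
                bearerChars[i] = (char) (encoded[i] & 0xFF);
            }
            return new SecureString(bearerChars);
        } finally {
            Arrays.fill(secretBytes, (byte) 0);
            Arrays.fill(raw, (byte) 0);
            if (encoded != null) {
                Arrays.fill(encoded, (byte) 0);
            }
        }
    }

    /**
     * Parses a bearer string produced by {@link #asBearerString()}.
     *
     * <p>Returns {@code null} (with a trace log line) when the decoded value does not start with
     * {@link #PREFIX}, has no {@code ':'} separator, or the qualified name does not have exactly three
     * {@code '/'}-separated parts. Input that is not valid Base64 is not mapped to {@code null}: the
     * {@link IllegalArgumentException} from the decoder propagates, as does any exception raised while
     * constructing the token id.
     *
     * <p>The token bytes are deliberately not logged. Every transient buffer holding the credential is
     * zeroed before this method returns.
     *
     * @param secureString the bearer string as received; it is read but not closed or modified
     * @return the parsed token, or {@code null} if the value is not a service account token
     * @throws IOException declared for compatibility with existing callers
     */
    public static ServiceAccountToken fromBearerString(SecureString secureString) throws IOException {
        final byte[] encodedBytes = CharArrays.toUtf8Bytes(secureString.getChars());
        byte[] decoded = null;
        byte[] payload = null;
        char[] content = null;
        try {
            // Log the size only: a hex dump of the bearer string is trivially reversible to the credential,
            // so it must not reach log files even at trace level.
            logger.trace("parsing service account token of [{}] bytes", encodedBytes.length);
            decoded = Base64.getDecoder().decode(encodedBytes);
            // copyOfRange zero-pads when the input is shorter than the prefix; the length check below
            // rejects that case before the comparison result is used.
            final byte[] leading = Arrays.copyOfRange(decoded, 0, PREFIX.length);
            if (decoded.length < PREFIX.length || !Arrays.equals(leading, PREFIX)) {
                logger.trace(
                    () -> new ParameterizedMessage(
                        "service account token expects the 4 leading bytes to be {}, got {}.",
                        Arrays.toString(PREFIX),
                        Arrays.toString(leading)
                    )
                );
                return null;
            }
            payload = Arrays.copyOfRange(decoded, PREFIX.length, decoded.length);
            content = CharArrays.utf8BytesToChars(payload);
            final int colonAt = UsernamePasswordToken.indexOfColon(content);
            if (colonAt < 0) {
                logger.trace("failed to extract qualified service token name and secret, missing ':'");
                return null;
            }
            // Everything before the first ':' is the (non-secret) qualified name.
            final String str = new String(Arrays.copyOfRange(content, 0, colonAt));
            final String[] nameParts = Strings.delimitedListToStringArray(str, "/");
            if (nameParts == null || nameParts.length != 3) {
                logger.trace(
                    "The qualified name of a service token should take format of 'namespace/service_name/token_name', got [{}]",
                    str
                );
                return null;
            }
            // The secret is copied into a fresh array owned by the SecureString, so wiping 'content'
            // in the finally block does not affect the returned token.
            return new ServiceAccountToken(
                new ServiceAccount.ServiceAccountId(nameParts[0], nameParts[1]),
                nameParts[2],
                new SecureString(Arrays.copyOfRange(content, colonAt + 1, content.length))
            );
        } finally {
            Arrays.fill(encodedBytes, (byte) 0);
            if (decoded != null) {
                Arrays.fill(decoded, (byte) 0);
            }
            if (payload != null) {
                Arrays.fill(payload, (byte) 0);
            }
            if (content != null) {
                Arrays.fill(content, '\0');
            }
        }
    }

    /** Closes the underlying secret. The token must not be used for authentication afterwards. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.secret.close();
    }

    /** Returns the qualified name only, so the token is safe to include in log and error messages. */
    @Override
    public String toString() {
        return getQualifiedName();
    }

    /**
     * Two tokens are equal when both the token id and the secret are equal.
     * NOTE(review): the secret comparison is delegated to {@code SecureString.equals}; confirm it is
     * constant-time before relying on this method for credential verification.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final ServiceAccountToken other = (ServiceAccountToken) obj;
        return this.tokenId.equals(other.tokenId) && this.secret.equals(other.secret);
    }

    /** Hash over the token id and the secret; avoid logging or persisting the value. */
    @Override
    public int hashCode() {
        return Objects.hash(this.tokenId, this.secret);
    }

    /**
     * Creates a token with a newly generated secret.
     * NOTE(review): the secret comes from {@code UUIDs.randomBase64UUIDSecureString()}; confirm that helper
     * draws from a cryptographically secure random source.
     *
     * @param serviceAccountId owning service account
     * @param str              token name
     * @return a new token whose secret exists only inside the returned object
     */
    public static ServiceAccountToken newToken(ServiceAccount.ServiceAccountId serviceAccountId, String str) {
        return new ServiceAccountToken(serviceAccountId, str, UUIDs.randomBase64UUIDSecureString());
    }

    /** @return the principal of the owning service account */
    public String principal() {
        return this.tokenId.getAccountId().asPrincipal();
    }

    /** @return the live secret (the same object as {@link #getSecret()}) */
    public Object credentials() {
        return this.secret;
    }

    /** Clears the credential by closing the secret; equivalent to {@link #close()}. */
    public void clearCredentials() {
        close();
    }
}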
