package org.elasticsearch.xpack.security.action.oidc;

import com.nimbusds.jwt.JWTParser;
import java.text.ParseException;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutRequest;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectLogoutAction.class */
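/**
 * Transport action backing the OpenID Connect logout API.
 * <p>
 * On execution it invalidates the refresh token carried by the request (when one is present), resolves the
 * authentication and token metadata behind the access token, checks that the token was issued by an
 * {@link OpenIdConnectRealm}, invalidates the access token and finally asks that realm to build the logout
 * response from the {@code id_token_hint} kept in the token metadata. Every failure along the way is
 * reported through the listener's {@code onFailure}; nothing is reported on success until the access token
 * has actually been invalidated.
 */
public class TransportOpenIdConnectLogoutAction extends HandledTransportAction<OpenIdConnectLogoutRequest, OpenIdConnectLogoutResponse> {

    private static final Logger logger = LogManager.getLogger(TransportOpenIdConnectLogoutAction.class);

    /** Token-metadata key holding the ID token that is handed to the realm when building the logout response. */
    private static final String ID_TOKEN_HINT_KEY = "id_token_hint";

    /** Number of leading and trailing token characters that may appear in trace logging. */
    private static final int TRACE_TOKEN_CHARS = 8;

    private final Realms realms;
    private final TokenService tokenService;

    @Inject
    public TransportOpenIdConnectLogoutAction(TransportService transportService, ActionFilters actionFilters, Realms realms, TokenService tokenService) {
        super("cluster:admin/xpack/security/oidc/logout", transportService, actionFilters, OpenIdConnectLogoutRequest::new);
        this.realms = realms;
        this.tokenService = tokenService;
    }

    /**
     * Runs the logout chain: refresh-token invalidation, authentication lookup and validation,
     * access-token invalidation, then the realm-built response.
     *
     * @param task                       the task running this action
     * @param openIdConnectLogoutRequest the request holding the access token and, optionally, the refresh token
     * @param actionListener             receives the {@link OpenIdConnectLogoutResponse}, or the failure
     */
    @Override
    protected void doExecute(Task task, OpenIdConnectLogoutRequest openIdConnectLogoutRequest,
                             ActionListener<OpenIdConnectLogoutResponse> actionListener) {
        final String token = openIdConnectLogoutRequest.getToken();
        final String refreshToken = openIdConnectLogoutRequest.getRefreshToken();
        // Each stage runs only after the previous one succeeded. Exceptions thrown inside the consumers
        // (e.g. by validateAuthenticationAndMetadata) are expected to be routed to actionListener::onFailure
        // by ActionListener.wrap rather than escaping the transport thread.
        invalidateRefreshToken(refreshToken, ActionListener.wrap(
            ignoredRefreshResult -> tokenService.getAuthenticationAndMetadata(token, ActionListener.wrap(
                tuple -> {
                    final Authentication authentication = tuple.v1();
                    final Map<String, Object> metadata = tuple.v2();
                    // Fail before touching the access token if it does not belong to an OIDC realm.
                    validateAuthenticationAndMetadata(authentication, metadata);
                    tokenService.invalidateAccessToken(token, ActionListener.wrap(
                        ignoredAccessResult -> {
                            traceLogout(authentication, token);
                            actionListener.onResponse(buildResponse(authentication, metadata));
                        },
                        actionListener::onFailure));
                },
                actionListener::onFailure)),
            actionListener::onFailure));
    }

    /**
     * Emits the trace line for a completed logout. Only the first and last {@value #TRACE_TOKEN_CHARS}
     * characters of the access token are logged, never the whole token; a token shorter than that is
     * elided entirely so a diagnostic line can never fail the logout with a
     * {@link StringIndexOutOfBoundsException}.
     */
    private static void traceLogout(Authentication authentication, String token) {
        if (logger.isTraceEnabled() == false) {
            return;
        }
        final boolean longEnough = token.length() >= TRACE_TOKEN_CHARS;
        logger.trace("OpenID Connect Logout for user [{}] and token [{}...{}]",
            authentication.getUser().principal(),
            longEnough ? token.substring(0, TRACE_TOKEN_CHARS) : "",
            longEnough ? token.substring(token.length() - TRACE_TOKEN_CHARS) : "");
    }

    /**
     * Builds the logout response through the authenticating realm, using the ID token hint stored in the
     * token metadata.
     *
     * @param authentication the validated authentication; its realm must already be known to be an
     *                       {@link OpenIdConnectRealm} (see {@link #validateAuthenticationAndMetadata})
     * @param metadata       the token metadata that holds {@code id_token_hint}
     * @return the realm's logout response
     * @throws ElasticsearchSecurityException if the hint is missing, not a string, or cannot be parsed as a JWT
     */
    private OpenIdConnectLogoutResponse buildResponse(Authentication authentication, Map<String, Object> metadata) {
        final String idTokenHint = (String) getFromMetadata(metadata, ID_TOKEN_HINT_KEY);
        if (idTokenHint == null) {
            // getFromMetadata admits a null value; reject it here rather than handing null to the parser.
            throw new ElasticsearchSecurityException("Token Metadata did not contain a valid IdToken");
        }
        final Realm realm = realms.realm(authentication.getAuthenticatedBy().getName());
        try {
            return ((OpenIdConnectRealm) realm).buildLogoutResponse(JWTParser.parse(idTokenHint));
        } catch (ParseException e) {
            throw new ElasticsearchSecurityException("Token Metadata did not contain a valid IdToken", e);
        }
    }

    /**
     * Checks that the access token resolves to a usable authentication whose realm is an OpenID Connect realm.
     * The checks run in a fixed order so the first missing piece is what gets reported.
     *
     * @throws ElasticsearchSecurityException if metadata, authentication, user or authenticating realm is missing
     * @throws IllegalArgumentException       if the authenticating realm exists but is not an {@link OpenIdConnectRealm}
     */
    private void validateAuthenticationAndMetadata(Authentication authentication, Map<String, Object> metadata) {
        if (metadata == null) {
            throw new ElasticsearchSecurityException("Authentication did not contain metadata");
        }
        if (authentication == null) {
            throw new ElasticsearchSecurityException("No active authentication");
        }
        if (authentication.getUser() == null) {
            throw new ElasticsearchSecurityException("No active user");
        }
        final Authentication.RealmRef authenticatedBy = authentication.getAuthenticatedBy();
        if (authenticatedBy == null || Strings.isNullOrEmpty(authenticatedBy.getName())) {
            throw new ElasticsearchSecurityException("Authentication {} has no authenticating realm", authentication);
        }
        final Realm realm = realms.realm(authenticatedBy.getName());
        if (realm == null) {
            throw new ElasticsearchSecurityException("Authenticating realm {} does not exist", authenticatedBy.getName());
        }
        // The cast in buildResponse relies on this check; a token from another realm type must not reach it.
        if (realm instanceof OpenIdConnectRealm == false) {
            throw new IllegalArgumentException("Access token is not valid for an OpenID Connect realm");
        }
    }

    /**
     * Reads one entry of the token metadata, insisting that it is present and either {@code null} or a
     * {@link String}. The type check guards the caller's cast against unexpected metadata content.
     *
     * @param metadata the token metadata
     * @param key      the metadata key to read
     * @return the value, possibly {@code null}
     * @throws ElasticsearchSecurityException if the key is absent or its value is not a string
     */
    private Object getFromMetadata(Map<String, Object> metadata, String key) {
        if (metadata.containsKey(key) == false) {
            throw new ElasticsearchSecurityException("Authentication token does not have OpenID Connect metadata [{}]", key);
        }
        final Object value = metadata.get(key);
        if (value == null || value instanceof String) {
            return value;
        }
        throw new ElasticsearchSecurityException("In authentication token, OpenID Connect metadata [{}] is [{}] rather than String",
            key, value.getClass());
    }

    /**
     * Invalidates the refresh token if one was supplied; otherwise completes the listener immediately
     * with {@code null} so the logout chain can proceed to the access token.
     */
    private void invalidateRefreshToken(String refreshToken, ActionListener<TokensInvalidationResult> listener) {
        if (refreshToken == null) {
            listener.onResponse(null);
        } else {
            tokenService.invalidateRefreshToken(refreshToken, listener);
        }
    }
}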
