package org.elasticsearch.xpack.security.action.saml;

import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Predicate;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.security.action.saml.SamlInvalidateSessionRequest;
import org.elasticsearch.xpack.core.security.action.saml.SamlInvalidateSessionResponse;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.saml.SamlLogoutRequestHandler;
import org.elasticsearch.xpack.security.authc.saml.SamlRealm;
import org.elasticsearch.xpack.security.authc.saml.SamlRedirect;
import org.elasticsearch.xpack.security.authc.saml.SamlUtils;
import org.opensaml.saml.saml2.core.StatusResponseType;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/saml/TransportSamlInvalidateSessionAction.class */
public final class TransportSamlInvalidateSessionAction extends HandledTransportAction<SamlInvalidateSessionRequest, SamlInvalidateSessionResponse> {
    private static final Logger LOGGER = LogManager.getLogger(TransportSamlInvalidateSessionAction.class);
    private final TokenService tokenService;
    private final Realms realms;

    @Inject
    public TransportSamlInvalidateSessionAction(TransportService transportService, ActionFilters actionFilters, TokenService tokenService, Realms realms) {
        super("cluster:admin/xpack/security/saml/invalidate", transportService, actionFilters, SamlInvalidateSessionRequest::new);
        this.tokenService = tokenService;
        this.realms = realms;
    }

    protected void doExecute(Task task, SamlInvalidateSessionRequest samlInvalidateSessionRequest, ActionListener<SamlInvalidateSessionResponse> actionListener) {
        List<SamlRealm> findSamlRealms = SamlRealm.findSamlRealms(this.realms, samlInvalidateSessionRequest.getRealmName(), samlInvalidateSessionRequest.getAssertionConsumerServiceURL());
        if (findSamlRealms.isEmpty()) {
            actionListener.onFailure(SamlUtils.samlException("Cannot find any matching realm for [{}]", samlInvalidateSessionRequest));
        } else if (findSamlRealms.size() > 1) {
            actionListener.onFailure(SamlUtils.samlException("Found multiple matching realms [{}] for [{}]", findSamlRealms, samlInvalidateSessionRequest));
        } else {
            invalidateSession(findSamlRealms.get(0), samlInvalidateSessionRequest, actionListener);
        }
    }

    private void invalidateSession(SamlRealm samlRealm, SamlInvalidateSessionRequest samlInvalidateSessionRequest, ActionListener<SamlInvalidateSessionResponse> actionListener) {
        try {
            SamlLogoutRequestHandler.Result parseFromQueryString = samlRealm.getLogoutHandler().parseFromQueryString(samlInvalidateSessionRequest.getQueryString());
            CheckedConsumer checkedConsumer = num -> {
                actionListener.onResponse(new SamlInvalidateSessionResponse(samlRealm.name(), num.intValue(), buildLogoutResponseUrl(samlRealm, parseFromQueryString)));
            };
            Objects.requireNonNull(actionListener);
            findAndInvalidateTokens(samlRealm, parseFromQueryString, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (ElasticsearchSecurityException e) {
            LOGGER.info("Failed to invalidate SAML session", e);
            actionListener.onFailure(e);
        }
    }

    private String buildLogoutResponseUrl(SamlRealm samlRealm, SamlLogoutRequestHandler.Result result) {
        return new SamlRedirect((StatusResponseType) samlRealm.buildLogoutResponse(result.getRequestId()), samlRealm.getSigningConfiguration()).getRedirectUrl(result.getRelayState());
    }

    private void findAndInvalidateTokens(SamlRealm samlRealm, SamlLogoutRequestHandler.Result result, ActionListener<Integer> actionListener) {
        Map<String, Object> createTokenMetadata = samlRealm.createTokenMetadata(result.getNameId(), result.getSession());
        if (Strings.isNullOrEmpty((String) createTokenMetadata.get(SamlRealm.TOKEN_METADATA_NAMEID_VALUE))) {
            LOGGER.debug("Logout request [{}] has no NameID value, so cannot invalidate any sessions", result);
            actionListener.onResponse(0);
            return;
        }
        TokenService tokenService = this.tokenService;
        String name = samlRealm.name();
        Predicate<Map<String, Object>> containsMetadata = containsMetadata(createTokenMetadata);
        CheckedConsumer checkedConsumer = tokensInvalidationResult -> {
            if (LOGGER.isInfoEnabled() && !tokensInvalidationResult.getErrors().isEmpty()) {
                XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent());
                try {
                    tokensInvalidationResult.toXContent(builder, ToXContent.EMPTY_PARAMS);
                    LOGGER.info("Failed to invalidate some SAML access or refresh tokens {}", Strings.toString(builder));
                    if (builder != null) {
                        builder.close();
                    }
                } catch (Throwable th) {
                    if (builder != null) {
                        try {
                            builder.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
            actionListener.onResponse(Integer.valueOf(tokensInvalidationResult.getInvalidatedTokens().size() + tokensInvalidationResult.getPreviouslyInvalidatedTokens().size() + tokensInvalidationResult.getErrors().size()));
        };
        Objects.requireNonNull(actionListener);
        tokenService.invalidateActiveTokens(name, null, containsMetadata, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private Predicate<Map<String, Object>> containsMetadata(Map<String, Object> map) {
        return map2 -> {
            Map map2 = (Map) map2.get("metadata");
            return map.entrySet().stream().allMatch(entry -> {
                return Objects.equals(map2.get(entry.getKey()), entry.getValue());
            });
        };
    }

    protected /* bridge */ /* synthetic */ void doExecute(Task task, ActionRequest actionRequest, ActionListener actionListener) {
        doExecute(task, (SamlInvalidateSessionRequest) actionRequest, (ActionListener<SamlInvalidateSessionResponse>) actionListener);
    }
}
