package org.elasticsearch.xpack.security.authc;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.time.Clock;
import java.time.DateTimeException;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.BytesRef;
import org.apache.lucene.util.BytesRefBuilder;
import org.apache.lucene.util.UnicodeUtil;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.admin.indices.refresh.RefreshRequestBuilder;
import org.elasticsearch.action.bulk.BackoffPolicy;
import org.elasticsearch.action.bulk.BulkItemResponse;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkRequestBuilder;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexAction;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.action.update.UpdateRequestBuilder;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateUpdateTask;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Priority;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.InputStreamStreamInput;
import org.elasticsearch.common.io.stream.OutputStreamStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Streams;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.indices.IndexClosedException;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.KeyAndTimestamp;
import org.elasticsearch.xpack.core.security.authc.TokenMetadata;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;
import org.elasticsearch.xpack.security.support.FeatureNotEnabledException;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService.class */
public final class TokenService {
    static final int TOKEN_SERVICE_KEY_ITERATIONS = 100000;
    static final int TOKENS_ENCRYPTION_KEY_ITERATIONS = 1024;
    private static final String KDF_ALGORITHM = "PBKDF2withHMACSHA512";
    static final int SALT_BYTES = 32;
    private static final int KEY_BYTES = 64;
    static final int IV_BYTES = 12;
    private static final int VERSION_BYTES = 4;
    private static final String ENCRYPTION_CIPHER = "AES/GCM/NoPadding";
    private static final String EXPIRED_TOKEN_WWW_AUTH_VALUE;
    private static final BackoffPolicy DEFAULT_BACKOFF;
    public static final String THREAD_POOL_NAME = "security-token-key";
    public static final Setting<TimeValue> TOKEN_EXPIRATION;
    public static final Setting<TimeValue> DELETE_INTERVAL;
    public static final Setting<TimeValue> DELETE_TIMEOUT;
    static final String TOKEN_DOC_TYPE = "token";
    static final int RAW_TOKEN_BYTES_LENGTH = 16;
    static final int RAW_TOKEN_DOC_ID_BYTES_LENGTH = 8;
    static final int RAW_TOKEN_BYTES_TOTAL_LENGTH = 24;
    private static final int TOKEN_LENGTH = 22;
    private static final String TOKEN_DOC_ID_PREFIX = "token_";
    static final int LEGACY_MINIMUM_BYTES = 49;
    static final int MINIMUM_BYTES = 27;
    static final int LEGACY_MINIMUM_BASE64_BYTES;
    public static final int MINIMUM_BASE64_BYTES;
    static final TransportVersion VERSION_HASHED_TOKENS;
    static final TransportVersion VERSION_TOKENS_INDEX_INTRODUCED;
    static final TransportVersion VERSION_ACCESS_TOKENS_AS_UUIDS;
    static final TransportVersion VERSION_MULTIPLE_CONCURRENT_REFRESHES;
    static final TransportVersion VERSION_CLIENT_AUTH_FOR_REFRESH;
    static final TransportVersion VERSION_GET_TOKEN_DOC_FOR_REFRESH;
    private static final Logger logger;
    private final Settings settings;
    private final ClusterService clusterService;
    private final Clock clock;
    private final TimeValue expirationDelay;
    private final TimeValue deleteInterval;
    private final Client client;
    private final SecurityIndexManager securityMainIndex;
    private final SecurityIndexManager securityTokensIndex;
    private final ExpiredTokenRemover expiredTokenRemover;
    private final boolean enabled;
    private final XPackLicenseState licenseState;
    private final SecurityContext securityContext;
    private volatile TokenKeys keyCache;
    private volatile long lastExpirationRunMs;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final SecureRandom secureRandom = new SecureRandom();
    private final AtomicLong createdTimeStamps = new AtomicLong(-1);
    private final AtomicBoolean installTokenMetadataInProgress = new AtomicBoolean(false);

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$CreateTokenResult.class */
    public static final class CreateTokenResult {
        private final String accessToken;
        private final String refreshToken;
        private final Authentication authentication;

        public CreateTokenResult(String str, String str2, Authentication authentication) {
            this.accessToken = str;
            this.refreshToken = str2;
            this.authentication = authentication;
        }

        public String getAccessToken() {
            return this.accessToken;
        }

        public String getRefreshToken() {
            return this.refreshToken;
        }

        public Authentication getAuthentication() {
            return this.authentication;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$Doc.class */
    public static final class Doc extends Record {
        private final String id;
        private final Map<String, Object> sourceAsMap;
        private final long seqNo;
        private final long primaryTerm;

        Doc(SearchHit searchHit) {
            this(searchHit.getId(), searchHit.getSourceAsMap(), searchHit.getSeqNo(), searchHit.getPrimaryTerm());
        }

        Doc(GetResponse getResponse) {
            this(getResponse.getId(), getResponse.getSource(), getResponse.getSeqNo(), getResponse.getPrimaryTerm());
        }

        Doc(String str, Map<String, Object> map, long j, long j2) {
            this.id = str;
            this.sourceAsMap = map;
            this.seqNo = j;
            this.primaryTerm = j2;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, Doc.class), Doc.class, "id;sourceAsMap;seqNo;primaryTerm", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->id:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->sourceAsMap:Ljava/util/Map;", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->seqNo:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->primaryTerm:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, Doc.class), Doc.class, "id;sourceAsMap;seqNo;primaryTerm", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->id:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->sourceAsMap:Ljava/util/Map;", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->seqNo:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->primaryTerm:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, Doc.class, Object.class), Doc.class, "id;sourceAsMap;seqNo;primaryTerm", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->id:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->sourceAsMap:Ljava/util/Map;", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->seqNo:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/TokenService$Doc;->primaryTerm:J").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String id() {
            return this.id;
        }

        public Map<String, Object> sourceAsMap() {
            return this.sourceAsMap;
        }

        public long seqNo() {
            return this.seqNo;
        }

        public long primaryTerm() {
            return this.primaryTerm;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$KeyAndCache.class */
    public static final class KeyAndCache implements Closeable {
        private final KeyAndTimestamp keyAndTimestamp;
        private final Cache<BytesKey, SecretKey> keyCache = CacheBuilder.builder().setExpireAfterAccess(TimeValue.timeValueMinutes(60)).setMaximumWeight(500).build();
        private final BytesKey salt;
        private final BytesKey keyHash;

        private KeyAndCache(KeyAndTimestamp keyAndTimestamp, BytesKey bytesKey) {
            this.keyAndTimestamp = keyAndTimestamp;
            try {
                this.keyCache.put(bytesKey, TokenService.computeSecretKey(keyAndTimestamp.getKey().getChars(), bytesKey.bytes, TokenService.TOKEN_SERVICE_KEY_ITERATIONS));
                this.salt = bytesKey;
                this.keyHash = calculateKeyHash(keyAndTimestamp.getKey());
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }

        private SecretKey getKey(BytesKey bytesKey) {
            return (SecretKey) this.keyCache.get(bytesKey);
        }

        public SecretKey getOrComputeKey(BytesKey bytesKey) throws ExecutionException {
            return (SecretKey) this.keyCache.computeIfAbsent(bytesKey, bytesKey2 -> {
                SecureString clone = this.keyAndTimestamp.getKey().clone();
                try {
                    SecretKey computeSecretKey = TokenService.computeSecretKey(clone.getChars(), bytesKey2.bytes, TokenService.TOKEN_SERVICE_KEY_ITERATIONS);
                    if (clone != null) {
                        clone.close();
                    }
                    return computeSecretKey;
                } catch (Throwable th) {
                    if (clone != null) {
                        try {
                            clone.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            });
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
            this.keyAndTimestamp.getKey().close();
        }

        BytesKey getKeyHash() {
            return this.keyHash;
        }

        private static BytesKey calculateKeyHash(SecureString secureString) {
            MessageDigest sha256 = MessageDigests.sha256();
            BytesRefBuilder bytesRefBuilder = new BytesRefBuilder();
            try {
                bytesRefBuilder.copyChars(secureString);
                BytesRef bytesRef = bytesRefBuilder.toBytesRef();
                try {
                    sha256.update(bytesRef.bytes, bytesRef.offset, bytesRef.length);
                    BytesKey bytesKey = new BytesKey(Arrays.copyOfRange(sha256.digest(), 0, TokenService.RAW_TOKEN_DOC_ID_BYTES_LENGTH));
                    Arrays.fill(bytesRef.bytes, (byte) 0);
                    Arrays.fill(bytesRefBuilder.bytes(), (byte) 0);
                    return bytesKey;
                } catch (Throwable th) {
                    Arrays.fill(bytesRef.bytes, (byte) 0);
                    throw th;
                }
            } catch (Throwable th2) {
                Arrays.fill(bytesRefBuilder.bytes(), (byte) 0);
                throw th2;
            }
        }

        BytesKey getSalt() {
            return this.salt;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$KeyComputingRunnable.class */
    public static class KeyComputingRunnable extends AbstractRunnable {
        private final BytesKey decodedSalt;
        private final KeyAndCache keyAndCache;
        private final ActionListener<SecretKey> listener;

        KeyComputingRunnable(BytesKey bytesKey, KeyAndCache keyAndCache, ActionListener<SecretKey> actionListener) {
            this.decodedSalt = bytesKey;
            this.keyAndCache = keyAndCache;
            this.listener = actionListener;
        }

        protected void doRun() {
            try {
                this.listener.onResponse(this.keyAndCache.getOrComputeKey(this.decodedSalt));
            } catch (ExecutionException e) {
                if (e.getCause() == null || !((e.getCause() instanceof GeneralSecurityException) || (e.getCause() instanceof IOException) || (e.getCause() instanceof IllegalArgumentException))) {
                    this.listener.onFailure(e);
                } else {
                    TokenService.logger.debug("unable to decode bearer token", e);
                    this.listener.onResponse((Object) null);
                }
            }
        }

        public void onFailure(Exception exc) {
            this.listener.onFailure(exc);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$RefreshTokenStatus.class */
    public static final class RefreshTokenStatus {
        private final boolean invalidated;
        private final String associatedUser;
        private final String associatedRealm;

        @Nullable
        private final Authentication associatedAuthentication;
        private final boolean refreshed;

        @Nullable
        private final Instant refreshInstant;

        @Nullable
        private final String supersedingTokens;

        @Nullable
        private final String iv;

        @Nullable
        private final String salt;
        private TransportVersion version;
        static final /* synthetic */ boolean $assertionsDisabled;

        RefreshTokenStatus(boolean z, Authentication authentication, boolean z2, Instant instant, String str, String str2, String str3) {
            if (!$assertionsDisabled && !authentication.getEffectiveSubject().getTransportVersion().onOrAfter(TokenService.VERSION_CLIENT_AUTH_FOR_REFRESH)) {
                throw new AssertionError();
            }
            this.invalidated = z;
            this.associatedUser = authentication.getEffectiveSubject().getUser().principal();
            this.associatedRealm = authentication.getAuthenticatingSubject().getRealm().getName();
            this.associatedAuthentication = authentication;
            this.refreshed = z2;
            this.refreshInstant = instant;
            this.supersedingTokens = str;
            this.iv = str2;
            this.salt = str3;
        }

        @Deprecated
        RefreshTokenStatus(boolean z, String str, String str2, boolean z2, Instant instant, String str3, String str4, String str5) {
            this.invalidated = z;
            this.associatedUser = str;
            this.associatedRealm = str2;
            this.associatedAuthentication = null;
            this.refreshed = z2;
            this.refreshInstant = instant;
            this.supersedingTokens = str3;
            this.iv = str4;
            this.salt = str5;
        }

        boolean isInvalidated() {
            return this.invalidated;
        }

        String getAssociatedUser() {
            return this.associatedUser;
        }

        String getAssociatedRealm() {
            return this.associatedRealm;
        }

        Authentication getAssociatedAuthentication() {
            return this.associatedAuthentication;
        }

        boolean isRefreshed() {
            return this.refreshed;
        }

        @Nullable
        Instant getRefreshInstant() {
            return this.refreshInstant;
        }

        @Nullable
        String getSupersedingTokens() {
            return this.supersedingTokens;
        }

        @Nullable
        String getIv() {
            return this.iv;
        }

        @Nullable
        String getSalt() {
            return this.salt;
        }

        TransportVersion getTransportVersion() {
            return this.version;
        }

        void setTransportVersion(TransportVersion transportVersion) {
            this.version = transportVersion;
        }

        static RefreshTokenStatus fromSourceMap(Map<String, Object> map) {
            Boolean bool = (Boolean) map.get("invalidated");
            if (bool == null) {
                throw new IllegalStateException("token document is missing the \"invalidated\" field");
            }
            Map map2 = (Map) map.get("client");
            if (map2 == null) {
                throw new IllegalStateException("token document is missing the \"client\" field");
            }
            Boolean bool2 = (Boolean) map.get("refreshed");
            if (bool2 == null) {
                throw new IllegalStateException("token document is missing the \"refreshed\" field");
            }
            Long l = (Long) map.get("refresh_time");
            Instant ofEpochMilli = l == null ? null : Instant.ofEpochMilli(l.longValue());
            String str = (String) map.get("superseding.encrypted_tokens");
            String str2 = (String) map.get("superseding.encryption_iv");
            String str3 = (String) map.get("superseding.encryption_salt");
            if (!map2.containsKey("authentication")) {
                if (false == map2.containsKey("user")) {
                    throw new IllegalStateException("token document must contain the \"client.user\" field if the associated \"authentication\" field does not exist");
                }
                String str4 = (String) map2.get("user");
                if (false == map2.containsKey(LoggingAuditTrail.REALM_FIELD_NAME)) {
                    throw new IllegalStateException("token document must contain the \"client.realm\" field if the associated \"authentication\" field does not exist");
                }
                return new RefreshTokenStatus(bool.booleanValue(), str4, (String) map2.get(LoggingAuditTrail.REALM_FIELD_NAME), bool2.booleanValue(), ofEpochMilli, str, str2, str3);
            }
            try {
                Authentication decode = AuthenticationContextSerializer.decode((String) map2.get("authentication"));
                if (map2.containsKey("user") || map2.containsKey(LoggingAuditTrail.REALM_FIELD_NAME)) {
                    throw new IllegalStateException("user and/or associated realm must not be present when associated authentication is");
                }
                return new RefreshTokenStatus(bool.booleanValue(), decode, bool2.booleanValue(), ofEpochMilli, str, str2, str3);
            } catch (IOException e) {
                throw new IllegalStateException("invalid client authentication for refresh", e);
            }
        }

        static {
            $assertionsDisabled = !TokenService.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$TokenKeys.class */
    public static final class TokenKeys {
        final Map<BytesKey, KeyAndCache> cache;
        final BytesKey currentTokenKeyHash;
        final KeyAndCache activeKeyCache;

        private TokenKeys(Map<BytesKey, KeyAndCache> map, BytesKey bytesKey) {
            this.cache = map;
            this.currentTokenKeyHash = bytesKey;
            this.activeKeyCache = map.get(bytesKey);
        }

        KeyAndCache get(BytesKey bytesKey) {
            return this.cache.get(bytesKey);
        }
    }

    public TokenService(Settings settings, Clock clock, Client client, XPackLicenseState xPackLicenseState, SecurityContext securityContext, SecurityIndexManager securityIndexManager, SecurityIndexManager securityIndexManager2, ClusterService clusterService) throws GeneralSecurityException {
        byte[] bArr = new byte[SALT_BYTES];
        this.secureRandom.nextBytes(bArr);
        SecureString generateTokenKey = generateTokenKey();
        this.settings = settings;
        this.clock = clock.withZone(ZoneOffset.UTC);
        this.expirationDelay = (TimeValue) TOKEN_EXPIRATION.get(settings);
        this.client = client;
        this.licenseState = xPackLicenseState;
        this.securityContext = securityContext;
        this.securityMainIndex = securityIndexManager;
        this.securityTokensIndex = securityIndexManager2;
        this.lastExpirationRunMs = client.threadPool().relativeTimeInMillis();
        this.deleteInterval = (TimeValue) DELETE_INTERVAL.get(settings);
        this.enabled = isTokenServiceEnabled(settings).booleanValue();
        this.expiredTokenRemover = new ExpiredTokenRemover(settings, client, this.securityMainIndex, securityIndexManager2);
        ensureEncryptionCiphersSupported();
        KeyAndCache keyAndCache = new KeyAndCache(new KeyAndTimestamp(generateTokenKey, this.createdTimeStamps.incrementAndGet()), new BytesKey(bArr));
        this.keyCache = new TokenKeys(Collections.singletonMap(keyAndCache.getKeyHash(), keyAndCache), keyAndCache.getKeyHash());
        this.clusterService = clusterService;
        initialize(clusterService);
        getTokenMetadata();
    }

    public void createOAuth2Tokens(Authentication authentication, Authentication authentication2, Map<String, Object> map, boolean z, ActionListener<CreateTokenResult> actionListener) {
        TransportVersion tokenVersionCompatibility = getTokenVersionCompatibility();
        Tuple<byte[], byte[]> randomTokenBytes = getRandomTokenBytes(tokenVersionCompatibility, z);
        createOAuth2Tokens((byte[]) randomTokenBytes.v1(), (byte[]) randomTokenBytes.v2(), tokenVersionCompatibility, authentication, authentication2, map, actionListener);
    }

    public void createOAuth2Tokens(byte[] bArr, @Nullable byte[] bArr2, Authentication authentication, Authentication authentication2, Map<String, Object> map, ActionListener<CreateTokenResult> actionListener) {
        createOAuth2Tokens(bArr, bArr2, getTokenVersionCompatibility(), authentication, authentication2, map, actionListener);
    }

    private void createOAuth2Tokens(byte[] bArr, @Nullable byte[] bArr2, TransportVersion transportVersion, Authentication authentication, Authentication authentication2, Map<String, Object> map, ActionListener<CreateTokenResult> actionListener) {
        String encodeToString;
        String str;
        String str2;
        String str3;
        ensureEnabled();
        if (authentication == null) {
            actionListener.onFailure((Exception) traceLog("create token", new IllegalArgumentException("authentication must be provided")));
            return;
        }
        if (authentication2 == null) {
            actionListener.onFailure((Exception) traceLog("create token", new IllegalArgumentException("originating client authentication must be provided")));
            return;
        }
        Authentication maybeRewriteForOlderVersion = authentication.token().maybeRewriteForOlderVersion(transportVersion);
        try {
            if (transportVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
                if (!$assertionsDisabled && bArr.length != RAW_TOKEN_BYTES_TOTAL_LENGTH) {
                    throw new AssertionError();
                }
                MessageDigest sha256 = MessageDigests.sha256();
                sha256.update(bArr, RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_DOC_ID_BYTES_LENGTH);
                encodeToString = Base64.getUrlEncoder().withoutPadding().encodeToString(sha256.digest());
                str = Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigests.sha256().digest(bArr));
                if (bArr2 == null) {
                    str2 = null;
                    str3 = null;
                } else {
                    if (!$assertionsDisabled && bArr2.length != RAW_TOKEN_BYTES_TOTAL_LENGTH) {
                        throw new AssertionError();
                    }
                    if (!$assertionsDisabled && !Arrays.equals(bArr2, RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_BYTES_TOTAL_LENGTH, bArr, RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_BYTES_TOTAL_LENGTH)) {
                        throw new AssertionError("the last bytes of paired access and refresh tokens should be the same");
                    }
                    str3 = Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigests.sha256().digest(bArr2));
                    str2 = prependVersionAndEncodeRefreshToken(transportVersion, bArr2);
                }
            } else if (transportVersion.onOrAfter(VERSION_HASHED_TOKENS)) {
                if (!$assertionsDisabled && bArr.length != RAW_TOKEN_BYTES_LENGTH) {
                    throw new AssertionError();
                }
                encodeToString = hashTokenString(Base64.getUrlEncoder().withoutPadding().encodeToString(bArr));
                str = null;
                if (bArr2 == null) {
                    str2 = null;
                    str3 = null;
                } else {
                    if (!$assertionsDisabled && bArr2.length != RAW_TOKEN_BYTES_LENGTH) {
                        throw new AssertionError();
                    }
                    str3 = hashTokenString(Base64.getUrlEncoder().withoutPadding().encodeToString(bArr2));
                    str2 = prependVersionAndEncodeRefreshToken(transportVersion, bArr2);
                }
            } else {
                if (!$assertionsDisabled && bArr.length != RAW_TOKEN_BYTES_LENGTH) {
                    throw new AssertionError();
                }
                encodeToString = Base64.getUrlEncoder().withoutPadding().encodeToString(bArr);
                str = null;
                if (bArr2 == null) {
                    str2 = null;
                    str3 = null;
                } else {
                    if (!$assertionsDisabled && bArr2.length != RAW_TOKEN_BYTES_LENGTH) {
                        throw new AssertionError();
                    }
                    String encodeToString2 = Base64.getUrlEncoder().withoutPadding().encodeToString(bArr2);
                    str2 = encodeToString2;
                    str3 = encodeToString2;
                }
            }
            UserToken userToken = new UserToken(encodeToString, transportVersion, maybeRewriteForOlderVersion, getExpirationTime(), map);
            BytesReference createTokenDocument = createTokenDocument(userToken, str, str3, authentication2);
            String tokenDocumentId = getTokenDocumentId(userToken);
            WriteRequest.RefreshPolicy refreshPolicy = transportVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH) ? WriteRequest.RefreshPolicy.NONE : WriteRequest.RefreshPolicy.WAIT_UNTIL;
            SecurityIndexManager tokensIndexForVersion = getTokensIndexForVersion(transportVersion);
            logger.debug(() -> {
                return Strings.format("Using refresh policy [%s] when creating token doc [%s] in the security index [%s]", new Object[]{refreshPolicy, tokenDocumentId, tokensIndexForVersion.aliasName()});
            });
            IndexRequest request = this.client.prepareIndex(tokensIndexForVersion.aliasName()).setId(tokenDocumentId).setOpType(DocWriteRequest.OpType.CREATE).setSource(createTokenDocument, XContentType.JSON).setRefreshPolicy(refreshPolicy).request();
            String str4 = str2;
            tokensIndexForVersion.prepareIndexIfNeededThenExecute(exc -> {
                actionListener.onFailure((Exception) traceLog("prepare tokens index [" + tokensIndexForVersion.aliasName() + "]", tokenDocumentId, exc));
            }, () -> {
                Client client = this.client;
                IndexAction indexAction = IndexAction.INSTANCE;
                CheckedConsumer checkedConsumer = docWriteResponse -> {
                    if (docWriteResponse.getResult() == DocWriteResponse.Result.CREATED) {
                        actionListener.onResponse(new CreateTokenResult(prependVersionAndEncodeAccessToken(transportVersion, bArr), str4, authentication));
                    } else {
                        actionListener.onFailure((Exception) traceLog("create token", new ElasticsearchException("failed to create token document [{}]", new Object[]{docWriteResponse})));
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", indexAction, request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        } catch (IOException e) {
            logger.error("Could not encode access or refresh token", e);
            actionListener.onFailure((Exception) traceLog("create token", e));
        }
    }

    public static String hashTokenString(String str) {
        return new String(Hasher.SHA256.hash(new SecureString(str.toCharArray())));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void tryAuthenticateToken(SecureString secureString, ActionListener<UserToken> actionListener) {
        if (!isEnabled() || secureString == null) {
            actionListener.onResponse((Object) null);
        } else {
            decodeToken(secureString.toString(), true, actionListener.delegateResponse((actionListener2, exc) -> {
                if (TransportActions.isShardNotAvailableException(exc)) {
                    actionListener2.onResponse((Object) null);
                } else {
                    actionListener2.onFailure(exc);
                }
            }));
        }
    }

    public void getAuthenticationAndMetadata(String str, ActionListener<Tuple<Authentication, Map<String, Object>>> actionListener) {
        CheckedConsumer checkedConsumer = userToken -> {
            if (userToken == null) {
                actionListener.onFailure(new ElasticsearchSecurityException("supplied token is not valid", new Object[0]));
            } else {
                actionListener.onResponse(new Tuple(userToken.getAuthentication(), userToken.getMetadata()));
            }
        };
        Objects.requireNonNull(actionListener);
        decodeToken(str, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void getAndValidateUserToken(String str, TransportVersion transportVersion, @Nullable String str2, boolean z, ActionListener<UserToken> actionListener) {
        CheckedConsumer checkedConsumer = doc -> {
            if (doc == null) {
                actionListener.onResponse((Object) null);
                return;
            }
            Map map = (Map) doc.sourceAsMap().get("access_token");
            if (!z) {
                actionListener.onResponse(UserToken.fromSourceMap((Map) map.get("user_token")));
                return;
            }
            Boolean bool = (Boolean) map.get("invalidated");
            if (bool == null) {
                actionListener.onFailure(new IllegalStateException("token document is missing invalidated field"));
                return;
            }
            if (bool.booleanValue()) {
                actionListener.onFailure(expiredTokenException());
                return;
            }
            UserToken fromSourceMap = UserToken.fromSourceMap((Map) map.get("user_token"));
            if (this.clock.instant().isAfter(fromSourceMap.getExpirationTime())) {
                actionListener.onFailure((Exception) traceLog("validate token", fromSourceMap.getId(), expiredTokenException()));
            } else {
                actionListener.onResponse(fromSourceMap);
            }
        };
        Objects.requireNonNull(actionListener);
        getTokenDocById(str, transportVersion, str2, null, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void getTokenDocById(String str, TransportVersion transportVersion, @Nullable String str2, @Nullable String str3, ActionListener<Doc> actionListener) {
        SecurityIndexManager tokensIndexForVersion = getTokensIndexForVersion(transportVersion);
        SecurityIndexManager freeze = tokensIndexForVersion.freeze();
        if (!freeze.isAvailable()) {
            logger.warn("failed to get access token [{}] because index [{}] is not available", str, tokensIndexForVersion.aliasName());
            actionListener.onFailure(freeze.getUnavailableReason());
        } else {
            GetRequest request = this.client.prepareGet(tokensIndexForVersion.aliasName(), getTokenDocumentId(str)).request();
            Consumer consumer = exc -> {
                actionListener.onFailure((Exception) traceLog("get token from id", str, exc));
            };
            tokensIndexForVersion.checkIndexVersionThenExecute(exc2 -> {
                actionListener.onFailure((Exception) traceLog("prepare tokens index [" + tokensIndexForVersion.aliasName() + "]", str, exc2));
            }, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener wrap = ActionListener.wrap(getResponse -> {
                    if (!getResponse.isExists()) {
                        logger.trace("The token [{}] probably expired and has already been deleted", str);
                        actionListener.onResponse((Object) null);
                        return;
                    }
                    Map map = (Map) getResponse.getSource().get("access_token");
                    Map map2 = (Map) getResponse.getSource().get("refresh_token");
                    boolean onOrAfter = transportVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH);
                    if (map == null) {
                        consumer.accept(new IllegalStateException("token document is missing the access_token field"));
                        return;
                    }
                    if (!map.containsKey("user_token")) {
                        consumer.accept(new IllegalStateException("token document is missing the user_token field"));
                        return;
                    }
                    if (onOrAfter && !map.containsKey(TOKEN_DOC_TYPE)) {
                        consumer.accept(new IllegalStateException("token document is missing the user_token.token field"));
                        return;
                    }
                    if (onOrAfter && map2 != null && !map2.containsKey(TOKEN_DOC_TYPE)) {
                        consumer.accept(new IllegalStateException("token document is missing the refresh_token.token field"));
                        return;
                    }
                    if (str2 != null && !str2.equals(map.get(TOKEN_DOC_TYPE))) {
                        logger.error("The stored access token [{}] for token doc id [{}] could not be verified", str2, str);
                        actionListener.onResponse((Object) null);
                    } else if (str3 == null || (map2 != null && str3.equals(map2.get(TOKEN_DOC_TYPE)))) {
                        actionListener.onResponse(new Doc(getResponse));
                    } else {
                        logger.error("The stored refresh token [{}] for token doc id [{}] could not be verified", str3, str);
                        actionListener.onResponse((Object) null);
                    }
                }, exc3 -> {
                    if (TransportActions.isShardNotAvailableException(exc3)) {
                        logger.warn("failed to get token doc [{}] because index [{}] is not available", str, tokensIndexForVersion.aliasName());
                    } else {
                        logger.error(() -> {
                            return "failed to get token doc [" + str + "]";
                        }, exc3);
                    }
                    actionListener.onFailure(exc3);
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::get);
            });
        }
    }

    void decodeToken(String str, boolean z, ActionListener<UserToken> actionListener) {
        try {
            InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(Base64.getDecoder().wrap(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))), r0.length);
            try {
                TransportVersion readVersion = TransportVersion.readVersion(inputStreamStreamInput);
                inputStreamStreamInput.setTransportVersion(readVersion);
                if (readVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
                    byte[] readByteArray = inputStreamStreamInput.readByteArray();
                    if (readByteArray.length != RAW_TOKEN_BYTES_TOTAL_LENGTH) {
                        logger.debug("invalid token, received size [{}] bytes is different from expect size [{}]", Integer.valueOf(readByteArray.length), Integer.valueOf(RAW_TOKEN_BYTES_TOTAL_LENGTH));
                        actionListener.onResponse((Object) null);
                        inputStreamStreamInput.close();
                        return;
                    } else {
                        MessageDigest sha256 = MessageDigests.sha256();
                        sha256.update(readByteArray, RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_DOC_ID_BYTES_LENGTH);
                        getAndValidateUserToken(Base64.getUrlEncoder().withoutPadding().encodeToString(sha256.digest()), readVersion, Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigests.sha256().digest(readByteArray)), z, actionListener);
                    }
                } else if (readVersion.onOrAfter(VERSION_ACCESS_TOKENS_AS_UUIDS)) {
                    if (inputStreamStreamInput.available() < MINIMUM_BYTES) {
                        logger.debug("invalid token, smaller than [{}] bytes", Integer.valueOf(MINIMUM_BYTES));
                        actionListener.onResponse((Object) null);
                        inputStreamStreamInput.close();
                        return;
                    }
                    getAndValidateUserToken(hashTokenString(inputStreamStreamInput.readString()), readVersion, null, z, actionListener);
                } else {
                    if (inputStreamStreamInput.available() < LEGACY_MINIMUM_BYTES) {
                        logger.debug("invalid token, smaller than [{}] bytes", Integer.valueOf(LEGACY_MINIMUM_BYTES));
                        actionListener.onResponse((Object) null);
                        inputStreamStreamInput.close();
                        return;
                    }
                    BytesKey bytesKey = new BytesKey(inputStreamStreamInput.readByteArray());
                    BytesKey bytesKey2 = new BytesKey(inputStreamStreamInput.readByteArray());
                    byte[] readByteArray2 = inputStreamStreamInput.readByteArray();
                    BytesStreamOutput bytesStreamOutput = new BytesStreamOutput();
                    Streams.copy(inputStreamStreamInput, bytesStreamOutput);
                    byte[] bytes = BytesReference.toBytes(bytesStreamOutput.bytes());
                    KeyAndCache keyAndCache = this.keyCache.get(bytesKey2);
                    if (keyAndCache != null) {
                        CheckedConsumer checkedConsumer = secretKey -> {
                            if (secretKey == null) {
                                actionListener.onResponse((Object) null);
                                return;
                            }
                            try {
                                getAndValidateUserToken(decryptTokenId(bytes, getDecryptionCipher(readByteArray2, secretKey, readVersion, bytesKey), readVersion), readVersion, null, z, actionListener);
                            } catch (IOException | GeneralSecurityException e) {
                                logger.warn("invalid token", e);
                                actionListener.onResponse((Object) null);
                            }
                        };
                        Objects.requireNonNull(actionListener);
                        getKeyAsync(bytesKey, keyAndCache, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                    } else {
                        logger.debug(() -> {
                            return Strings.format("invalid key %s key: %s", new Object[]{bytesKey2, this.keyCache.cache.keySet()});
                        });
                        actionListener.onResponse((Object) null);
                    }
                }
                inputStreamStreamInput.close();
            } finally {
            }
        } catch (Exception e) {
            logger.debug("built in token service unable to decode token", e);
            actionListener.onResponse((Object) null);
        }
    }

    public void invalidateAccessToken(String str, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        if (org.elasticsearch.common.Strings.isNullOrEmpty(str)) {
            actionListener.onFailure((Exception) traceLog("invalidate access token", new IllegalArgumentException("access token must be provided")));
            return;
        }
        maybeStartTokenRemover();
        Iterator it = DEFAULT_BACKOFF.iterator();
        decodeToken(str, false, ActionListener.wrap(userToken -> {
            if (userToken != null) {
                indexInvalidation(Collections.singleton(userToken), it, "access_token", null, actionListener);
            } else {
                logger.trace("The access token [{}] is expired and already deleted", str);
                actionListener.onResponse(TokensInvalidationResult.emptyResult(RestStatus.NOT_FOUND));
            }
        }, exc -> {
            if ((exc instanceof IndexNotFoundException) || (exc instanceof IndexClosedException)) {
                actionListener.onFailure(new ElasticsearchSecurityException("failed to invalidate token", RestStatus.BAD_REQUEST, new Object[0]));
            } else {
                actionListener.onFailure(unableToPerformAction(exc));
            }
        }));
    }

    public void invalidateRefreshToken(String str, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        if (org.elasticsearch.common.Strings.isNullOrEmpty(str)) {
            logger.trace("No refresh token provided");
            actionListener.onFailure(new IllegalArgumentException("refresh token must be provided"));
        } else {
            maybeStartTokenRemover();
            Iterator<TimeValue> it = DEFAULT_BACKOFF.iterator();
            findTokenFromRefreshToken(str, it, ActionListener.wrap(doc -> {
                if (doc == null) {
                    logger.debug("could not find token document for refresh token");
                    actionListener.onResponse(TokensInvalidationResult.emptyResult(RestStatus.NOT_FOUND));
                    return;
                }
                Tuple<UserToken, RefreshTokenStatus> parseTokenAndRefreshStatus = parseTokenAndRefreshStatus(doc.sourceAsMap());
                UserToken userToken = (UserToken) parseTokenAndRefreshStatus.v1();
                if (((RefreshTokenStatus) parseTokenAndRefreshStatus.v2()).isInvalidated()) {
                    actionListener.onResponse(new TokensInvalidationResult(List.of(), List.of(userToken.getId()), (List) null, RestStatus.OK));
                } else {
                    indexInvalidation(Collections.singletonList(userToken), it, "refresh_token", null, actionListener);
                }
            }, exc -> {
                if ((exc instanceof IndexNotFoundException) || (exc instanceof IndexClosedException)) {
                    actionListener.onFailure(new ElasticsearchSecurityException("failed to invalidate token", RestStatus.BAD_REQUEST, new Object[0]));
                } else {
                    actionListener.onFailure(unableToPerformAction(exc));
                }
            }));
        }
    }

    public void invalidateActiveTokens(@Nullable String str, @Nullable String str2, @Nullable Predicate<Map<String, Object>> predicate, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        maybeStartTokenRemover();
        if (org.elasticsearch.common.Strings.isNullOrEmpty(str) && org.elasticsearch.common.Strings.isNullOrEmpty(str2)) {
            logger.trace("No realm name or username provided");
            actionListener.onFailure(new IllegalArgumentException("realm name or username must be provided"));
            return;
        }
        if (org.elasticsearch.common.Strings.hasText(str2)) {
            predicate = predicate == null ? isOfUser(str2) : predicate.and(isOfUser(str2));
        }
        CheckedConsumer checkedConsumer = collection -> {
            if (!collection.isEmpty()) {
                invalidateTokens(collection, actionListener);
            } else {
                logger.warn("No tokens to invalidate for realm [{}] and username [{}]", str, str2);
                actionListener.onResponse(TokensInvalidationResult.emptyResult(RestStatus.OK));
            }
        };
        Objects.requireNonNull(actionListener);
        searchActiveTokens(str, predicate, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void invalidateTokens(Collection<Tuple<UserToken, String>> collection, ActionListener<TokensInvalidationResult> actionListener) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        collection.forEach(tuple -> {
            arrayList.add((UserToken) tuple.v1());
            if (tuple.v2() != null) {
                arrayList2.add((UserToken) tuple.v1());
            }
        });
        Iterator<TimeValue> it = DEFAULT_BACKOFF.iterator();
        if (false != arrayList2.isEmpty()) {
            indexInvalidation(arrayList, it, "access_token", null, actionListener);
            return;
        }
        CheckedConsumer checkedConsumer = tokensInvalidationResult -> {
            indexInvalidation(arrayList, it, "access_token", tokensInvalidationResult, actionListener);
        };
        Objects.requireNonNull(actionListener);
        indexInvalidation(arrayList2, it, "refresh_token", null, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void indexInvalidation(Collection<UserToken> collection, Iterator<TimeValue> it, String str, @Nullable TokensInvalidationResult tokensInvalidationResult, ActionListener<TokensInvalidationResult> actionListener) {
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        boolean z = false;
        for (UserToken userToken : collection) {
            if (userToken.getTransportVersion().onOrAfter(VERSION_TOKENS_INDEX_INTRODUCED)) {
                hashSet.add(userToken.getId());
            } else {
                hashSet2.add(userToken.getId());
            }
            z |= userToken.getTransportVersion().before(VERSION_GET_TOKEN_DOC_FOR_REFRESH);
        }
        WriteRequest.RefreshPolicy refreshPolicy = z ? WriteRequest.RefreshPolicy.WAIT_UNTIL : WriteRequest.RefreshPolicy.NONE;
        if (false != hashSet2.isEmpty()) {
            indexInvalidation(hashSet, this.securityTokensIndex, it, str, tokensInvalidationResult, refreshPolicy, actionListener);
            return;
        }
        SecurityIndexManager securityIndexManager = this.securityMainIndex;
        WriteRequest.RefreshPolicy refreshPolicy2 = WriteRequest.RefreshPolicy.WAIT_UNTIL;
        CheckedConsumer checkedConsumer = tokensInvalidationResult2 -> {
            if (false == hashSet.isEmpty()) {
                indexInvalidation(hashSet, this.securityTokensIndex, it, str, tokensInvalidationResult2, refreshPolicy, actionListener);
            } else {
                actionListener.onResponse(tokensInvalidationResult2);
            }
        };
        Objects.requireNonNull(actionListener);
        indexInvalidation(hashSet2, securityIndexManager, it, str, tokensInvalidationResult, refreshPolicy2, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void indexInvalidation(Collection<String> collection, SecurityIndexManager securityIndexManager, Iterator<TimeValue> it, String str, @Nullable TokensInvalidationResult tokensInvalidationResult, WriteRequest.RefreshPolicy refreshPolicy, ActionListener<TokensInvalidationResult> actionListener) {
        if (collection.isEmpty()) {
            logger.warn("No [{}] tokens provided for invalidation", str);
            actionListener.onFailure(invalidGrantException("No tokens provided for invalidation"));
            return;
        }
        BulkRequestBuilder prepareBulk = this.client.prepareBulk();
        Iterator<String> it2 = collection.iterator();
        while (it2.hasNext()) {
            prepareBulk.add(this.client.prepareUpdate(securityIndexManager.aliasName(), getTokenDocumentId(it2.next())).setDoc(new Object[]{str, Collections.singletonMap("invalidated", true)}).setFetchSource(str, (String) null).request());
        }
        logger.debug(() -> {
            return Strings.format("Using refresh policy [%s] when updating token docs [%s] for invalidation in the security index [%s]", new Object[]{refreshPolicy, collection, securityIndexManager.aliasName()});
        });
        prepareBulk.setRefreshPolicy(refreshPolicy);
        securityIndexManager.prepareIndexIfNeededThenExecute(exc -> {
            actionListener.onFailure((Exception) traceLog("prepare index [" + securityIndexManager.aliasName() + "]", exc));
        }, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            BulkRequest request = prepareBulk.request();
            ActionListener wrap = ActionListener.wrap(bulkResponse -> {
                ArrayList arrayList = new ArrayList();
                ArrayList arrayList2 = new ArrayList();
                ArrayList arrayList3 = new ArrayList();
                ArrayList arrayList4 = new ArrayList();
                if (null != tokensInvalidationResult) {
                    arrayList2.addAll(tokensInvalidationResult.getErrors());
                    arrayList3.addAll(tokensInvalidationResult.getPreviouslyInvalidatedTokens());
                    arrayList4.addAll(tokensInvalidationResult.getInvalidatedTokens());
                }
                for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
                    if (bulkItemResponse.isFailed()) {
                        Exception cause = bulkItemResponse.getFailure().getCause();
                        String tokenIdFromDocumentId = getTokenIdFromDocumentId(bulkItemResponse.getFailure().getId());
                        if (TransportActions.isShardNotAvailableException(cause)) {
                            arrayList.add(tokenIdFromDocumentId);
                        } else {
                            traceLog("invalidate access token", tokenIdFromDocumentId, cause);
                            arrayList2.add(new ElasticsearchException("Error invalidating " + str + ": ", cause, new Object[0]));
                        }
                    } else {
                        UpdateResponse response = bulkItemResponse.getResponse();
                        if (response.getResult() == DocWriteResponse.Result.UPDATED) {
                            logger.debug(() -> {
                                return Strings.format("Invalidated [%s] for doc [%s]", new Object[]{str, response.getGetResult().getId()});
                            });
                            arrayList4.add(response.getGetResult().getId());
                        } else if (response.getResult() == DocWriteResponse.Result.NOOP) {
                            arrayList3.add(response.getGetResult().getId());
                        }
                    }
                }
                if (!arrayList.isEmpty() && it.hasNext()) {
                    logger.debug("failed to invalidate [{}] tokens out of [{}], retrying to invalidate these too", Integer.valueOf(arrayList.size()), Integer.valueOf(collection.size()));
                    TokensInvalidationResult tokensInvalidationResult2 = new TokensInvalidationResult(arrayList4, arrayList3, arrayList2, RestStatus.OK);
                    this.client.threadPool().schedule(() -> {
                        indexInvalidation(arrayList, securityIndexManager, it, str, tokensInvalidationResult2, refreshPolicy, actionListener);
                    }, (TimeValue) it.next(), this.client.threadPool().generic());
                } else {
                    if (!arrayList.isEmpty()) {
                        logger.warn("failed to invalidate [{}] tokens out of [{}] after all retries", Integer.valueOf(arrayList.size()), Integer.valueOf(collection.size()));
                        Iterator it3 = arrayList.iterator();
                        while (it3.hasNext()) {
                            arrayList2.add(new ElasticsearchException("Error invalidating [{}] with doc id [{}] after retries exhausted", new Object[]{str, (String) it3.next()}));
                        }
                    }
                    actionListener.onResponse(new TokensInvalidationResult(arrayList4, arrayList3, arrayList2, RestStatus.OK));
                }
            }, exc2 -> {
                Throwable unwrapCause = ExceptionsHelper.unwrapCause(exc2);
                traceLog("invalidate tokens", unwrapCause);
                if (!TransportActions.isShardNotAvailableException(unwrapCause) || !it.hasNext()) {
                    actionListener.onFailure(exc2);
                } else {
                    logger.debug("failed to invalidate tokens, retrying ");
                    this.client.threadPool().schedule(() -> {
                        indexInvalidation(collection, securityIndexManager, it, str, tokensInvalidationResult, refreshPolicy, actionListener);
                    }, (TimeValue) it.next(), this.client.threadPool().generic());
                }
            });
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::bulk);
        });
    }

    public void refreshToken(String str, ActionListener<CreateTokenResult> actionListener) {
        ensureEnabled();
        Instant instant = this.clock.instant();
        Iterator<TimeValue> it = DEFAULT_BACKOFF.iterator();
        Consumer consumer = exc -> {
            actionListener.onFailure((Exception) traceLog("find token by refresh token", str, exc));
        };
        findTokenFromRefreshToken(str, it, ActionListener.wrap(doc -> {
            if (doc != null) {
                innerRefresh(str, doc, this.securityContext.getAuthentication(), it, instant, actionListener);
            } else {
                logger.warn("could not find token document for refresh token");
                consumer.accept(invalidGrantException("could not refresh the requested token"));
            }
        }, exc2 -> {
            actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
        }));
    }

    private void findTokenFromRefreshToken(String str, Iterator<TimeValue> it, ActionListener<Doc> actionListener) {
        if (str.length() == TOKEN_LENGTH) {
            logger.debug("Assuming an unversioned refresh token [{}], generated for node versions prior to the introduction of the version-header format.", str);
            findTokenFromRefreshToken(str, this.securityMainIndex, it, actionListener);
            return;
        }
        try {
            InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(Base64.getDecoder().wrap(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))), r0.length);
            try {
                TransportVersion readVersion = TransportVersion.readVersion(inputStreamStreamInput);
                inputStreamStreamInput.setTransportVersion(readVersion);
                if (readVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
                    byte[] readByteArray = inputStreamStreamInput.readByteArray();
                    if (readByteArray.length != RAW_TOKEN_BYTES_TOTAL_LENGTH) {
                        logger.debug("Refresh token with version [{}] has length [{}] but expect length is [{}].", readVersion, Integer.valueOf(readByteArray.length), Integer.valueOf(RAW_TOKEN_BYTES_LENGTH));
                        actionListener.onResponse((Object) null);
                    } else {
                        MessageDigest sha256 = MessageDigests.sha256();
                        sha256.update(readByteArray, RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_DOC_ID_BYTES_LENGTH);
                        getTokenDocById(Base64.getUrlEncoder().withoutPadding().encodeToString(sha256.digest()), readVersion, null, Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigests.sha256().digest(readByteArray)), actionListener);
                    }
                } else if (readVersion.onOrAfter(VERSION_HASHED_TOKENS)) {
                    String readString = inputStreamStreamInput.readString();
                    if (readString.length() != TOKEN_LENGTH) {
                        logger.debug("Decoded refresh token [{}] with version [{}] is invalid.", readString, readVersion);
                        actionListener.onResponse((Object) null);
                    } else {
                        findTokenFromRefreshToken(hashTokenString(readString), this.securityTokensIndex, it, actionListener);
                    }
                } else {
                    logger.debug("Unrecognized refresh token version [{}].", readVersion);
                    actionListener.onResponse((Object) null);
                }
                inputStreamStreamInput.close();
            } finally {
            }
        } catch (IOException e) {
            logger.debug(() -> {
                return "Could not decode refresh token [" + str + "].";
            }, e);
            actionListener.onResponse((Object) null);
        }
    }

    private void findTokenFromRefreshToken(String str, SecurityIndexManager securityIndexManager, Iterator<TimeValue> it, ActionListener<Doc> actionListener) {
        Consumer consumer = exc -> {
            actionListener.onFailure((Exception) traceLog("find token by refresh token", str, exc));
        };
        Consumer consumer2 = exc2 -> {
            if (!it.hasNext()) {
                logger.warn("failed to find token from refresh token after all retries");
                consumer.accept(exc2);
            } else {
                TimeValue timeValue = (TimeValue) it.next();
                logger.debug("retrying after [{}] back off", timeValue);
                this.client.threadPool().schedule(() -> {
                    findTokenFromRefreshToken(str, securityIndexManager, it, actionListener);
                }, timeValue, this.client.threadPool().generic());
            }
        };
        SecurityIndexManager freeze = securityIndexManager.freeze();
        if (!freeze.indexExists()) {
            logger.warn("index [{}] does not exist so we can't find token from refresh token", freeze.aliasName());
            actionListener.onFailure(freeze.getUnavailableReason());
        } else if (!freeze.isAvailable()) {
            logger.debug("index [{}] is not available to find token from refresh token, retrying", freeze.aliasName());
            consumer2.accept(freeze.getUnavailableReason());
        } else {
            SearchRequest request = this.client.prepareSearch(new String[]{securityIndexManager.aliasName()}).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", TOKEN_DOC_TYPE)).filter(QueryBuilders.termQuery("refresh_token.token", str))).seqNoAndPrimaryTerm(true).request();
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener wrap = ActionListener.wrap(searchResponse -> {
                    if (searchResponse.isTimedOut()) {
                        logger.debug("find token from refresh token response timed out, retrying");
                        consumer2.accept(invalidGrantException("could not refresh the requested token"));
                    } else if (searchResponse.getHits().getHits().length > 1) {
                        actionListener.onFailure(new IllegalStateException("multiple tokens share the same refresh token"));
                    } else if (searchResponse.getHits().getHits().length >= 1) {
                        actionListener.onResponse(new Doc(searchResponse.getHits().getAt(0)));
                    } else {
                        logger.debug("could not find token document for refresh token");
                        actionListener.onResponse((Object) null);
                    }
                }, exc3 -> {
                    if (!TransportActions.isShardNotAvailableException(exc3)) {
                        consumer.accept(exc3);
                    } else {
                        logger.debug("find token from refresh token request failed because of unavailable shards, retrying");
                        consumer2.accept(invalidGrantException("could not refresh the requested token"));
                    }
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::search);
            });
        }
    }

    private void innerRefresh(String str, Doc doc, Authentication authentication, Iterator<TimeValue> it, Instant instant, ActionListener<CreateTokenResult> actionListener) {
        logger.debug("Attempting to refresh token stored in token document [{}]", doc.id());
        Consumer consumer = exc -> {
            actionListener.onFailure((Exception) traceLog("refresh token", doc.id(), exc));
        };
        try {
            Tuple<RefreshTokenStatus, Optional<ElasticsearchSecurityException>> checkTokenDocumentForRefresh = checkTokenDocumentForRefresh(instant, authentication, doc.sourceAsMap());
            if (((Optional) checkTokenDocumentForRefresh.v2()).isPresent()) {
                consumer.accept((Exception) ((Optional) checkTokenDocumentForRefresh.v2()).get());
                return;
            }
            RefreshTokenStatus refreshTokenStatus = (RefreshTokenStatus) checkTokenDocumentForRefresh.v1();
            SecurityIndexManager tokensIndexForVersion = getTokensIndexForVersion(refreshTokenStatus.getTransportVersion());
            if (refreshTokenStatus.isRefreshed()) {
                logger.debug("Token document [{}] was recently refreshed, when a new token document was generated. Reusing that result.", doc.id());
                decryptAndReturnSupersedingTokens(str, refreshTokenStatus, tokensIndexForVersion, ((UserToken) parseTokensFromDocument(doc.sourceAsMap(), null).v1()).getAuthentication(), actionListener);
                return;
            }
            TransportVersion tokenVersionCompatibility = getTokenVersionCompatibility();
            Tuple<byte[], byte[]> randomTokenBytes = getRandomTokenBytes(tokenVersionCompatibility, true);
            HashMap hashMap = new HashMap();
            hashMap.put("refreshed", true);
            if (tokenVersionCompatibility.onOrAfter(VERSION_MULTIPLE_CONCURRENT_REFRESHES)) {
                hashMap.put("refresh_time", Long.valueOf(this.clock.instant().toEpochMilli()));
                try {
                    byte[] randomBytes = getRandomBytes(IV_BYTES);
                    byte[] randomBytes2 = getRandomBytes(SALT_BYTES);
                    hashMap.put("superseding.encrypted_tokens", encryptSupersedingTokens((byte[]) randomTokenBytes.v1(), (byte[]) randomTokenBytes.v2(), str, randomBytes, randomBytes2));
                    hashMap.put("superseding.encryption_iv", Base64.getEncoder().encodeToString(randomBytes));
                    hashMap.put("superseding.encryption_salt", Base64.getEncoder().encodeToString(randomBytes2));
                } catch (GeneralSecurityException e) {
                    logger.warn("could not encrypt access token and refresh token string", e);
                    consumer.accept(invalidGrantException("could not refresh the requested token"));
                }
            }
            if (!$assertionsDisabled && doc.seqNo() == -2) {
                throw new AssertionError("expected an assigned sequence number");
            }
            if (!$assertionsDisabled && doc.primaryTerm() == 0) {
                throw new AssertionError("expected an assigned primary term");
            }
            WriteRequest.RefreshPolicy refreshPolicy = refreshTokenStatus.getTransportVersion().onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH) ? WriteRequest.RefreshPolicy.NONE : WriteRequest.RefreshPolicy.IMMEDIATE;
            logger.debug(() -> {
                return Strings.format("Using refresh policy [%s] when updating token doc [%s] for refresh in the security index [%s]", new Object[]{refreshPolicy, doc.id(), tokensIndexForVersion.aliasName()});
            });
            UpdateRequestBuilder ifPrimaryTerm = this.client.prepareUpdate(tokensIndexForVersion.aliasName(), doc.id()).setDoc(new Object[]{"refresh_token", hashMap}).setFetchSource(logger.isDebugEnabled()).setRefreshPolicy(refreshPolicy).setIfSeqNo(doc.seqNo()).setIfPrimaryTerm(doc.primaryTerm());
            tokensIndexForVersion.prepareIndexIfNeededThenExecute(exc2 -> {
                actionListener.onFailure((Exception) traceLog("prepare index [" + tokensIndexForVersion.aliasName() + "]", exc2));
            }, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                UpdateRequest request = ifPrimaryTerm.request();
                ActionListener wrap = ActionListener.wrap(updateResponse -> {
                    if (updateResponse.getResult() == DocWriteResponse.Result.UPDATED) {
                        logger.debug(() -> {
                            return Strings.format("updated the original token document to %s", new Object[]{updateResponse.getGetResult().sourceAsMap()});
                        });
                        UserToken userToken = (UserToken) parseTokensFromDocument(doc.sourceAsMap(), null).v1();
                        createOAuth2Tokens((byte[]) randomTokenBytes.v1(), (byte[]) randomTokenBytes.v2(), tokenVersionCompatibility, userToken.getAuthentication(), authentication, userToken.getMetadata(), actionListener);
                    } else if (it.hasNext()) {
                        logger.info("failed to update the original token document [{}], the update result was [{}]. Retrying", doc.id(), updateResponse.getResult());
                        this.client.threadPool().schedule(() -> {
                            innerRefresh(str, doc, authentication, it, instant, actionListener);
                        }, (TimeValue) it.next(), this.client.threadPool().generic());
                    } else {
                        logger.info("failed to update the original token document [{}] after all retries, the update result was [{}]. ", doc.id(), updateResponse.getResult());
                        actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
                    }
                }, exc3 -> {
                    if (ExceptionsHelper.unwrapCause(exc3) instanceof VersionConflictEngineException) {
                        logger.debug("version conflict while updating document [{}], attempting to get it again", doc.id());
                        getTokenDocAsync(doc.id(), tokensIndexForVersion, true, new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authc.TokenService.1
                            static final /* synthetic */ boolean $assertionsDisabled;

                            public void onResponse(GetResponse getResponse) {
                                if (!getResponse.isExists()) {
                                    TokenService.logger.warn("could not find token document [{}] for refresh", doc.id());
                                    consumer.accept(TokenService.invalidGrantException("could not refresh the requested token"));
                                } else {
                                    if (!$assertionsDisabled && !getResponse.getId().equals(doc.id())) {
                                        throw new AssertionError();
                                    }
                                    TokenService.this.innerRefresh(str, new Doc(getResponse), authentication, it, instant, actionListener);
                                }
                            }

                            public void onFailure(Exception exc3) {
                                if (!TransportActions.isShardNotAvailableException(exc3)) {
                                    consumer.accept(exc3);
                                    return;
                                }
                                if (!it.hasNext()) {
                                    TokenService.logger.warn("could not get token document [{}] for refresh after all retries", doc.id());
                                    consumer.accept(TokenService.invalidGrantException("could not refresh the requested token"));
                                    return;
                                }
                                TokenService.logger.info("could not get token document [{}] for refresh, retrying", doc.id());
                                ThreadPool threadPool = TokenService.this.client.threadPool();
                                Doc doc2 = doc;
                                SecurityIndexManager securityIndexManager = tokensIndexForVersion;
                                threadPool.schedule(() -> {
                                    TokenService.this.getTokenDocAsync(doc2.id(), securityIndexManager, true, this);
                                }, (TimeValue) it.next(), TokenService.this.client.threadPool().generic());
                            }

                            static {
                                $assertionsDisabled = !TokenService.class.desiredAssertionStatus();
                            }
                        });
                    } else if (!TransportActions.isShardNotAvailableException(exc3)) {
                        consumer.accept(exc3);
                    } else if (it.hasNext()) {
                        logger.debug("failed to update the original token document [{}], retrying", doc.id());
                        this.client.threadPool().schedule(() -> {
                            innerRefresh(str, doc, authentication, it, instant, actionListener);
                        }, (TimeValue) it.next(), this.client.threadPool().generic());
                    } else {
                        logger.warn("failed to update the original token document [{}], after all retries", doc.id());
                        consumer.accept(invalidGrantException("could not refresh the requested token"));
                    }
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::update);
            });
        } catch (IllegalStateException | DateTimeException e2) {
            consumer.accept(new ElasticsearchSecurityException("invalid token document", e2, new Object[0]));
        }
    }

    void decryptAndReturnSupersedingTokens(String str, final RefreshTokenStatus refreshTokenStatus, SecurityIndexManager securityIndexManager, final Authentication authentication, final ActionListener<CreateTokenResult> actionListener) {
        String tokenDocumentId;
        byte[] decode = Base64.getDecoder().decode(refreshTokenStatus.getIv());
        byte[] decode2 = Base64.getDecoder().decode(refreshTokenStatus.getSalt());
        try {
            final String[] split = new String(getDecryptionCipher(decode, str, decode2).doFinal(Base64.getDecoder().decode(refreshTokenStatus.getSupersedingTokens())), StandardCharsets.UTF_8).split("\\|");
            if (split.length != 2) {
                logger.warn("Decrypted tokens string is not correctly formatted");
                actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
            } else {
                Iterator it = BackoffPolicy.exponentialBackoff(TimeValue.timeValueMillis(10L), RAW_TOKEN_DOC_ID_BYTES_LENGTH).iterator();
                if (refreshTokenStatus.getTransportVersion().onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
                    MessageDigest sha256 = MessageDigests.sha256();
                    sha256.update(Base64.getUrlDecoder().decode(split[0]), RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_DOC_ID_BYTES_LENGTH);
                    tokenDocumentId = getTokenDocumentId(Base64.getUrlEncoder().withoutPadding().encodeToString(sha256.digest()));
                } else {
                    tokenDocumentId = getTokenDocumentId(hashTokenString(split[0]));
                }
                String str2 = tokenDocumentId;
                final Consumer consumer = exc -> {
                    actionListener.onFailure((Exception) traceLog("decrypt and get superseding token", str2, exc));
                };
                String str3 = tokenDocumentId;
                final Consumer consumer2 = actionListener2 -> {
                    if (it.hasNext()) {
                        logger.info("could not get token document [{}] that should have been created, retrying", str3);
                        this.client.threadPool().schedule(() -> {
                            getTokenDocAsync(str3, securityIndexManager, false, actionListener2);
                        }, (TimeValue) it.next(), this.client.threadPool().generic());
                    } else {
                        logger.warn("could not get token document [{}] that should have been created after all retries", str3);
                        consumer.accept(invalidGrantException("could not refresh the requested token"));
                    }
                };
                getTokenDocAsync(tokenDocumentId, securityIndexManager, false, new ActionListener<GetResponse>() { // from class: org.elasticsearch.xpack.security.authc.TokenService.2
                    public void onResponse(GetResponse getResponse) {
                        if (!getResponse.isExists()) {
                            consumer2.accept(this);
                            return;
                        }
                        try {
                            TokenService.logger.debug("Found superseding document: index=[{}] id=[{}] primTerm=[{}] seqNo=[{}]", getResponse.getIndex(), getResponse.getId(), Long.valueOf(getResponse.getPrimaryTerm()), Long.valueOf(getResponse.getSeqNo()));
                            actionListener.onResponse(new CreateTokenResult(TokenService.this.prependVersionAndEncodeAccessToken(refreshTokenStatus.getTransportVersion(), Base64.getUrlDecoder().decode(split[0])), TokenService.prependVersionAndEncodeRefreshToken(refreshTokenStatus.getTransportVersion(), Base64.getUrlDecoder().decode(split[1])), authentication));
                        } catch (IOException | GeneralSecurityException e) {
                            TokenService.logger.warn("Could not format stored superseding token values", e);
                            consumer.accept(TokenService.invalidGrantException("could not refresh the requested token"));
                        }
                    }

                    public void onFailure(Exception exc2) {
                        if (TransportActions.isShardNotAvailableException(exc2)) {
                            consumer2.accept(this);
                        } else {
                            consumer.accept(exc2);
                        }
                    }
                });
            }
        } catch (GeneralSecurityException e) {
            logger.warn("Could not get stored superseding token values", e);
            actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
        }
    }

    String encryptSupersedingTokens(byte[] bArr, byte[] bArr2, String str, byte[] bArr3, byte[] bArr4) throws GeneralSecurityException {
        return Base64.getEncoder().encodeToString(getEncryptionCipher(bArr3, str, bArr4).doFinal((Base64.getUrlEncoder().withoutPadding().encodeToString(bArr) + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(bArr2)).getBytes(StandardCharsets.UTF_8)));
    }

    private void getTokenDocAsync(String str, SecurityIndexManager securityIndexManager, boolean z, ActionListener<GetResponse> actionListener) {
        GetRequest request = this.client.prepareGet(securityIndexManager.aliasName(), str).setFetchSource(z).request();
        securityIndexManager.checkIndexVersionThenExecute(exc -> {
            actionListener.onFailure((Exception) traceLog("prepare tokens index [" + securityIndexManager.aliasName() + "]", str, exc));
        }, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener, client::get);
        });
    }

    public TransportVersion getTokenVersionCompatibility() {
        return this.clusterService.state().getMinTransportVersion();
    }

    public static Boolean isTokenServiceEnabled(Settings settings) {
        return (Boolean) XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings);
    }

    private static Optional<ElasticsearchSecurityException> checkTokenDocumentExpired(Instant instant, Map<String, Object> map) {
        Long l = (Long) map.get("creation_time");
        if (l == null) {
            throw new IllegalStateException("token document is missing creation time value");
        }
        return instant.isAfter(Instant.ofEpochMilli(l.longValue()).plus(24L, (TemporalUnit) ChronoUnit.HOURS)) ? Optional.of(invalidGrantException("token document has expired")) : Optional.empty();
    }

    private static Tuple<RefreshTokenStatus, Optional<ElasticsearchSecurityException>> checkTokenDocumentForRefresh(Instant instant, Authentication authentication, Map<String, Object> map) throws IllegalStateException, DateTimeException {
        RefreshTokenStatus refreshTokenStatus = (RefreshTokenStatus) parseTokenAndRefreshStatus(map).v2();
        return new Tuple<>(refreshTokenStatus, Optional.ofNullable(checkTokenDocumentExpired(instant, map).orElseGet(() -> {
            return refreshTokenStatus.isInvalidated() ? invalidGrantException("token has been invalidated") : checkClientCanRefresh(refreshTokenStatus, authentication).orElse(checkMultipleRefreshes(instant, refreshTokenStatus).orElse(null));
        })));
    }

    private static Tuple<UserToken, RefreshTokenStatus> parseTokenAndRefreshStatus(Map<String, Object> map) {
        RefreshTokenStatus fromSourceMap = RefreshTokenStatus.fromSourceMap(getRefreshTokenSourceMap(map));
        UserToken fromSourceMap2 = UserToken.fromSourceMap(getUserTokenSourceMap(map));
        fromSourceMap.setTransportVersion(fromSourceMap2.getTransportVersion());
        return new Tuple<>(fromSourceMap2, fromSourceMap);
    }

    private static Optional<ElasticsearchSecurityException> checkClientCanRefresh(RefreshTokenStatus refreshTokenStatus, Authentication authentication) {
        if (refreshTokenStatus.getAssociatedAuthentication() != null) {
            if (authentication.canAccessResourcesOf(refreshTokenStatus.getAssociatedAuthentication())) {
                return Optional.empty();
            }
            logger.warn("Token was originally created by [{}] but [{}] attempted to refresh it", refreshTokenStatus.getAssociatedAuthentication(), authentication);
            return Optional.of(invalidGrantException("tokens must be refreshed by the creating client"));
        }
        if (!authentication.getEffectiveSubject().getUser().principal().equals(refreshTokenStatus.getAssociatedUser())) {
            logger.warn("Token was originally created by [{}] but [{}] attempted to refresh it", refreshTokenStatus.getAssociatedUser(), authentication.getEffectiveSubject().getUser().principal());
            return Optional.of(invalidGrantException("tokens must be refreshed by the creating client"));
        }
        if (authentication.getAuthenticatingSubject().getRealm().getName().equals(refreshTokenStatus.getAssociatedRealm())) {
            return Optional.empty();
        }
        logger.warn("[{}] created the refresh token while authenticated by [{}] but is now authenticated by [{}]", refreshTokenStatus.getAssociatedUser(), refreshTokenStatus.getAssociatedRealm(), authentication.getAuthenticatingSubject().getRealm().getName());
        return Optional.of(invalidGrantException("tokens must be refreshed by the creating client"));
    }

    private static Map<String, Object> getRefreshTokenSourceMap(Map<String, Object> map) {
        Map<String, Object> map2 = (Map) map.get("refresh_token");
        if (map2 == null || map2.isEmpty()) {
            throw new IllegalStateException("token document is missing the refresh_token object");
        }
        return map2;
    }

    private static Map<String, Object> getUserTokenSourceMap(Map<String, Object> map) {
        Map map2 = (Map) map.get("access_token");
        if (map2 == null || map2.isEmpty()) {
            throw new IllegalStateException("token document is missing the access_token object");
        }
        Map<String, Object> map3 = (Map) map2.get("user_token");
        if (map3 == null || map3.isEmpty()) {
            throw new IllegalStateException("token document is missing the user token info");
        }
        return map3;
    }

    private static Optional<ElasticsearchSecurityException> checkMultipleRefreshes(Instant instant, RefreshTokenStatus refreshTokenStatus) {
        if (refreshTokenStatus.isRefreshed()) {
            if (!refreshTokenStatus.getTransportVersion().onOrAfter(VERSION_MULTIPLE_CONCURRENT_REFRESHES)) {
                return Optional.of(invalidGrantException("token has already been refreshed"));
            }
            if (instant.isAfter(refreshTokenStatus.getRefreshInstant().plus(30L, (TemporalUnit) ChronoUnit.SECONDS))) {
                return Optional.of(invalidGrantException("token has already been refreshed more than 30 seconds in the past"));
            }
            if (instant.isBefore(refreshTokenStatus.getRefreshInstant().minus(30L, (TemporalUnit) ChronoUnit.SECONDS))) {
                return Optional.of(invalidGrantException("token has been refreshed more than 30 seconds in the future, clock skew too great"));
            }
        }
        return Optional.empty();
    }

    private void searchActiveTokens(@Nullable String str, @Nullable Predicate<Map<String, Object>> predicate, ActionListener<Collection<Tuple<UserToken, String>>> actionListener) {
        CheckedConsumer checkedConsumer = list -> {
            if (list.isEmpty()) {
                actionListener.onResponse(Collections.emptyList());
                return;
            }
            Instant instant = this.clock.instant();
            BoolQueryBuilder filter = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", TOKEN_DOC_TYPE));
            if (!org.elasticsearch.common.Strings.isNullOrEmpty(str)) {
                filter.filter(QueryBuilders.termQuery("access_token.realm", str));
            }
            filter.filter(QueryBuilders.boolQuery().should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("access_token.invalidated", false)).must(QueryBuilders.rangeQuery("access_token.user_token.expiration_time").gte(Long.valueOf(instant.toEpochMilli())))).should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("refresh_token.invalidated", false)).must(QueryBuilders.rangeQuery("creation_time").gte(Long.valueOf(instant.toEpochMilli() - TimeValue.timeValueHours(24L).millis())))));
            Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
            ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
            try {
                RefreshRequestBuilder prepareRefresh = this.client.admin().indices().prepareRefresh(new String[]{this.securityTokensIndex.aliasName()});
                CheckedConsumer checkedConsumer2 = refreshResponse -> {
                    if (refreshResponse.getFailedShards() > 0 && logger.isDebugEnabled()) {
                        logger.debug("Failure to refresh tokens index {}", Arrays.toString(refreshResponse.getShardFailures()));
                    }
                    ScrollHelper.fetchAllByEntity(this.client, this.client.prepareSearch((String[]) list.toArray(new String[0])).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(filter).setVersion(false).setSize(1000).setFetchSource(true).request(), new ContextPreservingActionListener(newRestorableContext, actionListener), searchHit -> {
                        return filterAndParseHit(searchHit, predicate);
                    });
                };
                Objects.requireNonNull(actionListener);
                prepareRefresh.execute(ActionListener.wrap(checkedConsumer2, actionListener::onFailure));
                if (stashWithOrigin != null) {
                    stashWithOrigin.close();
                }
            } catch (Throwable th) {
                if (stashWithOrigin != null) {
                    try {
                        stashWithOrigin.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        };
        Objects.requireNonNull(actionListener);
        sourceIndicesWithTokensAndRun(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void sourceIndicesWithTokensAndRun(ActionListener<List<String>> actionListener) {
        ArrayList arrayList = new ArrayList(2);
        SecurityIndexManager freeze = this.securityTokensIndex.freeze();
        if (freeze.indexExists()) {
            if (false == freeze.isAvailable()) {
                actionListener.onFailure(freeze.getUnavailableReason());
                return;
            } else {
                if (false == freeze.isIndexUpToDate()) {
                    actionListener.onFailure(new IllegalStateException("Index [" + freeze.aliasName() + "] is not on the current version. Features relying on the index will not be available until the upgrade API is run on the index"));
                    return;
                }
                arrayList.add(freeze.aliasName());
            }
        }
        SecurityIndexManager freeze2 = this.securityMainIndex.freeze();
        if (freeze2.indexExists() && (false == freeze.indexExists() || freeze.getCreationTime().isAfter(this.clock.instant().minus(24L, (TemporalUnit) ChronoUnit.HOURS)))) {
            if (false == freeze2.isAvailable()) {
                actionListener.onFailure(freeze2.getUnavailableReason());
                return;
            } else {
                if (false == freeze2.isIndexUpToDate()) {
                    actionListener.onFailure(new IllegalStateException("Index [" + freeze2.aliasName() + "] is not on the current version. Features relying on the index will not be available until the upgrade API is run on the index"));
                    return;
                }
                arrayList.add(freeze2.aliasName());
            }
        }
        actionListener.onResponse(arrayList);
    }

    private BytesReference createTokenDocument(UserToken userToken, @Nullable String str, @Nullable String str2, @Nullable Authentication authentication) {
        return createTokenDocument(userToken, str, str2, authentication, getCreationTime(userToken.getExpirationTime()));
    }

    static BytesReference createTokenDocument(UserToken userToken, @Nullable String str, @Nullable String str2, @Nullable Authentication authentication, Instant instant) {
        if (!$assertionsDisabled && str2 != null && authentication == null) {
            throw new AssertionError("non-null refresh token " + str2 + " requires non-null client authn " + authentication);
        }
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            try {
                jsonBuilder.startObject();
                jsonBuilder.field("doc_type", TOKEN_DOC_TYPE);
                jsonBuilder.field("creation_time", instant.toEpochMilli());
                if (str2 != null) {
                    jsonBuilder.startObject("refresh_token").field(TOKEN_DOC_TYPE, str2).field("invalidated", false).field("refreshed", false).startObject("client").field(LoggingAuditTrail.LOG_TYPE, "unassociated_client");
                    if (userToken.getTransportVersion().onOrAfter(VERSION_CLIENT_AUTH_FOR_REFRESH)) {
                        jsonBuilder.field("authentication", authentication.maybeRewriteForOlderVersion(userToken.getTransportVersion()).encode());
                    } else {
                        jsonBuilder.field("user", authentication.getEffectiveSubject().getUser().principal()).field(LoggingAuditTrail.REALM_FIELD_NAME, authentication.getAuthenticatingSubject().getRealm().getName());
                        if (authentication.getAuthenticatingSubject().getRealm().getDomain() != null) {
                            jsonBuilder.field("realm_domain", authentication.getAuthenticatingSubject().getRealm().getDomain());
                        }
                    }
                    jsonBuilder.endObject().endObject();
                }
                Authentication.RealmRef realm = userToken.getAuthentication().getEffectiveSubject().getRealm();
                jsonBuilder.startObject("access_token").field("invalidated", false).field("user_token", userToken).field(LoggingAuditTrail.REALM_FIELD_NAME, realm.getName());
                if (realm.getDomain() != null) {
                    jsonBuilder.field("realm_domain", realm.getDomain());
                }
                if (str != null) {
                    jsonBuilder.field(TOKEN_DOC_TYPE, str);
                }
                jsonBuilder.endObject().endObject();
                BytesReference bytes = BytesReference.bytes(jsonBuilder);
                if (jsonBuilder != null) {
                    jsonBuilder.close();
                }
                return bytes;
            } finally {
            }
        } catch (IOException e) {
            throw new RuntimeException("Unexpected exception when constructing a JSON document.", e);
        }
    }

    private static Predicate<Map<String, Object>> isOfUser(String str) {
        return map -> {
            String str2 = (String) map.get("authentication");
            TransportVersion fromId = TransportVersion.fromId(((Integer) map.get("version")).intValue());
            try {
                StreamInput wrap = StreamInput.wrap(Base64.getDecoder().decode(str2));
                try {
                    wrap.setTransportVersion(fromId);
                    boolean equals = new Authentication(wrap).getEffectiveSubject().getUser().principal().equals(str);
                    if (wrap != null) {
                        wrap.close();
                    }
                    return equals;
                } finally {
                }
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Tuple<UserToken, String> filterAndParseHit(SearchHit searchHit, @Nullable Predicate<Map<String, Object>> predicate) throws IllegalStateException, DateTimeException {
        Map sourceAsMap = searchHit.getSourceAsMap();
        if (sourceAsMap == null) {
            throw new IllegalStateException("token document did not have source but source should have been fetched");
        }
        return parseTokensFromDocument(sourceAsMap, predicate);
    }

    private static Tuple<UserToken, String> parseTokensFromDocument(Map<String, Object> map, @Nullable Predicate<Map<String, Object>> predicate) throws IllegalStateException, DateTimeException {
        Map map2 = (Map) map.get("refresh_token");
        String str = map2 != null ? (String) map2.get(TOKEN_DOC_TYPE) : null;
        Map<String, Object> map3 = (Map) ((Map) map.get("access_token")).get("user_token");
        if (null == predicate || predicate.test(map3)) {
            return new Tuple<>(UserToken.fromSourceMap(map3), str);
        }
        return null;
    }

    private static String getTokenDocumentId(UserToken userToken) {
        return getTokenDocumentId(userToken.getId());
    }

    private static String getTokenDocumentId(String str) {
        return "token_" + str;
    }

    private static String getTokenIdFromDocumentId(String str) {
        if (str.startsWith(TOKEN_DOC_ID_PREFIX)) {
            return str.substring(TOKEN_DOC_ID_PREFIX.length());
        }
        throw new IllegalStateException("TokenDocument ID [" + str + "] has unexpected value");
    }

    private boolean isEnabled() {
        return this.enabled && Security.TOKEN_SERVICE_FEATURE.check(this.licenseState);
    }

    private void ensureEnabled() {
        if (!Security.TOKEN_SERVICE_FEATURE.check(this.licenseState)) {
            throw LicenseUtils.newComplianceException("security tokens");
        }
        if (!this.enabled) {
            throw new FeatureNotEnabledException(FeatureNotEnabledException.Feature.TOKEN_SERVICE, "security tokens are not enabled", new Object[0]);
        }
    }

    private SecurityIndexManager getTokensIndexForVersion(TransportVersion transportVersion) {
        return transportVersion.onOrAfter(VERSION_TOKENS_INDEX_INTRODUCED) ? this.securityTokensIndex : this.securityMainIndex;
    }

    public TimeValue getExpirationDelay() {
        return this.expirationDelay;
    }

    Instant getExpirationTime() {
        return this.clock.instant().plusSeconds(this.expirationDelay.getSeconds());
    }

    private Instant getCreationTime(Instant instant) {
        return instant.minusSeconds(this.expirationDelay.getSeconds());
    }

    private void maybeStartTokenRemover() {
        if (this.client.threadPool().relativeTimeInMillis() - this.lastExpirationRunMs > this.deleteInterval.getMillis()) {
            this.expiredTokenRemover.submit(this.client.threadPool());
            this.lastExpirationRunMs = this.client.threadPool().relativeTimeInMillis();
        }
    }

    public String prependVersionAndEncodeAccessToken(TransportVersion transportVersion, byte[] bArr) throws IOException, GeneralSecurityException {
        BytesStreamOutput bytesStreamOutput;
        if (transportVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
            bytesStreamOutput = new BytesStreamOutput(28);
            try {
                bytesStreamOutput.setTransportVersion(transportVersion);
                TransportVersion.writeVersion(transportVersion, bytesStreamOutput);
                bytesStreamOutput.writeByteArray(bArr);
                String encodeToString = Base64.getEncoder().encodeToString(bytesStreamOutput.bytes().toBytesRef().bytes);
                bytesStreamOutput.close();
                return encodeToString;
            } finally {
            }
        }
        if (transportVersion.onOrAfter(VERSION_ACCESS_TOKENS_AS_UUIDS)) {
            bytesStreamOutput = new BytesStreamOutput(MINIMUM_BASE64_BYTES);
            try {
                bytesStreamOutput.setTransportVersion(transportVersion);
                TransportVersion.writeVersion(transportVersion, bytesStreamOutput);
                bytesStreamOutput.writeString(Base64.getUrlEncoder().withoutPadding().encodeToString(bArr));
                String encodeToString2 = Base64.getEncoder().encodeToString(bytesStreamOutput.bytes().toBytesRef().bytes);
                bytesStreamOutput.close();
                return encodeToString2;
            } finally {
            }
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(LEGACY_MINIMUM_BASE64_BYTES);
        try {
            OutputStream wrap = Base64.getEncoder().wrap(byteArrayOutputStream);
            try {
                OutputStreamStreamOutput outputStreamStreamOutput = new OutputStreamStreamOutput(wrap);
                try {
                    outputStreamStreamOutput.setTransportVersion(transportVersion);
                    KeyAndCache keyAndCache = this.keyCache.activeKeyCache;
                    TransportVersion.writeVersion(transportVersion, outputStreamStreamOutput);
                    outputStreamStreamOutput.writeByteArray(keyAndCache.getSalt().bytes);
                    outputStreamStreamOutput.writeByteArray(keyAndCache.getKeyHash().bytes);
                    byte[] randomBytes = getRandomBytes(IV_BYTES);
                    outputStreamStreamOutput.writeByteArray(randomBytes);
                    CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStreamStreamOutput, getEncryptionCipher(randomBytes, keyAndCache, transportVersion));
                    try {
                        outputStreamStreamOutput = new OutputStreamStreamOutput(cipherOutputStream);
                        try {
                            outputStreamStreamOutput.setTransportVersion(transportVersion);
                            outputStreamStreamOutput.writeString(Base64.getUrlEncoder().withoutPadding().encodeToString(bArr));
                            outputStreamStreamOutput.close();
                            String str = new String(byteArrayOutputStream.toByteArray(), StandardCharsets.UTF_8);
                            outputStreamStreamOutput.close();
                            cipherOutputStream.close();
                            outputStreamStreamOutput.close();
                            if (wrap != null) {
                                wrap.close();
                            }
                            byteArrayOutputStream.close();
                            return str;
                        } finally {
                            try {
                                outputStreamStreamOutput.close();
                            } catch (Throwable th) {
                                th.addSuppressed(th);
                            }
                        }
                    } catch (Throwable th2) {
                        try {
                            cipherOutputStream.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                        throw th2;
                    }
                } catch (Throwable th4) {
                    throw th4;
                }
            } finally {
            }
        } catch (Throwable th5) {
            try {
                byteArrayOutputStream.close();
            } catch (Throwable th6) {
                th5.addSuppressed(th6);
            }
            throw th5;
        }
    }

    public static String prependVersionAndEncodeRefreshToken(TransportVersion transportVersion, byte[] bArr) throws IOException {
        BytesStreamOutput bytesStreamOutput;
        if (transportVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
            bytesStreamOutput = new BytesStreamOutput(28);
            try {
                bytesStreamOutput.setTransportVersion(transportVersion);
                TransportVersion.writeVersion(transportVersion, bytesStreamOutput);
                bytesStreamOutput.writeByteArray(bArr);
                String encodeToString = Base64.getEncoder().encodeToString(bytesStreamOutput.bytes().toBytesRef().bytes);
                bytesStreamOutput.close();
                return encodeToString;
            } finally {
            }
        }
        bytesStreamOutput = new BytesStreamOutput(26);
        try {
            bytesStreamOutput.setTransportVersion(transportVersion);
            TransportVersion.writeVersion(transportVersion, bytesStreamOutput);
            bytesStreamOutput.writeString(Base64.getUrlEncoder().withoutPadding().encodeToString(bArr));
            String encodeToString2 = Base64.getEncoder().encodeToString(bytesStreamOutput.bytes().toBytesRef().bytes);
            bytesStreamOutput.close();
            return encodeToString2;
        } finally {
        }
    }

    private static void ensureEncryptionCiphersSupported() throws NoSuchPaddingException, NoSuchAlgorithmException {
        Cipher.getInstance(ENCRYPTION_CIPHER);
        SecretKeyFactory.getInstance(KDF_ALGORITHM);
    }

    Cipher getEncryptionCipher(byte[] bArr, KeyAndCache keyAndCache, TransportVersion transportVersion) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        BytesKey salt = keyAndCache.getSalt();
        try {
            cipher.init(1, keyAndCache.getOrComputeKey(salt), new GCMParameterSpec(128, bArr), this.secureRandom);
            cipher.updateAAD(ByteBuffer.allocate(VERSION_BYTES).putInt(transportVersion.id()).array());
            cipher.updateAAD(salt.bytes);
            return cipher;
        } catch (ExecutionException e) {
            throw new ElasticsearchSecurityException("Failed to compute secret key for active salt", e, new Object[0]);
        }
    }

    Cipher getEncryptionCipher(byte[] bArr, String str, byte[] bArr2) throws GeneralSecurityException {
        SecretKey computeSecretKey = computeSecretKey(str.toCharArray(), bArr2, TOKENS_ENCRYPTION_KEY_ITERATIONS);
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        cipher.init(1, computeSecretKey, new GCMParameterSpec(128, bArr), this.secureRandom);
        cipher.updateAAD(bArr2);
        return cipher;
    }

    private void getKeyAsync(BytesKey bytesKey, KeyAndCache keyAndCache, ActionListener<SecretKey> actionListener) {
        SecretKey key = keyAndCache.getKey(bytesKey);
        if (key != null) {
            actionListener.onResponse(key);
        } else {
            this.client.threadPool().executor(THREAD_POOL_NAME).submit((Runnable) new KeyComputingRunnable(bytesKey, keyAndCache, actionListener));
        }
    }

    private static String decryptTokenId(byte[] bArr, Cipher cipher, TransportVersion transportVersion) throws IOException {
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        try {
            CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, cipher);
            try {
                InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(cipherInputStream);
                try {
                    inputStreamStreamInput.setTransportVersion(transportVersion);
                    String readString = inputStreamStreamInput.readString();
                    inputStreamStreamInput.close();
                    cipherInputStream.close();
                    byteArrayInputStream.close();
                    return readString;
                } catch (Throwable th) {
                    try {
                        inputStreamStreamInput.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Throwable th3) {
            try {
                byteArrayInputStream.close();
            } catch (Throwable th4) {
                th3.addSuppressed(th4);
            }
            throw th3;
        }
    }

    private Cipher getDecryptionCipher(byte[] bArr, SecretKey secretKey, TransportVersion transportVersion, BytesKey bytesKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        cipher.init(2, secretKey, new GCMParameterSpec(128, bArr), this.secureRandom);
        cipher.updateAAD(ByteBuffer.allocate(VERSION_BYTES).putInt(transportVersion.id()).array());
        cipher.updateAAD(bytesKey.bytes);
        return cipher;
    }

    private Cipher getDecryptionCipher(byte[] bArr, String str, byte[] bArr2) throws GeneralSecurityException {
        SecretKey computeSecretKey = computeSecretKey(str.toCharArray(), bArr2, TOKENS_ENCRYPTION_KEY_ITERATIONS);
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        cipher.init(2, computeSecretKey, new GCMParameterSpec(128, bArr), this.secureRandom);
        cipher.updateAAD(bArr2);
        return cipher;
    }

    public Tuple<byte[], byte[]> getRandomTokenBytes(boolean z) {
        return getRandomTokenBytes(getTokenVersionCompatibility(), z);
    }

    Tuple<byte[], byte[]> getRandomTokenBytes(TransportVersion transportVersion, boolean z) {
        if (!transportVersion.onOrAfter(VERSION_GET_TOKEN_DOC_FOR_REFRESH)) {
            return z ? new Tuple<>(getRandomBytes(RAW_TOKEN_BYTES_LENGTH), getRandomBytes(RAW_TOKEN_BYTES_LENGTH)) : new Tuple<>(getRandomBytes(RAW_TOKEN_BYTES_LENGTH), (Object) null);
        }
        byte[] randomBytes = getRandomBytes(RAW_TOKEN_BYTES_TOTAL_LENGTH);
        if (!z) {
            return new Tuple<>(randomBytes, (Object) null);
        }
        byte[] bArr = new byte[RAW_TOKEN_BYTES_TOTAL_LENGTH];
        System.arraycopy(getRandomBytes(RAW_TOKEN_BYTES_LENGTH), 0, bArr, 0, RAW_TOKEN_BYTES_LENGTH);
        System.arraycopy(randomBytes, RAW_TOKEN_BYTES_LENGTH, bArr, RAW_TOKEN_BYTES_LENGTH, RAW_TOKEN_DOC_ID_BYTES_LENGTH);
        return new Tuple<>(randomBytes, bArr);
    }

    byte[] getRandomBytes(int i) {
        byte[] bArr = new byte[i];
        this.secureRandom.nextBytes(bArr);
        return bArr;
    }

    static SecretKey computeSecretKey(char[] cArr, byte[] bArr, int i) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return new SecretKeySpec(SecretKeyFactory.getInstance(KDF_ALGORITHM).generateSecret(new PBEKeySpec(cArr, bArr, i, 128)).getEncoded(), "AES");
    }

    private static ElasticsearchSecurityException expiredTokenException() {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("token expired", RestStatus.UNAUTHORIZED, new Object[0]);
        elasticsearchSecurityException.addHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE, new String[]{EXPIRED_TOKEN_WWW_AUTH_VALUE});
        return elasticsearchSecurityException;
    }

    private static ElasticsearchSecurityException invalidGrantException(String str) {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("invalid_grant", RestStatus.BAD_REQUEST, new Object[0]);
        elasticsearchSecurityException.addHeader("error_description", new String[]{str});
        return elasticsearchSecurityException;
    }

    private static ElasticsearchSecurityException unableToPerformAction(@Nullable Throwable th) {
        return new ElasticsearchSecurityException("unable to perform requested action", RestStatus.SERVICE_UNAVAILABLE, th, new Object[0]);
    }

    private static <E extends Throwable> E traceLog(String str, String str2, E e) {
        if (logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    logger.trace(() -> {
                        return Strings.format("Failure in [%s] for id [%s] - [%s]", new Object[]{str, str2, header});
                    }, elasticsearchException);
                } else {
                    logger.trace(() -> {
                        return Strings.format("Failure in [%s] for id [%s]", new Object[]{str, str2});
                    }, elasticsearchException);
                }
            } else {
                logger.trace(() -> {
                    return Strings.format("Failure in [%s] for id [%s]", new Object[]{str, str2});
                }, e);
            }
        }
        return e;
    }

    private static <E extends Throwable> E traceLog(String str, E e) {
        if (logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    logger.trace(() -> {
                        return Strings.format("Failure in [%s] - [%s]", new Object[]{str, header});
                    }, elasticsearchException);
                } else {
                    logger.trace(() -> {
                        return "Failure in [" + str + "]";
                    }, elasticsearchException);
                }
            } else {
                logger.trace(() -> {
                    return "Failure in [" + str + "]";
                }, e);
            }
        }
        return e;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isExpiredTokenException(ElasticsearchSecurityException elasticsearchSecurityException) {
        List header = elasticsearchSecurityException.getHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE);
        if (header != null) {
            Stream stream = header.stream();
            String str = EXPIRED_TOKEN_WWW_AUTH_VALUE;
            Objects.requireNonNull(str);
            if (stream.anyMatch((v1) -> {
                return r1.equals(v1);
            })) {
                return true;
            }
        }
        return false;
    }

    boolean isExpirationInProgress() {
        return this.expiredTokenRemover.isExpirationInProgress();
    }

    public synchronized TokenMetadata getTokenMetadata() {
        return newTokenMetadata(this.keyCache.currentTokenKeyHash, this.keyCache.cache.values());
    }

    private static TokenMetadata newTokenMetadata(BytesKey bytesKey, Iterable<KeyAndCache> iterable) {
        ArrayList arrayList = new ArrayList();
        Iterator<KeyAndCache> it = iterable.iterator();
        while (it.hasNext()) {
            arrayList.add(it.next().keyAndTimestamp);
        }
        return new TokenMetadata(arrayList, bytesKey.bytes);
    }

    synchronized void refreshMetadata(TokenMetadata tokenMetadata) {
        BytesKey bytesKey = new BytesKey(tokenMetadata.getCurrentKeyHash());
        byte[] bArr = new byte[SALT_BYTES];
        Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(tokenMetadata.getKeys().size());
        long j = this.createdTimeStamps.get();
        for (KeyAndTimestamp keyAndTimestamp : tokenMetadata.getKeys()) {
            this.secureRandom.nextBytes(bArr);
            KeyAndCache keyAndCache = new KeyAndCache(keyAndTimestamp, new BytesKey(bArr));
            j = Math.max(keyAndCache.keyAndTimestamp.getTimestamp(), j);
            if (this.keyCache.cache.containsKey(keyAndCache.getKeyHash())) {
                newMapWithExpectedSize.put(keyAndCache.getKeyHash(), this.keyCache.get(keyAndCache.getKeyHash()));
            } else {
                newMapWithExpectedSize.put(keyAndCache.getKeyHash(), keyAndCache);
            }
        }
        if (!newMapWithExpectedSize.containsKey(bytesKey)) {
            throw new IllegalStateException("Current key is not in the map: " + newMapWithExpectedSize.keySet() + " key: " + bytesKey);
        }
        this.createdTimeStamps.set(j);
        this.keyCache = new TokenKeys(Collections.unmodifiableMap(newMapWithExpectedSize), bytesKey);
        logger.debug(() -> {
            return Strings.format("refreshed keys current: %s, keys: %s", new Object[]{bytesKey, this.keyCache.cache.keySet()});
        });
    }

    private SecureString generateTokenKey() {
        byte[] bArr = new byte[KEY_BYTES];
        byte[] bArr2 = new byte[0];
        char[] cArr = new char[0];
        try {
            this.secureRandom.nextBytes(bArr);
            bArr2 = Base64.getUrlEncoder().withoutPadding().encode(bArr);
            cArr = new char[bArr2.length];
            SecureString secureString = new SecureString(Arrays.copyOfRange(cArr, 0, UnicodeUtil.UTF8toUTF16(bArr2, 0, bArr2.length, cArr)));
            Arrays.fill(bArr, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(cArr, (char) 0);
            return secureString;
        } catch (Throwable th) {
            Arrays.fill(bArr, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(cArr, (char) 0);
            throw th;
        }
    }

    @SuppressForbidden(reason = "legacy usage of unbatched task")
    private void submitUnbatchedTask(String str, ClusterStateUpdateTask clusterStateUpdateTask) {
        this.clusterService.submitUnbatchedStateUpdateTask(str, clusterStateUpdateTask);
    }

    private void initialize(ClusterService clusterService) {
        clusterService.addListener(clusterChangedEvent -> {
            ClusterState state = clusterChangedEvent.state();
            if (state.getBlocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
                return;
            }
            if (state.nodes().isLocalNodeElectedMaster()) {
                if (XPackPlugin.isReadyForXPackCustomMetadata(state)) {
                    installTokenMetadata(state);
                } else {
                    logger.debug("cannot add token metadata to cluster as the following nodes might not understand the metadata: {}", new org.apache.logging.log4j.util.Supplier[]{() -> {
                        return XPackPlugin.nodesNotReadyForXPackCustomMetadata(state);
                    }});
                }
            }
            TokenMetadata tokenMetadata = (TokenMetadata) clusterChangedEvent.state().custom("security_tokens");
            if (tokenMetadata == null || tokenMetadata.equals(getTokenMetadata())) {
                return;
            }
            logger.info("refresh keys");
            try {
                refreshMetadata(tokenMetadata);
            } catch (Exception e) {
                logger.warn("refreshing metadata failed", e);
            }
            logger.info("refreshed keys");
        });
    }

    private void installTokenMetadata(ClusterState clusterState) {
        if (clusterState.custom("security_tokens") == null && this.installTokenMetadataInProgress.compareAndSet(false, true)) {
            submitUnbatchedTask("install-token-metadata", new ClusterStateUpdateTask(Priority.URGENT) { // from class: org.elasticsearch.xpack.security.authc.TokenService.3
                public ClusterState execute(ClusterState clusterState2) {
                    XPackPlugin.checkReadyForXPackCustomMetadata(clusterState2);
                    return clusterState2.custom("security_tokens") == null ? ClusterState.builder(clusterState2).putCustom("security_tokens", TokenService.this.getTokenMetadata()).build() : clusterState2;
                }

                public void onFailure(Exception exc) {
                    TokenService.this.installTokenMetadataInProgress.set(false);
                    TokenService.logger.error("unable to install token metadata", exc);
                }

                public void clusterStateProcessed(ClusterState clusterState2, ClusterState clusterState3) {
                    TokenService.this.installTokenMetadataInProgress.set(false);
                }
            });
        }
    }

    void clearActiveKeyCache() {
        this.keyCache.activeKeyCache.keyCache.invalidateAll();
    }

    static {
        $assertionsDisabled = !TokenService.class.desiredAssertionStatus();
        EXPIRED_TOKEN_WWW_AUTH_VALUE = String.format(Locale.ROOT, "Bearer realm=\"%s\", error=\"invalid_token\", error_description=\"The access token expired\"", "security");
        DEFAULT_BACKOFF = BackoffPolicy.exponentialBackoff();
        TOKEN_EXPIRATION = Setting.timeSetting("xpack.security.authc.token.timeout", TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), TimeValue.timeValueHours(1L), new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.token.delete.interval", TimeValue.timeValueMinutes(30L), new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.token.delete.timeout", TimeValue.MINUS_ONE, new Setting.Property[]{Setting.Property.NodeScope});
        LEGACY_MINIMUM_BASE64_BYTES = Double.valueOf(Math.ceil(65.0d)).intValue();
        MINIMUM_BASE64_BYTES = Double.valueOf(Math.ceil(36.0d)).intValue();
        VERSION_HASHED_TOKENS = TransportVersions.V_7_2_0;
        VERSION_TOKENS_INDEX_INTRODUCED = TransportVersions.V_7_2_0;
        VERSION_ACCESS_TOKENS_AS_UUIDS = TransportVersions.V_7_2_0;
        VERSION_MULTIPLE_CONCURRENT_REFRESHES = TransportVersions.V_7_2_0;
        VERSION_CLIENT_AUTH_FOR_REFRESH = TransportVersions.V_8_2_0;
        VERSION_GET_TOKEN_DOC_FOR_REFRESH = TransportVersions.V_8_500_040;
        logger = LogManager.getLogger(TokenService.class);
    }
}
