package org.elasticsearch.xpack.security.authc;

import java.io.Closeable;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.MessageDigest;
import java.time.Clock;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.LongAdder;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceNotFoundException;
import org.elasticsearch.TransportVersion;
import org.elasticsearch.TransportVersions;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.action.ActionType;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.bulk.BulkItemResponse;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkRequestBuilder;
import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.action.bulk.TransportBulkAction;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.TransportSearchAction;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.cache.RemovalListener;
import org.elasticsearch.common.cache.RemovalNotification;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.logging.HeaderWarning;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.EsRejectedExecutionException;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
import org.elasticsearch.common.xcontent.ObjectParserHelper;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.search.aggregations.InternalAggregations;
import org.elasticsearch.telemetry.metric.MeterRegistry;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.RemoteClusterPortSettings;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.DeprecationHandler;
import org.elasticsearch.xcontent.InstantiatingObjectParser;
import org.elasticsearch.xcontent.ObjectParser;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentLocation;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentParserConfiguration;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheAction;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheRequest;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheResponse;
import org.elasticsearch.xpack.core.security.action.apikey.AbstractCreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.ApiKey;
import org.elasticsearch.xpack.core.security.action.apikey.BaseBulkUpdateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.BaseUpdateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.BulkUpdateApiKeyResponse;
import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyResponse;
import org.elasticsearch.xpack.core.security.action.apikey.InvalidateApiKeyResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.RealmDomain;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.authz.permission.RemoteClusterPermissions;
import org.elasticsearch.xpack.core.security.authz.privilege.ClusterPrivilegeResolver;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivilege;
import org.elasticsearch.xpack.core.security.authz.privilege.ConfigurableClusterPrivileges;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
import org.elasticsearch.xpack.core.security.support.MetadataUtils;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.metric.SecurityCacheMetrics;
import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry;
import org.elasticsearch.xpack.security.support.FeatureNotEnabledException;
import org.elasticsearch.xpack.security.support.FieldNameTranslators;
import org.elasticsearch.xpack.security.support.LockingAtomicCounter;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService.class */
public class ApiKeyService implements Closeable {
    private static final Logger logger;
    private static final DeprecationLogger deprecationLogger;
    public static final Setting<String> PASSWORD_HASHING_ALGORITHM;
    public static final Setting<TimeValue> DELETE_TIMEOUT;
    public static final Setting<TimeValue> DELETE_INTERVAL;
    public static final Setting<TimeValue> DELETE_RETENTION_PERIOD;
    public static final Setting<String> CACHE_HASH_ALGO_SETTING;
    public static final Setting<TimeValue> CACHE_TTL_SETTING;
    public static final Setting<Integer> CACHE_MAX_KEYS_SETTING;
    public static final Setting<TimeValue> DOC_CACHE_TTL_SETTING;
    private static final RoleDescriptor.Parser ROLE_DESCRIPTOR_PARSER;
    private final Clock clock;
    private final Client client;
    private final SecurityIndexManager securityIndex;
    private final ClusterService clusterService;
    private final Hasher hasher;
    private final boolean enabled;
    private final Settings settings;
    private final InactiveApiKeysRemover inactiveApiKeysRemover;
    private final Cache<String, ListenableFuture<CachedApiKeyHashResult>> apiKeyAuthCache;
    private final Hasher cacheHasher;
    private final ThreadPool threadPool;
    private final ApiKeyDocCache apiKeyDocCache;
    private static final int API_KEY_SECRET_LENGTH = 22;
    private static final long EVICTION_MONITOR_INTERVAL_SECONDS = 300;
    private static final long EVICTION_MONITOR_INTERVAL_NANOS = 300000000000L;
    private static final long EVICTION_WARNING_THRESHOLD = 4500;
    private final AtomicLong lastEvictionCheckedAt = new AtomicLong(0);
    private final LongAdder evictionCounter = new LongAdder();
    private final List<AutoCloseable> cacheMetrics;
    static final RoleDescriptor LEGACY_SUPERUSER_ROLE_DESCRIPTOR;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyCredentials.class */
    public static final class ApiKeyCredentials implements AuthenticationToken, Closeable {
        private final String id;
        private final SecureString key;
        private final ApiKey.Type expectedType;

        public ApiKeyCredentials(String str, SecureString secureString, ApiKey.Type type) {
            this.id = str;
            this.key = secureString;
            this.expectedType = type;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public String getId() {
            return this.id;
        }

        SecureString getKey() {
            return this.key;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
            this.key.close();
        }

        public String principal() {
            return this.id;
        }

        public Object credentials() {
            return this.key;
        }

        public void clearCredentials() {
            close();
        }

        public ApiKey.Type getExpectedType() {
            return this.expectedType;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDoc.class */
    public static final class ApiKeyDoc {
        private static final BytesReference NULL_BYTES = new BytesArray("null");
        static final InstantiatingObjectParser<ApiKeyDoc, Void> PARSER;
        final String docType;
        final ApiKey.Type type;
        final long creationTime;
        final long expirationTime;
        final Boolean invalidated;
        final long invalidation;
        final String hash;

        @Nullable
        final String name;
        final int version;
        final BytesReference roleDescriptorsBytes;
        final BytesReference limitedByRoleDescriptorsBytes;
        final Map<String, Object> creator;

        @Nullable
        final BytesReference metadataFlattened;

        public ApiKeyDoc(String str, ApiKey.Type type, long j, long j2, Boolean bool, @Nullable Long l, String str2, @Nullable String str3, int i, BytesReference bytesReference, BytesReference bytesReference2, Map<String, Object> map, @Nullable BytesReference bytesReference3) {
            this.docType = str;
            if (type == null) {
                ApiKeyService.logger.trace("API key document with [null] type defaults to [rest] type");
                this.type = ApiKey.Type.REST;
            } else {
                this.type = type;
            }
            this.creationTime = j;
            this.expirationTime = j2;
            this.invalidated = bool;
            this.invalidation = l == null ? -1L : l.longValue();
            this.hash = str2;
            this.name = str3;
            this.version = i;
            this.roleDescriptorsBytes = bytesReference;
            this.limitedByRoleDescriptorsBytes = bytesReference2;
            this.creator = map;
            this.metadataFlattened = NULL_BYTES.equals(bytesReference3) ? null : bytesReference3;
        }

        public CachedApiKeyDoc toCachedApiKeyDoc() {
            MessageDigest sha256 = MessageDigests.sha256();
            String hexString = MessageDigests.toHexString(MessageDigests.digest(this.roleDescriptorsBytes, sha256));
            sha256.reset();
            return new CachedApiKeyDoc(this.type, this.creationTime, this.expirationTime, this.invalidated, this.invalidation, this.hash, this.name, this.version, this.creator, hexString, MessageDigests.toHexString(MessageDigests.digest(this.limitedByRoleDescriptorsBytes, sha256)), this.metadataFlattened);
        }

        static ApiKeyDoc fromXContent(XContentParser xContentParser) {
            return (ApiKeyDoc) PARSER.apply(xContentParser, (Object) null);
        }

        static {
            InstantiatingObjectParser.Builder builder = InstantiatingObjectParser.builder("api_key_doc", true, ApiKeyDoc.class);
            builder.declareString(ConstructingObjectParser.constructorArg(), new ParseField("doc_type", new String[0]));
            builder.declareField(ConstructingObjectParser.optionalConstructorArg(), ApiKey.Type::fromXContent, new ParseField(LoggingAuditTrail.LOG_TYPE, new String[0]), ObjectParser.ValueType.STRING);
            builder.declareLong(ConstructingObjectParser.constructorArg(), new ParseField("creation_time", new String[0]));
            builder.declareLongOrNull(ConstructingObjectParser.constructorArg(), -1L, new ParseField("expiration_time", new String[0]));
            builder.declareBoolean(ConstructingObjectParser.constructorArg(), new ParseField("api_key_invalidated", new String[0]));
            builder.declareLong(ConstructingObjectParser.optionalConstructorArg(), new ParseField("invalidation_time", new String[0]));
            builder.declareString(ConstructingObjectParser.constructorArg(), new ParseField("api_key_hash", new String[0]));
            builder.declareStringOrNull(ConstructingObjectParser.optionalConstructorArg(), new ParseField("name", new String[0]));
            builder.declareInt(ConstructingObjectParser.constructorArg(), new ParseField("version", new String[0]));
            ObjectParserHelper.declareRawObject(builder, ConstructingObjectParser.constructorArg(), new ParseField("role_descriptors", new String[0]));
            ObjectParserHelper.declareRawObject(builder, ConstructingObjectParser.constructorArg(), new ParseField("limited_by_role_descriptors", new String[0]));
            builder.declareObject(ConstructingObjectParser.constructorArg(), (xContentParser, r3) -> {
                return xContentParser.map();
            }, new ParseField("creator", new String[0]));
            ObjectParserHelper.declareRawObjectOrNull(builder, ConstructingObjectParser.optionalConstructorArg(), new ParseField(FieldNameTranslators.FLATTENED_METADATA_INDEX_FIELD_NAME, new String[0]));
            PARSER = builder.build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDocCache.class */
    public static final class ApiKeyDocCache {
        private final Cache<String, CachedApiKeyDoc> docCache;
        private final Cache<String, BytesReference> roleDescriptorsBytesCache;
        private final LockingAtomicCounter lockingAtomicCounter = new LockingAtomicCounter();

        ApiKeyDocCache(TimeValue timeValue, int i) {
            this.docCache = CacheBuilder.builder().setMaximumWeight(i).setExpireAfterWrite(timeValue).build();
            this.roleDescriptorsBytesCache = CacheBuilder.builder().setExpireAfterAccess(TimeValue.timeValueHours(1L)).setMaximumWeight(i * 2).build();
        }

        public ApiKeyDoc get(String str) {
            CachedApiKeyDoc cachedApiKeyDoc = (CachedApiKeyDoc) this.docCache.get(str);
            if (cachedApiKeyDoc == null) {
                return null;
            }
            BytesReference bytesReference = (BytesReference) this.roleDescriptorsBytesCache.get(cachedApiKeyDoc.roleDescriptorsHash);
            BytesReference bytesReference2 = (BytesReference) this.roleDescriptorsBytesCache.get(cachedApiKeyDoc.limitedByRoleDescriptorsHash);
            if (bytesReference == null || bytesReference2 == null) {
                return null;
            }
            return cachedApiKeyDoc.toApiKeyDoc(bytesReference, bytesReference2);
        }

        public long getInvalidationCount() {
            return this.lockingAtomicCounter.get();
        }

        public void putIfNoInvalidationSince(String str, ApiKeyDoc apiKeyDoc, long j) {
            CachedApiKeyDoc cachedApiKeyDoc = apiKeyDoc.toCachedApiKeyDoc();
            this.lockingAtomicCounter.compareAndRun(j, () -> {
                this.docCache.put(str, cachedApiKeyDoc);
                try {
                    this.roleDescriptorsBytesCache.computeIfAbsent(cachedApiKeyDoc.roleDescriptorsHash, str2 -> {
                        return apiKeyDoc.roleDescriptorsBytes;
                    });
                    this.roleDescriptorsBytesCache.computeIfAbsent(cachedApiKeyDoc.limitedByRoleDescriptorsHash, str3 -> {
                        return apiKeyDoc.limitedByRoleDescriptorsBytes;
                    });
                } catch (ExecutionException e) {
                    throw new RuntimeException(e);
                }
            });
        }

        public void invalidate(Collection<String> collection) {
            this.lockingAtomicCounter.increment();
            ApiKeyService.logger.debug("Invalidating API key doc cache with ids: [{}]", Strings.collectionToCommaDelimitedString(collection));
            Cache<String, CachedApiKeyDoc> cache = this.docCache;
            Objects.requireNonNull(cache);
            collection.forEach((v1) -> {
                r1.invalidate(v1);
            });
        }

        public void invalidateAll() {
            this.lockingAtomicCounter.increment();
            ApiKeyService.logger.debug("Invalidating all API key doc cache and descriptor cache");
            this.docCache.invalidateAll();
            this.roleDescriptorsBytesCache.invalidateAll();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyLoggingDeprecationHandler.class */
    public static class ApiKeyLoggingDeprecationHandler implements DeprecationHandler {
        private final DeprecationLogger deprecationLogger;
        private final String apiKeyId;

        private ApiKeyLoggingDeprecationHandler(DeprecationLogger deprecationLogger, String str) {
            this.deprecationLogger = deprecationLogger;
            this.apiKeyId = str;
        }

        public void logRenamedField(String str, Supplier<XContentLocation> supplier, String str2, String str3) {
            this.deprecationLogger.warn(DeprecationCategory.API, "api_key_field", "{}Deprecated field [{}] used in api key [{}], expected [{}] instead", new Object[]{str == null ? "" : "[" + str + "][" + supplier.get() + "] ", str2, this.apiKeyId, str3});
        }

        public void logReplacedField(String str, Supplier<XContentLocation> supplier, String str2, String str3) {
            this.deprecationLogger.warn(DeprecationCategory.API, "api_key_field", "{}Deprecated field [{}] used in api key [{}], replaced by [{}]", new Object[]{str == null ? "" : "[" + str + "][" + supplier.get() + "] ", str2, this.apiKeyId, str3});
        }

        public void logRemovedField(String str, Supplier<XContentLocation> supplier, String str2) {
            this.deprecationLogger.warn(DeprecationCategory.API, "api_key_field", "{}Deprecated field [{}] used in api key [{}], which is unused and will be removed entirely", new Object[]{str == null ? "" : "[" + str + "][" + supplier.get() + "] ", str2, this.apiKeyId});
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$CachedApiKeyDoc.class */
    public static final class CachedApiKeyDoc {
        final ApiKey.Type type;
        final long creationTime;
        final long expirationTime;
        final Boolean invalidated;
        final long invalidation;
        final String hash;
        final String name;
        final int version;
        final Map<String, Object> creator;
        final String roleDescriptorsHash;
        final String limitedByRoleDescriptorsHash;

        @Nullable
        final BytesReference metadataFlattened;

        public CachedApiKeyDoc(ApiKey.Type type, long j, long j2, Boolean bool, long j3, String str, String str2, int i, Map<String, Object> map, String str3, String str4, @Nullable BytesReference bytesReference) {
            this.type = type;
            this.creationTime = j;
            this.expirationTime = j2;
            this.invalidated = bool;
            this.invalidation = j3;
            this.hash = str;
            this.name = str2;
            this.version = i;
            this.creator = map;
            this.roleDescriptorsHash = str3;
            this.limitedByRoleDescriptorsHash = str4;
            this.metadataFlattened = bytesReference;
        }

        public ApiKeyDoc toApiKeyDoc(BytesReference bytesReference, BytesReference bytesReference2) {
            return new ApiKeyDoc("api_key", this.type, this.creationTime, this.expirationTime, this.invalidated, Long.valueOf(this.invalidation), this.hash, this.name, this.version, bytesReference, bytesReference2, this.creator, this.metadataFlattened);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$CachedApiKeyHashResult.class */
    public final class CachedApiKeyHashResult {
        final boolean success;
        final char[] hash;

        CachedApiKeyHashResult(boolean z, SecureString secureString) {
            this.success = z;
            this.hash = ApiKeyService.this.cacheHasher.hash(secureString);
        }

        boolean verify(SecureString secureString) {
            return this.hash != null && ApiKeyService.this.cacheHasher.verify(secureString, this.hash);
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult.class */
    public static final class QueryApiKeysResult extends Record {
        private final long total;
        private final Collection<ApiKey> apiKeyInfos;
        private final Collection<Object[]> sortValues;

        @Nullable
        private final InternalAggregations aggregations;
        static final QueryApiKeysResult EMPTY = new QueryApiKeysResult(0, List.of(), List.of(), null);

        public QueryApiKeysResult(long j, Collection<ApiKey> collection, Collection<Object[]> collection2, @Nullable InternalAggregations internalAggregations) {
            this.total = j;
            this.apiKeyInfos = collection;
            this.sortValues = collection2;
            this.aggregations = internalAggregations;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, QueryApiKeysResult.class), QueryApiKeysResult.class, "total;apiKeyInfos;sortValues;aggregations", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->total:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->apiKeyInfos:Ljava/util/Collection;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->sortValues:Ljava/util/Collection;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->aggregations:Lorg/elasticsearch/search/aggregations/InternalAggregations;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, QueryApiKeysResult.class), QueryApiKeysResult.class, "total;apiKeyInfos;sortValues;aggregations", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->total:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->apiKeyInfos:Ljava/util/Collection;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->sortValues:Ljava/util/Collection;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->aggregations:Lorg/elasticsearch/search/aggregations/InternalAggregations;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, QueryApiKeysResult.class, Object.class), QueryApiKeysResult.class, "total;apiKeyInfos;sortValues;aggregations", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->total:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->apiKeyInfos:Ljava/util/Collection;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->sortValues:Ljava/util/Collection;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$QueryApiKeysResult;->aggregations:Lorg/elasticsearch/search/aggregations/InternalAggregations;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public long total() {
            return this.total;
        }

        public Collection<ApiKey> apiKeyInfos() {
            return this.apiKeyInfos;
        }

        public Collection<Object[]> sortValues() {
            return this.sortValues;
        }

        @Nullable
        public InternalAggregations aggregations() {
            return this.aggregations;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc.class */
    public static final class VersionedApiKeyDoc extends Record {
        private final ApiKeyDoc doc;
        private final String id;
        private final long seqNo;
        private final long primaryTerm;

        private VersionedApiKeyDoc(ApiKeyDoc apiKeyDoc, String str, long j, long j2) {
            this.doc = apiKeyDoc;
            this.id = str;
            this.seqNo = j;
            this.primaryTerm = j2;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, VersionedApiKeyDoc.class), VersionedApiKeyDoc.class, "doc;id;seqNo;primaryTerm", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->doc:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDoc;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->id:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->seqNo:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->primaryTerm:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, VersionedApiKeyDoc.class), VersionedApiKeyDoc.class, "doc;id;seqNo;primaryTerm", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->doc:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDoc;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->id:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->seqNo:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->primaryTerm:J").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, VersionedApiKeyDoc.class, Object.class), VersionedApiKeyDoc.class, "doc;id;seqNo;primaryTerm", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->doc:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDoc;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->id:Ljava/lang/String;", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->seqNo:J", "FIELD:Lorg/elasticsearch/xpack/security/authc/ApiKeyService$VersionedApiKeyDoc;->primaryTerm:J").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public ApiKeyDoc doc() {
            return this.doc;
        }

        public String id() {
            return this.id;
        }

        public long seqNo() {
            return this.seqNo;
        }

        public long primaryTerm() {
            return this.primaryTerm;
        }
    }

    public ApiKeyService(Settings settings, Clock clock, Client client, SecurityIndexManager securityIndexManager, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry, ThreadPool threadPool, MeterRegistry meterRegistry) {
        this.clock = clock;
        this.client = client;
        this.securityIndex = securityIndexManager;
        this.clusterService = clusterService;
        this.enabled = ((Boolean) XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.get(settings)).booleanValue();
        this.hasher = Hasher.resolve((String) PASSWORD_HASHING_ALGORITHM.get(settings));
        this.settings = settings;
        this.inactiveApiKeysRemover = new InactiveApiKeysRemover(settings, client, clusterService);
        this.threadPool = threadPool;
        this.cacheHasher = Hasher.resolve((String) CACHE_HASH_ALGO_SETTING.get(settings));
        TimeValue timeValue = (TimeValue) CACHE_TTL_SETTING.get(settings);
        int intValue = ((Integer) CACHE_MAX_KEYS_SETTING.get(settings)).intValue();
        if (timeValue.getNanos() > 0) {
            this.apiKeyAuthCache = CacheBuilder.builder().setExpireAfterAccess(timeValue).setMaximumWeight(intValue).removalListener(getAuthCacheRemovalListener(intValue)).build();
            TimeValue timeValue2 = (TimeValue) DOC_CACHE_TTL_SETTING.get(settings);
            this.apiKeyDocCache = timeValue2.getNanos() == 0 ? null : new ApiKeyDocCache(timeValue2, intValue);
            cacheInvalidatorRegistry.registerCacheInvalidator("api_key", new CacheInvalidatorRegistry.CacheInvalidator() { // from class: org.elasticsearch.xpack.security.authc.ApiKeyService.1
                @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
                public void invalidate(Collection<String> collection) {
                    if (ApiKeyService.this.apiKeyDocCache != null) {
                        ApiKeyService.this.apiKeyDocCache.invalidate(collection);
                    }
                    Cache<String, ListenableFuture<CachedApiKeyHashResult>> cache = ApiKeyService.this.apiKeyAuthCache;
                    Objects.requireNonNull(cache);
                    collection.forEach((v1) -> {
                        r1.invalidate(v1);
                    });
                }

                @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
                public void invalidateAll() {
                    if (ApiKeyService.this.apiKeyDocCache != null) {
                        ApiKeyService.this.apiKeyDocCache.invalidateAll();
                    }
                    ApiKeyService.this.apiKeyAuthCache.invalidateAll();
                }
            });
            cacheInvalidatorRegistry.registerCacheInvalidator("api_key_doc", new CacheInvalidatorRegistry.CacheInvalidator() { // from class: org.elasticsearch.xpack.security.authc.ApiKeyService.2
                @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
                public void invalidate(Collection<String> collection) {
                    if (ApiKeyService.this.apiKeyDocCache != null) {
                        ApiKeyService.this.apiKeyDocCache.invalidate(collection);
                    }
                }

                @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
                public void invalidateAll() {
                    if (ApiKeyService.this.apiKeyDocCache != null) {
                        ApiKeyService.this.apiKeyDocCache.invalidateAll();
                    }
                }
            });
        } else {
            this.apiKeyAuthCache = null;
            this.apiKeyDocCache = null;
        }
        if (!this.enabled) {
            this.cacheMetrics = List.of();
            return;
        }
        ArrayList arrayList = new ArrayList();
        if (this.apiKeyAuthCache != null) {
            arrayList.addAll(SecurityCacheMetrics.registerAsyncCacheMetrics(meterRegistry, this.apiKeyAuthCache, SecurityCacheMetrics.CacheType.API_KEY_AUTH_CACHE));
        }
        if (this.apiKeyDocCache != null) {
            arrayList.addAll(SecurityCacheMetrics.registerAsyncCacheMetrics(meterRegistry, this.apiKeyDocCache.docCache, SecurityCacheMetrics.CacheType.API_KEY_DOCS_CACHE));
            arrayList.addAll(SecurityCacheMetrics.registerAsyncCacheMetrics(meterRegistry, this.apiKeyDocCache.roleDescriptorsBytesCache, SecurityCacheMetrics.CacheType.API_KEY_ROLE_DESCRIPTORS_CACHE));
        }
        this.cacheMetrics = List.copyOf(arrayList);
    }

    public void createApiKey(Authentication authentication, AbstractCreateApiKeyRequest abstractCreateApiKeyRequest, Set<RoleDescriptor> set, ActionListener<CreateApiKeyResponse> actionListener) {
        if (!$assertionsDisabled && abstractCreateApiKeyRequest.getType() == ApiKey.Type.CROSS_CLUSTER && false != authentication.isApiKey()) {
            throw new AssertionError("cannot create derived cross-cluster API keys (name=[" + abstractCreateApiKeyRequest.getName() + "], type=[" + abstractCreateApiKeyRequest.getType() + "], auth=[" + authentication + "])");
        }
        if (!$assertionsDisabled && abstractCreateApiKeyRequest.getType() == ApiKey.Type.CROSS_CLUSTER && !set.isEmpty()) {
            throw new AssertionError("owner user role descriptor must be empty for cross-cluster API keys (name=[" + abstractCreateApiKeyRequest.getName() + "], type=[" + abstractCreateApiKeyRequest.getType() + "], roles=[" + set + "])");
        }
        ensureEnabled();
        if (authentication == null) {
            actionListener.onFailure(new IllegalArgumentException("authentication must be provided"));
            return;
        }
        TransportVersion minTransportVersion = getMinTransportVersion();
        if (validateRoleDescriptorsForMixedCluster(actionListener, abstractCreateApiKeyRequest.getRoleDescriptors(), minTransportVersion)) {
            if (minTransportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY) && abstractCreateApiKeyRequest.getType() == ApiKey.Type.CROSS_CLUSTER) {
                actionListener.onFailure(new IllegalArgumentException("all nodes must have version [" + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY.toReleaseVersion() + "] or higher to support creating cross cluster API keys"));
                return;
            }
            IllegalArgumentException validateWorkflowsRestrictionConstraints = validateWorkflowsRestrictionConstraints(minTransportVersion, abstractCreateApiKeyRequest.getRoleDescriptors(), set);
            if (validateWorkflowsRestrictionConstraints != null) {
                actionListener.onFailure(validateWorkflowsRestrictionConstraints);
            } else {
                createApiKeyAndIndexIt(authentication, abstractCreateApiKeyRequest, filterRoleDescriptorsForMixedCluster(set, minTransportVersion, abstractCreateApiKeyRequest.getId()), actionListener);
            }
        }
    }

    private Set<RoleDescriptor> filterRoleDescriptorsForMixedCluster(Set<RoleDescriptor> set, TransportVersion transportVersion, String... strArr) {
        return maybeRemoveRemotePrivileges(removeUserRoleDescriptorDescriptions(set), transportVersion, strArr);
    }

    private boolean validateRoleDescriptorsForMixedCluster(ActionListener<?> actionListener, List<RoleDescriptor> list, TransportVersion transportVersion) {
        if (transportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY) && hasRemoteIndices(list)) {
            actionListener.onFailure(new IllegalArgumentException("all nodes must have version [" + RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY.toReleaseVersion() + "] or higher to support remote indices privileges for API keys"));
            return false;
        }
        if (transportVersion.before(RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS) && hasRemoteCluster(list)) {
            actionListener.onFailure(new IllegalArgumentException("all nodes must have version [" + RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS + "] or higher to support remote cluster privileges for API keys"));
            return false;
        }
        if (!transportVersion.before(TransportVersions.ADD_MANAGE_ROLES_PRIVILEGE) || !hasGlobalManageRolesPrivilege(list)) {
            return true;
        }
        actionListener.onFailure(new IllegalArgumentException("all nodes must have version [" + TransportVersions.ADD_MANAGE_ROLES_PRIVILEGE + "] or higher to support the manage roles privilege for API keys"));
        return false;
    }

    static Set<RoleDescriptor> removeUserRoleDescriptorDescriptions(Set<RoleDescriptor> set) {
        return (Set) set.stream().map(roleDescriptor -> {
            return roleDescriptor.hasDescription() ? new RoleDescriptor(roleDescriptor.getName(), roleDescriptor.getClusterPrivileges(), roleDescriptor.getIndicesPrivileges(), roleDescriptor.getApplicationPrivileges(), roleDescriptor.getConditionalClusterPrivileges(), roleDescriptor.getRunAs(), roleDescriptor.getMetadata(), roleDescriptor.getTransientMetadata(), roleDescriptor.getRemoteIndicesPrivileges(), roleDescriptor.getRemoteClusterPermissions(), roleDescriptor.getRestriction(), (String) null) : roleDescriptor;
        }).collect(Collectors.toSet());
    }

    private TransportVersion getMinTransportVersion() {
        return this.clusterService.state().getMinTransportVersion();
    }

    private static boolean hasRemoteIndices(Collection<RoleDescriptor> collection) {
        return collection != null && collection.stream().anyMatch((v0) -> {
            return v0.hasRemoteIndicesPrivileges();
        });
    }

    private static boolean hasRemoteCluster(Collection<RoleDescriptor> collection) {
        return collection != null && collection.stream().anyMatch((v0) -> {
            return v0.hasRemoteClusterPermissions();
        });
    }

    private static boolean hasGlobalManageRolesPrivilege(Collection<RoleDescriptor> collection) {
        return collection != null && collection.stream().flatMap(roleDescriptor -> {
            return Arrays.stream(roleDescriptor.getConditionalClusterPrivileges());
        }).anyMatch(configurableClusterPrivilege -> {
            return configurableClusterPrivilege instanceof ConfigurableClusterPrivileges.ManageRolesPrivilege;
        });
    }

    private static IllegalArgumentException validateWorkflowsRestrictionConstraints(TransportVersion transportVersion, List<RoleDescriptor> list, Set<RoleDescriptor> set) {
        if (getNumberOfRoleDescriptorsWithRestriction(set) > 0) {
            return new IllegalArgumentException("owner user role descriptors must not include restriction");
        }
        long numberOfRoleDescriptorsWithRestriction = getNumberOfRoleDescriptorsWithRestriction(list);
        if (numberOfRoleDescriptorsWithRestriction <= 0) {
            return null;
        }
        if (transportVersion.before(RoleDescriptor.WORKFLOWS_RESTRICTION_VERSION)) {
            return new IllegalArgumentException("all nodes must have version [" + RoleDescriptor.WORKFLOWS_RESTRICTION_VERSION.toReleaseVersion() + "] or higher to support restrictions for API keys");
        }
        if (numberOfRoleDescriptorsWithRestriction != 1) {
            return new IllegalArgumentException("more than one role descriptor with restriction is not supported");
        }
        if (numberOfRoleDescriptorsWithRestriction != list.size()) {
            return new IllegalArgumentException("combining role descriptors with and without restriction is not supported");
        }
        return null;
    }

    private static long getNumberOfRoleDescriptorsWithRestriction(Collection<RoleDescriptor> collection) {
        if (collection == null || collection.isEmpty()) {
            return 0L;
        }
        return collection.stream().filter((v0) -> {
            return v0.hasRestriction();
        }).count();
    }

    private void createApiKeyAndIndexIt(Authentication authentication, AbstractCreateApiKeyRequest abstractCreateApiKeyRequest, Set<RoleDescriptor> set, ActionListener<CreateApiKeyResponse> actionListener) {
        Instant instant = this.clock.instant();
        Instant apiKeyExpiration = getApiKeyExpiration(instant, abstractCreateApiKeyRequest.getExpiration());
        SecureString randomBase64UUIDSecureString = UUIDs.randomBase64UUIDSecureString();
        if (!$assertionsDisabled && ApiKey.Type.CROSS_CLUSTER == abstractCreateApiKeyRequest.getType() && API_KEY_SECRET_LENGTH != randomBase64UUIDSecureString.length()) {
            throw new AssertionError("Invalid API key (name=[" + abstractCreateApiKeyRequest.getName() + "], type=[" + abstractCreateApiKeyRequest.getType() + "], length=[" + randomBase64UUIDSecureString.length() + "])");
        }
        computeHashForApiKey(randomBase64UUIDSecureString, actionListener.delegateFailure((actionListener2, cArr) -> {
            try {
                try {
                    XContentBuilder newDocument = newDocument(cArr, abstractCreateApiKeyRequest.getName(), authentication, set, instant, apiKeyExpiration, abstractCreateApiKeyRequest.getRoleDescriptors(), abstractCreateApiKeyRequest.getType(), ApiKey.CURRENT_API_KEY_VERSION, abstractCreateApiKeyRequest.getMetadata());
                    try {
                        BulkRequestBuilder prepareBulk = this.client.prepareBulk();
                        prepareBulk.add(this.client.prepareIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS).setSource(newDocument).setId(abstractCreateApiKeyRequest.getId()).setOpType(DocWriteRequest.OpType.CREATE).request());
                        prepareBulk.setRefreshPolicy(abstractCreateApiKeyRequest.getRefreshPolicy());
                        BulkRequest request = prepareBulk.request();
                        SecurityIndexManager securityIndexManager = this.securityIndex;
                        Objects.requireNonNull(actionListener);
                        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
                            Client client = this.client;
                            ActionType actionType = TransportBulkAction.TYPE;
                            CheckedConsumer checkedConsumer = indexResponse -> {
                                if (!$assertionsDisabled && !abstractCreateApiKeyRequest.getId().equals(indexResponse.getId())) {
                                    throw new AssertionError("Mismatched API key (request=[" + abstractCreateApiKeyRequest.getId() + "](name=[" + abstractCreateApiKeyRequest.getName() + "]) index=[" + indexResponse.getId() + "])");
                                }
                                if (!$assertionsDisabled && indexResponse.getResult() != DocWriteResponse.Result.CREATED) {
                                    throw new AssertionError("Index response was [" + indexResponse.getResult() + "]");
                                }
                                ListenableFuture listenableFuture = new ListenableFuture();
                                listenableFuture.onResponse(new CachedApiKeyHashResult(true, randomBase64UUIDSecureString));
                                this.apiKeyAuthCache.put(abstractCreateApiKeyRequest.getId(), listenableFuture);
                                actionListener.onResponse(new CreateApiKeyResponse(abstractCreateApiKeyRequest.getName(), abstractCreateApiKeyRequest.getId(), randomBase64UUIDSecureString, apiKeyExpiration));
                            };
                            Objects.requireNonNull(actionListener);
                            ClientHelper.executeAsyncWithOrigin(client, "security", actionType, request, TransportBulkAction.unwrappingSingleItemBulkResponse(ActionListener.wrap(checkedConsumer, actionListener::onFailure)));
                        });
                        if (newDocument != null) {
                            newDocument.close();
                        }
                        Arrays.fill(cArr, (char) 0);
                    } catch (Throwable th) {
                        if (newDocument != null) {
                            try {
                                newDocument.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (IOException e) {
                    actionListener.onFailure(e);
                    Arrays.fill(cArr, (char) 0);
                }
            } catch (Throwable th3) {
                Arrays.fill(cArr, (char) 0);
                throw th3;
            }
        }));
    }

    public void updateApiKeys(Authentication authentication, BaseBulkUpdateApiKeyRequest baseBulkUpdateApiKeyRequest, Set<RoleDescriptor> set, ActionListener<BulkUpdateApiKeyResponse> actionListener) {
        if (!$assertionsDisabled && baseBulkUpdateApiKeyRequest.getType() == ApiKey.Type.CROSS_CLUSTER && !set.isEmpty()) {
            throw new AssertionError("owner user role descriptor must be empty for cross-cluster API keys (ids=[" + (baseBulkUpdateApiKeyRequest.getIds().size() <= 10 ? baseBulkUpdateApiKeyRequest.getIds() : baseBulkUpdateApiKeyRequest.getIds().size() + " including " + baseBulkUpdateApiKeyRequest.getIds().subList(0, 10)) + "], type=[" + baseBulkUpdateApiKeyRequest.getType() + "], roles=[" + set + "])");
        }
        ensureEnabled();
        if (authentication == null) {
            actionListener.onFailure(new IllegalArgumentException("authentication must be provided"));
            return;
        }
        if (authentication.isApiKey()) {
            actionListener.onFailure(new IllegalArgumentException("authentication via API key not supported: only the owner user can update an API key"));
            return;
        }
        TransportVersion minTransportVersion = getMinTransportVersion();
        if (validateRoleDescriptorsForMixedCluster(actionListener, baseBulkUpdateApiKeyRequest.getRoleDescriptors(), minTransportVersion)) {
            IllegalArgumentException validateWorkflowsRestrictionConstraints = validateWorkflowsRestrictionConstraints(minTransportVersion, baseBulkUpdateApiKeyRequest.getRoleDescriptors(), set);
            if (validateWorkflowsRestrictionConstraints != null) {
                actionListener.onFailure(validateWorkflowsRestrictionConstraints);
                return;
            }
            String[] strArr = (String[]) baseBulkUpdateApiKeyRequest.getIds().toArray(i -> {
                return new String[i];
            });
            if (logger.isDebugEnabled()) {
                logger.debug("Updating [{}] API keys", buildDelimitedStringWithLimit(10, strArr));
            }
            Set<RoleDescriptor> filterRoleDescriptorsForMixedCluster = filterRoleDescriptorsForMixedCluster(set, minTransportVersion, strArr);
            findVersionedApiKeyDocsForSubject(authentication, strArr, ActionListener.wrap(collection -> {
                updateApiKeys(authentication, baseBulkUpdateApiKeyRequest, filterRoleDescriptorsForMixedCluster, collection, actionListener);
            }, exc -> {
                actionListener.onFailure((Exception) traceLog("bulk update", exc));
            }));
        }
    }

    private void updateApiKeys(Authentication authentication, BaseBulkUpdateApiKeyRequest baseBulkUpdateApiKeyRequest, Set<RoleDescriptor> set, Collection<VersionedApiKeyDoc> collection, ActionListener<BulkUpdateApiKeyResponse> actionListener) {
        logger.trace("Found [{}] API keys of [{}] requested for update", Integer.valueOf(collection.size()), Integer.valueOf(baseBulkUpdateApiKeyRequest.getIds().size()));
        if (!$assertionsDisabled && collection.size() > baseBulkUpdateApiKeyRequest.getIds().size()) {
            throw new AssertionError("more docs were found for update than were requested. found [" + collection.size() + "] requested [" + baseBulkUpdateApiKeyRequest.getIds().size() + "]");
        }
        BulkUpdateApiKeyResponse.Builder builder = BulkUpdateApiKeyResponse.builder();
        BulkRequestBuilder prepareBulk = this.client.prepareBulk();
        for (VersionedApiKeyDoc versionedApiKeyDoc : collection) {
            String id = versionedApiKeyDoc.id();
            try {
                validateForUpdate(id, baseBulkUpdateApiKeyRequest.getType(), authentication, versionedApiKeyDoc.doc());
                IndexRequest maybeBuildIndexRequest = maybeBuildIndexRequest(versionedApiKeyDoc, authentication, baseBulkUpdateApiKeyRequest, set);
                if (maybeBuildIndexRequest == null) {
                    logger.debug("Detected noop update request for API key [{}]. Skipping index request", id);
                    builder.noop(id);
                } else {
                    prepareBulk.add(maybeBuildIndexRequest);
                }
            } catch (Exception e) {
                builder.error(id, (Exception) traceLog("prepare index request for update", e));
            }
        }
        addErrorsForNotFoundApiKeys(builder, collection, baseBulkUpdateApiKeyRequest.getIds());
        if (prepareBulk.numberOfActions() == 0) {
            logger.trace("No bulk request execution necessary for API key update");
            actionListener.onResponse(builder.build());
        } else {
            logger.trace("Executing bulk request to update [{}] API keys", Integer.valueOf(prepareBulk.numberOfActions()));
            prepareBulk.setRefreshPolicy(defaultCreateDocRefreshPolicy(this.settings));
            this.securityIndex.prepareIndexIfNeededThenExecute(exc -> {
                actionListener.onFailure((Exception) traceLog("prepare security index before update", exc));
            }, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                BulkRequest request = prepareBulk.request();
                ActionListener wrap = ActionListener.wrap(bulkResponse -> {
                    buildResponseAndClearCache(bulkResponse, builder, actionListener);
                }, exc2 -> {
                    actionListener.onFailure((Exception) traceLog("execute bulk request for update", exc2));
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::bulk);
            });
        }
    }

    void validateForUpdate(String str, ApiKey.Type type, Authentication authentication, ApiKeyDoc apiKeyDoc) {
        if (!$assertionsDisabled && !authentication.getEffectiveSubject().getUser().principal().equals(apiKeyDoc.creator.get("principal"))) {
            throw new AssertionError("Authenticated user should be owner (authentication=[" + authentication + "], owner=[" + apiKeyDoc.creator + "], id=[" + str + "])");
        }
        if (apiKeyDoc.invalidated.booleanValue()) {
            throw new IllegalArgumentException("cannot update invalidated API key [" + str + "]");
        }
        if (apiKeyDoc.expirationTime != -1 && this.clock.instant().isAfter(Instant.ofEpochMilli(apiKeyDoc.expirationTime))) {
            throw new IllegalArgumentException("cannot update expired API key [" + str + "]");
        }
        if (Strings.isNullOrEmpty(apiKeyDoc.name)) {
            throw new IllegalArgumentException("cannot update legacy API key [" + str + "] without name");
        }
        if (type != apiKeyDoc.type) {
            throw new IllegalArgumentException("cannot update API key of type [" + apiKeyDoc.type.value() + "] while expected type is [" + type.value() + "]");
        }
    }

    static Set<RoleDescriptor> maybeRemoveRemotePrivileges(Set<RoleDescriptor> set, TransportVersion transportVersion, String... strArr) {
        if (!transportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY) && !transportVersion.before(RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS)) {
            return set;
        }
        HashSet hashSet = new HashSet();
        Set<RoleDescriptor> set2 = (Set) set.stream().map(roleDescriptor -> {
            if (!roleDescriptor.hasRemoteIndicesPrivileges() && !roleDescriptor.hasRemoteClusterPermissions()) {
                return roleDescriptor;
            }
            hashSet.add(roleDescriptor);
            return new RoleDescriptor(roleDescriptor.getName(), roleDescriptor.getClusterPrivileges(), roleDescriptor.getIndicesPrivileges(), roleDescriptor.getApplicationPrivileges(), roleDescriptor.getConditionalClusterPrivileges(), roleDescriptor.getRunAs(), roleDescriptor.getMetadata(), roleDescriptor.getTransientMetadata(), (roleDescriptor.hasRemoteIndicesPrivileges() && transportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) ? null : roleDescriptor.getRemoteIndicesPrivileges(), (roleDescriptor.hasRemoteClusterPermissions() && transportVersion.before(RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS)) ? null : roleDescriptor.getRemoteClusterPermissions(), roleDescriptor.getRestriction(), roleDescriptor.getDescription());
        }).collect(Collectors.toSet());
        if (false == hashSet.isEmpty()) {
            List list = (List) hashSet.stream().map((v0) -> {
                return v0.getName();
            }).sorted().collect(Collectors.toList());
            if (hashSet.stream().anyMatch((v0) -> {
                return v0.hasRemoteIndicesPrivileges();
            }) && transportVersion.before(RemoteClusterPortSettings.TRANSPORT_VERSION_ADVANCED_REMOTE_CLUSTER_SECURITY)) {
                logger.info("removed remote indices privileges from role(s) {} for API key(s) [{}]", list, buildDelimitedStringWithLimit(10, strArr));
                HeaderWarning.addWarning("Removed API key's remote indices privileges from role(s) " + list + ". Remote indices are not supported by all nodes in the cluster. ", new Object[0]);
            }
            if (hashSet.stream().anyMatch((v0) -> {
                return v0.hasRemoteClusterPermissions();
            }) && transportVersion.before(RemoteClusterPermissions.ROLE_REMOTE_CLUSTER_PRIVS)) {
                logger.info("removed remote cluster privileges from role(s) {} for API key(s) [{}]", list, buildDelimitedStringWithLimit(10, strArr));
                HeaderWarning.addWarning("Removed API key's remote cluster privileges from role(s) " + list + ". Remote cluster privileges are not supported by all nodes in the cluster.", new Object[0]);
            }
        }
        return set2;
    }

    static String buildDelimitedStringWithLimit(int i, String... strArr) {
        if (i <= 0) {
            throw new IllegalArgumentException("limit must be positive number");
        }
        if (strArr == null || strArr.length <= 0) {
            return "";
        }
        int length = strArr.length;
        int max = Math.max(0, length - i);
        int min = Math.min(i, length);
        StringBuilder sb = new StringBuilder(min + (max > 0 ? 5 : 0));
        int i2 = 0;
        while (i2 < min) {
            sb.append(strArr[i2]);
            i2++;
            if (i2 < min) {
                sb.append(", ");
            }
        }
        if (max > 0) {
            sb.append("... (").append(length).append(" in total, ").append(max).append(" omitted)");
        }
        return sb.toString();
    }

    static XContentBuilder newDocument(char[] cArr, String str, Authentication authentication, Set<RoleDescriptor> set, Instant instant, Instant instant2, List<RoleDescriptor> list, ApiKey.Type type, ApiKey.Version version, @Nullable Map<String, Object> map) throws IOException {
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject().field("doc_type", "api_key").field(LoggingAuditTrail.LOG_TYPE, type.value()).field("creation_time", instant.toEpochMilli()).field("expiration_time", instant2 == null ? null : Long.valueOf(instant2.toEpochMilli())).field("api_key_invalidated", false);
        addApiKeyHash(jsonBuilder, cArr);
        addRoleDescriptors(jsonBuilder, list);
        addLimitedByRoleDescriptors(jsonBuilder, set);
        jsonBuilder.field("name", str).field("version", version.version()).field(FieldNameTranslators.FLATTENED_METADATA_INDEX_FIELD_NAME, map);
        addCreator(jsonBuilder, authentication);
        return jsonBuilder.endObject();
    }

    @Nullable
    static XContentBuilder maybeBuildUpdatedDocument(String str, ApiKeyDoc apiKeyDoc, ApiKey.Version version, Authentication authentication, BaseUpdateApiKeyRequest baseUpdateApiKeyRequest, Set<RoleDescriptor> set, Clock clock) throws IOException {
        if (!$assertionsDisabled && apiKeyDoc.type != baseUpdateApiKeyRequest.getType()) {
            throw new AssertionError("API Key doc does not match request type (key-id=[" + str + "], doc=[" + apiKeyDoc.type + "], request=[" + baseUpdateApiKeyRequest.getType() + "])");
        }
        if (isNoop(str, apiKeyDoc, version, authentication, baseUpdateApiKeyRequest, set)) {
            return null;
        }
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject().field("doc_type", "api_key").field(LoggingAuditTrail.LOG_TYPE, apiKeyDoc.type.value()).field("creation_time", apiKeyDoc.creationTime).field("api_key_invalidated", false);
        if (baseUpdateApiKeyRequest.getExpiration() != null) {
            jsonBuilder.field("expiration_time", getApiKeyExpiration(clock.instant(), baseUpdateApiKeyRequest.getExpiration()).toEpochMilli());
        } else {
            jsonBuilder.field("expiration_time", apiKeyDoc.expirationTime == -1 ? null : Long.valueOf(apiKeyDoc.expirationTime));
        }
        addApiKeyHash(jsonBuilder, apiKeyDoc.hash.toCharArray());
        List roleDescriptors = baseUpdateApiKeyRequest.getRoleDescriptors();
        if (roleDescriptors != null) {
            logger.trace(() -> {
                return org.elasticsearch.core.Strings.format("Building API key doc with updated role descriptors [%s]", new Object[]{roleDescriptors});
            });
            addRoleDescriptors(jsonBuilder, roleDescriptors);
        } else {
            if (!$assertionsDisabled && apiKeyDoc.roleDescriptorsBytes == null) {
                throw new AssertionError("Role descriptors for [" + str + "] are null");
            }
            jsonBuilder.rawField("role_descriptors", apiKeyDoc.roleDescriptorsBytes.streamInput(), XContentType.JSON);
        }
        addLimitedByRoleDescriptors(jsonBuilder, set);
        jsonBuilder.field("name", apiKeyDoc.name).field("version", version.version());
        if (!$assertionsDisabled && apiKeyDoc.metadataFlattened != null && MetadataUtils.containsReservedMetadata((Map) XContentHelper.convertToMap(apiKeyDoc.metadataFlattened, false, XContentType.JSON).v2())) {
            throw new AssertionError("API key doc [" + str + "] to be updated contains reserved metadata");
        }
        Map metadata = baseUpdateApiKeyRequest.getMetadata();
        if (metadata != null) {
            logger.trace(() -> {
                return org.elasticsearch.core.Strings.format("Building API key doc with updated metadata [%s]", new Object[]{metadata});
            });
            jsonBuilder.field(FieldNameTranslators.FLATTENED_METADATA_INDEX_FIELD_NAME, metadata);
        } else {
            jsonBuilder.rawField(FieldNameTranslators.FLATTENED_METADATA_INDEX_FIELD_NAME, apiKeyDoc.metadataFlattened == null ? ApiKeyDoc.NULL_BYTES.streamInput() : apiKeyDoc.metadataFlattened.streamInput(), XContentType.JSON);
        }
        addCreator(jsonBuilder, authentication);
        return jsonBuilder.endObject();
    }

    private static boolean isNoop(String str, ApiKeyDoc apiKeyDoc, ApiKey.Version version, Authentication authentication, BaseUpdateApiKeyRequest baseUpdateApiKeyRequest, Set<RoleDescriptor> set) throws IOException {
        if (apiKeyDoc.version != version.version() || baseUpdateApiKeyRequest.getExpiration() != null) {
            return false;
        }
        Map<String, Object> map = apiKeyDoc.creator;
        User user = authentication.getEffectiveSubject().getUser();
        Authentication.RealmRef realm = authentication.getEffectiveSubject().getRealm();
        if (false == (Objects.equals(user.principal(), map.get("principal")) && Objects.equals(user.fullName(), map.get("full_name")) && Objects.equals(user.email(), map.get("email")) && Objects.equals(user.metadata(), map.get("metadata")) && Objects.equals(realm.getName(), map.get(LoggingAuditTrail.REALM_FIELD_NAME)) && Objects.equals(realm.getType(), map.get("realm_type")))) {
            return false;
        }
        if (realm.getDomain() != null) {
            if (map.get("realm_domain") == null) {
                return false;
            }
            XContentParser mapToXContentParser = XContentHelper.mapToXContentParser(XContentParserConfiguration.EMPTY, (Map) map.get("realm_domain"));
            try {
                RealmDomain fromXContent = RealmDomain.fromXContent(mapToXContentParser);
                if (mapToXContentParser != null) {
                    mapToXContentParser.close();
                }
                if (!realm.getDomain().equals(fromXContent)) {
                    return false;
                }
            } catch (Throwable th) {
                if (mapToXContentParser != null) {
                    try {
                        mapToXContentParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } else if (map.get("realm_domain") != null) {
            return false;
        }
        Map metadata = baseUpdateApiKeyRequest.getMetadata();
        if (metadata != null && (apiKeyDoc.metadataFlattened == null || !metadata.equals((Map) XContentHelper.convertToMap(apiKeyDoc.metadataFlattened, false, XContentType.JSON).v2()))) {
            return false;
        }
        List roleDescriptors = baseUpdateApiKeyRequest.getRoleDescriptors();
        if (roleDescriptors != null) {
            List<RoleDescriptor> parseRoleDescriptorsBytes = parseRoleDescriptorsBytes(str, apiKeyDoc.roleDescriptorsBytes, false);
            if (false == (roleDescriptors.size() == parseRoleDescriptorsBytes.size() && Set.copyOf(roleDescriptors).containsAll(parseRoleDescriptorsBytes))) {
                return false;
            }
            if (roleDescriptors.size() == parseRoleDescriptorsBytes.size()) {
                for (int i = 0; i < parseRoleDescriptorsBytes.size(); i++) {
                    if (!parseRoleDescriptorsBytes.get(i).getRemoteClusterPermissions().equals(((RoleDescriptor) roleDescriptors.get(i)).getRemoteClusterPermissions())) {
                        return false;
                    }
                }
            }
        }
        if (!$assertionsDisabled && set == null) {
            throw new AssertionError("API Key [" + str + "] has null role descriptors");
        }
        List<RoleDescriptor> parseRoleDescriptorsBytes2 = parseRoleDescriptorsBytes(str, apiKeyDoc.limitedByRoleDescriptorsBytes, false);
        return set.size() == parseRoleDescriptorsBytes2.size() && set.containsAll(parseRoleDescriptorsBytes2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void tryAuthenticate(ThreadContext threadContext, ApiKeyCredentials apiKeyCredentials, ActionListener<AuthenticationResult<User>> actionListener) {
        if (false == isEnabled()) {
            actionListener.onResponse(AuthenticationResult.notHandled());
        }
        if (!$assertionsDisabled && apiKeyCredentials == null) {
            throw new AssertionError("api key credentials must not be null");
        }
        loadApiKeyAndValidateCredentials(threadContext, apiKeyCredentials, ActionListener.wrap(authenticationResult -> {
            apiKeyCredentials.close();
            actionListener.onResponse(authenticationResult);
        }, exc -> {
            apiKeyCredentials.close();
            actionListener.onFailure(exc);
        }));
    }

    void loadApiKeyAndValidateCredentials(ThreadContext threadContext, ApiKeyCredentials apiKeyCredentials, ActionListener<AuthenticationResult<User>> actionListener) {
        long j;
        String id = apiKeyCredentials.getId();
        Consumer consumer = apiKeyDoc -> {
            validateApiKeyCredentials(id, apiKeyDoc, apiKeyCredentials, this.clock, actionListener.delegateResponse((actionListener2, exc) -> {
                if (ExceptionsHelper.unwrapCause(exc) instanceof EsRejectedExecutionException) {
                    actionListener2.onResponse(AuthenticationResult.terminate("server is too busy to respond", exc));
                } else {
                    actionListener2.onFailure(exc);
                }
            }));
        };
        if (this.apiKeyDocCache != null) {
            ApiKeyDoc apiKeyDoc2 = this.apiKeyDocCache.get(id);
            if (apiKeyDoc2 != null) {
                consumer.accept(apiKeyDoc2);
                return;
            }
            j = this.apiKeyDocCache.getInvalidationCount();
        } else {
            j = -1;
        }
        GetRequest request = this.client.prepareGet(SecuritySystemIndices.SECURITY_MAIN_ALIAS, id).setFetchSource(true).request();
        long j2 = j;
        ActionListener wrap = ActionListener.wrap(getResponse -> {
            if (!getResponse.isExists()) {
                if (this.apiKeyAuthCache != null) {
                    this.apiKeyAuthCache.invalidate(id);
                }
                actionListener.onResponse(AuthenticationResult.unsuccessful("unable to find apikey with id " + apiKeyCredentials.getId(), (Exception) null));
                return;
            }
            XContentParser createParser = XContentHelper.createParser(XContentParserConfiguration.EMPTY.withDeprecationHandler(LoggingDeprecationHandler.INSTANCE), getResponse.getSourceAsBytesRef(), XContentType.JSON);
            try {
                ApiKeyDoc fromXContent = ApiKeyDoc.fromXContent(createParser);
                if (createParser != null) {
                    createParser.close();
                }
                if (j2 != -1) {
                    this.apiKeyDocCache.putIfNoInvalidationSince(id, fromXContent, j2);
                }
                consumer.accept(fromXContent);
            } catch (Throwable th) {
                if (createParser != null) {
                    try {
                        createParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }, exc -> {
            if (ExceptionsHelper.unwrapCause(exc) instanceof EsRejectedExecutionException) {
                actionListener.onResponse(AuthenticationResult.terminate("server is too busy to respond", exc));
            } else {
                actionListener.onResponse(AuthenticationResult.unsuccessful("apikey authentication for id " + apiKeyCredentials.getId() + " encountered a failure", exc));
            }
        });
        Client client = this.client;
        Objects.requireNonNull(client);
        ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::get);
    }

    public List<RoleDescriptor> parseRoleDescriptors(String str, Map<String, Object> map, RoleReference.ApiKeyRoleType apiKeyRoleType) {
        if (map == null) {
            return null;
        }
        List<RoleDescriptor> list = map.entrySet().stream().map(entry -> {
            String str2 = (String) entry.getKey();
            Map map2 = (Map) entry.getValue();
            try {
                XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent());
                try {
                    builder.map(map2);
                    XContentParser createParserNotCompressed = XContentHelper.createParserNotCompressed(XContentParserConfiguration.EMPTY.withDeprecationHandler(new ApiKeyLoggingDeprecationHandler(deprecationLogger, str)), BytesReference.bytes(builder), XContentType.JSON);
                    try {
                        RoleDescriptor parse = ROLE_DESCRIPTOR_PARSER.parse(str2, createParserNotCompressed);
                        if (createParserNotCompressed != null) {
                            createParserNotCompressed.close();
                        }
                        if (builder != null) {
                            builder.close();
                        }
                        return parse;
                    } catch (Throwable th) {
                        if (createParserNotCompressed != null) {
                            try {
                                createParserNotCompressed.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } finally {
                }
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }).toList();
        return apiKeyRoleType == RoleReference.ApiKeyRoleType.LIMITED_BY ? maybeReplaceSuperuserRoleDescriptor(str, list) : list;
    }

    public List<RoleDescriptor> parseRoleDescriptorsBytes(String str, BytesReference bytesReference, RoleReference.ApiKeyRoleType apiKeyRoleType) {
        return parseRoleDescriptorsBytes(str, bytesReference, apiKeyRoleType == RoleReference.ApiKeyRoleType.LIMITED_BY);
    }

    private static List<RoleDescriptor> parseRoleDescriptorsBytes(String str, BytesReference bytesReference, boolean z) {
        if (bytesReference == null) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        try {
            XContentParser createParser = XContentHelper.createParser(XContentParserConfiguration.EMPTY.withDeprecationHandler(new ApiKeyLoggingDeprecationHandler(deprecationLogger, str)), bytesReference, XContentType.JSON);
            try {
                createParser.nextToken();
                while (createParser.nextToken() != XContentParser.Token.END_OBJECT) {
                    createParser.nextToken();
                    arrayList.add(ROLE_DESCRIPTOR_PARSER.parse(createParser.currentName(), createParser));
                }
                if (createParser != null) {
                    createParser.close();
                }
                return z ? maybeReplaceSuperuserRoleDescriptor(str, arrayList) : arrayList;
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private static List<RoleDescriptor> maybeReplaceSuperuserRoleDescriptor(String str, List<RoleDescriptor> list) {
        return list.stream().map(roleDescriptor -> {
            if (!roleDescriptor.equals(LEGACY_SUPERUSER_ROLE_DESCRIPTOR)) {
                return roleDescriptor;
            }
            logger.debug("replacing superuser role for API key [{}]", str);
            return ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR;
        }).toList();
    }

    void validateApiKeyCredentials(String str, ApiKeyDoc apiKeyDoc, ApiKeyCredentials apiKeyCredentials, Clock clock, ActionListener<AuthenticationResult<User>> actionListener) {
        if (!"api_key".equals(apiKeyDoc.docType)) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("document [" + str + "] is [" + apiKeyDoc.docType + "] not an api key", (Exception) null));
            return;
        }
        if (apiKeyDoc.invalidated == null) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("api key document is missing invalidated field", (Exception) null));
            return;
        }
        if (apiKeyDoc.invalidated.booleanValue()) {
            if (this.apiKeyAuthCache != null) {
                this.apiKeyAuthCache.invalidate(str);
            }
            actionListener.onResponse(AuthenticationResult.unsuccessful("api key [" + apiKeyCredentials.getId() + "] has been invalidated", (Exception) null));
            return;
        }
        if (apiKeyDoc.hash == null) {
            throw new IllegalStateException("api key hash is missing");
        }
        if (this.apiKeyAuthCache == null) {
            String str2 = apiKeyDoc.hash;
            CheckedConsumer checkedConsumer = bool -> {
                if (bool.booleanValue()) {
                    validateApiKeyTypeAndExpiration(apiKeyDoc, apiKeyCredentials, clock, actionListener);
                } else {
                    actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials for API key [" + apiKeyCredentials.getId() + "]", (Exception) null));
                }
            };
            Objects.requireNonNull(actionListener);
            verifyKeyAgainstHash(str2, apiKeyCredentials, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            return;
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(true);
        try {
            ListenableFuture listenableFuture = (ListenableFuture) this.apiKeyAuthCache.computeIfAbsent(apiKeyCredentials.getId(), str3 -> {
                atomicBoolean.set(false);
                return new ListenableFuture();
            });
            if (!atomicBoolean.get()) {
                verifyKeyAgainstHash(apiKeyDoc.hash, apiKeyCredentials, ActionListener.wrap(bool2 -> {
                    listenableFuture.onResponse(new CachedApiKeyHashResult(bool2.booleanValue(), apiKeyCredentials.getKey()));
                    if (bool2.booleanValue()) {
                        validateApiKeyTypeAndExpiration(apiKeyDoc, apiKeyCredentials, clock, actionListener);
                    } else {
                        actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials for API key [" + apiKeyCredentials.getId() + "]", (Exception) null));
                    }
                }, exc -> {
                    logger.warn(Strings.format("rejecting possibly valid API key authentication because the [%s] threadpool is full", new Object[]{Security.SECURITY_CRYPTO_THREAD_POOL_NAME}));
                    this.apiKeyAuthCache.invalidate(apiKeyCredentials.getId(), listenableFuture);
                    listenableFuture.onFailure(exc);
                    actionListener.onFailure(exc);
                }));
                return;
            }
            CheckedConsumer checkedConsumer2 = cachedApiKeyHashResult -> {
                if (cachedApiKeyHashResult.success) {
                    if (cachedApiKeyHashResult.verify(apiKeyCredentials.getKey())) {
                        validateApiKeyTypeAndExpiration(apiKeyDoc, apiKeyCredentials, clock, actionListener);
                        return;
                    } else {
                        actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials for API key [" + apiKeyCredentials.getId() + "]", (Exception) null));
                        return;
                    }
                }
                if (cachedApiKeyHashResult.verify(apiKeyCredentials.getKey())) {
                    actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials for API key [" + apiKeyCredentials.getId() + "]", (Exception) null));
                } else {
                    this.apiKeyAuthCache.invalidate(apiKeyCredentials.getId(), listenableFuture);
                    validateApiKeyCredentials(str, apiKeyDoc, apiKeyCredentials, clock, actionListener);
                }
            };
            Objects.requireNonNull(actionListener);
            listenableFuture.addListener(ActionListener.wrap(checkedConsumer2, actionListener::onFailure), this.threadPool.generic(), this.threadPool.getThreadContext());
        } catch (ExecutionException e) {
            actionListener.onFailure(e);
        }
    }

    CachedApiKeyHashResult getFromCache(String str) {
        if (this.apiKeyAuthCache == null) {
            return null;
        }
        return (CachedApiKeyHashResult) ((ListenableFuture) this.apiKeyAuthCache.get(str)).result();
    }

    Cache<String, ListenableFuture<CachedApiKeyHashResult>> getApiKeyAuthCache() {
        return this.apiKeyAuthCache;
    }

    Cache<String, CachedApiKeyDoc> getDocCache() {
        if (this.apiKeyDocCache == null) {
            return null;
        }
        return this.apiKeyDocCache.docCache;
    }

    Cache<String, BytesReference> getRoleDescriptorsBytesCache() {
        if (this.apiKeyDocCache == null) {
            return null;
        }
        return this.apiKeyDocCache.roleDescriptorsBytesCache;
    }

    static void validateApiKeyTypeAndExpiration(ApiKeyDoc apiKeyDoc, ApiKeyCredentials apiKeyCredentials, Clock clock, ActionListener<AuthenticationResult<User>> actionListener) {
        if (apiKeyDoc.type != apiKeyCredentials.expectedType) {
            actionListener.onResponse(AuthenticationResult.terminate(Strings.format("authentication expected API key type of [%s], but API key [%s] has type [%s]", new Object[]{apiKeyCredentials.expectedType.value(), apiKeyCredentials.getId(), apiKeyDoc.type.value()})));
            return;
        }
        if (apiKeyDoc.expirationTime != -1 && !Instant.ofEpochMilli(apiKeyDoc.expirationTime).isAfter(clock.instant())) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("api key is expired", (Exception) null));
            return;
        }
        User user = new User((String) Objects.requireNonNull((String) apiKeyDoc.creator.get("principal")), Strings.EMPTY_ARRAY, (String) apiKeyDoc.creator.get("full_name"), (String) apiKeyDoc.creator.get("email"), (Map) apiKeyDoc.creator.get("metadata"), true);
        HashMap hashMap = new HashMap();
        hashMap.put("_security_api_key_creator_realm_name", apiKeyDoc.creator.get(LoggingAuditTrail.REALM_FIELD_NAME));
        hashMap.put("_security_api_key_creator_realm_type", apiKeyDoc.creator.get("realm_type"));
        hashMap.put("_security_api_key_role_descriptors", apiKeyDoc.roleDescriptorsBytes);
        hashMap.put("_security_api_key_limited_by_role_descriptors", apiKeyDoc.limitedByRoleDescriptorsBytes);
        hashMap.put("_security_api_key_id", apiKeyCredentials.getId());
        hashMap.put("_security_api_key_name", apiKeyDoc.name);
        hashMap.put("_security_api_key_type", apiKeyDoc.type.value());
        if (apiKeyDoc.metadataFlattened != null) {
            hashMap.put("_security_api_key_metadata", apiKeyDoc.metadataFlattened);
        }
        actionListener.onResponse(AuthenticationResult.success(user, hashMap));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ApiKeyCredentials parseCredentialsFromApiKeyString(SecureString secureString) {
        if (false == isEnabled()) {
            return null;
        }
        return parseApiKey(secureString, ApiKey.Type.REST);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static ApiKeyCredentials getCredentialsFromHeader(String str, ApiKey.Type type) {
        return parseApiKey(Authenticator.extractCredentialFromHeaderValue(str, "ApiKey"), type);
    }

    public static String withApiKeyPrefix(String str) {
        return "ApiKey " + str;
    }

    private static ApiKeyCredentials parseApiKey(SecureString secureString, ApiKey.Type type) {
        if (secureString == null) {
            return null;
        }
        try {
            char[] utf8BytesToChars = CharArrays.utf8BytesToChars(Base64.getDecoder().decode(CharArrays.toUtf8Bytes(secureString.getChars())));
            int i = -1;
            int i2 = 0;
            while (true) {
                if (i2 >= utf8BytesToChars.length) {
                    break;
                }
                if (utf8BytesToChars[i2] == ':') {
                    i = i2;
                    break;
                }
                i2++;
            }
            if (i < 1) {
                throw new IllegalArgumentException("invalid ApiKey value");
            }
            int i3 = i + 1;
            if (ApiKey.Type.CROSS_CLUSTER == type && API_KEY_SECRET_LENGTH != utf8BytesToChars.length - i3) {
                throw new IllegalArgumentException("invalid cross-cluster API key value");
            }
            ApiKeyCredentials apiKeyCredentials = new ApiKeyCredentials(new String(Arrays.copyOfRange(utf8BytesToChars, 0, i)), new SecureString(Arrays.copyOfRange(utf8BytesToChars, i3, utf8BytesToChars.length)), type);
            if (utf8BytesToChars != null) {
                Arrays.fill(utf8BytesToChars, (char) 0);
            }
            return apiKeyCredentials;
        } catch (Throwable th) {
            if (0 != 0) {
                Arrays.fill((char[]) null, (char) 0);
            }
            throw th;
        }
    }

    void computeHashForApiKey(SecureString secureString, ActionListener<char[]> actionListener) {
        this.threadPool.executor(Security.SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(actionListener, () -> {
            return this.hasher.hash(secureString);
        }));
    }

    protected void verifyKeyAgainstHash(String str, ApiKeyCredentials apiKeyCredentials, ActionListener<Boolean> actionListener) {
        this.threadPool.executor(Security.SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(actionListener, () -> {
            Hasher resolveFromHash = Hasher.resolveFromHash(str.toCharArray());
            char[] charArray = str.toCharArray();
            try {
                Boolean valueOf = Boolean.valueOf(resolveFromHash.verify(apiKeyCredentials.getKey(), charArray));
                Arrays.fill(charArray, (char) 0);
                return valueOf;
            } catch (Throwable th) {
                Arrays.fill(charArray, (char) 0);
                throw th;
            }
        }));
    }

    private static Instant getApiKeyExpiration(Instant instant, @Nullable TimeValue timeValue) {
        if (timeValue != null) {
            return instant.plusSeconds(timeValue.getSeconds());
        }
        return null;
    }

    private boolean isEnabled() {
        return this.enabled;
    }

    public void ensureEnabled() {
        if (!this.enabled) {
            throw new FeatureNotEnabledException(FeatureNotEnabledException.Feature.API_KEY_SERVICE, "api keys are not enabled", new Object[0]);
        }
    }

    public void crossClusterApiKeyUsageStats(ActionListener<Map<String, Object>> actionListener) {
        if (false == isEnabled()) {
            actionListener.onResponse(Map.of());
            return;
        }
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            logger.debug("security index does not exist");
            actionListener.onResponse(Map.of("total", 0, "ccs", 0, "ccr", 0, "ccs_ccr", 0));
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
                return;
            }
            BoolQueryBuilder filter = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", "api_key")).filter(QueryBuilders.termQuery(LoggingAuditTrail.LOG_TYPE, ApiKey.Type.CROSS_CLUSTER.value()));
            Function function = this::convertSearchHitToApiKeyInfo;
            CheckedConsumer checkedConsumer = collection -> {
                int i = 0;
                int i2 = 0;
                int i3 = 0;
                Iterator it = collection.iterator();
                while (it.hasNext()) {
                    ApiKey apiKey = (ApiKey) it.next();
                    if (!$assertionsDisabled && apiKey.getType() != ApiKey.Type.CROSS_CLUSTER) {
                        throw new AssertionError("Incorrect API Key type for [" + apiKey + "] should be [" + ApiKey.Type.CROSS_CLUSTER + "]");
                    }
                    if (!$assertionsDisabled && apiKey.getRoleDescriptors().size() != 1) {
                        throw new AssertionError("API Key [" + apiKey + "] has [" + apiKey.getRoleDescriptors().size() + "] role descriptors, but should be 1");
                    }
                    List asList = Arrays.asList(((RoleDescriptor) apiKey.getRoleDescriptors().iterator().next()).getClusterPrivileges());
                    if (asList.contains("cross_cluster_search") && !asList.contains("cross_cluster_replication")) {
                        i++;
                    } else if (asList.contains("cross_cluster_replication") && !asList.contains("cross_cluster_search")) {
                        i2++;
                    } else if (asList.contains("cross_cluster_search") && asList.contains("cross_cluster_replication")) {
                        i3++;
                    } else {
                        String str = "invalid cluster privileges " + asList + " for cross-cluster API key [" + apiKey.getId() + "]";
                        if (!$assertionsDisabled) {
                            throw new AssertionError(str);
                        }
                        actionListener.onFailure(new IllegalStateException(str));
                    }
                }
                actionListener.onResponse(Map.of("total", Integer.valueOf(collection.size()), "ccs", Integer.valueOf(i), "ccr", Integer.valueOf(i2), "ccs_ccr", Integer.valueOf(i3)));
            };
            Objects.requireNonNull(actionListener);
            findApiKeys(filter, true, true, function, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.cacheMetrics.forEach(autoCloseable -> {
            try {
                autoCloseable.close();
            } catch (Exception e) {
                logger.warn("metrics close() method should not throw Exception", e);
            }
        });
    }

    @Nullable
    private IndexRequest maybeBuildIndexRequest(VersionedApiKeyDoc versionedApiKeyDoc, Authentication authentication, BaseUpdateApiKeyRequest baseUpdateApiKeyRequest, Set<RoleDescriptor> set) throws IOException {
        if (logger.isTraceEnabled()) {
            logger.trace("Building index request for update of API key doc [{}] with seqNo [{}] and primaryTerm [{}]", versionedApiKeyDoc.id(), Long.valueOf(versionedApiKeyDoc.seqNo()), Long.valueOf(versionedApiKeyDoc.primaryTerm()));
        }
        ApiKey.Version version = ApiKey.CURRENT_API_KEY_VERSION;
        ApiKey.Version version2 = new ApiKey.Version(versionedApiKeyDoc.doc().version);
        if (!$assertionsDisabled && !version2.onOrBefore(version)) {
            throw new AssertionError("API key [" + versionedApiKeyDoc.id() + "] has version [" + version2 + " which is greater than current version [" + ApiKey.CURRENT_API_KEY_VERSION + "]");
        }
        if (logger.isDebugEnabled() && version2.before(version)) {
            logger.debug("API key update for [{}] will update version from [{}] to [{}]", versionedApiKeyDoc.id(), version2, version);
        }
        XContentBuilder maybeBuildUpdatedDocument = maybeBuildUpdatedDocument(versionedApiKeyDoc.id(), versionedApiKeyDoc.doc(), version, authentication, baseUpdateApiKeyRequest, set, this.clock);
        if (maybeBuildUpdatedDocument == null) {
            return null;
        }
        return this.client.prepareIndex(SecuritySystemIndices.SECURITY_MAIN_ALIAS).setId(versionedApiKeyDoc.id()).setSource(maybeBuildUpdatedDocument).setIfSeqNo(versionedApiKeyDoc.seqNo()).setIfPrimaryTerm(versionedApiKeyDoc.primaryTerm()).setOpType(DocWriteRequest.OpType.INDEX).request();
    }

    private static void addErrorsForNotFoundApiKeys(BulkUpdateApiKeyResponse.Builder builder, Collection<VersionedApiKeyDoc> collection, List<String> list) {
        if (collection.size() == list.size()) {
            return;
        }
        Set set = (Set) collection.stream().map((v0) -> {
            return v0.id();
        }).collect(Collectors.toUnmodifiableSet());
        for (String str : list) {
            if (!set.contains(str)) {
                builder.error(str, new ResourceNotFoundException("no API key owned by requesting user found for ID [" + str + "]", new Object[0]));
            }
        }
    }

    public void invalidateApiKeys(String[] strArr, String str, String str2, String[] strArr2, boolean z, ActionListener<InvalidateApiKeyResponse> actionListener) {
        ensureEnabled();
        if ((strArr == null || strArr.length == 0) && !Strings.hasText(str) && !Strings.hasText(str2) && (strArr2 == null || strArr2.length == 0)) {
            logger.trace("none of the parameters [api key id, api key name, username, realm name] were specified for invalidation");
            actionListener.onFailure(new IllegalArgumentException("One of [api key id, api key name, username, realm name] must be specified"));
        } else {
            Function function = this::convertSearchHitToApiKeyInfo;
            CheckedConsumer checkedConsumer = collection -> {
                if (!collection.isEmpty()) {
                    indexInvalidation(collection, z, actionListener);
                } else {
                    logger.debug("No active api keys to invalidate for realms {}, username [{}], api key name [{}] and api key ids {}", Arrays.toString(strArr), str, str2, Arrays.toString(strArr2));
                    actionListener.onResponse(InvalidateApiKeyResponse.emptyResponse());
                }
            };
            Objects.requireNonNull(actionListener);
            findApiKeysForUserRealmApiKeyIdAndNameCombination(strArr, str, str2, strArr2, true, false, function, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    private <T> void findApiKeys(BoolQueryBuilder boolQueryBuilder, boolean z, boolean z2, Function<SearchHit, T> function, ActionListener<Collection<T>> actionListener) {
        if (z) {
            boolQueryBuilder.filter(QueryBuilders.termQuery("api_key_invalidated", false));
        }
        if (z2) {
            BoolQueryBuilder boolQuery = QueryBuilders.boolQuery();
            boolQuery.should(QueryBuilders.rangeQuery("expiration_time").gt(Long.valueOf(this.clock.instant().toEpochMilli())));
            boolQuery.should(QueryBuilders.boolQuery().mustNot(QueryBuilders.existsQuery("expiration_time")));
            boolQueryBuilder.filter(boolQuery);
        }
        Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
        ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
        try {
            SearchRequest request = this.client.prepareSearch(new String[]{SecuritySystemIndices.SECURITY_MAIN_ALIAS}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(boolQueryBuilder).setVersion(false).setSize(1000).setFetchSource(true).request();
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ScrollHelper.fetchAllByEntity(this.client, request, new ContextPreservingActionListener(newRestorableContext, actionListener), function);
            });
            if (stashWithOrigin != null) {
                stashWithOrigin.close();
            }
        } catch (Throwable th) {
            if (stashWithOrigin != null) {
                try {
                    stashWithOrigin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public static QueryBuilder filterForRealmNames(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            return null;
        }
        if (strArr.length == 1) {
            return QueryBuilders.termQuery("creator.realm", strArr[0]);
        }
        BoolQueryBuilder boolQuery = QueryBuilders.boolQuery();
        for (String str : strArr) {
            boolQuery.should(QueryBuilders.termQuery("creator.realm", str));
        }
        boolQuery.minimumShouldMatch(1);
        return boolQuery;
    }

    private void findVersionedApiKeyDocsForSubject(Authentication authentication, String[] strArr, ActionListener<Collection<VersionedApiKeyDoc>> actionListener) {
        if (!$assertionsDisabled && authentication.isApiKey()) {
            throw new AssertionError("Authentication [" + authentication + "] is an API key, but should not be");
        }
        findApiKeysForUserRealmApiKeyIdAndNameCombination(getOwnersRealmNames(authentication), authentication.getEffectiveSubject().getUser().principal(), null, strArr, false, false, ApiKeyService::convertSearchHitToVersionedApiKeyDoc, actionListener);
    }

    private <T> void findApiKeysForUserRealmApiKeyIdAndNameCombination(String[] strArr, String str, String str2, String[] strArr2, boolean z, boolean z2, Function<SearchHit, T> function, ActionListener<Collection<T>> actionListener) {
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            actionListener.onResponse(Collections.emptyList());
            return;
        }
        if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
            actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
            return;
        }
        BoolQueryBuilder filter = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", "api_key"));
        QueryBuilder filterForRealmNames = filterForRealmNames(strArr);
        if (filterForRealmNames != null) {
            filter.filter(filterForRealmNames);
        }
        if (Strings.hasText(str)) {
            filter.filter(QueryBuilders.termQuery("creator.principal", str));
        }
        if (Strings.hasText(str2) && !"*".equals(str2)) {
            if (str2.endsWith("*")) {
                filter.filter(QueryBuilders.prefixQuery("name", str2.substring(0, str2.length() - 1)));
            } else {
                filter.filter(QueryBuilders.termQuery("name", str2));
            }
        }
        if (strArr2 != null && strArr2.length > 0) {
            filter.filter(QueryBuilders.idsQuery().addIds(strArr2));
        }
        findApiKeys(filter, z, z2, function, actionListener);
    }

    private void indexInvalidation(Collection<ApiKey> collection, boolean z, ActionListener<InvalidateApiKeyResponse> actionListener) {
        maybeStartApiKeyRemover();
        if (collection.isEmpty()) {
            actionListener.onFailure(new ElasticsearchSecurityException("No api key ids provided for invalidation", new Object[0]));
            return;
        }
        BulkRequestBuilder prepareBulk = this.client.prepareBulk();
        long epochMilli = this.clock.instant().toEpochMilli();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        ArrayList arrayList = new ArrayList();
        for (ApiKey apiKey : collection) {
            String id = apiKey.getId();
            if (!hashSet.contains(id) && !hashSet2.contains(id)) {
                if (false == z && ApiKey.Type.CROSS_CLUSTER.equals(apiKey.getType())) {
                    logger.debug("Skipping invalidation of cross cluster API key [{}]", apiKey);
                    arrayList.add(cannotInvalidateCrossClusterApiKeyException(id));
                    hashSet2.add(id);
                } else {
                    prepareBulk.add(this.client.prepareUpdate(SecuritySystemIndices.SECURITY_MAIN_ALIAS, id).setDoc(Map.of("api_key_invalidated", true, "invalidation_time", Long.valueOf(epochMilli))));
                    hashSet.add(id);
                }
            }
        }
        if (!$assertionsDisabled && false != hashSet.isEmpty() && false != hashSet2.isEmpty()) {
            throw new AssertionError("There are no API keys but that should never happen, original=[" + (collection.size() > 10 ? "size=" + collection.size() + " including " + collection.iterator().next() : collection) + "], to-invalidate=[" + hashSet + "], to-skip=[" + hashSet2 + "]");
        }
        if (hashSet.isEmpty()) {
            actionListener.onResponse(new InvalidateApiKeyResponse(Collections.emptyList(), Collections.emptyList(), arrayList));
        } else {
            if (!$assertionsDisabled && prepareBulk.numberOfActions() <= 0) {
                throw new AssertionError("Bulk request has [" + prepareBulk.numberOfActions() + "] actions, but there are [" + hashSet.size() + "] api keys to invalidate");
            }
            prepareBulk.setRefreshPolicy(defaultCreateDocRefreshPolicy(this.settings));
            this.securityIndex.prepareIndexIfNeededThenExecute(exc -> {
                actionListener.onFailure((Exception) traceLog("prepare security index", exc));
            }, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                BulkRequest request = prepareBulk.request();
                ActionListener wrap = ActionListener.wrap(bulkResponse -> {
                    ArrayList arrayList2 = new ArrayList();
                    ArrayList arrayList3 = new ArrayList();
                    for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
                        if (bulkItemResponse.isFailed()) {
                            Exception cause = bulkItemResponse.getFailure().getCause();
                            traceLog("invalidate api key", bulkItemResponse.getFailure().getId(), cause);
                            arrayList.add(new ElasticsearchException("Error invalidating api key", cause, new Object[0]));
                        } else {
                            UpdateResponse response = bulkItemResponse.getResponse();
                            if (response.getResult() == DocWriteResponse.Result.UPDATED) {
                                logger.debug("Invalidated api key for doc [{}]", response.getId());
                                arrayList3.add(response.getId());
                            } else if (response.getResult() == DocWriteResponse.Result.NOOP) {
                                arrayList2.add(response.getId());
                            }
                        }
                    }
                    clearCache(new InvalidateApiKeyResponse(arrayList3, arrayList2, arrayList), actionListener);
                }, exc2 -> {
                    traceLog("invalidate api keys", ExceptionsHelper.unwrapCause(exc2));
                    actionListener.onFailure(exc2);
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::bulk);
            });
        }
    }

    private ElasticsearchException cannotInvalidateCrossClusterApiKeyException(String str) {
        return new ElasticsearchSecurityException("Cannot invalidate cross-cluster API key [" + str + "]. This requires [" + ClusterPrivilegeResolver.MANAGE_SECURITY.name() + "] cluster privilege or higher", new Object[0]);
    }

    private void buildResponseAndClearCache(BulkResponse bulkResponse, BulkUpdateApiKeyResponse.Builder builder, ActionListener<BulkUpdateApiKeyResponse> actionListener) {
        for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
            String id = bulkItemResponse.getId();
            if (bulkItemResponse.isFailed()) {
                builder.error(id, new ElasticsearchException("bulk request execution failure", bulkItemResponse.getFailure().getCause(), new Object[0]));
            } else {
                if (!$assertionsDisabled && bulkItemResponse.getResponse().getResult() != DocWriteResponse.Result.UPDATED) {
                    throw new AssertionError("Bulk Item [" + bulkItemResponse.getId() + "] is [" + bulkItemResponse.getResponse().getResult() + "] but should be [" + DocWriteResponse.Result.UPDATED + "]");
                }
                builder.updated(id);
            }
        }
        clearApiKeyDocCache(builder.build(), actionListener);
    }

    private static void addLimitedByRoleDescriptors(XContentBuilder xContentBuilder, Set<RoleDescriptor> set) throws IOException {
        if (!$assertionsDisabled && set == null) {
            throw new AssertionError();
        }
        xContentBuilder.startObject("limited_by_role_descriptors");
        for (RoleDescriptor roleDescriptor : set) {
            xContentBuilder.field(roleDescriptor.getName(), (xContentBuilder2, params) -> {
                return roleDescriptor.toXContent(xContentBuilder2, params, true);
            });
        }
        xContentBuilder.endObject();
    }

    private static void addApiKeyHash(XContentBuilder xContentBuilder, char[] cArr) throws IOException {
        byte[] bArr = null;
        try {
            bArr = CharArrays.toUtf8Bytes(cArr);
            xContentBuilder.field("api_key_hash").utf8Value(bArr, 0, bArr.length);
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
        } catch (Throwable th) {
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            throw th;
        }
    }

    private static void addCreator(XContentBuilder xContentBuilder, Authentication authentication) throws IOException {
        User user = authentication.getEffectiveSubject().getUser();
        Authentication.RealmRef realm = authentication.getEffectiveSubject().getRealm();
        xContentBuilder.startObject("creator").field("principal", user.principal()).field("full_name", user.fullName()).field("email", user.email()).field("metadata", user.metadata()).field(LoggingAuditTrail.REALM_FIELD_NAME, realm.getName()).field("realm_type", realm.getType());
        if (realm.getDomain() != null) {
            xContentBuilder.field("realm_domain", realm.getDomain());
        }
        xContentBuilder.endObject();
    }

    private static void addRoleDescriptors(XContentBuilder xContentBuilder, List<RoleDescriptor> list) throws IOException {
        xContentBuilder.startObject("role_descriptors");
        if (list != null && !list.isEmpty()) {
            for (RoleDescriptor roleDescriptor : list) {
                xContentBuilder.field(roleDescriptor.getName(), (xContentBuilder2, params) -> {
                    return roleDescriptor.toXContent(xContentBuilder2, params, true);
                });
            }
        }
        xContentBuilder.endObject();
    }

    private void clearCache(InvalidateApiKeyResponse invalidateApiKeyResponse, ActionListener<InvalidateApiKeyResponse> actionListener) {
        executeClearCacheRequest(invalidateApiKeyResponse, actionListener, new ClearSecurityCacheRequest().cacheName("api_key").keys((String[]) invalidateApiKeyResponse.getInvalidatedApiKeys().toArray(i -> {
            return new String[i];
        })));
    }

    private void clearApiKeyDocCache(BulkUpdateApiKeyResponse bulkUpdateApiKeyResponse, ActionListener<BulkUpdateApiKeyResponse> actionListener) {
        executeClearCacheRequest(bulkUpdateApiKeyResponse, actionListener, new ClearSecurityCacheRequest().cacheName("api_key_doc").keys((String[]) bulkUpdateApiKeyResponse.getUpdated().toArray(i -> {
            return new String[i];
        })));
    }

    private <T> void executeClearCacheRequest(final T t, final ActionListener<T> actionListener, final ClearSecurityCacheRequest clearSecurityCacheRequest) {
        ClientHelper.executeAsyncWithOrigin(this.client, "security", ClearSecurityCacheAction.INSTANCE, clearSecurityCacheRequest, new ActionListener<ClearSecurityCacheResponse>() { // from class: org.elasticsearch.xpack.security.authc.ApiKeyService.3
            public void onResponse(ClearSecurityCacheResponse clearSecurityCacheResponse) {
                actionListener.onResponse(t);
            }

            public void onFailure(Exception exc) {
                Logger logger2 = ApiKeyService.logger;
                ClearSecurityCacheRequest clearSecurityCacheRequest2 = clearSecurityCacheRequest;
                logger2.error(() -> {
                    return org.elasticsearch.core.Strings.format("unable to clear API key cache [%s]", new Object[]{clearSecurityCacheRequest2.cacheName()});
                }, exc);
                actionListener.onFailure(new ElasticsearchException("clearing the API key cache failed; please clear the caches manually", exc, new Object[0]));
            }
        });
    }

    private static <E extends Throwable> E traceLog(String str, String str2, E e) {
        if (logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    logger.trace(() -> {
                        return org.elasticsearch.core.Strings.format("Failure in [%s] for id [%s] - [%s]", new Object[]{str, str2, header});
                    }, elasticsearchException);
                } else {
                    logger.trace(() -> {
                        return org.elasticsearch.core.Strings.format("Failure in [%s] for id [%s]", new Object[]{str, str2});
                    }, elasticsearchException);
                }
            } else {
                logger.trace(() -> {
                    return org.elasticsearch.core.Strings.format("Failure in [%s] for id [%s]", new Object[]{str, str2});
                }, e);
            }
        }
        return e;
    }

    private static <E extends Throwable> E traceLog(String str, E e) {
        if (logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    logger.trace(() -> {
                        return org.elasticsearch.core.Strings.format("Failure in [%s] - [%s]", new Object[]{str, header});
                    }, elasticsearchException);
                } else {
                    logger.trace(() -> {
                        return "Failure in [" + str + "]";
                    }, elasticsearchException);
                }
            } else {
                logger.trace(() -> {
                    return "Failure in [" + str + "]";
                }, e);
            }
        }
        return e;
    }

    boolean isExpirationInProgress() {
        return this.inactiveApiKeysRemover.isExpirationInProgress();
    }

    long lastTimeWhenApiKeysRemoverWasTriggered() {
        return this.inactiveApiKeysRemover.getLastRunTimestamp();
    }

    private void maybeStartApiKeyRemover() {
        if (this.securityIndex.isAvailable(SecurityIndexManager.Availability.PRIMARY_SHARDS)) {
            this.inactiveApiKeysRemover.maybeSubmit(this.client.threadPool());
        }
    }

    public void getApiKeys(String[] strArr, String str, String str2, String[] strArr2, boolean z, boolean z2, ActionListener<Collection<ApiKey>> actionListener) {
        ensureEnabled();
        Function function = searchHit -> {
            return convertSearchHitToApiKeyInfo(searchHit, z);
        };
        CheckedConsumer checkedConsumer = collection -> {
            if (collection.isEmpty() && logger.isDebugEnabled()) {
                logger.debug("No API keys found for realms {}, user [{}], API key name [{}], API key IDs {}, and active_only flag [{}]", Arrays.toString(strArr), str, str2, Arrays.toString(strArr2), Boolean.valueOf(z2));
            }
            actionListener.onResponse(collection);
        };
        Objects.requireNonNull(actionListener);
        findApiKeysForUserRealmApiKeyIdAndNameCombination(strArr, str, str2, strArr2, z2, z2, function, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void queryApiKeys(SearchRequest searchRequest, boolean z, ActionListener<QueryApiKeysResult> actionListener) {
        ensureEnabled();
        SecurityIndexManager defensiveCopy = this.securityIndex.defensiveCopy();
        if (!defensiveCopy.indexExists()) {
            logger.debug("security index does not exist");
            actionListener.onResponse(QueryApiKeysResult.EMPTY);
        } else {
            if (!defensiveCopy.isAvailable(SecurityIndexManager.Availability.SEARCH_SHARDS)) {
                actionListener.onFailure(defensiveCopy.getUnavailableReason(SecurityIndexManager.Availability.SEARCH_SHARDS));
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                ActionType actionType = TransportSearchAction.TYPE;
                CheckedConsumer checkedConsumer = searchResponse -> {
                    long j = searchResponse.getHits().getTotalHits().value;
                    if (j == 0) {
                        logger.debug("No api keys found for query [{}]", searchRequest.source().query());
                        actionListener.onResponse(QueryApiKeysResult.EMPTY);
                    } else {
                        SearchHit[] hits = searchResponse.getHits().getHits();
                        actionListener.onResponse(new QueryApiKeysResult(j, Arrays.stream(hits).map(searchHit -> {
                            return convertSearchHitToApiKeyInfo(searchHit, z);
                        }).toList(), Arrays.stream(hits).map((v0) -> {
                            return v0.getSortValues();
                        }).toList(), searchResponse.getAggregations()));
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", actionType, searchRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        }
    }

    private ApiKey convertSearchHitToApiKeyInfo(SearchHit searchHit) {
        return convertSearchHitToApiKeyInfo(searchHit, false);
    }

    private ApiKey convertSearchHitToApiKeyInfo(SearchHit searchHit, boolean z) {
        ApiKeyDoc apiKeyDoc = convertSearchHitToVersionedApiKeyDoc(searchHit).doc;
        String id = searchHit.getId();
        return new ApiKey(apiKeyDoc.name, id, apiKeyDoc.type, Instant.ofEpochMilli(apiKeyDoc.creationTime), apiKeyDoc.expirationTime != -1 ? Instant.ofEpochMilli(apiKeyDoc.expirationTime) : null, apiKeyDoc.invalidated.booleanValue(), apiKeyDoc.invalidation != -1 ? Instant.ofEpochMilli(apiKeyDoc.invalidation) : null, (String) apiKeyDoc.creator.get("principal"), (String) apiKeyDoc.creator.get(LoggingAuditTrail.REALM_FIELD_NAME), (String) apiKeyDoc.creator.get("realm_type"), apiKeyDoc.metadataFlattened != null ? (Map) XContentHelper.convertToMap(apiKeyDoc.metadataFlattened, false, XContentType.JSON).v2() : Map.of(), parseRoleDescriptorsBytes(id, apiKeyDoc.roleDescriptorsBytes, RoleReference.ApiKeyRoleType.ASSIGNED), (!z || apiKeyDoc.type == ApiKey.Type.CROSS_CLUSTER) ? null : parseRoleDescriptorsBytes(id, apiKeyDoc.limitedByRoleDescriptorsBytes, RoleReference.ApiKeyRoleType.LIMITED_BY));
    }

    private static VersionedApiKeyDoc convertSearchHitToVersionedApiKeyDoc(SearchHit searchHit) {
        try {
            XContentParser createParser = XContentHelper.createParser(XContentParserConfiguration.EMPTY, searchHit.getSourceRef(), XContentType.JSON);
            try {
                VersionedApiKeyDoc versionedApiKeyDoc = new VersionedApiKeyDoc(ApiKeyDoc.fromXContent(createParser), searchHit.getId(), searchHit.getSeqNo(), searchHit.getPrimaryTerm());
                if (createParser != null) {
                    createParser.close();
                }
                return versionedApiKeyDoc;
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private RemovalListener<String, ListenableFuture<CachedApiKeyHashResult>> getAuthCacheRemovalListener(int i) {
        return removalNotification -> {
            if (RemovalNotification.RemovalReason.EVICTED != removalNotification.getRemovalReason() || getApiKeyAuthCache().count() < i) {
                return;
            }
            this.evictionCounter.increment();
            logger.trace("API key with ID [{}] was evicted from the authentication cache, possibly due to cache size limit", removalNotification.getKey());
            long j = this.lastEvictionCheckedAt.get();
            long nanoTime = System.nanoTime();
            if (nanoTime - j < EVICTION_MONITOR_INTERVAL_NANOS || !this.lastEvictionCheckedAt.compareAndSet(j, nanoTime)) {
                return;
            }
            long sum = this.evictionCounter.sum();
            this.evictionCounter.add(-sum);
            if (sum >= EVICTION_WARNING_THRESHOLD) {
                logger.warn("Possible thrashing for API key authentication cache, [{}] eviction due to cache size within last [{}] seconds", Long.valueOf(sum), Long.valueOf(EVICTION_MONITOR_INTERVAL_SECONDS));
            }
        };
    }

    LongAdder getEvictionCounter() {
        return this.evictionCounter;
    }

    AtomicLong getLastEvictionCheckedAt() {
        return this.lastEvictionCheckedAt;
    }

    public static String getCreatorRealmName(Authentication authentication) {
        return (authentication.isApiKey() || authentication.isCrossClusterAccess()) ? (String) authentication.getEffectiveSubject().getMetadata().get("_security_api_key_creator_realm_name") : authentication.isFailedRunAs() ? authentication.getAuthenticatingSubject().getRealm().getName() : authentication.getEffectiveSubject().getRealm().getName();
    }

    public static String[] getOwnersRealmNames(Authentication authentication) {
        if (authentication.isApiKey()) {
            return new String[]{(String) authentication.getEffectiveSubject().getMetadata().get("_security_api_key_creator_realm_name")};
        }
        Authentication.RealmRef realm = authentication.getEffectiveSubject().getRealm();
        if (realm != null) {
            RealmDomain domain = realm.getDomain();
            return domain != null ? (String[]) domain.realms().stream().map((v0) -> {
                return v0.getName();
            }).toArray(i -> {
                return new String[i];
            }) : new String[]{realm.getName()};
        }
        String str = "Cannot determine owner realms without an effective subject realm for non-API key authentication object [" + authentication + "]";
        if ($assertionsDisabled) {
            throw new IllegalArgumentException(str);
        }
        throw new AssertionError(str);
    }

    public static String getCreatorRealmType(Authentication authentication) {
        return authentication.isApiKey() ? (String) authentication.getEffectiveSubject().getMetadata().get("_security_api_key_creator_realm_type") : authentication.isFailedRunAs() ? authentication.getAuthenticatingSubject().getRealm().getType() : authentication.getEffectiveSubject().getRealm().getType();
    }

    public static Map<String, Object> getApiKeyMetadata(Authentication authentication) {
        if (false == authentication.isAuthenticatedAsApiKey()) {
            throw new IllegalArgumentException("authentication realm must be [_es_api_key], got [" + authentication.getEffectiveSubject().getRealm().getType() + "]");
        }
        Object obj = authentication.getEffectiveSubject().getMetadata().get("_security_api_key_metadata");
        return obj != null ? (Map) XContentHelper.convertToMap((BytesReference) obj, false, XContentType.JSON).v2() : Map.of();
    }

    public static WriteRequest.RefreshPolicy defaultCreateDocRefreshPolicy(Settings settings) {
        return DiscoveryNode.isStateless(settings) ? WriteRequest.RefreshPolicy.IMMEDIATE : WriteRequest.RefreshPolicy.WAIT_UNTIL;
    }

    static {
        $assertionsDisabled = !ApiKeyService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(ApiKeyService.class);
        deprecationLogger = DeprecationLogger.getLogger(ApiKeyService.class);
        PASSWORD_HASHING_ALGORITHM = XPackSettings.defaultStoredHashAlgorithmSetting("xpack.security.authc.api_key.hashing.algorithm", settings -> {
            return Hasher.PBKDF2.name();
        });
        DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.api_key.delete.timeout", TimeValue.MINUS_ONE, new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.api_key.delete.interval", TimeValue.timeValueHours(24L), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        DELETE_RETENTION_PERIOD = Setting.positiveTimeSetting("xpack.security.authc.api_key.delete.retention_period", TimeValue.timeValueDays(7L), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Dynamic});
        CACHE_HASH_ALGO_SETTING = Setting.simpleString("xpack.security.authc.api_key.cache.hash_algo", "ssha256", new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_TTL_SETTING = Setting.timeSetting("xpack.security.authc.api_key.cache.ttl", TimeValue.timeValueHours(24L), new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_MAX_KEYS_SETTING = Setting.intSetting("xpack.security.authc.api_key.cache.max_keys", 25000, new Setting.Property[]{Setting.Property.NodeScope});
        DOC_CACHE_TTL_SETTING = Setting.timeSetting("xpack.security.authc.api_key.doc_cache.ttl", TimeValue.timeValueMinutes(5L), TimeValue.timeValueMinutes(0L), TimeValue.timeValueMinutes(15L), new Setting.Property[]{Setting.Property.NodeScope});
        ROLE_DESCRIPTOR_PARSER = RoleDescriptor.parserBuilder().allowRestriction(true).build();
        LEGACY_SUPERUSER_ROLE_DESCRIPTOR = new RoleDescriptor("superuser", new String[]{"all"}, new RoleDescriptor.IndicesPrivileges[]{RoleDescriptor.IndicesPrivileges.builder().indices(new String[]{"*"}).privileges(new String[]{"all"}).allowRestrictedIndices(true).build()}, new RoleDescriptor.ApplicationResourcePrivileges[]{RoleDescriptor.ApplicationResourcePrivileges.builder().application("*").privileges(new String[]{"*"}).resources(new String[]{"*"}).build()}, (ConfigurableClusterPrivilege[]) null, new String[]{"*"}, MetadataUtils.DEFAULT_RESERVED_METADATA, Collections.emptyMap());
    }
}
