package org.elasticsearch.xpack.security.action.oidc;

import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.Nonce;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.injection.guice.Inject;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectAuthenticateRequest;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectAuthenticateResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectRealm;
import org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/oidc/TransportOpenIdConnectAuthenticateAction.class */
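/**
 * Transport action behind the OpenID Connect "authenticate" API.
 * <p>
 * The request carries the redirect URI the OP sent the browser back to, the {@code state} and
 * {@code nonce} the client expects to see echoed, and the name of the realm that should process
 * them. This action wraps those values in an {@link OpenIdConnectToken}, hands it to the
 * {@link AuthenticationService}, and on success exchanges the resulting {@link Authentication}
 * for an access/refresh token pair through the {@link TokenService}.
 * <p>
 * Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The caller's thread context is stashed for the duration of the authentication call, so
 *       the realm only ever sees the {@link OpenIdConnectToken} and not any credential headers the
 *       caller attached to this request.</li>
 *   <li>The caller's own {@link Authentication} (if any) is captured <em>before</em> the stash and
 *       passed to {@code createOAuth2Tokens} as the originating client authentication, so the
 *       issued tokens record who triggered the exchange.</li>
 *   <li>The realm's per-request metadata published under
 *       {@link OpenIdConnectRealm#CONTEXT_TOKEN_DATA} is read back from the thread context and
 *       attached to the new tokens.</li>
 *   <li>Verification that the OP response's {@code state}/{@code nonce} match the supplied values is
 *       the realm's job, not this action's; this class only forwards them.</li>
 * </ul>
 * <p>
 * Note: the decompiled listing this replaces also contained the compiler-generated bridge
 * {@code doExecute(Task, ActionRequest, ActionListener)}. That method cannot be written in source —
 * it clashes with the bridge javac emits for the generic override — so it is omitted here.
 */
public class TransportOpenIdConnectAuthenticateAction extends HandledTransportAction<OpenIdConnectAuthenticateRequest, OpenIdConnectAuthenticateResponse> {

    /**
     * Action name used both for transport registration and for the authentication/audit call, kept
     * in one place so the two cannot drift apart.
     */
    private static final String ACTION_NAME = "cluster:admin/xpack/security/oidc/authenticate";

    private static final Logger logger = LogManager.getLogger(TransportOpenIdConnectAuthenticateAction.class);

    private final ThreadPool threadPool;
    private final AuthenticationService authenticationService;
    private final TokenService tokenService;
    private final SecurityContext securityContext;

    /**
     * Wires the action into the transport layer.
     *
     * @param threadPool            source of the {@link ThreadContext} that is stashed around authentication
     * @param transportService      transport service this action registers with
     * @param actionFilters         filters applied before {@link #doExecute}
     * @param authenticationService service that routes the OIDC token to the realm
     * @param tokenService          service that mints the OAuth2 access/refresh tokens
     * @param securityContext       gives access to the caller's current {@link Authentication}
     */
    @Inject
    public TransportOpenIdConnectAuthenticateAction(ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters,
                                                    AuthenticationService authenticationService, TokenService tokenService,
                                                    SecurityContext securityContext) {
        super(ACTION_NAME, transportService, actionFilters, OpenIdConnectAuthenticateRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
        this.threadPool = threadPool;
        this.authenticationService = authenticationService;
        this.tokenService = tokenService;
        this.securityContext = securityContext;
    }

    /**
     * Authenticates the OIDC callback described by {@code request} and, on success, responds with a
     * freshly created access token, refresh token and the configured expiry delay.
     * <p>
     * Failures are reported through {@code listener.onFailure}: an authentication failure from the
     * realm is forwarded as-is; a missing {@link AuthenticationResult} on the thread context after a
     * successful authentication is reported as an {@link IllegalStateException}.
     *
     * @param task     the task tracking this action
     * @param request  redirect URI, expected state/nonce and realm name supplied by the client
     * @param listener receives the {@link OpenIdConnectAuthenticateResponse} or the failure
     */
    @Override
    protected void doExecute(Task task, OpenIdConnectAuthenticateRequest request, ActionListener<OpenIdConnectAuthenticateResponse> listener) {
        final OpenIdConnectToken token = new OpenIdConnectToken(
            request.getRedirectUri(),
            new State(request.getState()),
            new Nonce(request.getNonce()),
            request.getRealm()
        );
        final ThreadContext threadContext = threadPool.getThreadContext();
        // Captured before the stash below: once the context is stashed the caller's authentication is
        // no longer visible, but it is still needed as the originating authentication on the new tokens.
        final Authentication originatingAuthentication = securityContext.getAuthentication();
        // Stash the context so the realm authenticates solely on the OIDC token rather than on any
        // credential headers the caller attached; try-with-resources restores the context even if
        // authenticate() throws synchronously.
        try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
            authenticationService.authenticate(ACTION_NAME, request, token, ActionListener.wrap(authentication -> {
                // The realm publishes its result (and token metadata) on the thread context during authentication.
                final AuthenticationResult authResult = threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY);
                if (authResult == null) {
                    listener.onFailure(new IllegalStateException("Cannot find User AuthenticationResult on thread context"));
                    return;
                }
                // Metadata is an untyped map on the result; the realm is the only writer of this key.
                @SuppressWarnings("unchecked")
                final Map<String, Object> tokenMetadata = (Map<String, Object>) authResult.getMetadata().get(OpenIdConnectRealm.CONTEXT_TOKEN_DATA);
                // The trailing 'true' presumably requests a refresh token as well (the response below
                // forwards getRefreshToken()) — confirm against TokenService.createOAuth2Tokens.
                tokenService.createOAuth2Tokens(authentication, originatingAuthentication, tokenMetadata, true, ActionListener.wrap(
                    tokenResult -> listener.onResponse(new OpenIdConnectAuthenticateResponse(
                        authentication,
                        tokenResult.getAccessToken(),
                        tokenResult.getRefreshToken(),
                        tokenService.getExpirationDelay()
                    )),
                    listener::onFailure
                ));
            }, e -> {
                // NOTE(review): this logs the token's toString() at debug level. If that string includes
                // the redirect URI (which carries the OP's authorization code), a one-time credential ends
                // up in debug logs — confirm OpenIdConnectToken.toString() redacts it.
                logger.debug(() -> "OpenIDConnectToken [" + token + "] could not be authenticated", e);
                listener.onFailure(e);
            }));
        }
    }
}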
