package org.elasticsearch.xpack.security.authc;

import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.telemetry.metric.MeterRegistry;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.Authenticator;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken;
import org.elasticsearch.xpack.security.metric.InstrumentedSecurityActionListener;
import org.elasticsearch.xpack.security.metric.SecurityMetricType;
import org.elasticsearch.xpack.security.metric.SecurityMetrics;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ServiceAccountAuthenticator.class */
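/**
 * {@link Authenticator} that handles bearer credentials parsed as a {@link ServiceAccountToken}.
 *
 * <p>Credential extraction hands the bearer string to {@link ServiceAccountService#tryParseToken};
 * authentication is delegated to {@link ServiceAccountService#authenticateToken} and wrapped with
 * {@link SecurityMetrics} instrumentation. Only the account principal, the token name and an
 * optional failure reason are attached to metrics (see {@link #buildMetricAttributes}).
 *
 * <p>This listing is decompiler output; the compiler-generated assertion flag and static
 * initializer have been folded back into an {@code assert} statement and a field initializer.
 */
public class ServiceAccountAuthenticator implements Authenticator {
    public static final String ATTRIBUTE_SERVICE_ACCOUNT_ID = "es.security.service_account_id";
    public static final String ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME = "es.security.service_account_token_name";
    public static final String ATTRIBUTE_AUTHC_FAILURE_REASON = "es.security.service_account_authc_failure_reason";
    private static final Logger logger = LogManager.getLogger(ServiceAccountAuthenticator.class);
    private final ServiceAccountService serviceAccountService;
    private final String nodeName;
    private final SecurityMetrics<ServiceAccountToken> authenticationMetrics;

    /**
     * Creates an authenticator that measures elapsed time with {@link System#nanoTime()}.
     *
     * @param serviceAccountService service that validates service account tokens
     * @param str name of this node, passed through to the service on every authentication
     * @param meterRegistry registry the authentication metrics are registered with
     */
    // NOTE(review): the decompiler reports this constructor was package-private in the original
    // class file; the widened modifier is kept here so existing callers of this listing compile.
    public ServiceAccountAuthenticator(ServiceAccountService serviceAccountService, String str, MeterRegistry meterRegistry) {
        this(serviceAccountService, str, meterRegistry, System::nanoTime);
    }

    /**
     * Creates an authenticator with an explicit time source for the metrics.
     *
     * @param serviceAccountService service that validates service account tokens
     * @param str name of this node, passed through to the service on every authentication
     * @param meterRegistry registry the authentication metrics are registered with
     * @param longSupplier time source handed to {@link SecurityMetrics}; the public constructor
     *     supplies {@code System::nanoTime}
     */
    ServiceAccountAuthenticator(ServiceAccountService serviceAccountService, String str, MeterRegistry meterRegistry, LongSupplier longSupplier) {
        this.serviceAccountService = serviceAccountService;
        this.nodeName = str;
        this.authenticationMetrics = new SecurityMetrics<>(
            SecurityMetricType.AUTHC_SERVICE_ACCOUNT,
            meterRegistry,
            this::buildMetricAttributes,
            longSupplier
        );
    }

    /** Returns the fixed display name of this authenticator. */
    @Override
    public String name() {
        return "service account";
    }

    /**
     * Extracts a service account token from the request's bearer string.
     *
     * @param context authentication context of the current request
     * @return {@code null} when the request carries no bearer string, otherwise whatever
     *     {@link ServiceAccountService#tryParseToken} returns for it
     */
    @Override
    public AuthenticationToken extractCredentials(Authenticator.Context context) {
        final SecureString bearerString = context.getBearerString();
        // NOTE(review): tryParseToken presumably yields null for a bearer string that is not a
        // service account token - confirm against ServiceAccountService.
        return bearerString == null ? null : ServiceAccountService.tryParseToken(bearerString);
    }

    /**
     * Authenticates the most recent token of the context if it is a {@link ServiceAccountToken}.
     *
     * <p>Any other token type is answered with {@link AuthenticationResult#notHandled()} and is
     * never passed to the service account service.
     *
     * @param context authentication context of the current request
     * @param actionListener receives the result, or the failure produced by {@code doAuthenticate}
     */
    @Override
    public void authenticate(Authenticator.Context context, ActionListener<AuthenticationResult<Authentication>> actionListener) {
        final AuthenticationToken token = context.getMostRecentAuthenticationToken();
        if (token instanceof ServiceAccountToken == false) {
            actionListener.onResponse(AuthenticationResult.notHandled());
            return;
        }
        final ServiceAccountToken serviceAccountToken = (ServiceAccountToken) token;
        // The instrumented listener is created before the service call and is the only listener
        // doAuthenticate completes, so both outcomes pass through the metrics wrapper.
        doAuthenticate(
            context,
            serviceAccountToken,
            InstrumentedSecurityActionListener.wrapForAuthc(this.authenticationMetrics, serviceAccountToken, actionListener)
        );
    }

    /**
     * Delegates token validation to the service and translates the outcome for the listener.
     *
     * <p>A returned authentication becomes a success result. A failure is logged at debug level
     * and forwarded as the exception built by the request's {@code exceptionProcessingRequest}.
     */
    private void doAuthenticate(Authenticator.Context context, ServiceAccountToken serviceAccountToken, ActionListener<AuthenticationResult<Authentication>> actionListener) {
        this.serviceAccountService.authenticateToken(serviceAccountToken, this.nodeName, ActionListener.wrap(authentication -> {
            // The service contract is "authentication or onFailure"; a null here is a programming error.
            assert authentication != null : "service account authenticate should return either authentication or call onFailure";
            actionListener.onResponse(AuthenticationResult.success(authentication));
        }, exc -> {
            // NOTE(review): the message embeds the request's string form, not the token object;
            // confirm that the request's toString() never includes the bearer credential.
            logger.debug(() -> "Failed to validate service account token for request [" + context.getRequest() + "]", exc);
            actionListener.onFailure(context.getRequest().exceptionProcessingRequest(exc, serviceAccountToken));
        }));
    }

    /**
     * Builds the attribute map attached to service account authentication metrics.
     *
     * <p>Only the account principal and the token name are read from the token here.
     *
     * @param serviceAccountToken token whose account principal and token name are recorded
     * @param failureReason failure reason to record, or {@code null} to omit the attribute
     * @return a new mutable map with two or three entries
     */
    private Map<String, Object> buildMetricAttributes(ServiceAccountToken serviceAccountToken, String failureReason) {
        final Map<String, Object> attributes = new HashMap<>(3);
        attributes.put(ATTRIBUTE_SERVICE_ACCOUNT_ID, serviceAccountToken.getAccountId().asPrincipal());
        attributes.put(ATTRIBUTE_SERVICE_ACCOUNT_TOKEN_NAME, serviceAccountToken.getTokenName());
        if (failureReason != null) {
            attributes.put(ATTRIBUTE_AUTHC_FAILURE_REASON, failureReason);
        }
        return attributes;
    }
}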
