package org.elasticsearch.xpack.security.authc;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.OutputStream;
import java.io.UncheckedIOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Consumer;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.logging.log4j.util.Supplier;
import org.apache.lucene.util.BytesRef;
import org.apache.lucene.util.BytesRefBuilder;
import org.apache.lucene.util.UnicodeUtil;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.bulk.BulkItemResponse;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkRequestBuilder;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.MultiGetItemResponse;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.get.MultiGetResponse;
import org.elasticsearch.action.index.IndexAction;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.TransportActions;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.support.master.AcknowledgedRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.action.update.UpdateRequestBuilder;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.AckedClusterStateUpdateTask;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateUpdateTask;
import org.elasticsearch.cluster.ack.AckedRequest;
import org.elasticsearch.cluster.ack.ClusterStateUpdateResponse;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Priority;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.io.stream.InputStreamStreamInput;
import org.elasticsearch.common.io.stream.OutputStreamStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.settings.SecureSetting;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.util.iterable.Iterables;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.core.internal.io.IOUtils;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.KeyAndTimestamp;
import org.elasticsearch.xpack.core.security.authc.TokenMetaData;
import org.elasticsearch.xpack.core.security.authc.support.TokensInvalidationResult;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService.class */
public final class TokenService extends AbstractComponent {
    private static final int ITERATIONS = 100000;
    private static final String KDF_ALGORITHM = "PBKDF2withHMACSHA512";
    private static final int SALT_BYTES = 32;
    private static final int KEY_BYTES = 64;
    private static final int IV_BYTES = 12;
    private static final int VERSION_BYTES = 4;
    private static final String ENCRYPTION_CIPHER = "AES/GCM/NoPadding";
    private static final String EXPIRED_TOKEN_WWW_AUTH_VALUE = "Bearer realm=\"security\", error=\"invalid_token\", error_description=\"The access token expired\"";
    private static final String MALFORMED_TOKEN_WWW_AUTH_VALUE = "Bearer realm=\"security\", error=\"invalid_token\", error_description=\"The access token is malformed\"";
    private static final String TYPE = "doc";
    public static final String THREAD_POOL_NAME = "security-token-key";
    public static final Setting<SecureString> TOKEN_PASSPHRASE;
    public static final Setting<TimeValue> TOKEN_EXPIRATION;
    public static final Setting<TimeValue> DELETE_INTERVAL;
    public static final Setting<TimeValue> DELETE_TIMEOUT;
    public static final Setting<Boolean> BWC_ENABLED;
    static final String INVALIDATED_TOKEN_DOC_TYPE = "invalidated-token";
    static final int MINIMUM_BYTES = 49;
    private static final int MINIMUM_BASE64_BYTES;
    private static final int MAX_RETRY_ATTEMPTS = 5;
    private final Settings settings;
    private final ClusterService clusterService;
    private final Clock clock;
    private final TimeValue expirationDelay;
    private final TimeValue deleteInterval;
    private final Client client;
    private final SecurityIndexManager securityIndex;
    private final ExpiredTokenRemover expiredTokenRemover;
    private final boolean enabled;
    private final boolean bwcEnabled;
    private final XPackLicenseState licenseState;
    private volatile TokenKeys keyCache;
    private volatile long lastExpirationRunMs;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final SecureRandom secureRandom = new SecureRandom();
    private final AtomicLong createdTimeStamps = new AtomicLong(-1);
    private final AtomicBoolean installTokenMetadataInProgress = new AtomicBoolean(false);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$KeyAndCache.class */
    public static final class KeyAndCache implements Closeable {
        private final KeyAndTimestamp keyAndTimestamp;
        private final Cache<BytesKey, SecretKey> keyCache;
        private final BytesKey salt;
        private final BytesKey keyHash;

        private KeyAndCache(KeyAndTimestamp keyAndTimestamp, BytesKey bytesKey) {
            this.keyAndTimestamp = keyAndTimestamp;
            this.keyCache = CacheBuilder.builder().setExpireAfterAccess(TimeValue.timeValueMinutes(60L)).setMaximumWeight(500L).build();
            try {
                this.keyCache.put(bytesKey, TokenService.computeSecretKey(keyAndTimestamp.getKey().getChars(), bytesKey.bytes));
                this.salt = bytesKey;
                this.keyHash = calculateKeyHash(keyAndTimestamp.getKey());
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public SecretKey getKey(BytesKey bytesKey) {
            return (SecretKey) this.keyCache.get(bytesKey);
        }

        public SecretKey getOrComputeKey(BytesKey bytesKey) throws ExecutionException {
            return (SecretKey) this.keyCache.computeIfAbsent(bytesKey, bytesKey2 -> {
                SecureString clone = this.keyAndTimestamp.getKey().clone();
                try {
                    SecretKey computeSecretKey = TokenService.computeSecretKey(clone.getChars(), bytesKey2.bytes);
                    if (clone != null) {
                        clone.close();
                    }
                    return computeSecretKey;
                } catch (Throwable th) {
                    if (clone != null) {
                        try {
                            clone.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            });
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
            this.keyAndTimestamp.getKey().close();
        }

        BytesKey getKeyHash() {
            return this.keyHash;
        }

        private static BytesKey calculateKeyHash(SecureString secureString) {
            MessageDigest sha256 = MessageDigests.sha256();
            BytesRefBuilder bytesRefBuilder = new BytesRefBuilder();
            try {
                bytesRefBuilder.copyChars(secureString);
                BytesRef bytesRef = bytesRefBuilder.toBytesRef();
                try {
                    sha256.update(bytesRef.bytes, bytesRef.offset, bytesRef.length);
                    BytesKey bytesKey = new BytesKey(Arrays.copyOfRange(sha256.digest(), 0, 8));
                    Arrays.fill(bytesRef.bytes, (byte) 0);
                    Arrays.fill(bytesRefBuilder.bytes(), (byte) 0);
                    return bytesKey;
                } catch (Throwable th) {
                    Arrays.fill(bytesRef.bytes, (byte) 0);
                    throw th;
                }
            } catch (Throwable th2) {
                Arrays.fill(bytesRefBuilder.bytes(), (byte) 0);
                throw th2;
            }
        }

        BytesKey getSalt() {
            return this.salt;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$KeyComputingRunnable.class */
    public class KeyComputingRunnable extends AbstractRunnable {
        private final BytesKey decodedSalt;
        private final ActionListener<SecretKey> listener;
        private final KeyAndCache keyAndCache;

        KeyComputingRunnable(BytesKey bytesKey, ActionListener<SecretKey> actionListener, KeyAndCache keyAndCache) {
            this.decodedSalt = bytesKey;
            this.listener = actionListener;
            this.keyAndCache = keyAndCache;
        }

        protected void doRun() {
            try {
                this.listener.onResponse(this.keyAndCache.getOrComputeKey(this.decodedSalt));
            } catch (ExecutionException e) {
                if (e.getCause() == null || !((e.getCause() instanceof GeneralSecurityException) || (e.getCause() instanceof IOException) || (e.getCause() instanceof IllegalArgumentException))) {
                    this.listener.onFailure(e);
                } else {
                    TokenService.this.logger.debug("unable to decode bearer token", e);
                    this.listener.onResponse((Object) null);
                }
            }
        }

        public void onFailure(Exception exc) {
            this.listener.onFailure(exc);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$TokenKeys.class */
    public static final class TokenKeys {
        final Map<BytesKey, KeyAndCache> cache;
        final BytesKey currentTokenKeyHash;
        final KeyAndCache activeKeyCache;

        private TokenKeys(Map<BytesKey, KeyAndCache> map, BytesKey bytesKey) {
            this.cache = map;
            this.currentTokenKeyHash = bytesKey;
            this.activeKeyCache = map.get(bytesKey);
        }

        KeyAndCache get(BytesKey bytesKey) {
            return this.cache.get(bytesKey);
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/TokenService$TokenMetadataPublishAction.class */
    private final class TokenMetadataPublishAction extends AckedClusterStateUpdateTask<ClusterStateUpdateResponse> {
        private final TokenMetaData tokenMetaData;

        protected TokenMetadataPublishAction(ActionListener<ClusterStateUpdateResponse> actionListener, TokenMetaData tokenMetaData) {
            super(new AckedRequest() { // from class: org.elasticsearch.xpack.security.authc.TokenService.TokenMetadataPublishAction.1
                public TimeValue ackTimeout() {
                    return AcknowledgedRequest.DEFAULT_ACK_TIMEOUT;
                }

                public TimeValue masterNodeTimeout() {
                    return AcknowledgedRequest.DEFAULT_MASTER_NODE_TIMEOUT;
                }
            }, actionListener);
            this.tokenMetaData = tokenMetaData;
        }

        public ClusterState execute(ClusterState clusterState) throws Exception {
            XPackPlugin.checkReadyForXPackCustomMetadata(clusterState);
            return this.tokenMetaData.equals(clusterState.custom("security_tokens")) ? clusterState : ClusterState.builder(clusterState).putCustom("security_tokens", this.tokenMetaData).build();
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* renamed from: newResponse, reason: merged with bridge method [inline-methods] */
        public ClusterStateUpdateResponse m29newResponse(boolean z) {
            return new ClusterStateUpdateResponse(z);
        }
    }

    public TokenService(Settings settings, Clock clock, Client client, XPackLicenseState xPackLicenseState, SecurityIndexManager securityIndexManager, ClusterService clusterService) throws GeneralSecurityException {
        byte[] bArr = new byte[SALT_BYTES];
        this.secureRandom.nextBytes(bArr);
        SecureString secureString = (SecureString) TOKEN_PASSPHRASE.get(settings);
        SecureString generateTokenKey = secureString.length() == 0 ? generateTokenKey() : secureString;
        this.clock = clock.withZone(ZoneOffset.UTC);
        this.settings = settings;
        this.expirationDelay = (TimeValue) TOKEN_EXPIRATION.get(settings);
        this.client = client;
        this.licenseState = xPackLicenseState;
        this.securityIndex = securityIndexManager;
        this.lastExpirationRunMs = client.threadPool().relativeTimeInMillis();
        this.deleteInterval = (TimeValue) DELETE_INTERVAL.get(settings);
        this.enabled = isTokenServiceEnabled(settings).booleanValue();
        this.bwcEnabled = ((Boolean) BWC_ENABLED.get(settings)).booleanValue();
        this.expiredTokenRemover = new ExpiredTokenRemover(settings, client);
        ensureEncryptionCiphersSupported();
        KeyAndCache keyAndCache = new KeyAndCache(new KeyAndTimestamp(generateTokenKey, this.createdTimeStamps.incrementAndGet()), new BytesKey(bArr));
        this.keyCache = new TokenKeys(Collections.singletonMap(keyAndCache.getKeyHash(), keyAndCache), keyAndCache.getKeyHash());
        this.clusterService = clusterService;
        initialize(clusterService);
        getTokenMetaData();
    }

    public static Boolean isTokenServiceEnabled(Settings settings) {
        return (Boolean) XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.get(settings);
    }

    public void createUserToken(Authentication authentication, Authentication authentication2, ActionListener<Tuple<UserToken, String>> actionListener, Map<String, Object> map, boolean z) throws IOException {
        ensureEnabled();
        if (authentication == null) {
            actionListener.onFailure((Exception) traceLog("create token", new IllegalArgumentException("authentication must be provided")));
            return;
        }
        if (authentication2 == null) {
            actionListener.onFailure((Exception) traceLog("create token", new IllegalArgumentException("originating client authentication must be provided")));
            return;
        }
        Instant instant = this.clock.instant();
        Instant expirationTime = getExpirationTime(instant);
        Version minNodeVersion = this.clusterService.state().nodes().getMinNodeVersion();
        UserToken userToken = new UserToken(minNodeVersion, new Authentication(authentication.getUser(), authentication.getAuthenticatedBy(), authentication.getLookedUpBy(), minNodeVersion, Authentication.AuthenticationType.TOKEN, authentication.getMetadata()), expirationTime, map);
        String randomBase64UUID = z ? UUIDs.randomBase64UUID() : null;
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        try {
            jsonBuilder.startObject();
            jsonBuilder.field("doc_type", "token");
            jsonBuilder.field("creation_time", instant.toEpochMilli());
            if (z) {
                jsonBuilder.startObject("refresh_token").field("token", randomBase64UUID).field("invalidated", false).field("refreshed", false).startObject("client").field("type", "unassociated_client").field("user", authentication2.getUser().principal()).field("realm", authentication2.getAuthenticatedBy().getName()).endObject().endObject();
            }
            jsonBuilder.startObject("access_token").field("invalidated", false).field("user_token", userToken).field("realm", authentication.getAuthenticatedBy().getName()).endObject();
            jsonBuilder.endObject();
            String tokenDocumentId = getTokenDocumentId(userToken);
            IndexRequest request = this.client.prepareIndex(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", tokenDocumentId).setOpType(DocWriteRequest.OpType.CREATE).setSource(jsonBuilder).setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL).request();
            this.securityIndex.prepareIndexIfNeededThenExecute(exc -> {
                actionListener.onFailure((Exception) traceLog("prepare security index", tokenDocumentId, exc));
            }, () -> {
                Client client = this.client;
                IndexAction indexAction = IndexAction.INSTANCE;
                CheckedConsumer checkedConsumer = indexResponse -> {
                    actionListener.onResponse(new Tuple(userToken, randomBase64UUID));
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", indexAction, request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
            if (jsonBuilder != null) {
                jsonBuilder.close();
            }
        } catch (Throwable th) {
            if (jsonBuilder != null) {
                try {
                    jsonBuilder.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void getAndValidateToken(ThreadContext threadContext, ActionListener<UserToken> actionListener) {
        if (!isEnabled()) {
            actionListener.onResponse((Object) null);
            return;
        }
        String fromHeader = getFromHeader(threadContext);
        if (fromHeader == null) {
            actionListener.onResponse((Object) null);
            return;
        }
        try {
            Objects.requireNonNull(actionListener);
            decodeAndValidateToken(fromHeader, ActionListener.wrap((v1) -> {
                r2.onResponse(v1);
            }, exc -> {
                if (!(exc instanceof IOException)) {
                    actionListener.onFailure(exc);
                } else {
                    this.logger.debug("invalid token", exc);
                    actionListener.onResponse((Object) null);
                }
            }));
        } catch (IOException e) {
            this.logger.debug("invalid token", e);
            actionListener.onResponse((Object) null);
        }
    }

    public void getAuthenticationAndMetaData(String str, ActionListener<Tuple<Authentication, Map<String, Object>>> actionListener) throws IOException {
        CheckedConsumer checkedConsumer = userToken -> {
            if (userToken == null) {
                actionListener.onFailure(new ElasticsearchSecurityException("supplied token is not valid", new Object[0]));
            } else {
                actionListener.onResponse(new Tuple(userToken.getAuthentication(), userToken.getMetadata()));
            }
        };
        Objects.requireNonNull(actionListener);
        decodeToken(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void decodeAndValidateToken(String str, ActionListener<UserToken> actionListener) throws IOException {
        CheckedConsumer checkedConsumer = userToken -> {
            if (userToken == null) {
                actionListener.onResponse((Object) null);
            } else if (this.clock.instant().isAfter(userToken.getExpirationTime())) {
                actionListener.onFailure((Exception) traceLog("decode token", str, expiredTokenException()));
            } else {
                checkIfTokenIsRevoked(userToken, actionListener);
            }
        };
        Objects.requireNonNull(actionListener);
        decodeToken(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    void decodeToken(String str, ActionListener<UserToken> actionListener) throws IOException {
        Closeable inputStreamStreamInput = new InputStreamStreamInput(Base64.getDecoder().wrap(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))), r0.length);
        if (inputStreamStreamInput.available() < MINIMUM_BASE64_BYTES) {
            this.logger.debug("invalid token");
            actionListener.onResponse((Object) null);
            return;
        }
        Version readVersion = Version.readVersion(inputStreamStreamInput);
        inputStreamStreamInput.setVersion(readVersion);
        BytesKey bytesKey = new BytesKey(inputStreamStreamInput.readByteArray());
        BytesKey bytesKey2 = readVersion.onOrAfter(Version.V_6_0_0_beta2) ? new BytesKey(inputStreamStreamInput.readByteArray()) : this.keyCache.currentTokenKeyHash;
        KeyAndCache keyAndCache = this.keyCache.get(bytesKey2);
        if (keyAndCache != null) {
            getKeyAsync(bytesKey, keyAndCache, ActionListener.wrap(secretKey -> {
                try {
                    try {
                        Cipher decryptionCipher = getDecryptionCipher(inputStreamStreamInput.readByteArray(), secretKey, readVersion, bytesKey);
                        if (readVersion.onOrAfter(Version.V_6_2_0)) {
                            CheckedConsumer checkedConsumer = str2 -> {
                                if (this.securityIndex.isAvailable()) {
                                    this.securityIndex.checkIndexVersionThenExecute(exc -> {
                                        actionListener.onFailure((Exception) traceLog("prepare security index", str2, exc));
                                    }, () -> {
                                        GetRequest request = this.client.prepareGet(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", getTokenDocumentId(str2)).request();
                                        Consumer consumer = exc2 -> {
                                            actionListener.onFailure((Exception) traceLog("decode token", str2, exc2));
                                        };
                                        ThreadContext threadContext = this.client.threadPool().getThreadContext();
                                        ActionListener wrap = ActionListener.wrap(getResponse -> {
                                            if (!getResponse.isExists()) {
                                                consumer.accept(new IllegalStateException("token document is missing and must be present"));
                                                return;
                                            }
                                            Map map = (Map) getResponse.getSource().get("access_token");
                                            if (map == null) {
                                                consumer.accept(new IllegalStateException("token document is missing the access_token field"));
                                            } else if (map.containsKey("user_token")) {
                                                actionListener.onResponse(UserToken.fromSourceMap((Map) map.get("user_token")));
                                            } else {
                                                consumer.accept(new IllegalStateException("token document is missing the user_token field"));
                                            }
                                        }, exc3 -> {
                                            if (TransportActions.isShardNotAvailableException(exc3)) {
                                                this.logger.warn("failed to get token [{}] since index is not available", str2);
                                                actionListener.onResponse((Object) null);
                                            } else {
                                                this.logger.error(new ParameterizedMessage("failed to get token [{}]", str2), exc3);
                                                actionListener.onFailure(exc3);
                                            }
                                        });
                                        Client client = this.client;
                                        Objects.requireNonNull(client);
                                        ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::get);
                                    });
                                } else {
                                    this.logger.warn("failed to get token [{}] since index is not available", str2);
                                    actionListener.onResponse((Object) null);
                                }
                            };
                            Objects.requireNonNull(actionListener);
                            decryptTokenId(inputStreamStreamInput, decryptionCipher, readVersion, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                        } else if (this.bwcEnabled) {
                            decryptToken(inputStreamStreamInput, decryptionCipher, readVersion, actionListener);
                        } else {
                            this.logger.debug("Found [{}] version token, but old token compatibility is disabled", readVersion);
                            actionListener.onFailure(new IllegalArgumentException("Cannot authenticate using token from version [" + readVersion + "]"));
                        }
                        inputStreamStreamInput.close();
                    } catch (GeneralSecurityException e) {
                        this.logger.warn("invalid token", e);
                        actionListener.onResponse((Object) null);
                        inputStreamStreamInput.close();
                    }
                } catch (Throwable th) {
                    inputStreamStreamInput.close();
                    throw th;
                }
            }, exc -> {
                IOUtils.closeWhileHandlingException(new Closeable[]{inputStreamStreamInput});
                actionListener.onFailure(exc);
            }));
            return;
        }
        IOUtils.closeWhileHandlingException(new Closeable[]{inputStreamStreamInput});
        this.logger.debug("invalid key {} key: {}", bytesKey2, this.keyCache.cache.keySet());
        actionListener.onResponse((Object) null);
    }

    private void getKeyAsync(BytesKey bytesKey, KeyAndCache keyAndCache, ActionListener<SecretKey> actionListener) {
        SecretKey key = keyAndCache.getKey(bytesKey);
        if (key != null) {
            actionListener.onResponse(key);
        } else {
            this.client.threadPool().executor(THREAD_POOL_NAME).submit((Runnable) new KeyComputingRunnable(bytesKey, actionListener, keyAndCache));
        }
    }

    private static void decryptToken(StreamInput streamInput, Cipher cipher, Version version, ActionListener<UserToken> actionListener) throws IOException {
        CipherInputStream cipherInputStream = new CipherInputStream(streamInput, cipher);
        try {
            InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(cipherInputStream);
            try {
                inputStreamStreamInput.setVersion(version);
                actionListener.onResponse(new UserToken(inputStreamStreamInput));
                inputStreamStreamInput.close();
                cipherInputStream.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                cipherInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private static void decryptTokenId(StreamInput streamInput, Cipher cipher, Version version, ActionListener<String> actionListener) throws IOException {
        CipherInputStream cipherInputStream = new CipherInputStream(streamInput, cipher);
        try {
            InputStreamStreamInput inputStreamStreamInput = new InputStreamStreamInput(cipherInputStream);
            try {
                inputStreamStreamInput.setVersion(version);
                actionListener.onResponse(inputStreamStreamInput.readString());
                inputStreamStreamInput.close();
                cipherInputStream.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                cipherInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    public void invalidateAccessToken(String str, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        if (Strings.isNullOrEmpty(str)) {
            this.logger.trace("No token-string provided");
            actionListener.onFailure(new IllegalArgumentException("token must be provided"));
            return;
        }
        maybeStartTokenRemover();
        try {
            CheckedConsumer checkedConsumer = userToken -> {
                if (userToken == null) {
                    actionListener.onFailure((Exception) traceLog("invalidate token", str, malformedTokenException()));
                } else {
                    indexBwcInvalidation(Collections.singleton(userToken.getId()), actionListener, new AtomicInteger(0), getExpirationTime().toEpochMilli(), null);
                }
            };
            Objects.requireNonNull(actionListener);
            decodeToken(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } catch (IOException e) {
            this.logger.error("received a malformed token as part of a invalidation request", e);
            actionListener.onFailure(malformedTokenException());
        }
    }

    public void invalidateAccessToken(UserToken userToken, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        if (userToken == null) {
            this.logger.trace("No access token provided");
            actionListener.onFailure(new IllegalArgumentException("token must be provided"));
        } else {
            maybeStartTokenRemover();
            indexBwcInvalidation(Collections.singleton(userToken.getId()), actionListener, new AtomicInteger(0), getExpirationTime().toEpochMilli(), null);
        }
    }

    public void invalidateRefreshToken(String str, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        if (Strings.isNullOrEmpty(str)) {
            this.logger.trace("No refresh token provided");
            actionListener.onFailure(new IllegalArgumentException("refresh token must be provided"));
        } else {
            maybeStartTokenRemover();
            CheckedConsumer checkedConsumer = tuple -> {
                indexInvalidation(Collections.singletonList(getTokenIdFromDocumentId(((SearchResponse) tuple.v1()).getHits().getAt(0).getId())), actionListener, (AtomicInteger) tuple.v2(), "refresh_token", null);
            };
            Objects.requireNonNull(actionListener);
            findTokenFromRefreshToken(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure), new AtomicInteger(0));
        }
    }

    public void invalidateActiveTokensForRealmAndUser(@Nullable String str, @Nullable String str2, ActionListener<TokensInvalidationResult> actionListener) {
        ensureEnabled();
        if (Strings.isNullOrEmpty(str) && Strings.isNullOrEmpty(str2)) {
            this.logger.trace("No realm name or username provided");
            actionListener.onFailure(new IllegalArgumentException("realm name or username must be provided"));
            return;
        }
        if (Strings.isNullOrEmpty(str)) {
            CheckedConsumer checkedConsumer = collection -> {
                if (!collection.isEmpty()) {
                    invalidateAllTokens((Collection) collection.stream().map(tuple -> {
                        return ((UserToken) tuple.v1()).getId();
                    }).collect(Collectors.toList()), actionListener);
                } else {
                    this.logger.warn("No tokens to invalidate for realm [{}] and username [{}]", str, str2);
                    actionListener.onResponse(TokensInvalidationResult.emptyResult());
                }
            };
            Objects.requireNonNull(actionListener);
            findActiveTokensForUser(str2, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        } else {
            Predicate<Map<String, Object>> predicate = null;
            if (Strings.hasText(str2)) {
                predicate = isOfUser(str2);
            }
            CheckedConsumer checkedConsumer2 = collection2 -> {
                if (!collection2.isEmpty()) {
                    invalidateAllTokens((Collection) collection2.stream().map(tuple -> {
                        return ((UserToken) tuple.v1()).getId();
                    }).collect(Collectors.toList()), actionListener);
                } else {
                    this.logger.warn("No tokens to invalidate for realm [{}] and username [{}]", str, str2);
                    actionListener.onResponse(TokensInvalidationResult.emptyResult());
                }
            };
            Objects.requireNonNull(actionListener);
            findActiveTokensForRealm(str, ActionListener.wrap(checkedConsumer2, actionListener::onFailure), predicate);
        }
    }

    private void invalidateAllTokens(Collection<String> collection, ActionListener<TokensInvalidationResult> actionListener) {
        maybeStartTokenRemover();
        long epochMilli = getExpirationTime().toEpochMilli();
        CheckedConsumer checkedConsumer = tokensInvalidationResult -> {
            indexBwcInvalidation(collection, actionListener, new AtomicInteger(tokensInvalidationResult.getAttemptCount()), epochMilli, tokensInvalidationResult);
        };
        Objects.requireNonNull(actionListener);
        indexInvalidation(collection, ActionListener.wrap(checkedConsumer, actionListener::onFailure), new AtomicInteger(0), "refresh_token", null);
    }

    private void indexBwcInvalidation(Collection<String> collection, ActionListener<TokensInvalidationResult> actionListener, AtomicInteger atomicInteger, long j, @Nullable TokensInvalidationResult tokensInvalidationResult) {
        if (collection.isEmpty()) {
            this.logger.warn("No tokens provided for invalidation");
            actionListener.onFailure(invalidGrantException("No tokens provided for invalidation"));
            return;
        }
        if (atomicInteger.get() > MAX_RETRY_ATTEMPTS) {
            this.logger.warn("Failed to invalidate [{}] tokens after [{}] attempts", Integer.valueOf(collection.size()), Integer.valueOf(atomicInteger.get()));
            actionListener.onFailure(invalidGrantException("failed to invalidate tokens"));
        } else {
            if (!this.bwcEnabled) {
                indexInvalidation(collection, actionListener, atomicInteger, "access_token", tokensInvalidationResult);
                return;
            }
            BulkRequestBuilder prepareBulk = this.client.prepareBulk();
            Iterator<String> it = collection.iterator();
            while (it.hasNext()) {
                prepareBulk.add(this.client.prepareIndex(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", getInvalidatedTokenDocumentId(it.next())).setOpType(DocWriteRequest.OpType.CREATE).setSource(new Object[]{"doc_type", INVALIDATED_TOKEN_DOC_TYPE, "expiration_time", Long.valueOf(j)}).request());
            }
            prepareBulk.setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL);
            BulkRequest request = prepareBulk.request();
            this.securityIndex.prepareIndexIfNeededThenExecute(exc -> {
                actionListener.onFailure((Exception) traceLog("prepare security index", exc));
            }, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener wrap = ActionListener.wrap(bulkResponse -> {
                    ArrayList arrayList = new ArrayList();
                    for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
                        if (bulkItemResponse.isFailed()) {
                            Exception cause = bulkItemResponse.getFailure().getCause();
                            this.logger.error(cause.getMessage());
                            traceLog("(bwc) invalidate tokens", cause);
                            if (TransportActions.isShardNotAvailableException(cause)) {
                                arrayList.add(getTokenIdFromInvalidatedTokenDocumentId(bulkItemResponse.getFailure().getId()));
                            } else if (!(cause instanceof VersionConflictEngineException)) {
                                actionListener.onFailure(bulkItemResponse.getFailure().getCause());
                            }
                        }
                    }
                    if (!arrayList.isEmpty()) {
                        atomicInteger.incrementAndGet();
                        indexBwcInvalidation(arrayList, actionListener, atomicInteger, j, tokensInvalidationResult);
                    }
                    indexInvalidation(collection, actionListener, atomicInteger, "access_token", tokensInvalidationResult);
                }, exc2 -> {
                    Throwable unwrapCause = ExceptionsHelper.unwrapCause(exc2);
                    traceLog("(bwc) invalidate tokens", unwrapCause);
                    if (!TransportActions.isShardNotAvailableException(unwrapCause)) {
                        actionListener.onFailure(exc2);
                    } else {
                        atomicInteger.incrementAndGet();
                        indexBwcInvalidation(collection, actionListener, atomicInteger, j, tokensInvalidationResult);
                    }
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::bulk);
            });
        }
    }

    private void indexInvalidation(Collection<String> collection, ActionListener<TokensInvalidationResult> actionListener, AtomicInteger atomicInteger, String str, @Nullable TokensInvalidationResult tokensInvalidationResult) {
        if (collection.isEmpty()) {
            this.logger.warn("No [{}] tokens provided for invalidation", str);
            actionListener.onFailure(invalidGrantException("No tokens provided for invalidation"));
        } else {
            if (atomicInteger.get() > MAX_RETRY_ATTEMPTS) {
                this.logger.warn("Failed to invalidate [{}] tokens after [{}] attempts", Integer.valueOf(collection.size()), Integer.valueOf(atomicInteger.get()));
                actionListener.onFailure(invalidGrantException("failed to invalidate tokens"));
                return;
            }
            BulkRequestBuilder prepareBulk = this.client.prepareBulk();
            Iterator<String> it = collection.iterator();
            while (it.hasNext()) {
                prepareBulk.add(this.client.prepareUpdate(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", getTokenDocumentId(it.next())).setDoc(new Object[]{str, Collections.singletonMap("invalidated", true)}).setFetchSource(str, "").request());
            }
            prepareBulk.setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL);
            this.securityIndex.prepareIndexIfNeededThenExecute(exc -> {
                actionListener.onFailure((Exception) traceLog("prepare security index", exc));
            }, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                BulkRequest request = prepareBulk.request();
                ActionListener wrap = ActionListener.wrap(bulkResponse -> {
                    ArrayList arrayList = new ArrayList();
                    ArrayList arrayList2 = new ArrayList();
                    ArrayList arrayList3 = new ArrayList();
                    ArrayList arrayList4 = new ArrayList();
                    if (null != tokensInvalidationResult) {
                        arrayList2.addAll(tokensInvalidationResult.getErrors());
                        arrayList3.addAll(tokensInvalidationResult.getPreviouslyInvalidatedTokens());
                        arrayList4.addAll(tokensInvalidationResult.getInvalidatedTokens());
                    }
                    for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
                        if (bulkItemResponse.isFailed()) {
                            Exception cause = bulkItemResponse.getFailure().getCause();
                            String tokenIdFromDocumentId = getTokenIdFromDocumentId(bulkItemResponse.getFailure().getId());
                            if (TransportActions.isShardNotAvailableException(cause)) {
                                arrayList.add(tokenIdFromDocumentId);
                            } else {
                                traceLog("invalidate access token", tokenIdFromDocumentId, cause);
                                arrayList2.add(new ElasticsearchException("Error invalidating " + str + ": ", cause, new Object[0]));
                            }
                        } else {
                            UpdateResponse response = bulkItemResponse.getResponse();
                            if (response.getResult() == DocWriteResponse.Result.UPDATED) {
                                this.logger.debug("Invalidated [{}] for doc [{}]", str, response.getGetResult().getId());
                                arrayList4.add(response.getGetResult().getId());
                            } else if (response.getResult() == DocWriteResponse.Result.NOOP) {
                                arrayList3.add(response.getGetResult().getId());
                            }
                        }
                    }
                    if (!arrayList.isEmpty()) {
                        TokensInvalidationResult tokensInvalidationResult2 = new TokensInvalidationResult(arrayList4, arrayList3, arrayList2, atomicInteger.get());
                        atomicInteger.incrementAndGet();
                        indexInvalidation(arrayList, actionListener, atomicInteger, str, tokensInvalidationResult2);
                    }
                    actionListener.onResponse(new TokensInvalidationResult(arrayList4, arrayList3, arrayList2, atomicInteger.get()));
                }, exc2 -> {
                    Throwable unwrapCause = ExceptionsHelper.unwrapCause(exc2);
                    traceLog("invalidate tokens", unwrapCause);
                    if (!TransportActions.isShardNotAvailableException(unwrapCause)) {
                        actionListener.onFailure(exc2);
                    } else {
                        atomicInteger.incrementAndGet();
                        indexInvalidation(collection, actionListener, atomicInteger, str, tokensInvalidationResult);
                    }
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::bulk);
            });
        }
    }

    public void refreshToken(String str, ActionListener<Tuple<UserToken, String>> actionListener) {
        ensureEnabled();
        CheckedConsumer checkedConsumer = tuple -> {
            innerRefresh(((SearchResponse) tuple.v1()).getHits().getHits()[0].getId(), Authentication.readFromContext(this.client.threadPool().getThreadContext()), actionListener, (AtomicInteger) tuple.v2());
        };
        Objects.requireNonNull(actionListener);
        findTokenFromRefreshToken(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure), new AtomicInteger(0));
    }

    private void findTokenFromRefreshToken(String str, ActionListener<Tuple<SearchResponse, AtomicInteger>> actionListener, AtomicInteger atomicInteger) {
        if (atomicInteger.get() > MAX_RETRY_ATTEMPTS) {
            this.logger.warn("Failed to find token for refresh token [{}] after [{}] attempts", str, Integer.valueOf(atomicInteger.get()));
            actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
            return;
        }
        SearchRequest request = this.client.prepareSearch(new String[]{SecurityIndexManager.SECURITY_INDEX_NAME}).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", "token")).filter(QueryBuilders.termQuery("refresh_token.token", str))).setVersion(true).request();
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (!freeze.indexExists()) {
            this.logger.warn("security index does not exist therefore refresh token [{}] cannot be validated", str);
            actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
        } else if (!freeze.isAvailable()) {
            this.logger.debug("security index is not available to find token from refresh token, retrying");
            atomicInteger.incrementAndGet();
            findTokenFromRefreshToken(str, actionListener, atomicInteger);
        } else {
            Consumer consumer = exc -> {
                actionListener.onFailure((Exception) traceLog("find by refresh token", str, exc));
            };
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ThreadContext threadContext = this.client.threadPool().getThreadContext();
                ActionListener wrap = ActionListener.wrap(searchResponse -> {
                    if (searchResponse.isTimedOut()) {
                        atomicInteger.incrementAndGet();
                        findTokenFromRefreshToken(str, actionListener, atomicInteger);
                    } else if (searchResponse.getHits().getHits().length < 1) {
                        this.logger.info("could not find token document with refresh_token [{}]", str);
                        consumer.accept(invalidGrantException("could not refresh the requested token"));
                    } else if (searchResponse.getHits().getHits().length > 1) {
                        consumer.accept(new IllegalStateException("multiple tokens share the same refresh token"));
                    } else {
                        actionListener.onResponse(new Tuple(searchResponse, atomicInteger));
                    }
                }, exc2 -> {
                    if (!TransportActions.isShardNotAvailableException(exc2)) {
                        consumer.accept(exc2);
                        return;
                    }
                    this.logger.debug("failed to search for token document, retrying", exc2);
                    atomicInteger.incrementAndGet();
                    findTokenFromRefreshToken(str, actionListener, atomicInteger);
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::search);
            });
        }
    }

    private void innerRefresh(String str, Authentication authentication, ActionListener<Tuple<UserToken, String>> actionListener, AtomicInteger atomicInteger) {
        if (atomicInteger.getAndIncrement() > MAX_RETRY_ATTEMPTS) {
            this.logger.warn("Failed to refresh token for doc [{}] after [{}] attempts", str, Integer.valueOf(atomicInteger.get()));
            actionListener.onFailure(invalidGrantException("could not refresh the requested token"));
            return;
        }
        Consumer consumer = exc -> {
            actionListener.onFailure((Exception) traceLog("refresh token", str, exc));
        };
        GetRequest request = this.client.prepareGet(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", str).request();
        ThreadContext threadContext = this.client.threadPool().getThreadContext();
        ActionListener wrap = ActionListener.wrap(getResponse -> {
            if (!getResponse.isExists()) {
                this.logger.info("could not find token document [{}] for refresh", str);
                consumer.accept(invalidGrantException("could not refresh the requested token"));
                return;
            }
            Map<String, Object> source = getResponse.getSource();
            Optional<ElasticsearchSecurityException> checkTokenDocForRefresh = checkTokenDocForRefresh(source, authentication);
            if (checkTokenDocForRefresh.isPresent()) {
                consumer.accept(checkTokenDocForRefresh.get());
                return;
            }
            Map map = (Map) ((Map) source.get("access_token")).get("user_token");
            String str2 = (String) map.get("authentication");
            Integer num = (Integer) map.get("version");
            Map map2 = (Map) map.get("metadata");
            Version fromId = Version.fromId(num.intValue());
            StreamInput wrap2 = StreamInput.wrap(Base64.getDecoder().decode(str2));
            try {
                wrap2.setVersion(fromId);
                Authentication authentication2 = new Authentication(wrap2);
                UpdateRequestBuilder refreshPolicy = this.client.prepareUpdate(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", str).setDoc(new Object[]{"refresh_token", Collections.singletonMap("refreshed", true)}).setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL);
                if (!this.clusterService.state().nodes().getMinNodeVersion().onOrAfter(Version.V_6_7_0) || getResponse.getSeqNo() == -2) {
                    refreshPolicy.setVersion(getResponse.getVersion());
                } else {
                    if (!$assertionsDisabled && getResponse.getSeqNo() == -2) {
                        throw new AssertionError("reading a token [" + str + "] with no sequence number");
                    }
                    if (!$assertionsDisabled && getResponse.getPrimaryTerm() == 0) {
                        throw new AssertionError("reading a token [" + str + "] with no primary term");
                    }
                    refreshPolicy.setIfSeqNo(getResponse.getSeqNo());
                    refreshPolicy.setIfPrimaryTerm(getResponse.getPrimaryTerm());
                }
                ThreadContext threadContext2 = this.client.threadPool().getThreadContext();
                UpdateRequest request2 = refreshPolicy.request();
                ActionListener wrap3 = ActionListener.wrap(updateResponse -> {
                    createUserToken(authentication2, authentication, actionListener, map2, true);
                }, exc2 -> {
                    if ((ExceptionsHelper.unwrapCause(exc2) instanceof VersionConflictEngineException) || TransportActions.isShardNotAvailableException(exc2)) {
                        innerRefresh(str, authentication, actionListener, atomicInteger);
                    } else {
                        consumer.accept(exc2);
                    }
                });
                Client client = this.client;
                Objects.requireNonNull(client);
                ClientHelper.executeAsyncWithOrigin(threadContext2, "security", request2, wrap3, client::update);
                if (wrap2 != null) {
                    wrap2.close();
                }
            } catch (Throwable th) {
                if (wrap2 != null) {
                    try {
                        wrap2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }, exc2 -> {
            if (TransportActions.isShardNotAvailableException(exc2)) {
                innerRefresh(str, authentication, actionListener, atomicInteger);
            } else {
                actionListener.onFailure(exc2);
            }
        });
        Client client = this.client;
        Objects.requireNonNull(client);
        ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::get);
    }

    private Optional<ElasticsearchSecurityException> checkTokenDocForRefresh(Map<String, Object> map, Authentication authentication) {
        Map<String, Object> map2 = (Map) map.get("refresh_token");
        Map map3 = (Map) map.get("access_token");
        if (map2 == null || map2.isEmpty()) {
            return Optional.of(invalidGrantException("token document is missing the refresh_token object"));
        }
        if (map3 == null || map3.isEmpty()) {
            return Optional.of(invalidGrantException("token document is missing the access_token object"));
        }
        Boolean bool = (Boolean) map2.get("refreshed");
        Boolean bool2 = (Boolean) map2.get("invalidated");
        Long l = (Long) map.get("creation_time");
        Instant ofEpochMilli = l == null ? null : Instant.ofEpochMilli(l.longValue());
        Map map4 = (Map) map3.get("user_token");
        return bool == null ? Optional.of(invalidGrantException("token document is missing refreshed value")) : bool2 == null ? Optional.of(invalidGrantException("token document is missing invalidated value")) : l == null ? Optional.of(invalidGrantException("token document is missing creation time value")) : bool.booleanValue() ? Optional.of(invalidGrantException("token has already been refreshed")) : bool2.booleanValue() ? Optional.of(invalidGrantException("token has been invalidated")) : this.clock.instant().isAfter(ofEpochMilli.plus(24L, (TemporalUnit) ChronoUnit.HOURS)) ? Optional.of(invalidGrantException("refresh token is expired")) : (map4 == null || map4.isEmpty()) ? Optional.of(invalidGrantException("token document is missing the user token info")) : map4.get("authentication") == null ? Optional.of(invalidGrantException("token is missing authentication info")) : map4.get("version") == null ? Optional.of(invalidGrantException("token is missing version value")) : map4.get("metadata") == null ? Optional.of(invalidGrantException("token is missing metadata")) : checkClient(map2, authentication);
    }

    private Optional<ElasticsearchSecurityException> checkClient(Map<String, Object> map, Authentication authentication) {
        Map map2 = (Map) map.get("client");
        if (map2 == null) {
            return Optional.of(invalidGrantException("token is missing client information"));
        }
        if (authentication.getUser().principal().equals(map2.get("user")) && authentication.getAuthenticatedBy().getName().equals(map2.get("realm"))) {
            return Optional.empty();
        }
        return Optional.of(invalidGrantException("tokens must be refreshed by the creating client"));
    }

    public void findActiveTokensForRealm(String str, ActionListener<Collection<Tuple<UserToken, String>>> actionListener, @Nullable Predicate<Map<String, Object>> predicate) {
        ensureEnabled();
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (Strings.isNullOrEmpty(str)) {
            actionListener.onFailure(new IllegalArgumentException("Realm name is required"));
            return;
        }
        if (!freeze.indexExists()) {
            actionListener.onResponse(Collections.emptyList());
            return;
        }
        if (!freeze.isAvailable()) {
            actionListener.onFailure(freeze.getUnavailableReason());
            return;
        }
        Instant instant = this.clock.instant();
        SearchRequest request = this.client.prepareSearch(new String[]{SecurityIndexManager.SECURITY_INDEX_NAME}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", "token")).filter(QueryBuilders.termQuery("access_token.realm", str)).filter(QueryBuilders.boolQuery().should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("access_token.invalidated", false)).must(QueryBuilders.rangeQuery("access_token.user_token.expiration_time").gte(Long.valueOf(instant.toEpochMilli())))).should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("refresh_token.invalidated", false)).must(QueryBuilders.rangeQuery("creation_time").gte(Long.valueOf(instant.toEpochMilli() - TimeValue.timeValueHours(24L).millis())))))).setVersion(false).setSize(1000).setFetchSource(true).request();
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            ScrollHelper.fetchAllByEntity(this.client, request, actionListener, searchHit -> {
                return filterAndParseHit(searchHit, predicate);
            });
        });
    }

    public void findActiveTokensForUser(String str, ActionListener<Collection<Tuple<UserToken, String>>> actionListener) {
        ensureEnabled();
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (Strings.isNullOrEmpty(str)) {
            actionListener.onFailure(new IllegalArgumentException("username is required"));
            return;
        }
        if (!freeze.indexExists()) {
            actionListener.onResponse(Collections.emptyList());
            return;
        }
        if (!freeze.isAvailable()) {
            actionListener.onFailure(freeze.getUnavailableReason());
            return;
        }
        Instant instant = this.clock.instant();
        SearchRequest request = this.client.prepareSearch(new String[]{SecurityIndexManager.SECURITY_INDEX_NAME}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", "token")).filter(QueryBuilders.boolQuery().should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("access_token.invalidated", false)).must(QueryBuilders.rangeQuery("access_token.user_token.expiration_time").gte(Long.valueOf(instant.toEpochMilli())))).should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("refresh_token.invalidated", false)).must(QueryBuilders.rangeQuery("creation_time").gte(Long.valueOf(instant.toEpochMilli() - TimeValue.timeValueHours(24L).millis())))))).setVersion(false).setSize(1000).setFetchSource(true).request();
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            ScrollHelper.fetchAllByEntity(this.client, request, actionListener, searchHit -> {
                return filterAndParseHit(searchHit, isOfUser(str));
            });
        });
    }

    private static Predicate<Map<String, Object>> isOfUser(String str) {
        return map -> {
            String str2 = (String) map.get("authentication");
            Version fromId = Version.fromId(((Integer) map.get("version")).intValue());
            try {
                StreamInput wrap = StreamInput.wrap(Base64.getDecoder().decode(str2));
                try {
                    wrap.setVersion(fromId);
                    boolean equals = new Authentication(wrap).getUser().principal().equals(str);
                    if (wrap != null) {
                        wrap.close();
                    }
                    return equals;
                } finally {
                }
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        };
    }

    private Tuple<UserToken, String> filterAndParseHit(SearchHit searchHit, @Nullable Predicate<Map<String, Object>> predicate) {
        Map<String, Object> sourceAsMap = searchHit.getSourceAsMap();
        if (sourceAsMap == null) {
            throw new IllegalStateException("token document did not have source but source should have been fetched");
        }
        try {
            return parseTokensFromDocument(sourceAsMap, predicate);
        } catch (IOException e) {
            throw invalidGrantException("cannot read token from document");
        }
    }

    private Tuple<UserToken, String> parseTokensFromDocument(Map<String, Object> map, @Nullable Predicate<Map<String, Object>> predicate) throws IOException {
        String str = (String) ((Map) map.get("refresh_token")).get("token");
        Map<String, Object> map2 = (Map) ((Map) map.get("access_token")).get("user_token");
        if (null != predicate && !predicate.test(map2)) {
            return null;
        }
        String str2 = (String) map2.get("id");
        Integer num = (Integer) map2.get("version");
        String str3 = (String) map2.get("authentication");
        Long l = (Long) map2.get("expiration_time");
        Map map3 = (Map) map2.get("metadata");
        Version fromId = Version.fromId(num.intValue());
        StreamInput wrap = StreamInput.wrap(Base64.getDecoder().decode(str3));
        try {
            wrap.setVersion(fromId);
            Tuple<UserToken, String> tuple = new Tuple<>(new UserToken(str2, Version.fromId(num.intValue()), new Authentication(wrap), Instant.ofEpochMilli(l.longValue()), map3), str);
            if (wrap != null) {
                wrap.close();
            }
            return tuple;
        } catch (Throwable th) {
            if (wrap != null) {
                try {
                    wrap.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static String getInvalidatedTokenDocumentId(UserToken userToken) {
        return getInvalidatedTokenDocumentId(userToken.getId());
    }

    private static String getInvalidatedTokenDocumentId(String str) {
        return "invalidated-token_" + str;
    }

    private static String getTokenDocumentId(UserToken userToken) {
        return getTokenDocumentId(userToken.getId());
    }

    private static String getTokenDocumentId(String str) {
        return "token_" + str;
    }

    private static String getTokenIdFromDocumentId(String str) {
        if (str.startsWith("token_")) {
            return str.substring("token_".length());
        }
        throw new IllegalStateException("TokenDocument ID [" + str + "] has unexpected value");
    }

    private static String getTokenIdFromInvalidatedTokenDocumentId(String str) {
        if (str.startsWith("invalidated-token_")) {
            return str.substring("invalidated-token_".length());
        }
        throw new IllegalStateException("InvalidatedTokenDocument ID [" + str + "] has unexpected value");
    }

    private boolean isEnabled() {
        return this.enabled && this.licenseState.isTokenServiceAllowed();
    }

    private void ensureEnabled() {
        if (!this.licenseState.isTokenServiceAllowed()) {
            throw LicenseUtils.newComplianceException("security tokens");
        }
        if (!this.enabled) {
            throw new IllegalStateException("security tokens are not enabled");
        }
    }

    private void checkIfTokenIsRevoked(UserToken userToken, ActionListener<UserToken> actionListener) {
        if (!this.securityIndex.indexExists()) {
            actionListener.onResponse(userToken);
            return;
        }
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            MultiGetRequest request = this.client.prepareMultiGet().add(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", getInvalidatedTokenDocumentId(userToken)).add(SecurityIndexManager.SECURITY_INDEX_NAME, "doc", getTokenDocumentId(userToken)).request();
            final Consumer consumer = exc -> {
                actionListener.onFailure((Exception) traceLog("check token state", userToken.getId(), exc));
            };
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            ActionListener<MultiGetResponse> actionListener2 = new ActionListener<MultiGetResponse>() { // from class: org.elasticsearch.xpack.security.authc.TokenService.1
                public void onResponse(MultiGetResponse multiGetResponse) {
                    MultiGetItemResponse[] responses = multiGetResponse.getResponses();
                    if (responses[0].isFailed()) {
                        onFailure(responses[0].getFailure().getFailure());
                        return;
                    }
                    if (responses[0].getResponse().isExists()) {
                        consumer.accept(TokenService.access$800());
                        return;
                    }
                    if (responses[1].isFailed()) {
                        onFailure(responses[1].getFailure().getFailure());
                        return;
                    }
                    if (!responses[1].getResponse().isExists()) {
                        if (userToken.getVersion().onOrAfter(Version.V_6_2_0)) {
                            consumer.accept(new IllegalStateException("token document is missing and must be present"));
                            return;
                        } else {
                            actionListener.onResponse(userToken);
                            return;
                        }
                    }
                    Map map = (Map) responses[1].getResponse().getSource().get("access_token");
                    if (map == null) {
                        consumer.accept(new IllegalStateException("token document is missing access_token field"));
                        return;
                    }
                    Boolean bool = (Boolean) map.get("invalidated");
                    if (bool == null) {
                        consumer.accept(new IllegalStateException("token document is missing invalidated field"));
                    } else if (bool.booleanValue()) {
                        consumer.accept(TokenService.access$800());
                    } else {
                        actionListener.onResponse(userToken);
                    }
                }

                public void onFailure(Exception exc2) {
                    if (TransportActions.isShardNotAvailableException(exc2)) {
                        TokenService.this.logger.warn("failed to get token [{}] since index is not available", userToken.getId());
                        actionListener.onResponse((Object) null);
                    } else {
                        TokenService.this.logger.error(new ParameterizedMessage("failed to get token [{}]", userToken.getId()), exc2);
                        actionListener.onFailure(exc2);
                    }
                }
            };
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, actionListener2, client::multiGet);
        });
    }

    public TimeValue getExpirationDelay() {
        return this.expirationDelay;
    }

    private Instant getExpirationTime() {
        return getExpirationTime(this.clock.instant());
    }

    private Instant getExpirationTime(Instant instant) {
        return instant.plusSeconds(this.expirationDelay.getSeconds());
    }

    private void maybeStartTokenRemover() {
        if (!this.securityIndex.isAvailable() || this.client.threadPool().relativeTimeInMillis() - this.lastExpirationRunMs <= this.deleteInterval.getMillis()) {
            return;
        }
        this.expiredTokenRemover.submit(this.client.threadPool());
        this.lastExpirationRunMs = this.client.threadPool().relativeTimeInMillis();
    }

    String getFromHeader(ThreadContext threadContext) {
        String header = threadContext.getHeader(KerberosAuthenticationToken.AUTH_HEADER);
        if (Strings.hasText(header) && header.regionMatches(true, 0, "Bearer ", 0, "Bearer ".length()) && header.length() > "Bearer ".length()) {
            return header.substring("Bearer ".length());
        }
        return null;
    }

    public String getUserTokenString(UserToken userToken) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(MINIMUM_BASE64_BYTES);
        try {
            OutputStream wrap = Base64.getEncoder().wrap(byteArrayOutputStream);
            try {
                OutputStreamStreamOutput outputStreamStreamOutput = new OutputStreamStreamOutput(wrap);
                try {
                    outputStreamStreamOutput.setVersion(userToken.getVersion());
                    KeyAndCache keyAndCache = this.keyCache.activeKeyCache;
                    Version.writeVersion(userToken.getVersion(), outputStreamStreamOutput);
                    outputStreamStreamOutput.writeByteArray(keyAndCache.getSalt().bytes);
                    if (userToken.getVersion().onOrAfter(Version.V_6_0_0_beta2)) {
                        outputStreamStreamOutput.writeByteArray(keyAndCache.getKeyHash().bytes);
                    }
                    byte[] newInitializationVector = getNewInitializationVector();
                    outputStreamStreamOutput.writeByteArray(newInitializationVector);
                    CipherOutputStream cipherOutputStream = new CipherOutputStream(outputStreamStreamOutput, getEncryptionCipher(newInitializationVector, keyAndCache, userToken.getVersion()));
                    try {
                        outputStreamStreamOutput = new OutputStreamStreamOutput(cipherOutputStream);
                        try {
                            outputStreamStreamOutput.setVersion(userToken.getVersion());
                            if (userToken.getVersion().onOrAfter(Version.V_6_2_0)) {
                                outputStreamStreamOutput.writeString(userToken.getId());
                            } else {
                                userToken.writeTo(outputStreamStreamOutput);
                            }
                            outputStreamStreamOutput.close();
                            String str = new String(byteArrayOutputStream.toByteArray(), StandardCharsets.UTF_8);
                            outputStreamStreamOutput.close();
                            cipherOutputStream.close();
                            outputStreamStreamOutput.close();
                            if (wrap != null) {
                                wrap.close();
                            }
                            byteArrayOutputStream.close();
                            return str;
                        } finally {
                            try {
                                outputStreamStreamOutput.close();
                            } catch (Throwable th) {
                                th.addSuppressed(th);
                            }
                        }
                    } catch (Throwable th2) {
                        try {
                            cipherOutputStream.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                        throw th2;
                    }
                } catch (Throwable th4) {
                    throw th4;
                }
            } finally {
            }
        } catch (Throwable th5) {
            try {
                byteArrayOutputStream.close();
            } catch (Throwable th6) {
                th5.addSuppressed(th6);
            }
            throw th5;
        }
    }

    private void ensureEncryptionCiphersSupported() throws NoSuchPaddingException, NoSuchAlgorithmException {
        Cipher.getInstance(ENCRYPTION_CIPHER);
        SecretKeyFactory.getInstance(KDF_ALGORITHM);
    }

    private Cipher getEncryptionCipher(byte[] bArr, KeyAndCache keyAndCache, Version version) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        BytesKey salt = keyAndCache.getSalt();
        try {
            cipher.init(1, keyAndCache.getOrComputeKey(salt), new GCMParameterSpec(128, bArr), this.secureRandom);
            cipher.updateAAD(ByteBuffer.allocate(VERSION_BYTES).putInt(version.id).array());
            cipher.updateAAD(salt.bytes);
            return cipher;
        } catch (ExecutionException e) {
            throw new ElasticsearchSecurityException("Failed to compute secret key for active salt", e, new Object[0]);
        }
    }

    private Cipher getDecryptionCipher(byte[] bArr, SecretKey secretKey, Version version, BytesKey bytesKey) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ENCRYPTION_CIPHER);
        cipher.init(2, secretKey, new GCMParameterSpec(128, bArr), this.secureRandom);
        cipher.updateAAD(ByteBuffer.allocate(VERSION_BYTES).putInt(version.id).array());
        cipher.updateAAD(bytesKey.bytes);
        return cipher;
    }

    private byte[] getNewInitializationVector() {
        byte[] bArr = new byte[IV_BYTES];
        this.secureRandom.nextBytes(bArr);
        return bArr;
    }

    static SecretKey computeSecretKey(char[] cArr, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return new SecretKeySpec(SecretKeyFactory.getInstance(KDF_ALGORITHM).generateSecret(new PBEKeySpec(cArr, bArr, ITERATIONS, 128)).getEncoded(), "AES");
    }

    private static ElasticsearchSecurityException expiredTokenException() {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("token expired", RestStatus.UNAUTHORIZED, new Object[0]);
        elasticsearchSecurityException.addHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE, new String[]{EXPIRED_TOKEN_WWW_AUTH_VALUE});
        return elasticsearchSecurityException;
    }

    private static ElasticsearchSecurityException malformedTokenException() {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("token malformed", RestStatus.UNAUTHORIZED, new Object[0]);
        elasticsearchSecurityException.addHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE, new String[]{MALFORMED_TOKEN_WWW_AUTH_VALUE});
        return elasticsearchSecurityException;
    }

    private static ElasticsearchSecurityException invalidGrantException(String str) {
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("invalid_grant", RestStatus.BAD_REQUEST, new Object[0]);
        elasticsearchSecurityException.addHeader("error_description", new String[]{str});
        return elasticsearchSecurityException;
    }

    private <E extends Throwable> E traceLog(String str, String str2, E e) {
        if (this.logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    this.logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}] for id [{}] - [{}]", new Object[]{str, str2, header});
                    }, elasticsearchException);
                } else {
                    this.logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}] for id [{}]", str, str2);
                    }, elasticsearchException);
                }
            } else {
                this.logger.trace(() -> {
                    return new ParameterizedMessage("Failure in [{}] for id [{}]", str, str2);
                }, e);
            }
        }
        return e;
    }

    private <E extends Throwable> E traceLog(String str, E e) {
        if (this.logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    this.logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}] - [{}]", str, header);
                    }, elasticsearchException);
                } else {
                    this.logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}]", str);
                    }, elasticsearchException);
                }
            } else {
                this.logger.trace(() -> {
                    return new ParameterizedMessage("Failure in [{}]", str);
                }, e);
            }
        }
        return e;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isExpiredTokenException(ElasticsearchSecurityException elasticsearchSecurityException) {
        List header = elasticsearchSecurityException.getHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE);
        if (header != null) {
            Stream stream = header.stream();
            String str = EXPIRED_TOKEN_WWW_AUTH_VALUE;
            if (stream.anyMatch((v1) -> {
                return r1.equals(v1);
            })) {
                return true;
            }
        }
        return false;
    }

    boolean isExpirationInProgress() {
        return this.expiredTokenRemover.isExpirationInProgress();
    }

    synchronized TokenMetaData generateSpareKey() {
        KeyAndCache keyAndCache;
        if (this.keyCache.activeKeyCache != this.keyCache.cache.values().stream().max(Comparator.comparingLong(keyAndCache2 -> {
            return keyAndCache2.keyAndTimestamp.getTimestamp();
        })).get()) {
            return newTokenMetaData(this.keyCache.currentTokenKeyHash, this.keyCache.cache.values());
        }
        long incrementAndGet = this.createdTimeStamps.incrementAndGet();
        do {
            byte[] bArr = new byte[SALT_BYTES];
            this.secureRandom.nextBytes(bArr);
            keyAndCache = new KeyAndCache(new KeyAndTimestamp(generateTokenKey(), incrementAndGet), new BytesKey(bArr));
        } while (this.keyCache.cache.containsKey(keyAndCache.getKeyHash()));
        return newTokenMetaData(this.keyCache.currentTokenKeyHash, Iterables.concat(new Iterable[]{this.keyCache.cache.values(), Collections.singletonList(keyAndCache)}));
    }

    synchronized TokenMetaData rotateToSpareKey() {
        KeyAndCache keyAndCache = this.keyCache.cache.values().stream().max(Comparator.comparingLong(keyAndCache2 -> {
            return keyAndCache2.keyAndTimestamp.getTimestamp();
        })).get();
        if (keyAndCache == this.keyCache.activeKeyCache) {
            throw new IllegalStateException("call generateSpareKey first");
        }
        return newTokenMetaData(keyAndCache.getKeyHash(), this.keyCache.cache.values());
    }

    synchronized TokenMetaData pruneKeys(int i) {
        if (this.keyCache.cache.size() <= i) {
            return getTokenMetaData();
        }
        HashMap hashMap = new HashMap(this.keyCache.cache.size() + 1);
        KeyAndCache keyAndCache = this.keyCache.get(this.keyCache.currentTokenKeyHash);
        ArrayList arrayList = new ArrayList(this.keyCache.cache.values());
        Collections.sort(arrayList, (keyAndCache2, keyAndCache3) -> {
            return Long.compare(keyAndCache3.keyAndTimestamp.getTimestamp(), keyAndCache2.keyAndTimestamp.getTimestamp());
        });
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            KeyAndCache keyAndCache4 = (KeyAndCache) it.next();
            if (hashMap.size() < i || keyAndCache4.keyAndTimestamp.getTimestamp() >= keyAndCache.keyAndTimestamp.getTimestamp()) {
                this.logger.debug("keeping key {} ", keyAndCache4.getKeyHash());
                hashMap.put(keyAndCache4.getKeyHash(), keyAndCache4);
            } else {
                this.logger.debug("prune key {} ", keyAndCache4.getKeyHash());
            }
        }
        if (!$assertionsDisabled && hashMap.isEmpty()) {
            throw new AssertionError();
        }
        if ($assertionsDisabled || hashMap.containsKey(this.keyCache.currentTokenKeyHash)) {
            return newTokenMetaData(this.keyCache.currentTokenKeyHash, hashMap.values());
        }
        throw new AssertionError();
    }

    public synchronized TokenMetaData getTokenMetaData() {
        return newTokenMetaData(this.keyCache.currentTokenKeyHash, this.keyCache.cache.values());
    }

    private TokenMetaData newTokenMetaData(BytesKey bytesKey, Iterable<KeyAndCache> iterable) {
        ArrayList arrayList = new ArrayList();
        Iterator<KeyAndCache> it = iterable.iterator();
        while (it.hasNext()) {
            arrayList.add(it.next().keyAndTimestamp);
        }
        return new TokenMetaData(arrayList, bytesKey.bytes);
    }

    synchronized void refreshMetaData(TokenMetaData tokenMetaData) {
        BytesKey bytesKey = new BytesKey(tokenMetaData.getCurrentKeyHash());
        byte[] bArr = new byte[SALT_BYTES];
        HashMap hashMap = new HashMap(tokenMetaData.getKeys().size());
        long j = this.createdTimeStamps.get();
        for (KeyAndTimestamp keyAndTimestamp : tokenMetaData.getKeys()) {
            this.secureRandom.nextBytes(bArr);
            KeyAndCache keyAndCache = new KeyAndCache(keyAndTimestamp, new BytesKey(bArr));
            j = Math.max(keyAndCache.keyAndTimestamp.getTimestamp(), j);
            if (this.keyCache.cache.containsKey(keyAndCache.getKeyHash())) {
                hashMap.put(keyAndCache.getKeyHash(), this.keyCache.get(keyAndCache.getKeyHash()));
            } else {
                hashMap.put(keyAndCache.getKeyHash(), keyAndCache);
            }
        }
        if (!hashMap.containsKey(bytesKey)) {
            throw new IllegalStateException("Current key is not in the map: " + hashMap.keySet() + " key: " + bytesKey);
        }
        this.createdTimeStamps.set(j);
        this.keyCache = new TokenKeys(Collections.unmodifiableMap(hashMap), bytesKey);
        this.logger.debug("refreshed keys current: {}, keys: {}", bytesKey, this.keyCache.cache.keySet());
    }

    private SecureString generateTokenKey() {
        byte[] bArr = new byte[KEY_BYTES];
        byte[] bArr2 = new byte[0];
        char[] cArr = new char[0];
        try {
            this.secureRandom.nextBytes(bArr);
            bArr2 = Base64.getUrlEncoder().withoutPadding().encode(bArr);
            cArr = new char[bArr2.length];
            SecureString secureString = new SecureString(Arrays.copyOfRange(cArr, 0, UnicodeUtil.UTF8toUTF16(bArr2, 0, bArr2.length, cArr)));
            Arrays.fill(bArr, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(cArr, (char) 0);
            return secureString;
        } catch (Throwable th) {
            Arrays.fill(bArr, (byte) 0);
            Arrays.fill(bArr2, (byte) 0);
            Arrays.fill(cArr, (char) 0);
            throw th;
        }
    }

    synchronized String getActiveKeyHash() {
        return new BytesRef(Base64.getUrlEncoder().withoutPadding().encode(this.keyCache.currentTokenKeyHash.bytes)).utf8ToString();
    }

    void rotateKeysOnMaster(ActionListener<ClusterStateUpdateResponse> actionListener) {
        this.logger.info("rotate keys on master");
        TokenMetaData generateSpareKey = generateSpareKey();
        ClusterService clusterService = this.clusterService;
        CheckedConsumer checkedConsumer = clusterStateUpdateResponse -> {
            if (!clusterStateUpdateResponse.isAcknowledged()) {
                actionListener.onFailure(new IllegalStateException("not acked"));
            } else {
                this.clusterService.submitStateUpdateTask("publish next key to prepare key rotation", new TokenMetadataPublishAction(actionListener, rotateToSpareKey()));
            }
        };
        Objects.requireNonNull(actionListener);
        clusterService.submitStateUpdateTask("publish next key to prepare key rotation", new TokenMetadataPublishAction(ActionListener.wrap(checkedConsumer, actionListener::onFailure), generateSpareKey));
    }

    private void initialize(ClusterService clusterService) {
        clusterService.addListener(clusterChangedEvent -> {
            ClusterState state = clusterChangedEvent.state();
            if (state.getBlocks().hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
                return;
            }
            TokenMetaData tokenMetaData = (TokenMetaData) clusterChangedEvent.state().custom("security_tokens");
            if (state.nodes().isLocalNodeElectedMaster() && tokenMetaData == null) {
                if (XPackPlugin.isReadyForXPackCustomMetadata(state)) {
                    installTokenMetadata();
                } else {
                    this.logger.debug("cannot add token metadata to cluster as the following nodes might not understand the metadata: {}", new Supplier[]{() -> {
                        return XPackPlugin.nodesNotReadyForXPackCustomMetadata(state);
                    }});
                }
            }
            if (tokenMetaData == null || tokenMetaData.equals(getTokenMetaData())) {
                return;
            }
            this.logger.info("refresh keys");
            try {
                refreshMetaData(tokenMetaData);
            } catch (Exception e) {
                this.logger.warn("refreshing metadata failed", e);
            }
            this.logger.info("refreshed keys");
        });
    }

    private void installTokenMetadata() {
        if (this.installTokenMetadataInProgress.compareAndSet(false, true)) {
            this.clusterService.submitStateUpdateTask("install-token-metadata", new ClusterStateUpdateTask(Priority.URGENT) { // from class: org.elasticsearch.xpack.security.authc.TokenService.2
                public ClusterState execute(ClusterState clusterState) {
                    XPackPlugin.checkReadyForXPackCustomMetadata(clusterState);
                    return clusterState.custom("security_tokens") == null ? ClusterState.builder(clusterState).putCustom("security_tokens", TokenService.this.getTokenMetaData()).build() : clusterState;
                }

                public void onFailure(String str, Exception exc) {
                    TokenService.this.installTokenMetadataInProgress.set(false);
                    TokenService.this.logger.error("unable to install token metadata", exc);
                }

                public void clusterStateProcessed(String str, ClusterState clusterState, ClusterState clusterState2) {
                    TokenService.this.installTokenMetadataInProgress.set(false);
                }
            });
        }
    }

    void clearActiveKeyCache() {
        this.keyCache.activeKeyCache.keyCache.invalidateAll();
    }

    static /* synthetic */ ElasticsearchSecurityException access$800() {
        return expiredTokenException();
    }

    static {
        $assertionsDisabled = !TokenService.class.desiredAssertionStatus();
        TOKEN_PASSPHRASE = SecureSetting.secureString("xpack.security.authc.token.passphrase", (Setting) null, new Setting.Property[]{Setting.Property.Deprecated});
        TOKEN_EXPIRATION = Setting.timeSetting("xpack.security.authc.token.timeout", TimeValue.timeValueMinutes(20L), TimeValue.timeValueSeconds(1L), TimeValue.timeValueHours(1L), new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.token.delete.interval", TimeValue.timeValueMinutes(30L), new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.token.delete.timeout", TimeValue.MINUS_ONE, new Setting.Property[]{Setting.Property.NodeScope});
        BWC_ENABLED = Setting.boolSetting("xpack.security.authc.token.compat.enabled", false, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Deprecated});
        MINIMUM_BASE64_BYTES = Double.valueOf(Math.ceil(65.0d)).intValue();
    }
}
