package org.elasticsearch.xpack.security.authc.service;

import java.io.IOException;
import java.time.Clock;
import java.util.Arrays;
import java.util.Collection;
import java.util.Objects;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteRequest;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.bulk.BulkAction;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.TransportSingleItemBulkWriteAction;
import org.elasticsearch.action.delete.DeleteAction;
import org.elasticsearch.action.delete.DeleteRequest;
import org.elasticsearch.action.get.GetAction;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentFactory;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.List;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheAction;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheRequest;
import org.elasticsearch.xpack.core.security.action.service.CreateServiceAccountTokenRequest;
import org.elasticsearch.xpack.core.security.action.service.CreateServiceAccountTokenResponse;
import org.elasticsearch.xpack.core.security.action.service.DeleteServiceAccountTokenRequest;
import org.elasticsearch.xpack.core.security.action.service.TokenInfo;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountTokenStore;
import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/IndexServiceAccountTokenStore.class */
public class IndexServiceAccountTokenStore extends CachingServiceAccountTokenStore {
    private static final Logger logger;
    static final String SERVICE_ACCOUNT_TOKEN_DOC_TYPE = "service_account_token";
    private final Clock clock;
    private final Client client;
    private final SecurityIndexManager securityIndex;
    private final ClusterService clusterService;
    private final Hasher hasher;
    static final /* synthetic */ boolean $assertionsDisabled;

    public IndexServiceAccountTokenStore(Settings settings, ThreadPool threadPool, Clock clock, Client client, SecurityIndexManager securityIndexManager, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry) {
        super(settings, threadPool);
        this.clock = clock;
        this.client = client;
        this.securityIndex = securityIndexManager;
        this.clusterService = clusterService;
        cacheInvalidatorRegistry.registerCacheInvalidator("index_service_account_token", this);
        this.hasher = Hasher.resolve((String) XPackSettings.SERVICE_TOKEN_HASHING_ALGORITHM.get(settings));
    }

    @Override // org.elasticsearch.xpack.security.authc.service.CachingServiceAccountTokenStore
    void doAuthenticate(ServiceAccountToken serviceAccountToken, ActionListener<ServiceAccountTokenStore.StoreAuthenticationResult> actionListener) {
        GetRequest request = this.client.prepareGet(".security", "_doc", docIdForToken(serviceAccountToken.getQualifiedName())).setFetchSource(true).request();
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            Client client = this.client;
            GetAction getAction = GetAction.INSTANCE;
            CheckedConsumer checkedConsumer = getResponse -> {
                if (!getResponse.isExists()) {
                    logger.trace("service account token [{}] not found in index", serviceAccountToken.getQualifiedName());
                    actionListener.onResponse(new ServiceAccountTokenStore.StoreAuthenticationResult(false, getTokenSource()));
                    return;
                }
                String str = (String) getResponse.getSource().get("password");
                if (!$assertionsDisabled && str == null) {
                    throw new AssertionError("service account token hash cannot be null");
                }
                actionListener.onResponse(new ServiceAccountTokenStore.StoreAuthenticationResult(Hasher.verifyHash(serviceAccountToken.getSecret(), str.toCharArray()), getTokenSource()));
            };
            Objects.requireNonNull(actionListener);
            ClientHelper.executeAsyncWithOrigin(client, "security", getAction, request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        });
    }

    @Override // org.elasticsearch.xpack.security.authc.service.CachingServiceAccountTokenStore
    public TokenInfo.TokenSource getTokenSource() {
        return TokenInfo.TokenSource.INDEX;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void createToken(Authentication authentication, CreateServiceAccountTokenRequest createServiceAccountTokenRequest, ActionListener<CreateServiceAccountTokenResponse> actionListener) {
        ServiceAccount.ServiceAccountId serviceAccountId = new ServiceAccount.ServiceAccountId(createServiceAccountTokenRequest.getNamespace(), createServiceAccountTokenRequest.getServiceName());
        if (false == ServiceAccountService.isServiceAccountPrincipal(serviceAccountId.asPrincipal())) {
            actionListener.onFailure(new IllegalArgumentException("service account [" + serviceAccountId + "] does not exist"));
            return;
        }
        ServiceAccountToken newToken = ServiceAccountToken.newToken(serviceAccountId, createServiceAccountTokenRequest.getTokenName());
        try {
            XContentBuilder newDocument = newDocument(authentication, newToken);
            try {
                BulkRequest singleItemBulkRequest = TransportSingleItemBulkWriteAction.toSingleItemBulkRequest(this.client.prepareIndex(".security", "_doc").setId(docIdForToken(newToken.getQualifiedName())).setSource(newDocument).setOpType(DocWriteRequest.OpType.CREATE).setRefreshPolicy(createServiceAccountTokenRequest.getRefreshPolicy()).request());
                SecurityIndexManager securityIndexManager = this.securityIndex;
                Objects.requireNonNull(actionListener);
                securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
                    Client client = this.client;
                    BulkAction bulkAction = BulkAction.INSTANCE;
                    CheckedConsumer checkedConsumer = indexResponse -> {
                        if (!$assertionsDisabled && DocWriteResponse.Result.CREATED != indexResponse.getResult()) {
                            throw new AssertionError("an successful response of an OpType.CREATE request must have result of CREATED");
                        }
                        actionListener.onResponse(CreateServiceAccountTokenResponse.created(newToken.getTokenName(), newToken.asBearerString()));
                    };
                    Objects.requireNonNull(actionListener);
                    ClientHelper.executeAsyncWithOrigin(client, "security", bulkAction, singleItemBulkRequest, TransportSingleItemBulkWriteAction.wrapBulkResponse(ActionListener.wrap(checkedConsumer, actionListener::onFailure)));
                });
                if (newDocument != null) {
                    newDocument.close();
                }
            } finally {
            }
        } catch (IOException e) {
            actionListener.onFailure(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void findTokensFor(ServiceAccount.ServiceAccountId serviceAccountId, ActionListener<Collection<TokenInfo>> actionListener) {
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (false == freeze.indexExists()) {
            actionListener.onResponse(List.of());
        } else {
            if (false == freeze.isAvailable()) {
                actionListener.onFailure(freeze.getUnavailableReason());
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
                ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
                try {
                    SearchRequest request = this.client.prepareSearch(new String[]{".security"}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(getSettings())).setQuery(QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", SERVICE_ACCOUNT_TOKEN_DOC_TYPE)).must(QueryBuilders.termQuery("username", serviceAccountId.asPrincipal()))).setSize(1000).setFetchSource(false).request();
                    request.indicesOptions().ignoreUnavailable();
                    logger.trace("Searching tokens for service account [{}]", serviceAccountId);
                    ScrollHelper.fetchAllByEntity(this.client, request, new ContextPreservingActionListener(newRestorableContext, actionListener), searchHit -> {
                        return extractTokenInfo(searchHit.getId(), serviceAccountId);
                    });
                    if (stashWithOrigin != null) {
                        stashWithOrigin.close();
                    }
                } catch (Throwable th) {
                    if (stashWithOrigin != null) {
                        try {
                            stashWithOrigin.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void deleteToken(DeleteServiceAccountTokenRequest deleteServiceAccountTokenRequest, ActionListener<Boolean> actionListener) {
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (false == freeze.indexExists()) {
            actionListener.onResponse(false);
            return;
        }
        if (false == freeze.isAvailable()) {
            actionListener.onFailure(freeze.getUnavailableReason());
            return;
        }
        ServiceAccount.ServiceAccountId serviceAccountId = new ServiceAccount.ServiceAccountId(deleteServiceAccountTokenRequest.getNamespace(), deleteServiceAccountTokenRequest.getServiceName());
        if (false == ServiceAccountService.isServiceAccountPrincipal(serviceAccountId.asPrincipal())) {
            actionListener.onResponse(false);
            return;
        }
        String qualifiedName = new ServiceAccountToken.ServiceAccountTokenId(serviceAccountId, deleteServiceAccountTokenRequest.getTokenName()).getQualifiedName();
        SecurityIndexManager securityIndexManager = this.securityIndex;
        Objects.requireNonNull(actionListener);
        securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
            DeleteRequest request = this.client.prepareDelete(".security", "_doc", docIdForToken(qualifiedName)).request();
            request.setRefreshPolicy(deleteServiceAccountTokenRequest.getRefreshPolicy());
            Client client = this.client;
            DeleteAction deleteAction = DeleteAction.INSTANCE;
            CheckedConsumer checkedConsumer = deleteResponse -> {
                ClientHelper.executeAsyncWithOrigin(this.client, "security", ClearSecurityCacheAction.INSTANCE, new ClearSecurityCacheRequest().cacheName("index_service_account_token").keys(new String[]{qualifiedName}), ActionListener.wrap(clearSecurityCacheResponse -> {
                    actionListener.onResponse(Boolean.valueOf(deleteResponse.getResult() == DocWriteResponse.Result.DELETED));
                }, exc -> {
                    ParameterizedMessage parameterizedMessage = new ParameterizedMessage("clearing the cache for service token [{}] failed. please clear the cache manually", qualifiedName);
                    logger.error(parameterizedMessage, exc);
                    actionListener.onFailure(new ElasticsearchException(parameterizedMessage.getFormattedMessage(), exc, new Object[0]));
                }));
            };
            Objects.requireNonNull(actionListener);
            ClientHelper.executeAsyncWithOrigin(client, "security", deleteAction, request, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        });
    }

    private String docIdForToken(String str) {
        return "service_account_token-" + str;
    }

    private XContentBuilder newDocument(Authentication authentication, ServiceAccountToken serviceAccountToken) throws IOException {
        Version minNodeVersion = this.clusterService.state().nodes().getMinNodeVersion();
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject().field("doc_type", SERVICE_ACCOUNT_TOKEN_DOC_TYPE).field("version", minNodeVersion.id).field("username", serviceAccountToken.getAccountId().asPrincipal()).field("name", serviceAccountToken.getTokenName()).field("creation_time", this.clock.instant().toEpochMilli()).field("enabled", true).startObject("creator").field("principal", authentication.getUser().principal()).field("full_name", authentication.getUser().fullName()).field("email", authentication.getUser().email()).field("metadata", authentication.getUser().metadata()).field(LoggingAuditTrail.REALM_FIELD_NAME, authentication.getSourceRealm().getName()).field("realm_type", authentication.getSourceRealm().getType()).endObject();
        byte[] bArr = null;
        char[] hash = this.hasher.hash(serviceAccountToken.getSecret());
        try {
            bArr = CharArrays.toUtf8Bytes(hash);
            jsonBuilder.field("password").utf8Value(bArr, 0, bArr.length);
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            Arrays.fill(hash, (char) 0);
            jsonBuilder.endObject();
            return jsonBuilder;
        } catch (Throwable th) {
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            Arrays.fill(hash, (char) 0);
            throw th;
        }
    }

    private TokenInfo extractTokenInfo(String str, ServiceAccount.ServiceAccountId serviceAccountId) {
        return TokenInfo.indexToken(Strings.substring(str, SERVICE_ACCOUNT_TOKEN_DOC_TYPE.length() + serviceAccountId.asPrincipal().length() + 2, str.length()));
    }

    static {
        $assertionsDisabled = !IndexServiceAccountTokenStore.class.desiredAssertionStatus();
        logger = LogManager.getLogger(IndexServiceAccountTokenStore.class);
    }
}
