package org.elasticsearch.xpack.security.authc;

import java.io.Closeable;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.LongAdder;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.crypto.SecretKeyFactory;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRunnable;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.bulk.BulkAction;
import org.elasticsearch.action.bulk.BulkItemResponse;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkRequestBuilder;
import org.elasticsearch.action.bulk.TransportSingleItemBulkWriteAction;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.search.SearchAction;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.cache.RemovalListener;
import org.elasticsearch.common.cache.RemovalNotification;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.EsRejectedExecutionException;
import org.elasticsearch.common.util.concurrent.FutureUtils;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
import org.elasticsearch.common.xcontent.ObjectParserHelper;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.core.CharArrays;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.ConstructingObjectParser;
import org.elasticsearch.xcontent.DeprecationHandler;
import org.elasticsearch.xcontent.InstantiatingObjectParser;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xcontent.ParseField;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.elasticsearch.xcontent.XContentLocation;
import org.elasticsearch.xcontent.XContentParser;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.ScrollHelper;
import org.elasticsearch.xpack.core.security.action.ApiKey;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheAction;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheRequest;
import org.elasticsearch.xpack.core.security.action.ClearSecurityCacheResponse;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.CreateApiKeyResponse;
import org.elasticsearch.xpack.core.security.action.GetApiKeyResponse;
import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyResponse;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry;
import org.elasticsearch.xpack.security.support.FeatureNotEnabledException;
import org.elasticsearch.xpack.security.support.LockingAtomicCounter;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService.class */
public class ApiKeyService {
    private static final Logger logger;
    private static final DeprecationLogger deprecationLogger;
    private static final Version METADATA_INTRODUCED;
    public static final String API_KEY_ID_KEY = "_security_api_key_id";
    public static final String API_KEY_NAME_KEY = "_security_api_key_name";
    public static final String API_KEY_METADATA_KEY = "_security_api_key_metadata";
    public static final String API_KEY_REALM_NAME = "_es_api_key";
    public static final String API_KEY_REALM_TYPE = "_es_api_key";
    public static final String API_KEY_CREATOR_REALM_NAME = "_security_api_key_creator_realm_name";
    public static final String API_KEY_CREATOR_REALM_TYPE = "_security_api_key_creator_realm_type";
    public static final Setting<String> PASSWORD_HASHING_ALGORITHM;
    public static final Setting<TimeValue> DELETE_TIMEOUT;
    public static final Setting<TimeValue> DELETE_INTERVAL;
    public static final Setting<String> CACHE_HASH_ALGO_SETTING;
    public static final Setting<TimeValue> CACHE_TTL_SETTING;
    public static final Setting<Integer> CACHE_MAX_KEYS_SETTING;
    public static final Setting<TimeValue> DOC_CACHE_TTL_SETTING;
    private static final BytesArray FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14;
    private final Clock clock;
    private final Client client;
    private final XPackLicenseState licenseState;
    private final SecurityIndexManager securityIndex;
    private final ClusterService clusterService;
    private final Hasher hasher;
    private final boolean enabled;
    private final Settings settings;
    private final ExpiredApiKeysRemover expiredApiKeysRemover;
    private final TimeValue deleteInterval;
    private final Cache<String, ListenableFuture<CachedApiKeyHashResult>> apiKeyAuthCache;
    private final Hasher cacheHasher;
    private final ThreadPool threadPool;
    private final ApiKeyDocCache apiKeyDocCache;
    private volatile long lastExpirationRunMs;
    private static final long EVICTION_MONITOR_INTERVAL_SECONDS = 300;
    private static final long EVICTION_MONITOR_INTERVAL_NANOS = 300000000000L;
    private static final long EVICTION_WARNING_THRESHOLD = 4500;
    private final AtomicLong lastEvictionCheckedAt = new AtomicLong(0);
    private final LongAdder evictionCounter = new LongAdder();
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyCredentials.class */
    public static final class ApiKeyCredentials implements AuthenticationToken, Closeable {
        private final String id;
        private final SecureString key;

        public ApiKeyCredentials(String str, SecureString secureString) {
            this.id = str;
            this.key = secureString;
        }

        String getId() {
            return this.id;
        }

        SecureString getKey() {
            return this.key;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
            this.key.close();
        }

        public String principal() {
            return this.id;
        }

        public Object credentials() {
            return this.key;
        }

        public void clearCredentials() {
            close();
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDoc.class */
    public static final class ApiKeyDoc {
        private static final BytesReference NULL_BYTES = new BytesArray("null");
        static final InstantiatingObjectParser<ApiKeyDoc, Void> PARSER;
        final String docType;
        final long creationTime;
        final long expirationTime;
        final Boolean invalidated;
        final String hash;

        @Nullable
        final String name;
        final int version;
        final BytesReference roleDescriptorsBytes;
        final BytesReference limitedByRoleDescriptorsBytes;
        final Map<String, Object> creator;

        @Nullable
        final BytesReference metadataFlattened;

        public ApiKeyDoc(String str, long j, long j2, Boolean bool, String str2, @Nullable String str3, int i, BytesReference bytesReference, BytesReference bytesReference2, Map<String, Object> map, @Nullable BytesReference bytesReference3) {
            this.docType = str;
            this.creationTime = j;
            this.expirationTime = j2;
            this.invalidated = bool;
            this.hash = str2;
            this.name = str3;
            this.version = i;
            this.roleDescriptorsBytes = bytesReference;
            this.limitedByRoleDescriptorsBytes = bytesReference2;
            this.creator = map;
            this.metadataFlattened = NULL_BYTES.equals(bytesReference3) ? null : bytesReference3;
        }

        public CachedApiKeyDoc toCachedApiKeyDoc() {
            MessageDigest sha256 = MessageDigests.sha256();
            String hexString = MessageDigests.toHexString(MessageDigests.digest(this.roleDescriptorsBytes, sha256));
            sha256.reset();
            return new CachedApiKeyDoc(this.creationTime, this.expirationTime, this.invalidated, this.hash, this.name, this.version, this.creator, hexString, MessageDigests.toHexString(MessageDigests.digest(this.limitedByRoleDescriptorsBytes, sha256)), this.metadataFlattened);
        }

        static ApiKeyDoc fromXContent(XContentParser xContentParser) {
            return (ApiKeyDoc) PARSER.apply(xContentParser, (Object) null);
        }

        static {
            InstantiatingObjectParser.Builder builder = InstantiatingObjectParser.builder("api_key_doc", true, ApiKeyDoc.class);
            builder.declareString(ConstructingObjectParser.constructorArg(), new ParseField("doc_type", new String[0]));
            builder.declareLong(ConstructingObjectParser.constructorArg(), new ParseField("creation_time", new String[0]));
            builder.declareLongOrNull(ConstructingObjectParser.constructorArg(), -1L, new ParseField("expiration_time", new String[0]));
            builder.declareBoolean(ConstructingObjectParser.constructorArg(), new ParseField("api_key_invalidated", new String[0]));
            builder.declareString(ConstructingObjectParser.constructorArg(), new ParseField("api_key_hash", new String[0]));
            builder.declareStringOrNull(ConstructingObjectParser.optionalConstructorArg(), new ParseField("name", new String[0]));
            builder.declareInt(ConstructingObjectParser.constructorArg(), new ParseField("version", new String[0]));
            ObjectParserHelper objectParserHelper = new ObjectParserHelper();
            objectParserHelper.declareRawObject(builder, ConstructingObjectParser.constructorArg(), new ParseField("role_descriptors", new String[0]));
            objectParserHelper.declareRawObject(builder, ConstructingObjectParser.constructorArg(), new ParseField("limited_by_role_descriptors", new String[0]));
            builder.declareObject(ConstructingObjectParser.constructorArg(), (xContentParser, r3) -> {
                return xContentParser.map();
            }, new ParseField("creator", new String[0]));
            objectParserHelper.declareRawObjectOrNull(builder, ConstructingObjectParser.optionalConstructorArg(), new ParseField("metadata_flattened", new String[0]));
            PARSER = builder.build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyDocCache.class */
    public static final class ApiKeyDocCache {
        private final Cache<String, CachedApiKeyDoc> docCache;
        private final Cache<String, BytesReference> roleDescriptorsBytesCache;
        private final LockingAtomicCounter lockingAtomicCounter = new LockingAtomicCounter();

        ApiKeyDocCache(TimeValue timeValue, int i) {
            this.docCache = CacheBuilder.builder().setMaximumWeight(i).setExpireAfterWrite(timeValue).build();
            this.roleDescriptorsBytesCache = CacheBuilder.builder().setExpireAfterAccess(TimeValue.timeValueHours(1L)).setMaximumWeight(i * 2).build();
        }

        public ApiKeyDoc get(String str) {
            CachedApiKeyDoc cachedApiKeyDoc = (CachedApiKeyDoc) this.docCache.get(str);
            if (cachedApiKeyDoc == null) {
                return null;
            }
            BytesReference bytesReference = (BytesReference) this.roleDescriptorsBytesCache.get(cachedApiKeyDoc.roleDescriptorsHash);
            BytesReference bytesReference2 = (BytesReference) this.roleDescriptorsBytesCache.get(cachedApiKeyDoc.limitedByRoleDescriptorsHash);
            if (bytesReference == null || bytesReference2 == null) {
                return null;
            }
            return cachedApiKeyDoc.toApiKeyDoc(bytesReference, bytesReference2);
        }

        public long getInvalidationCount() {
            return this.lockingAtomicCounter.get();
        }

        public void putIfNoInvalidationSince(String str, ApiKeyDoc apiKeyDoc, long j) {
            CachedApiKeyDoc cachedApiKeyDoc = apiKeyDoc.toCachedApiKeyDoc();
            this.lockingAtomicCounter.compareAndRun(j, () -> {
                this.docCache.put(str, cachedApiKeyDoc);
                try {
                    this.roleDescriptorsBytesCache.computeIfAbsent(cachedApiKeyDoc.roleDescriptorsHash, str2 -> {
                        return apiKeyDoc.roleDescriptorsBytes;
                    });
                    this.roleDescriptorsBytesCache.computeIfAbsent(cachedApiKeyDoc.limitedByRoleDescriptorsHash, str3 -> {
                        return apiKeyDoc.limitedByRoleDescriptorsBytes;
                    });
                } catch (ExecutionException e) {
                    throw new RuntimeException(e);
                }
            });
        }

        public void invalidate(Collection<String> collection) {
            this.lockingAtomicCounter.increment();
            ApiKeyService.logger.debug("Invalidating API key doc cache with ids: [{}]", Strings.collectionToCommaDelimitedString(collection));
            Cache<String, CachedApiKeyDoc> cache = this.docCache;
            Objects.requireNonNull(cache);
            collection.forEach((v1) -> {
                r1.invalidate(v1);
            });
        }

        public void invalidateAll() {
            this.lockingAtomicCounter.increment();
            ApiKeyService.logger.debug("Invalidating all API key doc cache and descriptor cache");
            this.docCache.invalidateAll();
            this.roleDescriptorsBytesCache.invalidateAll();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyLoggingDeprecationHandler.class */
    public static class ApiKeyLoggingDeprecationHandler implements DeprecationHandler {
        private final DeprecationLogger deprecationLogger;
        private final String apiKeyId;

        private ApiKeyLoggingDeprecationHandler(DeprecationLogger deprecationLogger, String str) {
            this.deprecationLogger = deprecationLogger;
            this.apiKeyId = str;
        }

        public void usedDeprecatedName(String str, Supplier<XContentLocation> supplier, String str2, String str3) {
            this.deprecationLogger.warn(DeprecationCategory.SECURITY, "api_key_field", "{}Deprecated field [{}] used in api key [{}], expected [{}] instead", new Object[]{str == null ? "" : "[" + str + "][" + supplier.get() + "] ", str2, this.apiKeyId, str3});
        }

        public void usedDeprecatedField(String str, Supplier<XContentLocation> supplier, String str2, String str3) {
            this.deprecationLogger.warn(DeprecationCategory.SECURITY, "api_key_field", "{}Deprecated field [{}] used in api key [{}], replaced by [{}]", new Object[]{str == null ? "" : "[" + str + "][" + supplier.get() + "] ", str2, this.apiKeyId, str3});
        }

        public void usedDeprecatedField(String str, Supplier<XContentLocation> supplier, String str2) {
            this.deprecationLogger.warn(DeprecationCategory.SECURITY, "api_key_field", "{}Deprecated field [{}] used in api key [{}], which is unused and will be removed entirely", new Object[]{str == null ? "" : "[" + str + "][" + supplier.get() + "] ", str2, this.apiKeyId});
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$ApiKeyRoleDescriptors.class */
    public static class ApiKeyRoleDescriptors {
        private final String apiKeyId;
        private final List<RoleDescriptor> roleDescriptors;
        private final List<RoleDescriptor> limitedByRoleDescriptors;

        public ApiKeyRoleDescriptors(String str, List<RoleDescriptor> list, List<RoleDescriptor> list2) {
            this.apiKeyId = str;
            this.roleDescriptors = list;
            this.limitedByRoleDescriptors = list2;
        }

        public String getApiKeyId() {
            return this.apiKeyId;
        }

        public List<RoleDescriptor> getRoleDescriptors() {
            return this.roleDescriptors;
        }

        public List<RoleDescriptor> getLimitedByRoleDescriptors() {
            return this.limitedByRoleDescriptors;
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$CachedApiKeyDoc.class */
    public static final class CachedApiKeyDoc {
        final long creationTime;
        final long expirationTime;
        final Boolean invalidated;
        final String hash;
        final String name;
        final int version;
        final Map<String, Object> creator;
        final String roleDescriptorsHash;
        final String limitedByRoleDescriptorsHash;

        @Nullable
        final BytesReference metadataFlattened;

        public CachedApiKeyDoc(long j, long j2, Boolean bool, String str, String str2, int i, Map<String, Object> map, String str3, String str4, @Nullable BytesReference bytesReference) {
            this.creationTime = j;
            this.expirationTime = j2;
            this.invalidated = bool;
            this.hash = str;
            this.name = str2;
            this.version = i;
            this.creator = map;
            this.roleDescriptorsHash = str3;
            this.limitedByRoleDescriptorsHash = str4;
            this.metadataFlattened = bytesReference;
        }

        public ApiKeyDoc toApiKeyDoc(BytesReference bytesReference, BytesReference bytesReference2) {
            return new ApiKeyDoc("api_key", this.creationTime, this.expirationTime, this.invalidated, this.hash, this.name, this.version, bytesReference, bytesReference2, this.creator, this.metadataFlattened);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/ApiKeyService$CachedApiKeyHashResult.class */
    public final class CachedApiKeyHashResult {
        final boolean success;
        final char[] hash;

        CachedApiKeyHashResult(boolean z, SecureString secureString) {
            this.success = z;
            this.hash = ApiKeyService.this.cacheHasher.hash(secureString);
        }

        boolean verify(SecureString secureString) {
            return this.hash != null && ApiKeyService.this.cacheHasher.verify(secureString, this.hash);
        }
    }

    public ApiKeyService(Settings settings, Clock clock, Client client, XPackLicenseState xPackLicenseState, SecurityIndexManager securityIndexManager, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry, ThreadPool threadPool) {
        this.clock = clock;
        this.client = client;
        this.licenseState = xPackLicenseState;
        this.securityIndex = securityIndexManager;
        this.clusterService = clusterService;
        this.enabled = ((Boolean) XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.get(settings)).booleanValue();
        this.hasher = Hasher.resolve((String) PASSWORD_HASHING_ALGORITHM.get(settings));
        this.settings = settings;
        this.deleteInterval = (TimeValue) DELETE_INTERVAL.get(settings);
        this.expiredApiKeysRemover = new ExpiredApiKeysRemover(settings, client);
        this.threadPool = threadPool;
        this.cacheHasher = Hasher.resolve((String) CACHE_HASH_ALGO_SETTING.get(settings));
        TimeValue timeValue = (TimeValue) CACHE_TTL_SETTING.get(settings);
        int intValue = ((Integer) CACHE_MAX_KEYS_SETTING.get(settings)).intValue();
        if (timeValue.getNanos() <= 0) {
            this.apiKeyAuthCache = null;
            this.apiKeyDocCache = null;
        } else {
            this.apiKeyAuthCache = CacheBuilder.builder().setExpireAfterAccess(timeValue).setMaximumWeight(intValue).removalListener(getAuthCacheRemovalListener(intValue)).build();
            TimeValue timeValue2 = (TimeValue) DOC_CACHE_TTL_SETTING.get(settings);
            this.apiKeyDocCache = timeValue2.getNanos() == 0 ? null : new ApiKeyDocCache(timeValue2, intValue);
            cacheInvalidatorRegistry.registerCacheInvalidator("api_key", new CacheInvalidatorRegistry.CacheInvalidator() { // from class: org.elasticsearch.xpack.security.authc.ApiKeyService.1
                @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
                public void invalidate(Collection<String> collection) {
                    if (ApiKeyService.this.apiKeyDocCache != null) {
                        ApiKeyService.this.apiKeyDocCache.invalidate(collection);
                    }
                    Cache cache = ApiKeyService.this.apiKeyAuthCache;
                    Objects.requireNonNull(cache);
                    collection.forEach((v1) -> {
                        r1.invalidate(v1);
                    });
                }

                @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
                public void invalidateAll() {
                    if (ApiKeyService.this.apiKeyDocCache != null) {
                        ApiKeyService.this.apiKeyDocCache.invalidateAll();
                    }
                    ApiKeyService.this.apiKeyAuthCache.invalidateAll();
                }
            });
        }
    }

    public void createApiKey(Authentication authentication, CreateApiKeyRequest createApiKeyRequest, Set<RoleDescriptor> set, ActionListener<CreateApiKeyResponse> actionListener) {
        ensureEnabled();
        if (createApiKeyRequest.getMetadata() != null && false == createApiKeyRequest.getMetadata().isEmpty()) {
            Version installableMappingVersion = this.securityIndex.getInstallableMappingVersion();
            if (installableMappingVersion.before(METADATA_INTRODUCED)) {
                logger.warn("The security index [{}] mapping is for version [{}] but API Key metadata requires [{}]; the mapping will automatically upgrade to a supported version when the cluster no longer has nodes that are [{}] or earlier", this.securityIndex.aliasName(), installableMappingVersion, METADATA_INTRODUCED, Security.FLATTENED_FIELD_TYPE_INTRODUCED);
                actionListener.onFailure(new IllegalArgumentException("API metadata requires all nodes to be at least [" + Security.FLATTENED_FIELD_TYPE_INTRODUCED + "]"));
                return;
            }
        }
        if (authentication == null) {
            actionListener.onFailure(new IllegalArgumentException("authentication must be provided"));
        } else {
            createApiKeyAndIndexIt(authentication, createApiKeyRequest, set, actionListener);
        }
    }

    private void createApiKeyAndIndexIt(Authentication authentication, CreateApiKeyRequest createApiKeyRequest, Set<RoleDescriptor> set, ActionListener<CreateApiKeyResponse> actionListener) {
        Instant instant = this.clock.instant();
        Instant apiKeyExpiration = getApiKeyExpiration(instant, createApiKeyRequest);
        SecureString randomBase64UUIDSecureString = UUIDs.randomBase64UUIDSecureString();
        Version minNodeVersion = this.clusterService.state().nodes().getMinNodeVersion();
        if (minNodeVersion.before(Version.V_6_7_0)) {
            logger.warn("nodes prior to the minimum supported version for api keys {} exist in the cluster; these nodes will not be able to use api keys", Version.V_6_7_0);
        }
        computeHashForApiKey(randomBase64UUIDSecureString, actionListener.delegateFailure((actionListener2, cArr) -> {
            try {
                try {
                    XContentBuilder newDocument = newDocument(cArr, createApiKeyRequest.getName(), authentication, set, instant, apiKeyExpiration, createApiKeyRequest.getRoleDescriptors(), minNodeVersion, createApiKeyRequest.getMetadata());
                    try {
                        BulkRequest singleItemBulkRequest = TransportSingleItemBulkWriteAction.toSingleItemBulkRequest(this.client.prepareIndex(".security", "_doc").setSource(newDocument).setRefreshPolicy(createApiKeyRequest.getRefreshPolicy()).request());
                        SecurityIndexManager securityIndexManager = this.securityIndex;
                        Objects.requireNonNull(actionListener);
                        securityIndexManager.prepareIndexIfNeededThenExecute(actionListener::onFailure, () -> {
                            Client client = this.client;
                            BulkAction bulkAction = BulkAction.INSTANCE;
                            CheckedConsumer checkedConsumer = indexResponse -> {
                                ListenableFuture listenableFuture = new ListenableFuture();
                                listenableFuture.onResponse(new CachedApiKeyHashResult(true, randomBase64UUIDSecureString));
                                this.apiKeyAuthCache.put(indexResponse.getId(), listenableFuture);
                                actionListener.onResponse(new CreateApiKeyResponse(createApiKeyRequest.getName(), indexResponse.getId(), randomBase64UUIDSecureString, apiKeyExpiration));
                            };
                            Objects.requireNonNull(actionListener);
                            ClientHelper.executeAsyncWithOrigin(client, "security", bulkAction, singleItemBulkRequest, TransportSingleItemBulkWriteAction.wrapBulkResponse(ActionListener.wrap(checkedConsumer, actionListener::onFailure)));
                        });
                        if (newDocument != null) {
                            newDocument.close();
                        }
                        Arrays.fill(cArr, (char) 0);
                    } catch (Throwable th) {
                        if (newDocument != null) {
                            try {
                                newDocument.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    Arrays.fill(cArr, (char) 0);
                    throw th3;
                }
            } catch (IOException e) {
                actionListener.onFailure(e);
                Arrays.fill(cArr, (char) 0);
            }
        }));
    }

    XContentBuilder newDocument(char[] cArr, String str, Authentication authentication, Set<RoleDescriptor> set, Instant instant, Instant instant2, List<RoleDescriptor> list, Version version, @Nullable Map<String, Object> map) throws IOException {
        XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
        jsonBuilder.startObject().field("doc_type", "api_key").field("creation_time", instant.toEpochMilli()).field("expiration_time", instant2 == null ? null : Long.valueOf(instant2.toEpochMilli())).field("api_key_invalidated", false);
        byte[] bArr = null;
        try {
            bArr = CharArrays.toUtf8Bytes(cArr);
            jsonBuilder.field("api_key_hash").utf8Value(bArr, 0, bArr.length);
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            jsonBuilder.startObject("role_descriptors");
            if (list != null && !list.isEmpty()) {
                for (RoleDescriptor roleDescriptor : list) {
                    jsonBuilder.field(roleDescriptor.getName(), (xContentBuilder, params) -> {
                        return roleDescriptor.toXContent(xContentBuilder, params, true);
                    });
                }
            }
            jsonBuilder.endObject();
            jsonBuilder.startObject("limited_by_role_descriptors");
            for (RoleDescriptor roleDescriptor2 : set) {
                jsonBuilder.field(roleDescriptor2.getName(), (xContentBuilder2, params2) -> {
                    return roleDescriptor2.toXContent(xContentBuilder2, params2, true);
                });
            }
            jsonBuilder.endObject();
            jsonBuilder.field("name", str).field("version", version.id);
            if (map != null && false == map.isEmpty()) {
                if (!$assertionsDisabled && !this.securityIndex.getInstallableMappingVersion().onOrAfter(METADATA_INTRODUCED)) {
                    throw new AssertionError("API metadata requires all nodes to be at least [" + Security.FLATTENED_FIELD_TYPE_INTRODUCED + "]");
                }
                jsonBuilder.field("metadata_flattened", map);
            }
            jsonBuilder.startObject("creator").field("principal", authentication.getUser().principal()).field("full_name", authentication.getUser().fullName()).field("email", authentication.getUser().email()).field("metadata", authentication.getUser().metadata()).field(LoggingAuditTrail.REALM_FIELD_NAME, authentication.getSourceRealm().getName()).field("realm_type", authentication.getSourceRealm().getType()).endObject().endObject();
            return jsonBuilder;
        } catch (Throwable th) {
            if (bArr != null) {
                Arrays.fill(bArr, (byte) 0);
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void tryAuthenticate(ThreadContext threadContext, ApiKeyCredentials apiKeyCredentials, ActionListener<AuthenticationResult> actionListener) {
        if (false == isEnabled()) {
            actionListener.onResponse(AuthenticationResult.notHandled());
        }
        if (!$assertionsDisabled && apiKeyCredentials == null) {
            throw new AssertionError("api key credentials must not be null");
        }
        loadApiKeyAndValidateCredentials(threadContext, apiKeyCredentials, ActionListener.wrap(authenticationResult -> {
            apiKeyCredentials.close();
            actionListener.onResponse(authenticationResult);
        }, exc -> {
            apiKeyCredentials.close();
            actionListener.onFailure(exc);
        }));
    }

    public Authentication createApiKeyAuthentication(AuthenticationResult authenticationResult, String str) {
        if (false == authenticationResult.isAuthenticated()) {
            throw new IllegalArgumentException("API Key authn result must be successful");
        }
        return new Authentication(authenticationResult.getUser(), new Authentication.RealmRef("_es_api_key", "_es_api_key", str), (Authentication.RealmRef) null, Version.CURRENT, Authentication.AuthenticationType.API_KEY, authenticationResult.getMetadata());
    }

    void loadApiKeyAndValidateCredentials(ThreadContext threadContext, ApiKeyCredentials apiKeyCredentials, ActionListener<AuthenticationResult> actionListener) {
        long j;
        String id = apiKeyCredentials.getId();
        Consumer consumer = apiKeyDoc -> {
            validateApiKeyCredentials(id, apiKeyDoc, apiKeyCredentials, this.clock, actionListener.delegateResponse((actionListener2, exc) -> {
                if (ExceptionsHelper.unwrapCause(exc) instanceof EsRejectedExecutionException) {
                    actionListener2.onResponse(AuthenticationResult.terminate("server is too busy to respond", exc));
                } else {
                    actionListener2.onFailure(exc);
                }
            }));
        };
        if (this.apiKeyDocCache != null) {
            ApiKeyDoc apiKeyDoc2 = this.apiKeyDocCache.get(id);
            if (apiKeyDoc2 != null) {
                consumer.accept(apiKeyDoc2);
                return;
            }
            j = this.apiKeyDocCache.getInvalidationCount();
        } else {
            j = -1;
        }
        GetRequest request = this.client.prepareGet(".security", "_doc", id).setFetchSource(true).request();
        long j2 = j;
        ActionListener wrap = ActionListener.wrap(getResponse -> {
            if (!getResponse.isExists()) {
                if (this.apiKeyAuthCache != null) {
                    this.apiKeyAuthCache.invalidate(id);
                }
                actionListener.onResponse(AuthenticationResult.unsuccessful("unable to find apikey with id " + apiKeyCredentials.getId(), (Exception) null));
                return;
            }
            XContentParser createParser = XContentHelper.createParser(NamedXContentRegistry.EMPTY, LoggingDeprecationHandler.INSTANCE, getResponse.getSourceAsBytesRef(), XContentType.JSON);
            try {
                ApiKeyDoc fromXContent = ApiKeyDoc.fromXContent(createParser);
                if (createParser != null) {
                    createParser.close();
                }
                if (j2 != -1) {
                    this.apiKeyDocCache.putIfNoInvalidationSince(id, fromXContent, j2);
                }
                consumer.accept(fromXContent);
            } catch (Throwable th) {
                if (createParser != null) {
                    try {
                        createParser.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }, exc -> {
            if (ExceptionsHelper.unwrapCause(exc) instanceof EsRejectedExecutionException) {
                actionListener.onResponse(AuthenticationResult.terminate("server is too busy to respond", exc));
            } else {
                actionListener.onResponse(AuthenticationResult.unsuccessful("apikey authentication for id " + apiKeyCredentials.getId() + " encountered a failure", exc));
            }
        });
        Client client = this.client;
        Objects.requireNonNull(client);
        ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::get);
    }

    public void getRoleForApiKey(Authentication authentication, ActionListener<ApiKeyRoleDescriptors> actionListener) {
        if (authentication.getAuthenticationType() != Authentication.AuthenticationType.API_KEY) {
            throw new IllegalStateException("authentication type must be api key but is " + authentication.getAuthenticationType());
        }
        if (!$assertionsDisabled && !authentication.getVersion().before(Authentication.VERSION_API_KEY_ROLES_AS_BYTES)) {
            throw new AssertionError("This method only applies to authentication objects created before v7.9.0");
        }
        Map metadata = authentication.getMetadata();
        String str = (String) metadata.get(API_KEY_ID_KEY);
        Map<String, Object> map = (Map) metadata.get("_security_api_key_role_descriptors");
        Map<String, Object> map2 = (Map) metadata.get("_security_api_key_limited_by_role_descriptors");
        if (map == null && map2 == null) {
            actionListener.onFailure(new ElasticsearchSecurityException("no role descriptors found for API key", new Object[0]));
        } else if (map == null || map.isEmpty()) {
            actionListener.onResponse(new ApiKeyRoleDescriptors(str, parseRoleDescriptors(str, map2), null));
        } else {
            actionListener.onResponse(new ApiKeyRoleDescriptors(str, parseRoleDescriptors(str, map), parseRoleDescriptors(str, map2)));
        }
    }

    public Tuple<String, BytesReference> getApiKeyIdAndRoleBytes(Authentication authentication, boolean z) {
        if (authentication.getAuthenticationType() != Authentication.AuthenticationType.API_KEY) {
            throw new IllegalStateException("authentication type must be api key but is " + authentication.getAuthenticationType());
        }
        if (!$assertionsDisabled && !authentication.getVersion().onOrAfter(Authentication.VERSION_API_KEY_ROLES_AS_BYTES)) {
            throw new AssertionError("This method only applies to authentication objects created on or after v7.9.0");
        }
        Map metadata = authentication.getMetadata();
        BytesReference bytesReference = (BytesReference) metadata.get(z ? "_security_api_key_limited_by_role_descriptors" : "_security_api_key_role_descriptors");
        return (z && bytesReference.length() == 2 && "{}".equals(bytesReference.utf8ToString()) && "_service_account".equals(metadata.get(API_KEY_CREATOR_REALM_NAME)) && "elastic/fleet-server".equals(authentication.getUser().principal())) ? new Tuple<>((String) metadata.get(API_KEY_ID_KEY), FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14) : new Tuple<>((String) metadata.get(API_KEY_ID_KEY), bytesReference);
    }

    private List<RoleDescriptor> parseRoleDescriptors(String str, Map<String, Object> map) {
        if (map == null) {
            return null;
        }
        return (List) map.entrySet().stream().map(entry -> {
            String str2 = (String) entry.getKey();
            Map map2 = (Map) entry.getValue();
            try {
                XContentBuilder builder = XContentBuilder.builder(XContentType.JSON.xContent());
                try {
                    builder.map(map2);
                    XContentParser createParser = XContentType.JSON.xContent().createParser(NamedXContentRegistry.EMPTY, new ApiKeyLoggingDeprecationHandler(deprecationLogger, str), BytesReference.bytes(builder).streamInput());
                    try {
                        RoleDescriptor parse = RoleDescriptor.parse(str2, createParser, false);
                        if (createParser != null) {
                            createParser.close();
                        }
                        if (builder != null) {
                            builder.close();
                        }
                        return parse;
                    } catch (Throwable th) {
                        if (createParser != null) {
                            try {
                                createParser.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } finally {
                }
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }).collect(Collectors.toList());
    }

    public List<RoleDescriptor> parseRoleDescriptors(String str, BytesReference bytesReference) {
        if (bytesReference == null) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        try {
            XContentParser createParser = XContentHelper.createParser(NamedXContentRegistry.EMPTY, new ApiKeyLoggingDeprecationHandler(deprecationLogger, str), bytesReference, XContentType.JSON);
            try {
                createParser.nextToken();
                while (createParser.nextToken() != XContentParser.Token.END_OBJECT) {
                    createParser.nextToken();
                    arrayList.add(RoleDescriptor.parse(createParser.currentName(), createParser, false));
                }
                if (createParser != null) {
                    createParser.close();
                }
                return Collections.unmodifiableList(arrayList);
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    void validateApiKeyCredentials(String str, ApiKeyDoc apiKeyDoc, ApiKeyCredentials apiKeyCredentials, Clock clock, ActionListener<AuthenticationResult> actionListener) {
        if (!"api_key".equals(apiKeyDoc.docType)) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("document [" + str + "] is [" + apiKeyDoc.docType + "] not an api key", (Exception) null));
            return;
        }
        if (apiKeyDoc.invalidated == null) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("api key document is missing invalidated field", (Exception) null));
            return;
        }
        if (apiKeyDoc.invalidated.booleanValue()) {
            if (this.apiKeyAuthCache != null) {
                this.apiKeyAuthCache.invalidate(str);
            }
            actionListener.onResponse(AuthenticationResult.unsuccessful("api key has been invalidated", (Exception) null));
            return;
        }
        if (apiKeyDoc.hash == null) {
            throw new IllegalStateException("api key hash is missing");
        }
        if (this.apiKeyAuthCache == null) {
            String str2 = apiKeyDoc.hash;
            CheckedConsumer checkedConsumer = bool -> {
                if (bool.booleanValue()) {
                    validateApiKeyExpiration(apiKeyDoc, apiKeyCredentials, clock, actionListener);
                } else {
                    actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials", (Exception) null));
                }
            };
            Objects.requireNonNull(actionListener);
            verifyKeyAgainstHash(str2, apiKeyCredentials, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            return;
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(true);
        try {
            ListenableFuture listenableFuture = (ListenableFuture) this.apiKeyAuthCache.computeIfAbsent(apiKeyCredentials.getId(), str3 -> {
                atomicBoolean.set(false);
                return new ListenableFuture();
            });
            if (atomicBoolean.get()) {
                CheckedConsumer checkedConsumer2 = cachedApiKeyHashResult -> {
                    if (cachedApiKeyHashResult.success) {
                        if (cachedApiKeyHashResult.verify(apiKeyCredentials.getKey())) {
                            validateApiKeyExpiration(apiKeyDoc, apiKeyCredentials, clock, actionListener);
                            return;
                        } else {
                            actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials", (Exception) null));
                            return;
                        }
                    }
                    if (cachedApiKeyHashResult.verify(apiKeyCredentials.getKey())) {
                        actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials", (Exception) null));
                    } else {
                        this.apiKeyAuthCache.invalidate(apiKeyCredentials.getId(), listenableFuture);
                        validateApiKeyCredentials(str, apiKeyDoc, apiKeyCredentials, clock, actionListener);
                    }
                };
                Objects.requireNonNull(actionListener);
                listenableFuture.addListener(ActionListener.wrap(checkedConsumer2, actionListener::onFailure), this.threadPool.generic(), this.threadPool.getThreadContext());
            } else {
                String str4 = apiKeyDoc.hash;
                CheckedConsumer checkedConsumer3 = bool2 -> {
                    listenableFuture.onResponse(new CachedApiKeyHashResult(bool2.booleanValue(), apiKeyCredentials.getKey()));
                    if (bool2.booleanValue()) {
                        validateApiKeyExpiration(apiKeyDoc, apiKeyCredentials, clock, actionListener);
                    } else {
                        actionListener.onResponse(AuthenticationResult.unsuccessful("invalid credentials", (Exception) null));
                    }
                };
                Objects.requireNonNull(actionListener);
                verifyKeyAgainstHash(str4, apiKeyCredentials, ActionListener.wrap(checkedConsumer3, actionListener::onFailure));
            }
        } catch (ExecutionException e) {
            actionListener.onFailure(e);
        }
    }

    CachedApiKeyHashResult getFromCache(String str) {
        if (this.apiKeyAuthCache == null) {
            return null;
        }
        return (CachedApiKeyHashResult) FutureUtils.get((Future) this.apiKeyAuthCache.get(str), 0L, TimeUnit.MILLISECONDS);
    }

    Cache<String, ListenableFuture<CachedApiKeyHashResult>> getApiKeyAuthCache() {
        return this.apiKeyAuthCache;
    }

    Cache<String, CachedApiKeyDoc> getDocCache() {
        if (this.apiKeyDocCache == null) {
            return null;
        }
        return this.apiKeyDocCache.docCache;
    }

    Cache<String, BytesReference> getRoleDescriptorsBytesCache() {
        if (this.apiKeyDocCache == null) {
            return null;
        }
        return this.apiKeyDocCache.roleDescriptorsBytesCache;
    }

    void validateApiKeyExpiration(ApiKeyDoc apiKeyDoc, ApiKeyCredentials apiKeyCredentials, Clock clock, ActionListener<AuthenticationResult> actionListener) {
        if (apiKeyDoc.expirationTime != -1 && !Instant.ofEpochMilli(apiKeyDoc.expirationTime).isAfter(clock.instant())) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("api key is expired", (Exception) null));
            return;
        }
        User user = new User((String) Objects.requireNonNull((String) apiKeyDoc.creator.get("principal")), Strings.EMPTY_ARRAY, (String) apiKeyDoc.creator.get("full_name"), (String) apiKeyDoc.creator.get("email"), (Map) apiKeyDoc.creator.get("metadata"), true);
        HashMap hashMap = new HashMap();
        hashMap.put(API_KEY_CREATOR_REALM_NAME, apiKeyDoc.creator.get(LoggingAuditTrail.REALM_FIELD_NAME));
        hashMap.put(API_KEY_CREATOR_REALM_TYPE, apiKeyDoc.creator.get("realm_type"));
        hashMap.put("_security_api_key_role_descriptors", apiKeyDoc.roleDescriptorsBytes);
        hashMap.put("_security_api_key_limited_by_role_descriptors", apiKeyDoc.limitedByRoleDescriptorsBytes);
        hashMap.put(API_KEY_ID_KEY, apiKeyCredentials.getId());
        hashMap.put(API_KEY_NAME_KEY, apiKeyDoc.name);
        if (apiKeyDoc.metadataFlattened != null) {
            hashMap.put(API_KEY_METADATA_KEY, apiKeyDoc.metadataFlattened);
        }
        actionListener.onResponse(AuthenticationResult.success(user, hashMap));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ApiKeyCredentials getCredentialsFromHeader(ThreadContext threadContext) {
        SecureString extractCredentialFromAuthorizationHeader;
        if (false == isEnabled() || (extractCredentialFromAuthorizationHeader = Authenticator.extractCredentialFromAuthorizationHeader(threadContext, "ApiKey")) == null) {
            return null;
        }
        try {
            char[] utf8BytesToChars = CharArrays.utf8BytesToChars(Base64.getDecoder().decode(CharArrays.toUtf8Bytes(extractCredentialFromAuthorizationHeader.getChars())));
            int i = -1;
            int i2 = 0;
            while (true) {
                if (i2 >= utf8BytesToChars.length) {
                    break;
                }
                if (utf8BytesToChars[i2] == ':') {
                    i = i2;
                    break;
                }
                i2++;
            }
            if (i < 1) {
                throw new IllegalArgumentException("invalid ApiKey value");
            }
            ApiKeyCredentials apiKeyCredentials = new ApiKeyCredentials(new String(Arrays.copyOfRange(utf8BytesToChars, 0, i)), new SecureString(Arrays.copyOfRange(utf8BytesToChars, i + 1, utf8BytesToChars.length)));
            if (utf8BytesToChars != null) {
                Arrays.fill(utf8BytesToChars, (char) 0);
            }
            return apiKeyCredentials;
        } catch (Throwable th) {
            if (0 != 0) {
                Arrays.fill((char[]) null, (char) 0);
            }
            throw th;
        }
    }

    public static boolean isApiKeyAuthentication(Authentication authentication) {
        if (Authentication.AuthenticationType.API_KEY != authentication.getAuthenticationType()) {
            return false;
        }
        if ($assertionsDisabled || "_es_api_key".equals(authentication.getAuthenticatedBy().getType())) {
            return true;
        }
        throw new AssertionError("API key authentication must have API key realm type");
    }

    void computeHashForApiKey(SecureString secureString, ActionListener<char[]> actionListener) {
        this.threadPool.executor(Security.SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(actionListener, () -> {
            return this.hasher.hash(secureString);
        }));
    }

    protected void verifyKeyAgainstHash(String str, ApiKeyCredentials apiKeyCredentials, ActionListener<Boolean> actionListener) {
        this.threadPool.executor(Security.SECURITY_CRYPTO_THREAD_POOL_NAME).execute(ActionRunnable.supply(actionListener, () -> {
            Hasher resolveFromHash = Hasher.resolveFromHash(str.toCharArray());
            char[] charArray = str.toCharArray();
            try {
                Boolean valueOf = Boolean.valueOf(resolveFromHash.verify(apiKeyCredentials.getKey(), charArray));
                Arrays.fill(charArray, (char) 0);
                return valueOf;
            } catch (Throwable th) {
                Arrays.fill(charArray, (char) 0);
                throw th;
            }
        }));
    }

    private Instant getApiKeyExpiration(Instant instant, CreateApiKeyRequest createApiKeyRequest) {
        if (createApiKeyRequest.getExpiration() != null) {
            return instant.plusSeconds(createApiKeyRequest.getExpiration().getSeconds());
        }
        return null;
    }

    private boolean isEnabled() {
        return this.enabled && this.licenseState.isSecurityEnabled();
    }

    public void ensureEnabled() {
        if (!this.licenseState.isSecurityEnabled()) {
            throw LicenseUtils.newComplianceException("security is not enabled");
        }
        if (!this.enabled) {
            throw new FeatureNotEnabledException(FeatureNotEnabledException.Feature.API_KEY_SERVICE, "api keys are not enabled", new Object[0]);
        }
    }

    public void invalidateApiKeys(String str, String str2, String str3, String[] strArr, ActionListener<InvalidateApiKeyResponse> actionListener) {
        ensureEnabled();
        if (!Strings.hasText(str) && !Strings.hasText(str2) && !Strings.hasText(str3) && (strArr == null || strArr.length == 0)) {
            logger.trace("none of the parameters [api key id, api key name, username, realm name] were specified for invalidation");
            actionListener.onFailure(new IllegalArgumentException("One of [api key id, api key name, username, realm name] must be specified"));
        } else {
            CheckedConsumer checkedConsumer = collection -> {
                if (!collection.isEmpty()) {
                    invalidateAllApiKeys((Collection) collection.stream().map(apiKey -> {
                        return apiKey.getId();
                    }).collect(Collectors.toSet()), actionListener);
                } else {
                    logger.debug("No active api keys to invalidate for realm [{}], username [{}], api key name [{}] and api key id [{}]", str, str2, str3, Arrays.toString(strArr));
                    actionListener.onResponse(InvalidateApiKeyResponse.emptyResponse());
                }
            };
            Objects.requireNonNull(actionListener);
            findApiKeysForUserRealmApiKeyIdAndNameCombination(str, str2, str3, strArr, true, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    private void invalidateAllApiKeys(Collection<String> collection, ActionListener<InvalidateApiKeyResponse> actionListener) {
        indexInvalidation(collection, actionListener, null);
    }

    private void findApiKeys(BoolQueryBuilder boolQueryBuilder, boolean z, boolean z2, ActionListener<Collection<ApiKey>> actionListener) {
        if (z) {
            boolQueryBuilder.filter(QueryBuilders.termQuery("api_key_invalidated", false));
        }
        if (z2) {
            BoolQueryBuilder boolQuery = QueryBuilders.boolQuery();
            boolQuery.should(QueryBuilders.rangeQuery("expiration_time").gt(Long.valueOf(Instant.now().toEpochMilli())));
            boolQuery.should(QueryBuilders.boolQuery().mustNot(QueryBuilders.existsQuery("expiration_time")));
            boolQueryBuilder.filter(boolQuery);
        }
        Supplier newRestorableContext = this.client.threadPool().getThreadContext().newRestorableContext(false);
        ThreadContext.StoredContext stashWithOrigin = this.client.threadPool().getThreadContext().stashWithOrigin("security");
        try {
            SearchRequest request = this.client.prepareSearch(new String[]{".security"}).setScroll((TimeValue) SearchService.DEFAULT_KEEPALIVE_SETTING.get(this.settings)).setQuery(boolQueryBuilder).setVersion(false).setSize(1000).setFetchSource(true).request();
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                ScrollHelper.fetchAllByEntity(this.client, request, new ContextPreservingActionListener(newRestorableContext, actionListener), ApiKeyService::convertSearchHitToApiKeyInfo);
            });
            if (stashWithOrigin != null) {
                stashWithOrigin.close();
            }
        } catch (Throwable th) {
            if (stashWithOrigin != null) {
                try {
                    stashWithOrigin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void findApiKeysForUserRealmApiKeyIdAndNameCombination(String str, String str2, String str3, String[] strArr, boolean z, boolean z2, ActionListener<Collection<ApiKey>> actionListener) {
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (!freeze.indexExists()) {
            actionListener.onResponse(Collections.emptyList());
            return;
        }
        if (!freeze.isAvailable()) {
            actionListener.onFailure(freeze.getUnavailableReason());
            return;
        }
        BoolQueryBuilder filter = QueryBuilders.boolQuery().filter(QueryBuilders.termQuery("doc_type", "api_key"));
        if (Strings.hasText(str)) {
            filter.filter(QueryBuilders.termQuery("creator.realm", str));
        }
        if (Strings.hasText(str2)) {
            filter.filter(QueryBuilders.termQuery("creator.principal", str2));
        }
        if (Strings.hasText(str3) && !"*".equals(str3)) {
            if (str3.endsWith("*")) {
                filter.filter(QueryBuilders.prefixQuery("name", str3.substring(0, str3.length() - 1)));
            } else {
                filter.filter(QueryBuilders.termQuery("name", str3));
            }
        }
        if (strArr != null && strArr.length > 0) {
            filter.filter(QueryBuilders.idsQuery().addIds(strArr));
        }
        findApiKeys(filter, z, z2, actionListener);
    }

    private void indexInvalidation(Collection<String> collection, ActionListener<InvalidateApiKeyResponse> actionListener, @Nullable InvalidateApiKeyResponse invalidateApiKeyResponse) {
        maybeStartApiKeyRemover();
        if (collection.isEmpty()) {
            actionListener.onFailure(new ElasticsearchSecurityException("No api key ids provided for invalidation", new Object[0]));
            return;
        }
        BulkRequestBuilder prepareBulk = this.client.prepareBulk();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            prepareBulk.add(this.client.prepareUpdate(".security", "_doc", it.next()).setDoc(Collections.singletonMap("api_key_invalidated", true)).request());
        }
        prepareBulk.setRefreshPolicy(WriteRequest.RefreshPolicy.WAIT_UNTIL);
        this.securityIndex.prepareIndexIfNeededThenExecute(exc -> {
            actionListener.onFailure((Exception) traceLog("prepare security index", exc));
        }, () -> {
            ThreadContext threadContext = this.client.threadPool().getThreadContext();
            BulkRequest request = prepareBulk.request();
            ActionListener wrap = ActionListener.wrap(bulkResponse -> {
                ArrayList arrayList = new ArrayList();
                ArrayList arrayList2 = new ArrayList();
                ArrayList arrayList3 = new ArrayList();
                if (null != invalidateApiKeyResponse) {
                    arrayList.addAll(invalidateApiKeyResponse.getErrors());
                    arrayList2.addAll(invalidateApiKeyResponse.getPreviouslyInvalidatedApiKeys());
                    arrayList3.addAll(invalidateApiKeyResponse.getInvalidatedApiKeys());
                }
                for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
                    if (bulkItemResponse.isFailed()) {
                        Exception cause = bulkItemResponse.getFailure().getCause();
                        traceLog("invalidate api key", bulkItemResponse.getFailure().getId(), cause);
                        arrayList.add(new ElasticsearchException("Error invalidating api key", cause, new Object[0]));
                    } else {
                        UpdateResponse response = bulkItemResponse.getResponse();
                        if (response.getResult() == DocWriteResponse.Result.UPDATED) {
                            logger.debug("Invalidated api key for doc [{}]", response.getId());
                            arrayList3.add(response.getId());
                        } else if (response.getResult() == DocWriteResponse.Result.NOOP) {
                            arrayList2.add(response.getId());
                        }
                    }
                }
                clearCache(new InvalidateApiKeyResponse(arrayList3, arrayList2, arrayList), actionListener);
            }, exc2 -> {
                traceLog("invalidate api keys", ExceptionsHelper.unwrapCause(exc2));
                actionListener.onFailure(exc2);
            });
            Client client = this.client;
            Objects.requireNonNull(client);
            ClientHelper.executeAsyncWithOrigin(threadContext, "security", request, wrap, client::bulk);
        });
    }

    private void clearCache(final InvalidateApiKeyResponse invalidateApiKeyResponse, final ActionListener<InvalidateApiKeyResponse> actionListener) {
        ClientHelper.executeAsyncWithOrigin(this.client, "security", ClearSecurityCacheAction.INSTANCE, new ClearSecurityCacheRequest().cacheName("api_key").keys((String[]) invalidateApiKeyResponse.getInvalidatedApiKeys().toArray(new String[0])), new ActionListener<ClearSecurityCacheResponse>() { // from class: org.elasticsearch.xpack.security.authc.ApiKeyService.2
            public void onResponse(ClearSecurityCacheResponse clearSecurityCacheResponse) {
                actionListener.onResponse(invalidateApiKeyResponse);
            }

            public void onFailure(Exception exc) {
                ApiKeyService.logger.error("unable to clear API key cache", exc);
                actionListener.onFailure(new ElasticsearchException("clearing the API key cache failed; please clear the caches manually", exc, new Object[0]));
            }
        });
    }

    private <E extends Throwable> E traceLog(String str, String str2, E e) {
        if (logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}] for id [{}] - [{}]", new Object[]{str, str2, header});
                    }, elasticsearchException);
                } else {
                    logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}] for id [{}]", str, str2);
                    }, elasticsearchException);
                }
            } else {
                logger.trace(() -> {
                    return new ParameterizedMessage("Failure in [{}] for id [{}]", str, str2);
                }, e);
            }
        }
        return e;
    }

    private <E extends Throwable> E traceLog(String str, E e) {
        if (logger.isTraceEnabled()) {
            if (e instanceof ElasticsearchException) {
                ElasticsearchException elasticsearchException = (ElasticsearchException) e;
                List header = elasticsearchException.getHeader("error_description");
                if (header != null) {
                    logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}] - [{}]", str, header);
                    }, elasticsearchException);
                } else {
                    logger.trace(() -> {
                        return new ParameterizedMessage("Failure in [{}]", str);
                    }, elasticsearchException);
                }
            } else {
                logger.trace(() -> {
                    return new ParameterizedMessage("Failure in [{}]", str);
                }, e);
            }
        }
        return e;
    }

    boolean isExpirationInProgress() {
        return this.expiredApiKeysRemover.isExpirationInProgress();
    }

    long lastTimeWhenApiKeysRemoverWasTriggered() {
        return this.lastExpirationRunMs;
    }

    private void maybeStartApiKeyRemover() {
        if (!this.securityIndex.isAvailable() || this.client.threadPool().relativeTimeInMillis() - this.lastExpirationRunMs <= this.deleteInterval.getMillis()) {
            return;
        }
        this.expiredApiKeysRemover.submit(this.client.threadPool());
        this.lastExpirationRunMs = this.client.threadPool().relativeTimeInMillis();
    }

    public void getApiKeys(String str, String str2, String str3, String str4, ActionListener<GetApiKeyResponse> actionListener) {
        ensureEnabled();
        String[] strArr = !Strings.hasText(str4) ? null : new String[]{str4};
        CheckedConsumer checkedConsumer = collection -> {
            if (!collection.isEmpty()) {
                actionListener.onResponse(new GetApiKeyResponse(collection));
            } else {
                logger.debug("No active api keys found for realm [{}], user [{}], api key name [{}] and api key id [{}]", str, str2, str3, str4);
                actionListener.onResponse(GetApiKeyResponse.emptyResponse());
            }
        };
        Objects.requireNonNull(actionListener);
        findApiKeysForUserRealmApiKeyIdAndNameCombination(str, str2, str3, strArr, false, false, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void queryApiKeys(SearchRequest searchRequest, ActionListener<QueryApiKeyResponse> actionListener) {
        ensureEnabled();
        SecurityIndexManager freeze = this.securityIndex.freeze();
        if (!freeze.indexExists()) {
            logger.debug("security index does not exist");
            actionListener.onResponse(QueryApiKeyResponse.emptyResponse());
        } else {
            if (!freeze.isAvailable()) {
                actionListener.onFailure(freeze.getUnavailableReason());
                return;
            }
            SecurityIndexManager securityIndexManager = this.securityIndex;
            Objects.requireNonNull(actionListener);
            securityIndexManager.checkIndexVersionThenExecute(actionListener::onFailure, () -> {
                Client client = this.client;
                SearchAction searchAction = SearchAction.INSTANCE;
                CheckedConsumer checkedConsumer = searchResponse -> {
                    long j = searchResponse.getHits().getTotalHits().value;
                    if (j != 0) {
                        actionListener.onResponse(new QueryApiKeyResponse(j, (List) Arrays.stream(searchResponse.getHits().getHits()).map(ApiKeyService::convertSearchHitToQueryItem).collect(Collectors.toList())));
                    } else {
                        logger.debug("No api keys found for query [{}]", searchRequest.source().query());
                        actionListener.onResponse(QueryApiKeyResponse.emptyResponse());
                    }
                };
                Objects.requireNonNull(actionListener);
                ClientHelper.executeAsyncWithOrigin(client, "security", searchAction, searchRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            });
        }
    }

    private static QueryApiKeyResponse.Item convertSearchHitToQueryItem(SearchHit searchHit) {
        return new QueryApiKeyResponse.Item(convertSearchHitToApiKeyInfo(searchHit), searchHit.getSortValues());
    }

    private static ApiKey convertSearchHitToApiKeyInfo(SearchHit searchHit) {
        Map sourceAsMap = searchHit.getSourceAsMap();
        String str = (String) sourceAsMap.get("name");
        String id = searchHit.getId();
        Long l = (Long) sourceAsMap.get("creation_time");
        Long l2 = (Long) sourceAsMap.get("expiration_time");
        Boolean bool = (Boolean) sourceAsMap.get("api_key_invalidated");
        return new ApiKey(str, id, Instant.ofEpochMilli(l.longValue()), l2 != null ? Instant.ofEpochMilli(l2.longValue()) : null, bool.booleanValue(), (String) ((Map) sourceAsMap.get("creator")).get("principal"), (String) ((Map) sourceAsMap.get("creator")).get(LoggingAuditTrail.REALM_FIELD_NAME), (Map) sourceAsMap.get("metadata_flattened"));
    }

    private RemovalListener<String, ListenableFuture<CachedApiKeyHashResult>> getAuthCacheRemovalListener(int i) {
        return removalNotification -> {
            if (RemovalNotification.RemovalReason.EVICTED != removalNotification.getRemovalReason() || getApiKeyAuthCache().count() < i) {
                return;
            }
            this.evictionCounter.increment();
            logger.trace("API key with ID [{}] was evicted from the authentication cache, possibly due to cache size limit", removalNotification.getKey());
            long j = this.lastEvictionCheckedAt.get();
            long nanoTime = System.nanoTime();
            if (nanoTime - j < EVICTION_MONITOR_INTERVAL_NANOS || !this.lastEvictionCheckedAt.compareAndSet(j, nanoTime)) {
                return;
            }
            long sum = this.evictionCounter.sum();
            this.evictionCounter.add(-sum);
            if (sum >= EVICTION_WARNING_THRESHOLD) {
                logger.warn("Possible thrashing for API key authentication cache, [{}] eviction due to cache size within last [{}] seconds", Long.valueOf(sum), Long.valueOf(EVICTION_MONITOR_INTERVAL_SECONDS));
            }
        };
    }

    LongAdder getEvictionCounter() {
        return this.evictionCounter;
    }

    AtomicLong getLastEvictionCheckedAt() {
        return this.lastEvictionCheckedAt;
    }

    public static String getCreatorRealmName(Authentication authentication) {
        return Authentication.AuthenticationType.API_KEY == authentication.getAuthenticationType() ? (String) authentication.getMetadata().get(API_KEY_CREATOR_REALM_NAME) : authentication.getSourceRealm().getName();
    }

    public static String getCreatorRealmType(Authentication authentication) {
        return Authentication.AuthenticationType.API_KEY == authentication.getAuthenticationType() ? (String) authentication.getMetadata().get(API_KEY_CREATOR_REALM_TYPE) : authentication.getSourceRealm().getType();
    }

    public static Map<String, Object> getApiKeyMetadata(Authentication authentication) {
        if (Authentication.AuthenticationType.API_KEY != authentication.getAuthenticationType()) {
            throw new IllegalArgumentException("authentication type must be [api_key], got [" + authentication.getAuthenticationType().name().toLowerCase(Locale.ROOT) + "]");
        }
        Object obj = authentication.getMetadata().get(API_KEY_METADATA_KEY);
        return obj != null ? (Map) XContentHelper.convertToMap((BytesReference) obj, false, XContentType.JSON).v2() : org.elasticsearch.core.Map.of();
    }

    static {
        $assertionsDisabled = !ApiKeyService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(ApiKeyService.class);
        deprecationLogger = DeprecationLogger.getLogger(ApiKeyService.class);
        METADATA_INTRODUCED = Version.V_7_13_0;
        PASSWORD_HASHING_ALGORITHM = new Setting<>("xpack.security.authc.api_key.hashing.algorithm", "pbkdf2", Function.identity(), str -> {
            if (!Hasher.getAvailableAlgoStoredHash().contains(str.toLowerCase(Locale.ROOT))) {
                throw new IllegalArgumentException("Invalid algorithm: " + str + ". Valid values for password hashing are " + Hasher.getAvailableAlgoStoredHash().toString());
            }
            if (str.regionMatches(true, 0, "pbkdf2", 0, "pbkdf2".length())) {
                try {
                    SecretKeyFactory.getInstance("PBKDF2withHMACSHA512");
                } catch (NoSuchAlgorithmException e) {
                    throw new IllegalArgumentException("Support for PBKDF2WithHMACSHA512 must be available in order to use any of the PBKDF2 algorithms for the [xpack.security.authc.api_key.hashing.algorithm] setting.", e);
                }
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_TIMEOUT = Setting.timeSetting("xpack.security.authc.api_key.delete.timeout", TimeValue.MINUS_ONE, new Setting.Property[]{Setting.Property.NodeScope});
        DELETE_INTERVAL = Setting.timeSetting("xpack.security.authc.api_key.delete.interval", TimeValue.timeValueHours(24L), new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_HASH_ALGO_SETTING = Setting.simpleString("xpack.security.authc.api_key.cache.hash_algo", "ssha256", new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_TTL_SETTING = Setting.timeSetting("xpack.security.authc.api_key.cache.ttl", TimeValue.timeValueHours(24L), new Setting.Property[]{Setting.Property.NodeScope});
        CACHE_MAX_KEYS_SETTING = Setting.intSetting("xpack.security.authc.api_key.cache.max_keys", 25000, new Setting.Property[]{Setting.Property.NodeScope});
        DOC_CACHE_TTL_SETTING = Setting.timeSetting("xpack.security.authc.api_key.doc_cache.ttl", TimeValue.timeValueMinutes(5L), TimeValue.timeValueMinutes(0L), TimeValue.timeValueMinutes(15L), new Setting.Property[]{Setting.Property.NodeScope});
        FLEET_SERVER_ROLE_DESCRIPTOR_BYTES_V_7_14 = new BytesArray("{\"elastic/fleet-server\":{\"cluster\":[\"monitor\",\"manage_own_api_key\"],\"indices\":[{\"names\":[\"logs-*\",\"metrics-*\",\"traces-*\",\"synthetics-*\",\".logs-endpoint.diagnostic.collection-*\"],\"privileges\":[\"write\",\"create_index\",\"auto_configure\"],\"allow_restricted_indices\":false},{\"names\":[\".fleet-*\"],\"privileges\":[\"read\",\"write\",\"monitor\",\"create_index\",\"auto_configure\"],\"allow_restricted_indices\":false}],\"applications\":[],\"run_as\":[],\"metadata\":{},\"transient_metadata\":{\"enabled\":true}}}");
    }
}
