package org.elasticsearch.xpack.security.action;

import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Strings;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationRequest;
import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.pki.X509AuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/TransportDelegatePkiAuthenticationAction.class */
/**
 * Transport handler for the {@code cluster:admin/xpack/security/delegate_pki} action.
 *
 * <p>An already-authenticated caller (the "delegatee") submits an X.509 certificate chain. The
 * handler wraps that chain in a delegated {@link X509AuthenticationToken}, asks the
 * {@link AuthenticationService} to authenticate it, and on success has the {@link TokenService}
 * mint an access token that is returned together with the resulting {@link Authentication}.
 *
 * <p>Security notes for maintainers and reviewers:
 * <ul>
 *   <li>The request handled here carries only a certificate chain. Nothing in this class checks
 *       that the end client proved possession of the matching private key; that assurance has to
 *       come from the delegatee (typically the component that terminated TLS). Permission to
 *       invoke this action should therefore be granted only to components trusted to make that
 *       assertion.</li>
 *   <li>Chain validation and the trust decision are left entirely to
 *       {@code authenticationService.authenticate(...)}; this class performs no certificate
 *       checks of its own.</li>
 *   <li>The delegated token is written to the log at TRACE (attempt) and DEBUG (failure) level.
 *       NOTE(review): what {@code X509AuthenticationToken#toString} prints is not visible here;
 *       confirm it is limited to what operators should see in logs.</li>
 * </ul>
 */
public final class TransportDelegatePkiAuthenticationAction extends HandledTransportAction<DelegatePkiAuthenticationRequest, DelegatePkiAuthenticationResponse> {
    /** Name under which the handler is registered; also passed as the action when authenticating the delegated token. */
    private static final String ACTION_NAME = "cluster:admin/xpack/security/delegate_pki";

    private static final Logger logger = LogManager.getLogger(TransportDelegatePkiAuthenticationAction.class);

    private final ThreadPool threadPool;
    private final AuthenticationService authenticationService;
    private final TokenService tokenService;
    private final SecurityContext securityContext;

    /**
     * Registers the handler under the delegate-PKI action name with
     * {@link EsExecutors#DIRECT_EXECUTOR_SERVICE} and stores the injected collaborators.
     *
     * @param threadPool            source of the {@link ThreadContext} that is stashed during delegated authentication
     * @param transportService      passed through to the base class
     * @param actionFilters         passed through to the base class
     * @param authenticationService authenticates the delegated X.509 token
     * @param tokenService          issues the access token once the delegated token is authenticated
     * @param securityContext       supplies the delegatee's own {@link Authentication}
     */
    @Inject
    public TransportDelegatePkiAuthenticationAction(ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters, AuthenticationService authenticationService, TokenService tokenService, SecurityContext securityContext) {
        super(ACTION_NAME, transportService, actionFilters, DelegatePkiAuthenticationRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
        this.threadPool = threadPool;
        this.authenticationService = authenticationService;
        this.tokenService = tokenService;
        this.securityContext = securityContext;
    }

    /**
     * Authenticates the certificate chain carried by the request on behalf of the current caller
     * and answers with a freshly issued access token.
     *
     * <p>The listener is failed with an {@link IllegalStateException} when no delegatee
     * authentication is present, and with the underlying exception when the delegated token cannot
     * be authenticated or token creation fails.
     *
     * @param task                             the task this execution belongs to (not used by this method)
     * @param delegatePkiAuthenticationRequest request holding the certificate chain to authenticate
     * @param actionListener                   receives the access token, its expiration delay and the
     *                                         delegated authentication, or the failure
     */
    protected void doExecute(Task task, DelegatePkiAuthenticationRequest delegatePkiAuthenticationRequest, ActionListener<DelegatePkiAuthenticationResponse> actionListener) {
        final ThreadContext threadContext = this.threadPool.getThreadContext();
        final Authentication delegateeAuthentication = this.securityContext.getAuthentication();
        if (delegateeAuthentication == null) {
            // Without a delegatee identity there is nobody to attribute the delegation to.
            actionListener.onFailure(new IllegalStateException("Delegatee authentication cannot be null"));
            return;
        }

        final X509Certificate[] certificateChain = delegatePkiAuthenticationRequest.getCertificateChain().toArray(new X509Certificate[0]);
        final X509AuthenticationToken x509Token = X509AuthenticationToken.delegated(certificateChain, delegateeAuthentication);
        logger.trace("Attempting to authenticate delegated x509Token [{}]", x509Token);

        // The delegatee's authentication was captured above; the thread context is stashed for the
        // duration of the authenticate(...) call, presumably so that the delegated token is
        // evaluated without the delegatee's own context in place. The stashed context is restored
        // when this try block exits, which is when authenticate(...) returns and not necessarily
        // when the listener completes.
        try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
            this.authenticationService.authenticate(ACTION_NAME, delegatePkiAuthenticationRequest, x509Token, ActionListener.wrap(delegatedAuthentication -> {
                assert delegatedAuthentication != null : "authentication should never be null at this point";
                // Only the access token of the result is returned to the caller. The `false`
                // argument presumably disables refresh-token issuance; confirm against TokenService.
                this.tokenService.createOAuth2Tokens(
                    delegatedAuthentication,
                    delegateeAuthentication,
                    Map.of(),
                    false,
                    ActionListener.wrap(
                        tokenResult -> actionListener.onResponse(
                            new DelegatePkiAuthenticationResponse(tokenResult.getAccessToken(), this.tokenService.getExpirationDelay(), delegatedAuthentication)
                        ),
                        actionListener::onFailure
                    )
                );
            }, failure -> {
                logger.debug(() -> Strings.format("Delegated x509Token [%s] could not be authenticated", x509Token), failure);
                actionListener.onFailure(failure);
            }));
        }
    }
}
