package org.elasticsearch.xpack.security.action.saml;

import java.util.Map;
import java.util.Objects;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateRequest;
import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.saml.SamlRealm;
import org.elasticsearch.xpack.security.authc.saml.SamlToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.class */
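/**
 * Transport action that completes a SAML login.
 *
 * <p>It wraps the SAML content of the request in a {@link SamlToken}, hands that token to the
 * {@link AuthenticationService}, and on success asks the {@link TokenService} to create OAuth2
 * tokens. The access token, refresh token and expiration delay are returned in a
 * {@link SamlAuthenticateResponse}.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>The authentication already present on the calling thread is read <em>before</em> the thread
 *       context is stashed, and the SAML authentication itself runs inside the stashed context.</li>
 *   <li>The two invariants on the resulting {@link Authentication} (non-null, not run-as) are
 *       {@code assert} statements. They are only evaluated when the JVM runs with assertions
 *       enabled, so they document the invariants rather than enforce them.</li>
 *   <li>The {@link SamlToken} is interpolated into trace and debug log lines through its
 *       {@code toString()}. NOTE(review): confirm that {@code SamlToken.toString()} does not emit
 *       the full SAML response.</li>
 * </ul>
 */
public final class TransportSamlAuthenticateAction extends HandledTransportAction<SamlAuthenticateRequest, SamlAuthenticateResponse> {
    /** Name this handler is registered under; also passed to the authentication service as the action. */
    private static final String ACTION_NAME = "cluster:admin/xpack/security/saml/authenticate";

    private final ThreadPool threadPool;
    private final AuthenticationService authenticationService;
    private final TokenService tokenService;
    private final SecurityContext securityContext;

    /**
     * Registers the action under {@link #ACTION_NAME} with the direct executor and stores the
     * collaborators used by {@link #doExecute}.
     *
     * @param threadPool source of the {@link ThreadContext} that is stashed during authentication
     * @param transportService passed to the superclass for handler registration
     * @param actionFilters passed to the superclass
     * @param authenticationService authenticates the {@link SamlToken}
     * @param tokenService creates the OAuth2 tokens returned to the caller
     * @param securityContext used to read the authentication of the calling thread
     */
    @Inject
    public TransportSamlAuthenticateAction(ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters, AuthenticationService authenticationService, TokenService tokenService, SecurityContext securityContext) {
        super(ACTION_NAME, transportService, actionFilters, SamlAuthenticateRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
        this.threadPool = threadPool;
        this.authenticationService = authenticationService;
        this.tokenService = tokenService;
        this.securityContext = securityContext;
    }

    /**
     * Authenticates the SAML content of {@code request} and, on success, responds with newly
     * created OAuth2 tokens.
     *
     * <p>Failures are reported through {@code listener.onFailure}: an {@link IllegalStateException}
     * when no {@link AuthenticationResult} is found on the thread context, otherwise the exception
     * produced by authentication or token creation, passed on unchanged.
     *
     * @param task the task this execution belongs to (not used here)
     * @param request carries the SAML content, the valid request ids and the realm name
     * @param listener receives the {@link SamlAuthenticateResponse} or the failure
     */
    @Override
    protected void doExecute(Task task, SamlAuthenticateRequest request, ActionListener<SamlAuthenticateResponse> listener) {
        final SamlToken samlToken = new SamlToken(request.getSaml(), request.getValidRequestIds(), request.getRealm());
        this.logger.trace("Attempting to authenticate SamlToken [{}]", samlToken);
        final ThreadContext threadContext = this.threadPool.getThreadContext();
        // Must be read before stashContext(): this is the authentication of the caller of this
        // API, which is later handed to the token service as its second argument.
        // NOTE(review): presumably recorded as the originating client of the tokens; confirm
        // against TokenService.createOAuth2Tokens.
        final Authentication callerAuthentication = this.securityContext.getAuthentication();
        // The SAML authentication runs in a stashed thread context; the previous context is
        // restored when the try block exits, normally or exceptionally.
        try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
            // Upcasts kept so that the same authenticate(...) overload is selected.
            this.authenticationService.authenticate(ACTION_NAME, (TransportRequest) request, (AuthenticationToken) samlToken, ActionListener.wrap(authentication -> {
                final AuthenticationResult authResult = (AuthenticationResult) threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY);
                if (authResult == null) {
                    listener.onFailure(new IllegalStateException("Cannot find User AuthenticationResult on thread context"));
                    return;
                }
                // Invariants only: skipped entirely when assertions are disabled.
                assert authentication != null : "authentication should never be null at this point";
                assert false == authentication.isRunAs() : "saml realm authentication cannot have run-as";
                // Metadata stored under SamlRealm.CONTEXT_TOKEN_DATA is forwarded to the token service.
                @SuppressWarnings("unchecked")
                final Map<String, Object> tokenMetadata = (Map<String, Object>) authResult.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
                // NOTE(review): the literal `true` presumably asks for a refresh token as well;
                // confirm against TokenService.createOAuth2Tokens.
                this.tokenService.createOAuth2Tokens(authentication, callerAuthentication, tokenMetadata, true, ActionListener.wrap(
                    tokenResult -> listener.onResponse(new SamlAuthenticateResponse(authentication, tokenResult.getAccessToken(), tokenResult.getRefreshToken(), this.tokenService.getExpirationDelay())),
                    listener::onFailure));
            }, exc -> {
                // Logged at debug level only; the exception itself is passed to the caller unchanged.
                this.logger.debug(() -> "SamlToken [" + samlToken + "] could not be authenticated", exc);
                listener.onFailure(exc);
            }));
        }
    }
}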
