package org.elasticsearch.xpack.security.action;

import java.util.Objects;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.TransportAction;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.action.Grant;
import org.elasticsearch.xpack.core.security.action.GrantRequest;
import org.elasticsearch.xpack.core.security.action.user.AuthenticateRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.support.BearerToken;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.jwt.JwtAuthenticationToken;
import org.elasticsearch.xpack.security.authz.AuthorizationService;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/TransportGrantAction.class */
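/**
 * Base transport action for requests that carry a {@link Grant}: a second set of
 * credentials (username/password or an access token) on whose behalf the action runs.
 *
 * <p>The grant credentials are authenticated inside a stashed thread context, and only
 * the resulting {@link Authentication} is handed to
 * {@link #doExecuteWithGrantAuthentication}. Subclasses never see the raw credentials.
 *
 * <p>NOTE(review): this listing is decompiler output. The synthetic
 * {@code $assertionsDisabled} checks are written back as {@code assert} statements, the
 * hash-code switch as a plain string switch, and the context handling as
 * try-with-resources.
 */
public abstract class TransportGrantAction<Request extends GrantRequest, Response extends ActionResponse> extends TransportAction<Request, Response> {
    private static final String ACCESS_TOKEN_GRANT_TYPE = "access_token";
    private static final String PASSWORD_GRANT_TYPE = "password";
    // Action name the run-as grant authentication is authorized against before delegating.
    private static final String AUTHENTICATE_ACTION_NAME = "cluster:admin/xpack/security/user/authenticate";
    // Thread-context header that carries the requested run-as username into authentication.
    private static final String RUN_AS_USER_HEADER = "es-security-runas-user";
    private static final String RUN_AS_NOT_SUPPORTED = "the provided grant credentials do not support run-as";

    protected final AuthenticationService authenticationService;
    protected final AuthorizationService authorizationService;
    protected final ThreadContext threadContext;

    /**
     * @param str the action name, passed through to {@link TransportAction}
     * @param transportService supplies the task manager for the parent constructor
     * @param actionFilters filters passed through to {@link TransportAction}
     * @param authenticationService authenticates the grant credentials
     * @param authorizationService authorizes run-as grant authentications
     * @param threadContext context that is stashed while the grant is authenticated
     */
    public TransportGrantAction(String str, TransportService transportService, ActionFilters actionFilters, AuthenticationService authenticationService, AuthorizationService authorizationService, ThreadContext threadContext) {
        super(str, actionFilters, transportService.getTaskManager());
        this.authenticationService = authenticationService;
        this.authorizationService = authorizationService;
        this.threadContext = threadContext;
    }

    /**
     * Authenticates the grant carried by {@code request} and, on success, delegates to
     * {@link #doExecuteWithGrantAuthentication}.
     *
     * <p>Any exception thrown while setting up authentication is reported through
     * {@code actionListener.onFailure}. It is never propagated to the caller.
     *
     * @param task the task this execution belongs to
     * @param request the request holding the grant
     * @param actionListener notified with the subclass result or with the failure
     */
    @Override
    public final void doExecute(Task task, Request request, ActionListener<Response> actionListener) {
        // try-with-resources guarantees the stashed context is closed on every path. The
        // decompiled listing closed it only after a successful authenticate() call, so an
        // exception left the thread in the grant's context (run-as header included) while
        // the failure was being reported to the caller.
        try (ThreadContext.StoredContext stashed = this.threadContext.stashContext()) {
            final AuthenticationToken authenticationToken = getAuthenticationToken(request.getGrant());
            assert authenticationToken != null : "authentication token must not be null";

            final String runAsUsername = request.getGrant().getRunAsUsername();

            final ActionListener<Authentication> authenticationListener = ActionListener.wrap(authentication -> {
                if (!authentication.isRunAs()) {
                    if (runAsUsername != null) {
                        // run-as was requested but authentication did not honour it: reject
                        // rather than silently acting as the authenticating user.
                        actionListener.onFailure(runAsNotSupported());
                    } else {
                        doExecuteWithGrantAuthentication(task, request, authentication, actionListener);
                    }
                    return;
                }
                final String principal = authentication.getEffectiveSubject().getUser().principal();
                if (runAsUsername != null && false == runAsUsername.equals(principal)) {
                    // The effective user is not the one the request asked for.
                    actionListener.onFailure(runAsNotSupported());
                    return;
                }
                // A run-as authentication without a requested run-as user is only expected
                // for access-token grants.
                assert runAsUsername != null || ACCESS_TOKEN_GRANT_TYPE.equals(request.getGrant().getType());
                // NOTE(review): presumably this authorize() call is where the run-as
                // privilege of the authenticating user is enforced. The authorization
                // logic is not visible here, so confirm before relying on it.
                this.authorizationService.authorize(
                    authentication,
                    AUTHENTICATE_ACTION_NAME,
                    AuthenticateRequest.INSTANCE,
                    ActionListener.wrap(
                        ignoredResponse -> doExecuteWithGrantAuthentication(task, request, authentication, actionListener),
                        actionListener::onFailure
                    )
                );
            }, actionListener::onFailure);

            if (runAsUsername != null) {
                // Set after stashing, so the header is written to the stashed context only.
                this.threadContext.putHeader(RUN_AS_USER_HEADER, runAsUsername);
            }
            // runBefore: the token's credentials are cleared before the listener is
            // notified, whether authentication succeeded or failed.
            this.authenticationService.authenticate(
                this.actionName,
                (TransportRequest) request,
                authenticationToken,
                ActionListener.runBefore(authenticationListener, authenticationToken::clearCredentials)
            );
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    /**
     * Runs the concrete action once the grant has been authenticated (and, for run-as
     * authentications, authorized).
     *
     * @param task the task this execution belongs to
     * @param request the original request
     * @param authentication the authentication produced from the grant credentials
     * @param actionListener listener to complete with the action's result
     */
    protected abstract void doExecuteWithGrantAuthentication(Task task, Request request, Authentication authentication, ActionListener<Response> actionListener);

    /**
     * Converts a grant into the authentication token matching its type.
     *
     * <ul>
     *   <li>{@code password}: a {@link UsernamePasswordToken}</li>
     *   <li>{@code access_token}: a {@link JwtAuthenticationToken} when the access token
     *       parses as a JWT, otherwise a {@link BearerToken}</li>
     * </ul>
     *
     * @param grant the grant to convert. With assertions enabled, it must already pass
     *     {@code validate}
     * @return the token to authenticate with
     * @throws ElasticsearchSecurityException if the grant type is unsupported, or if client
     *     authentication is supplied with an access token that is not a JWT
     */
    public static AuthenticationToken getAuthenticationToken(Grant grant) {
        assert grant.validate((ActionRequestValidationException) null) == null : "grant is invalid";
        switch (grant.getType()) {
            case PASSWORD_GRANT_TYPE:
                return new UsernamePasswordToken(grant.getUsername(), grant.getPassword());
            case ACCESS_TOKEN_GRANT_TYPE: {
                final SecureString clientAuthentication = grant.getClientAuthentication() != null
                    ? grant.getClientAuthentication().value()
                    : null;
                final JwtAuthenticationToken jwtToken = JwtAuthenticationToken.tryParseJwt(grant.getAccessToken(), clientAuthentication);
                if (jwtToken != null) {
                    return jwtToken;
                }
                if (clientAuthentication == null) {
                    return new BearerToken(grant.getAccessToken());
                }
                // The client secret cannot be used with a non-JWT access token. Close it
                // here because no token takes ownership of it, then reject the request
                // instead of silently dropping the client authentication.
                clientAuthentication.close();
                throw new ElasticsearchSecurityException(
                    "[client_authentication] not supported with the supplied access_token type",
                    RestStatus.BAD_REQUEST
                );
            }
            default:
                throw new ElasticsearchSecurityException("the grant type [{}] is not supported", grant.getType());
        }
    }

    // Both run-as rejections share one message and status.
    private static ElasticsearchStatusException runAsNotSupported() {
        return new ElasticsearchStatusException(RUN_AS_NOT_SUPPORTED, RestStatus.BAD_REQUEST);
    }
}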
