package org.elasticsearch.xpack.security.authc.service;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CopyOnWriteArrayList;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.env.Environment;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.XPackPlugin;
import org.elasticsearch.xpack.core.security.action.service.TokenInfo;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.support.NoOpLogger;
import org.elasticsearch.xpack.security.PrivilegedFileWatcher;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountTokenStore;
import org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry;
import org.elasticsearch.xpack.security.support.FileLineParser;
import org.elasticsearch.xpack.security.support.FileReloadListener;
import org.elasticsearch.xpack.security.support.SecurityFiles;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/FileServiceAccountTokenStore.class */
public class FileServiceAccountTokenStore extends CachingServiceAccountTokenStore {
    private static final Logger logger = LogManager.getLogger(FileServiceAccountTokenStore.class);
    private final Path file;
    private final ClusterService clusterService;
    private final CopyOnWriteArrayList<Runnable> refreshListeners;
    private volatile Map<String, char[]> tokenHashes;

    public FileServiceAccountTokenStore(Environment environment, ResourceWatcherService resourceWatcherService, ThreadPool threadPool, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry) {
        super(environment.settings(), threadPool);
        this.clusterService = clusterService;
        this.file = resolveFile(environment);
        PrivilegedFileWatcher privilegedFileWatcher = new PrivilegedFileWatcher(this.file.getParent());
        privilegedFileWatcher.addListener(new FileReloadListener(this.file, this::tryReload));
        try {
            resourceWatcherService.add(privilegedFileWatcher, ResourceWatcherService.Frequency.HIGH);
            try {
                this.tokenHashes = parseFile(this.file, logger);
                this.refreshListeners = new CopyOnWriteArrayList<>(List.of(this::invalidateAll));
                cacheInvalidatorRegistry.registerCacheInvalidator("file_service_account_token", this);
            } catch (IOException e) {
                throw new IllegalStateException("Failed to load service_tokens file [" + String.valueOf(this.file) + "]", e);
            }
        } catch (IOException e2) {
            throw new ElasticsearchException("failed to start watching service_tokens file [{}]", e2, new Object[]{this.file.toAbsolutePath()});
        }
    }

    @Override // org.elasticsearch.xpack.security.authc.service.CachingServiceAccountTokenStore
    public void doAuthenticate(ServiceAccountToken serviceAccountToken, ActionListener<ServiceAccountTokenStore.StoreAuthenticationResult> actionListener) {
        actionListener.onResponse((ServiceAccountTokenStore.StoreAuthenticationResult) Optional.ofNullable(this.tokenHashes.get(serviceAccountToken.getQualifiedName())).map(cArr -> {
            return new ServiceAccountTokenStore.StoreAuthenticationResult(Hasher.verifyHash(serviceAccountToken.getSecret(), cArr), getTokenSource());
        }).orElse(new ServiceAccountTokenStore.StoreAuthenticationResult(false, getTokenSource())));
    }

    @Override // org.elasticsearch.xpack.security.authc.service.CachingServiceAccountTokenStore
    public TokenInfo.TokenSource getTokenSource() {
        return TokenInfo.TokenSource.FILE;
    }

    public List<TokenInfo> findTokensFor(ServiceAccount.ServiceAccountId serviceAccountId) {
        String asPrincipal = serviceAccountId.asPrincipal();
        return this.tokenHashes.keySet().stream().filter(str -> {
            return str.startsWith(asPrincipal + "/");
        }).map(str2 -> {
            return TokenInfo.fileToken(Strings.substring(str2, asPrincipal.length() + 1, str2.length()), List.of(this.clusterService.localNode().getName()));
        }).toList();
    }

    public void addListener(Runnable runnable) {
        this.refreshListeners.add(runnable);
    }

    @Override // org.elasticsearch.xpack.security.support.CacheInvalidatorRegistry.CacheInvalidator
    public boolean shouldClearOnSecurityIndexStateChange() {
        return false;
    }

    private void notifyRefresh() {
        this.refreshListeners.forEach((v0) -> {
            v0.run();
        });
    }

    private void tryReload() {
        Map<String, char[]> map = this.tokenHashes;
        this.tokenHashes = parseFileLenient(this.file, logger);
        if (false == Maps.deepEquals(this.tokenHashes, map)) {
            logger.info("service tokens file [{}] changed. updating ...", this.file.toAbsolutePath());
            notifyRefresh();
        }
    }

    Map<String, char[]> getTokenHashes() {
        return this.tokenHashes;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Path resolveFile(Environment environment) {
        return XPackPlugin.resolveConfigFile(environment, "service_tokens");
    }

    static Map<String, char[]> parseFileLenient(Path path, @Nullable Logger logger2) {
        try {
            return parseFile(path, logger2);
        } catch (Exception e) {
            logger2.error("failed to parse service tokens file [{}]. skipping/removing all tokens...", path.toAbsolutePath());
            return Map.of();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Map<String, char[]> parseFile(Path path, @Nullable Logger logger2) throws IOException {
        Logger logger3 = logger2 == null ? NoOpLogger.INSTANCE : logger2;
        logger3.trace("reading service_tokens file [{}]...", path.toAbsolutePath());
        if (!Files.exists(path, new LinkOption[0])) {
            logger3.trace("file [{}] does not exist", path.toAbsolutePath());
            return Map.of();
        }
        HashMap hashMap = new HashMap();
        FileLineParser.parse(path, (num, str) -> {
            String trim = str.trim();
            int indexOf = trim.indexOf(58);
            if (indexOf == -1) {
                logger3.warn("invalid format at line #{} of service_tokens file [{}] - missing ':' character - ", num, path);
                throw new IllegalStateException("Missing ':' character at line #" + num);
            }
            String substring = trim.substring(0, indexOf);
            char[] cArr = new char[trim.length() - (indexOf + 1)];
            trim.getChars(indexOf + 1, trim.length(), cArr, 0);
            if (Hasher.resolveFromHash(cArr) == Hasher.NOOP) {
                logger3.warn("skipping plaintext service account token for key [{}]", substring);
                return;
            }
            logger3.trace("parsed tokens for key [{}]", substring);
            if (((char[]) hashMap.put(substring, cArr)) != null) {
                logger3.warn("found duplicated key [{}], earlier entries are overridden", substring);
            }
        });
        logger3.debug("parsed [{}] tokens from file [{}]", Integer.valueOf(hashMap.size()), path.toAbsolutePath());
        return Map.copyOf(hashMap);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void writeFile(Path path, Map<String, char[]> map) {
        SecurityFiles.writeFileAtomically(path, map, entry -> {
            return String.format(Locale.ROOT, "%s:%s", entry.getKey(), new String((char[]) entry.getValue()));
        });
    }
}
