package org.elasticsearch.xpack.security.authc.service;

import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.action.service.CreateServiceAccountTokenRequest;
import org.elasticsearch.xpack.core.security.action.service.CreateServiceAccountTokenResponse;
import org.elasticsearch.xpack.core.security.action.service.DeleteServiceAccountTokenRequest;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountCredentialsNodesRequest;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountCredentialsRequest;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountCredentialsResponse;
import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountNodesCredentialsAction;
import org.elasticsearch.xpack.core.security.action.service.TokenInfo;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/ServiceAccountService.class */
public class ServiceAccountService {
    private static final Logger logger;
    private static final int MIN_TOKEN_SECRET_LENGTH = 10;
    private final Client client;
    private final IndexServiceAccountTokenStore indexServiceAccountTokenStore;
    private final CompositeServiceAccountTokenStore compositeServiceAccountTokenStore;
    static final /* synthetic */ boolean $assertionsDisabled;

    public ServiceAccountService(Client client, FileServiceAccountTokenStore fileServiceAccountTokenStore, IndexServiceAccountTokenStore indexServiceAccountTokenStore) {
        this.client = client;
        this.indexServiceAccountTokenStore = indexServiceAccountTokenStore;
        this.compositeServiceAccountTokenStore = new CompositeServiceAccountTokenStore(List.of(fileServiceAccountTokenStore, indexServiceAccountTokenStore), client.threadPool().getThreadContext());
    }

    public static boolean isServiceAccountPrincipal(String str) {
        return ElasticServiceAccounts.ACCOUNTS.containsKey(str);
    }

    public static Collection<String> getServiceAccountPrincipals() {
        return ElasticServiceAccounts.ACCOUNTS.keySet();
    }

    public static Map<String, ServiceAccount> getServiceAccounts() {
        return Map.copyOf(ElasticServiceAccounts.ACCOUNTS);
    }

    public static ServiceAccountToken tryParseToken(SecureString secureString) {
        if (secureString == null) {
            return null;
        }
        try {
            return ServiceAccountToken.fromBearerString(secureString);
        } catch (Exception e) {
            logger.trace("Cannot parse possible service account token", e);
            return null;
        }
    }

    public void authenticateToken(ServiceAccountToken serviceAccountToken, String str, ActionListener<Authentication> actionListener) {
        logger.trace("attempt to authenticate service account token [{}]", serviceAccountToken.getQualifiedName());
        if (!"elastic".equals(serviceAccountToken.getAccountId().namespace())) {
            logger.debug("only [{}] service accounts are supported, but received [{}]", "elastic", serviceAccountToken.getAccountId().asPrincipal());
            actionListener.onFailure(createAuthenticationException(serviceAccountToken));
            return;
        }
        ServiceAccount serviceAccount = ElasticServiceAccounts.ACCOUNTS.get(serviceAccountToken.getAccountId().asPrincipal());
        if (serviceAccount == null) {
            logger.debug("the [{}] service account does not exist", serviceAccountToken.getAccountId().asPrincipal());
            actionListener.onFailure(createAuthenticationException(serviceAccountToken));
        } else if (serviceAccountToken.getSecret().length() < MIN_TOKEN_SECRET_LENGTH) {
            logger.debug("failing authentication for service account token [{}], the provided credential has length [{}] but a token's secret value must be at least [{}] characters", serviceAccountToken.getQualifiedName(), Integer.valueOf(serviceAccountToken.getSecret().length()), Integer.valueOf(MIN_TOKEN_SECRET_LENGTH));
            actionListener.onFailure(createAuthenticationException(serviceAccountToken));
        } else {
            CompositeServiceAccountTokenStore compositeServiceAccountTokenStore = this.compositeServiceAccountTokenStore;
            CheckedConsumer checkedConsumer = storeAuthenticationResult -> {
                if (storeAuthenticationResult.isSuccess()) {
                    actionListener.onResponse(createAuthentication(serviceAccount, serviceAccountToken, storeAuthenticationResult.getTokenSource(), str));
                    return;
                }
                ElasticsearchSecurityException createAuthenticationException = createAuthenticationException(serviceAccountToken);
                logger.debug(createAuthenticationException.getMessage());
                actionListener.onFailure(createAuthenticationException);
            };
            Objects.requireNonNull(actionListener);
            compositeServiceAccountTokenStore.authenticate(serviceAccountToken, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    public void createIndexToken(Authentication authentication, CreateServiceAccountTokenRequest createServiceAccountTokenRequest, ActionListener<CreateServiceAccountTokenResponse> actionListener) {
        this.indexServiceAccountTokenStore.createToken(authentication, createServiceAccountTokenRequest, actionListener);
    }

    public void deleteIndexToken(DeleteServiceAccountTokenRequest deleteServiceAccountTokenRequest, ActionListener<Boolean> actionListener) {
        this.indexServiceAccountTokenStore.deleteToken(deleteServiceAccountTokenRequest, actionListener);
    }

    public void findTokensFor(GetServiceAccountCredentialsRequest getServiceAccountCredentialsRequest, ActionListener<GetServiceAccountCredentialsResponse> actionListener) {
        findIndexTokens(new ServiceAccount.ServiceAccountId(getServiceAccountCredentialsRequest.getNamespace(), getServiceAccountCredentialsRequest.getServiceName()), actionListener);
    }

    public static void getRoleDescriptor(Authentication authentication, ActionListener<RoleDescriptor> actionListener) {
        if (!$assertionsDisabled && !authentication.isServiceAccount()) {
            throw new AssertionError("authentication is not for service account: " + authentication);
        }
        getRoleDescriptorForPrincipal(authentication.getEffectiveSubject().getUser().principal(), actionListener);
    }

    public static void getRoleDescriptorForPrincipal(String str, ActionListener<RoleDescriptor> actionListener) {
        ServiceAccount serviceAccount = ElasticServiceAccounts.ACCOUNTS.get(str);
        if (serviceAccount == null) {
            actionListener.onFailure(new ElasticsearchSecurityException("cannot load role for service account [" + str + "] - no such service account", new Object[0]));
        } else {
            actionListener.onResponse(serviceAccount.roleDescriptor());
        }
    }

    private static Authentication createAuthentication(ServiceAccount serviceAccount, ServiceAccountToken serviceAccountToken, TokenInfo.TokenSource tokenSource, String str) {
        return Authentication.newServiceAccountAuthentication(serviceAccount.asUser(), str, Map.of("_token_name", serviceAccountToken.getTokenName(), "_token_source", tokenSource.name().toLowerCase(Locale.ROOT)));
    }

    private static ElasticsearchSecurityException createAuthenticationException(ServiceAccountToken serviceAccountToken) {
        return new ElasticsearchSecurityException("failed to authenticate service account [{}] with token name [{}]", RestStatus.UNAUTHORIZED, new Object[]{serviceAccountToken.getAccountId().asPrincipal(), serviceAccountToken.getTokenName()});
    }

    private void findIndexTokens(ServiceAccount.ServiceAccountId serviceAccountId, ActionListener<GetServiceAccountCredentialsResponse> actionListener) {
        IndexServiceAccountTokenStore indexServiceAccountTokenStore = this.indexServiceAccountTokenStore;
        CheckedConsumer checkedConsumer = collection -> {
            findFileTokens(collection, serviceAccountId, actionListener);
        };
        Objects.requireNonNull(actionListener);
        indexServiceAccountTokenStore.findTokensFor(serviceAccountId, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void findFileTokens(Collection<TokenInfo> collection, ServiceAccount.ServiceAccountId serviceAccountId, ActionListener<GetServiceAccountCredentialsResponse> actionListener) {
        Client client = this.client;
        GetServiceAccountNodesCredentialsAction getServiceAccountNodesCredentialsAction = GetServiceAccountNodesCredentialsAction.INSTANCE;
        GetServiceAccountCredentialsNodesRequest getServiceAccountCredentialsNodesRequest = new GetServiceAccountCredentialsNodesRequest(serviceAccountId.namespace(), serviceAccountId.serviceName());
        CheckedConsumer checkedConsumer = getServiceAccountCredentialsNodesResponse -> {
            actionListener.onResponse(new GetServiceAccountCredentialsResponse(serviceAccountId.asPrincipal(), collection, getServiceAccountCredentialsNodesResponse));
        };
        Objects.requireNonNull(actionListener);
        ClientHelper.executeAsyncWithOrigin(client, "security", getServiceAccountNodesCredentialsAction, getServiceAccountCredentialsNodesRequest, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    static {
        $assertionsDisabled = !ServiceAccountService.class.desiredAssertionStatus();
        logger = LogManager.getLogger(ServiceAccountService.class);
    }
}
