package org.elasticsearch.xpack.security.action.saml;

import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateRequest;
import org.elasticsearch.xpack.core.security.action.saml.SamlAuthenticateResponse;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.UserToken;
import org.elasticsearch.xpack.security.authc.saml.SamlRealm;
import org.elasticsearch.xpack.security.authc.saml.SamlToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/saml/TransportSamlAuthenticateAction.class */
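/**
 * Transport handler for the {@code cluster:admin/xpack/security/saml/authenticate} action.
 *
 * <p>It wraps the SAML content and the valid request ids from the request in a {@link SamlToken},
 * authenticates that token through the {@link AuthenticationService}, and on success asks the
 * {@link TokenService} to create a user token. The response carries the authenticated principal,
 * the user token string, the second element of the created tuple and the token expiration delay.
 *
 * <p>This listing was recovered from a decompiler. The compiler-generated members (the
 * {@code $assertionsDisabled} flag, its static initializer and the bridge {@code doExecute})
 * are expressed here as ordinary source: javac regenerates them from the {@code assert}
 * statement and the generic override.
 */
public final class TransportSamlAuthenticateAction extends HandledTransportAction<SamlAuthenticateRequest, SamlAuthenticateResponse> {
    /** Action name: registered with the transport layer and passed to the authentication service. */
    private static final String ACTION_NAME = "cluster:admin/xpack/security/saml/authenticate";

    private final AuthenticationService authenticationService;
    private final TokenService tokenService;

    /**
     * Registers the handler under {@link #ACTION_NAME} and keeps the two services it delegates to.
     *
     * @param authenticationService service used to authenticate the SAML token
     * @param tokenService service used to create the user token returned to the caller
     */
    @Inject
    public TransportSamlAuthenticateAction(Settings settings, ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters, IndexNameExpressionResolver indexNameExpressionResolver, AuthenticationService authenticationService, TokenService tokenService) {
        super(settings, ACTION_NAME, threadPool, transportService, actionFilters, indexNameExpressionResolver, SamlAuthenticateRequest::new);
        this.authenticationService = authenticationService;
        this.tokenService = tokenService;
    }

    /**
     * Authenticates the SAML content of the request and answers with a freshly created user token.
     *
     * @param samlAuthenticateRequest request carrying the SAML content and the valid request ids
     * @param actionListener receives the {@link SamlAuthenticateResponse}, or the failure raised by
     *        authentication or token creation
     */
    @Override
    protected void doExecute(SamlAuthenticateRequest samlAuthenticateRequest, ActionListener<SamlAuthenticateResponse> actionListener) {
        final SamlToken samlToken = new SamlToken(samlAuthenticateRequest.getSaml(), samlAuthenticateRequest.getValidRequestIds());
        // NOTE(review): the token is logged through its toString() here and in the failure path;
        // confirm that SamlToken.toString() does not emit the complete SAML content.
        this.logger.trace("Attempting to authenticate SamlToken [{}]", samlToken);
        final ThreadContext threadContext = this.threadPool.getThreadContext();
        // Read the Authentication already on the context BEFORE stashing: it is handed to
        // createUserToken below (presumably as the originating authentication; confirm against
        // TokenService).
        final Authentication callerAuthentication = Authentication.getAuthentication(threadContext);
        // The SAML token is authenticated inside a stashed context; the stored context is closed
        // as soon as authenticate() returns or throws.
        try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
            // The explicit casts are kept from the original so overload selection is untouched.
            this.authenticationService.authenticate(ACTION_NAME, (TransportMessage) samlAuthenticateRequest, (AuthenticationToken) samlToken, ActionListener.wrap(authenticated -> {
                // The result is read back from the thread context rather than from the callback
                // argument; a missing entry is reported as a failure instead of issuing a token
                // without the realm metadata.
                final AuthenticationResult result = (AuthenticationResult) threadContext.getTransient(AuthenticationResult.THREAD_CONTEXT_KEY);
                if (result == null) {
                    actionListener.onFailure(new IllegalStateException("Cannot find AuthenticationResult on thread context"));
                    return;
                }
                // Evaluated only when assertions are enabled; with assertions off a null value
                // is passed on to createUserToken unchanged.
                assert authenticated != null : "authentication should never be null at this point";
                // May be null when the metadata holds no CONTEXT_TOKEN_DATA entry; it is passed
                // through as-is.
                @SuppressWarnings("unchecked")
                final Map<String, Object> tokenMetadata = (Map<String, Object>) result.getMetadata().get(SamlRealm.CONTEXT_TOKEN_DATA);
                // NOTE(review): the trailing `true` and the meaning of tuple.v2() (presumably a
                // refresh token) are not visible in this file; confirm against TokenService.
                this.tokenService.createUserToken(authenticated, callerAuthentication, ActionListener.wrap(tuple -> {
                    actionListener.onResponse(new SamlAuthenticateResponse(authenticated.getUser().principal(), this.tokenService.getUserTokenString((UserToken) tuple.v1()), (String) tuple.v2(), this.tokenService.getExpirationDelay()));
                }, actionListener::onFailure), tokenMetadata, true);
            }, exc -> {
                this.logger.debug(() -> {
                    return new ParameterizedMessage("SamlToken [{}] could not be authenticated", samlToken);
                }, exc);
                actionListener.onFailure(exc);
            }));
        }
    }
}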
