package com.floragunn.dlic.auth.http.jwt;

import com.floragunn.searchguard.auth.HTTPAuthenticator;
import com.floragunn.searchguard.user.AuthCredentials;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.TextCodec;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/HTTPJwtAuthenticator.class */
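/**
 * HTTP authenticator that accepts a JSON Web Token (JWS) from a request header
 * (default {@code Authorization}) or, optionally, from a URL parameter, verifies
 * it with a single configured key and turns its claims into {@link AuthCredentials}.
 *
 * <p>Configuration (all read from {@code settings} in the constructor):
 * <ul>
 *   <li>{@code signing_key} – either a PEM-framed X.509/SPKI public key (RSA or EC),
 *       a bare base64 SPKI blob, or the base64 of an HMAC secret;</li>
 *   <li>{@code jwt_header} – header carrying the token, default {@code Authorization};</li>
 *   <li>{@code jwt_url_parameter} – optional query parameter carrying the token;</li>
 *   <li>{@code subject_key} – claim used as the user name instead of {@code sub};</li>
 *   <li>{@code roles_key} – claim (string with commas, or JSON array) holding backend roles.</li>
 * </ul>
 *
 * <p>Fail-closed behaviour: if the key cannot be loaded, {@link #jwtParser} stays
 * {@code null} and every request is rejected in {@link #extractCredentials0}.
 * A configured value that carries a {@code -----BEGIN PUBLIC KEY-----} header but
 * does not parse as RSA or EC is treated as a configuration error and is
 * <em>not</em> silently downgraded to an HMAC secret (a public key is public, so
 * using its bytes as a shared secret would let anyone forge HS256 tokens).
 *
 * <p>NOTE(review): only signature and the time claims enforced by jjwt are checked;
 * no issuer/audience restriction is configured here — confirm whether the
 * surrounding deployment needs one.
 */
public class HTTPJwtAuthenticator implements HTTPAuthenticator {
    protected final Logger log = LogManager.getLogger(getClass());
    private static final String BEARER = "bearer ";
    private static final String PEM_PUBLIC_KEY_HEADER = "-----BEGIN PUBLIC KEY-----";
    private static final String PEM_PUBLIC_KEY_FOOTER = "-----END PUBLIC KEY-----";
    /** Compiled once; used to strip line breaks/indentation from a PEM body. */
    private static final Pattern WHITESPACE = Pattern.compile("\\s+");
    /** {@code null} when no usable signing key could be loaded (authentication then always fails). */
    private final JwtParser jwtParser;
    private final String jwtHeaderName;
    private final String jwtUrlParameter;
    private final String rolesKey;
    private final String subjectKey;

    /**
     * Builds the authenticator from the plugin settings.
     *
     * @param settings Search Guard settings for this authenticator (see class docs for keys)
     * @param path     config directory; not used by this implementation
     */
    public HTTPJwtAuthenticator(Settings settings, Path path) {
        JwtParser parser = null;
        try {
            String signingKey = settings.get("signing_key");
            if (signingKey == null || signingKey.length() == 0) {
                this.log.error("signingKey must not be null or empty. JWT authentication will not work");
            } else {
                parser = buildParser(signingKey);
            }
        } catch (Throwable th) {
            // Any failure here must leave jwtParser == null so that authentication fails closed.
            this.log.error("Error creating JWT authenticator: " + th + ". JWT authentication will not work", th);
        }
        this.jwtUrlParameter = settings.get("jwt_url_parameter");
        this.jwtHeaderName = settings.get("jwt_header", "Authorization");
        this.rolesKey = settings.get("roles_key");
        this.subjectKey = settings.get("subject_key");
        this.jwtParser = parser;
    }

    /**
     * Turns the configured {@code signing_key} into a parser bound to a verification key.
     *
     * <p>Resolution order: PEM/SPKI RSA public key, then EC public key, then — only
     * when the value did not claim to be a PEM public key — the raw decoded bytes
     * as an HMAC secret. A PEM-framed value that parses as neither RSA nor EC yields
     * {@code null} rather than an HMAC parser keyed with public material.
     *
     * @param signingKey non-empty value of the {@code signing_key} setting
     * @return a parser with its signing key set, or {@code null} if the key is unusable
     */
    private JwtParser buildParser(String signingKey) {
        boolean framedAsPem = signingKey.contains(PEM_PUBLIC_KEY_HEADER);
        // For PEM input strip header, footer and every line break (LF or CRLF); otherwise
        // decode the value exactly as configured so HMAC secrets keep their bytes.
        String base64 = framedAsPem ? stripPemFraming(signingKey) : signingKey;
        byte[] keyBytes = TextCodec.BASE64.decode(base64);

        PublicKey publicKey = tryPublicKey(keyBytes, "RSA");
        if (publicKey == null) {
            publicKey = tryPublicKey(keyBytes, "EC");
        }
        if (publicKey != null) {
            return Jwts.parser().setSigningKey(publicKey);
        }
        if (framedAsPem) {
            this.log.error("signing_key is framed as a PEM public key but could not be parsed as RSA or EC; "
                    + "refusing to fall back to an HMAC secret. JWT authentication will not work");
            return null;
        }
        // Not a public key: treat the decoded bytes as the shared HMAC secret.
        return Jwts.parser().setSigningKey(keyBytes);
    }

    /**
     * Removes PEM header/footer and all whitespace so only the base64 body remains.
     *
     * @param pem PEM text containing {@value #PEM_PUBLIC_KEY_HEADER}
     * @return the base64 payload without framing or line breaks
     */
    private static String stripPemFraming(String pem) {
        String body = pem.replace(PEM_PUBLIC_KEY_HEADER, "").replace(PEM_PUBLIC_KEY_FOOTER, "");
        return WHITESPACE.matcher(body).replaceAll("");
    }

    /**
     * Attempts to decode {@code keyBytes} as an X.509/SPKI public key of the given algorithm.
     *
     * @param keyBytes DER-encoded SubjectPublicKeyInfo candidate
     * @param algorithm JCA algorithm name ({@code "RSA"} or {@code "EC"})
     * @return the key, or {@code null} if the bytes are not a key of that algorithm
     */
    private PublicKey tryPublicKey(byte[] keyBytes, String algorithm) {
        try {
            return getPublicKey(keyBytes, algorithm);
        } catch (Exception e) {
            this.log.debug("No public {} key, try other algos ({})", algorithm, e.toString());
            return null;
        }
    }

    /**
     * Entry point called by the Search Guard authentication chain.
     *
     * <p>The actual work runs inside {@link AccessController#doPrivileged} after a
     * {@link SpecialPermission} check, the pattern Elasticsearch plugins use to run
     * code under the plugin's own permissions when a SecurityManager is installed.
     *
     * @param restRequest   the incoming request
     * @param threadContext unused by this authenticator
     * @return credentials extracted from a valid token, or {@code null} if none
     */
    public AuthCredentials extractCredentials(final RestRequest restRequest, ThreadContext threadContext) throws ElasticsearchSecurityException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        return AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() {
            @Override
            public AuthCredentials run() {
                return HTTPJwtAuthenticator.this.extractCredentials0(restRequest);
            }
        });
    }

    /**
     * Locates the token, verifies it and maps its claims to credentials.
     *
     * <p>Token lookup: the configured header first; if that is absent/empty and a URL
     * parameter is configured, the parameter. The parameter is always consumed via
     * {@code restRequest.param(...)} so Elasticsearch does not reject the request for
     * an unrecognised parameter. NOTE: tokens passed in the URL end up in access logs,
     * proxies and browser history — prefer the header where possible.
     *
     * <p>Every claim is also exposed as a {@code attr.jwt.<claim>} attribute on the
     * returned credentials.
     *
     * @param restRequest the incoming request
     * @return completed credentials, or {@code null} when there is no token, the token
     *         is invalid/expired, no subject can be determined, or no key is configured
     */
    public AuthCredentials extractCredentials0(RestRequest restRequest) {
        if (this.jwtParser == null) {
            this.log.error("Missing Signing Key. JWT authentication will not work");
            return null;
        }
        String token = restRequest.header(this.jwtHeaderName);
        if ((token == null || token.isEmpty()) && this.jwtUrlParameter != null) {
            token = restRequest.param(this.jwtUrlParameter);
        } else {
            // Consume only, to avoid "contains unrecognized parameter" errors from ES.
            restRequest.param(this.jwtUrlParameter);
        }
        if (token == null || token.length() == 0) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("No JWT token found in '{}' {} header",
                        this.jwtUrlParameter == null ? this.jwtHeaderName : this.jwtUrlParameter,
                        this.jwtUrlParameter == null ? "header" : "url parameter");
            }
            return null;
        }
        token = stripBearerPrefix(token);
        try {
            // parseClaimsJws verifies the signature (and, per jjwt, the time-based claims);
            // anything else is reported as a generic failure below.
            Claims claims = this.jwtParser.parseClaimsJws(token).getBody();
            String subject = extractSubject(claims, restRequest);
            if (subject == null) {
                this.log.error("No subject found in JWT token");
                return null;
            }
            AuthCredentials credentials = new AuthCredentials(subject, extractRoles(claims, restRequest)).markComplete();
            for (Map.Entry<String, Object> claim : claims.entrySet()) {
                credentials.addAttribute("attr.jwt." + claim.getKey(), String.valueOf(claim.getValue()));
            }
            return credentials;
        } catch (Exception e) {
            // Deliberately quiet: a bad token is an expected client error, not a server fault.
            if (this.log.isDebugEnabled()) {
                this.log.debug("Invalid or expired JWT token.", e);
            }
            return null;
        }
    }

    /**
     * Drops everything up to and including the first case-insensitive {@code "bearer "}
     * so {@code "Bearer <jwt>"} becomes {@code "<jwt>"}; values without the scheme are
     * returned unchanged. Uses {@link String#regionMatches(boolean, int, String, int, int)}
     * instead of lower-casing the whole header, whose length can change for some
     * non-ASCII characters and would make the index wrong.
     *
     * @param value raw header or parameter value
     * @return the token part
     */
    private static String stripBearerPrefix(String value) {
        int at = indexOfIgnoreCase(value, BEARER);
        return at > -1 ? value.substring(at + BEARER.length()) : value;
    }

    /**
     * Case-insensitive {@link String#indexOf(String)} that never changes string length.
     *
     * @param haystack string to search
     * @param needle   string to find
     * @return index of the first match, or -1
     */
    private static int indexOfIgnoreCase(String haystack, String needle) {
        int last = haystack.length() - needle.length();
        for (int i = 0; i <= last; i++) {
            if (haystack.regionMatches(true, i, needle, 0, needle.length())) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Sends a {@code 401} with a {@code WWW-Authenticate: Bearer} challenge.
     *
     * @param restChannel     channel to answer on
     * @param authCredentials unused
     * @return always {@code true} (a challenge was sent)
     */
    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        BytesRestResponse response = new BytesRestResponse(RestStatus.UNAUTHORIZED, "");
        response.addHeader("WWW-Authenticate", "Bearer realm=\"Search Guard\"");
        restChannel.sendResponse(response);
        return true;
    }

    /** @return the authenticator type name used in the Search Guard config, {@code "jwt"}. */
    public String getType() {
        return "jwt";
    }

    /**
     * Determines the user name: the {@code subject_key} claim when configured (any
     * non-String value is stringified), otherwise the standard {@code sub} claim.
     *
     * <p>Claim values are intentionally not written to the log, only their type.
     *
     * @param claims      verified token claims
     * @param restRequest unused
     * @return the subject, or {@code null} if the configured claim is missing
     */
    protected String extractSubject(Claims claims, RestRequest restRequest) {
        if (this.subjectKey == null) {
            return claims.getSubject();
        }
        Object raw = claims.get(this.subjectKey, Object.class);
        if (raw == null) {
            this.log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", this.subjectKey);
            return null;
        }
        if (!(raw instanceof String)) {
            this.log.warn("Expected type String for subject in the JWT for subject_key {}, but value was of type {}. Will convert this value to String.",
                    this.subjectKey, raw.getClass());
        }
        return String.valueOf(raw);
    }

    /**
     * Reads backend roles from the {@code roles_key} claim.
     *
     * <p>A JSON array yields one role per element (non-String elements are stringified,
     * {@code null} elements skipped); any other value is stringified and split on
     * commas. Entries are trimmed and blank entries dropped. Without a configured
     * {@code roles_key}, or if the claim is absent, no roles are returned.
     *
     * @param claims      verified token claims
     * @param restRequest unused
     * @return the roles, never {@code null}
     */
    protected String[] extractRoles(Claims claims, RestRequest restRequest) {
        if (this.rolesKey == null) {
            return new String[0];
        }
        Object raw = claims.get(this.rolesKey, Object.class);
        if (raw == null) {
            this.log.warn("Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.", this.rolesKey);
            return new String[0];
        }
        List<String> roles = new ArrayList<>();
        if (raw instanceof Collection) {
            // Avoids the ArrayStoreException a toArray(new String[0]) would throw on non-String elements.
            for (Object element : (Collection<?>) raw) {
                if (element != null) {
                    addRole(roles, String.valueOf(element));
                }
            }
        } else {
            if (!(raw instanceof String)) {
                this.log.warn("Expected type String or Collection for roles in the JWT for roles_key {}, but value was of type {}. Will convert this value to String.",
                        this.rolesKey, raw.getClass());
            }
            for (String part : String.valueOf(raw).split(",")) {
                addRole(roles, part);
            }
        }
        return roles.toArray(new String[0]);
    }

    /**
     * Trims {@code candidate} and appends it to {@code roles} unless it is blank.
     *
     * @param roles     accumulator
     * @param candidate untrimmed role name
     */
    private static void addRole(List<String> roles, String candidate) {
        String trimmed = candidate.trim();
        if (!trimmed.isEmpty()) {
            roles.add(trimmed);
        }
    }

    /**
     * Decodes an X.509/SPKI public key.
     *
     * @param encoded   DER-encoded SubjectPublicKeyInfo
     * @param algorithm JCA algorithm name
     * @return the public key
     * @throws NoSuchAlgorithmException if the JCA provider lacks the algorithm
     * @throws InvalidKeySpecException  if the bytes are not a key of that algorithm
     */
    private static PublicKey getPublicKey(byte[] encoded, String algorithm) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return KeyFactory.getInstance(algorithm).generatePublic(new X509EncodedKeySpec(encoded));
    }

    /**
     * Prints the commercial-license notice. Not referenced from the code visible in
     * this file. Output is suppressed by the {@code sg.display_lic_none} system
     * property and restricted to stdout by {@code sg.display_lic_only_stdout}.
     */
    private static void printLicenseInfo() {
        String nl = System.lineSeparator();
        StringBuilder sb = new StringBuilder();
        sb.append("******************************************************").append(nl);
        sb.append("Search Guard JWT (JSON Web Token) is not free software").append(nl);
        sb.append("for commercial use in production.").append(nl);
        sb.append("You have to obtain a license if you ").append(nl);
        sb.append("use it in production.").append(nl);
        sb.append(nl);
        sb.append("See https://floragunn.com/searchguard-validate-license").append(nl);
        sb.append("In case of any doubt mail to <sales@floragunn.com>").append(nl);
        sb.append("*****************************************************").append(nl);
        String notice = sb.toString();
        if (Boolean.getBoolean("sg.display_lic_none")) {
            return;
        }
        if (!Boolean.getBoolean("sg.display_lic_only_stdout")) {
            LogManager.getLogger(HTTPJwtAuthenticator.class).warn(notice);
            System.err.println(notice);
        }
        System.out.println(notice);
    }
}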
