package com.floragunn.dlic.auth.http.jwt.keybyoidc;

import com.floragunn.dlic.auth.http.jwt.keybyoidc.SettingsBasedSSLConfigurator;
import com.floragunn.searchguard.auth.HTTPAuthenticator;
import com.floragunn.searchguard.user.AuthCredentials;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/HTTPJwtKeyByOpenIdConnectAuthenticator.class */
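/**
 * Search Guard HTTP authenticator that accepts a JSON Web Token presented in a request header
 * (default {@code Authorization}) or, optionally, in a URL parameter, and hands it to a
 * {@link JwtVerifier} backed by a {@link SelfRefreshingKeySet}. The key set is populated by a
 * {@link KeySetRetriever} from the OpenID Connect provider configured via
 * {@code openid_connect_url}.
 *
 * <p>Settings read from the authenticator's configuration:
 * <ul>
 *   <li>{@code jwt_header} (default {@code Authorization}) and {@code jwt_url_parameter}:
 *       where the token is looked up.</li>
 *   <li>{@code subject_key} and {@code roles_key}: claims that supply the user name and the
 *       roles; when absent the JWT {@code sub} claim is used and no roles are derived.</li>
 *   <li>{@code openid_connect_url}, {@code cache_jwks_endpoint} (default {@code false}).</li>
 *   <li>{@code idp_request_timeout_ms} (5000), {@code idp_queued_thread_timeout_ms} (2500),
 *       {@code refresh_rate_limit_time_window_ms} (10000), {@code refresh_rate_limit_count} (10).</li>
 * </ul>
 *
 * <p>If the key-set pipeline cannot be built, construction does not throw: the failure is
 * logged, {@link #jwtVerifier} stays {@code null}, and every authentication attempt is then
 * rejected with HTTP 503 (fail closed) instead of failing with a {@link NullPointerException}.
 *
 * <p>Every claim of a verified token is copied into the credentials as an
 * {@code attr.jwt.<claim>} attribute, so claim values become visible to downstream
 * authorization (e.g. DLS/FLS templates).
 */
public class HTTPJwtKeyByOpenIdConnectAuthenticator implements HTTPAuthenticator {
    private static final Logger log = LogManager.getLogger(HTTPJwtKeyByOpenIdConnectAuthenticator.class);
    /** Case-insensitive scheme prefix stripped from the token value; note the trailing space. */
    private static final String BEARER = "bearer ";

    // All three are null when the constructor failed to build the key-set pipeline.
    private final KeySetRetriever keySetRetriever;
    private final SelfRefreshingKeySet selfRefreshingKeySet;
    private final JwtVerifier jwtVerifier;

    private final String jwtHeaderName;
    private final String jwtUrlParameter;
    private final String subjectKey;
    private final String rolesKey;
    private final int idpRequestTimeoutMs;
    private final int idpQueuedThreadTimeoutMs;
    private final int refreshRateLimitTimeWindowMs;
    private final int refreshRateLimitCount;

    /**
     * Reads the configuration and builds the key retriever, the self-refreshing key set and
     * the verifier.
     *
     * @param settings the authenticator's configuration section
     * @param path     config directory, used by {@link SettingsBasedSSLConfigurator} to
     *                 resolve relative key/trust store paths for the IdP connection
     */
    public HTTPJwtKeyByOpenIdConnectAuthenticator(Settings settings, Path path) {
        this.jwtUrlParameter = settings.get("jwt_url_parameter");
        this.jwtHeaderName = settings.get("jwt_header", "Authorization");
        this.rolesKey = settings.get("roles_key");
        this.subjectKey = settings.get("subject_key");
        this.idpRequestTimeoutMs = settings.getAsInt("idp_request_timeout_ms", 5000);
        this.idpQueuedThreadTimeoutMs = settings.getAsInt("idp_queued_thread_timeout_ms", 2500);
        this.refreshRateLimitTimeWindowMs = settings.getAsInt("refresh_rate_limit_time_window_ms", 10000);
        this.refreshRateLimitCount = settings.getAsInt("refresh_rate_limit_count", 10);

        KeySetRetriever retriever = null;
        SelfRefreshingKeySet keySet = null;
        JwtVerifier verifier = null;
        try {
            retriever = new KeySetRetriever(settings.get("openid_connect_url"), getSSLConfig(settings, path),
                    settings.getAsBoolean("cache_jwks_endpoint", false));
            retriever.setRequestTimeoutMs(this.idpRequestTimeoutMs);

            keySet = new SelfRefreshingKeySet(retriever);
            keySet.setRequestTimeoutMs(this.idpRequestTimeoutMs);
            keySet.setQueuedThreadTimeoutMs(this.idpQueuedThreadTimeoutMs);
            keySet.setRefreshRateLimitTimeWindowMs(this.refreshRateLimitTimeWindowMs);
            keySet.setRefreshRateLimitCount(this.refreshRateLimitCount);

            verifier = new JwtVerifier(keySet);
        } catch (Exception e) {
            // getSSLConfig() is declared to throw Exception, hence the broad catch. The failure is
            // swallowed on purpose (presumably so a misconfigured authenticator does not stop the
            // node); extractCredentials0() fails closed while jwtVerifier is null.
            log.error("Error creating JWT authenticator: " + e + ". JWT authentication will not work", e);
        }
        this.keySetRetriever = retriever;
        this.selfRefreshingKeySet = keySet;
        this.jwtVerifier = verifier;
    }

    /**
     * Extracts credentials from the request inside a privileged block, because verification
     * may trigger an outbound HTTPS call to the IdP (key-set refresh) from plugin code that
     * runs under the Elasticsearch security manager.
     *
     * @param restRequest   the incoming request
     * @param threadContext unused by this authenticator
     * @return the credentials, or {@code null} when no valid token is presented
     * @throws ElasticsearchSecurityException with status 503 when the IdP cannot be reached or
     *                                        the authenticator failed to initialize
     */
    @Override
    public AuthCredentials extractCredentials(final RestRequest restRequest, ThreadContext threadContext)
            throws ElasticsearchSecurityException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        return AccessController.doPrivileged((PrivilegedAction<AuthCredentials>) () -> extractCredentials0(restRequest));
    }

    /**
     * Performs the actual token lookup, verification and claim-to-credentials mapping.
     *
     * @param restRequest the incoming request
     * @return completed credentials, or {@code null} if no token is present, the token is
     *         rejected by the verifier, or it carries no subject
     * @throws ElasticsearchSecurityException with status 503 when the authenticator is
     *                                        uninitialized or the key set is unavailable
     */
    public AuthCredentials extractCredentials0(RestRequest restRequest) throws ElasticsearchSecurityException {
        if (this.jwtVerifier == null) {
            // Constructor failed (see the startup log). Fail closed with 503 rather than NPE.
            throw new ElasticsearchSecurityException("JWT authenticator is not initialized, see server log",
                    RestStatus.SERVICE_UNAVAILABLE);
        }

        String jwtTokenString = getJwtTokenString(restRequest);
        if (jwtTokenString == null || jwtTokenString.isEmpty()) {
            // No token presented: not authenticated by this authenticator.
            return null;
        }

        try {
            // JwtVerifier is expected to validate the signature against the key set before the
            // claims are trusted here -- confirm in JwtVerifier.
            JwtClaims claims = this.jwtVerifier.getJwtToken(jwtTokenString).getClaims();

            String subject = extractSubject(claims);
            if (subject == null) {
                log.error("No subject found in JWT token");
                return null;
            }

            AuthCredentials credentials = new AuthCredentials(subject, extractRoles(claims)).markComplete();
            for (Map.Entry<String, Object> claim : claims.asMap().entrySet()) {
                credentials.addAttribute("attr.jwt." + claim.getKey(), String.valueOf(claim.getValue()));
            }
            return credentials;
        } catch (JwtException e) {
            // The token itself is a bearer credential: keep it out of the log.
            log.info("Extracting JWT token failed", e);
            return null;
        } catch (AuthenticatorUnavailableException e) {
            throw new ElasticsearchSecurityException(e.getMessage(), RestStatus.SERVICE_UNAVAILABLE, e);
        }
    }

    /**
     * Locates the raw token: the configured header first, then (if configured) the URL
     * parameter when the header is absent or empty. A leading {@code "bearer "} scheme
     * (case-insensitive) is stripped; anything before it is discarded as well.
     *
     * @param restRequest the incoming request
     * @return the token string without scheme prefix, or {@code null} if none was found
     */
    protected String getJwtTokenString(RestRequest restRequest) {
        String token = restRequest.header(this.jwtHeaderName);

        if (this.jwtUrlParameter != null) {
            // The parameter is read unconditionally (the original code did so in both branches),
            // presumably so that RestRequest records it as consumed; it only supplies the token
            // when the header carries nothing.
            String paramToken = restRequest.param(this.jwtUrlParameter);
            if (token == null || token.isEmpty()) {
                token = paramToken;
            }
        }

        if (token == null) {
            return null;
        }

        int schemeIndex = token.toLowerCase(Locale.ROOT).indexOf(BEARER);
        return schemeIndex > -1 ? token.substring(schemeIndex + BEARER.length()) : token;
    }

    /**
     * Determines the user name: the claim named by {@code subject_key} when configured
     * (non-String values are converted with {@link String#valueOf(Object)}), otherwise the
     * standard {@code sub} claim.
     *
     * @param jwtClaims verified claims
     * @return the subject, or {@code null} when {@code subject_key} is set but the claim is missing
     */
    protected String extractSubject(JwtClaims jwtClaims) {
        if (this.subjectKey == null) {
            return jwtClaims.getSubject();
        }

        Object claim = jwtClaims.getClaim(this.subjectKey);
        if (claim == null) {
            log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", this.subjectKey);
            return null;
        }
        if (claim instanceof String) {
            return (String) claim;
        }
        log.warn("Expected type String for subject in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
                this.subjectKey, claim, claim.getClass());
        return String.valueOf(claim);
    }

    /**
     * Derives the roles from the claim named by {@code roles_key}: a Collection contributes one
     * role per element, any other value is stringified and split on commas. Each role is
     * trimmed. Non-String collection elements are converted instead of failing with an
     * {@link ArrayStoreException}.
     *
     * @param jwtClaims verified claims
     * @return the roles; empty when {@code roles_key} is unset or the claim is missing
     */
    protected String[] extractRoles(JwtClaims jwtClaims) {
        if (this.rolesKey == null) {
            return new String[0];
        }

        Object claim = jwtClaims.getClaim(this.rolesKey);
        if (claim == null) {
            log.warn("Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.", this.rolesKey);
            return new String[0];
        }

        String[] roles;
        if (claim instanceof Collection) {
            List<String> converted = new ArrayList<>();
            for (Object element : (Collection<?>) claim) {
                converted.add(String.valueOf(element));
            }
            roles = converted.toArray(new String[0]);
        } else {
            if (!(claim instanceof String)) {
                log.warn("Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.",
                        this.rolesKey, claim, claim.getClass());
            }
            roles = String.valueOf(claim).split(",");
        }

        for (int i = 0; i < roles.length; i++) {
            roles[i] = roles[i].trim();
        }
        return roles;
    }

    /**
     * Builds the TLS configuration for the connection to the IdP from the
     * {@code openid_connect_idp} settings prefix.
     *
     * @throws Exception whatever {@link SettingsBasedSSLConfigurator#buildSSLConfig()} throws
     */
    private static SettingsBasedSSLConfigurator.SSLConfig getSSLConfig(Settings settings, Path path) throws Exception {
        return new SettingsBasedSSLConfigurator(settings, path, "openid_connect_idp").buildSSLConfig();
    }

    /** @return the authenticator type identifier used in the Search Guard configuration */
    @Override
    public String getType() {
        return "jwt-key-by-oidc";
    }

    /**
     * Answers an unauthenticated request with 401 and a {@code WWW-Authenticate: Bearer}
     * challenge for the Search Guard realm.
     *
     * @param restChannel     channel to write the response to
     * @param authCredentials unused
     * @return always {@code true}, signalling that a challenge was sent
     */
    @Override
    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        BytesRestResponse challenge = new BytesRestResponse(RestStatus.UNAUTHORIZED, "");
        challenge.addHeader("WWW-Authenticate", "Bearer realm=\"Search Guard\"");
        restChannel.sendResponse(challenge);
        return true;
    }
}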
