package org.apache.solr.security.jwt;

import com.google.common.annotations.VisibleForTesting;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.util.Utils;
import org.jose4j.http.Get;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:org/apache/solr/security/jwt/JWTIssuerConfig.class */
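/**
 * Configuration of one JWT issuer: its issuer id ({@code iss}), expected audience, and the
 * source of signature-verification keys, which is one of an OpenID Connect well-known
 * discovery URL, one or more JWKS URLs, or an inline JWK (set).
 *
 * <p>{@link #init()} validates the configuration and fetches the well-known document;
 * {@link #getHttpsJwks()} lazily builds the JWKS fetchers. Plain {@code http} endpoints are
 * refused by {@link #checkAllowOutboundHttpConnections(String, URL)} unless the
 * {@code solr.auth.jwt.allowOutboundHttp} system property is {@code true}.
 *
 * <p>Instances carry mutable state and perform no synchronization; configure and initialize
 * on one thread before sharing.
 */
public class JWTIssuerConfig {
    static final String PARAM_ISS_NAME = "name";
    static final String PARAM_JWKS_URL = "jwksUrl";
    static final String PARAM_JWK = "jwk";
    static final String PARAM_ISSUER = "iss";
    static final String PARAM_AUDIENCE = "aud";
    static final String PARAM_WELL_KNOWN_URL = "wellKnownUrl";
    static final String PARAM_AUTHORIZATION_ENDPOINT = "authorizationEndpoint";
    static final String PARAM_CLIENT_ID = "clientId";
    private String iss;
    private String aud;
    private JsonWebKeySet jsonWebKeySet;
    private String name;
    private List<String> jwksUrl;
    private List<HttpsJwks> httpsJwks;
    private String wellKnownUrl;
    private WellKnownDiscoveryConfig wellKnownDiscoveryConfig;
    private String clientId;
    private String authorizationEndpoint;
    // Used only for the well-known fetch (see fetchWellKnown). The JWKS fetchers take their
    // trust settings from the HttpsJwksFactory installed via setHttpsJwksFactory, not from here.
    private Collection<X509Certificate> trustedCerts;
    public static final String ALLOW_OUTBOUND_HTTP_ERR_MSG = "HTTPS required for IDP communication. Please use SSL or start your nodes with -Dsolr.auth.jwt.allowOutboundHttp=true to allow HTTP for test purposes.";
    // Default factory: keys cached for 3600, refresh reprieve 5000 (jose4j treats these as
    // seconds and milliseconds respectively). Replaceable process-wide via setHttpsJwksFactory.
    private static HttpsJwksFactory httpsJwksFactory = new HttpsJwksFactory(3600, 5000);
    // Read from the system property once at class load. Public and non-final, so it can be
    // overridden at runtime (presumably by tests); flipping it to true disables the
    // HTTPS-only check for every issuer in this JVM.
    public static boolean ALLOW_OUTBOUND_HTTP = Boolean.parseBoolean(System.getProperty("solr.auth.jwt.allowOutboundHttp", "false"));

    /**
     * Creates jose4j {@link HttpsJwks} key fetchers that share a cache duration, a
     * refresh-reprieve threshold and, optionally, an explicit set of trusted TLS certificates.
     */
    public static class HttpsJwksFactory {
        private final long jwkCacheDuration;
        private final long refreshReprieveThreshold;
        // Certificates trusted instead of the default trust store; null means use the default.
        private final Collection<X509Certificate> trustedCerts;

        /**
         * @param jwkCacheDuration passed to {@link HttpsJwks#setDefaultCacheDuration(long)}
         * @param refreshReprieveThreshold passed to {@link HttpsJwks#setRefreshReprieveThreshold(long)}
         */
        public HttpsJwksFactory(long jwkCacheDuration, long refreshReprieveThreshold) {
            this(jwkCacheDuration, refreshReprieveThreshold, null);
        }

        /**
         * @param jwkCacheDuration passed to {@link HttpsJwks#setDefaultCacheDuration(long)}
         * @param refreshReprieveThreshold passed to {@link HttpsJwks#setRefreshReprieveThreshold(long)}
         * @param trustedCerts certificates to trust for the JWKS fetch instead of the default
         *     trust store, or {@code null} for the default
         */
        public HttpsJwksFactory(long jwkCacheDuration, long refreshReprieveThreshold, Collection<X509Certificate> trustedCerts) {
            this.jwkCacheDuration = jwkCacheDuration;
            this.refreshReprieveThreshold = refreshReprieveThreshold;
            this.trustedCerts = trustedCerts;
        }

        /**
         * Builds the key fetcher for a single JWKS URL.
         *
         * @throws SolrException if {@code jwksUrl} is not a valid URL, or uses plain http while
         *     outbound http is not allowed
         */
        private HttpsJwks create(String jwksUrl) {
            URL url;
            try {
                url = new URL(jwksUrl);
            } catch (MalformedURLException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Url " + jwksUrl + " configured in jwksUrl is not a valid URL", e);
            }
            // Enforced here as well as for wellKnownUrl, so a jwks_uri obtained from a
            // discovery document is held to the same HTTPS requirement.
            JWTIssuerConfig.checkAllowOutboundHttpConnections(JWTIssuerConfig.PARAM_JWKS_URL, url);
            HttpsJwks jwks = new HttpsJwks(jwksUrl);
            jwks.setDefaultCacheDuration(jwkCacheDuration);
            jwks.setRefreshReprieveThreshold(refreshReprieveThreshold);
            if (trustedCerts != null) {
                jwks.setSimpleHttpGet(JWTIssuerConfig.newTrustedGet(trustedCerts, url.getHost()));
            }
            return jwks;
        }

        /**
         * Builds one fetcher per URL, in order.
         *
         * @throws SolrException if any URL is rejected by {@link #create(String)}
         */
        public List<HttpsJwks> createList(List<String> jwksUrls) {
            return jwksUrls.stream().map(this::create).collect(Collectors.toList());
        }
    }

    /**
     * An OpenID Connect discovery ("well-known") document, parsed from JSON. Values are returned
     * exactly as found in the document; nothing here validates them.
     */
    public static class WellKnownDiscoveryConfig {
        private static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("https", "file", "http");
        private final Map<String, Object> securityConf;

        WellKnownDiscoveryConfig(Map<String, Object> securityConf) {
            this.securityConf = securityConf;
        }

        /**
         * Fetches and parses the document at {@code wellKnownUrl} using the default trust store.
         *
         * @throws MalformedURLException if the string is not a valid URL
         */
        public static WellKnownDiscoveryConfig parse(String wellKnownUrl) throws MalformedURLException {
            return parse(new URL(wellKnownUrl), null);
        }

        /**
         * Fetches and parses the document at {@code url}. Allowed schemes are {@code https},
         * {@code http} (only when outbound http is allowed) and {@code file}; a {@code file}
         * URL reads the local filesystem of this node, so it should only ever come from trusted
         * configuration.
         *
         * @param trustedCerts certificates to trust for an https fetch instead of the default
         *     trust store, or {@code null} for the default
         * @throws SolrException if the scheme is not allowed, plain http is not permitted, or
         *     the document cannot be read
         */
        public static WellKnownDiscoveryConfig parse(URL url, Collection<X509Certificate> trustedCerts) {
            if (!ALLOWED_PROTOCOLS.contains(url.getProtocol())) {
                throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, "Well-known config URL must be one of HTTPS or HTTP or file");
            }
            JWTIssuerConfig.checkAllowOutboundHttpConnections(JWTIssuerConfig.PARAM_WELL_KNOWN_URL, url);
            try {
                if ("file".equals(url.getProtocol())) {
                    // parse(InputStream) does not close the stream, so close it here.
                    try (InputStream in = url.openStream()) {
                        return parse(in);
                    }
                }
                Get get = trustedCerts != null ? JWTIssuerConfig.newTrustedGet(trustedCerts, url.getHost()) : new Get();
                String body = get.get(url.toString()).getBody();
                return parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            } catch (IOException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Well-known config could not be read from url " + url, e);
            }
        }

        /** Parses an in-memory JSON document; intended for tests. */
        @VisibleForTesting
        public static WellKnownDiscoveryConfig parse(String json, Charset charset) {
            return parse(new ByteArrayInputStream(json.getBytes(charset)));
        }

        /**
         * Parses a JSON document from {@code inputStream}. The stream is not closed here; the
         * caller owns it.
         */
        @SuppressWarnings("unchecked")
        public static WellKnownDiscoveryConfig parse(InputStream inputStream) {
            return new WellKnownDiscoveryConfig((Map<String, Object>) Utils.fromJSON(inputStream));
        }

        /** @return the document's {@code jwks_uri}, or {@code null} if absent */
        public String getJwksUrl() {
            return (String) securityConf.get("jwks_uri");
        }

        /** @return the document's {@code issuer}, or {@code null} if absent */
        public String getIssuer() {
            return (String) securityConf.get("issuer");
        }

        /** @return the document's {@code authorization_endpoint}, or {@code null} if absent */
        public String getAuthorizationEndpoint() {
            return (String) securityConf.get("authorization_endpoint");
        }

        /** @return the document's {@code userinfo_endpoint}, or {@code null} if absent */
        public String getUserInfoEndpoint() {
            return (String) securityConf.get("userinfo_endpoint");
        }

        /** @return the document's {@code token_endpoint}, or {@code null} if absent */
        public String getTokenEndpoint() {
            return (String) securityConf.get("token_endpoint");
        }

        /** @return the document's {@code scopes_supported}, or {@code null} if absent */
        @SuppressWarnings("unchecked")
        public List<String> getScopesSupported() {
            return (List<String>) securityConf.get("scopes_supported");
        }

        /** @return the document's {@code response_types_supported}, or {@code null} if absent */
        @SuppressWarnings("unchecked")
        public List<String> getResponseTypesSupported() {
            return (List<String>) securityConf.get("response_types_supported");
        }
    }

    /** Creates an empty issuer configuration with only its name set. */
    public JWTIssuerConfig(String name) {
        this.name = name;
    }

    /**
     * Creates an issuer configuration from a config map; see {@link #parseConfigMap(Map)}.
     *
     * @throws SolrException on unknown keys or malformed values
     */
    public JWTIssuerConfig(Map<String, Object> config) {
        parseConfigMap(config);
    }

    /**
     * Validates the configuration and, when a well-known URL is configured, fetches the
     * discovery document and fills in {@code iss}, {@code jwksUrl} and
     * {@code authorizationEndpoint} from it where they were not set explicitly.
     *
     * @throws SolrException if the configuration is invalid, the well-known URL is malformed
     *     or unreadable, or {@code iss} is still unknown for an issuer that verifies keys via
     *     JWKS URLs (the issuer named {@code PRIMARY} is exempt from that last check)
     */
    public void init() {
        if (!isValid()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Configuration is not valid");
        }
        if (wellKnownUrl != null) {
            URL url;
            try {
                url = new URL(wellKnownUrl);
            } catch (MalformedURLException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Wrong URL given for well-known endpoint " + wellKnownUrl, e);
            }
            wellKnownDiscoveryConfig = fetchWellKnown(url);
            // Explicit settings win; discovery only fills what the config left unset.
            if (iss == null) {
                iss = wellKnownDiscoveryConfig.getIssuer();
            }
            if (jwksUrl == null) {
                jwksUrl = Collections.singletonList(wellKnownDiscoveryConfig.getJwksUrl());
            }
            if (authorizationEndpoint == null) {
                authorizationEndpoint = wellKnownDiscoveryConfig.getAuthorizationEndpoint();
            }
        }
        if (iss == null && usesHttpsJwk() && !"PRIMARY".equals(name)) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Missing required config 'iss' for issuer " + getName());
        }
    }

    /**
     * Applies the keys {@code name}, {@code wellKnownUrl}, {@code iss}, {@code clientId},
     * {@code aud}, {@code jwksUrl}, {@code jwk} and {@code authorizationEndpoint} from
     * {@code config}, which is not modified.
     *
     * @throws SolrException if any other key is present, or a value has the wrong type
     */
    protected void parseConfigMap(Map<String, Object> config) {
        Map<String, Object> remaining = new HashMap<>(config);
        setName((String) remaining.remove(PARAM_ISS_NAME));
        setWellKnownUrl((String) remaining.remove(PARAM_WELL_KNOWN_URL));
        setIss((String) remaining.remove(PARAM_ISSUER));
        setClientId((String) remaining.remove(PARAM_CLIENT_ID));
        setAud((String) remaining.remove(PARAM_AUDIENCE));
        setJwksUrl(remaining.remove(PARAM_JWKS_URL));
        setJsonWebKeySet(remaining.remove(PARAM_JWK));
        setAuthorizationEndpoint((String) remaining.remove(PARAM_AUTHORIZATION_ENDPOINT));
        // Anything left over is a typo or an unsupported option; fail loudly rather than
        // silently ignore a setting the operator believes is in effect.
        if (!remaining.isEmpty()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Unknown configuration key " + remaining.keySet() + " for issuer " + name);
        }
    }

    /**
     * Sets the inline key set from the raw {@code jwk} config value (a JSON-like map holding
     * either a single JWK or a {@code keys} array). A {@code null} value is ignored.
     *
     * @throws SolrException if the map is not a valid JWK / JWK set
     */
    @SuppressWarnings("unchecked")
    protected void setJsonWebKeySet(Object jwk) {
        if (jwk == null) {
            return;
        }
        try {
            jsonWebKeySet = parseJwkSet((Map<String, Object>) jwk);
        } catch (JoseException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed parsing parameter 'jwk' for issuer " + getName(), e);
        }
    }

    /**
     * Parses a JWK set from a map. If the map has a {@code keys} entry it is treated as a JWK
     * set and every element becomes one key; otherwise the whole map is parsed as a single JWK.
     *
     * @throws JoseException if any key fails to parse
     */
    @SuppressWarnings("unchecked")
    public static JsonWebKeySet parseJwkSet(Map<String, Object> map) throws JoseException {
        if (!map.containsKey("keys")) {
            return new JsonWebKeySet(JsonWebKey.Factory.newJwk(map));
        }
        JsonWebKeySet keySet = new JsonWebKeySet();
        for (Map<String, Object> jwk : (List<Map<String, Object>>) map.get("keys")) {
            keySet.addJsonWebKey(JsonWebKey.Factory.newJwk(jwk));
        }
        return keySet;
    }

    /** Fetches the discovery document using this issuer's trusted certificates, if any. */
    private WellKnownDiscoveryConfig fetchWellKnown(URL url) {
        return WellKnownDiscoveryConfig.parse(url, trustedCerts);
    }

    /**
     * Builds a jose4j HTTP GET client that trusts exactly {@code trustedCerts} instead of the
     * default trust store. Only when the target host is {@code localhost} is hostname
     * verification disabled, so that a locally issued test certificate is accepted; for every
     * other host the certificate name must still match.
     */
    private static Get newTrustedGet(Collection<X509Certificate> trustedCerts, String host) {
        Get get = new Get();
        get.setTrustedCertificates(trustedCerts);
        if ("localhost".equals(host)) {
            get.setHostnameVerifier((hostname, session) -> true);
        }
        return get;
    }

    public String getIss() {
        return iss;
    }

    public JWTIssuerConfig setIss(String iss) {
        this.iss = iss;
        return this;
    }

    public String getName() {
        return name;
    }

    public JWTIssuerConfig setName(String name) {
        this.name = name;
        return this;
    }

    public String getWellKnownUrl() {
        return wellKnownUrl;
    }

    public JWTIssuerConfig setWellKnownUrl(String wellKnownUrl) {
        this.wellKnownUrl = wellKnownUrl;
        return this;
    }

    public List<String> getJwksUrls() {
        return jwksUrl;
    }

    public JWTIssuerConfig setJwksUrl(List<String> jwksUrls) {
        this.jwksUrl = jwksUrls;
        return this;
    }

    /**
     * Sets the JWKS URLs from a raw config value: a single {@code String}, a {@code List} of
     * strings, or {@code null} (ignored).
     *
     * @throws SolrException for any other type
     */
    @SuppressWarnings("unchecked")
    public JWTIssuerConfig setJwksUrl(Object value) {
        if (value instanceof String) {
            jwksUrl = Collections.singletonList((String) value);
        } else if (value instanceof List) {
            jwksUrl = (List<String>) value;
        } else if (value != null) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Parameter jwksUrl must be either List or String");
        }
        return this;
    }

    /**
     * Returns the JWKS fetchers, creating them from {@link #getJwksUrls()} on first call via
     * the process-wide factory. No synchronization is performed, so concurrent first calls may
     * each build their own list. Requires the URL list to be non-null; check
     * {@link #usesHttpsJwk()} first.
     */
    public List<HttpsJwks> getHttpsJwks() {
        if (httpsJwks == null) {
            httpsJwks = httpsJwksFactory.createList(getJwksUrls());
        }
        return httpsJwks;
    }

    /** Replaces the process-wide factory used by {@link #getHttpsJwks()} for all issuers. */
    public static void setHttpsJwksFactory(HttpsJwksFactory factory) {
        httpsJwksFactory = factory;
    }

    public JsonWebKeySet getJsonWebKeySet() {
        return jsonWebKeySet;
    }

    public JWTIssuerConfig setJsonWebKeySet(JsonWebKeySet jsonWebKeySet) {
        this.jsonWebKeySet = jsonWebKeySet;
        return this;
    }

    /** @return whether at least one JWKS URL is configured (or was discovered) */
    public boolean usesHttpsJwk() {
        List<String> urls = getJwksUrls();
        return urls != null && !urls.isEmpty();
    }

    /** @return the discovery document fetched by {@link #init()}, or {@code null} */
    public WellKnownDiscoveryConfig getWellKnownDiscoveryConfig() {
        return wellKnownDiscoveryConfig;
    }

    public String getAud() {
        return aud;
    }

    public JWTIssuerConfig setAud(String aud) {
        this.aud = aud;
        return this;
    }

    public String getClientId() {
        return clientId;
    }

    public JWTIssuerConfig setClientId(String clientId) {
        this.clientId = clientId;
        return this;
    }

    public String getAuthorizationEndpoint() {
        return authorizationEndpoint;
    }

    public JWTIssuerConfig setAuthorizationEndpoint(String authorizationEndpoint) {
        this.authorizationEndpoint = authorizationEndpoint;
        return this;
    }

    /**
     * Serializes the explicitly set values back into a config map (only non-null entries).
     * The inline key set is emitted as its list of {@link JsonWebKey}s.
     */
    public Map<String, Object> asConfig() {
        Map<String, Object> config = new HashMap<>();
        putIfNotNull(config, PARAM_ISS_NAME, name);
        putIfNotNull(config, PARAM_ISSUER, iss);
        putIfNotNull(config, PARAM_AUDIENCE, aud);
        putIfNotNull(config, PARAM_JWKS_URL, jwksUrl);
        putIfNotNull(config, PARAM_WELL_KNOWN_URL, wellKnownUrl);
        putIfNotNull(config, PARAM_CLIENT_ID, clientId);
        putIfNotNull(config, PARAM_AUTHORIZATION_ENDPOINT, authorizationEndpoint);
        if (jsonWebKeySet != null) {
            putIfNotNull(config, PARAM_JWK, jsonWebKeySet.getJsonWebKeys());
        }
        return config;
    }

    /** Puts {@code value} under {@code key} unless it is {@code null}. */
    private void putIfNotNull(Map<String, Object> target, String key, Object value) {
        if (value != null) {
            target.put(key, value);
        }
    }

    /**
     * Checks that exactly one key source is configured. {@code wellKnownUrl} may be combined
     * with {@code jwksUrl} (explicit URLs then override discovery), but {@code jwksUrl} and
     * {@code jwk} are mutually exclusive, as are {@code jwk} and {@code wellKnownUrl}.
     *
     * @return {@code true} if at least one key source is configured
     * @throws SolrException if the combination is not allowed, or a key source is configured
     *     without a {@code name}
     */
    public boolean isValid() {
        // Weights are chosen so that any pairing involving jwksUrl+jwk or jwk+wellKnownUrl
        // exceeds 3, while wellKnownUrl+jwksUrl (3) stays allowed.
        int sources = (wellKnownUrl != null ? 1 : 0) + (jwksUrl != null ? 2 : 0) + (jsonWebKeySet != null ? 2 : 0);
        if (sources > 3) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "JWTAuthPlugin needs to configure exactly one of wellKnownUrl, jwksUrl and jwk");
        }
        if (sources > 0 && name == null) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Parameter 'name' is required for issuer configurations");
        }
        return sources > 0;
    }

    /** Sets the certificates trusted for the well-known fetch; see {@link #fetchWellKnown(URL)}. */
    public void setTrustedCerts(Collection<X509Certificate> trustedCerts) {
        this.trustedCerts = trustedCerts;
    }

    @VisibleForTesting
    public Collection<X509Certificate> getTrustedCerts() {
        return trustedCerts;
    }

    /**
     * Rejects a plain-http {@code url} unless {@link #ALLOW_OUTBOUND_HTTP} is set. Other schemes
     * pass through unchanged.
     *
     * @param paramName the configuration parameter the URL came from, used in the error message
     * @throws SolrException with {@code BAD_REQUEST} if the URL uses http and http is not allowed
     */
    public static void checkAllowOutboundHttpConnections(String paramName, URL url) {
        if ("http".equalsIgnoreCase(url.getProtocol()) && !ALLOW_OUTBOUND_HTTP) {
            throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, paramName + " is using http protocol. " + ALLOW_OUTBOUND_HTTP_ERR_MSG);
        }
    }
}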
