package org.apache.solr.security.jwt;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.HttpRequest;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.protocol.HttpContext;
import org.apache.solr.api.AnnotatedApi;
import org.apache.solr.api.Api;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SpecProvider;
import org.apache.solr.common.util.CommandOperation;
import org.apache.solr.common.util.StrUtils;
import org.apache.solr.common.util.Utils;
import org.apache.solr.common.util.ValidatingJsonMap;
import org.apache.solr.core.CoreContainer;
import org.apache.solr.security.AuthenticationPlugin;
import org.apache.solr.security.ConfigEditablePlugin;
import org.apache.solr.security.jwt.JWTIssuerConfig;
import org.apache.solr.security.jwt.api.ModifyJWTAuthPluginConfigAPI;
import org.apache.solr.util.CryptoKeys;
import org.eclipse.jetty.client.api.Request;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.InvalidJwtSignatureException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/security/jwt/JWTAuthPlugin.class */
public class JWTAuthPlugin extends AuthenticationPlugin implements SpecProvider, ConfigEditablePlugin {
    private static final String PARAM_SCOPE = "scope";
    private static final String DEFAULT_AUTH_REALM = "solr-jwt";
    private static final String CLAIM_SCOPE = "scope";
    private static final long RETRY_INIT_DELAY_SECONDS = 30;
    private static final long DEFAULT_REFRESH_REPRIEVE_THRESHOLD = 5000;
    static final String PRIMARY_ISSUER = "PRIMARY";

    @Deprecated(since = "9.0")
    private static final String PARAM_ALG_WHITELIST = "algWhitelist";
    private JwtConsumer jwtConsumer;
    private boolean requireExpirationTime;
    private List<String> algAllowlist;
    private String principalClaim;
    private String rolesClaim;
    private HashMap<String, Pattern> claimsMatchCompiled;
    private boolean blockUnknown;
    private List<String> requiredScopes;
    private Map<String, Object> pluginConfig;
    private Instant lastInitTime;
    private String adminUiScope;
    private List<String> redirectUris;
    private List<JWTIssuerConfig> issuerConfigs;
    private boolean requireIssuer;
    private JWTVerificationkeyResolver verificationKeyResolver;
    private Collection<X509Certificate> trustedSslCerts;
    String realm;
    private final CoreContainer coreContainer;
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    private static final String PARAM_BLOCK_UNKNOWN = "blockUnknown";
    private static final String PARAM_PRINCIPAL_CLAIM = "principalClaim";
    private static final String PARAM_REQUIRE_EXPIRATIONTIME = "requireExp";
    private static final String PARAM_ALG_ALLOWLIST = "algAllowlist";
    private static final String PARAM_JWK_CACHE_DURATION = "jwkCacheDur";
    private static final String PARAM_CLAIMS_MATCH = "claimsMatch";
    private static final String PARAM_REALM = "realm";
    private static final String PARAM_ROLES_CLAIM = "rolesClaim";
    private static final String PARAM_ADMINUI_SCOPE = "adminUiScope";
    private static final String PARAM_REDIRECT_URIS = "redirectUris";
    private static final String PARAM_REQUIRE_ISSUER = "requireIss";
    private static final String PARAM_ISSUERS = "issuers";
    private static final String PARAM_TRUSTED_CERTS_FILE = "trustedCertsFile";
    private static final String PARAM_TRUSTED_CERTS = "trustedCerts";
    private static final Set<String> PROPS = Set.of((Object[]) new String[]{PARAM_BLOCK_UNKNOWN, PARAM_PRINCIPAL_CLAIM, PARAM_REQUIRE_EXPIRATIONTIME, PARAM_ALG_ALLOWLIST, PARAM_JWK_CACHE_DURATION, PARAM_CLAIMS_MATCH, "scope", PARAM_REALM, PARAM_ROLES_CLAIM, PARAM_ADMINUI_SCOPE, PARAM_REDIRECT_URIS, PARAM_REQUIRE_ISSUER, PARAM_ISSUERS, PARAM_TRUSTED_CERTS_FILE, PARAM_TRUSTED_CERTS, "jwksUrl", "jwk", "iss", "clientId", "wellKnownUrl", "aud", "authorizationEndpoint"});

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/solr/security/jwt/JWTAuthPlugin$BearerWwwAuthErrorCode.class */
    public enum BearerWwwAuthErrorCode {
        invalid_request,
        invalid_token,
        insufficient_scope
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/solr/security/jwt/JWTAuthPlugin$JWTAuthenticationResponse.class */
    public static class JWTAuthenticationResponse {
        private final Principal principal;
        private String errorMessage;
        private final AuthCode authCode;
        private InvalidJwtException jwtException;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/apache/solr/security/jwt/JWTAuthPlugin$JWTAuthenticationResponse$AuthCode.class */
        public enum AuthCode {
            PASS_THROUGH("No user, pass through"),
            AUTHENTICATED("Authenticated"),
            PRINCIPAL_MISSING("No principal in JWT"),
            JWT_PARSE_ERROR("Invalid JWT"),
            AUTZ_HEADER_PROBLEM("Wrong header"),
            NO_AUTZ_HEADER("Require authentication"),
            JWT_EXPIRED("JWT token expired"),
            CLAIM_MISMATCH("Required JWT claim missing"),
            JWT_VALIDATION_EXCEPTION("JWT validation failed"),
            SCOPE_MISSING("Required scope missing in JWT"),
            SIGNATURE_INVALID("Signature invalid");

            private final String msg;

            public String getMsg() {
                return this.msg;
            }

            AuthCode(String str) {
                this.msg = str;
            }
        }

        JWTAuthenticationResponse(AuthCode authCode, InvalidJwtException invalidJwtException) {
            this.authCode = authCode;
            this.jwtException = invalidJwtException;
            this.principal = null;
            this.errorMessage = invalidJwtException.getMessage();
        }

        JWTAuthenticationResponse(AuthCode authCode, String str) {
            this.authCode = authCode;
            this.errorMessage = str;
            this.principal = null;
        }

        JWTAuthenticationResponse(AuthCode authCode, Principal principal) {
            this.authCode = authCode;
            this.principal = principal;
        }

        JWTAuthenticationResponse(AuthCode authCode) {
            this.authCode = authCode;
            this.principal = null;
        }

        boolean isAuthenticated() {
            return this.authCode.equals(AuthCode.AUTHENTICATED);
        }

        public Principal getPrincipal() {
            return this.principal;
        }

        String getErrorMessage() {
            return this.errorMessage;
        }

        InvalidJwtException getJwtException() {
            return this.jwtException;
        }

        AuthCode getAuthCode() {
            return this.authCode;
        }
    }

    public JWTAuthPlugin() {
        this(null);
    }

    public JWTAuthPlugin(CoreContainer coreContainer) {
        this.requiredScopes = new ArrayList();
        this.lastInitTime = Instant.now();
        this.coreContainer = coreContainer;
    }

    public void init(Map<String, Object> map) {
        this.pluginConfig = map;
        this.issuerConfigs = null;
        List list = (List) map.keySet().stream().filter(str -> {
            return !PROPS.contains(str);
        }).collect(Collectors.toList());
        list.remove("class");
        list.remove("");
        if (!list.isEmpty()) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Invalid JwtAuth configuration parameter " + list);
        }
        this.blockUnknown = Boolean.parseBoolean(String.valueOf(map.getOrDefault(PARAM_BLOCK_UNKNOWN, false)));
        this.requireIssuer = Boolean.parseBoolean(String.valueOf(map.getOrDefault(PARAM_REQUIRE_ISSUER, "true")));
        this.requireExpirationTime = Boolean.parseBoolean(String.valueOf(map.getOrDefault(PARAM_REQUIRE_EXPIRATIONTIME, "true")));
        this.principalClaim = (String) map.getOrDefault(PARAM_PRINCIPAL_CLAIM, "sub");
        this.rolesClaim = (String) map.get(PARAM_ROLES_CLAIM);
        this.algAllowlist = (List) map.get(PARAM_ALG_ALLOWLIST);
        if ((this.algAllowlist == null || this.algAllowlist.isEmpty()) && map.containsKey(PARAM_ALG_WHITELIST)) {
            log.warn("Found use of deprecated parameter algWhitelist. Please use {} instead.", PARAM_ALG_ALLOWLIST);
            this.algAllowlist = (List) map.get(PARAM_ALG_WHITELIST);
        }
        this.realm = (String) map.getOrDefault(PARAM_REALM, DEFAULT_AUTH_REALM);
        Map map2 = (Map) map.get(PARAM_CLAIMS_MATCH);
        this.claimsMatchCompiled = new HashMap<>();
        if (map2 != null) {
            for (Map.Entry entry : map2.entrySet()) {
                this.claimsMatchCompiled.put((String) entry.getKey(), Pattern.compile((String) entry.getValue()));
            }
        }
        String str2 = (String) map.get("scope");
        if (StrUtils.isNotNullOrEmpty(str2)) {
            this.requiredScopes = Arrays.asList(str2.split("\\s+"));
        }
        Object obj = map.get(PARAM_TRUSTED_CERTS_FILE);
        String str3 = (String) map.get(PARAM_TRUSTED_CERTS);
        if (obj != null && str3 != null) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Found both trustedCertsFile and trustedCerts, please use only one");
        }
        if (obj != null) {
            this.trustedSslCerts = readSslCertsFromFileOrList(obj);
        }
        if (str3 != null) {
            log.info("Reading trustedCerts PEM from configuration string");
            this.trustedSslCerts = CryptoKeys.parseX509Certs(new ByteArrayInputStream(str3.getBytes(StandardCharsets.UTF_8)));
        }
        JWTIssuerConfig.setHttpsJwksFactory(new JWTIssuerConfig.HttpsJwksFactory(Long.parseLong((String) map.getOrDefault(PARAM_JWK_CACHE_DURATION, "3600")), DEFAULT_REFRESH_REPRIEVE_THRESHOLD, this.trustedSslCerts));
        this.issuerConfigs = new ArrayList();
        parseIssuerFromTopLevelConfig(map).ifPresent(jWTIssuerConfig -> {
            this.issuerConfigs.add(jWTIssuerConfig);
            log.warn("JWTAuthPlugin issuer is configured using top-level configuration keys. Please consider using the 'issuers' array instead.");
        });
        this.issuerConfigs.addAll(parseIssuers(map));
        this.verificationKeyResolver = new JWTVerificationkeyResolver(this.issuerConfigs, this.requireIssuer);
        if (this.issuerConfigs.size() > 0 && getPrimaryIssuer().getAuthorizationEndpoint() != null) {
            this.adminUiScope = (String) map.get(PARAM_ADMINUI_SCOPE);
            if (this.adminUiScope == null && this.requiredScopes.size() > 0) {
                this.adminUiScope = this.requiredScopes.get(0);
                log.warn("No adminUiScope given, using first scope in 'scope' list as required scope for accessing Admin UI");
            }
            if (this.adminUiScope == null) {
                this.adminUiScope = "solr";
                log.info("No adminUiScope provided, fallback to 'solr' as required scope for Admin UI login may not work");
            }
            Object obj2 = map.get(PARAM_REDIRECT_URIS);
            this.redirectUris = Collections.emptyList();
            if (obj2 != null) {
                if (obj2 instanceof String) {
                    this.redirectUris = Collections.singletonList((String) obj2);
                } else if (obj2 instanceof List) {
                    this.redirectUris = (List) obj2;
                }
            }
        }
        initConsumer();
        this.lastInitTime = Instant.now();
    }

    Collection<X509Certificate> readSslCertsFromFileOrList(Object obj) {
        List list;
        HashSet hashSet = new HashSet();
        if (obj instanceof String) {
            list = List.of((String) obj);
        } else {
            if (!(obj instanceof List)) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "trustedCertsFile is neither a String or List");
            }
            list = (List) obj;
        }
        log.info("Reading trustedCerts from file(s) {}", list);
        list.forEach(str -> {
            try {
                hashSet.addAll(parseCertsFromFile(str));
            } catch (IOException e) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed to read file " + str, e);
            }
        });
        return hashSet;
    }

    Collection<? extends X509Certificate> parseCertsFromFile(String str) throws IOException {
        Path path = Paths.get(str, new String[0]);
        if (this.coreContainer != null) {
            this.coreContainer.assertPathAllowed(path);
        }
        return CryptoKeys.parseX509Certs(Files.newInputStream(path, new OpenOption[0]));
    }

    private Optional<JWTIssuerConfig> parseIssuerFromTopLevelConfig(Map<String, Object> map) {
        try {
            JWTIssuerConfig wellKnownUrl = new JWTIssuerConfig(PRIMARY_ISSUER).setIss((String) map.get("iss")).setAud((String) map.get("aud")).setJwksUrl(map.get("jwksUrl")).setAuthorizationEndpoint((String) map.get("authorizationEndpoint")).setClientId((String) map.get("clientId")).setWellKnownUrl((String) map.get("wellKnownUrl"));
            if (map.get("jwk") != null) {
                wellKnownUrl.setJsonWebKeySet(JWTIssuerConfig.parseJwkSet((Map) map.get("jwk")));
            }
            if (!wellKnownUrl.isValid()) {
                log.debug("No issuer configured in top level config");
                return Optional.empty();
            }
            log.debug("Found issuer in top level config");
            wellKnownUrl.setTrustedCerts(this.trustedSslCerts);
            wellKnownUrl.init();
            return Optional.of(wellKnownUrl);
        } catch (JoseException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed parsing issuer from top level config", e);
        }
    }

    JWTIssuerConfig getPrimaryIssuer() {
        if (this.issuerConfigs.size() == 0) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "No issuers configured");
        }
        return this.issuerConfigs.get(0);
    }

    List<JWTIssuerConfig> parseIssuers(Map<String, Object> map) {
        ArrayList arrayList = new ArrayList();
        try {
            List list = (List) map.get(PARAM_ISSUERS);
            if (list != null) {
                list.forEach(map2 -> {
                    JWTIssuerConfig jWTIssuerConfig = new JWTIssuerConfig((Map<String, Object>) map2);
                    jWTIssuerConfig.setTrustedCerts(this.trustedSslCerts);
                    jWTIssuerConfig.init();
                    arrayList.add(jWTIssuerConfig);
                    if (log.isDebugEnabled()) {
                        log.debug("Found issuer with name {} and issuerId {}", jWTIssuerConfig.getName(), jWTIssuerConfig.getIss());
                    }
                });
            }
            return arrayList;
        } catch (ClassCastException e) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Parameter issuers has wrong format.", e);
        }
    }

    public boolean doAuthenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws Exception {
        String header = httpServletRequest.getHeader("Authorization");
        if (this.jwtConsumer == null) {
            if (header == null && !this.blockUnknown) {
                log.info("JWTAuth not configured, but allowing anonymous access since {}==false", PARAM_BLOCK_UNKNOWN);
                this.numPassThrough.inc();
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return true;
            }
            if (this.lastInitTime.plusSeconds(RETRY_INIT_DELAY_SECONDS).isAfter(Instant.now())) {
                log.info("Retrying JWTAuthPlugin initialization (retry delay={}s)", Long.valueOf(RETRY_INIT_DELAY_SECONDS));
                init(this.pluginConfig);
            }
            if (this.jwtConsumer == null) {
                log.warn("JWTAuth not configured");
                this.numErrors.mark();
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "JWTAuth plugin not correctly configured");
            }
        }
        JWTAuthenticationResponse authenticate = authenticate(header);
        String message = authenticate.getJwtException() != null ? authenticate.getJwtException().getMessage() : "";
        if (JWTAuthenticationResponse.AuthCode.SIGNATURE_INVALID.equals(authenticate.getAuthCode())) {
            try {
                String issuer = this.jwtConsumer.processToClaims(parseAuthorizationHeader(header)).getIssuer();
                if (issuer != null) {
                    Optional<JWTIssuerConfig> findFirst = this.issuerConfigs.stream().filter(jWTIssuerConfig -> {
                        return issuer.equals(jWTIssuerConfig.getIss());
                    }).findFirst();
                    if (findFirst.isPresent() && findFirst.get().usesHttpsJwk()) {
                        log.info("Signature validation failed for issuer {}. Refreshing JWKs from IdP before trying again: {}", issuer, message);
                        Iterator<HttpsJwks> it = findFirst.get().getHttpsJwks().iterator();
                        while (it.hasNext()) {
                            it.next().refresh();
                        }
                        authenticate = authenticate(header);
                        message = authenticate.getJwtException() != null ? authenticate.getJwtException().getMessage() : "";
                    }
                }
            } catch (InvalidJwtException e) {
            }
        }
        switch (authenticate.getAuthCode()) {
            case AUTHENTICATED:
                Principal principal = authenticate.getPrincipal();
                HttpServletRequest wrapWithPrincipal = wrapWithPrincipal(httpServletRequest, principal);
                if (!(principal instanceof JWTPrincipal)) {
                    this.numErrors.mark();
                    throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "JWTAuth plugin says AUTHENTICATED but no token extracted");
                }
                if (log.isDebugEnabled()) {
                    log.debug("Authentication SUCCESS");
                }
                this.numAuthenticated.inc();
                filterChain.doFilter(wrapWithPrincipal, httpServletResponse);
                return true;
            case PASS_THROUGH:
                if (log.isDebugEnabled()) {
                    log.debug("Unknown user, but allow due to {}=false", PARAM_BLOCK_UNKNOWN);
                }
                this.numPassThrough.inc();
                httpServletRequest.setAttribute(AuthenticationPlugin.class.getName(), getPromptHeaders(null, null));
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return true;
            case AUTZ_HEADER_PROBLEM:
            case JWT_PARSE_ERROR:
                log.warn("Authentication failed. {}, {}", authenticate.getAuthCode(), authenticate.getAuthCode().getMsg());
                this.numErrors.mark();
                authenticationFailure(httpServletResponse, authenticate.getAuthCode().getMsg(), 400, BearerWwwAuthErrorCode.invalid_request);
                return false;
            case CLAIM_MISMATCH:
            case JWT_EXPIRED:
            case JWT_VALIDATION_EXCEPTION:
            case PRINCIPAL_MISSING:
                log.warn("Authentication failed. {}, {}", authenticate.getAuthCode(), message);
                this.numWrongCredentials.inc();
                authenticationFailure(httpServletResponse, authenticate.getAuthCode().getMsg(), 401, BearerWwwAuthErrorCode.invalid_token);
                return false;
            case SIGNATURE_INVALID:
                log.warn("Signature validation failed: {}", message);
                this.numWrongCredentials.inc();
                authenticationFailure(httpServletResponse, authenticate.getAuthCode().getMsg(), 401, BearerWwwAuthErrorCode.invalid_token);
                return false;
            case SCOPE_MISSING:
                this.numWrongCredentials.inc();
                authenticationFailure(httpServletResponse, authenticate.getAuthCode().getMsg(), 401, BearerWwwAuthErrorCode.insufficient_scope);
                return false;
            case NO_AUTZ_HEADER:
            default:
                this.numMissingCredentials.inc();
                authenticationFailure(httpServletResponse, authenticate.getAuthCode().getMsg(), 401, null);
                return false;
        }
    }

    protected JWTAuthenticationResponse authenticate(String str) {
        if (str == null) {
            if (this.blockUnknown) {
                return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.NO_AUTZ_HEADER, "Missing Authorization header");
            }
            log.debug("No user authenticated, but blockUnknown=false, so letting request through");
            return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.PASS_THROUGH);
        }
        String parseAuthorizationHeader = parseAuthorizationHeader(str);
        try {
            if (parseAuthorizationHeader == null) {
                return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.AUTZ_HEADER_PROBLEM, "Authorization header is not in correct format");
            }
            try {
                try {
                    JwtClaims processToClaims = this.jwtConsumer.processToClaims(parseAuthorizationHeader);
                    String stringClaimValue = processToClaims.getStringClaimValue(this.principalClaim);
                    if (stringClaimValue == null || stringClaimValue.isEmpty()) {
                        return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.PRINCIPAL_MISSING, "Cannot identify principal from JWT. Required claim " + this.principalClaim + " missing. Cannot authenticate");
                    }
                    if (this.claimsMatchCompiled != null) {
                        for (Map.Entry<String, Pattern> entry : this.claimsMatchCompiled.entrySet()) {
                            String key = entry.getKey();
                            if (!processToClaims.hasClaim(key)) {
                                return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.CLAIM_MISMATCH, "Claim " + key + " is required but does not exist in JWT");
                            }
                            if (!entry.getValue().matcher(processToClaims.getStringClaimValue(key)).matches()) {
                                return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.CLAIM_MISMATCH, "Claim " + key + "=" + processToClaims.getStringClaimValue(key) + " does not match required regular expression " + entry.getValue().pattern());
                            }
                        }
                    }
                    if (!this.requiredScopes.isEmpty() && !processToClaims.hasClaim("scope")) {
                        return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.CLAIM_MISMATCH, "Claim scope is required but does not exist in JWT");
                    }
                    Set emptySet = Collections.emptySet();
                    Object claimValue = processToClaims.getClaimValue("scope");
                    if (claimValue != null) {
                        if (claimValue instanceof String) {
                            emptySet = new HashSet(Arrays.asList(((String) claimValue).split("\\s+")));
                        } else if (claimValue instanceof List) {
                            emptySet = new HashSet(processToClaims.getStringListClaimValue("scope"));
                        }
                        if (!this.requiredScopes.isEmpty()) {
                            Stream stream = emptySet.stream();
                            List<String> list = this.requiredScopes;
                            Objects.requireNonNull(list);
                            if (stream.noneMatch((v1) -> {
                                return r1.contains(v1);
                            })) {
                                return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.SCOPE_MISSING, "Claim scope does not contain any of the required scopes: " + this.requiredScopes);
                            }
                        }
                    }
                    HashSet hashSet = new HashSet();
                    if (this.rolesClaim == null) {
                        hashSet.addAll(emptySet);
                        hashSet.remove("openid");
                    } else {
                        Object claimValue2 = processToClaims.getClaimValue(this.rolesClaim);
                        if (claimValue2 == null && this.rolesClaim.indexOf(46) > 0) {
                            String[] split = this.rolesClaim.split("\\.");
                            claimValue2 = processToClaims.getClaimValue(split[0]);
                            for (int i = 1; i < split.length; i++) {
                                if (claimValue2 instanceof Map) {
                                    claimValue2 = ((Map) claimValue2).get(split[i]);
                                }
                            }
                        }
                        if (claimValue2 != null) {
                            if (claimValue2 instanceof String) {
                                hashSet.addAll(Arrays.asList(((String) claimValue2).split("\\s+")));
                            } else {
                                if (!(claimValue2 instanceof List)) {
                                    throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, String.format(Locale.ROOT, "Could not parse roles from JWT claim %s; got %s", this.rolesClaim, claimValue2.getClass().getSimpleName()));
                                }
                                ((List) claimValue2).forEach(obj -> {
                                    if (!(obj instanceof String)) {
                                        throw new SolrException(SolrException.ErrorCode.BAD_REQUEST, String.format(Locale.ROOT, "Could not parse roles from JWT claim %s; expected array of strings, got array with a value of type %s", this.rolesClaim, obj.getClass().getSimpleName()));
                                    }
                                    hashSet.add((String) obj);
                                });
                            }
                        }
                    }
                    return hashSet.size() > 0 ? new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.AUTHENTICATED, new JWTPrincipalWithUserRoles(stringClaimValue, parseAuthorizationHeader, processToClaims.getClaimsMap(), hashSet)) : new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.AUTHENTICATED, new JWTPrincipal(stringClaimValue, parseAuthorizationHeader, processToClaims.getClaimsMap()));
                } catch (InvalidJwtSignatureException e) {
                    return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.SIGNATURE_INVALID, (InvalidJwtException) e);
                }
            } catch (InvalidJwtException e2) {
                return e2.hasExpired() ? new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.JWT_EXPIRED, "Authentication failed due to expired JWT token. Expired at " + e2.getJwtContext().getJwtClaims().getExpirationTime()) : (e2.getCause() != null && (e2.getCause() instanceof JoseException) && e2.getCause().getMessage().contains("Invalid JOSE Compact Serialization")) ? new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.JWT_PARSE_ERROR, e2.getCause().getMessage()) : new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.JWT_VALIDATION_EXCEPTION, e2);
            }
        } catch (MalformedClaimException e3) {
            return new JWTAuthenticationResponse(JWTAuthenticationResponse.AuthCode.JWT_PARSE_ERROR, "Malformed claim, error was: " + e3.getMessage());
        }
    }

    private String parseAuthorizationHeader(String str) {
        StringTokenizer stringTokenizer = new StringTokenizer(str);
        if (stringTokenizer.hasMoreTokens() && stringTokenizer.nextToken().equalsIgnoreCase("Bearer") && stringTokenizer.hasMoreTokens()) {
            return stringTokenizer.nextToken();
        }
        return null;
    }

    private void initConsumer() {
        JwtConsumerBuilder allowedClockSkewInSeconds = new JwtConsumerBuilder().setAllowedClockSkewInSeconds(30);
        String[] strArr = (String[]) this.issuerConfigs.stream().map((v0) -> {
            return v0.getIss();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toArray(i -> {
            return new String[i];
        });
        if (strArr.length > 0) {
            allowedClockSkewInSeconds.setExpectedIssuers(this.requireIssuer, strArr);
        }
        String[] strArr2 = (String[]) this.issuerConfigs.stream().map((v0) -> {
            return v0.getAud();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toArray(i2 -> {
            return new String[i2];
        });
        if (strArr2.length > 0) {
            allowedClockSkewInSeconds.setExpectedAudience(strArr2);
        } else {
            allowedClockSkewInSeconds.setSkipDefaultAudienceValidation();
        }
        if (this.requireExpirationTime) {
            allowedClockSkewInSeconds.setRequireExpirationTime();
        }
        if (this.algAllowlist != null) {
            allowedClockSkewInSeconds.setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, (String[]) this.algAllowlist.toArray(new String[0])));
        }
        allowedClockSkewInSeconds.setVerificationKeyResolver(this.verificationKeyResolver);
        this.jwtConsumer = allowedClockSkewInSeconds.build();
    }

    public void close() {
        this.jwtConsumer = null;
    }

    public ValidatingJsonMap getSpec() {
        return ((Api) AnnotatedApi.getApis(new ModifyJWTAuthPluginConfigAPI()).get(0)).getSpec();
    }

    public Map<String, Object> edit(Map<String, Object> map, List<CommandOperation> list) {
        for (CommandOperation commandOperation : list) {
            if (commandOperation.name.equals("set-property")) {
                for (Map.Entry entry : commandOperation.getDataMap().entrySet()) {
                    if (PROPS.contains(entry.getKey())) {
                        map.put((String) entry.getKey(), entry.getValue());
                        return map;
                    }
                    commandOperation.addError("Unknown property " + ((String) entry.getKey()));
                }
            }
        }
        if (CommandOperation.captureErrors(list).isEmpty()) {
            return map;
        }
        return null;
    }

    private void authenticationFailure(HttpServletResponse httpServletResponse, String str, int i, BearerWwwAuthErrorCode bearerWwwAuthErrorCode) throws IOException {
        Map<String, String> promptHeaders = getPromptHeaders(bearerWwwAuthErrorCode, str);
        Objects.requireNonNull(httpServletResponse);
        promptHeaders.forEach(httpServletResponse::setHeader);
        httpServletResponse.sendError(i, str);
        log.info("JWT Authentication attempt failed: {}", str);
    }

    private Map<String, String> getPromptHeaders(BearerWwwAuthErrorCode bearerWwwAuthErrorCode, String str) {
        HashMap hashMap = new HashMap();
        ArrayList arrayList = new ArrayList();
        arrayList.add("Bearer realm=\"" + this.realm + "\"");
        if (bearerWwwAuthErrorCode != null) {
            arrayList.add("error=\"" + bearerWwwAuthErrorCode + "\"");
            arrayList.add("error_description=\"" + str + "\"");
        }
        hashMap.put("WWW-Authenticate", String.join(", ", arrayList));
        hashMap.put("X-Solr-AuthData", generateAuthDataHeader());
        return hashMap;
    }

    protected String generateAuthDataHeader() {
        JWTIssuerConfig primaryIssuer = getPrimaryIssuer();
        HashMap hashMap = new HashMap();
        hashMap.put("authorizationEndpoint", primaryIssuer.getAuthorizationEndpoint());
        hashMap.put("client_id", primaryIssuer.getClientId());
        hashMap.put("scope", this.adminUiScope);
        hashMap.put("redirect_uris", this.redirectUris);
        return Base64.getEncoder().encodeToString(Utils.toJSONString(hashMap).getBytes(StandardCharsets.UTF_8));
    }

    protected boolean interceptInternodeRequest(HttpRequest httpRequest, HttpContext httpContext) {
        if (!(httpContext instanceof HttpClientContext)) {
            return false;
        }
        HttpClientContext httpClientContext = (HttpClientContext) httpContext;
        if (!(httpClientContext.getUserToken() instanceof JWTPrincipal)) {
            return false;
        }
        httpRequest.setHeader("Authorization", "Bearer " + ((JWTPrincipal) httpClientContext.getUserToken()).getToken());
        return true;
    }

    protected boolean interceptInternodeRequest(Request request) {
        Object obj = request.getAttributes().get("solr-req-principal");
        if (!(obj instanceof JWTPrincipal)) {
            return false;
        }
        request.header("Authorization", "Bearer " + ((JWTPrincipal) obj).getToken());
        return true;
    }

    public List<JWTIssuerConfig> getIssuerConfigs() {
        return this.issuerConfigs;
    }

    public JWTIssuerConfig getIssuerConfigByName(String str) {
        return this.issuerConfigs.stream().filter(jWTIssuerConfig -> {
            return str.equals(jWTIssuerConfig.getName());
        }).findAny().orElse(null);
    }
}
