package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.TreeMap;
import java.util.TreeSet;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticationToken.class */
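/**
 * Authentication token wrapping a serialized signed JWT and an optional client shared secret,
 * together with the header, claims and signature parsed out of that JWT.
 *
 * <p><b>Security note:</b> this class only parses. Nothing here verifies the signature or checks
 * {@code exp}/{@code nbf}/{@code iat}, the issuer or the audiences against configuration. Every value
 * returned by the getters, including {@link #principal()}, is therefore unauthenticated input until
 * the caller has validated the JWT.
 *
 * <p>The principal has the form {@code iss/aud1,aud2/sub}. Audiences are sorted and de-duplicated.
 * When {@code sub} has no text, the last component is the {@code toString()} of the sorted claims
 * that remain after removing {@link #CLAIMS_TO_REMOVE}.
 * NOTE(review): the components are joined without escaping {@code '/'} or {@code ','}, so different
 * claim sets could map to the same string. Confirm that consumers only key on it after validation.
 */
public class JwtAuthenticationToken implements AuthenticationToken {
    /** Claims excluded from the fallback principal component used when {@code sub} has no text. */
    private static final List<String> CLAIMS_TO_REMOVE = List.of("iss", "aud", "exp", "iat", "nbf", "auth_time", "nonce", "jti");
    // Serialized JWT exactly as supplied by the caller; closed by clearCredentials().
    protected final SecureString endUserSignedJwt;
    // Optional client secret; null when the caller supplied none.
    protected final SecureString clientAuthorizationSharedSecret;
    protected SignedJWT signedJwt;
    protected JWSHeader jwsHeader;
    protected JWTClaimsSet jwtClaimsSet;
    // Decoded signature bytes; zero-filled and dropped by clearCredentials().
    protected byte[] jwtSignature;
    protected String issuerClaim;
    protected List<String> audiencesClaim;
    protected String subjectClaim;
    protected String principal;

    /**
     * Parses the serialized JWT and derives the principal from its (unverified) claims.
     *
     * @param secureString  serialized signed JWT; must be non-null and non-empty
     * @param secureString2 optional client shared secret; may be null, but must not be empty
     * @throws IllegalArgumentException if an argument is invalid, the JWT cannot be parsed, the
     *     issuer or audiences claim is missing, or {@code sub} is absent and no claims remain
     *     outside {@link #CLAIMS_TO_REMOVE}
     */
    public JwtAuthenticationToken(SecureString secureString, @Nullable SecureString secureString2) {
        if (secureString == null) {
            throw new IllegalArgumentException("JWT bearer token must be non-null");
        }
        if (secureString.isEmpty()) {
            throw new IllegalArgumentException("JWT bearer token must be non-empty");
        }
        if (secureString2 != null && secureString2.isEmpty()) {
            throw new IllegalArgumentException("Client shared secret must be non-empty");
        }
        this.endUserSignedJwt = secureString;
        this.clientAuthorizationSharedSecret = secureString2;
        try {
            // toString() makes a String copy of the token for the parser. clearCredentials() cannot
            // wipe that copy, so it stays on the heap until it is garbage-collected.
            final SignedJWT parsed = SignedJWT.parse(this.endUserSignedJwt.toString());
            this.signedJwt = parsed;
            this.jwsHeader = parsed.getHeader();
            this.jwtClaimsSet = parsed.getJWTClaimsSet();
            this.jwtSignature = parsed.getSignature().decode();
            final JWTClaimsSet claims = this.jwtClaimsSet;
            this.issuerClaim = claims.getIssuer();
            this.audiencesClaim = claims.getAudience();
            this.subjectClaim = claims.getSubject();
            if (!Strings.hasText(this.issuerClaim)) {
                throw new IllegalArgumentException("Issuer claim is missing.");
            }
            if (this.audiencesClaim == null || this.audiencesClaim.isEmpty()) {
                throw new IllegalArgumentException("Audiences claim is missing.");
            }
            this.principal = buildPrincipal(this.issuerClaim, this.audiencesClaim, this.subjectClaim, claims);
        } catch (ParseException e) {
            throw new IllegalArgumentException("Failed to parse JWT bearer token", e);
        }
    }

    /** Builds {@code iss/sorted-audiences/sub}, or uses the sorted remaining claims when {@code sub} has no text. */
    private static String buildPrincipal(String issuer, List<String> audiences, String subject, JWTClaimsSet claimsSet) {
        // TreeSet sorts and de-duplicates, so audience order in the token does not change the principal.
        final String sortedAudiences = String.join(",", new TreeSet<>(audiences));
        final String userPart;
        if (Strings.hasText(subject)) {
            userPart = subject;
        } else {
            // TreeMap gives a stable key order for the toString() rendering below.
            final TreeMap<String, Object> remaining = new TreeMap<>(claimsSet.getClaims());
            for (String claimName : CLAIMS_TO_REMOVE) {
                remaining.remove(claimName);
            }
            if (remaining.isEmpty()) {
                throw new IllegalArgumentException("Claim [sub] is absent, and no other claims found besides [" + String.join(",", CLAIMS_TO_REMOVE) + "].");
            }
            userPart = remaining.toString();
        }
        return issuer + "/" + sortedAudiences + "/" + userPart;
    }

    /** Returns the derived principal, or null after {@link #clearCredentials()}. Built from unverified claims. */
    public String principal() {
        return this.principal;
    }

    /* renamed from: credentials, reason: merged with bridge method [inline-methods] */
    /** Returns the serialized JWT as supplied to the constructor. */
    public SecureString m53credentials() {
        return this.endUserSignedJwt;
    }

    /** Returns the serialized JWT as supplied to the constructor. */
    public SecureString getEndUserSignedJwt() {
        return this.endUserSignedJwt;
    }

    /** Returns the client shared secret, or null if none was supplied. */
    public SecureString getClientAuthorizationSharedSecret() {
        return this.clientAuthorizationSharedSecret;
    }

    /** Returns the parsed JWT, which this class has not verified, or null after {@link #clearCredentials()}. */
    public SignedJWT getSignedJwt() {
        return this.signedJwt;
    }

    /** Returns the parsed JWS header, or null after {@link #clearCredentials()}. */
    public JWSHeader getJwsHeader() {
        return this.jwsHeader;
    }

    /** Returns the parsed claims set, or null after {@link #clearCredentials()}. */
    public JWTClaimsSet getJwtClaimsSet() {
        return this.jwtClaimsSet;
    }

    /**
     * Returns the decoded signature bytes, or null after {@link #clearCredentials()}.
     * This is the internal array, not a copy. {@link #clearCredentials()} zero-fills the same
     * array, so a caller that kept the reference will see zeros afterwards.
     */
    public byte[] getSignatureBytes() {
        return this.jwtSignature;
    }

    /** Returns the {@code iss} claim, or null after {@link #clearCredentials()}. */
    public String getIssuerClaim() {
        return this.issuerClaim;
    }

    /** Returns the {@code aud} claim values, or null after {@link #clearCredentials()}. */
    public List<String> getAudiencesClaim() {
        return this.audiencesClaim;
    }

    /** Returns the {@code sub} claim (may be null or blank), or null after {@link #clearCredentials()}. */
    public String getSubjectClaim() {
        return this.subjectClaim;
    }

    /**
     * Closes both secure strings, zero-fills the signature bytes and drops all parsed state.
     * The null check on the signature array means a second call skips that step instead of
     * throwing a {@link NullPointerException}.
     * NOTE(review): this assumes {@code SecureString.close()} is itself safe to call repeatedly. Confirm.
     */
    public void clearCredentials() {
        this.endUserSignedJwt.close();
        if (this.clientAuthorizationSharedSecret != null) {
            this.clientAuthorizationSharedSecret.close();
        }
        this.signedJwt = null;
        this.jwsHeader = null;
        this.jwtClaimsSet = null;
        if (this.jwtSignature != null) {
            Arrays.fill(this.jwtSignature, (byte) 0);
            this.jwtSignature = null;
        }
        this.issuerClaim = null;
        this.audiencesClaim = null;
        this.subjectClaim = null;
        this.principal = null;
    }
}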
