package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.auth.Secret;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.TreeSet;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;
import org.elasticsearch.xpack.security.authc.support.ClaimParser;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm.class */
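/**
 * Realm that authenticates requests carrying a JWT in a {@code Bearer} header, optionally
 * accompanied by a shared-secret client header ({@code X-Client-Authorization}).
 *
 * <p>This listing is decompiler output (see the "loaded from" / "JADX INFO" markers). Raw casts,
 * {@code (Object) null} arguments and the {@code $assertionsDisabled} fields are decompiler
 * renderings of generics and {@code assert} statements and are left as found.
 *
 * <p>Security notes for reviewers, all based on what is visible in this class:
 * <ul>
 *   <li>{@link #authenticate} checks issuer, audience, the signature-algorithm allow-list, the
 *       client shared secret and the principal claim. No line in this class verifies the JWT
 *       signature or any time-based claim; {@code hmacSecretKey}, {@code jwkSetPathUrl},
 *       {@code jwkSetPathObj} and {@code allowedClientSkew} are assigned in the constructor and
 *       never read again here. Unless {@code JwtAuthenticationToken} (not shown) verifies the
 *       token, it is accepted unverified. TODO confirm before relying on this realm.</li>
 *   <li>{@code cachedAuthenticationSuccesses} and {@code hasher} are created but nothing in this
 *       class populates or consults the cache; only invalidation and size reporting use it.</li>
 *   <li>Several failure messages and debug/trace log lines include the full claims map, the
 *       allowed issuer, audiences and algorithms. Whether the failure message reaches the client
 *       is not visible here; treat these logs as containing token-derived personal data.</li>
 * </ul>
 */
public class JwtRealm extends Realm implements CachingRealm, Releasable {
    private static final Logger LOGGER;
    // Collaborators handed in by the constructor. threadPool, sslService and
    // resourceWatcherService are stored but not used anywhere else in this listing.
    private final ThreadPool threadPool;
    private final SSLService sslService;
    private final UserRoleMapper userRoleMapper;
    private final ResourceWatcherService resourceWatcherService;
    // Exact-match issuer ("iss") accepted by authenticate().
    private final String allowedIssuer;
    // Allow-list of JWS algorithm names; checked against the token header in authenticate().
    private final List<String> allowedSignatureAlgorithms;
    // Read from ALLOWED_CLOCK_SKEW; not referenced again in this listing.
    private final TimeValue allowedClientSkew;
    // Raw JWKSET_PATH setting value (HTTPS URL or file path relative to the config directory).
    private final String jwkSetPath;
    // Issuer HMAC key; only used for settings validation in this listing.
    private final SecureString hmacSecretKey;
    // A token is accepted when at least one of these appears in its audience claim.
    private final List<String> allowedAudiences;
    // When true, the full claims map becomes the User metadata.
    private final Boolean populateUserMetadata;
    private final ClaimParser principalAttribute;
    private final ClaimParser groupsAttribute;
    // "SharedSecret" or "None" (any other value is handled like "None" by the switches below).
    private final String clientAuthorizationType;
    private final SecureString clientAuthorizationSharedSecret;
    private final TimeValue cacheTtl;
    private final Integer cacheMaxUsers;
    // HTTP client tuning values; stored but not used anywhere else in this listing.
    private final TimeValue httpConnectTimeout;
    private final TimeValue httpConnectionReadTimeout;
    private final TimeValue httpSocketTimeout;
    private final Integer httpMaxConnections;
    private final Integer httpMaxEndpointConnections;
    // Exactly one of these is non-null when jwkSetPath is set (see validateJwkSetPathSetting).
    private final URL jwkSetPathUrl;
    private final Path jwkSetPathObj;
    // Null when cacheTtl is zero or negative, i.e. caching disabled.
    private final Cache<String, ListenableFuture<CachedAuthenticationSuccess>> cachedAuthenticationSuccesses;
    private final Hasher hasher;
    // Set once by initialize(); null means "not initialized" (see ensureInitialized()).
    private DelegatedAuthorizationSupport delegatedAuthorizationSupport;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm$CachedAuthenticationSuccess.class */
    /**
     * Cache entry pairing a cache key with a successful authentication result.
     * The constructor's checks only run when assertions are enabled.
     */
    public static class CachedAuthenticationSuccess {
        private final String cacheKey;
        private final AuthenticationResult<User> authenticationResult;
        static final /* synthetic */ boolean $assertionsDisabled;

        private CachedAuthenticationSuccess(@Nullable String str, AuthenticationResult<User> authenticationResult) {
            if (!$assertionsDisabled && str == null) {
                throw new AssertionError("Cache key must be non-null");
            }
            if (!$assertionsDisabled && authenticationResult == null) {
                throw new AssertionError("AuthenticationResult must be non-null");
            }
            if (!$assertionsDisabled && !authenticationResult.isAuthenticated()) {
                throw new AssertionError("AuthenticationResult.isAuthenticated must be true");
            }
            if (!$assertionsDisabled && authenticationResult.getValue() == null) {
                throw new AssertionError("AuthenticationResult.getValue=User must be non-null");
            }
            this.cacheKey = str;
            this.authenticationResult = authenticationResult;
        }

        /**
         * Returns whether the presented value equals this entry's cache key.
         *
         * <p>The comparison goes through {@code SecureString.equals}, which accepts any
         * {@code CharSequence} and compares without short-circuiting on the first mismatch.
         * The previous form copied the presented value into an immutable {@code String}
         * (which cannot be wiped) and used {@code String.equals}, whose running time depends
         * on the position of the first differing character.
         *
         * @param secureString the presented value; must be non-null and not closed
         */
        private boolean verify(SecureString secureString) {
            return secureString.equals(this.cacheKey);
        }

        static {
            $assertionsDisabled = !JwtRealm.class.desiredAssertionStatus();
        }
    }

    /**
     * Reads all realm settings, builds the (optional) success cache and validates the
     * client-authorization, JWK set path and issuer credential settings.
     *
     * @throws SettingsException if any of the three validations fails
     */
    public JwtRealm(RealmConfig realmConfig, ThreadPool threadPool, SSLService sSLService, UserRoleMapper userRoleMapper, ResourceWatcherService resourceWatcherService) {
        super(realmConfig);
        this.threadPool = threadPool;
        this.sslService = sSLService;
        this.userRoleMapper = userRoleMapper;
        this.resourceWatcherService = resourceWatcherService;
        this.allowedIssuer = (String) realmConfig.getSetting(JwtRealmSettings.ALLOWED_ISSUER);
        this.allowedSignatureAlgorithms = (List) realmConfig.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS);
        this.allowedClientSkew = (TimeValue) realmConfig.getSetting(JwtRealmSettings.ALLOWED_CLOCK_SKEW);
        this.jwkSetPath = (String) realmConfig.getSetting(JwtRealmSettings.JWKSET_PATH);
        this.hmacSecretKey = (SecureString) realmConfig.getSetting(JwtRealmSettings.ISSUER_HMAC_SECRET_KEY);
        this.allowedAudiences = (List) realmConfig.getSetting(JwtRealmSettings.ALLOWED_AUDIENCES);
        // Principal claim parser is created with "required = true", groups with "false".
        this.principalAttribute = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_PRINCIPAL, realmConfig, true);
        this.groupsAttribute = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_GROUPS, realmConfig, false);
        this.populateUserMetadata = (Boolean) realmConfig.getSetting(JwtRealmSettings.POPULATE_USER_METADATA);
        this.clientAuthorizationType = (String) realmConfig.getSetting(JwtRealmSettings.CLIENT_AUTHORIZATION_TYPE);
        this.clientAuthorizationSharedSecret = (SecureString) realmConfig.getSetting(JwtRealmSettings.CLIENT_AUTHORIZATION_SHARED_SECRET);
        this.cacheTtl = (TimeValue) realmConfig.getSetting(JwtRealmSettings.CACHE_TTL);
        this.cacheMaxUsers = (Integer) realmConfig.getSetting(JwtRealmSettings.CACHE_MAX_USERS);
        String str = (String) realmConfig.getSetting(JwtRealmSettings.CACHE_HASH_ALGO);
        this.httpConnectTimeout = (TimeValue) realmConfig.getSetting(JwtRealmSettings.HTTP_CONNECT_TIMEOUT);
        this.httpConnectionReadTimeout = (TimeValue) realmConfig.getSetting(JwtRealmSettings.HTTP_CONNECTION_READ_TIMEOUT);
        this.httpSocketTimeout = (TimeValue) realmConfig.getSetting(JwtRealmSettings.HTTP_SOCKET_TIMEOUT);
        this.httpMaxConnections = (Integer) realmConfig.getSetting(JwtRealmSettings.HTTP_MAX_CONNECTIONS);
        this.httpMaxEndpointConnections = (Integer) realmConfig.getSetting(JwtRealmSettings.HTTP_MAX_ENDPOINT_CONNECTIONS);
        // A non-positive TTL disables the cache entirely.
        if (this.cacheTtl.getNanos() > 0) {
            this.cachedAuthenticationSuccesses = CacheBuilder.builder().setExpireAfterWrite(this.cacheTtl).setMaximumWeight(this.cacheMaxUsers.intValue()).build();
        } else {
            this.cachedAuthenticationSuccesses = null;
        }
        this.hasher = Hasher.resolve(str);
        validateClientAuthorizationSettings(this.clientAuthorizationType, this.clientAuthorizationSharedSecret, ((Realm) this).config);
        Tuple<URL, Path> validateJwkSetPathSetting = validateJwkSetPathSetting(realmConfig, this.jwkSetPath);
        this.jwkSetPathUrl = validateJwkSetPathSetting == null ? null : (URL) validateJwkSetPathSetting.v1();
        this.jwkSetPathObj = validateJwkSetPathSetting == null ? null : (Path) validateJwkSetPathSetting.v2();
        validateIssuerCredentialSettings(((Realm) this).config, this.hmacSecretKey, this.jwkSetPath, this.allowedSignatureAlgorithms);
    }

    /**
     * Checks that the shared secret setting is present exactly when the client authorization
     * type is {@code SharedSecret}. Any type other than {@code SharedSecret} is treated like
     * {@code None}.
     *
     * @param str the client authorization type; must be non-null
     * @param secureString the configured shared secret, may be null or blank
     * @throws SettingsException if the secret is missing for {@code SharedSecret}, or present otherwise
     */
    public static void validateClientAuthorizationSettings(String str, SecureString secureString, RealmConfig realmConfig) throws SettingsException {
        // String switch restored from the decompiler's hashCode()/boolean two-step form.
        switch (str) {
            case "SharedSecret":
                if (!Strings.hasText(secureString)) {
                    throw new SettingsException("Missing setting for [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHORIZATION_SHARED_SECRET) + "]. It is required when setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHORIZATION_TYPE) + "] is [SharedSecret]");
                }
                return;
            case "None":
            default:
                if (Strings.hasText(secureString)) {
                    throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHORIZATION_SHARED_SECRET) + "] is not supported, because setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHORIZATION_TYPE) + "] is [None]");
                }
                return;
        }
    }

    /**
     * Checks that the configured issuer credentials and the allowed signature algorithms agree:
     * at least one of HMAC key / JWK set path must be set, an HMAC key requires (and is required
     * by) at least one secret-key algorithm, and a JWK set path requires (and is required by)
     * at least one public-key algorithm.
     *
     * @param secureString the issuer HMAC secret key, may be null or blank
     * @param str the JWK set path setting, may be null or blank
     * @param list the allowed signature algorithm names
     * @throws SettingsException on any inconsistency, or if the HMAC key is rejected by {@code Secret}
     */
    public static void validateIssuerCredentialSettings(RealmConfig realmConfig, SecureString secureString, String str, List<String> list) throws SettingsException {
        boolean hasText = Strings.hasText(secureString);
        boolean hasText2 = Strings.hasText(str);
        if (!hasText && !hasText2) {
            throw new SettingsException("At least one setting is required for [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ISSUER_HMAC_SECRET_KEY) + "] or [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "]");
        }
        if (hasText) {
            try {
                // Builds a Secret from the key as a validity check and zeroes the returned bytes.
                // NOTE(review): secureString.toString() leaves an immutable String copy of the
                // HMAC key on the heap that this code cannot wipe.
                Arrays.fill(new Secret(secureString.toString()).getValueBytes(), (byte) 0);
            } catch (Exception e) {
                throw new SettingsException("Validation failed for setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ISSUER_HMAC_SECRET_KEY) + "]", e);
            }
        }
        Stream<String> stream = list.stream();
        List list2 = JwtRealmSettings.SUPPORTED_SECRET_KEY_SIGNATURE_ALGORITHMS;
        Objects.requireNonNull(list2);
        // Bound method reference restored; the decompiler emitted a lambda over an undefined "r1".
        boolean anyMatch = stream.anyMatch(list2::contains);
        if (hasText && !anyMatch) {
            throw new SettingsException("Issuer HMAC Secret Key is configured in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ISSUER_HMAC_SECRET_KEY) + "], but no HMAC signature algorithms were found in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS) + "]");
        }
        if (anyMatch && !hasText) {
            // Fixed: the message previously named the JWK set path setting, sending the operator
            // to the wrong key when the HMAC secret is the one that is missing.
            throw new SettingsException("HMAC signature algorithms were found in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS) + "], but no Issuer HMAC Secret Key is configured in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ISSUER_HMAC_SECRET_KEY) + "]");
        }
        Stream<String> stream2 = list.stream();
        List list3 = JwtRealmSettings.SUPPORTED_PUBLIC_KEY_SIGNATURE_ALGORITHMS;
        Objects.requireNonNull(list3);
        boolean anyMatch2 = stream2.anyMatch(list3::contains);
        if (hasText2 && !anyMatch2) {
            throw new SettingsException("JWT Set Path is configured in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "], but no public key signature algorithms were found in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS) + "]");
        }
        if (anyMatch2 && !hasText2) {
            throw new SettingsException("Public key signature algorithms were found in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS) + "], but no JWT Set Path is configured in setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "]");
        }
    }

    /**
     * Interprets the JWK set path setting as either an HTTPS URL or a local file.
     *
     * <p>Only values starting with {@code https://} are parsed as a URL, so a plain
     * {@code http://} value is never treated as remote. Anything else, and any HTTPS value
     * that fails URL parsing, is resolved against the config directory and must be a readable,
     * non-blank UTF-8 file. The file contents are read only for this check and discarded.
     *
     * <p>NOTE(review): {@code resolve(str)} does not confine the result to the config directory;
     * an absolute path or one containing {@code ..} resolves outside it. The value comes from
     * realm settings, so this matters only if settings can be influenced by a less-trusted party.
     *
     * @return {@code null} if the setting is blank; otherwise a tuple with exactly one side set
     * @throws SettingsException if the value is neither a parsable HTTPS URL nor a usable file;
     *         both underlying failures are attached as suppressed exceptions
     */
    public static Tuple<URL, Path> validateJwkSetPathSetting(RealmConfig realmConfig, String str) {
        Exception exc;
        if (!Strings.hasText(str)) {
            return null;
        }
        if (str.startsWith("https://")) {
            try {
                return new Tuple<>(new URL(str), (Object) null);
            } catch (Exception e) {
                LOGGER.debug("HTTPS URL [" + str + "] parsing failed for setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "].", e);
                exc = e;
            }
        } else {
            exc = new Exception("Parse URL not attempted for [" + str + "] for setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "]. Only HTTPS URL or local file are supported.");
        }
        try {
            Path resolve = realmConfig.env().configFile().resolve(str);
            if (Strings.hasText(Files.readString(resolve, StandardCharsets.UTF_8))) {
                return new Tuple<>((Object) null, resolve);
            }
            throw new Exception("Empty file [" + str + "] for setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "].");
        } catch (Exception e2) {
            Exception exc2 = new Exception("Error loading local file [" + str + "] for setting [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH) + "].", e2);
            SettingsException settingsException = new SettingsException("Invalid value [" + str + "] for setting " + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.JWKSET_PATH));
            settingsException.addSuppressed(exc);
            settingsException.addSuppressed(exc2);
            throw settingsException;
        }
    }

    /**
     * Wires up delegated authorization. May be called once only.
     *
     * @throws IllegalStateException if the realm was already initialized
     */
    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        if (this.delegatedAuthorizationSupport != null) {
            throw new IllegalStateException("Realm has already been initialized");
        }
        this.delegatedAuthorizationSupport = new DelegatedAuthorizationSupport(iterable, ((Realm) this).config, xPackLicenseState);
    }

    /** Guards every public entry point: fails fast if {@link #initialize} has not run yet. */
    private void ensureInitialized() {
        if (this.delegatedAuthorizationSupport == null) {
            throw new IllegalStateException("Realm has not been initialized");
        }
    }

    /** Returns true only for {@code JwtAuthenticationToken} instances. */
    public boolean supports(AuthenticationToken authenticationToken) {
        ensureInitialized();
        return authenticationToken instanceof JwtAuthenticationToken;
    }

    /**
     * Extracts a JWT token from the request headers.
     *
     * <p>The bearer scheme is matched case-sensitively ({@code false}), the
     * {@code SharedSecret} scheme of {@code X-Client-Authorization} case-insensitively
     * ({@code true}). The first header name is the constant
     * {@code KerberosAuthenticationToken.AUTH_HEADER}; presumably the decompiler substituted
     * it for an identical "Authorization" literal - confirm against the original source.
     *
     * @return a token, or {@code null} when no usable bearer credential is present
     */
    public AuthenticationToken token(ThreadContext threadContext) {
        ensureInitialized();
        SecureString headerSchemeParameters = getHeaderSchemeParameters(threadContext, KerberosAuthenticationToken.AUTH_HEADER, "Bearer", false);
        if (headerSchemeParameters == null) {
            return null;
        }
        return new JwtAuthenticationToken(headerSchemeParameters, getHeaderSchemeParameters(threadContext, "X-Client-Authorization", "SharedSecret", true));
    }

    /**
     * Authenticates a JWT token and reports the outcome through the listener.
     *
     * <p>Checks run in this order, each failing with an unsuccessful result: token type,
     * issuer (exact match), audience (at least one allowed audience present), signature
     * algorithm (allow-list), client authorization (shared secret header), principal claim.
     * Roles then come from delegated authorization when configured, otherwise from the role
     * mapper.
     *
     * <p>NOTE(review): nothing in this method verifies the JWT signature or any time-based
     * claim, and a success is not written to the cache. The algorithm check only compares the
     * header's algorithm name with the allow-list. Unless {@code JwtAuthenticationToken}
     * (not shown) performs verification, claims are trusted as presented. TODO confirm.
     */
    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult<User>> actionListener) {
        ensureInitialized();
        if (!(authenticationToken instanceof JwtAuthenticationToken)) {
            Locale locale = Locale.ROOT;
            Object[] objArr = new Object[2];
            objArr[0] = super.name();
            objArr[1] = authenticationToken == null ? "null" : authenticationToken.getClass().getCanonicalName();
            String format = String.format(locale, "Realm [%s] does not support AuthenticationToken [%s].", objArr);
            LOGGER.trace(format);
            actionListener.onResponse(AuthenticationResult.unsuccessful(format, (Exception) null));
            return;
        }
        JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authenticationToken;
        String principal = jwtAuthenticationToken.principal();
        LOGGER.trace("Realm [{}] received JwtAuthenticationToken for tokenPrincipal [{}].", super.name(), principal);
        JWSHeader jwsHeader = jwtAuthenticationToken.getJwsHeader();
        JWTClaimsSet jwtClaimsSet = jwtAuthenticationToken.getJwtClaimsSet();
        String issuerClaim = jwtAuthenticationToken.getIssuerClaim();
        List<String> audiencesClaim = jwtAuthenticationToken.getAudiencesClaim();
        Map claims = jwtClaimsSet.getClaims();
        // Kept as a SecureString throughout: the previous code copied the presented secret into
        // an immutable String, which stays on the heap until garbage collected.
        SecureString clientAuthorizationSharedSecret = jwtAuthenticationToken.getClientAuthorizationSharedSecret();
        if (issuerClaim == null || !this.allowedIssuer.equals(issuerClaim)) {
            String format2 = String.format(Locale.ROOT, "Realm [%s] did not allow issuer [%s] for tokenPrincipal [%s]. Allowed issuer is [%s].", super.name(), issuerClaim, principal, this.allowedIssuer);
            LOGGER.debug(format2);
            actionListener.onResponse(AuthenticationResult.unsuccessful(format2, (Exception) null));
            return;
        }
        LOGGER.trace("Realm [{}] allowed issuer [{}] for tokenPrincipal [{}]. Allowed issuer is [{}].", super.name(), issuerClaim, principal, this.allowedIssuer);
        // A null or non-matching audience claim skips this whole branch and ends in the
        // "did not allow audiences" failure at the bottom of the method.
        if (audiencesClaim != null) {
            Stream<String> stream = this.allowedAudiences.stream();
            Objects.requireNonNull(audiencesClaim);
            if (stream.anyMatch(audiencesClaim::contains)) {
                LOGGER.trace("Realm [{}] allowed at least one audience [{}] for tokenPrincipal [{}]. Allowed audiences are [{}].", super.name(), String.join(",", audiencesClaim), principal, String.join(",", this.allowedAudiences));
                JWSAlgorithm algorithm = jwsHeader.getAlgorithm();
                if (algorithm == null || !this.allowedSignatureAlgorithms.contains(algorithm.getName())) {
                    String format3 = String.format(Locale.ROOT, "Realm [%s] did not allow signature algorithm [%s] for tokenPrincipal [%s]. Allowed signature algorithms are [%s].", super.name(), algorithm, principal, String.join(",", this.allowedSignatureAlgorithms));
                    LOGGER.debug(format3);
                    actionListener.onResponse(AuthenticationResult.unsuccessful(format3, (Exception) null));
                    return;
                }
                LOGGER.trace("Realm [{}] allowed signature algorithm [{}] for tokenPrincipal [{}]. Allowed signature algorithms are [{}].", super.name(), algorithm, principal, String.join(",", this.allowedSignatureAlgorithms));
                // String switch restored from the decompiler's hashCode()/boolean two-step form.
                switch (this.clientAuthorizationType) {
                    case "SharedSecret":
                        if (!Strings.hasText(clientAuthorizationSharedSecret)) {
                            String format4 = String.format(Locale.ROOT, "Realm [%s] client authentication [%s] failed for tokenPrincipal [%s] because request header is missing.", super.name(), this.clientAuthorizationType, principal);
                            LOGGER.debug(format4);
                            actionListener.onResponse(AuthenticationResult.unsuccessful(format4, (Exception) null));
                            return;
                        } else {
                            // SecureString.equals compares every character instead of stopping
                            // at the first mismatch, so response timing does not reveal how much
                            // of a guessed secret was correct. String.equals did not give that.
                            if (!this.clientAuthorizationSharedSecret.equals(clientAuthorizationSharedSecret)) {
                                String format5 = String.format(Locale.ROOT, "Realm [%s] client authentication [%s] failed for tokenPrincipal [%s] because request header did not match.", super.name(), this.clientAuthorizationType, principal);
                                LOGGER.debug(format5);
                                actionListener.onResponse(AuthenticationResult.unsuccessful(format5, (Exception) null));
                                return;
                            }
                            LOGGER.trace("Realm [{}] client authentication [{}] succeeded for tokenPrincipal [{}] because request header matched.", super.name(), this.clientAuthorizationType, principal);
                            break;
                        }
                    case "None":
                    default:
                        // With client authorization off, a presented secret is rejected rather
                        // than ignored.
                        if (!Strings.hasText(clientAuthorizationSharedSecret)) {
                            LOGGER.trace("Realm [{}] client authentication [{}] succeeded for tokenPrincipal [{}] because request header is not present.", super.name(), this.clientAuthorizationType, principal);
                            break;
                        } else {
                            String format6 = String.format(Locale.ROOT, "Realm [%s] client authentication [%s] failed for tokenPrincipal [%s] because request header is present.", super.name(), this.clientAuthorizationType, principal);
                            LOGGER.debug(format6);
                            actionListener.onResponse(AuthenticationResult.unsuccessful(format6, (Exception) null));
                            return;
                        }
                }
                String claimValue = this.principalAttribute.getClaimValue(jwtClaimsSet);
                // NOTE(review): this message embeds the full claims map and is both logged and
                // returned in the unsuccessful result when the principal claim is missing.
                // Whether that result message is shown to the caller is not visible here.
                String format7 = String.format(Locale.ROOT, "Realm [%s] got principal claim [%s] using parser [%s]. JWTClaimsSet is %s.", super.name(), claimValue, this.principalAttribute.getName(), claims);
                if (claimValue == null) {
                    LOGGER.debug(format7);
                    actionListener.onResponse(AuthenticationResult.unsuccessful(format7, (Exception) null));
                    return;
                }
                LOGGER.trace(format7);
                List<String> claimValues = this.groupsAttribute.getClaimValues(jwtClaimsSet);
                Logger logger = LOGGER;
                Locale locale2 = Locale.ROOT;
                Object[] objArr2 = new Object[5];
                objArr2[0] = super.name();
                objArr2[1] = claimValue;
                objArr2[2] = claimValues == null ? "null" : String.join(",", claimValues);
                objArr2[3] = this.groupsAttribute.getName() == null ? "null" : this.groupsAttribute.getName();
                objArr2[4] = claims;
                logger.trace(String.format(locale2, "Realm [%s] principal [%s] got groups [%s] using parser [%s]. JWTClaimsSet is %s.", objArr2));
                // str2, str3 and str4 are always null in this listing; they are passed on to
                // the log line and the User constructor below.
                String str2 = null;
                String str3 = null;
                String str4 = null;
                // All claims become user metadata when populateUserMetadata is true.
                Map of = this.populateUserMetadata.booleanValue() ? claims : Map.of();
                LOGGER.trace(String.format(Locale.ROOT, "Realm [%s] principal [%s] populateUserMetadata [%s] got metadata [%s] from JWTClaimsSet.", super.name(), claimValue, this.populateUserMetadata, of));
                if (!this.delegatedAuthorizationSupport.hasDelegation()) {
                    // No delegation: roles come from the role mapper, fed with the principal,
                    // the groups claim and the metadata taken from the token.
                    this.userRoleMapper.resolveRoles(new UserRoleMapper.UserData(claimValue, (String) null, claimValues, of, ((Realm) this).config), ActionListener.wrap(set -> {
                        if (!$assertionsDisabled && set == null) {
                            throw new AssertionError("JWT role mapping should return non-null set of roles.");
                        }
                        // TreeSet gives the role array a stable, sorted order.
                        String[] strArr = (String[]) new TreeSet(set).toArray(new String[set.size()]);
                        Logger logger2 = LOGGER;
                        Locale locale3 = Locale.ROOT;
                        Object[] objArr3 = new Object[6];
                        objArr3[0] = super.name();
                        objArr3[1] = claimValue;
                        objArr3[2] = str2;
                        objArr3[3] = claimValues == null ? "null" : String.join(",", claimValues);
                        objArr3[4] = of;
                        objArr3[5] = Arrays.toString(strArr);
                        logger2.debug(String.format(locale3, "Realm [%s] principal [%s] dn [%s] groups [%s] metadata [%s] got mapped roles [%s].", objArr3));
                        actionListener.onResponse(AuthenticationResult.success(new User(claimValue, strArr, str3, str4, of, true)));
                    }, exc -> {
                        Logger logger2 = LOGGER;
                        Locale locale3 = Locale.ROOT;
                        Object[] objArr3 = new Object[5];
                        objArr3[0] = super.name();
                        objArr3[1] = claimValue;
                        objArr3[2] = str2;
                        objArr3[3] = claimValues == null ? "null" : String.join(",", claimValues);
                        objArr3[4] = of;
                        logger2.debug(String.format(locale3, "Realm [%s] principal [%s] dn [%s] groups [%s] metadata [%s] failed to get mapped roles.", objArr3), exc);
                        actionListener.onFailure(exc);
                    }));
                    return;
                } else {
                    // Delegation: the principal claim alone is handed to the delegated realms;
                    // the result they return is forwarded unchanged.
                    String delegatedAuthorizationSupport = this.delegatedAuthorizationSupport.toString();
                    this.delegatedAuthorizationSupport.resolve(claimValue, ActionListener.wrap(authenticationResult -> {
                        if (!$assertionsDisabled && authenticationResult == null) {
                            throw new AssertionError("JWT delegated authz should return a non-null AuthenticationResult<User>");
                        }
                        User user = (User) authenticationResult.getValue();
                        if (!$assertionsDisabled && user == null) {
                            throw new AssertionError("JWT delegated authz should return a non-null User");
                        }
                        String[] roles = user.roles();
                        if (!$assertionsDisabled && roles == null) {
                            throw new AssertionError("JWT delegated authz should return non-null Roles");
                        }
                        LOGGER.debug(String.format(Locale.ROOT, "Realm [%s] principal [%s] got lookup roles [%s] via delegated authorization [%s]", super.name(), claimValue, Arrays.toString(roles), delegatedAuthorizationSupport));
                        actionListener.onResponse(authenticationResult);
                    }, exc2 -> {
                        LOGGER.debug(String.format(Locale.ROOT, "Realm [%s] principal [%s] failed to get lookup roles via delegated authorization [%s]", super.name(), claimValue, delegatedAuthorizationSupport), exc2);
                        actionListener.onFailure(exc2);
                    }));
                    return;
                }
            }
        }
        // Reached only when the audience claim is null or shares no entry with allowedAudiences.
        Locale locale3 = Locale.ROOT;
        Object[] objArr3 = new Object[4];
        objArr3[0] = super.name();
        objArr3[1] = audiencesClaim == null ? "null" : String.join(",", audiencesClaim);
        objArr3[2] = principal;
        objArr3[3] = String.join(",", this.allowedAudiences);
        String format8 = String.format(locale3, "Realm [%s] did not allow audiences [%s] for tokenPrincipal [%s]. Allowed audiences are [%s].", objArr3);
        LOGGER.debug(format8);
        actionListener.onResponse(AuthenticationResult.unsuccessful(format8, (Exception) null));
    }

    /**
     * Invalidates the cache entry stored under the given key, if caching is enabled.
     * The argument is used directly as the cache key; what the keys are is not visible here,
     * because nothing in this class populates the cache.
     */
    public void expire(String str) {
        ensureInitialized();
        if (this.cachedAuthenticationSuccesses != null) {
            LOGGER.trace("invalidating cache for user [{}] in realm [{}]", str, name());
            this.cachedAuthenticationSuccesses.invalidate(str);
        }
    }

    /** Invalidates every cache entry, if caching is enabled. */
    public void expireAll() {
        ensureInitialized();
        if (this.cachedAuthenticationSuccesses != null) {
            LOGGER.trace("invalidating cache for all users in realm [{}]", name());
            this.cachedAuthenticationSuccesses.invalidateAll();
        }
    }

    /**
     * Clears the cache on shutdown.
     *
     * @throws IllegalStateException if called before {@link #initialize}
     */
    public void close() {
        ensureInitialized();
        expireAll();
    }

    /** User lookup is not supported: always responds with {@code null}. */
    public void lookupUser(String str, ActionListener<User> actionListener) {
        ensureInitialized();
        actionListener.onResponse((Object) null);
    }

    /** Adds {@code cache.size} to the base usage stats; the size is -1 when caching is disabled. */
    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        ensureInitialized();
        CheckedConsumer checkedConsumer = map -> {
            map.put("cache", Collections.singletonMap("size", Integer.valueOf(getCacheSize())));
            actionListener.onResponse(map);
        };
        Objects.requireNonNull(actionListener);
        super.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    /** Returns the number of cached entries, or -1 when caching is disabled. */
    private int getCacheSize() {
        ensureInitialized();
        if (this.cachedAuthenticationSuccesses == null) {
            return -1;
        }
        return this.cachedAuthenticationSuccesses.count();
    }

    /**
     * Returns the credential part of a {@code "<scheme> <value>"} request header.
     *
     * <p>The returned {@code SecureString} wraps a fresh char array, but the header value and
     * the trimmed substring remain ordinary {@code String}s on the heap.
     *
     * @param str the header name
     * @param str2 the expected scheme, matched at the start of the header followed by one space
     * @param z whether the scheme is matched ignoring case
     * @return the trimmed value after the scheme, or {@code null} if the header is missing,
     *         uses a different scheme, or carries no value
     */
    public static SecureString getHeaderSchemeParameters(ThreadContext threadContext, String str, String str2, boolean z) {
        String header = threadContext.getHeader(str);
        if (!Strings.hasText(header)) {
            return null;
        }
        String str3 = str2 + " ";
        if (!header.regionMatches(z, 0, str3, 0, str3.length())) {
            return null;
        }
        String trim = header.substring(str3.length()).trim();
        if (Strings.hasText(trim)) {
            return new SecureString(trim.toCharArray());
        }
        return null;
    }

    static {
        $assertionsDisabled = !JwtRealm.class.desiredAssertionStatus();
        LOGGER = LogManager.getLogger(JwtRealm.class);
    }
}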
