package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.jwk.JWK;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.PlainActionFuture;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwkSetLoader.class */
/**
 * Loads the public-key (PKC) JWK set for a JWT realm and keeps the most recently parsed result.
 *
 * <p>The location comes from {@code JwtRealmSettings.PKC_JWKSET_PATH}. When
 * {@code JwtUtil.parseHttpsUri} yields a URI the set is fetched with an async HTTP client;
 * otherwise the same setting value is read as a local file. The parsed result is published through
 * a {@code volatile} field, and concurrent reload requests share one in-flight future.
 *
 * <p>This listing is decompiler output: {@code extends Record}, the {@code ObjectMethods.bootstrap}
 * calls and {@code $assertionsDisabled} are the decompiler's rendering of record classes and
 * {@code assert} statements, not hand-written code.
 */
public class JwkSetLoader implements Releasable {
    private static final Logger logger;
    private final RealmConfig realmConfig;
    // Allow-list of algorithms passed to JwkValidateUtil.filterJwksAndAlgorithms; stored without a defensive copy.
    private final List<String> allowedJwksAlgsPkc;
    // Raw value of the PKC_JWKSET_PATH setting (either an HTTPS URI string or a file path).
    private final String jwkSetPath;

    // Non-null only when jwkSetPath parsed as an HTTPS URI.
    @Nullable
    private final URI jwkSetPathUri;

    // Non-null only when jwkSetPathUri is non-null; its presence selects the remote-fetch branch in loadInternal.
    @Nullable
    private final CloseableHttpAsyncClient httpClient;
    static final /* synthetic */ boolean $assertionsDisabled;
    // Holds the future of the reload currently in flight, or null when no reload is running.
    private final AtomicReference<ListenableFuture<Void>> reloadFutureRef = new AtomicReference<>();
    // Starts as a placeholder: 32 zero bytes as the digest and empty JWK/algorithm lists, replaced by the first load.
    private volatile ContentAndJwksAlgs contentAndJwksAlgs = new ContentAndJwksAlgs(new byte[32], new JwksAlgs(Collections.emptyList(), Collections.emptyList()));

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs.class */
    /**
     * Pairs the SHA-256 digest of the loaded JWK set content with the JWKs and algorithms kept
     * after filtering.
     *
     * <p>The digest array is stored and returned without copying, so a caller holding it can mutate
     * the value the loader later uses for change detection. The record-generated
     * {@code equals}/{@code hashCode} treat the {@code byte[]} component by identity rather than by
     * content; the loader compares digests with {@code Arrays.equals} instead.
     */
    public static final class ContentAndJwksAlgs extends Record {
        private final byte[] sha256;
        private final JwksAlgs jwksAlgs;

        /**
         * @param bArr digest bytes; not null-checked and not copied
         * @param jwksAlgs filtered JWKs and algorithms
         * @throws NullPointerException if {@code jwksAlgs} is null
         */
        ContentAndJwksAlgs(byte[] bArr, JwksAlgs jwksAlgs) {
            Objects.requireNonNull(jwksAlgs, "Filters JWKs and Algs must not be null");
            this.sha256 = bArr;
            this.jwksAlgs = jwksAlgs;
        }

        // Record-generated method over the components "sha256;jwksAlgs", as rendered by the decompiler.
        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ContentAndJwksAlgs.class), ContentAndJwksAlgs.class, "sha256;jwksAlgs", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs;->sha256:[B", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs;->jwksAlgs:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Record-generated method over the components "sha256;jwksAlgs", as rendered by the decompiler.
        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ContentAndJwksAlgs.class), ContentAndJwksAlgs.class, "sha256;jwksAlgs", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs;->sha256:[B", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs;->jwksAlgs:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Record-generated method over the components "sha256;jwksAlgs", as rendered by the decompiler.
        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ContentAndJwksAlgs.class, Object.class), ContentAndJwksAlgs.class, "sha256;jwksAlgs", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs;->sha256:[B", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$ContentAndJwksAlgs;->jwksAlgs:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        /** Returns the internal digest array itself, not a copy. */
        public byte[] sha256() {
            return this.sha256;
        }

        /** Returns the filtered JWKs and algorithms. */
        public JwksAlgs jwksAlgs() {
            return this.jwksAlgs;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs.class */
    /**
     * Holds the list of JWKs and the list of algorithm names that go with them.
     *
     * <p>Both lists are stored and returned by reference; this class makes no copy and does not
     * wrap them as unmodifiable.
     */
    public static final class JwksAlgs extends Record {
        private final List<JWK> jwks;
        private final List<String> algs;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * @param list the JWKs
         * @param list2 the algorithm names
         * @throws NullPointerException if either list is null
         */
        public JwksAlgs(List<JWK> list, List<String> list2) {
            Objects.requireNonNull(list, "JWKs must not be null");
            Objects.requireNonNull(list2, "Algs must not be null");
            this.jwks = list;
            this.algs = list2;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Returns true only when both the JWK list and the algorithm list are empty. */
        public boolean isEmpty() {
            return this.jwks.isEmpty() && this.algs.isEmpty();
        }

        // Record-generated method over the components "jwks;algs", as rendered by the decompiler.
        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, JwksAlgs.class), JwksAlgs.class, "jwks;algs", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;->jwks:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;->algs:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Record-generated method over the components "jwks;algs", as rendered by the decompiler.
        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, JwksAlgs.class), JwksAlgs.class, "jwks;algs", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;->jwks:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;->algs:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Record-generated method over the components "jwks;algs", as rendered by the decompiler.
        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, JwksAlgs.class, Object.class), JwksAlgs.class, "jwks;algs", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;->jwks:Ljava/util/List;", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwkSetLoader$JwksAlgs;->algs:Ljava/util/List;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        /** Returns the JWK list by reference. */
        public List<JWK> jwks() {
            return this.jwks;
        }

        /** Returns the algorithm list by reference. */
        public List<String> algs() {
            return this.algs;
        }
    }

    /**
     * Resolves the configured JWK set location and performs the first load before returning.
     *
     * <p>The constructor blocks on the initial load. If that load (or anything else in the
     * try block) throws, the HTTP client is closed and the throwable is rethrown, so no loader
     * instance exists without a successfully parsed JWK set.
     *
     * @param realmConfig realm configuration the path setting is read from
     * @param list allowed PKC algorithms used to filter the loaded JWKs; kept by reference
     * @param sSLService passed to {@code JwtUtil.createHttpClient} when the path is an HTTPS URI
     */
    public JwkSetLoader(RealmConfig realmConfig, List<String> list, SSLService sSLService) {
        this.realmConfig = realmConfig;
        this.allowedJwksAlgsPkc = list;
        this.jwkSetPath = (String) realmConfig.getSetting(JwtRealmSettings.PKC_JWKSET_PATH);
        // Decompiled `assert`: only evaluated when JVM assertions are enabled, so this class does
        // not itself reject a blank path in a normal production run.
        if (!$assertionsDisabled && !Strings.hasText(this.jwkSetPath)) {
            throw new AssertionError();
        }
        // A null result here means the value is treated as a local file path from now on.
        // NOTE(review): presumably parseHttpsUri returns null for anything that is not an https://
        // URI (including plain http) - confirm in JwtUtil, since that decides remote vs. file loading.
        this.jwkSetPathUri = JwtUtil.parseHttpsUri(this.jwkSetPath);
        if (this.jwkSetPathUri == null) {
            this.httpClient = null;
        } else {
            this.httpClient = JwtUtil.createHttpClient(realmConfig, sSLService);
        }
        try {
            // Initial load: start a reload and wait for it on the constructing thread.
            PlainActionFuture plainActionFuture = new PlainActionFuture();
            reload(plainActionFuture);
            plainActionFuture.actionGet();
        } catch (Throwable th) {
            // Release the HTTP client (if one was created) before propagating the failure.
            close();
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Requests a reload and registers {@code actionListener} on its future.
     *
     * <p>If a reload is already in flight the listener is attached to that one instead of starting
     * another.
     *
     * @param actionListener notified through the shared reload future
     */
    public void reload(ActionListener<Void> actionListener) {
        getFuture().addListener(actionListener);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the most recently published digest and filtered JWKs/algorithms (a volatile read). */
    public ContentAndJwksAlgs getContentAndJwksAlgs() {
        return this.contentAndJwksAlgs;
    }

    /**
     * Returns the future of the in-flight reload, starting a new reload when none is running.
     *
     * <p>Only the caller that wins the compare-and-set starts {@code loadInternal}; every other
     * concurrent caller returns the future already stored in {@code reloadFutureRef}.
     *
     * @return the future that reload listeners are attached to
     */
    ListenableFuture<Void> getFuture() {
        ListenableFuture<Void> listenableFuture;
        do {
            ListenableFuture<Void> listenableFuture2 = this.reloadFutureRef.get();
            if (listenableFuture2 != null) {
                // A reload is already running: share it.
                return listenableFuture2;
            }
            listenableFuture = new ListenableFuture<>();
        } while (!this.reloadFutureRef.compareAndSet(null, listenableFuture));
        // The hook clears reloadFutureRef so that a later call starts a fresh reload.
        // NOTE(review): the hook only runs when loadInternal notifies the listener. The file branch of
        // loadInternal reads and parses synchronously with no try/catch, so an exception there
        // propagates out of this method and appears to leave the uncompleted future in
        // reloadFutureRef; later reload() callers would then attach to a future that is never
        // completed. Confirm whether a file-based reload can be triggered after construction.
        loadInternal(ActionListener.runBefore(listenableFuture, () -> {
            ListenableFuture<Void> andSet = this.reloadFutureRef.getAndSet(null);
            // Decompiled `assert`: checked only when JVM assertions are enabled.
            if (!$assertionsDisabled && andSet != listenableFuture) {
                throw new AssertionError("future reference changed unexpectedly");
            }
        }));
        return listenableFuture;
    }

    /**
     * Reads the JWK set content from the HTTPS URI or the local file and hands it to
     * {@code handleReloadedContentAndJwksAlgs}.
     *
     * @param actionListener notified with {@code null} on success; in the HTTPS branch it is also
     *     the listener given to {@code JwtUtil.readUriContents}
     */
    void loadInternal(ActionListener<Void> actionListener) {
        if (this.httpClient != null) {
            logger.trace("Loading PKC JWKs from https URI [{}]", this.jwkSetPathUri);
            // Parsing runs inside the mapped listener, i.e. when the response bytes arrive.
            // NOTE(review): presumably ActionListener.map reports an exception thrown by the mapping
            // function through onFailure - confirm.
            JwtUtil.readUriContents(RealmSettings.getFullSettingKey(this.realmConfig, JwtRealmSettings.PKC_JWKSET_PATH), this.jwkSetPathUri, this.httpClient, actionListener.map(bArr -> {
                logger.trace("Loaded bytes [{}] from [{}]", Integer.valueOf(bArr.length), this.jwkSetPathUri);
                handleReloadedContentAndJwksAlgs(bArr);
                return null;
            }));
        } else {
            logger.trace("Loading PKC JWKs from path [{}]", this.jwkSetPath);
            // Read and parse on the calling thread; a failure here is thrown to the caller and the
            // listener is not notified.
            handleReloadedContentAndJwksAlgs(JwtUtil.readFileContents(RealmSettings.getFullSettingKey(this.realmConfig, JwtRealmSettings.PKC_JWKSET_PATH), this.jwkSetPath, this.realmConfig.env()));
            actionListener.onResponse((Object) null);
        }
    }

    /**
     * Parses freshly read content and publishes it when its digest differs from the current one.
     *
     * <p>Parsing happens before the comparison, so content that fails to parse throws before the
     * field is assigned and the previously published keys stay in place.
     *
     * @param bArr raw bytes of the JWK set document
     */
    private void handleReloadedContentAndJwksAlgs(byte[] bArr) {
        ContentAndJwksAlgs parseContent = parseContent(bArr);
        // Decompiled `assert` statements: checked only when JVM assertions are enabled.
        if (!$assertionsDisabled && parseContent == null) {
            throw new AssertionError();
        }
        if (!$assertionsDisabled && this.contentAndJwksAlgs == null) {
            throw new AssertionError();
        }
        // Compare digests by content; unchanged content keeps the existing object.
        if (Arrays.equals(this.contentAndJwksAlgs.sha256, parseContent.sha256)) {
            return;
        }
        logger.debug("Reloaded JWK set from sha256=[{}] to sha256=[{}]", MessageDigests.toHexString(this.contentAndJwksAlgs.sha256), MessageDigests.toHexString(parseContent.sha256));
        // Volatile write publishes the new key set to readers of getContentAndJwksAlgs().
        this.contentAndJwksAlgs = parseContent;
    }

    /**
     * Decodes the content as UTF-8, digests it, and filters the contained JWKs by the allowed
     * algorithms.
     *
     * <p>The digest is computed from the decoded string rather than from {@code bArr} directly.
     * The number of usable JWKs, the algorithm names and the digest are logged at info level on
     * every call, including reloads whose content turns out to be unchanged.
     *
     * @param bArr raw bytes of the JWK set document
     * @return the digest together with the filtered JWKs and algorithms
     */
    private ContentAndJwksAlgs parseContent(byte[] bArr) {
        String str = new String(bArr, StandardCharsets.UTF_8);
        byte[] sha256 = JwtUtil.sha256(str);
        JwksAlgs filterJwksAndAlgorithms = JwkValidateUtil.filterJwksAndAlgorithms(JwkValidateUtil.loadJwksFromJwkSetString(RealmSettings.getFullSettingKey(this.realmConfig, JwtRealmSettings.PKC_JWKSET_PATH), str), this.allowedJwksAlgsPkc);
        logger.info("Usable PKC: JWKs=[{}] algorithms=[{}] sha256=[{}]", Integer.valueOf(filterJwksAndAlgorithms.jwks().size()), String.join(",", filterJwksAndAlgorithms.algs()), MessageDigests.toHexString(sha256));
        return new ContentAndJwksAlgs(sha256, filterJwksAndAlgorithms);
    }

    /**
     * Closes the HTTP client if one was created; does nothing for a file-based loader.
     *
     * <p>An {@code IOException} from the client is logged at warn level and not rethrown.
     */
    public void close() {
        if (this.httpClient != null) {
            try {
                this.httpClient.close();
            } catch (IOException e) {
                logger.warn(() -> {
                    return "Exception closing HTTPS client for realm [" + this.realmConfig.name() + "]";
                }, e);
            }
        }
    }

    // Decompiled static initializer: the assertion flag backs the `assert` statements above.
    static {
        $assertionsDisabled = !JwkSetLoader.class.desiredAssertionStatus();
        logger = LogManager.getLogger(JwkSetLoader.class);
    }
}
