package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWT;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.function.Supplier;
import org.apache.http.HttpResponse;
import org.apache.http.StatusLine;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.concurrent.FutureCallback;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
import org.apache.http.nio.conn.SchemeIOSessionStrategy;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.SuppressLoggerChecks;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.settings.RotatableSecret;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtUtil.class */
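/**
 * Stateless helpers shared by the JWT realm: extracting the bearer/secret headers from a request,
 * checking the per-request client secret against the realm configuration, HTTPS-only URI parsing,
 * fetching remote content (JWK sets) over TLS, JWK serialisation, and log-safe rendering of tokens.
 *
 * <p>This is a cleaned-up form of decompiled output: the synthetic switch-map class and
 * {@code $assertionsDisabled} fields are replaced by a plain enum switch and {@code assert}, the
 * {@code doPrivileged} calls carry the explicit action casts they need to resolve the overload, and
 * the response stream in {@link #readBytes} is closed on every path.
 */
public class JwtUtil {
    private static final Logger LOGGER = LogManager.getLogger(JwtUtil.class);

    /**
     * Accumulates message fragments and their arguments and emits them as one trace line on
     * {@link #flush()} / {@link #close()}. Nothing is buffered unless the supplied logger has trace
     * enabled, so when trace is off the cost is a single {@code isTraceEnabled()} check per append.
     *
     * <p>Not thread-safe: create, fill and close it within one request.
     */
    public static class TraceBuffer implements AutoCloseable {
        private final Logger logger;
        private final List<Object> params = new ArrayList<>();
        private final StringBuilder builder = new StringBuilder();
        // set by close(); append/flush after that is a programming error caught by assert
        boolean closed = false;

        public TraceBuffer(Logger logger) {
            this.logger = logger;
        }

        /**
         * Appends a fragment (with {@code {}} placeholders) and its arguments.
         *
         * <p>A {@link Supplier} argument is resolved here, and only when trace is enabled, so callers
         * can pass lazily-built values (e.g. a redacted token rendering) without paying for them when
         * trace is off.
         *
         * @param str    message fragment
         * @param objArr placeholder values; each {@link Supplier} is replaced by its result
         */
        public void append(String str, Object... objArr) {
            assert closed == false : "append after close";
            if (logger.isTraceEnabled()) {
                builder.append(str).append(" ");
                params.addAll(
                    Arrays.stream(objArr).map(obj -> obj instanceof Supplier<?> supplier ? supplier.get() : obj).toList()
                );
            }
        }

        /** Logs the buffered line at trace level, if there is one, and resets the buffer. */
        @SuppressLoggerChecks(reason = "builds the tracer dynamically")
        public void flush() {
            assert closed == false : "flush after close";
            if (logger.isTraceEnabled() == false || builder.isEmpty()) {
                return;
            }
            logger.trace(builder.toString(), params.toArray());
            params.clear();
            builder.setLength(0);
        }

        /** Flushes and marks the buffer closed; a second close trips the assert in {@link #flush()}. */
        @Override
        public void close() {
            flush();
            closed = true;
        }
    }

    /**
     * Extracts the value of a request header of the form {@code <scheme> <value>}.
     *
     * @param threadContext request context the header is read from
     * @param str           header name (e.g. {@code Authorization})
     * @param str2          expected scheme prefix (e.g. {@code Bearer}); a single space must follow it
     * @param z             whether the prefix comparison ignores case
     * @return the trimmed value after the prefix, or {@code null} when the header is absent, blank,
     *         or does not start with the prefix
     */
    public static SecureString getHeaderValue(ThreadContext threadContext, String str, String str2, boolean z) {
        final String header = threadContext.getHeader(str);
        if (Strings.hasText(header) == false) {
            return null;
        }
        final String prefix = str2 + " ";
        if (header.regionMatches(z, 0, prefix, 0, prefix.length())) {
            // Only the part after the prefix is copied into the SecureString; the raw header remains
            // in the thread context, so this does not by itself limit the secret's lifetime.
            return new SecureString(header.substring(prefix.length()).trim().toCharArray());
        }
        return null;
    }

    /**
     * Checks at realm construction that the client-authentication settings are self-consistent.
     *
     * @param str                      name of the client-authentication type setting (for messages)
     * @param clientAuthenticationType configured type
     * @param str2                     name of the shared-secret setting (for messages)
     * @param rotatableSecret          configured shared secret, possibly unset
     * @throws SettingsException when the type is {@code shared_secret} but no secret is configured,
     *                           or the type is {@code none} but a secret is configured
     */
    public static void validateClientAuthenticationSettings(
        String str,
        JwtRealmSettings.ClientAuthenticationType clientAuthenticationType,
        String str2,
        RotatableSecret rotatableSecret
    ) throws SettingsException {
        switch (clientAuthenticationType) {
            case SHARED_SECRET -> {
                if (rotatableSecret.isSet() == false) {
                    throw new SettingsException(
                        "Missing setting for ["
                            + str2
                            + "]. It is required when setting ["
                            + str
                            + "] is ["
                            + JwtRealmSettings.ClientAuthenticationType.SHARED_SECRET.value()
                            + "]"
                    );
                }
            }
            // NONE, and any value added later, is treated as "no client authentication"
            default -> {
                if (rotatableSecret.isSet()) {
                    throw new SettingsException(
                        "Setting ["
                            + str2
                            + "] is not supported, because setting ["
                            + str
                            + "] is ["
                            + JwtRealmSettings.ClientAuthenticationType.NONE.value()
                            + "]"
                    );
                }
                // Without a client secret, possession of a JWT from the trusted issuer is sufficient;
                // the warning makes that trade-off visible in the logs at startup.
                LOGGER.warn(
                    "Setting [{}] value [{}] may not be secure. Unauthorized clients may be able to submit JWTs from the same issuer.",
                    str2,
                    JwtRealmSettings.ClientAuthenticationType.NONE.value()
                );
            }
        }
    }

    /**
     * Per-request check of the client secret presented alongside the JWT.
     *
     * <p>Secret comparison is delegated to {@link RotatableSecret#matches}; neither the presented nor
     * the configured secret is included in the exception messages or log lines.
     *
     * @param clientAuthenticationType configured mode
     * @param rotatableSecret          configured shared secret(s)
     * @param secureString             secret presented by the client, may be {@code null}
     * @param str                      token rendering used in trace logging only; callers are
     *                                 expected to pass an already-redacted form
     * @throws Exception when the mode is {@code shared_secret} and the secret is missing or does not match
     */
    public static void validateClientAuthentication(
        JwtRealmSettings.ClientAuthenticationType clientAuthenticationType,
        RotatableSecret rotatableSecret,
        SecureString secureString,
        String str
    ) throws Exception {
        switch (clientAuthenticationType) {
            case SHARED_SECRET -> {
                if (Strings.hasText(secureString) == false) {
                    throw new Exception(
                        "Rejected client. Authentication type is [" + clientAuthenticationType + "] and secret is missing."
                    );
                }
                if (rotatableSecret.matches(secureString) == false) {
                    throw new Exception(
                        "Rejected client. Authentication type is [" + clientAuthenticationType + "] and secret did not match."
                    );
                }
                LOGGER.trace(
                    "Accepted client for token [{}]. Authentication type is [{}] and secret matched.",
                    str,
                    clientAuthenticationType
                );
            }
            default -> {
                // A secret sent to a realm configured with type "none" is ignored, not rejected.
                if (Strings.hasText(secureString)) {
                    LOGGER.trace(
                        "Accepted client for token [{}]. Authentication type [{}]. Secret is present but ignored.",
                        str,
                        clientAuthenticationType
                    );
                } else {
                    LOGGER.trace("Accepted client for token [{}]. Authentication type [{}].", str, clientAuthenticationType);
                }
            }
        }
    }

    /**
     * Parses a setting value as an HTTPS URI.
     *
     * <p>Returns {@code null} for blank values and for values that do not start with {@code https},
     * so the caller can fall back to interpreting the value as something else (e.g. a file path).
     * The prefix check is case-sensitive and is only a prefix check; the effective scheme guard is
     * {@link #createHttpClient}, whose connection registry only knows {@code https}.
     *
     * @param str setting value
     * @return the parsed URI, or {@code null} when the value is blank or not an {@code https} value
     * @throws SettingsException when the value starts with {@code http} but not {@code https}, does not
     *                           parse as a URI, or has no host
     */
    public static URI parseHttpsUri(String str) {
        if (Strings.hasText(str) == false) {
            return null;
        }
        if (str.startsWith("https") == false) {
            if (str.startsWith("http")) {
                throw new SettingsException("Not allowed to use HTTP URI [" + str + "]. Only HTTPS is supported.");
            }
            LOGGER.trace("Not a HTTPS URI [{}].", str);
            return null;
        }
        final URI uri;
        try {
            uri = new URI(str);
        } catch (Exception e) {
            throw new SettingsException("Failed to parse HTTPS URI [" + str + "].", e);
        }
        // Checked outside the try so the specific message is not re-wrapped as a parse failure.
        if (Strings.hasText(uri.getHost()) == false) {
            throw new SettingsException("Host is missing in HTTPS URI [" + str + "].");
        }
        return uri;
    }

    /**
     * Fetches the body of {@code uri} with {@link #readBytes}, translating any failure into a
     * {@link SettingsException} that names the setting the URI came from.
     *
     * @param str                     setting name, used in the failure message
     * @param uri                     HTTPS URI to fetch
     * @param closeableHttpAsyncClient client created by {@link #createHttpClient}
     * @param actionListener          receives the body bytes, or the wrapped failure
     */
    public static void readUriContents(
        String str,
        URI uri,
        CloseableHttpAsyncClient closeableHttpAsyncClient,
        ActionListener<byte[]> actionListener
    ) {
        Objects.requireNonNull(actionListener);
        readBytes(
            closeableHttpAsyncClient,
            uri,
            ActionListener.wrap(
                actionListener::onResponse,
                exc -> actionListener.onFailure(
                    new SettingsException("Can't get contents for setting [" + str + "] value [" + uri + "].", exc)
                )
            )
        );
    }

    /**
     * Reads a file referenced by a setting, resolved via {@link #resolvePath}.
     *
     * @param str         setting name, used in the failure message
     * @param str2        file path value of the setting
     * @param environment node environment providing the config directory
     * @return the file contents
     * @throws SettingsException wrapping any read failure
     */
    public static byte[] readFileContents(String str, String str2, Environment environment) throws SettingsException {
        try {
            return Files.readAllBytes(resolvePath(environment, str2));
        } catch (Exception e) {
            throw new SettingsException("Failed to read contents for setting [" + str + "] value [" + str2 + "].", e);
        }
    }

    /**
     * Serialises a JWK set to JSON.
     *
     * @param jWKSet set to serialise, may be {@code null}
     * @param z      passed to Nimbus as the public-keys-only flag: when {@code true} private parameters
     *               are omitted from the output, when {@code false} they are included
     * @return JSON text, or {@code null} when {@code jWKSet} is {@code null}
     */
    public static String serializeJwkSet(JWKSet jWKSet, boolean z) {
        if (jWKSet == null) {
            return null;
        }
        return JSONObjectUtils.toJSONString(jWKSet.toJSONObject(z));
    }

    /**
     * Renders an HMAC (octet sequence) JWK as the UTF-8 text of its key bytes.
     *
     * <p>The result is an immutable {@link String}, so the key material cannot be zeroed afterwards;
     * keep the returned value's lifetime short.
     *
     * @param jwk an octet-sequence JWK
     * @return the key bytes decoded as UTF-8
     */
    public static String serializeJwkHmacOidc(JWK jwk) {
        return new String(jwk.toOctetSequenceKey().toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Builds and starts the async HTTP client used to fetch remote JWK sets.
     *
     * <p>TLS settings (trust, client certs, hostname verification) come from the realm's own
     * {@code ssl.*} configuration via {@link SSLService}. Only the {@code https} scheme is registered
     * with the connection manager, so a plain-http target, including one reached by redirect, has no
     * connection strategy and fails instead of downgrading.
     *
     * @param realmConfig realm settings supplying pool sizes and timeouts
     * @param sSLService  source of the realm's SSL configuration
     * @return a started client; the caller owns it and must close it
     * @throws IllegalStateException if the privileged construction fails
     */
    public static CloseableHttpAsyncClient createHttpClient(RealmConfig realmConfig, SSLService sSLService) {
        try {
            // Guard against untrusted callers before escalating via doPrivileged.
            SpecialPermission.check();
            return AccessController.doPrivileged((PrivilegedExceptionAction<CloseableHttpAsyncClient>) () -> {
                final DefaultConnectingIOReactor ioReactor = new DefaultConnectingIOReactor();
                final SslConfiguration sslConfiguration = sSLService.getSSLConfiguration(
                    RealmSettings.realmSslPrefix(realmConfig.identifier())
                );
                final PoolingNHttpClientConnectionManager connectionManager = new PoolingNHttpClientConnectionManager(
                    ioReactor,
                    RegistryBuilder.<SchemeIOSessionStrategy>create()
                        .register(
                            "https",
                            new SSLIOSessionStrategy(
                                sSLService.sslContext(sslConfiguration),
                                SSLService.getHostnameVerifier(sslConfiguration)
                            )
                        )
                        .build()
                );
                final int maxPerRoute = (Integer) realmConfig.getSetting(JwtRealmSettings.HTTP_MAX_ENDPOINT_CONNECTIONS);
                final int maxTotal = (Integer) realmConfig.getSetting(JwtRealmSettings.HTTP_MAX_CONNECTIONS);
                connectionManager.setDefaultMaxPerRoute(maxPerRoute);
                connectionManager.setMaxTotal(maxTotal);

                final long connectMillis = ((TimeValue) realmConfig.getSetting(JwtRealmSettings.HTTP_CONNECT_TIMEOUT)).getMillis();
                final long connectionReadMillis = ((TimeValue) realmConfig.getSetting(JwtRealmSettings.HTTP_CONNECTION_READ_TIMEOUT))
                    .getMillis();
                final long socketMillis = ((TimeValue) realmConfig.getSetting(JwtRealmSettings.HTTP_SOCKET_TIMEOUT)).getMillis();
                // NOTE(review): HTTP_CONNECTION_READ_TIMEOUT is applied as Apache's connection-request
                // timeout (time waiting for a pooled connection); reads are bounded by the socket
                // timeout below. Confirm that mapping matches the setting's documented meaning.
                final RequestConfig requestConfig = RequestConfig.custom()
                    .setConnectTimeout(Math.toIntExact(connectMillis))
                    .setConnectionRequestTimeout(Math.toIntExact(connectionReadMillis))
                    .setSocketTimeout(Math.toIntExact(socketMillis))
                    .build();

                final CloseableHttpAsyncClient client = HttpAsyncClients.custom()
                    .setConnectionManager(connectionManager)
                    .setDefaultRequestConfig(requestConfig)
                    .build();
                client.start();
                return client;
            });
        } catch (PrivilegedActionException e) {
            throw new IllegalStateException("Unable to create a HttpAsyncClient instance", e);
        }
    }

    /**
     * Issues an async GET and hands the full response body to the listener.
     *
     * <p>Only status 200 is accepted; every other status, a transport failure, or cancellation is
     * reported through {@code actionListener.onFailure}. The body is read with
     * {@code readAllBytes()} and there is no size cap here, so callers rely on the remote endpoint
     * being trusted (it is configured by the operator and reached only over TLS).
     *
     * @param closeableHttpAsyncClient started client from {@link #createHttpClient}
     * @param uri                      target to GET
     * @param actionListener           receives the body bytes or the failure
     */
    public static void readBytes(CloseableHttpAsyncClient closeableHttpAsyncClient, URI uri, ActionListener<byte[]> actionListener) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            closeableHttpAsyncClient.execute(new HttpGet(uri), new FutureCallback<HttpResponse>() {
                @Override
                public void completed(HttpResponse httpResponse) {
                    final StatusLine statusLine = httpResponse.getStatusLine();
                    final int statusCode = statusLine.getStatusCode();
                    if (statusCode != 200) {
                        // The body of a non-200 response is neither read nor reported, only the status line.
                        actionListener.onFailure(
                            new ElasticsearchSecurityException(
                                "Get [" + uri + "] failed, status [" + statusCode + "], reason [" + statusLine.getReasonPhrase() + "]."
                            )
                        );
                        return;
                    }
                    // try-with-resources closes the stream even when readAllBytes (or the listener) throws;
                    // the decompiled form had an empty finally and leaked the stream on that path.
                    try (InputStream content = httpResponse.getEntity().getContent()) {
                        actionListener.onResponse(content.readAllBytes());
                    } catch (Exception e) {
                        actionListener.onFailure(e);
                    }
                }

                @Override
                public void failed(Exception exc) {
                    actionListener.onFailure(new ElasticsearchSecurityException("Get [" + uri + "] failed.", exc));
                }

                @Override
                public void cancelled() {
                    actionListener.onFailure(new ElasticsearchSecurityException("Get [" + uri + "] was cancelled."));
                }
            });
            return null;
        });
    }

    /**
     * Resolves a setting's path against the node's config directory.
     *
     * <p>Per {@link Path#resolve} semantics an absolute {@code str} is returned as-is, so this does
     * not confine the result to the config directory; the value is operator-controlled configuration.
     *
     * @param environment node environment
     * @param str         relative or absolute path
     * @return the resolved path
     */
    public static Path resolvePath(Environment environment, String str) {
        return environment.configFile().resolve(str);
    }

    /**
     * Joins the parts with the given delimiter into a {@link SecureString}.
     *
     * <p>The join goes through an intermediate {@link String}, which cannot be zeroed; only the
     * returned {@link SecureString} is clearable.
     *
     * @param charSequence    delimiter placed between parts
     * @param charSequenceArr parts to join; empty input yields an empty SecureString
     * @return the joined value
     */
    public static SecureString join(CharSequence charSequence, CharSequence... charSequenceArr) {
        final StringBuilder sb = new StringBuilder();
        for (int i = 0; i < charSequenceArr.length; i++) {
            if (i != 0) {
                sb.append(charSequence);
            }
            sb.append(charSequenceArr[i]);
        }
        return new SecureString(sb.toString().toCharArray());
    }

    /**
     * SHA-256 of the UTF-8 encoding of {@code charSequence}.
     *
     * <p>{@code toString()} materialises the input as an immutable {@link String}; if the input is a
     * {@link SecureString} its contents will linger on the heap until collected.
     *
     * @param charSequence text to hash
     * @return the 32-byte digest
     */
    public static byte[] sha256(CharSequence charSequence) {
        final MessageDigest sha256 = MessageDigests.sha256();
        sha256.update(charSequence.toString().getBytes(StandardCharsets.UTF_8));
        return sha256.digest();
    }

    /**
     * Returns a lazy, log-safe rendering of a token: for a JWS the header and payload segments are
     * kept and the signature segment is replaced by {@code <redacted-signature>}.
     *
     * <p>For anything that is not a {@link JWSObject} the full parsed string is returned unchanged.
     * NOTE(review): that path logs the token verbatim; confirm it is acceptable for the log levels
     * that consume this supplier.
     *
     * @param jwt parsed token, must be non-null
     * @return supplier of the rendering; evaluated only when the caller asks for it
     * @throws NullPointerException if {@code jwt} is {@code null}
     */
    public static Supplier<String> toStringRedactSignature(JWT jwt) {
        if (jwt instanceof JWSObject jws) {
            final Base64URL[] parsedParts = jwt.getParsedParts();
            assert parsedParts.length == 3 : "a JWS has exactly three parsed parts";
            assert parsedParts[0] != null && parsedParts[1] != null && parsedParts[2] != null;
            assert Objects.equals(parsedParts[2], jws.getSignature());
            return () -> parsedParts[0] + "." + parsedParts[1] + ".<redacted-signature>";
        }
        Objects.requireNonNull(jwt);
        return jwt::getParsedString;
    }
}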
