package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.core.security.support.Automatons;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtStringClaimValidator.class */
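/**
 * Checks that a string-valued JWT claim carries at least one allowed value.
 *
 * <p>A value is accepted when it is contained in the configured set of exact values or when it
 * matches one of the configured patterns. The pattern syntax is whatever
 * {@link Automatons#predicate(Collection)} accepts; it is not defined in this class.
 *
 * <p>Validation fails closed: a missing claim, or a claim none of whose values is allowed, causes
 * {@link #validate(JWSHeader, JWTClaimsSet)} to throw.
 */
public class JwtStringClaimValidator implements JwtFieldValidator {
    /**
     * Validator for the single-valued {@code sub} claim with no exact values and the single
     * pattern {@code "*"}. The claim must still be present for validation to pass.
     * NOTE(review): {@code "*"} presumably matches every string under the Automatons wildcard
     * syntax - confirm against Automatons before relying on this as "allow all".
     */
    public static final JwtStringClaimValidator ALLOW_ALL_SUBJECTS =
        new JwtStringClaimValidator("sub", true, List.of(), List.of("*"));

    private final String claimName;
    private final boolean singleValuedClaim;

    // Stored as passed in (no defensive copy); may be null when no fallback names are configured.
    @Nullable
    private final Map<String, String> fallbackClaimNames;
    private final Predicate<String> allowedClaimValuesPredicate;

    /**
     * Creates a validator without fallback claim names.
     *
     * @param claimName name of the claim to validate
     * @param singleValuedClaim {@code true} to read the claim as one string, {@code false} to read
     *     it as a list of strings
     * @param allowedClaimValues exact values to accept; empty rather than {@code null}
     * @param allowedClaimValuePatterns patterns to accept; empty rather than {@code null}
     * @throws SettingsException if the patterns cannot be turned into a predicate
     */
    public JwtStringClaimValidator(
        String claimName,
        boolean singleValuedClaim,
        Collection<String> allowedClaimValues,
        Collection<String> allowedClaimValuePatterns
    ) {
        this(claimName, singleValuedClaim, null, allowedClaimValues, allowedClaimValuePatterns);
    }

    /**
     * Creates a validator, optionally with fallback claim names.
     *
     * @param claimName name of the claim to validate
     * @param singleValuedClaim {@code true} to read the claim as one string, {@code false} to read
     *     it as a list of strings
     * @param fallbackClaimNames mapping handed to {@link FallbackableClaim}; may be {@code null}
     * @param allowedClaimValues exact values to accept; empty rather than {@code null}
     * @param allowedClaimValuePatterns patterns to accept; empty rather than {@code null}
     * @throws SettingsException if the patterns cannot be turned into a predicate
     */
    public JwtStringClaimValidator(
        final String claimName,
        boolean singleValuedClaim,
        Map<String, String> fallbackClaimNames,
        final Collection<String> allowedClaimValues,
        final Collection<String> allowedClaimValuePatterns
    ) {
        assert allowedClaimValues != null : "allowed claim values should be empty rather than null";
        assert allowedClaimValuePatterns != null : "allowed claim value patterns should be empty rather than null";
        this.claimName = claimName;
        this.singleValuedClaim = singleValuedClaim;
        this.fallbackClaimNames = fallbackClaimNames;
        // An anonymous class rather than a lambda so that toString() can describe the allow-list
        // in validation failure messages.
        this.allowedClaimValuesPredicate = new Predicate<String>() {
            // Copied, so later changes to the caller's collection do not alter the allow-list.
            private final Set<String> allowedClaimsSet = new HashSet<>(allowedClaimValues);
            private final Predicate<String> allowedClaimPatternsPredicate =
                JwtStringClaimValidator.predicateFromPatterns(claimName, allowedClaimValuePatterns);

            @Override
            public boolean test(String claimValue) {
                // The exact-match lookup runs first; the pattern predicate is the fallback.
                return this.allowedClaimsSet.contains(claimValue) || this.allowedClaimPatternsPredicate.test(claimValue);
            }

            @Override
            public String toString() {
                return "["
                    + Strings.collectionToCommaDelimitedString(this.allowedClaimsSet)
                    + "] || ["
                    + this.allowedClaimPatternsPredicate
                    + "]";
            }
        };
    }

    /**
     * Accepts the token if at least one value of the configured claim is allowed.
     *
     * <p>For a multi-valued claim the check is any-match: the method returns on the first allowed
     * value and does not inspect the remaining ones. A claim that yields no values is rejected.
     *
     * @param jwsHeader header of the token; not used by this validator
     * @param jwtClaimsSet claims of the token being validated
     * @throws IllegalArgumentException if the claim is missing or none of its values is allowed
     */
    @Override
    public void validate(JWSHeader jwsHeader, JWTClaimsSet jwtClaimsSet) {
        final FallbackableClaim claim = new FallbackableClaim(this.claimName, this.fallbackClaimNames, jwtClaimsSet);
        final List<String> claimValues = getStringClaimValues(claim);
        if (claimValues == null) {
            throw new IllegalArgumentException("missing required string claim [" + claim + "]");
        }
        for (String claimValue : claimValues) {
            if (this.allowedClaimValuesPredicate.test(claimValue)) {
                return;
            }
        }
        // The message embeds claim values taken from the token, i.e. text chosen by whoever
        // presented it, together with the configured allow-list. Code that logs or returns this
        // message should treat it as untrusted input.
        throw new IllegalArgumentException(
            "string claim ["
                + claim
                + "] has value ["
                + Strings.collectionToCommaDelimitedString(claimValues)
                + "] which does not match allowed claim values "
                + this.allowedClaimValuesPredicate
        );
    }

    /**
     * Reads the claim as a list of strings.
     *
     * @return the claim values; {@code null} when a single-valued claim is absent, otherwise
     *     whatever {@link FallbackableClaim#getStringListClaimValue()} returns
     */
    private List<String> getStringClaimValues(FallbackableClaim claim) {
        if (this.singleValuedClaim == false) {
            return claim.getStringListClaimValue();
        }
        final String singleValue = claim.getStringClaimValue();
        return singleValue == null ? null : List.of(singleValue);
    }

    /**
     * Builds the pattern predicate, reporting any failure as a settings problem that names the claim.
     *
     * @throws SettingsException wrapping whatever {@link Automatons#predicate(Collection)} threw
     */
    private static Predicate<String> predicateFromPatterns(String claimName, Collection<String> patterns) {
        try {
            return Automatons.predicate(patterns);
        } catch (Exception e) {
            throw new SettingsException("Invalid patterns for allowed claim values for [" + claimName + "].", e);
        }
    }
}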
