package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.List;
import java.util.Objects;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticationToken.class */
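public class JwtAuthenticationToken implements AuthenticationToken {
    private static final Logger LOGGER = LogManager.getLogger(JwtAuthenticationToken.class);

    // Both secrets are closed and nulled by clearCredentials(); the token must not be reused after that.
    protected SecureString endUserSignedJwt;
    protected SecureString clientAuthenticationSharedSecret;
    // Derived as "<iss>/<sorted,aud,list>/<principal claim value>" from the JWT claims.
    protected String principal;

    /**
     * Builds an authentication token from a signed JWT and an optional client shared secret.
     *
     * <p>The JWT is only parsed here so that the principal can be derived from its claims; no signature
     * verification happens in this class, so the derived principal is not trusted until the token has
     * been validated by the realm (presumably elsewhere in the JWT realm — confirm against caller).
     *
     * @param principalClaimNames ordered list of claim names to try for the principal; must be non-empty
     * @param endUserSignedJwt the serialized signed JWT presented by the end user; must be non-empty
     * @param clientAuthenticationSharedSecret optional shared secret for client authentication;
     *        may be {@code null} but must be non-empty when present
     * @throws IllegalArgumentException if any argument is empty, the JWT cannot be parsed, the
     *         {@code iss} or {@code aud} claim is missing, or no usable principal claim is found
     * @throws NullPointerException if {@code principalClaimNames} or {@code endUserSignedJwt} is {@code null}
     */
    public JwtAuthenticationToken(List<String> principalClaimNames, SecureString endUserSignedJwt, @Nullable SecureString clientAuthenticationSharedSecret) {
        Objects.requireNonNull(principalClaimNames, "JWT token principal claim names list must not be null");
        Objects.requireNonNull(endUserSignedJwt, "JWT bearer token must not be null");
        if (principalClaimNames.isEmpty()) {
            throw new IllegalArgumentException("JWT token principal claim names list must be non-empty");
        }
        if (endUserSignedJwt.isEmpty()) {
            throw new IllegalArgumentException("JWT bearer token must be non-empty");
        }
        if (clientAuthenticationSharedSecret != null && clientAuthenticationSharedSecret.isEmpty()) {
            throw new IllegalArgumentException("Client shared secret must be non-empty");
        }
        this.endUserSignedJwt = endUserSignedJwt;
        this.clientAuthenticationSharedSecret = clientAuthenticationSharedSecret;
        try {
            // SignedJWT.parse only decodes the compact serialization; it does not check the signature.
            JWTClaimsSet claimsSet = SignedJWT.parse(this.endUserSignedJwt.toString()).getJWTClaimsSet();
            String issuer = claimsSet.getIssuer();
            List<String> audience = claimsSet.getAudience();
            if (!Strings.hasText(issuer)) {
                throw new IllegalArgumentException("Issuer claim 'iss' is missing.");
            }
            if (audience == null || audience.isEmpty()) {
                throw new IllegalArgumentException("Audiences claim 'aud' is missing.");
            }
            // TreeSet sorts and de-duplicates the audiences so the principal is stable regardless of claim order.
            String sortedAudiences = String.join(",", new TreeSet<>(audience));
            this.principal = issuer + "/" + sortedAudiences + "/" + resolvePrincipalClaimName(claimsSet, principalClaimNames);
        } catch (ParseException e) {
            throw new IllegalArgumentException("Failed to parse JWT bearer token", e);
        }
    }

    /**
     * Returns the value of the first configured claim name that is present in the claims set.
     *
     * <p>A present claim that is an empty string or is not a {@link String} is an error rather than
     * being skipped, so a misconfigured or unexpected claim cannot silently fall through to a later name.
     *
     * @param claimsSet parsed JWT claims
     * @param principalClaimNames claim names to try, in priority order
     * @return the non-empty string value of the first matching claim
     * @throws IllegalArgumentException if a matching claim is empty or not a string, or if none match
     */
    private String resolvePrincipalClaimName(JWTClaimsSet claimsSet, List<String> principalClaimNames) {
        for (String claimName : principalClaimNames) {
            Object claimValue = claimsSet.getClaim(claimName);
            if (claimValue instanceof String) {
                String value = (String) claimValue;
                if (value.isEmpty()) {
                    throw new IllegalArgumentException("Allowed principal claim name '" + claimName + "' exists but cannot be used because the value of that claim is an empty string");
                }
                // Trace level only: this logs the principal claim value taken from the (not yet verified) JWT.
                LOGGER.trace("Found allowed principal claim name [{}] with value [{}]", claimName, value);
                return value;
            }
            if (claimValue != null) {
                throw new IllegalArgumentException("Allowed principal claim name '" + claimName + "' exists but cannot be used because the value of that claim must be a string, but instead it was a [" + claimValue.getClass().getSimpleName() + "]");
            }
        }
        // Only claim names (never values) are listed in the error to aid configuration without leaking claim contents.
        String stringClaimNames = claimsSet.getClaims().entrySet().stream()
            .filter(entry -> entry.getValue() instanceof String)
            .map(entry -> entry.getKey())
            .collect(Collectors.joining(","));
        throw new IllegalArgumentException("None of these configured principal claim names were found in the JWT Claims Set [" + String.join(",", principalClaimNames) + "] - available claims in the JWT with potential compatible string values are [" + stringClaimNames + "]");
    }

    /**
     * Returns the principal derived from the JWT claims, or {@code null} after {@link #clearCredentials()}.
     */
    public String principal() {
        return this.principal;
    }

    /**
     * Always returns {@code null}; the bearer JWT and client secret are exposed through
     * {@link #getEndUserSignedJwt()} and {@link #getClientAuthenticationSharedSecret()} instead.
     *
     * <p>Decompiler note: this is the {@code credentials()} method of the interface, renamed because
     * its bridge method was merged ({@code renamed from: credentials}).
     */
    public SecureString m57credentials() {
        return null;
    }

    /** Returns the end user's signed JWT, or {@code null} after {@link #clearCredentials()}. */
    public SecureString getEndUserSignedJwt() {
        return this.endUserSignedJwt;
    }

    /** Returns the client shared secret, or {@code null} if none was given or after {@link #clearCredentials()}. */
    public SecureString getClientAuthenticationSharedSecret() {
        return this.clientAuthenticationSharedSecret;
    }

    /**
     * Closes and discards both secrets and the principal. Safe to call more than once: a second
     * call is a no-op rather than a {@link NullPointerException} on the already-cleared JWT.
     */
    public void clearCredentials() {
        if (this.endUserSignedJwt != null) {
            this.endUserSignedJwt.close();
            this.endUserSignedJwt = null;
        }
        if (this.clientAuthenticationSharedSecret != null) {
            this.clientAuthenticationSharedSecret.close();
            this.clientAuthenticationSharedSecret = null;
        }
        this.principal = null;
    }

    /** Includes only the principal, never the JWT or shared secret, so it is safe to log. */
    @Override
    public String toString() {
        return JwtAuthenticationToken.class.getSimpleName() + "=" + this.principal;
    }
}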
