package org.elasticsearch.xpack.security.authc.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.IOUtils;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerTokenError;
import com.nimbusds.oauth2.sdk.util.JSONObjectUtils;
import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.AccessTokenValidator;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import net.minidev.json.JSONArray;
import org.apache.commons.codec.Charsets;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.concurrent.FutureCallback;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ConnectionKeepAliveStrategy;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.DefaultConnectionKeepAliveStrategy;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
import org.apache.http.impl.nio.reactor.IOReactorConfig;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.nio.conn.NoopIOSessionStrategy;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.concurrent.ListenableFuture;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.CheckedRunnable;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.watcher.FileChangesListener;
import org.elasticsearch.watcher.FileWatcher;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.jwt.JwtRealm;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator.class */
public class OpenIdConnectAuthenticator {
    private final RealmConfig realmConfig;
    private final OpenIdConnectProviderConfiguration opConfig;
    private final RelyingPartyConfiguration rpConfig;
    private final SSLService sslService;
    private AtomicReference<IDTokenValidator> idTokenValidator = new AtomicReference<>();
    private final CloseableHttpAsyncClient httpClient = createHttpClient();
    private final ResourceWatcherService watcherService;
    private static final Logger LOGGER;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator$FileListener.class */
    public static class FileListener implements FileChangesListener {
        private final Logger logger;
        private final CheckedRunnable<Exception> onChange;

        private FileListener(Logger logger, CheckedRunnable<Exception> checkedRunnable) {
            this.logger = logger;
            this.onChange = checkedRunnable;
        }

        public void onFileCreated(Path path) {
            onFileChanged(path);
        }

        public void onFileDeleted(Path path) {
            onFileChanged(path);
        }

        public void onFileChanged(Path path) {
            try {
                this.onChange.run();
            } catch (Exception e) {
                this.logger.warn(() -> {
                    return Strings.format("An error occurred while reloading file %s", new Object[]{path});
                }, e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticator$ReloadableJWKSource.class */
    public class ReloadableJWKSource<C extends SecurityContext> implements JWKSource<C> {
        private volatile JWKSet cachedJwkSet = new JWKSet();
        private final AtomicReference<ListenableFuture<Void>> reloadFutureRef = new AtomicReference<>();
        private final URL jwkSetPath;

        private ReloadableJWKSource(URL url) {
            this.jwkSetPath = url;
            triggerReload(ActionListener.wrap(r3 -> {
                OpenIdConnectAuthenticator.LOGGER.trace("Successfully loaded and cached remote JWKSet on startup");
            }, exc -> {
                OpenIdConnectAuthenticator.LOGGER.trace("Failed to load and cache remote JWKSet on startup", exc);
            }));
        }

        public List<JWK> get(JWKSelector jWKSelector, C c) {
            return jWKSelector.select(this.cachedJwkSet);
        }

        void triggerReload(ActionListener<Void> actionListener) {
            ListenableFuture<Void> listenableFuture = this.reloadFutureRef.get();
            while (listenableFuture == null) {
                listenableFuture = new ListenableFuture<>();
                if (this.reloadFutureRef.compareAndSet(null, listenableFuture)) {
                    reloadAsync(listenableFuture);
                } else {
                    listenableFuture = this.reloadFutureRef.get();
                }
            }
            listenableFuture.addListener(actionListener);
        }

        void reloadAsync(ListenableFuture<Void> listenableFuture) {
            try {
                HttpGet httpGet = new HttpGet(this.jwkSetPath.toURI());
                AccessController.doPrivileged(() -> {
                    OpenIdConnectAuthenticator.this.httpClient.execute(httpGet, new FutureCallback<HttpResponse>() { // from class: org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.ReloadableJWKSource.1
                        public void completed(HttpResponse httpResponse) {
                            try {
                                ReloadableJWKSource.this.cachedJwkSet = JWKSet.parse(IOUtils.readInputStreamToString(httpResponse.getEntity().getContent(), StandardCharsets.UTF_8));
                                ReloadableJWKSource.this.reloadFutureRef.set(null);
                                OpenIdConnectAuthenticator.LOGGER.trace("Successfully refreshed and cached remote JWKSet");
                                listenableFuture.onResponse((Object) null);
                            } catch (Exception e) {
                                failed(e);
                            }
                        }

                        public void failed(Exception exc) {
                            listenableFuture.onFailure(new ElasticsearchSecurityException("Failed to retrieve remote JWK set.", exc, new Object[0]));
                            ReloadableJWKSource.this.reloadFutureRef.set(null);
                        }

                        public void cancelled() {
                            listenableFuture.onFailure(new ElasticsearchSecurityException("Failed to retrieve remote JWK set. Request was cancelled.", new Object[0]));
                            ReloadableJWKSource.this.reloadFutureRef.set(null);
                        }
                    });
                    return null;
                });
            } catch (Exception e) {
                listenableFuture.onFailure(e);
                this.reloadFutureRef.set(null);
            }
        }
    }

    public OpenIdConnectAuthenticator(RealmConfig realmConfig, OpenIdConnectProviderConfiguration openIdConnectProviderConfiguration, RelyingPartyConfiguration relyingPartyConfiguration, SSLService sSLService, ResourceWatcherService resourceWatcherService) {
        this.realmConfig = realmConfig;
        this.opConfig = openIdConnectProviderConfiguration;
        this.rpConfig = relyingPartyConfiguration;
        this.sslService = sSLService;
        this.watcherService = resourceWatcherService;
        this.idTokenValidator.set(createIdTokenValidator(true));
    }

    OpenIdConnectAuthenticator(RealmConfig realmConfig, OpenIdConnectProviderConfiguration openIdConnectProviderConfiguration, RelyingPartyConfiguration relyingPartyConfiguration, SSLService sSLService, IDTokenValidator iDTokenValidator, ResourceWatcherService resourceWatcherService) {
        this.realmConfig = realmConfig;
        this.opConfig = openIdConnectProviderConfiguration;
        this.rpConfig = relyingPartyConfiguration;
        this.sslService = sSLService;
        this.idTokenValidator.set(iDTokenValidator);
        this.watcherService = resourceWatcherService;
    }

    public void authenticate(OpenIdConnectToken openIdConnectToken, ActionListener<JWTClaimsSet> actionListener) {
        try {
            AuthenticationErrorResponse parse = AuthenticationResponseParser.parse(new URI(openIdConnectToken.getRedirectUrl()));
            Nonce nonce = openIdConnectToken.getNonce();
            State state = openIdConnectToken.getState();
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("OpenID Connect Provider redirected user to [{}]. Expected Nonce is [{}] and expected State is [{}]", openIdConnectToken.getRedirectUrl(), nonce, state);
            }
            if (parse instanceof AuthenticationErrorResponse) {
                ErrorObject errorObject = parse.getErrorObject();
                actionListener.onFailure(new ElasticsearchSecurityException("OpenID Connect Provider response indicates authentication failureCode=[{}], Description=[{}]", new Object[]{errorObject.getCode(), errorObject.getDescription()}));
                return;
            }
            AuthenticationSuccessResponse successResponse = parse.toSuccessResponse();
            validateState(state, successResponse.getState());
            validateResponseType(successResponse);
            if (this.rpConfig.getResponseType().impliesCodeFlow()) {
                AuthorizationCode authorizationCode = successResponse.getAuthorizationCode();
                CheckedConsumer checkedConsumer = tuple -> {
                    AccessToken accessToken = (AccessToken) tuple.v1();
                    JWT jwt = (JWT) tuple.v2();
                    validateAccessToken(accessToken, jwt);
                    getUserClaims(accessToken, jwt, nonce, true, actionListener);
                };
                Objects.requireNonNull(actionListener);
                exchangeCodeForToken(authorizationCode, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
            } else {
                JWT iDToken = successResponse.getIDToken();
                AccessToken accessToken = successResponse.getAccessToken();
                validateAccessToken(accessToken, iDToken);
                getUserClaims(accessToken, iDToken, nonce, true, actionListener);
            }
        } catch (ElasticsearchSecurityException e) {
            actionListener.onFailure(e);
        } catch (Exception e2) {
            actionListener.onFailure(new ElasticsearchSecurityException("Failed to consume the OpenID connect response. ", e2, new Object[0]));
        }
    }

    void getUserClaims(@Nullable AccessToken accessToken, JWT jwt, Nonce nonce, boolean z, ActionListener<JWTClaimsSet> actionListener) {
        try {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("ID Token Header: {}", jwt.getHeader());
            }
            JWTClaimsSet jWTClaimsSet = this.idTokenValidator.get().validate(jwt, nonce).toJWTClaimsSet();
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Received and validated the Id Token for the user: [{}]", jWTClaimsSet);
            }
            Map jSONObject = jWTClaimsSet.toJSONObject();
            mergeObjects((Map<String, Object>) jSONObject, (Map<String, Object>) new JWTClaimsSet.Builder().claim("id_token_hint", jwt.serialize()).build().toJSONObject());
            JWTClaimsSet parse = JWTClaimsSet.parse(jSONObject);
            if (accessToken == null || this.opConfig.getUserinfoEndpoint() == null) {
                if (accessToken == null && this.opConfig.getUserinfoEndpoint() != null) {
                    LOGGER.debug("UserInfo endpoint is configured but the OP didn't return an access token so we can't query it");
                } else if (accessToken != null && this.opConfig.getUserinfoEndpoint() == null) {
                    LOGGER.debug("OP returned an access token but the UserInfo endpoint is not configured.");
                }
                actionListener.onResponse(parse);
            } else {
                getAndCombineUserInfoClaims(accessToken, parse, actionListener);
            }
        } catch (BadJOSEException e) {
            if (z && !JWSAlgorithm.Family.HMAC_SHA.contains(this.rpConfig.getSignatureAlgorithm()) && this.opConfig.getJwkSetPath().startsWith("https://")) {
                ((ReloadableJWKSource) this.idTokenValidator.get().getJWSKeySelector().getJWKSource()).triggerReload(ActionListener.wrap(obj -> {
                    getUserClaims(accessToken, jwt, nonce, false, actionListener);
                }, exc -> {
                    LOGGER.trace("Attempted and failed to refresh JWK cache upon token validation failure", e);
                    actionListener.onFailure(exc);
                }));
            } else {
                actionListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e, new Object[0]));
            }
        } catch (ParseException | java.text.ParseException | JOSEException e2) {
            LOGGER.debug("ID Token: [{}], Nonce: [{}]", jwt.getParsedString(), nonce);
            actionListener.onFailure(new ElasticsearchSecurityException("Failed to parse or validate the ID Token", e2, new Object[0]));
        }
    }

    private void validateAccessToken(AccessToken accessToken, JWT jwt) {
        try {
            if (this.rpConfig.getResponseType().equals(ResponseType.parse("id_token token")) || this.rpConfig.getResponseType().equals(ResponseType.parse("code"))) {
                if (!$assertionsDisabled && accessToken == null) {
                    throw new AssertionError("Access Token cannot be null for Response Type " + this.rpConfig.getResponseType().toString());
                }
                boolean equals = this.rpConfig.getResponseType().equals(ResponseType.parse("code"));
                if (!accessToken.getType().toString().equals(JwtRealm.HEADER_END_USER_AUTHENTICATION_SCHEME)) {
                    throw new ElasticsearchSecurityException("Invalid access token type [{}], while [Bearer] was expected", new Object[]{accessToken.getType()});
                }
                String stringClaim = jwt.getJWTClaimsSet().getStringClaim("at_hash");
                if (org.elasticsearch.common.Strings.hasText(stringClaim)) {
                    AccessTokenValidator.validate(accessToken, JWSAlgorithm.parse(jwt.getHeader().getAlgorithm().getName()), new AccessTokenHash(stringClaim));
                } else if (!equals) {
                    throw new ElasticsearchSecurityException("Failed to verify access token. ID Token doesn't contain at_hash claim ", new Object[0]);
                }
            } else if (this.rpConfig.getResponseType().equals(ResponseType.parse("id_token")) && accessToken != null) {
                LOGGER.warn("Access Token incorrectly returned from the OpenId Connect Provider while using \"id_token\" response type.");
            }
        } catch (Exception e) {
            throw new ElasticsearchSecurityException("Failed to verify access token.", e, new Object[0]);
        }
    }

    private JWKSet readJwkSetFromFile(String str) throws IOException, java.text.ParseException {
        return JWKSet.parse(Files.readString(this.realmConfig.env().configFile().resolve(str), StandardCharsets.UTF_8));
    }

    private void validateResponseType(AuthenticationSuccessResponse authenticationSuccessResponse) {
        if (!this.rpConfig.getResponseType().equals(authenticationSuccessResponse.impliedResponseType())) {
            throw new ElasticsearchSecurityException("Unexpected response type [{}], while [{}] is configured", new Object[]{authenticationSuccessResponse.impliedResponseType(), this.rpConfig.getResponseType()});
        }
    }

    private void validateState(State state, State state2) {
        if (null == state2) {
            throw new ElasticsearchSecurityException("Failed to validate the response, the response did not contain a state parameter", new Object[0]);
        }
        if (null == state) {
            throw new ElasticsearchSecurityException("Failed to validate the response, the user's session did not contain a state parameter", new Object[0]);
        }
        if (!state2.equals(state)) {
            throw new ElasticsearchSecurityException("Invalid state parameter [{}], while [{}] was expected", new Object[]{state2, state});
        }
    }

    private void getAndCombineUserInfoClaims(AccessToken accessToken, JWTClaimsSet jWTClaimsSet, ActionListener<JWTClaimsSet> actionListener) {
        try {
            HttpGet httpGet = new HttpGet(this.opConfig.getUserinfoEndpoint());
            httpGet.setHeader("Authorization", "Bearer " + accessToken.getValue());
            AccessController.doPrivileged(() -> {
                this.httpClient.execute(httpGet, new FutureCallback<HttpResponse>() { // from class: org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.1
                    public void completed(HttpResponse httpResponse) {
                        OpenIdConnectAuthenticator.this.handleUserinfoResponse(httpResponse, jWTClaimsSet, actionListener);
                    }

                    public void failed(Exception exc) {
                        actionListener.onFailure(new ElasticsearchSecurityException("Failed to get claims from the Userinfo Endpoint.", exc, new Object[0]));
                    }

                    public void cancelled() {
                        actionListener.onFailure(new ElasticsearchSecurityException("Failed to get claims from the Userinfo Endpoint. Request was cancelled", new Object[0]));
                    }
                });
                return null;
            });
        } catch (Exception e) {
            actionListener.onFailure(new ElasticsearchSecurityException("Failed to get user information from the UserInfo endpoint.", e, new Object[0]));
        }
    }

    void handleUserinfoResponse(HttpResponse httpResponse, JWTClaimsSet jWTClaimsSet, ActionListener<JWTClaimsSet> actionListener) {
        try {
            HttpEntity entity = httpResponse.getEntity();
            Header contentEncoding = entity.getContentEncoding();
            Charset charset = contentEncoding == null ? StandardCharsets.UTF_8 : Charsets.toCharset(contentEncoding.getValue());
            Header contentType = entity.getContentType();
            String entityUtils = EntityUtils.toString(entity, charset);
            if (LOGGER.isTraceEnabled()) {
                LOGGER.trace("Received UserInfo Response from OP with status [{}] and content [{}] ", Integer.valueOf(httpResponse.getStatusLine().getStatusCode()), entityUtils);
            }
            if (httpResponse.getStatusLine().getStatusCode() != 200) {
                Header firstHeader = httpResponse.getFirstHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE);
                if (firstHeader == null || !org.elasticsearch.common.Strings.hasText(firstHeader.getValue())) {
                    actionListener.onFailure(new ElasticsearchSecurityException("Failed to get user information from the UserInfo endpoint. Code=[{}], Description=[{}]", new Object[]{Integer.valueOf(httpResponse.getStatusLine().getStatusCode()), httpResponse.getStatusLine().getReasonPhrase()}));
                } else {
                    BearerTokenError parse = BearerTokenError.parse(firstHeader.getValue());
                    actionListener.onFailure(new ElasticsearchSecurityException("Failed to get user information from the UserInfo endpoint. Code=[{}], Description=[{}]", new Object[]{parse.getCode(), parse.getDescription()}));
                }
            } else if (ContentType.parse(contentType.getValue()).getMimeType().equals("application/json")) {
                JWTClaimsSet parse2 = JWTClaimsSet.parse(entityUtils);
                validateUserInfoResponse(parse2, jWTClaimsSet.getSubject(), actionListener);
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Successfully retrieved user information: [{}]", parse2);
                }
                Map jSONObject = jWTClaimsSet.toJSONObject();
                mergeObjects((Map<String, Object>) jSONObject, (Map<String, Object>) parse2.toJSONObject());
                actionListener.onResponse(JWTClaimsSet.parse(jSONObject));
            } else if (ContentType.parse(contentType.getValue()).getMimeType().equals("application/jwt")) {
                actionListener.onFailure(new IllegalStateException("Unable to parse Userinfo Response. Signed/encrypted JWTs arenot currently supported"));
            } else {
                actionListener.onFailure(new IllegalStateException("Unable to parse Userinfo Response. Content type was expected to be [application/json] or [appliation/jwt] but was [" + contentType.getValue() + "]"));
            }
        } catch (Exception e) {
            actionListener.onFailure(new ElasticsearchSecurityException("Failed to get user information from the UserInfo endpoint.", e, new Object[0]));
        }
    }

    private void validateUserInfoResponse(JWTClaimsSet jWTClaimsSet, String str, ActionListener<JWTClaimsSet> actionListener) {
        if (jWTClaimsSet.getSubject().isEmpty()) {
            actionListener.onFailure(new ElasticsearchSecurityException("Userinfo Response did not contain a sub Claim", new Object[0]));
        } else {
            if (jWTClaimsSet.getSubject().equals(str)) {
                return;
            }
            actionListener.onFailure(new ElasticsearchSecurityException("Userinfo Response is not valid as it is for subject [{}] while the ID Token was for subject [{}]", new Object[]{jWTClaimsSet.getSubject(), str}));
        }
    }

    private void exchangeCodeForToken(AuthorizationCode authorizationCode, ActionListener<Tuple<AccessToken, JWT>> actionListener) {
        try {
            AuthorizationCodeGrant authorizationCodeGrant = new AuthorizationCodeGrant(authorizationCode, this.rpConfig.getRedirectUri());
            HttpPost httpPost = new HttpPost(this.opConfig.getTokenEndpoint());
            httpPost.setHeader("Content-type", "application/x-www-form-urlencoded");
            ArrayList arrayList = new ArrayList();
            for (Map.Entry entry : authorizationCodeGrant.toParameters().entrySet()) {
                arrayList.add(new BasicNameValuePair((String) entry.getKey(), (String) ((List) entry.getValue()).get(0)));
            }
            if (this.rpConfig.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
                httpPost.addHeader(new BasicScheme().authenticate(new UsernamePasswordCredentials(URLEncoder.encode(this.rpConfig.getClientId().getValue(), StandardCharsets.UTF_8), URLEncoder.encode(this.rpConfig.getClientSecret().toString(), StandardCharsets.UTF_8)), httpPost, (HttpContext) null));
            } else if (this.rpConfig.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
                arrayList.add(new BasicNameValuePair("client_id", this.rpConfig.getClientId().getValue()));
                arrayList.add(new BasicNameValuePair("client_secret", this.rpConfig.getClientSecret().toString()));
            } else if (this.rpConfig.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
                for (Map.Entry entry2 : new ClientSecretJWT(this.rpConfig.getClientId(), this.opConfig.getTokenEndpoint(), this.rpConfig.getClientAuthenticationJwtAlgorithm(), new Secret(this.rpConfig.getClientSecret().toString())).toParameters().entrySet()) {
                    arrayList.add(new BasicNameValuePair((String) entry2.getKey(), (String) ((List) entry2.getValue()).get(0)));
                }
            } else {
                actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token using Token Endpoint.Expected client authentication method to be one of " + OpenIdConnectRealmSettings.CLIENT_AUTH_METHODS + " but was [" + this.rpConfig.getClientAuthenticationMethod() + "]", new Object[0]));
            }
            httpPost.setEntity(new UrlEncodedFormEntity(arrayList, (Charset) null));
            SpecialPermission.check();
            AccessController.doPrivileged(() -> {
                this.httpClient.execute(httpPost, new FutureCallback<HttpResponse>() { // from class: org.elasticsearch.xpack.security.authc.oidc.OpenIdConnectAuthenticator.2
                    public void completed(HttpResponse httpResponse) {
                        OpenIdConnectAuthenticator.this.handleTokenResponse(httpResponse, actionListener);
                    }

                    public void failed(Exception exc) {
                        actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token using the Token Endpoint.", exc, new Object[0]));
                    }

                    public void cancelled() {
                        actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token using the Token Endpoint. Request was cancelled", new Object[0]));
                    }
                });
                return null;
            });
        } catch (AuthenticationException | JOSEException e) {
            actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token using the Token Endpoint.", e, new Object[0]));
        }
    }

    private void handleTokenResponse(HttpResponse httpResponse, ActionListener<Tuple<AccessToken, JWT>> actionListener) {
        try {
            HttpEntity entity = httpResponse.getEntity();
            Header contentEncoding = entity.getContentEncoding();
            Header contentType = entity.getContentType();
            if (!ContentType.parse(contentType.getValue()).getMimeType().equals("application/json")) {
                actionListener.onFailure(new IllegalStateException("Unable to parse Token Response. Content type was expected to be [application/json] but was [" + contentType.getValue() + "]"));
                return;
            }
            Charset charset = contentEncoding == null ? StandardCharsets.UTF_8 : Charsets.toCharset(contentEncoding.getValue());
            RestStatus fromCode = RestStatus.fromCode(httpResponse.getStatusLine().getStatusCode());
            if (RestStatus.OK != fromCode) {
                String entityUtils = EntityUtils.toString(entity, charset);
                LOGGER.warn("Received Token Response from OP with status [{}] and content [{}]", fromCode, entityUtils);
                if (RestStatus.BAD_REQUEST == fromCode) {
                    TokenErrorResponse parse = TokenErrorResponse.parse(JSONObjectUtils.parse(entityUtils));
                    actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token. Code=[{}], Description=[{}]", new Object[]{parse.getErrorObject().getCode(), parse.getErrorObject().getDescription()}));
                } else {
                    actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token", new Object[0]));
                }
            } else {
                OIDCTokens oIDCTokens = OIDCTokenResponse.parse(JSONObjectUtils.parse(EntityUtils.toString(entity, charset))).getOIDCTokens();
                AccessToken accessToken = oIDCTokens.getAccessToken();
                JWT iDToken = oIDCTokens.getIDToken();
                if (LOGGER.isTraceEnabled()) {
                    LOGGER.trace("Successfully exchanged code for ID Token [{}] and Access Token [{}]", iDToken, truncateToken(accessToken.toString()));
                }
                if (iDToken == null) {
                    actionListener.onFailure(new ElasticsearchSecurityException("Token Response did not contain an ID Token or parsing of the JWT failed.", new Object[0]));
                    return;
                }
                actionListener.onResponse(new Tuple(accessToken, iDToken));
            }
        } catch (Exception e) {
            actionListener.onFailure(new ElasticsearchSecurityException("Failed to exchange code for Id Token using the Token Endpoint. Unable to parse Token Response", e, new Object[0]));
        }
    }

    private static String truncateToken(String str) {
        return (!org.elasticsearch.common.Strings.hasText(str) || str.length() <= 4) ? str : str.substring(0, 2) + "***" + str.substring(str.length() - 2);
    }

    private CloseableHttpAsyncClient createHttpClient() {
        try {
            SpecialPermission.check();
            return (CloseableHttpAsyncClient) AccessController.doPrivileged(() -> {
                DefaultConnectingIOReactor defaultConnectingIOReactor = new DefaultConnectingIOReactor(IOReactorConfig.custom().setSoKeepAlive(((Boolean) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_TCP_KEEP_ALIVE)).booleanValue()).build());
                SslConfiguration sSLConfiguration = this.sslService.getSSLConfiguration(RealmSettings.realmSslPrefix(this.realmConfig.identifier()));
                PoolingNHttpClientConnectionManager poolingNHttpClientConnectionManager = new PoolingNHttpClientConnectionManager(defaultConnectingIOReactor, RegistryBuilder.create().register("http", NoopIOSessionStrategy.INSTANCE).register("https", new SSLIOSessionStrategy(this.sslService.sslContext(sSLConfiguration), SSLService.getHostnameVerifier(sSLConfiguration))).build());
                poolingNHttpClientConnectionManager.setDefaultMaxPerRoute(((Integer) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_MAX_ENDPOINT_CONNECTIONS)).intValue());
                poolingNHttpClientConnectionManager.setMaxTotal(((Integer) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_MAX_CONNECTIONS)).intValue());
                HttpAsyncClientBuilder keepAliveStrategy = HttpAsyncClients.custom().setConnectionManager(poolingNHttpClientConnectionManager).setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(Math.toIntExact(((TimeValue) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_CONNECT_TIMEOUT)).getMillis())).setConnectionRequestTimeout(Math.toIntExact(((TimeValue) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_CONNECTION_READ_TIMEOUT)).getSeconds())).setSocketTimeout(Math.toIntExact(((TimeValue) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_SOCKET_TIMEOUT)).getMillis())).build()).setKeepAliveStrategy(getKeepAliveStrategy());
                if (this.realmConfig.hasSetting(OpenIdConnectRealmSettings.HTTP_PROXY_HOST)) {
                    keepAliveStrategy.setProxy(new HttpHost((String) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_PROXY_HOST), ((Integer) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_PROXY_PORT)).intValue(), (String) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_PROXY_SCHEME)));
                }
                CloseableHttpAsyncClient build = keepAliveStrategy.build();
                build.start();
                return build;
            });
        } catch (PrivilegedActionException e) {
            throw new IllegalStateException("Unable to create a HttpAsyncClient instance", e);
        }
    }

    CloseableHttpAsyncClient getHttpClient() {
        return this.httpClient;
    }

    ConnectionKeepAliveStrategy getKeepAliveStrategy() {
        long millis = ((TimeValue) this.realmConfig.getSetting(OpenIdConnectRealmSettings.HTTP_CONNECTION_POOL_TTL)).millis();
        return (httpResponse, httpContext) -> {
            long keepAliveDuration = DefaultConnectionKeepAliveStrategy.INSTANCE.getKeepAliveDuration(httpResponse, httpContext);
            long min = keepAliveDuration <= -1 ? millis : millis <= -1 ? keepAliveDuration : Math.min(keepAliveDuration, millis);
            if (min < -1) {
                min = -1;
            }
            LOGGER.debug("effective HTTP connection keep-alive: [{}]ms", Long.valueOf(min));
            return min;
        };
    }

    IDTokenValidator createIdTokenValidator(boolean z) {
        IDTokenValidator iDTokenValidator;
        try {
            JWSAlgorithm signatureAlgorithm = this.rpConfig.getSignatureAlgorithm();
            int intExact = Math.toIntExact(((TimeValue) this.realmConfig.getSetting(OpenIdConnectRealmSettings.ALLOWED_CLOCK_SKEW)).getMillis());
            if (JWSAlgorithm.Family.HMAC_SHA.contains(signatureAlgorithm)) {
                iDTokenValidator = new IDTokenValidator(this.opConfig.getIssuer(), this.rpConfig.getClientId(), signatureAlgorithm, new Secret(this.rpConfig.getClientSecret().toString()));
            } else {
                String jwkSetPath = this.opConfig.getJwkSetPath();
                if (jwkSetPath.startsWith("http://")) {
                    throw new IllegalArgumentException("The [http] protocol is not supported as it is insecure. Use [https] instead");
                }
                if (jwkSetPath.startsWith("https://")) {
                    iDTokenValidator = new IDTokenValidator(this.opConfig.getIssuer(), this.rpConfig.getClientId(), new JWSVerificationKeySelector(signatureAlgorithm, new ReloadableJWKSource(new URL(jwkSetPath))), (JWEKeySelector) null);
                } else {
                    if (z) {
                        setMetadataFileWatcher(jwkSetPath);
                    }
                    iDTokenValidator = new IDTokenValidator(this.opConfig.getIssuer(), this.rpConfig.getClientId(), signatureAlgorithm, readJwkSetFromFile(jwkSetPath));
                }
            }
            iDTokenValidator.setMaxClockSkew(intExact);
            return iDTokenValidator;
        } catch (IOException | java.text.ParseException e) {
            throw new IllegalStateException("Unable to create a IDTokenValidator instance", e);
        }
    }

    private void setMetadataFileWatcher(String str) throws IOException {
        FileWatcher fileWatcher = new FileWatcher(this.realmConfig.env().configFile().resolve(str));
        fileWatcher.addListener(new FileListener(LOGGER, () -> {
            this.idTokenValidator.set(createIdTokenValidator(false));
        }));
        this.watcherService.add(fileWatcher, ResourceWatcherService.Frequency.MEDIUM);
    }

    static Map<String, Object> mergeObjects(Map<String, Object> map, Map<String, Object> map2) {
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            Object value = entry.getValue();
            Object obj = map2.get(entry.getKey());
            if (obj != null) {
                if (value instanceof JSONArray) {
                    map.put(entry.getKey(), mergeArrays((JSONArray) value, obj));
                } else if (value instanceof Map) {
                    map.put(entry.getKey(), mergeObjects((Map<String, Object>) value, obj));
                } else if (value.getClass().equals(obj.getClass())) {
                    continue;
                } else if ((value instanceof Boolean) && (obj instanceof String) && String.valueOf(value).equals(obj)) {
                    map.put(entry.getKey(), value);
                } else {
                    if (!(obj instanceof Boolean) || !(value instanceof String) || !String.valueOf(obj).equals(value)) {
                        throw new IllegalStateException("Error merging ID token and userinfo claim value for claim [" + entry.getKey() + "]. Cannot merge [" + value.getClass().getName() + "] with [" + obj.getClass().getName() + "]");
                    }
                    map.put(entry.getKey(), obj);
                }
            }
        }
        for (Map.Entry<String, Object> entry2 : map2.entrySet()) {
            if (!map.containsKey(entry2.getKey())) {
                map.put(entry2.getKey(), entry2.getValue());
            }
        }
        return map;
    }

    private static Map<String, Object> mergeObjects(Map<String, Object> map, Object obj) {
        if (obj == null) {
            return map;
        }
        if (obj instanceof Map) {
            return mergeObjects(map, (Map<String, Object>) obj);
        }
        throw new IllegalStateException("Error while merging ID token and userinfo claims. Cannot merge a Map with a [" + obj.getClass().getName() + "]");
    }

    private static JSONArray mergeArrays(JSONArray jSONArray, Object obj) {
        if (obj == null) {
            return jSONArray;
        }
        if (obj instanceof JSONArray) {
            return mergeArrays(jSONArray, (JSONArray) obj);
        }
        if (obj instanceof String) {
            jSONArray.add(obj);
        }
        return jSONArray;
    }

    private static JSONArray mergeArrays(JSONArray jSONArray, JSONArray jSONArray2) {
        jSONArray.addAll(jSONArray2);
        return jSONArray;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void close() {
        try {
            this.httpClient.close();
        } catch (IOException e) {
            LOGGER.debug("Unable to close the HttpAsyncClient", e);
        }
    }

    static {
        $assertionsDisabled = !OpenIdConnectAuthenticator.class.desiredAssertionStatus();
        LOGGER = LogManager.getLogger(OpenIdConnectAuthenticator.class);
    }
}
