package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.time.Clock;
import java.util.Iterator;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.jwt.JwtDateClaimValidator;
import org.elasticsearch.xpack.security.authc.jwt.JwtSignatureValidator;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.class */
/**
 * Authenticates a JWT for a single realm: parses the token, runs the realm's header and claim
 * validators, and finally delegates to the signature validator.
 *
 * <p>The claim set is handed to the caller's listener only through the signature validator's
 * success path, so a token that fails any check is reported via {@code onFailure}.
 */
public class JwtAuthenticator implements Releasable {
    private static final Logger logger = LogManager.getLogger(JwtAuthenticator.class);

    private final RealmConfig realmConfig;
    private final List<JwtFieldValidator> jwtFieldValidators;
    private final JwtSignatureValidator jwtSignatureValidator;

    /**
     * Builds the fixed validator chain from the realm settings.
     *
     * @param realmConfig source of the allowed issuer, audiences, signature algorithms and clock skew
     * @param sSLService passed through to the delegating signature validator
     * @param pkcJwkSetReloadNotifier passed through to the delegating signature validator
     */
    public JwtAuthenticator(RealmConfig realmConfig, SSLService sSLService, JwtSignatureValidator.PkcJwkSetReloadNotifier pkcJwkSetReloadNotifier) {
        this.realmConfig = realmConfig;

        final TimeValue allowedClockSkew = (TimeValue) realmConfig.getSetting(JwtRealmSettings.ALLOWED_CLOCK_SKEW);
        final String allowedIssuer = (String) realmConfig.getSetting(JwtRealmSettings.ALLOWED_ISSUER);
        final List<String> allowedAudiences = (List<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_AUDIENCES);
        final List<String> allowedAlgorithms = (List<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS);
        // Every date check shares one UTC clock and the same skew tolerance.
        final Clock clock = Clock.systemUTC();

        // Order matters only for which failure is reported first: authenticate() stops at the first
        // validator that throws.
        // NOTE(review): the trailing boolean on the date validators presumably marks the claim as
        // optional (true for nbf and auth_time, false for iat and exp) - confirm against
        // JwtDateClaimValidator. The boolean on the string validators (true for iss, false for aud)
        // is not explained by this file.
        this.jwtFieldValidators = List.of(
            JwtTypeValidator.INSTANCE,
            new JwtStringClaimValidator("iss", List.of(allowedIssuer), true),
            new JwtStringClaimValidator("aud", allowedAudiences, false),
            new JwtAlgorithmValidator(allowedAlgorithms),
            new JwtDateClaimValidator(clock, "iat", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, false),
            new JwtDateClaimValidator(clock, "exp", allowedClockSkew, JwtDateClaimValidator.Relationship.AFTER_NOW, false),
            new JwtDateClaimValidator(clock, "nbf", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, true),
            new JwtDateClaimValidator(clock, "auth_time", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, true)
        );
        this.jwtSignatureValidator = new JwtSignatureValidator.DelegatingJwtSignatureValidator(realmConfig, sSLService, pkcJwkSetReloadNotifier);
    }

    /**
     * Parses and validates the end-user JWT carried by the token.
     *
     * <p>Parse errors and validator exceptions are routed to {@code actionListener.onFailure};
     * the parsed claim set is delivered only when the signature validator completes successfully.
     *
     * @param jwtAuthenticationToken token holding the serialized signed JWT and its principal
     * @param actionListener receives the claim set on success or the first failure encountered
     */
    public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener<JWTClaimsSet> actionListener) {
        final String tokenPrincipal = jwtAuthenticationToken.principal();

        final SignedJWT signedJwt;
        final JWTClaimsSet claimsSet;
        try {
            signedJwt = SignedJWT.parse(jwtAuthenticationToken.getEndUserSignedJwt().toString());
            claimsSet = signedJwt.getJWTClaimsSet();
        } catch (ParseException e) {
            actionListener.onFailure(e);
            return;
        }

        final JWSHeader jwsHeader = signedJwt.getHeader();
        if (logger.isDebugEnabled()) {
            // The header and claims logged here have not been validated yet (no claim or signature
            // check has run), so treat them as untrusted input when reading logs; the full claim
            // set may also contain personal data.
            logger.debug("Realm [{}] successfully parsed JWT token [{}] with header [{}] and claimSet [{}]", this.realmConfig.name(), tokenPrincipal, jwsHeader, claimsSet);
        }

        // Header and claim checks run before the signature check; the first failure ends the attempt.
        for (JwtFieldValidator fieldValidator : this.jwtFieldValidators) {
            try {
                fieldValidator.validate(jwsHeader, claimsSet);
            } catch (Exception e) {
                actionListener.onFailure(e);
                return;
            }
        }

        try {
            // The signature validator's own result is discarded; success is translated into the
            // claim set that was parsed above.
            this.jwtSignatureValidator.validate(tokenPrincipal, signedJwt, actionListener.map(ignored -> claimsSet));
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    /** Releases the signature validator. */
    @Override
    public void close() {
        this.jwtSignatureValidator.close();
    }

    /**
     * Returns the signature validator as its delegating implementation, which is the only type the
     * constructor ever assigns.
     */
    JwtSignatureValidator.DelegatingJwtSignatureValidator getJwtSignatureValidator() {
        assert this.jwtSignatureValidator instanceof JwtSignatureValidator.DelegatingJwtSignatureValidator;
        return (JwtSignatureValidator.DelegatingJwtSignatureValidator) this.jwtSignatureValidator;
    }
}
