package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.time.Clock;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.jwt.JwtDateClaimValidator;
import org.elasticsearch.xpack.security.authc.jwt.JwtSignatureValidator;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtAuthenticator.class */
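/**
 * Authenticates an already-parsed JWT for one JWT realm.
 *
 * <p>Authentication is a two-stage pipeline: a fixed list of {@link JwtFieldValidator}s checks the
 * token header and claim set, and only when all of those pass is the signature checked by the
 * realm's {@link JwtSignatureValidator}. The validator list is built once in the constructor from
 * the realm settings and depends on the realm's token type ({@link JwtRealmSettings.TokenType}):
 * ID tokens and access tokens get different claim checks, and access tokens may read the subject
 * and audience from realm-configured fallback claim names.
 *
 * <p>Instances hold a signature validator that must be released via {@link #close()}.
 */
public class JwtAuthenticator implements Releasable {
    private static final Logger logger = LogManager.getLogger(JwtAuthenticator.class);

    private final RealmConfig realmConfig;
    /** Header/claim validators, applied in order; the first failure aborts authentication. */
    private final List<JwtFieldValidator> jwtFieldValidators;
    private final JwtSignatureValidator jwtSignatureValidator;
    private final JwtRealmSettings.TokenType tokenType;
    /** Alternate claim names for {@code sub}/{@code aud} (access tokens only; empty for ID tokens). */
    private final Map<String, String> fallbackClaimNames;

    /**
     * Builds the validator pipeline for the given realm.
     *
     * @param realmConfig              the realm's configuration; read for token type, allowed
     *                                 issuer/subjects/audiences/algorithms, clock skew and required claims
     * @param sSLService               passed through to the signature validator
     * @param pkcJwkSetReloadNotifier  passed through to the signature validator
     */
    public JwtAuthenticator(RealmConfig realmConfig, SSLService sSLService, JwtSignatureValidator.PkcJwkSetReloadNotifier pkcJwkSetReloadNotifier) {
        this.realmConfig = realmConfig;
        this.tokenType = (JwtRealmSettings.TokenType) realmConfig.getSetting(JwtRealmSettings.TOKEN_TYPE);
        final List<JwtFieldValidator> validators = new ArrayList<>();
        if (this.tokenType == JwtRealmSettings.TokenType.ID_TOKEN) {
            // ID tokens are validated against the standard claim names only; no fallbacks apply.
            this.fallbackClaimNames = Map.of();
            validators.addAll(configureFieldValidatorsForIdToken(realmConfig));
        } else {
            // Access tokens may carry subject/audience under realm-configured claim names.
            // Note: Map.entry rejects null values, so a missing fallback setting fails construction here.
            this.fallbackClaimNames = Map.ofEntries(
                Map.entry("sub", (String) realmConfig.getSetting(JwtRealmSettings.FALLBACK_SUB_CLAIM)),
                Map.entry("aud", (String) realmConfig.getSetting(JwtRealmSettings.FALLBACK_AUD_CLAIM))
            );
            validators.addAll(configureFieldValidatorsForAccessToken(realmConfig, this.fallbackClaimNames));
        }
        // Realm-specific required claims are enforced for both token types, after the built-in checks.
        validators.addAll(getRequireClaimsValidators());
        this.jwtFieldValidators = List.copyOf(validators);
        this.jwtSignatureValidator = new JwtSignatureValidator.DelegatingJwtSignatureValidator(realmConfig, sSLService, pkcJwkSetReloadNotifier);
    }

    /**
     * Validates the token's header/claims and then its signature, reporting the outcome on the listener.
     *
     * <p>The field validators run first, in order; the first one that throws is reported via
     * {@link ActionListener#onFailure(Exception)} and no signature work is done. Only after every
     * field validator passes is the signature verified; on success the listener receives the
     * token's claim set.
     *
     * @param jwtAuthenticationToken the parsed token (principal, signed JWT and claim set)
     * @param actionListener         completed with the verified claim set, or with the first validation failure
     */
    public void authenticate(JwtAuthenticationToken jwtAuthenticationToken, ActionListener<JWTClaimsSet> actionListener) {
        final String principal = jwtAuthenticationToken.principal();
        final SignedJWT signedJWT = jwtAuthenticationToken.getSignedJWT();
        final JWTClaimsSet claimsSet = jwtAuthenticationToken.getJWTClaimsSet();
        final JWSHeader header = signedJWT.getHeader();
        if (logger.isTraceEnabled()) {
            // Trace level only: this writes the full, not-yet-verified header and claim set to the log.
            logger.trace("Realm [{}] successfully parsed JWT token [{}] with header [{}] and claimSet [{}]", this.realmConfig.name(), principal, header, claimsSet);
        }
        for (JwtFieldValidator validator : this.jwtFieldValidators) {
            try {
                validator.validate(header, claimsSet);
            } catch (Exception e) {
                // Boundary: any validator failure is surfaced to the caller rather than propagated.
                actionListener.onFailure(e);
                return;
            }
        }
        try {
            // The signature validator completes with Void; map it to the claim set the caller wants.
            validateSignature(principal, signedJWT, actionListener.map(ignored -> claimsSet));
        } catch (Exception e) {
            actionListener.onFailure(e);
        }
    }

    /**
     * Verifies the JWT signature via the realm's signature validator (package-private to allow overriding in tests).
     *
     * @param str            the token principal, used by the validator for reporting
     * @param signedJWT      the token whose signature is checked
     * @param actionListener completed on success, or with the verification failure
     */
    void validateSignature(String str, SignedJWT signedJWT, ActionListener<Void> actionListener) {
        this.jwtSignatureValidator.validate(str, signedJWT, actionListener);
    }

    /** Releases the signature validator's resources. */
    @Override
    public void close() {
        this.jwtSignatureValidator.close();
    }

    /** @return the realm's configured token type */
    public JwtRealmSettings.TokenType getTokenType() {
        return this.tokenType;
    }

    /**
     * @return the {@code sub}/{@code aud} fallback claim names for access-token realms, or an empty
     *         map for ID-token realms; the map is immutable so it is safe to hand out directly
     */
    public Map<String, String> getFallbackClaimNames() {
        return this.fallbackClaimNames;
    }

    /**
     * Exposes the concrete signature validator (package-private, for tests).
     *
     * @return the delegating signature validator created in the constructor
     */
    JwtSignatureValidator.DelegatingJwtSignatureValidator getJwtSignatureValidator() {
        assert this.jwtSignatureValidator instanceof JwtSignatureValidator.DelegatingJwtSignatureValidator
            : "expected a DelegatingJwtSignatureValidator but got [" + this.jwtSignatureValidator + "]";
        return (JwtSignatureValidator.DelegatingJwtSignatureValidator) this.jwtSignatureValidator;
    }

    /**
     * Builds the header/claim validators for an ID-token realm: token type, issuer, subject
     * (only when allowed subjects or subject patterns are configured; otherwise any subject is
     * accepted), audience, signature algorithm, and the {@code iat}, {@code exp}, {@code nbf} and
     * {@code auth_time} date claims.
     *
     * @param realmConfig the realm configuration (must be an ID-token realm)
     * @return the validators, in the order they are applied
     */
    private static List<JwtFieldValidator> configureFieldValidatorsForIdToken(RealmConfig realmConfig) {
        assert realmConfig.getSetting(JwtRealmSettings.TOKEN_TYPE) == JwtRealmSettings.TokenType.ID_TOKEN
            : "ID-token validators requested for a realm of another token type";
        final TimeValue allowedClockSkew = (TimeValue) realmConfig.getSetting(JwtRealmSettings.ALLOWED_CLOCK_SKEW);
        final Clock clock = Clock.systemUTC();
        // The boolean after the claim name presumably marks a single-valued claim - confirm against JwtStringClaimValidator.
        final JwtStringClaimValidator issuerValidator = new JwtStringClaimValidator(
            "iss", true, List.of((String) realmConfig.getSetting(JwtRealmSettings.ALLOWED_ISSUER)), List.of()
        );
        // Without an allowed_subjects / allowed_subject_patterns setting, every subject is accepted.
        final JwtStringClaimValidator subjectValidator =
            (realmConfig.hasSetting(JwtRealmSettings.ALLOWED_SUBJECTS) || realmConfig.hasSetting(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS))
                ? getSubjectClaimValidator(realmConfig, null)
                : JwtStringClaimValidator.ALLOW_ALL_SUBJECTS;
        // Trailing boolean on the date validators: false for iat/exp, true for nbf/auth_time -
        // presumably whether the claim may be absent; confirm against JwtDateClaimValidator.
        return List.of(
            JwtTypeValidator.INSTANCE,
            issuerValidator,
            subjectValidator,
            new JwtStringClaimValidator("aud", false, (Collection<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_AUDIENCES), List.of()),
            new JwtAlgorithmValidator((List<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS)),
            new JwtDateClaimValidator(clock, "iat", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, false),
            new JwtDateClaimValidator(clock, "exp", allowedClockSkew, JwtDateClaimValidator.Relationship.AFTER_NOW, false),
            new JwtDateClaimValidator(clock, "nbf", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, true),
            new JwtDateClaimValidator(clock, "auth_time", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, true)
        );
    }

    /**
     * Builds the header/claim validators for an access-token realm: token type, issuer, subject
     * (always enforced - there is no allow-all fallback here), audience, signature algorithm, and
     * the {@code iat} and {@code exp} date claims. Subject and audience may be read from the given
     * fallback claim names.
     *
     * @param realmConfig        the realm configuration (must be an access-token realm)
     * @param fallbackClaimNames alternate claim names for {@code sub} and {@code aud}
     * @return the validators, in the order they are applied
     */
    private static List<JwtFieldValidator> configureFieldValidatorsForAccessToken(RealmConfig realmConfig, Map<String, String> fallbackClaimNames) {
        assert realmConfig.getSetting(JwtRealmSettings.TOKEN_TYPE) == JwtRealmSettings.TokenType.ACCESS_TOKEN
            : "access-token validators requested for a realm of another token type";
        final TimeValue allowedClockSkew = (TimeValue) realmConfig.getSetting(JwtRealmSettings.ALLOWED_CLOCK_SKEW);
        final Clock clock = Clock.systemUTC();
        return List.of(
            JwtTypeValidator.INSTANCE,
            new JwtStringClaimValidator("iss", true, List.of((String) realmConfig.getSetting(JwtRealmSettings.ALLOWED_ISSUER)), List.of()),
            getSubjectClaimValidator(realmConfig, fallbackClaimNames),
            new JwtStringClaimValidator("aud", false, fallbackClaimNames, (Collection<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_AUDIENCES), List.of()),
            new JwtAlgorithmValidator((List<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS)),
            new JwtDateClaimValidator(clock, "iat", allowedClockSkew, JwtDateClaimValidator.Relationship.BEFORE_NOW, false),
            new JwtDateClaimValidator(clock, "exp", allowedClockSkew, JwtDateClaimValidator.Relationship.AFTER_NOW, false)
        );
    }

    /**
     * Builds one string-claim validator per entry of the realm's {@code required_claims} setting,
     * each allowing only the configured list of values for that claim.
     *
     * @return the required-claim validators (empty when no required claims are configured)
     */
    private List<JwtStringClaimValidator> getRequireClaimsValidators() {
        final Settings requiredClaims = (Settings) this.realmConfig.getSetting(JwtRealmSettings.REQUIRED_CLAIMS);
        return requiredClaims.names()
            .stream()
            .map(claimName -> new JwtStringClaimValidator(claimName, false, requiredClaims.getAsList(claimName), List.of()))
            .toList();
    }

    /**
     * Builds the {@code sub} validator from the realm's allowed subjects and subject patterns.
     *
     * @param realmConfig        the realm configuration
     * @param fallbackClaimNames alternate claim names to consult, or {@code null} for none
     * @return the subject validator
     */
    private static JwtStringClaimValidator getSubjectClaimValidator(RealmConfig realmConfig, @Nullable Map<String, String> fallbackClaimNames) {
        return new JwtStringClaimValidator(
            "sub",
            true,
            fallbackClaimNames,
            (Collection<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_SUBJECTS),
            (Collection<String>) realmConfig.getSetting(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS)
        );
    }
}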
