package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.support.CacheIteratorHelper;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.BytesKey;
import org.elasticsearch.xpack.security.authc.support.ClaimParser;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm.class */
/**
 * Realm that authenticates requests carrying a signed JWT, optionally combined with a client shared secret.
 *
 * <p>As far as this class shows, key material (HMAC and/or public-key JWKs) and the usable algorithm lists are
 * loaded in the constructor; no reload path is visible here. {@code authenticate} validates client
 * authentication first, then the JWT, and may cache successful results keyed by the SHA-256 digest of the
 * serialized token.
 */
public class JwtRealm extends Realm implements CachingRealm, Releasable {
    private static final Logger LOGGER;
    // Header and scheme names for the end-user JWT and the client credential. They are not referenced anywhere
    // else in this class; presumably the token-extraction code uses them (confirm against JwtRealmsService).
    public static final String HEADER_END_USER_AUTHENTICATION = "Authorization";
    public static final String HEADER_CLIENT_AUTHENTICATION = "ES-Client-Authentication";
    public static final String HEADER_END_USER_AUTHENTICATION_SCHEME = "Bearer";
    public static final String HEADER_SHARED_SECRET_AUTHENTICATION_SCHEME = "SharedSecret";
    // Used by token() to extract the authentication token from the thread context.
    private final JwtRealmsService jwtRealmsService;
    final UserRoleMapper userRoleMapper;
    // Issuer and audiences handed to JwtValidateUtil.validate for every non-cached JWT.
    final String allowedIssuer;
    final List<String> allowedAudiences;
    // Location of the public-key JWK set: fetched through httpClient when it parses as an HTTPS URI,
    // otherwise read through JwtUtil.readFileContents.
    final String jwkSetPath;
    // Non-null only when jwkSetPath parses as an HTTPS URI; closed in close().
    final CloseableHttpAsyncClient httpClient;
    // Usable JWKs and algorithms per key family, computed once in the constructor.
    final JwksAlgs jwksAlgsHmac;
    final JwksAlgs jwksAlgsPkc;
    // Passed to validation (in seconds) and also added to the JWT "exp" when a cache entry is stored.
    final TimeValue allowedClockSkew;
    final Boolean populateUserMetadata;
    final ClaimParser claimParserPrincipal;
    final ClaimParser claimParserGroups;
    final ClaimParser claimParserDn;
    final ClaimParser claimParserMail;
    final ClaimParser claimParserName;
    final JwtRealmSettings.ClientAuthenticationType clientAuthenticationType;
    // Null when the setting is absent or blank; compared against the secret presented with each token.
    final SecureString clientAuthenticationSharedSecret;
    // Null when caching is disabled (non-positive TTL or size); keys are SHA-256 digests of the serialized JWT.
    final Cache<BytesKey, ExpiringUser> jwtCache;
    // Null exactly when jwtCache is null.
    final CacheIteratorHelper<BytesKey, ExpiringUser> jwtCacheHelper;
    // Null until initialize() runs; ensureInitialized() rejects use of the realm before that.
    DelegatedAuthorizationSupport delegatedAuthorizationSupport;
    // Synthetic assertion flag surfaced by the decompiler; set in the static initializer.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser.class */
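    /**
     * Cache value: an authenticated {@link User} plus the instant up to which the cached result may be reused.
     *
     * <p>Declared as a record. The decompiler had rendered it as a class that {@code extends Record} with
     * {@code ObjectMethods.bootstrap} calls, which is not valid Java source; the component-wise
     * {@code equals}, {@code hashCode} and {@code toString} are supplied by the compiler instead. Because the
     * record is public, its canonical constructor is public as well.
     *
     * <p>{@code exp} is a mutable {@link Date} that is stored and returned without a defensive copy, so holders
     * of an entry must not modify it.
     *
     * @param user the user produced by a successful authentication
     * @param exp  instant after which the entry must be treated as expired
     */
    public record ExpiringUser(User user, Date exp) {}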

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm$JwksAlgs.class */
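    /**
     * The JWKs of one key family (HMAC or public-key) together with the signature algorithms usable with them.
     *
     * <p>Declared as a record. The decompiler had rendered it as a class that {@code extends Record} with
     * {@code ObjectMethods.bootstrap} calls, which is not valid Java source; the component-wise
     * {@code equals}, {@code hashCode} and {@code toString} are supplied by the compiler instead.
     *
     * <p>Both lists are stored and returned as given, without copying.
     *
     * @param jwks keys available for signature verification
     * @param algs names of the signature algorithms accepted for those keys
     */
    public record JwksAlgs(List<JWK> jwks, List<String> algs) {

        /**
         * Reports whether this family is unusable.
         *
         * @return {@code true} only when there are neither keys nor algorithms; a family that has one list
         *         populated and the other empty is reported as non-empty
         */
        boolean isEmpty() {
            return this.jwks.isEmpty() && this.algs.isEmpty();
        }
    }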

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reads the realm settings, builds the optional JWT cache and loads the HMAC and public-key JWK sets.
     *
     * <p>Construction fails when no key source is configured, when both HMAC settings are present, or when
     * no usable JWK/algorithm pair remains after filtering. On a failure while loading keys the cache and the
     * HTTPS client are released through {@link #close()} before the error is rethrown.
     *
     * @param realmConfig      configuration of this realm
     * @param jwtRealmsService service later used by {@code token} to extract the authentication token
     * @param sSLService       passed to {@code JwtUtil.createHttpClient} when the JWK set is served over HTTPS
     * @param userRoleMapper   mapper used to resolve roles when authorization is not delegated
     * @throws SettingsException if the realm settings are inconsistent or yield no usable key material
     */
    public JwtRealm(RealmConfig realmConfig, JwtRealmsService jwtRealmsService, SSLService sSLService, UserRoleMapper userRoleMapper) throws SettingsException {
        super(realmConfig);
        this.delegatedAuthorizationSupport = null;
        this.jwtRealmsService = jwtRealmsService;
        this.userRoleMapper = userRoleMapper;
        // NOTE(review): `this` is handed to the role mapper before the remaining final fields are assigned.
        this.userRoleMapper.refreshRealmOnChange(this);
        this.allowedIssuer = (String) realmConfig.getSetting(JwtRealmSettings.ALLOWED_ISSUER);
        this.allowedAudiences = (List) realmConfig.getSetting(JwtRealmSettings.ALLOWED_AUDIENCES);
        this.allowedClockSkew = (TimeValue) realmConfig.getSetting(JwtRealmSettings.ALLOWED_CLOCK_SKEW);
        // Only the principal parser is created with `true`; presumably that flag marks the claim as required (confirm).
        this.claimParserPrincipal = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_PRINCIPAL, realmConfig, true);
        this.claimParserGroups = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_GROUPS, realmConfig, false);
        this.claimParserDn = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_DN, realmConfig, false);
        this.claimParserMail = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_MAIL, realmConfig, false);
        this.claimParserName = ClaimParser.forSetting(LOGGER, JwtRealmSettings.CLAIMS_NAME, realmConfig, false);
        this.populateUserMetadata = (Boolean) realmConfig.getSetting(JwtRealmSettings.POPULATE_USER_METADATA);
        this.clientAuthenticationType = (JwtRealmSettings.ClientAuthenticationType) realmConfig.getSetting(JwtRealmSettings.CLIENT_AUTHENTICATION_TYPE);
        SecureString secureString = (SecureString) realmConfig.getSetting(JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET);
        // A blank secret is normalised to null so later code deals with "no secret configured" in one form.
        this.clientAuthenticationSharedSecret = Strings.hasText(secureString) ? secureString : null;
        this.jwtCache = buildJwtCache();
        this.jwtCacheHelper = this.jwtCache == null ? null : new CacheIteratorHelper<>(this.jwtCache);
        // Checks the client authentication type against the (possibly null) shared secret; the exact rules live
        // in JwtUtil and are not visible here.
        JwtUtil.validateClientAuthenticationSettings(RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHENTICATION_TYPE), this.clientAuthenticationType, RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET), this.clientAuthenticationSharedSecret);
        // A realm without any configured key source could never verify a signature, so refuse to start.
        if (!this.config.hasSetting(JwtRealmSettings.HMAC_KEY) && !this.config.hasSetting(JwtRealmSettings.HMAC_JWKSET) && !this.config.hasSetting(JwtRealmSettings.PKC_JWKSET_PATH)) {
            throw new SettingsException("At least one of [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_KEY) + "] or [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_JWKSET) + "] or [" + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.PKC_JWKSET_PATH) + "] must be set");
        }
        this.jwkSetPath = (String) ((Realm) this).config.getSetting(JwtRealmSettings.PKC_JWKSET_PATH);
        // An HTTP client exists only when the path parses as an HTTPS URI; any other non-blank value is later
        // read as a file by parseJwksAlgsPkc().
        if (!Strings.hasText(this.jwkSetPath)) {
            this.httpClient = null;
        } else if (JwtUtil.parseHttpsUri(this.jwkSetPath) == null) {
            this.httpClient = null;
        } else {
            this.httpClient = JwtUtil.createHttpClient(((Realm) this).config, sSLService);
        }
        try {
            this.jwksAlgsHmac = parseJwksAlgsHmac();
            this.jwksAlgsPkc = parseJwksAlgsPkc();
            verifyAnyAvailableJwkAndAlgPair();
        } catch (Throwable th) {
            // Release the cache and the HTTPS client so a failed construction does not leak them.
            close();
            throw th;
        }
    }

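    /**
     * Builds the cache of successfully authenticated JWTs from the realm's TTL and size settings.
     *
     * <p>The explicit type arguments on {@code builder()} were lost in decompilation; without them the chained
     * call is inferred with {@code Object} type arguments and does not match the declared return type.
     *
     * @return a cache whose entries expire after the configured TTL and whose maximum weight is the configured
     *         size, or {@code null} when either setting is not positive (caching disabled)
     */
    private Cache<BytesKey, ExpiringUser> buildJwtCache() {
        final TimeValue cacheTtl = (TimeValue) this.config.getSetting(JwtRealmSettings.JWT_CACHE_TTL);
        final int cacheSize = ((Integer) this.config.getSetting(JwtRealmSettings.JWT_CACHE_SIZE)).intValue();
        if (cacheTtl.getNanos() <= 0 || cacheSize <= 0) {
            return null;
        }
        return CacheBuilder.<BytesKey, ExpiringUser>builder().setExpireAfterWrite(cacheTtl).setMaximumWeight(cacheSize).build();
    }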

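    /**
     * Loads the HMAC key material and pairs it with the allowed HMAC signature algorithms.
     *
     * <p>Exactly one of the HMAC JWK set and the single HMAC key may be configured. The algorithm list is the
     * intersection of the realm's allowed signature algorithms with the supported HMAC algorithms, so a
     * public-key algorithm never ends up paired with an HMAC secret here.
     *
     * <p>Changes against the decompiled text: the filter lambda referred to an undefined variable and is
     * restored as a method reference on the supported-algorithm list, and the single-key branch now passes the
     * HMAC key setting name instead of the JWK set setting name. That first argument appears to be used only to
     * name the offending setting in diagnostics.
     *
     * @return the usable HMAC JWKs and algorithms; both lists are empty when no HMAC setting is configured
     * @throws SettingsException if both HMAC settings are configured at the same time
     */
    private JwksAlgs parseJwksAlgsHmac() {
        final SecureString hmacJwkSetContents = (SecureString) this.config.getSetting(JwtRealmSettings.HMAC_JWKSET);
        final SecureString hmacKeyContents = (SecureString) this.config.getSetting(JwtRealmSettings.HMAC_KEY);
        final boolean hasJwkSet = Strings.hasText(hmacJwkSetContents);
        final boolean hasKey = Strings.hasText(hmacKeyContents);
        final String jwkSetSettingKey = RealmSettings.getFullSettingKey(this.config, JwtRealmSettings.HMAC_JWKSET);
        final String keySettingKey = RealmSettings.getFullSettingKey(this.config, JwtRealmSettings.HMAC_KEY);
        if (hasJwkSet && hasKey) {
            throw new SettingsException("Settings [" + jwkSetSettingKey + "] and [" + keySettingKey + "] are not allowed at the same time.");
        }
        final JwksAlgs usable;
        if (hasJwkSet || hasKey) {
            // NOTE(review): toString() copies the secret JWK set into an immutable String that cannot be wiped.
            final List<JWK> jwks = hasJwkSet
                ? JwkValidateUtil.loadJwksFromJwkSetString(jwkSetSettingKey, hmacJwkSetContents.toString())
                : List.of(JwkValidateUtil.loadHmacJwkFromJwkString(keySettingKey, hmacKeyContents));
            @SuppressWarnings("unchecked") // the setting holds a list of algorithm names
            final List<String> allowedAlgs = (List<String>) this.config.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS);
            final List<String> supportedHmacAlgs = JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_HMAC;
            usable = JwkValidateUtil.filterJwksAndAlgorithms(jwks, allowedAlgs.stream().filter(supportedHmacAlgs::contains).toList());
        } else {
            usable = new JwksAlgs(Collections.emptyList(), Collections.emptyList());
        }
        // Only the key count and the algorithm names are logged, never the key material.
        LOGGER.info("Usable HMAC: JWKs [{}]. Algorithms [{}].", Integer.valueOf(usable.jwks().size()), String.join(",", usable.algs()));
        return usable;
    }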

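    /**
     * Loads the public-key JWK set and pairs it with the allowed public-key signature algorithms.
     *
     * <p>The set is fetched through the HTTPS client when one was created in the constructor and is otherwise
     * read through {@code JwtUtil.readFileContents}. Its content becomes the trust anchor for signature
     * verification, so its integrity rests on the TLS configuration of that client or on the protection of the
     * file. The algorithm list is the intersection of the realm's allowed signature algorithms with the
     * supported public-key algorithms.
     *
     * <p>Change against the decompiled text: the filter lambda referred to an undefined variable and is
     * restored as a method reference on the supported-algorithm list.
     *
     * @return the usable public-key JWKs and algorithms; both lists are empty when no JWK set path is configured
     */
    private JwksAlgs parseJwksAlgsPkc() {
        final JwksAlgs usable;
        if (Strings.hasText(this.jwkSetPath)) {
            final String settingKey = RealmSettings.getFullSettingKey(this.config, JwtRealmSettings.PKC_JWKSET_PATH);
            final byte[] jwkSetBytes = this.httpClient == null
                ? JwtUtil.readFileContents(settingKey, this.jwkSetPath, this.config.env())
                : JwtUtil.readUriContents(settingKey, JwtUtil.parseHttpsUri(this.jwkSetPath), this.httpClient);
            final List<JWK> jwks = JwkValidateUtil.loadJwksFromJwkSetString(settingKey, new String(jwkSetBytes, StandardCharsets.UTF_8));
            @SuppressWarnings("unchecked") // the setting holds a list of algorithm names
            final List<String> allowedAlgs = (List<String>) this.config.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS);
            final List<String> supportedPkcAlgs = JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_PKC;
            usable = JwkValidateUtil.filterJwksAndAlgorithms(jwks, allowedAlgs.stream().filter(supportedPkcAlgs::contains).toList());
        } else {
            usable = new JwksAlgs(Collections.emptyList(), Collections.emptyList());
        }
        LOGGER.info("Usable PKC: JWKs [{}]. Algorithms [{}].", Integer.valueOf(usable.jwks().size()), String.join(",", usable.algs()));
        return usable;
    }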

    /**
     * Rejects a realm for which neither key family produced anything usable.
     *
     * @throws SettingsException if both the HMAC and the public-key families are empty
     */
    private void verifyAnyAvailableJwkAndAlgPair() {
        // Decompiled form of two assert statements: evaluated only when assertions are enabled.
        if (!$assertionsDisabled) {
            if (this.jwksAlgsHmac == null) {
                throw new AssertionError("HMAC not initialized");
            }
            if (this.jwksAlgsPkc == null) {
                throw new AssertionError("PKC not initialized");
            }
        }
        final boolean hmacUnusable = this.jwksAlgsHmac.isEmpty();
        if (hmacUnusable && this.jwksAlgsPkc.isEmpty()) {
            throw new SettingsException("No available JWK and algorithm for HMAC or PKC. Realm authentication expected to fail until this is fixed.");
        }
    }

    /**
     * Guards every request-facing method against use before {@code initialize} has run.
     *
     * @throws IllegalStateException if delegated authorization support has not been set up yet
     */
    void ensureInitialized() {
        final boolean initialized = this.delegatedAuthorizationSupport != null;
        if (!initialized) {
            throw new IllegalStateException("Realm has not been initialized");
        }
    }

    /**
     * Completes realm setup by creating the delegated authorization support; may be called only once.
     *
     * @param iterable          the realms passed on to {@code DelegatedAuthorizationSupport}
     * @param xPackLicenseState license state passed on to {@code DelegatedAuthorizationSupport}
     * @throws IllegalStateException if the realm was initialized before
     */
    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        final boolean alreadyInitialized = this.delegatedAuthorizationSupport != null;
        if (alreadyInitialized) {
            throw new IllegalStateException("Realm " + super.name() + " has already been initialized");
        }
        final DelegatedAuthorizationSupport support = new DelegatedAuthorizationSupport(iterable, this.config, xPackLicenseState);
        this.delegatedAuthorizationSupport = support;
    }

    /**
     * Releases the realm's resources: drops all cached authentications and closes the HTTPS client.
     *
     * <p>Each step is best effort. A failure is logged at warn level and does not prevent the other step,
     * so a cache error cannot leave the HTTPS client open.
     */
    public void close() {
        final Cache<BytesKey, ExpiringUser> cache = this.jwtCache;
        if (cache != null) {
            try {
                cache.invalidateAll();
            } catch (Exception cacheFailure) {
                LOGGER.warn("Exception invalidating JWT cache for realm [" + super.name() + "]", cacheFailure);
            }
        }
        final CloseableHttpAsyncClient client = this.httpClient;
        if (client != null) {
            try {
                client.close();
            } catch (IOException closeFailure) {
                LOGGER.warn(() -> "Exception closing HTTPS client for realm [" + super.name() + "]", closeFailure);
            }
        }
    }

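    /**
     * Always answers that the user is unknown: this realm performs no user lookup of its own.
     *
     * <p>The decompiler had emitted {@code (Object) null}, which does not type-check against
     * {@code ActionListener<User>}; a plain {@code null} is passed instead.
     *
     * @param str            the principal to look up (ignored)
     * @param actionListener receives {@code null}
     * @throws IllegalStateException if the realm has not been initialized
     */
    public void lookupUser(String str, ActionListener<User> actionListener) {
        ensureInitialized();
        actionListener.onResponse(null);
    }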

    /**
     * Evicts every cached authentication whose user has the given principal.
     *
     * <p>Does nothing beyond the trace message when caching is disabled.
     *
     * @param str principal whose cached entries must be dropped
     * @throws IllegalStateException if the realm has not been initialized
     */
    public void expire(String str) {
        ensureInitialized();
        LOGGER.trace("Expiring JWT cache entries for realm [" + super.name() + "] principal=[" + str + "]");
        if (this.jwtCacheHelper == null) {
            return;
        }
        this.jwtCacheHelper.removeValuesIf(cached -> cached.user().principal().equals(str));
    }

    /**
     * Drops every cached authentication of this realm.
     *
     * <p>The cache is cleared while holding the helper's update lock, which is released even when the
     * invalidation throws. Nothing happens when caching is disabled.
     *
     * @throws IllegalStateException if the realm has not been initialized
     */
    public void expireAll() {
        ensureInitialized();
        final boolean cachingEnabled = this.jwtCache != null && this.jwtCacheHelper != null;
        if (!cachingEnabled) {
            return;
        }
        LOGGER.trace("Invalidating JWT cache for realm [" + super.name() + "]");
        try (ReleasableLock ignored = this.jwtCacheHelper.acquireUpdateLock()) {
            this.jwtCache.invalidateAll();
        }
    }

    /**
     * Extracts the authentication token for the current request by delegating to the shared realms service.
     *
     * @param threadContext the request's thread context
     * @return whatever {@code JwtRealmsService.token} returns for that context
     * @throws IllegalStateException if the realm has not been initialized
     */
    public AuthenticationToken token(ThreadContext threadContext) {
        ensureInitialized();
        final AuthenticationToken extracted = this.jwtRealmsService.token(threadContext);
        return extracted;
    }

    /**
     * Tells whether this realm can process the given token.
     *
     * @param authenticationToken the token to inspect; may be {@code null}
     * @return {@code true} only for a {@code JwtAuthenticationToken}
     */
    public boolean supports(AuthenticationToken authenticationToken) {
        final boolean isJwtToken = authenticationToken instanceof JwtAuthenticationToken;
        return isJwtToken;
    }

    /**
     * Authenticates a {@link JwtAuthenticationToken} and reports the outcome through {@code actionListener}.
     *
     * <p>Order of checks as written here:
     * <ol>
     *   <li>a token of any other type is answered with an unsuccessful result;</li>
     *   <li>client authentication is validated against the realm's configured type and shared secret;</li>
     *   <li>when caching is enabled, the SHA-256 digest of the serialized JWT is looked up; an unexpired hit
     *       is accepted without parsing or re-validating the JWT;</li>
     *   <li>otherwise the JWT is parsed and validated against issuer, audiences, clock skew and the JWK and
     *       algorithm lists of the key family selected by the header algorithm;</li>
     *   <li>the principal claim is extracted, then authorization is either delegated or roles are resolved
     *       from the claims through the role mapper.</li>
     * </ol>
     *
     * <p>Exceptions raised inside the try blocks are converted into unsuccessful results rather than
     * propagated.
     *
     * @param authenticationToken the token to authenticate
     * @param actionListener      receives the authentication result
     * @throws IllegalStateException if the realm has not been initialized
     */
    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult<User>> actionListener) {
        ensureInitialized();
        if (!(authenticationToken instanceof JwtAuthenticationToken)) {
            String str = "Realm [" + super.name() + "] does not support AuthenticationToken [" + (authenticationToken == null ? "null" : authenticationToken.getClass().getCanonicalName()) + "].";
            LOGGER.trace(str);
            actionListener.onResponse(AuthenticationResult.unsuccessful(str, (Exception) null));
            return;
        }
        JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authenticationToken;
        // Used in log and failure messages as "token=[...]"; this is the token's principal, not the raw JWT.
        String principal = jwtAuthenticationToken.principal();
        try {
            // Client authentication runs before the cache lookup, so a cached JWT is not honoured for a caller
            // that fails this check.
            JwtUtil.validateClientAuthentication(this.clientAuthenticationType, this.clientAuthenticationSharedSecret, jwtAuthenticationToken.getClientAuthenticationSharedSecret());
            LOGGER.trace("Realm [{}] client authentication succeeded for token=[{}].", super.name(), principal);
            SecureString endUserSignedJwt = jwtAuthenticationToken.getEndUserSignedJwt();
            // The cache key is null exactly when caching is disabled.
            BytesKey computeBytesKey = this.jwtCache == null ? null : computeBytesKey(endUserSignedJwt);
            if (computeBytesKey != null) {
                ExpiringUser expiringUser = (ExpiringUser) this.jwtCache.get(computeBytesKey);
                if (expiringUser == null) {
                    // NOTE(review): the trace lines in this branch write the cache key (digest of the token) to the log.
                    LOGGER.trace("Realm [" + super.name() + "] JWT cache miss token=[" + principal + "] key=[" + computeBytesKey + "].");
                } else {
                    User user = expiringUser.user;
                    Date date = expiringUser.exp;
                    String principal2 = user.principal();
                    Date date2 = new Date();
                    // The stored expiry already includes the allowed clock skew (see the put below); the entry is
                    // honoured only while the current time is strictly before it.
                    if (date2.getTime() < date.getTime()) {
                        LOGGER.trace("Realm [" + super.name() + "] JWT cache hit token=[" + principal + "] key=[" + computeBytesKey + "] principal=[" + principal2 + "] exp=[" + date + "] now=[" + date2 + "].");
                        // A hit skips signature and claim validation: with delegation the cached principal is
                        // resolved again, otherwise the cached user is returned as is.
                        if (this.delegatedAuthorizationSupport.hasDelegation()) {
                            this.delegatedAuthorizationSupport.resolve(principal2, actionListener);
                            return;
                        } else {
                            actionListener.onResponse(AuthenticationResult.success(user));
                            return;
                        }
                    }
                    // Expired entry: fall through to full validation. The entry is not removed here.
                    LOGGER.trace("Realm [" + super.name() + "] JWT cache exp token=[" + principal + "] key=[" + computeBytesKey + "] principal=[" + principal2 + "] exp=[" + date + "] now=[" + date2 + "].");
                }
            }
            try {
                // NOTE(review): toString() copies the bearer token into an immutable String that cannot be wiped.
                SignedJWT parse = SignedJWT.parse(endUserSignedJwt.toString());
                // The header algorithm is read before the signature is verified. Here it only selects one of
                // the two configured key families, and the algorithm list and JWKs given to validate() come
                // from that same family. What validate() enforces beyond that is not visible in this class.
                JwksAlgs jwksAlgs = JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_HMAC.contains(parse.getHeader().getAlgorithm().getName()) ? this.jwksAlgsHmac : this.jwksAlgsPkc;
                JwtValidateUtil.validate(parse, this.allowedIssuer, this.allowedAudiences, this.allowedClockSkew.seconds(), jwksAlgs.algs, jwksAlgs.jwks);
                JWTClaimsSet jWTClaimsSet = parse.getJWTClaimsSet();
                LOGGER.trace("Realm [{}] JWT validation succeeded for token=[{}].", super.name(), principal);
                String claimValue = this.claimParserPrincipal.getClaimValue(jWTClaimsSet);
                if (!Strings.hasText(claimValue)) {
                    // NOTE(review): this message embeds the complete claims set and is both debug-logged and
                    // returned in the unsuccessful result.
                    String str2 = "Realm [" + super.name() + "] no principal for token=[" + principal + "] parser=[" + this.claimParserPrincipal + "] claims=[" + jWTClaimsSet + "].";
                    LOGGER.debug(str2);
                    actionListener.onResponse(AuthenticationResult.unsuccessful(str2, (Exception) null));
                    return;
                }
                // Wraps the caller's listener so that only authenticated results are stored in the cache
                // before the result is passed on.
                CheckedConsumer checkedConsumer = authenticationResult -> {
                    if (authenticationResult.isAuthenticated()) {
                        User user2 = (User) authenticationResult.getValue();
                        LOGGER.debug(() -> {
                            return org.elasticsearch.core.Strings.format("Realm [%s] roles [%s] for principal=[%s].", new Object[]{super.name(), String.join(",", user2.roles()), claimValue});
                        });
                        if (this.jwtCache != null && this.jwtCacheHelper != null) {
                            ReleasableLock acquireUpdateLock = this.jwtCacheHelper.acquireUpdateLock();
                            try {
                                // Cached expiry = JWT expiration time + allowed clock skew. The expiration time is
                                // dereferenced without a null check; presumably validate() guarantees it (confirm).
                                this.jwtCache.put(computeBytesKey, new ExpiringUser((User) authenticationResult.getValue(), new Date(jWTClaimsSet.getExpirationTime().getTime() + this.allowedClockSkew.getMillis())));
                                if (acquireUpdateLock != null) {
                                    acquireUpdateLock.close();
                                }
                            } catch (Throwable th) {
                                if (acquireUpdateLock != null) {
                                    try {
                                        acquireUpdateLock.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                }
                                throw th;
                            }
                        }
                    }
                    actionListener.onResponse(authenticationResult);
                };
                Objects.requireNonNull(actionListener);
                ActionListener<AuthenticationResult<User>> wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
                // With delegation, only the principal taken from the JWT is handed to the delegated lookup.
                if (this.delegatedAuthorizationSupport.hasDelegation()) {
                    this.delegatedAuthorizationSupport.resolve(claimValue, wrap);
                    return;
                }
                try {
                    // Without delegation, the remaining user attributes are read from the validated claims.
                    Map<String, Object> userMetadata = this.populateUserMetadata.booleanValue() ? JwtUtil.toUserMetadata(parse) : Map.of();
                    List<String> claimValues = this.claimParserGroups.getClaimValues(jWTClaimsSet);
                    String claimValue2 = this.claimParserDn.getClaimValue(jWTClaimsSet);
                    String claimValue3 = this.claimParserMail.getClaimValue(jWTClaimsSet);
                    String claimValue4 = this.claimParserName.getClaimValue(jWTClaimsSet);
                    // Principal, DN, groups and metadata are the inputs to role mapping.
                    UserRoleMapper.UserData userData = new UserRoleMapper.UserData(claimValue, claimValue2, claimValues, userMetadata, ((Realm) this).config);
                    UserRoleMapper userRoleMapper = this.userRoleMapper;
                    CheckedConsumer checkedConsumer2 = set -> {
                        wrap.onResponse(AuthenticationResult.success(new User(claimValue, (String[]) set.toArray(Strings.EMPTY_ARRAY), claimValue4, claimValue3, userData.getMetadata(), true)));
                    };
                    Objects.requireNonNull(wrap);
                    userRoleMapper.resolveRoles(userData, ActionListener.wrap(checkedConsumer2, wrap::onFailure));
                } catch (Exception e) {
                    String str3 = "Realm [" + super.name() + "] parse metadata failed for principal=[" + claimValue + "].";
                    AuthenticationResult unsuccessful = AuthenticationResult.unsuccessful(str3, e);
                    LOGGER.debug(str3, e);
                    actionListener.onResponse(unsuccessful);
                }
            } catch (Exception e2) {
                // Parse and validation failures end up here, as does anything thrown while extracting the
                // principal or by the delegated resolve call.
                String str4 = "Realm [" + super.name() + "] JWT validation failed for token=[" + principal + "].";
                AuthenticationResult unsuccessful2 = AuthenticationResult.unsuccessful(str4, e2);
                LOGGER.debug(str4, e2);
                actionListener.onResponse(unsuccessful2);
            }
        } catch (Exception e3) {
            // NOTE(review): as decompiled, this handler also covers the cache lookup and the cache-hit
            // resolution above, so a failure there is reported as a client authentication failure too.
            String str5 = "Realm [" + super.name() + "] client authentication failed for token=[" + principal + "].";
            LOGGER.debug(str5, e3);
            actionListener.onResponse(AuthenticationResult.unsuccessful(str5, e3));
        }
    }

    /**
     * Adds the JWT cache size to the realm usage statistics gathered by the superclass.
     *
     * <p>The entry {@code "jwt.cache"} maps {@code "size"} to the current number of cached entries, or to
     * {@code -1} when caching is disabled.
     *
     * @param actionListener receives the augmented statistics map, or the failure of the superclass call
     * @throws IllegalStateException if the realm has not been initialized
     */
    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        ensureInitialized();
        Objects.requireNonNull(actionListener);
        super.usageStats(ActionListener.wrap(stats -> {
            final int cachedEntries = (this.jwtCache != null) ? this.jwtCache.count() : -1;
            stats.put("jwt.cache", Collections.singletonMap("size", Integer.valueOf(cachedEntries)));
            actionListener.onResponse(stats);
        }, actionListener::onFailure));
    }

    /**
     * Derives the cache key for a serialized JWT: the SHA-256 digest of its UTF-8 bytes.
     *
     * <p>Storing the digest keeps the bearer token itself out of the cache keys. The intermediate
     * {@code String} and byte array still hold the token in memory and are not wiped here.
     *
     * @param charSequence the serialized JWT
     * @return a key wrapping the digest bytes
     */
    static BytesKey computeBytesKey(CharSequence charSequence) {
        final byte[] utf8Token = charSequence.toString().getBytes(StandardCharsets.UTF_8);
        final MessageDigest digest = MessageDigests.sha256();
        return new BytesKey(digest.digest(utf8Token));
    }

    static {
        // Class logger shared by all realm instances.
        LOGGER = LogManager.getLogger(JwtRealm.class);
        // Decompiler rendering of the compiler-generated assertion flag consulted by the assert checks.
        $assertionsDisabled = !JwtRealm.class.desiredAssertionStatus();
    }
}
