package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jwt.SignedJWT;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.jwt.JwkSetLoader;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtSignatureValidator.class */
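/**
 * Verifies the signature of a {@link SignedJWT} against the key material a JWT realm is configured with.
 * <p>
 * Implementations report the outcome through an {@link ActionListener}: {@code onResponse(null)} when the signature
 * verifies and {@code onFailure} otherwise. The interface extends {@link Releasable} so that an implementation that
 * holds resources (the PKC JWK set loader) can be closed together with the realm; the default {@link #close()} is a
 * no-op for implementations that hold nothing.
 */
public interface JwtSignatureValidator extends Releasable {

    /**
     * Routes a token to the HMAC or the PKC validator based on the {@code alg} header of the token.
     * <p>
     * The two allow-lists ({@link #allowedJwksAlgsHmac} and {@link #allowedJwksAlgsPkc}) are the realm's configured
     * {@code allowed_signature_algorithms}, split by which family each algorithm belongs to. The {@code alg} header
     * only selects which key list is tried: an HMAC algorithm is verified solely against the HMAC keys, a PKC
     * algorithm solely against the loaded PKC JWK set, and an algorithm outside the allow-list is rejected before any
     * key is consulted. Each validator is {@code null} when the corresponding settings are absent.
     */
    public static class DelegatingJwtSignatureValidator implements JwtSignatureValidator {
        private static final Logger logger = LogManager.getLogger(DelegatingJwtSignatureValidator.class);

        private final RealmConfig realmConfig;
        // Configured algorithms that are HMAC (HS*) and PKC (RS*/ES*/PS*) respectively; package-private for tests.
        final List<String> allowedJwksAlgsPkc;
        final List<String> allowedJwksAlgsHmac;

        @Nullable
        private final HmacJwtSignatureValidator hmacJwtSignatureValidator;

        @Nullable
        private final PkcJwtSignatureValidator pkcJwtSignatureValidator;

        /**
         * Builds the HMAC and/or PKC validators from the realm settings.
         *
         * @param realmConfig the realm configuration; provides the algorithm allow-list and the three key-source
         *                    settings ({@code hmac_jwkset}, {@code hmac_key}, {@code pkc_jwkset_path})
         * @param sslService used by the {@link JwkSetLoader} when the PKC JWK set is fetched over TLS
         * @param pkcJwkSetReloadNotifier invoked by the PKC validator whenever a reload produced a different JWK set
         * @throws SettingsException if no key source is configured, or if both HMAC sources are configured at once
         */
        public DelegatingJwtSignatureValidator(
            RealmConfig realmConfig,
            SSLService sslService,
            PkcJwkSetReloadNotifier pkcJwkSetReloadNotifier
        ) {
            this.realmConfig = realmConfig;
            final List<String> allowedAlgorithms = realmConfig.getSetting(JwtRealmSettings.ALLOWED_SIGNATURE_ALGORITHMS);
            this.allowedJwksAlgsHmac = allowedAlgorithms.stream()
                .filter(JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_HMAC::contains)
                .toList();
            this.allowedJwksAlgsPkc = allowedAlgorithms.stream()
                .filter(JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_PKC::contains)
                .toList();

            final String pkcJwkSetPath = realmConfig.getSetting(JwtRealmSettings.PKC_JWKSET_PATH);
            final SecureString hmacJwkSetContents = realmConfig.getSetting(JwtRealmSettings.HMAC_JWKSET);
            final SecureString hmacKeyContents = realmConfig.getSetting(JwtRealmSettings.HMAC_KEY);
            final boolean isConfiguredJwkSetPkc = Strings.hasText(pkcJwkSetPath);
            final boolean isConfiguredJwkSetHmac = Strings.hasText(hmacJwkSetContents);
            final boolean isConfiguredJwkOidcHmac = Strings.hasText(hmacKeyContents);
            validateJwkSettings(realmConfig, isConfiguredJwkSetPkc, isConfiguredJwkSetHmac, isConfiguredJwkOidcHmac);

            // Exactly one of the two HMAC sources can be present here (validateJwkSettings rejects both at once).
            final List<JWK> jwksHmac;
            if (isConfiguredJwkSetHmac) {
                // toString() materialises the secret JWK set as an ordinary (non-zeroable) String for parsing.
                jwksHmac = JwkValidateUtil.loadJwksFromJwkSetString(
                    RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_JWKSET),
                    hmacJwkSetContents.toString()
                );
            } else if (isConfiguredJwkOidcHmac) {
                final OctetSequenceKey hmacKey = JwkValidateUtil.loadHmacJwkFromJwkString(
                    RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_KEY),
                    hmacKeyContents
                );
                assert hmacKey != null : "Null HMAC key should not happen here";
                jwksHmac = List.of(hmacKey);
            } else {
                jwksHmac = null;
            }

            if (jwksHmac != null) {
                // Keep only the HMAC keys that are usable with an allowed HMAC algorithm (filtering rules live in JwkValidateUtil).
                final JwkSetLoader.JwksAlgs jwksAlgsHmac = JwkValidateUtil.filterJwksAndAlgorithms(jwksHmac, this.allowedJwksAlgsHmac);
                logger.info("Usable HMAC: JWKs [{}]. Algorithms [{}].", jwksAlgsHmac.jwks().size(), String.join(",", jwksAlgsHmac.algs()));
                this.hmacJwtSignatureValidator = new HmacJwtSignatureValidator(jwksAlgsHmac);
            } else {
                this.hmacJwtSignatureValidator = null;
            }

            if (isConfiguredJwkSetPkc) {
                this.pkcJwtSignatureValidator = new PkcJwtSignatureValidator(
                    new JwkSetLoader(realmConfig, this.allowedJwksAlgsPkc, sslService),
                    pkcJwkSetReloadNotifier
                );
            } else {
                this.pkcJwtSignatureValidator = null;
            }

            logWarnIfAuthenticationWillAlwaysFail();
        }

        /**
         * Dispatches on the token's {@code alg} header. Only the key family matching the header is consulted; a
         * header naming an algorithm that is not in the realm's allow-list fails without touching any key.
         *
         * @param tokenPrincipal identifier of the token used in messages and logs
         * @param jwt the parsed token whose signature is to be verified
         * @param listener receives {@code null} on success, or an {@link ElasticsearchSecurityException} with
         *                 {@link RestStatus#BAD_REQUEST} when the algorithm is unsupported or its key family is not configured
         */
        @Override
        public void validate(String tokenPrincipal, SignedJWT jwt, ActionListener<Void> listener) {
            final String algorithm = jwt.getHeader().getAlgorithm().getName();
            if (this.allowedJwksAlgsHmac.contains(algorithm)) {
                if (this.hmacJwtSignatureValidator != null) {
                    this.hmacJwtSignatureValidator.validate(tokenPrincipal, jwt, listener);
                } else {
                    listener.onFailure(
                        new ElasticsearchSecurityException(
                            "algorithm [%s] is a HMAC signing algorithm, but none of the HMAC JWK settings ["
                                + RealmSettings.getFullSettingKey(this.realmConfig, JwtRealmSettings.HMAC_KEY)
                                + ", "
                                + RealmSettings.getFullSettingKey(this.realmConfig, JwtRealmSettings.HMAC_JWKSET)
                                + "] is configured",
                            RestStatus.BAD_REQUEST,
                            algorithm
                        )
                    );
                }
            } else if (this.allowedJwksAlgsPkc.contains(algorithm)) {
                if (this.pkcJwtSignatureValidator != null) {
                    this.pkcJwtSignatureValidator.validate(tokenPrincipal, jwt, listener);
                } else {
                    listener.onFailure(
                        new ElasticsearchSecurityException(
                            "algorithm [%s] is a PKC signing algorithm, but PKC JWK setting ["
                                + RealmSettings.getFullSettingKey(this.realmConfig, JwtRealmSettings.PKC_JWKSET_PATH)
                                + "] is not configured",
                            RestStatus.BAD_REQUEST,
                            algorithm
                        )
                    );
                }
            } else {
                // Stream.concat flattens the two allow-lists into one list of names; Stream.of(streamA, streamB).toList()
                // would instead produce a two-element list of Stream objects and print their identities in the message.
                final List<String> supportedAlgorithms = Stream.concat(this.allowedJwksAlgsHmac.stream(), this.allowedJwksAlgsPkc.stream())
                    .toList();
                listener.onFailure(
                    new ElasticsearchSecurityException(
                        "algorithm [%s] is not in the list of supported algorithms [%s]",
                        RestStatus.BAD_REQUEST,
                        algorithm,
                        Strings.collectionToCommaDelimitedString(supportedAlgorithms)
                    )
                );
            }
        }

        /** Releases the PKC JWK set loader, the only resource held; the HMAC validator has nothing to release. */
        @Override
        public void close() {
            if (this.pkcJwtSignatureValidator != null) {
                this.pkcJwtSignatureValidator.close();
            }
        }

        /**
         * Logs a warning when neither validator has a usable key/algorithm pair, since every token would then be
         * rejected. The PKC JWK set is only inspected when the HMAC side is already known to be unusable.
         */
        private void logWarnIfAuthenticationWillAlwaysFail() {
            final boolean hmacUsable = this.hmacJwtSignatureValidator != null
                && this.hmacJwtSignatureValidator.jwksAlgs.isEmpty() == false;
            if (hmacUsable) {
                return;
            }
            final boolean pkcUsable = this.pkcJwtSignatureValidator != null
                && this.pkcJwtSignatureValidator.jwkSetLoader.getContentAndJwksAlgs().jwksAlgs().isEmpty() == false;
            if (pkcUsable == false) {
                logger.warn("No available JWK and algorithm for HMAC or PKC. JWT realm authentication expected to fail until this is fixed.");
            }
        }

        /**
         * Rejects a realm with no key source at all, or with both HMAC sources set at once. A PKC JWK set may be
         * combined with either HMAC source.
         *
         * @throws SettingsException naming the offending settings
         */
        private static void validateJwkSettings(
            RealmConfig realmConfig,
            boolean isConfiguredJwkSetPkc,
            boolean isConfiguredJwkSetHmac,
            boolean isConfiguredJwkOidcHmac
        ) {
            if (isConfiguredJwkSetPkc == false && isConfiguredJwkSetHmac == false && isConfiguredJwkOidcHmac == false) {
                throw new SettingsException(
                    "At least one of ["
                        + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_KEY)
                        + "] or ["
                        + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_JWKSET)
                        + "] or ["
                        + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.PKC_JWKSET_PATH)
                        + "] must be set"
                );
            }
            if (isConfiguredJwkSetHmac && isConfiguredJwkOidcHmac) {
                throw new SettingsException(
                    "Settings ["
                        + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_JWKSET)
                        + "] and ["
                        + RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.HMAC_KEY)
                        + "] are not allowed at the same time."
                );
            }
        }

        /**
         * Returns the (HMAC, PKC) key/algorithm pairs currently held, with an empty pair standing in for a validator
         * that is not configured. The PKC side reflects the loader's current content.
         */
        Tuple<JwkSetLoader.JwksAlgs, JwkSetLoader.JwksAlgs> getAllJwksAlgs() {
            final JwkSetLoader.JwksAlgs hmac = this.hmacJwtSignatureValidator == null
                ? new JwkSetLoader.JwksAlgs(List.of(), List.of())
                : this.hmacJwtSignatureValidator.jwksAlgs;
            final JwkSetLoader.JwksAlgs pkc = this.pkcJwtSignatureValidator == null
                ? new JwkSetLoader.JwksAlgs(List.of(), List.of())
                : this.pkcJwtSignatureValidator.jwkSetLoader.getContentAndJwksAlgs().jwksAlgs();
            return new Tuple<>(hmac, pkc);
        }
    }

    /**
     * Verifies tokens against a fixed set of HMAC keys loaded once from settings. There is nothing to reload and
     * nothing to release, so the interface's no-op {@link #close()} applies.
     */
    public static class HmacJwtSignatureValidator implements JwtSignatureValidator {
        private final JwkSetLoader.JwksAlgs jwksAlgs;

        HmacJwtSignatureValidator(JwkSetLoader.JwksAlgs jwksAlgs) {
            this.jwksAlgs = jwksAlgs;
        }

        /**
         * Verifies {@code jwt} against the HMAC keys only. Any exception from the verification is passed to the
         * listener unchanged.
         */
        @Override
        public void validate(String tokenPrincipal, SignedJWT jwt, ActionListener<Void> listener) {
            try {
                JwtValidateUtil.validateSignature(jwt, this.jwksAlgs.jwks());
                listener.onResponse(null);
            } catch (Exception e) {
                listener.onFailure(e);
            }
        }
    }

    /** Callback fired by {@link PkcJwtSignatureValidator} after a reload that produced a different PKC JWK set. */
    public interface PkcJwkSetReloadNotifier {
        void reloaded();
    }

    /**
     * Verifies tokens against the PKC JWK set held by a {@link JwkSetLoader}, reloading the set once and retrying
     * when verification fails (to pick up key rotation at the issuer).
     */
    public static class PkcJwtSignatureValidator implements JwtSignatureValidator {
        private static final Logger logger = LogManager.getLogger(PkcJwtSignatureValidator.class);
        private final JwkSetLoader jwkSetLoader;
        private final PkcJwkSetReloadNotifier reloadNotifier;

        PkcJwtSignatureValidator(JwkSetLoader jwkSetLoader, PkcJwkSetReloadNotifier pkcJwkSetReloadNotifier) {
            this.jwkSetLoader = jwkSetLoader;
            this.reloadNotifier = pkcJwkSetReloadNotifier;
        }

        /**
         * Verifies {@code jwt} against the current PKC JWK set. On failure the JWK set is reloaded: if the content
         * is unchanged the original failure is reported; otherwise {@link PkcJwkSetReloadNotifier#reloaded()} fires
         * and verification is retried once against the new keys, with the original failure attached as a suppressed
         * exception to any second failure. A failure of the reload itself is reported through the listener as-is.
         * <p>
         * NOTE(review): every token that fails verification triggers a reload, i.e. an unauthenticated caller can
         * cause JWK set fetches; any throttling of repeated reloads would have to live in {@link JwkSetLoader} —
         * not visible here, confirm.
         */
        @Override
        public void validate(String tokenPrincipal, SignedJWT jwt, ActionListener<Void> listener) {
            final JwkSetLoader.ContentAndJwksAlgs contentAndJwksAlgs = this.jwkSetLoader.getContentAndJwksAlgs();
            final JwkSetLoader.JwksAlgs jwksAlgs = contentAndJwksAlgs.jwksAlgs();
            try {
                JwtValidateUtil.validateSignature(jwt, jwksAlgs.jwks());
                listener.onResponse(null);
            } catch (Exception primaryException) {
                logger.debug(
                    () -> org.elasticsearch.core.Strings.format(
                        "Signature verification failed for JWT [%s] reloading JWKSet (was: #[%s] JWKs, #[%s] algs, sha256=[%s])",
                        tokenPrincipal,
                        jwksAlgs.jwks().size(),
                        jwksAlgs.algs().size(),
                        MessageDigests.toHexString(contentAndJwksAlgs.sha256())
                    ),
                    primaryException
                );
                // The reload result is (changed?, new JwksAlgs); no change means no retry and the original failure stands.
                this.jwkSetLoader.reload(ActionListener.wrap(reloadResult -> {
                    if (reloadResult.v1() == false) {
                        logger.debug("Reloaded same PKC JWKs, can't retry verify JWT token [{}]", tokenPrincipal);
                        listener.onFailure(primaryException);
                        return;
                    }
                    this.reloadNotifier.reloaded();
                    final JwkSetLoader.JwksAlgs reloadedJwksAlgs = reloadResult.v2();
                    if (reloadedJwksAlgs.isEmpty()) {
                        logger.debug("Reloaded empty PKC JWKs, signature verification will fail for JWT [{}]", tokenPrincipal);
                    }
                    try {
                        JwtValidateUtil.validateSignature(jwt, reloadedJwksAlgs.jwks());
                        listener.onResponse(null);
                    } catch (Exception secondaryException) {
                        logger.debug(
                            "Signature verification of JWT [{}] failed - original failure: [{}], failure after reload: [{}]",
                            tokenPrincipal,
                            primaryException.getMessage(),
                            secondaryException.getMessage()
                        );
                        secondaryException.addSuppressed(primaryException);
                        listener.onFailure(secondaryException);
                    }
                }, listener::onFailure));
            }
        }

        /** Releases the JWK set loader (and whatever it holds for fetching the PKC JWK set). */
        @Override
        public void close() {
            this.jwkSetLoader.close();
        }
    }

    /** No-op by default; implementations holding resources override it. */
    default void close() {
    }

    /**
     * Verifies the signature of {@code jwt} and reports the result to {@code listener}:
     * {@code onResponse(null)} on success, {@code onFailure(exception)} otherwise.
     *
     * @param tokenPrincipal identifier of the token used in messages and logs
     * @param jwt the parsed, signed token
     * @param listener completion callback
     */
    void validate(String tokenPrincipal, SignedJWT jwt, ActionListener<Void> listener);
}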
