package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.BytesRef;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.RotatableSecret;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Releasable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtAuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtUtil;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.support.CacheIteratorHelper;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.support.ClaimParser;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
import org.elasticsearch.xpack.security.support.ReloadableSecurityComponent;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm.class */
public class JwtRealm extends Realm implements CachingRealm, ReloadableSecurityComponent, Releasable {
    private static final String LATEST_MALFORMED_JWT = "_latest_malformed_jwt";
    private static final Logger logger;
    public static final String HEADER_END_USER_AUTHENTICATION = "Authorization";
    public static final String HEADER_CLIENT_AUTHENTICATION = "ES-Client-Authentication";
    public static final String HEADER_END_USER_AUTHENTICATION_SCHEME = "Bearer";
    private final Cache<BytesArray, ExpiringUser> jwtCache;
    private final CacheIteratorHelper<BytesArray, ExpiringUser> jwtCacheHelper;
    private final UserRoleMapper userRoleMapper;
    private final Boolean populateUserMetadata;
    private final ClaimParser claimParserPrincipal;
    private final ClaimParser claimParserGroups;
    private final ClaimParser claimParserDn;
    private final ClaimParser claimParserMail;
    private final ClaimParser claimParserName;
    private final JwtRealmSettings.ClientAuthenticationType clientAuthenticationType;
    private final RotatableSecret clientAuthenticationSharedSecret;
    private final JwtAuthenticator jwtAuthenticator;
    private final TimeValue allowedClockSkew;
    DelegatedAuthorizationSupport delegatedAuthorizationSupport;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser.class */
    public static final class ExpiringUser extends Record {
        private final User user;
        private final Date exp;

        ExpiringUser(User user, Date date) {
            Objects.requireNonNull(user, "User must not be null");
            Objects.requireNonNull(date, "Expiration date must not be null");
            this.user = user;
            this.exp = date;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, ExpiringUser.class), ExpiringUser.class, "user;exp", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser;->user:Lorg/elasticsearch/xpack/core/security/user/User;", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser;->exp:Ljava/util/Date;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, ExpiringUser.class), ExpiringUser.class, "user;exp", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser;->user:Lorg/elasticsearch/xpack/core/security/user/User;", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser;->exp:Ljava/util/Date;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, ExpiringUser.class, Object.class), ExpiringUser.class, "user;exp", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser;->user:Lorg/elasticsearch/xpack/core/security/user/User;", "FIELD:Lorg/elasticsearch/xpack/security/authc/jwt/JwtRealm$ExpiringUser;->exp:Ljava/util/Date;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public User user() {
            return this.user;
        }

        public Date exp() {
            return this.exp;
        }
    }

    public JwtRealm(RealmConfig realmConfig, SSLService sSLService, UserRoleMapper userRoleMapper) throws SettingsException {
        super(realmConfig);
        this.delegatedAuthorizationSupport = null;
        this.userRoleMapper = userRoleMapper;
        this.userRoleMapper.clearRealmCacheOnChange(this);
        this.allowedClockSkew = (TimeValue) realmConfig.getSetting(JwtRealmSettings.ALLOWED_CLOCK_SKEW);
        this.populateUserMetadata = (Boolean) realmConfig.getSetting(JwtRealmSettings.POPULATE_USER_METADATA);
        this.clientAuthenticationType = (JwtRealmSettings.ClientAuthenticationType) realmConfig.getSetting(JwtRealmSettings.CLIENT_AUTHENTICATION_TYPE);
        this.clientAuthenticationSharedSecret = new RotatableSecret((SecureString) realmConfig.getSetting(JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET));
        JwtUtil.validateClientAuthenticationSettings(RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHENTICATION_TYPE), this.clientAuthenticationType, RealmSettings.getFullSettingKey(realmConfig, JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET), this.clientAuthenticationSharedSecret);
        TimeValue timeValue = (TimeValue) realmConfig.getSetting(JwtRealmSettings.JWT_CACHE_TTL);
        int intValue = ((Integer) realmConfig.getSetting(JwtRealmSettings.JWT_CACHE_SIZE)).intValue();
        if (timeValue.getNanos() <= 0 || intValue <= 0) {
            this.jwtCache = null;
            this.jwtCacheHelper = null;
        } else {
            this.jwtCache = CacheBuilder.builder().setExpireAfterWrite(timeValue).setMaximumWeight(intValue).build();
            this.jwtCacheHelper = new CacheIteratorHelper<>(this.jwtCache);
        }
        this.jwtAuthenticator = new JwtAuthenticator(realmConfig, sSLService, this::expireAll);
        Map<String, String> fallbackClaimNames = this.jwtAuthenticator.getFallbackClaimNames();
        this.claimParserPrincipal = ClaimParser.forSetting(logger, JwtRealmSettings.CLAIMS_PRINCIPAL, fallbackClaimNames, realmConfig, true);
        this.claimParserGroups = ClaimParser.forSetting(logger, JwtRealmSettings.CLAIMS_GROUPS, fallbackClaimNames, realmConfig, false);
        this.claimParserDn = ClaimParser.forSetting(logger, JwtRealmSettings.CLAIMS_DN, fallbackClaimNames, realmConfig, false);
        this.claimParserMail = ClaimParser.forSetting(logger, JwtRealmSettings.CLAIMS_MAIL, fallbackClaimNames, realmConfig, false);
        this.claimParserName = ClaimParser.forSetting(logger, JwtRealmSettings.CLAIMS_NAME, fallbackClaimNames, realmConfig, false);
    }

    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        if (this.delegatedAuthorizationSupport != null) {
            throw new IllegalStateException("Realm " + name() + " has already been initialized");
        }
        this.delegatedAuthorizationSupport = new DelegatedAuthorizationSupport(iterable, this.config, xPackLicenseState);
    }

    public void close() {
        this.jwtAuthenticator.close();
    }

    public void lookupUser(String str, ActionListener<User> actionListener) {
        ensureInitialized();
        actionListener.onResponse((Object) null);
    }

    public void expire(String str) {
        ensureInitialized();
        if (isCacheEnabled()) {
            logger.trace("Expiring JWT cache entries for realm [{}] principal=[{}]", name(), str);
            this.jwtCacheHelper.removeValuesIf(expiringUser -> {
                return expiringUser.user.principal().equals(str);
            });
            logger.trace("Expired JWT cache entries for realm [{}] principal=[{}]", name(), str);
        }
    }

    public void expireAll() {
        ensureInitialized();
        invalidateJwtCache();
    }

    public AuthenticationToken token(ThreadContext threadContext) {
        ensureInitialized();
        SecureString headerValue = JwtUtil.getHeaderValue(threadContext, "Authorization", HEADER_END_USER_AUTHENTICATION_SCHEME, false);
        SignedJWT parseSignedJWT = parseSignedJWT(headerValue, threadContext);
        if (parseSignedJWT == null) {
            return null;
        }
        return new JwtAuthenticationToken(parseSignedJWT, JwtUtil.sha256(headerValue), JwtUtil.getHeaderValue(threadContext, HEADER_CLIENT_AUTHENTICATION, "SharedSecret", true));
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof JwtAuthenticationToken;
    }

    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult<User>> actionListener) {
        User tryAuthenticateWithCache;
        ensureInitialized();
        if (!(authenticationToken instanceof JwtAuthenticationToken)) {
            if (!$assertionsDisabled) {
                throw new AssertionError("should not happen");
            }
            String str = "Realm [" + name() + "] does not support AuthenticationToken [" + (authenticationToken == null ? "null" : authenticationToken.getClass().getCanonicalName()) + "].";
            logger.trace(str);
            actionListener.onResponse(AuthenticationResult.unsuccessful(str, (Exception) null));
            return;
        }
        JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authenticationToken;
        String principal = jwtAuthenticationToken.principal();
        try {
            JwtUtil.validateClientAuthentication(this.clientAuthenticationType, this.clientAuthenticationSharedSecret, jwtAuthenticationToken.getClientAuthenticationSharedSecret(), principal);
            logger.trace("Realm [{}] client authentication succeeded for token=[{}].", name(), principal);
            BytesArray bytesArray = isCacheEnabled() ? new BytesArray(new BytesRef(jwtAuthenticationToken.getUserCredentialsHash()), true) : null;
            if (bytesArray == null || (tryAuthenticateWithCache = tryAuthenticateWithCache(principal, bytesArray)) == null) {
                this.jwtAuthenticator.authenticate(jwtAuthenticationToken, ActionListener.wrap(jWTClaimsSet -> {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Realm [{}] JWT validation success for token=[{}] with header [{}] and claimSet [{}]", name(), principal, jwtAuthenticationToken.getSignedJWT().getHeader(), jwtAuthenticationToken.getJWTClaimsSet());
                    }
                    processValidatedJwt(principal, bytesArray, jWTClaimsSet, actionListener);
                }, exc -> {
                    String str2 = "Realm [" + name() + "] JWT validation failed for token=[" + principal + "] with header [" + jwtAuthenticationToken.getSignedJWT().getHeader() + "] and claimSet [" + jwtAuthenticationToken.getJWTClaimsSet() + "]";
                    if (logger.isTraceEnabled()) {
                        logger.trace(str2, exc);
                    } else {
                        logger.debug(str2 + " Cause: " + exc.getMessage());
                    }
                    actionListener.onResponse(AuthenticationResult.unsuccessful(str2, exc));
                }));
            } else if (this.delegatedAuthorizationSupport.hasDelegation()) {
                this.delegatedAuthorizationSupport.resolve(tryAuthenticateWithCache.principal(), actionListener);
            } else {
                actionListener.onResponse(AuthenticationResult.success(tryAuthenticateWithCache));
            }
        } catch (Exception e) {
            String str2 = "Realm [" + name() + "] client authentication failed for token=[" + principal + "].";
            logger.debug(str2, e);
            actionListener.onResponse(AuthenticationResult.unsuccessful(str2, e));
        }
    }

    void ensureInitialized() {
        if (this.delegatedAuthorizationSupport == null) {
            throw new IllegalStateException("Realm has not been initialized");
        }
    }

    RealmConfig getConfig() {
        return this.config;
    }

    JwtAuthenticator getJwtAuthenticator() {
        return this.jwtAuthenticator;
    }

    private User tryAuthenticateWithCache(String str, BytesArray bytesArray) {
        ExpiringUser expiringUser = (ExpiringUser) this.jwtCache.get(bytesArray);
        if (expiringUser == null) {
            logger.trace("Realm [" + name() + "] JWT cache miss token=[" + str + "] key=[" + bytesArray + "].");
            return null;
        }
        User user = expiringUser.user;
        Date date = expiringUser.exp;
        String principal = user.principal();
        Date date2 = new Date();
        boolean z = date2.getTime() < date.getTime();
        logger.trace("Realm [{}] JWT cache {} token=[{}] key=[{}] principal=[{}] exp=[{}] now=[{}].", name(), z ? "hit" : "exp", str, bytesArray, principal, date, date2);
        if (z) {
            return user;
        }
        return null;
    }

    void processValidatedJwt(String str, BytesArray bytesArray, JWTClaimsSet jWTClaimsSet, ActionListener<AuthenticationResult<User>> actionListener) {
        String claimValue = this.claimParserPrincipal.getClaimValue(jWTClaimsSet);
        if (!Strings.hasText(claimValue)) {
            String str2 = "Realm [" + name() + "] no principal for token=[" + str + "] parser=[" + this.claimParserPrincipal + "] claims=[" + jWTClaimsSet + "].";
            logger.debug(str2);
            actionListener.onResponse(AuthenticationResult.unsuccessful(str2, (Exception) null));
            return;
        }
        CheckedConsumer checkedConsumer = authenticationResult -> {
            if (authenticationResult.isAuthenticated()) {
                User user = (User) authenticationResult.getValue();
                logger.trace(() -> {
                    return org.elasticsearch.core.Strings.format("Realm [%s] roles resolved [%s] for principal=[%s].", new Object[]{name(), String.join(",", user.roles()), claimValue});
                });
                if (isCacheEnabled()) {
                    ReleasableLock acquireUpdateLock = this.jwtCacheHelper.acquireUpdateLock();
                    try {
                        this.jwtCache.put(bytesArray, new ExpiringUser((User) authenticationResult.getValue(), new Date(jWTClaimsSet.getExpirationTime().getTime() + this.allowedClockSkew.getMillis())));
                        if (acquireUpdateLock != null) {
                            acquireUpdateLock.close();
                        }
                    } catch (Throwable th) {
                        if (acquireUpdateLock != null) {
                            try {
                                acquireUpdateLock.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                }
            }
            actionListener.onResponse(authenticationResult);
        };
        Objects.requireNonNull(actionListener);
        ActionListener<AuthenticationResult<User>> wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
        if (this.delegatedAuthorizationSupport.hasDelegation()) {
            this.delegatedAuthorizationSupport.resolve(claimValue, wrap);
            return;
        }
        Map<String, Object> buildUserMetadata = buildUserMetadata(jWTClaimsSet);
        List<String> claimValues = this.claimParserGroups.getClaimValues(jWTClaimsSet);
        String claimValue2 = this.claimParserDn.getClaimValue(jWTClaimsSet);
        String claimValue3 = this.claimParserMail.getClaimValue(jWTClaimsSet);
        String claimValue4 = this.claimParserName.getClaimValue(jWTClaimsSet);
        UserRoleMapper.UserData userData = new UserRoleMapper.UserData(claimValue, claimValue2, claimValues, buildUserMetadata, this.config);
        UserRoleMapper userRoleMapper = this.userRoleMapper;
        CheckedConsumer checkedConsumer2 = set -> {
            wrap.onResponse(AuthenticationResult.success(new User(claimValue, (String[]) set.toArray(Strings.EMPTY_ARRAY), claimValue4, claimValue3, userData.getMetadata(), true)));
        };
        Objects.requireNonNull(wrap);
        userRoleMapper.resolveRoles(userData, ActionListener.wrap(checkedConsumer2, wrap::onFailure));
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        ensureInitialized();
        CheckedConsumer checkedConsumer = map -> {
            map.put("jwt.cache", Collections.singletonMap("size", Integer.valueOf(isCacheEnabled() ? this.jwtCache.count() : -1)));
            actionListener.onResponse(map);
        };
        Objects.requireNonNull(actionListener);
        super.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    @Override // org.elasticsearch.xpack.security.support.ReloadableSecurityComponent
    public void reload(Settings settings) {
        SecureString secureString = (SecureString) JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET.getConcreteSettingForNamespace(realmRef().getName()).get(settings);
        JwtUtil.validateClientAuthenticationSettings(RealmSettings.getFullSettingKey(this.config, JwtRealmSettings.CLIENT_AUTHENTICATION_TYPE), this.clientAuthenticationType, RealmSettings.getFullSettingKey(this.config, JwtRealmSettings.CLIENT_AUTHENTICATION_SHARED_SECRET), new RotatableSecret(secureString));
        this.clientAuthenticationSharedSecret.rotate(secureString, (TimeValue) this.config.getSetting(JwtRealmSettings.CLIENT_AUTH_SHARED_SECRET_ROTATION_GRACE_PERIOD));
    }

    private void invalidateJwtCache() {
        if (isCacheEnabled()) {
            try {
                logger.trace("Invalidating JWT cache for realm [{}]", name());
                ReleasableLock acquireForIterator = this.jwtCacheHelper.acquireForIterator();
                try {
                    this.jwtCache.invalidateAll();
                    if (acquireForIterator != null) {
                        acquireForIterator.close();
                    }
                    logger.debug("Invalidated JWT cache for realm [{}]", name());
                } finally {
                }
            } catch (Exception e) {
                logger.warn("Exception invalidating JWT cache for realm [" + name() + "]", e);
            }
        }
    }

    private boolean isCacheEnabled() {
        return (this.jwtCache == null || this.jwtCacheHelper == null) ? false : true;
    }

    Cache<BytesArray, ExpiringUser> getJwtCache() {
        return this.jwtCache;
    }

    private Map<String, Object> buildUserMetadata(JWTClaimsSet jWTClaimsSet) {
        HashMap hashMap = new HashMap();
        hashMap.put("jwt_token_type", this.jwtAuthenticator.getTokenType().value());
        if (this.populateUserMetadata.booleanValue()) {
            jWTClaimsSet.getClaims().entrySet().stream().filter(entry -> {
                return isAllowedTypeForClaim(entry.getValue());
            }).forEach(entry2 -> {
                hashMap.put("jwt_claim_" + ((String) entry2.getKey()), entry2.getValue());
            });
        }
        return Map.copyOf(hashMap);
    }

    private SignedJWT parseSignedJWT(SecureString secureString, ThreadContext threadContext) {
        if (Objects.equals(secureString, threadContext.getTransient(LATEST_MALFORMED_JWT))) {
            return null;
        }
        SignedJWT parseSignedJWT = JwtUtil.parseSignedJWT(secureString);
        if (parseSignedJWT == null) {
            threadContext.putTransient(LATEST_MALFORMED_JWT, secureString);
        }
        return parseSignedJWT;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isAllowedTypeForClaim(Object obj) {
        return (obj instanceof String) || (obj instanceof Boolean) || (obj instanceof Number) || ((obj instanceof Collection) && ((Collection) obj).stream().allMatch(obj2 -> {
            return (obj2 instanceof String) || (obj2 instanceof Boolean) || (obj2 instanceof Number);
        }));
    }

    static {
        $assertionsDisabled = !JwtRealm.class.desiredAssertionStatus();
        logger = LogManager.getLogger(JwtRealm.class);
    }
}
