package com.floragunn.dlic.auth.http.jwt;

import com.floragunn.codova.documents.BasicJsonPathDefaultConfiguration;
import com.floragunn.dlic.util.Roles;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.legacy.LegacyHTTPAuthenticator;
import com.floragunn.searchguard.enterprise.auth.oidc.BadCredentialsException;
import com.floragunn.searchguard.enterprise.auth.oidc.JwtVerifier;
import com.floragunn.searchguard.enterprise.auth.oidc.KeyProvider;
import com.floragunn.searchguard.user.Attributes;
import com.floragunn.searchguard.user.AuthCredentials;
import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Option;
import com.jayway.jsonpath.PathNotFoundException;
import com.jayway.jsonpath.Predicate;
import java.nio.file.Path;
import java.security.AccessController;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.SpecialPermission;
import org.opensearch.common.Strings;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.concurrent.ThreadContext;
import org.opensearch.rest.RestRequest;
import org.opensearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/AbstractHTTPJwtAuthenticator.class */
public abstract class AbstractHTTPJwtAuthenticator implements LegacyHTTPAuthenticator {
    private static final Logger log = LogManager.getLogger(AbstractHTTPJwtAuthenticator.class);
    private static final String BEARER = "bearer ";
    private KeyProvider keyProvider;
    private JwtVerifier jwtVerifier;
    private final String jwtHeaderName;
    private final String jwtUrlParameter;
    private final String subjectKey;
    private final Pattern subjectPattern;
    private final String rolesKey;
    private final String jsonSubjectPath;
    private final String jsonRolesPath;
    private Configuration jsonPathConfig;
    private Map<String, JsonPath> attributeMapping;

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractHTTPJwtAuthenticator(Settings settings, Path path) {
        this.jwtUrlParameter = settings.get("jwt_url_parameter");
        this.jwtHeaderName = settings.get("jwt_header", "Authorization");
        this.rolesKey = settings.get("roles_key");
        this.subjectKey = settings.get("subject_key");
        this.jsonRolesPath = settings.get("roles_path");
        this.jsonSubjectPath = settings.get("subject_path");
        this.subjectPattern = getSubjectPattern(settings);
        try {
            this.keyProvider = initKeyProvider(settings, path);
            this.jwtVerifier = new JwtVerifier(this.keyProvider, (String) null, (String) null);
        } catch (Exception e) {
            log.error("Error creating JWT authenticator: " + e + ". JWT authentication will not work", e);
        }
        if ((this.subjectKey != null && this.jsonSubjectPath != null) || (this.rolesKey != null && this.jsonRolesPath != null)) {
            throw new IllegalStateException("Both, subject_key and subject_path or roles_key and roles_path have simultaneously provided. Please provide only one combination.");
        }
        this.jsonPathConfig = BasicJsonPathDefaultConfiguration.builder().options(new Option[]{Option.ALWAYS_RETURN_LIST}).build();
        this.attributeMapping = Attributes.getAttributeMapping(settings.getAsSettings("map_claims_to_user_attrs"));
    }

    public AuthCredentials extractCredentials(RestRequest restRequest, ThreadContext threadContext) throws OpenSearchSecurityException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        return (AuthCredentials) AccessController.doPrivileged(() -> {
            return extractCredentials0(restRequest);
        });
    }

    private AuthCredentials extractCredentials0(RestRequest restRequest) throws OpenSearchSecurityException {
        String jwtTokenString = getJwtTokenString(restRequest);
        if (Strings.isNullOrEmpty(jwtTokenString)) {
            return null;
        }
        try {
            JwtClaims claims = this.jwtVerifier.getVerifiedJwtToken(jwtTokenString).getClaims();
            if (log.isTraceEnabled()) {
                log.trace("Claims from JWT: " + claims);
            }
            String extractSubject = extractSubject(claims);
            if (extractSubject == null) {
                log.error("No subject found in JWT token");
                return null;
            }
            String[] extractRoles = extractRoles(claims);
            if (log.isTraceEnabled()) {
                log.trace("From JWT:\nSubject: " + extractSubject + "\nRoles: " + Arrays.asList(extractRoles));
            }
            return AuthCredentials.forUser(extractSubject).authenticatorType(getType()).backendRoles(extractRoles).attributesByJsonPath(this.attributeMapping, claims).prefixOldAttributes("attr.jwt.", claims.asMap()).complete().build();
        } catch (AuthenticatorUnavailableException e) {
            log.info(e);
            throw new OpenSearchSecurityException(e.getMessage(), RestStatus.SERVICE_UNAVAILABLE, new Object[0]);
        } catch (BadCredentialsException e2) {
            log.info("Extracting JWT token from " + jwtTokenString + " failed", e2);
            return null;
        }
    }

    protected String getJwtTokenString(RestRequest restRequest) {
        String header = restRequest.header(this.jwtHeaderName);
        if (header != null && header.toLowerCase().startsWith("basic ")) {
            header = null;
        }
        if (this.jwtUrlParameter != null) {
            if (header == null || header.isEmpty()) {
                header = restRequest.param(this.jwtUrlParameter);
            } else {
                restRequest.param(this.jwtUrlParameter);
            }
        }
        if (header == null) {
            return null;
        }
        int indexOf = header.toLowerCase().indexOf(BEARER);
        if (indexOf > -1) {
            header = header.substring(indexOf + BEARER.length());
        }
        return header;
    }

    protected String extractSubject(JwtClaims jwtClaims) {
        String subject = jwtClaims.getSubject();
        if (this.subjectKey != null) {
            Object claim = jwtClaims.getClaim(this.subjectKey);
            if (claim == null) {
                log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", this.subjectKey);
                return null;
            }
            if (claim instanceof String) {
                subject = (String) claim;
            } else {
                log.warn("Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", this.subjectKey, claim, claim.getClass());
                subject = String.valueOf(claim);
            }
        } else if (this.jsonSubjectPath != null) {
            try {
                Object read = JsonPath.using(BasicJsonPathDefaultConfiguration.defaultConfiguration()).parse(jwtClaims.asMap()).read(this.jsonSubjectPath, new Predicate[0]);
                if (read == null) {
                    log.error("The subject is null: " + this.jsonSubjectPath);
                    return null;
                }
                if (read instanceof Collection) {
                    Collection collection = (Collection) read;
                    if (collection.size() == 0) {
                        log.error("The subject is empty: " + this.jsonSubjectPath);
                        return null;
                    }
                    if (collection.size() > 1) {
                        log.error("More than one subject was found. Failing authentication: " + read + "; " + this.jsonSubjectPath);
                        return null;
                    }
                    subject = String.valueOf(collection.iterator().next());
                } else {
                    subject = String.valueOf(read);
                }
            } catch (PathNotFoundException e) {
                log.error("The provided JSON path {} could not be found ", this.jsonSubjectPath);
                return null;
            }
        }
        if (subject != null && this.subjectPattern != null) {
            Matcher matcher = this.subjectPattern.matcher(subject);
            if (!matcher.matches()) {
                log.warn("Subject " + subject + " does not match subject_pattern " + this.subjectPattern);
                return null;
            }
            if (matcher.groupCount() == 1) {
                subject = matcher.group(1);
            } else if (matcher.groupCount() > 1) {
                StringBuilder sb = new StringBuilder();
                for (int i = 1; i <= matcher.groupCount(); i++) {
                    if (matcher.group(i) != null) {
                        sb.append(matcher.group(i));
                    }
                }
                subject = sb.length() != 0 ? sb.toString() : null;
            }
        }
        return subject;
    }

    protected String[] extractRoles(JwtClaims jwtClaims) {
        if (this.rolesKey == null && this.jsonRolesPath == null) {
            return new String[0];
        }
        if (this.jsonRolesPath != null) {
            try {
                return Roles.split(JsonPath.using(this.jsonPathConfig).parse(jwtClaims.asMap()).read(this.jsonRolesPath, new Predicate[0]));
            } catch (PathNotFoundException e) {
                log.error("The provided JSON path {} could not be found ", this.jsonRolesPath);
                return new String[0];
            }
        }
        Object claim = jwtClaims.getClaim(this.rolesKey);
        if (claim != null) {
            return Roles.split(claim);
        }
        log.warn("Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.", this.rolesKey);
        return new String[0];
    }

    protected abstract KeyProvider initKeyProvider(Settings settings, Path path) throws Exception;

    public String getChallenge(AuthCredentials authCredentials) {
        return "Bearer realm=\"Search Guard\"";
    }

    private static Pattern getSubjectPattern(Settings settings) {
        String str = settings.get("subject_pattern");
        if (str == null) {
            return null;
        }
        try {
            return Pattern.compile(str);
        } catch (PatternSyntaxException e) {
            log.error("Invalid regular expression for subject_pattern: " + str, e);
            return null;
        }
    }
}
