package com.floragunn.searchguard.authtoken;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Parser;
import com.floragunn.codova.documents.patch.PatchableDocument;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidatingFunction;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.ValidationResult;
import com.floragunn.codova.validation.errors.InvalidAttributeValue;
import com.floragunn.codova.validation.errors.MissingAttribute;
import com.floragunn.searchguard.authtoken.RequestedPrivileges;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenAction;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.List;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jwk.KeyType;
import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenServiceConfig.class */
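/**
 * Configuration of the auth token service, parsed from the {@code auth_token_service} config type.
 *
 * <p>All settings apart from {@code enabled} are only read when {@code enabled} is {@code true};
 * a disabled configuration keeps the field defaults (no keys, default audience, no validity limit).
 *
 * <p>Signing keys are accepted either as a JWK document ({@code jwt_signing_key}) or as a raw
 * Base64URL encoded HMAC secret ({@code jwt_signing_key_hs512}, at least 64 bytes). Encryption keys
 * are optional and accepted as a JWK document ({@code jwt_encryption_key}) or a raw Base64URL encoded
 * A256KW secret ({@code jwt_encryption_key_a256kw}, at least 32 bytes). JWK documents that carry a
 * {@code use} claim must match the purpose they are configured for.
 *
 * <p>This is a mutable bean; instances are not thread-safe.
 */
public class AuthTokenServiceConfig implements PatchableDocument<AuthTokenServiceConfig> {
    public static final String DEFAULT_AUDIENCE = "searchguard_tokenauth";

    // Minimum raw key sizes: 512 bit for HMAC-SHA512, 256 bit for AES-256 key wrap.
    private static final int HS512_MIN_KEY_BYTES = 64;
    private static final int A256KW_MIN_KEY_BYTES = 32;

    // Expectation texts reported to the user when a raw key cannot be used.
    private static final String HS512_KEY_EXPECTATION = "A Base64URL encoded HMAC512 key with at least 512 bit (64 bytes, 86 Base64 encoded characters)";
    private static final String A256KW_KEY_EXPECTATION = "A Base64URL encoded A256KW key with at least 256 bit (32 bytes, 43 Base64 encoded characters)";

    private boolean enabled;
    private JsonWebKey jwtSigningKey;
    private JsonWebKey jwtEncryptionKey;
    private String jwtAud;
    private TemporalAmount maxValidity;
    private List<RequestedPrivileges.ExcludedIndexPermissions> excludeIndexPermissions;
    // The document this instance was parsed from; only set by parse(), so it stays null for
    // instances populated via setters.
    private DocNode source;

    // Registration of this config type; final so the shared registration cannot be replaced at runtime.
    public static final CType<AuthTokenServiceConfig> TYPE = new CType<>("auth_token_service", "Auth Token Service", 10021, AuthTokenServiceConfig.class, (v0, v1) -> {
        return parse(v0, v1);
    }, CType.Storage.OPTIONAL, CType.Arity.SINGLE);

    /**
     * Reads a JWK document and accepts it as a signing key. A {@code use} claim, if present, must be
     * {@code sig}; an absent claim is accepted as well.
     */
    private static final ValidatingFunction<DocNode, JsonWebKey> JWK_SIGNING_KEY_PARSER = new ValidatingFunction<DocNode, JsonWebKey>() {
        @Override
        public JsonWebKey apply(DocNode docNode) throws ConfigValidationException {
            JsonWebKey jwk = JwkUtils.readJwkKey(docNode.toJsonString());
            PublicKeyUse use = jwk.getPublicKeyUse();
            if (use != null && use != PublicKeyUse.SIGN) {
                throw new ConfigValidationException(new InvalidAttributeValue("use", use, "The use claim must designate the JWK for signing"));
            }
            return jwk;
        }
    };

    /**
     * Builds an HS512 octet JWK from a raw Base64URL encoded secret.
     *
     * <p>Rejects secrets shorter than 512 bit. Decoding failures are reported with the decoder's
     * message and the original exception attached as cause.
     */
    private static final ValidatingFunction<DocNode, JsonWebKey> JWK_HS512_SIGNING_KEY_PARSER = new ValidatingFunction<DocNode, JsonWebKey>() {
        @Override
        public JsonWebKey apply(DocNode docNode) throws ConfigValidationException {
            String encodedKey = docNode.toString();
            byte[] rawKey;
            try {
                rawKey = JoseUtils.decode(encodedKey);
            } catch (Exception e) {
                throw new ConfigValidationException(new InvalidAttributeValue((String) null, e.getMessage(), HS512_KEY_EXPECTATION).cause(e));
            }
            // The length check is deliberately outside the try block: previously its
            // ConfigValidationException was caught by the generic catch and re-wrapped, so the
            // "less than 512 bit" message only surfaced nested inside a second error.
            if (rawKey.length < HS512_MIN_KEY_BYTES) {
                throw new ConfigValidationException(new InvalidAttributeValue((String) null, "The key contains less than 512 bit", HS512_KEY_EXPECTATION));
            }
            JsonWebKey jwk = new JsonWebKey();
            jwk.setKeyType(KeyType.OCTET);
            jwk.setAlgorithm("HS512");
            jwk.setPublicKeyUse(PublicKeyUse.SIGN);
            // The secret is stored in its encoded form, as the JWK "k" member expects.
            jwk.setProperty("k", encodedKey);
            return jwk;
        }
    };

    /**
     * Reads a JWK document and accepts it as an encryption key. A {@code use} claim, if present, must
     * be {@code enc}; an absent claim is accepted as well.
     */
    private static final ValidatingFunction<DocNode, JsonWebKey> JWK_ENCRYPTION_KEY_PARSER = new ValidatingFunction<DocNode, JsonWebKey>() {
        @Override
        public JsonWebKey apply(DocNode docNode) throws ConfigValidationException {
            JsonWebKey jwk = JwkUtils.readJwkKey(docNode.toJsonString());
            PublicKeyUse use = jwk.getPublicKeyUse();
            if (use != null && use != PublicKeyUse.ENCRYPT) {
                throw new ConfigValidationException(new InvalidAttributeValue("use", use, "The use claim must designate the JWK for encryption"));
            }
            return jwk;
        }
    };

    /**
     * Builds an A256KW octet JWK from a raw Base64URL encoded secret.
     *
     * <p>Rejects secrets shorter than 256 bit. Decoding failures are reported with the decoder's
     * message and the original exception attached as cause.
     */
    private static final ValidatingFunction<DocNode, JsonWebKey> JWK_A256KW_ENCRYPTION_KEY_PARSER_A256KW = new ValidatingFunction<DocNode, JsonWebKey>() {
        @Override
        public JsonWebKey apply(DocNode docNode) throws ConfigValidationException {
            String encodedKey = docNode.toString();
            byte[] rawKey;
            try {
                rawKey = JoseUtils.decode(encodedKey);
            } catch (Exception e) {
                throw new ConfigValidationException(new InvalidAttributeValue((String) null, e.getMessage(), A256KW_KEY_EXPECTATION).cause(e));
            }
            // Outside the try block for the same reason as in the HS512 parser: the size error must
            // not be re-wrapped by the decoding catch.
            if (rawKey.length < A256KW_MIN_KEY_BYTES) {
                throw new ConfigValidationException(new InvalidAttributeValue((String) null, "The key contains less than 256 bit", A256KW_KEY_EXPECTATION));
            }
            JsonWebKey jwk = new JsonWebKey();
            jwk.setKeyType(KeyType.OCTET);
            jwk.setAlgorithm("A256KW");
            jwk.setPublicKeyUse(PublicKeyUse.ENCRYPT);
            jwk.setProperty("k", encodedKey);
            return jwk;
        }
    };

    // Cluster permissions that tokens may never carry; by default the permission to create further tokens.
    private List<String> excludeClusterPermissions = Arrays.asList(CreateAuthTokenAction.NAME);
    private int maxTokensPerUser = 100;
    private FreezePrivileges freezePrivileges = FreezePrivileges.USER_CHOOSES;

    /** Whether the privileges of a token are frozen at creation time. */
    /* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenServiceConfig$FreezePrivileges.class */
    public enum FreezePrivileges {
        ALWAYS,
        NEVER,
        USER_CHOOSES
    }

    /** @return whether the auth token service is enabled */
    public boolean isEnabled() {
        return this.enabled;
    }

    /** @return the signing key, or {@code null} when not configured or the service is disabled */
    public JsonWebKey getJwtSigningKey() {
        return this.jwtSigningKey;
    }

    /** @return the encryption key, or {@code null} when tokens are not encrypted */
    public JsonWebKey getJwtEncryptionKey() {
        return this.jwtEncryptionKey;
    }

    /** @return the value used for the JWT {@code aud} claim; {@link #DEFAULT_AUDIENCE} unless configured */
    public String getJwtAud() {
        return this.jwtAud;
    }

    /** @return the maximum validity of a token; may be {@code null} when {@code max_validity} is not configured */
    public TemporalAmount getMaxValidity() {
        return this.maxValidity;
    }

    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    public void setJwtSigningKey(JsonWebKey jsonWebKey) {
        this.jwtSigningKey = jsonWebKey;
    }

    public void setJwtEncryptionKey(JsonWebKey jsonWebKey) {
        this.jwtEncryptionKey = jsonWebKey;
    }

    public void setJwtAud(String str) {
        this.jwtAud = str;
    }

    public void setMaxValidity(TemporalAmount temporalAmount) {
        this.maxValidity = temporalAmount;
    }

    /** @return the internal list of excluded cluster permissions (not copied; callers should not modify it) */
    public List<String> getExcludeClusterPermissions() {
        return this.excludeClusterPermissions;
    }

    public void setExcludeClusterPermissions(List<String> list) {
        this.excludeClusterPermissions = list;
    }

    /** @return the internal list of excluded index permissions (not copied; callers should not modify it) */
    public List<RequestedPrivileges.ExcludedIndexPermissions> getExcludeIndexPermissions() {
        return this.excludeIndexPermissions;
    }

    public void setExcludeIndexPermissions(List<RequestedPrivileges.ExcludedIndexPermissions> list) {
        this.excludeIndexPermissions = list;
    }

    /**
     * Parses a configuration document.
     *
     * <p>When {@code enabled} is true, exactly one signing key source is required
     * ({@code jwt_signing_key} takes precedence over {@code jwt_signing_key_hs512}); an encryption
     * key ({@code jwt_encryption_key}, else {@code jwt_encryption_key_a256kw}) is optional.
     *
     * @param docNode the configuration document
     * @param context the parser context
     * @return the parsed configuration, or the collected validation errors if any attribute was invalid
     */
    public static ValidationResult<AuthTokenServiceConfig> parse(DocNode docNode, Parser.Context context) {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode vNode = new ValidatingDocNode(docNode, validationErrors, context);
        AuthTokenServiceConfig result = new AuthTokenServiceConfig();
        result.source = docNode;
        result.enabled = vNode.get("enabled").withDefault(false).asBoolean();

        if (result.enabled) {
            // A signing key is mandatory for an enabled service; the JWK form wins over the raw HS512 secret.
            if (vNode.hasNonNull("jwt_signing_key")) {
                result.jwtSigningKey = (JsonWebKey) vNode.get("jwt_signing_key").by(JWK_SIGNING_KEY_PARSER);
            } else if (vNode.hasNonNull("jwt_signing_key_hs512")) {
                result.jwtSigningKey = (JsonWebKey) vNode.get("jwt_signing_key_hs512").by(JWK_HS512_SIGNING_KEY_PARSER);
            } else {
                validationErrors.add(new MissingAttribute("jwt_signing_key", docNode));
            }

            // Encryption is optional: without a key, jwtEncryptionKey stays null.
            if (vNode.hasNonNull("jwt_encryption_key")) {
                result.jwtEncryptionKey = (JsonWebKey) vNode.get("jwt_encryption_key").by(JWK_ENCRYPTION_KEY_PARSER);
            } else if (vNode.hasNonNull("jwt_encryption_key_a256kw")) {
                result.jwtEncryptionKey = (JsonWebKey) vNode.get("jwt_encryption_key_a256kw").by(JWK_A256KW_ENCRYPTION_KEY_PARSER_A256KW);
            }

            result.jwtAud = vNode.get("jwt_aud_claim").withDefault(DEFAULT_AUDIENCE).asString();
            // No default: absent means no configured validity limit at this level.
            result.maxValidity = vNode.get("max_validity").asTemporalAmount();
            result.excludeClusterPermissions = vNode.get("exclude_cluster_permissions").asList().withDefault(new String[]{CreateAuthTokenAction.NAME}).ofStrings();
            result.excludeIndexPermissions = vNode.get("exclude_index_permissions").asList(RequestedPrivileges.ExcludedIndexPermissions::parse);
            result.maxTokensPerUser = vNode.get("max_tokens_per_user").withDefault(100).asInt();
            result.freezePrivileges = (FreezePrivileges) vNode.get("freeze_privileges").withDefault(FreezePrivileges.USER_CHOOSES).asEnum(FreezePrivileges.class);
        }

        if (validationErrors.hasErrors()) {
            return new ValidationResult<>(validationErrors);
        }
        return new ValidationResult<>(result);
    }

    /** @return the maximum number of tokens a single user may hold; defaults to 100 */
    public int getMaxTokensPerUser() {
        return this.maxTokensPerUser;
    }

    public void setMaxTokensPerUser(int i) {
        this.maxTokensPerUser = i;
    }

    public FreezePrivileges getFreezePrivileges() {
        return this.freezePrivileges;
    }

    public void setFreezePrivileges(FreezePrivileges freezePrivileges) {
        this.freezePrivileges = freezePrivileges;
    }

    /** @return the original document this configuration was parsed from; {@code null} if built via setters */
    public Object toBasicObject() {
        return this.source;
    }

    /**
     * Parses a document, throwing instead of returning a result object.
     *
     * @throws ConfigValidationException if the document has validation errors
     */
    /* renamed from: parseI, reason: merged with bridge method [inline-methods] */
    public AuthTokenServiceConfig m7parseI(DocNode docNode, Parser.Context context) throws ConfigValidationException {
        // NOTE(review): parse() accepts any Parser.Context, yet the context is narrowed to
        // ConfigurationRepository.Context here, so other context types fail with ClassCastException.
        // Kept as-is; confirm whether the narrower type is required by the patch code path.
        return (AuthTokenServiceConfig) parse(docNode, (ConfigurationRepository.Context) context).get();
    }
}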
