package com.floragunn.searchguard.enterprise.auth.oidc;

import com.floragunn.codova.config.net.ProxyConfig;
import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import java.io.IOException;
import java.net.URI;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.http.HttpEntity;
import org.apache.http.StatusLine;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.elasticsearch.SpecialPermission;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/JwksProviderClient.class */
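/**
 * Fetches a JSON Web Key Set (JWKS) from an OIDC provider over HTTP(S).
 *
 * <p>The keys returned here are what the caller trusts when verifying token signatures, so the
 * transport used for the fetch is part of the trust chain. This class does not check the URI
 * scheme: a plain {@code http://} JWKS URI is fetched without transport protection. Callers
 * should validate the configured URI before handing it to this client.
 *
 * <p>{@code requestTimeoutMs} is a plain mutable field with no synchronization.
 */
public class JwksProviderClient {
    /** TLS settings for the outgoing connection; when {@code null} the HttpClient defaults apply. */
    private final TLSConfig tlsConfig;
    /** Optional proxy settings applied to the HttpClient builder. */
    private final ProxyConfig proxyConfig;
    /** Used for the connection-request, connect and socket timeouts alike (milliseconds). */
    private int requestTimeoutMs = 10000;

    /**
     * @param tLSConfig TLS configuration for the JWKS endpoint, or {@code null} for client defaults
     * @param proxyConfig proxy configuration, or {@code null} for none
     */
    public JwksProviderClient(TLSConfig tLSConfig, ProxyConfig proxyConfig) {
        this.tlsConfig = tLSConfig;
        this.proxyConfig = proxyConfig;
    }

    /**
     * Retrieves and parses the key set published at {@code uri}.
     *
     * <p>When a SecurityManager is installed, the caller must hold {@link SpecialPermission};
     * the network access itself then runs inside {@code doPrivileged}.
     *
     * @param uri the provider's JWKS endpoint
     * @return the parsed key set
     * @throws AuthenticatorUnavailableException if the request fails, the status is not 2xx, or
     *     the response has no body
     */
    public JsonWebKeys getJsonWebKeys(URI uri) throws AuthenticatorUnavailableException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        try {
            // The explicit cast selects the PrivilegedExceptionAction overload; a bare lambda is
            // ambiguous between it and PrivilegedAction.
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<JsonWebKeys>) () -> getJsonWebKeysPrivileged(uri));
        } catch (PrivilegedActionException e) {
            // Unwrap so callers see the original failure rather than the doPrivileged wrapper.
            Throwable cause = e.getCause();
            if (cause instanceof AuthenticatorUnavailableException) {
                throw (AuthenticatorUnavailableException) cause;
            }
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw new RuntimeException(cause);
        }
    }

    /**
     * Performs the HTTP GET and parses the response body as a JWK set.
     *
     * <p>Both the client and the response are closed on every path, including the error paths.
     */
    private JsonWebKeys getJsonWebKeysPrivileged(URI uri) throws AuthenticatorUnavailableException {
        int timeoutMs = getRequestTimeoutMs();
        try (CloseableHttpClient httpClient = createHttpClient()) {
            HttpGet httpGet = new HttpGet(uri);
            // NOTE(review): redirect handling is left at the HttpClient default, which follows
            // redirects for GET unless the builder was told otherwise; confirm that is intended
            // for a key-distribution endpoint.
            httpGet.setConfig(RequestConfig.custom()
                    .setConnectionRequestTimeout(timeoutMs)
                    .setConnectTimeout(timeoutMs)
                    .setSocketTimeout(timeoutMs)
                    .build());
            try (CloseableHttpResponse response = httpClient.execute(httpGet)) {
                StatusLine statusLine = response.getStatusLine();
                int status = statusLine.getStatusCode();
                if (status < 200 || status >= 300) {
                    // NOTE(review): the remote error body is read without a size limit and copied
                    // verbatim into the exception. It is remote-controlled content; wherever this
                    // exception is logged or returned, treat it as untrusted and consider capping
                    // its length.
                    HttpEntity errorEntity = response.getEntity();
                    String body = errorEntity != null ? "\n" + EntityUtils.toString(errorEntity) : "";
                    throw new AuthenticatorUnavailableException("Error while retrieving JWKS OIDC config", statusLine + body).details("jwks_uri", uri, new Object[0]);
                }
                HttpEntity entity = response.getEntity();
                if (entity == null) {
                    throw new AuthenticatorUnavailableException("Error while retrieving JWKS OIDC config", "Empty response").details("jwks_uri", uri, new Object[0]);
                }
                // NOTE(review): the body is streamed into the parser with no explicit size bound.
                return JwkUtils.readJwkSet(entity.getContent());
            }
        } catch (IOException e) {
            throw new AuthenticatorUnavailableException("Error while retrieving JWKS OIDC config", e).details("jwks_uri", uri, new Object[0]);
        }
    }

    /**
     * Builds a fresh HttpClient for a single request.
     *
     * <p>The proxy configuration is applied first, then JVM system properties are enabled on the
     * builder, then the configured TLS socket factory (if any) is set explicitly. With a
     * {@code null} {@code tlsConfig} the client's default TLS settings are used.
     */
    private CloseableHttpClient createHttpClient() {
        HttpClientBuilder builder = HttpClients.custom();
        if (this.proxyConfig != null) {
            this.proxyConfig.apply(builder);
        }
        builder.useSystemProperties();
        if (this.tlsConfig != null) {
            builder.setSSLSocketFactory(this.tlsConfig.toSSLConnectionSocketFactory());
        }
        return builder.build();
    }

    /** @return the timeout in milliseconds applied to each phase of the request */
    public int getRequestTimeoutMs() {
        return this.requestTimeoutMs;
    }

    /**
     * Sets the timeout used for connection-request, connect and socket reads.
     *
     * <p>The value is passed to HttpClient unchecked; in HttpClient 4.x a value of 0 means
     * "wait indefinitely" and a negative value means "use the system default", so callers should
     * supply a positive bound to keep a slow or unresponsive provider from stalling
     * authentication.
     *
     * @param i timeout in milliseconds
     */
    public void setRequestTimeoutMs(int i) {
        this.requestTimeoutMs = i;
    }
}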
