package com.floragunn.searchguard.authtoken;

import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.rest.HttpAuthenticationFrontend;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.google.common.base.Strings;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenHttpJwtAuthenticator.class */
public class AuthTokenHttpJwtAuthenticator implements HttpAuthenticationFrontend {
    private static final Logger log = LogManager.getLogger(AuthTokenHttpJwtAuthenticator.class);
    private final AuthTokenService authTokenService;
    private final ComponentState componentState = new ComponentState(0, "authentication_frontend", AuthTokenService.USER_TYPE, AuthTokenHttpJwtAuthenticator.class).initialized();
    private final String jwtHeaderName = "Authorization";
    private final String subjectKey = "sub";

    public AuthTokenHttpJwtAuthenticator(AuthTokenService authTokenService) {
        this.authTokenService = authTokenService;
    }

    public String getType() {
        return AuthTokenService.USER_TYPE;
    }

    public AuthCredentials extractCredentials(RequestMetaData<?> requestMetaData) {
        String authorizationByScheme = requestMetaData.getAuthorizationByScheme(this.jwtHeaderName, "bearer");
        if (Strings.isNullOrEmpty(authorizationByScheme)) {
            return null;
        }
        try {
            JwtToken verifiedJwtToken = this.authTokenService.getVerifiedJwtToken(authorizationByScheme);
            if (verifiedJwtToken == null) {
                return null;
            }
            JwtClaims claims = verifiedJwtToken.getClaims();
            String extractSubject = extractSubject(claims);
            if (extractSubject != null) {
                return AuthCredentials.forUser(extractSubject).claims(claims.asMap()).complete().build();
            }
            log.error("No subject found in JWT token: " + String.valueOf(claims));
            return null;
        } catch (JwtException e) {
            log.info("JWT is invalid (" + getType() + ")", e);
            return null;
        }
    }

    protected String extractSubject(JwtClaims jwtClaims) {
        String subject = jwtClaims.getSubject();
        if (this.subjectKey != null) {
            Object claim = jwtClaims.getClaim(this.subjectKey);
            if (claim == null) {
                log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", this.subjectKey);
                return null;
            }
            if (claim instanceof String) {
                subject = (String) claim;
            } else {
                log.warn("Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", this.subjectKey, claim, claim.getClass());
                subject = String.valueOf(claim);
            }
        }
        return subject;
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
