package com.floragunn.searchguard.enterprise.auth.jwt;

import com.floragunn.codova.config.net.ProxyConfig;
import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Parser;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.errors.InvalidAttributeValue;
import com.floragunn.codova.validation.errors.MissingAttribute;
import com.floragunn.codova.validation.errors.ValidationError;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.rest.HttpAuthenticationFrontend;
import com.floragunn.searchguard.authc.session.ActivatedFrontendConfig;
import com.floragunn.searchguard.authc.session.ApiAuthenticationFrontend;
import com.floragunn.searchguard.authc.session.GetActivatedFrontendConfigAction;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.enterprise.auth.oidc.BadCredentialsException;
import com.floragunn.searchguard.enterprise.auth.oidc.JwksProviderClient;
import com.floragunn.searchguard.enterprise.auth.oidc.JwtVerifier;
import com.floragunn.searchguard.enterprise.auth.oidc.KeyProvider;
import com.floragunn.searchguard.enterprise.auth.oidc.OpenIdProviderClient;
import com.floragunn.searchguard.enterprise.auth.oidc.SelfRefreshingKeySet;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.google.common.base.Strings;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Map;
import java.util.Objects;
import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.bouncycastle.util.io.pem.PemReader;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/jwt/JwtAuthenticator.class */
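/**
 * Authentication frontend that authenticates a request by verifying a JSON Web Token (JWT).
 *
 * <p>It serves both as an HTTP frontend (token taken from a bearer header or, optionally, from a URL
 * parameter) and as an API frontend (token taken from the {@code jwt} attribute of a request map).
 * Verification is delegated to a {@link JwtVerifier} that is fed by the union of up to three key
 * providers configured under {@code signing.*}: keys given inline in the configuration
 * ({@code jwks}, {@code rsa}, {@code ec}), keys discovered through an OpenID provider configuration
 * document, and keys fetched from a plain JWKS endpoint.
 *
 * <p>Instances are immutable after construction; the refreshing key sets manage their own state.
 */
public class JwtAuthenticator implements HttpAuthenticationFrontend, ApiAuthenticationFrontend {
    private static final Logger log = LogManager.getLogger(JwtAuthenticator.class);

    /** Scheme prefix accepted (case-insensitively) in front of a token passed via URL parameter. */
    private static final String BEARER_PREFIX = "bearer ";

    /** Component registration: this frontend is selected by the type name {@code jwt}. */
    public static final TypedComponent.Info<HttpAuthenticationFrontend> INFO = new TypedComponent.Info<HttpAuthenticationFrontend>() {
        @Override
        public Class<HttpAuthenticationFrontend> getType() {
            return HttpAuthenticationFrontend.class;
        }

        @Override
        public String getName() {
            return "jwt";
        }

        @Override
        public TypedComponent.Factory<HttpAuthenticationFrontend> getFactory() {
            return JwtAuthenticator::new;
        }
    };

    /** Keys given inline in the configuration (signing.jwks / signing.rsa / signing.ec); null if none. */
    private final KeyProvider staticKeySet;
    /** Keys discovered via an OpenID provider configuration document; null if not configured. */
    private final SelfRefreshingKeySet openIdKeySet;
    /** Keys fetched from a JWKS endpoint; null if not configured. */
    private final SelfRefreshingKeySet jwksKeySet;
    /** Verifies tokens against the combined key providers plus the required audience/issuer. */
    private final JwtVerifier jwtVerifier;
    /** HTTP header that carries the bearer token (config {@code header}, default {@code Authorization}). */
    private final String jwtHeaderName;
    /**
     * Optional URL parameter that may carry the token (config {@code url_parameter}); null disables it.
     * Tokens in URLs tend to end up in access logs and browser history, so this is only read when the
     * header did not yield a token.
     */
    private final String jwtUrlParameter;
    /** Value of config {@code required_audience}; forwarded to the JwtVerifier (may be null). */
    private final String requiredAudience;
    /** Value of config {@code required_issuer}; forwarded to the JwtVerifier (may be null). */
    private final String requiredIssuer;
    /** Whether unauthenticated requests get a WWW-Authenticate challenge (config {@code challenge}, default true). */
    private final boolean challenge;
    private final ComponentState componentState = new ComponentState(0, "authentication_frontend", "jwt", JwtAuthenticator.class).initialized().requiresEnterpriseLicense();

    /**
     * Builds the authenticator from its configuration node.
     *
     * @param docNode the frontend configuration
     * @param context configuration context handed to the validating parser
     * @throws ConfigValidationException if any attribute is invalid, unknown, or an inline key cannot be parsed
     */
    public JwtAuthenticator(DocNode docNode, ConfigurationRepository.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode config = new ValidatingDocNode(docNode, validationErrors, context);

        this.jwtHeaderName = config.get("header").withDefault("Authorization").asString();
        this.jwtUrlParameter = config.get("url_parameter").asString();
        this.requiredAudience = config.get("required_audience").asString();
        this.requiredIssuer = config.get("required_issuer").asString();
        this.challenge = config.get("challenge").withDefault(true).asBoolean();

        JsonWebKeys inlineKeys = parseInlineKeys(config);
        this.staticKeySet = inlineKeys != null ? new StaticKeyProvider(inlineKeys) : null;
        this.openIdKeySet = createOpenIdKeySet(config);
        this.jwksKeySet = createJwksEndpointKeySet(config);

        // Reject typos/unknown attributes before wiring the verifier, so a misspelled key source never
        // silently results in an authenticator without that source.
        config.checkForUnusedAttributes();
        validationErrors.throwExceptionForPresentErrors();

        this.jwtVerifier = new JwtVerifier(KeyProvider.combined(this.staticKeySet, this.openIdKeySet, this.jwksKeySet), this.requiredAudience, this.requiredIssuer);
    }

    /**
     * Reads the inline key sources {@code signing.jwks}, {@code signing.rsa} and {@code signing.ec}.
     *
     * @return the combined key set, or null if none of the three attributes is present
     */
    private static JsonWebKeys parseInlineKeys(ValidatingDocNode config) throws ConfigValidationException {
        JsonWebKeys jwksDocument = (JsonWebKeys) ((ValidatingDocNode.Attribute) config.get("signing.jwks").expected("A JWKS document")).by(jwks -> JwkUtils.readJwkSet(jwks.toJsonString()));
        JsonWebKey rsaKey = (JsonWebKey) config.get("signing.rsa").by(JwtAuthenticator::parseRsa);
        JsonWebKey ecKey = (JsonWebKey) config.get("signing.ec").by(JwtAuthenticator::parseEc);

        if (rsaKey == null && ecKey == null) {
            return jwksDocument;
        }

        // Single-key attributes are listed first; a JWKS document, if any, is appended behind them.
        ImmutableList<JsonWebKey> singleKeys = ImmutableList.ofNonNull(rsaKey, ecKey);
        return new JsonWebKeys(jwksDocument != null ? singleKeys.with(jwksDocument.getKeys()) : singleKeys);
    }

    /**
     * Builds the key set that is discovered through an OpenID provider configuration document.
     *
     * @return the refreshing key set, or null if {@code signing.jwks_from_openid_configuration.url} is absent
     */
    private static SelfRefreshingKeySet createOpenIdKeySet(ValidatingDocNode config) throws ConfigValidationException {
        URI openIdConfigurationUri = config.get("signing.jwks_from_openid_configuration.url").asURI();
        if (openIdConfigurationUri == null) {
            return null;
        }
        // NOTE(review): the URL lives under "jwks_from_openid_configuration" while tls/proxy/cache live under
        // "keys_from_openid_configuration". Kept as-is for configuration compatibility — confirm which prefix is intended.
        OpenIdProviderClient client = new OpenIdProviderClient(openIdConfigurationUri,
                (TLSConfig) config.get("signing.keys_from_openid_configuration.tls").by(TLSConfig::parse),
                (ProxyConfig) config.get("signing.keys_from_openid_configuration.proxy").by(ProxyConfig::parse),
                config.get("signing.keys_from_openid_configuration.cache_jwks_endpoint").withDefault(false).asBoolean());
        return new SelfRefreshingKeySet(() -> client.getJsonWebKeys());
    }

    /**
     * Builds the key set that is fetched directly from a JWKS endpoint.
     *
     * @return the refreshing key set, or null if {@code signing.jwks_endpoint.url} is absent
     */
    private static SelfRefreshingKeySet createJwksEndpointKeySet(ValidatingDocNode config) throws ConfigValidationException {
        URI jwksUri = config.get("signing.jwks_endpoint.url").asURI();
        if (jwksUri == null) {
            return null;
        }
        JwksProviderClient client = new JwksProviderClient(
                (TLSConfig) config.get("signing.jwks_endpoint.tls").by(TLSConfig::parse),
                (ProxyConfig) config.get("signing.jwks_endpoint.proxy").by(ProxyConfig::parse));
        return new SelfRefreshingKeySet(() -> client.getJsonWebKeys(jwksUri));
    }

    /**
     * Key provider backed by a fixed key set from the configuration. It never refreshes, so
     * {@link #getKeyAfterRefresh(String)} simply repeats the lookup.
     */
    private static final class StaticKeyProvider implements KeyProvider {
        private final JsonWebKeys keys;

        StaticKeyProvider(JsonWebKeys keys) {
            this.keys = keys;
        }

        /**
         * Looks up a key by its {@code kid}. A token without a {@code kid} is matched against the
         * first configured key only, which is only meaningful for single-key setups.
         *
         * @return the key, or null if no key matches
         */
        @Override
        public JsonWebKey getKey(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
            if (!Strings.isNullOrEmpty(kid)) {
                return keys.getKey(kid);
            }
            // Guard against a key set that exposes no key list at all, not just an empty one.
            if (keys.getKeys() == null || keys.getKeys().isEmpty()) {
                return null;
            }
            return keys.getKeys().get(0);
        }

        @Override
        public JsonWebKey getKeyAfterRefresh(String kid) throws AuthenticatorUnavailableException, BadCredentialsException {
            return getKey(kid);
        }
    }

    @Override
    public String getType() {
        return "jwt";
    }

    /**
     * Extracts the token from the configured header (scheme {@code bearer}) or, failing that, from the
     * configured URL parameter.
     *
     * @return the credentials for the verified token, or null if the request carries no token
     * @throws CredentialsException if a token is present but does not verify
     * @throws AuthenticatorUnavailableException if the keys needed for verification cannot be obtained
     */
    @Override
    public AuthCredentials extractCredentials(RequestMetaData<?> request) throws CredentialsException, AuthenticatorUnavailableException {
        String token = request.getAuthorizationByScheme(this.jwtHeaderName, "bearer");
        if (token == null && this.jwtUrlParameter != null) {
            token = stripBearerPrefix(request.getParam(this.jwtUrlParameter));
        }
        if (token == null) {
            return null;
        }
        return tokenToCredentials(token);
    }

    /**
     * Removes a leading, case-insensitive {@code "bearer "} from a URL-parameter value.
     *
     * @return the bare token (trimmed if a prefix was removed), the value unchanged, or null for null input
     */
    private static String stripBearerPrefix(String value) {
        if (value == null) {
            return null;
        }
        // regionMatches(ignoreCase) is locale-independent, unlike toLowerCase().
        if (value.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return value.substring(BEARER_PREFIX.length()).trim();
        }
        return value;
    }

    /**
     * Verifies the token and maps its claims to credentials.
     *
     * @param jwt the compact-serialized token; must not be null
     * @throws CredentialsException if the token does not verify (wrapped BadCredentialsException)
     * @throws AuthenticatorUnavailableException propagated from the verifier/key providers
     */
    private AuthCredentials tokenToCredentials(String jwt) throws AuthenticatorUnavailableException, CredentialsException {
        Objects.requireNonNull(jwt, "Jwt string is required");
        try {
            JwtClaims claims = this.jwtVerifier.getVerifiedJwtToken(jwt).getClaims();
            if (log.isTraceEnabled()) {
                log.trace("Claims from JWT: " + claims.asMap());
            }
            return AuthCredentials.forUser(claims.getSubject())
                    .nativeCredentials(jwt)
                    .attribute("__auth_type", "jwt")
                    .userMappingAttribute("jwt", Jose.toBasicObject((JsonMapObject) claims))
                    .complete()
                    .build();
        } catch (AuthenticatorUnavailableException e) {
            log.info("JWT verification is currently unavailable", e);
            throw e;
        } catch (BadCredentialsException e) {
            // The token itself is deliberately not logged: a bearer token in a log file is a reusable credential.
            log.info("Verification of a JWT failed", e);
            throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, e.getMessage()), e);
        }
    }

    /** @return the WWW-Authenticate challenge, or null when challenges are disabled by configuration */
    @Override
    public String getChallenge(AuthCredentials credentials) {
        return this.challenge ? "Bearer realm=\"Search Guard\"" : null;
    }

    /**
     * Parses the {@code signing.rsa} attribute: an RSA key from {@code certificate} (X.509 PEM) or
     * {@code public_key} (PEM-wrapped X.509 SubjectPublicKeyInfo), plus optional {@code algorithm} and {@code kid}.
     *
     * @throws ConfigValidationException if neither key attribute is present or any attribute is invalid
     */
    private static JsonWebKey parseRsa(DocNode docNode, Parser.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode config = new ValidatingDocNode(docNode, validationErrors, context);
        RSAPublicKey publicKey = readConfiguredPublicKey(config, validationErrors, RSAPublicKey.class, "RSA", "RSA");
        String algorithm = config.get("algorithm").validatedBy(AlgorithmUtils::isRsa).asString();
        String kid = config.get("kid").asString();
        validationErrors.throwExceptionForPresentErrors();
        if (publicKey == null) {
            throw new ConfigValidationException(new MissingAttribute("certificate"));
        }
        try {
            return JwkUtils.fromRSAPublicKey(publicKey, algorithm, kid);
        } catch (Exception e) {
            throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
        }
    }

    /**
     * Parses the {@code signing.ec} attribute: an EC key from {@code certificate} (X.509 PEM) or
     * {@code public_key} (PEM-wrapped X.509 SubjectPublicKeyInfo), plus optional {@code curve} and {@code kid}.
     *
     * @throws ConfigValidationException if neither key attribute is present or any attribute is invalid
     */
    private static JsonWebKey parseEc(DocNode docNode, Parser.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode config = new ValidatingDocNode(docNode, validationErrors, context);
        ECPublicKey publicKey = readConfiguredPublicKey(config, validationErrors, ECPublicKey.class, "EC", "EC");
        // "curve" is a JWK curve name, not a signature algorithm; validating it with an RSA-algorithm
        // predicate (as the original code did) could never accept a valid EC curve.
        String curve = config.get("curve").validatedBy(JwtAuthenticator::isSupportedEcCurve).asString();
        String kid = config.get("kid").asString();
        validationErrors.throwExceptionForPresentErrors();
        if (publicKey == null) {
            throw new ConfigValidationException(new MissingAttribute("certificate"));
        }
        try {
            return JwkUtils.fromECPublicKey(publicKey, curve, kid);
        } catch (Exception e) {
            throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
        }
    }

    /** Accepts the JWK curve names CXF maps to EC keys: {@code P-256}, {@code P-384}, {@code P-521}. */
    private static boolean isSupportedEcCurve(String curve) {
        return JsonWebKey.EC_CURVE_P256.equals(curve)
                || JsonWebKey.EC_CURVE_P384.equals(curve)
                || JsonWebKey.EC_CURVE_P521.equals(curve);
    }

    /**
     * Reads the optional {@code certificate} and {@code public_key} attributes of an inline key definition.
     * If both are present, {@code public_key} wins because it is read last. Parse failures and keys of the
     * wrong type are recorded in {@code errors} rather than thrown.
     *
     * @param keyType      expected Java key interface (e.g. RSAPublicKey.class)
     * @param keyAlgorithm KeyFactory algorithm used for {@code public_key} (e.g. "RSA", "EC")
     * @param keyTypeName  name used in validation messages (e.g. "RSA", "EC")
     * @return the key, or null if neither attribute is present or parsing failed
     */
    private static <K extends PublicKey> K readConfiguredPublicKey(ValidatingDocNode config, ValidationErrors errors, Class<K> keyType, String keyAlgorithm, String keyTypeName) {
        K result = null;

        String certificatePem = config.get("certificate").asString();
        if (certificatePem != null) {
            try {
                // PEM is ASCII; an explicit charset avoids depending on the JVM's platform default.
                PublicKey certificateKey = CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(certificatePem.getBytes(StandardCharsets.UTF_8)))
                        .getPublicKey();
                if (keyType.isInstance(certificateKey)) {
                    result = keyType.cast(certificateKey);
                } else {
                    errors.add(new InvalidAttributeValue("certificate", certificateKey.getClass(), "An " + keyTypeName + " certificate").message("Not an " + keyTypeName + " certificate"));
                }
            } catch (Exception e) {
                // Any parse failure (checked or runtime) is a configuration error, not a crash.
                errors.add(new ValidationError("certificate", e.getMessage()).cause(e));
            }
        }

        String publicKeyPem = config.get("public_key").asString();
        if (publicKeyPem != null) {
            try {
                PublicKey publicKey = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(readPemContent(publicKeyPem)));
                if (keyType.isInstance(publicKey)) {
                    result = keyType.cast(publicKey);
                } else {
                    errors.add(new InvalidAttributeValue("public_key", publicKey.getClass(), "An " + keyTypeName + " public key").message("Not an " + keyTypeName + " public key"));
                }
            } catch (Exception e) {
                errors.add(new ValidationError("public_key", e.getMessage()).cause(e));
            }
        }

        return result;
    }

    /**
     * Returns the DER payload of the first PEM object in {@code pem}.
     *
     * @throws IOException          if the text cannot be read
     * @throws NullPointerException with message "No PEM object found" if the text contains no PEM object
     *                              (callers treat this like any other parse failure)
     */
    private static byte[] readPemContent(String pem) throws IOException {
        try (PemReader reader = new PemReader(new StringReader(pem))) {
            return Objects.requireNonNull(reader.readPemObject(), "No PEM object found").getContent();
        }
    }

    @Override
    public ComponentState getComponentState() {
        return this.componentState;
    }

    /**
     * API-frontend entry point: the token is expected as a string under the {@code jwt} key.
     * NOTE(review): a missing or non-string {@code jwt} currently surfaces as a NullPointerException
     * ("Jwt string is required") rather than a CredentialsException — kept for compatibility; worth revisiting.
     */
    @Override
    public AuthCredentials extractCredentials(Map<String, Object> request) throws CredentialsException, ConfigValidationException, AuthenticatorUnavailableException {
        Object jwt = request.get("jwt");
        return tokenToCredentials(jwt instanceof String ? (String) jwt : null);
    }

    /**
     * Delegates to the interface default. NOTE(review): the original source called a bare {@code super}
     * method here, which only compiles as an interface-default invocation; assumes the default is declared
     * on ApiAuthenticationFrontend — confirm against the interface.
     */
    @Override
    public ActivatedFrontendConfig.AuthMethod activateFrontendConfig(ActivatedFrontendConfig.AuthMethod authMethod, GetActivatedFrontendConfigAction.Request request) throws AuthenticatorUnavailableException {
        return ApiAuthenticationFrontend.super.activateFrontendConfig(authMethod, request);
    }

    /** Delegates to the interface default; see {@link #activateFrontendConfig} for the same caveat. */
    @Override
    public String getLogoutUrl(User user) throws AuthenticatorUnavailableException {
        return ApiAuthenticationFrontend.super.getLogoutUrl(user);
    }
}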
