package com.floragunn.searchguard.authtoken;

import com.floragunn.codova.config.net.CacheConfig;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authtoken.AuthTokenServiceConfig;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenRequest;
import com.floragunn.searchguard.authtoken.api.CreateAuthTokenResponse;
import com.floragunn.searchguard.authtoken.update.PushAuthTokenUpdateAction;
import com.floragunn.searchguard.authtoken.update.PushAuthTokenUpdateRequest;
import com.floragunn.searchguard.authtoken.update.PushAuthTokenUpdateResponse;
import com.floragunn.searchguard.authz.ActionAuthorization;
import com.floragunn.searchguard.authz.AuthorizationService;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ProtectedConfigIndexService;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.jwt.JwtVerifier;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContextProvider;
import com.floragunn.searchguard.sgconf.history.ConfigHistoryService;
import com.floragunn.searchguard.sgconf.history.ConfigModel;
import com.floragunn.searchguard.sgconf.history.ConfigSnapshot;
import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.PrivilegedCode;
import com.floragunn.searchsupport.StaticSettings;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.indices.IndexCleanupAgent;
import com.floragunn.searchsupport.xcontent.ObjectTreeXContent;
import com.google.common.cache.Cache;
import com.google.common.collect.Sets;
import com.google.common.io.BaseEncoding;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.AESEncrypter;
import com.nimbusds.jose.crypto.ECDHEncrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import java.nio.ByteBuffer;
import java.text.ParseException;
import java.time.OffsetDateTime;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenService.class */
public class AuthTokenService implements SpecialPrivilegesEvaluationContextProvider {
    public static final String USER_TYPE = "sg_auth_token";
    public static final String USER_TYPE_FULL_CURRENT_PERMISSIONS = "sg_auth_token_full_current_permissions";
    private final String indexName;
    private final PrivilegedConfigClient privilegedConfigClient;
    private final ConfigHistoryService configHistoryService;
    private final ComponentState componentState;
    private final AuthorizationService authorizationService;
    private final PrivilegesEvaluator privilegesEvaluator;
    private final Actions actions;
    private Cache<String, AuthToken> idToAuthTokenMap;
    private JWSSigner jwsSigner;
    private JWEEncrypter jweEncrypter;
    private String jwtAudience;
    private JWK encryptionKey;
    private JWK signingKey;
    private JwtVerifier jwtVerifier;
    private AuthTokenServiceConfig config;
    private boolean sendTokenUpdates;
    private boolean initialized;
    private IndexCleanupAgent indexCleanupAgent;
    private long maxTokensPerUser;
    private static final Logger log = LogManager.getLogger(AuthTokenService.class);
    public static final StaticSettings.Attribute<String> INDEX_NAME = StaticSettings.Attribute.define("searchguard.authtokens.index.name").withDefault(".searchguard_authtokens").asString();
    public static final StaticSettings.Attribute<TimeValue> CLEANUP_INTERVAL = StaticSettings.Attribute.define("searchguard.authtokens.cleanup_interval").withDefault(TimeValue.timeValueHours(1)).asTimeValue();
    private static final EncryptionMethod CONTENT_ENCRYPTION_METHOD = EncryptionMethod.A256CBC_HS512;

    /* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenService$SpecialPrivilegesEvaluationContextImpl.class */
    static class SpecialPrivilegesEvaluationContextImpl implements SpecialPrivilegesEvaluationContext {
        private final User user;
        private final ImmutableSet<String> mappedRoles;
        private final ActionAuthorization actionAuthorization;
        private final SgDynamicConfiguration<Role> rolesConfig;
        private final RequestedPrivileges requestedPrivileges;

        SpecialPrivilegesEvaluationContextImpl(User user, Set<String> set, ActionAuthorization actionAuthorization, SgDynamicConfiguration<Role> sgDynamicConfiguration, RequestedPrivileges requestedPrivileges) {
            this.user = user;
            this.mappedRoles = ImmutableSet.of(set);
            this.actionAuthorization = actionAuthorization;
            this.requestedPrivileges = requestedPrivileges;
            this.rolesConfig = sgDynamicConfiguration;
        }

        public User getUser() {
            return this.user;
        }

        public ImmutableSet<String> getMappedRoles() {
            return this.mappedRoles;
        }

        public ActionAuthorization getActionAuthorization() {
            return this.actionAuthorization;
        }

        public boolean isSgConfigRestApiAllowed() {
            return (this.requestedPrivileges.getClusterPermissions().contains("*") || this.requestedPrivileges.getClusterPermissions().contains("cluster:admin:searchguard:configrestapi")) && !this.requestedPrivileges.getExcludedClusterPermissions().contains("cluster:admin:searchguard:configrestapi");
        }

        public SgDynamicConfiguration<Role> getRolesConfig() {
            return this.rolesConfig;
        }
    }

    public AuthTokenService(PrivilegedConfigClient privilegedConfigClient, AuthorizationService authorizationService, PrivilegesEvaluator privilegesEvaluator, ConfigHistoryService configHistoryService, StaticSettings staticSettings, ThreadPool threadPool, ClusterService clusterService, ProtectedConfigIndexService protectedConfigIndexService, Actions actions, AuthTokenServiceConfig authTokenServiceConfig, ComponentState componentState) {
        this.sendTokenUpdates = true;
        this.initialized = false;
        this.maxTokensPerUser = 100L;
        this.indexName = (String) staticSettings.get(INDEX_NAME);
        this.privilegedConfigClient = privilegedConfigClient;
        this.configHistoryService = configHistoryService;
        this.componentState = componentState;
        this.authorizationService = authorizationService;
        this.privilegesEvaluator = privilegesEvaluator;
        this.actions = actions;
        this.idToAuthTokenMap = AuthTokenServiceConfig.DEFAULT_TOKEN_CACHE_CONFIG.build();
        setConfig(authTokenServiceConfig);
        ProtectedConfigIndexService.ConfigIndex onIndexReady = new ProtectedConfigIndexService.ConfigIndex(this.indexName).mapping(AuthToken.INDEX_MAPPING).onIndexReady(this::init);
        if (configHistoryService != null) {
            onIndexReady.dependsOnIndices(new String[]{configHistoryService.getIndexName()});
        }
        componentState.addPart(protectedConfigIndexService.createIndex(onIndexReady));
        this.indexCleanupAgent = new IndexCleanupAgent(this.indexName, AuthToken.EXPIRES_AT, (TimeValue) staticSettings.get(CLEANUP_INTERVAL), privilegedConfigClient, clusterService, threadPool);
    }

    public AuthTokenService(PrivilegedConfigClient privilegedConfigClient, AuthorizationService authorizationService, PrivilegesEvaluator privilegesEvaluator, ConfigHistoryService configHistoryService, StaticSettings staticSettings, ThreadPool threadPool, ClusterService clusterService, ProtectedConfigIndexService protectedConfigIndexService, Actions actions, AuthTokenServiceConfig authTokenServiceConfig) {
        this(privilegedConfigClient, authorizationService, privilegesEvaluator, configHistoryService, staticSettings, threadPool, clusterService, protectedConfigIndexService, actions, authTokenServiceConfig, new ComponentState(1000, (String) null, "auth_token_service"));
    }

    public AuthToken getById(String str) throws NoSuchAuthTokenException {
        Optional<AuthToken> tokenFromCache = getTokenFromCache(str);
        return tokenFromCache.isPresent() ? tokenFromCache.get() : getByIdFromIndex(str);
    }

    public void getById(String str, Consumer<AuthToken> consumer, Consumer<NoSuchAuthTokenException> consumer2, Consumer<Exception> consumer3) {
        Optional<AuthToken> tokenFromCache = getTokenFromCache(str);
        if (tokenFromCache.isPresent()) {
            consumer.accept(tokenFromCache.get());
        } else {
            getByIdFromIndex(str, consumer, consumer2, consumer3);
        }
    }

    public AuthToken getByIdFromIndex(String str) throws NoSuchAuthTokenException {
        CompletableFuture completableFuture = new CompletableFuture();
        Objects.requireNonNull(completableFuture);
        Consumer<AuthToken> consumer = (v1) -> {
            r2.complete(v1);
        };
        Objects.requireNonNull(completableFuture);
        Consumer<NoSuchAuthTokenException> consumer2 = (v1) -> {
            r3.completeExceptionally(v1);
        };
        Objects.requireNonNull(completableFuture);
        getByIdFromIndex(str, consumer, consumer2, (v1) -> {
            r4.completeExceptionally(v1);
        });
        try {
            return (AuthToken) completableFuture.get();
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        } catch (ExecutionException e2) {
            if (e2.getCause() instanceof NoSuchAuthTokenException) {
                throw ((NoSuchAuthTokenException) e2.getCause());
            }
            throw new RuntimeException(e2.getCause());
        }
    }

    public void getByIdFromIndex(final String str, final Consumer<AuthToken> consumer, final Consumer<NoSuchAuthTokenException> consumer2, final Consumer<Exception> consumer3) {
        this.privilegedConfigClient.get(new GetRequest(this.indexName, str), new ActionListener<GetResponse>() { // from class: com.floragunn.searchguard.authtoken.AuthTokenService.1
            public void onResponse(GetResponse getResponse) {
                if (!getResponse.isExists()) {
                    consumer2.accept(new NoSuchAuthTokenException(str));
                    return;
                }
                try {
                    AuthToken parse = AuthToken.parse(str, DocNode.parse(Format.JSON).from(getResponse.getSourceAsString()));
                    AuthTokenService.this.addTokenToCache(str, parse);
                    consumer.accept(parse);
                } catch (Exception e) {
                    AuthTokenService.log.error(e);
                    consumer3.accept(e);
                } catch (ConfigValidationException e2) {
                    consumer3.accept(new RuntimeException("Token " + str + " is not stored in a valid format", e2));
                }
            }

            public void onFailure(Exception exc) {
                if (exc instanceof IndexNotFoundException) {
                    consumer2.accept(new NoSuchAuthTokenException(str));
                } else {
                    consumer3.accept(exc);
                }
            }
        });
    }

    public AuthToken getByClaims(Map<String, Object> map) throws NoSuchAuthTokenException, InvalidTokenException {
        CompletableFuture completableFuture = new CompletableFuture();
        Objects.requireNonNull(completableFuture);
        Consumer<AuthToken> consumer = (v1) -> {
            r2.complete(v1);
        };
        Objects.requireNonNull(completableFuture);
        Consumer<NoSuchAuthTokenException> consumer2 = (v1) -> {
            r3.completeExceptionally(v1);
        };
        Objects.requireNonNull(completableFuture);
        getByClaims(map, consumer, consumer2, (v1) -> {
            r4.completeExceptionally(v1);
        });
        try {
            return (AuthToken) completableFuture.get();
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        } catch (ExecutionException e2) {
            if (e2.getCause() instanceof NoSuchAuthTokenException) {
                throw ((NoSuchAuthTokenException) e2.getCause());
            }
            throw new RuntimeException(e2.getCause());
        }
    }

    public void getByClaims(Map<String, Object> map, Consumer<AuthToken> consumer, Consumer<NoSuchAuthTokenException> consumer2, Consumer<Exception> consumer3) throws InvalidTokenException {
        String objects = Objects.toString(map.get("jti"), null);
        Set<String> claimAsSet = getClaimAsSet(map, "aud");
        if (!claimAsSet.contains(this.jwtAudience)) {
            throw new InvalidTokenException("Invalid JWT audience claim. Supplied: " + claimAsSet + "; Expected: " + this.jwtAudience);
        }
        if (objects == null) {
            throw new InvalidTokenException("Supplied auth token does not have an id claim");
        }
        getById(objects, consumer, consumer2, consumer3);
    }

    public void getByIdWithConfigSnapshot(String str, Consumer<AuthToken> consumer, Consumer<NoSuchAuthTokenException> consumer2, Consumer<Exception> consumer3) {
        getById(str, authToken -> {
            if (authToken.getBase().getConfigVersions() == null || authToken.getBase().peekConfigSnapshot() != null) {
                consumer.accept(authToken);
            } else {
                this.configHistoryService.getConfigSnapshot(authToken.getBase().getConfigVersions(), configSnapshot -> {
                    authToken.getBase().setConfigSnapshot(configSnapshot);
                    consumer.accept(authToken);
                }, consumer3);
            }
        }, consumer2, consumer3);
    }

    public AuthToken getByIdWithConfigSnapshot(String str) throws NoSuchAuthTokenException {
        CompletableFuture completableFuture = new CompletableFuture();
        Objects.requireNonNull(completableFuture);
        Consumer<AuthToken> consumer = (v1) -> {
            r2.complete(v1);
        };
        Objects.requireNonNull(completableFuture);
        Consumer<NoSuchAuthTokenException> consumer2 = (v1) -> {
            r3.completeExceptionally(v1);
        };
        Objects.requireNonNull(completableFuture);
        getByIdWithConfigSnapshot(str, consumer, consumer2, (v1) -> {
            r4.completeExceptionally(v1);
        });
        try {
            return (AuthToken) completableFuture.get();
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        } catch (ExecutionException e2) {
            if (e2.getCause() instanceof NoSuchAuthTokenException) {
                throw ((NoSuchAuthTokenException) e2.getCause());
            }
            throw new RuntimeException(e2.getCause());
        }
    }

    public AuthToken create(User user, CreateAuthTokenRequest createAuthTokenRequest) throws TokenCreationException {
        ConfigSnapshot currentConfigSnapshot;
        Set<String> roles;
        Set<String> searchGuardRoles;
        Map<String, Object> structuredAttributes;
        if (this.config == null || !this.config.isEnabled()) {
            throw new TokenCreationException("Auth token handling is not enabled", RestStatus.INTERNAL_SERVER_ERROR);
        }
        if (log.isDebugEnabled()) {
            log.debug("create(user: " + user + ", request: " + createAuthTokenRequest + ")");
        }
        if (USER_TYPE.equals(user.getType())) {
            log.debug("User is based on an auth token. Resulting auth token will be based on the original one");
            String str = (String) user.getSpecialAuthzConfig();
            try {
                AuthToken byIdWithConfigSnapshot = getByIdWithConfigSnapshot(str);
                currentConfigSnapshot = byIdWithConfigSnapshot.getBase().getConfigSnapshot();
                roles = new HashSet(byIdWithConfigSnapshot.getBase().getBackendRoles());
                searchGuardRoles = new HashSet(byIdWithConfigSnapshot.getBase().getSearchGuardRoles());
                structuredAttributes = byIdWithConfigSnapshot.getBase().getAttributes();
            } catch (NoSuchAuthTokenException e) {
                this.componentState.addLastException("create", e);
                throw new TokenCreationException("Error while creating auth token: Could not find base token " + str, RestStatus.INTERNAL_SERVER_ERROR, e);
            }
        } else {
            currentConfigSnapshot = ((createAuthTokenRequest.isFreezePrivileges() && this.config.getFreezePrivileges() == AuthTokenServiceConfig.FreezePrivileges.USER_CHOOSES) || this.config.getFreezePrivileges() == AuthTokenServiceConfig.FreezePrivileges.ALWAYS) ? this.configHistoryService.getCurrentConfigSnapshot(CType.ROLES, CType.ROLESMAPPING, CType.ACTIONGROUPS, CType.TENANTS) : null;
            roles = user.getRoles();
            searchGuardRoles = user.getSearchGuardRoles();
            structuredAttributes = user.getStructuredAttributes();
        }
        String randomId = getRandomId();
        AuthTokenPrivilegeBase authTokenPrivilegeBase = new AuthTokenPrivilegeBase(restrictRoles(createAuthTokenRequest, roles), restrictRoles(createAuthTokenRequest, searchGuardRoles), structuredAttributes, currentConfigSnapshot != null ? currentConfigSnapshot.getConfigVersions() : null);
        if (log.isDebugEnabled()) {
            log.debug("base for auth token " + createAuthTokenRequest + ": " + authTokenPrivilegeBase);
        }
        authTokenPrivilegeBase.setConfigSnapshot(currentConfigSnapshot);
        if (authTokenPrivilegeBase.getBackendRoles().size() == 0 && authTokenPrivilegeBase.getSearchGuardRoles().size() == 0) {
            throw new TokenCreationException("Cannot create token. The resulting token would have no privileges as the specified roles do not intersect with the user's roles. Specified: " + createAuthTokenRequest.getRequestedPrivileges().getRoles() + " User: " + roles + " + " + searchGuardRoles, RestStatus.BAD_REQUEST);
        }
        if (this.maxTokensPerUser == 0) {
            throw new TokenCreationException("Cannot create token. max_tokens_per_user is set to 0", RestStatus.FORBIDDEN);
        }
        if (this.maxTokensPerUser > 0 && countAuthTokensOfUser(user) + 1 > this.maxTokensPerUser) {
            throw new TokenCreationException("Cannot create token. Token limit per user exceeded. Max number of allowed tokens is " + this.maxTokensPerUser, RestStatus.FORBIDDEN);
        }
        OffsetDateTime withNano = OffsetDateTime.now().withNano(0);
        OffsetDateTime expiryTime = getExpiryTime(withNano, createAuthTokenRequest);
        AuthToken authToken = new AuthToken(randomId, user.getName(), createAuthTokenRequest.getTokenName(), createAuthTokenRequest.getRequestedPrivileges().excludeClusterPermissions(this.config.getExcludeClusterPermissions()), authTokenPrivilegeBase, withNano.toInstant(), expiryTime != null ? expiryTime.toInstant() : null, null);
        try {
            updateAuthToken(authToken, PushAuthTokenUpdateRequest.UpdateType.NEW);
            return authToken;
        } catch (Exception e2) {
            this.componentState.addLastException("create", e2);
            throw new TokenCreationException("Error while creating token", RestStatus.INTERNAL_SERVER_ERROR, e2);
        }
    }

    public CreateAuthTokenResponse createJwt(User user, CreateAuthTokenRequest createAuthTokenRequest) throws TokenCreationException {
        String serialize;
        if (this.jwsSigner == null) {
            throw new TokenCreationException("AuthTokenProvider is not configured", RestStatus.INTERNAL_SERVER_ERROR);
        }
        AuthToken create = create(user, createAuthTokenRequest);
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        builder.notBeforeTime(Date.from(create.getCreationTime()));
        if (create.getExpiryTime() != null) {
            builder.expirationTime(Date.from(create.getExpiryTime()));
        }
        builder.subject(user.getName());
        builder.jwtID(create.getId());
        builder.audience(this.config.getJwtAud());
        builder.claim("requested", ObjectTreeXContent.toObjectTree(create.getRequestedPrivileges()));
        builder.claim("base", ObjectTreeXContent.toObjectTree(create.getBase(), AuthTokenPrivilegeBase.COMPACT));
        try {
            SignedJWT signedJWT = (SignedJWT) PrivilegedCode.execute(() -> {
                return new SignedJWT(new JWSHeader(asJwsAlgorithm(this.signingKey.getAlgorithm())), builder.build());
            });
            signedJWT.sign(this.jwsSigner);
            if (this.jweEncrypter != null) {
                JWEObject jWEObject = (JWEObject) PrivilegedCode.execute(() -> {
                    return new JWEObject(new JWEHeader.Builder(asJweAlgorithm(this.encryptionKey.getAlgorithm()), CONTENT_ENCRYPTION_METHOD).customParam("sg_p", "n").build(), new Payload(signedJWT));
                });
                jWEObject.encrypt(this.jweEncrypter);
                serialize = jWEObject.serialize();
            } else {
                serialize = signedJWT.serialize();
            }
            return new CreateAuthTokenResponse(create, serialize);
        } catch (Exception e) {
            this.componentState.addLastException("createJwt", new ComponentState.ExceptionRecord(e, "Error while creating JWT. Possibly the key configuration is not valid."));
            log.error("Error while creating JWT. Possibly the key configuration is not valid.", e);
            throw new TokenCreationException("Error while creating JWT. Possibly the key configuration is not valid.", RestStatus.INTERNAL_SERVER_ERROR, e);
        }
    }

    public CreateAuthTokenResponse createLightweightJwt(User user, CreateAuthTokenRequest createAuthTokenRequest) throws TokenCreationException {
        String serialize;
        if (this.jwsSigner == null) {
            throw new TokenCreationException("AuthTokenProvider is not configured", RestStatus.INTERNAL_SERVER_ERROR);
        }
        AuthToken create = create(user, createAuthTokenRequest);
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        builder.notBeforeTime(Date.from(create.getCreationTime()));
        if (create.getExpiryTime() != null) {
            builder.expirationTime(Date.from(create.getExpiryTime()));
        }
        builder.subject(user.getName());
        builder.jwtID(create.getId());
        builder.audience(this.config.getJwtAud());
        try {
            SignedJWT signedJWT = new SignedJWT(new JWSHeader(this.signingKey.getAlgorithm()), builder.build());
            signedJWT.sign(this.jwsSigner);
            if (this.jweEncrypter != null) {
                JWEObject jWEObject = new JWEObject(new JWEHeader(this.encryptionKey.getAlgorithm(), CONTENT_ENCRYPTION_METHOD), new Payload(signedJWT));
                jWEObject.encrypt(this.jweEncrypter);
                serialize = jWEObject.serialize();
            } else {
                serialize = signedJWT.serialize();
            }
            return new CreateAuthTokenResponse(create, serialize);
        } catch (Exception e) {
            log.error("Error while creating JWT. Possibly the key configuration is not valid.", e);
            throw new TokenCreationException("Error while creating JWT. Possibly the key configuration is not valid.", RestStatus.INTERNAL_SERVER_ERROR, e);
        }
    }

    public JWT getVerifiedJwtToken(String str) throws BadJWTException, ParseException, JOSEException {
        return this.jwtVerifier.getVerfiedJwt(str);
    }

    public String revoke(User user, String str) throws NoSuchAuthTokenException, TokenUpdateException {
        if (log.isTraceEnabled()) {
            log.trace("revoke(" + user + ", " + str + ")");
        }
        AuthToken byId = getById(str);
        if (byId.getRevokedAt() != null) {
            log.info("Auth token " + byId + " was already revoked");
            return "Auth token was already revoked";
        }
        String updateAuthToken = updateAuthToken(byId.getRevokedInstance(), PushAuthTokenUpdateRequest.UpdateType.REVOKED);
        return updateAuthToken != null ? updateAuthToken : "Auth token has been revoked";
    }

    public void setConfig(AuthTokenServiceConfig authTokenServiceConfig) {
        if (authTokenServiceConfig == null) {
            return;
        }
        this.idToAuthTokenMap = ((CacheConfig) Optional.ofNullable(authTokenServiceConfig.getCacheConfig()).orElse(AuthTokenServiceConfig.DEFAULT_TOKEN_CACHE_CONFIG)).build();
        this.config = authTokenServiceConfig;
        this.jwtAudience = authTokenServiceConfig.getJwtAud();
        this.maxTokensPerUser = authTokenServiceConfig.getMaxTokensPerUser();
        setKeys(authTokenServiceConfig.getJwtSigningKey(), authTokenServiceConfig.getJwtEncryptionKey());
    }

    private void init(ProtectedConfigIndexService.FailureListener failureListener) {
        initComplete();
        failureListener.onSuccess();
        this.componentState.updateStateFromParts();
    }

    private synchronized void initComplete() {
        this.initialized = true;
        notifyAll();
    }

    public synchronized void waitForInitComplete(long j) {
        if (this.initialized) {
            return;
        }
        try {
            wait(j);
        } catch (InterruptedException e) {
        }
        if (!this.initialized) {
            throw new RuntimeException(this + " did not initialize after " + j);
        }
    }

    public String pushAuthTokenUpdate(PushAuthTokenUpdateRequest pushAuthTokenUpdateRequest) {
        if (log.isDebugEnabled()) {
            log.debug("got auth token update: " + pushAuthTokenUpdateRequest);
        }
        AuthToken updatedToken = pushAuthTokenUpdateRequest.getUpdatedToken();
        if (!getTokenFromCache(updatedToken.getId()).isPresent()) {
            return "Auth token is not cached";
        }
        addTokenToCache(updatedToken.getId(), updatedToken);
        return "Auth token updated";
    }

    private String updateAuthToken(AuthToken authToken, PushAuthTokenUpdateRequest.UpdateType updateType) throws TokenUpdateException {
        AuthToken authToken2;
        try {
            authToken2 = getById(authToken.getId());
        } catch (NoSuchAuthTokenException e) {
            authToken2 = null;
        }
        if (updateType == PushAuthTokenUpdateRequest.UpdateType.NEW && authToken2 != null) {
            throw new TokenUpdateException("Token ID already exists: " + authToken.getId());
        }
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            try {
                authToken.toXContent(jsonBuilder, ToXContent.EMPTY_PARAMS);
                DocWriteResponse docWriteResponse = (DocWriteResponse) this.privilegedConfigClient.index(new IndexRequest(this.indexName).id(authToken.getId()).source(jsonBuilder).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)).actionGet();
                if (log.isDebugEnabled()) {
                    log.debug("Token stored: " + docWriteResponse);
                }
                if (jsonBuilder != null) {
                    jsonBuilder.close();
                }
                if (!this.sendTokenUpdates) {
                    return "Update disabled";
                }
                try {
                    PushAuthTokenUpdateResponse pushAuthTokenUpdateResponse = (PushAuthTokenUpdateResponse) this.privilegedConfigClient.execute(PushAuthTokenUpdateAction.INSTANCE, new PushAuthTokenUpdateRequest(authToken, updateType, 0L)).actionGet();
                    if (log.isDebugEnabled()) {
                        log.debug("Token update pushed: " + pushAuthTokenUpdateResponse);
                    }
                    if (pushAuthTokenUpdateResponse.hasFailures()) {
                        return "Update partially failed: " + pushAuthTokenUpdateResponse.failures();
                    }
                    return null;
                } catch (Exception e2) {
                    log.warn("Token update push failed: " + authToken, e2);
                    return "Update partially failed: " + e2;
                }
            } finally {
            }
        } catch (Exception e3) {
            if (authToken2 != null) {
                addTokenToCache(authToken2.getId(), authToken2);
            } else {
                removeTokenFromCache(authToken.getId());
            }
            log.warn("Error while storing token " + authToken, e3);
            throw new TokenUpdateException(e3);
        }
    }

    private long countAuthTokensOfUser(User user) {
        SearchResponse searchResponse = (SearchResponse) this.privilegedConfigClient.search(new SearchRequest(new String[]{getIndexName()}).source(new SearchSourceBuilder().query(QueryBuilders.termQuery("user_name", user.getName())).size(0))).actionGet();
        try {
            long j = searchResponse.getHits().getTotalHits().value;
            searchResponse.decRef();
            return j;
        } catch (Throwable th) {
            searchResponse.decRef();
            throw th;
        }
    }

    private OffsetDateTime getExpiryTime(OffsetDateTime offsetDateTime, CreateAuthTokenRequest createAuthTokenRequest) {
        OffsetDateTime offsetDateTime2 = null;
        OffsetDateTime offsetDateTime3 = null;
        if (createAuthTokenRequest.getExpiresAfter() != null) {
            offsetDateTime2 = offsetDateTime.plus(createAuthTokenRequest.getExpiresAfter());
        }
        if (this.config.getMaxValidity() != null) {
            offsetDateTime3 = offsetDateTime.plus(this.config.getMaxValidity());
        }
        if (offsetDateTime2 == null) {
            offsetDateTime2 = offsetDateTime3;
        } else if (offsetDateTime2 != null && offsetDateTime3 != null && offsetDateTime3.isBefore(offsetDateTime2)) {
            offsetDateTime2 = offsetDateTime3;
        }
        return offsetDateTime2;
    }

    private String getRandomId() {
        UUID randomUUID = UUID.randomUUID();
        ByteBuffer wrap = ByteBuffer.wrap(new byte[16]);
        wrap.putLong(randomUUID.getMostSignificantBits());
        wrap.putLong(randomUUID.getLeastSignificantBits());
        return BaseEncoding.base64Url().encode(wrap.array()).replace("=", "");
    }

    void initJwtProducer() {
        try {
            if (this.signingKey != null) {
                this.jwsSigner = new DefaultJWSSignerFactory().createJWSSigner(this.signingKey);
                this.jwtVerifier = new JwtVerifier(this.signingKey, this.encryptionKey, this.jwtAudience);
            } else {
                this.jwsSigner = null;
                this.jwtVerifier = null;
            }
            if (this.encryptionKey != null) {
                this.jweEncrypter = createJweEncrypter(this.encryptionKey);
            } else {
                this.jweEncrypter = null;
            }
        } catch (Exception e) {
            this.componentState.setFailed(e);
            this.componentState.setSubState("jwt_producer_not_initialized");
            this.jwsSigner = null;
            this.jweEncrypter = null;
            log.error("Error while initializing JWT producer in AuthTokenProvider", e);
        }
    }

    public JWK getSigningKey() {
        return this.signingKey;
    }

    public void setSigningKey(JWK jwk) {
        if (Objects.equals(this.signingKey, jwk)) {
            return;
        }
        log.info("Updating signing key for " + this);
        this.signingKey = jwk;
        initJwtProducer();
    }

    public JWK getEncryptionKey() {
        return this.encryptionKey;
    }

    public void setEncryptionKey(JWK jwk) {
        if (Objects.equals(this.encryptionKey, jwk)) {
            return;
        }
        log.info("Updating encryption key for " + this);
        this.encryptionKey = jwk;
        initJwtProducer();
    }

    public void setKeys(JWK jwk, JWK jwk2) {
        if (Objects.equals(this.signingKey, jwk) && Objects.equals(this.encryptionKey, jwk2)) {
            return;
        }
        log.info("Updating keys for " + this);
        this.signingKey = jwk;
        this.encryptionKey = jwk2;
        initJwtProducer();
    }

    private Set<String> getClaimAsSet(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        return obj == null ? Collections.emptySet() : obj instanceof Collection ? (Set) ((Collection) obj).stream().map(obj2 -> {
            return String.valueOf(obj2);
        }).collect(Collectors.toSet()) : Collections.singleton(String.valueOf(obj));
    }

    private Set<String> restrictRoles(CreateAuthTokenRequest createAuthTokenRequest, Set<String> set) {
        return createAuthTokenRequest.getRequestedPrivileges().getRoles() != null ? Sets.intersection(new HashSet((Collection) createAuthTokenRequest.getRequestedPrivileges().getRoles()), set) : set;
    }

    public void provide(User user, ThreadContext threadContext, Consumer<SpecialPrivilegesEvaluationContext> consumer, Consumer<Exception> consumer2) {
        if (this.config == null || !this.config.isEnabled()) {
            consumer.accept(null);
            return;
        }
        if (user == null || !USER_TYPE.equals(user.getType())) {
            consumer.accept(null);
            return;
        }
        String str = (String) user.getSpecialAuthzConfig();
        if (log.isDebugEnabled()) {
            log.debug("AuthTokenService.provide(" + user.getName() + ") on " + str);
        }
        Supplier newRestorableContext = threadContext.newRestorableContext(true);
        ThreadContext.StoredContext stashContext = threadContext.stashContext();
        try {
            getByIdWithConfigSnapshot(str, authToken -> {
                ThreadContext.StoredContext storedContext;
                ConfigModel configModelForSnapshot;
                ThreadContext.StoredContext storedContext2;
                try {
                    try {
                        if (log.isTraceEnabled()) {
                            log.trace("Got token: " + authToken);
                        }
                        if (authToken.isRevoked()) {
                            log.info("Using revoked auth token: " + authToken);
                            storedContext2 = (ThreadContext.StoredContext) newRestorableContext.get();
                            try {
                                consumer.accept(null);
                                if (storedContext2 != null) {
                                    storedContext2.close();
                                    return;
                                }
                                return;
                            } finally {
                            }
                        }
                        if (authToken.getBase().getConfigSnapshot() == null) {
                            configModelForSnapshot = getCurrentConfigModel();
                        } else {
                            if (authToken.getBase().getConfigSnapshot().hasMissingConfigVersions()) {
                                throw new RuntimeException("Stored config snapshot is not complete: " + authToken);
                            }
                            configModelForSnapshot = this.configHistoryService.getConfigModelForSnapshot(authToken.getBase().getConfigSnapshot());
                        }
                        User build = user.copy().backendRoles(authToken.getBase().getBackendRoles()).searchGuardRoles(authToken.getBase().getSearchGuardRoles()).build();
                        ImmutableSet evaluate = configModelForSnapshot.getRoleMapping().evaluate(build, (TransportAddress) threadContext.getTransient("_sg_remote_address"), this.privilegesEvaluator.getRolesMappingResolution());
                        if (log.isDebugEnabled()) {
                            log.debug("AuthTokenService.provide returns SpecialPrivilegesEvaluationContext for " + user + "\nuserWithRoles: " + build + "\nmappedBaseRoles: " + evaluate);
                        }
                        RestrictedActionAuthorization restrictedActionAuthorization = new RestrictedActionAuthorization(configModelForSnapshot.getActionAuthorization(), authToken.getRequestedPrivileges(), configModelForSnapshot.getActionGroups(), this.actions, null, this.privilegesEvaluator.getAllConfiguredTenantNames(), null);
                        storedContext2 = (ThreadContext.StoredContext) newRestorableContext.get();
                        try {
                            consumer.accept(new SpecialPrivilegesEvaluationContextImpl(build, evaluate, restrictedActionAuthorization, configModelForSnapshot.getRolesConfig(), authToken.getRequestedPrivileges()));
                            if (storedContext2 != null) {
                                storedContext2.close();
                            }
                            return;
                        } finally {
                        }
                    } catch (Exception e) {
                        log.error("Error in provide(" + user + "); authTokenId: " + str, e);
                        storedContext = (ThreadContext.StoredContext) newRestorableContext.get();
                        consumer2.accept(e);
                        if (storedContext == null) {
                        }
                    }
                    consumer2.accept(e);
                    if (storedContext == null) {
                        storedContext.close();
                        return;
                    }
                    return;
                } catch (Throwable th) {
                    if (storedContext != null) {
                        try {
                            storedContext.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
                log.error("Error in provide(" + user + "); authTokenId: " + str, e);
                storedContext = (ThreadContext.StoredContext) newRestorableContext.get();
            }, noSuchAuthTokenException -> {
                ThreadContext.StoredContext storedContext = (ThreadContext.StoredContext) newRestorableContext.get();
                try {
                    consumer2.accept(new ElasticsearchSecurityException("Cannot authenticate user due to invalid auth token " + str, noSuchAuthTokenException, new Object[0]));
                    if (storedContext != null) {
                        storedContext.close();
                    }
                } catch (Throwable th) {
                    if (storedContext != null) {
                        try {
                            storedContext.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }, consumer2);
            if (stashContext != null) {
                stashContext.close();
            }
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void shutdown() {
        this.indexCleanupAgent.shutdown();
    }

    private ConfigModel getCurrentConfigModel() {
        return new ConfigModel(this.privilegesEvaluator.getActionAuthorization(), this.authorizationService.getRoleMapping(), this.privilegesEvaluator.getActionGroups());
    }

    private static JWEEncrypter createJweEncrypter(JWK jwk) throws JOSEException {
        if (jwk instanceof RSAKey) {
            return new RSAEncrypter((RSAKey) jwk);
        }
        if (jwk instanceof OctetSequenceKey) {
            return new AESEncrypter((OctetSequenceKey) jwk);
        }
        if (jwk instanceof ECKey) {
            return new ECDHEncrypter((ECKey) jwk);
        }
        throw new IllegalArgumentException("Unsupported key type for encryption: " + jwk.getKeyType());
    }

    private static JWSAlgorithm asJwsAlgorithm(Algorithm algorithm) {
        return algorithm instanceof JWSAlgorithm ? (JWSAlgorithm) algorithm : JWSAlgorithm.parse(algorithm.getName());
    }

    private static JWEAlgorithm asJweAlgorithm(Algorithm algorithm) {
        return algorithm instanceof JWEAlgorithm ? (JWEAlgorithm) algorithm : JWEAlgorithm.parse(algorithm.getName());
    }

    public String getIndexName() {
        return this.indexName;
    }

    boolean isSendTokenUpdates() {
        return this.sendTokenUpdates;
    }

    void setSendTokenUpdates(boolean z) {
        this.sendTokenUpdates = z;
    }

    public AuthTokenServiceConfig getConfig() {
        return this.config;
    }

    public boolean isInitialized() {
        return this.initialized;
    }

    public ComponentState getComponentState() {
        this.componentState.updateStateFromParts();
        return this.componentState;
    }

    public boolean isEnabled() {
        return this.config != null && this.config.isEnabled();
    }

    private Optional<AuthToken> getTokenFromCache(String str) {
        return Optional.ofNullable(this.idToAuthTokenMap).map(cache -> {
            return (AuthToken) cache.getIfPresent(str);
        });
    }

    private void addTokenToCache(String str, AuthToken authToken) {
        Optional.ofNullable(this.idToAuthTokenMap).ifPresent(cache -> {
            cache.put(str, authToken);
        });
    }

    private void removeTokenFromCache(String str) {
        Optional.ofNullable(this.idToAuthTokenMap).ifPresent(cache -> {
            cache.invalidate(str);
        });
    }
}
