package com.floragunn.searchguard.authc.session.backend;

import com.floragunn.searchguard.authc.AuthenticationDebugLogger;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.rest.HttpAuthenticationFrontend;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import java.util.concurrent.CompletableFuture;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/authc/session/backend/SessionTokenAuthenticationDomain.class */
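/**
 * Authentication domain for requests that present a session token as a bearer JWT.
 *
 * <p>The nested {@link SessionAuthenticator} pulls the token out of the request and turns its
 * claims into {@link AuthCredentials}. {@link #authenticate} then resolves those claims to a
 * stored session through {@link SessionService} and rejects sessions that are revoked or expired.
 *
 * <p>Token verification is delegated to {@code SessionService.getVerifiedJwtToken}, whose
 * implementation is not visible in this file. The security of this domain depends on that call
 * checking the signature before any claim is trusted.
 */
public class SessionTokenAuthenticationDomain implements AuthenticationDomain<HttpAuthenticationFrontend> {
    private static final Logger log = LogManager.getLogger(SessionTokenAuthenticationDomain.class);
    private final SessionService sessionService;
    private final SessionAuthenticator authenticator;
    private final ComponentState componentState = new ComponentState(0, "auth_domain", SessionService.USER_TYPE).initialized();
    private final TimeAggregation authenticationBackendMetrics = new TimeAggregation.Milliseconds();

    /**
     * HTTP frontend that extracts a session JWT from the request and maps it to credentials.
     */
    public static class SessionAuthenticator implements HttpAuthenticationFrontend {
        private final SessionService sessionService;
        private final ComponentState componentState = new ComponentState(0, "authentication_frontend", SessionService.USER_TYPE).initialized();
        // Header the bearer token is read from.
        private final String jwtHeaderName = "Authorization";
        // Claim the user name is taken from; a fixed, non-null constant in this class.
        private final String subjectKey = "sub";

        /**
         * @param sessionService service used to verify incoming session tokens
         */
        public SessionAuthenticator(SessionService sessionService) {
            this.sessionService = sessionService;
        }

        /**
         * @return the session user type, {@code SessionService.USER_TYPE}
         */
        @Override
        public String getType() {
            return SessionService.USER_TYPE;
        }

        /**
         * Builds credentials from the bearer token of the request.
         *
         * @param requestMetaData request whose {@code Authorization} header is inspected
         * @return credentials carrying the subject and all token claims, or {@code null} when the
         *     request has no bearer token, the service returns no verified token, or the token
         *     has no usable subject
         * @throws CredentialsException if the token is rejected with a {@link JwtException}
         */
        @Override
        public AuthCredentials extractCredentials(RequestMetaData<?> requestMetaData) throws CredentialsException {
            String bearerToken = requestMetaData.getAuthorizationByScheme(this.jwtHeaderName, "bearer");
            if (Strings.isNullOrEmpty(bearerToken)) {
                return null;
            }
            try {
                // Claims are only read from the token object returned by the session service.
                JwtToken verifiedJwtToken = this.sessionService.getVerifiedJwtToken(bearerToken);
                if (verifiedJwtToken == null) {
                    return null;
                }
                JwtClaims claims = verifiedJwtToken.getClaims();
                String subject = extractSubject(claims);
                if (subject == null) {
                    // NOTE(review): this writes the full claim set to the log; confirm that the
                    // session claims hold nothing that should stay out of log files.
                    SessionTokenAuthenticationDomain.log.error("No subject found in JWT token: {}", claims);
                    return null;
                }
                return AuthCredentials.forUser(subject).claims(claims.asMap()).complete().build();
            } catch (JwtException e) {
                SessionTokenAuthenticationDomain.log.info("JWT is invalid (" + getType() + ")", e);
                throw new CredentialsException("JWT is invalid", e);
            }
        }

        /**
         * Reads the user name from the claim named by {@code subjectKey}.
         *
         * @param jwtClaims claims of the verified token
         * @return the subject as a string, or {@code null} if the claim is absent
         */
        protected String extractSubject(JwtClaims jwtClaims) {
            String subject = jwtClaims.getSubject();
            // subjectKey is a non-null constant here, so this branch is always taken.
            if (this.subjectKey != null) {
                Object claim = jwtClaims.getClaim(this.subjectKey);
                if (claim == null) {
                    SessionTokenAuthenticationDomain.log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", this.subjectKey);
                    return null;
                }
                if (claim instanceof String) {
                    subject = (String) claim;
                } else {
                    // A non-string subject is coerced rather than rejected, so the resulting user
                    // name is whatever String.valueOf yields for that claim value.
                    SessionTokenAuthenticationDomain.log.warn("Expected type String for the subject in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", this.subjectKey, claim, claim.getClass());
                    subject = String.valueOf(claim);
                }
            }
            return subject;
        }

        /**
         * @return the component state of this frontend
         */
        public ComponentState getComponentState() {
            return this.componentState;
        }
    }

    /**
     * Creates the domain and registers the frontend state and the backend metrics with the
     * component state. The decompiler reports that this constructor was package-private in the
     * compiled class.
     *
     * @param sessionService service used for token verification and session lookup
     */
    public SessionTokenAuthenticationDomain(SessionService sessionService) {
        this.sessionService = sessionService;
        this.authenticator = new SessionAuthenticator(sessionService);
        this.componentState.addPart(this.authenticator.getComponentState());
        this.componentState.addMetrics("authentication_backend", this.authenticationBackendMetrics);
    }

    /**
     * @return the session token frontend owned by this domain
     */
    @Override
    public HttpAuthenticationFrontend getFrontend() {
        return this.authenticator;
    }

    /**
     * @return the domain id, {@code SessionService.USER_TYPE}
     */
    @Override
    public String getId() {
        return SessionService.USER_TYPE;
    }

    /**
     * Accepts every request; no request-based filtering is applied by this domain.
     */
    @Override
    public boolean accept(RequestMetaData<?> requestMetaData) {
        return true;
    }

    /**
     * Accepts every credential set; no credential-based filtering is applied by this domain.
     */
    @Override
    public boolean accept(AuthCredentials authCredentials) {
        return true;
    }

    /**
     * @return whether the underlying session service is enabled
     */
    @Override
    public boolean isEnabled() {
        return this.sessionService.isEnabled();
    }

    /**
     * @return the domain type, {@code SessionService.USER_TYPE}
     */
    @Override
    public String getType() {
        return SessionService.USER_TYPE;
    }

    /**
     * Resolves the token claims to a stored session and builds the user from it.
     *
     * <p>The returned future completes with the user when the session exists, is not revoked and
     * passes the expiry check. It completes with {@code null} when no session matches the claims
     * or the token is reported invalid, and completes exceptionally with a 401
     * {@link ElasticsearchSecurityException} when the session is revoked or expired. Roles and
     * attributes come from the stored session, not from the request.
     *
     * @param authCredentials credentials whose claims identify the session
     * @param authenticationDebugLogger debug logger; not used by this implementation
     * @return future holding the authenticated user, or {@code null} if there is no such session
     */
    @Override
    public CompletableFuture<User> authenticate(AuthCredentials authCredentials, AuthenticationDebugLogger authenticationDebugLogger) throws AuthenticatorUnavailableException, CredentialsException {
        Meter meter = Meter.basic(this.sessionService.getMetricsLevel(), this.authenticationBackendMetrics);
        try {
            CompletableFuture<User> result = new CompletableFuture<>();
            this.sessionService.getByClaims(authCredentials.getClaims(), sessionToken -> {
                if (sessionToken.isRevoked()) {
                    // Every other terminal path closes the meter; this one has to as well,
                    // otherwise rejected revoked sessions never finish their measurement.
                    meter.close();
                    result.completeExceptionally(new ElasticsearchSecurityException("Session " + sessionToken.getId() + " has been expired or deleted", RestStatus.UNAUTHORIZED));
                } else {
                    this.sessionService.checkExpiryAndTrackAccess(sessionToken, stillValid -> {
                        meter.close();
                        if (stillValid) {
                            result.complete(User.forUser(sessionToken.getUserName())
                                    .type(SessionService.USER_TYPE)
                                    .backendRoles(sessionToken.getBase().getBackendRoles())
                                    .searchGuardRoles(sessionToken.getBase().getSearchGuardRoles())
                                    .specialAuthzConfig(sessionToken.getId())
                                    .attributes(sessionToken.getBase().getAttributes())
                                    .authzComplete()
                                    .build());
                        } else {
                            result.completeExceptionally(new ElasticsearchSecurityException("Session " + sessionToken.getId() + " has been expired", RestStatus.UNAUTHORIZED));
                        }
                    }, exc -> {
                        meter.close();
                        result.completeExceptionally(exc);
                    }, meter);
                }
            }, noSuchSessionException -> {
                // Unknown session: report "no user" instead of failing the request here.
                meter.close();
                result.complete(null);
            }, exc -> {
                meter.close();
                result.completeExceptionally(exc);
            }, meter);
            return result;
        } catch (InvalidTokenException e) {
            // NOTE(review): the credentials object is written to the log; confirm that
            // AuthCredentials.toString() leaves out the token and other secret material.
            log.info("Got InvalidTokenException for " + authCredentials, e);
            meter.close();
            return CompletableFuture.completedFuture(null);
        }
    }

    /**
     * Impersonation is not supported for session tokens; the future always holds {@code null}.
     */
    @Override
    public CompletableFuture<User> impersonate(User user, AuthCredentials authCredentials) throws AuthenticatorUnavailableException, CredentialsException {
        return CompletableFuture.completedFuture(null);
    }

    /**
     * Returns {@code false}. Presumably this keeps the revocation and expiry checks in
     * {@link #authenticate} running on every request; confirm against the caller.
     */
    @Override
    public boolean cacheUser() {
        return false;
    }

    @Override
    public String toString() {
        return SessionService.USER_TYPE;
    }

    /**
     * @return the component state of this domain, including the frontend part and backend metrics
     */
    public ComponentState getComponentState() {
        return this.componentState;
    }
}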
