package com.floragunn.searchguard.authc.session.backend;

import com.floragunn.codova.config.templates.AttributeSource;
import com.floragunn.codova.config.templates.ExpressionEvaluationException;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthFailureListener;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.blocking.BlockedIpRegistry;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authc.legacy.LegacySgConfig;
import com.floragunn.searchguard.authc.rest.ClientAddressAscertainer;
import com.floragunn.searchguard.authc.rest.RestAuthcConfig;
import com.floragunn.searchguard.authc.rest.RestRequestMetaData;
import com.floragunn.searchguard.authc.session.ApiAuthenticationFrontend;
import com.floragunn.searchguard.authc.session.ApiAuthenticationProcessor;
import com.floragunn.searchguard.authc.session.backend.PushSessionTokenUpdateAction;
import com.floragunn.searchguard.authc.session.backend.SessionApi;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigMap;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.ProtectedConfigIndexService;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchguard.user.Attributes;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.StaticSettings;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.MetricsLevel;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import com.floragunn.searchsupport.indices.IndexCleanupAgent;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.io.BaseEncoding;
import inet.ipaddr.IPAddress;
import java.nio.ByteBuffer;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.DocWriteResponse;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.IndexNotFoundException;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;

/* loaded from: input_file:com/floragunn/searchguard/authc/session/backend/SessionService.class */
public class SessionService {
    private static final Logger log = LogManager.getLogger(SessionService.class);
    public static final StaticSettings.Attribute<String> INDEX_NAME = StaticSettings.Attribute.define("searchguard.sessions.index.name").withDefault(".searchguard_sessions").asString();
    public static final StaticSettings.Attribute<TimeValue> CLEANUP_INTERVAL = StaticSettings.Attribute.define("searchguard.sessions.cleanup_interval").withDefault(TimeValue.timeValueHours(1)).asTimeValue();
    public static final String USER_TYPE = "session";
    private final PrivilegedConfigClient privilegedConfigClient;
    private final ThreadPool threadPool;
    private final ThreadContext threadContext;
    private final String indexName;
    private final AdminDNs adminDns;
    private final PrivilegesEvaluator privilegesEvaluator;
    private final AuditLog auditLog;
    private final BlockedIpRegistry blockedIpRegistry;
    private final BlockedUserRegistry blockedUserRegistry;
    private final ClusterService clusterService;
    private final ComponentState componentState;
    private final ComponentState configComponentState;
    private SessionActivityTracker activityTracker;
    private IndexCleanupAgent indexCleanupAgent;
    private SessionServiceConfig config;
    private JoseJwtProducer jwtProducer;
    private JsonWebKey encryptionKey;
    private JsonWebKey signingKey;
    private JwsSignatureVerifier jwsSignatureVerifier;
    private JweDecryptionProvider jweDecryptionProvider;
    private String jwtAudience;
    private volatile MergedAuthcConfig authcConfig;
    private volatile ClientAddressAscertainer clientAddressAscertainer;
    private final Cache<String, SessionToken> idToAuthTokenMap = CacheBuilder.newBuilder().expireAfterWrite(60, TimeUnit.MINUTES).build();
    private final TimeAggregation startAuthenticatedSessionMetrics = new TimeAggregation.Milliseconds();
    private final TimeAggregation startSessionMetrics = new TimeAggregation.Milliseconds();
    private final TimeAggregation deleteMetrics = new TimeAggregation.Milliseconds();
    private long maxTokensPerUser = 100;
    private boolean initialized = false;
    private List<AuthFailureListener> ipAuthFailureListeners = ImmutableList.empty();

    public SessionService(ConfigurationRepository configurationRepository, PrivilegedConfigClient privilegedConfigClient, StaticSettings staticSettings, PrivilegesEvaluator privilegesEvaluator, AuditLog auditLog, ThreadPool threadPool, ClusterService clusterService, ProtectedConfigIndexService protectedConfigIndexService, SessionServiceConfig sessionServiceConfig, BlockedIpRegistry blockedIpRegistry, BlockedUserRegistry blockedUserRegistry, final ComponentState componentState) {
        this.indexName = (String) staticSettings.get(INDEX_NAME);
        this.privilegedConfigClient = privilegedConfigClient;
        this.threadPool = threadPool;
        this.componentState = componentState;
        this.configComponentState = componentState.getOrCreatePart("config", "sg_config");
        this.threadContext = threadPool.getThreadContext();
        this.adminDns = new AdminDNs(staticSettings.getPlatformSettings());
        this.privilegesEvaluator = privilegesEvaluator;
        this.auditLog = auditLog;
        this.blockedIpRegistry = blockedIpRegistry;
        this.blockedUserRegistry = blockedUserRegistry;
        this.clusterService = clusterService;
        this.activityTracker = new SessionActivityTracker(sessionServiceConfig.getInactivityTimeout() != null ? sessionServiceConfig.getInactivityTimeout() : Duration.ofHours(1L), this, this.indexName, privilegedConfigClient, threadPool);
        this.componentState.addPart(this.activityTracker.getComponentState());
        this.componentState.addMetrics("start_session_with_authentication", this.startAuthenticatedSessionMetrics);
        this.componentState.addMetrics("start_session_with_external_authentication", this.startSessionMetrics);
        this.componentState.addMetrics("delete_session", this.deleteMetrics);
        setConfig(sessionServiceConfig);
        componentState.addPart(protectedConfigIndexService.createIndex(new ProtectedConfigIndexService.ConfigIndex(this.indexName).mapping(SessionToken.INDEX_MAPPING).onIndexReady(this::init)));
        if (this.activityTracker != null) {
            this.indexCleanupAgent = new IndexCleanupAgent(this.indexName, () -> {
                return QueryBuilders.boolQuery().should(QueryBuilders.rangeQuery(SessionToken.DYNAMIC_EXPIRES_AT).lt(Long.valueOf(System.currentTimeMillis()))).should(QueryBuilders.rangeQuery(SessionToken.EXPIRES_AT).lt(Long.valueOf(System.currentTimeMillis())));
            }, (TimeValue) staticSettings.get(CLEANUP_INTERVAL), privilegedConfigClient, clusterService, threadPool);
        } else {
            this.indexCleanupAgent = new IndexCleanupAgent(this.indexName, SessionToken.EXPIRES_AT, (TimeValue) staticSettings.get(CLEANUP_INTERVAL), privilegedConfigClient, clusterService, threadPool);
        }
        componentState.addPart(this.indexCleanupAgent.getComponentState());
        configurationRepository.subscribeOnChange(new ConfigurationChangeListener() { // from class: com.floragunn.searchguard.authc.session.backend.SessionService.1
            @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
            public void onChange(ConfigMap configMap) {
                SgDynamicConfiguration sgDynamicConfiguration = configMap.get(CType.FRONTEND_AUTHC);
                SgDynamicConfiguration sgDynamicConfiguration2 = configMap.get(CType.AUTHC);
                SgDynamicConfiguration sgDynamicConfiguration3 = configMap.get(CType.CONFIG);
                RestAuthcConfig restAuthcConfig = null;
                if (sgDynamicConfiguration2 != null && sgDynamicConfiguration2.getCEntry("default") != null) {
                    restAuthcConfig = (RestAuthcConfig) sgDynamicConfiguration2.getCEntry("default");
                    componentState.replacePartsWithType("config", sgDynamicConfiguration2.getComponentState());
                } else if (sgDynamicConfiguration3 == null || sgDynamicConfiguration3.getCEntry("sg_config") == null) {
                    componentState.setState(ComponentState.State.SUSPENDED, "no_configuration");
                } else {
                    restAuthcConfig = ((LegacySgConfig) sgDynamicConfiguration3.getCEntry("sg_config")).getRestAuthcConfig();
                    componentState.replacePartsWithType("config", sgDynamicConfiguration3.getComponentState());
                }
                if (sgDynamicConfiguration != null) {
                    componentState.addPart(sgDynamicConfiguration.getComponentState());
                }
                if (SessionService.log.isDebugEnabled()) {
                    SessionService.log.debug("New configuration:\nFrontendConfig: " + String.valueOf(sgDynamicConfiguration) + "\nRestAuthcConfig: " + String.valueOf(restAuthcConfig));
                }
                MergedAuthcConfig mergedAuthcConfig = new MergedAuthcConfig(sgDynamicConfiguration, restAuthcConfig);
                SessionService.this.authcConfig = mergedAuthcConfig;
                componentState.replacePartsWithType("auth_domain", (Collection) mergedAuthcConfig.getAuthenticationDomains().stream().map(authenticationDomain -> {
                    return authenticationDomain.getComponentState();
                }).collect(Collectors.toList()));
                SessionService.this.clientAddressAscertainer = ClientAddressAscertainer.create(restAuthcConfig != null ? restAuthcConfig.getNetwork() : null);
                SessionService.this.configComponentState.initialized();
                componentState.updateStateFromParts();
            }
        });
    }

    public void authenticateAndCreateSession(Map<String, Object> map, RestRequest restRequest, Consumer<SessionApi.StartSessionResponse> consumer, Consumer<AuthcResult> consumer2, Consumer<Exception> consumer3) {
        if (this.config == null) {
            consumer3.accept(new SessionCreationException("SessionService is not configured", RestStatus.INTERNAL_SERVER_ERROR));
        } else {
            Meter basic = Meter.basic(getMetricsLevel(), this.startAuthenticatedSessionMetrics);
            authenticate(map, restRequest, this.config.getRequiredLoginPrivileges(), authcResult -> {
                if (authcResult.getStatus() == AuthcResult.Status.PASS) {
                    this.threadPool.generic().submit(() -> {
                        try {
                            SessionApi.StartSessionResponse createLightweightJwt = createLightweightJwt(authcResult.getUser(), authcResult.getRedirectUri(), basic);
                            basic.close();
                            this.auditLog.logSucceededKibanaLogin(authcResult.getUser());
                            consumer.accept(createLightweightJwt);
                        } catch (SessionCreationException e) {
                            basic.close();
                            log.info("Creating token failed", e);
                            consumer2.accept(AuthcResult.stop(e.getRestStatus(), e.getMessage()));
                        } catch (Exception e2) {
                            basic.close();
                            consumer3.accept(e2);
                        }
                    });
                } else {
                    basic.close();
                    consumer2.accept(authcResult);
                }
            }, basic.consumer(consumer3), basic);
        }
    }

    public CompletableFuture<SessionApi.StartSessionResponse> createSession(User user) {
        CompletableFuture<SessionApi.StartSessionResponse> completableFuture = new CompletableFuture<>();
        Meter basic = Meter.basic(getMetricsLevel(), this.startSessionMetrics);
        this.threadPool.generic().submit(() -> {
            try {
                try {
                    SessionApi.StartSessionResponse createLightweightJwt = createLightweightJwt(user, null, basic);
                    this.auditLog.logSucceededKibanaLogin(user);
                    completableFuture.complete(createLightweightJwt);
                    basic.close();
                } catch (Exception e) {
                    log.error("Creating token failed", e);
                    completableFuture.completeExceptionally(e);
                    basic.close();
                }
            } catch (Throwable th) {
                basic.close();
                throw th;
            }
        });
        return completableFuture;
    }

    public String getSsoLogoutUrl(User user) {
        String logoutUrl;
        String attributeAsString = user.getAttributeAsString(Attributes.AUTH_TYPE);
        if (attributeAsString == null) {
            return (String) this.threadPool.getThreadContext().getTransient(ConfigConstants.SSO_LOGOUT_URL);
        }
        String attributeAsString2 = user.getAttributeAsString(Attributes.FRONTEND_CONFIG_ID);
        if (attributeAsString2 == null) {
            attributeAsString2 = "default";
        }
        ImmutableList<AuthenticationDomain<ApiAuthenticationFrontend>> immutableList = this.authcConfig.get(attributeAsString2);
        if (immutableList == null) {
            log.error("Cannot determine logoutUrl because frontend config " + attributeAsString2 + " is not known: " + String.valueOf(user));
            return null;
        }
        for (AuthenticationDomain authenticationDomain : (List) immutableList.stream().filter(authenticationDomain2 -> {
            return attributeAsString.equals(((ApiAuthenticationFrontend) authenticationDomain2.getFrontend()).getType());
        }).collect(Collectors.toList())) {
            try {
                logoutUrl = ((ApiAuthenticationFrontend) authenticationDomain.getFrontend()).getLogoutUrl(user);
            } catch (Exception e) {
                log.error("Error while determining logoutUrl via " + String.valueOf(authenticationDomain), e);
            }
            if (logoutUrl != null) {
                return logoutUrl;
            }
        }
        return null;
    }

    private void authenticate(Map<String, Object> map, RestRequest restRequest, List<String> list, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2, Meter meter) {
        Meter basic = meter.basic("authenticate");
        try {
            ClientAddressAscertainer.ClientIpInfo actualRemoteAddress = this.clientAddressAscertainer.getActualRemoteAddress(restRequest);
            IPAddress originatingIpAddress = actualRemoteAddress.getOriginatingIpAddress();
            if (log.isTraceEnabled()) {
                log.trace("Rest authentication request from {} [original: {}]", originatingIpAddress, restRequest.getHttpChannel().getRemoteAddress());
            }
            if (actualRemoteAddress.isTrustedProxy()) {
                this.threadContext.putTransient(ConfigConstants.SG_XFF_DONE, Boolean.TRUE);
            }
            this.threadContext.putTransient(ConfigConstants.SG_REMOTE_ADDRESS, actualRemoteAddress.getOriginatingTransportAddress());
            if (this.blockedIpRegistry.isIpBlocked(originatingIpAddress)) {
                if (log.isDebugEnabled()) {
                    log.debug("Rejecting REST request because of blocked address: " + String.valueOf(originatingIpAddress));
                }
                basic.close();
                this.auditLog.logBlockedIp(restRequest, actualRemoteAddress.getOriginatingTransportAddress().address());
                consumer.accept(new AuthcResult(AuthcResult.Status.STOP, RestStatus.UNAUTHORIZED, ConfigConstants.UNAUTHORIZED));
                return;
            }
            String obj = map.get("config_id") != null ? map.get("config_id").toString() : "default";
            List list2 = this.authcConfig.get(obj);
            if (list2 == null) {
                log.error("Invalid config_id: " + obj + "; available: " + String.valueOf(this.authcConfig));
                basic.close();
                consumer.accept(new AuthcResult(AuthcResult.Status.STOP, RestStatus.BAD_REQUEST, "Invalid config_id"));
                return;
            }
            if (log.isDebugEnabled()) {
                log.debug("Using auth domains from frontend config " + obj + ": " + String.valueOf(list2));
            }
            String obj2 = map.get("mode") != null ? map.get("mode").toString() : null;
            if (obj2 != null) {
                list2 = (List) list2.stream().filter(authenticationDomain -> {
                    return obj2.equals(((ApiAuthenticationFrontend) authenticationDomain.getFrontend()).getType());
                }).collect(Collectors.toList());
            }
            String obj3 = map.get("id") != null ? map.get("id").toString() : null;
            if (obj3 != null) {
                list2 = (List) list2.stream().filter(authenticationDomain2 -> {
                    return obj3.equals(authenticationDomain2.getId());
                }).collect(Collectors.toList());
            }
            if (log.isDebugEnabled()) {
                log.debug("Auth domains after filtering by mode " + obj2 + " and id " + obj3 + ": " + String.valueOf(list2));
            }
            new ApiAuthenticationProcessor(map, new RestRequestMetaData(restRequest, originatingIpAddress, (String) null), list2, this.adminDns, this.privilegesEvaluator, this.auditLog, this.blockedUserRegistry, this.ipAuthFailureListeners, list, this.authcConfig.isDebugEnabled(obj)).authenticate(basic.consumer(consumer), basic.consumer(consumer2));
        } catch (ElasticsearchStatusException e) {
            consumer2.accept(e);
        }
    }

    private SessionApi.StartSessionResponse createLightweightJwt(User user, String str, Meter meter) throws SessionCreationException {
        if (this.jwtProducer == null) {
            throw new SessionCreationException("SessionService is not configured", RestStatus.INTERNAL_SERVER_ERROR);
        }
        SessionToken create = create(user, meter);
        JwtClaims jwtClaims = new JwtClaims();
        JwtToken jwtToken = new JwtToken(jwtClaims);
        jwtClaims.setNotBefore(Long.valueOf(create.getCreationTime().getEpochSecond()));
        if (create.getExpiryTime() != null) {
            jwtClaims.setExpiryTime(Long.valueOf(create.getExpiryTime().getEpochSecond()));
        }
        jwtClaims.setSubject(user.getName());
        jwtClaims.setTokenId(create.getId());
        jwtClaims.setAudience(this.jwtAudience);
        try {
            return new SessionApi.StartSessionResponse(this.jwtProducer.processJwt(jwtToken), str);
        } catch (Exception e) {
            log.error("Error while creating JWT. Possibly the key configuration is not valid.", e);
            throw new SessionCreationException("Error while creating JWT. Possibly the key configuration is not valid.", RestStatus.INTERNAL_SERVER_ERROR, e);
        }
    }

    public SessionToken getById(String str, Meter meter) throws NoSuchSessionException {
        SessionToken sessionToken = (SessionToken) this.idToAuthTokenMap.getIfPresent(str);
        return sessionToken != null ? sessionToken : getByIdFromIndex(str, meter);
    }

    public void getById(String str, Consumer<SessionToken> consumer, Consumer<NoSuchSessionException> consumer2, Consumer<Exception> consumer3, Meter meter) {
        SessionToken sessionToken = (SessionToken) this.idToAuthTokenMap.getIfPresent(str);
        if (sessionToken != null) {
            consumer.accept(sessionToken);
        } else {
            getByIdFromIndex(str, consumer, consumer2, consumer3, meter);
        }
    }

    public SessionToken getByIdFromIndex(String str, Meter meter) throws NoSuchSessionException {
        CompletableFuture completableFuture = new CompletableFuture();
        Objects.requireNonNull(completableFuture);
        Consumer<SessionToken> consumer = (v1) -> {
            r2.complete(v1);
        };
        Objects.requireNonNull(completableFuture);
        Consumer<NoSuchSessionException> consumer2 = (v1) -> {
            r3.completeExceptionally(v1);
        };
        Objects.requireNonNull(completableFuture);
        getByIdFromIndex(str, consumer, consumer2, (v1) -> {
            r4.completeExceptionally(v1);
        }, meter);
        try {
            return (SessionToken) completableFuture.get();
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        } catch (ExecutionException e2) {
            if (e2.getCause() instanceof NoSuchSessionException) {
                throw ((NoSuchSessionException) e2.getCause());
            }
            throw new RuntimeException(e2.getCause());
        }
    }

    public void getByIdFromIndex(final String str, final Consumer<SessionToken> consumer, final Consumer<NoSuchSessionException> consumer2, final Consumer<Exception> consumer3, Meter meter) {
        final Meter basic = meter.basic("index_read_by_id");
        this.privilegedConfigClient.get(new GetRequest(this.indexName, str), new ActionListener<GetResponse>() { // from class: com.floragunn.searchguard.authc.session.backend.SessionService.2
            public void onResponse(GetResponse getResponse) {
                if (SessionService.log.isTraceEnabled()) {
                    SessionService.log.trace("SessionService.getByIdFromIndex(" + str + ") =>\n" + Strings.toString(getResponse));
                }
                if (!getResponse.isExists()) {
                    basic.close();
                    consumer2.accept(new NoSuchSessionException(str));
                    return;
                }
                try {
                    SessionToken parse = SessionToken.parse(str, DocNode.parse(Format.JSON).from(getResponse.getSourceAsString()));
                    SessionService.this.idToAuthTokenMap.put(str, parse);
                    basic.close();
                    consumer.accept(parse);
                } catch (ConfigValidationException e) {
                    basic.close();
                    consumer3.accept(new RuntimeException("Token " + str + " is not stored in a valid format", e));
                } catch (Exception e2) {
                    basic.close();
                    SessionService.log.error(e2);
                    consumer3.accept(e2);
                }
            }

            public void onFailure(Exception exc) {
                basic.close();
                if (exc instanceof IndexNotFoundException) {
                    consumer2.accept(new NoSuchSessionException(str));
                } else {
                    consumer3.accept(exc);
                }
            }
        });
    }

    public String delete(User user, SessionToken sessionToken) throws NoSuchSessionException, SessionUpdateException {
        Meter basic = Meter.basic(getMetricsLevel(), this.deleteMetrics);
        try {
            if (log.isTraceEnabled()) {
                log.trace("delete(" + String.valueOf(user) + ", " + sessionToken.getId() + ")");
            }
            SessionToken byId = getById(sessionToken.getId(), basic);
            if (byId.getRevokedAt() != null) {
                log.info("Session token " + String.valueOf(byId) + " was already revoked");
                if (basic != null) {
                    basic.close();
                }
                return "Session token was already revoked";
            }
            String updateSessionToken = updateSessionToken(byId.getRevokedInstance(), PushSessionTokenUpdateAction.Request.UpdateType.REVOKED, basic);
            this.auditLog.logSucceededKibanaLogout(user);
            if (updateSessionToken != null) {
                if (basic != null) {
                    basic.close();
                }
                return updateSessionToken;
            }
            if (basic != null) {
                basic.close();
            }
            return "Sesion has been deleted";
        } catch (Throwable th) {
            if (basic != null) {
                try {
                    basic.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public SessionToken getByClaims(Map<String, Object> map, Meter meter) throws NoSuchSessionException, InvalidTokenException {
        CompletableFuture completableFuture = new CompletableFuture();
        Objects.requireNonNull(completableFuture);
        Consumer<SessionToken> consumer = (v1) -> {
            r2.complete(v1);
        };
        Objects.requireNonNull(completableFuture);
        Consumer<NoSuchSessionException> consumer2 = (v1) -> {
            r3.completeExceptionally(v1);
        };
        Objects.requireNonNull(completableFuture);
        getByClaims(map, consumer, consumer2, (v1) -> {
            r4.completeExceptionally(v1);
        }, meter);
        try {
            return (SessionToken) completableFuture.get();
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        } catch (ExecutionException e2) {
            if (e2.getCause() instanceof NoSuchSessionException) {
                throw ((NoSuchSessionException) e2.getCause());
            }
            throw new RuntimeException(e2.getCause());
        }
    }

    public void getByClaims(Map<String, Object> map, Consumer<SessionToken> consumer, Consumer<NoSuchSessionException> consumer2, Consumer<Exception> consumer3, Meter meter) throws InvalidTokenException {
        String objects = Objects.toString(map.get("jti"), null);
        Set<String> claimAsSet = getClaimAsSet(map, "aud");
        if (!claimAsSet.contains(this.jwtAudience)) {
            throw new InvalidTokenException("Invalid JWT audience claim. Supplied: " + String.valueOf(claimAsSet) + "; Expected: " + this.jwtAudience);
        }
        if (objects == null) {
            throw new InvalidTokenException("Supplied auth token does not have an id claim");
        }
        getById(objects, consumer, consumer2, consumer3, meter);
    }

    private Set<String> getClaimAsSet(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        return obj == null ? Collections.emptySet() : obj instanceof Collection ? (Set) ((Collection) obj).stream().map(obj2 -> {
            return String.valueOf(obj2);
        }).collect(Collectors.toSet()) : Collections.singleton(String.valueOf(obj));
    }

    private SessionToken create(User user, Meter meter) throws SessionCreationException {
        if (this.config == null || !this.config.isEnabled()) {
            throw new SessionCreationException("Session token handling is not enabled", RestStatus.INTERNAL_SERVER_ERROR);
        }
        if (log.isDebugEnabled()) {
            log.debug("create(user: " + user.toStringWithAttributes() + ")");
        }
        Set<String> roles = user.getRoles();
        Set<String> searchGuardRoles = user.getSearchGuardRoles();
        Map<String, Object> structuredAttributes = user.getStructuredAttributes();
        String randomId = getRandomId();
        SessionPrivileges sessionPrivileges = new SessionPrivileges(roles, searchGuardRoles, structuredAttributes);
        if (this.maxTokensPerUser == 0) {
            throw new SessionCreationException("Cannot create token. max_tokens_per_user is set to 0", RestStatus.FORBIDDEN);
        }
        if (this.maxTokensPerUser > 0 && countSessionsOfUser(user) + 1 > this.maxTokensPerUser) {
            throw new SessionCreationException("Cannot create session. Session limit per user exceeded. Max number of allowed sessions is " + this.maxTokensPerUser, RestStatus.FORBIDDEN);
        }
        OffsetDateTime withNano = OffsetDateTime.now().withNano(0);
        OffsetDateTime expiryTime = getExpiryTime(withNano);
        OffsetDateTime offsetDateTime = null;
        if (this.activityTracker != null) {
            offsetDateTime = withNano.plus((TemporalAmount) this.activityTracker.getInactivityTimeout());
        }
        SessionToken sessionToken = new SessionToken(randomId, user.getName(), sessionPrivileges, withNano.toInstant(), expiryTime != null ? expiryTime.toInstant() : null, offsetDateTime != null ? offsetDateTime.toInstant() : null, null);
        try {
            updateSessionToken(sessionToken, PushSessionTokenUpdateAction.Request.UpdateType.NEW, meter);
            return sessionToken;
        } catch (Exception e) {
            this.componentState.addLastException("create", e);
            throw new SessionCreationException("Error while creating token", RestStatus.INTERNAL_SERVER_ERROR, e);
        }
    }

    private String getRandomId() {
        UUID randomUUID = UUID.randomUUID();
        ByteBuffer wrap = ByteBuffer.wrap(new byte[16]);
        wrap.putLong(randomUUID.getMostSignificantBits());
        wrap.putLong(randomUUID.getLeastSignificantBits());
        return BaseEncoding.base64Url().encode(wrap.array()).replace("=", "");
    }

    private long countSessionsOfUser(User user) {
        SearchResponse searchResponse = (SearchResponse) this.privilegedConfigClient.search(new SearchRequest(new String[]{this.indexName}).source(new SearchSourceBuilder().query(QueryBuilders.termQuery("user_name", user.getName())).size(0))).actionGet();
        try {
            long value = searchResponse.getHits().getTotalHits().value();
            searchResponse.decRef();
            return value;
        } catch (Throwable th) {
            searchResponse.decRef();
            throw th;
        }
    }

    private OffsetDateTime getExpiryTime(OffsetDateTime offsetDateTime) {
        OffsetDateTime offsetDateTime2 = null;
        if (this.config.getMaxValidity() != null) {
            offsetDateTime2 = offsetDateTime.plus(this.config.getMaxValidity());
        }
        return offsetDateTime2;
    }

    private String updateSessionToken(SessionToken sessionToken, PushSessionTokenUpdateAction.Request.UpdateType updateType, Meter meter) throws SessionUpdateException {
        SessionToken sessionToken2;
        try {
            sessionToken2 = getById(sessionToken.getId(), meter);
        } catch (NoSuchSessionException e) {
            sessionToken2 = null;
        }
        if (updateType == PushSessionTokenUpdateAction.Request.UpdateType.NEW && sessionToken2 != null) {
            throw new SessionUpdateException("Token ID already exists: " + sessionToken.getId());
        }
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            try {
                Meter basic = meter.basic("index_update");
                try {
                    sessionToken.toXContent(jsonBuilder, ToXContent.EMPTY_PARAMS);
                    DocWriteResponse docWriteResponse = (DocWriteResponse) this.privilegedConfigClient.index((IndexRequest) new IndexRequest(this.indexName).id(sessionToken.getId()).source(jsonBuilder).setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)).actionGet();
                    if (log.isDebugEnabled()) {
                        log.debug("Token stored: " + String.valueOf(docWriteResponse));
                    }
                    if (basic != null) {
                        basic.close();
                    }
                    if (jsonBuilder != null) {
                        jsonBuilder.close();
                    }
                    try {
                        Meter basic2 = meter.basic("cluster_update");
                        try {
                            PushSessionTokenUpdateAction.Response response = (PushSessionTokenUpdateAction.Response) this.privilegedConfigClient.execute(PushSessionTokenUpdateAction.INSTANCE, new PushSessionTokenUpdateAction.Request(sessionToken, updateType, 0L)).actionGet();
                            if (log.isDebugEnabled()) {
                                log.debug("Token update pushed: " + String.valueOf(response));
                            }
                            if (!response.hasFailures()) {
                                if (basic2 != null) {
                                    basic2.close();
                                }
                                return null;
                            }
                            String str = "Update partially failed: " + String.valueOf(response.failures());
                            if (basic2 != null) {
                                basic2.close();
                            }
                            return str;
                        } catch (Throwable th) {
                            if (basic2 != null) {
                                try {
                                    basic2.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    } catch (Exception e2) {
                        log.warn("Token update push failed: " + String.valueOf(sessionToken), e2);
                        return "Update partially failed: " + String.valueOf(e2);
                    }
                } catch (Throwable th3) {
                    if (basic != null) {
                        try {
                            basic.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } finally {
            }
        } catch (Exception e3) {
            if (sessionToken2 != null) {
                this.idToAuthTokenMap.put(sessionToken2.getId(), sessionToken2);
            } else {
                this.idToAuthTokenMap.invalidate(sessionToken.getId());
            }
            log.warn("Error while storing token " + String.valueOf(sessionToken), e3);
            throw new SessionUpdateException(e3);
        }
    }

    public JwtToken getVerifiedJwtToken(String str) throws JwtException {
        if (this.jweDecryptionProvider != null) {
            str = this.jweDecryptionProvider.decrypt(str).getContentText();
        }
        JwsJwtCompactConsumer jwsJwtCompactConsumer = new JwsJwtCompactConsumer(str);
        JwtToken jwtToken = jwsJwtCompactConsumer.getJwtToken();
        if (!validateAudience(jwtToken.getClaims())) {
            if (!log.isTraceEnabled()) {
                return null;
            }
            log.trace("Not checking this token because it has a different audience: " + jwtToken.getClaims().getAudience());
            return null;
        }
        if (this.jwsSignatureVerifier != null && !jwsJwtCompactConsumer.verifySignatureWith(this.jwsSignatureVerifier)) {
            throw new JwtException("Invalid JWT signature for token " + String.valueOf(jwtToken.getClaims().asMap()));
        }
        validateClaims(jwtToken);
        return jwtToken;
    }

    private void validateClaims(JwtToken jwtToken) throws JwtException {
        JwtClaims claims = jwtToken.getClaims();
        if (claims == null) {
            throw new JwtException("The JWT does not have any claims");
        }
        JwtUtils.validateJwtExpiry(claims, 0, false);
        JwtUtils.validateJwtNotBefore(claims, 0, false);
    }

    private boolean validateAudience(JwtClaims jwtClaims) throws JwtException {
        Iterator it = jwtClaims.getAudiences().iterator();
        while (it.hasNext()) {
            if (this.jwtAudience.equals((String) it.next())) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void checkExpiryAndTrackAccess(SessionToken sessionToken, Consumer<Boolean> consumer, Consumer<Exception> consumer2, Meter meter) {
        this.activityTracker.checkExpiryAndTrackAccess(sessionToken, consumer, consumer2, meter);
    }

    public void setConfig(SessionServiceConfig sessionServiceConfig) {
        if (sessionServiceConfig == null) {
            return;
        }
        this.config = sessionServiceConfig;
        this.maxTokensPerUser = sessionServiceConfig.getMaxSessionsPerUser();
        if (sessionServiceConfig.getJwtAudience() != null) {
            try {
                this.jwtAudience = (String) sessionServiceConfig.getJwtAudience().render(AttributeSource.of("cluster.name", this.clusterService.getClusterName()));
            } catch (ExpressionEvaluationException e) {
                log.error("Invalid configuration for jwt_audience: " + String.valueOf(sessionServiceConfig.getJwtAudience()), e);
                this.jwtAudience = "sg_session_" + String.valueOf(this.clusterService.getClusterName());
                this.componentState.addLastException("jwt_audience", e);
            }
        } else {
            this.jwtAudience = "sg_session_" + String.valueOf(this.clusterService.getClusterName());
        }
        setKeys(sessionServiceConfig.getJwtSigningKey(), sessionServiceConfig.getJwtEncryptionKey());
        this.activityTracker.setInactivityTimeout(sessionServiceConfig.getInactivityTimeout() != null ? sessionServiceConfig.getInactivityTimeout() : Duration.ofHours(1L));
        this.activityTracker.setIndexRefreshPolicy(sessionServiceConfig.isRefreshSessionActivityIndex() ? WriteRequest.RefreshPolicy.IMMEDIATE : WriteRequest.RefreshPolicy.NONE);
    }

    public void shutdown() {
        this.indexCleanupAgent.shutdown();
    }

    public String pushAuthTokenUpdate(PushSessionTokenUpdateAction.Request request) {
        if (log.isDebugEnabled()) {
            log.debug("got auth token update: " + String.valueOf(request));
        }
        SessionToken updatedToken = request.getUpdatedToken();
        if (((SessionToken) this.idToAuthTokenMap.getIfPresent(updatedToken.getId())) == null) {
            return "Session token is not cached";
        }
        this.idToAuthTokenMap.put(updatedToken.getId(), updatedToken);
        return "Session token updated";
    }

    public boolean isEnabled() {
        return this.config.isEnabled();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public MetricsLevel getMetricsLevel() {
        return this.config.getMetricsLevel();
    }

    void initJwtProducer() {
        try {
            this.jwtProducer = new JoseJwtProducer();
            if (this.signingKey != null) {
                this.jwtProducer.setSignatureProvider(JwsUtils.getSignatureProvider(this.signingKey));
                this.jwsSignatureVerifier = JwsUtils.getSignatureVerifier(this.signingKey);
            } else {
                this.jwsSignatureVerifier = null;
            }
            if (this.encryptionKey != null) {
                this.jwtProducer.setEncryptionProvider(JweUtils.createJweEncryptionProvider(this.encryptionKey, ContentAlgorithm.A256CBC_HS512));
                this.jwtProducer.setJweRequired(true);
                this.jweDecryptionProvider = JweUtils.createJweDecryptionProvider(this.encryptionKey, ContentAlgorithm.A256CBC_HS512);
            } else {
                this.jweDecryptionProvider = null;
            }
        } catch (Exception e) {
            this.configComponentState.setFailed(e);
            this.jwtProducer = null;
            log.error("Error while initializing JWT producer in AuthTokenProvider", e);
        }
    }

    public JsonWebKey getSigningKey() {
        return this.signingKey;
    }

    public void setSigningKey(JsonWebKey jsonWebKey) {
        if (Objects.equals(this.signingKey, jsonWebKey)) {
            return;
        }
        log.info("Updating signing key for " + String.valueOf(this));
        this.signingKey = jsonWebKey;
        initJwtProducer();
    }

    public JsonWebKey getEncryptionKey() {
        return this.encryptionKey;
    }

    public void setEncryptionKey(JsonWebKey jsonWebKey) {
        if (Objects.equals(this.encryptionKey, jsonWebKey)) {
            return;
        }
        log.info("Updating encryption key for " + String.valueOf(this));
        this.encryptionKey = jsonWebKey;
        initJwtProducer();
    }

    public void setKeys(JsonWebKey jsonWebKey, JsonWebKey jsonWebKey2) {
        if (Objects.equals(this.signingKey, jsonWebKey) && Objects.equals(this.encryptionKey, jsonWebKey2)) {
            return;
        }
        log.info("Updating keys for " + String.valueOf(this));
        this.signingKey = jsonWebKey;
        this.encryptionKey = jsonWebKey2;
        initJwtProducer();
    }

    private void init(ProtectedConfigIndexService.FailureListener failureListener) {
        initComplete();
        failureListener.onSuccess();
        this.componentState.updateStateFromParts();
    }

    private synchronized void initComplete() {
        this.initialized = true;
        notifyAll();
    }

    public synchronized void waitForInitComplete(long j) {
        if (this.initialized) {
            return;
        }
        try {
            wait(j);
        } catch (InterruptedException e) {
        }
        if (!this.initialized) {
            throw new RuntimeException(String.valueOf(this) + " did not initialize after " + j);
        }
    }
}
