package com.floragunn.searchguard.internalauthtoken;

import com.floragunn.codova.documents.Document;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.authz.ActionAuthorization;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.RoleBasedActionAuthorization;
import com.floragunn.searchguard.authz.actions.Actions;
import com.floragunn.searchguard.authz.config.ActionGroup;
import com.floragunn.searchguard.authz.config.Role;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.jwt.JwtVerifier;
import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.AuthDomainInfo;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.PrivilegedCode;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.AESEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import java.text.ParseException;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;

/* loaded from: input_file:com/floragunn/searchguard/internalauthtoken/InternalAuthTokenProvider.class */
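public class InternalAuthTokenProvider {
    /** Thread-context header that carries the signed (and, when an encryption key is set, encrypted) internal token. */
    public static final String TOKEN_HEADER = "_sg_internal_auth_token";
    /** Thread-context header naming the audience the token was issued for; handed to the verifier together with the token. */
    public static final String AUDIENCE_HEADER = "_sg_internal_auth_token_audience";
    private static final JWSAlgorithm SIGNING_ALGORITHM = JWSAlgorithm.HS512;
    /**
     * RFC 7518 §3.2 requires an HMAC key at least as long as the hash output (512 bits for HS512).
     * Checked when the key is configured so a too-short key fails at startup instead of at the first sign() call.
     */
    private static final int MIN_SIGNING_KEY_BYTES = 64;
    /** A256KW is a 256-bit AES key wrap; any other length is rejected by the encrypter at encrypt time. */
    private static final int ENCRYPTION_KEY_BYTES = 32;
    private static final Logger log = LogManager.getLogger(InternalAuthTokenProvider.class);
    private final Actions actions;
    private final Function<User, ImmutableSet<String>> roleMapper;
    private final Supplier<ActionGroup.FlattenedIndex> actionGroupsSupplier;
    private final Supplier<Set<String>> tenantNameSupplier;
    private final Supplier<SgDynamicConfiguration<Role>> rolesSupplier;
    // Key material is replaced under the class lock by the setters, but getJwt()/getVerifiedJwtToken()
    // read it without locking; volatile makes a rotated or removed key visible to those readers.
    private volatile JWK encryptionKey;
    private volatile JWK signingKey;
    private volatile JWSSigner jwsSigner;
    private volatile JWEEncrypter jweEncrypter;
    private volatile JwtVerifier jwtVerifier;

    /**
     * Privilege-evaluation context reconstructed from a verified internal auth token.
     * The user, mapped roles and role definitions come from the token's claims, not from the
     * live cluster configuration; the action authorization is built from those embedded roles.
     */
    public static class AuthFromInternalAuthToken implements SpecialPrivilegesEvaluationContext {
        private final User user;
        private final ImmutableSet<String> mappedRoles;
        private final ActionAuthorization actionAuthorization;
        private final SgDynamicConfiguration<Role> rolesConfig;

        AuthFromInternalAuthToken(User user, ImmutableSet<String> mappedRoles, ActionAuthorization actionAuthorization, SgDynamicConfiguration<Role> rolesConfig) {
            this.user = user;
            this.mappedRoles = mappedRoles;
            this.actionAuthorization = actionAuthorization;
            this.rolesConfig = rolesConfig;
        }

        @Override // com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext
        public User getUser() {
            return this.user;
        }

        @Override
        public String toString() {
            return "AuthFromInternalAuthToken [user=" + this.user + "]";
        }

        @Override // com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext
        public ImmutableSet<String> getMappedRoles() {
            return this.mappedRoles;
        }

        /** No transport caller is associated with a token-derived context. */
        @Override // com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext
        public TransportAddress getCaller() {
            return null;
        }

        /** Always true: a token-derived principal never bypasses privilege evaluation, even for local requests. */
        @Override // com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext
        public boolean requiresPrivilegeEvaluationForLocalRequests() {
            return true;
        }

        @Override // com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext
        public ActionAuthorization getActionAuthorization() {
            return this.actionAuthorization;
        }

        @Override // com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext
        public SgDynamicConfiguration<Role> getRolesConfig() {
            return this.rolesConfig;
        }
    }

    /**
     * @param roleMapper          resolves the Search Guard roles of a user; used to pick the role definitions embedded in a token
     * @param actionGroupsSupplier current flattened action groups, consulted when a token is turned back into an authorization
     * @param tenantNameSupplier   current tenant names, likewise
     * @param actions              action registry for the authorization built from a token
     * @param rolesSupplier        current role definitions; intersected with the user's mapped roles on token creation
     */
    public InternalAuthTokenProvider(Function<User, ImmutableSet<String>> roleMapper, Supplier<ActionGroup.FlattenedIndex> actionGroupsSupplier, Supplier<Set<String>> tenantNameSupplier, Actions actions, Supplier<SgDynamicConfiguration<Role>> rolesSupplier) {
        this.actionGroupsSupplier = actionGroupsSupplier;
        this.tenantNameSupplier = tenantNameSupplier;
        this.roleMapper = roleMapper;
        this.actions = actions;
        this.rolesSupplier = rolesSupplier;
    }

    /** Issues a token without an expiry; see {@link #getJwt(User, String, TemporalAmount)}. */
    public String getJwt(User user, String str) throws IllegalStateException, JOSEException {
        return getJwt(user, str, null);
    }

    /**
     * Issues an internal auth token for {@code user} restricted to audience {@code str}.
     * The token is an HS512-signed JWT carrying the subject, the audience, an {@code nbf} 30 seconds in the
     * past (clock skew) and the user's role definitions under {@code sg_roles}; when an encryption key is
     * configured the signed JWT is additionally wrapped in an A256KW/A256CBC-HS512 JWE.
     *
     * @param temporalAmount lifetime of the token, or {@code null} for no {@code exp} claim
     * @throws IllegalStateException if no signing key has been configured
     * @throws JOSEException         on signing or encryption failure
     */
    public String getJwt(User user, String str, TemporalAmount temporalAmount) throws IllegalStateException, JOSEException {
        // Snapshot both so a key rotation racing this call cannot pair a new signer with an old encrypter.
        JWSSigner signer = this.jwsSigner;
        JWEEncrypter encrypter = this.jweEncrypter;
        if (signer == null) {
            throw new IllegalStateException("AuthTokenProvider is not configured");
        }
        Instant now = Instant.now();
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
        // java.util.Date(long) takes epoch MILLISECONDS. The previous code passed epoch seconds, which put nbf
        // and exp in January 1970 - so any token issued with a lifetime was already expired when verified.
        // Date.from(Instant) carries the intended instant exactly.
        claims.notBeforeTime(Date.from(now.minusSeconds(30)));
        if (temporalAmount != null) {
            claims.expirationTime(Date.from(now.plus(temporalAmount)));
        }
        claims.subject(user.getName());
        claims.audience(str);
        claims.claim("sg_roles", getSgRolesForUser(user));
        claims.claim("sg_i", JwtVerifier.PRODUCER_CLAIM_NIMBUS);
        JWTClaimsSet claimsSet = claims.build();
        SignedJWT signedJWT = (SignedJWT) PrivilegedCode.execute(() -> {
            return new SignedJWT(new JWSHeader(SIGNING_ALGORITHM), claimsSet);
        });
        signedJWT.sign(signer);
        if (encrypter == null) {
            return signedJWT.serialize();
        }
        JWEObject jweObject = (JWEObject) PrivilegedCode.execute(() -> {
            return new JWEObject(new JWEHeader.Builder(JWEAlgorithm.A256KW, EncryptionMethod.A256CBC_HS512).customParam(JwtVerifier.PRODUCER_CLAIM, JwtVerifier.PRODUCER_CLAIM_NIMBUS).build(), new Payload(signedJWT));
        });
        jweObject.encrypt(encrypter);
        return jweObject.serialize();
    }

    /**
     * Callback flavour of {@link #userAuthFromToken(User, ThreadContext)}: the result (possibly {@code null})
     * goes to {@code consumer}; any exception is logged and handed to {@code consumer2} instead of thrown.
     */
    public void userAuthFromToken(User user, ThreadContext threadContext, Consumer<SpecialPrivilegesEvaluationContext> consumer, Consumer<Exception> consumer2) {
        try {
            consumer.accept(userAuthFromToken(user, threadContext));
        } catch (Exception e) {
            log.error("Error in userAuthFromToken(" + user + ")", e);
            consumer2.accept(e);
        }
    }

    /**
     * Reads the token and audience headers from the thread context and verifies them.
     *
     * @return the reconstructed context, or {@code null} when either header is absent or empty
     * @throws PrivilegesEvaluationException if a token is present but does not verify
     */
    public AuthFromInternalAuthToken userAuthFromToken(User user, ThreadContext threadContext) throws PrivilegesEvaluationException {
        String token = threadContext.getHeader(TOKEN_HEADER);
        // NOTE(review): the audience is read through HeaderHelper.getSafeFromHeader while the token is read
        // raw; whatever "safe" filtering that helper applies is not applied to the token header. Confirm intended.
        String audience = HeaderHelper.getSafeFromHeader(threadContext, AUDIENCE_HEADER);
        boolean missing = token == null || token.isEmpty() || audience == null || audience.isEmpty();
        return missing ? null : userAuthFromToken(token, audience);
    }

    /**
     * Verifies a serialized token against the configured keys and the expected audience and rebuilds the
     * principal and its authorization from the embedded {@code sg_roles} claim.
     *
     * @throws PrivilegesEvaluationException wrapping any verification, parsing or role-config error
     */
    public AuthFromInternalAuthToken userAuthFromToken(String str, String str2) throws PrivilegesEvaluationException {
        try {
            JWTClaimsSet verifiedClaims = getVerifiedJwtToken(str, str2);
            Map rolesClaim = verifiedClaims.getJSONObjectClaim("sg_roles");
            if (rolesClaim == null) {
                throw new JOSEException("JWT does not contain claim sg_roles");
            }
            // The raw token is a bearer credential; log the verified claims but never the token itself.
            log.trace("userAuthFromToken(audience={}); verifiedToken: {} {}", str2, verifiedClaims, rolesClaim);
            SgDynamicConfiguration rolesConfig = (SgDynamicConfiguration) SgDynamicConfiguration.fromMap(rolesClaim, CType.ROLES, null).get();
            Collection<String> roleNames = ImmutableSet.of(rolesConfig.getCEntries().keySet());
            User tokenUser = User.forUser(verifiedClaims.getSubject()).authDomainInfo(AuthDomainInfo.STORED_AUTH).searchGuardRoles(roleNames).build();
            ActionAuthorization authorization = new RoleBasedActionAuthorization(rolesConfig, this.actionGroupsSupplier.get(), this.actions, null, this.tenantNameSupplier.get(), null);
            return new AuthFromInternalAuthToken(tokenUser, roleNames, authorization, rolesConfig);
        } catch (JOSEException | ConfigValidationException | ParseException | BadJWTException e) {
            log.debug("Error while verifying internal auth token for audience {}", str2, e);
            throw new PrivilegesEvaluationException("Error while verifying internal auth token", e);
        }
    }

    /** Role definitions to embed: the current roles config restricted to the roles mapped to this user. */
    private Object getSgRolesForUser(User user) {
        return Document.toDeepBasicObject(ImmutableMap.of(this.rolesSupplier.get().getCEntries()).intersection(this.roleMapper.apply(user)));
    }

    /**
     * @throws IllegalStateException if no verifier (i.e. no signing key) is configured; deliberately not a
     *                               JOSEException so a misconfiguration is not reported as a bad token
     * @throws JOSEException         if the verifier rejects the token
     */
    private JWTClaimsSet getVerifiedJwtToken(String str, String str2) throws JOSEException, ParseException, BadJWTException {
        JwtVerifier verifier = this.jwtVerifier;
        if (verifier == null) {
            throw new IllegalStateException("Cannot verify token because signing key is not configured");
        }
        JWT verified = verifier.getVerfiedJwt(str, str2);
        if (verified == null) {
            throw new JOSEException("Invalid JWT");
        }
        return verified.getJWTClaimsSet();
    }

    /**
     * Configures (or, with a null/empty value, removes) the base64-encoded HS512 signing secret.
     * On any failure the previously configured key stays in effect.
     *
     * @throws KeyLengthException if the decoded key is shorter than 512 bits
     * @throws JOSEException      if the signer cannot be created
     */
    public synchronized void setSigningKey(String str) throws JOSEException {
        if (str == null || str.isEmpty()) {
            this.signingKey = null;
            this.jwsSigner = null;
            updateJwtVerifier();
            return;
        }
        byte[] secret = Base64.getDecoder().decode(str);
        if (secret.length < MIN_SIGNING_KEY_BYTES) {
            throw new KeyLengthException("The internal auth token signing key must be at least " + (MIN_SIGNING_KEY_BYTES * 8) + " bits for " + SIGNING_ALGORITHM);
        }
        this.jwsSigner = new MACSigner(secret);
        this.signingKey = new OctetSequenceKey.Builder(secret).keyUse(KeyUse.SIGNATURE).algorithm(SIGNING_ALGORITHM).build();
        updateJwtVerifier();
    }

    /**
     * Configures (or, with a null/empty value, removes) the base64-encoded A256KW key-wrapping key.
     * Without it tokens are signed only. On any failure the previously configured key stays in effect.
     *
     * @throws KeyLengthException if the decoded key is not exactly 256 bits
     */
    public synchronized void setEncryptionKey(String str) throws KeyLengthException {
        if (str == null || str.isEmpty()) {
            this.encryptionKey = null;
            this.jweEncrypter = null;
            updateJwtVerifier();
            return;
        }
        byte[] secret = Base64.getDecoder().decode(str);
        if (secret.length != ENCRYPTION_KEY_BYTES) {
            throw new KeyLengthException("The internal auth token encryption key must be exactly " + (ENCRYPTION_KEY_BYTES * 8) + " bits for " + JWEAlgorithm.A256KW);
        }
        this.jweEncrypter = new AESEncrypter(secret);
        this.encryptionKey = new OctetSequenceKey.Builder(secret).keyUse(KeyUse.ENCRYPTION).algorithm(JWEAlgorithm.A256KW).build();
        updateJwtVerifier();
    }

    /**
     * Rebuilds the verifier from the current keys, or drops it when no signing key is present.
     * The previous version only logged when no verifier existed and left a live verifier untouched
     * when the signing key was removed, so tokens signed with the retired key kept verifying.
     */
    private synchronized void updateJwtVerifier() {
        if (this.signingKey != null) {
            // NOTE(review): the third argument is an empty string; its meaning is not visible here - confirm against JwtVerifier.
            this.jwtVerifier = new JwtVerifier(this.signingKey, this.encryptionKey, "");
        } else if (this.jwtVerifier != null) {
            log.warn("Disabling JWT verifier because no signing key is present");
            this.jwtVerifier = null;
        }
    }
}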
