package com.floragunn.searchguard.authtoken;

import com.floragunn.dlic.auth.http.kerberos.util.KrbConstants;
import com.floragunn.searchguard.auth.HTTPAuthenticator;
import com.floragunn.searchguard.user.AuthCredentials;
import java.security.AccessController;
import java.security.PrivilegedAction;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/authtoken/AuthTokenHttpJwtAuthenticator.class */
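/**
 * {@link HTTPAuthenticator} that authenticates REST requests carrying a Search Guard
 * auth token in an {@code Authorization: Bearer <token>} header.
 *
 * <p>Token extraction runs under {@link AccessController#doPrivileged} after the
 * {@link SpecialPermission} check Elasticsearch requires of privileged plugin code.
 * The token is verified by {@code AuthTokenService#getVerifiedJwtToken} and the user
 * name is read from the {@value #SUBJECT_KEY} claim.
 *
 * <p>The raw {@code Authorization} header and the token itself are credentials and are
 * never written to the log; rejections are logged without that material.
 */
public class AuthTokenHttpJwtAuthenticator implements HTTPAuthenticator {
    private static final Logger log = LogManager.getLogger(AuthTokenHttpJwtAuthenticator.class);

    /** Request header the bearer token is read from. */
    private static final String JWT_HEADER_NAME = "Authorization";

    /** Claim holding the user name of the token subject. */
    private static final String SUBJECT_KEY = "sub";

    /** The only scheme accepted in the header; compared case-insensitively. */
    private static final String BEARER_SCHEME = "bearer";

    /** Challenge sent with a 401 so clients know to present a bearer token. */
    private static final String BEARER_CHALLENGE = "Bearer realm=\"Search Guard\"";

    private final AuthTokenService authTokenService;

    /**
     * @param authTokenService service used to verify presented tokens
     */
    public AuthTokenHttpJwtAuthenticator(AuthTokenService authTokenService) {
        this.authTokenService = authTokenService;
    }

    /** Returns the user type under which credentials produced by this authenticator are filed. */
    public String getType() {
        return AuthTokenService.USER_TYPE;
    }

    /**
     * Extracts credentials from the request's bearer token.
     *
     * @param restRequest   the incoming request
     * @param threadContext unused by this authenticator
     * @return credentials for the token subject, or {@code null} when the request carries
     *         no bearer token, the token fails verification, or it has no subject claim
     * @throws ElasticsearchSecurityException as declared by the authenticator contract;
     *         this class throws none itself, but token verification may
     */
    public AuthCredentials extractCredentials(RestRequest restRequest, ThreadContext threadContext)
            throws ElasticsearchSecurityException {
        // Elasticsearch convention: code that enters doPrivileged must first hold SpecialPermission.
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        // Explicit target type avoids the PrivilegedAction / PrivilegedExceptionAction overload ambiguity.
        return AccessController.doPrivileged(
                (PrivilegedAction<AuthCredentials>) () -> extractCredentials0(restRequest));
    }

    /**
     * Verifies the bearer token and builds credentials from its claims.
     *
     * <p>A {@link JwtException} from verification is logged at INFO (without the token)
     * and yields {@code null}; a verified token without a subject is logged at ERROR
     * with only the names of the claims it carries, not their values.
     */
    private AuthCredentials extractCredentials0(RestRequest restRequest) throws ElasticsearchSecurityException {
        String jwtTokenString = getJwtTokenString(restRequest);
        if (Strings.isNullOrEmpty(jwtTokenString)) {
            return null;
        }
        try {
            JwtClaims claims = this.authTokenService.getVerifiedJwtToken(jwtTokenString).getClaims();
            String subject = extractSubject(claims);
            if (subject == null) {
                // Claim values may carry personal data; log which claims are present, not what they hold.
                log.error("No subject found in JWT token; present claims: {}", claims.asMap().keySet());
                return null;
            }
            return AuthCredentials.forUser(subject).claims(claims.asMap()).complete().build();
        } catch (JwtException e) {
            // The token is a credential and is deliberately kept out of the log.
            log.info("JWT is invalid", e);
            return null;
        }
    }

    /**
     * Returns the bearer token from the {@value #JWT_HEADER_NAME} header.
     *
     * @param restRequest the incoming request
     * @return the token with surrounding whitespace removed, or {@code null} when the header is
     *         absent, has no space separating scheme and credentials, or uses a scheme other
     *         than {@code Bearer}. The header value is never logged.
     */
    protected String getJwtTokenString(RestRequest restRequest) {
        String header = restRequest.header(JWT_HEADER_NAME);
        if (header == null) {
            return null;
        }
        String trimmed = header.trim();
        int separator = trimmed.indexOf(' ');
        if (separator == -1) {
            // Do not echo the header: a malformed value may still be a secret.
            log.info("Illegal {} header: expected '<scheme> <credentials>'", JWT_HEADER_NAME);
            return null;
        }
        String scheme = trimmed.substring(0, separator);
        if (!BEARER_SCHEME.equalsIgnoreCase(scheme)) {
            // Only the client-supplied scheme name is logged, never the credentials part.
            log.debug("Unsupported authentication scheme {}", scheme);
            return null;
        }
        return trimmed.substring(separator + 1).trim();
    }

    /**
     * Reads the subject from the {@value #SUBJECT_KEY} claim.
     *
     * @param jwtClaims claims of an already verified token
     * @return the claim as a string (non-string values are converted with
     *         {@link String#valueOf(Object)}), or {@code null} when the claim is missing
     */
    protected String extractSubject(JwtClaims jwtClaims) {
        Object claim = jwtClaims.getClaim(SUBJECT_KEY);
        if (claim == null) {
            log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", SUBJECT_KEY);
            return null;
        }
        if (claim instanceof String) {
            return (String) claim;
        }
        log.warn("Expected type String for subject in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.",
                SUBJECT_KEY, claim, claim.getClass());
        return String.valueOf(claim);
    }

    /**
     * Answers with 401 and a {@code WWW-Authenticate: Bearer} challenge.
     *
     * @param restChannel     channel the response is written to
     * @param authCredentials unused by this authenticator
     * @return always {@code true}, signalling that a challenge was sent
     */
    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        BytesRestResponse response = new BytesRestResponse(RestStatus.UNAUTHORIZED, "");
        response.addHeader(KrbConstants.WWW_AUTHENTICATE, BEARER_CHALLENGE);
        restChannel.sendResponse(response);
        return true;
    }
}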
