package com.floragunn.dlic.auth.http.jwt;

import com.floragunn.dlic.auth.http.kerberos.util.KrbConstants;
import com.floragunn.searchguard.auth.HTTPAuthenticator;
import com.floragunn.searchguard.user.AuthCredentials;
import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Option;
import com.jayway.jsonpath.PathNotFoundException;
import com.jayway.jsonpath.Predicate;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.WeakKeyException;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import net.minidev.json.JSONArray;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/HTTPJwtAuthenticator.class */
public class HTTPJwtAuthenticator implements HTTPAuthenticator {
    protected final Logger log = LogManager.getLogger(getClass());
    private static final String BEARER = "bearer ";
    private final JwtParser jwtParser;
    private final String jwtHeaderName;
    private final String jwtUrlParameter;
    private final String rolesKey;
    private final String subjectKey;
    private final String jsonSubjectPath;
    private final String jsonRolesPath;
    private Configuration jsonPathConfig;

    public HTTPJwtAuthenticator(Settings settings, Path path) {
        JwtParser jwtParser = null;
        try {
            String str = settings.get("signing_key");
            if (str == null || str.length() == 0) {
                this.log.error("signingKey must not be null or empty. JWT authentication will not work");
            } else {
                byte[] bArr = (byte[]) Decoders.BASE64.decode(str.replace("-----BEGIN PUBLIC KEY-----\n", "").replace("-----END PUBLIC KEY-----", ""));
                PublicKey publicKey = null;
                try {
                    publicKey = getPublicKey(bArr, "RSA");
                } catch (Exception e) {
                    this.log.debug("No public RSA key, try other algos ({})", e.toString());
                }
                try {
                    publicKey = getPublicKey(bArr, "EC");
                } catch (Exception e2) {
                    this.log.debug("No public ECDSA key, try other algos ({})", e2.toString());
                }
                jwtParser = publicKey != null ? Jwts.parser().setSigningKey(publicKey) : Jwts.parser().setSigningKey(bArr);
            }
        } catch (Throwable th) {
            this.log.error("Error creating JWT authenticator: " + th + ". JWT authentication will not work", th);
        }
        this.jwtUrlParameter = settings.get("jwt_url_parameter");
        this.jwtHeaderName = settings.get("jwt_header", "Authorization");
        this.rolesKey = settings.get("roles_key");
        this.subjectKey = settings.get("subject_key");
        this.jsonRolesPath = settings.get("roles_path");
        this.jsonSubjectPath = settings.get("subject_path");
        this.jwtParser = jwtParser;
        if ((this.subjectKey != null && this.jsonSubjectPath != null) || (this.rolesKey != null && this.jsonRolesPath != null)) {
            throw new IllegalStateException("Both, subject_key and subject_path or roles_key and roles_path have simultaneously provided. Please provide only one combination.");
        }
        this.jsonPathConfig = Configuration.builder().options(new Option[]{Option.ALWAYS_RETURN_LIST}).build();
    }

    public AuthCredentials extractCredentials(RestRequest restRequest, ThreadContext threadContext) throws ElasticsearchSecurityException {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        return (AuthCredentials) AccessController.doPrivileged(() -> {
            return extractCredentials0(restRequest);
        });
    }

    private AuthCredentials extractCredentials0(RestRequest restRequest) {
        if (this.jwtParser == null) {
            this.log.error("Missing Signing Key. JWT authentication will not work");
            return null;
        }
        String header = restRequest.header(this.jwtHeaderName);
        if ((header == null || header.isEmpty()) && this.jwtUrlParameter != null) {
            header = restRequest.param(this.jwtUrlParameter);
        } else {
            restRequest.param(this.jwtUrlParameter);
        }
        if (header == null || header.length() == 0) {
            if (!this.log.isDebugEnabled()) {
                return null;
            }
            this.log.debug("No JWT token found in '{}' {} header", this.jwtUrlParameter == null ? this.jwtHeaderName : this.jwtUrlParameter, this.jwtUrlParameter == null ? "header" : "url parameter");
            return null;
        }
        int indexOf = header.toLowerCase().indexOf(BEARER);
        if (indexOf > -1) {
            header = header.substring(indexOf + BEARER.length());
        } else if (this.log.isDebugEnabled()) {
            this.log.debug("No Bearer scheme found in header");
        }
        try {
            Claims claims = (Claims) this.jwtParser.parseClaimsJws(header).getBody();
            String extractSubject = extractSubject(claims, restRequest);
            if (extractSubject == null) {
                this.log.error("No subject found in JWT token");
                return null;
            }
            AuthCredentials markComplete = new AuthCredentials(extractSubject, extractRoles(claims)).markComplete();
            for (Map.Entry entry : claims.entrySet()) {
                markComplete.addAttribute("attr.jwt." + ((String) entry.getKey()), String.valueOf(entry.getValue()));
            }
            return markComplete;
        } catch (Exception e) {
            if (!this.log.isDebugEnabled()) {
                return null;
            }
            this.log.debug("Invalid or expired JWT token.", e);
            return null;
        } catch (WeakKeyException e2) {
            this.log.error("Cannot authenticate user with JWT because of " + e2, e2);
            return null;
        }
    }

    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        BytesRestResponse bytesRestResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, "");
        bytesRestResponse.addHeader(KrbConstants.WWW_AUTHENTICATE, "Bearer realm=\"Search Guard\"");
        restChannel.sendResponse(bytesRestResponse);
        return true;
    }

    public String getType() {
        return "jwt";
    }

    protected String extractSubject(Claims claims, RestRequest restRequest) {
        String subject = claims.getSubject();
        if (this.subjectKey != null) {
            Object obj = claims.get(this.subjectKey, Object.class);
            if (obj == null) {
                this.log.warn("Failed to get subject from JWT claims, check if subject_key '{}' is correct.", this.subjectKey);
                return null;
            }
            if (!(obj instanceof String)) {
                this.log.warn("Expected type String for roles in the JWT for subject_key {}, but value was '{}' ({}). Will convert this value to String.", this.subjectKey, obj, obj.getClass());
            }
            subject = String.valueOf(obj);
        } else if (this.jsonSubjectPath != null) {
            try {
                subject = (String) JsonPath.read(claims, this.jsonSubjectPath, new Predicate[0]);
            } catch (PathNotFoundException e) {
                this.log.error("The provided JSON path {} could not be found ", this.jsonSubjectPath);
            }
        }
        return subject;
    }

    protected String[] extractRoles(Claims claims) {
        if (this.rolesKey == null && this.jsonRolesPath == null) {
            return new String[0];
        }
        if (this.jsonRolesPath != null) {
            try {
                return splitRoles(JsonPath.using(this.jsonPathConfig).parse(claims).read(this.jsonRolesPath, new Predicate[0]));
            } catch (PathNotFoundException e) {
                this.log.error("The provided JSON path {} could not be found ", this.jsonRolesPath);
                return null;
            }
        }
        Object obj = claims.get(this.rolesKey, Object.class);
        if (obj != null) {
            return splitRoles(obj);
        }
        this.log.warn("Failed to get roles from JWT claims with roles_key '{}'. Check if this key is correct and available in the JWT payload.", this.rolesKey);
        return new String[0];
    }

    private static PublicKey getPublicKey(byte[] bArr, String str) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return KeyFactory.getInstance(str).generatePublic(new X509EncodedKeySpec(bArr));
    }

    private String[] splitRoles(Object obj) {
        String[] split = String.valueOf(obj).split(",");
        if (!(obj instanceof String) && !(obj instanceof Collection)) {
            this.log.warn("Expected type String or Collection for roles in the JWT for roles_key {}, but value was '{}' ({}). Will convert this value to String.", this.rolesKey, obj, obj.getClass());
        } else if (obj instanceof JSONArray) {
            ArrayList arrayList = new ArrayList();
            Iterator it = ((JSONArray) obj).iterator();
            while (it.hasNext()) {
                Object next = it.next();
                if (next instanceof List) {
                    Iterator it2 = ((List) next).iterator();
                    while (it2.hasNext()) {
                        arrayList.addAll(Arrays.asList(String.valueOf(it2.next()).split(",")));
                    }
                } else {
                    arrayList.addAll(Arrays.asList(String.valueOf(next).split(",")));
                }
            }
            split = (String[]) arrayList.toArray(new String[0]);
        } else if (obj instanceof Collection) {
            split = (String[]) ((Collection) obj).toArray(new String[0]);
        }
        for (int i = 0; i < split.length; i++) {
            split[i] = split[i].trim();
        }
        return split;
    }
}
