package com.floragunn.searchguard.internalauthtoken;

import com.floragunn.searchguard.privileges.SpecialPrivilegesEvaluationContext;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.sgconf.ConfigModelV7;
import com.floragunn.searchguard.sgconf.DynamicConfigFactory;
import com.floragunn.searchguard.sgconf.DynamicConfigModel;
import com.floragunn.searchguard.sgconf.InternalUsersModel;
import com.floragunn.searchguard.sgconf.SgRoles;
import com.floragunn.searchguard.sgconf.impl.CType;
import com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.AuthDomainInfo;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.xcontent.ObjectTreeXContent;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.KeyType;
import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtProducer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;

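/**
 * Issues and verifies the internal auth token that is passed between nodes in the
 * {@link #TOKEN_HEADER} thread-context header.
 * <p>
 * A token is a JWT whose subject is the user name, whose audience is supplied by the
 * caller and whose {@code sg_roles} claim carries the user's effective roles serialised
 * from the current configuration. Tokens are signed with the configured signing key
 * (HS512) and, when an encryption key is configured, additionally encrypted
 * (A256KW key management, A256CBC-HS512 content encryption). On the verifying side the
 * same keys are used to decrypt, check the signature, and validate exp/nbf/aud before
 * the roles from the claim are turned into a {@link SpecialPrivilegesEvaluationContext}.
 * <p>
 * The provider registers itself as a {@link DynamicConfigFactory.DCFListener} so that
 * roles are always taken from the latest configuration.
 * <p>
 * Thread-safety: key and configuration fields are plain (non-volatile) and are replaced
 * wholesale by the setters and {@link #onChanged}; updates are assumed to be serialised
 * by the caller — TODO confirm.
 */
public class InternalAuthTokenProvider implements DynamicConfigFactory.DCFListener {
    /** Thread-context header carrying the (possibly encrypted) JWT. */
    public static final String TOKEN_HEADER = "_sg_internal_auth_token";
    /** Thread-context header carrying the audience the token must be valid for. */
    public static final String AUDIENCE_HEADER = "_sg_internal_auth_token_audience";
    private static final Logger log = LogManager.getLogger(InternalAuthTokenProvider.class);
    /** Name of the JWT claim that carries the serialised roles (shared by issuer and verifier). */
    private static final String SG_ROLES_CLAIM = "sg_roles";
    /** Back-dating applied to the not-before claim so that small clock differences between nodes are tolerated. */
    private static final long NOT_BEFORE_SKEW_SECONDS = 30L;
    /** JWS algorithm used for the symmetric signing key. */
    private static final String SIGNING_ALGORITHM = "HS512";
    /** JWE key-management algorithm used for the symmetric encryption key. */
    private static final String ENCRYPTION_ALGORITHM = "A256KW";

    private JsonWebKey encryptionKey;
    private JsonWebKey signingKey;
    /** Null until a key has been set successfully; {@link #getJwt} refuses to issue tokens while null. */
    private JoseJwtProducer jwtProducer;
    /** Null when no signing key is configured; signatures are then not checked (see {@link #getVerifiedJwtToken}). */
    private JwsSignatureVerifier jwsSignatureVerifier;
    /** Null when no encryption key is configured; tokens are then expected to be plain JWS. */
    private JweDecryptionProvider jweDecryptionProvider;
    private ConfigModel configModel;
    private SgRoles sgRoles;
    private DynamicConfigModel dynamicConfigModel;

    /**
     * Privilege-evaluation context reconstructed from a verified internal auth token.
     * <p>
     * The roles are taken from the token, not from the current role configuration, so
     * the caller of the token decides the privileges the request is evaluated with.
     */
    public static class AuthFromInternalAuthToken implements SpecialPrivilegesEvaluationContext {
        private final User user;
        private final SgRoles sgRoles;

        AuthFromInternalAuthToken(User user, SgRoles sgRoles) {
            this.user = user;
            this.sgRoles = sgRoles;
        }

        @Override
        public User getUser() {
            return this.user;
        }

        @Override
        public SgRoles getSgRoles() {
            return this.sgRoles;
        }

        @Override
        public String toString() {
            return "AuthFromInternalAuthToken [user=" + this.user + ", sgRoles=" + this.sgRoles + "]";
        }

        @Override
        public Set<String> getMappedRoles() {
            return this.sgRoles.getRoleNames();
        }

        /** No caller address is available for token-based authentication. */
        @Override
        public TransportAddress getCaller() {
            return null;
        }

        /** Local requests authenticated by token are still subject to privilege evaluation. */
        @Override
        public boolean requiresPrivilegeEvaluationForLocalRequests() {
            return true;
        }
    }

    /**
     * Creates a provider and subscribes it to configuration changes.
     *
     * @param dynamicConfigFactory factory that will call {@link #onChanged} on every config update
     */
    public InternalAuthTokenProvider(DynamicConfigFactory dynamicConfigFactory) {
        dynamicConfigFactory.registerDCFListener(this);
    }

    /**
     * Issues a token for {@code user} that is valid for audience {@code str} and has no expiry claim.
     *
     * @param user the user whose name and roles go into the token
     * @param str  the audience the token is issued for
     * @return the compact-serialised (and, if configured, encrypted) JWT
     * @throws IllegalStateException if no key has been configured yet
     */
    public String getJwt(User user, String str) throws IllegalStateException {
        return getJwt(user, str, null);
    }

    /**
     * Issues a token for {@code user} that is valid for audience {@code str}.
     *
     * @param user           the user whose name and roles go into the token
     * @param str            the audience the token is issued for
     * @param temporalAmount validity period counted from now; {@code null} means no expiry claim is set
     * @return the compact-serialised (and, if configured, encrypted) JWT
     * @throws IllegalStateException if no key has been configured yet
     */
    public String getJwt(User user, String str, TemporalAmount temporalAmount) throws IllegalStateException {
        if (this.jwtProducer == null) {
            throw new IllegalStateException("AuthTokenProvider is not configured");
        }
        JwtClaims jwtClaims = new JwtClaims();
        Instant now = Instant.now();
        // nbf is back-dated so that a receiving node whose clock is slightly behind accepts the token.
        jwtClaims.setNotBefore(Long.valueOf(now.getEpochSecond() - NOT_BEFORE_SKEW_SECONDS));
        if (temporalAmount != null) {
            jwtClaims.setExpiryTime(Long.valueOf(now.plus(temporalAmount).getEpochSecond()));
        }
        jwtClaims.setSubject(user.getName());
        jwtClaims.setAudience(str);
        jwtClaims.setProperty(SG_ROLES_CLAIM, getSgRolesForUser(user));
        return this.jwtProducer.processJwt(new JwtToken(jwtClaims));
    }

    /**
     * Callback-style variant of {@link #userAuthFromToken(User, ThreadContext)}.
     *
     * @param user          the user the request was received as; only used for logging
     * @param threadContext context holding the token and audience headers
     * @param consumer      receives the result (may be {@code null} when no token is present or it is invalid)
     * @param consumer2     receives any exception thrown while reading the headers
     */
    public void userAuthFromToken(User user, ThreadContext threadContext, Consumer<SpecialPrivilegesEvaluationContext> consumer, Consumer<Exception> consumer2) {
        try {
            consumer.accept(userAuthFromToken(user, threadContext));
        } catch (Exception e) {
            log.error("Error in userAuthFromToken(" + user + ")", e);
            consumer2.accept(e);
        }
    }

    /**
     * Reads the token and audience headers from {@code threadContext} and verifies the token.
     *
     * @param user          unused; kept for API compatibility
     * @param threadContext context holding {@link #TOKEN_HEADER} and {@link #AUDIENCE_HEADER}
     * @return the evaluation context, or {@code null} if either header is missing/empty or the token is invalid
     */
    public AuthFromInternalAuthToken userAuthFromToken(User user, ThreadContext threadContext) {
        String token = threadContext.getHeader(TOKEN_HEADER);
        String audience = HeaderHelper.getSafeFromHeader(threadContext, AUDIENCE_HEADER);
        if (token == null || audience == null || token.isEmpty() || audience.isEmpty()) {
            return null;
        }
        return userAuthFromToken(token, audience);
    }

    /**
     * Verifies {@code str} as an internal auth token for audience {@code str2} and rebuilds the
     * user and roles it carries.
     *
     * @param str  the compact-serialised token
     * @param str2 the audience the token must allow
     * @return the evaluation context, or {@code null} if the token cannot be verified or its roles
     *         claim is missing or of an unsupported config version (the cause is logged at WARN)
     */
    public AuthFromInternalAuthToken userAuthFromToken(String str, String str2) {
        try {
            JwtToken verifiedJwtToken = getVerifiedJwtToken(str, str2);
            JwtClaims claims = verifiedJwtToken.getClaims();
            Map<String, Object> rolesClaim = claims.getMapProperty(SG_ROLES_CLAIM);
            if (rolesClaim == null) {
                throw new JwtException("JWT does not contain claim " + SG_ROLES_CLAIM);
            }
            // Raw type as in the original; SgDynamicConfiguration's type argument is not visible here.
            SgDynamicConfiguration rolesConfig = SgDynamicConfiguration.fromMap(rolesClaim, CType.ROLES);
            if (rolesConfig.getVersion() == 1) {
                throw new IllegalStateException("Unsupported version of sgconfig: " + rolesConfig);
            }
            ConfigModelV7.SgRoles roles = ConfigModelV7.SgRoles.create(rolesConfig, this.configModel.getActionGroupResolver(),
                    this.dynamicConfigModel.isIndexPrivilegeAliasResolutionEnabled());
            User user = User.forUser(claims.getSubject())
                    .authDomainInfo(AuthDomainInfo.STORED_AUTH)
                    .searchGuardRoles(roles.getRoleNames())
                    .build();
            return new AuthFromInternalAuthToken(user, roles);
        } catch (Exception e) {
            // The token is a bearer credential: log the audience and the cause, never the token itself.
            log.warn("Error while verifying internal auth token for audience " + str2, e);
            return null;
        }
    }

    /**
     * Takes over the latest configuration; roles serialised into new tokens come from here.
     */
    @Override
    public void onChanged(ConfigModel configModel, DynamicConfigModel dynamicConfigModel, InternalUsersModel internalUsersModel) {
        this.configModel = configModel;
        this.dynamicConfigModel = dynamicConfigModel;
        this.sgRoles = configModel.getSgRoles();
    }

    /**
     * (Re)builds the producer and the matching verifier/decryptor from the current keys.
     * <p>
     * Without a signing key the producer emits unsigned tokens and {@link #jwsSignatureVerifier}
     * is null; without an encryption key tokens are plain JWS and {@link #jweDecryptionProvider}
     * is null. Any failure leaves {@link #jwtProducer} null so that {@link #getJwt} fails fast.
     */
    void initJwtProducer() {
        try {
            JoseJwtProducer producer = new JoseJwtProducer();
            if (this.signingKey != null) {
                producer.setSignatureProvider(JwsUtils.getSignatureProvider(this.signingKey));
                this.jwsSignatureVerifier = JwsUtils.getSignatureVerifier(this.signingKey);
            } else {
                this.jwsSignatureVerifier = null;
            }
            if (this.encryptionKey != null) {
                producer.setEncryptionProvider(JweUtils.createJweEncryptionProvider(this.encryptionKey, ContentAlgorithm.A256CBC_HS512));
                producer.setJweRequired(true);
                this.jweDecryptionProvider = JweUtils.createJweDecryptionProvider(this.encryptionKey, ContentAlgorithm.A256CBC_HS512);
            } else {
                this.jweDecryptionProvider = null;
            }
            this.jwtProducer = producer;
        } catch (Exception e) {
            this.jwtProducer = null;
            log.error("Error while initializing JWT producer in AuthTokenProvider", e);
        }
    }

    /**
     * Serialises the roles mapped to {@code user} (from the current config) into a plain object tree
     * suitable as a JWT claim value.
     */
    private Object getSgRolesForUser(User user) {
        return ObjectTreeXContent.toObjectTree(this.sgRoles.filter(this.configModel.mapSgRoles(user, null)));
    }

    /**
     * Decrypts (if configured), parses, signature-checks and claim-validates a token.
     *
     * @param encodedToken the compact-serialised token as received
     * @param audience     the audience the token must allow
     * @return the parsed token
     * @throws JwtException if the signature is invalid or a claim check fails
     */
    private JwtToken getVerifiedJwtToken(String encodedToken, String audience) throws JwtException {
        String jws = encodedToken;
        if (this.jweDecryptionProvider != null) {
            jws = this.jweDecryptionProvider.decrypt(jws).getContentText();
        }
        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(jws);
        JwtToken jwtToken = consumer.getJwtToken();
        // NOTE(review): with no signing key configured the verifier is null and the signature is not
        // checked at all; this mirrors initJwtProducer, which then issues unsigned tokens. Deployments
        // should always configure a signing key.
        if (this.jwsSignatureVerifier != null && !consumer.verifySignatureWith(this.jwsSignatureVerifier)) {
            throw new JwtException("Invalid JWT signature");
        }
        validateClaims(jwtToken, audience);
        return jwtToken;
    }

    /**
     * Validates exp, nbf and aud.
     *
     * @throws JwtException if the token has no claims, is expired or not yet valid, or does not
     *                      allow {@code audience}
     */
    private void validateClaims(JwtToken jwtToken, String audience) throws JwtException {
        JwtClaims claims = jwtToken.getClaims();
        if (claims == null) {
            throw new JwtException("The JWT does not have any claims");
        }
        // Zero clock-skew allowance on the verifying side (the issuer already back-dates nbf). The
        // third argument makes exp/nbf optional, so a token issued without a duration does not expire.
        JwtUtils.validateJwtExpiry(claims, 0, false);
        JwtUtils.validateJwtNotBefore(claims, 0, false);
        validateAudience(claims, audience);
    }

    /**
     * Accepts the token only if {@code audience} is non-null and listed in its aud claim.
     *
     * @throws JwtException if the audience is not allowed
     */
    private void validateAudience(JwtClaims jwtClaims, String audience) throws JwtException {
        List<String> allowedAudiences = jwtClaims.getAudiences();
        if (audience != null && allowedAudiences != null && allowedAudiences.contains(audience)) {
            return;
        }
        throw new JwtException("Internal auth token does not allow audience: " + audience + "\nAllowed audiences: " + allowedAudiences);
    }

    public JsonWebKey getSigningKey() {
        return this.signingKey;
    }

    /**
     * Replaces the signing key and rebuilds producer and verifier; a no-op if the key is unchanged.
     *
     * @param jsonWebKey the new key, or {@code null} to sign no longer
     */
    public void setSigningKey(JsonWebKey jsonWebKey) {
        if (Objects.equals(this.signingKey, jsonWebKey)) {
            return;
        }
        log.info("Updating signing key for " + this);
        this.signingKey = jsonWebKey;
        initJwtProducer();
    }

    /**
     * Sets an HS512 signing key from its raw {@code k} value; {@code null} or empty removes the key.
     *
     * @param str the key material as stored in the JWK {@code k} member
     */
    public void setSigningKey(String str) {
        if (str == null || str.isEmpty()) {
            setSigningKey((JsonWebKey) null);
            return;
        }
        setSigningKey(symmetricKey(str, SIGNING_ALGORITHM, PublicKeyUse.SIGN));
    }

    public JsonWebKey getEncryptionKey() {
        return this.encryptionKey;
    }

    /**
     * Replaces the encryption key and rebuilds producer and decryptor; a no-op if the key is unchanged.
     *
     * @param jsonWebKey the new key, or {@code null} to encrypt no longer
     */
    public void setEncryptionKey(JsonWebKey jsonWebKey) {
        if (Objects.equals(this.encryptionKey, jsonWebKey)) {
            return;
        }
        log.info("Updating encryption key for " + this);
        this.encryptionKey = jsonWebKey;
        initJwtProducer();
    }

    /**
     * Sets an A256KW encryption key from its raw {@code k} value; {@code null} or empty removes the key.
     *
     * @param str the key material as stored in the JWK {@code k} member
     */
    public void setEncryptionKey(String str) {
        if (str == null || str.isEmpty()) {
            setEncryptionKey((JsonWebKey) null);
            return;
        }
        setEncryptionKey(symmetricKey(str, ENCRYPTION_ALGORITHM, PublicKeyUse.ENCRYPT));
    }

    /**
     * Builds an octet-sequence JWK with the given algorithm and use from raw key material.
     */
    private static JsonWebKey symmetricKey(String k, String algorithm, PublicKeyUse use) {
        JsonWebKey jsonWebKey = new JsonWebKey();
        jsonWebKey.setKeyType(KeyType.OCTET);
        jsonWebKey.setAlgorithm(algorithm);
        jsonWebKey.setPublicKeyUse(use);
        jsonWebKey.setProperty("k", k);
        return jsonWebKey;
    }
}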
