package org.elasticsearch.xpack.security.authc.oidc;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.LogoutRequest;
import com.nimbusds.openid.connect.sdk.Nonce;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.lease.Releasable;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectLogoutResponse;
import org.elasticsearch.xpack.core.security.action.oidc.OpenIdConnectPrepareAuthenticationResponse;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.oidc.OpenIdConnectRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm.class */
public class OpenIdConnectRealm extends Realm implements Releasable {
    public static final String CONTEXT_TOKEN_DATA = "_oidc_tokendata";
    private final OpenIdConnectProviderConfiguration opConfiguration;
    private final RelyingPartyConfiguration rpConfiguration;
    private final OpenIdConnectAuthenticator openIdConnectAuthenticator;
    private final ClaimParser principalAttribute;
    private final ClaimParser groupsAttribute;
    private final ClaimParser dnAttribute;
    private final ClaimParser nameAttribute;
    private final ClaimParser mailAttribute;
    private final Boolean populateUserMetadata;
    private final UserRoleMapper roleMapper;
    private DelegatedAuthorizationSupport delegatedRealms;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectRealm$ClaimParser.class */
    public static final class ClaimParser {
        private final String name;
        private final Function<JWTClaimsSet, List<String>> parser;

        ClaimParser(String str, Function<JWTClaimsSet, List<String>> function) {
            this.name = str;
            this.parser = function;
        }

        List<String> getClaimValues(JWTClaimsSet jWTClaimsSet) {
            return this.parser.apply(jWTClaimsSet);
        }

        String getClaimValue(JWTClaimsSet jWTClaimsSet) {
            List<String> apply = this.parser.apply(jWTClaimsSet);
            if (apply == null || apply.isEmpty()) {
                return null;
            }
            return apply.get(0);
        }

        public String toString() {
            return this.name;
        }

        static ClaimParser forSetting(Logger logger, OpenIdConnectRealmSettings.ClaimSetting claimSetting, RealmConfig realmConfig, boolean z) {
            if (realmConfig.hasSetting(claimSetting.getClaim())) {
                String str = (String) realmConfig.getSetting(claimSetting.getClaim());
                if (!realmConfig.hasSetting(claimSetting.getPattern())) {
                    return new ClaimParser("OpenID Connect Claim [" + str + "] for [" + claimSetting.name(realmConfig) + "]", jWTClaimsSet -> {
                        Object claim = jWTClaimsSet.getClaim(str);
                        if (claim == null) {
                            return Collections.emptyList();
                        }
                        if (claim instanceof String) {
                            return Collections.singletonList((String) claim);
                        }
                        if (claim instanceof List) {
                            return (List) ((List) claim).stream().filter((v0) -> {
                                return Objects.nonNull(v0);
                            }).collect(Collectors.toList());
                        }
                        throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, claimSetting.getClaim()) + " expects a claim with String or a String Array value but found a " + claim.getClass().getName());
                    });
                }
                Pattern compile = Pattern.compile((String) realmConfig.getSetting(claimSetting.getPattern()));
                return new ClaimParser("OpenID Connect Claim [" + str + "] with pattern [" + compile.pattern() + "] for [" + claimSetting.name(realmConfig) + "]", jWTClaimsSet2 -> {
                    List list;
                    Object claim = jWTClaimsSet2.getClaim(str);
                    if (claim == null) {
                        list = Collections.emptyList();
                    } else if (claim instanceof String) {
                        list = Collections.singletonList((String) claim);
                    } else {
                        if (!(claim instanceof List)) {
                            throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, claimSetting.getClaim()) + " expects a claim with String or a String Array value but found a " + claim.getClass().getName());
                        }
                        list = (List) claim;
                    }
                    return (List) list.stream().map(str2 -> {
                        if (str2 == null) {
                            logger.debug("OpenID Connect Claim [{}] is null", str);
                            return null;
                        }
                        Matcher matcher = compile.matcher(str2);
                        if (!matcher.find()) {
                            logger.debug("OpenID Connect Claim [{}] is [{}], which does not match [{}]", str, str2, compile.pattern());
                            return null;
                        }
                        String group = matcher.group(1);
                        if (!Strings.isNullOrEmpty(group)) {
                            return group;
                        }
                        logger.debug("OpenID Connect Claim [{}] is [{}], which does match [{}] but group(1) is empty", str, str2, compile.pattern());
                        return null;
                    }).filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).collect(Collectors.toList());
                });
            }
            if (z) {
                throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, claimSetting.getClaim()) + "] is required");
            }
            if (realmConfig.hasSetting(claimSetting.getPattern())) {
                throw new SettingsException("Setting [" + RealmSettings.getFullSettingKey(realmConfig, claimSetting.getPattern()) + "] cannot be set unless [" + RealmSettings.getFullSettingKey(realmConfig, claimSetting.getClaim()) + "] is also set");
            }
            return new ClaimParser("No OpenID Connect Claim for [" + claimSetting.name(realmConfig) + "]", jWTClaimsSet3 -> {
                return Collections.emptyList();
            });
        }
    }

    public OpenIdConnectRealm(RealmConfig realmConfig, SSLService sSLService, UserRoleMapper userRoleMapper, ResourceWatcherService resourceWatcherService) {
        super(realmConfig);
        this.roleMapper = userRoleMapper;
        this.rpConfiguration = buildRelyingPartyConfiguration(realmConfig);
        this.opConfiguration = buildOpenIdConnectProviderConfiguration(realmConfig);
        this.principalAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.PRINCIPAL_CLAIM, realmConfig, true);
        this.groupsAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.GROUPS_CLAIM, realmConfig, false);
        this.dnAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.DN_CLAIM, realmConfig, false);
        this.nameAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.NAME_CLAIM, realmConfig, false);
        this.mailAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.MAIL_CLAIM, realmConfig, false);
        this.populateUserMetadata = (Boolean) realmConfig.getSetting(OpenIdConnectRealmSettings.POPULATE_USER_METADATA);
        if (!TokenService.isTokenServiceEnabled(realmConfig.settings()).booleanValue()) {
            throw new IllegalStateException("OpenID Connect Realm requires that the token service be enabled (" + XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey() + ")");
        }
        this.openIdConnectAuthenticator = new OpenIdConnectAuthenticator(realmConfig, this.opConfiguration, this.rpConfiguration, sSLService, resourceWatcherService);
    }

    OpenIdConnectRealm(RealmConfig realmConfig, OpenIdConnectAuthenticator openIdConnectAuthenticator, UserRoleMapper userRoleMapper) {
        super(realmConfig);
        this.roleMapper = userRoleMapper;
        this.rpConfiguration = buildRelyingPartyConfiguration(realmConfig);
        this.opConfiguration = buildOpenIdConnectProviderConfiguration(realmConfig);
        this.openIdConnectAuthenticator = openIdConnectAuthenticator;
        this.principalAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.PRINCIPAL_CLAIM, realmConfig, true);
        this.groupsAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.GROUPS_CLAIM, realmConfig, false);
        this.dnAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.DN_CLAIM, realmConfig, false);
        this.nameAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.NAME_CLAIM, realmConfig, false);
        this.mailAttribute = ClaimParser.forSetting(this.logger, OpenIdConnectRealmSettings.MAIL_CLAIM, realmConfig, false);
        this.populateUserMetadata = (Boolean) realmConfig.getSetting(OpenIdConnectRealmSettings.POPULATE_USER_METADATA);
    }

    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        if (this.delegatedRealms != null) {
            throw new IllegalStateException("Realm has already been initialized");
        }
        this.delegatedRealms = new DelegatedAuthorizationSupport(iterable, this.config, xPackLicenseState);
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof OpenIdConnectToken;
    }

    private boolean isTokenForRealm(OpenIdConnectToken openIdConnectToken) {
        if (openIdConnectToken.getAuthenticatingRealm() == null) {
            return true;
        }
        return openIdConnectToken.getAuthenticatingRealm().equals(name());
    }

    public AuthenticationToken token(ThreadContext threadContext) {
        return null;
    }

    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult> actionListener) {
        if (!(authenticationToken instanceof OpenIdConnectToken) || !isTokenForRealm((OpenIdConnectToken) authenticationToken)) {
            actionListener.onResponse(AuthenticationResult.notHandled());
        } else {
            this.openIdConnectAuthenticator.authenticate((OpenIdConnectToken) authenticationToken, ActionListener.wrap(jWTClaimsSet -> {
                buildUserFromClaims(jWTClaimsSet, actionListener);
            }, exc -> {
                this.logger.debug("Failed to consume the OpenIdConnectToken ", exc);
                if (exc instanceof ElasticsearchSecurityException) {
                    actionListener.onResponse(AuthenticationResult.unsuccessful("Failed to authenticate user with OpenID Connect", exc));
                } else {
                    actionListener.onFailure(exc);
                }
            }));
        }
    }

    public void lookupUser(String str, ActionListener<User> actionListener) {
        actionListener.onResponse((Object) null);
    }

    private void buildUserFromClaims(JWTClaimsSet jWTClaimsSet, ActionListener<AuthenticationResult> actionListener) {
        String claimValue = this.principalAttribute.getClaimValue(jWTClaimsSet);
        if (Strings.isNullOrEmpty(claimValue)) {
            actionListener.onResponse(AuthenticationResult.unsuccessful(this.principalAttribute + "not found in " + jWTClaimsSet.toJSONObject(), (Exception) null));
            return;
        }
        HashMap hashMap = new HashMap();
        hashMap.put("id_token_hint", jWTClaimsSet.getClaim("id_token_hint"));
        CheckedConsumer checkedConsumer = authenticationResult -> {
            if (authenticationResult.isAuthenticated()) {
                HashMap hashMap2 = new HashMap(authenticationResult.getMetadata());
                hashMap2.put(CONTEXT_TOKEN_DATA, hashMap);
                authenticationResult = AuthenticationResult.success(authenticationResult.getUser(), hashMap2);
            }
            actionListener.onResponse(authenticationResult);
        };
        Objects.requireNonNull(actionListener);
        ActionListener<AuthenticationResult> wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
        if (this.delegatedRealms.hasDelegation()) {
            this.delegatedRealms.resolve(claimValue, wrap);
            return;
        }
        HashMap hashMap2 = new HashMap();
        if (this.populateUserMetadata.booleanValue()) {
            for (Map.Entry entry : (Set) jWTClaimsSet.getClaims().entrySet().stream().filter(entry2 -> {
                Object value = entry2.getValue();
                return (value instanceof String) || (value instanceof Boolean) || (value instanceof Number) || (value instanceof Collection);
            }).collect(Collectors.toSet())) {
                hashMap2.put("oidc(" + entry.getKey() + ")", entry.getValue());
            }
        }
        List<String> claimValues = this.groupsAttribute.getClaimValues(jWTClaimsSet);
        String claimValue2 = this.dnAttribute.getClaimValue(jWTClaimsSet);
        String claimValue3 = this.mailAttribute.getClaimValue(jWTClaimsSet);
        String claimValue4 = this.nameAttribute.getClaimValue(jWTClaimsSet);
        UserRoleMapper.UserData userData = new UserRoleMapper.UserData(claimValue, claimValue2, claimValues, hashMap2, this.config);
        UserRoleMapper userRoleMapper = this.roleMapper;
        CheckedConsumer checkedConsumer2 = set -> {
            wrap.onResponse(AuthenticationResult.success(new User(claimValue, (String[]) set.toArray(Strings.EMPTY_ARRAY), claimValue4, claimValue3, hashMap2, true)));
        };
        Objects.requireNonNull(wrap);
        userRoleMapper.resolveRoles(userData, ActionListener.wrap(checkedConsumer2, wrap::onFailure));
    }

    private RelyingPartyConfiguration buildRelyingPartyConfiguration(RealmConfig realmConfig) {
        try {
            URI uri = new URI(require(realmConfig, OpenIdConnectRealmSettings.RP_REDIRECT_URI));
            try {
                URI uri2 = new URI((String) realmConfig.getSetting(OpenIdConnectRealmSettings.RP_POST_LOGOUT_REDIRECT_URI));
                ClientID clientID = new ClientID(require(realmConfig, OpenIdConnectRealmSettings.RP_CLIENT_ID));
                SecureString secureString = (SecureString) realmConfig.getSetting(OpenIdConnectRealmSettings.RP_CLIENT_SECRET);
                if (secureString.length() == 0) {
                    throw new SettingsException("The configuration setting [" + RealmSettings.getFullSettingKey(realmConfig, OpenIdConnectRealmSettings.RP_CLIENT_SECRET) + "] is required");
                }
                try {
                    ResponseType parse = ResponseType.parse(require(realmConfig, OpenIdConnectRealmSettings.RP_RESPONSE_TYPE));
                    Scope scope = new Scope((String[]) ((List) realmConfig.getSetting(OpenIdConnectRealmSettings.RP_REQUESTED_SCOPES)).toArray(Strings.EMPTY_ARRAY));
                    if (!scope.contains("openid")) {
                        scope.add("openid");
                    }
                    return new RelyingPartyConfiguration(clientID, secureString, uri, parse, scope, JWSAlgorithm.parse(require(realmConfig, OpenIdConnectRealmSettings.RP_SIGNATURE_ALGORITHM)), uri2);
                } catch (ParseException e) {
                    throw new SettingsException("Invalid value for " + OpenIdConnectRealmSettings.RP_RESPONSE_TYPE.getKey(), e);
                }
            } catch (URISyntaxException e2) {
                throw new SettingsException("Invalid URI:" + OpenIdConnectRealmSettings.RP_POST_LOGOUT_REDIRECT_URI.getKey(), e2);
            }
        } catch (URISyntaxException e3) {
            throw new SettingsException("Invalid URI:" + OpenIdConnectRealmSettings.RP_REDIRECT_URI.getKey(), e3);
        }
    }

    private OpenIdConnectProviderConfiguration buildOpenIdConnectProviderConfiguration(RealmConfig realmConfig) {
        Issuer issuer = new Issuer(require(realmConfig, OpenIdConnectRealmSettings.OP_ISSUER));
        String require = require(realmConfig, OpenIdConnectRealmSettings.OP_JWKSET_PATH);
        try {
            URI uri = new URI(require(realmConfig, OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT));
            String require2 = require(realmConfig, OpenIdConnectRealmSettings.RP_RESPONSE_TYPE);
            String str = (String) realmConfig.getSetting(OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT);
            if (require2.equals("code") && str.isEmpty()) {
                throw new SettingsException("The configuration setting [" + OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT.getConcreteSettingForNamespace(name()).getKey() + "] is required when [" + OpenIdConnectRealmSettings.RP_RESPONSE_TYPE.getConcreteSettingForNamespace(name()).getKey() + "] is set to \"code\"");
            }
            try {
                try {
                    try {
                        return new OpenIdConnectProviderConfiguration(issuer, require, uri, str.isEmpty() ? null : new URI(str), ((String) realmConfig.getSetting(OpenIdConnectRealmSettings.OP_USERINFO_ENDPOINT)).isEmpty() ? null : new URI((String) realmConfig.getSetting(OpenIdConnectRealmSettings.OP_USERINFO_ENDPOINT)), ((String) realmConfig.getSetting(OpenIdConnectRealmSettings.OP_ENDSESSION_ENDPOINT)).isEmpty() ? null : new URI((String) realmConfig.getSetting(OpenIdConnectRealmSettings.OP_ENDSESSION_ENDPOINT)));
                    } catch (URISyntaxException e) {
                        throw new SettingsException("Invalid URI: " + OpenIdConnectRealmSettings.OP_ENDSESSION_ENDPOINT.getKey(), e);
                    }
                } catch (URISyntaxException e2) {
                    throw new SettingsException("Invalid URI: " + OpenIdConnectRealmSettings.OP_USERINFO_ENDPOINT.getKey(), e2);
                }
            } catch (URISyntaxException e3) {
                throw new SettingsException("Invalid URL: " + OpenIdConnectRealmSettings.OP_TOKEN_ENDPOINT.getKey(), e3);
            }
        } catch (URISyntaxException e4) {
            throw new SettingsException("Invalid URI: " + OpenIdConnectRealmSettings.OP_AUTHORIZATION_ENDPOINT.getKey(), e4);
        }
    }

    private static String require(RealmConfig realmConfig, Setting.AffixSetting<String> affixSetting) {
        String str = (String) realmConfig.getSetting(affixSetting);
        if (str.isEmpty()) {
            throw new SettingsException("The configuration setting [" + RealmSettings.getFullSettingKey(realmConfig, affixSetting) + "] is required");
        }
        return str;
    }

    public OpenIdConnectPrepareAuthenticationResponse buildAuthenticationRequestUri(@Nullable String str, @Nullable String str2, @Nullable String str3) {
        State state = str != null ? new State(str) : new State();
        Nonce nonce = str2 != null ? new Nonce(str2) : new Nonce();
        AuthenticationRequest.Builder nonce2 = new AuthenticationRequest.Builder(this.rpConfiguration.getResponseType(), this.rpConfiguration.getRequestedScope(), this.rpConfiguration.getClientId(), this.rpConfiguration.getRedirectUri()).endpointURI(this.opConfiguration.getAuthorizationEndpoint()).state(state).nonce(nonce);
        if (Strings.hasText(str3)) {
            nonce2.loginHint(str3);
        }
        return new OpenIdConnectPrepareAuthenticationResponse(nonce2.build().toURI().toString(), state.getValue(), nonce.getValue());
    }

    public boolean isIssuerValid(String str) {
        return this.opConfiguration.getIssuer().getValue().equals(str);
    }

    public OpenIdConnectLogoutResponse buildLogoutResponse(JWT jwt) {
        if (this.opConfiguration.getEndsessionEndpoint() == null) {
            return new OpenIdConnectLogoutResponse((String) null);
        }
        return new OpenIdConnectLogoutResponse(new LogoutRequest(this.opConfiguration.getEndsessionEndpoint(), jwt, this.rpConfiguration.getPostLogoutRedirectUri(), new State()).toURI().toString());
    }

    public void close() {
        this.openIdConnectAuthenticator.close();
    }
}
