package org.elasticsearch.xpack.core.security.authc.jwt;

import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.xpack.core.inference.results.StreamingUnifiedChatCompletionResults;
import org.elasticsearch.xpack.core.rollup.job.GroupConfig;
import org.elasticsearch.xpack.core.security.action.Grant;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.ClaimSetting;
import org.elasticsearch.xpack.core.security.authc.support.DelegatedAuthorizationSettings;
import org.elasticsearch.xpack.core.security.authc.support.SecuritySettingsUtil;
import org.elasticsearch.xpack.core.ssl.SSLConfigurationSettings;
import org.elasticsearch.xpack.core.watcher.input.none.NoneInput;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings.class */
/**
 * Setting definitions for authentication realms of type {@code "jwt"} (see {@link #TYPE}).
 *
 * <p>The class only holds static {@code Setting} declarations, two small enums and the helpers
 * that assemble and cross-validate those settings; it cannot be instantiated.
 *
 * <p>NOTE(review): this listing looks like decompiler output. Several nested lambdas reuse the
 * parameter name {@code str} for both the outer (setting key) and the inner (setting value)
 * parameter, and some anonymous validators contain {@code String str = str;}. Java does not
 * accept that shadowing, so which {@code str} is meant in a call such as
 * {@code parse(str, str)} cannot be decided from this text alone; confirm against the original
 * source before relying on argument order.
 */
public class JwtRealmSettings {
    // Not referenced elsewhere in this class. By its name, presumably the scheme token expected in
    // the client-authentication header; confirm against the realm implementation.
    public static final String HEADER_SHARED_SECRET_AUTHENTICATION_SCHEME = "SharedSecret";
    // Several of the constants below are never referenced by name in this listing; the same
    // literals (true, 0, 200) appear inline in the setting definitions further down, which looks
    // like compile-time constant inlining.
    private static final boolean DEFAULT_POPULATE_USER_METADATA = true;
    private static final int DEFAULT_JWT_CACHE_SIZE = 100000;
    private static final int MIN_JWT_CACHE_SIZE = 0;
    private static final int DEFAULT_HTTP_MAX_CONNECTIONS = 200;
    private static final int MIN_HTTP_MAX_CONNECTIONS = 0;
    private static final int DEFAULT_HTTP_MAX_ENDPOINT_CONNECTIONS = 200;
    private static final int MIN_HTTP_MAX_ENDPOINT_CONNECTIONS = 0;
    // Signature algorithm names grouped by key type. The HMAC group uses a shared symmetric key;
    // the RSA and EC groups are public-key algorithms. No "none" entry exists in any group.
    public static final List<String> SUPPORTED_SIGNATURE_ALGORITHMS_HMAC = List.of("HS256", "HS384", "HS512");
    public static final List<String> SUPPORTED_SIGNATURE_ALGORITHMS_RSA = List.of("RS256", "RS384", "RS512", "PS256", "PS384", "PS512");
    public static final List<String> SUPPORTED_SIGNATURE_ALGORITHMS_EC = List.of("ES256", "ES384", "ES512");
    // PKC = RSA followed by EC, flattened into one immutable list.
    public static final List<String> SUPPORTED_SIGNATURE_ALGORITHMS_PKC = Stream.of((Object[]) new List[]{SUPPORTED_SIGNATURE_ALGORITHMS_RSA, SUPPORTED_SIGNATURE_ALGORITHMS_EC}).flatMap((v0) -> {
        return v0.stream();
    }).toList();
    // Every supported algorithm: HMAC followed by PKC.
    public static final List<String> SUPPORTED_SIGNATURE_ALGORITHMS = Stream.of((Object[]) new List[]{SUPPORTED_SIGNATURE_ALGORITHMS_HMAC, SUPPORTED_SIGNATURE_ALGORITHMS_PKC}).flatMap((v0) -> {
        return v0.stream();
    }).toList();
    private static final TimeValue DEFAULT_ALLOWED_CLOCK_SKEW = TimeValue.timeValueSeconds(60);
    // Only RS256 is allowed unless the operator lists other algorithms explicitly.
    private static final List<String> DEFAULT_ALLOWED_SIGNATURE_ALGORITHMS = Collections.singletonList("RS256");
    private static final TimeValue DEFAULT_JWT_CACHE_TTL = TimeValue.timeValueMinutes(20);
    private static final TimeValue DEFAULT_JWT_CLIENT_AUTH_GRACE_PERIOD = TimeValue.timeValueMinutes(1);
    private static final TimeValue DEFAULT_HTTP_CONNECT_TIMEOUT = TimeValue.timeValueSeconds(5);
    private static final TimeValue DEFAULT_HTTP_CONNECTION_READ_TIMEOUT = TimeValue.timeValueSeconds(5);
    private static final TimeValue DEFAULT_HTTP_SOCKET_TIMEOUT = TimeValue.timeValueSeconds(5);
    /** Realm type identifier; used to build the prefix of every setting key declared here. */
    public static final String TYPE = "jwt";
    /** {@code token_type}: defaults to {@code TokenType.ID_TOKEN}; the value is parsed by {@link TokenType#parse}. */
    public static final Setting.AffixSetting<TokenType> TOKEN_TYPE = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "token_type", str -> {
        return new Setting(str, TokenType.ID_TOKEN.value(), str -> {
            // NOTE(review): both arguments print as `str`; parse() takes (value, key) — confirm order.
            return TokenType.parse(str, str);
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code allowed_issuer}: a single string, checked by
     * {@code SecuritySettingsUtil.verifyNonNullNotEmpty} with no allowed-values list
     * (the third argument is {@code null}).
     */
    public static final Setting.AffixSetting<String> ALLOWED_ISSUER = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_issuer", str -> {
        return Setting.simpleString(str, str -> {
            SecuritySettingsUtil.verifyNonNullNotEmpty(str, str, (Collection<String>) null);
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code allowed_clock_skew}: time value, default 60 seconds. No upper bound is set here.
     * NOTE(review): presumably the tolerance applied to time-based claim checks, in which case a
     * larger value lengthens the period an expired token is still accepted; confirm in the realm's
     * validation code.
     */
    public static final Setting.AffixSetting<TimeValue> ALLOWED_CLOCK_SKEW = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_clock_skew", str -> {
        return Setting.timeSetting(str, DEFAULT_ALLOWED_CLOCK_SKEW, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code allowed_signature_algorithms}: string list, default {@code ["RS256"]}. The validator
     * passes {@link #SUPPORTED_SIGNATURE_ALGORITHMS} as the allowed-values collection; presumably
     * any name outside that list is rejected (the body of {@code verifyNonNullNotEmpty} is not
     * shown here). HMAC algorithms are therefore only in effect when listed explicitly.
     */
    public static final Setting.AffixSetting<List<String>> ALLOWED_SIGNATURE_ALGORITHMS = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_signature_algorithms", str -> {
        return Setting.stringListSetting(str, DEFAULT_ALLOWED_SIGNATURE_ALGORITHMS, list -> {
            SecuritySettingsUtil.verifyNonNullNotEmpty(str, (List<String>) list, SUPPORTED_SIGNATURE_ALGORITHMS);
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** {@code pkc_jwkset_path}: plain (non-secure) string locating the public-key JWK set. */
    public static final Setting.AffixSetting<String> PKC_JWKSET_PATH = RealmSettings.simpleString(TYPE, "pkc_jwkset_path", Setting.Property.NodeScope);
    // HMAC key material is declared through RealmSettings.secureString and is returned by
    // getSecureSettings(), not getNonSecureSettings(). Presumably sourced from the secure settings
    // store rather than plain configuration; confirm against RealmSettings.secureString.
    public static final Setting.AffixSetting<SecureString> HMAC_JWKSET = RealmSettings.secureString(TYPE, "hmac_jwkset");
    public static final Setting.AffixSetting<SecureString> HMAC_KEY = RealmSettings.secureString(TYPE, "hmac_key");
    /** {@code allowed_audiences}: string list with no default given here, checked by {@code verifyNonNullNotEmpty}. */
    public static final Setting.AffixSetting<List<String>> ALLOWED_AUDIENCES = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_audiences", str -> {
        return Setting.stringListSetting(str, list -> {
            SecuritySettingsUtil.verifyNonNullNotEmpty(str, (List<String>) list, (Collection<String>) null);
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code allowed_subjects}: string list. Each entry is checked individually, and the setting
     * is cross-validated with {@link #ALLOWED_SUBJECT_PATTERNS}: a {@code SettingsException} is
     * thrown when both lists are empty, so a realm cannot be configured without a subject filter.
     */
    public static final Setting.AffixSetting<List<String>> ALLOWED_SUBJECTS = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_subjects", str -> {
        return Setting.stringListSetting(str, new Setting.Validator<List<String>>() { // from class: org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.1
            // Per-value check: every listed subject goes through verifyNonNullNotEmpty.
            public void validate(List<String> list) {
                String str = str;
                list.forEach(str2 -> {
                    SecuritySettingsUtil.verifyNonNullNotEmpty(str, str2, (Collection<String>) null);
                });
            }

            // Cross-setting check against allowed_subject_patterns of the same realm namespace.
            // NOTE(review): list2 is null if the map has no entry for the patterns setting, which
            // would raise NullPointerException; presumably the dependency declared in settings()
            // guarantees the entry is present — confirm.
            public void validate(List<String> list, Map<Setting<?>, Object> map) {
                String namespace = JwtRealmSettings.ALLOWED_SUBJECTS.getNamespace(JwtRealmSettings.ALLOWED_SUBJECTS.getConcreteSetting(str));
                List list2 = (List) map.get(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getConcreteSettingForNamespace(namespace));
                if (list.isEmpty() && list2.isEmpty()) {
                    throw new SettingsException("One of either [" + JwtRealmSettings.ALLOWED_SUBJECTS.getConcreteSettingForNamespace(namespace).getKey() + "] or [" + JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getConcreteSettingForNamespace(namespace).getKey() + "] must be specified and not be empty.");
                }
            }

            // Declares the dependency: the concrete allowed_subject_patterns setting of this realm.
            public Iterator<Setting<?>> settings() {
                return List.of(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getConcreteSettingForNamespace(JwtRealmSettings.ALLOWED_SUBJECTS.getNamespace(JwtRealmSettings.ALLOWED_SUBJECTS.getConcreteSetting(str)))).iterator();
            }

            public /* bridge */ /* synthetic */ void validate(Object obj, Map map) {
                validate((List<String>) obj, (Map<Setting<?>, Object>) map);
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code allowed_subject_patterns}: string list, the mirror image of {@link #ALLOWED_SUBJECTS}.
     * Entries are only checked for non-null/non-empty here; nothing in this class compiles or
     * otherwise inspects the pattern syntax.
     */
    public static final Setting.AffixSetting<List<String>> ALLOWED_SUBJECT_PATTERNS = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "allowed_subject_patterns", str -> {
        return Setting.stringListSetting(str, new Setting.Validator<List<String>>() { // from class: org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.2
            // Per-value check: every listed pattern goes through verifyNonNullNotEmpty.
            public void validate(List<String> list) {
                String str = str;
                list.forEach(str2 -> {
                    SecuritySettingsUtil.verifyNonNullNotEmpty(str, str2, (Collection<String>) null);
                });
            }

            // Cross-setting check: reject the configuration when allowed_subjects and
            // allowed_subject_patterns of the same realm are both empty.
            public void validate(List<String> list, Map<Setting<?>, Object> map) {
                String namespace = JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getNamespace(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getConcreteSetting(str));
                if (((List) map.get(JwtRealmSettings.ALLOWED_SUBJECTS.getConcreteSettingForNamespace(namespace))).isEmpty() && list.isEmpty()) {
                    throw new SettingsException("One of either [" + JwtRealmSettings.ALLOWED_SUBJECTS.getConcreteSettingForNamespace(namespace).getKey() + "] or [" + JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getConcreteSettingForNamespace(namespace).getKey() + "] must be specified and not be empty.");
                }
            }

            // Declares the dependency: the concrete allowed_subjects setting of this realm.
            public Iterator<Setting<?>> settings() {
                return List.of(JwtRealmSettings.ALLOWED_SUBJECTS.getConcreteSettingForNamespace(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getNamespace(JwtRealmSettings.ALLOWED_SUBJECT_PATTERNS.getConcreteSetting(str)))).iterator();
            }

            public /* bridge */ /* synthetic */ void validate(Object obj, Map map) {
                validate((List<String>) obj, (Map<Setting<?>, Object>) map);
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** Claim names that a fallback claim may not be redirected to (see {@code verifyFallbackClaimName}). */
    public static final List<String> REGISTERED_CLAIM_NAMES = List.of("iss", "sub", "aud", "exp", "nbf", "iat", "jti");
    /**
     * {@code fallback_claims.sub}: defaults to {@code "sub"}. Validation is delegated to
     * {@code validateFallbackClaimSetting}, which rejects the setting for {@code id_token} realms;
     * the validator depends on this realm's {@link #TOKEN_TYPE}.
     */
    public static final Setting.AffixSetting<String> FALLBACK_SUB_CLAIM = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "fallback_claims.sub", str -> {
        return Setting.simpleString(str, "sub", new Setting.Validator<String>() { // from class: org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.3
            // Intentionally empty: all checks need the token type and run in the overload below.
            public void validate(String str) {
            }

            // NOTE(review): the two `str` arguments are presumably (setting key, configured value).
            public void validate(String str, Map<Setting<?>, Object> map, boolean z) {
                JwtRealmSettings.validateFallbackClaimSetting(JwtRealmSettings.FALLBACK_SUB_CLAIM, str, str, map, z);
            }

            public Iterator<Setting<?>> settings() {
                return List.of(JwtRealmSettings.TOKEN_TYPE.getConcreteSettingForNamespace(JwtRealmSettings.FALLBACK_SUB_CLAIM.getNamespace(JwtRealmSettings.FALLBACK_SUB_CLAIM.getConcreteSetting(str)))).iterator();
            }

            public /* bridge */ /* synthetic */ void validate(Object obj, Map map, boolean z) {
                validate((String) obj, (Map<Setting<?>, Object>) map, z);
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** {@code fallback_claims.aud}: defaults to {@code "aud"}; validated the same way as {@link #FALLBACK_SUB_CLAIM}. */
    public static final Setting.AffixSetting<String> FALLBACK_AUD_CLAIM = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "fallback_claims.aud", str -> {
        return Setting.simpleString(str, "aud", new Setting.Validator<String>() { // from class: org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.4
            // Intentionally empty: all checks need the token type and run in the overload below.
            public void validate(String str) {
            }

            public void validate(String str, Map<Setting<?>, Object> map, boolean z) {
                JwtRealmSettings.validateFallbackClaimSetting(JwtRealmSettings.FALLBACK_AUD_CLAIM, str, str, map, z);
            }

            public Iterator<Setting<?>> settings() {
                return List.of(JwtRealmSettings.TOKEN_TYPE.getConcreteSettingForNamespace(JwtRealmSettings.FALLBACK_AUD_CLAIM.getNamespace(JwtRealmSettings.FALLBACK_AUD_CLAIM.getConcreteSetting(str)))).iterator();
            }

            public /* bridge */ /* synthetic */ void validate(Object obj, Map map, boolean z) {
                validate((String) obj, (Map<Setting<?>, Object>) map, z);
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code required_claims.*}: a settings group of additional claim names. The validator throws
     * {@code IllegalArgumentException} when a name is one of iss, sub, aud, exp, nbf, iat, or when
     * the configured value list for a name is empty. Note that {@code jti} is not in this rejected
     * list although it is in {@link #REGISTERED_CLAIM_NAMES}.
     */
    public static final Setting.AffixSetting<Settings> REQUIRED_CLAIMS = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "required_claims", str -> {
        return Setting.groupSetting(str + ".", settings -> {
            List of = List.of("iss", "sub", "aud", "exp", "nbf", "iat");
            // NOTE(review): the loop variable shadows the outer `str` (the group key) in this
            // listing; str2 is presumably "<group key>.<claim name>" — confirm.
            for (String str : settings.names()) {
                String str2 = str + "." + str;
                if (of.contains(str)) {
                    throw new IllegalArgumentException(Strings.format("required claim [%s] cannot be one of [%s]", new Object[]{str2, String.join(",", of)}));
                }
                if (settings.getAsList(str).isEmpty()) {
                    throw new IllegalArgumentException(Strings.format("required claim [%s] cannot be empty", new Object[]{str2}));
                }
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    // Claim settings; each ClaimSetting contributes a claim setting and a pattern setting
    // (getClaim()/getPattern() are both registered in getNonSecureSettings()).
    // NOTE(review): GroupConfig.NAME and StreamingUnifiedChatCompletionResults.FUNCTION_NAME_FIELD
    // come from unrelated packages; this looks like the decompiler substituting constants that
    // share the same string value. Their values are not visible here — confirm.
    public static final ClaimSetting CLAIMS_PRINCIPAL = new ClaimSetting(TYPE, "principal");
    public static final ClaimSetting CLAIMS_GROUPS = new ClaimSetting(TYPE, GroupConfig.NAME);
    public static final ClaimSetting CLAIMS_DN = new ClaimSetting(TYPE, "dn");
    public static final ClaimSetting CLAIMS_MAIL = new ClaimSetting(TYPE, "mail");
    public static final ClaimSetting CLAIMS_NAME = new ClaimSetting(TYPE, StreamingUnifiedChatCompletionResults.FUNCTION_NAME_FIELD);
    /** {@code populate_user_metadata}: boolean, default {@code true}. */
    public static final Setting.AffixSetting<Boolean> POPULATE_USER_METADATA = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "populate_user_metadata", str -> {
        return Setting.boolSetting(str, true, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code client_authentication.type}: defaults to {@code SHARED_SECRET}; parsed by
     * {@link ClientAuthenticationType#parse}. The other accepted value is {@code NONE}, which has
     * to be chosen explicitly.
     */
    public static final Setting.AffixSetting<ClientAuthenticationType> CLIENT_AUTHENTICATION_TYPE = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "client_authentication.type", str -> {
        return new Setting(str, ClientAuthenticationType.SHARED_SECRET.value, str -> {
            // NOTE(review): both arguments print as `str`; parse() takes (value, key) — confirm order.
            return ClientAuthenticationType.parse(str, str);
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** {@code client_authentication.shared_secret}: declared as a secure string, like the HMAC key settings. */
    public static final Setting.AffixSetting<SecureString> CLIENT_AUTHENTICATION_SHARED_SECRET = RealmSettings.secureString(TYPE, "client_authentication.shared_secret");
    /**
     * {@code client_authentication.rotation_grace_period}: time value, default 1 minute.
     * NOTE(review): by its name, presumably how long a previous shared secret remains accepted
     * after rotation; confirm in the realm implementation.
     */
    public static final Setting.AffixSetting<TimeValue> CLIENT_AUTH_SHARED_SECRET_ROTATION_GRACE_PERIOD = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "client_authentication.rotation_grace_period", str -> {
        return Setting.timeSetting(str, DEFAULT_JWT_CLIENT_AUTH_GRACE_PERIOD, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** {@code jwt.cache.ttl}: time value, default 20 minutes. What is cached is not visible in this class. */
    public static final Setting.AffixSetting<TimeValue> JWT_CACHE_TTL = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "jwt.cache.ttl", str -> {
        return Setting.timeSetting(str, DEFAULT_JWT_CACHE_TTL, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** {@code jwt.cache.size}: integer, default 100000, minimum 0. */
    public static final Setting.AffixSetting<Integer> JWT_CACHE_SIZE = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "jwt.cache.size", str -> {
        return Setting.intSetting(str, DEFAULT_JWT_CACHE_SIZE, 0, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    // HTTP client settings: three timeouts (default 5 seconds each) and two connection limits
    // (default 200, minimum 0). Presumably used when the PKC JWK set is fetched over HTTP(S);
    // the client itself is not part of this class.
    public static final Setting.AffixSetting<TimeValue> HTTP_CONNECT_TIMEOUT = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.connect_timeout", str -> {
        return Setting.timeSetting(str, DEFAULT_HTTP_CONNECT_TIMEOUT, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    public static final Setting.AffixSetting<TimeValue> HTTP_CONNECTION_READ_TIMEOUT = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.connection_read_timeout", str -> {
        return Setting.timeSetting(str, DEFAULT_HTTP_CONNECTION_READ_TIMEOUT, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    public static final Setting.AffixSetting<TimeValue> HTTP_SOCKET_TIMEOUT = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.socket_timeout", str -> {
        return Setting.timeSetting(str, DEFAULT_HTTP_SOCKET_TIMEOUT, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    public static final Setting.AffixSetting<Integer> HTTP_MAX_CONNECTIONS = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.max_connections", str -> {
        return Setting.intSetting(str, 200, 0, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    public static final Setting.AffixSetting<Integer> HTTP_MAX_ENDPOINT_CONNECTIONS = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.max_endpoint_connections", str -> {
        return Setting.intSetting(str, 200, 0, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /**
     * {@code http.proxy.host}: string with no default given here. Validation is delegated to
     * {@code SecuritySettingsUtil.verifyProxySettings} together with the proxy scheme and port
     * settings of the same realm.
     */
    public static final Setting.AffixSetting<String> HTTP_PROXY_HOST = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.proxy.host", str -> {
        return Setting.simpleString(str, new Setting.Validator<String>() { // from class: org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings.5
            // Intentionally empty: the host is only checked in combination with scheme and port.
            public void validate(String str) {
            }

            public void validate(String str, Map<Setting<?>, Object> map) {
                SecuritySettingsUtil.verifyProxySettings(str, str, map, JwtRealmSettings.HTTP_PROXY_HOST, JwtRealmSettings.HTTP_PROXY_SCHEME, JwtRealmSettings.HTTP_PROXY_PORT);
            }

            // Declares the dependencies: this realm's proxy port and proxy scheme settings.
            public Iterator<Setting<?>> settings() {
                String namespace = JwtRealmSettings.HTTP_PROXY_HOST.getNamespace(JwtRealmSettings.HTTP_PROXY_HOST.getConcreteSetting(str));
                return List.of(JwtRealmSettings.HTTP_PROXY_PORT.getConcreteSettingForNamespace(namespace), JwtRealmSettings.HTTP_PROXY_SCHEME.getConcreteSettingForNamespace(namespace)).iterator();
            }

            public /* bridge */ /* synthetic */ void validate(Object obj, Map map) {
                validate((String) obj, (Map<Setting<?>, Object>) map);
            }
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    /** {@code http.proxy.port}: integer, default 80, range 1..65535; declared as dependent on {@link #HTTP_PROXY_HOST}. */
    public static final Setting.AffixSetting<Integer> HTTP_PROXY_PORT = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.proxy.port", str -> {
        return Setting.intSetting(str, 80, 1, 65535, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[]{() -> {
        return HTTP_PROXY_HOST;
    }});
    /**
     * {@code http.proxy.scheme}: defaults to {@code "http"}, and {@code List.of("http")} is passed
     * as the allowed-values collection, so {@code "http"} appears to be the only accepted scheme.
     * NOTE(review): this means the hop to the proxy is configured without TLS; whether the
     * proxied request to the final endpoint is still protected by TLS depends on the SSL settings
     * below and on the client code, neither of which is shown here.
     */
    public static final Setting.AffixSetting<String> HTTP_PROXY_SCHEME = Setting.affixKeySetting(RealmSettings.realmSettingPrefix(TYPE), "http.proxy.scheme", str -> {
        return Setting.simpleString(str, "http", str -> {
            SecuritySettingsUtil.verifyNonNullNotEmpty(str, str, List.of("http"));
        }, new Setting.Property[]{Setting.Property.NodeScope});
    }, new Setting.AffixSettingDependency[0]);
    // SSL/TLS settings for this realm type, as produced by SSLConfigurationSettings.
    public static final Collection<Setting.AffixSetting<?>> SSL_CONFIGURATION_SETTINGS = SSLConfigurationSettings.getRealmSettings(TYPE);
    public static final SSLConfigurationSettings ssl = SSLConfigurationSettings.withoutPrefix(true);
    // Settings for delegating authorization to other realms, as produced by DelegatedAuthorizationSettings.
    public static final Collection<Setting.AffixSetting<?>> DELEGATED_AUTHORIZATION_REALMS_SETTINGS = DelegatedAuthorizationSettings.getSettings(TYPE);

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings$ClientAuthenticationType.class */
    /**
     * Accepted values of {@code client_authentication.type}.
     * NOTE(review): {@code NoneInput.TYPE} comes from the watcher package and is presumably a
     * decompiler substitution for a string literal of equal value; its value is not visible here.
     */
    public enum ClientAuthenticationType {
        NONE(NoneInput.TYPE),
        SHARED_SECRET("shared_secret");

        // The string form used in configuration.
        private final String value;

        ClientAuthenticationType(String str) {
            this.value = str;
        }

        /** Returns the configuration string of this constant. */
        public String value() {
            return this.value;
        }

        /**
         * Maps a configured string to its constant, ignoring case.
         *
         * @param str  the configured value; {@code null} matches nothing and ends in the exception
         * @param str2 the setting key, used only in the error message
         * @return the matching constant
         * @throws IllegalArgumentException if no constant matches; the message echoes the
         *         rejected value and lists the allowed ones
         */
        public static ClientAuthenticationType parse(String str, String str2) {
            for (ClientAuthenticationType clientAuthenticationType : values()) {
                if (clientAuthenticationType.value.equalsIgnoreCase(str)) {
                    return clientAuthenticationType;
                }
            }
            throw new IllegalArgumentException("Invalid value [" + str + "] for [" + str2 + "], allowed values are [" + ((String) Stream.of((Object[]) values()).map((v0) -> {
                return v0.value();
            }).collect(Collectors.joining(","))) + "]");
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/authc/jwt/JwtRealmSettings$TokenType.class */
    /**
     * Accepted values of {@code token_type}. The realm's token type also decides whether the
     * fallback claim settings are permitted (see {@code validateFallbackClaimSetting}).
     */
    public enum TokenType {
        ID_TOKEN("id_token"),
        ACCESS_TOKEN(Grant.ACCESS_TOKEN_GRANT_TYPE);

        // The string form used in configuration.
        private final String value;

        TokenType(String str) {
            this.value = str;
        }

        /** Returns the configuration string of this constant. */
        public String value() {
            return this.value;
        }

        /**
         * Maps a configured string to its constant, ignoring case.
         *
         * @param str  the configured value
         * @param str2 the setting key, used only in the error message
         * @return the first constant whose value equals {@code str} ignoring case
         * @throws IllegalArgumentException if no constant matches; the message echoes the
         *         rejected value and lists the allowed ones
         */
        public static TokenType parse(String str, String str2) {
            return (TokenType) EnumSet.allOf(TokenType.class).stream().filter(tokenType -> {
                return tokenType.value.equalsIgnoreCase(str);
            }).findFirst().orElseThrow(() -> {
                return new IllegalArgumentException(Strings.format("Invalid value [%s] for [%s], allowed values are [%s]", new Object[]{str, str2, Stream.of((Object[]) values()).map((v0) -> {
                    return v0.value();
                }).collect(Collectors.joining(","))}));
            });
        }
    }

    // Holder of static declarations only; never instantiated.
    private JwtRealmSettings() {
    }

    /**
     * Returns every setting of the JWT realm: the non-secure settings plus the secure ones.
     *
     * @return a newly created, mutable set on each call
     */
    public static Set<Setting.AffixSetting<?>> getSettings() {
        HashSet hashSet = new HashSet();
        hashSet.addAll(getNonSecureSettings());
        hashSet.addAll(getSecureSettings());
        return hashSet;
    }

    /**
     * Collects all settings that are not secure strings, starting from the standard realm
     * settings returned by {@code RealmSettings.getStandardSettings(TYPE)} and adding the JWT,
     * claim, cache, HTTP, SSL and delegated-authorization settings declared in this class.
     */
    private static Set<Setting.AffixSetting<?>> getNonSecureSettings() {
        HashSet hashSet = new HashSet(RealmSettings.getStandardSettings(TYPE));
        hashSet.add(TOKEN_TYPE);
        hashSet.addAll(List.of(ALLOWED_ISSUER, ALLOWED_SIGNATURE_ALGORITHMS, ALLOWED_CLOCK_SKEW, PKC_JWKSET_PATH));
        hashSet.addAll(List.of(ALLOWED_AUDIENCES));
        hashSet.addAll(List.of((Object[]) new Setting.AffixSetting[]{ALLOWED_SUBJECTS, ALLOWED_SUBJECT_PATTERNS, FALLBACK_SUB_CLAIM, FALLBACK_AUD_CLAIM, REQUIRED_CLAIMS, CLAIMS_PRINCIPAL.getClaim(), CLAIMS_PRINCIPAL.getPattern(), CLAIMS_GROUPS.getClaim(), CLAIMS_GROUPS.getPattern(), CLAIMS_DN.getClaim(), CLAIMS_DN.getPattern(), CLAIMS_MAIL.getClaim(), CLAIMS_MAIL.getPattern(), CLAIMS_NAME.getClaim(), CLAIMS_NAME.getPattern(), POPULATE_USER_METADATA, CLIENT_AUTH_SHARED_SECRET_ROTATION_GRACE_PERIOD}));
        hashSet.addAll(List.of(CLIENT_AUTHENTICATION_TYPE));
        hashSet.addAll(List.of(JWT_CACHE_TTL, JWT_CACHE_SIZE));
        hashSet.addAll(List.of(HTTP_CONNECT_TIMEOUT, HTTP_CONNECTION_READ_TIMEOUT, HTTP_SOCKET_TIMEOUT, HTTP_MAX_CONNECTIONS, HTTP_MAX_ENDPOINT_CONNECTIONS, HTTP_PROXY_SCHEME, HTTP_PROXY_HOST, HTTP_PROXY_PORT));
        hashSet.addAll(SSL_CONFIGURATION_SETTINGS);
        hashSet.addAll(DELEGATED_AUTHORIZATION_REALMS_SETTINGS);
        return hashSet;
    }

    /**
     * Returns the three secret-bearing settings: the HMAC JWK set, the HMAC key and the
     * client-authentication shared secret.
     */
    private static Set<Setting.AffixSetting<SecureString>> getSecureSettings() {
        return new HashSet(List.of(HMAC_JWKSET, HMAC_KEY, CLIENT_AUTHENTICATION_SHARED_SECRET));
    }

    /**
     * Validates one of the {@code fallback_claims.*} settings against the realm's token type.
     *
     * @param affixSetting the fallback setting being validated
     * @param str          the concrete setting key (passed to {@code getConcreteSetting})
     * @param str2         the configured fallback claim name
     * @param map          values of the dependent settings; read for this realm's token type
     * @param z            when {@code false} the method returns without checking anything;
     *                     presumably the validator's "setting is present" flag — confirm
     * @throws IllegalArgumentException if the realm's token type is {@code ID_TOKEN}, or if
     *         {@code verifyFallbackClaimName} rejects the claim name
     */
    private static void validateFallbackClaimSetting(Setting.AffixSetting<String> affixSetting, String str, String str2, Map<Setting<?>, Object> map, boolean z) {
        if (false == z) {
            return;
        }
        String namespace = affixSetting.getNamespace(affixSetting.getConcreteSetting(str));
        // Fallback claims are refused outright for id_token realms.
        if (((TokenType) map.get(TOKEN_TYPE.getConcreteSettingForNamespace(namespace))) == TokenType.ID_TOKEN) {
            throw new IllegalArgumentException(Strings.format("fallback claim setting [%s] is not allowed when JWT realm [%s] is [%s] type", new Object[]{str, namespace, TokenType.ID_TOKEN.value()}));
        }
        verifyFallbackClaimName(str, str2);
    }

    /**
     * Checks the claim name configured for a fallback setting.
     *
     * @param str  the setting key; the text after its last {@code '.'} is the claim being
     *             replaced (for example {@code sub} for {@code ...fallback_claims.sub})
     * @param str2 the configured fallback claim name
     * @throws IllegalArgumentException if {@code str2} is a registered claim name other than the
     *         claim it replaces, so one registered claim cannot stand in for another
     */
    private static void verifyFallbackClaimName(String str, String str2) {
        // 46 is the character code of '.'.
        String substring = str.substring(str.lastIndexOf(46) + 1);
        SecuritySettingsUtil.verifyNonNullNotEmpty(str, str2, (Collection<String>) null);
        if (!substring.equals(str2) && REGISTERED_CLAIM_NAMES.contains(str2)) {
            throw new IllegalArgumentException(Strings.format("Invalid fallback claims setting [%s]. Claim [%s] cannot fallback to a registered claim [%s]", new Object[]{str, substring, str2}));
        }
    }
}
