package com.floragunn.searchguard.enterprise.auth.session;

import com.floragunn.codova.config.net.ProxyConfig;
import com.floragunn.codova.config.net.TLSConfig;
import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.DocumentParseException;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.AuthenticationBackend;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchsupport.PrivilegedCode;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import org.apache.http.HttpHost;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/session/ExternalSearchGuardSessionAuthenticationBackend.class */
public class ExternalSearchGuardSessionAuthenticationBackend implements AuthenticationBackend, AutoCloseable {
    private final ComponentState componentState = new ComponentState(0, "authentication_backend", TYPE, ExternalSearchGuardSessionAuthenticationBackend.class).initialized().requiresEnterpriseLicense();
    private final ImmutableList<HttpHost> hosts;
    private final TLSConfig tlsConfig;
    private final ProxyConfig proxyConfig;
    private final int maxConnectionsPerHost;
    private PoolingHttpClientConnectionManager connectionManager;
    private CloseableHttpClient httpClient;
    private Thread idleConnectionMonitorThread;
    public static final String TYPE = "external_session";
    private static final Logger log = LogManager.getLogger(ExternalSearchGuardSessionAuthenticationBackend.class);
    public static TypedComponent.Info<AuthenticationBackend> INFO = new TypedComponent.Info<AuthenticationBackend>() { // from class: com.floragunn.searchguard.enterprise.auth.session.ExternalSearchGuardSessionAuthenticationBackend.2
        public Class<AuthenticationBackend> getType() {
            return AuthenticationBackend.class;
        }

        public String getName() {
            return ExternalSearchGuardSessionAuthenticationBackend.TYPE;
        }

        public TypedComponent.Factory<AuthenticationBackend> getFactory() {
            return (v1, v2) -> {
                return new ExternalSearchGuardSessionAuthenticationBackend(v1, v2);
            };
        }
    };

    public ExternalSearchGuardSessionAuthenticationBackend(Map<String, Object> map, ConfigurationRepository.Context context) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode validatingDocNode = new ValidatingDocNode(map, validationErrors, context);
        ImmutableList ofURIs = validatingDocNode.get("hosts").required().asList().minElements(1).ofURIs();
        this.tlsConfig = (TLSConfig) validatingDocNode.get("tls").by(TLSConfig::parse);
        this.proxyConfig = (ProxyConfig) validatingDocNode.get("proxy").by(ProxyConfig::parse);
        this.maxConnectionsPerHost = validatingDocNode.get("connection_pool.max_connections_per_host").withDefault(6).asInt();
        validatingDocNode.checkForUnusedAttributes();
        validationErrors.throwExceptionForPresentErrors();
        this.hosts = ofURIs.map(uri -> {
            return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
        });
        if (this.tlsConfig != null) {
            this.connectionManager = new PoolingHttpClientConnectionManager(RegistryBuilder.create().register("https", this.tlsConfig.toSSLConnectionSocketFactory()).build());
        } else {
            this.connectionManager = new PoolingHttpClientConnectionManager();
        }
        this.connectionManager.setMaxTotal(this.maxConnectionsPerHost * this.hosts.size());
        this.connectionManager.setDefaultMaxPerRoute(this.maxConnectionsPerHost);
        HttpClientBuilder connectionManager = HttpClients.custom().setConnectionManager(this.connectionManager);
        if (this.proxyConfig != null) {
            this.proxyConfig.apply(connectionManager);
        }
        this.httpClient = connectionManager.build();
        this.idleConnectionMonitorThread = new Thread() { // from class: com.floragunn.searchguard.enterprise.auth.session.ExternalSearchGuardSessionAuthenticationBackend.1
            @Override // java.lang.Thread, java.lang.Runnable
            public void run() {
                while (ExternalSearchGuardSessionAuthenticationBackend.this.connectionManager != null) {
                    try {
                        synchronized (this) {
                            wait(5000L);
                            if (ExternalSearchGuardSessionAuthenticationBackend.this.connectionManager != null) {
                                ExternalSearchGuardSessionAuthenticationBackend.this.connectionManager.closeExpiredConnections();
                                ExternalSearchGuardSessionAuthenticationBackend.this.connectionManager.closeIdleConnections(60L, TimeUnit.SECONDS);
                            }
                        }
                    } catch (InterruptedException e) {
                        return;
                    }
                }
            }
        };
    }

    public CompletableFuture<AuthCredentials> authenticate(AuthCredentials authCredentials, Meter meter) throws AuthenticatorUnavailableException, CredentialsException {
        if (!(authCredentials.getNativeCredentials() instanceof String)) {
            throw new AuthenticatorUnavailableException("Configuration Error", "external_session must be combined with a JWT authentication frontend");
        }
        String str = (String) authCredentials.getNativeCredentials();
        HttpGet httpGet = new HttpGet("/_searchguard/auth/session/extended");
        httpGet.addHeader("Authorization", "bearer " + str);
        return (CompletableFuture) PrivilegedCode.execute(() -> {
            try {
                CloseableHttpResponse executeWithRetry = executeWithRetry(httpGet, meter);
                try {
                    if (executeWithRetry.getStatusLine().getStatusCode() == 401) {
                        throw new CredentialsException(new AuthcResult.DebugInfo(getType(), false, "Failed to authenticate with JWT", ImmutableMap.of("response_status", executeWithRetry.getStatusLine())));
                    }
                    if (executeWithRetry.getStatusLine().getStatusCode() != 200) {
                        throw new AuthenticatorUnavailableException("Authentication failed", "session cluster is unavailable").details("response_status", executeWithRetry.getStatusLine(), new Object[0]);
                    }
                    DocNode from = DocNode.parse(Format.JSON).from(executeWithRetry.getEntity().getContent());
                    DocNode asNode = from.getAsNode("user");
                    if (asNode == null) {
                        throw new AuthenticatorUnavailableException("Authentication failed", "session cluster returned invalid result").details("response_status", executeWithRetry.getStatusLine(), new Object[]{"response_body", from.toJsonString()});
                    }
                    String asString = asNode.getAsString("name");
                    if (asString == null) {
                        throw new AuthenticatorUnavailableException("Authentication failed", "session cluster returned invalid result").details("response_status", executeWithRetry.getStatusLine(), new Object[]{"response_body", from.toJsonString()});
                    }
                    ImmutableList asListOfStrings = asNode.hasNonNull("backend_roles") ? asNode.getAsListOfStrings("backend_roles") : ImmutableList.empty();
                    CompletableFuture completedFuture = CompletableFuture.completedFuture(authCredentials.with(AuthCredentials.forUser(asString).backendRoles(asListOfStrings).searchGuardRoles(asNode.hasNonNull("search_guard_roles") ? asNode.getAsListOfStrings("search_guard_roles") : ImmutableList.empty()).attributes(asNode.hasNonNull("attributes") ? asNode.getAsNode("attributes").toMap() : ImmutableMap.empty()).build()));
                    if (executeWithRetry != null) {
                        executeWithRetry.close();
                    }
                    return completedFuture;
                } catch (Throwable th) {
                    if (executeWithRetry != null) {
                        try {
                            executeWithRetry.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (DocumentParseException e) {
                throw new AuthenticatorUnavailableException("Authentication failed", "session cluster returned invalid result", e);
            } catch (IOException e2) {
                throw new AuthenticatorUnavailableException("Authentication failed", "session cluster is unavailable", e2);
            }
        }, CredentialsException.class, AuthenticatorUnavailableException.class);
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        if (this.httpClient != null) {
            try {
                this.httpClient.close();
            } catch (IOException e) {
                log.warn("Error while closing client", e);
            }
        }
        if (this.connectionManager != null) {
            this.connectionManager.close();
            this.connectionManager = null;
        }
        if (this.idleConnectionMonitorThread != null) {
            this.idleConnectionMonitorThread.interrupt();
            this.idleConnectionMonitorThread = null;
        }
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }

    public String getType() {
        return TYPE;
    }

    private CloseableHttpResponse executeWithRetry(HttpGet httpGet, Meter meter) throws ClientProtocolException, IOException {
        Meter detail;
        CloseableHttpResponse execute;
        int size = this.hosts.size();
        if (size == 1) {
            Meter detail2 = meter.detail(((HttpHost) this.hosts.get(0)).toString());
            try {
                CloseableHttpResponse execute2 = this.httpClient.execute((HttpHost) this.hosts.get(0), httpGet);
                if (detail2 != null) {
                    detail2.close();
                }
                return execute2;
            } catch (Throwable th) {
                if (detail2 != null) {
                    try {
                        detail2.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        int nextInt = ThreadLocalRandom.current().nextInt(size);
        for (int i = 0; i < size - 1; i++) {
            int i2 = (i + nextInt) % size;
            try {
                detail = meter.detail(((HttpHost) this.hosts.get(i2)).toString());
                try {
                    execute = this.httpClient.execute((HttpHost) this.hosts.get(i2), httpGet);
                } catch (Throwable th3) {
                    if (detail != null) {
                        try {
                            detail.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (IOException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Got exception while executing " + String.valueOf(httpGet) + ". Retrying with next host", e);
                }
            }
            if (execute.getStatusLine().getStatusCode() < 500) {
                if (detail != null) {
                    detail.close();
                }
                return execute;
            }
            if (log.isDebugEnabled()) {
                log.debug("Got status {} while executing {}. Retrying with next host", Integer.valueOf(execute.getStatusLine().getStatusCode()), httpGet);
            }
            execute.close();
            if (detail != null) {
                detail.close();
            }
        }
        return this.httpClient.execute((HttpHost) this.hosts.get(nextInt == 0 ? size - 1 : nextInt - 1), httpGet);
    }
}
