package com.floragunn.searchguard.legacy.auth;

import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.internal_users_db.InternalUser;
import com.floragunn.searchguard.authc.internal_users_db.InternalUsersDatabase;
import com.floragunn.searchguard.authc.legacy.LegacyAuthenticationBackend;
import com.floragunn.searchguard.authc.legacy.LegacyAuthorizationBackend;
import com.floragunn.searchguard.legacy.LegacyComponentFactory;
import com.floragunn.searchguard.user.Attributes;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.jayway.jsonpath.JsonPath;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/searchguard/legacy/auth/InternalAuthenticationBackend.class */
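/**
 * Legacy authentication and authorization backend that resolves users from the
 * {@link InternalUsersDatabase} and verifies passwords against the stored hash with
 * BouncyCastle's {@link OpenBSDBCrypt}.
 *
 * <p>The same class serves both roles: {@link AuthcBackendInfo} registers it as a
 * {@link LegacyAuthenticationBackend} and {@link AuthzBackendInfo} as a
 * {@link LegacyAuthorizationBackend}, both under the name {@code "internal"}.
 *
 * <p>Raw collection types are kept for the project collections because their generic
 * parameters are not visible in this file.
 */
public class InternalAuthenticationBackend implements LegacyAuthenticationBackend, LegacyAuthorizationBackend {
    private final InternalUsersDatabase internalUsersDatabase;
    /** Mapping built from the {@code map_db_attrs_to_user_attrs} settings group. */
    private final Map<String, JsonPath> attributeMapping;

    /* loaded from: input_file:com/floragunn/searchguard/legacy/auth/InternalAuthenticationBackend$AuthcBackendInfo.class */
    /** Component descriptor that exposes this backend as an authentication backend. */
    public static class AuthcBackendInfo implements TypedComponent.Info<LegacyAuthenticationBackend> {
        private final InternalUsersDatabase internalUsersDatabase;

        /**
         * @param internalUsersDatabase user store handed to every backend instance the factory creates
         */
        public AuthcBackendInfo(InternalUsersDatabase internalUsersDatabase) {
            this.internalUsersDatabase = internalUsersDatabase;
        }

        /** @return the component type this descriptor registers */
        public Class<LegacyAuthenticationBackend> getType() {
            return LegacyAuthenticationBackend.class;
        }

        /** @return the registration name, {@code "internal"} */
        public String getName() {
            return "internal";
        }

        /** @return a factory creating a new backend from the supplied settings and the shared user store */
        public TypedComponent.Factory<LegacyAuthenticationBackend> getFactory() {
            return LegacyComponentFactory.adapt((settings, path) -> {
                return new InternalAuthenticationBackend(settings, this.internalUsersDatabase);
            });
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/legacy/auth/InternalAuthenticationBackend$AuthzBackendInfo.class */
    /** Component descriptor that exposes this backend as an authorization backend. */
    public static class AuthzBackendInfo implements TypedComponent.Info<LegacyAuthorizationBackend> {
        private final InternalUsersDatabase internalUsersDatabase;

        /**
         * @param internalUsersDatabase user store handed to every backend instance the factory creates
         */
        public AuthzBackendInfo(InternalUsersDatabase internalUsersDatabase) {
            this.internalUsersDatabase = internalUsersDatabase;
        }

        /** @return the component type this descriptor registers */
        public Class<LegacyAuthorizationBackend> getType() {
            return LegacyAuthorizationBackend.class;
        }

        /** @return the registration name, {@code "internal"} */
        public String getName() {
            return "internal";
        }

        /** @return a factory creating a new backend from the supplied settings and the shared user store */
        public TypedComponent.Factory<LegacyAuthorizationBackend> getFactory() {
            return LegacyComponentFactory.adapt((settings, path) -> {
                return new InternalAuthenticationBackend(settings, this.internalUsersDatabase);
            });
        }
    }

    /**
     * Creates the backend.
     *
     * @param settings backend settings; the {@code map_db_attrs_to_user_attrs} group is read
     * @param internalUsersDatabase user store to look users up in
     */
    InternalAuthenticationBackend(Settings settings, InternalUsersDatabase internalUsersDatabase) {
        this.internalUsersDatabase = internalUsersDatabase;
        this.attributeMapping = Attributes.getAttributeMapping(settings.getAsSettings("map_db_attrs_to_user_attrs"));
    }

    /**
     * Looks the user up by name and, if found, enriches the passed {@link User} with the stored
     * backend roles, Search Guard roles and attributes.
     *
     * <p>No credential is checked here. NOTE(review): callers must already have established that
     * the request may act as this user before trusting the roles added below - confirm at the
     * call sites.
     *
     * @param user the user to look up and enrich; may be {@code null}
     * @return {@code true} if the user exists in the internal users database, {@code false} if
     *     {@code user} or the database is {@code null} or the name is unknown
     * @throws AuthenticatorUnavailableException declared by the user store lookup
     */
    public boolean exists(User user) throws AuthenticatorUnavailableException {
        if (user == null || this.internalUsersDatabase == null) {
            return false;
        }
        InternalUser internalUser = this.internalUsersDatabase.get(user.getName());
        if (internalUser == null) {
            return false;
        }
        user.addRoles(internalUser.getBackendRoles());
        ImmutableMap attributes = internalUser.getAttributes();
        // Flattened view of the stored attributes: every key is prefixed and every value stringified.
        HashMap prefixedAttributes = new HashMap();
        if (attributes != null) {
            for (Map.Entry entry : attributes.entrySet()) {
                Object value = entry.getValue();
                prefixedAttributes.put("attr.internal." + ((String) entry.getKey()), value != null ? value.toString() : null);
            }
        }
        ImmutableSet searchGuardRoles = internalUser.getSearchGuardRoles();
        if (searchGuardRoles != null) {
            user.addSearchGuardRoles(searchGuardRoles);
        }
        user.addAttributes(prefixedAttributes);
        user.addStructuredAttributesByJsonPath(this.attributeMapping, attributes);
        return true;
    }

    /**
     * Authenticates the given credentials against the bcrypt hash stored for the user.
     *
     * <p>The password bytes obtained from the credentials and both character buffers derived from
     * them are overwritten with zeros before this method returns or throws, so the clear-text
     * password does not linger in these arrays.
     *
     * @param authCredentials user name and password to verify
     * @return the authenticated user, or {@code null} if the user name is not present in the
     *     internal users database
     * @throws ElasticsearchSecurityException if the password is empty or does not match the stored hash
     * @throws AuthenticatorUnavailableException declared by the user store lookup
     */
    public User authenticate(AuthCredentials authCredentials) throws AuthenticatorUnavailableException {
        InternalUser internalUser = this.internalUsersDatabase.get(authCredentials.getUsername());
        if (internalUser == null) {
            // NOTE(review): this path returns before any bcrypt work, while a known user always
            // pays for a hash check. The response-time difference may let a client tell existing
            // from non-existing user names; verifying against a fixed dummy hash here would
            // equalise the cost. Whether an outer layer already masks this is not visible here.
            return null;
        }
        byte[] password = authCredentials.getPassword();
        if (password == null || password.length == 0) {
            throw new ElasticsearchSecurityException("empty passwords not supported", new Object[0]);
        }
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(password));
        char[] passwordChars = new char[decoded.limit()];
        decoded.get(passwordChars);
        // Wipe the byte form as soon as the char form exists. This zeroes the array returned by
        // getPassword(); whether that is a copy or the credential's own buffer is not visible here.
        Arrays.fill(password, (byte) 0);
        try {
            if (!OpenBSDBCrypt.checkPassword(internalUser.getPasswordHash(), passwordChars)) {
                // NOTE(review): confirm this message is not relayed to the client, where it would
                // distinguish "wrong password" from "unknown user".
                throw new ElasticsearchSecurityException("password does not match", new Object[0]);
            }
            ImmutableSet backendRoles = internalUser.getBackendRoles();
            ImmutableMap attributes = internalUser.getAttributes();
            AuthCredentials effectiveCredentials = authCredentials;
            if (attributes != null) {
                effectiveCredentials = authCredentials.copy().prefixOldAttributes("attr.internal.", attributes).build();
            }
            return User.forUser(effectiveCredentials.getUsername())
                    .authDomainInfo(effectiveCredentials.getAuthDomainInfo().authBackendType(getType()))
                    .backendRoles(backendRoles)
                    .searchGuardRoles(internalUser.getSearchGuardRoles())
                    .attributes(effectiveCredentials.getStructuredAttributes())
                    .attributesByJsonPath(this.attributeMapping, attributes)
                    .oldAttributes(effectiveCredentials.getAttributes())
                    .build();
        } finally {
            // Runs on success and on every failure: clear the decoder's whole backing array
            // (it can be longer than limit()) and the copy handed to bcrypt.
            Arrays.fill(decoded.array(), (char) 0);
            Arrays.fill(passwordChars, (char) 0);
        }
    }

    /** @return the backend type identifier, {@code "internal"} */
    public String getType() {
        return "internal";
    }

    /**
     * Adds the backend roles stored for the user to the passed {@link User}.
     *
     * <p>Does nothing if {@code user} is {@code null}, the user is unknown, or no backend roles
     * are stored. The {@code null} check is done before the user is dereferenced; checking it
     * only after {@code user.getName()} would make the guard unreachable and fail with a
     * {@link NullPointerException} instead.
     *
     * @param user the user whose roles are to be filled; may be {@code null}
     * @param authCredentials not used by this backend
     * @throws ElasticsearchSecurityException declared by the interface contract
     * @throws AuthenticatorUnavailableException declared by the user store lookup
     */
    public void fillRoles(User user, AuthCredentials authCredentials) throws ElasticsearchSecurityException, AuthenticatorUnavailableException {
        if (user == null) {
            return;
        }
        InternalUser internalUser = this.internalUsersDatabase.get(user.getName());
        if (internalUser == null) {
            return;
        }
        ImmutableSet backendRoles = internalUser.getBackendRoles();
        if (backendRoles == null || backendRoles.isEmpty()) {
            return;
        }
        user.addRoles(backendRoles);
    }
}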
