package com.floragunn.searchguard.authc.transport;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthenticationDebugLogger;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.base.IPAddressAcceptanceRules;
import com.floragunn.searchguard.authc.blocking.BlockedIpRegistry;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authc.legacy.LegacySgConfig;
import com.floragunn.searchguard.authc.transport.TransportAuthenticationDomain;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigMap;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.AuthDomainInfo;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchguard.user.UserInformation;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.google.common.cache.Cache;
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressNetwork;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/authc/transport/AuthenticatingTransportRequestHandler.class */
public class AuthenticatingTransportRequestHandler implements ComponentStateProvider {
    private static final Logger log = LogManager.getLogger(AuthenticatingTransportRequestHandler.class);
    private final AdminDNs adminDns;
    private final AuditLog auditLog;
    private final ThreadContext threadContext;
    private volatile Cache<AuthCredentials, User> authenticatedUserCache;
    private volatile Cache<String, User> transportImpersonationCache;
    private final BlockedIpRegistry blockedIpRegistry;
    private final BlockedUserRegistry blockedUserRegistry;
    private volatile TransportAuthcConfig authczConfig;
    private final IPAddressNetwork.IPAddressGenerator ipAddressGenerator = new IPAddressNetwork.IPAddressGenerator();
    private final ComponentState componentState = new ComponentState(0, "authc", "transport_filter");
    private volatile IPAddressAcceptanceRules ipAddressAcceptanceRules = IPAddressAcceptanceRules.ANY;

    public AuthenticatingTransportRequestHandler(ConfigurationRepository configurationRepository, Settings settings, AuditLog auditLog, AdminDNs adminDNs, BlockedIpRegistry blockedIpRegistry, BlockedUserRegistry blockedUserRegistry, ThreadContext threadContext) {
        this.adminDns = adminDNs;
        this.auditLog = auditLog;
        this.threadContext = threadContext;
        this.blockedIpRegistry = blockedIpRegistry;
        this.blockedUserRegistry = blockedUserRegistry;
        configurationRepository.subscribeOnChange(new ConfigurationChangeListener() { // from class: com.floragunn.searchguard.authc.transport.AuthenticatingTransportRequestHandler.1
            @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
            public void onChange(ConfigMap configMap) {
                SgDynamicConfiguration sgDynamicConfiguration = configMap.get(CType.AUTHC_TRANSPORT);
                SgDynamicConfiguration sgDynamicConfiguration2 = configMap.get(CType.CONFIG);
                if (sgDynamicConfiguration != null && sgDynamicConfiguration.getCEntry("default") != null) {
                    TransportAuthcConfig transportAuthcConfig = (TransportAuthcConfig) sgDynamicConfiguration.getCEntry("default");
                    AuthenticatingTransportRequestHandler.this.authczConfig = transportAuthcConfig;
                    AuthenticatingTransportRequestHandler.this.componentState.setState(ComponentState.State.INITIALIZED, "using_authcz_config");
                    AuthenticatingTransportRequestHandler.this.componentState.setConfigVersion(sgDynamicConfiguration.getDocVersion());
                    AuthenticatingTransportRequestHandler.this.authenticatedUserCache = transportAuthcConfig.getUserCacheConfig().build();
                    AuthenticatingTransportRequestHandler.this.transportImpersonationCache = transportAuthcConfig.getUserCacheConfig().build();
                    AuthenticatingTransportRequestHandler.this.ipAddressAcceptanceRules = transportAuthcConfig.getNetwork() != null ? transportAuthcConfig.getNetwork().getIpAddressAcceptanceRules() : IPAddressAcceptanceRules.ANY;
                    return;
                }
                if (sgDynamicConfiguration2 == null || sgDynamicConfiguration2.getCEntry("sg_config") == null) {
                    AuthenticatingTransportRequestHandler.this.componentState.setState(ComponentState.State.SUSPENDED, "no_configuration");
                    return;
                }
                TransportAuthcConfig transportAuthcConfig2 = ((LegacySgConfig) sgDynamicConfiguration2.getCEntry("sg_config")).getTransportAuthcConfig();
                AuthenticatingTransportRequestHandler.this.authczConfig = transportAuthcConfig2;
                AuthenticatingTransportRequestHandler.this.componentState.setState(ComponentState.State.INITIALIZED, "using_legacy_config");
                AuthenticatingTransportRequestHandler.this.componentState.setConfigVersion(sgDynamicConfiguration2.getDocVersion());
                AuthenticatingTransportRequestHandler.this.authenticatedUserCache = transportAuthcConfig2.getUserCacheConfig().build();
                AuthenticatingTransportRequestHandler.this.transportImpersonationCache = transportAuthcConfig2.getUserCacheConfig().build();
                AuthenticatingTransportRequestHandler.this.ipAddressAcceptanceRules = IPAddressAcceptanceRules.ANY;
            }
        });
    }

    public User authenticate(TransportRequest transportRequest, String str, Task task, String str2) {
        if (log.isDebugEnabled() && transportRequest.remoteAddress() != null) {
            log.debug("Transport authentication request from {}", transportRequest.remoteAddress());
        }
        User user = new User(str, AuthDomainInfo.TLS_CERT);
        if (this.adminDns.isAdmin(user)) {
            this.auditLog.logSucceededLogin(user, true, null, transportRequest, str2, task);
            return user;
        }
        IPAddress from = transportRequest.remoteAddress() != null ? this.ipAddressGenerator.from(transportRequest.remoteAddress().address().getAddress()) : null;
        if (this.authczConfig == null) {
            log.error("Not yet initialized (you may need to run sgadmin)");
            return null;
        }
        TransportRequestMetaData transportRequestMetaData = new TransportRequestMetaData(transportRequest, from, str2);
        if (!this.ipAddressAcceptanceRules.accept(transportRequestMetaData)) {
            log.info("Not accepting request due to acceptance rules {}", transportRequestMetaData);
            return null;
        }
        if (this.blockedIpRegistry.isIpBlocked(from)) {
            if (log.isDebugEnabled()) {
                log.debug("Rejecting transport request because of blocked address: " + transportRequest.remoteAddress());
            }
            this.auditLog.logBlockedIp(transportRequest, str2, transportRequest.remoteAddress(), task);
            return null;
        }
        AuthCredentials.Builder extractCredentials = extractCredentials(this.threadContext.getHeader("Authorization"));
        AuthCredentials build = extractCredentials != null ? extractCredentials.authenticatorType("transport_basic").build() : null;
        UserInformation userInformation = null;
        if (build != null && log.isDebugEnabled()) {
            log.debug("User {} submitted also basic credentials: {}", user.getName(), build);
        }
        String header = this.threadContext.getHeader("sg_impersonate_as");
        for (AuthenticationDomain<TransportAuthenticationDomain.TransportAuthenticationFrontend> authenticationDomain : this.authczConfig.getAuthenticators()) {
            if (authenticationDomain.accept(transportRequestMetaData) && authenticationDomain.accept(build)) {
                User authcz = build != null ? authcz(build, authenticationDomain) : header != null ? impersonate(user, header, authenticationDomain) : checkExistsAndAuthz(user, AuthCredentials.forUser(user.getName()).authDomainInfo(AuthDomainInfo.TLS_CERT).build(), authenticationDomain);
                if (authcz != null) {
                    if (this.adminDns.isAdmin(authcz)) {
                        log.error("Cannot authenticate transport user because admin user is not permitted to login");
                        this.auditLog.logFailedLogin(authcz, true, null, transportRequest, task);
                        return null;
                    }
                    if (!this.blockedUserRegistry.isUserBlocked(authcz.getName())) {
                        if (log.isDebugEnabled()) {
                            log.debug("Transport user '{}' is authenticated", authcz);
                        }
                        this.auditLog.logSucceededLogin(authcz, false, 0 == 0 ? null : user, transportRequest, str2, task);
                        return authcz;
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("Rejecting TRANSPORT request because of blocked user: " + authcz.getName() + "; authDomain: " + authenticationDomain);
                    }
                    this.auditLog.logBlockedUser(authcz, false, user, transportRequest, task);
                } else if (log.isDebugEnabled()) {
                    log.debug("Cannot authenticate transport user {} (or add roles) with authdomain {}, try next", build == null ? 0 == 0 ? user.getName() : userInformation.getName() : build.getUsername(), authenticationDomain);
                }
            }
        }
        if (build == null) {
            this.auditLog.logFailedLogin(0 == 0 ? user : null, false, 0 == 0 ? null : user, transportRequest, task);
        } else {
            this.auditLog.logFailedLogin(build, false, null, transportRequest, task);
        }
        log.warn("Transport authentication finally failed for {} from {}", build == null ? 0 == 0 ? user.getName() : userInformation.getName() : build.getUsername(), transportRequest.remoteAddress());
        return null;
    }

    private User impersonate(User user, String str, AuthenticationDomain<TransportAuthenticationDomain.TransportAuthenticationFrontend> authenticationDomain) throws ElasticsearchSecurityException {
        if (user == null) {
            throw new ElasticsearchSecurityException("no original PKI user found", new Object[0]);
        }
        if (this.adminDns.isAdminDN(str)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as an adminuser  '" + str + "'", new Object[0]);
        }
        try {
            if (!this.adminDns.isTransportImpersonationAllowed(new LdapName(user.getName()), str)) {
                throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as transport user '" + str + "'", new Object[0]);
            }
            User checkExistsAndAuthz = checkExistsAndAuthz(user, AuthCredentials.forUser(str).authenticatorType("impersonation+tls_cert").build(), authenticationDomain);
            if (checkExistsAndAuthz == null) {
                log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), str, authenticationDomain);
                return null;
            }
            if (log.isDebugEnabled()) {
                log.debug("Impersonate transport user from '{}' to '{}'", user.getName(), str);
            }
            return checkExistsAndAuthz;
        } catch (InvalidNameException e) {
            throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + user.getName() + "'), should never happen", e, new Object[0]);
        }
    }

    private User authcz(AuthCredentials authCredentials, AuthenticationDomain<TransportAuthenticationDomain.TransportAuthenticationFrontend> authenticationDomain) {
        try {
            if (authCredentials == null) {
                return null;
            }
            try {
                if (!authenticationDomain.cacheUser() || this.authenticatedUserCache == null) {
                    User user = authenticationDomain.authenticate(authCredentials, AuthenticationDebugLogger.DISABLED).get();
                    authCredentials.clearSecrets();
                    return user;
                }
                User user2 = (User) this.authenticatedUserCache.get(authCredentials, () -> {
                    if (log.isTraceEnabled()) {
                        log.trace("Credentials for user " + authCredentials.getUsername() + " not cached, return from " + authenticationDomain + " backend directly");
                    }
                    User user3 = authenticationDomain.authenticate(authCredentials, AuthenticationDebugLogger.DISABLED).get();
                    if (user3 == null) {
                        throw new CredentialsException("Could not authenticate " + authCredentials);
                    }
                    return user3;
                });
                authCredentials.clearSecrets();
                return user2;
            } catch (Exception e) {
                if (log.isDebugEnabled()) {
                    log.debug("Can not authenticate " + authCredentials.getUsername() + " due to " + e.toString(), e);
                }
                authCredentials.clearSecrets();
                return null;
            }
        } catch (Throwable th) {
            authCredentials.clearSecrets();
            throw th;
        }
    }

    private User checkExistsAndAuthz(User user, AuthCredentials authCredentials, AuthenticationDomain<TransportAuthenticationDomain.TransportAuthenticationFrontend> authenticationDomain) {
        if (authCredentials == null) {
            return null;
        }
        try {
            return this.transportImpersonationCache == null ? authenticationDomain.impersonate(user, authCredentials).get() : (User) this.transportImpersonationCache.get(authCredentials.getName(), () -> {
                if (log.isTraceEnabled()) {
                    log.trace("Credentials for user " + authCredentials.getName() + " not cached, return from " + authenticationDomain + " backend directly");
                }
                User user2 = authenticationDomain.impersonate(user, authCredentials).get();
                if (user2 != null) {
                    return user2;
                }
                if (log.isDebugEnabled()) {
                    log.debug("User " + authCredentials.getName() + " does not exist in " + authenticationDomain);
                }
                throw new CredentialsException("User " + authCredentials.getName() + " does not exist in " + authenticationDomain);
            });
        } catch (Exception e) {
            if (!log.isDebugEnabled()) {
                return null;
            }
            log.debug("Can not check and authorize " + authCredentials.getName() + " due to " + e.toString(), e);
            return null;
        }
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }

    private static AuthCredentials.Builder extractCredentials(String str) {
        if (str == null || !str.trim().toLowerCase().startsWith("basic ")) {
            return null;
        }
        String str2 = new String(Base64.getDecoder().decode(str.split(" ")[1]), StandardCharsets.UTF_8);
        int indexOf = str2.indexOf(58);
        String str3 = null;
        String str4 = null;
        if (indexOf > 0) {
            str3 = str2.substring(0, indexOf);
            str4 = str2.length() - 1 != indexOf ? str2.substring(indexOf + 1) : "";
        }
        if (str3 != null && str4 != null) {
            return AuthCredentials.forUser(str3).password(str4.getBytes(StandardCharsets.UTF_8)).complete();
        }
        log.debug("Invalid 'Authorization' header");
        return null;
    }
}
