package com.floragunn.searchguard.authc.legacy;

import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.SignalsTenantParamResolver;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthFailureListener;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authc.rest.HttpAuthenticationFrontend;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.cache.Cache;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/authc/legacy/LegacyRestRequestAuthenticationProcessor.class */
/**
 * Runs one REST request through the configured legacy HTTP authentication domains.
 *
 * <p>For each domain the processor first offers "auth domain meta requests" (paths below
 * {@code /_searchguard/auth_domain/}) to the domain's {@link LegacyHTTPAuthenticator}, then tries
 * to extract credentials, and collects {@code WWW-Authenticate} challenges that are sent as a
 * single 401 response by {@link #handleChallenge()}.
 *
 * <p>NOTE(review): the meta-request hand-off happens before any credentials are extracted, so
 * {@code handleMetaRequest} implementations are reached by unauthenticated callers and receive
 * path segments taken verbatim from the request URI.
 *
 * <p>Thread-safety is not established by this class: {@code challenges} is a plain
 * {@link LinkedHashSet} that is mutated per domain.
 */
public class LegacyRestRequestAuthenticationProcessor extends RequestAuthenticationProcessor<HttpAuthenticationFrontend> {
    private static final Logger log = LogManager.getLogger(LegacyRestRequestAuthenticationProcessor.class);

    /** URI prefix that marks a request as addressed to a specific authentication domain. */
    private static final String AUTH_DOMAIN_PATH_PREFIX = "/_searchguard/auth_domain/";

    /** Domain id in a meta-request path that matches any domain id; the type must still match. */
    private static final String FIRST_AUTH_DOMAIN_ID = "_first";

    /** Request header whose value is returned by {@link #getImpersonationUser()}. */
    private static final String IMPERSONATION_HEADER = "sg_impersonate_as";

    private final MetaRequestInfo authDomainMetaRequest;
    private final boolean isAuthDomainMetaRequest;
    private final RestRequest restRequest;
    private final RestChannel restChannel;
    private final ThreadContext threadContext;
    // Insertion-ordered so challenges are emitted in the order the domains produced them; duplicates collapse.
    private LinkedHashSet<String> challenges;

    /**
     * Parsed form of a {@code /_searchguard/auth_domain/<id>/<type>[/<remaining>]} request path.
     *
     * <p>All four values are cut straight out of the request path by
     * {@code checkAuthDomainMetaRequest}; nothing here validates or decodes them.
     */
    // Decompiler note: JADX reports that it widened this class's access modifier from private.
    public static class MetaRequestInfo {
        // Path segment directly after the prefix; may be the "_first" marker.
        final String authDomainId;
        // Path segment after the id; compared with the frontend's getType(). May be empty.
        final String authDomainType;
        // The request path up to and including the type segment (the whole path when nothing follows).
        final String authDomainPath;
        // Everything after the type segment, or "" when there is none.
        final String remainingPath;

        /**
         * @param str  the authentication domain id
         * @param str2 the authentication domain type
         * @param str3 the path up to and including the type segment
         * @param str4 the rest of the path after the type segment
         */
        public MetaRequestInfo(String str, String str2, String str3, String str4) {
            this.authDomainId = str;
            this.authDomainType = str2;
            this.authDomainPath = str3;
            this.remainingPath = str4;
        }
    }

    /**
     * Creates a processor for one request.
     *
     * <p>Everything except {@code restChannel} and {@code threadContext} is forwarded unchanged to
     * the superclass constructor; their meaning is defined there and is not visible in this file.
     *
     * @param legacyRestRequestMetaData source of the {@link RestRequest} and of the thread context
     *        stored by this processor
     * @param restChannel channel used for 401 challenges and handed to the legacy authenticators
     * @param threadContext not read by this constructor; the stored thread context comes from
     *        {@code legacyRestRequestMetaData.getThreadContext()}
     */
    public LegacyRestRequestAuthenticationProcessor(LegacyRestRequestMetaData legacyRestRequestMetaData, RestChannel restChannel, ThreadContext threadContext, Collection<AuthenticationDomain<HttpAuthenticationFrontend>> collection, AdminDNs adminDNs, PrivilegesEvaluator privilegesEvaluator, Cache<AuthCredentials, User> cache, Cache<String, User> cache2, AuditLog auditLog, BlockedUserRegistry blockedUserRegistry, List<AuthFailureListener> list, List<String> list2, boolean z) {
        super(legacyRestRequestMetaData, collection, adminDNs, privilegesEvaluator, cache, cache2, auditLog, blockedUserRegistry, list, list2, z);
        RestRequest incomingRequest = legacyRestRequestMetaData.getRequest();
        MetaRequestInfo parsedMetaRequest = checkAuthDomainMetaRequest(incomingRequest);
        this.challenges = new LinkedHashSet<>(2);
        this.restRequest = incomingRequest;
        this.restChannel = restChannel;
        this.authDomainMetaRequest = parsedMetaRequest;
        this.isAuthDomainMetaRequest = parsedMetaRequest != null;
        this.threadContext = legacyRestRequestMetaData.getThreadContext();
    }

    /**
     * Tries to authenticate the request with one authentication domain.
     *
     * <p>Outcomes, in the order they are checked:
     * <ul>
     *   <li>STOP when the domain's legacy authenticator reports that it handled a meta request;</li>
     *   <li>SKIP (optionally recording a challenge, or STOP on a re-request) when the frontend
     *       finds no credentials;</li>
     *   <li>SKIP after an audit-log entry when {@code isUserBlocked} reports the user as blocked;</li>
     *   <li>STOP with cleared secrets when incomplete credentials lead to a re-request or a
     *       challenge;</li>
     *   <li>otherwise whatever {@code proceed} returns.</li>
     * </ul>
     * Any exception thrown inside the credential handling, including one thrown by
     * {@code proceed}, is logged at WARN and turned into SKIP.
     *
     * @param authenticationDomain the domain currently being tried
     * @param consumer result callback, passed through to {@code proceed}
     * @param consumer2 failure callback, passed through to {@code proceed}
     * @return the state that tells the caller whether to stop or try the next domain
     */
    @Override
    protected RequestAuthenticationProcessor.AuthDomainState handleCurrentAuthenticationDomain(AuthenticationDomain<HttpAuthenticationFrontend> authenticationDomain, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        HttpAuthenticationFrontend frontend = authenticationDomain.getFrontend();
        if (isMetaRequestHandledBy(authenticationDomain, frontend)) {
            return RequestAuthenticationProcessor.AuthDomainState.STOP;
        }
        if (log.isTraceEnabled()) {
            log.trace("Try to extract auth creds from {} http authenticator", frontend.getType());
        }
        try {
            AuthCredentials credentials = frontend.extractCredentials(this.request);
            if (credentials == null) {
                return handleMissingCredentials(authenticationDomain, frontend);
            }

            if (isUserBlocked(authenticationDomain.getType(), credentials.getUsername())) {
                if (log.isDebugEnabled()) {
                    // NOTE(review): the username is request-derived and concatenated as-is; whether
                    // CR/LF in it is neutralised depends on the log layout, which is not visible here.
                    log.debug("Rejecting REST request because of blocked user: " + credentials.getUsername() + "; authDomain: " + authenticationDomain);
                }
                this.auditLog.logBlockedUser(credentials, false, credentials, this.restRequest);
                // NOTE(review): clearSecrets() is not called on this exit, nor on the exception path below.
                return RequestAuthenticationProcessor.AuthDomainState.SKIP;
            }

            // Tags subsequent log4j output of this thread with the claimed (not yet verified) user name.
            org.apache.logging.log4j.ThreadContext.put("user", credentials.getUsername());

            if (!credentials.isComplete()) {
                boolean stopForClient = isChallengeEnabled(authenticationDomain)
                        && (frontend instanceof LegacyHTTPAuthenticator)
                        && ((LegacyHTTPAuthenticator) frontend).reRequestAuthentication(this.restChannel, credentials);
                if (!stopForClient) {
                    // NOTE(review): unlike the no-credentials case, this getChallenge() call is not
                    // gated by isChallengeEnabled() — confirm that is intended.
                    String pendingChallenge = frontend.getChallenge(credentials);
                    if (pendingChallenge != null) {
                        this.challenges.add(pendingChallenge);
                        stopForClient = true;
                    }
                }
                if (stopForClient) {
                    credentials.clearSecrets();
                    return RequestAuthenticationProcessor.AuthDomainState.STOP;
                }
                // NOTE(review): incomplete credentials with neither a re-request nor a challenge
                // fall through to proceed() below — verify the backend rejects them.
            }

            // NOTE(review): every request header is exposed to user mapping under request.headers,
            // which includes credential-bearing headers when the client sent any — confirm that
            // consumers of these attributes neither log nor persist them.
            return proceed(
                    credentials.userMappingAttributes(
                            ImmutableMap.of(
                                    "request",
                                    ImmutableMap.of(
                                            "headers", this.restRequest.getHeaders(),
                                            "direct_ip_address", String.valueOf(this.request.getDirectIpAddress()),
                                            "originating_ip_address", String.valueOf(this.request.getOriginatingIpAddress())))),
                    authenticationDomain,
                    consumer,
                    consumer2);
        } catch (Exception e) {
            log.warn("'{}' extracting credentials from {} http authenticator", e.toString(), frontend.getType(), e);
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        }
    }

    /**
     * Offers the current request to the domain's legacy authenticator when it is a meta request
     * addressed to this domain.
     *
     * <p>The domain matches when the path's type equals the frontend type and the path's id is
     * either {@code _first} or equal to the domain id. The checks short-circuit in that order, so
     * {@code handleMetaRequest} is only invoked for a matching {@link LegacyHTTPAuthenticator}.
     *
     * @return {@code true} when the authenticator reports that it handled the request
     */
    private boolean isMetaRequestHandledBy(AuthenticationDomain<HttpAuthenticationFrontend> authenticationDomain, HttpAuthenticationFrontend frontend) {
        if (!this.isAuthDomainMetaRequest) {
            return false;
        }
        MetaRequestInfo meta = this.authDomainMetaRequest;
        if (!meta.authDomainType.equals(frontend.getType())) {
            return false;
        }
        boolean idMatches = FIRST_AUTH_DOMAIN_ID.equals(meta.authDomainId) || authenticationDomain.getId().equals(meta.authDomainId);
        if (!idMatches) {
            return false;
        }
        if (!(frontend instanceof LegacyHTTPAuthenticator)) {
            return false;
        }
        return ((LegacyHTTPAuthenticator) frontend).handleMetaRequest(this.restRequest, this.restChannel, meta.authDomainPath, meta.remainingPath, this.threadContext);
    }

    /**
     * Handles a domain whose frontend found no credentials in the request.
     *
     * <p>With challenges enabled, a legacy authenticator may answer the client itself (STOP);
     * otherwise the frontend's challenge, if any, is remembered for {@link #handleChallenge()}.
     *
     * @return STOP when the authenticator re-requested authentication, SKIP in every other case
     */
    private RequestAuthenticationProcessor.AuthDomainState handleMissingCredentials(AuthenticationDomain<HttpAuthenticationFrontend> authenticationDomain, HttpAuthenticationFrontend frontend) {
        // The frontend callbacks are invoked with a null credentials reference on this path.
        AuthCredentials absentCredentials = null;
        log.trace("no {} credentials found in request", authenticationDomain.getFrontend().getType());
        if (!isChallengeEnabled(authenticationDomain)) {
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        }
        if ((frontend instanceof LegacyHTTPAuthenticator) && ((LegacyHTTPAuthenticator) frontend).reRequestAuthentication(this.restChannel, absentCredentials)) {
            return RequestAuthenticationProcessor.AuthDomainState.STOP;
        }
        String offeredChallenge = frontend.getChallenge(absentCredentials);
        if (offeredChallenge != null) {
            this.challenges.add(offeredChallenge);
        }
        return RequestAuthenticationProcessor.AuthDomainState.SKIP;
    }

    /**
     * Sends one 401 response carrying a {@code WWW-Authenticate} header per collected challenge.
     *
     * @return {@code null} when no challenge was collected (nothing is sent), otherwise
     *         {@code AuthcResult.STOP} after the response has been handed to the channel
     */
    @Override
    protected AuthcResult handleChallenge() {
        if (this.challenges.isEmpty()) {
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug("Sending WWW-Authenticate: " + String.join(", ", this.challenges));
        }
        BytesRestResponse unauthorized = new BytesRestResponse(RestStatus.UNAUTHORIZED, ConfigConstants.UNAUTHORIZED_JSON);
        for (String challenge : this.challenges) {
            unauthorized.addHeader("WWW-Authenticate", challenge);
        }
        this.restChannel.sendResponse(unauthorized);
        return AuthcResult.STOP;
    }

    /**
     * Resolves the tenant named by the request by delegating to {@link SignalsTenantParamResolver}.
     */
    @Override
    protected String getRequestedTenant() {
        return SignalsTenantParamResolver.getRequestedTenant(this.request.getRequest());
    }

    /**
     * Returns the raw value of the {@code sg_impersonate_as} request header.
     *
     * <p>NOTE(review): the value is client-supplied and returned without any check here; whether
     * the authenticated user may impersonate the named user is presumably decided by the caller
     * in the superclass — verify.
     */
    @Override
    protected String getImpersonationUser() {
        return this.restRequest.header(IMPERSONATION_HEADER);
    }

    /**
     * Tells whether challenges may be issued for the domain.
     *
     * @return the domain's own {@code isChallenge()} flag for a {@link LegacyAuthenticationDomain},
     *         {@code true} for any other domain type
     */
    private boolean isChallengeEnabled(AuthenticationDomain<?> authenticationDomain) {
        if (!(authenticationDomain instanceof LegacyAuthenticationDomain)) {
            return true;
        }
        return ((LegacyAuthenticationDomain) authenticationDomain).isChallenge();
    }

    /**
     * Parses an auth-domain meta request out of the request path.
     *
     * <p>Recognised shape: {@code /_searchguard/auth_domain/<id>/<type>[/<remaining>]}. A path
     * that has the prefix but no {@code '/'} after the id yields {@code null}. A path that ends
     * right after the id's {@code '/'} yields an empty type. The segments are taken from
     * {@code restRequest.path()} as-is; no decoding or normalisation happens here.
     *
     * @param restRequest the incoming request
     * @return the parsed segments, or {@code null} when the path is not a meta request
     */
    private MetaRequestInfo checkAuthDomainMetaRequest(RestRequest restRequest) {
        String path = restRequest.path();
        if (!path.startsWith(AUTH_DOMAIN_PATH_PREFIX)) {
            return null;
        }
        int idStart = AUTH_DOMAIN_PATH_PREFIX.length();
        int idEnd = path.indexOf('/', idStart);
        if (idEnd <= 0) {
            return null;
        }
        String domainId = path.substring(idStart, idEnd);
        int typeEnd = path.indexOf('/', idEnd + 1);
        if (typeEnd > 0) {
            String domainPath = path.substring(0, typeEnd);
            String domainType = path.substring(idEnd + 1, typeEnd);
            String remainder = path.substring(typeEnd + 1);
            return new MetaRequestInfo(domainId, domainType, domainPath, remainder);
        }
        // No further '/' after the type: the whole path is the domain path and nothing remains.
        return new MetaRequestInfo(domainId, path.substring(idEnd + 1), path, "");
    }
}
