package com.floragunn.searchguard.authc.rest;

import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthFailureListener;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.cache.Cache;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/authc/rest/RestRequestAuthenticationProcessor.class */
/**
 * Authentication processor for requests arriving over the REST layer.
 *
 * <p>For each configured authentication domain it asks the domain's {@link HttpAuthenticationFrontend}
 * to extract credentials from the request, rejects usernames reported as blocked, collects
 * {@code WWW-Authenticate} challenges from frontends that want one, and otherwise hands the
 * credentials to the superclass via {@code proceed(...)}. It also supplies the requested tenant
 * and the impersonation target, both read from the request.
 *
 * <p>NOTE(review): tenant and impersonation values are taken directly from client-supplied headers
 * ({@code sgtenant}, {@code sg_tenant}, {@code sg_impersonate_as}). This class does no authorization
 * on them; presumably the superclass / privileges evaluation does - confirm before relying on them.
 */
public class RestRequestAuthenticationProcessor extends RequestAuthenticationProcessor<HttpAuthenticationFrontend> {
    private static final Logger log = LogManager.getLogger(RestRequestAuthenticationProcessor.class);

    private final RestHandler restHandler;
    private final RequestMetaData<RestRequest> request;

    // Challenges gathered across all domains tried for this request; insertion-ordered and de-duplicated.
    private final LinkedHashSet<String> challenges = new LinkedHashSet<>(2);

    /**
     * Creates a processor for a single REST request.
     *
     * <p>All arguments except {@code restHandler} are passed unchanged to the superclass constructor;
     * their exact meaning is defined there.
     *
     * @param restHandler handler the request is routed to; consulted for the tenant name when it is
     *                    a {@code TenantAwareRestHandler}
     * @param requestMetaData metadata wrapper around the REST request; also kept locally for header access
     * @param collection authentication domains to try
     * @param adminDNs forwarded to the superclass
     * @param privilegesEvaluator forwarded to the superclass
     * @param cache forwarded to the superclass (keyed by credentials)
     * @param cache2 forwarded to the superclass (keyed by string)
     * @param auditLog forwarded to the superclass
     * @param blockedUserRegistry forwarded to the superclass
     * @param list auth failure listeners, forwarded to the superclass
     * @param list2 forwarded to the superclass
     * @param z forwarded to the superclass
     */
    public RestRequestAuthenticationProcessor(RestHandler restHandler, RequestMetaData<RestRequest> requestMetaData, Collection<AuthenticationDomain<HttpAuthenticationFrontend>> collection, AdminDNs adminDNs, PrivilegesEvaluator privilegesEvaluator, Cache<AuthCredentials, User> cache, Cache<String, User> cache2, AuditLog auditLog, BlockedUserRegistry blockedUserRegistry, List<AuthFailureListener> list, List<String> list2, boolean z) {
        super(requestMetaData, collection, adminDNs, privilegesEvaluator, cache, cache2, auditLog, blockedUserRegistry, list, list2, z);
        this.restHandler = restHandler;
        this.request = requestMetaData;
    }

    /**
     * Tries one authentication domain against the current request.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>no credentials extracted: the frontend's challenge (if any) is recorded, result is {@code SKIP};</li>
     *   <li>the extracted username is blocked: an audit entry is written, result is {@code SKIP};</li>
     *   <li>credentials are incomplete and the frontend offers a challenge: the challenge is recorded,
     *       secrets are cleared, result is {@code STOP};</li>
     *   <li>otherwise: the credentials, enriched with request attributes, go to {@code proceed(...)}
     *       and its result is returned;</li>
     *   <li>any exception raised while doing the above is logged and recorded, result is {@code SKIP}.</li>
     * </ul>
     *
     * @param authenticationDomain domain whose frontend is asked for credentials
     * @param consumer result callback, passed through to {@code proceed(...)}
     * @param consumer2 failure callback, passed through to {@code proceed(...)}
     * @return the state telling the caller whether to continue with further domains
     */
    @Override
    protected RequestAuthenticationProcessor.AuthDomainState handleCurrentAuthenticationDomain(AuthenticationDomain<HttpAuthenticationFrontend> authenticationDomain, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        final HttpAuthenticationFrontend frontend = authenticationDomain.getFrontend();
        if (log.isTraceEnabled()) {
            log.trace("Try to extract auth creds from {} http authenticator", frontend.getType());
        }

        try {
            final AuthCredentials credentials = frontend.extractCredentials(this.request);

            if (credentials == null) {
                log.trace("no {} credentials found in request", authenticationDomain.getFrontend().getType());
                // The (null) credentials reference is passed on purpose, exactly as the frontend API expects.
                final String initialChallenge = frontend.getChallenge(credentials);
                if (initialChallenge == null) {
                    this.debug.failure(frontend.getType(), "No credentials extracted");
                } else {
                    this.challenges.add(initialChallenge);
                    this.debug.failure(frontend.getType(), "No credentials extracted. Sending challenge", "challenge", initialChallenge);
                }
                return RequestAuthenticationProcessor.AuthDomainState.SKIP;
            }

            // The block check runs on the username as extracted by the frontend, before proceed() is called.
            // NOTE(review): the username is request-derived and is concatenated into the debug message below;
            // confirm the log layout neutralises control characters such as CR/LF.
            if (isUserBlocked(authenticationDomain.getType(), credentials.getUsername())) {
                if (log.isDebugEnabled()) {
                    log.debug("Rejecting REST request because of blocked user: " + credentials.getUsername() + "; authDomain: " + authenticationDomain);
                }
                this.auditLog.logBlockedUser(credentials, false, credentials, this.request.getRequest());
                // NOTE(review): clearSecrets() is not called on this path - confirm the credentials
                // object does not outlive the request with secrets still populated.
                return RequestAuthenticationProcessor.AuthDomainState.SKIP;
            }

            // NOTE(review): this log4j ThreadContext entry is never removed in this class; presumably
            // it is cleared elsewhere so pooled threads do not carry a stale "user" value - confirm.
            ThreadContext.put("user", credentials.getUsername());

            if (!credentials.isComplete()) {
                final String followUpChallenge = frontend.getChallenge(credentials);
                if (followUpChallenge != null) {
                    // Incomplete credentials plus a challenge: answer with the challenge and drop the secrets.
                    this.challenges.add(followUpChallenge);
                    credentials.clearSecrets();
                    return RequestAuthenticationProcessor.AuthDomainState.STOP;
                }
            }

            // NOTE(review): every header exposed by the request metadata is attached to the user mapping
            // attributes; that presumably includes credential-bearing headers (Authorization, cookies).
            // Confirm downstream consumers neither log nor persist this map. Whether
            // "originating_ip_address" can be influenced by a client-sent forwarding header is not
            // visible here - verify before using it for access decisions.
            return proceed(
                    credentials.userMappingAttributes(
                            ImmutableMap.of(
                                    "request",
                                    ImmutableMap.of(
                                            "headers", this.request.getHeaders(),
                                            "direct_ip_address", String.valueOf(this.request.getDirectIpAddress()),
                                            "originating_ip_address", String.valueOf(this.request.getOriginatingIpAddress())))),
                    authenticationDomain,
                    consumer,
                    consumer2);
        } catch (AuthenticatorUnavailableException unavailable) {
            log.warn("'{}' extracting credentials from {} authentication frontend", unavailable.toString(), frontend.getType(), unavailable);
            this.debug.failure(frontend.getType(), unavailable.getMessage());
        } catch (CredentialsException badCredentials) {
            if (log.isTraceEnabled()) {
                log.trace("'{}' extracting credentials from {} authentication frontend", badCredentials.toString(), frontend.getType(), badCredentials);
            }
            this.debug.add(badCredentials.getDebugInfo());
        } catch (Exception unexpected) {
            log.error("'{}' extracting credentials from {} authentication frontend", unexpected.toString(), frontend.getType(), unexpected);
            this.debug.failure(frontend.getType(), unexpected.toString());
        }

        // Only reached from a catch block: a failing domain is skipped so the remaining ones can be tried.
        return RequestAuthenticationProcessor.AuthDomainState.SKIP;
    }

    /**
     * Builds the 401 response carrying every challenge collected while the domains were tried.
     *
     * @return a stopping result with status {@code UNAUTHORIZED} and a {@code WWW-Authenticate} header,
     *         or {@code null} when no frontend produced a challenge
     */
    @Override
    protected AuthcResult handleChallenge() {
        if (this.challenges.isEmpty()) {
            return null;
        }

        if (log.isDebugEnabled()) {
            log.debug("Sending WWW-Authenticate: " + String.join(", ", this.challenges));
        }

        return AuthcResult.stop(
                RestStatus.UNAUTHORIZED,
                "Unauthorized",
                ImmutableMap.of("WWW-Authenticate", ImmutableList.of(this.challenges)),
                this.debug.get());
    }

    /**
     * Determines the tenant the request asks for.
     *
     * <p>A {@code TenantAwareRestHandler} decides on its own; otherwise the {@code sgtenant} header
     * wins over {@code sg_tenant}.
     *
     * <p>NOTE(review): the header values are client-controlled and returned unvalidated; the check
     * that the authenticated user may use this tenant is not visible in this class.
     *
     * @return the requested tenant name, or {@code null} when neither header is present
     */
    @Override
    protected String getRequestedTenant() {
        if (this.restHandler instanceof TenantAwareRestHandler) {
            return ((TenantAwareRestHandler) this.restHandler).getTenantName(this.request);
        }

        final String tenantHeader = this.request.getHeader("sgtenant");
        if (tenantHeader != null) {
            return tenantHeader;
        }
        return this.request.getHeader("sg_tenant");
    }

    /**
     * Returns the user the caller wants to impersonate, read from the {@code sg_impersonate_as} header.
     *
     * <p>NOTE(review): this is the raw, client-supplied header value. Whether the authenticated user
     * is allowed to impersonate the named user must be enforced by the caller - not visible here.
     *
     * @return the header value, or whatever {@code getHeader} yields when the header is absent
     */
    @Override
    protected String getImpersonationUser() {
        return this.request.getHeader("sg_impersonate_as");
    }
}
