package com.floragunn.searchguard.authc.base;

import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthFailureListener;
import com.floragunn.searchguard.authc.AuthenticationDebugLogger;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.AuthenticationFrontend;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authc.rest.RestImpersonationProcessor;
import com.floragunn.searchguard.authz.PrivilegesEvaluationException;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/authc/base/RequestAuthenticationProcessor.class */
public abstract class RequestAuthenticationProcessor<AuthenticatorType extends AuthenticationFrontend> {
    private static final Logger log = LogManager.getLogger(RequestAuthenticationProcessor.class);
    protected final RequestMetaData<RestRequest> request;
    protected final AuditLog auditLog;
    private final Collection<AuthenticationDomain<AuthenticatorType>> authenticationDomains;
    private final Iterator<AuthenticationDomain<AuthenticatorType>> authenticationDomainIter;
    private final List<AuthFailureListener> ipAuthFailureListeners;
    private final BlockedUserRegistry blockedUserRegistry;
    private final AdminDNs adminDns;
    private final Cache<AuthCredentials, User> userCache;
    private final Cache<String, User> impersonationCache;
    private final PrivilegesEvaluator privilegesEvaluator;
    protected final AuthenticationDebugLogger debug;
    private final List<String> requiredLoginPrivileges;
    private boolean cacheResult = true;
    protected AuthCredentials authCredentials = null;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/floragunn/searchguard/authc/base/RequestAuthenticationProcessor$AuthDomainState.class */
    public enum AuthDomainState {
        PENDING,
        SKIP,
        PASS,
        STOP
    }

    public RequestAuthenticationProcessor(RequestMetaData<RestRequest> requestMetaData, Collection<AuthenticationDomain<AuthenticatorType>> collection, AdminDNs adminDNs, PrivilegesEvaluator privilegesEvaluator, Cache<AuthCredentials, User> cache, Cache<String, User> cache2, AuditLog auditLog, BlockedUserRegistry blockedUserRegistry, List<AuthFailureListener> list, List<String> list2, boolean z) {
        this.request = requestMetaData;
        this.authenticationDomains = collection;
        this.authenticationDomainIter = collection.iterator();
        this.ipAuthFailureListeners = list;
        this.blockedUserRegistry = blockedUserRegistry;
        this.adminDns = adminDNs;
        this.userCache = cache;
        this.impersonationCache = cache2;
        this.auditLog = auditLog;
        this.privilegesEvaluator = privilegesEvaluator;
        this.requiredLoginPrivileges = list2;
        this.debug = AuthenticationDebugLogger.create(z);
    }

    public void authenticate(Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        if (this.authenticationDomains.isEmpty()) {
            log.warn("Cannot authenticate request because no authentication domains are configured: " + this);
        } else if (log.isDebugEnabled()) {
            log.debug("Authenticating request using: " + this.authenticationDomains);
        }
        checkNextAuthenticationDomains(consumer, consumer2);
    }

    protected abstract AuthDomainState handleCurrentAuthenticationDomain(AuthenticationDomain<AuthenticatorType> authenticationDomain, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2);

    protected AuthcResult handleChallenge(RestRequest restRequest) {
        return null;
    }

    protected String getImpersonationUser() {
        return null;
    }

    protected String getRequestedTenant() {
        return null;
    }

    protected void decorateAuthenticatedUser(User user) {
    }

    protected boolean checkLoginPrivileges(User user) throws PrivilegesEvaluationException {
        if (this.requiredLoginPrivileges == null || this.requiredLoginPrivileges.isEmpty()) {
            return true;
        }
        return this.privilegesEvaluator.hasClusterPermissions(user, this.requiredLoginPrivileges, null);
    }

    protected boolean userHasRoles(User user) {
        return (user.getRoles().size() == 0 && user.getSearchGuardRoles().size() == 0) ? false : true;
    }

    protected void notifyIpAuthFailureListeners(AuthCredentials authCredentials) {
        Iterator<AuthFailureListener> it = this.ipAuthFailureListeners.iterator();
        while (it.hasNext()) {
            it.next().onAuthFailure(this.request.getOriginatingIpAddress() != null ? this.request.getOriginatingIpAddress().toInetAddress() : null, authCredentials, this.request.getRequest());
        }
    }

    private void checkNextAuthenticationDomains(Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        while (this.authenticationDomainIter.hasNext()) {
            AuthDomainState checkCurrentAuthenticationDomain = checkCurrentAuthenticationDomain(this.authenticationDomainIter.next(), consumer, consumer2);
            if (checkCurrentAuthenticationDomain == AuthDomainState.PENDING) {
                return;
            }
            if (checkCurrentAuthenticationDomain == AuthDomainState.STOP) {
                consumer.accept(AuthcResult.STOP);
                return;
            }
        }
        consumer.accept(handleFinalAuthFailure());
    }

    private AuthDomainState checkCurrentAuthenticationDomain(AuthenticationDomain<AuthenticatorType> authenticationDomain, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        try {
            if (!authenticationDomain.isEnabled()) {
                return AuthDomainState.SKIP;
            }
            if (log.isTraceEnabled()) {
                log.trace("Checking authdomain " + authenticationDomain + " (total: " + this.authenticationDomains.size() + ")");
            }
            if (authenticationDomain.accept((RequestMetaData<?>) this.request)) {
                return handleCurrentAuthenticationDomain(authenticationDomain, consumer, consumer2);
            }
            if (log.isDebugEnabled()) {
                log.debug("Skipping " + authenticationDomain + " because it is disabled by acceptance rules: " + this.request.getDirectIpAddress() + "/" + this.request.getOriginatingIpAddress());
            }
            return AuthDomainState.SKIP;
        } catch (Exception e) {
            log.error("Error while handling auth domain " + authenticationDomain, e);
            return AuthDomainState.SKIP;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AuthDomainState proceed(AuthCredentials authCredentials, AuthenticationDomain<AuthenticatorType> authenticationDomain, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        this.authCredentials = authCredentials;
        try {
            authCredentials = authenticationDomain.getCredentialsMapper().mapCredentials(authCredentials);
            this.authCredentials = authCredentials;
            if (authenticationDomain.accept(authCredentials)) {
                log.trace("Calling {} backends", authenticationDomain.getType());
                callAuthcBackends(authCredentials, authenticationDomain, user -> {
                    try {
                        authCredentials.clearSecrets();
                        if (user == null) {
                            if (log.isTraceEnabled()) {
                                log.trace("Could not authenticate user with " + authenticationDomain.getType());
                            }
                            this.debug.failure(authenticationDomain.getType(), "User " + authCredentials.getUsername() + " could not be authenticated by auth backend");
                            handleAuthFailure(authCredentials, authenticationDomain, null);
                            checkNextAuthenticationDomains(consumer, consumer2);
                        } else {
                            if (this.adminDns.isAdmin(user)) {
                                log.error("Cannot authenticate rest user because admin user is not permitted to login via HTTP");
                                this.auditLog.logFailedLogin(user, true, null, this.request.getRequest());
                                this.debug.failure(authenticationDomain.getType(), "User name is associated with an administrator. These are only allowed to login via certificate.");
                                consumer.accept(AuthcResult.stop(RestStatus.FORBIDDEN, "Cannot authenticate user because admin user is not permitted to login via HTTP", this.debug.get()));
                                return;
                            }
                            if (!userHasRoles(user)) {
                                this.debug.failure(authenticationDomain.getType(), "User does not have any roles. Please verify the configuration of the authentication frontend and backend.", "user_mapping_attributes", authCredentials.getAttributesForUserMapping());
                            }
                            if (!checkLoginPrivileges(user)) {
                                log.error("Cannot authenticate rest user because user does not have the necessary login privileges: " + this.requiredLoginPrivileges + "; " + user + "; backend roles: " + user.getRoles() + "; sg roles: " + user.getSearchGuardRoles() + "; source attributes: " + authCredentials.getAttributesForUserMapping());
                                this.debug.failure(authenticationDomain.getType(), "User does not have the necessary login privileges: " + this.requiredLoginPrivileges, "backend_roles", user.getRoles(), "sg_roles", user.getSearchGuardRoles(), "source_attributes", authCredentials.getAttributesForUserMapping());
                                consumer.accept(AuthcResult.stop(RestStatus.FORBIDDEN, "The user '" + authCredentials.getName() + "' is not allowed to log in.", this.debug.get()));
                                return;
                            }
                            String requestedTenant = getRequestedTenant();
                            if (log.isDebugEnabled()) {
                                log.debug("Authentication successful for " + user.toStringWithAttributes() + " on " + authenticationDomain + " using " + this + "\nrequestedTenant: " + requestedTenant);
                            }
                            decorateAuthenticatedUser(user);
                            user.setRequestedTenant(requestedTenant);
                            if (isImpersonationRequested()) {
                                new RestImpersonationProcessor(user, getImpersonationUser(), this.authenticationDomains, this.adminDns, this.impersonationCache).impersonate(authcResult -> {
                                    if (authcResult.getUser() != null) {
                                        this.auditLog.logSucceededLogin(authcResult.getUser(), false, user, this.request.getRequest());
                                    }
                                    consumer.accept(authcResult);
                                }, consumer2);
                            } else {
                                this.auditLog.logSucceededLogin(user, false, user, this.request.getRequest());
                                if (this.debug.isEnabled()) {
                                    this.debug.success(authenticationDomain.getType(), "User is logged in", "user", ImmutableMap.of("name", user.getName(), "roles", user.getRoles(), "search_guard_roles", user.getSearchGuardRoles(), "attributes", user.getStructuredAttributes()));
                                }
                                consumer.accept(AuthcResult.pass(user, authCredentials.getRedirectUri(), this.debug.get()));
                            }
                        }
                    } catch (Exception e) {
                        this.debug.failure(authenticationDomain.getType(), "Exception while authenticating " + authCredentials.getUsername() + ": " + e);
                        log.error(e);
                        consumer2.accept(e);
                    }
                }, exc -> {
                    if (exc instanceof ElasticsearchSecurityException) {
                        this.debug.failure(authenticationDomain.getType(), exc.getMessage());
                        handleAuthFailure(authCredentials, authenticationDomain, exc);
                    } else if (exc instanceof CredentialsException) {
                        if (((CredentialsException) exc).getDebugInfo() != null) {
                            this.debug.add(((CredentialsException) exc).getDebugInfo());
                        } else {
                            this.debug.failure(authenticationDomain.getType(), exc.getMessage());
                        }
                        handleAuthFailure(authCredentials, authenticationDomain, exc);
                    } else if (exc instanceof AuthenticatorUnavailableException) {
                        this.debug.failure(authenticationDomain.getType(), "Authenticator unavailable: " + exc.getMessage(), ((AuthenticatorUnavailableException) exc).getDetails());
                        log.error("Error while authenticating " + authCredentials + "\n" + ((AuthenticatorUnavailableException) exc).getDetails(), exc);
                    } else {
                        this.debug.failure(authenticationDomain.getType(), "Exception while authenticating " + authCredentials.getUsername() + ": " + exc);
                        log.error("Error while authenticating " + authCredentials, exc);
                    }
                    authCredentials.clearSecrets();
                    checkNextAuthenticationDomains(consumer, consumer2);
                });
                return AuthDomainState.PENDING;
            }
            if (log.isDebugEnabled()) {
                log.debug("Skipped authentication of user {}", authCredentials.getUsername());
            }
            this.debug.failure(authenticationDomain.getType(), "User was skipped because of access/skip settings of auth domain", "user_name", authCredentials.getUsername());
            authCredentials.clearSecrets();
            return AuthDomainState.SKIP;
        } catch (CredentialsException e) {
            log.warn("Error while mapping auth credentials for " + authenticationDomain, e);
            this.debug.add(authenticationDomain.getType(), e.getDebugInfo());
            authCredentials.clearSecrets();
            return AuthDomainState.SKIP;
        }
    }

    protected AuthcResult handleFinalAuthFailure() {
        try {
            log.warn("Authentication failed for {} from {}", this.authCredentials == null ? null : this.authCredentials.getUsername(), this.request);
            this.auditLog.logFailedLogin(this.authCredentials != null ? this.authCredentials : AuthCredentials.NONE, false, null, this.request.getRequest());
            notifyIpAuthFailureListeners(this.authCredentials);
            AuthcResult handleChallenge = handleChallenge(this.request.getRequest());
            return handleChallenge != null ? handleChallenge : AuthcResult.stop(RestStatus.UNAUTHORIZED, ConfigConstants.UNAUTHORIZED, this.debug.get());
        } catch (Exception e) {
            log.error("Error while handling auth failure", e);
            return AuthcResult.stop(RestStatus.UNAUTHORIZED, ConfigConstants.UNAUTHORIZED, this.debug.get());
        }
    }

    private void callAuthcBackends(AuthCredentials authCredentials, AuthenticationDomain<AuthenticatorType> authenticationDomain, Consumer<User> consumer, Consumer<Exception> consumer2) {
        try {
            this.debug.success(authenticationDomain.getType(), "Extracted credentials", "user_name", authCredentials.getUsername(), "user_mapping_attributes", authCredentials.getAttributesForUserMapping());
            if (this.userCache == null || !authenticationDomain.cacheUser()) {
                authenticationDomain.authenticate(authCredentials, this.debug).whenComplete((user, th) -> {
                    if (th != null) {
                        consumer2.accept((Exception) th);
                    } else if (user == null) {
                        consumer2.accept(new Exception("User not authenticated"));
                    } else {
                        this.debug.success(authenticationDomain.getType(), "User has been successfully authenticated by auth backend.");
                        consumer.accept(user);
                    }
                });
            } else {
                User user2 = (User) this.userCache.getIfPresent(authCredentials);
                if (user2 != null) {
                    this.debug.success(authenticationDomain.getType(), "User has been successfully authenticated by user cache");
                    consumer.accept(user2);
                } else {
                    authenticationDomain.authenticate(authCredentials, this.debug).whenComplete((user3, th2) -> {
                        if (th2 != null) {
                            consumer2.accept((Exception) th2);
                        } else if (user3 != null) {
                            authzAndCache(authCredentials, authenticationDomain, user3, consumer, consumer2);
                        } else {
                            consumer2.accept(new CredentialsException("User not authenticated"));
                        }
                    });
                }
            }
        } catch (Exception e) {
            authCredentials.clearSecrets();
            consumer2.accept(e);
        }
    }

    private void authzAndCache(AuthCredentials authCredentials, AuthenticationDomain<AuthenticatorType> authenticationDomain, User user, Consumer<User> consumer, Consumer<Exception> consumer2) {
        try {
            if (this.cacheResult && this.userCache != null) {
                this.userCache.put(authCredentials, user);
            }
            consumer.accept(user);
        } catch (Exception e) {
            log.error(e);
            consumer2.accept(e);
        }
    }

    private void handleAuthFailure(AuthCredentials authCredentials, AuthenticationDomain<AuthenticatorType> authenticationDomain, Exception exc) {
    }

    private boolean isImpersonationRequested() {
        return !Strings.isNullOrEmpty(getImpersonationUser());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isUserBlocked(String str, String str2) {
        return this.blockedUserRegistry.isUserBlocked(str2);
    }
}
