package com.floragunn.searchguard.authc.rest;

import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthFailureListener;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.base.IPAddressAcceptanceRules;
import com.floragunn.searchguard.authc.blocking.BlockedIpRegistry;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authc.rest.ClientAddressAscertainer;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.cstate.metrics.CacheStats;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import com.google.common.cache.Cache;
import inet.ipaddr.IPAddress;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/authc/rest/RestAuthenticationProcessor.class */
public interface RestAuthenticationProcessor extends ComponentStateProvider {

    /**
     * Authenticates a REST request and reports the outcome through the given callbacks.
     *
     * @param restRequest the incoming REST request
     * @param restChannel channel of the request; the default implementation writes the rejection
     *                    response for blocked addresses directly to it
     * @param consumer    receives the authentication result
     * @param consumer2   receives an exception raised while the request is processed
     */
    void authenticate(RestRequest restRequest, RestChannel restChannel, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2);

    /** Returns whether authentication debugging is switched on for this processor. */
    boolean isDebugEnabled();

    /** Discards the cached authentication state held by this processor. */
    void clearCaches();

    /* loaded from: input_file:com/floragunn/searchguard/authc/rest/RestAuthenticationProcessor$Default.class */
    /**
     * Default processor: applies the network acceptance rules and the IP blocklist to the
     * ascertained client address, then hands the request to a per-request
     * {@link RestRequestAuthenticationProcessor} that runs the configured authentication domains.
     */
    public static class Default implements RestAuthenticationProcessor {
        private static final Logger log = LogManager.getLogger(RestAuthenticationProcessor.class);
        private final AuditLog auditLog;
        private final ThreadContext threadContext;
        private final AdminDNs adminDns;
        // NOTE(review): if the per-request processor serves logins from these caches, a changed or
        // revoked credential may stay usable until its entry expires or clearCaches() runs - confirm
        // the expiry configured in the user cache config.
        private final Cache<AuthCredentials, User> userCache;
        private final Cache<String, User> impersonationCache;
        private final PrivilegesEvaluator privilegesEvaluator;
        private final BlockedIpRegistry blockedIpRegistry;
        private final BlockedUserRegistry blockedUserRegistry;
        private final boolean debug;
        private final RestAuthcConfig authcConfig;
        private final List<AuthenticationDomain<HttpAuthenticationFrontend>> authenticationDomains;
        private final ClientAddressAscertainer clientAddressAscertainer;
        private final IPAddressAcceptanceRules ipAddressAcceptanceRules;
        // Always the empty list in this class; it is passed unchanged to the per-request processor.
        private final List<String> requiredLoginPrivileges = Collections.emptyList();
        private final ComponentState componentState = new ComponentState(0, "rest_authentication_processor", "rest_authentication_processor");
        private final TimeAggregation authenticateMetrics = new TimeAggregation.Milliseconds();
        // Never reassigned in the code shown here, so the per-request processor receives an empty list.
        private List<AuthFailureListener> ipAuthFailureListeners = ImmutableList.empty();

        /**
         * Wires the processor from the REST authc configuration and the shared security services.
         *
         * @param restAuthcConfig            REST authentication configuration (authenticators, network
         *                                   settings, cache settings, metrics level, debug flag)
         * @param searchGuardModulesRegistry source of the implicit HTTP authentication domains, to
         *                                   which the configured authenticators are added
         * @param adminDNs                   passed on to the per-request processor
         * @param blockedIpRegistry          consulted for the originating client address
         * @param blockedUserRegistry        passed on to the per-request processor
         * @param auditLog                   receives blocked-IP events
         * @param threadPool                 supplies the thread context used for request transients
         * @param privilegesEvaluator        passed on to the per-request processor
         */
        public Default(RestAuthcConfig restAuthcConfig, SearchGuardModulesRegistry searchGuardModulesRegistry, AdminDNs adminDNs, BlockedIpRegistry blockedIpRegistry, BlockedUserRegistry blockedUserRegistry, AuditLog auditLog, ThreadPool threadPool, PrivilegesEvaluator privilegesEvaluator) {
            this.authcConfig = restAuthcConfig;
            this.authenticationDomains = searchGuardModulesRegistry.getImplicitHttpAuthenticationDomains().with(restAuthcConfig.getAuthenticators());
            this.clientAddressAscertainer = ClientAddressAscertainer.create(restAuthcConfig.getNetwork());

            // Without a network section the processor falls back to IPAddressAcceptanceRules.ANY.
            // NOTE(review): presumably ANY accepts every client address - confirm that this is the
            // intended default for deployments that do not configure authc.network.
            if (restAuthcConfig.getNetwork() != null) {
                this.ipAddressAcceptanceRules = restAuthcConfig.getNetwork().getIpAddressAcceptanceRules();
            } else {
                this.ipAddressAcceptanceRules = IPAddressAcceptanceRules.ANY;
            }

            this.debug = restAuthcConfig.isDebugEnabled();
            this.auditLog = auditLog;
            this.threadContext = threadPool.getThreadContext();
            this.adminDns = adminDNs;
            this.privilegesEvaluator = privilegesEvaluator;
            this.blockedIpRegistry = blockedIpRegistry;
            this.blockedUserRegistry = blockedUserRegistry;

            // Caches are built with statistics only when basic metrics are enabled.
            if (restAuthcConfig.getMetricsLevel().basicEnabled()) {
                this.userCache = restAuthcConfig.getUserCacheConfig().buildWithStats();
                this.impersonationCache = restAuthcConfig.getUserCacheConfig().buildWithStats();
            } else {
                this.userCache = restAuthcConfig.getUserCacheConfig().build();
                this.impersonationCache = restAuthcConfig.getUserCacheConfig().build();
            }

            // Expose the state of every authentication domain as a part of this component.
            for (AuthenticationDomain<HttpAuthenticationFrontend> domain : this.authenticationDomains) {
                this.componentState.addPart(domain.getComponentState());
            }

            if (restAuthcConfig.getMetricsLevel().basicEnabled()) {
                this.componentState.addMetrics("authenticate", this.authenticateMetrics);
                this.componentState.addMetrics("user_cache", CacheStats.from(this.userCache));
                this.componentState.addMetrics("impersonation_cache", CacheStats.from(this.impersonationCache));
            }
        }

        /**
         * Runs the pre-authentication network checks and then delegates to the per-request processor.
         *
         * <p>Order of checks: the network acceptance rules first (a denial is reported to
         * {@code consumer} as a FORBIDDEN stop result), then the IP blocklist (a hit is audited,
         * answered on {@code restChannel} and reported to {@code consumer} as a STOP result). Only
         * requests passing both reach the authentication domains.
         *
         * @param restRequest the incoming REST request
         * @param restChannel channel used to answer requests from blocked addresses
         * @param consumer    receives the authentication result
         * @param consumer2   receives an {@link ElasticsearchStatusException} thrown during processing
         */
        @Override
        public void authenticate(RestRequest restRequest, RestChannel restChannel, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
            final Meter meter = Meter.basic(this.authcConfig.getMetricsLevel(), this.authenticateMetrics);
            final String sslPrincipal = (String) this.threadContext.getTransient(ConfigConstants.SG_SSL_PRINCIPAL);
            try {
                // NOTE(review): every address-based decision below uses what ClientAddressAscertainer
                // derives from the request and the authc.network settings. The trusted-proxy
                // configuration therefore decides which address the acceptance rules and the blocklist
                // see - confirm that only proxies under your control are trusted.
                final ClientAddressAscertainer.ClientIpInfo clientIpInfo = this.clientAddressAscertainer.getActualRemoteAddress(restRequest);
                final RestRequestMetaData requestMetaData = new RestRequestMetaData(restRequest, clientIpInfo, sslPrincipal);
                final IPAddress originatingIp = clientIpInfo.getOriginatingIpAddress();

                if (!this.ipAddressAcceptanceRules.accept(requestMetaData)) {
                    log.info("Not accepting request from {}", requestMetaData);
                    // The meter is closed before the result is handed over.
                    meter.close();
                    consumer.accept(
                            AuthcResult.stop(
                                    RestStatus.FORBIDDEN,
                                    "Forbidden",
                                    ImmutableList.of(
                                            new AuthcResult.DebugInfo(
                                                    "-/-",
                                                    false,
                                                    "Request denied because client IP address is denied by authc.network.accept configuration",
                                                    ImmutableMap.of(
                                                            "direct_ip_address", clientIpInfo.getDirectIpAddress(),
                                                            "originating_ip_address", clientIpInfo.getOriginatingIpAddress(),
                                                            "trusted_proxy", Boolean.valueOf(clientIpInfo.isTrustedProxy()))))));
                    return;
                }

                if (log.isTraceEnabled()) {
                    log.trace("Rest authentication request from {} [original: {}]", originatingIp, restRequest.getHttpChannel().getRemoteAddress());
                }

                // Mark forwarded-address handling as done only when the request came through a trusted proxy.
                if (clientIpInfo.isTrustedProxy()) {
                    this.threadContext.putTransient(ConfigConstants.SG_XFF_DONE, Boolean.TRUE);
                }
                this.threadContext.putTransient(ConfigConstants.SG_REMOTE_ADDRESS, clientIpInfo.getOriginatingTransportAddress());

                if (this.blockedIpRegistry.isIpBlocked(originatingIp)) {
                    // NOTE(review): the block decision is made on the originating address, but the debug
                    // line and the audit event below record the HTTP channel's remote address. Behind a
                    // trusted proxy these can differ, so the audit trail may show the proxy rather than
                    // the blocked client unless logBlockedIp resolves the address itself - verify.
                    if (log.isDebugEnabled()) {
                        log.debug("Rejecting REST request because of blocked address: " + restRequest.getHttpChannel().getRemoteAddress());
                    }
                    this.auditLog.logBlockedIp(restRequest, restRequest.getHttpChannel().getRemoteAddress());
                    meter.close();
                    restChannel.sendResponse(AuthenticatingRestFilter.createUnauthorizedResponse(restRequest));
                    consumer.accept(new AuthcResult(AuthcResult.Status.STOP));
                    return;
                }

                // Both callbacks are wrapped by the meter before being handed to the per-request processor.
                new RestRequestAuthenticationProcessor(
                        requestMetaData,
                        this.authenticationDomains,
                        this.adminDns,
                        this.privilegesEvaluator,
                        this.userCache,
                        this.impersonationCache,
                        this.auditLog,
                        this.blockedUserRegistry,
                        this.ipAuthFailureListeners,
                        this.requiredLoginPrivileges,
                        this.debug)
                        .authenticate(meter.consumer(consumer), meter.consumer(consumer2));
            } catch (ElasticsearchStatusException e) {
                // NOTE(review): the meter is not closed on this path; whether that skews the
                // "authenticate" metrics depends on Meter semantics not visible here - confirm.
                consumer2.accept(e);
            }
        }

        /** Returns the debug flag read from the REST authc configuration at construction time. */
        @Override
        public boolean isDebugEnabled() {
            return this.debug;
        }

        /** Returns the component state that aggregates the domain states and, if enabled, the metrics. */
        public ComponentState getComponentState() {
            return this.componentState;
        }

        /** Invalidates every entry of the user cache and of the impersonation cache. */
        @Override
        public void clearCaches() {
            this.userCache.invalidateAll();
            this.impersonationCache.invalidateAll();
        }
    }
}
