package com.floragunn.searchguard.authc.rest;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.searchguard.SearchGuardModulesRegistry;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.blocking.BlockedIpRegistry;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authc.legacy.LegacyRestAuthenticationProcessor;
import com.floragunn.searchguard.authc.legacy.LegacySgConfig;
import com.floragunn.searchguard.authc.rest.RestAuthenticationProcessor;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.CType;
import com.floragunn.searchguard.configuration.ConfigMap;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.configuration.SgDynamicConfiguration;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLRequestHelper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.AuthDomainInfo;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.action.RestApi;
import com.floragunn.searchsupport.action.StandardResponse;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.ComponentStateProvider;
import com.floragunn.searchsupport.diag.DiagnosticContext;
import java.io.IOException;
import java.nio.file.Path;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.bytes.BytesArray;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestResponse;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/authc/rest/AuthenticatingRestFilter.class */
public class AuthenticatingRestFilter implements ComponentStateProvider {
    private static final Logger log = LogManager.getLogger(AuthenticatingRestFilter.class);
    private final AuditLog auditLog;
    private final ThreadContext threadContext;
    private final PrincipalExtractor principalExtractor;
    private final Settings settings;
    private final Path configPath;
    private final DiagnosticContext diagnosticContext;
    private final AdminDNs adminDns;
    private final ComponentState componentState = new ComponentState(1, "authc", "rest_filter");
    private volatile RestAuthenticationProcessor authenticationProcessor;

    /* loaded from: input_file:com/floragunn/searchguard/authc/rest/AuthenticatingRestFilter$AuthenticatingRestHandler.class */
    class AuthenticatingRestHandler implements HttpServerTransport.Dispatcher {
        private final HttpServerTransport.Dispatcher original;

        AuthenticatingRestHandler(HttpServerTransport.Dispatcher dispatcher) {
            this.original = dispatcher;
        }

        public void dispatchRequest(RestRequest restRequest, RestChannel restChannel, ThreadContext threadContext) {
            handleRequest(restRequest, restChannel);
        }

        public void dispatchBadRequest(RestChannel restChannel, ThreadContext threadContext, Throwable th) {
            handleRequest(restChannel.request(), restChannel);
        }

        private void handleRequest(RestRequest restRequest, RestChannel restChannel) {
            org.apache.logging.log4j.ThreadContext.clearAll();
            AuthenticatingRestFilter.this.diagnosticContext.traceActionStack(restRequest.getHttpRequest().method() + " " + restRequest.getHttpRequest().uri());
            if (checkRequest(restRequest, restChannel)) {
                if (!isAuthcRequired(restRequest)) {
                    this.original.dispatchRequest(restRequest, restChannel, AuthenticatingRestFilter.this.threadContext);
                    return;
                }
                String str = (String) AuthenticatingRestFilter.this.threadContext.getTransient(ConfigConstants.SG_SSL_PRINCIPAL);
                if (AuthenticatingRestFilter.this.adminDns.isAdminDN(str)) {
                    User user = new User(str, AuthDomainInfo.TLS_CERT);
                    AuthenticatingRestFilter.this.threadContext.putTransient(ConfigConstants.SG_USER, user);
                    AuthenticatingRestFilter.this.auditLog.logSucceededLogin(user, true, null, restRequest);
                    this.original.dispatchRequest(restRequest, restChannel, AuthenticatingRestFilter.this.threadContext);
                    return;
                }
                if (AuthenticatingRestFilter.this.authenticationProcessor == null) {
                    AuthenticatingRestFilter.log.error("Not yet initialized (you may need to run sgctl)");
                    restChannel.sendResponse(new RestResponse(RestStatus.SERVICE_UNAVAILABLE, "Search Guard not initialized (SG11). See https://docs.search-guard.com/latest/sgctl"));
                } else {
                    SendOnceRestChannelWrapper sendOnceRestChannelWrapper = new SendOnceRestChannelWrapper(restChannel);
                    AuthenticatingRestFilter.this.authenticationProcessor.authenticate(restRequest, sendOnceRestChannelWrapper, authcResult -> {
                        if (AuthenticatingRestFilter.this.authenticationProcessor.isDebugEnabled() && DebugApi.PATH.equals(restRequest.path())) {
                            sendDebugInfo(sendOnceRestChannelWrapper, authcResult);
                            return;
                        }
                        if (authcResult.getStatus() != AuthcResult.Status.PASS) {
                            org.apache.logging.log4j.ThreadContext.remove("user");
                            if (authcResult.getRestStatus() != null) {
                                RestResponse createResponse = AuthenticatingRestFilter.createResponse(restRequest, authcResult);
                                if (!authcResult.getHeaders().isEmpty()) {
                                    authcResult.getHeaders().forEach((str2, list) -> {
                                        list.forEach(str2 -> {
                                            createResponse.addHeader(str2, str2);
                                        });
                                    });
                                }
                                sendOnceRestChannelWrapper.sendResponse(createResponse);
                                return;
                            }
                            return;
                        }
                        AuthenticatingRestFilter.this.threadContext.putTransient(ConfigConstants.SG_USER, authcResult.getUser());
                        org.apache.logging.log4j.ThreadContext.clearAll();
                        org.apache.logging.log4j.ThreadContext.put("user", authcResult.getUser() != null ? authcResult.getUser().getName() : null);
                        try {
                            this.original.dispatchRequest(restRequest, restChannel, AuthenticatingRestFilter.this.threadContext);
                        } catch (Exception e) {
                            AuthenticatingRestFilter.log.error("Error in " + this.original, e);
                            try {
                                sendOnceRestChannelWrapper.sendResponse(new RestResponse(restChannel, e));
                            } catch (IOException e2) {
                                AuthenticatingRestFilter.log.error(e2);
                            }
                        }
                    }, exc -> {
                        try {
                            sendOnceRestChannelWrapper.sendResponse(new RestResponse(sendOnceRestChannelWrapper, exc));
                        } catch (IOException e) {
                            AuthenticatingRestFilter.log.error(e);
                        }
                    });
                }
            }
        }

        private boolean isAuthcRequired(RestRequest restRequest) {
            return (restRequest.method() == RestRequest.Method.OPTIONS || "/_searchguard/license".equals(restRequest.path()) || "/_searchguard/license".equals(restRequest.path()) || "/_searchguard/health".equals(restRequest.path()) || ("/_searchguard/auth/session".equals(restRequest.path()) && restRequest.method() == RestRequest.Method.POST)) ? false : true;
        }

        private boolean checkRequest(RestRequest restRequest, RestChannel restChannel) {
            AuthenticatingRestFilter.this.threadContext.putTransient(ConfigConstants.SG_ORIGIN, AuditLog.Origin.REST.toString());
            if (AuthenticatingRestFilter.containsBadHeader(restRequest)) {
                ElasticsearchException createBadHeaderException = ExceptionUtils.createBadHeaderException();
                AuthenticatingRestFilter.log.error(createBadHeaderException);
                AuthenticatingRestFilter.this.auditLog.logBadHeaders(restRequest);
                try {
                    restChannel.sendResponse(new RestResponse(restChannel, RestStatus.FORBIDDEN, createBadHeaderException));
                    return false;
                } catch (IOException e) {
                    AuthenticatingRestFilter.log.error(e, e);
                    restChannel.sendResponse(new RestResponse(RestStatus.INTERNAL_SERVER_ERROR, "text/plain; charset=UTF-8", BytesArray.EMPTY));
                    return false;
                }
            }
            if (SSLRequestHelper.containsBadHeader(AuthenticatingRestFilter.this.threadContext, ConfigConstants.SG_CONFIG_PREFIX)) {
                ElasticsearchException createBadHeaderException2 = ExceptionUtils.createBadHeaderException();
                AuthenticatingRestFilter.log.error(createBadHeaderException2);
                AuthenticatingRestFilter.this.auditLog.logBadHeaders(restRequest);
                try {
                    restChannel.sendResponse(new RestResponse(restChannel, RestStatus.FORBIDDEN, createBadHeaderException2));
                    return false;
                } catch (IOException e2) {
                    AuthenticatingRestFilter.log.error(e2, e2);
                    restChannel.sendResponse(new RestResponse(RestStatus.INTERNAL_SERVER_ERROR, "text/plain; charset=UTF-8", BytesArray.EMPTY));
                    return false;
                }
            }
            try {
                SSLRequestHelper.SSLInfo sSLInfo = SSLRequestHelper.getSSLInfo(AuthenticatingRestFilter.this.settings, AuthenticatingRestFilter.this.configPath, restRequest, AuthenticatingRestFilter.this.principalExtractor);
                if (sSLInfo != null) {
                    if (sSLInfo.getPrincipal() != null) {
                        AuthenticatingRestFilter.this.threadContext.putTransient(ConfigConstants.SG_SSL_PRINCIPAL, sSLInfo.getPrincipal());
                    }
                    if (sSLInfo.getX509Certs() != null) {
                        AuthenticatingRestFilter.this.threadContext.putTransient(ConfigConstants.SG_SSL_PEER_CERTIFICATES, sSLInfo.getX509Certs());
                    }
                    AuthenticatingRestFilter.this.threadContext.putTransient("_sg_ssl_protocol", sSLInfo.getProtocol());
                    AuthenticatingRestFilter.this.threadContext.putTransient("_sg_ssl_cipher", sSLInfo.getCipher());
                }
                return true;
            } catch (SSLPeerUnverifiedException e3) {
                AuthenticatingRestFilter.log.error("No ssl info", e3);
                AuthenticatingRestFilter.this.auditLog.logSSLException(restRequest, e3);
                try {
                    restChannel.sendResponse(new RestResponse(restChannel, RestStatus.FORBIDDEN, e3));
                    return false;
                } catch (IOException e4) {
                    AuthenticatingRestFilter.log.error(e3, e3);
                    restChannel.sendResponse(new RestResponse(RestStatus.INTERNAL_SERVER_ERROR, "text/plain; charset=UTF-8", BytesArray.EMPTY));
                    return false;
                }
            }
        }

        private void sendDebugInfo(RestChannel restChannel, AuthcResult authcResult) {
            RestResponse restResponse = new RestResponse(authcResult.getRestStatus(), "application/json", authcResult.toPrettyJsonString());
            if (!authcResult.getHeaders().isEmpty()) {
                authcResult.getHeaders().forEach((str, list) -> {
                    list.forEach(str -> {
                        restResponse.addHeader(str, str);
                    });
                });
            }
            restChannel.sendResponse(restResponse);
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/authc/rest/AuthenticatingRestFilter$DebugApi.class */
    public static class DebugApi extends RestApi {
        public static final String PATH = "/_searchguard/auth/debug";

        public DebugApi() {
            name(PATH);
            handlesGet(PATH).with((restRequest, nodeClient) -> {
                return restChannel -> {
                    restChannel.sendResponse(new StandardResponse(404, new StandardResponse.Error("The /_searchguard/auth/debug API is not enabled. See the sg_authc configuration.")).toRestResponse());
                };
            });
        }
    }

    public AuthenticatingRestFilter(ConfigurationRepository configurationRepository, final SearchGuardModulesRegistry searchGuardModulesRegistry, final AdminDNs adminDNs, final BlockedIpRegistry blockedIpRegistry, final BlockedUserRegistry blockedUserRegistry, final AuditLog auditLog, final ThreadPool threadPool, PrincipalExtractor principalExtractor, final PrivilegesEvaluator privilegesEvaluator, Settings settings, Path path, DiagnosticContext diagnosticContext) {
        this.adminDns = adminDNs;
        this.auditLog = auditLog;
        this.threadContext = threadPool.getThreadContext();
        this.principalExtractor = principalExtractor;
        this.settings = settings;
        this.configPath = path;
        this.diagnosticContext = diagnosticContext;
        configurationRepository.subscribeOnChange(new ConfigurationChangeListener() { // from class: com.floragunn.searchguard.authc.rest.AuthenticatingRestFilter.1
            @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
            public void onChange(ConfigMap configMap) {
                SgDynamicConfiguration sgDynamicConfiguration = configMap.get(CType.AUTHC);
                SgDynamicConfiguration sgDynamicConfiguration2 = configMap.get(CType.CONFIG);
                if (sgDynamicConfiguration != null && sgDynamicConfiguration.getCEntry("default") != null) {
                    RestAuthenticationProcessor.Default r0 = new RestAuthenticationProcessor.Default((RestAuthcConfig) sgDynamicConfiguration.getCEntry("default"), searchGuardModulesRegistry, adminDNs, blockedIpRegistry, blockedUserRegistry, auditLog, threadPool, privilegesEvaluator);
                    AuthenticatingRestFilter.this.authenticationProcessor = r0;
                    AuthenticatingRestFilter.this.componentState.replacePartsWithType("config", sgDynamicConfiguration.getComponentState());
                    AuthenticatingRestFilter.this.componentState.replacePartsWithType("rest_authentication_processor", r0.getComponentState());
                    AuthenticatingRestFilter.this.componentState.updateStateFromParts();
                    if (AuthenticatingRestFilter.log.isDebugEnabled()) {
                        AuthenticatingRestFilter.log.debug("New configuration:\n" + ((RestAuthcConfig) sgDynamicConfiguration.getCEntry("default")).toYamlString());
                        return;
                    }
                    return;
                }
                if (sgDynamicConfiguration2 == null || sgDynamicConfiguration2.getCEntry("sg_config") == null) {
                    AuthenticatingRestFilter.this.componentState.setState(ComponentState.State.SUSPENDED, "no_configuration");
                    return;
                }
                LegacyRestAuthenticationProcessor legacyRestAuthenticationProcessor = new LegacyRestAuthenticationProcessor((LegacySgConfig) sgDynamicConfiguration2.getCEntry("sg_config"), searchGuardModulesRegistry, adminDNs, blockedIpRegistry, blockedUserRegistry, auditLog, threadPool, privilegesEvaluator);
                AuthenticatingRestFilter.this.authenticationProcessor = legacyRestAuthenticationProcessor;
                AuthenticatingRestFilter.this.componentState.replacePartsWithType("config", sgDynamicConfiguration2.getComponentState());
                AuthenticatingRestFilter.this.componentState.replacePartsWithType("rest_authentication_processor", legacyRestAuthenticationProcessor.getComponentState());
                AuthenticatingRestFilter.this.componentState.updateStateFromParts();
                if (AuthenticatingRestFilter.log.isDebugEnabled()) {
                    AuthenticatingRestFilter.log.debug("New legacy configuration:\n" + ((LegacySgConfig) sgDynamicConfiguration2.getCEntry("sg_config")).toYamlString());
                }
            }
        });
    }

    public HttpServerTransport.Dispatcher wrap(HttpServerTransport.Dispatcher dispatcher) {
        return new AuthenticatingRestHandler(dispatcher);
    }

    public RestAuthenticationProcessor getAuthenticationProcessor() {
        return this.authenticationProcessor;
    }

    public static RestResponse createUnauthorizedResponse(RestRequest restRequest) {
        return createResponse(restRequest, AuthcResult.stop(RestStatus.UNAUTHORIZED, ConfigConstants.UNAUTHORIZED));
    }

    public static RestResponse createResponse(RestRequest restRequest, AuthcResult authcResult) {
        String name = authcResult.getRestStatusMessage() == null ? authcResult.getRestStatus().name() : authcResult.getRestStatusMessage();
        String header = restRequest.header("accept");
        return (header == null || !(header.startsWith("application/json") || header.startsWith("application/vnd.elasticsearch+json"))) ? new RestResponse(authcResult.getRestStatus(), name) : new RestResponse(authcResult.getRestStatus(), "application/json", DocNode.of("status", Integer.valueOf(authcResult.getRestStatus().getStatus()), "error.reason", name, "error.type", "authentication_exception").toJsonString());
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }

    private static boolean containsBadHeader(RestRequest restRequest) {
        for (String str : restRequest.getHeaders().keySet()) {
            if (str != null && str.trim().toLowerCase().startsWith(ConfigConstants.SG_CONFIG_PREFIX.toLowerCase())) {
                return true;
            }
        }
        return false;
    }
}
