package com.floragunn.searchguard.authc.session;

import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.authc.AuthFailureListener;
import com.floragunn.searchguard.authc.AuthenticationDomain;
import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor;
import com.floragunn.searchguard.authc.blocking.BlockedUserRegistry;
import com.floragunn.searchguard.authz.PrivilegesEvaluator;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.user.Attributes;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.rest.RestRequest;

/* loaded from: input_file:com/floragunn/searchguard/authc/session/ApiAuthenticationProcessor.class */
public class ApiAuthenticationProcessor extends RequestAuthenticationProcessor<ApiAuthenticationFrontend> {
    private static final Logger log = LogManager.getLogger(ApiAuthenticationProcessor.class);
    private final Map<String, Object> request;
    private final String frontendConfigId;

    public ApiAuthenticationProcessor(Map<String, Object> map, RequestMetaData<RestRequest> requestMetaData, Collection<AuthenticationDomain<ApiAuthenticationFrontend>> collection, AdminDNs adminDNs, PrivilegesEvaluator privilegesEvaluator, AuditLog auditLog, BlockedUserRegistry blockedUserRegistry, List<AuthFailureListener> list, List<String> list2, boolean z) {
        super(requestMetaData, collection, adminDNs, privilegesEvaluator, null, null, auditLog, blockedUserRegistry, list, list2, z);
        this.request = map;
        this.frontendConfigId = map.get("config_id") != null ? map.get("config_id").toString() : "default";
    }

    @Override // com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor
    protected RequestAuthenticationProcessor.AuthDomainState handleCurrentAuthenticationDomain(AuthenticationDomain<ApiAuthenticationFrontend> authenticationDomain, Consumer<AuthcResult> consumer, Consumer<Exception> consumer2) {
        ApiAuthenticationFrontend frontend = authenticationDomain.getFrontend();
        if (log.isTraceEnabled()) {
            log.trace("Try to extract auth creds from {} authentication frontend", frontend.getType());
        }
        try {
            AuthCredentials extractCredentials = frontend.extractCredentials(this.request);
            if (extractCredentials != null && isUserBlocked(authenticationDomain.getType(), extractCredentials.getUsername())) {
                if (log.isDebugEnabled()) {
                    log.debug("Rejecting REST request because of blocked user: " + extractCredentials.getUsername() + "; authDomain: " + String.valueOf(authenticationDomain));
                }
                this.auditLog.logBlockedUser(extractCredentials, false, extractCredentials, super.request.getRequest());
                this.debug.failure(frontend.getType(), "User " + extractCredentials.getUsername() + " is blocked");
                return RequestAuthenticationProcessor.AuthDomainState.SKIP;
            }
            this.authCredentials = extractCredentials;
            if (extractCredentials == null) {
                this.debug.failure(frontend.getType(), "No credentials extracted");
                return RequestAuthenticationProcessor.AuthDomainState.SKIP;
            }
            this.debug.success(frontend.getType(), "User has been identified by auth frontend", ConfigConstants.SEARCHGUARD_AUDIT_EXTERNAL_ES_USERNAME, extractCredentials.getUsername(), "roles", extractCredentials.getBackendRoles(), "attributes", extractCredentials.getStructuredAttributes(), "claims", extractCredentials.getClaims() != null ? extractCredentials.getClaims() : Collections.emptyMap());
            if (authenticationDomain.accept(extractCredentials)) {
                return proceed(extractCredentials, authenticationDomain, consumer, consumer2);
            }
            if (log.isDebugEnabled()) {
                log.debug("Skipped authentication of user {}", extractCredentials.getUsername());
            }
            this.debug.failure(frontend.getType(), "User " + extractCredentials.getUsername() + " is skipped according to auth domain settings");
            extractCredentials.clearSecrets();
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        } catch (AuthenticatorUnavailableException e) {
            log.warn("'{}' extracting credentials from {} authentication frontend", e.toString(), frontend.getType(), e);
            this.debug.failure(frontend.getType(), e.getMessage());
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        } catch (ConfigValidationException e2) {
            log.error("'{}' extracting credentials from {} authentication frontend", e2.toString(), frontend.getType(), e2);
            this.debug.failure(frontend.getType(), "Bad API request", "validation_errors", e2.getValidationErrors());
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        } catch (CredentialsException e3) {
            if (log.isTraceEnabled()) {
                log.trace("'{}' extracting credentials from {} authentication frontend", e3.toString(), frontend.getType(), e3);
            }
            this.debug.add(e3.getDebugInfo());
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        } catch (Exception e4) {
            log.error("'{}' extracting credentials from {} authentication frontend", e4.toString(), frontend.getType(), e4);
            this.debug.failure(frontend.getType(), e4.toString());
            return RequestAuthenticationProcessor.AuthDomainState.SKIP;
        }
    }

    @Override // com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor
    protected void decorateAuthenticatedUser(User user) {
        if (this.frontendConfigId == null || this.frontendConfigId.equals("default")) {
            return;
        }
        user.addStructuredAttribute(Attributes.FRONTEND_CONFIG_ID, this.frontendConfigId);
    }
}
