package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.user.AuthDomainInfo;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/auth/RestImpersonationProcessor.class */
/**
 * Resolves a REST impersonation request: an already authenticated user asks to act as another
 * user, identified only by name.
 *
 * <p>Order of checks in {@link #impersonate}: the target must not be an admin DN, the caller must
 * be allowed to impersonate the target, and only then is the cache consulted or the authentication
 * domains probed. A cache hit therefore never bypasses the two permission checks.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The target name is concatenated into exception messages and log lines as-is.
 *       NOTE(review): the field name suggests it comes from a request header; confirm at the
 *       caller that control characters are neutralised before it reaches logs or responses.</li>
 *   <li>The cache is keyed by the target name alone, while the cached {@link User} is built with
 *       {@code AuthDomainInfo.from(originalUser)} of whichever request populated the entry.
 *       NOTE(review): confirm that audit and attribution code does not rely on that info when the
 *       entry is served to a different caller.</li>
 *   <li>On a cache hit the requested tenant is written onto the cached instance itself.
 *       NOTE(review): if the cache is shared between concurrent requests (not visible here), two
 *       callers asking for different tenants write to the same object; verify.</li>
 * </ul>
 */
public class RestImpersonationProcessor {
    private static final Logger log = LogManager.getLogger(RestImpersonationProcessor.class);

    // Authenticated caller requesting the impersonation.
    private final User originalUser;
    // Kept only to report the number of configured domains in the debug log.
    private final Collection<AuthenticationDomain> authenticationDomains;
    // Cursor over the domains; it survives across asynchronous retries, so each domain is tried once.
    private final Iterator<AuthenticationDomain> authenticationDomainIter;
    private final Set<AuthorizationDomain> authorizationDomains;
    private final AdminDNs adminDns;
    // Successful impersonations, keyed by the impersonated user name only.
    private final Cache<String, User> impersonationCache;
    // Name of the user to impersonate, used verbatim as cache key, in messages and in logs.
    private final String impersonatedUserHeader;
    // Cleared after the first authorization failure and never set back to true.
    private boolean cacheResult = true;

    /**
     * Outcome of probing a single authentication domain. The decompiler reports that this type was
     * originally declared private. Only {@link #PENDING} and {@link #SKIP} are produced by the
     * code in this class.
     */
    public enum AuthDomainState {
        /** Authorization was started; the result is delivered through the callbacks. */
        PENDING,
        /** The domain does not know the user, or probing it threw; try the next one. */
        SKIP,
        PASS,
        /** Ends the domain loop with {@code AuthczResult.STOP}. */
        STOP
    }

    /**
     * Creates a processor for one impersonation request.
     *
     * @param user       the authenticated caller; must not be null
     * @param str        name of the user to impersonate; must not be null or empty
     * @param collection authentication domains to probe, in iteration order
     * @param set        authorization domains handed to the authorization step
     * @param adminDNs   source of the admin-DN and impersonation-permission decisions
     * @param cache      cache of previously resolved impersonated users
     * @throws IllegalStateException if {@code str} is null or empty, or {@code user} is null
     */
    public RestImpersonationProcessor(User user, String str, Collection<AuthenticationDomain> collection, Set<AuthorizationDomain> set, AdminDNs adminDNs, Cache<String, User> cache) {
        this.originalUser = user;
        this.impersonatedUserHeader = str;
        this.authenticationDomains = collection;
        this.authenticationDomainIter = collection.iterator();
        this.authorizationDomains = set;
        this.adminDns = adminDNs;
        this.impersonationCache = cache;
        // Validation runs after the assignments, so a null collection fails with a
        // NullPointerException before this check is reached.
        if (user == null || Strings.isNullOrEmpty(str)) {
            throw new IllegalStateException("impersonate() called with " + str + "; " + user);
        }
    }

    /**
     * Runs the permission checks and resolves the impersonated user.
     *
     * <p>Every exception raised on the calling thread, including the FORBIDDEN rejections built
     * here, is handed to {@code consumer2} instead of being thrown.
     *
     * @param consumer  receives the result on success
     * @param consumer2 receives the failure
     */
    public void impersonate(Consumer<AuthczResult> consumer, Consumer<Exception> consumer2) {
        try {
            final String target = this.impersonatedUserHeader;

            // Admin identities can never be impersonated, whatever the per-user rules say.
            if (this.adminDns.isAdminDN(target)) {
                throw forbidden("It is not allowed to impersonate as an adminuser  '" + target + "'");
            }

            final String requester = this.originalUser.getName();
            if (!this.adminDns.isRestImpersonationAllowed(requester, target)) {
                throw forbidden("'" + requester + "' is not allowed to impersonate as '" + target + "'");
            }

            final User cached = this.impersonationCache.getIfPresent(target);
            if (cached != null) {
                // Writes the current request's tenant onto the cached instance itself.
                cached.setRequestedTenant(this.originalUser.getRequestedTenant());
                consumer.accept(AuthczResult.pass(cached));
                return;
            }

            checkNextAuthenticationDomains(consumer, consumer2);
        } catch (Exception e) {
            consumer2.accept(e);
        }
    }

    /**
     * Probes the remaining authentication domains until one starts authorization.
     *
     * <p>Returns without calling back when a domain reports {@link AuthDomainState#PENDING}; the
     * callbacks are then invoked by the authorization step. When the domains are exhausted the
     * request fails closed with a FORBIDDEN "No such user" error.
     */
    private void checkNextAuthenticationDomains(Consumer<AuthczResult> onResult, Consumer<Exception> onFailure) {
        for (;;) {
            AuthDomainState state;
            try {
                if (!this.authenticationDomainIter.hasNext()) {
                    log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists", this.originalUser.getName(), this.impersonatedUserHeader);
                    throw forbidden("No such user:" + this.impersonatedUserHeader);
                }
                state = checkCurrentAuthenticationDomain(this.authenticationDomainIter.next(), onResult, onFailure);
            } catch (Exception e) {
                onFailure.accept(e);
                return;
            }

            if (state == AuthDomainState.PENDING) {
                return;
            }
            if (state == AuthDomainState.STOP) {
                break;
            }
        }
        onResult.accept(AuthczResult.STOP);
    }

    /**
     * Asks one authentication domain whether the impersonated user exists and, if so, starts
     * authorization for it.
     *
     * <p>Any exception raised while probing is logged and reported as {@link AuthDomainState#SKIP},
     * so a failing backend is passed over rather than aborting the request.
     *
     * @return {@link AuthDomainState#SKIP} when the user is unknown to the domain or probing threw,
     *         {@link AuthDomainState#PENDING} once authorization has been started
     */
    private AuthDomainState checkCurrentAuthenticationDomain(AuthenticationDomain authenticationDomain, Consumer<AuthczResult> onResult, Consumer<Exception> onFailure) {
        try {
            if (log.isDebugEnabled()) {
                final int total = this.authenticationDomains.size();
                log.debug("Checking authdomain " + authenticationDomain + " (total: " + total + ")");
            }

            final com.floragunn.searchguard.auth.api.AuthenticationBackend backend = authenticationDomain.getBackend();
            // The new user carries auth-domain info derived from the caller, tagged "<type>+impersonation".
            final User impersonated = new User(this.impersonatedUserHeader, AuthDomainInfo.from(this.originalUser).addAuthBackend(backend.getType() + "+impersonation"));
            if (!backend.exists(impersonated)) {
                return AuthDomainState.SKIP;
            }

            // The callback argument is ignored; the instance created above is what gets cached and returned.
            final Consumer<User> onAuthorized = ignored -> {
                impersonated.setRequestedTenant(this.originalUser.getRequestedTenant());
                if (this.cacheResult) {
                    this.impersonationCache.put(this.impersonatedUserHeader, impersonated);
                }
                onResult.accept(AuthczResult.pass(impersonated));
            };
            // An authorization failure disables caching for this request and moves on to the next domain.
            final Consumer<Exception> onAuthzFailure = cause -> {
                log.error("Error while impersonating " + impersonated, cause);
                this.cacheResult = false;
                checkNextAuthenticationDomains(onResult, onFailure);
            };

            authz(impersonated, onAuthorized, onAuthzFailure);
            return AuthDomainState.PENDING;
        } catch (Exception e) {
            log.error("Error while handling auth domain " + authenticationDomain, e);
            return AuthDomainState.SKIP;
        }
    }

    /** Delegates to a fresh {@code AuthorizationProcessor} built over the configured authorization domains. */
    private void authz(User user, Consumer<User> onAuthorized, Consumer<Exception> onAuthzFailure) {
        final AuthorizationProcessor processor = new AuthorizationProcessor(this.authorizationDomains, null);
        processor.authz(user, onAuthorized, onAuthzFailure);
    }

    /** Builds the FORBIDDEN security exception used for every rejection in this class. */
    private static ElasticsearchSecurityException forbidden(String message) {
        return new ElasticsearchSecurityException(message, RestStatus.FORBIDDEN, new Object[0]);
    }
}
