package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.api.AuthenticationBackend;
import com.floragunn.searchguard.auth.blocking.ClientBlockRegistry;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.filter.TenantAwareRestHandler;
import com.floragunn.searchguard.ssl.util.Utils;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchguard.user.UserInformation;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.collect.Multimap;
import inet.ipaddr.IPAddress;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/auth/RestAuthenticationProcessor.class */
public class RestAuthenticationProcessor {
    private static final Logger log = LogManager.getLogger(RestAuthenticationProcessor.class);
    private final RestHandler restHandler;
    private final RestRequest restRequest;
    private final RestChannel restChannel;
    private final IPAddress remoteIpAddress;
    private final ThreadContext threadContext;
    private final Collection<AuthenticationDomain> authenticationDomains;
    private final Iterator<AuthenticationDomain> authenticationDomainIter;
    private final Set<AuthorizationDomain> authorizationDomains;
    private final Multimap<String, AuthFailureListener> authBackendFailureListeners;
    private final List<AuthFailureListener> ipAuthFailureListeners;
    private final Multimap<String, ClientBlockRegistry<String>> authBackendClientBlockRegistries;
    private final AdminDNs adminDns;
    private final MetaRequestInfo authDomainMetaRequest;
    private final boolean isAuthDomainMetaRequest;
    private final boolean anonymousAuthEnabled;
    private final Cache<AuthCredentials, User> userCache;
    private final Cache<User, Set<String>> roleCache;
    private final Cache<String, User> impersonationCache;
    private final AuditLog auditLog;
    private boolean cacheResult = true;
    private AuthCredentials authCredenetials = null;
    private HTTPAuthenticator firstChallengingHttpAuthenticator = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/auth/RestAuthenticationProcessor$AuthDomainState.class */
    public enum AuthDomainState {
        PENDING,
        SKIP,
        PASS,
        STOP
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/auth/RestAuthenticationProcessor$MetaRequestInfo.class */
    public static class MetaRequestInfo {
        final String authDomainId;
        final String authDomainType;
        final String authDomainPath;
        final String remainingPath;

        public MetaRequestInfo(String str, String str2, String str3, String str4) {
            this.authDomainId = str;
            this.authDomainType = str2;
            this.authDomainPath = str3;
            this.remainingPath = str4;
        }
    }

    public RestAuthenticationProcessor(RestHandler restHandler, RestRequest restRequest, RestChannel restChannel, IPAddress iPAddress, ThreadContext threadContext, Collection<AuthenticationDomain> collection, Set<AuthorizationDomain> set, AdminDNs adminDNs, Cache<AuthCredentials, User> cache, Cache<User, Set<String>> cache2, Cache<String, User> cache3, AuditLog auditLog, Multimap<String, AuthFailureListener> multimap, Multimap<String, ClientBlockRegistry<String>> multimap2, List<AuthFailureListener> list, boolean z) {
        this.restHandler = restHandler;
        this.restRequest = restRequest;
        this.restChannel = restChannel;
        this.remoteIpAddress = iPAddress;
        this.threadContext = threadContext;
        this.authenticationDomains = collection;
        this.authenticationDomainIter = collection.iterator();
        this.authorizationDomains = set;
        this.authBackendFailureListeners = multimap;
        this.ipAuthFailureListeners = list;
        this.authBackendClientBlockRegistries = multimap2;
        this.adminDns = adminDNs;
        this.userCache = cache;
        this.roleCache = cache2;
        this.impersonationCache = cache3;
        this.auditLog = auditLog;
        this.anonymousAuthEnabled = z;
        this.authDomainMetaRequest = checkAuthDomainMetaRequest(restRequest);
        this.isAuthDomainMetaRequest = this.authDomainMetaRequest != null;
    }

    public void authenticate(Consumer<AuthczResult> consumer, Consumer<Exception> consumer2) {
        checkNextAuthenticationDomains(consumer, consumer2);
    }

    private void checkNextAuthenticationDomains(Consumer<AuthczResult> consumer, Consumer<Exception> consumer2) {
        while (this.authenticationDomainIter.hasNext()) {
            AuthDomainState checkCurrentAuthenticationDomain = checkCurrentAuthenticationDomain(this.authenticationDomainIter.next(), consumer, consumer2);
            if (checkCurrentAuthenticationDomain == AuthDomainState.PENDING) {
                return;
            }
            if (checkCurrentAuthenticationDomain == AuthDomainState.STOP) {
                consumer.accept(AuthczResult.STOP);
                return;
            }
        }
        if (this.authCredenetials != null || !this.anonymousAuthEnabled) {
            consumer.accept(handleFinalAuthFailure());
            return;
        }
        this.threadContext.putTransient(ConfigConstants.SG_USER, User.ANONYMOUS);
        this.auditLog.logSucceededLogin(User.ANONYMOUS, false, null, this.restRequest);
        if (log.isDebugEnabled()) {
            log.debug("Anonymous User is authenticated");
        }
        consumer.accept(AuthczResult.PASS_ANONYMOUS);
    }

    private AuthDomainState checkCurrentAuthenticationDomain(AuthenticationDomain authenticationDomain, Consumer<AuthczResult> consumer, Consumer<Exception> consumer2) {
        try {
            if (log.isDebugEnabled()) {
                log.debug("Checking authdomain " + authenticationDomain + " (total: " + this.authenticationDomains.size() + ")");
            }
            if (authenticationDomain.getEnabledOnlyForIps() != null && !authenticationDomain.getEnabledOnlyForIps().contains(this.remoteIpAddress)) {
                if (log.isDebugEnabled()) {
                    log.debug("Skipping " + authenticationDomain + " because it is disabled for " + this.remoteIpAddress + ": " + authenticationDomain.getEnabledOnlyForIps());
                }
                return AuthDomainState.SKIP;
            }
            HTTPAuthenticator httpAuthenticator = authenticationDomain.getHttpAuthenticator();
            if (authenticationDomain.isChallenge() && this.firstChallengingHttpAuthenticator == null) {
                this.firstChallengingHttpAuthenticator = httpAuthenticator;
            }
            if (this.isAuthDomainMetaRequest && this.authDomainMetaRequest.authDomainType.equals(httpAuthenticator.getType()) && (("_first".equals(this.authDomainMetaRequest.authDomainId) || authenticationDomain.getId().equals(this.authDomainMetaRequest.authDomainId)) && httpAuthenticator.handleMetaRequest(this.restRequest, this.restChannel, this.authDomainMetaRequest.authDomainPath, this.authDomainMetaRequest.remainingPath, this.threadContext))) {
                return AuthDomainState.STOP;
            }
            if (log.isTraceEnabled()) {
                log.trace("Try to extract auth creds from {} http authenticator", httpAuthenticator.getType());
            }
            try {
                AuthCredentials extractCredentials = httpAuthenticator.extractCredentials(this.restRequest, this.threadContext);
                if (extractCredentials != null && isUserBlocked(authenticationDomain.getBackend().getClass().getName(), extractCredentials.getUsername())) {
                    if (log.isDebugEnabled()) {
                        log.debug("Rejecting REST request because of blocked user: " + extractCredentials.getUsername() + "; authDomain: " + authenticationDomain);
                    }
                    this.auditLog.logBlockedUser(extractCredentials, false, extractCredentials, this.restRequest);
                    return AuthDomainState.SKIP;
                }
                this.authCredenetials = extractCredentials;
                if (extractCredentials == null) {
                    if (this.anonymousAuthEnabled) {
                        return AuthDomainState.SKIP;
                    }
                    if (!authenticationDomain.isChallenge() || !httpAuthenticator.reRequestAuthentication(this.restChannel, null)) {
                        log.trace("No 'Authorization' header, send 403");
                        return AuthDomainState.SKIP;
                    }
                    this.auditLog.logFailedLogin(UserInformation.NONE, false, null, this.restRequest);
                    log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'");
                    return AuthDomainState.STOP;
                }
                List<String> skippedUsers = authenticationDomain.getSkippedUsers();
                if (!skippedUsers.isEmpty() && WildcardMatcher.matchAny(skippedUsers, extractCredentials.getUsername())) {
                    if (log.isDebugEnabled()) {
                        log.debug("Skipped authentication of user {}", extractCredentials.getUsername());
                    }
                    extractCredentials.clearSecrets();
                    return AuthDomainState.SKIP;
                }
                org.apache.logging.log4j.ThreadContext.put("user", extractCredentials.getUsername());
                if (extractCredentials.isComplete()) {
                    callAuthczBackends(extractCredentials, authenticationDomain.getBackend(), user -> {
                        try {
                            extractCredentials.clearSecrets();
                            if (user == null) {
                                handleAuthFailure(extractCredentials, authenticationDomain, null);
                                checkNextAuthenticationDomains(consumer, consumer2);
                            } else {
                                if (this.adminDns.isAdmin(user)) {
                                    log.error("Cannot authenticate rest user because admin user is not permitted to login via HTTP");
                                    this.auditLog.logFailedLogin(user, true, null, this.restRequest);
                                    consumer.accept(AuthczResult.stop(RestStatus.FORBIDDEN, "Cannot authenticate user because admin user is not permitted to login via HTTP"));
                                    return;
                                }
                                if (log.isDebugEnabled()) {
                                    log.debug("Authcz successful for " + user + " on " + authenticationDomain);
                                }
                                user.setRequestedTenant(getRequestedTenant(this.restHandler, this.restRequest));
                                if (isImpersonationRequested()) {
                                    new RestImpersonationProcessor(user, this.restRequest.header("sg_impersonate_as"), this.authenticationDomains, this.authorizationDomains, this.adminDns, this.impersonationCache).impersonate(authczResult -> {
                                        if (authczResult.getUser() != null) {
                                            this.threadContext.putTransient(ConfigConstants.SG_USER, authczResult.getUser());
                                            this.auditLog.logSucceededLogin(authczResult.getUser(), false, user, this.restRequest);
                                        }
                                        consumer.accept(authczResult);
                                    }, consumer2);
                                } else {
                                    this.threadContext.putTransient(ConfigConstants.SG_USER, user);
                                    this.auditLog.logSucceededLogin(user, false, user, this.restRequest);
                                    consumer.accept(AuthczResult.pass(user));
                                }
                            }
                        } catch (Exception e) {
                            log.error(e);
                            consumer2.accept(e);
                        }
                    }, exc -> {
                        if (exc instanceof ElasticsearchSecurityException) {
                            handleAuthFailure(extractCredentials, authenticationDomain, exc);
                        } else {
                            log.error("Error while authenticating " + extractCredentials, exc);
                        }
                        extractCredentials.clearSecrets();
                        checkNextAuthenticationDomains(consumer, consumer2);
                    });
                    return AuthDomainState.PENDING;
                }
                if (httpAuthenticator.reRequestAuthentication(this.restChannel, extractCredentials)) {
                    extractCredentials.clearSecrets();
                    return AuthDomainState.STOP;
                }
                extractCredentials.clearSecrets();
                return AuthDomainState.SKIP;
            } catch (Exception e) {
                if (log.isDebugEnabled()) {
                    log.debug("'{}' extracting credentials from {} http authenticator", e.toString(), httpAuthenticator.getType(), e);
                }
                return AuthDomainState.SKIP;
            }
        } catch (Exception e2) {
            log.error("Error while handling auth domain " + authenticationDomain, e2);
            return AuthDomainState.SKIP;
        }
    }

    private void callAuthczBackends(AuthCredentials authCredentials, com.floragunn.searchguard.auth.api.AuthenticationBackend authenticationBackend, Consumer<User> consumer, Consumer<Exception> consumer2) {
        try {
            AuthenticationBackend.UserCachingPolicy userCachingPolicy = authenticationBackend.userCachingPolicy();
            if (userCachingPolicy == AuthenticationBackend.UserCachingPolicy.NEVER) {
                authenticationBackend.authenticate(authCredentials, user -> {
                    if (authCredentials.isAuthzComplete() || user.isAuthzComplete()) {
                        consumer.accept(user);
                    } else {
                        authz(user, consumer, consumer2);
                    }
                }, consumer2);
            } else if (userCachingPolicy == AuthenticationBackend.UserCachingPolicy.ONLY_IF_AUTHZ_SEPARATE && this.authorizationDomains.isEmpty()) {
                authenticationBackend.authenticate(authCredentials, consumer, consumer2);
            } else {
                User user2 = (User) this.userCache.getIfPresent(authCredentials);
                if (user2 != null) {
                    consumer.accept(user2);
                } else {
                    authenticationBackend.authenticate(authCredentials, user3 -> {
                        authzAndCache(authCredentials, authenticationBackend, user3, consumer, consumer2);
                    }, consumer2);
                }
            }
        } catch (Exception e) {
            authCredentials.clearSecrets();
            consumer2.accept(e);
        }
    }

    private void authzAndCache(AuthCredentials authCredentials, com.floragunn.searchguard.auth.api.AuthenticationBackend authenticationBackend, User user, Consumer<User> consumer, Consumer<Exception> consumer2) {
        try {
            if (log.isTraceEnabled()) {
                log.trace("Auth backend " + authenticationBackend + " returned " + user);
            }
            if (authCredentials.isAuthzComplete() || user.isAuthzComplete()) {
                if (this.cacheResult) {
                    this.userCache.put(authCredentials, user);
                }
                consumer.accept(user);
            } else {
                authz(user, user2 -> {
                    if (this.cacheResult) {
                        this.userCache.put(authCredentials, user2);
                    }
                    consumer.accept(user2);
                }, consumer2);
            }
        } catch (Exception e) {
            log.error(e);
            consumer2.accept(e);
        }
    }

    private void authz(User user, Consumer<User> consumer, Consumer<Exception> consumer2) {
        new AuthorizationProcessor(this.authorizationDomains, this.roleCache).authz(user, consumer, consumer2);
    }

    private void handleAuthFailure(AuthCredentials authCredentials, AuthenticationDomain authenticationDomain, Exception exc) {
        if (log.isDebugEnabled()) {
            log.debug("Cannot authenticate user {} with authdomain {} ({}/{})", authCredentials.getUsername(), authenticationDomain.getBackend().getType(), Integer.valueOf(authenticationDomain.getOrder()), Integer.valueOf(this.authenticationDomains.size()), exc);
        }
        Iterator it = this.authBackendFailureListeners.get(authenticationDomain.getBackend().getClass().getName()).iterator();
        while (it.hasNext()) {
            ((AuthFailureListener) it.next()).onAuthFailure(this.remoteIpAddress != null ? this.remoteIpAddress.toInetAddress() : null, authCredentials, this.restRequest);
        }
    }

    private void notifyIpAuthFailureListeners(AuthCredentials authCredentials) {
        Iterator<AuthFailureListener> it = this.ipAuthFailureListeners.iterator();
        while (it.hasNext()) {
            it.next().onAuthFailure(this.remoteIpAddress != null ? this.remoteIpAddress.toInetAddress() : null, authCredentials, this.restRequest);
        }
    }

    private boolean isImpersonationRequested() {
        return !Strings.isNullOrEmpty(this.restRequest.header("sg_impersonate_as"));
    }

    private AuthczResult handleFinalAuthFailure() {
        try {
            log.warn("Authentication finally failed for {} from {}", this.authCredenetials == null ? null : this.authCredenetials.getUsername(), this.remoteIpAddress);
            if (this.firstChallengingHttpAuthenticator != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Rerequest with {}", this.firstChallengingHttpAuthenticator.getClass());
                }
                if (this.firstChallengingHttpAuthenticator.reRequestAuthentication(this.restChannel, null)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Rerequest {} failed", this.firstChallengingHttpAuthenticator.getClass());
                    }
                    log.warn("Authentication finally failed for {} from {}", this.authCredenetials == null ? null : this.authCredenetials.getUsername(), this.remoteIpAddress);
                    this.auditLog.logFailedLogin(this.authCredenetials, false, null, this.restRequest);
                    notifyIpAuthFailureListeners(this.authCredenetials);
                    return AuthczResult.STOP;
                }
            }
            this.auditLog.logFailedLogin(this.authCredenetials, false, null, this.restRequest);
            notifyIpAuthFailureListeners(this.authCredenetials);
            return AuthczResult.stop(RestStatus.UNAUTHORIZED, "Authentication finally failed");
        } catch (Exception e) {
            log.error("Error while handling auth failure", e);
            return AuthczResult.stop(RestStatus.UNAUTHORIZED, "Authentication finally failed");
        }
    }

    private MetaRequestInfo checkAuthDomainMetaRequest(RestRequest restRequest) {
        int indexOf;
        String str;
        String substring;
        String path = restRequest.path();
        if (!path.startsWith("/_searchguard/auth_domain/") || (indexOf = path.indexOf(47, "/_searchguard/auth_domain/".length())) <= 0) {
            return null;
        }
        String substring2 = path.substring("/_searchguard/auth_domain/".length(), indexOf);
        int indexOf2 = path.indexOf(47, indexOf + 1);
        String str2 = "";
        if (indexOf2 > 0) {
            str = path.substring(0, indexOf2);
            substring = path.substring(indexOf + 1, indexOf2);
            str2 = path.substring(indexOf2 + 1);
        } else {
            str = path;
            substring = path.substring(indexOf + 1);
        }
        return new MetaRequestInfo(substring2, substring, str, str2);
    }

    private String getRequestedTenant(RestHandler restHandler, RestRequest restRequest) {
        return restHandler instanceof TenantAwareRestHandler ? ((TenantAwareRestHandler) restHandler).getTenantName(restRequest) : (String) Utils.coalesce(restRequest.header("sgtenant"), restRequest.header("sg_tenant"));
    }

    private boolean isUserBlocked(String str, String str2) {
        if (this.authBackendClientBlockRegistries == null) {
            return false;
        }
        Collection collection = this.authBackendClientBlockRegistries.get("BLOCKED_USERS");
        if (collection != null) {
            Iterator it = collection.iterator();
            while (it.hasNext()) {
                if (((ClientBlockRegistry) it.next()).isBlocked(str2)) {
                    return true;
                }
            }
        }
        Collection collection2 = this.authBackendClientBlockRegistries.get(str);
        if (collection2.isEmpty()) {
            return false;
        }
        Iterator it2 = collection2.iterator();
        while (it2.hasNext()) {
            if (((ClientBlockRegistry) it2.next()).isBlocked(str2)) {
                return true;
            }
        }
        return false;
    }
}
