package com.floragunn.searchguard.auth.internal;

import com.floragunn.searchguard.auth.AuthenticationBackend;
import com.floragunn.searchguard.auth.AuthorizationBackend;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.sgconf.DynamicConfigFactory;
import com.floragunn.searchguard.sgconf.DynamicConfigModel;
import com.floragunn.searchguard.sgconf.InternalUsersModel;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
import org.elasticsearch.ElasticsearchSecurityException;

/* loaded from: input_file:com/floragunn/searchguard/auth/internal/InternalAuthenticationBackend.class */
public class InternalAuthenticationBackend implements AuthenticationBackend, AuthorizationBackend, DynamicConfigFactory.DCFListener {
    private InternalUsersModel internalUsersModel;

    @Override // com.floragunn.searchguard.auth.AuthenticationBackend
    public boolean exists(User user) {
        if (user == null || this.internalUsersModel == null || !this.internalUsersModel.exists(user.getName())) {
            return false;
        }
        user.addRoles(this.internalUsersModel.getBackenRoles(user.getName()));
        Map<String, String> attributes = this.internalUsersModel.getAttributes(user.getName());
        HashMap hashMap = new HashMap();
        if (attributes != null) {
            for (Map.Entry<String, String> entry : attributes.entrySet()) {
                hashMap.put("attr.internal." + entry.getKey(), entry.getValue());
            }
        }
        List<String> searchGuardRoles = this.internalUsersModel.getSearchGuardRoles(user.getName());
        if (searchGuardRoles != null) {
            user.addSearchGuardRoles(searchGuardRoles);
        }
        user.addAttributes(hashMap);
        return true;
    }

    @Override // com.floragunn.searchguard.auth.AuthenticationBackend
    public User authenticate(AuthCredentials authCredentials) {
        if (this.internalUsersModel == null) {
            throw new ElasticsearchSecurityException("Internal authentication backend not configured. May be Search Guard is not initialized. See https://docs.search-guard.com/latest/sgadmin", new Object[0]);
        }
        if (!this.internalUsersModel.exists(authCredentials.getUsername())) {
            throw new ElasticsearchSecurityException(authCredentials.getUsername() + " not found", new Object[0]);
        }
        byte[] password = authCredentials.getPassword();
        if (password == null || password.length == 0) {
            throw new ElasticsearchSecurityException("empty passwords not supported", new Object[0]);
        }
        ByteBuffer wrap = ByteBuffer.wrap(password);
        CharBuffer decode = StandardCharsets.UTF_8.decode(wrap);
        char[] cArr = new char[decode.limit()];
        decode.get(cArr);
        Arrays.fill(password, (byte) 0);
        try {
            if (!OpenBSDBCrypt.checkPassword(this.internalUsersModel.getHash(authCredentials.getUsername()), cArr)) {
                throw new ElasticsearchSecurityException("password does not match", new Object[0]);
            }
            List<String> backenRoles = this.internalUsersModel.getBackenRoles(authCredentials.getUsername());
            Map<String, String> attributes = this.internalUsersModel.getAttributes(authCredentials.getUsername());
            if (attributes != null) {
                for (Map.Entry<String, String> entry : attributes.entrySet()) {
                    authCredentials.addAttribute("attr.internal." + entry.getKey(), entry.getValue());
                }
            }
            User user = new User(authCredentials.getUsername(), backenRoles, authCredentials);
            List<String> searchGuardRoles = this.internalUsersModel.getSearchGuardRoles(authCredentials.getUsername());
            if (searchGuardRoles != null) {
                user.addSearchGuardRoles(searchGuardRoles);
            }
            return user;
        } finally {
            Arrays.fill(wrap.array(), (byte) 0);
            Arrays.fill(decode.array(), (char) 0);
            Arrays.fill(cArr, (char) 0);
        }
    }

    @Override // com.floragunn.searchguard.auth.AuthenticationBackend, com.floragunn.searchguard.auth.AuthorizationBackend
    public String getType() {
        return "internal";
    }

    @Override // com.floragunn.searchguard.auth.AuthorizationBackend
    public void fillRoles(User user, AuthCredentials authCredentials) throws ElasticsearchSecurityException {
        List<String> backenRoles;
        if (this.internalUsersModel == null) {
            throw new ElasticsearchSecurityException("Internal authentication backend not configured. May be Search Guard is not initialized. See https://docs.search-guard.com/latest/sgadmin", new Object[0]);
        }
        if (!exists(user) || (backenRoles = this.internalUsersModel.getBackenRoles(user.getName())) == null || backenRoles.isEmpty() || user == null) {
            return;
        }
        user.addRoles(backenRoles);
    }

    @Override // com.floragunn.searchguard.sgconf.DynamicConfigFactory.DCFListener
    public void onChanged(ConfigModel configModel, DynamicConfigModel dynamicConfigModel, InternalUsersModel internalUsersModel) {
        this.internalUsersModel = internalUsersModel;
    }
}
