package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.blocking.ClientBlockRegistry;
import com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.filter.TenantAwareRestHandler;
import com.floragunn.searchguard.http.XFFResolver;
import com.floragunn.searchguard.sgconf.ConfigModel;
import com.floragunn.searchguard.sgconf.DynamicConfigFactory;
import com.floragunn.searchguard.sgconf.DynamicConfigModel;
import com.floragunn.searchguard.sgconf.InternalUsersModel;
import com.floragunn.searchguard.ssl.util.Utils;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HTTPHelper;
import com.floragunn.searchguard.support.WildcardMatcher;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.Multimap;
import com.google.common.collect.Multimaps;
import inet.ipaddr.IPAddressString;
import java.net.InetAddress;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.commons.collections.ListUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/auth/BackendRegistry.class */
public class BackendRegistry implements DynamicConfigFactory.DCFListener {
    /** Key under which the statically configured blocked users are merged into {@link #authBackendClientBlockRegistries} by onChanged(). */
    private static final String BLOCKED_USERS = "BLOCKED_USERS";
    // Active configuration. All of the following are replaced field by field in onChanged(); only 'initialized',
    // 'anonymousAuthEnabled' and 'transportUsernameAttribute' are volatile.
    // NOTE(review): 'initialized' is written last, so a reader that checks isInitialized() first sees a consistent
    // snapshot; a reader that touches the lists/registries without that check may observe a mix of old and new
    // configuration — confirm every caller goes through isInitialized() first.
    /** REST authentication domains; sorted by order. Non-empty (or anonymous auth) is what makes the registry initialized. */
    private SortedSet<AuthenticationDomain> restAuthenticationDomains;
    /** Transport authentication domains tried in order by authenticate(TransportRequest, ...). */
    private SortedSet<AuthenticationDomain> transportAuthenticationDomains;
    private Set<AuthorizationDomain> restAuthorizationDomains;
    private Set<AuthorizationDomain> transportAuthorizationDomains;
    /** Notified by notifyIpAuthFailureListeners() after a final authentication failure. */
    private List<AuthFailureListener> ipAuthFailureListeners;
    /** Per-backend-class failure listeners, keyed by the backend's class name. */
    private Multimap<String, AuthFailureListener> authBackendFailureListeners;
    /** Static block list (from ConfigModel) followed by the dynamic IP block registries. */
    private List<ClientBlockRegistry<InetAddress>> ipClientBlockRegistries;
    /** Dynamic per-backend user block registries plus the static blocked users under {@link #BLOCKED_USERS}. */
    private Multimap<String, ClientBlockRegistry<String>> authBackendClientBlockRegistries;
    /** Only updated when ConfigModel provides a non-null list; otherwise the previous value is kept (see onChanged()). */
    private List<ClientBlockRegistry<IPAddressString>> blockedNetmasks;
    private volatile boolean initialized;
    private final AdminDNs adminDns;
    private final XFFResolver xffResolver;
    private final Settings esSettings;
    private final AuditLog auditLog;
    /** Source of the thread context from which transport headers ("Authorization", "sg_impersonate_as") are read. */
    private final ThreadPool threadPool;
    private final UserInjector userInjector;
    /** Expiry (minutes after write) shared by all caches below; from SEARCHGUARD_CACHE_TTL_MINUTES, default 60. */
    private final int ttlInMin;
    // Caches are built by createCaches() and all dropped by invalidateCache() on every configuration change.
    /** Credentials -> user. Its use is in the REST authenticate path, whose body the decompiler did not recover. */
    private Cache<AuthCredentials, User> userCache;
    /** REST impersonation: impersonated username -> existing user (see impersonate(RestRequest, User)). */
    private Cache<String, User> restImpersonationCache;
    /** Transport without basic credentials: principal name -> existing user (see checkExistsAndAuthz). */
    private Cache<String, User> userCacheTransport;
    /** Transport with basic credentials: credentials -> authenticated user (see authcz). */
    private Cache<AuthCredentials, User> authenticatedUserCacheTransport;
    /** Transport: user -> backend roles collected by authz(). */
    private Cache<User, Set<String>> transportRoleCache;
    /** REST counterpart of transportRoleCache; not referenced by the code recovered here. */
    private Cache<User, Set<String>> restRoleCache;
    /** Transport impersonation: impersonated username -> existing user (see impersonate(User)). */
    private Cache<String, User> transportImpersonationCache;
    protected final Logger log = LogManager.getLogger(getClass());
    /** Dynamic config value AND not force-disabled by the compliance setting (see onChanged()). */
    private volatile boolean anonymousAuthEnabled = false;
    /** RDN type whose value replaces the certificate DN as the transport username; null/empty disables resolution. */
    private volatile String transportUsernameAttribute = null;

    /**
     * (Re)creates every cache of this registry.
     *
     * <p>All caches expire an entry {@code ttlInMin} minutes after it was written and log the eviction at debug
     * level. Caches keyed by {@link AuthCredentials} log the contained username instead of the key object so that
     * the credentials object itself never ends up in the log line.
     */
    private void createCaches() {
        this.userCache = newCredentialsKeyedCache();
        this.userCacheTransport = newExpiringCache();
        this.authenticatedUserCacheTransport = newCredentialsKeyedCache();
        this.restImpersonationCache = newExpiringCache();
        this.transportRoleCache = newExpiringCache();
        this.restRoleCache = newExpiringCache();
        this.transportImpersonationCache = newExpiringCache();
    }

    /** Builds a cache expiring {@code ttlInMin} minutes after write whose removal listener logs the evicted key. */
    private <K, V> Cache<K, V> newExpiringCache() {
        return CacheBuilder.newBuilder()
                .expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES)
                .removalListener(notification -> this.log.debug("Clear user cache for {} due to {}", notification.getKey(), notification.getCause()))
                .build();
    }

    /** Like {@link #newExpiringCache()} for {@link AuthCredentials} keys; the listener logs the username, not the key. */
    private <V> Cache<AuthCredentials, V> newCredentialsKeyedCache() {
        return CacheBuilder.newBuilder()
                .expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES)
                .removalListener(notification -> this.log.debug("Clear user cache for {} due to {}", ((AuthCredentials) notification.getKey()).getUsername(), notification.getCause()))
                .build();
    }

    /**
     * Creates a registry that cannot authenticate anything yet: authentication domains, listeners and block
     * registries are only populated once {@link #onChanged} delivers the dynamic configuration.
     *
     * @param settings node settings; {@code SEARCHGUARD_CACHE_TTL_MINUTES} (default 60) sets the cache expiry
     * @param adminDNs admin-certificate DN matcher and impersonation policy
     * @param xFFResolver X-Forwarded-For resolver, handed to the {@link UserInjector}
     * @param auditLog sink for succeeded/failed/blocked login events
     * @param threadPool supplies the thread context from which transport headers are read
     */
    public BackendRegistry(Settings settings, AdminDNs adminDNs, XFFResolver xFFResolver, AuditLog auditLog, ThreadPool threadPool) {
        this.esSettings = settings;
        this.adminDns = adminDNs;
        this.xffResolver = xFFResolver;
        this.auditLog = auditLog;
        this.threadPool = threadPool;
        this.userInjector = new UserInjector(settings, threadPool, auditLog, xFFResolver);
        // Caches are built right away so invalidateCache()/onChanged() are safe before the first config load.
        Integer ttlMinutes = settings.getAsInt(ConfigConstants.SEARCHGUARD_CACHE_TTL_MINUTES, 60);
        this.ttlInMin = ttlMinutes.intValue();
        createCaches();
    }

    /**
     * Whether a configuration with at least one REST authentication domain (or anonymous authentication enabled)
     * has been received via {@link #onChanged}. Until then the transport path rejects every non-admin caller and
     * impersonation requests are refused.
     */
    public boolean isInitialized() {
        return initialized;
    }

    /**
     * Drops every cached authentication, impersonation and role result so that nothing decided under a previous
     * configuration (or with since-revoked credentials) is reused.
     */
    public void invalidateCache() {
        Cache<?, ?>[] allCaches = {
            this.userCache,
            this.userCacheTransport,
            this.authenticatedUserCacheTransport,
            this.restImpersonationCache,
            this.restRoleCache,
            this.transportRoleCache,
            this.transportImpersonationCache
        };
        for (Cache<?, ?> cache : allCaches) {
            cache.invalidateAll();
        }
    }

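    /**
     * Receives a new configuration and swaps the active domains, listeners and block registries.
     *
     * <p>All caches are invalidated first so that nothing authenticated under the previous configuration survives
     * the reload. Blocked IPs from the static {@link ConfigModel} are placed in front of the dynamic IP registries;
     * blocked users are added under the {@value #BLOCKED_USERS} key to a copy of the dynamic user registries.
     * {@code initialized} is written last and is the volatile field that publishes the others to readers that check
     * {@link #isInitialized()} first.
     *
     * @param configModel static configuration, source of the block lists
     * @param dynamicConfigModel dynamic configuration: auth/authz domains, failure listeners, block registries
     * @param internalUsersModel not used here
     */
    @Override // com.floragunn.searchguard.sgconf.DynamicConfigFactory.DCFListener
    public void onChanged(ConfigModel configModel, DynamicConfigModel dynamicConfigModel, InternalUsersModel internalUsersModel) {
        invalidateCache();
        this.transportUsernameAttribute = dynamicConfigModel.getTransportUsernameAttribute();
        // The compliance setting can force anonymous authentication off regardless of the dynamic config.
        this.anonymousAuthEnabled = dynamicConfigModel.isAnonymousAuthenticationEnabled()
                && !this.esSettings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false).booleanValue();
        this.restAuthenticationDomains = Collections.unmodifiableSortedSet(dynamicConfigModel.getRestAuthenticationDomains());
        this.transportAuthenticationDomains = Collections.unmodifiableSortedSet(dynamicConfigModel.getTransportAuthenticationDomains());
        this.restAuthorizationDomains = Collections.unmodifiableSet(dynamicConfigModel.getRestAuthorizationDomains());
        this.transportAuthorizationDomains = Collections.unmodifiableSet(dynamicConfigModel.getTransportAuthorizationDomains());
        this.ipAuthFailureListeners = dynamicConfigModel.getIpAuthFailureListeners();
        this.authBackendFailureListeners = dynamicConfigModel.getAuthBackendFailureListeners();
        this.ipClientBlockRegistries = mergeBlockedIps(configModel.getBlockIpAddresses(), dynamicConfigModel.getIpClientBlockRegistries());
        this.authBackendClientBlockRegistries = mergeBlockedUsers(configModel.getBlockedUsers(), dynamicConfigModel.getAuthBackendClientBlockRegistries());
        if (configModel.getBlockedNetmasks() != null) {
            // NOTE(review): a null netmask list keeps the previously loaded netmasks instead of clearing them —
            // confirm this is the intended reload semantics.
            this.blockedNetmasks = configModel.getBlockedNetmasks();
        }
        // Written last: the volatile write publishes every assignment above to readers that check isInitialized() first.
        this.initialized = !this.restAuthenticationDomains.isEmpty() || this.anonymousAuthEnabled;
    }

    /**
     * Puts the statically blocked IP registries in front of the dynamic ones.
     *
     * @param staticRegistries block registries from the static config; {@code null} means nothing to merge, in which
     *                         case {@code dynamicRegistries} is returned as-is (possibly {@code null})
     * @param dynamicRegistries registries from the dynamic config, may be {@code null}
     * @return an unmodifiable merged list, or {@code dynamicRegistries} unchanged
     */
    @SuppressWarnings("unchecked") // ListUtils.union is raw-typed; both inputs hold ClientBlockRegistry<InetAddress>
    private static List<ClientBlockRegistry<InetAddress>> mergeBlockedIps(List<? extends ClientBlockRegistry<InetAddress>> staticRegistries, List<ClientBlockRegistry<InetAddress>> dynamicRegistries) {
        if (staticRegistries == null) {
            return dynamicRegistries;
        }
        List<ClientBlockRegistry<InetAddress>> dynamicOrEmpty = dynamicRegistries != null
                ? dynamicRegistries
                : Collections.<ClientBlockRegistry<InetAddress>>emptyList();
        return Collections.unmodifiableList(ListUtils.union(staticRegistries, dynamicOrEmpty));
    }

    /**
     * Adds the statically blocked users under the {@value #BLOCKED_USERS} key to a copy of the dynamic registries.
     *
     * @param staticBlockedUsers blocked users from the static config; {@code null} means nothing to merge, in which
     *                           case {@code dynamicRegistries} is returned as-is (possibly {@code null})
     * @param dynamicRegistries per-backend registries from the dynamic config, may be {@code null}
     * @return an unmodifiable merged multimap, or {@code dynamicRegistries} unchanged
     */
    private static Multimap<String, ClientBlockRegistry<String>> mergeBlockedUsers(Iterable<? extends ClientBlockRegistry<String>> staticBlockedUsers, Multimap<String, ClientBlockRegistry<String>> dynamicRegistries) {
        if (staticBlockedUsers == null) {
            return dynamicRegistries;
        }
        ArrayListMultimap<String, ClientBlockRegistry<String>> merged = ArrayListMultimap.create();
        if (dynamicRegistries != null) {
            merged.putAll(dynamicRegistries);
        }
        merged.putAll(BLOCKED_USERS, staticBlockedUsers);
        return Multimaps.unmodifiableMultimap(merged);
    }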

    /**
     * Authenticates a transport-layer request and returns the resulting user, or {@code null} if the request must
     * be rejected.
     *
     * <p>Decision order as implemented below:
     * <ol>
     *   <li>A principal accepted by {@code adminDns.isAdmin} is logged in at once, bypassing IP blocking and every backend.</li>
     *   <li>A blocked remote address (per {@code isIpBlocked}, defined elsewhere in this class) is audited and rejected.</li>
     *   <li>An uninitialized registry rejects everything else.</li>
     *   <li>Each transport authentication domain is tried in order. Without basic credentials in the thread context
     *       the principal {@code str} (after optional impersonation and username-attribute resolution) only has to
     *       exist in the backend; with credentials they are verified through {@link #authcz}. A backend that yields an
     *       admin-DN user ends the loop with a rejection; a blocked user is audited and the next domain is tried.</li>
     *   <li>If no domain succeeds, the failure is audited, logged and reported to the IP failure listeners.</li>
     * </ol>
     *
     * @param transportRequest the incoming request; its remote address is used for IP blocking and auditing
     * @param str the caller's principal name; for transport this is expected to be a certificate DN (see
     *            {@link #impersonate(User)} and {@link #resolveTransportUsernameAttribute(User)})
     * @param task the task the request runs under, forwarded to the audit log
     * @param str2 forwarded to the audit log together with the request — presumably the action name; confirm against callers
     * @return the authenticated (possibly impersonated) user, or {@code null} when blocked, not initialized or not authenticated
     * @throws ElasticsearchSecurityException propagated from {@link #impersonate(User)} when an impersonation header is present but not permitted
     */
    public User authenticate(TransportRequest transportRequest, String str, Task task, String str2) {
        User authcz;
        if (this.log.isDebugEnabled() && transportRequest.remoteAddress() != null) {
            this.log.debug("Transport authentication request from {}", transportRequest.remoteAddress());
        }
        User user = new User(str);
        // Admin DNs are trusted on the strength of their certificate: no backend, no IP block check.
        if (this.adminDns.isAdmin(user)) {
            this.auditLog.logSucceededLogin(user.getName(), true, null, transportRequest, str2, task);
            return user;
        }
        // Fail closed for blocked addresses before any backend is consulted.
        if (transportRequest.remoteAddress() != null && isIpBlocked(transportRequest.remoteAddress().address().getAddress())) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Rejecting transport request because of blocked address: " + transportRequest.remoteAddress());
            }
            this.auditLog.logBlockedIp(transportRequest, str2, transportRequest.remoteAddress(), task);
            return null;
        }
        if (!isInitialized()) {
            this.log.error("Not yet initialized (you may need to run sgadmin)");
            return null;
        }
        // Basic credentials come from the thread context header, not from the transport request itself.
        AuthCredentials extractCredentials = HTTPHelper.extractCredentials(this.threadPool.getThreadContext().getHeader("Authorization"), this.log);
        User user2 = null;
        if (extractCredentials != null && this.log.isDebugEnabled()) {
            this.log.debug("User {} submitted also basic credentials: {}", user.getName(), extractCredentials);
        }
        for (AuthenticationDomain authenticationDomain : this.transportAuthenticationDomains) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Check transport authdomain {}/{} or {} in total", authenticationDomain.getBackend().getType(), Integer.valueOf(authenticationDomain.getOrder()), Integer.valueOf(this.transportAuthenticationDomains.size()));
            }
            if (extractCredentials == null) {
                // No password: the principal (or the user it impersonates) must merely exist in this backend.
                // Note that impersonation and attribute resolution are re-run on every iteration, and 'user' is
                // replaced by its resolved form after the first pass.
                user2 = impersonate(user);
                user = resolveTransportUsernameAttribute(user);
                authcz = checkExistsAndAuthz(this.userCacheTransport, user2 == null ? user : user2, authenticationDomain.getBackend(), this.transportAuthorizationDomains);
            } else {
                // Credentials present: the backend must verify them; impersonation is not applied on this path.
                authcz = authcz(this.authenticatedUserCacheTransport, this.transportRoleCache, extractCredentials, authenticationDomain.getBackend(), this.transportAuthorizationDomains);
            }
            if (authcz == null) {
                // Per-backend failure listeners are keyed by the backend's class name.
                Iterator it = this.authBackendFailureListeners.get(authenticationDomain.getBackend().getClass().getName()).iterator();
                while (it.hasNext()) {
                    ((AuthFailureListener) it.next()).onAuthFailure(transportRequest.remoteAddress() != null ? transportRequest.remoteAddress().address().getAddress() : null, extractCredentials, transportRequest);
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Cannot authenticate transport user {} (or add roles) with authdomain {}/{} of {}, try next", extractCredentials == null ? user2 == null ? user.getName() : user2.getName() : extractCredentials.getUsername(), authenticationDomain.getBackend().getType(), Integer.valueOf(authenticationDomain.getOrder()), Integer.valueOf(this.transportAuthenticationDomains.size()));
                }
            } else {
                // An admin DN must authenticate by certificate only; a backend producing one is a hard failure.
                if (this.adminDns.isAdmin(authcz)) {
                    this.log.error("Cannot authenticate transport user because admin user is not permitted to login");
                    this.auditLog.logFailedLogin(authcz.getName(), true, null, transportRequest, task);
                    return null;
                }
                // isUserBlocked is defined elsewhere in this class; a blocked user falls through to the next domain.
                if (!isUserBlocked(authenticationDomain.getBackend().getClass().getName(), authcz.getName())) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Transport user '{}' is authenticated", authcz);
                    }
                    // Third argument is the impersonating principal, or null when no impersonation happened.
                    this.auditLog.logSucceededLogin(authcz.getName(), false, user2 == null ? null : user.getName(), transportRequest, str2, task);
                    return authcz;
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Rejecting TRANSPORT request because of blocked user: " + authcz.getName() + "; authDomain: " + authenticationDomain);
                }
                this.auditLog.logBlockedUser(authcz.getName(), false, user.getName(), transportRequest, task);
            }
        }
        // Every domain failed: audit under the name that was attempted, then notify the IP-level listeners.
        if (extractCredentials == null) {
            this.auditLog.logFailedLogin(user2 == null ? user.getName() : user2.getName(), false, user2 == null ? null : user.getName(), transportRequest, task);
        } else {
            this.auditLog.logFailedLogin(extractCredentials.getUsername(), false, null, transportRequest, task);
        }
        this.log.warn("Transport authentication finally failed for {} from {}", extractCredentials == null ? user2 == null ? user.getName() : user2.getName() : extractCredentials.getUsername(), transportRequest.remoteAddress());
        notifyIpAuthFailureListeners(transportRequest.remoteAddress() != null ? transportRequest.remoteAddress().address().getAddress() : null, extractCredentials, transportRequest);
        return null;
    }

    /* JADX WARN: Code restructure failed: missing block: B:100:0x0452, code lost:
    
        r1 = r0;
     */
    /* JADX WARN: Code restructure failed: missing block: B:101:0x043f, code lost:
    
        r2 = r0;
     */
    /* JADX WARN: Code restructure failed: missing block: B:103:0x046f, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L119;
     */
    /* JADX WARN: Code restructure failed: missing block: B:104:0x0472, code lost:
    
        r7.log.debug("User still not authenticated after checking {} auth domains", java.lang.Integer.valueOf(r7.restAuthenticationDomains.size()));
     */
    /* JADX WARN: Code restructure failed: missing block: B:106:0x048b, code lost:
    
        if (r16 != null) goto L128;
     */
    /* JADX WARN: Code restructure failed: missing block: B:108:0x0492, code lost:
    
        if (r7.anonymousAuthEnabled == false) goto L128;
     */
    /* JADX WARN: Code restructure failed: missing block: B:109:0x0495, code lost:
    
        r11.putTransient(com.floragunn.searchguard.support.ConfigConstants.SG_USER, com.floragunn.searchguard.user.User.ANONYMOUS);
        r7.auditLog.logSucceededLogin(com.floragunn.searchguard.user.User.ANONYMOUS.getName(), false, null, r9);
     */
    /* JADX WARN: Code restructure failed: missing block: B:110:0x04ba, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L204;
     */
    /* JADX WARN: Code restructure failed: missing block: B:111:0x04bd, code lost:
    
        r7.log.debug("Anonymous User is authenticated");
     */
    /* JADX WARN: Code restructure failed: missing block: B:112:0x04c8, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:113:?, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:115:0x04cc, code lost:
    
        if (r17 == null) goto L154;
     */
    /* JADX WARN: Code restructure failed: missing block: B:117:0x04d8, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L133;
     */
    /* JADX WARN: Code restructure failed: missing block: B:118:0x04db, code lost:
    
        r7.log.debug("Rerequest with {}", r17.getClass());
     */
    /* JADX WARN: Code restructure failed: missing block: B:120:0x04f4, code lost:
    
        if (r17.reRequestAuthentication(r10, null) == false) goto L154;
     */
    /* JADX WARN: Code restructure failed: missing block: B:122:0x0500, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L138;
     */
    /* JADX WARN: Code restructure failed: missing block: B:123:0x0503, code lost:
    
        r7.log.debug("Rerequest {} failed", r17.getClass());
     */
    /* JADX WARN: Code restructure failed: missing block: B:124:0x0513, code lost:
    
        r0 = r7.log;
     */
    /* JADX WARN: Code restructure failed: missing block: B:125:0x051b, code lost:
    
        if (r16 != null) goto L141;
     */
    /* JADX WARN: Code restructure failed: missing block: B:126:0x051e, code lost:
    
        r2 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:127:0x0527, code lost:
    
        r0.warn("Authentication finally failed for {} from {}", r2, r0);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:128:0x0534, code lost:
    
        if (r16 != null) goto L145;
     */
    /* JADX WARN: Code restructure failed: missing block: B:129:0x0537, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:130:0x0540, code lost:
    
        r0.logFailedLogin(r1, false, null, r9);
     */
    /* JADX WARN: Code restructure failed: missing block: B:131:0x054b, code lost:
    
        if (r0 == null) goto L151;
     */
    /* JADX WARN: Code restructure failed: missing block: B:133:0x0553, code lost:
    
        if (r0.address() == null) goto L151;
     */
    /* JADX WARN: Code restructure failed: missing block: B:134:0x0556, code lost:
    
        r1 = r0.address().getAddress();
     */
    /* JADX WARN: Code restructure failed: missing block: B:135:0x0562, code lost:
    
        notifyIpAuthFailureListeners(r1, r16, r9);
     */
    /* JADX WARN: Code restructure failed: missing block: B:136:0x0569, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:137:0x0561, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:138:0x053b, code lost:
    
        r1 = r16.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:139:0x0522, code lost:
    
        r2 = r16.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:140:0x056a, code lost:
    
        r0 = r7.log;
     */
    /* JADX WARN: Code restructure failed: missing block: B:141:0x0572, code lost:
    
        if (r16 != null) goto L157;
     */
    /* JADX WARN: Code restructure failed: missing block: B:142:0x0575, code lost:
    
        r2 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:143:0x057e, code lost:
    
        r0.warn("Authentication finally failed for {} from {}", r2, r0);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:144:0x058b, code lost:
    
        if (r16 != null) goto L161;
     */
    /* JADX WARN: Code restructure failed: missing block: B:145:0x058e, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:146:0x0597, code lost:
    
        r0.logFailedLogin(r1, false, null, r9);
     */
    /* JADX WARN: Code restructure failed: missing block: B:147:0x05a2, code lost:
    
        if (r0 == null) goto L167;
     */
    /* JADX WARN: Code restructure failed: missing block: B:149:0x05aa, code lost:
    
        if (r0.address() == null) goto L167;
     */
    /* JADX WARN: Code restructure failed: missing block: B:150:0x05ad, code lost:
    
        r1 = r0.address().getAddress();
     */
    /* JADX WARN: Code restructure failed: missing block: B:151:0x05b9, code lost:
    
        notifyIpAuthFailureListeners(r1, r16, r9);
        r10.sendResponse(new org.elasticsearch.rest.BytesRestResponse(org.elasticsearch.rest.RestStatus.UNAUTHORIZED, "Authentication finally failed"));
     */
    /* JADX WARN: Code restructure failed: missing block: B:152:0x05d2, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:153:0x05b8, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:154:0x0592, code lost:
    
        r1 = r16.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:155:0x0579, code lost:
    
        r2 = r16.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:90:0x0425, code lost:
    
        if (r14 == false) goto L116;
     */
    /* JADX WARN: Code restructure failed: missing block: B:91:0x0428, code lost:
    
        r0 = impersonate(r9, r15);
     */
    /* JADX WARN: Code restructure failed: missing block: B:92:0x0437, code lost:
    
        if (r0 != null) goto L110;
     */
    /* JADX WARN: Code restructure failed: missing block: B:93:0x043a, code lost:
    
        r2 = r15;
     */
    /* JADX WARN: Code restructure failed: missing block: B:94:0x0441, code lost:
    
        r11.putTransient(com.floragunn.searchguard.support.ConfigConstants.SG_USER, r2);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:95:0x044a, code lost:
    
        if (r0 != null) goto L114;
     */
    /* JADX WARN: Code restructure failed: missing block: B:96:0x044d, code lost:
    
        r1 = r15;
     */
    /* JADX WARN: Code restructure failed: missing block: B:97:0x0454, code lost:
    
        r0.logSucceededLogin(r1.getName(), false, r15.getName(), r9);
     */
    /* JADX WARN: Code restructure failed: missing block: B:99:0x05d5, code lost:
    
        return r14;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Authenticates a REST request and, on success, puts the user into the thread context.
     *
     * <p>The decompiler could not reconstruct this method's body (see the JADX notes above); what is left is a stub
     * that always throws. The recovered fragments show the real implementation handling anonymous authentication
     * ({@code User.ANONYMOUS} put under {@code ConfigConstants.SG_USER}), REST impersonation via
     * {@link #impersonate(RestRequest, User)}, re-requesting authentication from the client, and answering a final
     * failure with an {@code UNAUTHORIZED} response after notifying the IP failure listeners. Treat the stub below as
     * a decompilation artifact, not as the library's behavior.
     *
     * @return per the recovered fragments, {@code true} when the request was authenticated and {@code false} otherwise;
     *         the stub itself never returns
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    public boolean authenticate(org.elasticsearch.rest.RestHandler r8, org.elasticsearch.rest.RestRequest r9, org.elasticsearch.rest.RestChannel r10, org.elasticsearch.common.util.concurrent.ThreadContext r11) {
        /*
            Method dump skipped, instructions count: 1494
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.floragunn.searchguard.auth.BackendRegistry.authenticate(org.elasticsearch.rest.RestHandler, org.elasticsearch.rest.RestRequest, org.elasticsearch.rest.RestChannel, org.elasticsearch.common.util.concurrent.ThreadContext):boolean");
    }

    /**
     * Determines the tenant a REST request asks for.
     *
     * <p>Tenant-aware handlers decide for themselves; for every other handler the {@code sgtenant} header is
     * coalesced with the {@code sg_tenant} header (first non-null wins, per {@code Utils.coalesce}).
     *
     * @return the requested tenant name, or {@code null} if neither the handler nor the headers name one
     */
    private String getRequestedTenant(RestHandler restHandler, RestRequest restRequest) {
        if (restHandler instanceof TenantAwareRestHandler) {
            return ((TenantAwareRestHandler) restHandler).getTenantName(restRequest);
        }
        String tenantHeader = restRequest.header("sgtenant");
        String legacyTenantHeader = restRequest.header("sg_tenant");
        return (String) Utils.coalesce(tenantHeader, legacyTenantHeader);
    }

    /**
     * Reports a final authentication failure to every IP-level failure listener.
     *
     * @param inetAddress the client's address, or {@code null} when the request has none
     * @param authCredentials the credentials that failed, or {@code null} when none were submitted
     * @param obj the request the failure belongs to (a transport or REST request, see the callers)
     */
    private void notifyIpAuthFailureListeners(InetAddress inetAddress, AuthCredentials authCredentials, Object obj) {
        for (AuthFailureListener listener : this.ipAuthFailureListeners) {
            listener.onAuthFailure(inetAddress, authCredentials, obj);
        }
    }

    /**
     * Looks a user up by name in {@code cache}, asking {@code authenticationBackend} whether the user exists and
     * filling roles from {@code set} on a miss.
     *
     * <p>Only positive results are cached: a user that does not exist makes the loader return {@code null}, which
     * Guava rejects with an exception, so the call ends in the catch block and yields {@code null} without caching.
     * That same catch also maps any backend error to {@code null} with only a debug log, so an unreachable backend is
     * indistinguishable from "user does not exist" unless debug logging is on.
     *
     * @return the (authorized) user, or {@code null} if {@code user} is null, does not exist or the lookup failed
     */
    private User checkExistsAndAuthz(Cache<String, User> cache, User user, AuthenticationBackend authenticationBackend, Set<AuthorizationDomain> set) {
        if (user == null) {
            return null;
        }
        try {
            return cache.get(user.getName(), () -> lookupAndAuthorize(user, authenticationBackend, set));
        } catch (Exception e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not check and authorize " + user.getName() + " due to " + e.toString(), e);
            }
            return null;
        }
    }

    /** Cache loader for {@link #checkExistsAndAuthz}: existence check followed by role resolution. */
    private User lookupAndAuthorize(User user, AuthenticationBackend backend, Set<AuthorizationDomain> authorizationDomains) {
        if (this.log.isTraceEnabled()) {
            this.log.trace("Credentials for user " + user.getName() + " not cached, return from " + backend.getType() + " backend directly");
        }
        if (!backend.exists(user)) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("User " + user.getName() + " does not exist in " + backend.getType());
            }
            return null;
        }
        // Roles are resolved without a role cache here; the user object itself is what gets cached.
        authz(user, null, authorizationDomains);
        return user;
    }

    /**
     * Fills {@code user}'s roles, either from {@code cache} or by asking every authorization domain in {@code set}.
     *
     * <p>Users matching a domain's skipped-users patterns are not sent to that domain's backend. A backend failure
     * is logged at error level and the remaining domains are still consulted, so the user simply ends up with fewer
     * roles. When a cache is given, a hit short-circuits the whole lookup and the roles collected from all domains
     * are stored under the user afterwards.
     *
     * @param user the user to authorize; {@code null} is a no-op
     * @param cache role cache, or {@code null} to bypass caching
     * @param set authorization domains; {@code null} or empty is a no-op
     */
    private void authz(User user, Cache<User, Set<String>> cache, Set<AuthorizationDomain> set) {
        if (user == null) {
            return;
        }
        if (cache != null) {
            Set<String> cachedRoles = cache.getIfPresent(user);
            if (cachedRoles != null) {
                user.addRoles(new HashSet<>(cachedRoles));
                return;
            }
        }
        if (set == null || set.isEmpty()) {
            return;
        }
        for (AuthorizationDomain domain : set) {
            List<String> skippedUsers = domain.getSkippedUsers();
            boolean skipped = !skippedUsers.isEmpty() && user.getName() != null && WildcardMatcher.matchAny(skippedUsers, user.getName());
            if (skipped) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Skipped authorization of user {}", user.getName());
                }
                continue;
            }
            AuthorizationBackend backend = domain.getAuthorizationBackend();
            try {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Backend roles for " + user.getName() + " not cached, return from " + backend.getType() + " backend directly");
                }
                backend.fillRoles(user, AuthCredentials.forUser(user.getName()).build());
            } catch (Exception e) {
                this.log.error("Cannot retrieve roles for {} from {} due to {}", user, backend.getType(), e.toString(), e);
            }
        }
        if (cache != null) {
            cache.put(user, new HashSet<>(user.getRoles()));
        }
    }

    /**
     * Authenticates the given credentials against one backend and fills roles via the authorization domains.
     *
     * <p>Results are memoized in {@code cache} keyed by the credentials, except for the
     * {@link NoOpAuthenticationBackend} with no authorization domains, which is called directly. Any exception from
     * the backend (and a backend returning {@code null}, which Guava rejects as a load result) is logged at debug
     * level and mapped to {@code null}, i.e. "not authenticated".
     *
     * <p>The secrets held by {@code authCredentials} are cleared on every exit path once the backend has seen them.
     *
     * @param cache credentials -> user cache
     * @param cache2 user -> roles cache handed to {@link #authz}
     * @param authCredentials credentials to verify; {@code null} yields {@code null} without touching anything
     * @return the authenticated user with roles, or {@code null} if authentication failed
     */
    private User authcz(Cache<AuthCredentials, User> cache, Cache<User, Set<String>> cache2, AuthCredentials authCredentials, AuthenticationBackend authenticationBackend, Set<AuthorizationDomain> set) {
        if (authCredentials == null) {
            return null;
        }
        try {
            // Fast path: nothing to cache or authorize for the no-op backend.
            if (authenticationBackend.getClass() == NoOpAuthenticationBackend.class && set.isEmpty()) {
                return authenticationBackend.authenticate(authCredentials);
            }
            return cache.get(authCredentials, () -> {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Credentials for user " + authCredentials.getUsername() + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                }
                User authenticated = authenticationBackend.authenticate(authCredentials);
                authz(authenticated, cache2, set);
                return authenticated;
            });
        } catch (Exception e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not authenticate " + authCredentials.getUsername() + " due to " + e.toString(), e);
            }
            return null;
        } finally {
            authCredentials.clearSecrets();
        }
    }

    /**
     * Resolves the {@code sg_impersonate_as} thread-context header for a transport caller.
     *
     * <p>Checks, in order: registry initialized, a caller present, the target is not an admin DN, and
     * {@code adminDns.isTransportImpersonationAllowed} permits the caller's DN to impersonate the target. Each failed
     * check is a hard error rather than a silent fall-back to the caller's own identity. The target must then exist
     * in at least one transport authentication domain.
     *
     * @param user the caller, whose name must be a valid LDAP DN
     * @return the impersonated user, or {@code null} when no impersonation header is set
     * @throws ElasticsearchSecurityException when impersonation is not permitted or the target user does not exist
     */
    private User impersonate(User user) throws ElasticsearchSecurityException {
        String header = this.threadPool.getThreadContext().getHeader("sg_impersonate_as");
        if (Strings.isNullOrEmpty(header)) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized");
        }
        if (user == null) {
            throw new ElasticsearchSecurityException("no original PKI user found");
        }
        if (this.adminDns.isAdminDN(header)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as an adminuser  '" + header + "'");
        }
        try {
            LdapName callerDn = new LdapName(user.getName());
            if (!this.adminDns.isTransportImpersonationAllowed(callerDn, header)) {
                throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as transport user '" + header + "'");
            }
        } catch (InvalidNameException e) {
            throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + user.getName() + "'), should never happen", e);
        }
        for (AuthenticationDomain domain : this.transportAuthenticationDomains) {
            AuthenticationBackend backend = domain.getBackend();
            User impersonated = checkExistsAndAuthz(this.transportImpersonationCache, new User(header), backend, this.transportAuthorizationDomains);
            if (impersonated != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Impersonate transport user from '{}' to '{}'", user.getName(), header);
                }
                return impersonated;
            }
            this.log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), header, backend.getType());
        }
        this.log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists", user.getName(), header);
        throw new ElasticsearchSecurityException("No such transport user: " + header, RestStatus.FORBIDDEN);
    }

    /**
     * Resolves the {@code sg_impersonate_as} request header for an already authenticated REST user.
     *
     * <p>Checks, in order: registry initialized, the target is not an admin DN, and
     * {@code adminDns.isRestImpersonationAllowed} permits {@code user} to impersonate the target. The target must
     * then exist in at least one REST authentication domain; the caller's requested tenant is carried over to the
     * impersonated user.
     *
     * @param restRequest the request carrying the header
     * @param user the authenticated caller
     * @return the impersonated user, or {@code null} when the header is absent or {@code user} is null
     * @throws ElasticsearchSecurityException (FORBIDDEN) when impersonation is not permitted or the target does not exist
     */
    private User impersonate(RestRequest restRequest, User user) throws ElasticsearchSecurityException {
        String header = restRequest.header("sg_impersonate_as");
        if (Strings.isNullOrEmpty(header) || user == null) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized");
        }
        if (this.adminDns.isAdminDN(header)) {
            throw new ElasticsearchSecurityException("It is not allowed to impersonate as an adminuser  '" + header + "'", RestStatus.FORBIDDEN);
        }
        if (!this.adminDns.isRestImpersonationAllowed(user.getName(), header)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + header + "'", RestStatus.FORBIDDEN);
        }
        for (AuthenticationDomain domain : this.restAuthenticationDomains) {
            AuthenticationBackend backend = domain.getBackend();
            User impersonated = checkExistsAndAuthz(this.restImpersonationCache, new User(header), backend, this.restAuthorizationDomains);
            if (impersonated != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Impersonate rest user from '{}' to '{}'", user.toStringWithAttributes(), impersonated.toStringWithAttributes());
                }
                impersonated.setRequestedTenant(user.getRequestedTenant());
                return impersonated;
            }
            this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), header, backend.getType());
        }
        this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists", user.getName(), header);
        throw new ElasticsearchSecurityException("No such user:" + header, RestStatus.FORBIDDEN);
    }

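    /**
     * Maps a transport user whose name is an X.500/LDAP distinguished name to a user named after one of
     * its RDN values.
     * <p>
     * When {@code transportUsernameAttribute} is configured, the DN is parsed and the value of the first
     * RDN whose type equals the configured attribute becomes the new user name. If the attribute is not
     * configured, no RDN of that type exists, or the name is not a valid DN, the user is returned
     * unchanged.
     *
     * @param user the authenticated transport user; its name is treated as a DN when the attribute is
     *             configured
     * @return a new {@link User} named after the extracted RDN value, or {@code user} unchanged
     */
    private User resolveTransportUsernameAttribute(User user) {
        final String attribute = this.transportUsernameAttribute;
        if (attribute == null || attribute.isEmpty()) {
            return user;
        }
        try {
            for (Rdn rdn : new LdapName(user.getName()).getRdns()) {
                // NOTE(review): exact, case-sensitive comparison of the RDN type ("CN" vs "cn" differ);
                // LDAP attribute types are case-insensitive, so confirm the configured value uses the
                // casing that LdapName yields for the certificates in use.
                if (rdn.getType().equals(attribute)) {
                    // Rdn.getValue() is an Object; a non-String (binary) RDN value would fail this cast.
                    return new User((String) rdn.getValue());
                }
            }
        } catch (InvalidNameException ignored) {
            // Best effort: a name that is not a valid DN is used verbatim rather than rejected.
            this.log.debug("Transport user name '{}' is not a valid DN, cannot resolve attribute '{}', using name as-is", user.getName(), attribute);
        }
        return user;
    }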

    /**
     * Checks whether a client address is blocked by any IP block registry or by any configured blocked
     * netmask registry.
     * <p>
     * Either registry list may be {@code null} or empty, in which case it contributes nothing.
     *
     * @param inetAddress the resolved client address
     * @return {@code true} as soon as one registry reports the address as blocked, {@code false} otherwise
     */
    private boolean isIpBlocked(InetAddress inetAddress) {
        if (this.ipClientBlockRegistries != null) {
            for (ClientBlockRegistry<InetAddress> registry : this.ipClientBlockRegistries) {
                if (registry.isBlocked(inetAddress)) {
                    return true;
                }
            }
        }
        if (this.blockedNetmasks != null) {
            for (ClientBlockRegistry<IPAddressString> registry : this.blockedNetmasks) {
                // Netmask registries match on the textual address rather than on the InetAddress itself.
                if (registry.isBlocked(new IPAddressString(inetAddress.getHostAddress()))) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Checks whether a user name is blocked, either by the registries registered under
     * {@code BLOCKED_USERS} or by the registries registered under the given key.
     *
     * @param str the registry key consulted in addition to {@code BLOCKED_USERS}; presumably the
     *            authentication backend type — confirm against the callers
     * @param str2 the user name to test
     * @return {@code true} if any consulted registry reports the name as blocked, {@code false} otherwise
     */
    private boolean isUserBlocked(String str, String str2) {
        if (this.authBackendClientBlockRegistries == null) {
            return false;
        }
        final Collection<?> globalRegistries = this.authBackendClientBlockRegistries.get(BLOCKED_USERS);
        if (globalRegistries != null && anyRegistryBlocks(globalRegistries, str2)) {
            return true;
        }
        // NOTE(review): unlike the lookup above there is no null check here, so this relies on get()
        // never returning null for an unknown key (true for a Guava Multimap) — confirm the field's type.
        final Collection<?> keyedRegistries = this.authBackendClientBlockRegistries.get(str);
        return !keyedRegistries.isEmpty() && anyRegistryBlocks(keyedRegistries, str2);
    }

    /**
     * Returns {@code true} if any registry in {@code registries} blocks {@code name}.
     * The elements are expected to be {@code ClientBlockRegistry<String>} instances.
     */
    private static boolean anyRegistryBlocks(Collection<?> registries, String name) {
        for (Object registry : registries) {
            if (((ClientBlockRegistry) registry).isBlocked(name)) {
                return true;
            }
        }
        return false;
    }
}
