package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction;
import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.ConfigChangeListener;
import com.floragunn.searchguard.filter.SearchGuardRestFilter;
import com.floragunn.searchguard.http.HTTPBasicAuthenticator;
import com.floragunn.searchguard.http.HTTPClientCertAuthenticator;
import com.floragunn.searchguard.http.HTTPProxyAuthenticator;
import com.floragunn.searchguard.http.XFFResolver;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.LogHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.cluster.ClusterService;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/auth/BackendRegistry.class */
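public class BackendRegistry implements ConfigChangeListener {

    private volatile boolean initialized;
    private final TransportConfigUpdateAction tcua;
    private final AdminDNs adminDns;
    private final XFFResolver xffResolver;
    private final Settings esSettings;
    private final InternalAuthenticationBackend iab;
    private final AuditLog auditLog;
    protected final ESLogger log = Loggers.getLogger(getClass());

    /**
     * Short config aliases ("internal", "ldap", "basic", ...) to implementation class names.
     * Keys are "&lt;alias&gt;_&lt;kind&gt;" with kind c = authc backend, z = authz backend, h = HTTP authenticator.
     * Populated once in the constructor and read-only afterwards.
     */
    private final Map<String, String> authImplMap = new HashMap<String, String>();

    /*
     * Both collections are replaced wholesale (never mutated in place) by onChange(), so that
     * concurrent authenticate() calls always see a complete, consistent configuration. Readers
     * take a local snapshot of the reference before iterating.
     */
    private volatile SortedSet<AuthDomain> authDomains = new TreeSet<AuthDomain>();
    private volatile Set<AuthorizationBackend> authorizers = new HashSet<AuthorizationBackend>();
    private volatile boolean anonymousAuthEnabled = false;

    /*
     * REST user cache, keyed by the presented credentials. NOTE(review): clearSecrets() is called
     * on the key object after lookup; AuthCredentials.equals/hashCode must remain stable after
     * clearing (e.g. compare a digest computed at construction) or the entry is never hit again
     * and every request goes to the backend -- verify against AuthCredentials.
     */
    private final Cache<AuthCredentials, User> userCache = CacheBuilder.newBuilder()
            .expireAfterWrite(1, TimeUnit.HOURS)
            .removalListener(new RemovalListener<AuthCredentials, User>() {
                @Override
                public void onRemoval(RemovalNotification<AuthCredentials, User> notification) {
                    BackendRegistry.this.log.debug("Clear user cache for {} due to {}",
                            new Object[]{notification.getKey().getUsername(), notification.getCause()});
                }
            }).build();

    /*
     * Transport user cache, keyed by user name only. The name is trusted here because it arrives
     * from the request context, not from an untrusted HTTP header; existence is still checked
     * against the auth domain's backend before the entry is populated.
     */
    private final Cache<String, User> userCacheTransport = CacheBuilder.newBuilder()
            .expireAfterWrite(1, TimeUnit.HOURS)
            .removalListener(new RemovalListener<String, User>() {
                @Override
                public void onRemoval(RemovalNotification<String, User> notification) {
                    BackendRegistry.this.log.debug("Clear user cache for {} due to {}",
                            new Object[]{notification.getKey(), notification.getCause()});
                }
            }).build();

    /**
     * Wires the registry into the config-update mechanism and the REST filter chain.
     *
     * @param clusterService unused; kept for injection compatibility
     */
    @Inject
    public BackendRegistry(Settings settings, RestController restController, TransportConfigUpdateAction transportConfigUpdateAction,
            ClusterService clusterService, AdminDNs adminDNs, XFFResolver xFFResolver,
            InternalAuthenticationBackend internalAuthenticationBackend, AuditLog auditLog) {
        this.tcua = transportConfigUpdateAction;
        this.adminDns = adminDNs;
        this.esSettings = settings;
        this.xffResolver = xFFResolver;
        this.iab = internalAuthenticationBackend;
        this.auditLog = auditLog;

        this.authImplMap.put("intern_c", InternalAuthenticationBackend.class.getName());
        this.authImplMap.put("intern_z", NoOpAuthorizationBackend.class.getName());
        this.authImplMap.put("internal_c", InternalAuthenticationBackend.class.getName());
        this.authImplMap.put("internal_z", NoOpAuthorizationBackend.class.getName());
        this.authImplMap.put("noop_c", NoOpAuthenticationBackend.class.getName());
        this.authImplMap.put("noop_z", NoOpAuthorizationBackend.class.getName());
        this.authImplMap.put("ldap_c", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend");
        this.authImplMap.put("ldap_z", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend");
        this.authImplMap.put("basic_h", HTTPBasicAuthenticator.class.getName());
        this.authImplMap.put("proxy_h", HTTPProxyAuthenticator.class.getName());
        this.authImplMap.put("clientcert_h", HTTPClientCertAuthenticator.class.getName());
        this.authImplMap.put("kerberos_h", "com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator");
        this.authImplMap.put("jwt_h", "com.floragunn.dlic.auth.http.jwt.HTTPJwtAuthenticator");

        // Register only after every field is assigned: both callbacks receive 'this' and may
        // invoke onChange()/authenticate(), which dereference the fields above.
        transportConfigUpdateAction.addConfigChangeListener("config", this);
        restController.registerFilter(new SearchGuardRestFilter(this, auditLog));
    }

    /** Drops every cached REST and transport user so the next request is re-resolved by the backends. */
    public void invalidateCache() {
        this.userCache.invalidateAll();
        this.userCacheTransport.invalidateAll();
    }

    /**
     * Instantiates a backend or HTTP authenticator by config type.
     *
     * Known aliases are resolved through {@link #authImplMap}; anything else is treated as a
     * fully qualified class name and loaded reflectively. That means whoever can write the
     * dynamic config can load any class on the plugin classpath -- config write access must be
     * restricted to administrators. Tries a {@code (Settings)} constructor first, then
     * {@code (Settings, TransportConfigUpdateAction)}.
     *
     * @param type     config value (alias or class name)
     * @param kind     "c", "z" or "h" (see {@link #authImplMap})
     * @param settings merged node + backend settings handed to the constructor
     */
    private <T> T newInstance(String type, String kind, Settings settings) throws ClassNotFoundException, NoSuchMethodException,
            SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
        final String aliasKey = type + "_" + kind;
        final String className = this.authImplMap.containsKey(aliasKey) ? this.authImplMap.get(aliasKey) : type;
        final Class<?> cls = Class.forName(className);
        try {
            @SuppressWarnings("unchecked")
            final T instance = (T) cls.getConstructor(Settings.class).newInstance(settings);
            return instance;
        } catch (Exception e) {
            this.log.warn("Unable to create instance of class {} with (Settings.class) constructor due to {}", e, new Object[]{cls, e.toString()});
            @SuppressWarnings("unchecked")
            final T instance = (T) cls.getConstructor(Settings.class, TransportConfigUpdateAction.class).newInstance(settings, this.tcua);
            return instance;
        }
    }

    /**
     * Rebuilds auth domains and authorization backends from the dynamic "config" document.
     *
     * The new sets are built locally and then swapped in, so in-flight requests never observe a
     * half-built configuration, and stale authorization backends from a previous reload are
     * dropped instead of accumulating. User caches are invalidated because cached User objects
     * carry roles filled in by the previous set of authorizers.
     *
     * Domains whose backend or authenticator cannot be constructed are logged and skipped; if no
     * domain survives, a built-in internal/basic domain is installed so the node keeps
     * authenticating rather than rejecting everything.
     */
    @Override
    public void onChange(String event, Settings settings) {
        final boolean anonymous = settings.getAsBoolean("searchguard.dynamic.http.anonymous_auth_enabled", false).booleanValue();

        final Set<AuthorizationBackend> newAuthorizers = new HashSet<AuthorizationBackend>();
        final Map<String, Settings> authzGroups = settings.getGroups("searchguard.dynamic.authz");
        for (final Map.Entry<String, Settings> entry : authzGroups.entrySet()) {
            final Settings authz = entry.getValue();
            if (!authz.getAsBoolean("enabled", true).booleanValue()) {
                continue;
            }
            try {
                final Settings backendSettings = Settings.builder().put(this.esSettings).put(authz.getAsSettings("authorization_backend.config")).build();
                newAuthorizers.add((AuthorizationBackend) newInstance(authz.get("authorization_backend.type", "noop"), "z", backendSettings));
            } catch (Exception e) {
                this.log.error("Unable to initialize AuthorizationBackend {} due to {}", e, new Object[]{entry.getKey(), e.toString()});
            }
        }

        final SortedSet<AuthDomain> newDomains = new TreeSet<AuthDomain>();
        final Map<String, Settings> authcGroups = settings.getGroups("searchguard.dynamic.authc");
        for (final Map.Entry<String, Settings> entry : authcGroups.entrySet()) {
            final Settings authc = entry.getValue();
            if (!authc.getAsBoolean("enabled", true).booleanValue()) {
                continue;
            }
            try {
                final String backendType = authc.get("authentication_backend.type", InternalAuthenticationBackend.class.getName());
                final AuthenticationBackend backend;
                if (backendType.equals(InternalAuthenticationBackend.class.getName()) || backendType.equals("internal") || backendType.equals("intern")) {
                    // The internal backend is injected (shared instance), never re-created per domain.
                    backend = this.iab;
                } else {
                    final Settings backendSettings = Settings.builder().put(this.esSettings).put(authc.getAsSettings("authentication_backend.config")).build();
                    backend = (AuthenticationBackend) newInstance(backendType, "c", backendSettings);
                }
                final Settings authenticatorSettings = Settings.builder().put(this.esSettings).put(authc.getAsSettings("http_authenticator.config")).build();
                final HTTPAuthenticator authenticator = (HTTPAuthenticator) newInstance(authc.get("http_authenticator.type", "basic"), "h", authenticatorSettings);
                final boolean challenge = authc.getAsBoolean("http_authenticator.challenge", true).booleanValue();
                final int order = authc.getAsInt("order", 0).intValue();
                newDomains.add(new AuthDomain(backend, authenticator, challenge, order));
            } catch (Exception e) {
                this.log.error("Unable to initialize auth domain {} due to {}", e, new Object[]{entry.getKey(), e.toString()});
            }
        }
        if (newDomains.isEmpty()) {
            newDomains.add(new AuthDomain(this.iab, new HTTPBasicAuthenticator(Settings.EMPTY), true, 0));
        }

        this.authorizers = newAuthorizers;
        this.authDomains = newDomains;
        this.anonymousAuthEnabled = anonymous;
        invalidateCache();
        this.initialized = true;
    }

    /** No validation is performed on the "config" document before it is applied. */
    @Override
    public void validate(String event, Settings settings) throws ElasticsearchSecurityException {
    }

    /**
     * Returns the {@link ElasticsearchSecurityException} found in {@code t} or its cause chain,
     * or {@code null}. Needed because Guava's {@code Cache.get(key, loader)} wraps exceptions
     * thrown by the loader (ExecutionException / UncheckedExecutionException), which would
     * otherwise make an ordinary "bad credentials" look like an unexpected failure.
     */
    private static ElasticsearchSecurityException securityCause(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ElasticsearchSecurityException) {
                return (ElasticsearchSecurityException) c;
            }
        }
        return null;
    }

    /** Fills roles for {@code user} from every configured authorization backend; failures are logged per backend. */
    private static void fillRoles(User user, Set<AuthorizationBackend> roleBackends, ESLogger log) {
        for (final AuthorizationBackend roleBackend : roleBackends) {
            try {
                roleBackend.fillRoles(user, new AuthCredentials(user.getName(), new String[0]));
            } catch (Exception e) {
                log.error("Problems retrieving roles for {} from {}", new Object[]{user, roleBackend.getClass()});
            }
        }
    }

    /**
     * Authenticates a transport request whose user was already placed in the context (PKI path).
     *
     * Admin users (by DN) are accepted as-is. Every other user is checked for existence in the
     * auth domains in order; the first domain that knows the user wins, its roles are resolved
     * and the (possibly role-enriched) user is put back into the context.
     *
     * @return true if a user was authenticated, false if no user is in the context or no domain accepts it
     * @throws ElasticsearchSecurityException on an unexpected backend failure (not on a plain rejection)
     */
    public boolean authenticate(TransportRequest transportRequest) throws ElasticsearchSecurityException {
        final User contextUser = (User) transportRequest.getFromContext(ConfigConstants.SG_USER);
        if (contextUser == null) {
            return false;
        }
        if (this.adminDns.isAdmin(contextUser.getName())) {
            return true;
        }

        final Set<AuthorizationBackend> roleBackends = this.authorizers;
        for (final AuthDomain authDomain : this.authDomains) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Transport User '{}' is in cache? {} (cache size: {})", new Object[]{
                        contextUser.getName(),
                        Boolean.valueOf(this.userCacheTransport.getIfPresent(contextUser.getName()) != null),
                        Long.valueOf(this.userCacheTransport.size())});
            }

            User resolved = null;
            try {
                resolved = this.userCacheTransport.get(contextUser.getName(), new Callable<User>() {
                    @Override
                    public User call() throws Exception {
                        if (BackendRegistry.this.log.isDebugEnabled()) {
                            BackendRegistry.this.log.debug(contextUser.getName() + " not cached, return from backend directly", new Object[0]);
                        }
                        if (!authDomain.getBackend().exists(contextUser)) {
                            // A security exception (not a generic one) so the catch below can classify
                            // "unknown in this domain" as try-next rather than as an unexpected error.
                            throw new ElasticsearchSecurityException("no such user " + contextUser.getName(), new Object[0]);
                        }
                        fillRoles(contextUser, roleBackends, BackendRegistry.this.log);
                        return contextUser;
                    }
                });
            } catch (Exception e) {
                final ElasticsearchSecurityException rejected = securityCause(e);
                if (rejected == null) {
                    this.log.error("Unexpected exception {} ", e, new Object[]{e.toString()});
                    throw new ElasticsearchSecurityException(e.toString(), e, new Object[0]);
                }
                this.log.info("Cannot authenticate user (or add roles) with ad {} due to {}, try next", new Object[]{Integer.valueOf(authDomain.getOrder()), rejected.toString()});
                continue;
            }

            if (resolved == null) {
                this.log.info("Cannot authenticate user (or add roles) with ad {} due to user is null, try next", new Object[]{Integer.valueOf(authDomain.getOrder())});
                continue;
            }
            // Defense in depth: an admin DN must never be resolved through an auth domain.
            if (this.adminDns.isAdmin(resolved.getName())) {
                this.log.error("Cannot authenticate user because admin users are not permitted to authenticate via an auth domain", new Object[0]);
                return false;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("User '{}' is authenticated", new Object[]{resolved});
            }
            transportRequest.putInContext(ConfigConstants.SG_USER, resolved);
            return true;
        }
        return false;
    }

    /**
     * Authenticates a REST request against the configured auth domains, in order.
     *
     * For each domain the HTTP authenticator extracts credentials; complete credentials are
     * verified by the domain's backend (through the user cache) and roles are filled. The first
     * successful domain wins. Incomplete credentials (e.g. a multi-step negotiation) and missing
     * credentials on a challenging domain let the authenticator answer the request directly.
     * If nothing succeeds: anonymous access if enabled and no credentials were presented,
     * otherwise a challenge from the first challenging domain, otherwise 401 plus an audit entry.
     *
     * @return true if a user (or ANONYMOUS) was put into the request context; false if a response
     *         has already been sent on {@code restChannel}
     * @throws ElasticsearchSecurityException on an unexpected backend failure (not on a plain rejection)
     */
    public boolean authenticate(RestRequest restRequest, RestChannel restChannel) throws ElasticsearchSecurityException {
        if (this.log.isTraceEnabled()) {
            this.log.trace(LogHelper.toString(restRequest), new Object[0]);
        }
        if (!isInitialized()) {
            this.log.error("Not yet initialized", new Object[0]);
            restChannel.sendResponse(new BytesRestResponse(RestStatus.SERVICE_UNAVAILABLE, "Search Guard not initialized (SG11)"));
            return false;
        }
        restRequest.putInContext(ConfigConstants.SG_REMOTE_ADDRESS, this.xffResolver.resolve(restRequest));

        final Set<AuthorizationBackend> roleBackends = this.authorizers;
        boolean authenticated = false;
        AuthCredentials lastCredentials = null;
        HTTPAuthenticator firstChallenger = null;

        for (final AuthDomain authDomain : this.authDomains) {
            final HTTPAuthenticator httpAuthenticator = authDomain.getHttpAuthenticator();
            if (authDomain.isChallenge() && firstChallenger == null) {
                firstChallenger = httpAuthenticator;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Try to extract auth creds from http {} ", new Object[]{httpAuthenticator.getType()});
            }

            final AuthCredentials credentials;
            try {
                credentials = httpAuthenticator.extractCredentials(restRequest);
            } catch (Exception e) {
                this.log.info("{} extracting credentials from {}", e, new Object[]{e.toString(), httpAuthenticator.getType()});
                continue;
            }
            lastCredentials = credentials;

            if (credentials == null) {
                if (!this.anonymousAuthEnabled && authDomain.isChallenge() && httpAuthenticator.reRequestAuthentication(restChannel, null)) {
                    return false;
                }
                continue;
            }
            if (!credentials.isComplete()) {
                if (httpAuthenticator.reRequestAuthentication(restChannel, credentials)) {
                    return false;
                }
                continue;
            }

            if (this.log.isDebugEnabled()) {
                this.log.debug("User '{}' is in cache? {} (cache size: {})", new Object[]{
                        credentials.getUsername(),
                        Boolean.valueOf(this.userCache.getIfPresent(credentials) != null),
                        Long.valueOf(this.userCache.size())});
            }

            final User user;
            try {
                user = this.userCache.get(credentials, new Callable<User>() {
                    @Override
                    public User call() throws Exception {
                        if (BackendRegistry.this.log.isDebugEnabled()) {
                            BackendRegistry.this.log.debug(credentials.getUsername() + " (" + credentials.hashCode() + ") not cached, return from "
                                    + authDomain.getBackend().getType() + " backend directly", new Object[0]);
                        }
                        final User authenticatedUser = authDomain.getBackend().authenticate(credentials);
                        fillRoles(authenticatedUser, roleBackends, BackendRegistry.this.log);
                        return authenticatedUser;
                    }
                });
            } catch (Exception e) {
                final ElasticsearchSecurityException rejected = securityCause(e);
                if (rejected == null) {
                    this.log.error("Unexpected exception {} ", e, new Object[]{e.toString()});
                    throw new ElasticsearchSecurityException(e.toString(), e, new Object[0]);
                }
                this.log.info("Cannot authenticate user (or add roles) with ad {} due to {}, try next", new Object[]{Integer.valueOf(authDomain.getOrder()), rejected.toString()});
                continue;
            } finally {
                // Never keep the plaintext secret around longer than the backend call needs it.
                credentials.clearSecrets();
            }

            if (user == null) {
                this.log.info("Cannot authenticate user (or add roles) with ad {} due to user is null, try next", new Object[]{Integer.valueOf(authDomain.getOrder())});
                continue;
            }
            if (this.adminDns.isAdmin(user.getName())) {
                this.log.error("Cannot authenticate user because admin user is not permitted to login via HTTP", new Object[0]);
                restChannel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN));
                return false;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("User '{}' is authenticated", new Object[]{user});
            }
            restRequest.putInContext(ConfigConstants.SG_USER, user);
            authenticated = true;
            // First successful domain wins; do not let a later challenging domain re-challenge an authenticated request.
            break;
        }

        if (authenticated) {
            return true;
        }
        // Anonymous access only when no credentials were presented at all -- wrong credentials
        // must not silently degrade to anonymous.
        if (lastCredentials == null && this.anonymousAuthEnabled) {
            restRequest.putInContext(ConfigConstants.SG_USER, User.ANONYMOUS);
            if (this.log.isDebugEnabled()) {
                this.log.debug("Anonymous User is authenticated", new Object[0]);
            }
            return true;
        }
        if (firstChallenger != null && firstChallenger.reRequestAuthentication(restChannel, null)) {
            return false;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Authentication finally failed", new Object[0]);
        }
        this.auditLog.logFailedLogin(lastCredentials == null ? null : lastCredentials.getUsername(), restRequest);
        restChannel.sendResponse(new BytesRestResponse(RestStatus.UNAUTHORIZED));
        return false;
    }

    @Override
    public boolean isInitialized() {
        return this.initialized;
    }

    /**
     * Applies the {@code sg_impersonate_as} transport header: replaces the context user with the
     * requested user if the original (PKI) user's DN is allowed to impersonate it.
     *
     * Impersonating an admin DN is always refused. The substituted {@link User} is created with
     * no roles here; role resolution for it is assumed to happen downstream -- verify against
     * the callers of this method.
     *
     * @throws ElasticsearchSecurityException if the plugin is not initialized, no original user
     *         is in the context, the original user's name is not a valid DN, or impersonation is not allowed
     */
    public void impersonate(TransportRequest transportRequest, TransportChannel transportChannel) throws ElasticsearchSecurityException {
        final String impersonatedUser = (String) transportRequest.getHeader("sg_impersonate_as");
        if (Strings.isNullOrEmpty(impersonatedUser)) {
            return;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized", new Object[0]);
        }
        final User originalUser = (User) transportRequest.getFromContext(ConfigConstants.SG_USER);
        if (originalUser == null) {
            throw new ElasticsearchSecurityException("no original PKI user found", new Object[0]);
        }
        if (this.adminDns.isAdmin(impersonatedUser)) {
            throw new ElasticsearchSecurityException("'" + originalUser.getName() + "' is not allowed to impersonate as an adminuser  '" + impersonatedUser + "'", new Object[0]);
        }
        try {
            if (!this.adminDns.isImpersonationAllowed(new LdapName(originalUser.getName()), impersonatedUser)) {
                throw new ElasticsearchSecurityException("'" + originalUser.getName() + "' is not allowed to impersonate as '" + impersonatedUser + "'", new Object[0]);
            }
        } catch (InvalidNameException e) {
            throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + originalUser.getName() + "'), should never happen", e, new Object[0]);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Impersonate from '{}' to '{}'", new Object[]{originalUser.getName(), impersonatedUser});
        }
        transportRequest.putInContext(ConfigConstants.SG_USER, new User(impersonatedUser));
    }
}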
