package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.http.HTTPBasicAuthenticator;
import com.floragunn.searchguard.http.HTTPClientCertAuthenticator;
import com.floragunn.searchguard.http.HTTPProxyAuthenticator;
import com.floragunn.searchguard.http.XFFResolver;
import com.floragunn.searchguard.ssl.util.Utils;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HTTPHelper;
import com.floragunn.searchguard.support.ReflectionHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/auth/BackendRegistry.class */
public class BackendRegistry implements ConfigurationChangeListener {
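    // Written at the end of onChange(): true once at least one REST auth domain is configured
    // or anonymous authentication is enabled. REST requests are answered with 503 until then.
    private volatile boolean initialized;
    private final AdminDNs adminDns;
    private final XFFResolver xffResolver;
    private final Settings esSettings;
    private final Path configPath;
    // Shared internal backend instance; onChange() reuses it for every auth domain whose
    // backend type is "internal", "intern" or the InternalAuthenticationBackend class name.
    private final InternalAuthenticationBackend iab;
    private final AuditLog auditLog;
    private final ThreadPool threadPool;
    // Lifetime in minutes of every entry in the four caches below (expireAfterWrite).
    private final int ttlInMin;
    // REST: submitted credentials -> authenticated user.
    private Cache<AuthCredentials, User> userCache;
    // Transport: user name (no credentials submitted) -> user checked for existence.
    private Cache<String, User> userCacheTransport;
    // Transport: submitted credentials -> authenticated user.
    private Cache<AuthCredentials, User> authenticatedUserCacheTransport;
    // REST: impersonation target name -> user checked for existence.
    private Cache<String, User> restImpersonationCache;
    protected final Logger log = LogManager.getLogger(getClass());
    // Type alias plus "_c" (authentication), "_z" (authorization) or "_h" (HTTP authenticator)
    // suffix -> implementation class name; filled once in the constructor.
    private final Map<String, String> authImplMap = new HashMap<>();
    // NOTE(review): the four collections below are plain TreeSet/HashSet instances that
    // onChange() clears and refills in place while the authenticate() methods iterate them.
    // No synchronization is visible in this class; confirm how configuration reloads are
    // serialized against request threads.
    // NOTE(review): a TreeSet without a comparator uses AuthDomain's natural ordering and
    // drops elements that compare as equal; verify in AuthDomain.compareTo that two domains
    // with the same configured order cannot collapse into one.
    private final SortedSet<AuthDomain> restAuthDomains = new TreeSet<>();
    private final Set<AuthorizationBackend> restAuthorizers = new HashSet<>();
    private final SortedSet<AuthDomain> transportAuthDomains = new TreeSet<>();
    private final Set<AuthorizationBackend> transportAuthorizers = new HashSet<>();
    // REST only: when true, a request without credentials is accepted as User.ANONYMOUS.
    private volatile boolean anonymousAuthEnabled = false;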

    /**
     * Builds the four user caches with a write-based expiry of {@code ttlInMin} minutes.
     *
     * <p>Entries expire a fixed time after they were written and are not refreshed on access.
     * A cached user is returned without consulting the backend again, so a change in the
     * backend (password, roles, removal of the account) is not seen for an already cached
     * entry until it expires or {@link #invalidateCache()} runs.
     *
     * <p>Each cache logs removals at debug level; caches keyed by credentials log only the
     * user name of the removed key.
     */
    private void createCaches() {
        final RemovalListener<AuthCredentials, User> credentialKeyListener = new RemovalListener<AuthCredentials, User>() {
            @Override
            public void onRemoval(RemovalNotification<AuthCredentials, User> notification) {
                log.debug("Clear user cache for {} due to {}", notification.getKey().getUsername(), notification.getCause());
            }
        };
        final RemovalListener<String, User> nameKeyListener = new RemovalListener<String, User>() {
            @Override
            public void onRemoval(RemovalNotification<String, User> notification) {
                log.debug("Clear user cache for {} due to {}", notification.getKey(), notification.getCause());
            }
        };

        this.userCache = CacheBuilder.newBuilder()
                .expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES)
                .removalListener(credentialKeyListener)
                .build();
        this.userCacheTransport = CacheBuilder.newBuilder()
                .expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES)
                .removalListener(nameKeyListener)
                .build();
        this.authenticatedUserCacheTransport = CacheBuilder.newBuilder()
                .expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES)
                .removalListener(credentialKeyListener)
                .build();
        this.restImpersonationCache = CacheBuilder.newBuilder()
                .expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES)
                .removalListener(nameKeyListener)
                .build();
    }

    /**
     * Creates the registry, registers the built-in type aliases and builds the user caches.
     *
     * <p>Aliases are stored with a suffix that names the kind of component: {@code _c} for an
     * authentication backend, {@code _z} for an authorization backend and {@code _h} for an
     * HTTP authenticator. The LDAP, Kerberos, JWT and OpenID entries are referenced by class
     * name only, so those classes are resolved when a configuration first asks for them.
     *
     * <p>The cache lifetime is read from {@code ConfigConstants.SEARCHGUARD_CACHE_TTL_MINUTES}
     * and defaults to 60 minutes.
     */
    public BackendRegistry(Settings settings, Path path, AdminDNs adminDNs, XFFResolver xFFResolver, InternalAuthenticationBackend internalAuthenticationBackend, AuditLog auditLog, ThreadPool threadPool) {
        this.esSettings = settings;
        this.configPath = path;
        this.adminDns = adminDNs;
        this.xffResolver = xFFResolver;
        this.iab = internalAuthenticationBackend;
        this.auditLog = auditLog;
        this.threadPool = threadPool;
        this.ttlInMin = settings.getAsInt(ConfigConstants.SEARCHGUARD_CACHE_TTL_MINUTES, 60);

        final String internalAuthc = InternalAuthenticationBackend.class.getName();
        final String noopAuthz = NoOpAuthorizationBackend.class.getName();

        // Authentication backends.
        this.authImplMap.put("intern_c", internalAuthc);
        this.authImplMap.put("internal_c", internalAuthc);
        this.authImplMap.put("noop_c", NoOpAuthenticationBackend.class.getName());
        this.authImplMap.put("ldap_c", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend");

        // Authorization backends; the internal aliases map to the no-op authorizer.
        this.authImplMap.put("intern_z", noopAuthz);
        this.authImplMap.put("internal_z", noopAuthz);
        this.authImplMap.put("noop_z", noopAuthz);
        this.authImplMap.put("ldap_z", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend");

        // HTTP authenticators.
        this.authImplMap.put("basic_h", HTTPBasicAuthenticator.class.getName());
        this.authImplMap.put("proxy_h", HTTPProxyAuthenticator.class.getName());
        this.authImplMap.put("clientcert_h", HTTPClientCertAuthenticator.class.getName());
        this.authImplMap.put("kerberos_h", "com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator");
        this.authImplMap.put("jwt_h", "com.floragunn.dlic.auth.http.jwt.HTTPJwtAuthenticator");
        this.authImplMap.put("openid_h", "com.floragunn.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator");

        createCaches();
    }

    /**
     * Reports whether a configuration has been applied that allows REST authentication.
     *
     * @return the value last computed by {@code onChange}: {@code true} when at least one REST
     *     auth domain exists or anonymous authentication is enabled
     */
    public boolean isInitialized() {
        return initialized;
    }

    /**
     * Drops every entry from all four user caches, so the next request for each user is
     * resolved against the backends again.
     */
    public void invalidateCache() {
        final Cache<?, ?>[] allCaches = {
            this.userCache,
            this.userCacheTransport,
            this.authenticatedUserCacheTransport,
            this.restImpersonationCache
        };
        for (Cache<?, ?> cache : allCaches) {
            cache.invalidateAll();
        }
    }

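    /**
     * Rebuilds the authorization backends and authentication domains from the dynamic
     * configuration and drops all cached users.
     *
     * <p>Every group under {@code searchguard.dynamic.authz} and {@code searchguard.dynamic.authc}
     * is enabled unless it sets {@code enabled}, {@code http_enabled} or {@code transport_enabled}
     * to false. An entry that cannot be instantiated is logged at error level and skipped while
     * the remaining entries stay active, so a broken entry changes the effective chain without
     * failing the reload; the error log is the only signal.
     *
     * <p>NOTE(review): the collections are cleared and refilled in place and {@code initialized}
     * is only recomputed on the last line, while {@code anonymousAuthEnabled} is updated before
     * the domains are rebuilt. If this method can run while requests are being authenticated
     * (TODO confirm), a request can observe an empty or partial chain during the reload.
     *
     * @param settings the dynamic configuration to apply
     */
    @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
    public void onChange(Settings settings) {
        this.restAuthDomains.clear();
        this.transportAuthDomains.clear();
        this.restAuthorizers.clear();
        this.transportAuthorizers.clear();
        invalidateCache();
        this.anonymousAuthEnabled = settings.getAsBoolean("searchguard.dynamic.http.anonymous_auth_enabled", false);

        final Map<String, Settings> authzGroups = settings.getGroups("searchguard.dynamic.authz");
        for (final Map.Entry<String, Settings> entry : authzGroups.entrySet()) {
            final String name = entry.getKey();
            final Settings cfg = entry.getValue();
            final boolean enabled = cfg.getAsBoolean("enabled", true);
            final boolean httpEnabled = enabled && cfg.getAsBoolean("http_enabled", true);
            final boolean transportEnabled = enabled && cfg.getAsBoolean("transport_enabled", true);
            if (!httpEnabled && !transportEnabled) {
                continue;
            }
            try {
                // The backend sees the node settings overlaid with its own config section.
                final Settings backendSettings = Settings.builder().put(this.esSettings).put(cfg.getAsSettings("authorization_backend.config")).build();
                final AuthorizationBackend authorizer = newInstance(cfg.get("authorization_backend.type", "noop"), "z", backendSettings, this.configPath);
                if (httpEnabled) {
                    this.restAuthorizers.add(authorizer);
                }
                if (transportEnabled) {
                    this.transportAuthorizers.add(authorizer);
                }
            } catch (Exception e) {
                this.log.error("Unable to initialize AuthorizationBackend {} due to {}", name, e.toString(), e);
            }
        }

        final Map<String, Settings> authcGroups = settings.getGroups("searchguard.dynamic.authc");
        for (final Map.Entry<String, Settings> entry : authcGroups.entrySet()) {
            final String name = entry.getKey();
            final Settings cfg = entry.getValue();
            final boolean enabled = cfg.getAsBoolean("enabled", true);
            final boolean httpEnabled = enabled && cfg.getAsBoolean("http_enabled", true);
            final boolean transportEnabled = enabled && cfg.getAsBoolean("transport_enabled", true);
            if (!httpEnabled && !transportEnabled) {
                continue;
            }
            try {
                final String backendType = cfg.get("authentication_backend.type", InternalAuthenticationBackend.class.getName());
                // Declared as the interface type: the decompiled listing typed this local as
                // InternalAuthenticationBackend, which does not fit the reflective branch.
                final AuthenticationBackend backend;
                if (backendType.equals(InternalAuthenticationBackend.class.getName()) || backendType.equals("internal") || backendType.equals("intern")) {
                    // The internal backend is the shared instance handed to the constructor.
                    backend = this.iab;
                    ReflectionHelper.addLoadedModule(InternalAuthenticationBackend.class);
                } else {
                    final Settings backendSettings = Settings.builder().put(this.esSettings).put(cfg.getAsSettings("authentication_backend.config")).build();
                    backend = newInstance(backendType, "c", backendSettings, this.configPath);
                }

                final String httpType = cfg.get("http_authenticator.type");
                HTTPAuthenticator httpAuthenticator = null;
                if (httpType != null) {
                    final Settings httpSettings = Settings.builder().put(this.esSettings).put(cfg.getAsSettings("http_authenticator.config")).build();
                    httpAuthenticator = newInstance(httpType, "h", httpSettings, this.configPath);
                }
                final boolean challenge = cfg.getAsBoolean("http_authenticator.challenge", true);
                final int order = cfg.getAsInt("order", 0);

                final AuthDomain authDomain = new AuthDomain(backend, httpAuthenticator, challenge, order);
                // A domain without an HTTP authenticator cannot serve REST requests.
                if (httpEnabled && authDomain.getHttpAuthenticator() != null) {
                    this.restAuthDomains.add(authDomain);
                }
                if (transportEnabled) {
                    this.transportAuthDomains.add(authDomain);
                }
            } catch (Exception e) {
                this.log.error("Unable to initialize auth domain {} due to {}", name, e.toString(), e);
            }
        }

        // Only the REST chain counts here; the transport domains do not influence this flag.
        this.initialized = !this.restAuthDomains.isEmpty() || this.anonymousAuthEnabled;
    }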

    /**
     * Authenticates a transport request and returns the resulting user, or {@code null} when
     * no transport auth domain accepts it.
     *
     * <p>A name that {@code adminDns} recognises as admin is accepted immediately and never
     * touches the auth domains. Otherwise the {@code Authorization} header of the thread
     * context decides the path: with credentials the user is authenticated against each
     * domain; without credentials the user named by {@code str} (or the impersonation target)
     * only has to exist in a domain's backend. A non-admin path that resolves to an admin name
     * is rejected.
     *
     * @param transportRequest the request, passed on to impersonation and the audit log
     * @param str name of the calling user; presumably the verified TLS principal of the
     *     transport connection (the caller is not visible here)
     * @param task passed on to the audit log
     * @param str2 passed on to the audit log for successful logins only
     * @return the authenticated user, or {@code null} on failure
     */
    public User authenticate(TransportRequest transportRequest, String str, Task task, String str2) {
        final User pkiUser = new User(str);
        if (this.adminDns.isAdmin(pkiUser.getName())) {
            this.auditLog.logSucceededLogin(pkiUser.getName(), true, null, transportRequest, str2, task);
            return pkiUser;
        }

        final AuthCredentials basicCredentials = HTTPHelper.extractCredentials(this.threadPool.getThreadContext().getHeader("Authorization"), this.log);
        if (basicCredentials != null && this.log.isDebugEnabled()) {
            // NOTE(review): the credentials object itself goes to the logger, so the debug
            // output depends on AuthCredentials.toString(), which is not visible here.
            // Confirm that it does not render the password.
            this.log.debug("User {} submitted also basic credentials: {}", pkiUser.getName(), basicCredentials);
        }

        User impersonated = null;
        for (AuthDomain authDomain : this.transportAuthDomains) {
            final User resolved;
            if (basicCredentials != null) {
                resolved = authcz(this.authenticatedUserCacheTransport, basicCredentials, authDomain, this.transportAuthorizers);
            } else {
                // Impersonation is evaluated again for every domain; a denied request throws.
                impersonated = impersonate(transportRequest, pkiUser);
                resolved = checkExistsAndAuthz(this.userCacheTransport, impersonated != null ? impersonated : pkiUser, authDomain, this.transportAuthorizers);
            }

            if (resolved == null) {
                if (this.log.isDebugEnabled()) {
                    final String attempted;
                    if (basicCredentials != null) {
                        attempted = basicCredentials.getUsername();
                    } else if (impersonated != null) {
                        attempted = impersonated.getName();
                    } else {
                        attempted = pkiUser.getName();
                    }
                    this.log.debug("Cannot authenticate user {} (or add roles) with authdomain {}/{}, try next", attempted, authDomain.getBackend().getType(), Integer.valueOf(authDomain.getOrder()));
                }
                continue;
            }

            // An admin identity is only valid through the admin check at the top.
            if (this.adminDns.isAdmin(resolved.getName())) {
                this.log.error("Cannot authenticate user because admin user is not permitted to login");
                this.auditLog.logFailedLogin(resolved.getName(), true, null, transportRequest, task);
                return null;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("User '{}' is authenticated", resolved);
            }
            this.auditLog.logSucceededLogin(resolved.getName(), false, impersonated == null ? null : pkiUser.getName(), transportRequest, str2, task);
            return resolved;
        }

        // No domain accepted the request: audit under the name that was actually tried.
        if (basicCredentials == null) {
            this.auditLog.logFailedLogin(impersonated == null ? pkiUser.getName() : impersonated.getName(), false, impersonated == null ? null : pkiUser.getName(), transportRequest, task);
        } else {
            this.auditLog.logFailedLogin(basicCredentials.getUsername(), false, null, transportRequest, task);
        }
        this.log.warn("Transport authentication finally failed for {}", basicCredentials == null ? (impersonated == null ? pkiUser.getName() : impersonated.getName()) : basicCredentials.getUsername());
        return null;
    }

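    /**
     * Authenticates a REST request by walking the REST auth domains in order and stores the
     * resulting user in the thread context under {@code ConfigConstants.SG_USER}.
     *
     * <p>Order of decisions: a TLS principal that is an admin DN is accepted at once; an
     * uninitialized registry answers 503; each domain then extracts credentials and tries to
     * authenticate them. The first domain that succeeds ends the walk. If none succeeds, a
     * request that presented no credentials is accepted as {@code User.ANONYMOUS} when
     * anonymous authentication is enabled; otherwise the first challenging authenticator is
     * asked to re-request credentials and the request fails with 401.
     *
     * <p>The decompiled listing had no loop exit after a successful login, so later domains
     * were still evaluated and could reject or re-challenge an already authenticated request;
     * the {@code break} below restores first-match-wins.
     *
     * <p>NOTE(review): the catch block covers the whole per-domain body as decompiled. An
     * {@code ElasticsearchSecurityException} thrown by {@code impersonate} (denied
     * impersonation) is therefore logged only at debug level and the next domain is tried.
     * The try scope may be a decompiler artefact; verify against the original source.
     *
     * @param restRequest the incoming request
     * @param restChannel channel used for 401/403/503 responses and authentication challenges
     * @param threadContext receives the remote address and the authenticated user
     * @return {@code true} when the request is authenticated; {@code false} when a response or
     *     challenge has been sent instead
     */
    public boolean authenticate(RestRequest restRequest, RestChannel restChannel, ThreadContext threadContext) {
        final String sslPrincipal = (String) this.threadPool.getThreadContext().getTransient(ConfigConstants.SG_SSL_PRINCIPAL);
        // A client certificate whose principal is a configured admin DN bypasses every auth
        // domain, including the initialization check below.
        if (this.adminDns.isAdmin(sslPrincipal)) {
            this.threadPool.getThreadContext().putTransient(ConfigConstants.SG_USER, new User(sslPrincipal));
            this.auditLog.logSucceededLogin(sslPrincipal, true, null, restRequest);
            return true;
        }
        if (!isInitialized()) {
            this.log.error("Not yet initialized (you may need to run sgadmin)");
            restChannel.sendResponse(new BytesRestResponse(RestStatus.SERVICE_UNAVAILABLE, "Search Guard not initialized (SG11). See http://docs.search-guard.com/v6/sgadmin"));
            return false;
        }
        threadContext.putTransient(ConfigConstants.SG_REMOTE_ADDRESS, this.xffResolver.resolve(restRequest));

        boolean authenticated = false;
        // Credentials seen in the most recently evaluated domain; null when it found none.
        AuthCredentials lastCredentials = null;
        HTTPAuthenticator firstChallenger = null;
        for (AuthDomain authDomain : this.restAuthDomains) {
            final HTTPAuthenticator httpAuthenticator = authDomain.getHttpAuthenticator();
            if (authDomain.isChallenge() && firstChallenger == null) {
                firstChallenger = httpAuthenticator;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Try to extract auth creds from {} http authenticator", httpAuthenticator.getType());
            }
            try {
                final AuthCredentials extracted = httpAuthenticator.extractCredentials(restRequest, threadContext);
                lastCredentials = extracted;
                if (extracted == null) {
                    // No credentials in the request: challenge, unless anonymous access may
                    // still pick the request up after the loop.
                    if (!this.anonymousAuthEnabled && authDomain.isChallenge() && httpAuthenticator.reRequestAuthentication(restChannel, null)) {
                        this.auditLog.logFailedLogin("<NONE>", false, null, restRequest);
                        return false;
                    }
                } else if (extracted.isComplete()) {
                    final User authenticatedUser = authcz(this.userCache, extracted, authDomain, this.restAuthorizers);
                    if (authenticatedUser == null) {
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("Cannot authenticate user {} (or add roles) with authdomain {}/{}, try next", extracted.getUsername(), authDomain.getBackend().getType(), Integer.valueOf(authDomain.getOrder()));
                        }
                    } else {
                        // Admin identities are accepted through the certificate check only.
                        if (this.adminDns.isAdmin(authenticatedUser.getName())) {
                            this.log.error("Cannot authenticate user because admin user is not permitted to login via HTTP");
                            this.auditLog.logFailedLogin(authenticatedUser.getName(), true, null, restRequest);
                            restChannel.sendResponse(new BytesRestResponse(RestStatus.FORBIDDEN, "Cannot authenticate user because admin user is not permitted to login via HTTP"));
                            return false;
                        }
                        final String tenant = (String) Utils.coalesce(restRequest.header("sgtenant"), new String[]{restRequest.header("sg_tenant")});
                        if (this.log.isDebugEnabled()) {
                            this.log.debug("User '{}' is authenticated", authenticatedUser);
                            this.log.debug("sgtenant '{}'", tenant);
                        }
                        // NOTE(review): authenticatedUser is the instance held in userCache, so
                        // this writes a client-supplied header value onto an object that
                        // concurrent requests with the same credentials may share. Whether the
                        // tenant is authorized is not decided here; confirm both points.
                        authenticatedUser.setRequestedTenant(tenant);
                        final User impersonated = impersonate(restRequest, authenticatedUser, authDomain);
                        final User effectiveUser = impersonated == null ? authenticatedUser : impersonated;
                        threadContext.putTransient(ConfigConstants.SG_USER, effectiveUser);
                        this.auditLog.logSucceededLogin(effectiveUser.getName(), false, authenticatedUser.getName(), restRequest);
                        authenticated = true;
                        // First successful domain wins; do not evaluate the remaining ones.
                        break;
                    }
                } else if (httpAuthenticator.reRequestAuthentication(restChannel, extracted)) {
                    // Incomplete credentials and the authenticator sent another challenge.
                    return false;
                }
            } catch (Exception e) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("'{}' extracting credentials from {} http authenticator", e.toString(), httpAuthenticator.getType(), e);
                }
            }
        }
        if (authenticated) {
            return true;
        }

        if (this.log.isDebugEnabled()) {
            this.log.debug("User still not authenticated after checking {} auth domains", Integer.valueOf(this.restAuthDomains.size()));
        }
        // Anonymous access applies only when the last evaluated domain found no credentials.
        if (lastCredentials == null && this.anonymousAuthEnabled) {
            threadContext.putTransient(ConfigConstants.SG_USER, User.ANONYMOUS);
            this.auditLog.logSucceededLogin(User.ANONYMOUS.getName(), false, null, restRequest);
            if (this.log.isDebugEnabled()) {
                this.log.debug("Anonymous User is authenticated");
            }
            return true;
        }

        final String failedUser = lastCredentials == null ? null : lastCredentials.getUsername();
        if (firstChallenger != null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Rerequest with {}", firstChallenger.getClass());
            }
            if (firstChallenger.reRequestAuthentication(restChannel, null)) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Rerequest {} failed", firstChallenger.getClass());
                }
                this.log.warn("Authentication finally failed for {}", failedUser);
                this.auditLog.logFailedLogin(failedUser, false, null, restRequest);
                return false;
            }
        }
        this.log.warn("Authentication finally failed for {}", failedUser);
        this.auditLog.logFailedLogin(failedUser, false, null, restRequest);
        restChannel.sendResponse(new BytesRestResponse(RestStatus.UNAUTHORIZED, "Authentication finally failed"));
        return false;
    }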

    /**
     * Resolves a user that was identified without credentials: checks that the user exists in
     * the domain's backend, lets every authorizer add roles, and caches the result by name.
     *
     * <p>No secret is verified here; callers use this for certificate-identified and
     * impersonated users. When the loader returns {@code null} for an unknown user, the
     * Guava cache rejects the null value with an exception, which the catch block below turns
     * into a {@code null} result, so unknown users are not cached.
     *
     * <p>A failing authorizer is logged at error level and skipped. The user is then returned
     * and cached with whatever roles the other authorizers supplied.
     *
     * @param cache cache keyed by user name
     * @param user the user to look up; {@code null} yields {@code null}
     * @param authDomain domain whose backend decides whether the user exists
     * @param set authorizers that add roles to the user
     * @return the user with roles filled in, or {@code null} if it does not exist or the lookup
     *     failed
     */
    private User checkExistsAndAuthz(Cache<String, User> cache, final User user, final AuthDomain authDomain, final Set<AuthorizationBackend> set) {
        if (user == null) {
            return null;
        }
        final Callable<User> loader = new Callable<User>() {
            @Override
            public User call() throws Exception {
                if (log.isDebugEnabled()) {
                    log.debug(user.getName() + " not cached, return from " + authDomain.getBackend().getType() + " backend directly");
                }
                if (authDomain.getBackend().exists(user)) {
                    for (AuthorizationBackend authorizer : set) {
                        try {
                            authorizer.fillRoles(user, new AuthCredentials(user.getName(), new String[0]));
                        } catch (Exception roleError) {
                            log.error("Cannot retrieve roles for {} from {} due to {}", user.getName(), authorizer.getType(), roleError.toString(), roleError);
                        }
                    }
                    return user;
                }
                if (log.isDebugEnabled()) {
                    log.debug("User " + user.getName() + " does not exist in " + authDomain.getBackend().getType());
                }
                return null;
            }
        };
        try {
            return cache.get(user.getName(), loader);
        } catch (Exception lookupError) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not check and authorize " + user.getName() + " due to " + lookupError.toString(), lookupError);
            }
            return null;
        }
    }

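    /**
     * Authenticates the credentials against the domain's backend, lets every authorizer add
     * roles, and caches the resulting user under the credentials.
     *
     * <p>The secrets held by {@code authCredentials} are cleared on every path out of this
     * method; a single {@code finally} block replaces the three separate cleanup calls of the
     * decompiled listing.
     *
     * <p>On a cache hit the backend is not called, so acceptance rests entirely on the
     * cache's key comparison. NOTE(review): the key object has its secrets cleared right after
     * the lookup; confirm that {@code AuthCredentials.equals}/{@code hashCode} cover the
     * submitted secret and do not depend on the cleared state.
     *
     * <p>A failing authorizer is logged at error level and skipped, and the user is cached
     * with the roles the other authorizers supplied. Any failure of the backend or the cache
     * lookup is logged at debug level only and reported as {@code null}.
     *
     * @param cache cache keyed by credentials
     * @param authCredentials credentials to verify; {@code null} yields {@code null}
     * @param authDomain domain whose backend verifies the credentials
     * @param set authorizers that add roles to the authenticated user
     * @return the authenticated user, or {@code null} if authentication failed
     */
    private User authcz(Cache<AuthCredentials, User> cache, final AuthCredentials authCredentials, final AuthDomain authDomain, final Set<AuthorizationBackend> set) {
        if (authCredentials == null) {
            return null;
        }
        try {
            return cache.get(authCredentials, new Callable<User>() {
                @Override
                public User call() throws Exception {
                    if (log.isDebugEnabled()) {
                        log.debug(authCredentials.getUsername() + " not cached, return from " + authDomain.getBackend().getType() + " backend directly");
                    }
                    final User authenticated = authDomain.getBackend().authenticate(authCredentials);
                    for (AuthorizationBackend authorizer : set) {
                        try {
                            // Roles are looked up by name only; the secret is not passed on.
                            authorizer.fillRoles(authenticated, new AuthCredentials(authenticated.getName(), new String[0]));
                        } catch (Exception roleError) {
                            log.error("Cannot retrieve roles for {} from {} due to {}", authenticated, authorizer.getType(), roleError.toString(), roleError);
                        }
                    }
                    return authenticated;
                }
            });
        } catch (Exception e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not authenticate " + authCredentials.getUsername() + " due to " + e.toString(), e);
            }
            return null;
        } finally {
            // Runs for the normal return, the handled failure and any propagating Throwable.
            authCredentials.clearSecrets();
        }
    }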

    /**
     * Evaluates the {@code sg_impersonate_as} header of a transport request.
     *
     * <p>Impersonating an admin name is always refused. Any other target requires
     * {@code adminDns.isTransportImpersonationAllowed} to accept the pair of the original
     * user's name, parsed as an LDAP name, and the target. The returned user is built from the
     * header value alone; this method does not check that the target exists in a backend.
     *
     * @param transportRequest the request (not read by this method)
     * @param user the original user of the connection
     * @return a new user named after the header, or {@code null} when no header is set
     * @throws ElasticsearchSecurityException if the registry is not initialized, {@code user}
     *     is {@code null}, the target is an admin, the original name is not a valid LDAP name,
     *     or the impersonation is not allowed
     */
    private User impersonate(TransportRequest transportRequest, User user) throws ElasticsearchSecurityException {
        final String target = this.threadPool.getThreadContext().getHeader("sg_impersonate_as");
        if (Strings.isNullOrEmpty(target)) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized");
        }
        if (user == null) {
            throw new ElasticsearchSecurityException("no original PKI user found");
        }
        if (this.adminDns.isAdmin(target)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as an adminuser  '" + target + "'");
        }

        final boolean allowed;
        try {
            allowed = this.adminDns.isTransportImpersonationAllowed(new LdapName(user.getName()), target);
        } catch (InvalidNameException e) {
            throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + user.getName() + "'), should never happen", e);
        }
        if (!allowed) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + target + "'");
        }

        final User impersonated = new User(target);
        if (this.log.isDebugEnabled()) {
            this.log.debug("Impersonate from '{}' to '{}'", user.getName(), target);
        }
        return impersonated;
    }

    /**
     * Evaluates the {@code sg_impersonate_as} header of a REST request for an already
     * authenticated user.
     *
     * <p>Impersonating an admin name is always refused. Any other target requires
     * {@code adminDns.isRestImpersonationAllowed} to accept the pair of authenticated user name
     * and target, and the target must exist in the backend of the domain that authenticated
     * the caller. Roles of the target are filled by the REST authorizers.
     *
     * @param restRequest request carrying the header
     * @param user the authenticated user
     * @param authDomain domain that authenticated {@code user}
     * @return the impersonated user, or {@code null} when the header is absent or {@code user}
     *     is {@code null}
     * @throws ElasticsearchSecurityException if the registry is not initialized, or with status
     *     403 if the target is an admin, the impersonation is not allowed, or the target does
     *     not exist
     */
    private User impersonate(RestRequest restRequest, User user, AuthDomain authDomain) throws ElasticsearchSecurityException {
        final String target = restRequest.header("sg_impersonate_as");
        if (Strings.isNullOrEmpty(target) || user == null) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized");
        }
        if (this.adminDns.isAdmin(target)) {
            throw new ElasticsearchSecurityException("It is not allowed to impersonate as an adminuser  '" + target + "'", RestStatus.FORBIDDEN);
        }
        if (!this.adminDns.isRestImpersonationAllowed(user.getName(), target)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + target + "'", RestStatus.FORBIDDEN);
        }

        final User impersonated = checkExistsAndAuthz(this.restImpersonationCache, new User(target), authDomain, this.restAuthorizers);
        if (impersonated != null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Impersonate rest user from '{}' to '{}'", user.getName(), target);
            }
            return impersonated;
        }
        this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists in {}", user.getName(), target, authDomain.getBackend().getType());
        throw new ElasticsearchSecurityException("No such user:" + target, RestStatus.FORBIDDEN);
    }

    /**
     * Instantiates an authentication backend, authorization backend or HTTP authenticator.
     *
     * <p>{@code str + "_" + str2} is looked up in the alias map first. A value that is not a
     * registered alias is used as a class name as-is, so the dynamic configuration decides
     * which class {@code ReflectionHelper.instantiateAAA} loads; write access to that
     * configuration should be restricted accordingly.
     *
     * <p>The boolean handed to {@code instantiateAAA} is {@code true} when the type was not a
     * registered alias or when {@code ReflectionHelper.isEnterpriseAAAModule} reports the class
     * as an enterprise module. What {@code instantiateAAA} does with the flag is not visible
     * here.
     *
     * @param str type alias or class name from the configuration
     * @param str2 component kind suffix: {@code "c"}, {@code "z"} or {@code "h"}
     * @param settings settings handed to the new instance
     * @param path configuration path handed to the new instance
     * @return the new instance, cast unchecked to the type the caller expects
     */
    private <T> T newInstance(String str, String str2, Settings settings, Path path) {
        final String aliasKey = str + "_" + str2;
        final boolean isAlias = this.authImplMap.containsKey(aliasKey);
        final String className = isAlias ? this.authImplMap.get(aliasKey) : str;
        final boolean enterpriseModule = ReflectionHelper.isEnterpriseAAAModule(className);
        final boolean flag = !isAlias || enterpriseModule;
        return (T) ReflectionHelper.instantiateAAA(className, settings, path, flag);
    }
}
