package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.http.HTTPBasicAuthenticator;
import com.floragunn.searchguard.http.HTTPClientCertAuthenticator;
import com.floragunn.searchguard.http.HTTPProxyAuthenticator;
import com.floragunn.searchguard.http.XFFResolver;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HTTPHelper;
import com.floragunn.searchguard.support.ReflectionHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/auth/BackendRegistry.class */
public class BackendRegistry implements ConfigurationChangeListener {
    // Set on the last line of onChange(); read through isInitialized().
    private volatile boolean initialized;

    // Collaborators supplied through the constructor.
    private final Settings esSettings;
    private final Path configPath;
    private final AdminDNs adminDns;
    private final XFFResolver xffResolver;
    private final InternalAuthenticationBackend iab;
    private final AuditLog auditLog;
    private final ThreadPool threadPool;
    private final UserInjector userInjector;
    protected final Logger log = LogManager.getLogger(getClass());

    // Entry lifetime, in minutes, shared by all four caches below (built in createCaches()).
    private final int ttlInMin;
    // REST: submitted credentials -> authenticated user.
    private Cache<AuthCredentials, User> userCache;
    // Transport: user name -> user that passed the exists()/role lookup.
    private Cache<String, User> userCacheTransport;
    // Transport: credentials taken from the Authorization header -> authenticated user.
    private Cache<AuthCredentials, User> authenticatedUserCacheTransport;
    // REST: impersonation target name -> resolved user.
    private Cache<String, User> restImpersonationCache;

    // Short type name plus suffix (_c, _z, _h) -> implementing class name; filled in the constructor.
    private final Map<String, String> authImplMap = new HashMap<>();

    // Rebuilt from scratch on every onChange(). These are plain, unsynchronized collections.
    // NOTE(review): no locking is visible in this class; confirm how readers on request threads are
    // protected while onChange() clears and refills them.
    private final SortedSet<AuthDomain> restAuthDomains = new TreeSet<>();
    private final Set<AuthorizationBackend> restAuthorizers = new HashSet<>();
    private final SortedSet<AuthDomain> transportAuthDomains = new TreeSet<>();
    private final Set<AuthorizationBackend> transportAuthorizers = new HashSet<>();
    private final List<Destroyable> destroyableComponents = new LinkedList<>();

    // Dynamic settings, re-read on every onChange().
    private volatile boolean anonymousAuthEnabled = false;
    private volatile String transportUsernameAttribute = null;

    /**
     * Builds the four user caches. Each one expires entries {@code ttlInMin} minutes after they were written and
     * reports every removal at debug level.
     *
     * <p>Review notes: no maximum size is configured on any of the builders, so the entry count is limited only
     * by the TTL. A cached {@link User} is handed back without asking the backend again until the entry expires
     * or {@link #invalidateCache()} runs, so a password change or account removal in the backend is not
     * guaranteed to take effect before then.
     */
    private void createCaches() {
        final long ttlMinutes = this.ttlInMin;

        // Listener for caches keyed by credentials: only the username is written to the log.
        final RemovalListener<AuthCredentials, User> credentialKeyListener = new RemovalListener<AuthCredentials, User>() {
            @Override
            public void onRemoval(RemovalNotification<AuthCredentials, User> evicted) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", evicted.getKey().getUsername(), evicted.getCause());
            }
        };
        // Listener for caches keyed by plain user name.
        final RemovalListener<String, User> nameKeyListener = new RemovalListener<String, User>() {
            @Override
            public void onRemoval(RemovalNotification<String, User> evicted) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", evicted.getKey(), evicted.getCause());
            }
        };

        this.userCache = CacheBuilder.newBuilder()
                .expireAfterWrite(ttlMinutes, TimeUnit.MINUTES)
                .removalListener(credentialKeyListener)
                .build();
        this.userCacheTransport = CacheBuilder.newBuilder()
                .expireAfterWrite(ttlMinutes, TimeUnit.MINUTES)
                .removalListener(nameKeyListener)
                .build();
        this.authenticatedUserCacheTransport = CacheBuilder.newBuilder()
                .expireAfterWrite(ttlMinutes, TimeUnit.MINUTES)
                .removalListener(credentialKeyListener)
                .build();
        this.restImpersonationCache = CacheBuilder.newBuilder()
                .expireAfterWrite(ttlMinutes, TimeUnit.MINUTES)
                .removalListener(nameKeyListener)
                .build();
    }

    /**
     * Stores the collaborators, registers the built-in short names for authentication backends ({@code _c}),
     * authorization backends ({@code _z}) and HTTP authenticators ({@code _h}), then builds the user caches.
     *
     * <p>No auth domain is loaded here; that happens in {@link #onChange(Settings)}.
     */
    public BackendRegistry(Settings settings, Path path, AdminDNs adminDNs, XFFResolver xFFResolver, InternalAuthenticationBackend internalAuthenticationBackend, AuditLog auditLog, ThreadPool threadPool) {
        this.esSettings = settings;
        this.configPath = path;
        this.adminDns = adminDNs;
        this.xffResolver = xFFResolver;
        this.iab = internalAuthenticationBackend;
        this.auditLog = auditLog;
        this.threadPool = threadPool;
        this.userInjector = new UserInjector(settings, threadPool, auditLog, xFFResolver);

        final String internalAuthc = InternalAuthenticationBackend.class.getName();
        final String noopAuthz = NoOpAuthorizationBackend.class.getName();

        // Authentication backends.
        this.authImplMap.put("intern_c", internalAuthc);
        this.authImplMap.put("internal_c", internalAuthc);
        this.authImplMap.put("noop_c", NoOpAuthenticationBackend.class.getName());
        this.authImplMap.put("ldap_c", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend");

        // Authorization backends. The "intern"/"internal" short names map to the no-op authorizer here.
        this.authImplMap.put("intern_z", noopAuthz);
        this.authImplMap.put("internal_z", noopAuthz);
        this.authImplMap.put("noop_z", noopAuthz);
        this.authImplMap.put("ldap_z", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend");

        // HTTP authenticators. The com.floragunn.dlic.* entries are registered by name only, so they are
        // resolved when an auth domain asks for them (presumably from a separately shipped module; confirm).
        this.authImplMap.put("basic_h", HTTPBasicAuthenticator.class.getName());
        this.authImplMap.put("proxy_h", HTTPProxyAuthenticator.class.getName());
        this.authImplMap.put("clientcert_h", HTTPClientCertAuthenticator.class.getName());
        this.authImplMap.put("kerberos_h", "com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator");
        this.authImplMap.put("jwt_h", "com.floragunn.dlic.auth.http.jwt.HTTPJwtAuthenticator");
        this.authImplMap.put("openid_h", "com.floragunn.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator");
        this.authImplMap.put("saml_h", "com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator");

        // The TTL must be known before the caches are built; it falls back to 60 minutes when unset.
        final Integer configuredTtl = settings.getAsInt(ConfigConstants.SEARCHGUARD_CACHE_TTL_MINUTES, 60);
        this.ttlInMin = configuredTtl.intValue();
        createCaches();
    }

    /**
     * Reports whether the last {@link #onChange(Settings)} left at least one REST auth domain loaded or
     * anonymous authentication enabled.
     *
     * @return the current value of the {@code initialized} flag
     */
    public boolean isInitialized() {
        return initialized;
    }

    /**
     * Drops every entry from all four user caches, so the next request for any user goes back to the
     * configured backends.
     */
    public void invalidateCache() {
        final Cache<?, ?>[] allCaches = {
            this.userCache,
            this.userCacheTransport,
            this.authenticatedUserCacheTransport,
            this.restImpersonationCache,
        };
        for (Cache<?, ?> each : allCaches) {
            each.invalidateAll();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v143, types: [com.floragunn.searchguard.auth.AuthorizationBackend] */
    /* JADX WARN: Type inference failed for: r0v88, types: [com.floragunn.searchguard.auth.AuthenticationBackend] */
    /**
     * Rebuilds the authentication and authorization configuration from the dynamic settings.
     *
     * <p>Order of work: clear the four domain/authorizer collections, invalidate all user caches, destroy the
     * previously created {@link Destroyable} components, re-read the two dynamic flags, then load every
     * {@code searchguard.dynamic.authz} and {@code searchguard.dynamic.authc} group that is enabled for HTTP or
     * transport.
     *
     * <p>Review notes:
     * <ul>
     *   <li>A group whose backend or authenticator cannot be created is logged at error level and skipped; the
     *       remaining groups are still loaded. That error line is the only signal in this method that a
     *       configured domain is missing from the active chain.</li>
     *   <li>{@code initialized} depends only on the REST domains and the anonymous flag; transport domains do
     *       not influence it.</li>
     *   <li>The collections are cleared and refilled in place and no locking is visible in this class.
     *       NOTE(review): confirm how request threads are kept from iterating them mid-rebuild.</li>
     * </ul>
     *
     * @param settings the dynamic Search Guard configuration to load
     */
    @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
    public void onChange(Settings settings) {
        // NOTE(review): the JADX warnings above this method report failed type inference for these two locals.
        // They are assigned values cast to AuthenticationBackend / AuthorizationBackend below, so the declared
        // type InternalAuthenticationBackend is a decompiler artifact, not the original declaration.
        InternalAuthenticationBackend internalAuthenticationBackend;
        InternalAuthenticationBackend internalAuthenticationBackend2;
        this.restAuthDomains.clear();
        this.transportAuthDomains.clear();
        this.restAuthorizers.clear();
        this.transportAuthorizers.clear();
        invalidateCache();
        destroyDestroyables();
        // The key is spelled "userrname" in the string itself; it is a runtime setting name and must match
        // whatever the configuration files use.
        this.transportUsernameAttribute = settings.get("searchguard.dynamic.transport_userrname_attribute", (String) null);
        // Anonymous access needs the dynamic switch on AND the static compliance switch not set.
        this.anonymousAuthEnabled = settings.getAsBoolean("searchguard.dynamic.http.anonymous_auth_enabled", false).booleanValue() && !this.esSettings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false).booleanValue();
        // --- authorization backends ---
        Map groups = settings.getGroups("searchguard.dynamic.authz");
        for (String str : groups.keySet()) {
            Settings settings2 = (Settings) groups.get(str);
            // "enabled", "http_enabled" and "transport_enabled" all default to true when absent.
            boolean booleanValue = settings2.getAsBoolean("enabled", true).booleanValue();
            boolean z = booleanValue && settings2.getAsBoolean("http_enabled", true).booleanValue();
            boolean z2 = booleanValue && settings2.getAsBoolean("transport_enabled", true).booleanValue();
            if (z || z2) {
                try {
                    String str2 = settings2.get("authorization_backend.type", "noop");
                    if (str2.equals(InternalAuthenticationBackend.class.getName()) || str2.equals("internal") || str2.equals("intern")) {
                        // The internal backend is the shared instance handed to the constructor.
                        internalAuthenticationBackend2 = this.iab;
                        ReflectionHelper.addLoadedModule(InternalAuthenticationBackend.class);
                    } else {
                        // Any other type string is resolved by newInstance(); per-backend config is layered
                        // over the node settings.
                        internalAuthenticationBackend2 = (AuthorizationBackend) newInstance(str2, "z", Settings.builder().put(this.esSettings).put(settings2.getAsSettings("authorization_backend.config")).build(), this.configPath);
                    }
                    if (z) {
                        this.restAuthorizers.add(internalAuthenticationBackend2);
                    }
                    if (z2) {
                        this.transportAuthorizers.add(internalAuthenticationBackend2);
                    }
                    if (internalAuthenticationBackend2 instanceof Destroyable) {
                        this.destroyableComponents.add((Destroyable) internalAuthenticationBackend2);
                    }
                } catch (Exception e) {
                    // The failing authorizer is left out; the loop continues with the next group.
                    this.log.error("Unable to initialize AuthorizationBackend {} due to {}", str, e.toString(), e);
                }
            }
        }
        // --- authentication domains ---
        Map groups2 = settings.getGroups("searchguard.dynamic.authc");
        for (String str3 : groups2.keySet()) {
            Settings settings3 = (Settings) groups2.get(str3);
            boolean booleanValue2 = settings3.getAsBoolean("enabled", true).booleanValue();
            boolean z3 = booleanValue2 && settings3.getAsBoolean("http_enabled", true).booleanValue();
            boolean z4 = booleanValue2 && settings3.getAsBoolean("transport_enabled", true).booleanValue();
            if (z3 || z4) {
                try {
                    // Unlike the authz section, the default here is the internal backend, not "noop".
                    String str4 = settings3.get("authentication_backend.type", InternalAuthenticationBackend.class.getName());
                    if (str4.equals(InternalAuthenticationBackend.class.getName()) || str4.equals("internal") || str4.equals("intern")) {
                        internalAuthenticationBackend = this.iab;
                        ReflectionHelper.addLoadedModule(InternalAuthenticationBackend.class);
                    } else {
                        internalAuthenticationBackend = (AuthenticationBackend) newInstance(str4, "c", Settings.builder().put(this.esSettings).put(settings3.getAsSettings("authentication_backend.config")).build(), this.configPath);
                    }
                    // A domain without "http_authenticator.type" gets no HTTP authenticator at all.
                    String str5 = settings3.get("http_authenticator.type");
                    HTTPAuthenticator hTTPAuthenticator = str5 == null ? null : (HTTPAuthenticator) newInstance(str5, "h", Settings.builder().put(this.esSettings).put(settings3.getAsSettings("http_authenticator.config")).build(), this.configPath);
                    AuthDomain authDomain = new AuthDomain(internalAuthenticationBackend, hTTPAuthenticator, settings3.getAsBoolean("http_authenticator.challenge", true).booleanValue(), settings3.getAsInt("order", 0).intValue());
                    // Only domains that actually have an HTTP authenticator take part in REST authentication.
                    if (z3 && authDomain.getHttpAuthenticator() != null) {
                        this.restAuthDomains.add(authDomain);
                    }
                    if (z4) {
                        this.transportAuthDomains.add(authDomain);
                    }
                    if (hTTPAuthenticator instanceof Destroyable) {
                        this.destroyableComponents.add((Destroyable) hTTPAuthenticator);
                    }
                    if (internalAuthenticationBackend instanceof Destroyable) {
                        this.destroyableComponents.add((Destroyable) internalAuthenticationBackend);
                    }
                } catch (Exception e2) {
                    // The failing domain is left out; domains loaded before and after it stay active.
                    this.log.error("Unable to initialize auth domain {} due to {}", str3, e2.toString(), e2);
                }
            }
        }
        this.initialized = !this.restAuthDomains.isEmpty() || this.anonymousAuthEnabled;
    }

    /**
     * Authenticates a transport-layer request and returns the resulting user, or {@code null} when every
     * transport auth domain has been tried without success.
     *
     * <p>Both outcomes are written to the audit log. Two code paths exist per domain: without basic credentials
     * in the {@code Authorization} header the principal (optionally impersonated) only has to exist in the
     * backend; with credentials they are verified through {@code authcz}.
     *
     * @param transportRequest the request being authenticated
     * @param str name of the transport principal; {@code impersonate} parses it as an LDAP name, so it is
     *            presumably the peer certificate DN (confirm against the caller)
     * @param task task passed through to the audit log
     * @param str2 value passed through to {@code logSucceededLogin}; its meaning is not visible here
     * @return the authenticated user, or {@code null} on failure
     */
    public User authenticate(TransportRequest transportRequest, String str, Task task, String str2) {
        User authcz;
        if (this.log.isDebugEnabled() && transportRequest.remoteAddress() != null) {
            this.log.debug("Transport authentication request from {}", transportRequest.remoteAddress());
        }
        User user = new User(str);
        // A principal listed as admin DN is accepted right away: no auth domain, no role lookup.
        // This relies entirely on str having been verified before this method is called.
        if (this.adminDns.isAdmin(user)) {
            this.auditLog.logSucceededLogin(user.getName(), true, null, transportRequest, str2, task);
            return user;
        }
        AuthCredentials extractCredentials = HTTPHelper.extractCredentials(this.threadPool.getThreadContext().getHeader("Authorization"), this.log);
        User user2 = null;
        if (extractCredentials != null && this.log.isDebugEnabled()) {
            // NOTE(review): the AuthCredentials object itself is formatted into the debug log. Whether its
            // toString() leaves out the password is not visible in this file; confirm before enabling
            // debug logging in production.
            this.log.debug("User {} submitted also basic credentials: {}", user.getName(), extractCredentials);
        }
        for (AuthDomain authDomain : this.transportAuthDomains) {
            if (extractCredentials == null) {
                // Impersonation and the username-attribute mapping are re-evaluated for every domain.
                // impersonate() throws instead of returning when the request is not permitted.
                user2 = impersonate(transportRequest, user);
                user = resolveTransportUsernameAttribute(user);
                authcz = checkExistsAndAuthz(this.userCacheTransport, user2 == null ? user : user2, authDomain.getBackend(), this.transportAuthorizers);
            } else {
                // NOTE(review): authcz() calls clearSecrets() on the credentials on every exit path, and the
                // same object is reused for the next domain. If clearSecrets() wipes the password (the
                // AuthCredentials class is not shown here), only the first domain sees usable credentials.
                authcz = authcz(this.authenticatedUserCacheTransport, extractCredentials, authDomain.getBackend(), this.transportAuthorizers);
            }
            if (authcz != null) {
                // An admin identity must not be reachable through a backend login.
                if (this.adminDns.isAdmin(authcz)) {
                    this.log.error("Cannot authenticate user because admin user is not permitted to login");
                    this.auditLog.logFailedLogin(authcz.getName(), true, null, transportRequest, task);
                    return null;
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("User '{}' is authenticated", authcz);
                }
                // When impersonation took place, the original principal is recorded as the initiating user.
                this.auditLog.logSucceededLogin(authcz.getName(), false, user2 == null ? null : user.getName(), transportRequest, str2, task);
                return authcz;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Cannot authenticate user {} (or add roles) with authdomain {}/{}, try next", extractCredentials == null ? user2 == null ? user.getName() : user2.getName() : extractCredentials.getUsername(), authDomain.getBackend().getType(), Integer.valueOf(authDomain.getOrder()));
            }
        }
        // No domain accepted the request (this is also reached when no transport domain is configured).
        if (extractCredentials == null) {
            this.auditLog.logFailedLogin(user2 == null ? user.getName() : user2.getName(), false, user2 == null ? null : user.getName(), transportRequest, task);
        } else {
            this.auditLog.logFailedLogin(extractCredentials.getUsername(), false, null, transportRequest, task);
        }
        this.log.warn("Transport authentication finally failed for {} from {}", extractCredentials == null ? user2 == null ? user.getName() : user2.getName() : extractCredentials.getUsername(), transportRequest.remoteAddress());
        return null;
    }

    /* JADX WARN: Code restructure failed: missing block: B:100:0x03aa, code lost:
    
        r0 = r7.log;
     */
    /* JADX WARN: Code restructure failed: missing block: B:101:0x03b2, code lost:
    
        if (r15 != null) goto L111;
     */
    /* JADX WARN: Code restructure failed: missing block: B:102:0x03b5, code lost:
    
        r2 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:103:0x03be, code lost:
    
        r0.warn("Authentication finally failed for {} from {}", r2, r0);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:104:0x03cb, code lost:
    
        if (r15 != null) goto L115;
     */
    /* JADX WARN: Code restructure failed: missing block: B:105:0x03ce, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:106:0x03d7, code lost:
    
        r0.logFailedLogin(r1, false, null, r8);
        r9.sendResponse(new org.elasticsearch.rest.BytesRestResponse(org.elasticsearch.rest.RestStatus.UNAUTHORIZED, "Authentication finally failed"));
     */
    /* JADX WARN: Code restructure failed: missing block: B:107:0x03f2, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:108:0x03d2, code lost:
    
        r1 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:109:0x03b9, code lost:
    
        r2 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:56:0x0287, code lost:
    
        if (r13 == false) goto L76;
     */
    /* JADX WARN: Code restructure failed: missing block: B:57:0x028a, code lost:
    
        r0 = impersonate(r8, r14);
     */
    /* JADX WARN: Code restructure failed: missing block: B:58:0x0298, code lost:
    
        if (r0 != null) goto L70;
     */
    /* JADX WARN: Code restructure failed: missing block: B:59:0x029b, code lost:
    
        r2 = r14;
     */
    /* JADX WARN: Code restructure failed: missing block: B:60:0x02a2, code lost:
    
        r10.putTransient(com.floragunn.searchguard.support.ConfigConstants.SG_USER, r2);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:61:0x02ab, code lost:
    
        if (r0 != null) goto L74;
     */
    /* JADX WARN: Code restructure failed: missing block: B:62:0x02ae, code lost:
    
        r1 = r14;
     */
    /* JADX WARN: Code restructure failed: missing block: B:63:0x02b5, code lost:
    
        r0.logSucceededLogin(r1.getName(), false, r14.getName(), r8);
     */
    /* JADX WARN: Code restructure failed: missing block: B:65:0x03f5, code lost:
    
        return r13;
     */
    /* JADX WARN: Code restructure failed: missing block: B:66:0x02b3, code lost:
    
        r1 = r0;
     */
    /* JADX WARN: Code restructure failed: missing block: B:67:0x02a0, code lost:
    
        r2 = r0;
     */
    /* JADX WARN: Code restructure failed: missing block: B:69:0x02d0, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L79;
     */
    /* JADX WARN: Code restructure failed: missing block: B:70:0x02d3, code lost:
    
        r7.log.debug("User still not authenticated after checking {} auth domains", java.lang.Integer.valueOf(r7.restAuthDomains.size()));
     */
    /* JADX WARN: Code restructure failed: missing block: B:72:0x02ec, code lost:
    
        if (r15 != null) goto L88;
     */
    /* JADX WARN: Code restructure failed: missing block: B:74:0x02f3, code lost:
    
        if (r7.anonymousAuthEnabled == false) goto L88;
     */
    /* JADX WARN: Code restructure failed: missing block: B:75:0x02f6, code lost:
    
        r10.putTransient(com.floragunn.searchguard.support.ConfigConstants.SG_USER, com.floragunn.searchguard.user.User.ANONYMOUS);
        r7.auditLog.logSucceededLogin(com.floragunn.searchguard.user.User.ANONYMOUS.getName(), false, null, r8);
     */
    /* JADX WARN: Code restructure failed: missing block: B:76:0x031a, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L142;
     */
    /* JADX WARN: Code restructure failed: missing block: B:77:0x031d, code lost:
    
        r7.log.debug("Anonymous User is authenticated");
     */
    /* JADX WARN: Code restructure failed: missing block: B:78:0x0328, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:79:?, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:81:0x032c, code lost:
    
        if (r16 == null) goto L108;
     */
    /* JADX WARN: Code restructure failed: missing block: B:83:0x0338, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L93;
     */
    /* JADX WARN: Code restructure failed: missing block: B:84:0x033b, code lost:
    
        r7.log.debug("Rerequest with {}", r16.getClass());
     */
    /* JADX WARN: Code restructure failed: missing block: B:86:0x0354, code lost:
    
        if (r16.reRequestAuthentication(r9, null) == false) goto L108;
     */
    /* JADX WARN: Code restructure failed: missing block: B:88:0x0360, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L98;
     */
    /* JADX WARN: Code restructure failed: missing block: B:89:0x0363, code lost:
    
        r7.log.debug("Rerequest {} failed", r16.getClass());
     */
    /* JADX WARN: Code restructure failed: missing block: B:90:0x0373, code lost:
    
        r0 = r7.log;
     */
    /* JADX WARN: Code restructure failed: missing block: B:91:0x037b, code lost:
    
        if (r15 != null) goto L101;
     */
    /* JADX WARN: Code restructure failed: missing block: B:92:0x037e, code lost:
    
        r2 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:93:0x0387, code lost:
    
        r0.warn("Authentication finally failed for {} from {}", r2, r0);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:94:0x0394, code lost:
    
        if (r15 != null) goto L105;
     */
    /* JADX WARN: Code restructure failed: missing block: B:95:0x0397, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:96:0x03a0, code lost:
    
        r0.logFailedLogin(r1, false, null, r8);
     */
    /* JADX WARN: Code restructure failed: missing block: B:97:0x03a9, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:98:0x039b, code lost:
    
        r1 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:99:0x0382, code lost:
    
        r2 = r15.getUsername();
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * REST-layer authentication entry point.
     *
     * <p>NOTE(review): the decompiler could not rebuild this body. What follows is a stub that unconditionally
     * throws {@link UnsupportedOperationException}; it is not the behaviour of the shipped class. The
     * "Code restructure failed" fragments listed before this method show that the real code stores the
     * resulting user under {@code ConfigConstants.SG_USER}, can fall back to {@code User.ANONYMOUS} when
     * {@code anonymousAuthEnabled} is set, can re-request authentication through an authenticator, and sends
     * a 401 response on final failure. The conditions and ordering between those steps were lost, so the
     * REST login path has to be reviewed from the bytecode or the original source, not from this listing.
     */
    public boolean authenticate(org.elasticsearch.rest.RestRequest r8, org.elasticsearch.rest.RestChannel r9, org.elasticsearch.common.util.concurrent.ThreadContext r10) {
        /*
            Method dump skipped, instructions count: 1014
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.floragunn.searchguard.auth.BackendRegistry.authenticate(org.elasticsearch.rest.RestRequest, org.elasticsearch.rest.RestChannel, org.elasticsearch.common.util.concurrent.ThreadContext):boolean");
    }

    /**
     * Resolves a user that is identified by name only (no credentials): checks that the backend knows the user,
     * lets every authorizer add roles, and caches the result under the user name.
     *
     * <p>Review notes: a failing authorizer is logged and skipped, so the returned (and cached) user may carry
     * fewer roles than configured until the entry expires. Lookup failures are reported at debug level only.
     *
     * @param cache cache keyed by user name
     * @param user the user to look up; {@code null} yields {@code null}
     * @param authenticationBackend backend asked whether the user exists
     * @param set authorizers that fill in the roles
     * @return the user with roles filled in, or {@code null} when the user is unknown or the lookup failed
     */
    private User checkExistsAndAuthz(Cache<String, User> cache, final User user, final AuthenticationBackend authenticationBackend, final Set<AuthorizationBackend> set) {
        if (user == null) {
            return null;
        }

        // Runs only on a cache miss.
        final Callable<User> loader = new Callable<User>() {
            @Override
            public User call() throws Exception {
                if (BackendRegistry.this.log.isDebugEnabled()) {
                    BackendRegistry.this.log.debug(user.getName() + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                }
                if (authenticationBackend.exists(user)) {
                    for (AuthorizationBackend roleSource : set) {
                        try {
                            roleSource.fillRoles(user, new AuthCredentials(user.getName(), new String[0]));
                        } catch (Exception roleError) {
                            BackendRegistry.this.log.error("Cannot retrieve roles for {} from {} due to {}", user.getName(), roleSource.getType(), roleError.toString(), roleError);
                        }
                    }
                    return user;
                }
                if (BackendRegistry.this.log.isDebugEnabled()) {
                    BackendRegistry.this.log.debug("User " + user.getName() + " does not exist in " + authenticationBackend.getType());
                }
                // A null result is not stored by the cache; the get() below fails and the catch turns that
                // into a null return.
                return null;
            }
        };

        try {
            return cache.get(user.getName(), loader);
        } catch (Exception lookupError) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not check and authorize " + user.getName() + " due to " + lookupError.toString(), lookupError);
            }
            return null;
        }
    }

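    /**
     * Authenticates the given credentials against one backend, lets every authorizer add roles, and caches the
     * result under the credentials.
     *
     * <p>The secrets held by {@code authCredentials} are cleared on every exit path. That cleanup used to be
     * repeated by hand before each return and in a catch-all handler; it now lives in a single
     * {@code finally} block so that a future return path cannot skip it.
     *
     * <p>Review notes: a cache hit returns the stored user without calling the backend, so the backend is not
     * consulted again for these credentials until the entry expires or the caches are invalidated. Whether a
     * hit requires the same password depends on {@code AuthCredentials.equals/hashCode}, which are not shown
     * in this file. Authentication failures are reported at debug level only.
     *
     * @param cache cache keyed by credentials
     * @param authCredentials the submitted credentials; {@code null} yields {@code null}
     * @param authenticationBackend backend that verifies the credentials
     * @param set authorizers that fill in the roles
     * @return the authenticated user, or {@code null} when authentication failed
     */
    private User authcz(Cache<AuthCredentials, User> cache, final AuthCredentials authCredentials, final AuthenticationBackend authenticationBackend, final Set<AuthorizationBackend> set) {
        if (authCredentials == null) {
            return null;
        }
        try {
            // With the no-op backend and no authorizers there is nothing worth caching.
            if (authenticationBackend.getClass() == NoOpAuthenticationBackend.class && set.isEmpty()) {
                return authenticationBackend.authenticate(authCredentials);
            }
            return cache.get(authCredentials, new Callable<User>() {
                @Override
                public User call() throws Exception {
                    if (BackendRegistry.this.log.isDebugEnabled()) {
                        BackendRegistry.this.log.debug(authCredentials.getUsername() + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                    }
                    final User authenticated = authenticationBackend.authenticate(authCredentials);
                    for (AuthorizationBackend roleSource : set) {
                        try {
                            // Role lookup gets a fresh credentials object that carries the name only.
                            roleSource.fillRoles(authenticated, new AuthCredentials(authenticated.getName(), new String[0]));
                        } catch (Exception roleError) {
                            // A failing authorizer is skipped; the user is still returned and cached.
                            BackendRegistry.this.log.error("Cannot retrieve roles for {} from {} due to {}", authenticated, roleSource.getType(), roleError.toString(), roleError);
                        }
                    }
                    return authenticated;
                }
            });
        } catch (Exception e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not authenticate " + authCredentials.getUsername() + " due to " + e.toString(), e);
            }
            return null;
        } finally {
            // Runs after a normal return, after the handled failure above, and when an Error propagates.
            authCredentials.clearSecrets();
        }
    }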

    /**
     * Evaluates the {@code sg_impersonate_as} header of a transport request.
     *
     * <p>The header value comes from the request's thread context and is therefore caller-controlled. It is
     * rejected when it names an admin DN or when {@code adminDns} does not allow the original principal to
     * impersonate it. The value is echoed inside the exception messages. This method does not check that the
     * target user exists.
     *
     * @param transportRequest the request being authenticated (not read here)
     * @param user the original transport principal; its name must parse as an LDAP name
     * @return a new user named after the header value, or {@code null} when no impersonation was requested
     * @throws ElasticsearchSecurityException when the registry is not initialized, {@code user} is
     *         {@code null}, the principal name is not a valid LDAP name, or the impersonation is not permitted
     */
    private User impersonate(TransportRequest transportRequest, User user) throws ElasticsearchSecurityException {
        final String target = this.threadPool.getThreadContext().getHeader("sg_impersonate_as");
        if (Strings.isNullOrEmpty(target)) {
            return null;
        }
        // From here on the header is known to be non-empty.
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized", new Object[0]);
        }
        if (user == null) {
            throw new ElasticsearchSecurityException("no original PKI user found", new Object[0]);
        }
        if (this.adminDns.isAdminDN(target)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as an adminuser  '" + target + "'", new Object[0]);
        }

        final boolean permitted;
        try {
            permitted = this.adminDns.isTransportImpersonationAllowed(new LdapName(user.getName()), target);
        } catch (InvalidNameException e) {
            throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + user.getName() + "'), should never happen", e, new Object[0]);
        }
        if (!permitted) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + target + "'", new Object[0]);
        }

        final User impersonated = new User(target);
        if (this.log.isDebugEnabled()) {
            this.log.debug("Impersonate from '{}' to '{}'", user.getName(), target);
        }
        return impersonated;
    }

    /**
     * Evaluates the {@code sg_impersonate_as} header of a REST request.
     *
     * <p>The header is caller-controlled. It is rejected with 403 when it names an admin DN, when
     * {@code adminDns} does not allow {@code user} to impersonate it, or when no REST auth domain knows the
     * target user. Rejections are logged at debug level only and no audit-log call is made in this method.
     * NOTE(review): confirm that the caller audits these failures.
     *
     * @param restRequest the request carrying the header
     * @param user the already authenticated user asking for impersonation
     * @return the impersonated user with roles filled in, or {@code null} when the header is absent or
     *         {@code user} is {@code null}
     * @throws ElasticsearchSecurityException when the registry is not initialized or the impersonation is
     *         refused
     */
    private User impersonate(RestRequest restRequest, User user) throws ElasticsearchSecurityException {
        final String target = restRequest.header("sg_impersonate_as");
        if (user == null || Strings.isNullOrEmpty(target)) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized", new Object[0]);
        }
        if (this.adminDns.isAdminDN(target)) {
            throw new ElasticsearchSecurityException("It is not allowed to impersonate as an adminuser  '" + target + "'", RestStatus.FORBIDDEN, new Object[0]);
        }
        if (!this.adminDns.isRestImpersonationAllowed(user.getName(), target)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + target + "'", RestStatus.FORBIDDEN, new Object[0]);
        }

        // The target must exist in one of the REST domains; the first domain that knows it wins.
        for (AuthDomain domain : this.restAuthDomains) {
            final AuthenticationBackend backend = domain.getBackend();
            final User resolved = checkExistsAndAuthz(this.restImpersonationCache, new User(target), backend, this.restAuthorizers);
            if (resolved == null) {
                this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), target, backend.getType());
                continue;
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Impersonate rest user from '{}' to '{}'", user.getName(), target);
            }
            return resolved;
        }

        this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists", user.getName(), target);
        throw new ElasticsearchSecurityException("No such user:" + target, RestStatus.FORBIDDEN, new Object[0]);
    }

    /**
     * Creates a backend or authenticator from a configured type string.
     *
     * <p>The type is first looked up as {@code <type>_<suffix>} among the built-in short names. When no short
     * name matches, the type string itself is used as the class name. The type comes from the dynamic
     * configuration, so whoever can write that configuration chooses which class is instantiated; write
     * access to it should be restricted accordingly.
     *
     * @param str configured type: a short name or a class name
     * @param str2 suffix selecting the kind of component ({@code c}, {@code z} or {@code h} at the call sites)
     * @param settings settings handed to the new instance
     * @param path configuration path handed to the new instance
     * @return the new instance, cast unchecked to the type the caller expects
     */
    private <T> T newInstance(String str, String str2, Settings settings, Path path) {
        final String builtInClass = this.authImplMap.get(str + "_" + str2);
        final String className = builtInClass != null ? builtInClass : str;

        // The flag is set for every type that is not a built-in short name and for enterprise modules.
        // NOTE(review): what instantiateAAA does with it is not visible here; presumably an extra check
        // for non-core modules. Confirm in ReflectionHelper.
        boolean flag = builtInClass == null;
        if (ReflectionHelper.isEnterpriseAAAModule(className)) {
            flag = true;
        }
        return (T) ReflectionHelper.instantiateAAA(className, settings, path, flag);
    }

    /**
     * Calls {@code destroy()} on every component registered during the previous configuration load and then
     * empties the list. A component that fails to shut down is logged and does not stop the others.
     */
    private void destroyDestroyables() {
        final Iterator<Destroyable> pending = this.destroyableComponents.iterator();
        while (pending.hasNext()) {
            final Destroyable component = pending.next();
            try {
                component.destroy();
            } catch (Exception failure) {
                this.log.error("Error while destroying " + component, failure);
            }
        }
        this.destroyableComponents.clear();
    }

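    /**
     * Maps a transport principal to a shorter user name: when a username attribute is configured and the
     * principal's name parses as an LDAP name, the value of the first RDN of that type becomes the user name.
     *
     * <p>Two changes from the earlier version. The volatile {@code transportUsernameAttribute} is read once
     * into a local, so a concurrent {@code onChange()} cannot set it to {@code null} between the null check and
     * its use. A principal name that is not a valid LDAP name is now reported at debug level rather than
     * being swallowed silently. The return value is unchanged in both cases.
     *
     * @param user the transport principal
     * @return a new user named after the matching RDN value, or {@code user} itself when no attribute is
     *         configured, no RDN matches, or the name does not parse
     */
    private User resolveTransportUsernameAttribute(User user) {
        // Snapshot of the volatile field; every later check uses this one value.
        final String attribute = this.transportUsernameAttribute;
        if (attribute == null || attribute.isEmpty()) {
            return user;
        }
        try {
            for (Rdn rdn : new LdapName(user.getName()).getRdns()) {
                if (rdn.getType().equals(attribute)) {
                    return new User((String) rdn.getValue());
                }
            }
        } catch (InvalidNameException ignored) {
            // Best effort by design: the principal keeps its full name when it is not a DN.
            this.log.debug("Transport principal '{}' is not a valid LDAP name, username attribute '{}' not applied", user.getName(), attribute);
        }
        return user;
    }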
}
