package com.floragunn.searchguard.filter;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.BackendRegistry;
import com.floragunn.searchguard.configuration.CompatConfig;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLRequestHelper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HTTPHelper;
import com.floragunn.searchguard.user.User;
import java.nio.file.Path;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/filter/SearchGuardRestFilter.class */
/**
 * REST-layer gate that runs before every wrapped {@link RestHandler}.
 *
 * <p>For each request it (1) rejects requests flagged by the two bad-header checks,
 * (2) copies TLS session details into the Elasticsearch thread context, and
 * (3) asks the {@link BackendRegistry} to authenticate the request unless the request
 * falls under one of the unauthenticated exemptions listed in
 * {@link #isExemptFromAuthentication(RestRequest)}.
 *
 * <p>This listing is decompiler output; identifiers follow the decompiled class.
 */
public class SearchGuardRestFilter {
    protected final Logger log = LogManager.getLogger(getClass());
    private final BackendRegistry registry;
    private final AuditLog auditLog;
    private final ThreadContext threadContext;
    private final PrincipalExtractor principalExtractor;
    private final Settings settings;
    private final Path configPath;
    private final CompatConfig compatConfig;

    /**
     * Stores the collaborators used on every request.
     *
     * @param backendRegistry performs the actual authentication
     * @param auditLog receives bad-header and SSL-failure events
     * @param threadPool only its {@link ThreadContext} is retained
     * @param principalExtractor handed to {@code SSLRequestHelper.getSSLInfo}
     * @param settings handed to {@code SSLRequestHelper.getSSLInfo}
     * @param path configuration path handed to {@code SSLRequestHelper.getSSLInfo}
     * @param compatConfig consulted for {@code restAuthEnabled()}
     */
    public SearchGuardRestFilter(BackendRegistry backendRegistry, AuditLog auditLog, ThreadPool threadPool, PrincipalExtractor principalExtractor, Settings settings, Path path, CompatConfig compatConfig) {
        this.compatConfig = compatConfig;
        this.configPath = path;
        this.settings = settings;
        this.principalExtractor = principalExtractor;
        this.threadContext = threadPool.getThreadContext();
        this.auditLog = auditLog;
        this.registry = backendRegistry;
    }

    /**
     * Decorates a handler so that the security checks run first.
     *
     * @param restHandler the handler to protect
     * @return a handler that delegates to {@code restHandler} only when
     *     {@link #checkAndAuthenticateRequest} returns {@code false}
     */
    public RestHandler wrap(final RestHandler restHandler) {
        return new RestHandler() {
            @Override
            public void handleRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
                // Reset the log4j diagnostic context first; the "user" entry is written into it
                // further down, so presumably this keeps a value from an earlier request on the
                // same thread from showing up in this request's log lines.
                org.apache.logging.log4j.ThreadContext.clearAll();
                final boolean alreadyHandled = checkAndAuthenticateRequest(restRequest, restChannel, nodeClient);
                if (!alreadyHandled) {
                    restHandler.handleRequest(restRequest, restChannel, nodeClient);
                }
            }
        };
    }

    /**
     * Runs the header, TLS and authentication checks for one request.
     *
     * <p>The decompiler reports that this method was {@code private} in the original class.
     *
     * @param restRequest the incoming request
     * @param restChannel channel used to send a 403 when a check fails here
     * @param nodeClient not used by this method
     * @return {@code true} when the request must not reach the wrapped handler (a 403 was
     *     sent here, or the registry did not authenticate it); {@code false} when the wrapped
     *     handler should run
     * @throws Exception anything other than {@link SSLPeerUnverifiedException} raised by the
     *     helpers or the registry propagates to the caller
     */
    public boolean checkAndAuthenticateRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
        this.threadContext.putTransient(ConfigConstants.SG_ORIGIN, AuditLog.Origin.REST.toString());

        // Both header checks run before any TLS or authentication work, and the second is only
        // evaluated when the first passes. Which headers count as "bad" is decided inside the
        // helpers - presumably client-supplied headers in the plugin's internal namespace
        // (SG_CONFIG_PREFIX); confirm against HTTPHelper / SSLRequestHelper.
        if (HTTPHelper.containsBadHeader(restRequest)) {
            return denyForBadHeaders(restRequest, restChannel);
        }
        if (SSLRequestHelper.containsBadHeader(this.threadContext, ConfigConstants.SG_CONFIG_PREFIX)) {
            return denyForBadHeaders(restRequest, restChannel);
        }

        try {
            publishSslInfo(SSLRequestHelper.getSSLInfo(this.settings, this.configPath, restRequest, this.principalExtractor));

            if (isExemptFromAuthentication(restRequest)) {
                return false;
            }

            if (!this.registry.authenticate(restRequest, restChannel, this.threadContext)) {
                // No response is sent from here on this path; presumably the registry has
                // already answered the client (challenge or error) - confirm in BackendRegistry.
                org.apache.logging.log4j.ThreadContext.remove("user");
                return true;
            }

            // Expose the authenticated user name to log4j.
            // NOTE(review): the transient is cast and dereferenced without a null check, so this
            // relies on authenticate() always setting SG_USER to a User when it returns true.
            org.apache.logging.log4j.ThreadContext.put("user", ((User) this.threadContext.getTransient(ConfigConstants.SG_USER)).getName());
            return false;
        } catch (SSLPeerUnverifiedException sslFailure) {
            // Fail closed: the failure is logged, audited and answered with 403.
            // NOTE(review): the exception object itself is handed to the response; check how
            // much of its detail the channel serialises back to the client.
            this.log.error("No ssl info", sslFailure);
            this.auditLog.logSSLException(restRequest, sslFailure);
            restChannel.sendResponse(new BytesRestResponse(restChannel, RestStatus.FORBIDDEN, sslFailure));
            return true;
        }
    }

    /**
     * Logs, audits and answers a request that failed a bad-header check with 403.
     *
     * @return always {@code true}, so callers can return the result directly
     */
    private boolean denyForBadHeaders(RestRequest restRequest, RestChannel restChannel) {
        final ElasticsearchException badHeaderError = ExceptionUtils.createBadHeaderException();
        this.log.error(badHeaderError);
        this.auditLog.logBadHeaders(restRequest);
        restChannel.sendResponse(new BytesRestResponse(restChannel, RestStatus.FORBIDDEN, badHeaderError));
        return true;
    }

    /**
     * Copies TLS details into the thread context as transients. Principal and peer
     * certificates are written only when present; protocol and cipher are always written
     * once SSL info exists at all.
     */
    private void publishSslInfo(SSLRequestHelper.SSLInfo sslInfo) {
        if (sslInfo == null) {
            return;
        }
        if (sslInfo.getPrincipal() != null) {
            this.threadContext.putTransient(ConfigConstants.SG_SSL_PRINCIPAL, sslInfo.getPrincipal());
        }
        if (sslInfo.getX509Certs() != null) {
            this.threadContext.putTransient(ConfigConstants.SG_SSL_PEER_CERTIFICATES, sslInfo.getX509Certs());
        }
        this.threadContext.putTransient("_sg_ssl_protocol", sslInfo.getProtocol());
        this.threadContext.putTransient("_sg_ssl_cipher", sslInfo.getCipher());
    }

    /**
     * Decides whether a request reaches the wrapped handler without authentication.
     *
     * <p>Exemptions, in evaluation order: REST authentication disabled in the compat config,
     * any {@code OPTIONS} request regardless of path, and the two literal paths below. The
     * path comparison is an exact string match, so any variant of those paths that does not
     * compare equal falls through to authentication. Handlers behind these exemptions run
     * without an authenticated user and need to be safe to expose that way.
     */
    private boolean isExemptFromAuthentication(RestRequest restRequest) {
        if (!this.compatConfig.restAuthEnabled()) {
            return true;
        }
        if (restRequest.method() == RestRequest.Method.OPTIONS) {
            return true;
        }
        final String requestPath = restRequest.path();
        return "/_searchguard/license".equals(requestPath) || "/_searchguard/health".equals(requestPath);
    }
}
