package com.floragunn.searchguard.auth;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.blocking.ClientBlockRegistry;
import com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthenticationBackend;
import com.floragunn.searchguard.auth.internal.NoOpAuthorizationBackend;
import com.floragunn.searchguard.auth.limiting.AddressBasedRateLimiter;
import com.floragunn.searchguard.auth.limiting.UserNameBasedRateLimiter;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.configuration.ConfigurationChangeListener;
import com.floragunn.searchguard.http.HTTPBasicAuthenticator;
import com.floragunn.searchguard.http.HTTPClientCertAuthenticator;
import com.floragunn.searchguard.http.HTTPProxyAuthenticator;
import com.floragunn.searchguard.http.XFFResolver;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HTTPHelper;
import com.floragunn.searchguard.support.ReflectionHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.Multimap;
import com.google.common.collect.Multimaps;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/auth/BackendRegistry.class */
public class BackendRegistry implements ConfigurationChangeListener {
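    // --- Per-configuration state, replaced wholesale by onChange(Settings). ---
    // None of these fields are volatile: onChange() assigns them before its final write of the
    // volatile `initialized`, and callers check isInitialized() before reading them. That volatile
    // handshake is what publishes them to other threads; readers that skip the check get no guarantee.
    private SortedSet<AuthDomain> restAuthDomains;          // REST auth domains in AuthDomain order; only domains with an HTTP authenticator land here
    private Set<AuthorizationBackend> restAuthorizers;
    private SortedSet<AuthDomain> transportAuthDomains;
    private Set<AuthorizationBackend> transportAuthorizers;
    private List<Destroyable> destroyableComponents;        // components of the *current* config; destroyed on the next reload
    private List<AuthFailureListener> ipAuthFailureListeners;                   // listeners not bound to a backend; notified with the client IP
    private Multimap<String, AuthFailureListener> authBackendFailureListeners;  // listeners bound to an authentication backend, keyed by its class name
    private List<ClientBlockRegistry<InetAddress>> ipClientBlockRegistries;
    private Multimap<String, ClientBlockRegistry<String>> authBackendClientBlockRegistries;
    // True once a REST auth domain (or anonymous auth) is configured; the last field written by onChange().
    private volatile boolean initialized;
    private final AdminDNs adminDns;
    private final XFFResolver xffResolver;
    private final Settings esSettings;      // static node settings, merged into every backend/authenticator config
    private final Path configPath;
    private final InternalAuthenticationBackend iab;  // single shared instance used whenever a domain selects the internal user database
    private final AuditLog auditLog;
    private final ThreadPool threadPool;
    private final UserInjector userInjector;
    private final int ttlInMin;             // write-TTL of every cache below; SEARCHGUARD_CACHE_TTL_MINUTES, default 60
    // Caches of authentication/authorization results. They are all cleared on every configuration
    // change (invalidateCache()); otherwise an entry lives until ttlInMin minutes after it was written,
    // which bounds how long a revoked credential keeps working.
    private Cache<AuthCredentials, User> userCache;
    private Cache<String, User> restImpersonationCache;
    private Cache<String, User> userCacheTransport;                 // transport users looked up by name only (no credentials submitted)
    private Cache<AuthCredentials, User> authenticatedUserCacheTransport;
    private Cache<User, Set<String>> transportRoleCache;
    private Cache<User, Set<String>> restRoleCache;
    private Cache<String, User> transportImpersonationCache;
    protected final Logger log = LogManager.getLogger(getClass());
    // Configuration shortcut + kind suffix ("_c" authc backend, "_z" authz backend, "_h" HTTP
    // authenticator, "_authFailureListener") -> implementation class name. Filled in the constructor.
    private final Map<String, String> authImplMap = new HashMap<>();
    private volatile boolean anonymousAuthEnabled = false;
    private volatile String transportUsernameAttribute = null;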

    /**
     * Builds the seven result caches. Every cache expires an entry {@code ttlInMin} minutes
     * after it was written and logs each eviction at debug level; for credential-keyed caches
     * only the username is logged, never the credential itself.
     */
    private void createCaches() {
        userCache = expiringCache(new RemovalListener<AuthCredentials, User>() {
            @Override
            public void onRemoval(RemovalNotification<AuthCredentials, User> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey().getUsername(), n.getCause());
            }
        });
        userCacheTransport = expiringCache(new RemovalListener<String, User>() {
            @Override
            public void onRemoval(RemovalNotification<String, User> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey(), n.getCause());
            }
        });
        authenticatedUserCacheTransport = expiringCache(new RemovalListener<AuthCredentials, User>() {
            @Override
            public void onRemoval(RemovalNotification<AuthCredentials, User> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey().getUsername(), n.getCause());
            }
        });
        restImpersonationCache = expiringCache(new RemovalListener<String, User>() {
            @Override
            public void onRemoval(RemovalNotification<String, User> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey(), n.getCause());
            }
        });
        transportRoleCache = expiringCache(new RemovalListener<User, Set<String>>() {
            @Override
            public void onRemoval(RemovalNotification<User, Set<String>> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey(), n.getCause());
            }
        });
        restRoleCache = expiringCache(new RemovalListener<User, Set<String>>() {
            @Override
            public void onRemoval(RemovalNotification<User, Set<String>> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey(), n.getCause());
            }
        });
        transportImpersonationCache = expiringCache(new RemovalListener<String, User>() {
            @Override
            public void onRemoval(RemovalNotification<String, User> n) {
                log.debug("Clear user cache for {} due to {}", n.getKey(), n.getCause());
            }
        });
    }

    /**
     * Creates one cache with the shared write-TTL ({@code ttlInMin} minutes) and the given
     * eviction listener.
     *
     * @param listener notified on every removal (expiry, explicit invalidation, ...)
     * @return a new, empty cache
     */
    private <K, V> Cache<K, V> expiringCache(RemovalListener<K, V> listener) {
        return CacheBuilder.newBuilder()
                .expireAfterWrite(ttlInMin, TimeUnit.MINUTES)
                .removalListener(listener)
                .build();
    }

    /**
     * Creates a registry that is not yet usable: {@link #isInitialized()} stays {@code false}
     * until {@link #onChange(Settings)} has installed a dynamic configuration.
     * <p>
     * Besides wiring the collaborators, the constructor registers the configuration shortcuts
     * ({@code internal}, {@code ldap}, {@code basic}, ...) that {@code newInstance} /
     * {@code translateShortcutToClassName} resolve to implementation classes, and sizes the
     * caches from {@code ConfigConstants.SEARCHGUARD_CACHE_TTL_MINUTES} (default 60).
     *
     * @param settings                      static node settings
     * @param path                          configuration directory handed to backends on instantiation
     * @param adminDNs                      admin certificate DNs (admins bypass backend authentication)
     * @param xFFResolver                   X-Forwarded-For resolver passed to the {@link UserInjector}
     * @param internalAuthenticationBackend the shared internal user database backend
     * @param auditLog                      audit sink for succeeded/failed logins
     * @param threadPool                    used for the request thread context (e.g. the Authorization header)
     */
    public BackendRegistry(Settings settings, Path path, AdminDNs adminDNs, XFFResolver xFFResolver, InternalAuthenticationBackend internalAuthenticationBackend, AuditLog auditLog, ThreadPool threadPool) {
        adminDns = adminDNs;
        esSettings = settings;
        configPath = path;
        xffResolver = xFFResolver;
        iab = internalAuthenticationBackend;
        this.auditLog = auditLog;
        this.threadPool = threadPool;
        userInjector = new UserInjector(settings, threadPool, auditLog, xFFResolver);
        ttlInMin = settings.getAsInt(ConfigConstants.SEARCHGUARD_CACHE_TTL_MINUTES, 60);

        final Map<String, String> impls = authImplMap;
        // "_c": authentication backends
        impls.put("intern_c", InternalAuthenticationBackend.class.getName());
        impls.put("internal_c", InternalAuthenticationBackend.class.getName());
        impls.put("noop_c", NoOpAuthenticationBackend.class.getName());
        impls.put("ldap_c", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend");
        // "_z": authorization backends (the internal shortcuts deliberately map to the no-op authorizer)
        impls.put("intern_z", NoOpAuthorizationBackend.class.getName());
        impls.put("internal_z", NoOpAuthorizationBackend.class.getName());
        impls.put("noop_z", NoOpAuthorizationBackend.class.getName());
        impls.put("ldap_z", "com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend");
        // "_h": HTTP authenticators; the enterprise ones are referenced by name only
        impls.put("basic_h", HTTPBasicAuthenticator.class.getName());
        impls.put("proxy_h", HTTPProxyAuthenticator.class.getName());
        impls.put("clientcert_h", HTTPClientCertAuthenticator.class.getName());
        impls.put("kerberos_h", "com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator");
        impls.put("jwt_h", "com.floragunn.dlic.auth.http.jwt.HTTPJwtAuthenticator");
        impls.put("openid_h", "com.floragunn.dlic.auth.http.jwt.keybyoidc.HTTPJwtKeyByOpenIdConnectAuthenticator");
        impls.put("saml_h", "com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator");
        // "_authFailureListener": rate limiters / client blockers
        impls.put("ip_authFailureListener", AddressBasedRateLimiter.class.getName());
        impls.put("username_authFailureListener", UserNameBasedRateLimiter.class.getName());

        // Must run after ttlInMin is set: the caches read it.
        createCaches();
    }

    /**
     * Whether a dynamic configuration with at least one REST auth domain (or anonymous
     * authentication) has been installed. Reading this volatile flag also makes the
     * configuration fields written before it visible to the caller.
     *
     * @return {@code true} once {@link #onChange(Settings)} has produced a usable setup
     */
    public boolean isInitialized() {
        return initialized;
    }

    /**
     * Drops every cached authentication/authorization result. Called on each configuration
     * change so that the new backends are consulted immediately instead of after the cache TTL.
     */
    public void invalidateCache() {
        final Cache<?, ?>[] caches = {
            userCache,
            userCacheTransport,
            authenticatedUserCacheTransport,
            restImpersonationCache,
            restRoleCache,
            transportRoleCache,
            transportImpersonationCache
        };
        for (final Cache<?, ?> cache : caches) {
            cache.invalidateAll();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v132, types: [com.floragunn.searchguard.auth.internal.InternalAuthenticationBackend] */
    /* JADX WARN: Type inference failed for: r0v151, types: [com.floragunn.searchguard.auth.AuthorizationBackend] */
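    /**
     * Installs a freshly loaded dynamic configuration ({@code searchguard.dynamic.*}).
     * <p>
     * Authorization backends ({@code searchguard.dynamic.authz}) and authentication domains
     * ({@code searchguard.dynamic.authc}) are instantiated into local collections first and the
     * fields are swapped only after everything has been built, so a reload never starts from an
     * empty registry. A backend or domain that fails to instantiate is logged and skipped, not
     * fatal. Auth failure listeners are built last by {@link #createAuthFailureListeners}, which
     * does not catch exceptions: a broken listener configuration aborts the reload and leaves the
     * previous configuration (or, on first load, the uninitialized state) in place.
     * <p>
     * The fields are assigned one by one; the final volatile write of {@code initialized}
     * publishes them to readers that check {@link #isInitialized()} first, but it does not make
     * the swap atomic — a concurrent reader may briefly see a mix of old and new collections.
     * The components of the previous configuration are destroyed only after the swap.
     *
     * @param settings the dynamic configuration to install
     */
    @Override // com.floragunn.searchguard.configuration.ConfigurationChangeListener
    public void onChange(Settings settings) {
        final SortedSet<AuthDomain> newRestAuthDomains = new TreeSet<>();
        final Set<AuthorizationBackend> newRestAuthorizers = new HashSet<>();
        final SortedSet<AuthDomain> newTransportAuthDomains = new TreeSet<>();
        final Set<AuthorizationBackend> newTransportAuthorizers = new HashSet<>();
        final List<Destroyable> newDestroyableComponents = new LinkedList<>();
        final List<AuthFailureListener> newIpAuthFailureListeners = new ArrayList<>();
        final Multimap<String, AuthFailureListener> newAuthBackendFailureListeners = ArrayListMultimap.create();
        final List<ClientBlockRegistry<InetAddress>> newIpClientBlockRegistries = new ArrayList<>();
        final Multimap<String, ClientBlockRegistry<String>> newAuthBackendClientBlockRegistries = ArrayListMultimap.create();

        // --- authorization backends ---
        final Map<String, Settings> authzGroups = settings.getGroups("searchguard.dynamic.authz");
        for (final String name : authzGroups.keySet()) {
            final Settings authzSettings = authzGroups.get(name);
            final boolean enabled = authzSettings.getAsBoolean("enabled", true);
            final boolean httpEnabled = enabled && authzSettings.getAsBoolean("http_enabled", true);
            final boolean transportEnabled = enabled && authzSettings.getAsBoolean("transport_enabled", true);
            if (!httpEnabled && !transportEnabled) {
                continue;
            }
            try {
                final String type = authzSettings.get("authorization_backend.type", "noop");
                final AuthorizationBackend authorizationBackend;
                if (isInternalBackend(type)) {
                    authorizationBackend = iab;
                    ReflectionHelper.addLoadedModule(InternalAuthenticationBackend.class);
                } else {
                    // Node settings are merged in so backends can see e.g. TLS/path settings.
                    final Settings backendSettings = Settings.builder().put(esSettings).put(authzSettings.getAsSettings("authorization_backend.config")).build();
                    authorizationBackend = (AuthorizationBackend) newInstance(type, "z", backendSettings, configPath);
                }
                if (httpEnabled) {
                    newRestAuthorizers.add(authorizationBackend);
                }
                if (transportEnabled) {
                    newTransportAuthorizers.add(authorizationBackend);
                }
                if (authorizationBackend instanceof Destroyable) {
                    newDestroyableComponents.add((Destroyable) authorizationBackend);
                }
            } catch (Exception e) {
                // Reflective loading of a plugin class can fail in many ways; skip only this backend.
                log.error("Unable to initialize AuthorizationBackend {} due to {}", name, e.toString(), e);
            }
        }

        // --- authentication domains ---
        final Map<String, Settings> authcGroups = settings.getGroups("searchguard.dynamic.authc");
        for (final String name : authcGroups.keySet()) {
            final Settings authcSettings = authcGroups.get(name);
            final boolean enabled = authcSettings.getAsBoolean("enabled", true);
            final boolean httpEnabled = enabled && authcSettings.getAsBoolean("http_enabled", true);
            final boolean transportEnabled = enabled && authcSettings.getAsBoolean("transport_enabled", true);
            if (!httpEnabled && !transportEnabled) {
                continue;
            }
            try {
                final String backendType = authcSettings.get("authentication_backend.type", InternalAuthenticationBackend.class.getName());
                final AuthenticationBackend authenticationBackend;
                if (isInternalBackend(backendType)) {
                    authenticationBackend = iab;
                    ReflectionHelper.addLoadedModule(InternalAuthenticationBackend.class);
                } else {
                    final Settings backendSettings = Settings.builder().put(esSettings).put(authcSettings.getAsSettings("authentication_backend.config")).build();
                    authenticationBackend = (AuthenticationBackend) newInstance(backendType, "c", backendSettings, configPath);
                }

                final String httpAuthenticatorType = authcSettings.get("http_authenticator.type");
                final HTTPAuthenticator httpAuthenticator;
                if (httpAuthenticatorType == null) {
                    httpAuthenticator = null;
                } else {
                    final Settings authenticatorSettings = Settings.builder().put(esSettings).put(authcSettings.getAsSettings("http_authenticator.config")).build();
                    httpAuthenticator = (HTTPAuthenticator) newInstance(httpAuthenticatorType, "h", authenticatorSettings, configPath);
                }

                final AuthDomain authDomain = new AuthDomain(authenticationBackend, httpAuthenticator,
                        authcSettings.getAsBoolean("http_authenticator.challenge", true),
                        authcSettings.getAsInt("order", 0));
                // A domain without an HTTP authenticator cannot serve REST; it is still usable on transport.
                if (httpEnabled && authDomain.getHttpAuthenticator() != null) {
                    newRestAuthDomains.add(authDomain);
                }
                if (transportEnabled) {
                    newTransportAuthDomains.add(authDomain);
                }
                if (httpAuthenticator instanceof Destroyable) {
                    newDestroyableComponents.add((Destroyable) httpAuthenticator);
                }
                if (authenticationBackend instanceof Destroyable) {
                    newDestroyableComponents.add((Destroyable) authenticationBackend);
                }
            } catch (Exception e) {
                log.error("Unable to initialize auth domain {} due to {}", name, e.toString(), e);
            }
        }

        createAuthFailureListeners(settings.getGroups("searchguard.dynamic.auth_failure_listeners"),
                newIpAuthFailureListeners, newAuthBackendFailureListeners,
                newIpClientBlockRegistries, newAuthBackendClientBlockRegistries, newDestroyableComponents);

        // Results cached under the old configuration must not survive the reload.
        invalidateCache();

        // NOTE(review): the key really is spelled "userrname"; it is kept byte-identical because
        // it is the key existing configurations use — confirm before ever renaming it.
        transportUsernameAttribute = settings.get("searchguard.dynamic.transport_userrname_attribute", (String) null);
        // Anonymous REST access needs the dynamic opt-in AND must not be vetoed by the node-level compliance setting.
        anonymousAuthEnabled = settings.getAsBoolean("searchguard.dynamic.http.anonymous_auth_enabled", false)
                && !esSettings.getAsBoolean(ConfigConstants.SEARCHGUARD_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false);

        final List<Destroyable> previousDestroyables = destroyableComponents;
        restAuthDomains = Collections.unmodifiableSortedSet(newRestAuthDomains);
        transportAuthDomains = Collections.unmodifiableSortedSet(newTransportAuthDomains);
        restAuthorizers = Collections.unmodifiableSet(newRestAuthorizers);
        transportAuthorizers = Collections.unmodifiableSet(newTransportAuthorizers);
        destroyableComponents = Collections.unmodifiableList(newDestroyableComponents);
        ipAuthFailureListeners = Collections.unmodifiableList(newIpAuthFailureListeners);
        ipClientBlockRegistries = Collections.unmodifiableList(newIpClientBlockRegistries);
        authBackendClientBlockRegistries = Multimaps.unmodifiableMultimap(newAuthBackendClientBlockRegistries);
        authBackendFailureListeners = Multimaps.unmodifiableMultimap(newAuthBackendFailureListeners);
        // Volatile write last: publishes all of the above to readers that check isInitialized().
        initialized = !restAuthDomains.isEmpty() || anonymousAuthEnabled;

        if (previousDestroyables != null) {
            destroyDestroyables(previousDestroyables);
        }
    }

    /**
     * Whether a configured backend type selects the built-in internal user database
     * (accepted spellings: the class name, {@code internal}, {@code intern}).
     *
     * @param type the {@code *_backend.type} value
     */
    private static boolean isInternalBackend(String type) {
        return type.equals(InternalAuthenticationBackend.class.getName())
                || type.equals("internal")
                || type.equals("intern");
    }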

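    /**
     * Instantiates the configured auth failure listeners ({@code searchguard.dynamic.auth_failure_listeners})
     * and sorts them into the collections the caller will install.
     * <p>
     * A listener without an {@code authentication_backend} setting is global and is keyed by client
     * IP; it must then block on {@code InetAddress}. A listener bound to a backend is keyed by the
     * backend's class name (shortcuts are translated) and must block on {@code String} (the user
     * name). A {@link ClientBlockRegistry} with the wrong client id type is still registered as a
     * listener but is not used for blocking, which is logged as an error.
     * <p>
     * Instantiation failures are not caught here; they propagate to the caller.
     *
     * @param map                              listener name -> listener settings
     * @param ipAuthFailureListeners           receives listeners not bound to a backend
     * @param authBackendFailureListeners      receives backend-bound listeners, keyed by backend class name
     * @param ipClientBlockRegistries          receives global listeners that block by {@code InetAddress}
     * @param authBackendClientBlockRegistries receives backend-bound listeners that block by {@code String}
     * @param destroyableComponents            receives every listener that is {@link Destroyable}
     */
    private void createAuthFailureListeners(Map<String, Settings> map, List<AuthFailureListener> ipAuthFailureListeners, Multimap<String, AuthFailureListener> authBackendFailureListeners, List<ClientBlockRegistry<InetAddress>> ipClientBlockRegistries, Multimap<String, ClientBlockRegistry<String>> authBackendClientBlockRegistries, List<Destroyable> destroyableComponents) {
        for (final Map.Entry<String, Settings> entry : map.entrySet()) {
            final Settings listenerSettings = entry.getValue();
            // NOTE(review): the decompiler resolved the "type" key to this audit constant; presumably
            // its value is the literal key "type" — confirm against the upstream source.
            final String type = listenerSettings.get(ConfigConstants.SEARCHGUARD_AUDIT_ES_TYPE);
            final String authenticationBackend = listenerSettings.get("authentication_backend");
            final AuthFailureListener authFailureListener = (AuthFailureListener) newInstance(type, "authFailureListener", listenerSettings, configPath);

            if (Strings.isNullOrEmpty(authenticationBackend)) {
                ipAuthFailureListeners.add(authFailureListener);
                if (authFailureListener instanceof ClientBlockRegistry) {
                    final ClientBlockRegistry<?> registry = (ClientBlockRegistry<?>) authFailureListener;
                    if (InetAddress.class.isAssignableFrom(registry.getClientIdType())) {
                        @SuppressWarnings("unchecked") // id type verified via getClientIdType() just above
                        final ClientBlockRegistry<InetAddress> ipRegistry = (ClientBlockRegistry<InetAddress>) registry;
                        ipClientBlockRegistries.add(ipRegistry);
                    } else {
                        log.error("Illegal ClientIdType for AuthFailureListener " + entry.getKey() + ": " + registry.getClientIdType() + "; must be InetAddress.");
                    }
                }
            } else {
                final String backendClassName = translateShortcutToClassName(authenticationBackend, "c");
                authBackendFailureListeners.put(backendClassName, authFailureListener);
                if (authFailureListener instanceof ClientBlockRegistry) {
                    final ClientBlockRegistry<?> registry = (ClientBlockRegistry<?>) authFailureListener;
                    if (String.class.isAssignableFrom(registry.getClientIdType())) {
                        @SuppressWarnings("unchecked") // id type verified via getClientIdType() just above
                        final ClientBlockRegistry<String> userRegistry = (ClientBlockRegistry<String>) registry;
                        authBackendClientBlockRegistries.put(backendClassName, userRegistry);
                    } else {
                        // Fixed message: this branch requires a String client id, not InetAddress.
                        log.error("Illegal ClientIdType for AuthFailureListener " + entry.getKey() + ": " + registry.getClientIdType() + "; must be String.");
                    }
                }
            }

            if (authFailureListener instanceof Destroyable) {
                destroyableComponents.add((Destroyable) authFailureListener);
            }
        }
    }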

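    /**
     * Authenticates a transport-layer request.
     * <p>
     * Order of checks: (1) a blocked client address is rejected outright; (2) a user whose name is
     * an admin DN is accepted without consulting any backend — this happens before the
     * initialization check so that sgadmin can bootstrap an unconfigured cluster; (3) without a
     * configuration the request is rejected; (4) each transport auth domain is tried in order,
     * either by looking the (possibly impersonated) user up by name, or, when an
     * {@code Authorization} header is present in the thread context, by authenticating those
     * credentials. A backend that returns an admin-DN user is rejected: admin identities are
     * certificate-only. Every miss notifies the backend-bound failure listeners; a final failure
     * additionally notifies the IP-bound listeners and is audited.
     *
     * @param transportRequest the request being authenticated
     * @param sslPrincipal     the name the transport layer established for the peer (presumably the
     *                         TLS client certificate principal — confirm with the caller)
     * @param task             task passed through to the audit log
     * @param action           passed through to the audit log on success (presumably the transport action name)
     * @return the authenticated user, or {@code null} if authentication failed
     */
    public User authenticate(TransportRequest transportRequest, String sslPrincipal, Task task, String action) {
        final InetAddress remoteIp = transportRequest.remoteAddress() == null
                ? null
                : transportRequest.remoteAddress().address().getAddress();

        if (log.isDebugEnabled() && transportRequest.remoteAddress() != null) {
            log.debug("Transport authentication request from {}", transportRequest.remoteAddress());
        }
        if (transportRequest.remoteAddress() != null && isBlocked(remoteIp)) {
            if (log.isDebugEnabled()) {
                log.debug("Rejecting transport request because of blocked address: " + transportRequest.remoteAddress());
            }
            return null;
        }

        User user = new User(sslPrincipal);
        if (adminDns.isAdmin(user)) {
            auditLog.logSucceededLogin(user.getName(), true, null, transportRequest, action, task);
            return user;
        }
        if (!isInitialized()) {
            log.error("Not yet initialized (you may need to run sgadmin)");
            return null;
        }

        final AuthCredentials creds = HTTPHelper.extractCredentials(threadPool.getThreadContext().getHeader("Authorization"), log);
        User impersonatedUser = null;
        if (creds != null && log.isDebugEnabled()) {
            log.debug("User {} submitted also basic credentials: {}", user.getName(), creds);
        }

        for (final AuthDomain authDomain : transportAuthDomains) {
            final User authenticatedUser;
            if (creds == null) {
                // Name-based path: impersonation and the username attribute are re-resolved per domain.
                impersonatedUser = impersonate(transportRequest, user);
                user = resolveTransportUsernameAttribute(user);
                authenticatedUser = checkExistsAndAuthz(userCacheTransport, impersonatedUser == null ? user : impersonatedUser, authDomain.getBackend(), transportAuthorizers);
            } else {
                authenticatedUser = authcz(authenticatedUserCacheTransport, transportRoleCache, creds, authDomain.getBackend(), transportAuthorizers);
            }

            if (authenticatedUser != null) {
                if (adminDns.isAdmin(authenticatedUser)) {
                    log.error("Cannot authenticate user because admin user is not permitted to login");
                    auditLog.logFailedLogin(authenticatedUser.getName(), true, null, transportRequest, task);
                    return null;
                }
                if (log.isDebugEnabled()) {
                    log.debug("User '{}' is authenticated", authenticatedUser);
                }
                auditLog.logSucceededLogin(authenticatedUser.getName(), false, impersonatedUser == null ? null : user.getName(), transportRequest, action, task);
                return authenticatedUser;
            }

            for (final AuthFailureListener listener : authBackendFailureListeners.get(authDomain.getBackend().getClass().getName())) {
                listener.onAuthFailure(remoteIp, creds, transportRequest);
            }
            if (log.isDebugEnabled()) {
                log.debug("Cannot authenticate user {} (or add roles) with authdomain {}/{}, try next",
                        loginName(creds, user, impersonatedUser), authDomain.getBackend().getType(), authDomain.getOrder());
            }
        }

        final String failedName = loginName(creds, user, impersonatedUser);
        if (creds == null) {
            auditLog.logFailedLogin(failedName, false, impersonatedUser == null ? null : user.getName(), transportRequest, task);
        } else {
            auditLog.logFailedLogin(failedName, false, null, transportRequest, task);
        }
        log.warn("Transport authentication finally failed for {} from {}", failedName, transportRequest.remoteAddress());
        notifyIpAuthFailureListeners(remoteIp, creds, transportRequest);
        return null;
    }

    /**
     * The name to report for a login attempt: the submitted credentials' user name if credentials
     * were present, else the impersonated user, else the transport user itself.
     */
    private static String loginName(AuthCredentials creds, User user, User impersonatedUser) {
        if (creds != null) {
            return creds.getUsername();
        }
        return impersonatedUser == null ? user.getName() : impersonatedUser.getName();
    }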

    /* JADX WARN: Code restructure failed: missing block: B:100:0x0442, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:101:?, code lost:
    
        return true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:103:0x0446, code lost:
    
        if (r16 == null) goto L133;
     */
    /* JADX WARN: Code restructure failed: missing block: B:105:0x0452, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L118;
     */
    /* JADX WARN: Code restructure failed: missing block: B:106:0x0455, code lost:
    
        r7.log.debug("Rerequest with {}", r16.getClass());
     */
    /* JADX WARN: Code restructure failed: missing block: B:108:0x046f, code lost:
    
        if (r16.reRequestAuthentication(r9, null) == false) goto L133;
     */
    /* JADX WARN: Code restructure failed: missing block: B:110:0x047b, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L123;
     */
    /* JADX WARN: Code restructure failed: missing block: B:111:0x047e, code lost:
    
        r7.log.debug("Rerequest {} failed", r16.getClass());
     */
    /* JADX WARN: Code restructure failed: missing block: B:112:0x048f, code lost:
    
        r0 = r7.log;
     */
    /* JADX WARN: Code restructure failed: missing block: B:113:0x0498, code lost:
    
        if (r15 != null) goto L126;
     */
    /* JADX WARN: Code restructure failed: missing block: B:114:0x049b, code lost:
    
        r2 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:115:0x04a4, code lost:
    
        r0.warn("Authentication finally failed for {} from {}", r2, r0);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:116:0x04b1, code lost:
    
        if (r15 != null) goto L130;
     */
    /* JADX WARN: Code restructure failed: missing block: B:117:0x04b4, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:118:0x04bd, code lost:
    
        r0.logFailedLogin(r1, false, null, r8);
        notifyIpAuthFailureListeners(r8, r15);
     */
    /* JADX WARN: Code restructure failed: missing block: B:119:0x04cd, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:120:0x04b8, code lost:
    
        r1 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:121:0x049f, code lost:
    
        r2 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:122:0x04ce, code lost:
    
        r0 = r7.log;
     */
    /* JADX WARN: Code restructure failed: missing block: B:123:0x04d7, code lost:
    
        if (r15 != null) goto L136;
     */
    /* JADX WARN: Code restructure failed: missing block: B:124:0x04da, code lost:
    
        r2 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:125:0x04e3, code lost:
    
        r0.warn("Authentication finally failed for {} from {}", r2, r0);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:126:0x04f0, code lost:
    
        if (r15 != null) goto L140;
     */
    /* JADX WARN: Code restructure failed: missing block: B:127:0x04f3, code lost:
    
        r1 = null;
     */
    /* JADX WARN: Code restructure failed: missing block: B:128:0x04fc, code lost:
    
        r0.logFailedLogin(r1, false, null, r8);
        notifyIpAuthFailureListeners(r8, r15);
        r9.sendResponse(new org.elasticsearch.rest.BytesRestResponse(org.elasticsearch.rest.RestStatus.UNAUTHORIZED, "Authentication finally failed"));
     */
    /* JADX WARN: Code restructure failed: missing block: B:129:0x051e, code lost:
    
        return false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:130:0x04f7, code lost:
    
        r1 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:131:0x04de, code lost:
    
        r2 = r15.getUsername();
     */
    /* JADX WARN: Code restructure failed: missing block: B:78:0x039f, code lost:
    
        if (r13 == false) goto L101;
     */
    /* JADX WARN: Code restructure failed: missing block: B:79:0x03a2, code lost:
    
        r0 = impersonate(r8, r14);
     */
    /* JADX WARN: Code restructure failed: missing block: B:80:0x03b0, code lost:
    
        if (r0 != null) goto L95;
     */
    /* JADX WARN: Code restructure failed: missing block: B:81:0x03b3, code lost:
    
        r2 = r14;
     */
    /* JADX WARN: Code restructure failed: missing block: B:82:0x03ba, code lost:
    
        r10.putTransient(com.floragunn.searchguard.support.ConfigConstants.SG_USER, r2);
        r0 = r7.auditLog;
     */
    /* JADX WARN: Code restructure failed: missing block: B:83:0x03c3, code lost:
    
        if (r0 != null) goto L99;
     */
    /* JADX WARN: Code restructure failed: missing block: B:84:0x03c6, code lost:
    
        r1 = r14;
     */
    /* JADX WARN: Code restructure failed: missing block: B:85:0x03cd, code lost:
    
        r0.logSucceededLogin(r1.getName(), false, r14.getName(), r8);
     */
    /* JADX WARN: Code restructure failed: missing block: B:87:0x0521, code lost:
    
        return r13;
     */
    /* JADX WARN: Code restructure failed: missing block: B:88:0x03cb, code lost:
    
        r1 = r0;
     */
    /* JADX WARN: Code restructure failed: missing block: B:89:0x03b8, code lost:
    
        r2 = r0;
     */
    /* JADX WARN: Code restructure failed: missing block: B:91:0x03e8, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L104;
     */
    /* JADX WARN: Code restructure failed: missing block: B:92:0x03eb, code lost:
    
        r7.log.debug("User still not authenticated after checking {} auth domains", java.lang.Integer.valueOf(r7.restAuthDomains.size()));
     */
    /* JADX WARN: Code restructure failed: missing block: B:94:0x0405, code lost:
    
        if (r15 != null) goto L113;
     */
    /* JADX WARN: Code restructure failed: missing block: B:96:0x040c, code lost:
    
        if (r7.anonymousAuthEnabled == false) goto L113;
     */
    /* JADX WARN: Code restructure failed: missing block: B:97:0x040f, code lost:
    
        r10.putTransient(com.floragunn.searchguard.support.ConfigConstants.SG_USER, com.floragunn.searchguard.user.User.ANONYMOUS);
        r7.auditLog.logSucceededLogin(com.floragunn.searchguard.user.User.ANONYMOUS.getName(), false, null, r8);
     */
    /* JADX WARN: Code restructure failed: missing block: B:98:0x0433, code lost:
    
        if (r7.log.isDebugEnabled() == false) goto L173;
     */
    /* JADX WARN: Code restructure failed: missing block: B:99:0x0436, code lost:
    
        r7.log.debug("Anonymous User is authenticated");
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * REST authentication entry point — decompilation stub.
     * <p>
     * JADX could not reconstruct this method (1314 instructions); the body below is the
     * decompiler's placeholder and throws unconditionally, so this listing must not be treated as
     * the runnable implementation. The recovered fragments in the comments above suggest the
     * original: on success the user is stored in the thread context under
     * {@code ConfigConstants.SG_USER} and a succeeded login is audited; when no credentials were
     * found and {@code anonymousAuthEnabled} is set, {@code User.ANONYMOUS} is stored instead;
     * on failure an authenticator may re-request authentication
     * ({@code reRequestAuthentication}), otherwise "Authentication finally failed" is logged,
     * the failed login is audited, the IP failure listeners are notified and an
     * {@code UNAUTHORIZED} response is sent. Treat these as hints to be confirmed against the
     * upstream source.
     *
     * @param r8  the incoming REST request
     * @param r9  the channel used to send an authentication challenge or failure response
     * @param r10 the thread context the authenticated user is published into
     * @return whether the request was authenticated (from the fragments; not verifiable here)
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    public boolean authenticate(org.elasticsearch.rest.RestRequest r8, org.elasticsearch.rest.RestChannel r9, org.elasticsearch.common.util.concurrent.ThreadContext r10) {
        /*
            Method dump skipped, instructions count: 1314
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.floragunn.searchguard.auth.BackendRegistry.authenticate(org.elasticsearch.rest.RestRequest, org.elasticsearch.rest.RestChannel, org.elasticsearch.common.util.concurrent.ThreadContext):boolean");
    }

    /**
     * REST variant: derives the client IP from the request's remote address (only when it is an
     * {@link InetSocketAddress}; otherwise {@code null} is reported) and notifies the IP-bound
     * auth failure listeners.
     *
     * @param restRequest     the failed request
     * @param authCredentials the credentials that failed, or {@code null} if none were submitted
     */
    private void notifyIpAuthFailureListeners(RestRequest restRequest, AuthCredentials authCredentials) {
        final InetAddress clientIp;
        if (restRequest.getRemoteAddress() instanceof InetSocketAddress) {
            clientIp = ((InetSocketAddress) restRequest.getRemoteAddress()).getAddress();
        } else {
            clientIp = null;
        }
        notifyIpAuthFailureListeners(clientIp, authCredentials, restRequest);
    }

    /**
     * Notifies every IP-bound auth failure listener (those configured without an
     * {@code authentication_backend}) of a failed login.
     *
     * @param inetAddress     the client address, or {@code null} if it is unknown
     * @param authCredentials the credentials that failed, or {@code null} if none were submitted
     * @param obj             the originating request (a transport or REST request, per the callers)
     */
    private void notifyIpAuthFailureListeners(InetAddress inetAddress, AuthCredentials authCredentials, Object obj) {
        for (final AuthFailureListener listener : ipAuthFailureListeners) {
            listener.onAuthFailure(inetAddress, authCredentials, obj);
        }
    }

    /**
     * Verifies that {@code user} exists in {@code authenticationBackend} and, if so, fills its
     * roles from {@code set}; results are memoised in {@code cache}.
     *
     * <p>The cache key is the user name alone, so a cached entry is returned on later calls
     * regardless of which backend is passed in. A user that does not exist is not cached:
     * Guava's {@code Cache.get} rejects a null loader result with an exception, which the
     * catch below turns into a {@code null} return.
     *
     * @return the (authorized) user, or {@code null} if absent or if the lookup failed
     */
    private User checkExistsAndAuthz(Cache<String, User> cache, final User user, final AuthenticationBackend authenticationBackend, final Set<AuthorizationBackend> set) {
        if (user == null) {
            return null;
        }
        final String userName = user.getName();
        try {
            return cache.get(userName, () -> {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Credentials for user " + userName + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                }
                if (!authenticationBackend.exists(user)) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("User " + userName + " does not exist in " + authenticationBackend.getType());
                    }
                    return null;
                }
                // Roles are resolved without a role cache (null) for impersonation lookups.
                this.authz(user, null, set);
                return user;
            });
        } catch (Exception e) {
            // Best-effort: any failure (including the "user does not exist" case above) means "not found".
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not check and authorize " + userName + " due to " + e.toString(), e);
            }
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Populates {@code user}'s roles, either from {@code cache} (when present and warm) or by
     * asking every backend in {@code set}.
     *
     * <p>NOTE(review): roles are written to the cache even when one of the backends failed
     * (the failure is only logged), so a transient backend error can leave an incomplete
     * role set cached until eviction.
     *
     * @param user  the user to authorize; a null user is ignored
     * @param cache optional roles cache keyed by user, may be {@code null}
     * @param set   authorization backends to consult; null/empty means no roles are added
     */
    public void authz(User user, Cache<User, Set<String>> cache, Set<AuthorizationBackend> set) {
        if (user == null) {
            return;
        }
        // Fast path: roles already resolved for this user, skip the backends entirely.
        if (cache != null) {
            final Set<String> cachedRoles = cache.getIfPresent(user);
            if (cachedRoles != null) {
                user.addRoles(new HashSet<>(cachedRoles));
                return;
            }
        }
        if (set == null || set.isEmpty()) {
            return;
        }
        for (AuthorizationBackend backend : set) {
            try {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Backend roles for " + user.getName() + " not cached, return from " + backend.getType() + " backend directly");
                }
                // Backends fill roles into the passed user in place; a failing backend does not
                // stop the remaining ones from being consulted.
                backend.fillRoles(user, new AuthCredentials(user.getName(), new String[0]));
            } catch (Exception e) {
                this.log.error("Cannot retrieve roles for {} from {} due to {}", user, backend.getType(), e.toString(), e);
            }
        }
        if (cache != null) {
            cache.put(user, new HashSet<>(user.getRoles()));
        }
    }

    /**
     * Authenticates {@code authCredentials} against {@code authenticationBackend} and
     * authorizes the result, memoising in {@code cache} keyed by the credentials.
     *
     * <p>Secrets are cleared from {@code authCredentials} on every exit path (success,
     * caught failure, or an Error propagating out). NOTE(review): the same instance that
     * becomes the cache key has its secrets cleared afterwards, so equality/hashing of
     * {@code AuthCredentials} must not depend on the cleared material -- confirm in that class.
     *
     * @return the authenticated user, or {@code null} when credentials are missing or
     *         authentication failed
     */
    private User authcz(Cache<AuthCredentials, User> cache, final Cache<User, Set<String>> cache2, final AuthCredentials authCredentials, final AuthenticationBackend authenticationBackend, final Set<AuthorizationBackend> set) {
        if (authCredentials == null) {
            return null;
        }
        try {
            // NoOp backend with no authorizers: nothing worth caching, call through directly.
            if (authenticationBackend.getClass() == NoOpAuthenticationBackend.class && set.isEmpty()) {
                return authenticationBackend.authenticate(authCredentials);
            }
            return cache.get(authCredentials, () -> {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Credentials for user " + authCredentials.getUsername() + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                }
                final User authenticated = authenticationBackend.authenticate(authCredentials);
                this.authz(authenticated, cache2, set);
                return authenticated;
            });
        } catch (Exception e) {
            // Best-effort: a failed or rejected authentication is reported as "no user".
            if (this.log.isDebugEnabled()) {
                this.log.debug("Can not authenticate " + authCredentials.getUsername() + " due to " + e.toString(), e);
            }
            return null;
        } finally {
            authCredentials.clearSecrets();
        }
    }

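    /**
     * Resolves a transport-layer impersonation request carried in the {@code sg_impersonate_as}
     * thread-context header.
     *
     * <p>Order of checks: header present, Search Guard initialized, original user present,
     * target is not an admin DN, caller is allowed to impersonate the target (decided by
     * {@code AdminDNs}), target known to at least one transport auth domain. The redundant
     * {@code header != null} / {@code header == null} branches of the previous version were
     * unreachable after the {@code isNullOrEmpty} guard and have been removed.
     *
     * <p>NOTE(review): unlike the REST variant, the denials here (admin DN, not allowed) are
     * thrown without {@code RestStatus.FORBIDDEN}; only the "no such user" case carries it.
     *
     * @param transportRequest the current transport request (not consulted; the header is
     *        read from the thread context)
     * @param user the already authenticated (PKI) user requesting impersonation
     * @return {@code null} when no impersonation header is present, otherwise the impersonated
     *         user as resolved and authorized by the first transport auth domain that knows it
     * @throws ElasticsearchSecurityException when not initialized, the original user is
     *         missing, the target is an admin DN, impersonation is not allowed for this caller,
     *         the caller's name is not a valid DN, or no auth domain knows the target
     */
    private User impersonate(TransportRequest transportRequest, User user) throws ElasticsearchSecurityException {
        final String header = this.threadPool.getThreadContext().getHeader("sg_impersonate_as");
        if (Strings.isNullOrEmpty(header)) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized", new Object[0]);
        }
        if (user == null) {
            throw new ElasticsearchSecurityException("no original PKI user found", new Object[0]);
        }
        // Admin DNs can never be impersonated, regardless of the allow-list checked next.
        if (this.adminDns.isAdminDN(header)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as an adminuser  '" + header + "'", new Object[0]);
        }
        // The caller's DN must be explicitly permitted to impersonate the target.
        try {
            if (!this.adminDns.isTransportImpersonationAllowed(new LdapName(user.getName()), header)) {
                throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as transport user '" + header + "'", new Object[0]);
            }
        } catch (InvalidNameException e) {
            throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + user.getName() + "'), should never happen", e, new Object[0]);
        }
        // First auth domain that knows the target user wins.
        for (AuthDomain authDomain : this.transportAuthDomains) {
            final AuthenticationBackend backend = authDomain.getBackend();
            final User impersonated = checkExistsAndAuthz(this.transportImpersonationCache, new User(header), backend, this.transportAuthorizers);
            if (impersonated != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Impersonate transport user from '{}' to '{}'", user.getName(), header);
                }
                return impersonated;
            }
            this.log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), header, backend.getType());
        }
        this.log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists", user.getName(), header);
        throw new ElasticsearchSecurityException("No such transport user: " + header, RestStatus.FORBIDDEN, new Object[0]);
    }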

    /**
     * Resolves a REST-layer impersonation request carried in the {@code sg_impersonate_as}
     * request header.
     *
     * <p>Checks, in order: header present and original user present, Search Guard initialized,
     * target is not an admin DN, caller allowed to impersonate the target (per {@code AdminDNs}),
     * target known to at least one REST auth domain.
     *
     * @return {@code null} when there is nothing to impersonate, otherwise the impersonated user
     * @throws ElasticsearchSecurityException on any denial, carrying {@code RestStatus.FORBIDDEN}
     *         except for the not-yet-initialized case
     */
    private User impersonate(RestRequest restRequest, User user) throws ElasticsearchSecurityException {
        final String header = restRequest.header("sg_impersonate_as");
        if (Strings.isNullOrEmpty(header) || user == null) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Search Guard is not yet initialized", new Object[0]);
        }
        // Admin DNs can never be impersonated, regardless of the allow-list checked next.
        if (this.adminDns.isAdminDN(header)) {
            throw new ElasticsearchSecurityException("It is not allowed to impersonate as an adminuser  '" + header + "'", RestStatus.FORBIDDEN, new Object[0]);
        }
        if (!this.adminDns.isRestImpersonationAllowed(user.getName(), header)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + header + "'", RestStatus.FORBIDDEN, new Object[0]);
        }
        // First auth domain that knows the target user wins.
        for (AuthDomain authDomain : this.restAuthDomains) {
            final AuthenticationBackend backend = authDomain.getBackend();
            final User impersonated = checkExistsAndAuthz(this.restImpersonationCache, new User(header), backend, this.restAuthorizers);
            if (impersonated != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Impersonate rest user from '{}' to '{}'", user.getName(), header);
                }
                return impersonated;
            }
            this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), header, backend.getType());
        }
        this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists", user.getName(), header);
        throw new ElasticsearchSecurityException("No such user:" + header, RestStatus.FORBIDDEN, new Object[0]);
    }

    /**
     * Instantiates an authentication/authorization implementation by name.
     *
     * <p>Known shortcut names ({@code str + "_" + str2}) are translated through
     * {@code authImplMap}; a name that is not in the map is handed to
     * {@code ReflectionHelper.instantiateAAA} unchanged (presumably a configuration-supplied
     * class name -- confirm in ReflectionHelper). The boolean passed last is true for such
     * unmapped names and for names {@code ReflectionHelper.isEnterpriseAAAModule} recognises.
     */
    @SuppressWarnings("unchecked")
    private <T> T newInstance(String str, String str2, Settings settings, Path path) {
        final String shortcutKey = str + "_" + str2;
        final String className;
        final boolean unmapped;
        if (this.authImplMap.containsKey(shortcutKey)) {
            className = this.authImplMap.get(shortcutKey);
            unmapped = false;
        } else {
            className = str;
            unmapped = true;
        }
        // Evaluated unconditionally, as in the original, to keep any side effects identical.
        final boolean enterprise = ReflectionHelper.isEnterpriseAAAModule(className);
        return (T) ReflectionHelper.instantiateAAA(className, settings, path, unmapped || enterprise);
    }

    /**
     * Maps a {@code "<str>_<str2>"} shortcut to its implementation class name via
     * {@code authImplMap}; names not in the map are returned unchanged.
     */
    private String translateShortcutToClassName(String str, String str2) {
        final String shortcutKey = str + "_" + str2;
        if (this.authImplMap.containsKey(shortcutKey)) {
            return this.authImplMap.get(shortcutKey);
        }
        return str;
    }

    /**
     * Destroys every element of {@code list}, best-effort: a failing {@code destroy()} is
     * logged and does not prevent the remaining elements from being destroyed.
     */
    private void destroyDestroyables(List<Destroyable> list) {
        list.forEach(destroyable -> {
            try {
                destroyable.destroy();
            } catch (Exception e) {
                this.log.error("Error while destroying " + destroyable, e);
            }
        });
    }

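    /**
     * Replaces a DN-shaped transport user name with the value of the configured
     * {@code transportUsernameAttribute} RDN, when that attribute occurs in the DN.
     *
     * <p>Falls back to the unchanged {@code user} when no attribute is configured, the DN does
     * not contain it, or the name is not a valid LDAP name. The parse failure was previously
     * swallowed silently; it is now logged at debug level.
     *
     * @param user the authenticated transport user whose name is expected to be a DN
     * @return a new {@link User} named after the attribute value, or {@code user} itself
     */
    private User resolveTransportUsernameAttribute(User user) {
        if (this.transportUsernameAttribute == null || this.transportUsernameAttribute.isEmpty()) {
            return user;
        }
        try {
            // LdapName lists RDNs rightmost-first, so with a repeated attribute the rightmost
            // occurrence wins. The type comparison is case-sensitive (LDAP itself treats
            // attribute types case-insensitively), so the configured spelling must match the DN.
            for (Rdn rdn : new LdapName(user.getName()).getRdns()) {
                if (rdn.getType().equals(this.transportUsernameAttribute)) {
                    // Rdn.getValue() is an Object; a non-string (binary) value would fail this cast.
                    return new User((String) rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Cannot parse '" + user.getName() + "' as LDAP name, keeping user name unchanged", e);
            }
        }
        return user;
    }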

    /**
     * Returns {@code true} if any registered IP block registry reports {@code inetAddress}
     * as blocked; with no registries configured nothing is ever blocked.
     */
    private boolean isBlocked(InetAddress inetAddress) {
        if (this.ipClientBlockRegistries == null || this.ipClientBlockRegistries.isEmpty()) {
            return false;
        }
        return this.ipClientBlockRegistries.stream()
                .anyMatch(registry -> registry.isBlocked(inetAddress));
    }

    /**
     * Returns {@code true} if any block registry registered for auth backend {@code str}
     * reports the client id {@code str2} as blocked.
     *
     * <p>The result of {@code get(str)} is not null-checked, so this relies on a Multimap-style
     * lookup that yields an empty collection for unknown backends.
     */
    private boolean isBlocked(String str, String str2) {
        if (this.authBackendClientBlockRegistries == null) {
            return false;
        }
        final Collection<?> registries = this.authBackendClientBlockRegistries.get(str);
        if (registries.isEmpty()) {
            return false;
        }
        // Raw ClientBlockRegistry as in the decompiled original; the element type is not
        // visible here, so no parameterised cast is assumed.
        for (Object registry : registries) {
            if (((ClientBlockRegistry) registry).isBlocked(str2)) {
                return true;
            }
        }
        return false;
    }
}
