package org.codelibs.elasticsearch.auth.service;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.UUID;
import org.apache.commons.codec.digest.DigestUtils;
import org.codelibs.elasticsearch.auth.AuthException;
import org.codelibs.elasticsearch.auth.filter.ContentFilter;
import org.codelibs.elasticsearch.auth.filter.LoginFilter;
import org.codelibs.elasticsearch.auth.filter.LogoutFilter;
import org.codelibs.elasticsearch.auth.security.Authenticator;
import org.codelibs.elasticsearch.auth.security.LoginConstraint;
import org.codelibs.elasticsearch.auth.util.MapUtil;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthStatus;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.admin.indices.exists.indices.IndicesExistsResponse;
import org.elasticsearch.action.admin.indices.refresh.RefreshResponse;
import org.elasticsearch.action.delete.DeleteResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.component.AbstractLifecycleComponent;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.netty.handler.codec.http.Cookie;
import org.elasticsearch.common.netty.handler.codec.http.CookieDecoder;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.SearchHits;

/* loaded from: input_file:org/codelibs/elasticsearch/auth/service/AuthService.class */
public class AuthService extends AbstractLifecycleComponent<AuthService> {
    private static final String DEFAULT_CONSTRAINT_TYPE = "constraint";
    private static final String DEFAULT_CONSTRAINT_INDEX_NAME = "security";
    private static final String DEFAULT_COOKIE_TOKEN_NAME = "eaid";
    private static final String DEFAULT_GUEST_ROLE = "guest";
    private RestController restController;
    private Map<String, Authenticator> authenticatorMap;
    private Client client;
    private String constraintIndex;
    private String constraintType;
    private String authTokenIndex;
    private String tokenType;
    private String tokenKey;
    private String guestRole;
    private ContentFilter contentFilter;
    private boolean cookieToken;
    private String cookieTokenName;
    private boolean updateToken;

    @Inject
    public AuthService(Settings settings, Client client, RestController restController) {
        super(settings);
        this.authenticatorMap = new LinkedHashMap();
        this.authTokenIndex = "auth";
        this.tokenType = "token";
        this.tokenKey = "token";
        this.cookieToken = true;
        this.client = client;
        this.restController = restController;
        this.logger.info("Creating authenticators.", new Object[0]);
        this.constraintIndex = settings.get("auth.constraint.index", DEFAULT_CONSTRAINT_INDEX_NAME);
        this.constraintType = settings.get("auth.constraint.type", DEFAULT_CONSTRAINT_TYPE);
        this.cookieTokenName = settings.get("auth.token.cookie", DEFAULT_COOKIE_TOKEN_NAME);
        this.updateToken = settings.getAsBoolean("auth.token.update_by_request", true).booleanValue();
        this.guestRole = settings.get("auth.role.guest", DEFAULT_GUEST_ROLE);
        if (this.cookieTokenName.trim().length() == 0 || "false".equalsIgnoreCase(this.cookieTokenName)) {
            this.cookieToken = false;
        }
    }

    protected void doStart() throws ElasticsearchException {
        this.logger.info("Starting AuthService.", new Object[0]);
        LoginFilter loginFilter = new LoginFilter(this, this.authenticatorMap);
        String str = this.settings.get("auth.login.path");
        if (str != null) {
            loginFilter.setLoginPath(str);
        }
        String[] asArray = this.settings.getAsArray("auth.login.methods");
        if (asArray != null && asArray.length > 0) {
            loginFilter.setHttpMethods(createMethods(asArray));
        }
        this.restController.registerFilter(loginFilter);
        LogoutFilter logoutFilter = new LogoutFilter(this);
        String str2 = this.settings.get("auth.logout.path");
        if (str2 != null) {
            logoutFilter.setLogoutPath(str2);
        }
        String[] asArray2 = this.settings.getAsArray("auth.logout.methods");
        if (asArray2 != null && asArray2.length > 0) {
            logoutFilter.setHttpMethods(createMethods(asArray2));
        }
        this.restController.registerFilter(logoutFilter);
        this.contentFilter = new ContentFilter(this);
        this.restController.registerFilter(this.contentFilter);
    }

    protected void doStop() throws ElasticsearchException {
        this.logger.info("Stopping AuthService", new Object[0]);
    }

    protected void doClose() throws ElasticsearchException {
        this.logger.info("Closing AuthService.", new Object[0]);
    }

    public void registerAuthenticator(String str, Authenticator authenticator) {
        this.authenticatorMap.put(str, authenticator);
    }

    public void init(final ActionListener<Void> actionListener) {
        this.client.admin().cluster().prepareHealth(new String[0]).setWaitForYellowStatus().execute(new ActionListener<ClusterHealthResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.1
            public void onResponse(ClusterHealthResponse clusterHealthResponse) {
                if (clusterHealthResponse.getStatus() == ClusterHealthStatus.RED) {
                    actionListener.onFailure(new AuthException(RestStatus.SERVICE_UNAVAILABLE, "This cluster is not ready."));
                } else {
                    AuthService.this.createConstraintIndexIfNotExist(actionListener);
                }
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(th);
            }
        });
    }

    protected void createConstraintIndexIfNotExist(final ActionListener<Void> actionListener) {
        this.client.admin().indices().prepareExists(new String[]{this.constraintIndex}).execute(new ActionListener<IndicesExistsResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.2
            public void onResponse(IndicesExistsResponse indicesExistsResponse) {
                if (indicesExistsResponse.isExists()) {
                    AuthService.this.reload(actionListener);
                } else {
                    AuthService.this.createConstraintIndex(actionListener);
                }
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(th);
            }
        });
    }

    protected void createConstraintIndex(final ActionListener<Void> actionListener) {
        this.client.admin().indices().prepareCreate(this.constraintIndex).execute(new ActionListener<CreateIndexResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.3
            public void onResponse(CreateIndexResponse createIndexResponse) {
                AuthService.this.reload(actionListener);
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(th);
            }
        });
    }

    public void reload(final ActionListener<Void> actionListener) {
        this.client.admin().indices().prepareRefresh(new String[]{this.constraintIndex}).setForce(true).execute(new ActionListener<RefreshResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.4
            public void onResponse(RefreshResponse refreshResponse) {
                AuthService.this.loadLoginConstraints(new ActionListener<LoginConstraint[]>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.4.1
                    public void onResponse(LoginConstraint[] loginConstraintArr) {
                        if (AuthService.this.logger.isDebugEnabled()) {
                            AuthService.this.logger.debug("Load {} constraint(s).", new Object[]{Integer.valueOf(loginConstraintArr.length)});
                        }
                        AuthService.this.contentFilter.setLoginConstraints(loginConstraintArr);
                        actionListener.onResponse((Object) null);
                    }

                    public void onFailure(Throwable th) {
                        actionListener.onFailure(th);
                    }
                });
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(th);
            }
        });
    }

    public void createToken(Set<String> set, final ActionListener<String> actionListener) {
        if (set == null || set.isEmpty()) {
            actionListener.onFailure(new AuthException(RestStatus.BAD_REQUEST, "Role is empty."));
            return;
        }
        final String generateToken = generateToken();
        HashMap hashMap = new HashMap();
        hashMap.put("roles", set);
        hashMap.put("lastModified", new Date());
        this.client.prepareIndex(this.authTokenIndex, this.tokenType, generateToken).setSource(hashMap).setRefresh(true).execute(new ActionListener<IndexResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.5
            public void onResponse(IndexResponse indexResponse) {
                actionListener.onResponse(generateToken);
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(th);
            }
        });
    }

    public void authenticate(final String str, final String[] strArr, final ActionListener<Boolean> actionListener) {
        if (str != null) {
            this.client.prepareGet(this.authTokenIndex, this.tokenType, str).execute(new ActionListener<GetResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.6
                public void onResponse(GetResponse getResponse) {
                    Map source = getResponse.getSource();
                    if (source != null) {
                        String[] asArray = MapUtil.getAsArray(source, "roles", new String[0]);
                        for (String str2 : strArr) {
                            for (String str3 : asArray) {
                                if (str2.equals(str3)) {
                                    actionListener.onResponse(true);
                                    if (AuthService.this.updateToken) {
                                        AuthService.this.updateToken(str, source);
                                        return;
                                    }
                                    return;
                                }
                            }
                        }
                    }
                    actionListener.onResponse(false);
                }

                public void onFailure(Throwable th) {
                    actionListener.onFailure(th);
                }
            });
            return;
        }
        if (strArr != null) {
            for (String str2 : strArr) {
                if (this.guestRole.equals(str2)) {
                    actionListener.onResponse(true);
                    return;
                }
            }
        }
        actionListener.onResponse(false);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void updateToken(final String str, Map<String, Object> map) {
        map.put("lastModified", new Date());
        this.client.prepareIndex(this.authTokenIndex, this.tokenType, str).setSource(map).execute(new ActionListener<IndexResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.7
            public void onResponse(IndexResponse indexResponse) {
            }

            public void onFailure(Throwable th) {
                AuthService.this.logger.warn("Failed to update token: " + str, th, new Object[0]);
            }
        });
    }

    public void createUser(String str, String str2, String str3, String[] strArr, ActionListener<Void> actionListener) {
        if (str == null || str2 == null || str3 == null || strArr == null) {
            actionListener.onFailure(new AuthException(RestStatus.BAD_REQUEST, "authenticator, username, passowrd or roles is null."));
        } else {
            getAuthenticator(str).createUser(str2, str3, strArr, actionListener);
        }
    }

    public void updateUser(String str, String str2, String str3, String[] strArr, ActionListener<Void> actionListener) {
        if (str == null || str2 == null || (str3 == null && strArr == null)) {
            actionListener.onFailure(new AuthException(RestStatus.BAD_REQUEST, "authenticator, username, passowrd or roles are null."));
        } else {
            getAuthenticator(str).updateUser(str2, str3, strArr, actionListener);
        }
    }

    public void deleteUser(String str, String str2, ActionListener<Void> actionListener) {
        if (str == null || str2 == null) {
            actionListener.onFailure(new AuthException(RestStatus.BAD_REQUEST, "authenticator or username are null."));
        } else {
            getAuthenticator(str).deleteUser(str2, actionListener);
        }
    }

    public void deleteToken(String str, final ActionListener<Void> actionListener) {
        this.client.prepareDelete(this.authTokenIndex, this.tokenType, str).setRefresh(true).execute(new ActionListener<DeleteResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.8
            public void onResponse(DeleteResponse deleteResponse) {
                if (deleteResponse.isFound()) {
                    actionListener.onResponse((Object) null);
                } else {
                    actionListener.onFailure(new AuthException(RestStatus.BAD_REQUEST, "The token does not exist."));
                }
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(th);
            }
        });
    }

    public String getToken(RestRequest restRequest) {
        String header;
        String param = restRequest.param(this.tokenKey);
        if (param == null && this.cookieToken && (header = restRequest.header("Cookie")) != null) {
            Iterator it = new CookieDecoder().decode(header).iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Cookie cookie = (Cookie) it.next();
                if (this.cookieTokenName.equals(cookie.getName())) {
                    param = cookie.getValue();
                    break;
                }
            }
        }
        return param;
    }

    private String generateToken() {
        return DigestUtils.sha512Hex(UUID.randomUUID().toString());
    }

    private Authenticator getAuthenticator(String str) {
        Authenticator authenticator = this.authenticatorMap.get(str);
        if (authenticator == null) {
            throw new AuthException(RestStatus.BAD_REQUEST, "Unknown authenticator: " + str);
        }
        return authenticator;
    }

    protected void loadLoginConstraints(final ActionListener<LoginConstraint[]> actionListener) {
        this.client.prepareSearch(new String[]{this.constraintIndex}).setTypes(new String[]{this.constraintType}).setQuery(QueryBuilders.queryString("*:*")).execute(new ActionListener<SearchResponse>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.9
            public void onResponse(SearchResponse searchResponse) {
                TreeMap treeMap = new TreeMap(new Comparator<String>() { // from class: org.codelibs.elasticsearch.auth.service.AuthService.9.1
                    @Override // java.util.Comparator
                    public int compare(String str, String str2) {
                        int length = str.length();
                        int length2 = str2.length();
                        return length == length2 ? (-1) * str.compareTo(str2) : length < length2 ? -1 : 1;
                    }
                });
                SearchHits hits = searchResponse.getHits();
                if (hits.totalHits() != 0) {
                    Iterator it = hits.iterator();
                    while (it.hasNext()) {
                        Map sourceAsMap = ((SearchHit) it.next()).sourceAsMap();
                        List<String> asList = MapUtil.getAsList(sourceAsMap, "methods", Collections.emptyList());
                        List<String> asList2 = MapUtil.getAsList(sourceAsMap, "paths", Collections.emptyList());
                        List<String> asList3 = MapUtil.getAsList(sourceAsMap, "roles", Collections.emptyList());
                        if (asList2.isEmpty() || asList3.isEmpty()) {
                            AuthService.this.logger.warn("Invaid login settings: " + sourceAsMap, new Object[0]);
                        } else {
                            for (String str : asList2) {
                                LoginConstraint loginConstraint = (LoginConstraint) treeMap.get(str);
                                if (loginConstraint == null) {
                                    loginConstraint = new LoginConstraint();
                                    loginConstraint.setPath(str);
                                    treeMap.put(str, loginConstraint);
                                }
                                loginConstraint.addCondition((String[]) asList.toArray(new String[asList.size()]), (String[]) asList3.toArray(new String[asList3.size()]));
                            }
                        }
                    }
                }
                actionListener.onResponse(treeMap.values().toArray(new LoginConstraint[treeMap.size()]));
            }

            public void onFailure(Throwable th) {
                actionListener.onFailure(new AuthException(RestStatus.INTERNAL_SERVER_ERROR, AuthService.this.constraintIndex + ":" + AuthService.this.constraintType + " is not found.", th));
            }
        });
    }

    private RestRequest.Method[] createMethods(String[] strArr) {
        ArrayList arrayList = new ArrayList();
        for (String str : strArr) {
            if ("get".equalsIgnoreCase(str)) {
                arrayList.add(RestRequest.Method.GET);
            } else if ("post".equalsIgnoreCase(str)) {
                arrayList.add(RestRequest.Method.POST);
            } else if ("head".equalsIgnoreCase(str)) {
                arrayList.add(RestRequest.Method.HEAD);
            } else if ("options".equalsIgnoreCase(str)) {
                arrayList.add(RestRequest.Method.OPTIONS);
            } else if ("put".equalsIgnoreCase(str)) {
                arrayList.add(RestRequest.Method.PUT);
            } else if ("delete".equalsIgnoreCase(str)) {
                arrayList.add(RestRequest.Method.DELETE);
            }
        }
        return (RestRequest.Method[]) arrayList.toArray(new RestRequest.Method[arrayList.size()]);
    }
}
