package org.elasticsearch.shield.authc;

import java.io.IOException;
import java.util.Iterator;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Base64;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.audit.AuditTrail;
import org.elasticsearch.shield.crypto.CryptoService;
import org.elasticsearch.shield.support.Exceptions;
import org.elasticsearch.transport.TransportMessage;

/* loaded from: input_file:org/elasticsearch/shield/authc/InternalAuthenticationService.class */
public class InternalAuthenticationService extends AbstractComponent implements AuthenticationService {
    public static final String SETTING_SIGN_USER_HEADER = "shield.authc.sign_user_header";
    public static final String SETTING_RUN_AS_ENABLED = "shield.authc.run_as.enabled";
    public static final String RUN_AS_USER_HEADER = "es-shield-runas-user";
    static final String TOKEN_KEY = "_shield_token";
    public static final String USER_KEY = "_shield_user";
    private final Realms realms;
    private final AuditTrail auditTrail;
    private final CryptoService cryptoService;
    private final AnonymousService anonymousService;
    private final AuthenticationFailureHandler failureHandler;
    private final boolean signUserHeader;
    private final boolean runAsEnabled;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Inject
    public InternalAuthenticationService(Settings settings, Realms realms, AuditTrail auditTrail, CryptoService cryptoService, AnonymousService anonymousService, AuthenticationFailureHandler authenticationFailureHandler) {
        super(settings);
        this.realms = realms;
        this.auditTrail = auditTrail;
        this.cryptoService = cryptoService;
        this.anonymousService = anonymousService;
        this.failureHandler = authenticationFailureHandler;
        this.signUserHeader = settings.getAsBoolean(SETTING_SIGN_USER_HEADER, true).booleanValue();
        this.runAsEnabled = settings.getAsBoolean(SETTING_RUN_AS_ENABLED, true).booleanValue();
    }

    @Override // org.elasticsearch.shield.authc.AuthenticationService
    public User authenticate(RestRequest restRequest) throws ElasticsearchSecurityException {
        String header;
        try {
            AuthenticationToken authenticationToken = token(restRequest);
            if (authenticationToken == null) {
                if (this.anonymousService.enabled()) {
                    restRequest.putInContext(USER_KEY, this.anonymousService.anonymousUser());
                    return this.anonymousService.anonymousUser();
                }
                this.auditTrail.anonymousAccessDenied(restRequest);
                throw this.failureHandler.missingToken(restRequest);
            }
            try {
                User authenticate = authenticate(restRequest, authenticationToken);
                if (authenticate == null) {
                    throw this.failureHandler.unsuccessfulAuthentication(restRequest, authenticationToken);
                }
                if (this.runAsEnabled && (header = restRequest.header(RUN_AS_USER_HEADER)) != null) {
                    if (header.isEmpty()) {
                        this.logger.warn("user [{}] attempted to runAs with an empty username", new Object[]{authenticate.principal()});
                        this.auditTrail.authenticationFailed(authenticationToken, restRequest);
                        throw this.failureHandler.unsuccessfulAuthentication(restRequest, authenticationToken);
                    }
                    try {
                        User lookupUser = lookupUser(header);
                        try {
                            authenticate = lookupUser != null ? new User.Simple(authenticate.principal(), authenticate.roles(), lookupUser) : new User.Simple(authenticate.principal(), authenticate.roles(), new User.Simple(header, null));
                        } catch (Exception e) {
                            if (this.logger.isDebugEnabled()) {
                                this.logger.debug("user creation failed for principal [{}], uri [{}], run as username [{}]", e, new Object[]{authenticationToken.principal(), restRequest.uri(), header});
                            }
                            this.auditTrail.authenticationFailed(authenticationToken, restRequest);
                            throw this.failureHandler.exceptionProcessingRequest(restRequest, e);
                        }
                    } catch (Exception e2) {
                        if (this.logger.isDebugEnabled()) {
                            this.logger.debug("lookup of run as user failed for principal [{}], uri [{}], run as username [{}]", e2, new Object[]{authenticationToken.principal(), restRequest.uri(), header});
                        }
                        this.auditTrail.authenticationFailed(authenticationToken, restRequest);
                        throw this.failureHandler.exceptionProcessingRequest(restRequest, e2);
                    }
                }
                restRequest.putInContext(USER_KEY, authenticate);
                return authenticate;
            } catch (Exception e3) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("authentication of request failed for principal [{}], uri [{}]", e3, new Object[]{authenticationToken.principal(), restRequest.uri()});
                }
                this.auditTrail.authenticationFailed(authenticationToken, restRequest);
                throw this.failureHandler.exceptionProcessingRequest(restRequest, e3);
            }
        } catch (Exception e4) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("failed to extract token from request", e4, new Object[0]);
            } else {
                this.logger.warn("failed to extract token from request: {}", new Object[]{e4.getMessage()});
            }
            this.auditTrail.authenticationFailed(restRequest);
            throw this.failureHandler.exceptionProcessingRequest(restRequest, e4);
        }
    }

    @Override // org.elasticsearch.shield.authc.AuthenticationService
    public User authenticate(String str, TransportMessage transportMessage, User user) throws IOException {
        User user2 = (User) transportMessage.getFromContext(USER_KEY);
        if (user2 != null) {
            return user2;
        }
        String str2 = (String) transportMessage.getHeader(USER_KEY);
        if (str2 != null) {
            if (this.signUserHeader) {
                try {
                    str2 = this.cryptoService.unsignAndVerify(str2);
                } catch (Exception e) {
                    this.auditTrail.tamperedRequest(str, transportMessage);
                    throw e;
                }
            }
            user2 = decodeUser(str2);
        }
        if (user2 == null) {
            user2 = authenticateWithRealms(str, transportMessage, user);
            transportMessage.putHeader(USER_KEY, this.signUserHeader ? this.cryptoService.sign(encodeUser(user2, this.logger)) : encodeUser(user2, this.logger));
        }
        transportMessage.putInContext(USER_KEY, user2);
        return user2;
    }

    @Override // org.elasticsearch.shield.authc.AuthenticationService
    public void attachUserHeaderIfMissing(TransportMessage transportMessage, User user) throws IOException {
        if (transportMessage.hasHeader(USER_KEY)) {
            return;
        }
        User user2 = (User) transportMessage.getFromContext(USER_KEY);
        if (user2 != null) {
            transportMessage.putHeader(USER_KEY, this.signUserHeader ? this.cryptoService.sign(encodeUser(user2, this.logger)) : encodeUser(user2, this.logger));
        } else {
            transportMessage.putInContext(USER_KEY, user);
            transportMessage.putHeader(USER_KEY, this.signUserHeader ? this.cryptoService.sign(encodeUser(user, this.logger)) : encodeUser(user, this.logger));
        }
    }

    static User decodeUser(String str) {
        try {
            return User.readFrom(StreamInput.wrap(Base64.decode(str)));
        } catch (IOException e) {
            throw Exceptions.authenticationError("could not read authenticated user", e, new Object[0]);
        }
    }

    static String encodeUser(User user, ESLogger eSLogger) {
        try {
            BytesStreamOutput bytesStreamOutput = new BytesStreamOutput();
            User.writeTo(user, bytesStreamOutput);
            return Base64.encodeBytes(bytesStreamOutput.bytes().toBytes());
        } catch (IOException e) {
            if (eSLogger == null) {
                return null;
            }
            eSLogger.error("could not encode authenticated user in message header... falling back to token headers", e, new Object[0]);
            return null;
        }
    }

    User authenticateWithRealms(String str, TransportMessage<?> transportMessage, User user) throws ElasticsearchSecurityException {
        String str2;
        try {
            AuthenticationToken authenticationToken = token(str, transportMessage);
            if (authenticationToken == null) {
                if (user != null) {
                    return user;
                }
                if (this.anonymousService.enabled()) {
                    return this.anonymousService.anonymousUser();
                }
                this.auditTrail.anonymousAccessDenied(str, transportMessage);
                throw this.failureHandler.missingToken(transportMessage, str);
            }
            try {
                User authenticate = authenticate(transportMessage, authenticationToken, str);
                if (authenticate == null) {
                    throw this.failureHandler.unsuccessfulAuthentication(transportMessage, authenticationToken, str);
                }
                if (this.runAsEnabled && (str2 = (String) transportMessage.getHeader(RUN_AS_USER_HEADER)) != null) {
                    if (str2.isEmpty()) {
                        this.logger.warn("user [{}] attempted to runAs with an empty username", new Object[]{authenticate.principal()});
                        this.auditTrail.authenticationFailed(authenticationToken, str, transportMessage);
                        throw this.failureHandler.unsuccessfulAuthentication(transportMessage, authenticationToken, str);
                    }
                    try {
                        User lookupUser = lookupUser(str2);
                        try {
                            authenticate = lookupUser != null ? new User.Simple(authenticate.principal(), authenticate.roles(), lookupUser) : new User.Simple(authenticate.principal(), authenticate.roles(), new User.Simple(str2, null));
                        } catch (Exception e) {
                            if (this.logger.isDebugEnabled()) {
                                this.logger.debug("user creation failed for principal [{}], action [{}], run as username [{}]", e, new Object[]{authenticationToken.principal(), str, str2});
                            }
                            this.auditTrail.authenticationFailed(authenticationToken, str, transportMessage);
                            throw this.failureHandler.exceptionProcessingRequest(transportMessage, e);
                        }
                    } catch (Exception e2) {
                        if (this.logger.isDebugEnabled()) {
                            this.logger.debug("lookup of run as user failed for principal [{}], action [{}], run as username [{}]", e2, new Object[]{authenticationToken.principal(), str, str2});
                        }
                        this.auditTrail.authenticationFailed(authenticationToken, str, transportMessage);
                        throw this.failureHandler.exceptionProcessingRequest(transportMessage, e2);
                    }
                }
                return authenticate;
            } catch (Exception e3) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("authentication of transport message failed for principal [{}], action [{}]", e3, new Object[]{authenticationToken.principal(), str});
                }
                this.auditTrail.authenticationFailed(authenticationToken, str, transportMessage);
                throw this.failureHandler.exceptionProcessingRequest(transportMessage, e3);
            }
        } catch (Exception e4) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("failed to extract token from transport message", e4, new Object[0]);
            } else {
                this.logger.warn("failed to extract token from transport message: ", new Object[]{e4.getMessage()});
            }
            this.auditTrail.authenticationFailed(str, transportMessage);
            throw this.failureHandler.exceptionProcessingRequest(transportMessage, e4);
        }
    }

    User authenticate(TransportMessage<?> transportMessage, AuthenticationToken authenticationToken, String str) throws ElasticsearchSecurityException {
        if (!$assertionsDisabled && authenticationToken == null) {
            throw new AssertionError("cannot authenticate null tokens");
        }
        try {
            Iterator<Realm> it = this.realms.iterator();
            while (it.hasNext()) {
                Realm next = it.next();
                if (next.supports(authenticationToken)) {
                    User authenticate = next.authenticate(authenticationToken);
                    if (authenticate != null) {
                        return authenticate;
                    }
                    this.auditTrail.authenticationFailed(next.type(), authenticationToken, str, transportMessage);
                }
            }
            this.auditTrail.authenticationFailed(authenticationToken, str, transportMessage);
            authenticationToken.clearCredentials();
            return null;
        } finally {
            authenticationToken.clearCredentials();
        }
    }

    User authenticate(RestRequest restRequest, AuthenticationToken authenticationToken) throws ElasticsearchSecurityException {
        if (!$assertionsDisabled && authenticationToken == null) {
            throw new AssertionError("cannot authenticate null tokens");
        }
        try {
            Iterator<Realm> it = this.realms.iterator();
            while (it.hasNext()) {
                Realm next = it.next();
                if (next.supports(authenticationToken)) {
                    User authenticate = next.authenticate(authenticationToken);
                    if (authenticate != null) {
                        return authenticate;
                    }
                    this.auditTrail.authenticationFailed(next.type(), authenticationToken, restRequest);
                }
            }
            this.auditTrail.authenticationFailed(authenticationToken, restRequest);
            authenticationToken.clearCredentials();
            return null;
        } finally {
            authenticationToken.clearCredentials();
        }
    }

    AuthenticationToken token(RestRequest restRequest) throws ElasticsearchSecurityException {
        Iterator<Realm> it = this.realms.iterator();
        while (it.hasNext()) {
            AuthenticationToken authenticationToken = it.next().token(restRequest);
            if (authenticationToken != null) {
                restRequest.putInContext(TOKEN_KEY, authenticationToken);
                return authenticationToken;
            }
        }
        return null;
    }

    AuthenticationToken token(String str, TransportMessage<?> transportMessage) {
        AuthenticationToken authenticationToken = (AuthenticationToken) transportMessage.getFromContext(TOKEN_KEY);
        if (authenticationToken != null) {
            return authenticationToken;
        }
        Iterator<Realm> it = this.realms.iterator();
        while (it.hasNext()) {
            Realm next = it.next();
            AuthenticationToken authenticationToken2 = next.token(transportMessage);
            if (authenticationToken2 != null) {
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("realm [{}] resolved authentication token [{}] from transport request with action [{}]", new Object[]{next, authenticationToken2.principal(), str});
                }
                transportMessage.putInContext(TOKEN_KEY, authenticationToken2);
                return authenticationToken2;
            }
        }
        return null;
    }

    User lookupUser(String str) {
        User lookupUser;
        Iterator<Realm> it = this.realms.iterator();
        while (it.hasNext()) {
            Realm next = it.next();
            if (next.userLookupSupported() && (lookupUser = next.lookupUser(str)) != null) {
                return lookupUser;
            }
        }
        return null;
    }

    static {
        $assertionsDisabled = !InternalAuthenticationService.class.desiredAssertionStatus();
    }
}
