package org.elasticsearch.xpack.security.authc;

import java.io.IOException;
import java.util.List;
import java.util.function.Consumer;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.common.IteratingActionListener;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.crypto.CryptoService;
import org.elasticsearch.xpack.security.user.AnonymousUser;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authc/AuthenticationService.class */
public class AuthenticationService extends AbstractComponent {
    public static final Setting<Boolean> SIGN_USER_HEADER = Setting.boolSetting(Security.setting("authc.sign_user_header"), true, Setting.Property.NodeScope, Setting.Property.Deprecated);
    public static final Setting<Boolean> RUN_AS_ENABLED = Setting.boolSetting(Security.setting("authc.run_as.enabled"), true, Setting.Property.NodeScope);
    public static final String RUN_AS_USER_HEADER = "es-security-runas-user";
    private final Realms realms;
    private final AuditTrail auditTrail;
    private final CryptoService cryptoService;
    private final AuthenticationFailureHandler failureHandler;
    private final ThreadContext threadContext;
    private final String nodeName;
    private final AnonymousUser anonymousUser;
    private final boolean runAsEnabled;
    private final boolean isAnonymousUserEnabled;
    private final boolean signingEnabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authc/AuthenticationService$AuditableRequest.class */
    public static abstract class AuditableRequest {
        final AuditTrail auditTrail;
        final AuthenticationFailureHandler failureHandler;
        final ThreadContext threadContext;

        AuditableRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext) {
            this.auditTrail = auditTrail;
            this.failureHandler = authenticationFailureHandler;
            this.threadContext = threadContext;
        }

        abstract void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str);

        abstract ElasticsearchSecurityException tamperedRequest();

        abstract ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken);

        abstract ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken);

        abstract ElasticsearchSecurityException anonymousAccessDenied();

        abstract ElasticsearchSecurityException runAsDenied(User user, AuthenticationToken authenticationToken);

        abstract void authenticationSuccess(String str, User user);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authc/AuthenticationService$AuditableRestRequest.class */
    public static class AuditableRestRequest extends AuditableRequest {
        private final RestRequest request;

        AuditableRestRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext, RestRequest restRequest) {
            super(auditTrail, authenticationFailureHandler, threadContext);
            this.request = restRequest;
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void authenticationSuccess(String str, User user) {
            this.auditTrail.authenticationSuccess(str, user, this.request);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str) {
            this.auditTrail.authenticationFailed(str, authenticationToken, this.request);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException tamperedRequest() {
            this.auditTrail.tamperedRequest(this.request);
            return new ElasticsearchSecurityException("rest request attempted to inject a user", new Object[0]);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken) {
            if (authenticationToken != null) {
                this.auditTrail.authenticationFailed(authenticationToken, this.request);
            } else {
                this.auditTrail.authenticationFailed(this.request);
            }
            return this.failureHandler.exceptionProcessingRequest(this.request, exc, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken) {
            this.auditTrail.authenticationFailed(authenticationToken, this.request);
            return this.failureHandler.failedAuthentication(this.request, authenticationToken, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException anonymousAccessDenied() {
            this.auditTrail.anonymousAccessDenied(this.request);
            return this.failureHandler.missingToken(this.request, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException runAsDenied(User user, AuthenticationToken authenticationToken) {
            this.auditTrail.runAsDenied(user, this.request);
            return this.failureHandler.failedAuthentication(this.request, authenticationToken, this.threadContext);
        }

        public String toString() {
            return "rest request uri [" + this.request.uri() + "]";
        }
    }

    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authc/AuthenticationService$AuditableTransportRequest.class */
    static class AuditableTransportRequest extends AuditableRequest {
        private final String action;
        private final TransportMessage message;

        AuditableTransportRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext, String str, TransportMessage transportMessage) {
            super(auditTrail, authenticationFailureHandler, threadContext);
            this.action = str;
            this.message = transportMessage;
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void authenticationSuccess(String str, User user) {
            this.auditTrail.authenticationSuccess(str, user, this.action, this.message);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str) {
            this.auditTrail.authenticationFailed(str, authenticationToken, this.action, this.message);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException tamperedRequest() {
            this.auditTrail.tamperedRequest(this.action, this.message);
            return new ElasticsearchSecurityException("failed to verify signed authentication information", new Object[0]);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken) {
            if (authenticationToken != null) {
                this.auditTrail.authenticationFailed(authenticationToken, this.action, this.message);
            } else {
                this.auditTrail.authenticationFailed(this.action, this.message);
            }
            return this.failureHandler.exceptionProcessingRequest(this.message, this.action, exc, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken) {
            this.auditTrail.authenticationFailed(authenticationToken, this.action, this.message);
            return this.failureHandler.failedAuthentication(this.message, authenticationToken, this.action, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException anonymousAccessDenied() {
            this.auditTrail.anonymousAccessDenied(this.action, this.message);
            return this.failureHandler.missingToken(this.message, this.action, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException runAsDenied(User user, AuthenticationToken authenticationToken) {
            this.auditTrail.runAsDenied(user, this.action, this.message);
            return this.failureHandler.failedAuthentication(this.message, authenticationToken, this.action, this.threadContext);
        }

        public String toString() {
            return "transport request action [" + this.action + "]";
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/authc/AuthenticationService$Authenticator.class */
    public class Authenticator {
        private final AuditableRequest request;
        private final User fallbackUser;
        private final ActionListener<Authentication> listener;
        private final Version version;
        private Authentication.RealmRef authenticatedBy;
        private Authentication.RealmRef lookedupBy;
        private AuthenticationToken authenticationToken;
        static final /* synthetic */ boolean $assertionsDisabled;

        Authenticator(AuthenticationService authenticationService, RestRequest restRequest, ActionListener<Authentication> actionListener) {
            this(new AuditableRestRequest(authenticationService.auditTrail, authenticationService.failureHandler, authenticationService.threadContext, restRequest), null, Version.CURRENT, actionListener);
        }

        Authenticator(AuthenticationService authenticationService, String str, TransportMessage transportMessage, User user, Version version, ActionListener<Authentication> actionListener) {
            this(new AuditableTransportRequest(authenticationService.auditTrail, authenticationService.failureHandler, authenticationService.threadContext, str, transportMessage), user, version, actionListener);
        }

        private Authenticator(AuditableRequest auditableRequest, User user, Version version, ActionListener<Authentication> actionListener) {
            this.authenticatedBy = null;
            this.lookedupBy = null;
            this.authenticationToken = null;
            this.request = auditableRequest;
            this.fallbackUser = user;
            this.listener = actionListener;
            this.version = version;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void authenticateAsync() {
            lookForExistingAuthentication(authentication -> {
                if (authentication != null) {
                    this.listener.onResponse(authentication);
                } else {
                    extractToken(this::consumeToken);
                }
            });
        }

        private void lookForExistingAuthentication(Consumer<Authentication> consumer) {
            Runnable runnable;
            try {
                Authentication readFromContext = Authentication.readFromContext(AuthenticationService.this.threadContext, AuthenticationService.this.cryptoService, AuthenticationService.this.settings, this.version, AuthenticationService.this.signingEnabled);
                runnable = (readFromContext == null || !(this.request instanceof AuditableRestRequest)) ? () -> {
                    consumer.accept(readFromContext);
                } : () -> {
                    this.listener.onFailure(this.request.tamperedRequest());
                };
            } catch (Exception e) {
                AuthenticationService.this.logger.error(() -> {
                    return new ParameterizedMessage("caught exception while trying to read authentication from request [{}]", this.request);
                }, (Throwable) e);
                runnable = () -> {
                    this.listener.onFailure(this.request.tamperedRequest());
                };
            }
            runnable.run();
        }

        /* JADX WARN: Code restructure failed: missing block: B:10:0x0039, code lost:
        
            r5 = () -> { // java.lang.Runnable.run():void
                lambda$extractToken$6(r0, r1);
            };
         */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        void extractToken(java.util.function.Consumer<org.elasticsearch.xpack.security.authc.AuthenticationToken> r4) {
            /*
                r3 = this;
                r0 = r4
                void r0 = () -> { // java.lang.Runnable.run():void
                    lambda$extractToken$5(r0);
                }
                r5 = r0
                r0 = r3
                org.elasticsearch.xpack.security.authc.AuthenticationService r0 = org.elasticsearch.xpack.security.authc.AuthenticationService.this     // Catch: java.lang.Exception -> L4b
                org.elasticsearch.xpack.security.authc.Realms r0 = org.elasticsearch.xpack.security.authc.AuthenticationService.access$800(r0)     // Catch: java.lang.Exception -> L4b
                java.util.Iterator r0 = r0.iterator()     // Catch: java.lang.Exception -> L4b
                r6 = r0
            L12:
                r0 = r6
                boolean r0 = r0.hasNext()     // Catch: java.lang.Exception -> L4b
                if (r0 == 0) goto L48
                r0 = r6
                java.lang.Object r0 = r0.next()     // Catch: java.lang.Exception -> L4b
                org.elasticsearch.xpack.security.authc.Realm r0 = (org.elasticsearch.xpack.security.authc.Realm) r0     // Catch: java.lang.Exception -> L4b
                r7 = r0
                r0 = r7
                r1 = r3
                org.elasticsearch.xpack.security.authc.AuthenticationService r1 = org.elasticsearch.xpack.security.authc.AuthenticationService.this     // Catch: java.lang.Exception -> L4b
                org.elasticsearch.common.util.concurrent.ThreadContext r1 = org.elasticsearch.xpack.security.authc.AuthenticationService.access$300(r1)     // Catch: java.lang.Exception -> L4b
                org.elasticsearch.xpack.security.authc.AuthenticationToken r0 = r0.token(r1)     // Catch: java.lang.Exception -> L4b
                r8 = r0
                r0 = r8
                if (r0 == 0) goto L45
                r0 = r4
                r1 = r8
                void r0 = () -> { // java.lang.Runnable.run():void
                    lambda$extractToken$6(r0, r1);
                }     // Catch: java.lang.Exception -> L4b
                r5 = r0
                goto L48
            L45:
                goto L12
            L48:
                goto L54
            L4b:
                r6 = move-exception
                r0 = r3
                r1 = r6
                void r0 = () -> { // java.lang.Runnable.run():void
                    r0.lambda$extractToken$7(r1);
                }
                r5 = r0
            L54:
                r0 = r5
                r0.run()
                return
            */
            throw new UnsupportedOperationException("Method not decompiled: org.elasticsearch.xpack.security.authc.AuthenticationService.Authenticator.extractToken(java.util.function.Consumer):void");
        }

        private void consumeToken(AuthenticationToken authenticationToken) {
            if (authenticationToken == null) {
                handleNullToken();
                return;
            }
            this.authenticationToken = authenticationToken;
            List<Realm> asList = AuthenticationService.this.realms.asList();
            try {
                new IteratingActionListener(ActionListener.wrap(this::consumeUser, exc -> {
                    this.listener.onFailure(this.request.exceptionProcessingRequest(exc, authenticationToken));
                }), (realm, actionListener) -> {
                    if (realm.supports(this.authenticationToken)) {
                        realm.authenticate(this.authenticationToken, ActionListener.wrap(user -> {
                            if (user == null) {
                                this.request.realmAuthenticationFailed(this.authenticationToken, realm.name());
                            } else {
                                this.authenticatedBy = new Authentication.RealmRef(realm.name(), realm.type(), AuthenticationService.this.nodeName);
                            }
                            actionListener.onResponse(user);
                        }, exc2 -> {
                            AuthenticationService.this.logger.warn("An error occurred while attempting to authenticate [{}] against realm [{}] - {}", this.authenticationToken.principal(), realm.name(), exc2);
                            AuthenticationService.this.logger.debug("Authentication failed due to exception", (Throwable) exc2);
                            actionListener.onFailure(exc2);
                        }));
                    } else {
                        actionListener.onResponse(null);
                    }
                }, asList, AuthenticationService.this.threadContext).run();
            } catch (Exception e) {
                this.listener.onFailure(this.request.exceptionProcessingRequest(e, authenticationToken));
            }
        }

        void handleNullToken() {
            Authentication authentication;
            Runnable runnable;
            if (this.fallbackUser != null) {
                authentication = new Authentication(this.fallbackUser, new Authentication.RealmRef("__fallback", "__fallback", AuthenticationService.this.nodeName), null);
            } else if (AuthenticationService.this.isAnonymousUserEnabled) {
                authentication = new Authentication(AuthenticationService.this.anonymousUser, new Authentication.RealmRef("__anonymous", "__anonymous", AuthenticationService.this.nodeName), null);
            } else {
                authentication = null;
            }
            if (authentication != null) {
                try {
                    authentication.writeToContext(AuthenticationService.this.threadContext, AuthenticationService.this.cryptoService, AuthenticationService.this.settings, this.version, AuthenticationService.this.signingEnabled);
                    this.request.authenticationSuccess(authentication.getAuthenticatedBy().getName(), authentication.getUser());
                    Authentication authentication2 = authentication;
                    runnable = () -> {
                        this.listener.onResponse(authentication2);
                    };
                } catch (Exception e) {
                    runnable = () -> {
                        this.listener.onFailure(this.request.exceptionProcessingRequest(e, this.authenticationToken));
                    };
                }
            } else {
                runnable = () -> {
                    this.listener.onFailure(this.request.anonymousAccessDenied());
                };
            }
            runnable.run();
        }

        private void consumeUser(User user) {
            if (user == null) {
                Realm.getAuthenticationFailureDetails(AuthenticationService.this.threadContext).forEach((realm, tuple) -> {
                    AuthenticationService.this.logger.warn("Authentication to realm {} failed - {}{}", realm.name(), (String) tuple.v1(), tuple.v2() == null ? "" : " (Caused by " + tuple.v2() + ")");
                });
                this.listener.onFailure(this.request.authenticationFailed(this.authenticationToken));
                return;
            }
            if (!AuthenticationService.this.runAsEnabled) {
                finishAuthentication(user);
                return;
            }
            String header = AuthenticationService.this.threadContext.getHeader(AuthenticationService.RUN_AS_USER_HEADER);
            if (header != null && !header.isEmpty()) {
                lookupRunAsUser(user, header, this::finishAuthentication);
                return;
            }
            if (header == null) {
                finishAuthentication(user);
            } else {
                if (!$assertionsDisabled && !header.isEmpty()) {
                    throw new AssertionError("the run as username may not be empty");
                }
                AuthenticationService.this.logger.debug("user [{}] attempted to runAs with an empty username", user.principal());
                this.listener.onFailure(this.request.runAsDenied(new User(header, null, user), this.authenticationToken));
            }
        }

        private void lookupRunAsUser(User user, String str, Consumer<User> consumer) {
            List<Realm> asList = AuthenticationService.this.realms.asList();
            try {
                new IteratingActionListener(ActionListener.wrap(user2 -> {
                    if (user2 == null) {
                        consumer.accept(new User(str, null, user));
                    } else {
                        consumer.accept(new User(user2, user));
                    }
                }, exc -> {
                    this.listener.onFailure(this.request.exceptionProcessingRequest(exc, this.authenticationToken));
                }), (realm, actionListener) -> {
                    if (!realm.userLookupSupported()) {
                        actionListener.onResponse(null);
                        return;
                    }
                    CheckedConsumer checkedConsumer = user3 -> {
                        if (user3 == null) {
                            actionListener.onResponse(null);
                        } else {
                            this.lookedupBy = new Authentication.RealmRef(realm.name(), realm.type(), AuthenticationService.this.nodeName);
                            actionListener.onResponse(user3);
                        }
                    };
                    actionListener.getClass();
                    realm.lookupUser(str, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
                }, asList, AuthenticationService.this.threadContext).run();
            } catch (Exception e) {
                this.listener.onFailure(this.request.exceptionProcessingRequest(e, this.authenticationToken));
            }
        }

        void finishAuthentication(User user) {
            if (!user.enabled() || !user.authenticatedUser().enabled()) {
                AuthenticationService.this.logger.debug("user [{}] is disabled. failing authentication", user);
                this.listener.onFailure(this.request.authenticationFailed(this.authenticationToken));
                return;
            }
            this.request.authenticationSuccess(this.authenticatedBy.getName(), user);
            Authentication authentication = new Authentication(user, this.authenticatedBy, this.lookedupBy);
            Runnable runnable = () -> {
                this.listener.onResponse(authentication);
            };
            try {
                authentication.writeToContext(AuthenticationService.this.threadContext, AuthenticationService.this.cryptoService, AuthenticationService.this.settings, this.version, AuthenticationService.this.signingEnabled);
            } catch (Exception e) {
                runnable = () -> {
                    this.listener.onFailure(this.request.exceptionProcessingRequest(e, this.authenticationToken));
                };
            }
            runnable.run();
        }

        static {
            $assertionsDisabled = !AuthenticationService.class.desiredAssertionStatus();
        }
    }

    public AuthenticationService(Settings settings, Realms realms, AuditTrailService auditTrailService, CryptoService cryptoService, AuthenticationFailureHandler authenticationFailureHandler, ThreadPool threadPool, AnonymousUser anonymousUser) {
        super(settings);
        this.nodeName = Node.NODE_NAME_SETTING.get(settings);
        this.realms = realms;
        this.auditTrail = auditTrailService;
        this.cryptoService = cryptoService;
        this.failureHandler = authenticationFailureHandler;
        this.threadContext = threadPool.getThreadContext();
        this.anonymousUser = anonymousUser;
        this.runAsEnabled = RUN_AS_ENABLED.get(settings).booleanValue();
        this.isAnonymousUserEnabled = AnonymousUser.isAnonymousEnabled(settings);
        this.signingEnabled = SIGN_USER_HEADER.get(settings).booleanValue();
    }

    public void authenticate(RestRequest restRequest, ActionListener<Authentication> actionListener) {
        createAuthenticator(restRequest, actionListener).authenticateAsync();
    }

    public void authenticate(String str, TransportMessage transportMessage, User user, Version version, ActionListener<Authentication> actionListener) {
        createAuthenticator(str, transportMessage, user, version, actionListener).authenticateAsync();
    }

    void attachUserIfMissing(User user, Version version) throws IOException {
        new Authentication(user, new Authentication.RealmRef("__attach", "__attach", this.nodeName), null).writeToContextIfMissing(this.threadContext, this.cryptoService, this.settings, version, this.signingEnabled);
    }

    Authenticator createAuthenticator(RestRequest restRequest, ActionListener<Authentication> actionListener) {
        return new Authenticator(this, restRequest, actionListener);
    }

    Authenticator createAuthenticator(String str, TransportMessage transportMessage, User user, Version version, ActionListener<Authentication> actionListener) {
        return new Authenticator(this, str, transportMessage, user, version, actionListener);
    }

    public static void addSettings(List<Setting<?>> list) {
        list.add(SIGN_USER_HEADER);
        list.add(RUN_AS_ENABLED);
    }
}
