package org.elasticsearch.xpack.security.authc.support;

import java.util.Objects;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.SecurityContext;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.support.SecondaryAuthentication;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/SecondaryAuthenticator.class */
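/**
 * Authenticates a second set of credentials that a request carries in the
 * {@value #SECONDARY_AUTH_HEADER_NAME} header, in addition to whatever primary authentication the
 * request already has.
 *
 * <p>The secondary credentials are evaluated inside a stashed (empty) thread context, so the
 * caller's existing context is not visible while they are checked. The credentials are also never
 * left behind in the caller's context. The result is delivered as a
 * {@link SecondaryAuthentication}, or as {@code null} when the request supplied no secondary
 * credentials at all.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>A {@code null} response means "no secondary credentials were sent", not "secondary
 *       authentication succeeded". Callers that require a second user must reject {@code null}.</li>
 *   <li>A {@code null} result from the authentication service is treated as a failure.</li>
 *   <li>The header value is a secret. It is only ever logged on the branch where it is null or
 *       empty.</li>
 * </ul>
 */
public class SecondaryAuthenticator {
    /** Name of the request header that carries the secondary credentials. */
    public static final String SECONDARY_AUTH_HEADER_NAME = "es-secondary-authorization";

    private final Logger logger;
    private final SecurityContext securityContext;
    private final AuthenticationService authenticationService;
    private final AuditTrailService auditTrailService;

    /**
     * Creates an authenticator that builds its own {@link SecurityContext} from the given settings
     * and thread context.
     */
    public SecondaryAuthenticator(Settings settings, ThreadContext threadContext, AuthenticationService authenticationService, AuditTrailService auditTrailService) {
        this(new SecurityContext(settings, threadContext), authenticationService, auditTrailService);
    }

    /**
     * Creates an authenticator over an existing {@link SecurityContext}.
     */
    public SecondaryAuthenticator(SecurityContext securityContext, AuthenticationService authenticationService, AuditTrailService auditTrailService) {
        this.logger = LogManager.getLogger();
        this.securityContext = securityContext;
        this.authenticationService = authenticationService;
        this.auditTrailService = auditTrailService;
    }

    /**
     * Authenticates the secondary credentials (if any) for a transport request.
     *
     * <p>Nothing is written to the thread context; the caller receives the result through the
     * listener only.
     *
     * @param str              the first argument passed to {@link AuthenticationService}
     *                         (presumably the action name; confirm against that class)
     * @param transportRequest the transport request being authenticated
     * @param actionListener   receives the {@link SecondaryAuthentication}, {@code null} when no
     *                         secondary credentials were supplied, or a failure
     */
    public void authenticate(String str, TransportRequest transportRequest, ActionListener<SecondaryAuthentication> actionListener) {
        // NOTE(review): the literal `false` is presumably AuthenticationService's "allow anonymous"
        // flag, i.e. secondary credentials must never resolve to the anonymous user. Confirm
        // against AuthenticationService before changing it.
        // NOTE(review): no audit event is emitted here for the transport path; presumably
        // AuthenticationService audits it itself. Confirm.
        authenticate(
            authListener -> this.authenticationService.authenticate(str, transportRequest, false, authListener),
            actionListener
        );
    }

    /**
     * Authenticates the secondary credentials (if any) for a REST request and, on success, writes
     * the resulting {@link SecondaryAuthentication} into the current thread context.
     *
     * <p>A successful authentication is reported to the audit trail before the listener is
     * notified. When no secondary credentials were supplied the listener receives {@code null}
     * and the thread context is left untouched.
     *
     * @param restRequest    the REST request being authenticated
     * @param actionListener receives the {@link SecondaryAuthentication}, {@code null} when no
     *                       secondary credentials were supplied, or a failure
     * @throws NullPointerException if {@code actionListener} is {@code null}
     */
    public void authenticateAndAttachToContext(RestRequest restRequest, ActionListener<SecondaryAuthentication> actionListener) {
        // Validate up front, before any authentication work is started.
        Objects.requireNonNull(actionListener);
        final ThreadContext threadContext = this.securityContext.getThreadContext();

        // NOTE(review): the literal `false` is presumably the "allow anonymous" flag (see the
        // transport overload). Confirm against AuthenticationService.
        final Consumer<ActionListener<Authentication>> restAuthenticator = authListener ->
            this.authenticationService.authenticate(
                restRequest.getHttpRequest(),
                false,
                // The inner listener needs its own name: a lambda parameter may not redeclare a
                // variable from the enclosing lambda.
                authListener.delegateFailure((delegate, authentication) -> {
                    this.auditTrailService.get().authenticationSuccess(restRequest);
                    delegate.onResponse(authentication);
                })
            );

        authenticate(restAuthenticator, ActionListener.wrap(secondaryAuthentication -> {
            // null means no secondary credentials were sent, so there is nothing to attach.
            if (secondaryAuthentication != null) {
                secondaryAuthentication.writeToContext(threadContext);
            }
            actionListener.onResponse(secondaryAuthentication);
        }, actionListener::onFailure));
    }

    /**
     * Shared implementation: reads the secondary credentials header, runs the supplied
     * authentication call inside a stashed thread context, and translates the outcome.
     *
     * <p>An exception thrown synchronously by {@code consumer} propagates to the caller (after the
     * stashed context has been restored) rather than being routed to {@code actionListener}.
     *
     * @param consumer       performs the actual authentication call against the listener it is given
     * @param actionListener receives the translated result
     */
    private void authenticate(Consumer<ActionListener<Authentication>> consumer, ActionListener<SecondaryAuthentication> actionListener) {
        final ThreadContext threadContext = this.securityContext.getThreadContext();
        final String header = threadContext.getHeader(SECONDARY_AUTH_HEADER_NAME);
        if (Strings.isNullOrEmpty(header)) {
            // Logging the value is safe only here: on this branch it is null or empty. Do not copy
            // this log statement to the non-empty path, where the value holds credentials.
            this.logger.trace("no secondary authentication credentials found (the [{}] header is [{}])", SECONDARY_AUTH_HEADER_NAME, header);
            actionListener.onResponse(null);
            return;
        }

        // Capture the caller's context now, so that the result is delivered back in it rather than
        // in the stashed context that only holds the secondary credentials.
        final ActionListener<Authentication> authenticationListener = new ContextPreservingActionListener<>(
            threadContext.newRestorableContext(false),
            ActionListener.wrap(authentication -> {
                if (authentication == null) {
                    // Fail closed: a missing result is never treated as success.
                    this.logger.debug("secondary authentication failed - authentication service returned a null authentication object");
                    actionListener.onFailure(new ElasticsearchSecurityException("Failed to authenticate secondary user"));
                } else {
                    // Logs the Authentication object, not the header value.
                    this.logger.debug("secondary authentication succeeded [{}]", authentication);
                    actionListener.onResponse(new SecondaryAuthentication(this.securityContext, authentication));
                }
            }, exc -> {
                this.logger.debug("secondary authentication failed - authentication service responded with failure", exc);
                // The message is the same generic one as above; the cause is chained for diagnostics.
                // NOTE(review): confirm how much of the cause chain is rendered to the client.
                actionListener.onFailure(new ElasticsearchSecurityException("Failed to authenticate secondary user", exc));
            })
        );

        // Stash the caller's context so authentication sees only the secondary credentials; closing
        // the stored context restores the caller's context and discards the internal header.
        try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
            // NOTE(review): this listing references the header constant via KerberosAuthenticationToken;
            // presumably it is the standard authorization header shared by all token types. Confirm.
            this.logger.trace("found secondary authentication credentials, placing them in the internal [{}] header for authentication", KerberosAuthenticationToken.AUTH_HEADER);
            threadContext.putHeader(KerberosAuthenticationToken.AUTH_HEADER, header);
            consumer.accept(authenticationListener);
        }
    }
}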
