package org.elasticsearch.xpack.security.authc;

import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.http.HttpPreRequest;
import org.elasticsearch.node.Node;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.Authenticator;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
import org.elasticsearch.xpack.security.operator.OperatorPrivileges;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticationService.class */
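/**
 * Entry point for authenticating REST and transport requests.
 * <p>
 * The service owns almost no logic of its own: every {@code authenticate(...)} overload builds an
 * {@link Authenticator.Context} (wrapping the request in an {@link AuditableRequest} so that each
 * failure path is written to the audit trail before an exception is returned) and hands it to the
 * {@link AuthenticatorChain} assembled in the constructor. The only state kept here is the optional
 * per-node "last successful realm" cache and the invalidation counter that accompanies it.
 * <p>
 * Listing note: this is decompiler output. The abstract methods of {@code AuditableRequest} were
 * emitted as {@code public} while the {@code AuditableHttpRequest} overrides are package-private,
 * which does not compile (an override may not weaken access). Access is restored to package-private
 * here, which is what the decompiler's own "Access modifiers changed" notes say the original used;
 * the same applies to the nested classes, {@link #newContext} and {@link #authenticate(Authenticator.Context, ActionListener)}.
 */
public class AuthenticationService {
    /** Per-node switch for the cache of "which realm last authenticated this principal" (default on). */
    static final Setting<Boolean> SUCCESS_AUTH_CACHE_ENABLED = Setting.boolSetting(
        "xpack.security.authc.success_cache.enabled",
        true,
        new Setting.Property[] { Setting.Property.NodeScope }
    );
    /**
     * Maximum number of cached principals (default 10000). The value is converted with
     * {@link Integer#toUnsignedLong}, so a negative setting is not rejected: it becomes a very large
     * maximum weight, i.e. an effectively unbounded cache. Keep that in mind when reviewing node settings.
     */
    private static final Setting<Integer> SUCCESS_AUTH_CACHE_MAX_SIZE = Setting.intSetting(
        "xpack.security.authc.success_cache.size",
        10000,
        new Setting.Property[] { Setting.Property.NodeScope }
    );
    /**
     * Idle expiry of cache entries (default one hour). This is expire-after-access, not
     * expire-after-write: an entry that keeps being hit is not aged out by time, so stale routing
     * is corrected by explicit invalidation ({@link #expire(String)}, {@link #expireAll()}).
     */
    private static final Setting<TimeValue> SUCCESS_AUTH_CACHE_EXPIRE_AFTER_ACCESS = Setting.timeSetting(
        "xpack.security.authc.success_cache.expire_after_access",
        TimeValue.timeValueHours(1),
        new Setting.Property[] { Setting.Property.NodeScope }
    );
    private static final Logger logger = LogManager.getLogger(AuthenticationService.class);

    private final Realms realms;
    private final AuditTrailService auditTrailService;
    private final AuthenticationFailureHandler failureHandler;
    private final ThreadContext threadContext;
    /** Principal name -> realm that last authenticated it; {@code null} when the cache is disabled. */
    @Nullable
    private final Cache<String, Realm> lastSuccessfulAuthCache;
    /**
     * Bumped on every explicit invalidation, before the cache is touched, and shared with the
     * {@link RealmsAuthenticator}. NOTE(review): presumably the authenticator compares this counter
     * around its own cache writes so a concurrent invalidation is not undone by a late put — confirm there.
     */
    private final AtomicLong numInvalidation = new AtomicLong();
    private final AuthenticatorChain authenticatorChain;

    /**
     * Adapter that records every authentication outcome of a REST request on the audit trail and turns
     * failures into the {@link ElasticsearchSecurityException} chosen by the configured
     * {@link AuthenticationFailureHandler}. A fresh audit request id is generated per instance.
     */
    static class AuditableHttpRequest extends AuditableRequest {
        private final HttpPreRequest request;
        private final String requestId;

        AuditableHttpRequest(
            AuditTrail auditTrail,
            AuthenticationFailureHandler authenticationFailureHandler,
            ThreadContext threadContext,
            HttpPreRequest httpPreRequest
        ) {
            super(auditTrail, authenticationFailureHandler, threadContext);
            this.request = httpPreRequest;
            // Always a new id for REST; the transport variant reuses one already in the thread context.
            this.requestId = AuditUtil.generateRequestId(threadContext);
        }

        @Override
        void authenticationSuccess(Authentication authentication) {
            // Deliberately no audit event for a REST authentication success.
            // NOTE(review): presumably success is audited once the resolved action is known, later in the
            // request pipeline, rather than dropped — confirm against the REST filter before relying on it.
        }

        @Override
        void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str) {
            // str is the name of the realm that rejected the token.
            this.auditTrail.authenticationFailed(this.requestId, str, authenticationToken, this.request);
        }

        @Override
        ElasticsearchSecurityException tamperedRequest() {
            // A REST request carrying authentication state it must not have: audit as tampering, never trust it.
            this.auditTrail.tamperedRequest(this.requestId, this.request);
            return new ElasticsearchSecurityException("rest request attempted to inject a user", new Object[0]);
        }

        @Override
        ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken) {
            // The token is only included in the audit record when one had been extracted before the failure.
            if (authenticationToken == null) {
                this.auditTrail.authenticationFailed(this.requestId, this.request);
            } else {
                this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.request);
            }
            return this.failureHandler.exceptionProcessingRequest(this.request, exc, this.threadContext);
        }

        @Override
        ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken) {
            this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.request);
            return this.failureHandler.failedAuthentication(this.request, authenticationToken, this.threadContext);
        }

        @Override
        ElasticsearchSecurityException anonymousAccessDenied() {
            this.auditTrail.anonymousAccessDenied(this.requestId, this.request);
            return this.failureHandler.missingToken(this.request, this.threadContext);
        }

        @Override
        ElasticsearchSecurityException runAsDenied(Authentication authentication, AuthenticationToken authenticationToken) {
            // No authorization info exists yet at authentication time, hence the empty placeholder.
            this.auditTrail.runAsDenied(this.requestId, authentication, this.request, AuthorizationEngine.EmptyAuthorizationInfo.INSTANCE);
            return this.failureHandler.failedAuthentication(this.request, authenticationToken, this.threadContext);
        }

        @Override
        public String toString() {
            return "rest request uri [" + this.request.uri() + "]";
        }
    }

    /**
     * Common shape of an auditable request. Each hook writes the corresponding audit event and, for the
     * failure hooks, returns the exception the caller should propagate to the client.
     */
    static abstract class AuditableRequest {
        final AuditTrail auditTrail;
        final AuthenticationFailureHandler failureHandler;
        final ThreadContext threadContext;

        AuditableRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext) {
            this.auditTrail = auditTrail;
            this.failureHandler = authenticationFailureHandler;
            this.threadContext = threadContext;
        }

        /** A specific realm ({@code str}) rejected the token; no exception is produced because other realms may still accept it. */
        abstract void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str);

        /** The request carried authentication state that failed verification or must not be present. */
        abstract ElasticsearchSecurityException tamperedRequest();

        /** An unexpected exception interrupted authentication; the token is {@code null} if none had been extracted yet. */
        abstract ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken);

        /** No realm accepted the token. */
        abstract ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken);

        /** No credentials were supplied and anonymous access is not available. */
        abstract ElasticsearchSecurityException anonymousAccessDenied();

        /** The authenticated user asked to run as another user and was refused. */
        abstract ElasticsearchSecurityException runAsDenied(Authentication authentication, AuthenticationToken authenticationToken);

        /** Authentication completed with the given result. */
        abstract void authenticationSuccess(Authentication authentication);
    }

    /**
     * Audit adapter for transport requests. Unlike the REST variant it reuses an audit request id already
     * present in the thread context (when one is), so events from the originating REST request and the
     * transport actions it fans out to can be correlated.
     */
    static class AuditableTransportRequest extends AuditableRequest {
        private final String action;
        private final TransportRequest transportRequest;
        private final String requestId;

        AuditableTransportRequest(
            AuditTrail auditTrail,
            AuthenticationFailureHandler authenticationFailureHandler,
            ThreadContext threadContext,
            String str,
            TransportRequest transportRequest
        ) {
            super(auditTrail, authenticationFailureHandler, threadContext);
            // str is the transport action name.
            this.action = str;
            this.transportRequest = transportRequest;
            this.requestId = AuditUtil.getOrGenerateRequestId(threadContext);
        }

        @Override
        void authenticationSuccess(Authentication authentication) {
            this.auditTrail.authenticationSuccess(this.requestId, authentication, this.action, this.transportRequest);
        }

        @Override
        void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str) {
            // str is the name of the realm that rejected the token.
            this.auditTrail.authenticationFailed(this.requestId, str, authenticationToken, this.action, this.transportRequest);
        }

        @Override
        ElasticsearchSecurityException tamperedRequest() {
            this.auditTrail.tamperedRequest(this.requestId, this.action, this.transportRequest);
            return new ElasticsearchSecurityException("failed to verify signed authentication information", new Object[0]);
        }

        @Override
        ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken) {
            if (authenticationToken == null) {
                this.auditTrail.authenticationFailed(this.requestId, this.action, this.transportRequest);
            } else {
                this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.action, this.transportRequest);
            }
            return this.failureHandler.exceptionProcessingRequest(this.transportRequest, this.action, exc, this.threadContext);
        }

        @Override
        ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken) {
            this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.action, this.transportRequest);
            return this.failureHandler.failedAuthentication(this.transportRequest, authenticationToken, this.action, this.threadContext);
        }

        @Override
        ElasticsearchSecurityException anonymousAccessDenied() {
            this.auditTrail.anonymousAccessDenied(this.requestId, this.action, this.transportRequest);
            return this.failureHandler.missingToken(this.transportRequest, this.action, this.threadContext);
        }

        @Override
        ElasticsearchSecurityException runAsDenied(Authentication authentication, AuthenticationToken authenticationToken) {
            this.auditTrail.runAsDenied(this.requestId, authentication, this.action, this.transportRequest, AuthorizationEngine.EmptyAuthorizationInfo.INSTANCE);
            return this.failureHandler.failedAuthentication(this.transportRequest, authenticationToken, this.action, this.threadContext);
        }

        @Override
        public String toString() {
            return "transport request action [" + this.action + "]";
        }
    }

    /**
     * Builds the service and the authenticator chain it delegates to. The chain order fixed here is:
     * service accounts, OAuth2 tokens, API keys, then the configured realms.
     *
     * @param settings node settings; only the cache settings and the node name are read here
     */
    public AuthenticationService(
        Settings settings,
        Realms realms,
        AuditTrailService auditTrailService,
        AuthenticationFailureHandler authenticationFailureHandler,
        ThreadPool threadPool,
        AnonymousUser anonymousUser,
        TokenService tokenService,
        ApiKeyService apiKeyService,
        ServiceAccountService serviceAccountService,
        OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService
    ) {
        this.realms = realms;
        this.auditTrailService = auditTrailService;
        this.failureHandler = authenticationFailureHandler;
        this.threadContext = threadPool.getThreadContext();
        this.lastSuccessfulAuthCache = buildSuccessCache(settings);
        final String nodeName = Node.NODE_NAME_SETTING.get(settings);
        this.authenticatorChain = new AuthenticatorChain(
            settings,
            operatorPrivilegesService,
            anonymousUser,
            new AuthenticationContextSerializer(),
            new ServiceAccountAuthenticator(serviceAccountService, nodeName),
            new OAuth2TokenAuthenticator(tokenService),
            new ApiKeyAuthenticator(apiKeyService, nodeName),
            new RealmsAuthenticator(this.numInvalidation, this.lastSuccessfulAuthCache)
        );
    }

    /**
     * Creates the last-successful-realm cache from settings, or returns {@code null} when it is disabled.
     * See the notes on {@link #SUCCESS_AUTH_CACHE_MAX_SIZE} regarding negative sizes.
     */
    @Nullable
    private static Cache<String, Realm> buildSuccessCache(Settings settings) {
        if (SUCCESS_AUTH_CACHE_ENABLED.get(settings) == false) {
            return null;
        }
        final int maxSize = SUCCESS_AUTH_CACHE_MAX_SIZE.get(settings);
        final TimeValue idleExpiry = SUCCESS_AUTH_CACHE_EXPIRE_AFTER_ACCESS.get(settings);
        return CacheBuilder.<String, Realm>builder()
            .setMaximumWeight(Integer.toUnsignedLong(maxSize))
            .setExpireAfterAccess(idleExpiry)
            .build();
    }

    /** Authenticates a REST request; the boolean of the two-argument form is fixed to {@code true}. */
    public void authenticate(HttpPreRequest httpPreRequest, ActionListener<Authentication> actionListener) {
        authenticate(httpPreRequest, true, actionListener);
    }

    /**
     * Authenticates a REST request with no fallback user.
     *
     * @param z forwarded to {@link Authenticator.Context} unchanged. NOTE(review): presumably "allow
     *          anonymous access"; the name is lost in decompilation — confirm against the Context constructor.
     */
    public void authenticate(HttpPreRequest httpPreRequest, boolean z, ActionListener<Authentication> actionListener) {
        final AuditableHttpRequest auditable = new AuditableHttpRequest(this.auditTrailService.get(), this.failureHandler, this.threadContext, httpPreRequest);
        authenticate(new Authenticator.Context(this.threadContext, auditable, null, z, this.realms), actionListener);
    }

    /**
     * Authenticates a transport request with a mandatory fallback user and the context boolean fixed to
     * {@code false}. The fallback is handed to the chain as-is; what it does when no credentials are present
     * is decided there, not here.
     *
     * @param str the transport action name
     * @throws NullPointerException if {@code user} is null
     */
    public void authenticate(String str, TransportRequest transportRequest, User user, ActionListener<Authentication> actionListener) {
        Objects.requireNonNull(user, "fallback user may not be null");
        final AuditableTransportRequest auditable = new AuditableTransportRequest(this.auditTrailService.get(), this.failureHandler, this.threadContext, str, transportRequest);
        authenticate(new Authenticator.Context(this.threadContext, auditable, user, false, this.realms), actionListener);
    }

    /**
     * Authenticates a transport request with no fallback user.
     *
     * @param str the transport action name
     * @param z   forwarded to {@link Authenticator.Context} unchanged (see the REST overload for the caveat)
     */
    public void authenticate(String str, TransportRequest transportRequest, boolean z, ActionListener<Authentication> actionListener) {
        authenticate(newContext(str, transportRequest, z), actionListener);
    }

    /**
     * Authenticates a transport request using an already-extracted token instead of letting the chain
     * extract one from the request; the context boolean is fixed to {@code true}.
     *
     * @param str the transport action name
     */
    public void authenticate(String str, TransportRequest transportRequest, AuthenticationToken authenticationToken, ActionListener<Authentication> actionListener) {
        final Authenticator.Context context = newContext(str, transportRequest, true);
        context.addAuthenticationToken(authenticationToken);
        authenticate(context, actionListener);
    }

    /**
     * Drops the cached realm for one principal (e.g. after a credential change). The invalidation counter
     * is bumped before the cache is touched so a concurrent lookup that started earlier can detect it.
     * No-op when the cache is disabled.
     */
    public void expire(String str) {
        if (this.lastSuccessfulAuthCache == null) {
            return;
        }
        this.numInvalidation.incrementAndGet();
        this.lastSuccessfulAuthCache.invalidate(str);
    }

    /** Drops every cached realm; same counter-first ordering as {@link #expire(String)}. No-op when disabled. */
    public void expireAll() {
        if (this.lastSuccessfulAuthCache == null) {
            return;
        }
        this.numInvalidation.incrementAndGet();
        this.lastSuccessfulAuthCache.invalidateAll();
    }

    /**
     * Flushes the cache whenever the security index becomes usable again, is deleted, or is replaced by a
     * different index (UUID change): any of these can mean the realm that last authenticated a principal is
     * no longer the right one.
     *
     * @param state  previous index state
     * @param state2 current index state
     */
    public void onSecurityIndexStateChange(SecurityIndexManager.State state, SecurityIndexManager.State state2) {
        if (this.lastSuccessfulAuthCache == null) {
            return;
        }
        final boolean indexReplaced = Objects.equals(state.indexUUID, state2.indexUUID) == false;
        if (indexReplaced || SecurityIndexManager.isMoveFromRedToNonRed(state, state2) || SecurityIndexManager.isIndexDeleted(state, state2)) {
            expireAll();
        }
    }

    /**
     * Builds an authenticator context for a transport request with no fallback user.
     *
     * @param str the transport action name
     * @param z   forwarded to {@link Authenticator.Context} unchanged
     */
    Authenticator.Context newContext(String str, TransportRequest transportRequest, boolean z) {
        final AuditableTransportRequest auditable = new AuditableTransportRequest(this.auditTrailService.get(), this.failureHandler, this.threadContext, str, transportRequest);
        return new Authenticator.Context(this.threadContext, auditable, null, z, this.realms);
    }

    /** Runs the authenticator chain on a prepared context; every public overload ends up here. */
    void authenticate(Authenticator.Context context, ActionListener<Authentication> actionListener) {
        this.authenticatorChain.authenticateAsync(context, actionListener);
    }

    /** Number of explicit cache invalidations so far (test hook). */
    long getNumInvalidation() {
        return this.numInvalidation.get();
    }

    /** Registers the settings this service reads, plus the run-as switch it shares with the realms. */
    public static void addSettings(List<Setting<?>> list) {
        list.add(AuthenticationServiceField.RUN_AS_ENABLED);
        list.add(SUCCESS_AUTH_CACHE_ENABLED);
        list.add(SUCCESS_AUTH_CACHE_MAX_SIZE);
        list.add(SUCCESS_AUTH_CACHE_EXPIRE_AFTER_ACCESS);
    }
}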
