package org.elasticsearch.xpack.security.authc.pki;

import java.security.MessageDigest;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.ssl.SslTrustConfig;
import org.elasticsearch.common.util.concurrent.ReleasableLock;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.pki.PkiRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.ssl.SslSettingsLoader;
import org.elasticsearch.xpack.security.authc.BytesKey;
import org.elasticsearch.xpack.security.authc.TokenService;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
import org.elasticsearch.xpack.security.authc.support.mapper.CompositeRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/pki/PkiRealm.class */
public class PkiRealm extends Realm implements CachingRealm {
    public static final String PKI_CERT_HEADER_NAME = "__SECURITY_CLIENT_CERTIFICATE";
    private static final String AUTH_TYPE = "UNKNOWN";
    private final ReleasableLock readLock;
    private final ReleasableLock writeLock;
    private final X509TrustManager trustManager;
    private final Pattern principalPattern;
    private final UserRoleMapper roleMapper;
    private final Cache<BytesKey, User> cache;
    private DelegatedAuthorizationSupport delegatedRealms;
    private final boolean delegationEnabled;
    static final /* synthetic */ boolean $assertionsDisabled;

    public PkiRealm(RealmConfig realmConfig, ResourceWatcherService resourceWatcherService, NativeRoleMappingStore nativeRoleMappingStore) {
        this(realmConfig, new CompositeRoleMapper(realmConfig, resourceWatcherService, nativeRoleMappingStore));
    }

    PkiRealm(RealmConfig realmConfig, UserRoleMapper userRoleMapper) {
        super(realmConfig);
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock();
        this.readLock = new ReleasableLock(reentrantReadWriteLock.readLock());
        this.writeLock = new ReleasableLock(reentrantReadWriteLock.writeLock());
        this.delegationEnabled = ((Boolean) realmConfig.getSetting(PkiRealmSettings.DELEGATION_ENABLED_SETTING)).booleanValue();
        this.trustManager = trustManagers(realmConfig);
        this.principalPattern = (Pattern) realmConfig.getSetting(PkiRealmSettings.USERNAME_PATTERN_SETTING);
        this.roleMapper = userRoleMapper;
        this.roleMapper.refreshRealmOnChange(this);
        this.cache = CacheBuilder.builder().setExpireAfterWrite((TimeValue) realmConfig.getSetting(PkiRealmSettings.CACHE_TTL_SETTING)).setMaximumWeight(((Integer) realmConfig.getSetting(PkiRealmSettings.CACHE_MAX_USERS_SETTING)).intValue()).build();
        this.delegatedRealms = null;
        validateAuthenticationDelegationConfiguration(realmConfig);
    }

    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        if (this.delegatedRealms != null) {
            throw new IllegalStateException("Realm has already been initialized");
        }
        this.delegatedRealms = new DelegatedAuthorizationSupport(iterable, this.config, xPackLicenseState);
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof X509AuthenticationToken;
    }

    /* renamed from: token, reason: merged with bridge method [inline-methods] */
    public X509AuthenticationToken m105token(ThreadContext threadContext) {
        X509AuthenticationToken x509AuthenticationToken;
        String principalFromSubjectDN;
        Object obj = threadContext.getTransient(PKI_CERT_HEADER_NAME);
        if (obj == null) {
            return null;
        }
        if (!$assertionsDisabled && !(obj instanceof X509Certificate[])) {
            throw new AssertionError();
        }
        X509Certificate[] x509CertificateArr = (X509Certificate[]) obj;
        if (x509CertificateArr.length == 0 || (principalFromSubjectDN = getPrincipalFromSubjectDN(this.principalPattern, (x509AuthenticationToken = new X509AuthenticationToken(x509CertificateArr)), this.logger)) == null) {
            return null;
        }
        x509AuthenticationToken.setPrincipal(principalFromSubjectDN);
        return x509AuthenticationToken;
    }

    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult<User>> actionListener) {
        if (!$assertionsDisabled && this.delegatedRealms == null) {
            throw new AssertionError("Realm has not been initialized correctly");
        }
        X509AuthenticationToken x509AuthenticationToken = (X509AuthenticationToken) authenticationToken;
        try {
            BytesKey computeTokenFingerprint = computeTokenFingerprint(x509AuthenticationToken);
            User user = (User) this.cache.get(computeTokenFingerprint);
            if (user != null) {
                this.logger.debug(() -> {
                    return Strings.format("Using cached authentication for DN [%s], as principal [%s]", new Object[]{x509AuthenticationToken.dn(), user.principal()});
                });
                if (this.delegatedRealms.hasDelegation()) {
                    this.delegatedRealms.resolve(user.principal(), actionListener);
                } else {
                    actionListener.onResponse(AuthenticationResult.success(user));
                }
            } else if (false == this.delegationEnabled && x509AuthenticationToken.isDelegated()) {
                actionListener.onResponse(AuthenticationResult.unsuccessful("Realm does not permit delegation for " + x509AuthenticationToken.dn(), (Exception) null));
            } else if (false == isCertificateChainTrusted(x509AuthenticationToken)) {
                actionListener.onResponse(AuthenticationResult.unsuccessful("Certificate for " + x509AuthenticationToken.dn() + " is not trusted", (Exception) null));
            } else {
                String principalFromSubjectDN = getPrincipalFromSubjectDN(this.principalPattern, x509AuthenticationToken, this.logger);
                if (principalFromSubjectDN == null) {
                    this.logger.debug(() -> {
                        return Strings.format("the extracted principal after cert chain validation, from DN [%s], using pattern [%s] is null", new Object[]{x509AuthenticationToken.dn(), this.principalPattern.toString()});
                    });
                    actionListener.onResponse(AuthenticationResult.unsuccessful("Could not parse principal from Subject DN " + x509AuthenticationToken.dn(), (Exception) null));
                } else {
                    CheckedConsumer checkedConsumer = authenticationResult -> {
                        if (authenticationResult.isAuthenticated()) {
                            ReleasableLock acquire = this.readLock.acquire();
                            try {
                                this.cache.put(computeTokenFingerprint, (User) authenticationResult.getValue());
                                if (acquire != null) {
                                    acquire.close();
                                }
                            } catch (Throwable th) {
                                if (acquire != null) {
                                    try {
                                        acquire.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                }
                                throw th;
                            }
                        }
                        actionListener.onResponse(authenticationResult);
                    };
                    Objects.requireNonNull(actionListener);
                    ActionListener<AuthenticationResult<User>> wrap = ActionListener.wrap(checkedConsumer, actionListener::onFailure);
                    if (false == principalFromSubjectDN.equals(x509AuthenticationToken.principal())) {
                        this.logger.debug(() -> {
                            return Strings.format("the extracted principal before [%s] and after [%s] cert chain validation, for DN [%s], are different", new Object[]{x509AuthenticationToken.principal(), principalFromSubjectDN, x509AuthenticationToken.dn()});
                        });
                    }
                    if (this.delegatedRealms.hasDelegation()) {
                        this.delegatedRealms.resolve(principalFromSubjectDN, wrap);
                    } else {
                        buildUser(x509AuthenticationToken, principalFromSubjectDN, wrap);
                    }
                }
            }
        } catch (CertificateEncodingException e) {
            actionListener.onResponse(AuthenticationResult.unsuccessful("Certificate for " + x509AuthenticationToken.dn() + " has encoding issues", e));
        }
    }

    private void buildUser(X509AuthenticationToken x509AuthenticationToken, String str, ActionListener<AuthenticationResult<User>> actionListener) {
        Map of = x509AuthenticationToken.isDelegated() ? Map.of("pki_dn", x509AuthenticationToken.dn(), "pki_delegated_by_user", x509AuthenticationToken.getDelegateeAuthentication().getEffectiveSubject().getUser().principal(), "pki_delegated_by_realm", x509AuthenticationToken.getDelegateeAuthentication().getEffectiveSubject().getRealm().getName()) : Map.of("pki_dn", x509AuthenticationToken.dn());
        UserRoleMapper.UserData userData = new UserRoleMapper.UserData(str, x509AuthenticationToken.dn(), Set.of(), of, this.config);
        UserRoleMapper userRoleMapper = this.roleMapper;
        Map map = of;
        CheckedConsumer checkedConsumer = set -> {
            actionListener.onResponse(AuthenticationResult.success(new User(str, (String[]) set.toArray(new String[set.size()]), (String) null, (String) null, map, true)));
        };
        Objects.requireNonNull(actionListener);
        userRoleMapper.resolveRoles(userData, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void lookupUser(String str, ActionListener<User> actionListener) {
        actionListener.onResponse((Object) null);
    }

    static String getPrincipalFromSubjectDN(Pattern pattern, X509AuthenticationToken x509AuthenticationToken, Logger logger) {
        String x500Principal = x509AuthenticationToken.m106credentials()[0].getSubjectX500Principal().toString();
        Matcher matcher = pattern.matcher(x500Principal);
        if (false == matcher.find()) {
            logger.debug(() -> {
                return Strings.format("could not extract principal from DN [%s] using pattern [%s]", new Object[]{x500Principal, pattern.toString()});
            });
            return null;
        }
        String group = matcher.group(1);
        if (!org.elasticsearch.common.Strings.isNullOrEmpty(group)) {
            return group;
        }
        logger.debug(() -> {
            return Strings.format("the extracted principal from DN [%s] using pattern [%s] is empty", new Object[]{x500Principal, pattern.toString()});
        });
        return null;
    }

    private boolean isCertificateChainTrusted(X509AuthenticationToken x509AuthenticationToken) {
        if (this.trustManager == null) {
            return !x509AuthenticationToken.isDelegated();
        }
        try {
            this.trustManager.checkClientTrusted(x509AuthenticationToken.m106credentials(), AUTH_TYPE);
            return true;
        } catch (CertificateException e) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("failed certificate validation for Subject DN [" + x509AuthenticationToken.dn() + "]", e);
                return false;
            }
            if (!this.logger.isDebugEnabled()) {
                return false;
            }
            this.logger.debug("failed certificate validation for Subject DN [{}]", x509AuthenticationToken.dn());
            return false;
        }
    }

    private X509TrustManager trustManagers(RealmConfig realmConfig) {
        SslTrustConfig trustConfig = SslSettingsLoader.load(realmConfig.settings(), RealmSettings.realmSettingPrefix(realmConfig.identifier()), realmConfig.env()).trustConfig();
        if (trustConfig.isSystemDefault()) {
            return null;
        }
        X509ExtendedTrustManager createTrustManager = trustConfig.createTrustManager();
        if (createTrustManager.getAcceptedIssuers().length == 0) {
            this.logger.warn("PKI Realm [{}] uses trust configuration [{}] which has no accepted certificate issuers", this, trustConfig);
        }
        return createTrustManager;
    }

    public void expire(String str) {
        ReleasableLock acquire = this.writeLock.acquire();
        try {
            Iterator it = this.cache.values().iterator();
            while (it.hasNext()) {
                if (((User) it.next()).principal().equals(str)) {
                    it.remove();
                }
            }
            if (acquire != null) {
                acquire.close();
            }
        } catch (Throwable th) {
            if (acquire != null) {
                try {
                    acquire.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void expireAll() {
        ReleasableLock acquire = this.readLock.acquire();
        try {
            this.cache.invalidateAll();
            if (acquire != null) {
                acquire.close();
            }
        } catch (Throwable th) {
            if (acquire != null) {
                try {
                    acquire.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void usageStats(ActionListener<Map<String, Object>> actionListener) {
        CheckedConsumer checkedConsumer = map -> {
            map.put("has_truststore", Boolean.valueOf(this.trustManager != null));
            map.put("has_authorization_realms", Boolean.valueOf(this.delegatedRealms != null && this.delegatedRealms.hasDelegation()));
            map.put("has_default_username_pattern", Boolean.valueOf("CN=(.*?)(?:,|$)".equals(this.principalPattern.pattern())));
            map.put("is_authentication_delegated", Boolean.valueOf(this.delegationEnabled));
            actionListener.onResponse(map);
        };
        Objects.requireNonNull(actionListener);
        super.usageStats(ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    private void validateAuthenticationDelegationConfiguration(RealmConfig realmConfig) {
        if (this.delegationEnabled) {
            ArrayList arrayList = new ArrayList(2);
            if (this.trustManager == null) {
                arrayList.add("a trust configuration (" + realmConfig.getConcreteSetting(PkiRealmSettings.CAPATH_SETTING).getKey() + " or " + realmConfig.getConcreteSetting(PkiRealmSettings.TRUST_STORE_PATH).getKey() + ")");
            }
            if (false == TokenService.isTokenServiceEnabled(realmConfig.settings()).booleanValue()) {
                arrayList.add("that the token service be also enabled (" + XPackSettings.TOKEN_SERVICE_ENABLED_SETTING.getKey() + ")");
            }
            if (false == arrayList.isEmpty()) {
                String str = "PKI realms with delegation enabled require " + ((String) arrayList.get(0));
                if (arrayList.size() == 2) {
                    str = str + " and " + ((String) arrayList.get(1));
                }
                throw new IllegalStateException(str);
            }
        }
    }

    static BytesKey computeTokenFingerprint(X509AuthenticationToken x509AuthenticationToken) throws CertificateEncodingException {
        MessageDigest sha256 = MessageDigests.sha256();
        for (X509Certificate x509Certificate : x509AuthenticationToken.m106credentials()) {
            sha256.update(x509Certificate.getEncoded());
        }
        return new BytesKey(sha256.digest());
    }

    static {
        $assertionsDisabled = !PkiRealm.class.desiredAssertionStatus();
    }
}
