package org.elasticsearch.xpack.security.authc.esnative;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.logging.DeprecationCategory;
import org.elasticsearch.common.logging.DeprecationLogger;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureSetting;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.esnative.ClientReservedRealm;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.APMSystemUser;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.BeatsSystemUser;
import org.elasticsearch.xpack.core.security.user.ElasticUser;
import org.elasticsearch.xpack.core.security.user.KibanaSystemUser;
import org.elasticsearch.xpack.core.security.user.KibanaUser;
import org.elasticsearch.xpack.core.security.user.LogstashSystemUser;
import org.elasticsearch.xpack.core.security.user.RemoteMonitoringUser;
import org.elasticsearch.xpack.core.security.user.ReservedUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm;
import org.elasticsearch.xpack.security.support.SecuritySystemIndices;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.class */
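/**
 * Realm that authenticates and looks up the built-in ("reserved") users: {@code elastic},
 * {@code kibana}, {@code kibana_system}, {@code logstash_system}, {@code beats_system},
 * {@code apm_system}, {@code remote_monitoring_user} and, when enabled, the anonymous user.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The realm's {@code order} setting is forced to {@link Integer#MIN_VALUE}, so an operator
 *       cannot reorder it through configuration (presumably so it is consulted before any
 *       configured realm; confirm against the realm-ordering code).</li>
 *   <li>A reserved principal that fails here gets {@code AuthenticationResult.terminate(...)},
 *       never {@code notHandled()}, and every failure path uses the same message, so the response
 *       does not reveal why the attempt failed.</li>
 *   <li>A reserved user whose stored password is empty can never authenticate.</li>
 *   <li>Password hashes fetched per request are zeroed once the listener is about to be notified;
 *       the two long-lived instances held by this realm are deliberately left intact.</li>
 *   <li>An auto-configured {@code elastic} password hash is rejected at construction when it is
 *       empty or resolves to one of the weak hashers listed in the constructor.</li>
 * </ul>
 *
 * <p>This listing was recovered from a compiled class; decompiler artefacts (the hash-code based
 * string switch, the synthetic {@code $assertionsDisabled} flag, raw types and {@code (Object)}
 * casts) have been folded back into ordinary source constructs without changing behaviour.
 */
public class ReservedRealm extends CachingUsernamePasswordRealm {
    public static final String TYPE = "reserved";
    public static final String NAME = "reserved";

    // Hash derived from the bootstrap password setting; null when the elastic user is auto-configured.
    private final NativeUsersStore.ReservedUserInfo bootstrapUserInfo;
    // Hash supplied through the auto-configuration setting; null unless the elastic user is auto-configured.
    private final NativeUsersStore.ReservedUserInfo autoconfigUserInfo;

    public static final Setting<SecureString> BOOTSTRAP_ELASTIC_PASSWORD;
    public static final Setting<SecureString> AUTOCONFIG_ELASTIC_PASSWORD_HASH;

    private final NativeUsersStore nativeUsersStore;
    private final AnonymousUser anonymousUser;
    private final boolean realmEnabled;
    private final boolean anonymousEnabled;
    // True only when an auto-configured hash exists AND no bootstrap password was set.
    private final boolean elasticUserAutoconfigured;
    private final DeprecationLogger deprecationLogger;

    /**
     * Builds the realm and resolves which default credential backs the {@code elastic} user until
     * a password is stored in the native users store.
     *
     * @param environment       node environment passed through to the realm configuration
     * @param settings          node settings; read for the realm-enabled flag, anonymous access,
     *                          the bootstrap password and the auto-configured password hash
     * @param nativeUsersStore  store holding the persisted reserved-user records
     * @param anonymousUser     the anonymous user instance returned when anonymous access is enabled
     * @param threadPool        supplies the thread context for the realm configuration
     * @throws IllegalArgumentException if the auto-configured hash is present but empty, or was
     *                                  produced by SHA1, MD5, SSHA256 or the no-op hasher
     */
    public ReservedRealm(Environment environment, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser, ThreadPool threadPool) {
        super(
            new RealmConfig(
                new RealmConfig.RealmIdentifier(TYPE, NAME),
                Settings.builder()
                    .put(settings)
                    // Pin the order so configuration cannot move this realm.
                    .put(RealmSettings.realmSettingPrefix(new RealmConfig.RealmIdentifier(TYPE, NAME)) + "order", Integer.MIN_VALUE)
                    .build(),
                environment,
                threadPool.getThreadContext()
            ),
            threadPool
        );
        this.deprecationLogger = DeprecationLogger.getLogger(this.logger.getName());
        this.nativeUsersStore = nativeUsersStore;
        this.realmEnabled = XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings);
        this.anonymousUser = anonymousUser;
        this.anonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);

        char[] autoconfigHash = null;
        if (AUTOCONFIG_ELASTIC_PASSWORD_HASH.exists(settings)) {
            // NOTE(review): getChars() looks like it exposes the SecureString's own array, and the
            // reference is retained below for the life of the realm; confirm nothing clears it.
            autoconfigHash = AUTOCONFIG_ELASTIC_PASSWORD_HASH.get(settings).getChars();
            // Refuse an empty value and hashes from hashers unsuitable for a superuser credential
            // (fast digests or no hashing at all).
            if (autoconfigHash.length == 0
                || Set.of(Hasher.SHA1, Hasher.MD5, Hasher.SSHA256, Hasher.NOOP).contains(Hasher.resolveFromHash(autoconfigHash))) {
                throw new IllegalArgumentException("Invalid password hash for elastic user auto configuration");
            }
        }

        // An explicitly configured bootstrap password always wins over the auto-configured hash.
        this.elasticUserAutoconfigured = AUTOCONFIG_ELASTIC_PASSWORD_HASH.exists(settings)
            && false == BOOTSTRAP_ELASTIC_PASSWORD.exists(settings);
        if (this.elasticUserAutoconfigured) {
            this.autoconfigUserInfo = new NativeUsersStore.ReservedUserInfo(autoconfigHash, true);
            this.bootstrapUserInfo = null;
        } else {
            this.autoconfigUserInfo = null;
            SecureString bootstrapPassword = BOOTSTRAP_ELASTIC_PASSWORD.get(settings);
            // An empty bootstrap password is stored as an empty hash, which doAuthenticate
            // treats as "cannot log in" rather than as a valid empty credential.
            char[] bootstrapHash = bootstrapPassword.length() == 0
                ? new char[0]
                : Hasher.resolve(XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings)).hash(bootstrapPassword);
            this.bootstrapUserInfo = new NativeUsersStore.ReservedUserInfo(bootstrapHash, true);
        }
    }

    /**
     * Authenticates a username/password token against the reserved users.
     *
     * <p>Responds {@code notHandled()} when the realm is disabled or the principal is not a
     * reserved name. For a reserved principal every failure (user info unavailable, empty stored
     * password, wrong password) responds with {@code terminate(...)} and the same message.
     * When the successful credential is the auto-configured hash, the hash is first persisted via
     * {@link NativeUsersStore#createElasticUser} and success is reported only after that completes.
     *
     * @param usernamePasswordToken the credentials presented by the caller
     * @param actionListener        receives the authentication result, or a failure if promoting
     *                              the auto-configured hash fails
     */
    @Override
    protected void doAuthenticate(UsernamePasswordToken usernamePasswordToken, ActionListener<AuthenticationResult<User>> actionListener) {
        if (!this.realmEnabled) {
            actionListener.onResponse(AuthenticationResult.notHandled());
        } else if (ClientReservedRealm.isReserved(usernamePasswordToken.principal(), this.config.settings())) {
            getUserInfo(usernamePasswordToken.principal(), userInfo -> {
                if (userInfo == null) {
                    // getUserInfo passes null only when the store lookup itself failed: fail closed.
                    actionListener.onResponse(AuthenticationResult.terminate("failed to authenticate user [" + usernamePasswordToken.principal() + "]"));
                    return;
                }
                if (userInfo.hasEmptyPassword()) {
                    // No password set yet: never accept a login, whatever was presented.
                    actionListener.onResponse(AuthenticationResult.terminate("failed to authenticate user [" + usernamePasswordToken.principal() + "]"));
                    return;
                }
                // Wipe a per-request hash just before the caller is notified. The bootstrap and
                // auto-configured instances are shared across requests and must stay usable.
                ActionListener<AuthenticationResult<User>> hashClearingListener = ActionListener.runBefore(actionListener, () -> {
                    if (userInfo == this.bootstrapUserInfo || userInfo == this.autoconfigUserInfo) {
                        return;
                    }
                    Arrays.fill(userInfo.passwordHash, (char) 0);
                });
                if (!userInfo.verifyPassword(usernamePasswordToken.credentials())) {
                    hashClearingListener.onResponse(AuthenticationResult.terminate("failed to authenticate user [" + usernamePasswordToken.principal() + "]"));
                    return;
                }
                ReservedUser user = getUser(usernamePasswordToken.principal(), userInfo);
                logDeprecatedUser(user);
                if (userInfo != this.autoconfigUserInfo) {
                    hashClearingListener.onResponse(AuthenticationResult.success(user));
                } else {
                    // Only the elastic user can be backed by the auto-configured hash.
                    assert "elastic".equals(usernamePasswordToken.principal());
                    // Persist the hash before reporting success. The failure path goes straight to
                    // the original listener; the wipe would be skipped for this instance anyway.
                    this.nativeUsersStore.createElasticUser(
                        userInfo.passwordHash,
                        ActionListener.wrap(
                            ignored -> hashClearingListener.onResponse(AuthenticationResult.success(user)),
                            e -> actionListener.onFailure(
                                Exceptions.authenticationProcessError("failed to promote the auto-configured elastic password hash", e)
                            )
                        )
                    );
                }
            });
        } else {
            actionListener.onResponse(AuthenticationResult.notHandled());
        }
    }

    /**
     * Looks up a reserved user by name without checking credentials.
     *
     * <p>Responds {@code null} for names this realm does not own. With the realm disabled only the
     * anonymous user (if enabled) can be returned. If the user info cannot be retrieved the
     * listener fails with an authentication error instead of responding {@code null}.
     *
     * @param str            the username to look up
     * @param actionListener receives the user, {@code null}, or a failure
     */
    @Override
    protected void doLookupUser(String str, ActionListener<User> actionListener) {
        if (!this.realmEnabled) {
            if (this.anonymousEnabled && AnonymousUser.isAnonymousUsername(str, this.config.settings())) {
                actionListener.onResponse(this.anonymousUser);
            } else {
                actionListener.onResponse(null);
            }
            return;
        }
        if (!ClientReservedRealm.isReserved(str, this.config.settings())) {
            actionListener.onResponse(null);
        } else if (AnonymousUser.isAnonymousUsername(str, this.config.settings())) {
            actionListener.onResponse(this.anonymousEnabled ? this.anonymousUser : null);
        } else {
            getUserInfo(str, userInfo -> {
                if (userInfo != null) {
                    actionListener.onResponse(getUser(str, userInfo));
                } else {
                    actionListener.onFailure(Exceptions.authenticationError("failed to lookup user [{}]", str));
                }
            });
        }
    }

    /**
     * Maps a reserved username to its user object, carrying over the stored enabled flag.
     *
     * @param str              the reserved username; must not be {@code null}
     * @param reservedUserInfo the stored (or default) info for that user
     * @return the matching user, the anonymous user when enabled and the name is its principal,
     *         or {@code null} when the name matches nothing
     */
    private ReservedUser getUser(String str, NativeUsersStore.ReservedUserInfo reservedUserInfo) {
        assert str != null;
        switch (str) {
            case "elastic":
                return new ElasticUser(reservedUserInfo.enabled);
            case "kibana":
                return new KibanaUser(reservedUserInfo.enabled);
            case "kibana_system":
                return new KibanaSystemUser(reservedUserInfo.enabled);
            case "logstash_system":
                return new LogstashSystemUser(reservedUserInfo.enabled);
            case "beats_system":
                return new BeatsSystemUser(reservedUserInfo.enabled);
            case "apm_system":
                return new APMSystemUser(reservedUserInfo.enabled);
            case "remote_monitoring_user":
                return new RemoteMonitoringUser(reservedUserInfo.enabled);
            default:
                if (this.anonymousEnabled && this.anonymousUser.principal().equals(str)) {
                    return this.anonymousUser;
                }
                return null;
        }
    }

    /**
     * Lists every reserved user, plus the anonymous user when enabled.
     *
     * <p>A user with no stored record is reported as enabled. If the store cannot be read the
     * error is logged and the listener still receives a response: only the anonymous user (or an
     * empty list), the same as when the realm is disabled.
     *
     * @param actionListener receives the collection of users; never failed by this method
     */
    public void users(ActionListener<Collection<User>> actionListener) {
        if (this.realmEnabled) {
            this.nativeUsersStore.getAllReservedUserInfo(ActionListener.wrap((Map<String, NativeUsersStore.ReservedUserInfo> infoByName) -> {
                List<User> users = new ArrayList<>(8);
                users.add(new ElasticUser(enabledOrDefault(infoByName.get("elastic"))));
                users.add(new KibanaUser(enabledOrDefault(infoByName.get("kibana"))));
                users.add(new KibanaSystemUser(enabledOrDefault(infoByName.get("kibana_system"))));
                users.add(new LogstashSystemUser(enabledOrDefault(infoByName.get("logstash_system"))));
                users.add(new BeatsSystemUser(enabledOrDefault(infoByName.get("beats_system"))));
                users.add(new APMSystemUser(enabledOrDefault(infoByName.get("apm_system"))));
                users.add(new RemoteMonitoringUser(enabledOrDefault(infoByName.get("remote_monitoring_user"))));
                if (this.anonymousEnabled) {
                    users.add(this.anonymousUser);
                }
                actionListener.onResponse(users);
            }, e -> {
                this.logger.error("failed to retrieve reserved users", e);
                actionListener.onResponse(this.anonymousEnabled ? Collections.singletonList(this.anonymousUser) : Collections.emptyList());
            }));
        } else {
            actionListener.onResponse(this.anonymousEnabled ? Collections.singletonList(this.anonymousUser) : Collections.emptyList());
        }
    }

    /** Returns the stored enabled flag, treating a missing record as enabled. */
    private static boolean enabledOrDefault(NativeUsersStore.ReservedUserInfo info) {
        return info == null || info.enabled;
    }

    /**
     * Fetches the stored info for a reserved user, substituting the default info when the store
     * has no record. On a store failure the error is logged and the consumer receives
     * {@code null}; callers must treat that as "unavailable", not as "no password".
     *
     * @param str      the reserved username
     * @param consumer receives the stored info, the default info, or {@code null} on failure
     */
    private void getUserInfo(String str, Consumer<NativeUsersStore.ReservedUserInfo> consumer) {
        this.nativeUsersStore.getReservedUserInfo(str, ActionListener.wrap(storedInfo -> {
            if (storedInfo == null) {
                consumer.accept(getDefaultUserInfo(str));
            } else {
                consumer.accept(storedInfo);
            }
        }, e -> {
            this.logger.error(() -> "failed to retrieve password hash for reserved user [" + str + "]", e);
            consumer.accept(null);
        }));
    }

    /**
     * Emits a deprecation warning when the user's metadata marks it as deprecated.
     *
     * @param user the user that has just authenticated
     */
    private void logDeprecatedUser(User user) {
        Map<String, Object> metadata = user.metadata();
        if (Boolean.TRUE.equals(metadata.get("_deprecated"))) {
            this.deprecationLogger.warn(
                DeprecationCategory.SECURITY,
                "deprecated_user-" + user.principal(),
                "The user [" + user.principal() + "] is deprecated and will be removed in a future version of Elasticsearch. "
                    + String.valueOf(metadata.get("_deprecated_reason"))
            );
        }
    }

    /**
     * Returns the info used for a reserved user that has no record in the store.
     *
     * <p>For {@code elastic} this is the auto-configured hash when the user is auto-configured,
     * otherwise the hash derived from the bootstrap password; exactly one of the two is non-null.
     * Every other reserved user gets {@code ReservedUserInfo.defaultEnabledUserInfo()}.
     *
     * @param str the reserved username
     * @return the default info for that user
     */
    private NativeUsersStore.ReservedUserInfo getDefaultUserInfo(String str) {
        if (!"elastic".equals(str)) {
            return NativeUsersStore.ReservedUserInfo.defaultEnabledUserInfo();
        }
        if (this.elasticUserAutoconfigured) {
            assert this.bootstrapUserInfo == null;
            assert this.autoconfigUserInfo != null;
            return this.autoconfigUserInfo;
        }
        assert this.bootstrapUserInfo != null;
        assert this.autoconfigUserInfo == null;
        return this.bootstrapUserInfo;
    }

    /**
     * Registers this realm's secure settings.
     *
     * @param list the settings list to append to
     */
    public static void addSettings(List<Setting<?>> list) {
        list.add(BOOTSTRAP_ELASTIC_PASSWORD);
        list.add(AUTOCONFIG_ELASTIC_PASSWORD_HASH);
    }

    static {
        // The bootstrap password falls back to the keystore seed setting; the auto-configured
        // hash has no fallback.
        BOOTSTRAP_ELASTIC_PASSWORD = SecureSetting.secureString("bootstrap.password", KeyStoreWrapper.SEED_SETTING, new Setting.Property[0]);
        AUTOCONFIG_ELASTIC_PASSWORD_HASH = SecureSetting.secureString("autoconfiguration.password_hash", (Setting<SecureString>) null, new Setting.Property[0]);
    }
}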
