package org.elasticsearch.xpack.security.authc;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.common.IteratingActionListener;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.authc.Authenticator;
import org.elasticsearch.xpack.security.authc.support.RealmUserLookup;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/RealmsAuthenticator.class */
public class RealmsAuthenticator implements Authenticator {
    private static final Logger logger;
    private final AtomicLong numInvalidation;
    private final Cache<String, Realm> lastSuccessfulAuthCache;
    private boolean authenticationTokenExtracted = false;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public RealmsAuthenticator(AtomicLong atomicLong, Cache<String, Realm> cache) {
        this.numInvalidation = atomicLong;
        this.lastSuccessfulAuthCache = cache;
    }

    @Override // org.elasticsearch.xpack.security.authc.Authenticator
    public String name() {
        return "realms";
    }

    @Override // org.elasticsearch.xpack.security.authc.Authenticator
    public AuthenticationToken extractCredentials(Authenticator.Context context) {
        AuthenticationToken extractToken = extractToken(context);
        if (extractToken != null) {
            this.authenticationTokenExtracted = true;
        }
        return extractToken;
    }

    @Override // org.elasticsearch.xpack.security.authc.Authenticator
    public boolean canBeFollowedByNullTokenHandler() {
        return false == this.authenticationTokenExtracted;
    }

    @Override // org.elasticsearch.xpack.security.authc.Authenticator
    public void authenticate(Authenticator.Context context, ActionListener<AuthenticationResult<Authentication>> actionListener) {
        if (context.getMostRecentAuthenticationToken() == null) {
            actionListener.onFailure(new ElasticsearchSecurityException("authentication token must present for realms authentication", RestStatus.UNAUTHORIZED, new Object[0]));
        } else {
            if (!$assertionsDisabled && context.getMostRecentAuthenticationToken() == null) {
                throw new AssertionError("null token should be handled by fallback authenticator");
            }
            consumeToken(context, actionListener);
        }
    }

    static AuthenticationToken extractToken(Authenticator.Context context) {
        try {
            Iterator<Realm> it = context.getDefaultOrderedRealmList().iterator();
            while (it.hasNext()) {
                AuthenticationToken authenticationToken = it.next().token(context.getThreadContext());
                if (authenticationToken != null) {
                    logger.trace("Found authentication credentials [{}] for principal [{}] in request [{}]", authenticationToken.getClass().getName(), authenticationToken.principal(), context.getRequest());
                    return authenticationToken;
                }
            }
            if (context.getUnlicensedRealms().isEmpty()) {
                return null;
            }
            logger.warn("No authentication credential could be extracted using realms [{}]. Realms [{}] were skipped because they are not permitted on the current license", Strings.collectionToCommaDelimitedString(context.getDefaultOrderedRealmList()), Strings.collectionToCommaDelimitedString(context.getUnlicensedRealms()));
            return null;
        } catch (Exception e) {
            logger.warn("An exception occurred while attempting to find authentication credentials", e);
            throw context.getRequest().exceptionProcessingRequest(e, null);
        }
    }

    private void consumeToken(Authenticator.Context context, ActionListener<AuthenticationResult<Authentication>> actionListener) {
        AuthenticationToken mostRecentAuthenticationToken = context.getMostRecentAuthenticationToken();
        List<Realm> realmList = getRealmList(context, mostRecentAuthenticationToken.principal());
        logger.trace("Checking token of type [{}] against [{}] realm(s)", mostRecentAuthenticationToken.getClass().getName(), Integer.valueOf(realmList.size()));
        long j = this.numInvalidation.get();
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        AtomicReference atomicReference = new AtomicReference();
        AtomicReference atomicReference2 = new AtomicReference();
        try {
            new IteratingActionListener(ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(user -> {
                if (user == null) {
                    consumeNullUser(context, linkedHashMap, actionListener);
                    return;
                }
                AuthenticationResult authenticationResult = (AuthenticationResult) atomicReference2.get();
                if (!$assertionsDisabled && authenticationResult == null) {
                    throw new AssertionError("authentication result must not be null when user is not null");
                }
                context.getThreadContext().putTransient(AuthenticationResult.THREAD_CONTEXT_KEY, authenticationResult);
                actionListener.onResponse(AuthenticationResult.success(Authentication.newRealmAuthentication(user, ((Realm) atomicReference.get()).realmRef())));
            }, exc -> {
                if (exc != null) {
                    actionListener.onFailure(context.getRequest().exceptionProcessingRequest(exc, mostRecentAuthenticationToken));
                } else {
                    actionListener.onFailure(context.getRequest().authenticationFailed(mostRecentAuthenticationToken));
                }
            }), context.getThreadContext()), (realm, actionListener2) -> {
                if (!realm.supports(mostRecentAuthenticationToken)) {
                    actionListener2.onResponse((Object) null);
                } else {
                    logger.trace("Trying to authenticate [{}] using realm [{}] with token [{}] ", mostRecentAuthenticationToken.principal(), realm, mostRecentAuthenticationToken.getClass().getName());
                    realm.authenticate(mostRecentAuthenticationToken, ActionListener.wrap(authenticationResult -> {
                        if (!$assertionsDisabled && authenticationResult == null) {
                            throw new AssertionError("Realm " + realm + " produced a null authentication result");
                        }
                        logger.debug("Authentication of [{}] using realm [{}] with token [{}] was [{}]", mostRecentAuthenticationToken.principal(), realm, mostRecentAuthenticationToken.getClass().getSimpleName(), authenticationResult);
                        if (authenticationResult.getStatus() == AuthenticationResult.Status.SUCCESS) {
                            atomicReference.set(realm);
                            atomicReference2.set(authenticationResult);
                            if (this.lastSuccessfulAuthCache != null && j == this.numInvalidation.get()) {
                                this.lastSuccessfulAuthCache.put(mostRecentAuthenticationToken.principal(), realm);
                            }
                            actionListener2.onResponse((User) authenticationResult.getValue());
                            return;
                        }
                        context.getRequest().realmAuthenticationFailed(mostRecentAuthenticationToken, realm.name());
                        if (authenticationResult.getStatus() != AuthenticationResult.Status.TERMINATE) {
                            if (authenticationResult.getMessage() != null) {
                                linkedHashMap.put(realm, new Tuple(authenticationResult.getMessage(), authenticationResult.getException()));
                            }
                            actionListener2.onResponse((Object) null);
                        } else {
                            if (authenticationResult.getException() != null) {
                                logger.info(new ParameterizedMessage("Authentication of [{}] was terminated by realm [{}] - {}", new Object[]{mostRecentAuthenticationToken.principal(), realm.name(), authenticationResult.getMessage()}), authenticationResult.getException());
                            } else {
                                logger.info("Authentication of [{}] was terminated by realm [{}] - {}", mostRecentAuthenticationToken.principal(), realm.name(), authenticationResult.getMessage());
                            }
                            actionListener2.onFailure(authenticationResult.getException());
                        }
                    }, exc2 -> {
                        logger.warn(new ParameterizedMessage("An error occurred while attempting to authenticate [{}] against realm [{}]", mostRecentAuthenticationToken.principal(), realm.name()), exc2);
                        actionListener2.onFailure(exc2);
                    }));
                }
            }, realmList, context.getThreadContext()).run();
        } catch (Exception e) {
            logger.debug(new ParameterizedMessage("Authentication of [{}] with token [{}] failed", mostRecentAuthenticationToken.principal(), mostRecentAuthenticationToken.getClass().getName()), e);
            actionListener.onFailure(context.getRequest().exceptionProcessingRequest(e, mostRecentAuthenticationToken));
        }
    }

    private static void consumeNullUser(Authenticator.Context context, Map<Realm, Tuple<String, Exception>> map, ActionListener<AuthenticationResult<Authentication>> actionListener) {
        map.forEach((realm, tuple) -> {
            logger.warn("Authentication to realm {} failed - {}{}", realm.name(), (String) tuple.v1(), tuple.v2() == null ? "" : " (Caused by " + tuple.v2() + ")");
        });
        if (!context.getUnlicensedRealms().isEmpty()) {
            logger.warn("Authentication failed using realms [{}]. Realms [{}] were skipped because they are not permitted on the current license", Strings.collectionToCommaDelimitedString(context.getDefaultOrderedRealmList()), Strings.collectionToCommaDelimitedString(context.getUnlicensedRealms()));
        }
        logger.trace("Failed to authenticate request [{}]", context.getRequest());
        actionListener.onFailure(context.getRequest().authenticationFailed(context.getMostRecentAuthenticationToken()));
    }

    public void lookupRunAsUser(Authenticator.Context context, Authentication authentication, ActionListener<Tuple<User, Realm>> actionListener) {
        if (!$assertionsDisabled && authentication.getLookedUpBy() != null) {
            throw new AssertionError("authentication already has a lookup realm");
        }
        String header = context.getThreadContext().getHeader("es-security-runas-user");
        if (header != null && !header.isEmpty()) {
            logger.trace("Looking up run-as user [{}] for authenticated user [{}]", header, authentication.getUser().principal());
            RealmUserLookup realmUserLookup = new RealmUserLookup(getRealmList(context, header), context.getThreadContext());
            long j = this.numInvalidation.get();
            realmUserLookup.lookup(header, ActionListener.wrap(tuple -> {
                if (tuple == null) {
                    logger.debug("Cannot find run-as user [{}] for authenticated user [{}]", header, authentication.getUser().principal());
                    actionListener.onResponse((Object) null);
                    return;
                }
                User user = (User) Objects.requireNonNull((User) tuple.v1());
                Realm realm = (Realm) Objects.requireNonNull((Realm) tuple.v2());
                if (this.lastSuccessfulAuthCache != null && j == this.numInvalidation.get()) {
                    this.lastSuccessfulAuthCache.computeIfAbsent(header, str -> {
                        return realm;
                    });
                }
                logger.trace("Using run-as user [{}] with authenticated user [{}]", user, authentication.getUser().principal());
                actionListener.onResponse(tuple);
            }, exc -> {
                actionListener.onFailure(context.getRequest().exceptionProcessingRequest(exc, context.getMostRecentAuthenticationToken()));
            }));
            return;
        }
        if (header == null) {
            actionListener.onResponse((Object) null);
        } else {
            logger.debug("user [{}] attempted to runAs with an empty username", authentication.getUser().principal());
            actionListener.onFailure(context.getRequest().runAsDenied(authentication.runAs(new User(header, new String[0]), (Authentication.RealmRef) null), context.getMostRecentAuthenticationToken()));
        }
    }

    private List<Realm> getRealmList(Authenticator.Context context, String str) {
        Realm realm;
        int indexOf;
        List<Realm> defaultOrderedRealmList = context.getDefaultOrderedRealmList();
        if (this.lastSuccessfulAuthCache == null || (realm = (Realm) this.lastSuccessfulAuthCache.get(str)) == null || (indexOf = defaultOrderedRealmList.indexOf(realm)) <= 0) {
            return defaultOrderedRealmList;
        }
        ArrayList arrayList = new ArrayList(defaultOrderedRealmList.size());
        arrayList.add(realm);
        for (int i = 0; i < defaultOrderedRealmList.size(); i++) {
            if (i != indexOf) {
                arrayList.add(defaultOrderedRealmList.get(i));
            }
        }
        if ($assertionsDisabled || (arrayList.size() == defaultOrderedRealmList.size() && arrayList.containsAll(defaultOrderedRealmList))) {
            return Collections.unmodifiableList(arrayList);
        }
        throw new AssertionError("Element mismatch between SmartOrder=" + arrayList + " and DefaultOrder=" + defaultOrderedRealmList);
    }

    static {
        $assertionsDisabled = !RealmsAuthenticator.class.desiredAssertionStatus();
        logger = LogManager.getLogger(RealmsAuthenticator.class);
    }
}
