package org.elasticsearch.xpack.security.rest;

import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.internal.node.NodeClient;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Strings;
import org.elasticsearch.http.HttpPreRequest;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestRequestFilter;
import org.elasticsearch.rest.RestResponse;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;

/* loaded from: input_file:org/elasticsearch/xpack/security/rest/SecurityRestFilter.class */
public class SecurityRestFilter implements RestHandler {
    private static final Logger logger = LogManager.getLogger(SecurityRestFilter.class);
    private final RestHandler restHandler;
    private final AuthenticationService authenticationService;
    private final SecondaryAuthenticator secondaryAuthenticator;
    private final AuditTrailService auditTrailService;
    private final boolean enabled;
    private final ThreadContext threadContext;

    public SecurityRestFilter(boolean z, ThreadContext threadContext, AuthenticationService authenticationService, SecondaryAuthenticator secondaryAuthenticator, AuditTrailService auditTrailService, RestHandler restHandler) {
        this.enabled = z;
        this.threadContext = threadContext;
        this.authenticationService = authenticationService;
        this.secondaryAuthenticator = secondaryAuthenticator;
        this.auditTrailService = auditTrailService;
        this.restHandler = restHandler;
    }

    public boolean allowSystemIndexAccessByDefault() {
        return this.restHandler.allowSystemIndexAccessByDefault();
    }

    public RestHandler getConcreteRestHandler() {
        return this.restHandler.getConcreteRestHandler();
    }

    public void handleRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
        if (restRequest.method() == RestRequest.Method.OPTIONS) {
            this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
        } else if (!this.enabled) {
            doHandleRequest(restRequest, restChannel, nodeClient);
        } else {
            RestRequest maybeWrapRestRequest = maybeWrapRestRequest(restRequest);
            this.authenticationService.authenticate((HttpPreRequest) maybeWrapRestRequest.getHttpRequest(), ActionListener.wrap(authentication -> {
                if (authentication == null) {
                    logger.trace("No authentication available for REST request [{}]", restRequest.uri());
                } else {
                    logger.trace("Authenticated REST request [{}] as {}", restRequest.uri(), authentication);
                }
                this.auditTrailService.get().authenticationSuccess(maybeWrapRestRequest);
                this.secondaryAuthenticator.authenticateAndAttachToContext(maybeWrapRestRequest, ActionListener.wrap(secondaryAuthentication -> {
                    if (secondaryAuthentication != null) {
                        logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, restRequest.uri());
                    }
                    doHandleRequest(restRequest, restChannel, nodeClient);
                }, exc -> {
                    handleException(restRequest, restChannel, exc);
                }));
            }, exc -> {
                handleException(restRequest, restChannel, exc);
            }));
        }
    }

    private void doHandleRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
        this.threadContext.sanitizeHeaders();
        try {
            this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
        } catch (Exception e) {
            logger.debug(() -> {
                return Strings.format("Request handling failed for REST request [%s]", new Object[]{restRequest.uri()});
            }, e);
            throw e;
        }
    }

    protected void handleException(RestRequest restRequest, RestChannel restChannel, Exception exc) {
        logger.debug(() -> {
            return Strings.format("failed for REST request [%s]", new Object[]{restRequest.uri()});
        }, exc);
        this.threadContext.sanitizeHeaders();
        try {
            restChannel.sendResponse(new RestResponse(restChannel, exc));
        } catch (Exception e) {
            e.addSuppressed(exc);
            logger.error(() -> {
                return "failed to send failure response for uri [" + restRequest.uri() + "]";
            }, e);
        }
    }

    public boolean canTripCircuitBreaker() {
        return this.restHandler.canTripCircuitBreaker();
    }

    public boolean supportsContentStream() {
        return this.restHandler.supportsContentStream();
    }

    public boolean allowsUnsafeBuffers() {
        return this.restHandler.allowsUnsafeBuffers();
    }

    public List<RestHandler.Route> routes() {
        return this.restHandler.routes();
    }

    private RestRequest maybeWrapRestRequest(RestRequest restRequest) {
        return this.restHandler instanceof RestRequestFilter ? this.restHandler.getFilteredRequest(restRequest) : restRequest;
    }

    public boolean mediaTypesValid(RestRequest restRequest) {
        return this.restHandler.mediaTypesValid(restRequest);
    }
}
