package org.elasticsearch.xpack.security.rest;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.core.Strings;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestInterceptor;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestRequestFilter;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
import org.elasticsearch.xpack.security.authz.restriction.WorkflowService;
import org.elasticsearch.xpack.security.operator.OperatorPrivileges;

/* loaded from: input_file:org/elasticsearch/xpack/security/rest/SecurityRestFilter.class */
/**
 * REST interceptor that sits in front of a {@link RestHandler} and decides whether a request
 * may be dispatched to it.
 *
 * <p>For each request it refuses {@code OPTIONS}, records an authentication-success audit event,
 * runs secondary authentication, resolves the workflow for the target handler, sanitizes the
 * thread-context headers, and finally consults the operator-privileges service.
 *
 * <p>NOTE(review): primary authentication is not performed in this class. The audit call in
 * {@link #intercept} presumably relies on it having succeeded upstream; confirm against the caller.
 */
public class SecurityRestFilter implements RestInterceptor {
    private static final Logger logger = LogManager.getLogger(SecurityRestFilter.class);

    private final boolean enabled;
    private final ThreadContext threadContext;
    private final SecondaryAuthenticator secondaryAuthenticator;
    private final AuditTrailService auditTrailService;
    private final OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService;

    /**
     * Creates the filter.
     *
     * @param z whether the security checks in {@link #intercept} are enabled; when {@code false}
     *     every non-OPTIONS request is passed through without auditing, secondary authentication
     *     or operator-privilege checks
     * @param threadContext thread context whose headers are sanitized before dispatch and on failure
     * @param secondaryAuthenticator performs secondary authentication and attaches it to the context
     * @param auditTrailService source of the audit trail that receives the authentication-success event
     * @param operatorPrivilegesService operator-privilege check for REST requests; {@code null} is
     *     replaced by {@code OperatorPrivileges.NOOP_OPERATOR_PRIVILEGES_SERVICE}
     */
    public SecurityRestFilter(boolean z, ThreadContext threadContext, SecondaryAuthenticator secondaryAuthenticator, AuditTrailService auditTrailService, OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService) {
        this.enabled = z;
        this.threadContext = threadContext;
        this.secondaryAuthenticator = secondaryAuthenticator;
        this.auditTrailService = auditTrailService;
        // NOTE(review): a null service falls back to the NOOP implementation instead of failing;
        // presumably that means no operator-privilege enforcement at this layer. Confirm callers
        // only pass null when that is intended.
        if (operatorPrivilegesService == null) {
            this.operatorPrivilegesService = OperatorPrivileges.NOOP_OPERATOR_PRIVILEGES_SERVICE;
        } else {
            this.operatorPrivilegesService = operatorPrivilegesService;
        }
    }

    /**
     * Decides whether {@code restRequest} may be dispatched to {@code restHandler}.
     *
     * <p>The outcome is reported through {@code actionListener}: {@code TRUE} or {@code FALSE}
     * from the operator-privilege check, or a failure when the request is rejected or secondary
     * authentication fails.
     *
     * @param restRequest the incoming request
     * @param restChannel channel handed to the operator-privilege check
     * @param restHandler handler the request would be dispatched to
     * @param actionListener receives the decision or the failure
     */
    @Override
    public void intercept(RestRequest restRequest, RestChannel restChannel, RestHandler restHandler, ActionListener<Boolean> actionListener) throws Exception {
        // OPTIONS requests are not authenticated (see the message below), so they must never
        // reach a handler through this path. This check runs even when the filter is disabled.
        if (restRequest.method() == RestRequest.Method.OPTIONS) {
            handleException(restRequest, new ElasticsearchSecurityException("Cannot dispatch OPTIONS request, as they are not authenticated"), actionListener);
            return;
        }

        // Disabled filter: pass through with no audit event and no further checks.
        if (!enabled) {
            actionListener.onResponse(Boolean.TRUE);
            return;
        }

        // The audit trail and the secondary authenticator see the handler-filtered request;
        // the handler itself is later given the original one.
        final RestRequest wrappedRequest = maybeWrapRestRequest(restRequest, restHandler);
        auditTrailService.get().authenticationSuccess(wrappedRequest);
        secondaryAuthenticator.authenticateAndAttachToContext(wrappedRequest, ActionListener.wrap(secondary -> {
            if (secondary != null) {
                // NOTE(review): trace output includes the secondary authentication object and the
                // unfiltered URI; keep trace logging off where URIs may carry sensitive values.
                logger.trace("Found secondary authentication {} in REST request [{}]", secondary, restRequest.uri());
            }
            WorkflowService.resolveWorkflowAndStoreInThreadContext(restHandler, threadContext);
            doHandleRequest(restRequest, restChannel, restHandler, actionListener);
        }, failure -> handleException(restRequest, failure, actionListener)));
    }

    /**
     * Sanitizes the thread-context headers and then reports the result of the operator-privilege
     * check to {@code actionListener}.
     */
    private void doHandleRequest(RestRequest restRequest, RestChannel restChannel, RestHandler restHandler, ActionListener<Boolean> actionListener) {
        // Order matters: headers are sanitized before the privilege check runs.
        // NOTE(review): presumably this strips headers that must not propagate past the REST
        // layer; confirm in ThreadContext#sanitizeHeaders.
        threadContext.sanitizeHeaders();
        final boolean permitted = operatorPrivilegesService.checkRest(restHandler, restRequest, restChannel, threadContext);
        // NOTE(review): FALSE presumably tells the caller not to dispatch the request; whether
        // checkRest has already answered on the channel in that case is not visible here.
        actionListener.onResponse(Boolean.valueOf(permitted));
    }

    /**
     * Logs the failure at debug level, sanitizes the thread-context headers and forwards the
     * exception to {@code actionListener}.
     *
     * @param restRequest request that failed; its URI is included in the debug log line
     * @param exc the failure to report
     * @param actionListener listener notified through {@code onFailure}
     */
    protected void handleException(RestRequest restRequest, Exception exc, ActionListener<?> actionListener) {
        logger.debug(() -> Strings.format("failed for REST request [%s]", restRequest.uri()), exc);
        // Headers are sanitized on the failure path too, before the listener is notified.
        threadContext.sanitizeHeaders();
        actionListener.onFailure(exc);
    }

    /** Returns the operator-privileges service in use (never {@code null}; see the constructor). */
    OperatorPrivileges.OperatorPrivilegesService getOperatorPrivilegesService() {
        return operatorPrivilegesService;
    }

    /**
     * Returns the handler's filtered view of the request when the handler implements
     * {@link RestRequestFilter}, otherwise the request unchanged.
     *
     * <p>NOTE(review): presumably the filtered view hides sensitive fields from the audit trail;
     * confirm against {@code RestRequestFilter#getFilteredRequest}.
     */
    private RestRequest maybeWrapRestRequest(RestRequest restRequest, RestHandler restHandler) {
        if (restHandler instanceof RestRequestFilter) {
            final RestRequestFilter requestFilter = (RestRequestFilter) restHandler;
            return requestFilter.getFilteredRequest(restRequest);
        }
        return restRequest;
    }
}
