package org.elasticsearch.xpack.security.authc.kerberos;

import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.login.LoginException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.kerberos.KerberosRealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.CachingRealm;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.authc.support.DelegatedAuthorizationSupport;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/kerberos/KerberosRealm.class */
public final class KerberosRealm extends Realm implements CachingRealm {
    public static final String KRB_METADATA_REALM_NAME_KEY = "kerberos_realm";
    public static final String KRB_METADATA_UPN_KEY = "kerberos_user_principal_name";
    private final Cache<String, User> userPrincipalNameToUserCache;
    private final NativeRoleMappingStore userRoleMapper;
    private final KerberosTicketValidator kerberosTicketValidator;
    private final ThreadPool threadPool;
    private final Path keytabPath;
    private final boolean enableKerberosDebug;
    private final boolean removeRealmName;
    private DelegatedAuthorizationSupport delegatedRealms;
    static final /* synthetic */ boolean $assertionsDisabled;

    public KerberosRealm(RealmConfig realmConfig, NativeRoleMappingStore nativeRoleMappingStore, ThreadPool threadPool) {
        this(realmConfig, nativeRoleMappingStore, new KerberosTicketValidator(), threadPool, null);
    }

    KerberosRealm(RealmConfig realmConfig, NativeRoleMappingStore nativeRoleMappingStore, KerberosTicketValidator kerberosTicketValidator, ThreadPool threadPool, Cache<String, User> cache) {
        super("kerberos", realmConfig);
        this.userRoleMapper = nativeRoleMappingStore;
        this.userRoleMapper.refreshRealmOnChange(this);
        if (((TimeValue) KerberosRealmSettings.CACHE_TTL_SETTING.get(realmConfig.settings())).getNanos() > 0) {
            this.userPrincipalNameToUserCache = cache == null ? CacheBuilder.builder().setExpireAfterWrite((TimeValue) KerberosRealmSettings.CACHE_TTL_SETTING.get(realmConfig.settings())).setMaximumWeight(((Integer) KerberosRealmSettings.CACHE_MAX_USERS_SETTING.get(realmConfig.settings())).intValue()).build() : cache;
        } else {
            this.userPrincipalNameToUserCache = null;
        }
        this.kerberosTicketValidator = kerberosTicketValidator;
        this.threadPool = threadPool;
        this.keytabPath = realmConfig.env().configFile().resolve((String) KerberosRealmSettings.HTTP_SERVICE_KEYTAB_PATH.get(realmConfig.settings()));
        if (!Files.exists(this.keytabPath, new LinkOption[0])) {
            throw new IllegalArgumentException("configured service key tab file [" + this.keytabPath + "] does not exist");
        }
        if (Files.isDirectory(this.keytabPath, new LinkOption[0])) {
            throw new IllegalArgumentException("configured service key tab file [" + this.keytabPath + "] is a directory");
        }
        if (!Files.isReadable(this.keytabPath)) {
            throw new IllegalArgumentException("configured service key tab file [" + this.keytabPath + "] must have read permission");
        }
        this.enableKerberosDebug = ((Boolean) KerberosRealmSettings.SETTING_KRB_DEBUG_ENABLE.get(realmConfig.settings())).booleanValue();
        this.removeRealmName = ((Boolean) KerberosRealmSettings.SETTING_REMOVE_REALM_NAME.get(realmConfig.settings())).booleanValue();
        this.delegatedRealms = null;
    }

    public void initialize(Iterable<Realm> iterable, XPackLicenseState xPackLicenseState) {
        if (this.delegatedRealms != null) {
            throw new IllegalStateException("Realm has already been initialized");
        }
        this.delegatedRealms = new DelegatedAuthorizationSupport(iterable, this.config, xPackLicenseState);
    }

    public Map<String, List<String>> getAuthenticationFailureHeaders() {
        return Collections.singletonMap(KerberosAuthenticationToken.WWW_AUTHENTICATE, Collections.singletonList(KerberosAuthenticationToken.NEGOTIATE_SCHEME_NAME));
    }

    public void expire(String str) {
        if (this.userPrincipalNameToUserCache != null) {
            this.userPrincipalNameToUserCache.invalidate(str);
        }
    }

    public void expireAll() {
        if (this.userPrincipalNameToUserCache != null) {
            this.userPrincipalNameToUserCache.invalidateAll();
        }
    }

    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof KerberosAuthenticationToken;
    }

    public AuthenticationToken token(ThreadContext threadContext) {
        return KerberosAuthenticationToken.extractToken(threadContext.getHeader(KerberosAuthenticationToken.AUTH_HEADER));
    }

    public void authenticate(AuthenticationToken authenticationToken, ActionListener<AuthenticationResult> actionListener) {
        if (!$assertionsDisabled && this.delegatedRealms == null) {
            throw new AssertionError("Realm has not been initialized correctly");
        }
        if (!$assertionsDisabled && !(authenticationToken instanceof KerberosAuthenticationToken)) {
            throw new AssertionError();
        }
        this.kerberosTicketValidator.validateTicket((byte[]) ((KerberosAuthenticationToken) authenticationToken).credentials(), this.keytabPath, this.enableKerberosDebug, ActionListener.wrap(tuple -> {
            if (tuple.v1() != null) {
                resolveUser((String) tuple.v1(), (String) tuple.v2(), actionListener);
            } else {
                actionListener.onResponse(AuthenticationResult.terminate("failed to authenticate user, gss context negotiation not complete", KerberosAuthenticationToken.unauthorizedWithOutputToken(KerberosAuthenticationToken.unauthorized("failed to authenticate user, gss context negotiation not complete", null, new Object[0]), (String) tuple.v2())));
            }
        }, exc -> {
            handleException(exc, actionListener);
        }));
    }

    private String[] splitUserPrincipalName(String str) {
        return str.split("@");
    }

    private void handleException(Exception exc, ActionListener<AuthenticationResult> actionListener) {
        if (exc instanceof LoginException) {
            this.logger.debug("failed to authenticate user, service login failure", exc);
            actionListener.onResponse(AuthenticationResult.terminate("failed to authenticate user, service login failure", KerberosAuthenticationToken.unauthorized(exc.getLocalizedMessage(), exc, new Object[0])));
        } else if (exc instanceof GSSException) {
            this.logger.debug("failed to authenticate user, gss context negotiation failure", exc);
            actionListener.onResponse(AuthenticationResult.terminate("failed to authenticate user, gss context negotiation failure", KerberosAuthenticationToken.unauthorized(exc.getLocalizedMessage(), exc, new Object[0])));
        } else {
            this.logger.debug("failed to authenticate user", exc);
            actionListener.onFailure(exc);
        }
    }

    private void resolveUser(String str, String str2, ActionListener<AuthenticationResult> actionListener) {
        if (Strings.hasText(str2)) {
            this.threadPool.getThreadContext().addResponseHeader(KerberosAuthenticationToken.WWW_AUTHENTICATE, KerberosAuthenticationToken.NEGOTIATE_AUTH_HEADER_PREFIX + str2);
        }
        String[] splitUserPrincipalName = splitUserPrincipalName(str);
        String str3 = this.removeRealmName ? splitUserPrincipalName[0] : str;
        if (this.delegatedRealms.hasDelegation()) {
            this.delegatedRealms.resolve(str3, actionListener);
            return;
        }
        User user = this.userPrincipalNameToUserCache != null ? (User) this.userPrincipalNameToUserCache.get(str3) : null;
        if (user != null) {
            actionListener.onResponse(AuthenticationResult.success(user));
            return;
        }
        String str4 = splitUserPrincipalName.length > 1 ? splitUserPrincipalName[1] : null;
        HashMap hashMap = new HashMap();
        hashMap.put(KRB_METADATA_REALM_NAME_KEY, str4);
        hashMap.put(KRB_METADATA_UPN_KEY, str);
        buildUser(str3, hashMap, actionListener);
    }

    private void buildUser(String str, Map<String, Object> map, ActionListener<AuthenticationResult> actionListener) {
        UserRoleMapper.UserData userData = new UserRoleMapper.UserData(str, null, Collections.emptySet(), map, this.config);
        NativeRoleMappingStore nativeRoleMappingStore = this.userRoleMapper;
        CheckedConsumer checkedConsumer = set -> {
            User user = new User(str, (String[]) set.toArray(new String[set.size()]), (String) null, (String) null, userData.getMetadata(), true);
            if (this.userPrincipalNameToUserCache != null) {
                this.userPrincipalNameToUserCache.put(str, user);
            }
            actionListener.onResponse(AuthenticationResult.success(user));
        };
        Objects.requireNonNull(actionListener);
        nativeRoleMappingStore.resolveRoles(userData, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    public void lookupUser(String str, ActionListener<User> actionListener) {
        actionListener.onResponse((Object) null);
    }

    static {
        $assertionsDisabled = !KerberosRealm.class.desiredAssertionStatus();
    }
}
