package org.elasticsearch.xpack.security.authc;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.support.ContextPreservingActionListener;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cache.Cache;
import org.elasticsearch.common.cache.CacheBuilder;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.node.Node;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.xpack.core.common.IteratingActionListener;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationFailureHandler;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.security.audit.AuditTrailService;
import org.elasticsearch.xpack.security.audit.AuditUtil;
import org.elasticsearch.xpack.security.authc.kerberos.KerberosAuthenticationToken;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountService;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken;
import org.elasticsearch.xpack.security.authc.support.RealmUserLookup;
import org.elasticsearch.xpack.security.operator.OperatorPrivileges;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticationService.class */
public class AuthenticationService {
    static final Setting<Boolean> SUCCESS_AUTH_CACHE_ENABLED = Setting.boolSetting("xpack.security.authc.success_cache.enabled", true, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<Integer> SUCCESS_AUTH_CACHE_MAX_SIZE = Setting.intSetting("xpack.security.authc.success_cache.size", 10000, new Setting.Property[]{Setting.Property.NodeScope});
    private static final Setting<TimeValue> SUCCESS_AUTH_CACHE_EXPIRE_AFTER_ACCESS = Setting.timeSetting("xpack.security.authc.success_cache.expire_after_access", TimeValue.timeValueHours(1), new Setting.Property[]{Setting.Property.NodeScope});
    private static final Logger logger = LogManager.getLogger(AuthenticationService.class);
    private final Realms realms;
    private final AuditTrailService auditTrailService;
    private final AuthenticationFailureHandler failureHandler;
    private final ThreadContext threadContext;
    private final String nodeName;
    private final AnonymousUser anonymousUser;
    private final TokenService tokenService;
    private final Cache<String, Realm> lastSuccessfulAuthCache;
    private final AtomicLong numInvalidation = new AtomicLong();
    private final ApiKeyService apiKeyService;
    private final ServiceAccountService serviceAccountService;
    private final OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService;
    private final boolean runAsEnabled;
    private final boolean isAnonymousUserEnabled;
    private final AuthenticationContextSerializer authenticationSerializer;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticationService$AuditableRequest.class */
    public static abstract class AuditableRequest {
        final AuditTrail auditTrail;
        final AuthenticationFailureHandler failureHandler;
        final ThreadContext threadContext;

        AuditableRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext) {
            this.auditTrail = auditTrail;
            this.failureHandler = authenticationFailureHandler;
            this.threadContext = threadContext;
        }

        abstract void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str);

        abstract ElasticsearchSecurityException tamperedRequest();

        abstract ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken);

        abstract ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken);

        abstract ElasticsearchSecurityException anonymousAccessDenied();

        abstract ElasticsearchSecurityException runAsDenied(Authentication authentication, AuthenticationToken authenticationToken);

        abstract void authenticationSuccess(Authentication authentication);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticationService$AuditableRestRequest.class */
    public static class AuditableRestRequest extends AuditableRequest {
        private final RestRequest request;
        private final String requestId;

        AuditableRestRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext, RestRequest restRequest) {
            super(auditTrail, authenticationFailureHandler, threadContext);
            this.request = restRequest;
            this.requestId = AuditUtil.generateRequestId(threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void authenticationSuccess(Authentication authentication) {
            this.auditTrail.authenticationSuccess(this.requestId, authentication, this.request);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str) {
            this.auditTrail.authenticationFailed(this.requestId, str, authenticationToken, this.request);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException tamperedRequest() {
            this.auditTrail.tamperedRequest(this.requestId, this.request);
            return new ElasticsearchSecurityException("rest request attempted to inject a user", new Object[0]);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken) {
            if (authenticationToken != null) {
                this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.request);
            } else {
                this.auditTrail.authenticationFailed(this.requestId, this.request);
            }
            return this.failureHandler.exceptionProcessingRequest(this.request, exc, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken) {
            this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.request);
            return this.failureHandler.failedAuthentication(this.request, authenticationToken, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException anonymousAccessDenied() {
            this.auditTrail.anonymousAccessDenied(this.requestId, this.request);
            return this.failureHandler.missingToken(this.request, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException runAsDenied(Authentication authentication, AuthenticationToken authenticationToken) {
            this.auditTrail.runAsDenied(this.requestId, authentication, this.request, AuthorizationEngine.EmptyAuthorizationInfo.INSTANCE);
            return this.failureHandler.failedAuthentication(this.request, authenticationToken, this.threadContext);
        }

        public String toString() {
            return "rest request uri [" + this.request.uri() + "]";
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticationService$AuditableTransportRequest.class */
    static class AuditableTransportRequest extends AuditableRequest {
        private final String action;
        private final TransportRequest transportRequest;
        private final String requestId;

        AuditableTransportRequest(AuditTrail auditTrail, AuthenticationFailureHandler authenticationFailureHandler, ThreadContext threadContext, String str, TransportRequest transportRequest) {
            super(auditTrail, authenticationFailureHandler, threadContext);
            this.action = str;
            this.transportRequest = transportRequest;
            this.requestId = AuditUtil.getOrGenerateRequestId(threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void authenticationSuccess(Authentication authentication) {
            this.auditTrail.authenticationSuccess(this.requestId, authentication, this.action, this.transportRequest);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        void realmAuthenticationFailed(AuthenticationToken authenticationToken, String str) {
            this.auditTrail.authenticationFailed(this.requestId, str, authenticationToken, this.action, this.transportRequest);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException tamperedRequest() {
            this.auditTrail.tamperedRequest(this.requestId, this.action, this.transportRequest);
            return new ElasticsearchSecurityException("failed to verify signed authentication information", new Object[0]);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException exceptionProcessingRequest(Exception exc, @Nullable AuthenticationToken authenticationToken) {
            if (authenticationToken != null) {
                this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.action, this.transportRequest);
            } else {
                this.auditTrail.authenticationFailed(this.requestId, this.action, this.transportRequest);
            }
            return this.failureHandler.exceptionProcessingRequest(this.transportRequest, this.action, exc, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException authenticationFailed(AuthenticationToken authenticationToken) {
            this.auditTrail.authenticationFailed(this.requestId, authenticationToken, this.action, this.transportRequest);
            return this.failureHandler.failedAuthentication(this.transportRequest, authenticationToken, this.action, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException anonymousAccessDenied() {
            this.auditTrail.anonymousAccessDenied(this.requestId, this.action, this.transportRequest);
            return this.failureHandler.missingToken(this.transportRequest, this.action, this.threadContext);
        }

        @Override // org.elasticsearch.xpack.security.authc.AuthenticationService.AuditableRequest
        ElasticsearchSecurityException runAsDenied(Authentication authentication, AuthenticationToken authenticationToken) {
            this.auditTrail.runAsDenied(this.requestId, authentication, this.action, this.transportRequest, AuthorizationEngine.EmptyAuthorizationInfo.INSTANCE);
            return this.failureHandler.failedAuthentication(this.transportRequest, authenticationToken, this.action, this.threadContext);
        }

        public String toString() {
            return "transport request action [" + this.action + "]";
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticationService$Authenticator.class */
    public class Authenticator {
        private final AuditableRequest request;
        private final User fallbackUser;
        private final boolean fallbackToAnonymous;
        private final List<Realm> defaultOrderedRealmList;
        private final ActionListener<Authentication> listener;
        private Authentication.RealmRef authenticatedBy;
        private Authentication.RealmRef lookedupBy;
        private AuthenticationToken authenticationToken;
        private AuthenticationResult authenticationResult;
        static final /* synthetic */ boolean $assertionsDisabled;

        Authenticator(AuthenticationService authenticationService, RestRequest restRequest, boolean z, ActionListener<Authentication> actionListener) {
            this(new AuditableRestRequest(authenticationService.auditTrailService.get(), authenticationService.failureHandler, authenticationService.threadContext, restRequest), (User) null, z, actionListener);
        }

        Authenticator(AuthenticationService authenticationService, String str, TransportRequest transportRequest, boolean z, ActionListener<Authentication> actionListener) {
            this(new AuditableTransportRequest(authenticationService.auditTrailService.get(), authenticationService.failureHandler, authenticationService.threadContext, str, transportRequest), (User) null, z, actionListener);
        }

        Authenticator(AuthenticationService authenticationService, String str, TransportRequest transportRequest, User user, ActionListener<Authentication> actionListener) {
            this((AuditableRequest) new AuditableTransportRequest(authenticationService.auditTrailService.get(), authenticationService.failureHandler, authenticationService.threadContext, str, transportRequest), (User) Objects.requireNonNull(user, "Fallback user cannot be null"), false, actionListener);
        }

        private Authenticator(AuditableRequest auditableRequest, User user, boolean z, ActionListener<Authentication> actionListener) {
            this.authenticatedBy = null;
            this.lookedupBy = null;
            this.authenticationToken = null;
            this.authenticationResult = null;
            this.request = auditableRequest;
            this.fallbackUser = user;
            this.fallbackToAnonymous = z;
            this.defaultOrderedRealmList = AuthenticationService.this.realms.asList();
            this.listener = actionListener;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void authenticateAsync() {
            if (!this.defaultOrderedRealmList.isEmpty()) {
                lookForExistingAuthentication(authentication -> {
                    if (authentication == null) {
                        checkForBearerToken();
                    } else {
                        AuthenticationService.logger.trace("Found existing authentication [{}] in request [{}]", authentication, this.request);
                        this.listener.onResponse(authentication);
                    }
                });
            } else {
                AuthenticationService.logger.debug("No realms available, failing authentication");
                this.listener.onResponse((Object) null);
            }
        }

        private void checkForBearerToken() {
            SecureString extractBearerTokenFromHeader = AuthenticationService.this.tokenService.extractBearerTokenFromHeader(AuthenticationService.this.threadContext);
            ServiceAccountToken tryParseToken = ServiceAccountService.tryParseToken(extractBearerTokenFromHeader);
            if (tryParseToken != null) {
                AuthenticationService.this.serviceAccountService.authenticateToken(tryParseToken, AuthenticationService.this.nodeName, ActionListener.wrap(authentication -> {
                    if (!$assertionsDisabled && authentication == null) {
                        throw new AssertionError("service account authenticate should return either authentication or call onFailure");
                    }
                    this.authenticatedBy = authentication.getAuthenticatedBy();
                    writeAuthToContext(authentication);
                }, exc -> {
                    AuthenticationService.logger.debug(new ParameterizedMessage("Failed to validate service account token for request [{}]", this.request), exc);
                    this.listener.onFailure(this.request.exceptionProcessingRequest(exc, tryParseToken));
                }));
            } else {
                AuthenticationService.this.tokenService.tryAuthenticateToken(extractBearerTokenFromHeader, ActionListener.wrap(userToken -> {
                    if (userToken != null) {
                        writeAuthToContext(userToken.getAuthentication());
                    } else {
                        checkForApiKey();
                    }
                }, exc2 -> {
                    AuthenticationService.logger.debug(new ParameterizedMessage("Failed to validate token authentication for request [{}]", this.request), exc2);
                    if ((exc2 instanceof ElasticsearchSecurityException) && false == AuthenticationService.this.tokenService.isExpiredTokenException((ElasticsearchSecurityException) exc2)) {
                        this.request.tamperedRequest();
                    }
                    this.listener.onFailure(exc2);
                }));
            }
        }

        private void checkForApiKey() {
            AuthenticationService.this.apiKeyService.authenticateWithApiKeyIfPresent(AuthenticationService.this.threadContext, ActionListener.wrap(authenticationResult -> {
                if (authenticationResult.isAuthenticated()) {
                    Authentication createApiKeyAuthentication = AuthenticationService.this.apiKeyService.createApiKeyAuthentication(authenticationResult, AuthenticationService.this.nodeName);
                    this.authenticatedBy = createApiKeyAuthentication.getAuthenticatedBy();
                    writeAuthToContext(createApiKeyAuthentication);
                } else if (authenticationResult.getStatus() == AuthenticationResult.Status.TERMINATE) {
                    Exception exception = authenticationResult.getException() != null ? authenticationResult.getException() : Exceptions.authenticationError(authenticationResult.getMessage(), new Object[0]);
                    AuthenticationService.logger.debug(new ParameterizedMessage("API key service terminated authentication for request [{}]", this.request), exception);
                    this.listener.onFailure(exception);
                } else {
                    if (authenticationResult.getMessage() != null) {
                        if (authenticationResult.getException() != null) {
                            AuthenticationService.logger.warn(new ParameterizedMessage("Authentication using apikey failed - {}", authenticationResult.getMessage()), authenticationResult.getException());
                        } else {
                            AuthenticationService.logger.warn("Authentication using apikey failed - {}", authenticationResult.getMessage());
                        }
                    }
                    extractToken(this::consumeToken);
                }
            }, exc -> {
                this.listener.onFailure(this.request.exceptionProcessingRequest(exc, null));
            }));
        }

        private void lookForExistingAuthentication(Consumer<Authentication> consumer) {
            Runnable runnable;
            try {
                Authentication readFromContext = AuthenticationService.this.authenticationSerializer.readFromContext(AuthenticationService.this.threadContext);
                runnable = (readFromContext == null || !(this.request instanceof AuditableRestRequest)) ? () -> {
                    consumer.accept(readFromContext);
                } : () -> {
                    this.listener.onFailure(this.request.tamperedRequest());
                };
            } catch (Exception e) {
                AuthenticationService.logger.error(() -> {
                    return new ParameterizedMessage("caught exception while trying to read authentication from request [{}]", this.request);
                }, e);
                runnable = () -> {
                    this.listener.onFailure(this.request.tamperedRequest());
                };
            }
            runnable.run();
        }

        void extractToken(Consumer<AuthenticationToken> consumer) {
            Runnable runnable = () -> {
                consumer.accept(null);
            };
            try {
                if (this.authenticationToken != null) {
                    runnable = () -> {
                        consumer.accept(this.authenticationToken);
                    };
                } else {
                    Iterator<Realm> it = this.defaultOrderedRealmList.iterator();
                    while (true) {
                        if (!it.hasNext()) {
                            break;
                        }
                        AuthenticationToken authenticationToken = it.next().token(AuthenticationService.this.threadContext);
                        if (authenticationToken != null) {
                            AuthenticationService.logger.trace("Found authentication credentials [{}] for principal [{}] in request [{}]", authenticationToken.getClass().getName(), authenticationToken.principal(), this.request);
                            runnable = () -> {
                                consumer.accept(authenticationToken);
                            };
                            break;
                        }
                    }
                }
            } catch (Exception e) {
                AuthenticationService.logger.warn("An exception occurred while attempting to find authentication credentials", e);
                runnable = () -> {
                    this.listener.onFailure(this.request.exceptionProcessingRequest(e, null));
                };
            }
            runnable.run();
        }

        private void consumeToken(AuthenticationToken authenticationToken) {
            if (authenticationToken == null) {
                handleNullToken();
                return;
            }
            this.authenticationToken = authenticationToken;
            List<Realm> realmList = getRealmList(this.authenticationToken.principal());
            AuthenticationService.logger.trace("Checking token of type [{}] against [{}] realm(s)", authenticationToken.getClass().getName(), Integer.valueOf(realmList.size()));
            long j = AuthenticationService.this.numInvalidation.get();
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            try {
                new IteratingActionListener(ContextPreservingActionListener.wrapPreservingContext(ActionListener.wrap(user -> {
                    consumeUser(user, linkedHashMap);
                }, exc -> {
                    if (exc != null) {
                        this.listener.onFailure(this.request.exceptionProcessingRequest(exc, authenticationToken));
                    } else {
                        this.listener.onFailure(this.request.authenticationFailed(authenticationToken));
                    }
                }), AuthenticationService.this.threadContext), (realm, actionListener) -> {
                    if (!realm.supports(this.authenticationToken)) {
                        actionListener.onResponse((Object) null);
                    } else {
                        AuthenticationService.logger.trace("Trying to authenticate [{}] using realm [{}] with token [{}] ", authenticationToken.principal(), realm, authenticationToken.getClass().getName());
                        realm.authenticate(this.authenticationToken, ActionListener.wrap(authenticationResult -> {
                            if (!$assertionsDisabled && authenticationResult == null) {
                                throw new AssertionError("Realm " + realm + " produced a null authentication result");
                            }
                            AuthenticationService.logger.debug("Authentication of [{}] using realm [{}] with token [{}] was [{}]", authenticationToken.principal(), realm, authenticationToken.getClass().getSimpleName(), authenticationResult);
                            if (authenticationResult.getStatus() == AuthenticationResult.Status.SUCCESS) {
                                this.authenticatedBy = new Authentication.RealmRef(realm.name(), realm.type(), AuthenticationService.this.nodeName);
                                this.authenticationResult = authenticationResult;
                                if (AuthenticationService.this.lastSuccessfulAuthCache != null && j == AuthenticationService.this.numInvalidation.get()) {
                                    AuthenticationService.this.lastSuccessfulAuthCache.put(this.authenticationToken.principal(), realm);
                                }
                                actionListener.onResponse(authenticationResult.getUser());
                                return;
                            }
                            this.request.realmAuthenticationFailed(this.authenticationToken, realm.name());
                            if (authenticationResult.getStatus() != AuthenticationResult.Status.TERMINATE) {
                                if (authenticationResult.getMessage() != null) {
                                    linkedHashMap.put(realm, new Tuple(authenticationResult.getMessage(), authenticationResult.getException()));
                                }
                                actionListener.onResponse((Object) null);
                            } else {
                                if (authenticationResult.getException() != null) {
                                    AuthenticationService.logger.info(new ParameterizedMessage("Authentication of [{}] was terminated by realm [{}] - {}", new Object[]{this.authenticationToken.principal(), realm.name(), authenticationResult.getMessage()}), authenticationResult.getException());
                                } else {
                                    AuthenticationService.logger.info("Authentication of [{}] was terminated by realm [{}] - {}", this.authenticationToken.principal(), realm.name(), authenticationResult.getMessage());
                                }
                                actionListener.onFailure(authenticationResult.getException());
                            }
                        }, exc2 -> {
                            AuthenticationService.logger.warn(new ParameterizedMessage("An error occurred while attempting to authenticate [{}] against realm [{}]", this.authenticationToken.principal(), realm.name()), exc2);
                            actionListener.onFailure(exc2);
                        }));
                    }
                }, realmList, AuthenticationService.this.threadContext).run();
            } catch (Exception e) {
                AuthenticationService.logger.debug(new ParameterizedMessage("Authentication of [{}] with token [{}] failed", authenticationToken.principal(), authenticationToken.getClass().getName()), e);
                this.listener.onFailure(this.request.exceptionProcessingRequest(e, authenticationToken));
            }
        }

        private List<Realm> getRealmList(String str) {
            Realm realm;
            int indexOf;
            List<Realm> list = this.defaultOrderedRealmList;
            if (AuthenticationService.this.lastSuccessfulAuthCache == null || (realm = (Realm) AuthenticationService.this.lastSuccessfulAuthCache.get(str)) == null || (indexOf = list.indexOf(realm)) <= 0) {
                return list;
            }
            ArrayList arrayList = new ArrayList(list.size());
            arrayList.add(realm);
            for (int i = 0; i < list.size(); i++) {
                if (i != indexOf) {
                    arrayList.add(list.get(i));
                }
            }
            if ($assertionsDisabled || (arrayList.size() == list.size() && arrayList.containsAll(list))) {
                return Collections.unmodifiableList(arrayList);
            }
            throw new AssertionError("Element mismatch between SmartOrder=" + arrayList + " and DefaultOrder=" + list);
        }

        void handleNullToken() {
            Authentication authentication;
            Runnable runnable;
            List<Realm> unlicensedRealms = AuthenticationService.this.realms.getUnlicensedRealms();
            if (!unlicensedRealms.isEmpty()) {
                AuthenticationService.logger.warn("No authentication credential could be extracted using realms [{}]. Realms [{}] were skipped because they are not permitted on the current license", Strings.collectionToCommaDelimitedString(this.defaultOrderedRealmList), Strings.collectionToCommaDelimitedString(unlicensedRealms));
            }
            if (this.fallbackUser != null) {
                AuthenticationService.logger.trace("No valid credentials found in request [{}], using fallback [{}]", this.request, this.fallbackUser.principal());
                authentication = new Authentication(this.fallbackUser, new Authentication.RealmRef("__fallback", "__fallback", AuthenticationService.this.nodeName), (Authentication.RealmRef) null, Version.CURRENT, Authentication.AuthenticationType.INTERNAL, Collections.emptyMap());
            } else if (this.fallbackToAnonymous) {
                AuthenticationService.logger.trace("No valid credentials found in request [{}], using anonymous [{}]", this.request, AuthenticationService.this.anonymousUser.principal());
                authentication = new Authentication(AuthenticationService.this.anonymousUser, new Authentication.RealmRef("__anonymous", "__anonymous", AuthenticationService.this.nodeName), (Authentication.RealmRef) null, Version.CURRENT, Authentication.AuthenticationType.ANONYMOUS, Collections.emptyMap());
            } else {
                authentication = null;
            }
            if (authentication != null) {
                Authentication authentication2 = authentication;
                runnable = () -> {
                    writeAuthToContext(authentication2);
                };
            } else {
                runnable = () -> {
                    AuthenticationService.logger.debug("No valid credentials found in request [{}], rejecting", this.request);
                    this.listener.onFailure(this.request.anonymousAccessDenied());
                };
            }
            runnable.run();
        }

        private void consumeUser(User user, Map<Realm, Tuple<String, Exception>> map) {
            if (user == null) {
                map.forEach((realm, tuple) -> {
                    AuthenticationService.logger.warn("Authentication to realm {} failed - {}{}", realm.name(), (String) tuple.v1(), tuple.v2() == null ? "" : " (Caused by " + tuple.v2() + ")");
                });
                List<Realm> unlicensedRealms = AuthenticationService.this.realms.getUnlicensedRealms();
                if (!unlicensedRealms.isEmpty()) {
                    AuthenticationService.logger.warn("Authentication failed using realms [{}]. Realms [{}] were skipped because they are not permitted on the current license", Strings.collectionToCommaDelimitedString(this.defaultOrderedRealmList), Strings.collectionToCommaDelimitedString(unlicensedRealms));
                }
                AuthenticationService.logger.trace("Failed to authenticate request [{}]", this.request);
                this.listener.onFailure(this.request.authenticationFailed(this.authenticationToken));
                return;
            }
            AuthenticationService.this.threadContext.putTransient(AuthenticationResult.THREAD_CONTEXT_KEY, this.authenticationResult);
            if (!AuthenticationService.this.runAsEnabled) {
                finishAuthentication(user);
                return;
            }
            String header = AuthenticationService.this.threadContext.getHeader("es-security-runas-user");
            if (header != null && !header.isEmpty()) {
                lookupRunAsUser(user, header, this::finishAuthentication);
                return;
            }
            if (header == null) {
                finishAuthentication(user);
            } else {
                if (!$assertionsDisabled && !header.isEmpty()) {
                    throw new AssertionError("the run as username may not be empty");
                }
                AuthenticationService.logger.debug("user [{}] attempted to runAs with an empty username", user.principal());
                this.listener.onFailure(this.request.runAsDenied(new Authentication(new User(header, (String[]) null, user), this.authenticatedBy, this.lookedupBy), this.authenticationToken));
            }
        }

        private void lookupRunAsUser(User user, String str, Consumer<User> consumer) {
            AuthenticationService.logger.trace("Looking up run-as user [{}] for authenticated user [{}]", str, user.principal());
            RealmUserLookup realmUserLookup = new RealmUserLookup(getRealmList(str), AuthenticationService.this.threadContext);
            long j = AuthenticationService.this.numInvalidation.get();
            realmUserLookup.lookup(str, ActionListener.wrap(tuple -> {
                if (tuple == null) {
                    AuthenticationService.logger.debug("Cannot find run-as user [{}] for authenticated user [{}]", str, user.principal());
                    consumer.accept(new User(str, (String[]) null, user));
                    return;
                }
                User user2 = (User) Objects.requireNonNull((User) tuple.v1());
                Realm realm = (Realm) Objects.requireNonNull((Realm) tuple.v2());
                this.lookedupBy = new Authentication.RealmRef(realm.name(), realm.type(), AuthenticationService.this.nodeName);
                if (AuthenticationService.this.lastSuccessfulAuthCache != null && j == AuthenticationService.this.numInvalidation.get()) {
                    AuthenticationService.this.lastSuccessfulAuthCache.computeIfAbsent(str, str2 -> {
                        return realm;
                    });
                }
                AuthenticationService.logger.trace("Using run-as user [{}] with authenticated user [{}]", user2, user.principal());
                consumer.accept(new User(user2, user));
            }, exc -> {
                this.listener.onFailure(this.request.exceptionProcessingRequest(exc, this.authenticationToken));
            }));
        }

        void finishAuthentication(User user) {
            if (user.enabled() && user.authenticatedUser().enabled()) {
                writeAuthToContext(new Authentication(user, this.authenticatedBy, this.lookedupBy));
            } else {
                AuthenticationService.logger.debug("user [{}] is disabled. failing authentication", user);
                this.listener.onFailure(this.request.authenticationFailed(this.authenticationToken));
            }
        }

        void writeAuthToContext(Authentication authentication) {
            Runnable runnable = () -> {
                AuthenticationService.logger.trace("Established authentication [{}] for request [{}]", authentication, this.request);
                this.listener.onResponse(authentication);
            };
            try {
                AuthenticationService.this.authenticationSerializer.writeToContext(authentication, AuthenticationService.this.threadContext);
                this.request.authenticationSuccess(authentication);
                AuthenticationService.this.operatorPrivilegesService.maybeMarkOperatorUser(authentication, AuthenticationService.this.threadContext);
            } catch (Exception e) {
                runnable = () -> {
                    AuthenticationService.logger.debug(new ParameterizedMessage("Failed to store authentication [{}] for request [{}]", authentication, this.request), e);
                    this.listener.onFailure(this.request.exceptionProcessingRequest(e, this.authenticationToken));
                };
            }
            runnable.run();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void authenticateToken(AuthenticationToken authenticationToken) {
            consumeToken(authenticationToken);
        }

        static {
            $assertionsDisabled = !AuthenticationService.class.desiredAssertionStatus();
        }
    }

    public AuthenticationService(Settings settings, Realms realms, AuditTrailService auditTrailService, AuthenticationFailureHandler authenticationFailureHandler, ThreadPool threadPool, AnonymousUser anonymousUser, TokenService tokenService, ApiKeyService apiKeyService, ServiceAccountService serviceAccountService, OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService) {
        this.nodeName = (String) Node.NODE_NAME_SETTING.get(settings);
        this.realms = realms;
        this.auditTrailService = auditTrailService;
        this.failureHandler = authenticationFailureHandler;
        this.threadContext = threadPool.getThreadContext();
        this.anonymousUser = anonymousUser;
        this.runAsEnabled = ((Boolean) AuthenticationServiceField.RUN_AS_ENABLED.get(settings)).booleanValue();
        this.isAnonymousUserEnabled = AnonymousUser.isAnonymousEnabled(settings);
        this.tokenService = tokenService;
        if (((Boolean) SUCCESS_AUTH_CACHE_ENABLED.get(settings)).booleanValue()) {
            this.lastSuccessfulAuthCache = CacheBuilder.builder().setMaximumWeight(Integer.toUnsignedLong(((Integer) SUCCESS_AUTH_CACHE_MAX_SIZE.get(settings)).intValue())).setExpireAfterAccess((TimeValue) SUCCESS_AUTH_CACHE_EXPIRE_AFTER_ACCESS.get(settings)).build();
        } else {
            this.lastSuccessfulAuthCache = null;
        }
        this.apiKeyService = apiKeyService;
        this.serviceAccountService = serviceAccountService;
        this.operatorPrivilegesService = operatorPrivilegesService;
        this.authenticationSerializer = new AuthenticationContextSerializer();
    }

    public void authenticate(RestRequest restRequest, ActionListener<Authentication> actionListener) {
        authenticate(restRequest, true, actionListener);
    }

    public void authenticate(RestRequest restRequest, boolean z, ActionListener<Authentication> actionListener) {
        createAuthenticator(restRequest, z, actionListener).authenticateAsync();
    }

    public void authenticate(String str, TransportRequest transportRequest, User user, ActionListener<Authentication> actionListener) {
        Objects.requireNonNull(user, "fallback user may not be null");
        createAuthenticator(str, transportRequest, user, actionListener).authenticateAsync();
    }

    public void authenticate(String str, TransportRequest transportRequest, boolean z, ActionListener<Authentication> actionListener) {
        createAuthenticator(str, transportRequest, z, actionListener).authenticateAsync();
    }

    public void authenticate(String str, TransportRequest transportRequest, AuthenticationToken authenticationToken, ActionListener<Authentication> actionListener) {
        new Authenticator(this, str, transportRequest, shouldFallbackToAnonymous(true), actionListener).authenticateToken(authenticationToken);
    }

    public void expire(String str) {
        if (this.lastSuccessfulAuthCache != null) {
            this.numInvalidation.incrementAndGet();
            this.lastSuccessfulAuthCache.invalidate(str);
        }
    }

    public void expireAll() {
        if (this.lastSuccessfulAuthCache != null) {
            this.numInvalidation.incrementAndGet();
            this.lastSuccessfulAuthCache.invalidateAll();
        }
    }

    public void onSecurityIndexStateChange(SecurityIndexManager.State state, SecurityIndexManager.State state2) {
        if (this.lastSuccessfulAuthCache != null) {
            if (SecurityIndexManager.isMoveFromRedToNonRed(state, state2) || SecurityIndexManager.isIndexDeleted(state, state2) || !Objects.equals(state.indexUUID, state2.indexUUID)) {
                expireAll();
            }
        }
    }

    Authenticator createAuthenticator(RestRequest restRequest, boolean z, ActionListener<Authentication> actionListener) {
        return new Authenticator(this, restRequest, shouldFallbackToAnonymous(z), actionListener);
    }

    Authenticator createAuthenticator(String str, TransportRequest transportRequest, boolean z, ActionListener<Authentication> actionListener) {
        return new Authenticator(this, str, transportRequest, shouldFallbackToAnonymous(z), actionListener);
    }

    Authenticator createAuthenticator(String str, TransportRequest transportRequest, User user, ActionListener<Authentication> actionListener) {
        return new Authenticator(this, str, transportRequest, user, actionListener);
    }

    long getNumInvalidation() {
        return this.numInvalidation.get();
    }

    boolean shouldFallbackToAnonymous(boolean z) {
        if (!this.isAnonymousUserEnabled || !z) {
            return false;
        }
        String header = this.threadContext.getHeader(KerberosAuthenticationToken.AUTH_HEADER);
        if (!Strings.hasText(header)) {
            return true;
        }
        if (!header.regionMatches(true, 0, "Bearer ", 0, "Bearer ".length()) || header.length() <= "Bearer ".length()) {
            return !header.regionMatches(true, 0, "ApiKey ", 0, "ApiKey ".length()) || header.length() <= "ApiKey ".length();
        }
        return false;
    }

    public static void addSettings(List<Setting<?>> list) {
        list.add(AuthenticationServiceField.RUN_AS_ENABLED);
        list.add(SUCCESS_AUTH_CACHE_ENABLED);
        list.add(SUCCESS_AUTH_CACHE_MAX_SIZE);
        list.add(SUCCESS_AUTH_CACHE_EXPIRE_AFTER_ACCESS);
    }
}
