package org.elasticsearch.xpack.security.rest;

import java.io.IOException;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.security.rest.RestRequestFilter;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.support.SecondaryAuthenticator;
import org.elasticsearch.xpack.security.transport.SSLEngineUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/rest/SecurityRestFilter.class */
public class SecurityRestFilter implements RestHandler {
    private static final Logger logger = LogManager.getLogger(SecurityRestFilter.class);
    private final RestHandler restHandler;
    private final AuthenticationService authenticationService;
    private final SecondaryAuthenticator secondaryAuthenticator;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final boolean extractClientCertificate;

    public SecurityRestFilter(XPackLicenseState xPackLicenseState, ThreadContext threadContext, AuthenticationService authenticationService, SecondaryAuthenticator secondaryAuthenticator, RestHandler restHandler, boolean z) {
        this.licenseState = xPackLicenseState;
        this.threadContext = threadContext;
        this.authenticationService = authenticationService;
        this.secondaryAuthenticator = secondaryAuthenticator;
        this.restHandler = restHandler;
        this.extractClientCertificate = z;
    }

    public void handleRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
        if (!this.licenseState.isSecurityEnabled() || restRequest.method() == RestRequest.Method.OPTIONS) {
            this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
            return;
        }
        if (this.extractClientCertificate) {
            SSLEngineUtils.extractClientCertificates(logger, this.threadContext, restRequest.getHttpChannel());
        }
        String uri = restRequest.uri();
        this.authenticationService.authenticate(maybeWrapRestRequest(restRequest), ActionListener.wrap(authentication -> {
            if (authentication == null) {
                logger.trace("No authentication available for REST request [{}]", uri);
            } else {
                logger.trace("Authenticated REST request [{}] as {}", uri, authentication);
            }
            this.secondaryAuthenticator.authenticateAndAttachToContext(restRequest, ActionListener.wrap(secondaryAuthentication -> {
                if (secondaryAuthentication != null) {
                    logger.trace("Found secondary authentication {} in REST request [{}]", secondaryAuthentication, uri);
                }
                RemoteHostHeader.process(restRequest, this.threadContext);
                this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
            }, exc -> {
                handleException("Secondary authentication", restRequest, restChannel, exc);
            }));
        }, exc -> {
            handleException("Authentication", restRequest, restChannel, exc);
        }));
    }

    private void handleException(String str, RestRequest restRequest, RestChannel restChannel, Exception exc) {
        logger.debug(new ParameterizedMessage("{} failed for REST request [{}]", str, restRequest.uri()), exc);
        final RestStatus status = ExceptionsHelper.status(exc);
        try {
            restChannel.sendResponse(new BytesRestResponse(restChannel, status, exc) { // from class: org.elasticsearch.xpack.security.rest.SecurityRestFilter.1
                protected boolean skipStackTrace() {
                    return status == RestStatus.UNAUTHORIZED;
                }
            });
        } catch (Exception e) {
            e.addSuppressed(exc);
            logger.error(() -> {
                return new ParameterizedMessage("failed to send failure response for uri [{}]", restRequest.uri());
            }, e);
        }
    }

    public boolean canTripCircuitBreaker() {
        return this.restHandler.canTripCircuitBreaker();
    }

    public boolean supportsContentStream() {
        return this.restHandler.supportsContentStream();
    }

    public boolean allowsUnsafeBuffers() {
        return this.restHandler.allowsUnsafeBuffers();
    }

    public List<RestHandler.Route> routes() {
        return this.restHandler.routes();
    }

    public List<RestHandler.DeprecatedRoute> deprecatedRoutes() {
        return this.restHandler.deprecatedRoutes();
    }

    public List<RestHandler.ReplacedRoute> replacedRoutes() {
        return this.restHandler.replacedRoutes();
    }

    private RestRequest maybeWrapRestRequest(RestRequest restRequest) throws IOException {
        return this.restHandler instanceof RestRequestFilter ? this.restHandler.getFilteredRequest(restRequest) : restRequest;
    }
}
