package org.elasticsearch.xpack.security.authc;

import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Strings;
import org.elasticsearch.node.Node;
import org.elasticsearch.xpack.core.common.IteratingActionListener;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.AuthenticationResult;
import org.elasticsearch.xpack.core.security.authc.AuthenticationServiceField;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.core.security.authc.Realm;
import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
import org.elasticsearch.xpack.core.security.support.Exceptions;
import org.elasticsearch.xpack.core.security.user.AnonymousUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.Authenticator;
import org.elasticsearch.xpack.security.operator.OperatorPrivileges;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/authc/AuthenticatorChain.class */
public class AuthenticatorChain {
    private static final Logger logger;
    private final String nodeName;
    private final boolean runAsEnabled;
    private final OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService;
    private final AnonymousUser anonymousUser;
    private final boolean isAnonymousUserEnabled;
    private final AuthenticationContextSerializer authenticationSerializer;
    private final RealmsAuthenticator realmsAuthenticator;
    private final List<Authenticator> allAuthenticators;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthenticatorChain(Settings settings, OperatorPrivileges.OperatorPrivilegesService operatorPrivilegesService, AnonymousUser anonymousUser, AuthenticationContextSerializer authenticationContextSerializer, ServiceAccountAuthenticator serviceAccountAuthenticator, OAuth2TokenAuthenticator oAuth2TokenAuthenticator, ApiKeyAuthenticator apiKeyAuthenticator, RealmsAuthenticator realmsAuthenticator) {
        this.nodeName = (String) Node.NODE_NAME_SETTING.get(settings);
        this.runAsEnabled = ((Boolean) AuthenticationServiceField.RUN_AS_ENABLED.get(settings)).booleanValue();
        this.operatorPrivilegesService = operatorPrivilegesService;
        this.anonymousUser = anonymousUser;
        this.isAnonymousUserEnabled = AnonymousUser.isAnonymousEnabled(settings);
        this.authenticationSerializer = authenticationContextSerializer;
        this.realmsAuthenticator = realmsAuthenticator;
        this.allAuthenticators = List.of(serviceAccountAuthenticator, oAuth2TokenAuthenticator, apiKeyAuthenticator, realmsAuthenticator);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void authenticateAsync(Authenticator.Context context, ActionListener<Authentication> actionListener) {
        if (!$assertionsDisabled && false != context.getDefaultOrderedRealmList().isEmpty()) {
            throw new AssertionError("realm list must not be empty");
        }
        ActionListener<Authentication> map = actionListener.map(authentication -> {
            this.operatorPrivilegesService.maybeMarkOperatorUser(authentication, context.getThreadContext());
            return authentication;
        });
        if (context.getMostRecentAuthenticationToken() != null) {
            authenticateAsyncWithExistingAuthenticationToken(context, map);
            return;
        }
        try {
            Authentication lookForExistingAuthentication = lookForExistingAuthentication(context);
            if (lookForExistingAuthentication != null) {
                logger.trace("Found existing authentication [{}] in request [{}]", lookForExistingAuthentication, context.getRequest());
                map.onResponse(lookForExistingAuthentication);
            } else {
                Objects.requireNonNull(context);
                doAuthenticate(context, true, ActionListener.runBefore(map, context::close));
            }
        } catch (Exception e) {
            map.onFailure(e);
        }
    }

    private void authenticateAsyncWithExistingAuthenticationToken(Authenticator.Context context, ActionListener<Authentication> actionListener) {
        if (!$assertionsDisabled && context.getMostRecentAuthenticationToken() == null) {
            throw new AssertionError("existing authentication token must not be null");
        }
        context.setHandleNullToken(false);
        doAuthenticate(context, false, actionListener);
    }

    private void doAuthenticate(Authenticator.Context context, boolean z, ActionListener<Authentication> actionListener) {
        CheckedConsumer checkedConsumer = authenticationResult -> {
            if (!$assertionsDisabled && authenticationResult.getStatus() == AuthenticationResult.Status.TERMINATE) {
                throw new AssertionError("terminate should already be handled by each individual authenticator");
            }
            if (authenticationResult.getStatus() == AuthenticationResult.Status.SUCCESS) {
                maybeLookupRunAsUser(context, (Authentication) authenticationResult.getValue(), actionListener);
            } else if (context.shouldHandleNullToken()) {
                handleNullToken(context, actionListener);
            } else {
                actionListener.onFailure(Exceptions.authenticationError("failed to authenticate", authenticationResult.getException(), new Object[0]));
            }
        };
        Objects.requireNonNull(actionListener);
        new IteratingActionListener(ActionListener.wrap(checkedConsumer, actionListener::onFailure), getAuthenticatorConsumer(context, z), this.allAuthenticators, context.getThreadContext(), Function.identity(), authenticationResult2 -> {
            return authenticationResult2.getStatus() == AuthenticationResult.Status.CONTINUE;
        }).run();
    }

    private static BiConsumer<Authenticator, ActionListener<AuthenticationResult<Authentication>>> getAuthenticatorConsumer(Authenticator.Context context, boolean z) {
        return (authenticator, actionListener) -> {
            if (z) {
                try {
                    AuthenticationToken extractCredentials = authenticator.extractCredentials(context);
                    if (extractCredentials == null) {
                        actionListener.onResponse(AuthenticationResult.notHandled());
                        return;
                    }
                    context.addAuthenticationToken(extractCredentials);
                } catch (Exception e) {
                    if (e instanceof ElasticsearchSecurityException) {
                        actionListener.onFailure(e);
                        return;
                    } else {
                        context.addUnsuccessfulMessage(authenticator.name() + ": " + e.getMessage());
                        actionListener.onResponse(AuthenticationResult.unsuccessful(e.getMessage(), e));
                        return;
                    }
                }
            }
            context.setHandleNullToken(context.shouldHandleNullToken() && authenticator.canBeFollowedByNullTokenHandler());
            Consumer consumer = exc -> {
                if (!$assertionsDisabled && exc == null) {
                    throw new AssertionError("exception cannot be null");
                }
                if (exc instanceof ElasticsearchSecurityException) {
                    ElasticsearchSecurityException elasticsearchSecurityException = (ElasticsearchSecurityException) exc;
                    if (false == context.getUnsuccessfulMessages().isEmpty()) {
                        addMetadata(context, elasticsearchSecurityException);
                    }
                }
                actionListener.onFailure(exc);
            };
            authenticator.authenticate(context, ActionListener.wrap(authenticationResult -> {
                if (authenticationResult.getStatus() == AuthenticationResult.Status.TERMINATE) {
                    consumer.accept(authenticationResult.getException());
                    return;
                }
                if (authenticationResult.getStatus() == AuthenticationResult.Status.CONTINUE && authenticationResult.getMessage() != null) {
                    context.addUnsuccessfulMessage(authenticator.name() + ": " + authenticationResult.getMessage());
                }
                actionListener.onResponse(authenticationResult);
            }, consumer));
        };
    }

    void maybeLookupRunAsUser(Authenticator.Context context, Authentication authentication, ActionListener<Authentication> actionListener) {
        if (false == this.runAsEnabled) {
            finishAuthentication(context, authentication, actionListener);
            return;
        }
        String header = context.getThreadContext().getHeader("es-security-runas-user");
        if (header == null) {
            finishAuthentication(context, authentication, actionListener);
            return;
        }
        if (false == authentication.supportsRunAs(this.anonymousUser)) {
            logger.info("ignore run-as header since it is currently not supported for authentication [{}]", authentication);
            finishAuthentication(context, authentication, actionListener);
        } else {
            RealmsAuthenticator realmsAuthenticator = this.realmsAuthenticator;
            CheckedConsumer checkedConsumer = tuple -> {
                Authentication runAs;
                if (tuple == null) {
                    logger.debug("Cannot find run-as user [{}] for authenticated user [{}]", header, authentication.getUser().principal());
                    runAs = authentication.runAs(new User(header, (String[]) null, (String) null, (String) null, Map.of(), true), (Authentication.RealmRef) null);
                } else {
                    runAs = authentication.runAs((User) tuple.v1(), ((Realm) tuple.v2()).realmRef());
                }
                finishAuthentication(context, runAs, actionListener);
            };
            Objects.requireNonNull(actionListener);
            realmsAuthenticator.lookupRunAsUser(context, authentication, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
        }
    }

    private Authentication lookForExistingAuthentication(Authenticator.Context context) {
        try {
            Authentication readFromContext = this.authenticationSerializer.readFromContext(context.getThreadContext());
            if (readFromContext == null || !(context.getRequest() instanceof AuthenticationService.AuditableRestRequest)) {
                return readFromContext;
            }
            throw context.getRequest().tamperedRequest();
        } catch (Exception e) {
            logger.error(() -> {
                return Strings.format("caught exception while trying to read authentication from request [%s]", new Object[]{context.getRequest()});
            }, e);
            throw context.getRequest().tamperedRequest();
        }
    }

    void handleNullToken(Authenticator.Context context, ActionListener<Authentication> actionListener) {
        Authentication authentication;
        if (context.getFallbackUser() != null) {
            logger.trace("No valid credentials found in request [{}], using fallback [{}]", context.getRequest(), context.getFallbackUser().principal());
            authentication = Authentication.newInternalFallbackAuthentication(context.getFallbackUser(), this.nodeName);
        } else if (shouldFallbackToAnonymous(context)) {
            logger.trace("No valid credentials found in request [{}], using anonymous [{}]", context.getRequest(), this.anonymousUser.principal());
            authentication = Authentication.newAnonymousAuthentication(this.anonymousUser, this.nodeName);
        } else {
            authentication = null;
        }
        if (authentication != null) {
            writeAuthToContext(context, authentication, actionListener);
            return;
        }
        ElasticsearchSecurityException anonymousAccessDenied = context.getRequest().anonymousAccessDenied();
        if (false != context.getUnsuccessfulMessages().isEmpty()) {
            logger.debug("No valid credentials found in request [{}], rejecting", context.getRequest());
            actionListener.onFailure(anonymousAccessDenied);
            return;
        }
        logger.debug("Authenticating with null credentials is unsuccessful in request [{}] after unsuccessful attempts of other credentials", context.getRequest());
        ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("unable to authenticate with provided credentials and anonymous access is not allowed for this request", anonymousAccessDenied.status(), anonymousAccessDenied.getCause(), new Object[0]);
        anonymousAccessDenied.getHeaderKeys().forEach(str -> {
            elasticsearchSecurityException.addHeader(str, anonymousAccessDenied.getHeader(str));
        });
        addMetadata(context, elasticsearchSecurityException);
        actionListener.onFailure(elasticsearchSecurityException);
    }

    void finishAuthentication(Authenticator.Context context, Authentication authentication, ActionListener<Authentication> actionListener) {
        if (authentication.getUser().enabled() && authentication.getAuthenticatingSubject().getUser().enabled()) {
            writeAuthToContext(context, authentication, actionListener);
        } else {
            logger.debug("user [{}] is disabled. failing authentication", authentication.getUser());
            actionListener.onFailure(context.getRequest().authenticationFailed(context.getMostRecentAuthenticationToken()));
        }
    }

    void writeAuthToContext(Authenticator.Context context, Authentication authentication, ActionListener<Authentication> actionListener) {
        try {
            this.authenticationSerializer.writeToContext(authentication, context.getThreadContext());
            context.getRequest().authenticationSuccess(authentication);
            logger.trace("Established authentication [{}] for request [{}]", authentication, context.getRequest());
            actionListener.onResponse(authentication);
        } catch (Exception e) {
            logger.debug(() -> {
                return Strings.format("Failed to store authentication [%s] for request [%s]", new Object[]{authentication, context.getRequest()});
            }, e);
            ElasticsearchSecurityException exceptionProcessingRequest = context.getRequest().exceptionProcessingRequest(e, context.getMostRecentAuthenticationToken());
            addMetadata(context, exceptionProcessingRequest);
            actionListener.onFailure(exceptionProcessingRequest);
        }
    }

    private static void addMetadata(Authenticator.Context context, ElasticsearchSecurityException elasticsearchSecurityException) {
        if (false == context.getUnsuccessfulMessages().isEmpty()) {
            elasticsearchSecurityException.addMetadata("es.additional_unsuccessful_credentials", context.getUnsuccessfulMessages());
        }
    }

    private boolean shouldFallbackToAnonymous(Authenticator.Context context) {
        if (!this.isAnonymousUserEnabled || !context.isAllowAnonymous()) {
            return false;
        }
        String header = context.getThreadContext().getHeader("Authorization");
        if (!org.elasticsearch.common.Strings.hasText(header)) {
            return true;
        }
        if (!header.regionMatches(true, 0, "Bearer ", 0, "Bearer ".length()) || header.length() <= "Bearer ".length()) {
            return !header.regionMatches(true, 0, "ApiKey ", 0, "ApiKey ".length()) || header.length() <= "ApiKey ".length();
        }
        return false;
    }

    static {
        $assertionsDisabled = !AuthenticatorChain.class.desiredAssertionStatus();
        logger = LogManager.getLogger(AuthenticatorChain.class);
    }
}
