package com.amazon.opendistroforelasticsearch.security.auth;

import com.amazon.opendistroforelasticsearch.security.auditlog.AuditLog;
import com.amazon.opendistroforelasticsearch.security.auth.UserInjector;
import com.amazon.opendistroforelasticsearch.security.auth.blocking.ClientBlockRegistry;
import com.amazon.opendistroforelasticsearch.security.auth.internal.NoOpAuthenticationBackend;
import com.amazon.opendistroforelasticsearch.security.configuration.AdminDNs;
import com.amazon.opendistroforelasticsearch.security.http.XFFResolver;
import com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModel;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import com.amazon.opendistroforelasticsearch.security.support.HTTPHelper;
import com.amazon.opendistroforelasticsearch.security.user.AuthCredentials;
import com.amazon.opendistroforelasticsearch.security.user.User;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;
import com.google.common.collect.Multimap;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
import org.greenrobot.eventbus.Subscribe;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/auth/BackendRegistry.class */
/**
 * Front door for authentication in the security plugin.
 *
 * <p>Holds the currently active REST and transport auth domains and authorizers
 * (replaced wholesale on every {@link DynamicConfigModel} event), the Guava caches
 * that sit in front of the authentication/authorization backends, and the hooks for
 * client blocking and auth-failure listeners.
 *
 * <p>This is a decompiled (JADX) listing. Parameter names such as {@code str},
 * {@code str2}, {@code cache2} are decompiler placeholders, not the original names,
 * and the REST {@code authenticate(RestRequest, RestChannel, ThreadContext)} method
 * could not be recovered at all (see the note on that method).
 *
 * <p>Security-relevant ordering in the transport path, exactly as written below:
 * a blocked client address is rejected first; an injected user (unsupported mode)
 * wins over everything else; a principal matching an admin DN is accepted without
 * consulting any backend; only then is the "not yet initialized" check applied.
 *
 * <p>Caching: every cache uses {@code expireAfterWrite(ttlInMin)} and no maximum size,
 * so a successful authentication stays valid for up to {@code ttlInMin} minutes after
 * it was cached regardless of backend changes, unless {@link #invalidateCache()} runs.
 */
public class BackendRegistry {
    // Active configuration. NOTE: these eight fields are plain (non-volatile) and are
    // replaced one at a time in onDynamicConfigModelChanged().
    private SortedSet<AuthDomain> restAuthDomains;
    private Set<AuthorizationBackend> restAuthorizers;
    private SortedSet<AuthDomain> transportAuthDomains;
    private Set<AuthorizationBackend> transportAuthorizers;
    private List<AuthFailureListener> ipAuthFailureListeners;
    // Keyed by authentication backend class name (see the lookup in the transport path).
    private Multimap<String, AuthFailureListener> authBackendFailureListeners;
    private List<ClientBlockRegistry<InetAddress>> ipClientBlockRegistries;
    private Multimap<String, ClientBlockRegistry<String>> authBackendClientBlockRegistries;
    private volatile boolean initialized;
    // "Unsupported" inject-user mode: a user pre-placed in the thread context by UserInjector
    // short-circuits authentication entirely (see authenticate(TransportRequest, ...)).
    private volatile boolean injectedUserEnabled;
    private final AdminDNs adminDns;
    private final XFFResolver xffResolver;
    private final Settings esSettings;
    private final AuditLog auditLog;
    private final ThreadPool threadPool;
    private final UserInjector userInjector;
    // TTL (minutes) shared by all caches below; from OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, default 60.
    private final int ttlInMin;
    // Credential -> user (REST); only created/invalidated in the visible code, used by the
    // undecompiled REST authenticate() (presumably).
    private Cache<AuthCredentials, User> userCache;
    // Impersonation-target name -> user, REST side.
    private Cache<String, User> restImpersonationCache;
    // Principal name -> user for certificate-authenticated transport callers (existence check only).
    private Cache<String, User> userCacheTransport;
    // Credential -> user for transport callers that also sent basic credentials.
    private Cache<AuthCredentials, User> authenticatedUserCacheTransport;
    // Backend roles per user.
    private Cache<User, Set<String>> transportRoleCache;
    private Cache<User, Set<String>> restRoleCache;
    // Impersonation-target name -> user, transport side.
    private Cache<String, User> transportImpersonationCache;
    protected final Logger log = LogManager.getLogger(getClass());
    private volatile boolean anonymousAuthEnabled = false;
    // RDN type (e.g. "CN") whose value replaces the full DN as the transport user name; null/empty = off.
    private volatile String transportUsernameAttribute = null;

    /**
     * Builds the seven caches. All share the same TTL ({@code expireAfterWrite}), have no
     * size bound, and only log at DEBUG when an entry is evicted. Called once from the
     * constructor; the fields are never rebuilt afterwards (invalidateCache() clears them in place).
     */
    private void createCaches() {
        this.userCache = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<AuthCredentials, User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.1
            public void onRemoval(RemovalNotification<AuthCredentials, User> removalNotification) {
                // Only the username is logged, never the credential itself.
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", ((AuthCredentials) removalNotification.getKey()).getUsername(), removalNotification.getCause());
            }
        }).build();
        this.userCacheTransport = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<String, User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.2
            public void onRemoval(RemovalNotification<String, User> removalNotification) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", removalNotification.getKey(), removalNotification.getCause());
            }
        }).build();
        this.authenticatedUserCacheTransport = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<AuthCredentials, User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.3
            public void onRemoval(RemovalNotification<AuthCredentials, User> removalNotification) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", ((AuthCredentials) removalNotification.getKey()).getUsername(), removalNotification.getCause());
            }
        }).build();
        this.restImpersonationCache = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<String, User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.4
            public void onRemoval(RemovalNotification<String, User> removalNotification) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", removalNotification.getKey(), removalNotification.getCause());
            }
        }).build();
        this.transportRoleCache = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<User, Set<String>>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.5
            public void onRemoval(RemovalNotification<User, Set<String>> removalNotification) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", removalNotification.getKey(), removalNotification.getCause());
            }
        }).build();
        this.restRoleCache = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<User, Set<String>>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.6
            public void onRemoval(RemovalNotification<User, Set<String>> removalNotification) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", removalNotification.getKey(), removalNotification.getCause());
            }
        }).build();
        this.transportImpersonationCache = CacheBuilder.newBuilder().expireAfterWrite(this.ttlInMin, TimeUnit.MINUTES).removalListener(new RemovalListener<String, User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.7
            public void onRemoval(RemovalNotification<String, User> removalNotification) {
                BackendRegistry.this.log.debug("Clear user cache for {} due to {}", removalNotification.getKey(), removalNotification.getCause());
            }
        }).build();
    }

    /**
     * Creates the registry in its uninitialized state; {@link #onDynamicConfigModelChanged}
     * must run before any non-admin, non-injected authentication can succeed.
     *
     * @param settings   static node settings; supplies the cache TTL and the inject-user switch
     * @param adminDNs   admin-DN matcher used for the admin bypass and impersonation rules
     * @param xFFResolver forwarded to UserInjector (X-Forwarded-For handling)
     * @param auditLog   receives every succeeded/failed login
     * @param threadPool its ThreadContext is where transport headers (Authorization,
     *                   impersonation) are read from
     */
    public BackendRegistry(Settings settings, AdminDNs adminDNs, XFFResolver xFFResolver, AuditLog auditLog, ThreadPool threadPool) {
        this.injectedUserEnabled = false;
        this.adminDns = adminDNs;
        this.esSettings = settings;
        this.xffResolver = xFFResolver;
        this.auditLog = auditLog;
        this.threadPool = threadPool;
        this.userInjector = new UserInjector(settings, threadPool, auditLog, xFFResolver);
        this.ttlInMin = settings.getAsInt(ConfigConstants.OPENDISTRO_SECURITY_CACHE_TTL_MINUTES, 60).intValue();
        // Explicitly opt-in and named "unsupported" in the setting key; off by default.
        this.injectedUserEnabled = this.esSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_UNSUPPORTED_INJECT_USER_ENABLED, false).booleanValue();
        createCaches();
    }

    /** True once a configuration with at least one REST auth domain (or anonymous/injected mode) has been applied. */
    public boolean isInitialized() {
        return this.initialized;
    }

    /**
     * Drops every cached user and role set. This is the only way, short of the TTL,
     * to make a backend-side change (password, group membership) take effect.
     */
    public void invalidateCache() {
        this.userCache.invalidateAll();
        this.userCacheTransport.invalidateAll();
        this.authenticatedUserCacheTransport.invalidateAll();
        this.restImpersonationCache.invalidateAll();
        this.restRoleCache.invalidateAll();
        this.transportRoleCache.invalidateAll();
        this.transportImpersonationCache.invalidateAll();
    }

    /**
     * Event-bus callback: swaps in a freshly built configuration.
     *
     * <p>Caches are dropped first so nothing authenticated under the previous configuration
     * survives the switch. The configuration fields are then assigned one by one without a
     * lock, and the domain/authorizer/listener fields are not volatile, so a request racing
     * with this method may briefly see a mix of old and new sets — NOTE(review): confirm the
     * event-bus threading makes that acceptable.
     *
     * <p>Anonymous authentication requested by the dynamic config is vetoed by the static
     * compliance setting OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION.
     *
     * @param dynamicConfigModel the new configuration
     */
    @Subscribe
    public void onDynamicConfigModelChanged(DynamicConfigModel dynamicConfigModel) {
        invalidateCache();
        this.transportUsernameAttribute = dynamicConfigModel.getTransportUsernameAttribute();
        this.anonymousAuthEnabled = dynamicConfigModel.isAnonymousAuthenticationEnabled() && !this.esSettings.getAsBoolean(ConfigConstants.OPENDISTRO_SECURITY_COMPLIANCE_DISABLE_ANONYMOUS_AUTHENTICATION, false).booleanValue();
        this.restAuthDomains = Collections.unmodifiableSortedSet(dynamicConfigModel.getRestAuthDomains());
        this.transportAuthDomains = Collections.unmodifiableSortedSet(dynamicConfigModel.getTransportAuthDomains());
        this.restAuthorizers = Collections.unmodifiableSet(dynamicConfigModel.getRestAuthorizers());
        this.transportAuthorizers = Collections.unmodifiableSet(dynamicConfigModel.getTransportAuthorizers());
        this.ipAuthFailureListeners = dynamicConfigModel.getIpAuthFailureListeners();
        this.authBackendFailureListeners = dynamicConfigModel.getAuthBackendFailureListeners();
        this.ipClientBlockRegistries = dynamicConfigModel.getIpClientBlockRegistries();
        this.authBackendClientBlockRegistries = dynamicConfigModel.getAuthBackendClientBlockRegistries();
        // Note: only the REST domain set counts here; a config with transport domains only
        // still leaves the registry "not initialized".
        this.initialized = !this.restAuthDomains.isEmpty() || this.anonymousAuthEnabled || this.injectedUserEnabled;
    }

    /**
     * Authenticates a transport-layer request.
     *
     * <p>Check order (each step is terminal when it fires): blocked client address →
     * injected user → principal matching an admin DN (accepted without any backend
     * lookup and without impersonation) → "not initialized" → transport auth domains
     * in order. With no basic credentials present the caller's certificate principal
     * is only checked for existence (plus optional impersonation); with credentials,
     * they are authenticated against each backend.
     *
     * @param transportRequest the request; its remote address feeds IP blocking, audit and failure listeners
     * @param str              decompiler name — the principal from the client certificate
     *                         (the impersonation code below calls it the "original PKI user");
     *                         {@code null} means no principal and yields {@code null} unless a
     *                         user was injected
     * @param task             passed through to the audit log
     * @param str2             decompiler name — passed through to logSucceededLogin (presumably
     *                         the action name; confirm against AuditLog)
     * @return the authenticated, possibly impersonated, user; {@code null} on any refusal
     */
    public User authenticate(TransportRequest transportRequest, String str, Task task, String str2) {
        User authcz;
        if (this.log.isDebugEnabled() && transportRequest.remoteAddress() != null) {
            this.log.debug("Transport authentication request from {}", transportRequest.remoteAddress());
        }
        // Blocked addresses are refused before anything else. Both branches return null;
        // the split only decides whether the debug line is emitted.
        if (transportRequest.remoteAddress() != null && isBlocked(transportRequest.remoteAddress().address().getAddress())) {
            if (!this.log.isDebugEnabled()) {
                return null;
            }
            this.log.debug("Rejecting transport request because of blocked address: " + transportRequest.remoteAddress());
            return null;
        }
        // Injected user (unsupported mode) bypasses every check below, including isInitialized().
        UserInjector.InjectedUser injectedUser = this.userInjector.getInjectedUser();
        if (injectedUser != null) {
            this.auditLog.logSucceededLogin(injectedUser.getName(), true, null, transportRequest, str2, task);
            return injectedUser;
        }
        if (str == null) {
            return null;
        }
        User user = new User(str);
        // Admin-DN bypass: trusts the certificate principal alone, no backend, no impersonation.
        // Deliberately precedes the initialized check so admin tooling can reach an unconfigured cluster.
        if (this.adminDns.isAdmin(user)) {
            this.auditLog.logSucceededLogin(user.getName(), true, null, transportRequest, str2, task);
            return user;
        }
        if (!isInitialized()) {
            this.log.error("Not yet initialized (you may need to run securityadmin)");
            return null;
        }
        // Basic credentials, if any, come from the thread-context header, not from the request object.
        AuthCredentials extractCredentials = HTTPHelper.extractCredentials(this.threadPool.getThreadContext().getHeader("Authorization"), this.log);
        User user2 = null;
        if (extractCredentials != null && this.log.isDebugEnabled()) {
            this.log.debug("User {} submitted also basic credentials: {}", user.getName(), extractCredentials);
        }
        for (AuthDomain authDomain : this.transportAuthDomains) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Check transport authdomain {}/{} or {} in total", authDomain.getBackend().getType(), Integer.valueOf(authDomain.getOrder()), Integer.valueOf(this.transportAuthDomains.size()));
            }
            if (extractCredentials == null) {
                // Certificate-only caller: resolve impersonation target (may throw), then map the DN
                // to the configured username attribute, and check that the effective user exists.
                // user2 != null means an impersonation was requested and allowed.
                user2 = impersonate(transportRequest, user);
                user = resolveTransportUsernameAttribute(user);
                authcz = checkExistsAndAuthz(this.userCacheTransport, user2 == null ? user : user2, authDomain.getBackend(), this.transportAuthorizers);
            } else {
                // Credentials present: full authenticate + authorize against this backend.
                authcz = authcz(this.authenticatedUserCacheTransport, this.transportRoleCache, extractCredentials, authDomain.getBackend(), this.transportAuthorizers);
            }
            if (authcz != null) {
                // A backend must not be able to mint a user whose name matches an admin DN.
                if (this.adminDns.isAdmin(authcz)) {
                    this.log.error("Cannot authenticate transport user because admin user is not permitted to login");
                    this.auditLog.logFailedLogin(authcz.getName(), true, null, transportRequest, task);
                    return null;
                }
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Transport user '{}' is authenticated", authcz);
                }
                // Third argument is the original (impersonating) user when impersonation happened.
                this.auditLog.logSucceededLogin(authcz.getName(), false, user2 == null ? null : user.getName(), transportRequest, str2, task);
                return authcz;
            }
            // Per-backend failure listeners (e.g. rate limiting) are keyed by backend class name.
            Iterator it = this.authBackendFailureListeners.get(authDomain.getBackend().getClass().getName()).iterator();
            while (it.hasNext()) {
                ((AuthFailureListener) it.next()).onAuthFailure(transportRequest.remoteAddress() != null ? transportRequest.remoteAddress().address().getAddress() : null, extractCredentials, transportRequest);
            }
            if (this.log.isDebugEnabled()) {
                this.log.debug("Cannot authenticate transport user {} (or add roles) with authdomain {}/{} of {}, try next", extractCredentials == null ? user2 == null ? user.getName() : user2.getName() : extractCredentials.getUsername(), authDomain.getBackend().getType(), Integer.valueOf(authDomain.getOrder()), Integer.valueOf(this.transportAuthDomains.size()));
            }
        }
        // Every domain refused: audit, warn, notify IP-level listeners, deny.
        if (extractCredentials == null) {
            this.auditLog.logFailedLogin(user2 == null ? user.getName() : user2.getName(), false, user2 == null ? null : user.getName(), transportRequest, task);
        } else {
            this.auditLog.logFailedLogin(extractCredentials.getUsername(), false, null, transportRequest, task);
        }
        this.log.warn("Transport authentication finally failed for {} from {}", extractCredentials == null ? user2 == null ? user.getName() : user2.getName() : extractCredentials.getUsername(), transportRequest.remoteAddress());
        notifyIpAuthFailureListeners(transportRequest.remoteAddress() != null ? transportRequest.remoteAddress().address().getAddress() : null, extractCredentials, transportRequest);
        return null;
    }

    /*
     * REST authentication entry point. JADX could not restructure this method (1367
     * instructions); the stub below only throws and must not be mistaken for the real
     * behaviour. The partially recovered fragments (r8 = request, r9 = channel,
     * r10 = thread context, r13 = authenticated flag, r14 = user, r15 = extracted
     * credentials, r16 = first challenging authenticator) show, hedged as reconstruction:
     *   - success (r13): impersonate(r8, r14) is consulted; its result, or r14 when it is
     *     null, is stored in the thread context under ConfigConstants.OPENDISTRO_SECURITY_USER
     *     and logSucceededLogin(name, false, r14.getName(), r8) is called; r13 is returned;
     *   - no credentials (r15 == null) and anonymousAuthEnabled: User.ANONYMOUS is stored
     *     under the same key, a succeeded login is logged ("Anonymous User is authenticated")
     *     and true is returned;
     *   - otherwise, if r16 != null, r16.reRequestAuthentication(r9, null) is attempted
     *     ("Rerequest with {}"); on one outcome only a warning ("Authentication finally
     *     failed for {} from {}") and logFailedLogin are issued and false is returned
     *     (no response is sent here, presumably because the authenticator sent its challenge);
     *   - in the remaining case the same warning and logFailedLogin are issued, then
     *     notifyIpAuthFailureListeners(r8, r15) runs and a 401 BytesRestResponse
     *     "Authentication finally failed" is sent before returning false.
     * Which reRequestAuthentication result maps to which branch is not reliably recoverable
     * from the dump; verify against the original source.
     */
    public boolean authenticate(org.elasticsearch.rest.RestRequest r8, org.elasticsearch.rest.RestChannel r9, org.elasticsearch.common.util.concurrent.ThreadContext r10) {
        /*
            Method dump skipped, instructions count: 1367
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.authenticate(org.elasticsearch.rest.RestRequest, org.elasticsearch.rest.RestChannel, org.elasticsearch.common.util.concurrent.ThreadContext):boolean");
    }

    /**
     * REST variant: extracts the client's IP from the HTTP channel (null when the remote
     * address is not an InetSocketAddress) and notifies the IP-level failure listeners.
     */
    private void notifyIpAuthFailureListeners(RestRequest restRequest, AuthCredentials authCredentials) {
        notifyIpAuthFailureListeners(restRequest.getHttpChannel().getRemoteAddress() instanceof InetSocketAddress ? restRequest.getHttpChannel().getRemoteAddress().getAddress() : null, authCredentials, restRequest);
    }

    /**
     * Fans an authentication failure out to every IP-level listener.
     *
     * @param inetAddress     client address, may be null
     * @param authCredentials the credentials that failed, may be null
     * @param obj             the originating request (TransportRequest or RestRequest)
     */
    private void notifyIpAuthFailureListeners(InetAddress inetAddress, AuthCredentials authCredentials, Object obj) {
        Iterator<AuthFailureListener> it = this.ipAuthFailureListeners.iterator();
        while (it.hasNext()) {
            it.next().onAuthFailure(inetAddress, authCredentials, obj);
        }
    }

    /**
     * Existence check (no credential verification) for certificate-authenticated and
     * impersonated users, cached by user name.
     *
     * <p>The loader asks {@code authenticationBackend.exists(user)} and, on success, fills
     * roles with no role cache (so roles are fetched fresh on every user-cache miss).
     * Guava's {@code Cache.get} rejects a null value from the loader and throws instead,
     * so a non-existent user ends up in the catch below, returns null and is never cached.
     * Any backend exception is likewise turned into a null result — fail closed — but is
     * only logged at DEBUG, so a backend outage is invisible at default log levels.
     *
     * @param cache                 name → user cache to consult/populate
     * @param user                  the user to look up; null yields null
     * @param authenticationBackend backend consulted on cache miss
     * @param set                   authorization backends used to fill roles on a miss
     * @return the (role-filled) user, or null if absent or on error
     */
    private User checkExistsAndAuthz(Cache<String, User> cache, final User user, final AuthenticationBackend authenticationBackend, final Set<AuthorizationBackend> set) {
        if (user == null) {
            return null;
        }
        try {
            return (User) cache.get(user.getName(), new Callable<User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.8
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public User call() throws Exception {
                    if (BackendRegistry.this.log.isTraceEnabled()) {
                        BackendRegistry.this.log.trace("Credentials for user " + user.getName() + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                    }
                    if (authenticationBackend.exists(user)) {
                        // null role cache: roles are not cached separately on this path
                        BackendRegistry.this.authz(user, null, set);
                        return user;
                    }
                    if (!BackendRegistry.this.log.isDebugEnabled()) {
                        return null;
                    }
                    BackendRegistry.this.log.debug("User " + user.getName() + " does not exist in " + authenticationBackend.getType());
                    return null;
                }
            });
        } catch (Exception e) {
            if (!this.log.isDebugEnabled()) {
                return null;
            }
            this.log.debug("Can not check and authorize " + user.getName() + " due to " + e.toString(), e);
            return null;
        }
    }

    /**
     * Adds backend roles to {@code user}.
     *
     * <p>On a role-cache hit the cached set is added and no backend is asked. On a miss
     * every authorization backend is queried with name-only credentials (no secret); a
     * backend that throws is logged at ERROR and skipped, and the roles gathered so far —
     * possibly a partial set — are then cached for {@code ttlInMin}. NOTE(review): a
     * transient authorizer failure therefore pins a reduced role set until the TTL or an
     * invalidateCache(); fail-closed, but worth knowing when debugging missing permissions.
     * Cache lookups key on {@code User}; correctness depends on User.equals/hashCode,
     * which are not visible here.
     *
     * @param user  user to enrich; null is a no-op
     * @param cache role cache, may be null (then nothing is cached)
     * @param set   authorization backends; null/empty means no lookup
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void authz(User user, Cache<User, Set<String>> cache, Set<AuthorizationBackend> set) {
        Set set2;
        if (user == null) {
            return;
        }
        if (cache != null && (set2 = (Set) cache.getIfPresent(user)) != null) {
            user.addRoles(new HashSet(set2));
            return;
        }
        if (set == null || set.isEmpty()) {
            return;
        }
        for (AuthorizationBackend authorizationBackend : set) {
            try {
                if (this.log.isTraceEnabled()) {
                    this.log.trace("Backend roles for " + user.getName() + " not cached, return from " + authorizationBackend.getType() + " backend directly");
                }
                authorizationBackend.fillRoles(user, new AuthCredentials(user.getName(), new String[0]));
            } catch (Exception e) {
                // Logged and skipped; the loop continues with the next backend.
                this.log.error("Cannot retrieve roles for {} from {} due to {}", user, authorizationBackend.getType(), e.toString(), e);
            }
        }
        if (cache != null) {
            // Caches whatever roles the user has now, including a partial set after a failure above.
            cache.put(user, new HashSet(user.getRoles()));
        }
    }

    /**
     * Authenticates credentials against one backend and fills roles, through the caches.
     *
     * <p>Secrets are cleared on every exit path (success, exception, and the rethrow
     * branch). The {@link NoOpAuthenticationBackend} with no authorizers bypasses the
     * cache entirely. Any exception from the backend or loader (including Guava's
     * rejection of a null loader result) is logged at DEBUG and yields null.
     *
     * @param cache                 credential → user cache
     * @param cache2                decompiler name — the role cache handed to authz()
     * @param authCredentials       credentials to verify; null yields null
     * @param authenticationBackend backend to verify against on cache miss
     * @param set                   authorization backends used to fill roles
     * @return the authenticated user with roles, or null
     */
    private User authcz(Cache<AuthCredentials, User> cache, final Cache<User, Set<String>> cache2, final AuthCredentials authCredentials, final AuthenticationBackend authenticationBackend, final Set<AuthorizationBackend> set) {
        try {
            if (authCredentials == null) {
                return null;
            }
            try {
                if (authenticationBackend.getClass() == NoOpAuthenticationBackend.class && set.isEmpty()) {
                    User authenticate = authenticationBackend.authenticate(authCredentials);
                    authCredentials.clearSecrets();
                    return authenticate;
                }
                // Cache key is the AuthCredentials object; what equality covers (username only,
                // or username + secret) is defined in AuthCredentials, not visible here.
                User user = (User) cache.get(authCredentials, new Callable<User>() { // from class: com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.9
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public User call() throws Exception {
                        if (BackendRegistry.this.log.isTraceEnabled()) {
                            BackendRegistry.this.log.trace("Credentials for user " + authCredentials.getUsername() + " not cached, return from " + authenticationBackend.getType() + " backend directly");
                        }
                        User authenticate2 = authenticationBackend.authenticate(authCredentials);
                        BackendRegistry.this.authz(authenticate2, cache2, set);
                        return authenticate2;
                    }
                });
                authCredentials.clearSecrets();
                return user;
            } catch (Exception e) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Can not authenticate " + authCredentials.getUsername() + " due to " + e.toString(), e);
                }
                authCredentials.clearSecrets();
                return null;
            }
        } catch (Throwable th) {
            // Decompiled finally: secrets are wiped even on Error / unexpected Throwable.
            authCredentials.clearSecrets();
            throw th;
        }
    }

    /**
     * Resolves the transport impersonation header ({@code opendistro_security_impersonate_as},
     * read from the thread context) for a certificate-authenticated caller.
     *
     * <p>Refusals: not initialized; no caller; target matches an admin DN; caller DN not
     * permitted to impersonate the target (AdminDNs rules, caller parsed as an LDAP DN);
     * target unknown to every transport backend. The target must exist in at least one
     * backend (existence only — no credential is checked for the target).
     *
     * @param transportRequest the request (unused beyond the signature here)
     * @param user             the caller (certificate principal)
     * @return the impersonated user with roles, or null when no header is present
     * @throws ElasticsearchSecurityException on every refusal (FORBIDDEN for an unknown target)
     */
    private User impersonate(TransportRequest transportRequest, User user) throws ElasticsearchSecurityException {
        String header = this.threadPool.getThreadContext().getHeader("opendistro_security_impersonate_as");
        if (Strings.isNullOrEmpty(header)) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Open Distro Security is not yet initialized", new Object[0]);
        }
        if (user == null) {
            throw new ElasticsearchSecurityException("no original PKI user found", new Object[0]);
        }
        // Nobody may impersonate an admin, regardless of the allow-list.
        if (this.adminDns.isAdminDN(header)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as an adminuser  '" + header + "'", new Object[0]);
        }
        // Always true here (header was checked non-empty above); redundant branch kept by the decompiler.
        if (header != null) {
            try {
                if (!this.adminDns.isTransportImpersonationAllowed(new LdapName(user.getName()), header)) {
                    throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + header + "'", new Object[0]);
                }
            } catch (InvalidNameException e) {
                // The caller's name is expected to be a certificate DN; anything else is refused.
                throw new ElasticsearchSecurityException("PKI does not have a valid name ('" + user.getName() + "'), should never happen", e, new Object[0]);
            }
        }
        // Unreachable for the same reason; kept byte-for-byte from the decompilation.
        if (header == null) {
            return user;
        }
        Iterator<AuthDomain> it = this.transportAuthDomains.iterator();
        while (it.hasNext()) {
            AuthenticationBackend backend = it.next().getBackend();
            User checkExistsAndAuthz = checkExistsAndAuthz(this.transportImpersonationCache, new User(header), backend, this.transportAuthorizers);
            if (checkExistsAndAuthz != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Impersonate transport user from '{}' to '{}'", user.getName(), header);
                }
                return checkExistsAndAuthz;
            }
            this.log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), header, backend.getType());
        }
        this.log.debug("Unable to impersonate transport user from '{}' to '{}' because the impersonated user does not exists", user.getName(), header);
        throw new ElasticsearchSecurityException("No such transport user: " + header, RestStatus.FORBIDDEN, new Object[0]);
    }

    /**
     * REST counterpart of impersonation; the header is read from the HTTP request.
     *
     * <p>Same refusals as the transport variant (admin target, allow-list via
     * {@code isRestImpersonationAllowed(callerName, target)}, unknown target), all as
     * FORBIDDEN except the not-initialized case. The requested tenant of the caller is
     * carried over to the impersonated user.
     *
     * @param restRequest the HTTP request carrying the {@code opendistro_security_impersonate_as} header
     * @param user        the already authenticated caller
     * @return the impersonated user with roles, or null when no header or no caller
     * @throws ElasticsearchSecurityException on refusal
     */
    private User impersonate(RestRequest restRequest, User user) throws ElasticsearchSecurityException {
        String header = restRequest.header("opendistro_security_impersonate_as");
        if (Strings.isNullOrEmpty(header) || user == null) {
            return null;
        }
        if (!isInitialized()) {
            throw new ElasticsearchSecurityException("Could not check for impersonation because Open Distro Security is not yet initialized", new Object[0]);
        }
        if (this.adminDns.isAdminDN(header)) {
            throw new ElasticsearchSecurityException("It is not allowed to impersonate as an adminuser  '" + header + "'", RestStatus.FORBIDDEN, new Object[0]);
        }
        if (!this.adminDns.isRestImpersonationAllowed(user.getName(), header)) {
            throw new ElasticsearchSecurityException("'" + user.getName() + "' is not allowed to impersonate as '" + header + "'", RestStatus.FORBIDDEN, new Object[0]);
        }
        Iterator<AuthDomain> it = this.restAuthDomains.iterator();
        while (it.hasNext()) {
            AuthenticationBackend backend = it.next().getBackend();
            // Existence check only; the target's credentials are never verified.
            User checkExistsAndAuthz = checkExistsAndAuthz(this.restImpersonationCache, new User(header), backend, this.restAuthorizers);
            if (checkExistsAndAuthz != null) {
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Impersonate rest user from '{}' to '{}'", user.toStringWithAttributes(), checkExistsAndAuthz.toStringWithAttributes());
                }
                checkExistsAndAuthz.setRequestedTenant(user.getRequestedTenant());
                return checkExistsAndAuthz;
            }
            this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists in {}, try next ...", user.getName(), header, backend.getType());
        }
        this.log.debug("Unable to impersonate rest user from '{}' to '{}' because the impersonated user does not exists", user.getName(), header);
        throw new ElasticsearchSecurityException("No such user:" + header, RestStatus.FORBIDDEN, new Object[0]);
    }

    /**
     * Maps a certificate DN to a short user name: the value of the first RDN whose type
     * equals {@code transportUsernameAttribute}.
     *
     * <p>The comparison is a case-sensitive {@code String.equals}, so the configured
     * attribute must match the RDN type's spelling exactly. If the attribute is unset,
     * no RDN matches, or the name is not a valid DN (the InvalidNameException is
     * swallowed), the user is returned unchanged — i.e. the full DN stays the user name.
     *
     * @param user user whose name is a DN
     * @return a new User named after the attribute value, or {@code user} itself
     */
    private User resolveTransportUsernameAttribute(User user) {
        if (this.transportUsernameAttribute != null && !this.transportUsernameAttribute.isEmpty()) {
            try {
                for (Rdn rdn : new LdapName(user.getName()).getRdns()) {
                    if (rdn.getType().equals(this.transportUsernameAttribute)) {
                        return new User((String) rdn.getValue());
                    }
                }
            } catch (InvalidNameException e) {
                // Deliberately ignored: a non-DN name falls through to the unchanged user.
            }
        }
        return user;
    }

    /**
     * True if any IP block registry currently blocks {@code inetAddress}.
     * A missing or empty registry list never blocks (including before the first config load).
     */
    private boolean isBlocked(InetAddress inetAddress) {
        if (this.ipClientBlockRegistries == null || this.ipClientBlockRegistries.isEmpty()) {
            return false;
        }
        Iterator<ClientBlockRegistry<InetAddress>> it = this.ipClientBlockRegistries.iterator();
        while (it.hasNext()) {
            if (it.next().isBlocked(inetAddress)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True if any block registry registered for a backend blocks the given client id.
     * Not called from the visible code; presumably used by the undecompiled REST path.
     *
     * @param str  decompiler name — key into the per-backend registry multimap (by analogy
     *             with the failure-listener map, likely the backend class name; verify)
     * @param str2 decompiler name — the client identifier (e.g. user name) to test
     */
    private boolean isBlocked(String str, String str2) {
        if (this.authBackendClientBlockRegistries == null) {
            return false;
        }
        // Guava Multimap.get() returns an empty collection, never null, for an absent key.
        Collection collection = this.authBackendClientBlockRegistries.get(str);
        if (collection.isEmpty()) {
            return false;
        }
        Iterator it = collection.iterator();
        while (it.hasNext()) {
            if (((ClientBlockRegistry) it.next()).isBlocked(str2)) {
                return true;
            }
        }
        return false;
    }
}
