package org.elasticsearch.shield.authc.pki;

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.ShieldSettingsFilter;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.authc.AuthenticationToken;
import org.elasticsearch.shield.authc.Realm;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.shield.authc.support.DnRoleMapper;
import org.elasticsearch.shield.transport.SSLClientAuth;
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.watcher.ResourceWatcherService;

/* loaded from: input_file:lib/shield.jar:org/elasticsearch/shield/authc/pki/PkiRealm.class */
public class PkiRealm extends Realm<X509AuthenticationToken> {
    public static final String PKI_CERT_HEADER_NAME = "__SHIELD_CLIENT_CERTIFICATE";
    public static final String TYPE = "pki";
    public static final String DEFAULT_USERNAME_PATTERN = "CN=(.*?)(?:,|$)";
    public static final String AUTH_TYPE = "UNKNOWN";
    private final X509TrustManager[] trustManagers;
    private final Pattern principalPattern;
    private final DnRoleMapper roleMapper;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:lib/shield.jar:org/elasticsearch/shield/authc/pki/PkiRealm$Factory.class */
    public static class Factory extends Realm.Factory<PkiRealm> {
        private final ResourceWatcherService watcherService;

        @Inject
        public Factory(ResourceWatcherService resourceWatcherService) {
            super(PkiRealm.TYPE, false);
            this.watcherService = resourceWatcherService;
        }

        @Override // org.elasticsearch.shield.authc.Realm.Factory
        public void filterOutSensitiveSettings(String str, ShieldSettingsFilter shieldSettingsFilter) {
            PkiRealm.filterOutSensitiveSettings(str, shieldSettingsFilter);
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.elasticsearch.shield.authc.Realm.Factory
        public PkiRealm create(RealmConfig realmConfig) {
            return new PkiRealm(realmConfig, new DnRoleMapper(PkiRealm.TYPE, realmConfig, this.watcherService, null));
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.elasticsearch.shield.authc.Realm.Factory
        public PkiRealm createDefault(String str) {
            return null;
        }
    }

    public PkiRealm(RealmConfig realmConfig, DnRoleMapper dnRoleMapper) {
        super(TYPE, realmConfig);
        this.trustManagers = trustManagers(realmConfig.settings(), realmConfig.env());
        this.principalPattern = Pattern.compile(realmConfig.settings().get("username_pattern", DEFAULT_USERNAME_PATTERN), 2);
        this.roleMapper = dnRoleMapper;
        checkSSLEnabled(realmConfig, this.logger);
    }

    @Override // org.elasticsearch.shield.authc.Realm
    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof X509AuthenticationToken;
    }

    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.elasticsearch.shield.authc.Realm
    public X509AuthenticationToken token(RestRequest restRequest) {
        return token(restRequest.getFromContext(PKI_CERT_HEADER_NAME), this.principalPattern, this.logger);
    }

    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.elasticsearch.shield.authc.Realm
    public X509AuthenticationToken token(TransportMessage<?> transportMessage) {
        return token(transportMessage.getFromContext(PKI_CERT_HEADER_NAME), this.principalPattern, this.logger);
    }

    @Override // org.elasticsearch.shield.authc.Realm
    public User authenticate(X509AuthenticationToken x509AuthenticationToken) {
        if (!isCertificateChainTrusted(this.trustManagers, x509AuthenticationToken, this.logger)) {
            return null;
        }
        Set<String> resolveRoles = this.roleMapper.resolveRoles(x509AuthenticationToken.dn(), Collections.emptyList());
        return new User.Simple(x509AuthenticationToken.principal(), (String[]) resolveRoles.toArray(new String[resolveRoles.size()]));
    }

    @Override // org.elasticsearch.shield.authc.Realm
    public User lookupUser(String str) {
        return null;
    }

    @Override // org.elasticsearch.shield.authc.Realm
    public boolean userLookupSupported() {
        return false;
    }

    static X509AuthenticationToken token(Object obj, Pattern pattern, ESLogger eSLogger) {
        if (obj == null) {
            return null;
        }
        if (!$assertionsDisabled && !(obj instanceof X509Certificate[])) {
            throw new AssertionError();
        }
        X509Certificate[] x509CertificateArr = (X509Certificate[]) obj;
        if (x509CertificateArr.length == 0) {
            return null;
        }
        String x500Principal = x509CertificateArr[0].getSubjectX500Principal().toString();
        Matcher matcher = pattern.matcher(x500Principal);
        if (!matcher.find()) {
            if (!eSLogger.isDebugEnabled()) {
                return null;
            }
            eSLogger.debug("certificate authentication succeeded for [{}] but could not extract principal from DN", new Object[]{x500Principal});
            return null;
        }
        String group = matcher.group(1);
        if (!Strings.isNullOrEmpty(group)) {
            return new X509AuthenticationToken(x509CertificateArr, group, x500Principal);
        }
        if (!eSLogger.isDebugEnabled()) {
            return null;
        }
        eSLogger.debug("certificate authentication succeeded for [{}] but extracted principal was empty", new Object[]{x500Principal});
        return null;
    }

    static boolean isCertificateChainTrusted(X509TrustManager[] x509TrustManagerArr, X509AuthenticationToken x509AuthenticationToken, ESLogger eSLogger) {
        if (x509TrustManagerArr.length <= 0) {
            return true;
        }
        boolean z = false;
        for (X509TrustManager x509TrustManager : x509TrustManagerArr) {
            try {
                x509TrustManager.checkClientTrusted(x509AuthenticationToken.credentials(), AUTH_TYPE);
                z = true;
                break;
            } catch (CertificateException e) {
                if (eSLogger.isTraceEnabled()) {
                    eSLogger.trace("failed certificate validation for principal [{}]", e, new Object[]{x509AuthenticationToken.principal()});
                } else if (eSLogger.isDebugEnabled()) {
                    eSLogger.debug("failed certificate validation for principal [{}]", new Object[]{x509AuthenticationToken.principal()});
                }
            }
        }
        return z;
    }

    static X509TrustManager[] trustManagers(Settings settings, Environment environment) {
        String str = settings.get("truststore.path");
        if (str == null) {
            return new X509TrustManager[0];
        }
        String str2 = settings.get("truststore.password");
        if (str2 == null) {
            throw new IllegalArgumentException("no truststore password configured");
        }
        String str3 = settings.get("truststore.algorithm", System.getProperty("ssl.TrustManagerFactory.algorithm", TrustManagerFactory.getDefaultAlgorithm()));
        try {
            InputStream newInputStream = Files.newInputStream(environment.binFile().getParent().resolve(str), new OpenOption[0]);
            Throwable th = null;
            try {
                try {
                    KeyStore keyStore = KeyStore.getInstance("jks");
                    keyStore.load(newInputStream, str2.toCharArray());
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(str3);
                    trustManagerFactory.init(keyStore);
                    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
                    if (newInputStream != null) {
                        if (0 != 0) {
                            try {
                                newInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newInputStream.close();
                        }
                    }
                    ArrayList arrayList = new ArrayList();
                    for (TrustManager trustManager : trustManagers) {
                        if (trustManager instanceof X509TrustManager) {
                            arrayList.add((X509TrustManager) trustManager);
                        }
                    }
                    if (arrayList.isEmpty()) {
                        throw new IllegalArgumentException("no valid certificates found in truststore");
                    }
                    return (X509TrustManager[]) arrayList.toArray(new X509TrustManager[arrayList.size()]);
                } finally {
                }
            } finally {
            }
        } catch (Exception e) {
            throw new IllegalArgumentException("failed to load specified truststore", e);
        }
    }

    static void filterOutSensitiveSettings(String str, ShieldSettingsFilter shieldSettingsFilter) {
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + ".truststore.password");
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + ".truststore.path");
        shieldSettingsFilter.filterOut("shield.authc.realms." + str + ".truststore.algorithm");
    }

    static void checkSSLEnabled(RealmConfig realmConfig, ESLogger eSLogger) {
        Settings globalSettings = realmConfig.globalSettings();
        if (globalSettings.getAsBoolean(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, false).booleanValue() && SSLClientAuth.parse(globalSettings.get(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING), ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_DEFAULT).enabled()) {
            return;
        }
        boolean booleanValue = globalSettings.getAsBoolean(ShieldNettyTransport.TRANSPORT_SSL_SETTING, false).booleanValue();
        SSLClientAuth parse = SSLClientAuth.parse(globalSettings.get(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING), ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_DEFAULT);
        if (booleanValue && parse.enabled()) {
            return;
        }
        Iterator it = globalSettings.getGroups("transport.profiles.").entrySet().iterator();
        while (it.hasNext()) {
            Settings byPrefix = ((Settings) ((Map.Entry) it.next()).getValue()).getByPrefix("shield.filter.");
            if (byPrefix.getAsBoolean(ShieldNettyTransport.TRANSPORT_PROFILE_SSL_SETTING, Boolean.valueOf(booleanValue)).booleanValue() && SSLClientAuth.parse(byPrefix.get(ShieldNettyTransport.TRANSPORT_CLIENT_AUTH_SETTING), parse).enabled()) {
                return;
            }
        }
        eSLogger.error("PKI realm [{}] is enabled but cannot be used as neither HTTP or Transport have both SSL and client authentication enabled", new Object[]{realmConfig.name()});
    }

    @Override // org.elasticsearch.shield.authc.Realm
    public /* bridge */ /* synthetic */ X509AuthenticationToken token(TransportMessage transportMessage) {
        return token((TransportMessage<?>) transportMessage);
    }

    static {
        $assertionsDisabled = !PkiRealm.class.desiredAssertionStatus();
    }
}
