package org.elasticsearch.xpack.core.security.authc;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.xpack.core.security.support.Exceptions;

/* loaded from: input_file:lib/org.elasticsearch.xpack.core-6.5.0.jar:org/elasticsearch/xpack/core/security/authc/DefaultAuthenticationFailureHandler.class */
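/**
 * Default {@link AuthenticationFailureHandler}: turns every authentication failure into an
 * {@link ElasticsearchSecurityException} and attaches a fixed set of response headers to it.
 *
 * <p>The header set is fixed at construction time. When none is supplied, the only header is a
 * single {@code WWW-Authenticate} Basic challenge for the realm {@code security}.
 *
 * <p>Instances hold only an unmodifiable, privately copied header map.
 */
public class DefaultAuthenticationFailureHandler implements AuthenticationFailureHandler {
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";

    // The trailing space is deliberate: only a Negotiate challenge that carries a value after
    // the scheme name matches, a bare "Negotiate" does not.
    private static final String NEGOTIATE_WITH_VALUE_PREFIX = "Negotiate ";

    private final Map<String, List<String>> defaultFailureResponseHeaders;

    /**
     * Creates a handler that answers with the default Basic challenge only.
     *
     * @deprecated use {@link #DefaultAuthenticationFailureHandler(Map)} and pass the failure
     *     response headers explicitly.
     */
    @Deprecated
    public DefaultAuthenticationFailureHandler() {
        this(null);
    }

    /**
     * Creates a handler that attaches the given headers to every authentication error.
     *
     * <p>Each value list is copied, so later changes to the caller's map or lists cannot alter
     * the headers sent on authentication failures. Values of the {@code WWW-Authenticate} header
     * (key compared case-insensitively) are additionally ordered by scheme priority, see
     * {@link #authSchemePriority(String)}.
     *
     * @param map header name to header values; {@code null} or empty selects the default
     *     {@code WWW-Authenticate: Basic realm="security" charset="UTF-8"} challenge
     * @throws NullPointerException if a key or a value list in {@code map} is {@code null}
     */
    public DefaultAuthenticationFailureHandler(Map<String, List<String>> map) {
        if (map == null || map.isEmpty()) {
            this.defaultFailureResponseHeaders = Collections.singletonMap(
                    WWW_AUTHENTICATE, Collections.singletonList("Basic realm=\"security\" charset=\"UTF-8\""));
        } else {
            // NOTE(review): keys that differ only in case ("WWW-Authenticate" / "www-authenticate")
            // stay separate entries here; confirm callers never supply both.
            this.defaultFailureResponseHeaders = Collections.unmodifiableMap(
                    map.entrySet().stream().collect(Collectors.toMap(
                            Map.Entry::getKey,
                            DefaultAuthenticationFailureHandler::immutableHeaderValues)));
        }
    }

    /**
     * Returns an unmodifiable private copy of one header's values, with
     * {@code WWW-Authenticate} challenges sorted by scheme priority.
     */
    private static List<String> immutableHeaderValues(Map.Entry<String, List<String>> header) {
        // Copy first: wrapping the caller's list directly would leave a live view that the
        // caller could still mutate after construction.
        List<String> values = new ArrayList<>(header.getValue());
        if (header.getKey().equalsIgnoreCase(WWW_AUTHENTICATE)) {
            // List.sort is stable, so challenges of equal priority keep their configured order.
            values.sort((left, right) -> Integer.compare(authSchemePriority(left), authSchemePriority(right)));
        }
        return Collections.unmodifiableList(values);
    }

    /**
     * Ranks a {@code WWW-Authenticate} value by the scheme it starts with (case-insensitive
     * prefix match): negotiate = 0, bearer = 1, basic = 2, anything else = 3. Lower sorts first.
     */
    private static int authSchemePriority(String str) {
        if (str.regionMatches(true, 0, "negotiate", 0, "negotiate".length())) {
            return 0;
        }
        if (str.regionMatches(true, 0, "bearer", 0, "bearer".length())) {
            return 1;
        }
        return str.regionMatches(true, 0, "basic", 0, "basic".length()) ? 2 : 3;
    }

    /**
     * Builds the error for a REST request whose token was rejected.
     *
     * <p>NOTE(review): the principal and the request URI are formatted into the exception
     * message. If {@code uri()} includes the query string, anything sensitive passed there ends
     * up wherever this message is logged or returned; confirm against the callers.
     */
    @Override
    public ElasticsearchSecurityException failedAuthentication(RestRequest restRequest, AuthenticationToken authenticationToken, ThreadContext threadContext) {
        return createAuthenticationError("unable to authenticate user [{}] for REST request [{}]", null, authenticationToken.principal(), restRequest.uri());
    }

    /**
     * Builds the error for a transport message whose token was rejected.
     *
     * @param str the action name, as formatted into the message
     */
    @Override
    public ElasticsearchSecurityException failedAuthentication(TransportMessage transportMessage, AuthenticationToken authenticationToken, String str, ThreadContext threadContext) {
        return createAuthenticationError("unable to authenticate user [{}] for action [{}]", null, authenticationToken.principal(), str);
    }

    /**
     * Builds the error for an exception raised while authenticating a REST request; the
     * exception is passed on as the cause and the message carries no request details.
     */
    @Override
    public ElasticsearchSecurityException exceptionProcessingRequest(RestRequest restRequest, Exception exc, ThreadContext threadContext) {
        return createAuthenticationError("error attempting to authenticate request", exc, (Object[]) null);
    }

    /**
     * Builds the error for an exception raised while authenticating a transport message; the
     * exception is passed on as the cause and the message carries no request details.
     */
    @Override
    public ElasticsearchSecurityException exceptionProcessingRequest(TransportMessage transportMessage, String str, Exception exc, ThreadContext threadContext) {
        return createAuthenticationError("error attempting to authenticate request", exc, (Object[]) null);
    }

    /** Builds the error for a REST request that carried no authentication token. */
    @Override
    public ElasticsearchSecurityException missingToken(RestRequest restRequest, ThreadContext threadContext) {
        return createAuthenticationError("missing authentication token for REST request [{}]", null, restRequest.uri());
    }

    /**
     * Builds the error for a transport message that carried no authentication token.
     *
     * @param str the action name, as formatted into the message
     */
    @Override
    public ElasticsearchSecurityException missingToken(TransportMessage transportMessage, String str, ThreadContext threadContext) {
        return createAuthenticationError("missing authentication token for action [{}]", null, str);
    }

    /**
     * Builds the error for an action that requires authentication.
     *
     * @param str the action name, as formatted into the message
     */
    @Override
    public ElasticsearchSecurityException authenticationRequired(String str, ThreadContext threadContext) {
        return createAuthenticationError("action [{}] requires authentication", null, str);
    }

    /**
     * Produces the exception to return and attaches the configured failure headers to it.
     *
     * <p>If {@code th} already is an {@link ElasticsearchSecurityException} it is reused as-is
     * (the message template and arguments are then ignored); otherwise a new one is created via
     * {@link Exceptions#authenticationError}.
     *
     * @param str message template
     * @param th cause, may be {@code null}
     * @param objArr template arguments, may be {@code null}
     * @return the exception carrying the failure response headers
     */
    private ElasticsearchSecurityException createAuthenticationError(String str, Throwable th, Object... objArr) {
        final ElasticsearchSecurityException error;
        final boolean keepNegotiateChallenge;
        if (th instanceof ElasticsearchSecurityException) {
            error = (ElasticsearchSecurityException) th;
            // NOTE(review): this is only checked when assertions are enabled. With assertions
            // off, a reused exception with any other status is returned unchanged, with the
            // authentication headers attached to it.
            assert error.status() == RestStatus.UNAUTHORIZED : "reused security exception must carry UNAUTHORIZED";
            List<String> challenges = error.getHeader(WWW_AUTHENTICATE);
            // A Negotiate challenge with a value is presumably part of an ongoing negotiation
            // (e.g. a SPNEGO token for the peer), so it must not be overwritten by the defaults.
            keepNegotiateChallenge = challenges != null
                    && challenges.stream().anyMatch(value -> value != null
                            && value.regionMatches(true, 0, NEGOTIATE_WITH_VALUE_PREFIX, 0, NEGOTIATE_WITH_VALUE_PREFIX.length()));
        } else {
            error = Exceptions.authenticationError(str, th, objArr);
            keepNegotiateChallenge = false;
        }
        for (Map.Entry<String, List<String>> header : defaultFailureResponseHeaders.entrySet()) {
            if (keepNegotiateChallenge && header.getKey().equalsIgnoreCase(WWW_AUTHENTICATE)) {
                continue;
            }
            // Presumably replaces a header of the same name already on the exception; verify
            // against addHeader's contract.
            error.addHeader(header.getKey(), header.getValue());
        }
        return error;
    }
}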
