package org.elasticsearch.xpack.security.authc.pki;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.watcher.ResourceWatcherService;
import org.elasticsearch.xpack.security.authc.AuthenticationToken;
import org.elasticsearch.xpack.security.authc.Realm;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.CompositeRoleMapper;
import org.elasticsearch.xpack.security.authc.support.mapper.NativeRoleMappingStore;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.ssl.CertUtils;
import org.elasticsearch.xpack.ssl.SSLConfigurationSettings;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/pki/PkiRealm.class */
public class PkiRealm extends Realm {
    public static final String PKI_CERT_HEADER_NAME = "__SECURITY_CLIENT_CERTIFICATE";
    public static final String TYPE = "pki";
    static final String DEFAULT_USERNAME_PATTERN = "CN=(.*?)(?:,|$)";
    private static final Setting<Pattern> USERNAME_PATTERN_SETTING;
    private static final SSLConfigurationSettings SSL_SETTINGS;
    private static final String AUTH_TYPE = "UNKNOWN";
    private final X509TrustManager trustManager;
    private final Pattern principalPattern;
    private final UserRoleMapper roleMapper;
    static final /* synthetic */ boolean $assertionsDisabled;

    public PkiRealm(RealmConfig realmConfig, ResourceWatcherService resourceWatcherService, NativeRoleMappingStore nativeRoleMappingStore) {
        this(realmConfig, new CompositeRoleMapper(TYPE, realmConfig, resourceWatcherService, nativeRoleMappingStore));
    }

    PkiRealm(RealmConfig realmConfig, UserRoleMapper userRoleMapper) {
        super(TYPE, realmConfig);
        this.trustManager = trustManagers(realmConfig);
        this.principalPattern = (Pattern) USERNAME_PATTERN_SETTING.get(realmConfig.settings());
        this.roleMapper = userRoleMapper;
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public boolean supports(AuthenticationToken authenticationToken) {
        return authenticationToken instanceof X509AuthenticationToken;
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public X509AuthenticationToken token(ThreadContext threadContext) {
        return token(threadContext.getTransient(PKI_CERT_HEADER_NAME), this.principalPattern, this.logger);
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public User authenticate(AuthenticationToken authenticationToken) {
        throw new UnsupportedOperationException("internal realms do not support blocking calls");
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public void authenticate(AuthenticationToken authenticationToken, ActionListener<User> actionListener) {
        X509AuthenticationToken x509AuthenticationToken = (X509AuthenticationToken) authenticationToken;
        if (!isCertificateChainTrusted(this.trustManager, x509AuthenticationToken, this.logger)) {
            actionListener.onResponse((Object) null);
            return;
        }
        Map singletonMap = Collections.singletonMap("pki_dn", x509AuthenticationToken.dn());
        UserRoleMapper.UserData userData = new UserRoleMapper.UserData(x509AuthenticationToken.principal(), x509AuthenticationToken.dn(), Collections.emptySet(), singletonMap, this.config);
        UserRoleMapper userRoleMapper = this.roleMapper;
        CheckedConsumer checkedConsumer = set -> {
            actionListener.onResponse(new User(x509AuthenticationToken.principal(), (String[]) set.toArray(new String[set.size()]), null, null, singletonMap, true));
        };
        actionListener.getClass();
        userRoleMapper.resolveRoles(userData, ActionListener.wrap(checkedConsumer, actionListener::onFailure));
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public User lookupUser(String str) {
        return null;
    }

    @Override // org.elasticsearch.xpack.security.authc.Realm
    public boolean userLookupSupported() {
        return false;
    }

    static X509AuthenticationToken token(Object obj, Pattern pattern, Logger logger) {
        if (obj == null) {
            return null;
        }
        if (!$assertionsDisabled && !(obj instanceof X509Certificate[])) {
            throw new AssertionError();
        }
        X509Certificate[] x509CertificateArr = (X509Certificate[]) obj;
        if (x509CertificateArr.length == 0) {
            return null;
        }
        String x500Principal = x509CertificateArr[0].getSubjectX500Principal().toString();
        Matcher matcher = pattern.matcher(x500Principal);
        if (!matcher.find()) {
            if (!logger.isDebugEnabled()) {
                return null;
            }
            logger.debug("certificate authentication succeeded for [{}] but could not extract principal from DN", x500Principal);
            return null;
        }
        String group = matcher.group(1);
        if (!Strings.isNullOrEmpty(group)) {
            return new X509AuthenticationToken(x509CertificateArr, group, x500Principal);
        }
        if (!logger.isDebugEnabled()) {
            return null;
        }
        logger.debug("certificate authentication succeeded for [{}] but extracted principal was empty", x500Principal);
        return null;
    }

    static boolean isCertificateChainTrusted(X509TrustManager x509TrustManager, X509AuthenticationToken x509AuthenticationToken, Logger logger) {
        if (x509TrustManager == null) {
            return true;
        }
        try {
            x509TrustManager.checkClientTrusted(x509AuthenticationToken.credentials(), AUTH_TYPE);
            return true;
        } catch (CertificateException e) {
            if (logger.isTraceEnabled()) {
                logger.trace(() -> {
                    return new ParameterizedMessage("failed certificate validation for principal [{}]", x509AuthenticationToken.principal());
                }, e);
                return false;
            }
            if (!logger.isDebugEnabled()) {
                return false;
            }
            logger.debug("failed certificate validation for principal [{}]", x509AuthenticationToken.principal());
            return false;
        }
    }

    static X509TrustManager trustManagers(RealmConfig realmConfig) {
        Settings settings = realmConfig.settings();
        Environment env = realmConfig.env();
        String[] asArray = settings.getAsArray(SSL_SETTINGS.caPaths.getKey(), (String[]) null);
        String str = (String) ((Optional) SSL_SETTINGS.truststorePath.get(settings)).orElse(null);
        if (str == null && asArray == null) {
            return null;
        }
        if (str == null || asArray == null) {
            return str != null ? trustManagersFromTruststore(str, realmConfig) : trustManagersFromCAs(settings, env);
        }
        throw new IllegalArgumentException("[" + RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePath) + "] and [" + RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.caPaths) + "] cannot be used at the same time");
    }

    private static X509TrustManager trustManagersFromTruststore(String str, RealmConfig realmConfig) {
        Settings settings = realmConfig.settings();
        if (!SSL_SETTINGS.truststorePassword.exists(settings)) {
            throw new IllegalArgumentException("[" + RealmSettings.getFullSettingKey(realmConfig, (Setting<?>) SSL_SETTINGS.truststorePassword) + "] is not configured");
        }
        SecureString secureString = (SecureString) SSL_SETTINGS.truststorePassword.get(settings);
        Throwable th = null;
        try {
            try {
                try {
                    X509ExtendedTrustManager trustManager = CertUtils.trustManager(str, secureString.getChars(), (String) SSL_SETTINGS.truststoreAlgorithm.get(settings), realmConfig.env());
                    if (secureString != null) {
                        if (0 != 0) {
                            try {
                                secureString.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            secureString.close();
                        }
                    }
                    return trustManager;
                } catch (Exception e) {
                    throw new IllegalArgumentException("failed to load specified truststore", e);
                }
            } finally {
            }
        } catch (Throwable th3) {
            if (secureString != null) {
                if (th != null) {
                    try {
                        secureString.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    secureString.close();
                }
            }
            throw th3;
        }
    }

    private static X509TrustManager trustManagersFromCAs(Settings settings, Environment environment) {
        String[] asArray = settings.getAsArray(SSL_SETTINGS.caPaths.getKey(), (String[]) null);
        if (!$assertionsDisabled && asArray == null) {
            throw new AssertionError();
        }
        try {
            return CertUtils.trustManager(CertUtils.readCertificates(Arrays.asList(asArray), environment));
        } catch (Exception e) {
            throw new ElasticsearchException("failed to load certificate authorities for PKI realm", e, new Object[0]);
        }
    }

    public static Set<Setting<?>> getSettings() {
        HashSet hashSet = new HashSet();
        hashSet.add(USERNAME_PATTERN_SETTING);
        hashSet.add(SSL_SETTINGS.truststorePath);
        hashSet.add(SSL_SETTINGS.truststorePassword);
        hashSet.add(SSL_SETTINGS.legacyTruststorePassword);
        hashSet.add(SSL_SETTINGS.truststoreAlgorithm);
        hashSet.add(SSL_SETTINGS.caPaths);
        hashSet.addAll(CompositeRoleMapper.getSettings());
        return hashSet;
    }

    static {
        $assertionsDisabled = !PkiRealm.class.desiredAssertionStatus();
        USERNAME_PATTERN_SETTING = new Setting<>("username_pattern", DEFAULT_USERNAME_PATTERN, str -> {
            return Pattern.compile(str, 2);
        }, new Setting.Property[]{Setting.Property.NodeScope});
        SSL_SETTINGS = SSLConfigurationSettings.withoutPrefix();
    }
}
