package org.elasticsearch.xpack.security.authc.esnative;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.License;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm;
import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.SecuredString;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.AnonymousUser;
import org.elasticsearch.xpack.security.user.ElasticUser;
import org.elasticsearch.xpack.security.user.KibanaUser;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.class */
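/**
 * Realm that authenticates and looks up the built-in reserved users
 * ({@link ElasticUser}, {@link KibanaUser}) and resolves the anonymous user.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When the security index does not exist, or holds no entry for the requested
 *       reserved user, credentials are checked against {@link #DEFAULT_PASSWORD_HASH},
 *       the bcrypt hash of a fixed, publicly known default password, and the user is
 *       treated as enabled.</li>
 *   <li>Every failure to obtain user info (store not started, lookup error) makes
 *       authentication fail closed with an authentication error.</li>
 *   <li>The realm does nothing for authentication when
 *       {@code XPackSettings.RESERVED_REALM_ENABLED_SETTING} is false.</li>
 * </ul>
 *
 * <p>NOTE(review): because of the default-hash fallback, a deployment that has not stored
 * its own passwords for the reserved users accepts the default credential. Operators should
 * set those passwords (or disable this realm) before the node is reachable, and monitoring
 * should treat a missing security index on a configured cluster as a security event, since
 * the fallback applies whenever the index does not exist.
 */
public class ReservedRealm extends CachingUsernamePasswordRealm {
    public static final String TYPE = "reserved";

    /**
     * Bcrypt hash of the default reserved-user password. The array is shared by every
     * default {@code ReservedUserInfo}, so it must never be zeroed; callers tell it apart
     * from per-request hashes by reference identity.
     */
    static final char[] DEFAULT_PASSWORD_HASH = Hasher.BCRYPT.hash(new SecuredString("changeme".toCharArray()));

    /** Fallback info (default hash, enabled) used when no stored entry is available. */
    private static final NativeUsersStore.ReservedUserInfo DEFAULT_USER_INFO =
            new NativeUsersStore.ReservedUserInfo(DEFAULT_PASSWORD_HASH, true);

    private final NativeUsersStore nativeUsersStore;
    private final AnonymousUser anonymousUser;
    private final boolean anonymousEnabled;
    private final boolean enabled;

    /**
     * Creates the realm.
     *
     * @param environment      node environment handed to the realm configuration
     * @param settings         global settings; read for the reserved-realm and anonymous switches
     * @param nativeUsersStore store holding the reserved users' password hashes and enabled flags
     * @param anonymousUser    the anonymous user instance returned by lookups
     */
    public ReservedRealm(Environment environment, Settings settings, NativeUsersStore nativeUsersStore, AnonymousUser anonymousUser) {
        super(TYPE, new RealmConfig(TYPE, Settings.EMPTY, settings, environment));
        this.nativeUsersStore = nativeUsersStore;
        this.enabled = ((Boolean) XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings)).booleanValue();
        this.anonymousUser = anonymousUser;
        this.anonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);
    }

    /**
     * Authenticates a reserved user from a username/password token.
     *
     * @param usernamePasswordToken the presented credentials
     * @return the authenticated user, or {@code null} when the realm is disabled or the
     *         principal is not a reserved name (so other realms can be tried)
     * @throws RuntimeException an authentication error (built by
     *         {@code Exceptions.authenticationError}) when the principal is reserved but
     *         the user info is unavailable or the password does not verify
     */
    @Override
    protected User doAuthenticate(UsernamePasswordToken usernamePasswordToken) {
        if (!this.enabled || !isReserved(usernamePasswordToken.principal(), this.config.globalSettings())) {
            return null;
        }
        NativeUsersStore.ReservedUserInfo userInfo = getUserInfo(usernamePasswordToken.principal());
        if (userInfo != null) {
            try {
                if (Hasher.BCRYPT.verify(usernamePasswordToken.credentials(), userInfo.passwordHash)) {
                    return getUser(usernamePasswordToken.principal(), userInfo);
                }
            } finally {
                // Wipe the fetched hash on every path (success, mismatch, exception) so it
                // does not linger on the heap. The identity check is deliberate: the shared
                // default hash must survive for later requests.
                if (userInfo.passwordHash != DEFAULT_PASSWORD_HASH) {
                    Arrays.fill(userInfo.passwordHash, (char) 0);
                }
            }
        }
        // Fail closed: a reserved principal never falls through to another realm.
        throw Exceptions.authenticationError("failed to authenticate user [{}]", usernamePasswordToken.principal());
    }

    /**
     * Looks up a reserved or anonymous user by name without checking credentials.
     *
     * @param str the username to look up
     * @return the matching user, or {@code null} when the name is not handled by this realm
     *         or names the anonymous user while anonymous access is disabled
     * @throws RuntimeException an authentication error when the name is reserved but its
     *         user info cannot be obtained
     */
    @Override
    protected User doLookupUser(String str) {
        final boolean anonymousName = AnonymousUser.isAnonymousUsername(str, this.config.globalSettings());
        if (!this.enabled) {
            // A disabled realm still resolves the anonymous user when anonymous access is on.
            return this.anonymousEnabled && anonymousName ? this.anonymousUser : null;
        }
        if (!isReserved(str, this.config.globalSettings())) {
            return null;
        }
        if (anonymousName) {
            return this.anonymousEnabled ? this.anonymousUser : null;
        }
        NativeUsersStore.ReservedUserInfo userInfo = getUserInfo(str);
        if (userInfo != null) {
            return getUser(str, userInfo);
        }
        throw Exceptions.authenticationError("failed to lookup user [{}]", str);
    }

    /** {@inheritDoc} This realm always supports user lookup. */
    @Override
    public boolean userLookupSupported() {
        return true;
    }

    /**
     * Tells whether a username is reserved under the given settings.
     *
     * @param str      the username; must not be {@code null}
     * @param settings settings consulted for the reserved-realm switch and the anonymous username
     * @return for {@code ElasticUser.NAME} and {@code "kibana"}, the value of the
     *         reserved-realm-enabled setting; otherwise whether the name is the anonymous username
     */
    public static boolean isReserved(String str, Settings settings) {
        assert str != null;
        if (str.equals(ElasticUser.NAME) || str.equals("kibana")) {
            return ((Boolean) XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings)).booleanValue();
        }
        return AnonymousUser.isAnonymousUsername(str, settings);
    }

    /**
     * Builds the user object for a reserved name.
     *
     * @param str              the username; must not be {@code null}
     * @param reservedUserInfo info whose {@code enabled} flag is copied onto the built-in user
     * @return an {@link ElasticUser} or {@link KibanaUser} for the built-in names, the
     *         anonymous user when anonymous access is enabled and the name matches its
     *         principal, otherwise {@code null}
     */
    private User getUser(String str, NativeUsersStore.ReservedUserInfo reservedUserInfo) {
        assert str != null;
        if (str.equals(ElasticUser.NAME)) {
            return new ElasticUser(reservedUserInfo.enabled);
        }
        if (str.equals("kibana")) {
            return new KibanaUser(reservedUserInfo.enabled);
        }
        if (this.anonymousEnabled && this.anonymousUser.principal().equals(str)) {
            return this.anonymousUser;
        }
        return null;
    }

    /**
     * Reports the users served by this realm to the listener.
     *
     * <p>When the store is started and the realm is enabled, the built-in users are listed
     * with the enabled flag from the store; a user without a stored entry is reported as
     * enabled. If the store lookup fails, the error is logged and only the anonymous user
     * (when enabled) is reported.
     *
     * @param actionListener receives the collection of users; {@code onResponse} is used on
     *                       every path, including store failure
     */
    public void users(ActionListener<Collection<User>> actionListener) {
        if (this.nativeUsersStore.started() && this.enabled) {
            this.nativeUsersStore.getAllReservedUserInfo(ActionListener.wrap(map -> {
                Collection<User> reservedUsers = new ArrayList<>(3);
                NativeUsersStore.ReservedUserInfo elasticInfo = (NativeUsersStore.ReservedUserInfo) map.get(ElasticUser.NAME);
                reservedUsers.add(new ElasticUser(elasticInfo == null || elasticInfo.enabled));
                NativeUsersStore.ReservedUserInfo kibanaInfo = (NativeUsersStore.ReservedUserInfo) map.get("kibana");
                reservedUsers.add(new KibanaUser(kibanaInfo == null || kibanaInfo.enabled));
                if (this.anonymousEnabled) {
                    reservedUsers.add(this.anonymousUser);
                }
                actionListener.onResponse(reservedUsers);
            }, exc -> {
                this.logger.error("failed to retrieve reserved users", exc);
                actionListener.onResponse(anonymousOnly());
            }));
        } else {
            actionListener.onResponse(anonymousOnly());
        }
    }

    /** Returns a list holding only the anonymous user when it is enabled, else an empty list. */
    private Collection<User> anonymousOnly() {
        return this.anonymousEnabled ? Collections.singletonList(this.anonymousUser) : Collections.emptyList();
    }

    /**
     * Fetches the stored info for a reserved user.
     *
     * @param str the reserved username
     * @return {@code null} when the store is not started or the lookup throws (callers then
     *         fail closed); {@link #DEFAULT_USER_INFO} when the security index does not exist
     *         or has no entry for the user; otherwise the stored info
     */
    private NativeUsersStore.ReservedUserInfo getUserInfo(String str) {
        if (!this.nativeUsersStore.started()) {
            return null;
        }
        if (!this.nativeUsersStore.securityIndexExists()) {
            // NOTE(review): default credential applies here; see the class-level note.
            return DEFAULT_USER_INFO;
        }
        try {
            NativeUsersStore.ReservedUserInfo reservedUserInfo = this.nativeUsersStore.getReservedUserInfo(str);
            return reservedUserInfo == null ? DEFAULT_USER_INFO : reservedUserInfo;
        } catch (Exception e) {
            // Broad catch is intentional: any store failure is logged and turned into
            // "no info", which the callers convert into an authentication error.
            this.logger.error(() -> new ParameterizedMessage("failed to retrieve password hash for reserved user [{}]", str), e);
            return null;
        }
    }
}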
