package org.elasticsearch.xpack.security.authc.esnative;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.license.License;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.ml.action.util.PageParams;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.SecurityLifecycleService;
import org.elasticsearch.xpack.security.authc.RealmConfig;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm;
import org.elasticsearch.xpack.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.support.UsernamePasswordToken;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.AnonymousUser;
import org.elasticsearch.xpack.security.user.BeatsSystemUser;
import org.elasticsearch.xpack.security.user.ElasticUser;
import org.elasticsearch.xpack.security.user.KibanaUser;
import org.elasticsearch.xpack.security.user.LogstashSystemUser;
import org.elasticsearch.xpack.security.user.User;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/esnative/ReservedRealm.class */
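/**
 * Realm that authenticates and looks up the built-in ("reserved") users:
 * {@code elastic}, {@code kibana}, {@code logstash_system}, {@code beats_system} and, when
 * anonymous access is configured, the anonymous user.
 *
 * <p>Password hashes for the reserved users live in the security index and are read through
 * {@link NativeUsersStore}. Until a reserved user's password has been set there, the user carries
 * {@link #DEFAULT_PASSWORD_TEXT}; whether that bootstrap password is accepted for authentication
 * is controlled by {@link #ACCEPT_DEFAULT_PASSWORD_SETTING}.
 *
 * <p>Every asynchronous method delivers exactly one callback on the supplied listener.
 */
public class ReservedRealm extends CachingUsernamePasswordRealm {

    public static final String TYPE = "reserved";

    /** Bootstrap password every reserved user has until it is changed in the security index. */
    public static final SecureString DEFAULT_PASSWORD_TEXT = new SecureString("changeme".toCharArray());

    /**
     * bcrypt hash of {@link #DEFAULT_PASSWORD_TEXT}. This single array is shared by
     * {@link #DEFAULT_USER_INFO} and {@link #DISABLED_USER_INFO}, so it must never be zeroed;
     * {@link #doAuthenticate} compares by identity before wiping a hash.
     */
    static final char[] DEFAULT_PASSWORD_HASH = Hasher.BCRYPT.hash(DEFAULT_PASSWORD_TEXT);

    /** User info used when the security index holds no entry for a reserved user: enabled, default password. */
    private static final NativeUsersStore.ReservedUserInfo DEFAULT_USER_INFO =
            new NativeUsersStore.ReservedUserInfo(DEFAULT_PASSWORD_HASH, true, true);

    /** User info used when the security mapping is too old for the user: disabled, default password. */
    private static final NativeUsersStore.ReservedUserInfo DISABLED_USER_INFO =
            new NativeUsersStore.ReservedUserInfo(DEFAULT_PASSWORD_HASH, false, true);

    /**
     * Node-scoped {@code authc.accept_default_password} (default {@code true}). When {@code false},
     * a reserved user that still has the default password cannot authenticate at all, even with the
     * correct (default) credential. Marked {@code Filtered} so it is hidden from settings output.
     */
    public static final Setting<Boolean> ACCEPT_DEFAULT_PASSWORD_SETTING = Setting.boolSetting(
            Security.setting("authc.accept_default_password"), true,
            Setting.Property.NodeScope, Setting.Property.Filtered);

    private final NativeUsersStore nativeUsersStore;
    private final AnonymousUser anonymousUser;
    private final boolean realmEnabled;
    private final boolean anonymousEnabled;
    private final boolean defaultPasswordEnabled;
    private final SecurityLifecycleService securityLifecycleService;

    /**
     * Creates the reserved realm.
     *
     * @param environment              node environment passed to the realm config
     * @param settings                 node settings; read for the reserved-realm, anonymous and
     *                                 default-password options
     * @param nativeUsersStore         store holding reserved-user password hashes and enabled flags
     * @param anonymousUser            the configured anonymous user
     * @param securityLifecycleService used to check security index existence and mapping version
     * @param threadContext            thread context passed to the realm config
     */
    public ReservedRealm(Environment environment, Settings settings, NativeUsersStore nativeUsersStore,
                         AnonymousUser anonymousUser, SecurityLifecycleService securityLifecycleService,
                         ThreadContext threadContext) {
        super(TYPE, new RealmConfig(TYPE, Settings.EMPTY, settings, environment, threadContext));
        this.nativeUsersStore = nativeUsersStore;
        this.realmEnabled = XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings);
        this.anonymousUser = anonymousUser;
        this.anonymousEnabled = AnonymousUser.isAnonymousEnabled(settings);
        this.defaultPasswordEnabled = ACCEPT_DEFAULT_PASSWORD_SETTING.get(settings);
        this.securityLifecycleService = securityLifecycleService;
    }

    /**
     * Authenticates a reserved user.
     *
     * <p>Responds {@code null} (not handled by this realm) when the realm is disabled or the
     * principal is not a reserved name. Otherwise the stored user info is fetched and the password
     * checked with {@link #verifyPassword}; a wrong password, a rejected default password, or a
     * failed hash lookup ({@code null} user info) all result in the same authentication error so the
     * caller cannot distinguish them.
     *
     * @param token    the submitted username/password
     * @param listener receives the {@link User} on success, {@code null} when not applicable, or
     *                 an authentication error
     */
    @Override
    protected void doAuthenticate(UsernamePasswordToken token, ActionListener<User> listener) {
        if (realmEnabled == false) {
            listener.onResponse(null);
            return;
        }
        final String username = token.principal();
        if (isReserved(username, config.globalSettings()) == false) {
            listener.onResponse(null);
            return;
        }
        getUserInfo(username, ActionListener.wrap(userInfo -> {
            final Runnable deliver;
            if (userInfo == null) {
                deliver = () -> listener.onFailure(
                        Exceptions.authenticationError("failed to authenticate user [{}]", username));
            } else {
                try {
                    if (verifyPassword(userInfo, token)) {
                        final User user = getUser(username, userInfo);
                        deliver = () -> listener.onResponse(user);
                    } else {
                        deliver = () -> listener.onFailure(
                                Exceptions.authenticationError("failed to authenticate user [{}]", username));
                    }
                } finally {
                    // Hashes read from the index are wiped once used. The shared static default hash
                    // must survive, hence the identity (not content) comparison.
                    if (userInfo.passwordHash != DEFAULT_PASSWORD_HASH) {
                        Arrays.fill(userInfo.passwordHash, (char) 0);
                    }
                }
            }
            // Listener is invoked outside the try/finally so the hash is already wiped.
            deliver.run();
        }, listener::onFailure));
    }

    /**
     * Verifies the submitted credential against the stored bcrypt hash.
     *
     * <p>The bcrypt comparison always runs first; only then is a user still carrying the default
     * password rejected when {@link #ACCEPT_DEFAULT_PASSWORD_SETTING} is {@code false}.
     *
     * @return {@code true} only if the password matches and the default-password policy allows it
     */
    private boolean verifyPassword(NativeUsersStore.ReservedUserInfo userInfo, UsernamePasswordToken token) {
        if (Hasher.BCRYPT.verify(token.credentials(), userInfo.passwordHash) == false) {
            return false;
        }
        return userInfo.hasDefaultPassword == false || defaultPasswordEnabled;
    }

    /**
     * Looks up a reserved user by name without checking credentials.
     *
     * <p>Responds {@code null} when the realm is disabled (unless the name is the enabled anonymous
     * user) or the name is not reserved. The anonymous user is resolved locally; the other reserved
     * users are resolved from the store so the current enabled flag is reflected.
     *
     * @param username the principal to look up
     * @param listener receives the user, {@code null}, or an authentication error when the store
     *                 lookup failed
     */
    @Override
    protected void doLookupUser(String username, ActionListener<User> listener) {
        if (realmEnabled == false) {
            // Exactly one response must be delivered: previously onResponse(anonymousUser) was
            // followed by onResponse(null) on the same listener.
            if (anonymousEnabled && AnonymousUser.isAnonymousUsername(username, config.globalSettings())) {
                listener.onResponse(anonymousUser);
            } else {
                listener.onResponse(null);
            }
        } else if (isReserved(username, config.globalSettings()) == false) {
            listener.onResponse(null);
        } else if (AnonymousUser.isAnonymousUsername(username, config.globalSettings())) {
            listener.onResponse(anonymousEnabled ? anonymousUser : null);
        } else {
            getUserInfo(username, ActionListener.wrap(userInfo -> {
                if (userInfo == null) {
                    listener.onFailure(Exceptions.authenticationError("failed to lookup user [{}]", username));
                } else {
                    listener.onResponse(getUser(username, userInfo));
                }
            }, listener::onFailure));
        }
    }

    /**
     * Whether {@code username} names a user handled by this realm.
     *
     * <p>The four built-in users are reserved only while the reserved realm is enabled; any
     * other name is reserved if it is the configured anonymous username.
     *
     * @param username the principal to test; must not be {@code null}
     * @param settings node settings
     * @return {@code true} if the name is reserved under the given settings
     */
    public static boolean isReserved(String username, Settings settings) {
        assert username != null;
        switch (username) {
            case ElasticUser.NAME:
            case KibanaUser.NAME:
            case LogstashSystemUser.NAME:
            case BeatsSystemUser.NAME:
                return XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings);
            default:
                return AnonymousUser.isAnonymousUsername(username, settings);
        }
    }

    /**
     * Builds the {@link User} object for a reserved name, carrying the stored enabled flag.
     *
     * @return the built-in user, the anonymous user when enabled and matching, else {@code null}
     */
    private User getUser(String username, NativeUsersStore.ReservedUserInfo userInfo) {
        assert username != null;
        switch (username) {
            case ElasticUser.NAME:
                return new ElasticUser(userInfo.enabled);
            case KibanaUser.NAME:
                return new KibanaUser(userInfo.enabled);
            case LogstashSystemUser.NAME:
                return new LogstashSystemUser(userInfo.enabled);
            case BeatsSystemUser.NAME:
                return new BeatsSystemUser(userInfo.enabled);
            default:
                if (anonymousEnabled && anonymousUser.principal().equals(username)) {
                    return anonymousUser;
                }
                return null;
        }
    }

    /**
     * Lists all reserved users with their current enabled state.
     *
     * <p>A user missing from the store is reported as enabled (default state). If the store
     * cannot be read the error is logged and only the anonymous user (when enabled) is reported;
     * the listener never receives a failure from this method.
     *
     * @param listener receives the (possibly empty) collection of users
     */
    public void users(ActionListener<Collection<User>> listener) {
        if (realmEnabled == false) {
            listener.onResponse(anonymousOnly());
            return;
        }
        nativeUsersStore.getAllReservedUserInfo(ActionListener.wrap(userInfos -> {
            final List<User> users = new ArrayList<>(4);
            users.add(new ElasticUser(isEnabled(userInfos.get(ElasticUser.NAME))));
            users.add(new KibanaUser(isEnabled(userInfos.get(KibanaUser.NAME))));
            users.add(new LogstashSystemUser(isEnabled(userInfos.get(LogstashSystemUser.NAME))));
            users.add(new BeatsSystemUser(isEnabled(userInfos.get(BeatsSystemUser.NAME))));
            if (anonymousEnabled) {
                users.add(anonymousUser);
            }
            listener.onResponse(users);
        }, e -> {
            logger.error("failed to retrieve reserved users", e);
            listener.onResponse(anonymousOnly());
        }));
    }

    /** A user with no stored entry is treated as enabled. */
    private static boolean isEnabled(NativeUsersStore.ReservedUserInfo userInfo) {
        return userInfo == null || userInfo.enabled;
    }

    /** The user list reported when the store is unavailable or the realm is disabled. */
    private List<User> anonymousOnly() {
        return anonymousEnabled ? Collections.singletonList(anonymousUser) : Collections.emptyList();
    }

    /**
     * Resolves the stored info for a reserved user.
     *
     * <ul>
     *   <li>Security mapping older than the user's defining version: {@link #DISABLED_USER_INFO}.</li>
     *   <li>No security index yet, or no entry for the user: {@link #DEFAULT_USER_INFO}, i.e. the
     *       default password subject to {@link #ACCEPT_DEFAULT_PASSWORD_SETTING}.</li>
     *   <li>Store read failure: logged, and {@code null} is delivered so callers fail closed.</li>
     * </ul>
     *
     * @param username the reserved principal
     * @param listener receives the user info or {@code null}; never receives a failure here
     */
    private void getUserInfo(String username, ActionListener<NativeUsersStore.ReservedUserInfo> listener) {
        if (userIsDefinedForCurrentSecurityMapping(username) == false) {
            logger.debug("Marking user [{}] as disabled because the security mapping is not at the required version",
                    username);
            listener.onResponse(DISABLED_USER_INFO);
        } else if (securityLifecycleService.isSecurityIndexExisting() == false) {
            listener.onResponse(DEFAULT_USER_INFO);
        } else {
            nativeUsersStore.getReservedUserInfo(username, ActionListener.wrap(
                    userInfo -> listener.onResponse(userInfo == null ? DEFAULT_USER_INFO : userInfo),
                    e -> {
                        logger.error(() -> new ParameterizedMessage(
                                "failed to retrieve password hash for reserved user [{}]", username), e);
                        listener.onResponse(null);
                    }));
        }
    }

    /**
     * Whether the security index mapping is at least the version in which {@code username}
     * was introduced.
     */
    private boolean userIsDefinedForCurrentSecurityMapping(String username) {
        final Version definedVersion = getDefinedVersion(username);
        return securityLifecycleService.checkSecurityMappingVersion(definedVersion::onOrBefore);
    }

    /** Version that introduced the named reserved user; {@code 5.0.0} for the original users. */
    private Version getDefinedVersion(String username) {
        switch (username) {
            case LogstashSystemUser.NAME:
                return LogstashSystemUser.DEFINED_SINCE;
            case BeatsSystemUser.NAME:
                return BeatsSystemUser.DEFINED_SINCE;
            default:
                return Version.V_5_0_0;
        }
    }

    /**
     * Registers this realm's settings.
     *
     * @param settings the mutable list of settings to append to
     */
    public static void addSettings(List<Setting<?>> settings) {
        settings.add(ACCEPT_DEFAULT_PASSWORD_SETTING);
    }
}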
