package com.huawei.es.security.auth.server.transport;

import com.google.common.collect.Maps;
import com.huawei.es.security.audit.AuditLog;
import com.huawei.es.security.auth.common.KerberosUtil;
import com.huawei.es.security.auth.server.transport.common.TransportConstant;
import com.huawei.es.security.auth.signer.Signer;
import com.huawei.solr.security.auth.server.AuthenticationToken;
import java.io.IOException;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;

/* loaded from: input_file:com/huawei/es/security/auth/server/transport/KerberosTransportInterceptor.class */
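/**
 * Transport interceptor that wraps every inbound handler in a {@link KerberosRequestHandler} and,
 * on the outbound side, rebuilds the thread-context headers before a request leaves the node.
 *
 * <p>Outbound requests fall into two cases, selected by the {@code CUSTOMISED_MODE} header:
 * <ul>
 *   <li>client mode ({@code KerberosRequestHandler.CLIENT}): only an allow-list of
 *       authentication and audit headers is forwarded;</li>
 *   <li>any other value: a freshly signed system token is attached as {@code CUSTOMISED_COOKIE}
 *       and only {@code CUSTOMISED_COOKIE_REMOTE} is forwarded from the caller's headers.</li>
 * </ul>
 */
public final class KerberosTransportInterceptor implements TransportInterceptor {
    private static final Logger LOG = LogManager.getLogger(KerberosTransportInterceptor.class);

    /** Dynamic, node-scoped switch ({@code cluster.skip.token.check}, default {@code false}). */
    public static final Setting<Boolean> SKIP_CHECK_TOKEN = Setting.boolSetting(
            "cluster.skip.token.check", false, Setting.Property.Dynamic, Setting.Property.NodeScope);

    // Mirror of SKIP_CHECK_TOKEN. It is written by the constructor and by the settings-update
    // consumer, and because it is public and non-final any other class can write it as well.
    // NOTE(review): how the flag is consumed is not visible in this file; presumably the request
    // handler skips token validation while it is true. Confirm, and make sure updates to
    // cluster.skip.token.check are restricted and audited.
    public static volatile boolean isSkipTransportTokenCheck;

    protected final ThreadContext threadContext;
    private final Settings settings;
    // Single cached token holder, overwritten on every non-client send.
    // NOTE(review): no synchronization is visible here although senders may run concurrently;
    // confirm TransportAuthenToken tolerates concurrent set/get.
    private final TransportAuthenToken authToken = new TransportAuthenToken();
    private final ClusterService cs;
    // Token lifetime in milliseconds.
    private final long validity;
    private final Signer signer;
    private final AuditLog auditlog;

    /**
     * Creates the interceptor and subscribes to runtime updates of {@link #SKIP_CHECK_TOKEN}.
     *
     * @param settings node settings; {@code token.validity} is read as seconds (default 36000)
     * @param threadContext thread context whose headers are inspected and rewritten on send
     * @param clusterService used to register the settings-update consumer and passed to handlers
     * @param auditLog audit sink passed to every {@link KerberosRequestHandler}
     * @param signer signs the system token attached to node-originated requests
     * @throws NumberFormatException if {@code token.validity} is not a valid long
     */
    public KerberosTransportInterceptor(Settings settings, ThreadContext threadContext, ClusterService clusterService, AuditLog auditLog, Signer signer) {
        this.settings = settings;
        this.threadContext = threadContext;
        this.cs = clusterService;
        this.signer = signer;
        this.auditlog = auditLog;
        isSkipTransportTokenCheck = SKIP_CHECK_TOKEN.get(settings);
        // Configured in seconds, kept in milliseconds to add to System.currentTimeMillis().
        this.validity = Long.parseLong(settings.get("token.validity", "36000")) * 1000;
        clusterService.getClusterSettings().addSettingsUpdateConsumer(SKIP_CHECK_TOKEN, this::setSkipCheckToken);
    }

    /** Applies a runtime update of {@link #SKIP_CHECK_TOKEN} to the static flag. */
    private void setSkipCheckToken(boolean skip) {
        isSkipTransportTokenCheck = skip;
    }

    /**
     * Wraps the real handler so that every inbound transport request passes through
     * {@link KerberosRequestHandler}.
     *
     * @param str first string argument; forwarded to the wrapping handler
     * @param str2 second string argument; unused here
     * @param z unused here
     * @param transportRequestHandler the handler being wrapped
     * @return the wrapping {@link KerberosRequestHandler}
     */
    @Override
    public <T extends TransportRequest> TransportRequestHandler<T> interceptHandler(String str, String str2, boolean z, TransportRequestHandler<T> transportRequestHandler) {
        return new KerberosRequestHandler(this.settings, str, transportRequestHandler, this.threadContext, this.signer, this.cs, this.auditlog);
    }

    /**
     * Wraps the outbound sender so that each request is sent under a stashed thread context
     * holding only the headers selected for its mode.
     *
     * @param asyncSender the sender that performs the actual send
     * @return a sender that rewrites the headers and then delegates to {@code asyncSender}
     */
    @Override
    public TransportInterceptor.AsyncSender interceptSender(final TransportInterceptor.AsyncSender asyncSender) {
        return new TransportInterceptor.AsyncSender() {
            @Override
            public <T extends TransportResponse> void sendRequest(Transport.Connection connection, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
                Map<String, String> headers = threadContext.getHeaders();
                if (LOG.isDebugEnabled() && !headers.isEmpty()) {
                    LOG.debug("------------sendRequest begin-------------");
                    for (Map.Entry<String, String> entry : headers.entrySet()) {
                        String key = entry.getKey();
                        // Credential-bearing headers are kept out of the debug log.
                        // NOTE(review): CUSTOMISED_COOKIE_REMOTE is not excluded; if it carries
                        // a token it should be redacted here as well. Confirm.
                        if (!TransportConstant.CUSTOMISED_AUTHORIZATION.equals(key) && !TransportConstant.CUSTOMISED_COOKIE.equals(key)) {
                            LOG.debug("{}:{}", key, entry.getValue());
                        }
                    }
                }
                // Both values must be read before the context is stashed.
                String mode = threadContext.getHeader(TransportConstant.CUSTOMISED_MODE);
                String originReq = threadContext.getHeader(TransportConstant.ORIGIN_REQ);
                // The stashed context is restored when this block exits, normally or not.
                try (ThreadContext.StoredContext ignored = threadContext.stashContext()) {
                    if (KerberosRequestHandler.CLIENT.equals(mode)) {
                        threadContext.putHeader(Maps.filterKeys(headers, KerberosTransportInterceptor::isClientForwardedHeader));
                        updateHeaders(originReq);
                    } else {
                        // NOTE(review): generateTokenAsSystem() returns null when signing throws
                        // IOException, and that null is handed straight to putHeader. Confirm how
                        // ThreadContext and the receiving handler treat a null cookie, or fail
                        // the send explicitly instead.
                        threadContext.putHeader(TransportConstant.CUSTOMISED_COOKIE, generateTokenAsSystem());
                        threadContext.putHeader(Maps.filterKeys(headers,
                                name -> name != null && name.equals(TransportConstant.CUSTOMISED_COOKIE_REMOTE)));
                    }
                    asyncSender.sendRequest(connection, str, transportRequest, transportRequestOptions, transportResponseHandler);
                }
            }
        };
    }

    /**
     * Allow-list of header names that are forwarded unchanged for a client-mode request.
     *
     * @param name header name, may be {@code null}
     * @return {@code true} if the header is forwarded to the remote node
     */
    private static boolean isClientForwardedHeader(String name) {
        return name != null
                && (name.equals(TransportConstant.CUSTOMISED_MODE)
                || name.equals(TransportConstant.CUSTOMISED_AUTHORIZATION)
                || name.equals(TransportConstant.CUSTOMISED_COOKIE)
                || name.equals(TransportConstant.CUSTOMISED_USER)
                || name.equals(TransportConstant.ORIGIN_REQ)
                || name.equals(TransportConstant.REMOTE_ADDRESS)
                || name.equals(TransportConstant.ORIGIN_INDEX)
                || name.equals(TransportConstant.ORIGIN_ACTION_NAME)
                || name.equals(TransportConstant.ORIGIN_TEMPLATE2TYPE)
                || name.equals(TransportConstant.ORIGIN_PIPELINE2TYPE)
                || name.equals(TransportConstant.ORIGIN_INDEX2TYPE)
                || name.equals(TransportConstant.ORIGIN_LOCAL_ADDRESS)
                || name.equals(TransportConstant.CUSTOMISED_COOKIE_REMOTE)
                || name.equals(TransportConstant.CUSTOMISED_AUTHORIZATION_TYPE));
    }

    /**
     * Marks the request as locally originated when the caller supplied no {@code ORIGIN_REQ}.
     * Private again: the decompiler had widened it to public for the anonymous sender.
     *
     * @param originReq the {@code ORIGIN_REQ} value read before the context was stashed
     */
    private void updateHeaders(String originReq) {
        if (originReq == null) {
            this.threadContext.putHeader(TransportConstant.ORIGIN_REQ, AuditLog.OriginReq.LOCAL.toString());
        }
    }

    /**
     * Refreshes the cached system token and returns its signed form.
     *
     * <p>Private again (the decompiler had widened it to public for the anonymous sender), so
     * that code merely holding a reference to the interceptor cannot obtain a signed system
     * token.
     *
     * @return the signed token currently cached in {@code authToken}, or {@code null} if
     *     refreshing it threw an {@link IOException}
     */
    private String generateTokenAsSystem() {
        try {
            generateNewToken();
            return this.authToken.getSecertToken();
        } catch (IOException e) {
            LOG.error("generateTokenAsSystem failed.", e);
            return null;
        }
    }

    /** Returns the node settings this interceptor was constructed with. */
    public Settings getSettings() {
        return this.settings;
    }

    /**
     * Obtains a token from {@link KerberosUtil}, sets its expiry to now plus the configured
     * validity, signs it and caches both forms in {@code authToken}.
     *
     * <p>NOTE(review): when the obtained token is null, expired or anonymous this only logs and
     * returns, leaving {@code authToken} untouched. {@link #generateTokenAsSystem()} then returns
     * whatever an earlier successful call cached. Confirm that reusing the previous signed token
     * is the intended fallback.
     *
     * @throws IOException declared by this method; which call raises it is not visible here
     */
    private void generateNewToken() throws IOException {
        AuthenticationToken token = KerberosUtil.generateAuthenticationToken();
        if (null == token || token.isExpired() || token == AuthenticationToken.ANONYMOUS) {
            LOG.error("Generate new token occur error.");
            return;
        }
        token.setExpires(System.currentTimeMillis() + this.validity);
        this.authToken.setAuthenticationToken(token);
        this.authToken.setSecertToken(this.signer.sign(token.toString()));
    }
}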
