package com.huawei.es.security.auth.server.transport;

import com.huawei.es.security.audit.AuditLog;
import com.huawei.es.security.auth.common.AuthConstants;
import com.huawei.es.security.auth.common.HttpHelper;
import com.huawei.es.security.auth.server.KerberosHandler;
import com.huawei.es.security.auth.server.transport.common.TransportConstant;
import com.huawei.es.security.auth.server.transport.common.TransportUtils;
import com.huawei.es.security.auth.signer.Signer;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.plugin.KerberosPlugin;
import com.huawei.solr.security.auth.common.AuthenticationException;
import com.huawei.solr.security.auth.server.AuthenticationToken;
import com.huawei.solr.security.auth.util.SignerException;
import io.netty.handler.codec.http.cookie.Cookie;
import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;

/* loaded from: input_file:com/huawei/es/security/auth/server/transport/KerberosRequestHandler.class */
/**
 * Transport-layer request handler that authenticates (or verifies the token of) an
 * incoming transport request before delegating to the wrapped {@code actualHandler}.
 *
 * <p>Two modes are distinguished by the {@code CUSTOMISED_MODE} header:
 * <ul>
 *   <li>{@code "client"}: a transport-client request; a Kerberos authentication is run
 *       (or a signed cookie token is verified) and request/origin headers are stamped.</li>
 *   <li>anything else: treated as node-to-node traffic; the signed token in the
 *       {@code CUSTOMISED_COOKIE} header is verified, with a whitelist of action prefixes
 *       that bypass verification.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. One method
 * ({@code verifyAndGetToken(String, String)}) could not be decompiled and is shown as a
 * bytecode dump plus a placeholder {@code throw}; the behaviour described in its comment
 * is read from that dump, not from Java source.
 *
 * @param <T> the transport request type handled by the wrapped handler
 */
public class KerberosRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
    private static final Logger LOG = Loggers.getLogger(KerberosRequestHandler.class, new String[]{"KerberosRequestHandler"});
    private Settings settings;
    /** Name of the transport action this handler is registered for (used in logs and whitelist checks). */
    private final String action;
    /** Handler that actually processes the request once authentication/verification has run. */
    private final TransportRequestHandler<T> actualHandler;
    private final ThreadContext threadContext;
    /** Response-header name under which a freshly issued auth cookie is returned. */
    private static final String SERVER_COOKIE = "Cookie";
    /** Signs new tokens and verifies/extracts signed ones. */
    private Signer signer;
    /** Used only to read the local node's address/port for the ORIGIN_LOCAL_ADDRESS header. */
    private final ClusterService cs;
    /** Cookie path read from settings ({@code KerberosHandler.COOKIE_PATH}); may be null. */
    private String cookiePath;
    /** Token lifetime in milliseconds (setting {@code token.validity} is in seconds). */
    private long validity;
    // Action-name prefixes that bypass token verification in verifyTokenAsSystem().
    private static final String CLUSTER_MONITOR_ACTION = "cluster:monitor";
    private static final String INTERNAL_ACTION = "internal:";
    /** The one cluster:monitor action that is NOT whitelisted. */
    private static final String MAIN_ACTION = "cluster:monitor/main";
    private static final String INDICES_MONITOR_ACTION = "indices:monitor";
    /** Value of the {@code CUSTOMISED_MODE} header that marks a transport-client request. */
    public static final String CLIENT = "client";
    private final AuditLog auditlog;

    /**
     * Creates a handler wrapping {@code transportRequestHandler} for action {@code str}.
     *
     * <p>{@code token.validity} is read as seconds (default {@code "36000"}, i.e. 10 h) and
     * converted to milliseconds. NOTE(review): the parse is unguarded — a non-numeric value
     * surfaces as a {@link NumberFormatException} from this constructor.
     */
    public KerberosRequestHandler(Settings settings, String str, TransportRequestHandler<T> transportRequestHandler, ThreadContext threadContext, Signer signer, ClusterService clusterService, AuditLog auditLog) {
        this.settings = settings;
        this.action = str;
        this.actualHandler = transportRequestHandler;
        this.threadContext = threadContext;
        this.signer = signer;
        this.cs = clusterService;
        this.cookiePath = this.settings.get(KerberosHandler.COOKIE_PATH, (String) null);
        // seconds -> milliseconds
        this.validity = Long.parseLong(settings.get("token.validity", "36000")) * 1000;
        this.auditlog = auditLog;
    }

    /**
     * Entry point for an incoming transport request.
     *
     * <p>Client mode ({@code CUSTOMISED_MODE == "client"}): runs {@link #doAuthenticate(Task)}
     * — whose exceptions propagate out of this method — then stamps ORIGIN_REQ, the remote
     * address and the local node address as headers (each only if not already present).
     *
     * <p>Otherwise: runs {@link #verifyTokenAsSystemAndDealWithException}, which catches its own
     * failures and writes an error response, and then control still reaches the delegation
     * below. NOTE(review): confirm that a request whose verification failed is denied further
     * down (e.g. by authorization on the missing {@code CUSTOMISED_USER} header); as written,
     * {@code actualHandler.messageReceived} is invoked in that case too.
     *
     * @throws UnsupportedOperationException if no ThreadContext was supplied
     * @throws Exception anything thrown by authentication or by the wrapped handler
     */
    public void messageReceived(T t, TransportChannel transportChannel, Task task) throws Exception {
        if (this.threadContext == null) {
            throw new UnsupportedOperationException("threadContext can't be null for this operation");
        }
        if (CLIENT.equals(this.threadContext.getHeader(TransportConstant.CUSTOMISED_MODE))) {
            LOG.debug("begin transport client messageReceived.");
            doAuthenticate(task);
            TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_REQ, AuditLog.OriginReq.TRANSPORT.toString());
            TransportAddress remoteAddress = t.remoteAddress();
            if (remoteAddress != null) {
                TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.REMOTE_ADDRESS, remoteAddress.getAddress() + AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID + remoteAddress.getPort());
            }
            TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.ORIGIN_LOCAL_ADDRESS, this.cs.localNode().getHostAddress() + AuthorityConstants.SEPARATOR_FOR_SECURITY_INDEX_DOC_ID + this.cs.localNode().getAddress().getPort());
        } else {
            verifyTokenAsSystemAndDealWithException(t, transportChannel, task);
        }
        // Reached on both branches, including after a caught verification failure above.
        messageReceivedDecorate(t, this.actualHandler, transportChannel, task);
    }

    /**
     * Node-to-node path: verifies the request token unless the global
     * {@code KerberosTransportInterceptor.isSkipTransportTokenCheck} flag is set, in which case
     * every action is accepted unverified.
     *
     * <p>A failure is logged, sent back on the channel as an error response, and then swallowed:
     * this method returns normally and the caller continues. {@code sendResponse} itself may
     * throw {@link IOException}, which is the only exception that escapes.
     */
    private void verifyTokenAsSystemAndDealWithException(T t, TransportChannel transportChannel, Task task) throws IOException {
        if (KerberosTransportInterceptor.isSkipTransportTokenCheck) {
            LOG.trace("Settings cluster.skip.token.check is true, skip all action's verify.");
            return;
        }
        try {
            verifyTokenAsSystem(t, task);
        } catch (Exception e) {
            LOG.error("Verify token occur error:", e);
            // Error is reported to the peer, but not propagated to messageReceived().
            transportChannel.sendResponse(e);
        }
    }

    /** Delegates the request to the wrapped handler unchanged. */
    private void messageReceivedDecorate(T t, TransportRequestHandler<T> transportRequestHandler, TransportChannel transportChannel, Task task) throws Exception {
        transportRequestHandler.messageReceived(t, transportChannel, task);
    }

    /**
     * Transport-client authentication.
     *
     * <p>Exempt without any check: action {@code "server:serverrealm/get"}, and
     * {@code "cluster:token/get"} when the {@code CUSTOMISED_AUTHORIZATION_TYPE} header is
     * {@code "api"}.
     *
     * <p>Otherwise:
     * <ol>
     *   <li>If neither {@code CUSTOMISED_COOKIE} nor {@code CUSTOMISED_COOKIE_REMOTE} is present,
     *       a fresh authentication is run via {@code KerberosHandler.getAuthExecutor()}; the
     *       resulting token gets its expiry extended by {@code validity} unless it is anonymous
     *       or its expiry is 0 (the meaning of a 0 expiry is not visible here — presumably
     *       "never expires"; confirm against AuthenticationToken).</li>
     *   <li>If a cookie header is present, the signed token is verified instead.</li>
     *   <li>A null token is rejected; otherwise the user name is stamped into
     *       {@code CUSTOMISED_USER} (if not already set).</li>
     *   <li>Only for a freshly authenticated, non-expired, non-anonymous token, and only when no
     *       {@code Cookie} response header exists yet, a signed auth cookie is issued.</li>
     * </ol>
     *
     * <p>Failures ({@link AuthenticationException}, {@link IOException}) are recorded in the audit
     * log as a failed transport authentication and rethrown. NOTE(review): no success record is
     * written here; whether the executor audits success is not visible in this file.
     */
    private void doAuthenticate(Task task) throws AuthenticationException, IOException {
        AuthenticationToken verifyAndGetToken;
        if ("server:serverrealm/get".equals(task.getAction())) {
            return;
        }
        if ("cluster:token/get".equals(task.getAction()) && "api".equals(this.threadContext.getHeaders().get(TransportConstant.CUSTOMISED_AUTHORIZATION_TYPE))) {
            return;
        }
        LOG.debug("Start to do authenticate for {}.", this.action);
        String header = this.threadContext.getHeader(TransportConstant.CUSTOMISED_COOKIE);
        String header2 = this.threadContext.getHeader(TransportConstant.CUSTOMISED_COOKIE_REMOTE);
        // true only when a new token was produced by the authenticator (not taken from a cookie)
        boolean z = false;
        try {
            if (header == null && header2 == null) {
                LOG.debug("Go to verify service ticket for {}. ", task.getAction());
                verifyAndGetToken = KerberosHandler.getAuthExecutor().authenticate(this.threadContext);
                if (verifyAndGetToken != null && verifyAndGetToken.getExpires() != 0 && verifyAndGetToken != AuthenticationToken.ANONYMOUS) {
                    verifyAndGetToken.setExpires(System.currentTimeMillis() + this.validity);
                }
                z = true;
            } else {
                verifyAndGetToken = verifyAndGetToken(header, header2);
            }
            if (verifyAndGetToken == null) {
                LOG.error("Neither get token from cookie nor generate new one.");
                throw new AuthenticationException("Invalid AuthenticationToken.");
            }
            if (verifyAndGetToken.getUserName() != null) {
                TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.CUSTOMISED_USER, verifyAndGetToken.getUserName());
            }
            // Raw List from the decompiler; element type is not visible here.
            List list = (List) this.threadContext.getResponseHeaders().get(SERVER_COOKIE);
            if ((null == list || list.isEmpty()) && z && !verifyAndGetToken.isExpired() && verifyAndGetToken != AuthenticationToken.ANONYMOUS) {
                createAuthCookie(this.signer.sign(verifyAndGetToken.toString()), this.cookiePath, verifyAndGetToken.getExpires());
            }
            LOG.debug("End to do authenticate for {}.", this.action);
        } catch (AuthenticationException | IOException e) {
            this.auditlog.logTransportAuthenticate(this.action, null, false);
            throw e;
        }
    }

    /**
     * Extracts the value of the {@code AuthConstants.AUTH_COOKIE} cookie from a raw
     * {@code Cookie} header string.
     *
     * @param str the raw cookie header value
     * @return the auth cookie's value, or {@code AuthorityConstants.EMPYT_STRING} if the header
     *         yields no cookies or none is named AUTH_COOKIE
     */
    private String getTokenFromCookies(String str) {
        String str2 = AuthorityConstants.EMPYT_STRING;
        Set<Cookie> cookies = HttpHelper.getCookies(str);
        if (null != cookies && !cookies.isEmpty()) {
            Iterator<Cookie> it = cookies.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Cookie next = it.next();
                if (next.name().equals(AuthConstants.AUTH_COOKIE)) {
                    str2 = next.value();
                    break;
                }
            }
        }
        return str2;
    }

    /* JADX WARN: Code restructure failed: missing block: B:13:0x001a, code lost:
    
        if (r9.isEmpty() != false) goto L9;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /*
     * NOT DECOMPILED. The Java body below is a decompiler placeholder; the compiled method's
     * logic, as read from the bytecode dump that follows (r5 = local cookie header,
     * r6 = remote cookie header, r7 = caught exception, r8 = token), is approximately:
     *
     *   if (r5 != null) {
     *       String tok = getTokenFromCookies(r5);
     *       if (tok == null || tok.isEmpty()) tok = r5;   // falls back to the raw header value
     *       try { token = verifyAndGetToken(tok); } catch (Exception ex) { caught = ex; }
     *   }
     *   if (caught == null && token != null) return token;
     *   if (r6 != null) return verifyAndGetToken(getTokenFromCookies(r6)); // no try/catch here
     *   if (caught != null) throw new AuthenticationException(caught);
     *   return null;
     *
     * Points worth confirming against the real binary: (1) a failure on the local header is
     * discarded whenever a remote header is present, so the remote token alone decides;
     * (2) when the local header parses to an empty cookie value, the raw header string itself
     * is passed to the signature verifier; (3) both headers null yields null, which callers
     * treat differently (doAuthenticate rejects it, verifyTokenAsSystem only warns).
     */
    private com.huawei.solr.security.auth.server.AuthenticationToken verifyAndGetToken(java.lang.String r5, java.lang.String r6) throws com.huawei.solr.security.auth.common.AuthenticationException {
        /*
            r4 = this;
            r0 = 0
            r7 = r0
            r0 = 0
            r8 = r0
            r0 = r5
            if (r0 == 0) goto L30
            r0 = r4
            r1 = r5
            java.lang.String r0 = r0.getTokenFromCookies(r1)
            r9 = r0
            r0 = r9
            if (r0 == 0) goto L1d
            r0 = r9
            boolean r0 = r0.isEmpty()     // Catch: java.lang.Exception -> L2b
            if (r0 == 0) goto L20
        L1d:
            r0 = r5
            r9 = r0
        L20:
            r0 = r4
            r1 = r9
            com.huawei.solr.security.auth.server.AuthenticationToken r0 = r0.verifyAndGetToken(r1)     // Catch: java.lang.Exception -> L2b
            r8 = r0
            goto L30
        L2b:
            r10 = move-exception
            r0 = r10
            r7 = r0
        L30:
            r0 = r7
            if (r0 != 0) goto L3c
            r0 = r8
            if (r0 == 0) goto L3c
            r0 = r8
            return r0
        L3c:
            r0 = r6
            if (r0 == 0) goto L4a
            r0 = r4
            r1 = r4
            r2 = r6
            java.lang.String r1 = r1.getTokenFromCookies(r2)
            com.huawei.solr.security.auth.server.AuthenticationToken r0 = r0.verifyAndGetToken(r1)
            return r0
        L4a:
            r0 = r7
            if (r0 == 0) goto L57
            com.huawei.solr.security.auth.common.AuthenticationException r0 = new com.huawei.solr.security.auth.common.AuthenticationException
            r1 = r0
            r2 = r7
            r1.<init>(r2)
            throw r0
        L57:
            r0 = 0
            return r0
        */
        throw new UnsupportedOperationException("Method not decompiled: com.huawei.es.security.auth.server.transport.KerberosRequestHandler.verifyAndGetToken(java.lang.String, java.lang.String):com.huawei.solr.security.auth.server.AuthenticationToken");
    }

    /**
     * Verifies a single signed token string and parses it.
     *
     * <p>Rejects (with {@link AuthenticationException}) a token whose signature does not verify,
     * whose type is not {@code "kerberos"}, or which is expired. A {@link SignerException} is
     * wrapped into an {@link AuthenticationException}.
     *
     * <p>NOTE(review): {@code parse.getType()} is dereferenced without a null check; whether
     * {@code AuthenticationToken.parse} guarantees a non-null type is not visible here.
     */
    private AuthenticationToken verifyAndGetToken(String str) throws AuthenticationException {
        try {
            String verifyAndExtract = this.signer.verifyAndExtract(str);
            if (verifyAndExtract == null) {
                throw new AuthenticationException("Invalid AuthenticationToken, action[" + this.action + "].");
            }
            AuthenticationToken parse = AuthenticationToken.parse(verifyAndExtract);
            if (!parse.getType().equals("kerberos")) {
                throw new AuthenticationException("Invalid AuthenticationToken type[" + parse.getType() + "], aciton[" + this.action + "].");
            }
            if (parse.isExpired()) {
                throw new AuthenticationException("AuthenticationToken expired.");
            }
            return parse;
        } catch (SignerException e) {
            throw new AuthenticationException(e);
        }
    }

    /**
     * Node-to-node token verification.
     *
     * <p>Whitelisted actions — any {@code internal:*}, any {@code cluster:monitor*} except
     * {@code cluster:monitor/main}, any {@code indices:monitor*}, and
     * {@code indices:admin/seq_no*} — skip verification entirely and are stamped with
     * {@code AuthorityConstants.SUPER_USER} as {@code CUSTOMISED_USER} (presumably only when that
     * header is not already set, going by the helper's name).
     *
     * <p>All other actions must carry a {@code CUSTOMISED_COOKIE} header, which is verified via
     * {@link #verifyAndGetToken(String, String)} together with {@code CUSTOMISED_COOKIE_REMOTE}.
     * A null token only logs a warning (no user header is set); a verification failure is
     * re-thrown as an {@link AuthenticationException}.
     *
     * <p>NOTE(review): the failure message concatenates {@code threadContext.getHeaders()}, which
     * includes the {@code CUSTOMISED_COOKIE} value read above, and is both logged at WARN and
     * placed in the thrown exception (and hence in the error response sent by the caller).
     * Token material therefore ends up in logs and on the wire; consider logging header names only.
     */
    private void verifyTokenAsSystem(T t, Task task) throws AuthenticationException {
        if (this.action.startsWith(INTERNAL_ACTION) || ((this.action.startsWith(CLUSTER_MONITOR_ACTION) && !this.action.equals(MAIN_ACTION)) || this.action.startsWith(INDICES_MONITOR_ACTION) || this.action.startsWith("indices:admin/seq_no"))) {
            LOG.trace("Skip verify whiteList  action:{}.", this.action);
            // Whitelisted actions run as the super user without any token check.
            TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.CUSTOMISED_USER, AuthorityConstants.SUPER_USER);
            return;
        }
        LOG.trace("Verify action:{}.", this.action);
        String header = this.threadContext.getHeader(TransportConstant.CUSTOMISED_COOKIE);
        if (null == header) {
            LOG.error("Invalid AuthenticationToken info for action[" + this.action + "].");
            throw new AuthenticationException("Invalid AuthenticationToken info for action[" + this.action + "].");
        }
        try {
            AuthenticationToken verifyAndGetToken = verifyAndGetToken(header, this.threadContext.getHeader(TransportConstant.CUSTOMISED_COOKIE_REMOTE));
            if (verifyAndGetToken == null) {
                // Not treated as a failure here, unlike in doAuthenticate().
                LOG.warn("Token is null");
            } else {
                TransportUtils.putHeaderIfNonExisting(this.threadContext, TransportConstant.CUSTOMISED_USER, verifyAndGetToken.getUserName());
            }
        } catch (AuthenticationException e) {
            // Message embeds every request header (cookie token included) and the peer address.
            String str = "Verify token failed." + e.getMessage() + "action:" + this.action + "headers:" + this.threadContext.getHeaders() + "remoteAddress:" + t.remoteAddress();
            LOG.warn(str);
            throw new AuthenticationException(str);
        }
    }

    /**
     * Adds a {@code Cookie} response header carrying the signed token.
     *
     * @param str  the signed token value
     * @param str2 the cookie path (may be null)
     * @param j    the token expiry used for the cookie
     */
    private void createAuthCookie(String str, String str2, long j) {
        // The secure flag follows whether transport SSL is enabled.
        this.threadContext.addResponseHeader(SERVER_COOKIE, KerberosHandler.createAuthCookie(str, str2, j, KerberosPlugin.isTransportSslEnable()).toString());
    }
}
