package io.fabric8.insight.elasticsearch.auth.plugin;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AccountException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.elasticsearch.common.Base64;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.HttpChannel;
import org.elasticsearch.http.HttpRequest;
import org.elasticsearch.http.HttpServer;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.node.service.NodeService;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:io/fabric8/insight/elasticsearch/auth/plugin/HttpBasicServer.class */
public class HttpBasicServer extends HttpServer {
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private String realm;
    private String[] roles;
    private final boolean log;

    @Inject
    public HttpBasicServer(Settings settings, Environment environment, HttpServerTransport httpServerTransport, RestController restController, NodeService nodeService) {
        super(settings, environment, httpServerTransport, restController, nodeService);
        this.realm = settings.get("http.basic.realm", "karaf");
        this.roles = settings.getAsArray("http.basic.roles", new String[]{"admin", "manager", "viewer", "Monitor", "Operator", "Maintainer", "Deployer", "Auditor", "Administrator", "SuperUser"});
        this.log = settings.getAsBoolean("http.basic.log", false).booleanValue();
        Loggers.getLogger(getClass()).info("using realm: [{}] and authorized roles: [{}]", new Object[]{this.realm, this.roles});
    }

    public void internalDispatchRequest(HttpRequest httpRequest, HttpChannel httpChannel) {
        if (this.log) {
            logRequest(httpRequest);
        }
        if (healthCheck(httpRequest)) {
            httpChannel.sendResponse(new BytesRestResponse(RestStatus.OK, "{\"OK\":{}}"));
            return;
        }
        if (authorized(httpRequest)) {
            super.internalDispatchRequest(httpRequest, httpChannel);
            return;
        }
        logUnAuthorizedRequest(httpRequest);
        BytesRestResponse bytesRestResponse = new BytesRestResponse(RestStatus.UNAUTHORIZED, "Authentication Required");
        bytesRestResponse.addHeader(HEADER_WWW_AUTHENTICATE, "Basic realm=\"" + this.realm + "\"");
        httpChannel.sendResponse(bytesRestResponse);
    }

    private boolean healthCheck(HttpRequest httpRequest) {
        return httpRequest.method() == RestRequest.Method.GET && httpRequest.path().equals("/");
    }

    private boolean authorized(HttpRequest httpRequest) {
        return allowOptionsForCORS(httpRequest) || authBasic(httpRequest);
    }

    public String getDecodedAuthHeader(HttpRequest httpRequest) {
        String header = httpRequest.header(HEADER_AUTHORIZATION);
        if (header == null || header.length() <= 0) {
            this.logger.debug("Http Basic authentication Header: [{}] not  present.", new Object[]{HEADER_AUTHORIZATION});
            return "";
        }
        String trim = header.trim();
        int indexOf = trim.indexOf(32);
        if (indexOf <= 0) {
            this.logger.debug("Http Basic authentication Header: [{}] impossible to base 64 decode.", new Object[]{trim});
            return "";
        }
        String substring = trim.substring(0, indexOf);
        String trim2 = trim.substring(indexOf).trim();
        if (!substring.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
            this.logger.debug("Http Basic authentication Schema: [{}] not supported only [{}] is supported.", new Object[]{substring, AUTHENTICATION_SCHEME_BASIC});
            return "";
        }
        try {
            return new String(Base64.decode(trim2));
        } catch (IOException e) {
            this.logger.debug("Http Basic credentials: [{}] impossible to base 64 decode.", new Object[]{trim2});
            return "";
        }
    }

    private boolean authBasic(HttpRequest httpRequest) {
        String decodedAuthHeader = getDecodedAuthHeader(httpRequest);
        if (decodedAuthHeader.isEmpty()) {
            return false;
        }
        String[] split = decodedAuthHeader.split(":", 2);
        return doAuthenticate(split[0], split[1]) != null;
    }

    private Subject doAuthenticate(final String str, final String str2) {
        try {
            Subject subject = new Subject();
            new LoginContext(this.realm, subject, new CallbackHandler() { // from class: io.fabric8.insight.elasticsearch.auth.plugin.HttpBasicServer.1
                @Override // javax.security.auth.callback.CallbackHandler
                public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                    for (int i = 0; i < callbackArr.length; i++) {
                        if (callbackArr[i] instanceof NameCallback) {
                            ((NameCallback) callbackArr[i]).setName(str);
                        } else {
                            if (!(callbackArr[i] instanceof PasswordCallback)) {
                                throw new UnsupportedCallbackException(callbackArr[i]);
                            }
                            ((PasswordCallback) callbackArr[i]).setPassword(str2.toCharArray());
                        }
                    }
                }
            }).login();
            this.logger.debug("Login successful: {}", new Object[]{subject.toString()});
            boolean z = false;
            for (String str3 : this.roles) {
                if (str3 != null && str3.length() > 0 && !z) {
                    String trim = str3.trim();
                    int indexOf = trim.indexOf(58);
                    if (indexOf > 0) {
                        trim = trim.substring(indexOf + 1);
                    }
                    Iterator<Principal> it = subject.getPrincipals().iterator();
                    while (true) {
                        if (it.hasNext()) {
                            Principal next = it.next();
                            this.logger.debug("Principal found in real: {}", new Object[]{next.getName()});
                            if (next.getName().equals(trim)) {
                                z = true;
                                break;
                            }
                        }
                    }
                }
            }
            if (z) {
                return subject;
            }
            throw new FailedLoginException("User does not have the required role " + Arrays.asList(this.roles));
        } catch (LoginException e) {
            this.logger.debug("Login failed {}", new Object[]{e.getMessage()});
            return null;
        } catch (AccountException e2) {
            this.logger.warn("Account failure {}", new Object[]{e2.getMessage()});
            return null;
        }
    }

    private boolean allowOptionsForCORS(HttpRequest httpRequest) {
        if (httpRequest.method() != RestRequest.Method.OPTIONS) {
            return false;
        }
        this.logger.debug("CORS type {}, address {}, path {}, request {}, content {}", new Object[]{httpRequest.method(), getAddress(httpRequest), httpRequest.path(), httpRequest.params(), httpRequest.content().toUtf8()});
        return true;
    }

    private void logRequest(HttpRequest httpRequest) {
        this.logger.info("Authorization:{}, Host:{}, Path:{}, Request-IP:{}, Client-IP:{}, X-Client-IP{}", new Object[]{httpRequest.header(HEADER_AUTHORIZATION), httpRequest.header("Host"), httpRequest.path(), getAddress(httpRequest).getHostAddress(), httpRequest.header("X-Client-IP"), httpRequest.header("Client-IP")});
    }

    private void logUnAuthorizedRequest(HttpRequest httpRequest) {
        this.logger.warn("UNAUTHORIZED type:{}, address:{}, path:{}, request:{},content:{}, credentials:{}", new Object[]{httpRequest.method(), getAddress(httpRequest).getHostAddress(), httpRequest.path(), httpRequest.params(), httpRequest.content().toUtf8(), getDecodedAuthHeader(httpRequest)});
    }

    private InetAddress getAddress(HttpRequest httpRequest) {
        return ((InetSocketAddress) httpRequest.getRemoteAddress()).getAddress();
    }
}
