package com.atlassian.elasticsearch.buckler;

import com.atlassian.elasticsearch.buckler.config.AuthConfig;
import com.atlassian.elasticsearch.buckler.config.BucklerConfig;
import com.atlassian.elasticsearch.buckler.security.AuthRateLimiter;
import com.atlassian.elasticsearch.buckler.security.RequestIdentifier;
import io.netty.handler.codec.http.HttpHeaderNames;
import java.util.Collections;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/atlassian/elasticsearch/buckler/RestAuthenticationHandler.class */
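/**
 * Wraps another {@link RestHandler} and requires HTTP Basic credentials before delegating to it.
 *
 * <p>When HTTP authentication is enabled in the {@link BucklerConfig}, a request is forwarded to
 * the wrapped handler only if {@link #allow} accepts it. Every other request receives the same
 * {@code 401 Unauthorized} response carrying a {@code WWW-Authenticate: Basic} challenge, so the
 * response does not reveal whether the request was throttled or presented bad credentials.
 *
 * <p>NOTE(review): credential validation is delegated to {@code AuthConfig.isAuthorized}, whose
 * implementation is not visible here; confirm that it compares secrets in constant time.
 */
class RestAuthenticationHandler implements RestHandler {
    private static final Logger log = LogManager.getLogger(RestAuthenticationHandler.class.getName());
    private final BucklerConfig bucklerConfig;
    private final AuthRateLimiter limiter;
    private final RestHandler restHandler;

    /**
     * @param restHandler     the handler that receives requests which pass authentication
     * @param bucklerConfig   source of the {@link AuthConfig} consulted on every request
     * @param authRateLimiter tracks trusted requests and failures per {@link RequestIdentifier}
     */
    public RestAuthenticationHandler(RestHandler restHandler, BucklerConfig bucklerConfig, AuthRateLimiter authRateLimiter) {
        this.restHandler = restHandler;
        this.bucklerConfig = bucklerConfig;
        this.limiter = authRateLimiter;
    }

    /**
     * Delegates the request when HTTP auth is disabled or the request is authorised; otherwise
     * answers with {@code 401} and a Basic challenge.
     *
     * @throws Exception whatever the wrapped handler throws
     */
    @Override
    public void handleRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
        // Read the auth config once so the "enabled" check and the credential check are made
        // against the same object, even if the config can be swapped at runtime.
        AuthConfig authConfig = this.bucklerConfig.getAuthConfig();
        if (!authConfig.isEnabledForHttp() || allow(restRequest, authConfig)) {
            this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
            return;
        }
        BytesRestResponse bytesRestResponse = new BytesRestResponse(restChannel, RestStatus.UNAUTHORIZED, (Exception) null);
        bytesRestResponse.addHeader(HttpHeaderNames.WWW_AUTHENTICATE.toString(), "Basic realm=\"Restricted\"");
        restChannel.sendResponse(bytesRestResponse);
    }

    /**
     * Decides whether the request may reach the wrapped handler.
     *
     * <ul>
     *   <li>No {@code Authorization} header, or more than one: denied, no failure recorded.</li>
     *   <li>Rate limiter allows the request and the credentials are authorised: allowed, and the
     *       request is recorded as trusted.</li>
     *   <li>Empty header value: denied, no failure recorded.</li>
     *   <li>Anything else: denied, and a failure is recorded with the rate limiter.</li>
     * </ul>
     *
     * <p>Because the limiter is checked before the credentials, a throttled client that presents
     * valid credentials is still denied and still has a failure recorded against it.
     *
     * @return {@code true} only when the request is both within the rate limit and authorised
     */
    private boolean allow(RestRequest restRequest, AuthConfig authConfig) {
        List<String> authHeaders = restRequest.getHeaders()
                .getOrDefault(HttpHeaderNames.AUTHORIZATION.toString(), Collections.emptyList());
        RequestIdentifier requester = RequestIdentifier.from(restRequest);
        // Exactly one Authorization header is required; duplicates are rejected rather than
        // guessing which value the client meant.
        if (authHeaders.size() != 1) {
            return false;
        }
        String credentials = authHeaders.get(0);
        if (this.limiter.isRequestAllowed(requester) && authConfig.isAuthorized(credentials)) {
            this.limiter.addTrustedRequest(requester);
            return true;
        }
        // An empty value is treated like a missing header: denied without counting a failure.
        if ("".equals(credentials)) {
            return false;
        }
        // Record the failure before logging so that a problem while building the log line
        // (for example a channel with no remote address) cannot skip the rate-limit accounting.
        this.limiter.registerFailure(requester);
        // The address object is passed directly so a null address is logged as "null" instead of
        // throwing. The message text is kept verbatim in case log-based alerting matches on it.
        log.warn("Request has been blocked due to AuthRateLimiter settings or and incorrect password from: {}", restRequest.getHttpChannel().getRemoteAddress());
        return false;
    }
}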
