package org.elasticsearch.xpack.core.ssl;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.net.ssl.TrustManagerFactory;
import org.elasticsearch.common.settings.SecureSetting;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslClientAuthenticationMode;
import org.elasticsearch.common.ssl.SslConfigurationLoader;
import org.elasticsearch.common.ssl.SslVerificationMode;
import org.elasticsearch.common.ssl.X509Field;
import org.elasticsearch.common.util.CollectionUtils;
import org.elasticsearch.xpack.core.common.notifications.AbstractAuditor;
import org.elasticsearch.xpack.core.ml.process.writer.RecordWriter;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.saml.SamlRealmSettings;

/* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings.class */
/**
 * Bundles the concrete {@link Setting} instances that describe one SSL/TLS configuration context
 * under a given key prefix: cipher suites, protocols, trust store, trust restrictions, CA paths,
 * client authentication, verification mode, and the key pair settings held by
 * {@link X509KeyPairSettings}.
 *
 * <p>Each setting is defined once as an {@link SslSetting} (relative name plus a template that
 * builds a {@code Setting} from a full key) and then materialised for a prefix, a realm or a
 * transport profile.
 *
 * <p>NOTE(review): this listing is decompiler output. {@code RecordWriter.CONTROL_FIELD_NAME} and
 * {@code AbstractAuditor.All_RESOURCES_ID} come from unrelated packages and are presumably
 * stand-ins for inlined string constants ({@code "."} and {@code ""}, judging by the adjacent
 * error messages and by {@link #withoutPrefix(boolean)}); confirm against the original source.
 */
public class SSLConfigurationSettings {
    // Key/certificate/keystore settings resolved for the same prefix.
    final X509KeyPairSettings x509KeyPair;
    // Per-instance settings: each is the matching static SslSetting applied to this instance's prefix.
    final Setting<List<String>> ciphers;
    final Setting<List<String>> supportedProtocols;
    final Setting<Optional<String>> truststorePath;
    final Setting<SecureString> truststorePassword;
    final Setting<String> truststoreAlgorithm;
    final Setting<Optional<String>> truststoreType;
    final Setting<Optional<String>> trustRestrictionsPath;
    final Setting<List<X509Field>> trustRestrictionsX509Fields;
    final Setting<List<String>> caPaths;
    final Setting<Optional<SslClientAuthenticationMode>> clientAuth;
    final Setting<Optional<SslVerificationMode>> verificationMode;
    // Deprecated plain-settings form of the truststore password ("truststore.password").
    private final Setting<SecureString> legacyTruststorePassword;
    // Unmodifiable views built once in the constructor.
    private final List<Setting<?>> enabledSettings;
    private final List<Setting<?>> disabledSettings;
    // Static definitions; all are assigned in the static initializer at the bottom of the class.
    private static final Function<String, Setting<List<String>>> CIPHERS_SETTING_TEMPLATE;
    private static final SslSetting<List<String>> CIPHERS;
    private static final SslSetting<List<String>> SUPPORTED_PROTOCOLS;
    private static final SslSetting<Optional<String>> KEYSTORE_PATH;
    private static final SslSetting<SecureString> LEGACY_KEYSTORE_PASSWORD;
    private static final SslSetting<SecureString> KEYSTORE_PASSWORD;
    private static final SslSetting<SecureString> LEGACY_KEYSTORE_KEY_PASSWORD;
    private static final SslSetting<SecureString> KEYSTORE_KEY_PASSWORD;
    public static final SslSetting<Optional<String>> TRUSTSTORE_PATH;
    private static final SslSetting<Optional<String>> KEY_PATH;
    public static final SslSetting<SecureString> LEGACY_TRUSTSTORE_PASSWORD;
    public static final SslSetting<SecureString> TRUSTSTORE_PASSWORD;
    private static final SslSetting<String> KEY_STORE_ALGORITHM;
    public static final Function<String, Setting<String>> TRUST_STORE_ALGORITHM_TEMPLATE;
    public static final SslSetting<String> TRUSTSTORE_ALGORITHM;
    private static final SslSetting<Optional<String>> KEY_STORE_TYPE;
    public static final Function<String, Setting<Optional<String>>> TRUST_STORE_TYPE_TEMPLATE;
    public static final SslSetting<Optional<String>> TRUSTSTORE_TYPE;
    private static final Function<String, Setting<Optional<String>>> TRUST_RESTRICTIONS_PATH_TEMPLATE;
    private static final SslSetting<Optional<String>> TRUST_RESTRICTIONS_PATH;
    public static final Function<String, Setting<List<X509Field>>> TRUST_RESTRICTIONS_X509_FIELDS_TEMPLATE;
    public static final SslSetting<List<X509Field>> TRUST_RESTRICTIONS_X509_FIELDS;
    private static final SslSetting<SecureString> LEGACY_KEY_PASSWORD;
    private static final SslSetting<SecureString> KEY_PASSWORD;
    private static final SslSetting<Optional<String>> CERT;
    public static final Function<String, Setting<List<String>>> CAPATH_SETTING_TEMPLATE;
    public static final SslSetting<List<String>> CERT_AUTH_PATH;
    public static final Function<String, Setting.AffixSetting<List<String>>> CAPATH_SETTING_REALM;
    private static final Function<String, Setting<Optional<SslClientAuthenticationMode>>> CLIENT_AUTH_SETTING_TEMPLATE;
    private static final SslSetting<Optional<SslClientAuthenticationMode>> CLIENT_AUTH_SETTING;
    private static final Function<String, Setting<Optional<SslVerificationMode>>> VERIFICATION_MODE_SETTING_TEMPLATE;
    private static final SslSetting<Optional<SslVerificationMode>> VERIFICATION_MODE;
    public static final Function<String, Setting.AffixSetting<Optional<SslVerificationMode>>> VERIFICATION_MODE_SETTING_REALM;
    // Compiler-generated flag behind `assert`; the `if (!$assertionsDisabled && ...) throw new AssertionError(...)`
    // shapes below are the decompiled form of assert statements and do nothing when assertions are off.
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings$IntendedUse.class */
    /**
     * Which side of a connection the configuration serves. The constructor uses it to decide
     * whether {@code verification_mode} (CLIENT), {@code client_authentication} (SERVER) or both
     * (BOTH) are reported as enabled settings.
     */
    public enum IntendedUse {
        SERVER,
        CLIENT,
        BOTH
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/ssl/SSLConfigurationSettings$SslSetting.class */
    /**
     * A setting definition that is independent of where it is registered: a relative name
     * (for example {@code "truststore.path"}) plus a template that turns a full key into a
     * concrete {@link Setting}.
     *
     * @param <T> value type of the resulting setting
     */
    public static class SslSetting<T> {
        protected final String name;
        protected final Function<String, Setting<T>> template;

        /**
         * @param str      relative setting name
         * @param function template that builds the setting for a full key
         */
        public SslSetting(String str, Function<String, Setting<T>> function) {
            this.name = str;
            this.template = function;
        }

        /**
         * Factory for {@link SecureString}-valued definitions. It constructs the same object as
         * {@link #setting}; only the declared type differs.
         */
        public static SslSetting<SecureString> secureSetting(String str, Function<String, Setting<SecureString>> function) {
            return new SslSetting<>(str, function);
        }

        /** Factory for a definition of any value type. */
        public static <T> SslSetting<T> setting(String str, Function<String, Setting<T>> function) {
            return new SslSetting<>(str, function);
        }

        /** Returns the template function as supplied to the constructor. */
        Function<String, Setting<T>> template() {
            return this.template;
        }

        /** Builds the setting keyed by the bare relative name, with no prefix. */
        Setting<T> rawSetting() {
            return applyTemplate(this.name);
        }

        /**
         * Builds the setting for {@code str + name}.
         *
         * @param str prefix; either empty (equivalent to {@link #rawSetting()}) or ending in the
         *            separator constant
         * @return the concrete setting
         * @throws IllegalArgumentException if the prefix is non-empty and lacks the trailing separator
         * @throws NullPointerException     if {@code str} is null (dereferenced by {@code str.length()})
         */
        public Setting<T> withPrefix(String str) {
            if (str.length() == 0) {
                return rawSetting();
            }
            // NOTE(review): CONTROL_FIELD_NAME is presumably "." (see the message below) - confirm.
            if (str.endsWith(RecordWriter.CONTROL_FIELD_NAME)) {
                return applyTemplate(str + this.name);
            }
            // Unlike the assertion-only checks in the outer class, this check is always active.
            throw new IllegalArgumentException("The ssl config prefix (" + str + ") should end in '.'");
        }

        /** Applies the template to an already complete key. */
        Setting<T> applyTemplate(String str) {
            return this.template.apply(str);
        }

        /**
         * Builds the affix setting for every realm of the given type: prefix
         * {@code xpack.security.authc.realms.<type>.} and suffix
         * {@code SamlRealmSettings.SSL_PREFIX + name}.
         *
         * @param str realm type; concatenated into the key prefix without validation
         */
        public Setting.AffixSetting<T> realm(String str) {
            return affixSetting("xpack.security.authc.realms." + str + ".", SamlRealmSettings.SSL_PREFIX);
        }

        /** Resolves the realm affix setting to the concrete setting for one named realm. */
        public Setting<T> realm(RealmConfig.RealmIdentifier realmIdentifier) {
            return realm(realmIdentifier.getType()).getConcreteSettingForNamespace(realmIdentifier.getName());
        }

        /** Builds the affix setting {@code transport.profiles.*.xpack.security.ssl.<name>}. */
        Setting.AffixSetting<T> transportProfile() {
            return affixSetting("transport.profiles.", "xpack.security.ssl.");
        }

        /**
         * Builds an affix setting from a key prefix and a suffix prefix; the relative name is
         * appended to {@code str2}. No affix dependencies are declared (empty array).
         */
        public Setting.AffixSetting<T> affixSetting(String str, String str2) {
            return Setting.affixKeySetting(str, str2 + this.name, this.template, new Setting.AffixSettingDependency[0]);
        }

        /** Resolves the transport-profile affix setting via {@code getConcreteSetting(str)}. */
        public Setting<T> transportProfile(String str) {
            return transportProfile().getConcreteSetting(str);
        }
    }

    /**
     * Materialises every SSL setting for one prefix and sorts them into enabled and disabled lists.
     *
     * @param str         key prefix; must not be null (checked by assertion only), may be empty
     * @param z           when true the deprecated {@code truststore.password} setting is listed as
     *                    enabled, otherwise as disabled; it is also forwarded to
     *                    {@code X509KeyPairSettings.withPrefix} (presumably the same switch for the
     *                    legacy key and keystore passwords - confirm)
     * @param intendedUse selects which of {@code verification_mode} / {@code client_authentication}
     *                    are enabled
     * @throws IllegalArgumentException from {@link SslSetting#withPrefix} for a non-empty prefix
     *                                  without the trailing separator
     */
    private SSLConfigurationSettings(String str, boolean z, IntendedUse intendedUse) {
        // Decompiled `assert str != null`; with assertions off a null prefix reaches the calls below.
        if (!$assertionsDisabled && str == null) {
            throw new AssertionError("Prefix cannot be null (but can be blank)");
        }
        this.x509KeyPair = X509KeyPairSettings.withPrefix(str, z);
        this.ciphers = CIPHERS.withPrefix(str);
        this.supportedProtocols = SUPPORTED_PROTOCOLS.withPrefix(str);
        this.truststorePath = TRUSTSTORE_PATH.withPrefix(str);
        this.legacyTruststorePassword = LEGACY_TRUSTSTORE_PASSWORD.withPrefix(str);
        this.truststorePassword = TRUSTSTORE_PASSWORD.withPrefix(str);
        this.truststoreAlgorithm = TRUSTSTORE_ALGORITHM.withPrefix(str);
        this.truststoreType = TRUSTSTORE_TYPE.withPrefix(str);
        this.trustRestrictionsPath = TRUST_RESTRICTIONS_PATH.withPrefix(str);
        this.trustRestrictionsX509Fields = TRUST_RESTRICTIONS_X509_FIELDS.withPrefix(str);
        this.caPaths = CERT_AUTH_PATH.withPrefix(str);
        this.clientAuth = CLIENT_AUTH_SETTING.withPrefix(str);
        this.verificationMode = VERIFICATION_MODE.withPrefix(str);
        // Settings enabled for every intended use. Raw types here are a decompiler artifact.
        ArrayList arrayAsArrayList = CollectionUtils.arrayAsArrayList(new Setting[]{this.ciphers, this.supportedProtocols, this.truststorePath, this.truststorePassword, this.truststoreAlgorithm, this.truststoreType, this.trustRestrictionsPath, this.trustRestrictionsX509Fields, this.caPaths});
        // Neither verificationMode nor clientAuth is added to the disabled list when the
        // intended use leaves it out; it is simply absent from both lists.
        switch (intendedUse) {
            case CLIENT:
                arrayAsArrayList.add(this.verificationMode);
                break;
            case SERVER:
                arrayAsArrayList.add(this.clientAuth);
                break;
            case BOTH:
                arrayAsArrayList.addAll(List.of(this.verificationMode, this.clientAuth));
                break;
            default:
                throw new IllegalArgumentException("invalid intended use [" + intendedUse + "]");
        }
        ArrayList arrayList = new ArrayList();
        // The plain-settings truststore password is either accepted (enabled) or explicitly
        // reported as disabled, depending on z.
        if (z) {
            arrayAsArrayList.add(this.legacyTruststorePassword);
        } else {
            arrayList.add(this.legacyTruststorePassword);
        }
        arrayAsArrayList.addAll(this.x509KeyPair.getEnabledSettings());
        arrayList.addAll(this.x509KeyPair.getDisabledSettings());
        this.enabledSettings = Collections.unmodifiableList(arrayAsArrayList);
        this.disabledSettings = Collections.unmodifiableList(arrayList);
    }

    /** Returns the unmodifiable list of settings enabled for this context. */
    public List<Setting<?>> getEnabledSettings() {
        return this.enabledSettings;
    }

    /** Returns the unmodifiable list of settings reported as disabled for this context. */
    public List<Setting<?>> getDisabledSettings() {
        return this.disabledSettings;
    }

    /**
     * Creates the settings with {@code AbstractAuditor.All_RESOURCES_ID} as prefix (presumably
     * the empty string - confirm) and {@link IntendedUse#BOTH}.
     *
     * @param z forwarded to the constructor (legacy password switch)
     */
    public static SSLConfigurationSettings withoutPrefix(boolean z) {
        return new SSLConfigurationSettings(AbstractAuditor.All_RESOURCES_ID, z, IntendedUse.BOTH);
    }

    /**
     * Creates the settings for a prefix with {@link IntendedUse#BOTH}.
     *
     * <p>The trailing-separator check here is the decompiled form of an {@code assert} and is
     * skipped when assertions are disabled. The {@link SslSetting#withPrefix} calls in the
     * constructor still reject a non-empty prefix without the separator, but they accept an
     * empty prefix, which this assertion would not.
     *
     * @param str prefix, expected to end in the separator
     * @param z   forwarded to the constructor (legacy password switch)
     */
    public static SSLConfigurationSettings withPrefix(String str, boolean z) {
        if ($assertionsDisabled || str.endsWith(RecordWriter.CONTROL_FIELD_NAME)) {
            return new SSLConfigurationSettings(str, z, IntendedUse.BOTH);
        }
        throw new AssertionError("The ssl config prefix (" + str + ") should end in '.'");
    }

    /**
     * Same as {@link #withPrefix(String, boolean)} with an explicit intended use; the prefix
     * check is likewise assertion-only.
     */
    public static SSLConfigurationSettings withPrefix(String str, boolean z, IntendedUse intendedUse) {
        if ($assertionsDisabled || str.endsWith(RecordWriter.CONTROL_FIELD_NAME)) {
            return new SSLConfigurationSettings(str, z, intendedUse);
        }
        throw new AssertionError("The ssl config prefix (" + str + ") should end in '.'");
    }

    /**
     * Every static definition, including the legacy and the secure password variants.
     * {@code Arrays.asList} yields a fixed-size list.
     */
    private static Collection<SslSetting<?>> settings() {
        return Arrays.asList(CIPHERS, SUPPORTED_PROTOCOLS, KEYSTORE_PATH, LEGACY_KEYSTORE_PASSWORD, KEYSTORE_PASSWORD, LEGACY_KEYSTORE_KEY_PASSWORD, KEYSTORE_KEY_PASSWORD, TRUSTSTORE_PATH, LEGACY_TRUSTSTORE_PASSWORD, TRUSTSTORE_PASSWORD, KEY_STORE_ALGORITHM, TRUSTSTORE_ALGORITHM, KEY_STORE_TYPE, TRUSTSTORE_TYPE, TRUST_RESTRICTIONS_PATH, TRUST_RESTRICTIONS_X509_FIELDS, KEY_PATH, LEGACY_KEY_PASSWORD, KEY_PASSWORD, CERT, CERT_AUTH_PATH, CLIENT_AUTH_SETTING, VERIFICATION_MODE);
    }

    /**
     * Returns the transport-profile affix setting for every definition in {@link #settings()},
     * as an unmodifiable list.
     */
    public static Collection<Setting<?>> getProfileSettings() {
        return (Collection) settings().stream().map((v0) -> {
            return v0.transportProfile();
        }).collect(Collectors.toUnmodifiableList());
    }

    /**
     * Returns the realm affix setting for every definition in {@link #settings()}.
     *
     * @param str realm type, passed to {@link SslSetting#realm(String)}
     */
    public static Collection<Setting.AffixSetting<?>> getRealmSettings(String str) {
        return (Collection) settings().stream().map(sslSetting -> {
            return sslSetting.realm(str);
        }).collect(Collectors.toList());
    }

    /**
     * Returns those secure settings from {@link #getSecureSettings()} for which
     * {@code Setting.exists(settings)} is true.
     *
     * @param settings the settings to inspect
     */
    public List<Setting<? extends SecureString>> getSecureSettingsInUse(Settings settings) {
        return (List) getSecureSettings().stream().filter(setting -> {
            return setting.exists(settings);
        }).collect(Collectors.toList());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the four secure password settings of this context: truststore password, key
     * password, keystore password and keystore key password. The legacy
     * {@code truststore.password} setting is not part of this list. {@code List.of} rejects
     * null elements, so all four fields must be non-null.
     */
    public List<Setting<? extends SecureString>> getSecureSettings() {
        return List.of(this.truststorePassword, this.x509KeyPair.keyPassword, this.x509KeyPair.keystorePassword, this.x509KeyPair.keystoreKeyPassword);
    }

    // Static initializer. Statement order matters: each *_TEMPLATE is assigned before the
    // SslSetting that captures it, and CERT_AUTH_PATH / VERIFICATION_MODE are assigned before
    // the bound method references (::realm) that capture them as receivers.
    // Every template that builds its Setting here declares Setting.Property.Filtered, except
    // the secure truststore password, which goes through SecureSetting.secureString with an
    // empty property array.
    static {
        $assertionsDisabled = !SSLConfigurationSettings.class.desiredAssertionStatus();
        // Cipher suite names: default is an empty list and values pass through
        // Function.identity(), so no name validation happens at this layer.
        CIPHERS_SETTING_TEMPLATE = str -> {
            return Setting.listSetting(str, List.of(), Function.identity(), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        CIPHERS = SslSetting.setting("cipher_suites", CIPHERS_SETTING_TEMPLATE);
        // Protocol names: same shape as cipher suites (empty default, identity parser).
        SUPPORTED_PROTOCOLS = SslSetting.setting("supported_protocols", str2 -> {
            return Setting.listSetting(str2, List.of(), Function.identity(), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        });
        // Key material definitions reuse the templates declared in X509KeyPairSettings.
        KEYSTORE_PATH = SslSetting.setting("keystore.path", X509KeyPairSettings.KEYSTORE_PATH_TEMPLATE);
        LEGACY_KEYSTORE_PASSWORD = SslSetting.setting("keystore.password", X509KeyPairSettings.LEGACY_KEYSTORE_PASSWORD_TEMPLATE);
        KEYSTORE_PASSWORD = SslSetting.secureSetting("keystore.secure_password", X509KeyPairSettings.KEYSTORE_PASSWORD_TEMPLATE);
        LEGACY_KEYSTORE_KEY_PASSWORD = SslSetting.setting("keystore.key_password", X509KeyPairSettings.LEGACY_KEYSTORE_KEY_PASSWORD_TEMPLATE);
        KEYSTORE_KEY_PASSWORD = SslSetting.secureSetting("keystore.secure_key_password", X509KeyPairSettings.KEYSTORE_KEY_PASSWORD_TEMPLATE);
        // Optional path: the default function returns null and the parser wraps the raw
        // value with Optional.ofNullable, so an unset key yields Optional.empty().
        TRUSTSTORE_PATH = SslSetting.setting("truststore.path", str3 -> {
            return new Setting(str3, settings -> {
                return null;
            }, (v0) -> {
                return Optional.ofNullable(v0);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        });
        KEY_PATH = SslSetting.setting("key", X509KeyPairSettings.KEY_PATH_TEMPLATE);
        // Deprecated form: the password is an ordinary node setting whose string value is
        // wrapped in a SecureString; flagged DeprecatedWarning and Filtered.
        LEGACY_TRUSTSTORE_PASSWORD = SslSetting.setting("truststore.password", str4 -> {
            return new Setting(str4, AbstractAuditor.All_RESOURCES_ID, SecureString::new, new Setting.Property[]{Setting.Property.DeprecatedWarning, Setting.Property.Filtered, Setting.Property.NodeScope});
        });
        // Secure form: the legacy setting for the same prefix is passed as the second
        // argument of SecureSetting.secureString (presumably the fallback - confirm).
        // NOTE(review): String.replace rewrites every occurrence of the literal in the full
        // key, not only the trailing one; a prefix containing it would be altered as well.
        TRUSTSTORE_PASSWORD = SslSetting.secureSetting("truststore.secure_password", str5 -> {
            return SecureSetting.secureString(str5, LEGACY_TRUSTSTORE_PASSWORD.template().apply(str5.replace("truststore.secure_password", "truststore.password")), new Setting.Property[0]);
        });
        KEY_STORE_ALGORITHM = SslSetting.setting("keystore.algorithm", X509KeyPairSettings.KEY_STORE_ALGORITHM_TEMPLATE);
        // Defaults to the JVM's TrustManagerFactory default algorithm, read when the default
        // function is invoked.
        TRUST_STORE_ALGORITHM_TEMPLATE = str6 -> {
            return new Setting(str6, settings -> {
                return TrustManagerFactory.getDefaultAlgorithm();
            }, Function.identity(), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        TRUSTSTORE_ALGORITHM = SslSetting.setting("truststore.algorithm", TRUST_STORE_ALGORITHM_TEMPLATE);
        KEY_STORE_TYPE = SslSetting.setting("keystore.type", X509KeyPairSettings.KEY_STORE_TYPE_TEMPLATE);
        // The truststore type shares the keystore type template.
        TRUST_STORE_TYPE_TEMPLATE = X509KeyPairSettings.KEY_STORE_TYPE_TEMPLATE;
        TRUSTSTORE_TYPE = SslSetting.setting("truststore.type", TRUST_STORE_TYPE_TEMPLATE);
        // Optional path, same shape as truststore.path.
        TRUST_RESTRICTIONS_PATH_TEMPLATE = str7 -> {
            return new Setting(str7, settings -> {
                return null;
            }, (v0) -> {
                return Optional.ofNullable(v0);
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        TRUST_RESTRICTIONS_PATH = SslSetting.setting("trust_restrictions.path", TRUST_RESTRICTIONS_PATH_TEMPLATE);
        // Default list is SslConfigurationLoader.GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS
        // rendered with toString(); each entry is parsed by X509Field.parseForRestrictedTrust.
        TRUST_RESTRICTIONS_X509_FIELDS_TEMPLATE = str8 -> {
            return Setting.listSetting(str8, (List) SslConfigurationLoader.GLOBAL_DEFAULT_RESTRICTED_TRUST_FIELDS.stream().map((v0) -> {
                return v0.toString();
            }).collect(Collectors.toList()), X509Field::parseForRestrictedTrust, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        TRUST_RESTRICTIONS_X509_FIELDS = SslSetting.setting("trust_restrictions.x509_fields", TRUST_RESTRICTIONS_X509_FIELDS_TEMPLATE);
        LEGACY_KEY_PASSWORD = SslSetting.setting("key_passphrase", X509KeyPairSettings.LEGACY_KEY_PASSWORD_TEMPLATE);
        KEY_PASSWORD = SslSetting.secureSetting("secure_key_passphrase", X509KeyPairSettings.KEY_PASSWORD_TEMPLATE);
        CERT = SslSetting.setting("certificate", X509KeyPairSettings.CERT_TEMPLATE);
        // CA certificate paths: empty default, identity parser (paths are not checked here).
        CAPATH_SETTING_TEMPLATE = str9 -> {
            return Setting.listSetting(str9, Collections.emptyList(), Function.identity(), new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        CERT_AUTH_PATH = SslSetting.setting("certificate_authorities", CAPATH_SETTING_TEMPLATE);
        // Decompiled bound method reference CERT_AUTH_PATH::realm; the requireNonNull is the
        // receiver null check javac emits for it.
        SslSetting<List<String>> sslSetting = CERT_AUTH_PATH;
        Objects.requireNonNull(sslSetting);
        CAPATH_SETTING_REALM = sslSetting::realm;
        // Unset -> Optional.empty(); otherwise SslClientAuthenticationMode.parse decides what
        // is accepted. The effective default is chosen by whoever consumes the Optional.
        // NOTE(review): the decompiler reused str10 for the inner lambda parameter; javac
        // rejects that shadowing, so this needs a rename before the listing can be recompiled.
        CLIENT_AUTH_SETTING_TEMPLATE = str10 -> {
            return new Setting(str10, (String) null, str10 -> {
                return str10 == null ? Optional.empty() : Optional.of(SslClientAuthenticationMode.parse(str10));
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        CLIENT_AUTH_SETTING = SslSetting.setting("client_authentication", CLIENT_AUTH_SETTING_TEMPLATE);
        // Unset -> Optional.empty(); otherwise SslVerificationMode.parse. This setting governs
        // peer certificate verification, so the consumer's handling of Optional.empty() defines
        // the default; that handling is not visible in this class.
        // NOTE(review): same decompiler shadowing artifact as above (str11).
        VERIFICATION_MODE_SETTING_TEMPLATE = str11 -> {
            return new Setting(str11, (String) null, str11 -> {
                return str11 == null ? Optional.empty() : Optional.of(SslVerificationMode.parse(str11));
            }, new Setting.Property[]{Setting.Property.NodeScope, Setting.Property.Filtered});
        };
        VERIFICATION_MODE = SslSetting.setting("verification_mode", VERIFICATION_MODE_SETTING_TEMPLATE);
        // Decompiled bound method reference VERIFICATION_MODE::realm.
        SslSetting<Optional<SslVerificationMode>> sslSetting2 = VERIFICATION_MODE;
        Objects.requireNonNull(sslSetting2);
        VERIFICATION_MODE_SETTING_REALM = sslSetting2::realm;
    }
}
