package org.elasticsearch.xpack.security.authc.service;

import java.nio.file.Path;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.function.Predicate;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import org.elasticsearch.cli.EnvironmentAwareCommand;
import org.elasticsearch.cli.LoggingAwareMultiCommand;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.support.Validation;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.authc.service.ServiceAccount;
import org.elasticsearch.xpack.security.authc.service.ServiceAccountToken;
import org.elasticsearch.xpack.security.support.FileAttributesChecker;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/service/FileTokensTool.class */
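/**
 * Command-line tool for managing service-account tokens kept in the file-based
 * token store ({@link FileServiceAccountTokenStore}). Three sub-commands are
 * registered: {@code create}, {@code delete} and {@code list}.
 * <p>
 * Only token <em>hashes</em> are written to the store file (hashed with the
 * {@link Hasher} selected by {@link XPackSettings#SERVICE_TOKEN_HASHING_ALGORITHM}).
 * The clear-text secret is generated in memory, printed exactly once by the
 * {@code create} sub-command and then discarded; it can never be recovered from
 * the file. Every sub-command that modifies the file re-checks its attributes
 * afterwards through {@link FileAttributesChecker} so the operator is warned if
 * ownership or permissions changed as a side effect of the rewrite.
 */
public class FileTokensTool extends LoggingAwareMultiCommand {

    /**
     * Sub-command that generates a new token for a service account and appends
     * its hash to the store file. Fails if a token with the same qualified name
     * already exists, so an existing credential is never silently replaced.
     */
    public static class CreateFileTokenCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> arguments;

        CreateFileTokenCommand() {
            super("Create a file token for specified service account and token name");
            this.arguments = this.parser.nonOptions("service-account-principal token-name");
        }

        /**
         * Creates the token and prints {@code SERVICE_TOKEN <name> = <bearer>} to the terminal.
         *
         * @param terminal    terminal the bearer string is printed to (the only place the secret is exposed)
         * @param optionSet   parsed command line; the two non-option arguments are principal and token name
         * @param environment node environment used to resolve settings and the store file
         * @throws UserException if the arguments are invalid (exit code 64 / 67) or the token
         *                       already exists (exit code 70)
         * @throws Exception     if the store file cannot be read or written
         */
        @Override
        protected void execute(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            final Settings settings = environment.settings();
            final ServiceAccountToken.ServiceAccountTokenId tokenId = FileTokensTool.parsePrincipalAndTokenName(
                this.arguments.values(optionSet),
                settings
            );
            final Hasher hasher = Hasher.resolve(XPackSettings.SERVICE_TOKEN_HASHING_ALGORITHM.get(settings));
            final Path tokensFile = FileServiceAccountTokenStore.resolveFile(environment);

            // Snapshot file attributes before touching the file so check() can report any drift.
            final FileAttributesChecker attributesChecker = new FileAttributesChecker(tokensFile);
            // TreeMap keeps the rewritten file in a stable, sorted order.
            final Map<String, char[]> tokenHashes = new TreeMap<>(FileServiceAccountTokenStore.parseFile(tokensFile, null));

            // try-with-resources clears the in-memory secret as soon as it has been hashed and printed.
            try (ServiceAccountToken token = ServiceAccountToken.newToken(tokenId.getAccountId(), tokenId.getTokenName())) {
                if (tokenHashes.containsKey(token.getQualifiedName())) {
                    // 70 = EX_SOFTWARE
                    throw new UserException(70, "Service token [" + token.getQualifiedName() + "] already exists");
                }
                tokenHashes.put(token.getQualifiedName(), hasher.hash(token.getSecret()));
                FileServiceAccountTokenStore.writeFile(tokensFile, tokenHashes);
                terminal.println("SERVICE_TOKEN " + token.getQualifiedName() + " = " + token.asBearerString());
            }
            // Runs after the token is closed so a failing check cannot trigger a second close().
            attributesChecker.check(terminal);
        }
    }

    /**
     * Sub-command that removes a single token (by qualified name) from the store file.
     */
    public static class DeleteFileTokenCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> arguments;

        DeleteFileTokenCommand() {
            super("Remove a file token for specified service account and token name");
            this.arguments = this.parser.nonOptions("service-account-principal token-name");
        }

        /**
         * Deletes the named token and rewrites the store file.
         *
         * @param terminal    terminal used for attribute-check warnings
         * @param optionSet   parsed command line; the two non-option arguments are principal and token name
         * @param environment node environment used to resolve settings and the store file
         * @throws UserException if the arguments are invalid (exit code 64 / 67) or no such token
         *                       exists (exit code 70)
         * @throws Exception     if the store file cannot be read or written
         */
        @Override
        protected void execute(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            final String qualifiedName = FileTokensTool.parsePrincipalAndTokenName(
                this.arguments.values(optionSet),
                environment.settings()
            ).getQualifiedName();
            final Path tokensFile = FileServiceAccountTokenStore.resolveFile(environment);

            final FileAttributesChecker attributesChecker = new FileAttributesChecker(tokensFile);
            final Map<String, char[]> tokenHashes = new TreeMap<>(FileServiceAccountTokenStore.parseFile(tokensFile, null));

            if (tokenHashes.remove(qualifiedName) == null) {
                // 70 = EX_SOFTWARE
                throw new UserException(70, "Service token [" + qualifiedName + "] does not exist");
            }
            FileServiceAccountTokenStore.writeFile(tokensFile, tokenHashes);
            attributesChecker.check(terminal);
        }
    }

    /**
     * Sub-command that prints the qualified names of stored tokens, optionally
     * restricted to one service-account principal. Only names are printed; hashes
     * never leave the file.
     */
    public static class ListFileTokenCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> arguments;

        ListFileTokenCommand() {
            super("List file tokens for the specified service account");
            this.arguments = this.parser.nonOptions("service-account-principal");
        }

        /**
         * Lists token names, one per line, in sorted order.
         *
         * @param terminal    terminal the names are printed to
         * @param optionSet   parsed command line; at most one non-option argument (the principal)
         * @param environment node environment used to resolve the store file
         * @throws UserException if more than one argument is given (exit code 64) or the
         *                       principal is unknown (exit code 67)
         * @throws Exception     if the store file cannot be read
         */
        @Override
        protected void execute(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            final List<String> values = this.arguments.values(optionSet);
            if (values.size() > 1) {
                // 64 = EX_USAGE
                throw new UserException(
                    64,
                    "Expected at most one argument, service-account-principal, found extra: ["
                        + Strings.collectionToCommaDelimitedString(values)
                        + "]"
                );
            }

            Predicate<String> filter = name -> true;
            if (values.size() == 1) {
                final String principal = values.get(0);
                if (false == ServiceAccountService.isServiceAccountPrincipal(principal)) {
                    // 67 = EX_NOUSER
                    throw new UserException(
                        67,
                        "Unknown service account principal: ["
                            + principal
                            + "]. Must be one of ["
                            + Strings.collectionToDelimitedString(ServiceAccountService.getServiceAccountPrincipals(), ",")
                            + "]"
                    );
                }
                // Qualified names are "<principal>/<token-name>"; the slash keeps "foo" from matching "foobar/...".
                final String prefix = principal + "/";
                filter = filter.and(name -> name.startsWith(prefix));
            }

            final Path tokensFile = FileServiceAccountTokenStore.resolveFile(environment);
            final Map<String, char[]> tokenHashes = new TreeMap<>(FileServiceAccountTokenStore.parseFile(tokensFile, null));
            for (String qualifiedName : tokenHashes.keySet()) {
                if (filter.test(qualifiedName)) {
                    terminal.println(qualifiedName);
                }
            }
        }
    }

    /**
     * Process entry point: runs the multi-command and exits with its status code.
     *
     * @param strArr raw command-line arguments
     * @throws Exception propagated from the command
     */
    public static void main(String[] strArr) throws Exception {
        exit(new FileTokensTool().main(strArr, Terminal.DEFAULT));
    }

    /**
     * Registers the {@code create}, {@code delete} and {@code list} sub-commands.
     */
    public FileTokensTool() {
        super("Manages elasticsearch service account file-tokens");
        // Plain sub-command names; the decompiled form had resolved these literals to
        // LoggingAuditTrail constants of identical value, an artifact with no audit relation.
        this.subcommands.put("create", newCreateFileTokenCommand());
        this.subcommands.put("delete", newDeleteFileTokenCommand());
        this.subcommands.put("list", newListFileTokenCommand());
    }

    /** Factory hook so tests/subclasses can substitute the create sub-command. */
    protected CreateFileTokenCommand newCreateFileTokenCommand() {
        return new CreateFileTokenCommand();
    }

    /** Factory hook so tests/subclasses can substitute the delete sub-command. */
    protected DeleteFileTokenCommand newDeleteFileTokenCommand() {
        return new DeleteFileTokenCommand();
    }

    /** Factory hook so tests/subclasses can substitute the list sub-command. */
    protected ListFileTokenCommand newListFileTokenCommand() {
        return new ListFileTokenCommand();
    }

    /**
     * Validates the {@code <principal> <token-name>} argument pair shared by the
     * create and delete sub-commands.
     *
     * @param list     non-option arguments; exactly two are expected
     * @param settings node settings (currently unused by the validation itself)
     * @return the parsed account id and token name
     * @throws UserException with exit code 64 for a wrong argument count, 67 for an unknown
     *                       principal, 70 for a token name that fails {@link Validation}
     */
    static ServiceAccountToken.ServiceAccountTokenId parsePrincipalAndTokenName(List<String> list, Settings settings) throws UserException {
        if (list.isEmpty()) {
            throw new UserException(64, "Missing service-account-principal and token-name arguments");
        }
        if (list.size() == 1) {
            throw new UserException(64, "Missing token-name argument");
        }
        if (list.size() > 2) {
            throw new UserException(
                64,
                "Expected two arguments, service-account-principal and token-name, found extra: ["
                    + Strings.collectionToCommaDelimitedString(list)
                    + "]"
            );
        }

        final String principal = list.get(0);
        final String tokenName = list.get(1);
        // Reject unknown principals before touching the file so no on-disk state is created for them.
        if (false == ServiceAccountService.isServiceAccountPrincipal(principal)) {
            throw new UserException(
                67,
                "Unknown service account principal: ["
                    + principal
                    + "]. Must be one of ["
                    + Strings.collectionToDelimitedString(ServiceAccountService.getServiceAccountPrincipals(), ",")
                    + "]"
            );
        }
        if (false == Validation.isValidServiceAccountTokenName(tokenName)) {
            throw new UserException(70, Validation.formatInvalidServiceTokenNameErrorMessage(tokenName));
        }
        return new ServiceAccountToken.ServiceAccountTokenId(ServiceAccount.ServiceAccountId.fromPrincipal(principal), tokenName);
    }
}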
