package org.elasticsearch.xpack.security;

import java.io.PrintStream;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.bulk.BackoffPolicy;
import org.elasticsearch.action.support.GroupedActionListener;
import org.elasticsearch.bootstrap.BootstrapInfo;
import org.elasticsearch.client.Client;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.enrollment.InternalEnrollmentTokenGenerator;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.tool.CommandUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/InitialNodeSecurityAutoConfiguration.class */
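/**
 * One-shot security bootstrap that runs when a node starts with enrollment enabled.
 *
 * <p>When the security index does not exist yet, it creates a password for the {@code elastic}
 * built-in superuser plus enrollment tokens for Kibana and for further Elasticsearch nodes, and
 * prints them together with the HTTPS CA fingerprint.
 *
 * <p>Security note: the generated password and the enrollment tokens are written only to the
 * console {@link PrintStream}. None of the {@code LOGGER} calls in this class include them; keep it
 * that way when editing, since log files are usually retained and shipped far more widely than an
 * interactive terminal.
 */
public class InitialNodeSecurityAutoConfiguration {
    private static final Logger LOGGER = LogManager.getLogger(InitialNodeSecurityAutoConfiguration.class);
    private static final BackoffPolicy BACKOFF_POLICY = BackoffPolicy.exponentialBackoff();

    // Number of independent results the grouped listener waits for:
    // elastic password, Kibana enrollment token, node enrollment token.
    private static final int EXPECTED_RESULTS = 3;

    // Validity shown in the console message.
    // NOTE(review): this is a literal here; presumably it mirrors the expiration that the token
    // generator actually applies. Confirm they stay in sync.
    private static final long ENROLLMENT_TOKEN_VALIDITY_MINUTES = 30L;

    // Keys used to hand the individual results to the grouped listener.
    private static final String PASSWORD_KEY = "generated_elastic_user_password";
    private static final String KIBANA_TOKEN_KEY = "kibana_enrollment_token";
    private static final String NODE_TOKEN_KEY = "node_enrollment_token";

    private InitialNodeSecurityAutoConfiguration() {
        throw new IllegalStateException("Class should not be instantiated");
    }

    /**
     * Registers a state-recovered hook that generates and prints the initial credentials.
     *
     * <p>Does nothing when enrollment is disabled in the node settings. When no usable console
     * stream is available, it only logs a hint and registers no hook, so neither a password nor
     * tokens are generated. Otherwise the hook acts only if the security index does not exist.
     *
     * <p>Each of the three producers (password, Kibana token, node token) answers the grouped
     * listener exactly once. A failure is reported as an empty map, so the console summary is still
     * printed with an "Unable to ..." line for that item.
     *
     * @param nativeUsersStore store used to create the {@code elastic} user
     * @param securityIndexManager manager whose state-recovered event triggers the generation
     * @param sSLService passed to the enrollment token generator
     * @param client passed to the enrollment token generator
     * @param environment node environment; its settings decide whether and what to generate
     */
    public static void maybeGenerateEnrollmentTokensAndElasticCredentialsOnNodeStartup(NativeUsersStore nativeUsersStore, SecurityIndexManager securityIndexManager, SSLService sSLService, Client client, Environment environment) {
        if (!XPackSettings.ENROLLMENT_ENABLED.get(environment.settings())) {
            return;
        }
        final InternalEnrollmentTokenGenerator tokenGenerator = new InternalEnrollmentTokenGenerator(environment, sSLService, client);
        final PrintStream console = getConsoleOutput();
        if (console == null) {
            // Without a console there is no channel to show a secret on; deliberately do not fall back to the log.
            LOGGER.info("Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot  determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user.");
            return;
        }
        securityIndexManager.onStateRecovered(state -> {
            if (state.indexExists()) {
                // The security index already exists, so this is not the first start: leave credentials alone.
                return;
            }
            final String caFingerprint = computeHttpsCaFingerprint(tokenGenerator);

            final GroupedActionListener<Map<String, String>> results = new GroupedActionListener<>(ActionListener.wrap(responses -> {
                final Map<String, String> merged = new HashMap<>();
                for (Map<String, String> part : responses) {
                    merged.putAll(part);
                }
                outputInformationToConsole(merged.get(PASSWORD_KEY), merged.get(KIBANA_TOKEN_KEY), merged.get(NODE_TOKEN_KEY), caFingerprint, console);
            }, failure -> {
                LOGGER.error("Unexpected exception during security auto-configuration", failure);
            }), EXPECTED_RESULTS);

            final boolean bootstrapPasswordSet = ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.exists(environment.settings());
            final boolean autoconfigHashSet = ReservedRealm.AUTOCONFIG_ELASTIC_PASSWORD_HASH.exists(environment.settings());
            if (!bootstrapPasswordSet && !autoconfigHashSet) {
                final char[] password = CommandUtils.generatePassword(20);
                // NOTE(review): the password is copied into an immutable String for printing and the
                // char[] is never zeroed here. Confirm whether createElasticUser still references the
                // array after its callback before adding a wipe.
                nativeUsersStore.createElasticUser(password, ActionListener.wrap(ignored -> {
                    LOGGER.debug("elastic credentials generated successfully");
                    results.onResponse(Map.of(PASSWORD_KEY, new String(password)));
                }, createFailure -> {
                    LOGGER.error("Failed to generate credentials for the elastic built-in superuser", createFailure);
                    results.onResponse(Map.of());
                }));
            } else {
                // NOTE(review): this hint names the bootstrap password setting but is emitted only when
                // that setting is absent (i.e. only the auto-configured hash is present). Confirm the
                // condition is the intended one.
                if (!bootstrapPasswordSet) {
                    LOGGER.info("Auto-configuration will not generate a password for the elastic built-in superuser, you should use the password specified in the node's secure setting [" + ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.getKey() + "] in order to authenticate as elastic");
                }
                // The empty string tells the console summary "a password exists and was not changed".
                results.onResponse(Map.of(PASSWORD_KEY, ""));
            }

            // Each token request gets its own backoff iterator. An Iterator is stateful, so sharing a
            // single one would let retries of one request consume delays meant for the other.
            final Iterator<TimeValue> kibanaBackoff = BACKOFF_POLICY.iterator();
            final Iterator<TimeValue> nodeBackoff = BACKOFF_POLICY.iterator();

            tokenGenerator.createKibanaEnrollmentToken(kibanaToken -> {
                // Build the payload first and notify the group exactly once afterwards, so an error
                // while encoding can never lead to a second onResponse call for this producer.
                Map<String, String> payload = Map.of();
                if (kibanaToken != null) {
                    try {
                        payload = Map.of(KIBANA_TOKEN_KEY, kibanaToken.getEncoded());
                        LOGGER.debug("Successfully generated the kibana enrollment token");
                    } catch (Exception e) {
                        LOGGER.error("Failed to encode kibana enrollment token", e);
                    }
                }
                results.onResponse(payload);
            }, kibanaBackoff);

            tokenGenerator.maybeCreateNodeEnrollmentToken(nodeToken -> {
                if (nodeToken == null) {
                    results.onResponse(Map.of());
                } else {
                    results.onResponse(Map.of(NODE_TOKEN_KEY, nodeToken));
                }
            }, nodeBackoff);
        });
    }

    /**
     * Returns the HTTPS CA fingerprint reported by the token generator and logs it, or returns
     * {@code null} (after logging the error) when it cannot be computed.
     */
    private static String computeHttpsCaFingerprint(InternalEnrollmentTokenGenerator tokenGenerator) {
        try {
            final String fingerprint = tokenGenerator.getHttpsCaFingerprint();
            // The fingerprint is not a secret, so logging it is fine.
            LOGGER.info("HTTPS has been configured with automatically generated certificates, and the CA's hex-encoded SHA-256 fingerprint is [" + fingerprint + "]");
            return fingerprint;
        } catch (Exception e) {
            LOGGER.error("Failed to compute the HTTPS CA fingerprint, probably the certs are not auto-generated", e);
            return null;
        }
    }

    /**
     * Returns the bootstrap console stream if it can be written to, otherwise {@code null}.
     *
     * <p>Writability is probed by printing an empty line and checking the stream's error flag.
     */
    private static PrintStream getConsoleOutput() {
        final PrintStream stream = BootstrapInfo.getConsoleOutput();
        if (stream == null) {
            return null;
        }
        stream.println();
        return stream.checkError() ? null : stream;
    }

    /**
     * Prints the one-time summary of generated secrets and follow-up commands to the console.
     *
     * @param str elastic password; {@code null} means generation failed, empty means a password was
     *     already configured and was not changed
     * @param str2 Kibana enrollment token, or {@code null} if it could not be generated
     * @param str3 node enrollment token; {@code null} prints a failure line, empty prints nothing
     * @param str4 HTTPS CA fingerprint, or {@code null} to omit that section
     * @param printStream console stream to write to; this is the only place the secrets are emitted
     */
    private static void outputInformationToConsole(String str, String str2, String str3, String str4, PrintStream printStream) {
        final String nl = System.lineSeparator();
        final String rule = "--------------------------------------------------------------------------------------------------------------";
        final StringBuilder out = new StringBuilder();

        out.append(nl).append(nl).append(rule).append(nl).append(nl);

        if (str == null) {
            out.append("Unable to auto-generate the password for the elastic built-in superuser.");
        } else if (Strings.isEmpty(str)) {
            out.append("The generated password for the elastic built-in superuser has not been changed.");
        } else {
            out.append("The generated password for the elastic built-in superuser is:").append(nl).append(str);
        }
        out.append(nl).append(nl);

        if (str2 == null) {
            out.append("Unable to generate an enrollment token for Kibana instances.");
        } else {
            out.append("The enrollment token for Kibana instances, valid for the next ")
                .append(ENROLLMENT_TOKEN_VALIDITY_MINUTES)
                .append(" minutes:")
                .append(nl)
                .append(str2);
        }
        out.append(nl).append(nl);

        if (str3 == null) {
            out.append("Unable to generate an enrollment token for Elasticsearch nodes.").append(nl).append(nl);
        } else if (!Strings.isEmpty(str3)) {
            out.append("The enrollment token for Elasticsearch instances, valid for the next ")
                .append(ENROLLMENT_TOKEN_VALIDITY_MINUTES)
                .append(" minutes:")
                .append(nl)
                .append(str3)
                .append(nl)
                .append(nl);
        }

        if (str4 != null) {
            out.append("The hex-encoded SHA-256 fingerprint of the generated HTTPS CA DER-encoded certificate:")
                .append(nl)
                .append(str4)
                .append(nl);
        }
        out.append(nl).append(nl);

        out.append("You can complete the following actions at any time:").append(nl);
        out.append("Reset the password of the elastic built-in superuser with 'bin/elasticsearch-reset-password -u elastic'.").append(nl).append(nl);
        out.append("Generate an enrollment token for Kibana instances with 'bin/elasticsearch-create-enrollment-token -s kibana'.").append(nl).append(nl);
        out.append("Generate an enrollment token for Elasticsearch nodes with 'bin/elasticsearch-create-enrollment-token -s node'.").append(nl).append(nl);
        out.append(rule).append(nl).append(nl);

        printStream.println(out);
    }
}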
