package org.elasticsearch.xpack.security;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.bulk.BackoffPolicy;
import org.elasticsearch.action.support.GroupedActionListener;
import org.elasticsearch.bootstrap.BootstrapInfo;
import org.elasticsearch.bootstrap.ConsoleLoader;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.concurrent.AbstractRunnable;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.env.Environment;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.enrollment.InternalEnrollmentTokenGenerator;
import org.elasticsearch.xpack.security.support.SecurityIndexManager;
import org.elasticsearch.xpack.security.tool.CommandUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/InitialNodeSecurityAutoConfiguration.class */
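/**
 * Startup hook that, on the first node of a cluster with enrollment enabled, generates the
 * {@code elastic} superuser password and the Kibana and node enrollment tokens and prints them,
 * together with the HTTPS CA fingerprint, to the attached console.
 *
 * <p>Security note: the generated password and the enrollment tokens are written only to the
 * console print stream in {@link #outputInformationToConsole}. None of the {@code LOGGER} calls in
 * this class include them (only the CA fingerprint, which is not a secret, is logged). Keep it
 * that way when changing this class, so the secrets do not end up in log files.
 */
public class InitialNodeSecurityAutoConfiguration {
    private static final Logger LOGGER = LogManager.getLogger(InitialNodeSecurityAutoConfiguration.class);
    private static final BackoffPolicy BACKOFF_POLICY = BackoffPolicy.exponentialBackoff();

    /**
     * Callback used to defer work until the node has started: the implementation receives the
     * {@link Runnable} to execute. (The decompiler reports this type as package-private in the
     * original class file; it is kept public here to match the listing.)
     */
    public interface OnNodeStartedListener {
        void run(Runnable runnable);
    }

    private InitialNodeSecurityAutoConfiguration() {
        throw new IllegalStateException("Class should not be instantiated");
    }

    /**
     * Registers the one-off generation of the {@code elastic} password and the enrollment tokens.
     *
     * <p>Nothing happens when enrollment is disabled. When no usable console is available only an
     * informational log line is written and no credentials are generated. Otherwise, once the
     * security index state has been recovered and the index does not exist yet, the work is
     * scheduled on the generic thread pool after the node has started.
     *
     * @param nativeUsersStore store used to create the {@code elastic} user
     * @param securityIndexManager source of the "state recovered" notification
     * @param sSLService passed to the enrollment token generator
     * @param client passed to the enrollment token generator
     * @param environment node environment; its settings decide which steps run
     * @param onNodeStartedListener defers the scheduling until the node has started
     * @param threadPool used to schedule the generation task
     */
    public static void maybeGenerateEnrollmentTokensAndElasticCredentialsOnNodeStartup(
        NativeUsersStore nativeUsersStore,
        SecurityIndexManager securityIndexManager,
        SSLService sSLService,
        Client client,
        Environment environment,
        OnNodeStartedListener onNodeStartedListener,
        ThreadPool threadPool
    ) {
        if (XPackSettings.ENROLLMENT_ENABLED.get(environment.settings()) == false) {
            return;
        }
        // The decompiled listing referred to this instance as "InternalEnrollmentTokenGenerator.this",
        // which is not valid here (the anonymous class below is not nested in that type); the local
        // variable is what the calls are meant to use.
        final InternalEnrollmentTokenGenerator enrollmentTokenGenerator = new InternalEnrollmentTokenGenerator(
            environment,
            sSLService,
            client
        );
        final ConsoleLoader.Console console = getConsole();
        if (console == null) {
            // Without a console there is nowhere safe to show a generated password, so none is created.
            LOGGER.info("Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot  determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user.");
            return;
        }
        securityIndexManager.onStateRecovered(state -> {
            // An existing security index means this is not the initial start of the cluster.
            if (state.indexExists()) {
                return;
            }
            onNodeStartedListener.run(() -> {
                threadPool.schedule(new AbstractRunnable() {
                    public void onFailure(Exception exc) {
                        LOGGER.error("Unexpected exception when auto configuring the initial node for Security", exc);
                    }

                    protected void doRun() {
                        String fingerprint;
                        try {
                            fingerprint = enrollmentTokenGenerator.getHttpsCaFingerprint();
                            LOGGER.info("HTTPS has been configured with automatically generated certificates, and the CA's hex-encoded SHA-256 fingerprint is [" + fingerprint + "]");
                        } catch (Exception e) {
                            fingerprint = null;
                            LOGGER.error("Failed to compute the HTTPS CA fingerprint, probably the certs are not auto-generated", e);
                        }
                        final String httpsCaFingerprint = fingerprint;

                        // Collects exactly three partial results: password, Kibana token, node token.
                        // Every branch below must call onResponse exactly once, otherwise the banner
                        // is never printed.
                        final GroupedActionListener<Map<String, String>> groupedActionListener = new GroupedActionListener<>(
                            3,
                            ActionListener.wrap(results -> {
                                final Map<String, String> merged = new HashMap<>();
                                for (Map<String, String> partial : results) {
                                    merged.putAll(partial);
                                }
                                outputInformationToConsole(
                                    merged.get("generated_elastic_user_password"),
                                    merged.get("kibana_enrollment_token"),
                                    merged.get("node_enrollment_token"),
                                    httpsCaFingerprint,
                                    console
                                );
                            }, failure -> {
                                LOGGER.error("Unexpected exception during security auto-configuration", failure);
                            })
                        );

                        final boolean bootstrapPasswordSet = ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.exists(environment.settings());
                        final boolean autoconfigHashSet = ReservedRealm.AUTOCONFIG_ELASTIC_PASSWORD_HASH.exists(environment.settings());
                        if (bootstrapPasswordSet == false && autoconfigHashSet == false) {
                            final char[] elasticPassword = CommandUtils.generatePassword(20);
                            nativeUsersStore.createElasticUser(elasticPassword, ActionListener.wrap(ignored -> {
                                LOGGER.debug("elastic credentials generated successfully");
                                // The password is copied into an immutable String for display, so this
                                // copy cannot be wiped afterwards.
                                // NOTE(review): the char[] is not cleared here either; confirm whether
                                // createElasticUser still holds it before adding a wipe.
                                groupedActionListener.onResponse(Map.of("generated_elastic_user_password", new String(elasticPassword)));
                            }, failure -> {
                                LOGGER.error("Failed to generate credentials for the elastic built-in superuser", failure);
                                // A missing key makes the banner report that no password could be generated.
                                groupedActionListener.onResponse(Map.of());
                            }));
                        } else {
                            if (bootstrapPasswordSet == false) {
                                LOGGER.info("Auto-configuration will not generate a password for the elastic built-in superuser, you should use the password specified in the node's secure setting [" + ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.getKey() + "] in order to authenticate as elastic");
                            }
                            // An empty value makes the banner skip the password section entirely.
                            groupedActionListener.onResponse(Map.of("generated_elastic_user_password", ""));
                        }

                        // NOTE(review): both token requests receive the same iterator instance; whether
                        // they are meant to share one retry budget depends on how
                        // InternalEnrollmentTokenGenerator consumes it. Confirm against that class.
                        final Iterator<TimeValue> backoff = BACKOFF_POLICY.iterator();
                        enrollmentTokenGenerator.createKibanaEnrollmentToken(kibanaToken -> {
                            if (kibanaToken == null) {
                                groupedActionListener.onResponse(Map.of());
                                return;
                            }
                            try {
                                LOGGER.debug("Successfully generated the kibana enrollment token");
                                groupedActionListener.onResponse(Map.of("kibana_enrollment_token", kibanaToken.getEncoded()));
                            } catch (Exception e) {
                                LOGGER.error("Failed to encode kibana enrollment token", e);
                                groupedActionListener.onResponse(Map.of());
                            }
                        }, backoff);
                        enrollmentTokenGenerator.maybeCreateNodeEnrollmentToken(encodedNodeToken -> {
                            if (encodedNodeToken != null) {
                                groupedActionListener.onResponse(Map.of("node_enrollment_token", encodedNodeToken));
                            } else {
                                groupedActionListener.onResponse(Map.of());
                            }
                        }, backoff);
                    }
                    // NOTE(review): the reason for the fixed 9 second delay is not visible in this
                    // listing; presumably it lets the banner appear after the startup output. Confirm.
                }, TimeValue.timeValueSeconds(9L), threadPool.generic());
            });
        });
    }

    /**
     * Returns the bootstrap console if one exists and can still be written to.
     *
     * <p>An empty line is printed as a probe; if the stream then reports an error the console is
     * treated as unavailable.
     *
     * @return the usable console, or {@code null} when there is none
     */
    private static ConsoleLoader.Console getConsole() {
        final ConsoleLoader.Console console = BootstrapInfo.getConsole();
        if (console == null) {
            return null;
        }
        console.printStream().println();
        return console.printStream().checkError() ? null : console;
    }

    /**
     * Builds the auto-configuration banner and prints it to the console.
     *
     * <p>This is the only place where the generated password and the enrollment tokens are emitted.
     *
     * @param elasticPassword generated password; {@code null} when generation failed, empty when a
     *     password was configured through settings and nothing should be shown
     * @param kibanaEnrollmentToken encoded Kibana token, or {@code null} when none was generated
     * @param nodeEnrollmentToken encoded node token; {@code null} and empty select the two sets of
     *     manual instructions
     * @param caCertFingerprint HTTPS CA fingerprint, or {@code null} when it could not be computed
     * @param console console to print to; its charset, ANSI support and width shape the output
     */
    private static void outputInformationToConsole(
        String elasticPassword,
        String kibanaEnrollmentToken,
        String nodeEnrollmentToken,
        String caCertFingerprint,
        ConsoleLoader.Console console
    ) {
        // Fancy glyphs are only used when the console charset can represent them.
        final boolean unicode = StandardCharsets.UTF_8.equals(console.charset())
            || StandardCharsets.UTF_16.equals(console.charset())
            || StandardCharsets.UTF_16LE.equals(console.charset())
            || StandardCharsets.UTF_16BE.equals(console.charset());
        final String info = unicode ? "ℹ️" : "->";
        final String bullet = unicode ? "•" : "*";
        final String hyphenBullet = unicode ? "⁃" : "-";
        final String cross = unicode ? "❌" : "X";
        final String check = unicode ? "✅" : "->";
        final String horizontalLine = unicode ? "━" : "-";
        final boolean ansi = console.ansiEnabled();
        final String boldOn = ansi ? "\u001b[1m" : "";
        final String boldOff = ansi ? "\u001b[22m" : "";
        final int width = console.width().get();
        final String nl = System.lineSeparator();

        final StringBuilder sb = new StringBuilder();
        sb.append(nl).append(nl).append(nl).append(nl);
        sb.append(horizontalLine.repeat(width));
        sb.append(nl);
        sb.append(check + " Elasticsearch security features have been automatically configured!");
        sb.append(nl);
        sb.append(check + " Authentication is enabled and cluster connections are encrypted.");
        sb.append(nl).append(nl);

        if (elasticPassword == null) {
            sb.append(cross + " Unable to auto-generate the password for the " + boldOn + "elastic" + boldOff + " built-in superuser.");
        } else if (Strings.isEmpty(elasticPassword) == false) {
            sb.append(info + "  Password for the " + boldOn + "elastic" + boldOff + " user (reset with `bin/elasticsearch-reset-password -u elastic`):");
            sb.append(nl);
            sb.append("  " + boldOn + elasticPassword + boldOff);
        }
        sb.append(nl).append(nl);

        if (caCertFingerprint != null) {
            sb.append(info + "  HTTP CA certificate SHA-256 fingerprint:");
            sb.append(nl);
            sb.append("  " + boldOn + caCertFingerprint + boldOff);
        }
        sb.append(nl).append(nl);

        if (kibanaEnrollmentToken != null) {
            sb.append(info + "  Configure Kibana to use this cluster:");
            sb.append(nl);
            sb.append(bullet + " Run Kibana and click the configuration link in the terminal when Kibana starts.");
            sb.append(nl);
            sb.append(bullet + " Copy the following enrollment token and paste it into Kibana in your browser ");
            sb.append("(valid for the next 30 minutes):");
            sb.append(nl);
            sb.append("  " + boldOn + kibanaEnrollmentToken + boldOff);
        } else {
            sb.append(cross + " Unable to generate an enrollment token for Kibana instances, ");
            sb.append("try invoking `bin/elasticsearch-create-enrollment-token -s kibana`.");
        }
        sb.append(nl).append(nl);

        if (nodeEnrollmentToken == null) {
            sb.append(cross + " An enrollment token to enroll new nodes wasn't generated.");
            sb.append(" To add nodes and enroll them into this cluster:");
            sb.append(nl);
            sb.append(bullet + " On this node:");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Restart Elasticsearch.");
            sb.append(nl);
            sb.append(bullet + " On other nodes:");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.");
        } else if (Strings.isEmpty(nodeEnrollmentToken)) {
            sb.append(info + "  Configure other nodes to join this cluster:");
            sb.append(nl);
            sb.append(bullet + " On this node:");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Create an enrollment token with `bin/elasticsearch-create-enrollment-token -s node`.");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Uncomment the " + boldOn + "transport.host" + boldOff + " setting at the end of " + boldOn + "config/elasticsearch.yml" + boldOff + ".");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Restart Elasticsearch.");
            sb.append(nl);
            sb.append(bullet + " On other nodes:");
            sb.append(nl);
            sb.append("  " + hyphenBullet + " Start Elasticsearch with `bin/elasticsearch --enrollment-token <token>`, using the enrollment token that you generated.");
        } else {
            sb.append(info + " Configure other nodes to join this cluster:");
            sb.append(nl);
            sb.append(bullet + " Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token <token>` (valid for the next 30 minutes):");
            sb.append(nl);
            sb.append("  " + boldOn + nodeEnrollmentToken + boldOff);
            sb.append(nl).append(nl);
            sb.append("  If you're running in Docker, copy the enrollment token and run:");
            sb.append(nl);
            sb.append("  `docker run -e \"ENROLLMENT_TOKEN=<token>\" docker.elastic.co/elasticsearch/elasticsearch:" + Version.CURRENT + "`");
        }
        sb.append(nl);
        sb.append(horizontalLine.repeat(width));
        sb.append(nl).append(nl).append(nl).append(nl);
        console.printStream().println(sb);
    }
}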
