package org.elasticsearch.xpack.security.tool;

import java.net.URL;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.stream.Collectors;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import joptsimple.OptionSpecBuilder;
import org.elasticsearch.cli.ProcessInfo;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.ReferenceDocs;
import org.elasticsearch.common.cli.KeyStoreAwareCommand;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.CheckedFunction;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.CommandLineHttpClient;
import org.elasticsearch.xpack.core.security.HttpResponse;
import org.elasticsearch.xpack.core.security.authc.RealmConfig;
import org.elasticsearch.xpack.core.security.authc.RealmSettings;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore;
import org.elasticsearch.xpack.security.authc.file.FileUserRolesStore;
import org.elasticsearch.xpack.security.support.FileAttributesChecker;

/* loaded from: input_file:org/elasticsearch/xpack/security/tool/BaseRunAsSuperuserCommand.class */
public abstract class BaseRunAsSuperuserCommand extends KeyStoreAwareCommand {
    private static final String[] ROLES = {"superuser"};
    private static final int PASSWORD_LENGTH = 14;
    private final OptionSpecBuilder force;
    protected final OptionSpec<String> urlOption;
    private final Function<Environment, CommandLineHttpClient> clientFunction;
    private final CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction;

    public BaseRunAsSuperuserCommand(Function<Environment, CommandLineHttpClient> function, CheckedFunction<Environment, KeyStoreWrapper, Exception> checkedFunction, String str) {
        super(str);
        this.clientFunction = function;
        this.keyStoreFunction = checkedFunction;
        this.force = this.parser.acceptsAll(List.of("f", "force"), "Use this option to force execution of the command against a cluster that is currently unhealthy.");
        this.urlOption = this.parser.accepts("url", "the URL where the elasticsearch node listens for connections.").withRequiredArg();
    }

    public final void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
        Environment environment2;
        Settings settings;
        validate(terminal, optionSet, environment);
        ensureFileRealmEnabled(environment.settings());
        KeyStoreWrapper keyStoreWrapper = (KeyStoreWrapper) this.keyStoreFunction.apply(environment);
        if (keyStoreWrapper != null) {
            decryptKeyStore(keyStoreWrapper, terminal);
            Settings.Builder builder = Settings.builder();
            builder.put(environment.settings(), true);
            if (builder.getSecureSettings() == null) {
                builder.setSecureSettings(keyStoreWrapper);
            }
            settings = builder.build();
            environment2 = new Environment(settings, environment.configDir());
        } else {
            environment2 = environment;
            settings = environment.settings();
        }
        String generateUsername = CommandUtils.generateUsername("autogenerated_", null, 8);
        try {
            try {
                SecureString secureString = new SecureString(CommandUtils.generatePassword(PASSWORD_LENGTH));
                try {
                    Hasher resolve = Hasher.resolve((String) XPackSettings.PASSWORD_HASHING_ALGORITHM.get(settings));
                    Path resolveFile = FileUserPasswdStore.resolveFile(environment2);
                    Path resolveFile2 = FileUserRolesStore.resolveFile(environment2);
                    FileAttributesChecker fileAttributesChecker = new FileAttributesChecker(resolveFile, resolveFile2);
                    Map<String, String[]> parseFile = FileUserRolesStore.parseFile(resolveFile2, null);
                    if (parseFile == null) {
                        throw new IllegalStateException("File realm configuration file [" + String.valueOf(resolveFile2) + "] is missing");
                    }
                    HashMap hashMap = new HashMap(parseFile);
                    hashMap.put(generateUsername, ROLES);
                    FileUserRolesStore.writeFile(hashMap, resolveFile2);
                    Map<String, char[]> parseFile2 = FileUserPasswdStore.parseFile(resolveFile, null, settings);
                    if (parseFile2 == null) {
                        throw new IllegalStateException("File realm configuration file [" + String.valueOf(resolveFile) + "] is missing");
                    }
                    HashMap hashMap2 = new HashMap(parseFile2);
                    hashMap2.put(generateUsername, resolve.hash(secureString));
                    FileUserPasswdStore.writeFile(hashMap2, resolveFile);
                    fileAttributesChecker.check(terminal);
                    checkClusterHealthWithRetries(environment2, optionSet, terminal, generateUsername, secureString, 5, optionSet.has(this.force));
                    executeCommand(terminal, optionSet, environment2, generateUsername, secureString);
                    secureString.close();
                } catch (Throwable th) {
                    try {
                        secureString.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (Exception e) {
                throw new UserException(e instanceof UserException ? e.exitCode : 65, e.getMessage());
            }
        } finally {
            cleanup(terminal, environment2, generateUsername);
        }
    }

    private static void cleanup(Terminal terminal, Environment environment, String str) throws Exception {
        Path resolveFile = FileUserPasswdStore.resolveFile(environment);
        Path resolveFile2 = FileUserRolesStore.resolveFile(environment);
        ArrayList arrayList = new ArrayList();
        FileAttributesChecker fileAttributesChecker = new FileAttributesChecker(resolveFile, resolveFile2);
        Map<String, char[]> parseFile = FileUserPasswdStore.parseFile(resolveFile, null, environment.settings());
        if (parseFile == null) {
            arrayList.add("File realm configuration file [" + String.valueOf(resolveFile) + "] is missing");
        } else {
            HashMap hashMap = new HashMap(parseFile);
            char[] cArr = (char[]) hashMap.remove(str);
            if (cArr != null) {
                FileUserPasswdStore.writeFile(hashMap, resolveFile);
                Arrays.fill(cArr, (char) 0);
            }
        }
        Map<String, String[]> parseFile2 = FileUserRolesStore.parseFile(resolveFile2, null);
        if (parseFile2 == null) {
            arrayList.add("File realm configuration file [" + String.valueOf(resolveFile2) + "] is missing");
        } else {
            HashMap hashMap2 = new HashMap(parseFile2);
            if (((String[]) hashMap2.remove(str)) != null) {
                FileUserRolesStore.writeFile(hashMap2, resolveFile2);
            }
        }
        if (!arrayList.isEmpty()) {
            throw new UserException(78, String.join(" , ", arrayList));
        }
        fileAttributesChecker.check(terminal);
    }

    private static void ensureFileRealmEnabled(Settings settings) throws Exception {
        Map map = (Map) RealmSettings.getRealmSettings(settings).entrySet().stream().filter(entry -> {
            return ((RealmConfig.RealmIdentifier) entry.getKey()).getType().equals("file");
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        if (map.size() == 1) {
            if (!((Boolean) ((Setting.AffixSetting) RealmSettings.ENABLED_SETTING.apply("file")).getConcreteSettingForNamespace(((RealmConfig.RealmIdentifier) ((Map.Entry) map.entrySet().iterator().next()).getKey()).getName()).get(settings)).booleanValue()) {
                throw new UserException(78, "File realm must be enabled");
            }
        }
    }

    private void checkClusterHealthWithRetries(Environment environment, OptionSet optionSet, Terminal terminal, String str, SecureString secureString, int i, boolean z) throws Exception {
        CommandLineHttpClient apply = this.clientFunction.apply(environment);
        try {
            HttpResponse execute = apply.execute("GET", CommandLineHttpClient.createURL(optionSet.has(this.urlOption) ? new URL((String) optionSet.valueOf(this.urlOption)) : new URL(apply.getDefaultURL()), "_cluster/health", "?pretty"), str, secureString, () -> {
                return null;
            }, CommandLineHttpClient::responseBuilder);
            int httpStatus = execute.getHttpStatus();
            if (httpStatus != 200) {
                if ((httpStatus != 401 && httpStatus != 403) || i <= 0) {
                    throw new UserException(65, "Failed to determine the health of the cluster. Unexpected http status [" + httpStatus + "]");
                }
                terminal.println(Terminal.Verbosity.VERBOSE, "Unexpected http status [" + httpStatus + "] while attempting to determine cluster health. Will retry at most " + i + " more times.");
                Thread.sleep(1000L);
                checkClusterHealthWithRetries(environment, optionSet, terminal, str, secureString, i - 1, z);
                return;
            }
            String objects = Objects.toString(execute.getResponseBody().get("status"), "");
            if (objects.isEmpty()) {
                throw new UserException(65, "Failed to determine the health of the cluster. Cluster health API did not return a status value.");
            }
            if (!"red".equalsIgnoreCase(objects) || z) {
                return;
            }
            terminal.errorPrintln("Failed to determine the health of the cluster. Cluster health is currently RED.");
            terminal.errorPrintln("This means that some cluster data is unavailable and your cluster is not fully functional.");
            terminal.errorPrintln("The cluster logs (" + String.valueOf(ReferenceDocs.LOGGING) + ") might contain information/indications for the underlying cause");
            terminal.errorPrintln("It is recommended that you resolve the issues with your cluster before continuing");
            terminal.errorPrintln("It is very likely that the command will fail when run against an unhealthy cluster.");
            terminal.errorPrintln("");
            terminal.errorPrintln("If you still want to attempt to execute this command against an unhealthy cluster, you can pass the `-f` parameter.");
            throw new UserException(69, "Failed to determine the health of the cluster. Cluster health is currently RED.");
        } catch (Exception e) {
            throw new UserException(69, "Failed to determine the health of the cluster.", e);
        }
    }

    protected abstract void executeCommand(Terminal terminal, OptionSet optionSet, Environment environment, String str, SecureString secureString) throws Exception;

    protected abstract void validate(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception;
}
