package org.elasticsearch.xpack.security.authc.file.tool;

import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.cli.MultiCommand;
import org.elasticsearch.cli.ProcessInfo;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.cli.EnvironmentAwareCommand;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.Maps;
import org.elasticsearch.common.util.set.Sets;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.authc.support.Hasher;
import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
import org.elasticsearch.xpack.core.security.support.Validation;
import org.elasticsearch.xpack.security.authc.file.FileUserPasswdStore;
import org.elasticsearch.xpack.security.authc.file.FileUserRolesStore;
import org.elasticsearch.xpack.security.authz.store.FileRolesStore;
import org.elasticsearch.xpack.security.support.FileAttributesChecker;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/file/tool/UsersTool.class */
class UsersTool extends MultiCommand {
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/file/tool/UsersTool$AddUserCommand.class */
    public static class AddUserCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> passwordOption;
        private final OptionSpec<String> rolesOption;
        private final OptionSpec<String> arguments;

        AddUserCommand() {
            super("Adds a file user");
            this.passwordOption = this.parser.acceptsAll(Arrays.asList("p", "password"), "The user password").withRequiredArg();
            this.rolesOption = this.parser.acceptsAll(Arrays.asList("r", "roles"), "Comma-separated list of the roles of the user").withRequiredArg().defaultsTo("", new String[0]);
            this.arguments = this.parser.nonOptions("username");
        }

        protected void printAdditionalHelp(Terminal terminal) {
            terminal.println("Adds a file based user to elasticsearch (via internal realm). The user will");
            terminal.println("be added to the \"users\" file and its roles will be added to the");
            terminal.println("\"users_roles\" file in the elasticsearch config directory.");
            terminal.println("");
        }

        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            HashMap hashMap;
            String parseUsername = UsersTool.parseUsername(this.arguments.values(optionSet), environment.settings());
            Validation.Error validateUsername = Validation.Users.validateUsername(parseUsername, !((Boolean) XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(environment.settings())).booleanValue(), environment.settings());
            if (validateUsername != null) {
                throw new UserException(65, "Invalid username [" + parseUsername + "]... " + String.valueOf(validateUsername));
            }
            char[] passwordHash = UsersTool.getPasswordHash(terminal, environment, (String) this.passwordOption.value(optionSet));
            String[] parseRoles = UsersTool.parseRoles(terminal, environment, (String) this.rolesOption.value(optionSet));
            Path resolveFile = FileUserPasswdStore.resolveFile(environment);
            Path resolveFile2 = FileUserRolesStore.resolveFile(environment);
            FileAttributesChecker fileAttributesChecker = new FileAttributesChecker(resolveFile, resolveFile2);
            Map<String, char[]> parseFile = FileUserPasswdStore.parseFile(resolveFile, null, environment.settings());
            if (parseFile == null) {
                throw new UserException(78, "Configuration file [" + String.valueOf(resolveFile) + "] is missing");
            }
            if (parseFile.containsKey(parseUsername)) {
                throw new UserException(70, "User [" + parseUsername + "] already exists");
            }
            HashMap hashMap2 = new HashMap(parseFile);
            hashMap2.put(parseUsername, passwordHash);
            FileUserPasswdStore.writeFile(hashMap2, resolveFile);
            if (parseRoles.length > 0) {
                if (Files.exists(resolveFile2, new LinkOption[0])) {
                    hashMap = new HashMap(FileUserRolesStore.parseFile(resolveFile2, null));
                } else {
                    terminal.println("Roles file [" + String.valueOf(resolveFile2) + "] does not exist, will attempt to create it");
                    hashMap = new HashMap();
                }
                hashMap.put(parseUsername, parseRoles);
                FileUserRolesStore.writeFile(hashMap, resolveFile2);
            }
            fileAttributesChecker.check(terminal);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/file/tool/UsersTool$DeleteUserCommand.class */
    public static class DeleteUserCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> arguments;

        DeleteUserCommand() {
            super("Deletes a file based user");
            this.arguments = this.parser.nonOptions("username");
        }

        protected void printAdditionalHelp(Terminal terminal) {
            terminal.println("Removes an existing file based user from elasticsearch. The user will be");
            terminal.println("removed from the \"users\" file and its roles will be removed from the");
            terminal.println("\"users_roles\" file in the elasticsearch config directory.");
            terminal.println("");
        }

        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            String parseUsername = UsersTool.parseUsername(this.arguments.values(optionSet), environment.settings());
            Path resolveFile = FileUserPasswdStore.resolveFile(environment);
            Path resolveFile2 = FileUserRolesStore.resolveFile(environment);
            FileAttributesChecker fileAttributesChecker = new FileAttributesChecker(resolveFile, resolveFile2);
            Map<String, char[]> parseFile = FileUserPasswdStore.parseFile(resolveFile, null, environment.settings());
            if (parseFile == null) {
                throw new UserException(78, "Configuration file [" + String.valueOf(resolveFile) + "] is missing");
            }
            if (!parseFile.containsKey(parseUsername)) {
                throw new UserException(67, "User [" + parseUsername + "] doesn't exist");
            }
            if (Files.exists(resolveFile, new LinkOption[0])) {
                HashMap hashMap = new HashMap(parseFile);
                if (((char[]) hashMap.remove(parseUsername)) != null) {
                    FileUserPasswdStore.writeFile(hashMap, resolveFile);
                }
            }
            HashMap hashMap2 = new HashMap(FileUserRolesStore.parseFile(resolveFile2, null));
            if (Files.exists(resolveFile2, new LinkOption[0]) && ((String[]) hashMap2.remove(parseUsername)) != null) {
                FileUserRolesStore.writeFile(hashMap2, resolveFile2);
            }
            fileAttributesChecker.check(terminal);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/file/tool/UsersTool$ListCommand.class */
    public static class ListCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> arguments;

        ListCommand() {
            super("List existing file based users and their corresponding roles");
            this.arguments = this.parser.nonOptions("username");
        }

        protected void printAdditionalHelp(Terminal terminal) {
            terminal.println("");
            terminal.println("");
        }

        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            String str = null;
            if (optionSet.has(this.arguments)) {
                str = (String) this.arguments.value(optionSet);
            }
            UsersTool.listUsersAndRoles(terminal, environment, str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/file/tool/UsersTool$PasswordCommand.class */
    public static class PasswordCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> passwordOption;
        private final OptionSpec<String> arguments;

        PasswordCommand() {
            super("Changes the password of an existing file based user");
            this.passwordOption = this.parser.acceptsAll(Arrays.asList("p", "password"), "The user password").withRequiredArg();
            this.arguments = this.parser.nonOptions("username");
        }

        protected void printAdditionalHelp(Terminal terminal) {
            terminal.println("The passwd command changes passwords for file based users. The tool");
            terminal.println("prompts twice for a replacement password. The second entry is compared");
            terminal.println("against the first and both are required to match in order for the");
            terminal.println("password to be changed.");
            terminal.println("");
        }

        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            String parseUsername = UsersTool.parseUsername(this.arguments.values(optionSet), environment.settings());
            char[] passwordHash = UsersTool.getPasswordHash(terminal, environment, (String) this.passwordOption.value(optionSet));
            Path resolveFile = FileUserPasswdStore.resolveFile(environment);
            FileAttributesChecker fileAttributesChecker = new FileAttributesChecker(resolveFile);
            Map<String, char[]> parseFile = FileUserPasswdStore.parseFile(resolveFile, null, environment.settings());
            if (parseFile == null) {
                throw new UserException(78, "Configuration file [" + String.valueOf(resolveFile) + "] is missing");
            }
            if (!parseFile.containsKey(parseUsername)) {
                throw new UserException(67, "User [" + parseUsername + "] doesn't exist");
            }
            HashMap hashMap = new HashMap(parseFile);
            hashMap.put(parseUsername, passwordHash);
            FileUserPasswdStore.writeFile(hashMap, resolveFile);
            fileAttributesChecker.check(terminal);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/file/tool/UsersTool$RolesCommand.class */
    public static class RolesCommand extends EnvironmentAwareCommand {
        private final OptionSpec<String> addOption;
        private final OptionSpec<String> removeOption;
        private final OptionSpec<String> arguments;

        RolesCommand() {
            super("Edit roles of an existing user");
            this.addOption = this.parser.acceptsAll(Arrays.asList("a", "add"), "Adds supplied roles to the specified user").withRequiredArg().defaultsTo("", new String[0]);
            this.removeOption = this.parser.acceptsAll(Arrays.asList("r", "remove"), "Remove supplied roles from the specified user").withRequiredArg().defaultsTo("", new String[0]);
            this.arguments = this.parser.nonOptions("username");
        }

        protected void printAdditionalHelp(Terminal terminal) {
            terminal.println("The roles command allows editing roles for file based users.");
            terminal.println("You can also list a user's roles by omitting the -a and -r");
            terminal.println("parameters.");
            terminal.println("");
        }

        public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
            String parseUsername = UsersTool.parseUsername(this.arguments.values(optionSet), environment.settings());
            String[] parseRoles = UsersTool.parseRoles(terminal, environment, (String) this.addOption.value(optionSet));
            String[] parseRoles2 = UsersTool.parseRoles(terminal, environment, (String) this.removeOption.value(optionSet));
            if (parseRoles2.length == 0 && parseRoles.length == 0) {
                UsersTool.listUsersAndRoles(terminal, environment, parseUsername);
                return;
            }
            Path resolveFile = FileUserPasswdStore.resolveFile(environment);
            Path resolveFile2 = FileUserRolesStore.resolveFile(environment);
            FileAttributesChecker fileAttributesChecker = new FileAttributesChecker(resolveFile, resolveFile2);
            if (!FileUserPasswdStore.parseFile(resolveFile, null, environment.settings()).containsKey(parseUsername)) {
                throw new UserException(67, "User [" + parseUsername + "] doesn't exist");
            }
            Map<String, String[]> parseFile = FileUserRolesStore.parseFile(resolveFile2, null);
            ArrayList arrayList = new ArrayList();
            if (parseFile.get(parseUsername) != null) {
                arrayList.addAll(Arrays.asList(parseFile.get(parseUsername)));
            }
            arrayList.addAll(Arrays.asList(parseRoles));
            arrayList.removeAll(Arrays.asList(parseRoles2));
            Map newMapWithExpectedSize = Maps.newMapWithExpectedSize(parseFile.size());
            newMapWithExpectedSize.putAll(parseFile);
            if (arrayList.isEmpty()) {
                newMapWithExpectedSize.remove(parseUsername);
            } else {
                newMapWithExpectedSize.put(parseUsername, (String[]) new LinkedHashSet(arrayList).toArray(new String[0]));
            }
            FileUserRolesStore.writeFile(newMapWithExpectedSize, resolveFile2);
            fileAttributesChecker.check(terminal);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public UsersTool() {
        super("Manages elasticsearch file users");
        this.subcommands.put("useradd", newAddUserCommand());
        this.subcommands.put("userdel", newDeleteUserCommand());
        this.subcommands.put("passwd", newPasswordCommand());
        this.subcommands.put("roles", newRolesCommand());
        this.subcommands.put("list", newListCommand());
    }

    protected AddUserCommand newAddUserCommand() {
        return new AddUserCommand();
    }

    protected DeleteUserCommand newDeleteUserCommand() {
        return new DeleteUserCommand();
    }

    protected PasswordCommand newPasswordCommand() {
        return new PasswordCommand();
    }

    protected RolesCommand newRolesCommand() {
        return new RolesCommand();
    }

    protected ListCommand newListCommand() {
        return new ListCommand();
    }

    static void listUsersAndRoles(Terminal terminal, Environment environment, String str) throws Exception {
        Path resolveFile = FileUserRolesStore.resolveFile(environment);
        Map<String, String[]> parseFile = FileUserRolesStore.parseFile(resolveFile, null);
        if (parseFile == null) {
            throw new UserException(78, "Configuration file [" + String.valueOf(resolveFile) + "] is missing");
        }
        Path resolveFile2 = FileUserPasswdStore.resolveFile(environment);
        Map<String, char[]> parseFile2 = FileUserPasswdStore.parseFile(resolveFile2, null, environment.settings());
        if (parseFile2 == null) {
            throw new UserException(78, "Configuration file [" + String.valueOf(resolveFile2) + "] is missing");
        }
        Path resolveFile3 = FileRolesStore.resolveFile(environment);
        Set union = Sets.union(FileRolesStore.parseFileForRoleNames(resolveFile3, null), ReservedRolesStore.names());
        if (union == null) {
            throw new UserException(78, "Configuration file [" + String.valueOf(resolveFile3) + "] is missing");
        }
        if (str != null) {
            if (!parseFile2.containsKey(str)) {
                throw new UserException(67, "User [" + str + "] doesn't exist");
            }
            if (!parseFile.containsKey(str)) {
                terminal.println(String.format(Locale.ROOT, "%-15s: -", str));
                return;
            }
            String[] strArr = parseFile.get(str);
            Set difference = Sets.difference(Sets.newHashSet(strArr), union);
            terminal.println(String.format(Locale.ROOT, "%-15s: %s", str, Arrays.stream(markUnknownRoles(strArr, difference)).map(str2 -> {
                return str2 == null ? "-" : str2;
            }).collect(Collectors.joining(","))));
            if (difference.isEmpty()) {
                return;
            }
            Path absolutePath = FileRolesStore.resolveFile(environment).toAbsolutePath();
            terminal.println("");
            terminal.println(" [*]   Role is not in the [" + String.valueOf(absolutePath.toAbsolutePath()) + "] file. If the role has been created using the API, please disregard this message.");
            return;
        }
        boolean z = false;
        boolean z2 = false;
        for (Map.Entry<String, String[]> entry : parseFile.entrySet()) {
            String[] value = entry.getValue();
            Set difference2 = Sets.difference(Sets.newHashSet(value), union);
            terminal.println(String.format(Locale.ROOT, "%-15s: %s", entry.getKey(), String.join(",", markUnknownRoles(value, difference2))));
            z = z || !difference2.isEmpty();
            z2 = true;
        }
        HashSet newHashSet = Sets.newHashSet(parseFile2.keySet());
        newHashSet.removeAll(parseFile.keySet());
        Iterator it = newHashSet.iterator();
        while (it.hasNext()) {
            terminal.println(String.format(Locale.ROOT, "%-15s: -", (String) it.next()));
            z2 = true;
        }
        if (!z2) {
            terminal.println("No users found");
        } else if (z) {
            Path absolutePath2 = FileRolesStore.resolveFile(environment).toAbsolutePath();
            terminal.println("");
            terminal.println(" [*]   Role is not in the [" + String.valueOf(absolutePath2.toAbsolutePath()) + "] file. If the role has been created using the API, please disregard this message.");
        }
    }

    private static String[] markUnknownRoles(String[] strArr, Set<String> set) {
        if (set.isEmpty()) {
            return strArr;
        }
        String[] strArr2 = new String[strArr.length];
        for (int i = 0; i < strArr.length; i++) {
            if (set.contains(strArr[i])) {
                strArr2[i] = strArr[i] + "*";
            } else {
                strArr2[i] = strArr[i];
            }
        }
        return strArr2;
    }

    static String parseUsername(List<String> list, Settings settings) throws UserException {
        if (list.isEmpty()) {
            throw new UserException(64, "Missing username argument");
        }
        if (list.size() > 1) {
            throw new UserException(64, "Expected a single username argument, found extra: " + list.toString());
        }
        String str = list.get(0);
        Validation.Error validateUsername = Validation.Users.validateUsername(str, !((Boolean) XPackSettings.RESERVED_REALM_ENABLED_SETTING.get(settings)).booleanValue(), settings);
        if (validateUsername != null) {
            throw new UserException(65, "Invalid username [" + str + "]... " + String.valueOf(validateUsername));
        }
        return str;
    }

    private static char[] getPasswordHash(Terminal terminal, Environment environment, String str) throws UserException {
        Hasher resolve = Hasher.resolve((String) XPackSettings.PASSWORD_HASHING_ALGORITHM.get(environment.settings()));
        if (((Boolean) XPackSettings.FIPS_MODE_ENABLED.get(environment.settings())).booleanValue() && !resolve.name().toLowerCase(Locale.ROOT).startsWith("pbkdf2")) {
            throw new UserException(78, "Only PBKDF2 is allowed for password hashing in a FIPS 140 JVM. Please set the appropriate value for [ " + XPackSettings.PASSWORD_HASHING_ALGORITHM.getKey() + " ] setting.");
        }
        try {
            SecureString parsePassword = parsePassword(terminal, str);
            try {
                char[] hash = resolve.hash(parsePassword);
                if (parsePassword != null) {
                    parsePassword.close();
                }
                return hash;
            } finally {
            }
        } catch (ElasticsearchException e) {
            throw new UserException(65, "Error storing the password for the new user", e);
        }
    }

    static SecureString parsePassword(Terminal terminal, String str) throws UserException {
        SecureString secureString;
        if (str != null) {
            secureString = new SecureString(str.toCharArray());
            Validation.Error validatePassword = Validation.Users.validatePassword(secureString);
            if (validatePassword != null) {
                throw new UserException(65, "Invalid password..." + String.valueOf(validatePassword));
            }
        } else {
            secureString = new SecureString(terminal.readSecret("Enter new password: "));
            Validation.Error validatePassword2 = Validation.Users.validatePassword(secureString);
            if (validatePassword2 != null) {
                throw new UserException(65, "Invalid password..." + String.valueOf(validatePassword2));
            }
            if (!Arrays.equals(secureString.getChars(), terminal.readSecret("Retype new password: "))) {
                throw new UserException(65, "Password mismatch");
            }
        }
        return secureString;
    }

    private static void verifyRoles(Terminal terminal, Environment environment, String[] strArr) {
        Path resolveFile = FileRolesStore.resolveFile(environment);
        if (!$assertionsDisabled && !Files.exists(resolveFile, new LinkOption[0])) {
            throw new AssertionError();
        }
        Set union = Sets.union(FileRolesStore.parseFileForRoleNames(resolveFile, null), ReservedRolesStore.names());
        Set difference = Sets.difference(Sets.newHashSet(strArr), union);
        if (difference.isEmpty()) {
            return;
        }
        terminal.errorPrintln(String.format(Locale.ROOT, "Warning: The following roles [%s] are not in the [%s] file. Make sure the names are correct. If the names are correct and the roles were created using the API please disregard this message. Nonetheless the user will still be associated with all specified roles", Strings.collectionToCommaDelimitedString(difference), resolveFile.toAbsolutePath()));
        terminal.errorPrintln("Known roles: " + union.toString());
    }

    static String[] parseRoles(Terminal terminal, Environment environment, String str) throws UserException {
        if (str.isEmpty()) {
            return Strings.EMPTY_ARRAY;
        }
        String[] split = str.split(",");
        for (String str2 : split) {
            Validation.Error validateRoleName = Validation.Roles.validateRoleName(str2, true);
            if (validateRoleName != null) {
                throw new UserException(65, "Invalid role [" + str2 + "]... " + String.valueOf(validateRoleName));
            }
        }
        verifyRoles(terminal, environment, split);
        return split;
    }

    static {
        $assertionsDisabled = !UsersTool.class.desiredAssertionStatus();
        new ReservedRolesStore();
    }
}
