package org.elasticsearch.xpack.security.authc.support;

import java.util.Arrays;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.lucene.util.SetOnce;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.discovery.DiscoveryModule;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.xpack.core.XPackSettings;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/support/HttpTlsRuntimeCheck.class */
/**
 * Runtime gate for features that must not be used over a plaintext HTTP interface.
 *
 * <p>When security is enabled and HTTP TLS is disabled, the guarded action is rejected unless the
 * node is bound and published only on loopback transport addresses, or runs with
 * {@code single-node} discovery. In every other configuration the action runs unchanged.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>The loopback decision is derived from the <em>transport</em> bound and publish addresses;
 *       the HTTP interface's own bind addresses are not consulted by this class.</li>
 *   <li>{@code single-node} discovery switches enforcement off regardless of the bound addresses,
 *       so this gate alone does not guarantee TLS on a single-node deployment that is reachable
 *       from other hosts.</li>
 *   <li>The decision is computed once, on the first call that finds a transport, and is reused
 *       afterwards.</li>
 * </ul>
 */
public class HttpTlsRuntimeCheck {
    private static final Logger logger = LogManager.getLogger(HttpTlsRuntimeCheck.class);
    // Flipped to true once `enforce` has been computed; the write to `enforce` precedes it.
    private final AtomicBoolean initialized = new AtomicBoolean(false);
    private final Boolean httpTlsEnabled;
    private final SetOnce<Transport> transportReference;
    private final Boolean securityEnabled;
    private final boolean singleNodeDiscovery;
    // Cached verdict: true means "reject callers because HTTP TLS is required here".
    private boolean enforce;

    /**
     * Captures the settings this check depends on.
     *
     * @param settings node settings; security-enabled, HTTP-SSL-enabled and discovery type are read
     * @param setOnce holder for the transport, which may still be unset when this is constructed
     */
    public HttpTlsRuntimeCheck(Settings settings, SetOnce<Transport> setOnce) {
        this.securityEnabled = (Boolean) XPackSettings.SECURITY_ENABLED.get(settings);
        this.httpTlsEnabled = (Boolean) XPackSettings.HTTP_SSL_ENABLED.get(settings);
        this.singleNodeDiscovery = "single-node".equals(DiscoveryModule.DISCOVERY_TYPE_SETTING.get(settings));
        this.transportReference = setOnce;
    }

    /**
     * Runs {@code runnable} if the TLS requirement is satisfied or does not apply; otherwise
     * reports the failure to {@code consumer} and does not run it.
     *
     * @param consumer receives the exception when the transport is missing or TLS is required
     * @param str feature name substituted into the rejection message
     * @param runnable action to run when the check passes
     */
    public void checkTlsThenExecute(Consumer<Exception> consumer, String str, Runnable runnable) {
        final boolean plaintextHttpWithSecurity = this.securityEnabled.booleanValue() && !this.httpTlsEnabled.booleanValue();
        if (!plaintextHttpWithSecurity) {
            // Security is off or HTTP TLS is on: nothing to enforce.
            runnable.run();
            return;
        }

        if (!this.initialized.get()) {
            final Transport boundTransport = this.transportReference.get();
            if (boundTransport == null) {
                // Fail closed: without a transport the exposure of the node cannot be assessed.
                consumer.accept(new ElasticsearchException("transport cannot be null", new Object[0]));
                return;
            }
            // Concurrent first callers may each compute this; no lock is taken around the
            // check-then-set, and each caller reads the same transport and settings.
            this.enforce = !isLoopbackOnly(boundTransport) && !this.singleNodeDiscovery;
            this.initialized.set(true);
        }

        if (!this.enforce) {
            runnable.run();
            return;
        }

        final ParameterizedMessage rejection = new ParameterizedMessage("[{}] requires TLS for the HTTP interface", str);
        logger.debug(rejection);
        consumer.accept(new ElasticsearchException(rejection.getFormattedMessage(), new Object[0]));
    }

    /**
     * Tells whether every bound transport address and the publish address are loopback addresses.
     */
    private static boolean isLoopbackOnly(Transport transport) {
        final boolean everyBoundAddressIsLoopback = Arrays.stream(transport.boundAddress().boundAddresses())
            .allMatch(boundAddress -> boundAddress.address().getAddress().isLoopbackAddress());
        // Short-circuit: the publish address is only inspected when all bound addresses are loopback.
        return everyBoundAddressIsLoopback
            && transport.boundAddress().publishAddress().address().getAddress().isLoopbackAddress();
    }
}
