package org.elasticsearch.xpack.security.enrollment;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoAction;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.client.internal.OriginSettingClient;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.transport.BoundTransportAddress;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.HttpInfo;
import org.elasticsearch.transport.TransportInfo;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.EnrollmentToken;
import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyAction;
import org.elasticsearch.xpack.core.security.action.apikey.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/enrollment/InternalEnrollmentTokenGenerator.class */
public class InternalEnrollmentTokenGenerator extends BaseEnrollmentTokenGenerator {
    private static final Logger LOGGER;
    private final Environment environment;
    private final SSLService sslService;
    private final Client client;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/enrollment/InternalEnrollmentTokenGenerator$EnrollmentTokenType.class */
    private enum EnrollmentTokenType {
        KIBANA { // from class: org.elasticsearch.xpack.security.enrollment.InternalEnrollmentTokenGenerator.EnrollmentTokenType.1
            @Override // java.lang.Enum
            public String toString() {
                return "cluster:admin/xpack/security/enroll/kibana";
            }
        },
        NODE { // from class: org.elasticsearch.xpack.security.enrollment.InternalEnrollmentTokenGenerator.EnrollmentTokenType.2
            @Override // java.lang.Enum
            public String toString() {
                return "cluster:admin/xpack/security/enroll/node";
            }
        }
    }

    public InternalEnrollmentTokenGenerator(Environment environment, SSLService sSLService, Client client) {
        this.environment = environment;
        this.sslService = sSLService;
        this.client = new OriginSettingClient(client, "security");
    }

    public void maybeCreateNodeEnrollmentToken(Consumer<String> consumer, Iterator<TimeValue> it) {
        this.client.execute(NodesInfoAction.INSTANCE, new NodesInfoRequest(new String[0]).nodesIds(new String[]{"_local"}).addMetrics(new String[]{NodesInfoRequest.Metric.HTTP.metricName(), NodesInfoRequest.Metric.TRANSPORT.metricName()}), ActionListener.wrap(nodesInfoResponse -> {
            if (!$assertionsDisabled && nodesInfoResponse.getNodes().size() != 1) {
                throw new AssertionError();
            }
            NodeInfo nodeInfo = (NodeInfo) nodesInfoResponse.getNodes().get(0);
            TransportInfo info = nodeInfo.getInfo(TransportInfo.class);
            HttpInfo httpInfo = (HttpInfo) nodeInfo.getInfo(HttpInfo.class);
            if (null == info || null == httpInfo) {
                if (it.hasNext()) {
                    LOGGER.debug("Local node's HTTP/transport info is not yet available, will retry...");
                    this.client.threadPool().schedule(() -> {
                        maybeCreateNodeEnrollmentToken(consumer, it);
                    }, (TimeValue) it.next(), "generic");
                    return;
                } else {
                    LOGGER.warn("Unable to get local node's HTTP/transport info after all retries.");
                    consumer.accept(null);
                    return;
                }
            }
            if (((List) splitAddresses(getAllTransportAddresses(info)).v2()).isEmpty()) {
                LOGGER.info("Will not generate node enrollment token because node is only bound on localhost for transport and cannot connect to nodes from other hosts");
                consumer.accept("");
            } else if (((List) splitAddresses(getAllHttpAddresses(httpInfo)).v2()).isEmpty()) {
                LOGGER.info("Will not generate node enrollment token because node is only bound on localhost for HTTPS and cannot enroll nodes from other hosts");
                consumer.accept("");
            } else {
                LOGGER.debug("Attempting to generate the node enrollment token");
                assembleToken(EnrollmentTokenType.NODE, httpInfo, enrollmentToken -> {
                    if (null == enrollmentToken) {
                        consumer.accept(null);
                        return;
                    }
                    try {
                        LOGGER.debug("Successfully generated the node enrollment token");
                        consumer.accept(enrollmentToken.getEncoded());
                    } catch (Exception e) {
                        LOGGER.error("Failed to encode node enrollment token", e);
                        consumer.accept(null);
                    }
                });
            }
        }, exc -> {
            LOGGER.error("Failed to create node enrollment token when retrieving local node's HTTP/transport info", exc);
            consumer.accept(null);
        }));
    }

    public void createKibanaEnrollmentToken(Consumer<EnrollmentToken> consumer, Iterator<TimeValue> it) {
        this.client.execute(NodesInfoAction.INSTANCE, new NodesInfoRequest(new String[0]).nodesIds(new String[]{"_local"}).addMetric(NodesInfoRequest.Metric.HTTP.metricName()), ActionListener.wrap(nodesInfoResponse -> {
            if (!$assertionsDisabled && nodesInfoResponse.getNodes().size() != 1) {
                throw new AssertionError();
            }
            HttpInfo httpInfo = (HttpInfo) ((NodeInfo) nodesInfoResponse.getNodes().get(0)).getInfo(HttpInfo.class);
            if (null != httpInfo) {
                assembleToken(EnrollmentTokenType.KIBANA, httpInfo, consumer);
            } else if (it.hasNext()) {
                LOGGER.info("Local node's HTTP info is not yet available, will retry...");
                this.client.threadPool().schedule(() -> {
                    createKibanaEnrollmentToken(consumer, it);
                }, (TimeValue) it.next(), "generic");
            } else {
                LOGGER.warn("Unable to get local node's HTTP info after all retries.");
                consumer.accept(null);
            }
        }, exc -> {
            LOGGER.error("Failed to create kibana enrollment token when retrieving local nodes HTTP info", exc);
            consumer.accept(null);
        }));
    }

    private void assembleToken(EnrollmentTokenType enrollmentTokenType, HttpInfo httpInfo, Consumer<EnrollmentToken> consumer) {
        if (false == ((Boolean) XPackSettings.ENROLLMENT_ENABLED.get(this.environment.settings())).booleanValue()) {
            LOGGER.error("Cannot create enrollment token [" + enrollmentTokenType + "] because enrollment is disabled with setting [" + XPackSettings.ENROLLMENT_ENABLED.getKey() + "] set to [false]");
            consumer.accept(null);
            return;
        }
        try {
            String httpsCaFingerprint = getHttpsCaFingerprint();
            try {
                List<String> filteredAddresses = getFilteredAddresses(getAllHttpAddresses(httpInfo));
                CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest("enrollment_token_API_key_" + UUIDs.base64UUID(), List.of(new RoleDescriptor("create_enrollment_token", new String[]{enrollmentTokenType.toString()}, (RoleDescriptor.IndicesPrivileges[]) null, (String[]) null)), TimeValue.timeValueMinutes(30L));
                createApiKeyRequest.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE);
                this.client.execute(CreateApiKeyAction.INSTANCE, createApiKeyRequest, ActionListener.wrap(createApiKeyResponse -> {
                    consumer.accept(new EnrollmentToken(createApiKeyResponse.getId() + ":" + createApiKeyResponse.getKey().toString(), httpsCaFingerprint, Version.CURRENT.toString(), filteredAddresses));
                }, exc -> {
                    LOGGER.error("Failed to create enrollment token when generating API key", exc);
                    consumer.accept(null);
                }));
            } catch (Exception e) {
                LOGGER.error("Failed to create enrollment when extracting HTTPS bound addresses", e);
                consumer.accept(null);
            }
        } catch (Exception e2) {
            LOGGER.error("Failed to create enrollment token when computing HTTPS CA fingerprint, possibly the certs are not auto-generated", e2);
            consumer.accept(null);
        }
    }

    public String getHttpsCaFingerprint() throws Exception {
        return getHttpsCaFingerprint(this.sslService);
    }

    private static List<String> getAllHttpAddresses(HttpInfo httpInfo) {
        ArrayList arrayList = new ArrayList();
        collectAllAddresses(httpInfo.getAddress(), arrayList);
        return arrayList;
    }

    private static List<String> getAllTransportAddresses(TransportInfo transportInfo) {
        ArrayList arrayList = new ArrayList();
        collectAllAddresses(transportInfo.getAddress(), arrayList);
        transportInfo.getProfileAddresses().values().forEach(boundTransportAddress -> {
            collectAllAddresses(boundTransportAddress, arrayList);
        });
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void collectAllAddresses(BoundTransportAddress boundTransportAddress, List<String> list) {
        list.add(boundTransportAddress.publishAddress().toString());
        Stream map = Arrays.stream(boundTransportAddress.boundAddresses()).map((v0) -> {
            return v0.toString();
        });
        Objects.requireNonNull(list);
        map.forEach((v1) -> {
            r1.add(v1);
        });
    }

    static {
        $assertionsDisabled = !InternalEnrollmentTokenGenerator.class.desiredAssertionStatus();
        LOGGER = LogManager.getLogger(InternalEnrollmentTokenGenerator.class);
    }
}
