package org.elasticsearch.xpack.security.action.enrollment;

import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.admin.cluster.node.info.NodeInfo;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoAction;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoMetrics;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.support.ActionFilters;
import org.elasticsearch.action.support.HandledTransportAction;
import org.elasticsearch.client.internal.Client;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.ssl.SslKeyConfig;
import org.elasticsearch.common.ssl.StoreKeyConfig;
import org.elasticsearch.common.util.concurrent.EsExecutors;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportInfo;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.core.ClientHelper;
import org.elasticsearch.xpack.core.security.action.enrollment.NodeEnrollmentRequest;
import org.elasticsearch.xpack.core.security.action.enrollment.NodeEnrollmentResponse;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/action/enrollment/TransportNodeEnrollmentAction.class */
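/**
 * Transport handler for the {@code cluster:admin/xpack/security/enroll/node} action.
 *
 * <p>On success the response carries, Base64-encoded: the HTTP layer CA private key and certificate,
 * the transport layer CA certificate, the transport layer private key and certificate, and the
 * transport publish address of every node returned by a nodes-info request.
 *
 * <p>Security note: the response contains private key material taken from the node's keystores.
 * Base64 is an encoding, not a protection, so the response must be treated as a secret
 * (for example, it should never be written to logs). Authorization for this action name is not
 * visible in this class and is assumed to be enforced by the security layer before the handler runs.
 */
public class TransportNodeEnrollmentAction extends HandledTransportAction<NodeEnrollmentRequest, NodeEnrollmentResponse> {
    private final SSLService sslService;
    private final Client client;

    /**
     * Registers the handler under the node-enrollment action name.
     *
     * @param transportService transport service the action is registered with
     * @param sSLService       source of the transport and HTTP SSL configurations
     * @param client           client used to issue the nodes-info request
     * @param actionFilters    action filters passed to the parent handler
     */
    @Inject
    public TransportNodeEnrollmentAction(TransportService transportService, SSLService sSLService, Client client, ActionFilters actionFilters) {
        super("cluster:admin/xpack/security/enroll/node", transportService, actionFilters, NodeEnrollmentRequest::new, EsExecutors.DIRECT_EXECUTOR_SERVICE);
        this.sslService = sSLService;
        this.client = client;
    }

    /**
     * Validates the node's transport and HTTP keystores and, if they are usable for enrollment,
     * answers with the key material and the cluster's transport addresses.
     *
     * <p>Every validation failure completes {@code actionListener} exactly once with a failure and
     * stops processing; no key material is read into a response in that case.
     *
     * @param task                  the task for this execution (unused here)
     * @param nodeEnrollmentRequest the enrollment request (carries no fields read here)
     * @param actionListener        completed with the enrollment response or a failure
     */
    protected void doExecute(Task task, NodeEnrollmentRequest nodeEnrollmentRequest, ActionListener<NodeEnrollmentResponse> actionListener) {
        SslKeyConfig transportKeyConfig = this.sslService.getTransportSSLConfiguration().keyConfig();
        SslKeyConfig httpKeyConfig = this.sslService.getHttpTransportSSLConfiguration().keyConfig();
        if (!(transportKeyConfig instanceof StoreKeyConfig)) {
            actionListener.onFailure(new IllegalStateException("Unable to enroll node. Elasticsearch node transport layer SSL configuration is not configured with a keystore"));
            return;
        }
        if (!(httpKeyConfig instanceof StoreKeyConfig)) {
            actionListener.onFailure(new IllegalStateException("Unable to enroll node. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore"));
            return;
        }
        StoreKeyConfig transportStore = (StoreKeyConfig) transportKeyConfig;
        List<Tuple<PrivateKey, X509Certificate>> transportKeys = transportStore.getKeys();
        // getBasicConstraints() returns -1 for a non-CA certificate, so this keeps only the
        // HTTP keystore entries whose certificate is a CA certificate.
        List<Tuple<PrivateKey, X509Certificate>> httpCaKeys = httpKeyConfig.getKeys()
            .stream()
            .filter(entry -> entry.v2().getBasicConstraints() != -1)
            .toList();
        if (transportKeys.isEmpty()) {
            actionListener.onFailure(new IllegalStateException("Unable to enroll node. Elasticsearch node transport layer SSL configuration doesn't contain any keys"));
            return;
        }
        if (transportKeys.size() > 1) {
            actionListener.onFailure(new IllegalStateException("Unable to enroll node. Elasticsearch node transport layer SSL configuration contains multiple keys"));
            return;
        }
        try {
            List<X509Certificate> transportCaCertificates = transportStore.getConfiguredCertificates()
                .stream()
                .map(stored -> stored.certificate())
                .filter(certificate -> certificate.getBasicConstraints() != -1)
                .collect(Collectors.toList());
            if (transportCaCertificates.size() != 1) {
                actionListener.onFailure(new ElasticsearchException("Unable to enroll Elasticsearch node. Elasticsearch node transport layer SSL configuration Keystore [xpack.security.transport.ssl.keystore] doesn't contain a single CA certificate"));
                // Stop here: falling through would complete the listener a second time (with a
                // response or another failure) and, with an ambiguous CA set, could hand out
                // an arbitrary first CA certificate or index an empty list.
                return;
            }
            if (httpCaKeys.isEmpty()) {
                actionListener.onFailure(new IllegalStateException("Unable to enroll node. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate"));
                return;
            }
            if (httpCaKeys.size() > 1) {
                actionListener.onFailure(new IllegalStateException("Unable to enroll node. Elasticsearch node HTTP layer SSL configuration Keystore contain multiple PrivateKey entries where the associated certificate is a CA certificate"));
                return;
            }
            Tuple<PrivateKey, X509Certificate> httpCa = httpCaKeys.get(0);
            Tuple<PrivateKey, X509Certificate> transportKey = transportKeys.get(0);
            X509Certificate transportCaCertificate = transportCaCertificates.get(0);
            List<String> nodeAddresses = new ArrayList<>();
            NodesInfoRequest nodesInfoRequest = new NodesInfoRequest(new String[0]).addMetric(NodesInfoMetrics.Metric.TRANSPORT.metricName());
            // The nodes-info call is issued under the "security" origin rather than with the
            // caller's own context.
            ClientHelper.executeAsyncWithOrigin(this.client, "security", NodesInfoAction.INSTANCE, nodesInfoRequest, ActionListener.wrap(nodesInfoResponse -> {
                for (NodeInfo nodeInfo : nodesInfoResponse.getNodes()) {
                    nodeAddresses.add(nodeInfo.getInfo(TransportInfo.class).getAddress().publishAddress().toString());
                }
                try {
                    Base64.Encoder encoder = Base64.getEncoder();
                    // SENSITIVE: the first and fourth values are private keys in their encoded
                    // form; they leave this node only inside the response object.
                    String httpCaKey = encoder.encodeToString(httpCa.v1().getEncoded());
                    String httpCaCert = encoder.encodeToString(httpCa.v2().getEncoded());
                    String transportCaCert = encoder.encodeToString(transportCaCertificate.getEncoded());
                    String transportPrivateKey = encoder.encodeToString(transportKey.v1().getEncoded());
                    String transportCert = encoder.encodeToString(transportKey.v2().getEncoded());
                    actionListener.onResponse(new NodeEnrollmentResponse(httpCaKey, httpCaCert, transportCaCert, transportPrivateKey, transportCert, nodeAddresses));
                } catch (CertificateEncodingException e) {
                    actionListener.onFailure(new ElasticsearchException("Unable to enroll node", e));
                }
            }, actionListener::onFailure));
        } catch (Exception e) {
            // NOTE(review): this catch also covers the synchronous part of the nodes-info call,
            // so the message below may not always describe the actual failure; the cause is kept.
            actionListener.onFailure(new ElasticsearchException("Unable to enroll node. Cannot retrieve CA certificate for the transport layer of the Elasticsearch node.", e));
        }
    }

    // Compiler-generated bridge method as surfaced by the decompiler (see the bridge/synthetic
    // markers); it only narrows the argument types and delegates to the typed overload above.
    protected /* bridge */ /* synthetic */ void doExecute(Task task, ActionRequest actionRequest, ActionListener actionListener) {
        doExecute(task, (NodeEnrollmentRequest) actionRequest, (ActionListener<NodeEnrollmentResponse>) actionListener);
    }
}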
