package org.elasticsearch.xpack.security.authc.esnative.tool;

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLException;
import joptsimple.OptionParser;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPut;
import org.apache.lucene.analysis.wikipedia.WikipediaTokenizer;
import org.bouncycastle.util.io.Streams;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cli.EnvironmentAwareCommand;
import org.elasticsearch.cli.LoggingAwareMultiCommand;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.common.Booleans;
import org.elasticsearch.common.CheckedBiConsumer;
import org.elasticsearch.common.CheckedFunction;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.json.JsonXContent;
import org.elasticsearch.env.Environment;
import org.elasticsearch.index.reindex.AbstractBulkByScrollRequest;
import org.elasticsearch.xpack.ml.job.process.autodetect.writer.ControlMsgToProcessWriter;
import org.elasticsearch.xpack.ml.job.process.autodetect.writer.RecordWriter;
import org.elasticsearch.xpack.ml.job.process.autodetect.writer.WriterConstants;
import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
import org.elasticsearch.xpack.security.support.Validation;
import org.elasticsearch.xpack.security.user.ElasticUser;
import org.elasticsearch.xpack.security.user.KibanaUser;
import org.elasticsearch.xpack.security.user.LogstashSystemUser;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.class */
public class SetupPasswordTool extends LoggingAwareMultiCommand {
    private static final char[] CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789~!@#$%^&*-_=+?".toCharArray();
    public static final List<String> USERS = Arrays.asList(ElasticUser.NAME, KibanaUser.NAME, LogstashSystemUser.NAME);
    private final CheckedFunction<Environment, CommandLineHttpClient, Exception> clientFunction;
    private final CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction;
    private CommandLineHttpClient client;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool$AutoSetup.class */
    public class AutoSetup extends SetupCommand {
        AutoSetup() {
            super("Uses randomly generated passwords");
        }

        @Override // org.elasticsearch.cli.EnvironmentAwareCommand
        protected void execute(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            terminal.println(Terminal.Verbosity.VERBOSE, "Running with configuration path: " + environment.configFile());
            setupOptions(optionSet, environment);
            checkElasticKeystorePasswordValid(terminal, environment);
            if (this.shouldPrompt) {
                terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", SetupPasswordTool.USERS) + RecordWriter.CONTROL_FIELD_NAME);
                terminal.println("The passwords will be randomly generated and printed to the console.");
                boolean promptYesNo = terminal.promptYesNo("Please confirm that you would like to continue", false);
                terminal.println(IOUtils.LINE_SEPARATOR_UNIX);
                if (!promptYesNo) {
                    throw new UserException(0, "User cancelled operation");
                }
            }
            SecureRandom secureRandom = new SecureRandom();
            changePasswords(str -> {
                return generatePassword(secureRandom, str);
            }, (str2, secureString) -> {
                changedPasswordCallback(terminal, str2, secureString);
            }, terminal);
        }

        private SecureString generatePassword(SecureRandom secureRandom, String str) {
            char[] cArr = new char[20];
            for (int i = 0; i < 20; i++) {
                cArr[i] = SetupPasswordTool.CHARS[secureRandom.nextInt(SetupPasswordTool.CHARS.length)];
            }
            return new SecureString(cArr);
        }

        private void changedPasswordCallback(Terminal terminal, String str, SecureString secureString) {
            terminal.println("Changed password for user " + str + "\nPASSWORD " + str + WriterConstants.EQUALS + ((Object) secureString) + IOUtils.LINE_SEPARATOR_UNIX);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool$InteractiveSetup.class */
    public class InteractiveSetup extends SetupCommand {
        InteractiveSetup() {
            super("Uses passwords entered by a user");
        }

        @Override // org.elasticsearch.cli.EnvironmentAwareCommand
        protected void execute(Terminal terminal, OptionSet optionSet, Environment environment) throws Exception {
            terminal.println(Terminal.Verbosity.VERBOSE, "Running with configuration path: " + environment.configFile());
            setupOptions(optionSet, environment);
            checkElasticKeystorePasswordValid(terminal, environment);
            if (this.shouldPrompt) {
                terminal.println("Initiating the setup of passwords for reserved users " + String.join(",", SetupPasswordTool.USERS) + RecordWriter.CONTROL_FIELD_NAME);
                terminal.println("You will be prompted to enter passwords as the process progresses.");
                boolean promptYesNo = terminal.promptYesNo("Please confirm that you would like to continue", false);
                terminal.println(IOUtils.LINE_SEPARATOR_UNIX);
                if (!promptYesNo) {
                    throw new UserException(0, "User cancelled operation");
                }
            }
            changePasswords(str -> {
                return promptForPassword(terminal, str);
            }, (str2, secureString) -> {
                changedPasswordCallback(terminal, str2, secureString);
            }, terminal);
        }

        private SecureString promptForPassword(Terminal terminal, String str) throws UserException {
            SecureString secureString;
            SecureString secureString2;
            Throwable th;
            while (true) {
                secureString = new SecureString(terminal.readSecret("Enter password for [" + str + "]: "));
                Validation.Error validatePassword = Validation.Users.validatePassword(secureString.getChars());
                if (validatePassword != null) {
                    terminal.println(validatePassword.toString());
                    terminal.println("Try again.");
                    secureString.close();
                } else {
                    secureString2 = new SecureString(terminal.readSecret("Reenter password for [" + str + "]: "));
                    th = null;
                    try {
                        try {
                            if (secureString.equals(secureString2)) {
                                break;
                            }
                            terminal.println("Passwords do not match.");
                            terminal.println("Try again.");
                            secureString.close();
                            if (secureString2 != null) {
                                if (0 != 0) {
                                    try {
                                        secureString2.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                } else {
                                    secureString2.close();
                                }
                            }
                        } finally {
                        }
                    } catch (Throwable th3) {
                        if (secureString2 != null) {
                            if (th != null) {
                                try {
                                    secureString2.close();
                                } catch (Throwable th4) {
                                    th.addSuppressed(th4);
                                }
                            } else {
                                secureString2.close();
                            }
                        }
                        throw th3;
                    }
                }
            }
            if (secureString2 != null) {
                if (0 != 0) {
                    try {
                        secureString2.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    secureString2.close();
                }
            }
            return secureString;
        }

        private void changedPasswordCallback(Terminal terminal, String str, SecureString secureString) {
            terminal.println("Changed password for user [" + str + "]");
        }
    }

    /* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool$SetupCommand.class */
    private abstract class SetupCommand extends EnvironmentAwareCommand {
        boolean shouldPrompt;
        private OptionSpec<String> urlOption;
        private OptionSpec<String> noPromptOption;
        private String elasticUser;
        private SecureString elasticUserPassword;
        private URL url;

        SetupCommand(String str) {
            super(str);
            this.elasticUser = ElasticUser.NAME;
            setParser();
        }

        void setupOptions(OptionSet optionSet, Environment environment) throws Exception {
            SetupPasswordTool.this.client = (CommandLineHttpClient) SetupPasswordTool.this.clientFunction.apply(environment);
            KeyStoreWrapper keyStoreWrapper = (KeyStoreWrapper) SetupPasswordTool.this.keyStoreFunction.apply(environment);
            Throwable th = null;
            try {
                try {
                    String value = this.urlOption.value(optionSet);
                    this.url = new URL(value == null ? SetupPasswordTool.this.client.getDefaultURL() : value);
                    setShouldPrompt(optionSet);
                    keyStoreWrapper.decrypt(new char[0]);
                    this.elasticUserPassword = ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.get(Settings.builder().setSecureSettings(keyStoreWrapper).build());
                    if (keyStoreWrapper != null) {
                        if (0 == 0) {
                            keyStoreWrapper.close();
                            return;
                        }
                        try {
                            keyStoreWrapper.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } catch (Throwable th4) {
                if (keyStoreWrapper != null) {
                    if (th != null) {
                        try {
                            keyStoreWrapper.close();
                        } catch (Throwable th5) {
                            th.addSuppressed(th5);
                        }
                    } else {
                        keyStoreWrapper.close();
                    }
                }
                throw th4;
            }
        }

        private void setParser() {
            this.urlOption = this.parser.acceptsAll(Arrays.asList(ControlMsgToProcessWriter.UPDATE_MESSAGE_CODE, "url"), "The url for the change password request.").withRequiredArg();
            this.noPromptOption = this.parser.acceptsAll(Arrays.asList(WikipediaTokenizer.BOLD, "batch"), "If enabled, run the change password process without prompting the user.").withOptionalArg();
        }

        private void setShouldPrompt(OptionSet optionSet) {
            String value = this.noPromptOption.value(optionSet);
            if (optionSet.has(this.noPromptOption)) {
                this.shouldPrompt = (value == null || Booleans.parseBoolean(value)) ? false : true;
            } else {
                this.shouldPrompt = true;
            }
        }

        void checkElasticKeystorePasswordValid(Terminal terminal, Environment environment) throws Exception {
            URL url = new URL(this.url, (this.url.toURI().getPath() + "/_xpack/security/_authenticate").replaceAll("/+", "/") + "?pretty");
            terminal.println(Terminal.Verbosity.VERBOSE, "");
            terminal.println(Terminal.Verbosity.VERBOSE, "Testing if bootstrap password is valid for " + url.toString());
            try {
                int postURL = SetupPasswordTool.this.client.postURL(HttpGet.METHOD_NAME, url, this.elasticUser, this.elasticUserPassword, () -> {
                    return null;
                }, inputStream -> {
                    verboseLogResponse(inputStream, terminal);
                });
                if (postURL == 401) {
                    terminal.println("");
                    terminal.println("Failed to authenticate user '" + this.elasticUser + "' against " + url.toString());
                    terminal.println("Possible causes include:");
                    terminal.println(" * The password for the '" + this.elasticUser + "' user has already been changed on this cluster");
                    terminal.println(" * Your elasticsearch node is running against a different keystore");
                    terminal.println("   This tool used the keystore at " + KeyStoreWrapper.keystorePath(environment.configFile()));
                    terminal.println("");
                    throw new UserException(78, "Failed to verify bootstrap password");
                }
                if (postURL != 200) {
                    terminal.println("");
                    terminal.println("Unexpected response code [" + postURL + "] from calling GET " + url.toString());
                    terminal.println("Possible causes include:");
                    terminal.println(" * The relative path of the URL is incorrect. Is there a proxy in-between?");
                    terminal.println(" * The protocol (http/https) does not match the port.");
                    terminal.println(" * Is this really an Elasticsearch server?");
                    terminal.println("");
                    throw new UserException(78, "Uknown error");
                }
            } catch (SSLException e) {
                terminal.println("");
                terminal.println("SSL connection to " + url.toString() + " failed: " + e.getMessage());
                terminal.println("Please check the elasticsearch SSL settings under " + CommandLineHttpClient.HTTP_SSL_SETTING);
                terminal.println(Terminal.Verbosity.VERBOSE, "");
                terminal.println(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e));
                terminal.println("");
                throw new UserException(78, "Failed to establish SSL connection to elasticsearch at " + url.toString() + ". ", e);
            } catch (IOException e2) {
                terminal.println("");
                terminal.println("Connection failure to: " + url.toString() + " failed: " + e2.getMessage());
                terminal.println(Terminal.Verbosity.VERBOSE, "");
                terminal.println(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e2));
                terminal.println("");
                throw new UserException(78, "Failed to connect to elasticsearch at " + url.toString() + ". Is the URL correct and elasticsearch running?", e2);
            }
        }

        private void changeUserPassword(String str, SecureString secureString, Terminal terminal) throws Exception {
            URL url = new URL(this.url, (this.url.toURI().getPath() + "/_xpack/security/user/" + str + "/_password").replaceAll("/+", "/") + "?pretty");
            terminal.println(Terminal.Verbosity.VERBOSE, "");
            terminal.println(Terminal.Verbosity.VERBOSE, "Trying user password change call " + url.toString());
            try {
                SecureString m4029clone = secureString.m4029clone();
                int postURL = SetupPasswordTool.this.client.postURL(HttpPut.METHOD_NAME, url, this.elasticUser, this.elasticUserPassword, () -> {
                    try {
                        XContentBuilder contentBuilder = JsonXContent.contentBuilder();
                        contentBuilder.startObject().field("password", m4029clone.toString()).endObject();
                        return contentBuilder.string();
                    } finally {
                        m4029clone.close();
                    }
                }, inputStream -> {
                    verboseLogResponse(inputStream, terminal);
                });
                if (postURL != 200) {
                    terminal.println("");
                    terminal.println("Unexpected response code [" + postURL + "] from calling PUT " + url.toString());
                    terminal.println("Possible next steps:");
                    terminal.println("* Try running this tool again.");
                    terminal.println("* Check the elasticsearch logs for additional error details.");
                    terminal.println("* Use the change password API manually. ");
                    terminal.println("");
                    throw new UserException(75, "Failed to set password for user [" + str + "].");
                }
            } catch (IOException e) {
                terminal.println("");
                terminal.println("Connection failure to: " + url.toString() + " failed: " + e.getMessage());
                terminal.println(Terminal.Verbosity.VERBOSE, "");
                terminal.println(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e));
                terminal.println("");
                throw new UserException(75, "Failed to set password for user [" + str + "].", e);
            }
        }

        /* JADX WARN: Multi-variable type inference failed */
        void changePasswords(CheckedFunction<String, SecureString, UserException> checkedFunction, CheckedBiConsumer<String, SecureString, Exception> checkedBiConsumer, Terminal terminal) throws Exception {
            HashMap hashMap = new HashMap(SetupPasswordTool.USERS.size());
            try {
                for (String str : SetupPasswordTool.USERS) {
                    hashMap.put(str, checkedFunction.apply(str));
                }
                Map.Entry entry = null;
                for (Map.Entry entry2 : hashMap.entrySet()) {
                    if (((String) entry2.getKey()).equals(this.elasticUser)) {
                        entry = entry2;
                    } else {
                        changeUserPassword((String) entry2.getKey(), (SecureString) entry2.getValue(), terminal);
                        checkedBiConsumer.accept(entry2.getKey(), entry2.getValue());
                    }
                }
                if (entry != null) {
                    changeUserPassword((String) entry.getKey(), (SecureString) entry.getValue(), terminal);
                    checkedBiConsumer.accept(entry.getKey(), entry.getValue());
                }
            } finally {
                hashMap.forEach((str2, secureString) -> {
                    secureString.close();
                });
            }
        }

        private void verboseLogResponse(InputStream inputStream, Terminal terminal) throws IOException {
            if (inputStream == null) {
                terminal.println(Terminal.Verbosity.VERBOSE, "<Empty response>");
            } else {
                terminal.println(Terminal.Verbosity.VERBOSE, new String(Streams.readAll(inputStream), StandardCharsets.UTF_8));
            }
        }
    }

    SetupPasswordTool() {
        this(environment -> {
            return new CommandLineHttpClient(environment.settings(), environment);
        }, environment2 -> {
            KeyStoreWrapper load = KeyStoreWrapper.load(environment2.configFile());
            if (load == null) {
                throw new UserException(78, "Elasticsearch keystore file is missing [" + KeyStoreWrapper.keystorePath(environment2.configFile()) + "]");
            }
            return load;
        });
    }

    SetupPasswordTool(CheckedFunction<Environment, CommandLineHttpClient, Exception> checkedFunction, CheckedFunction<Environment, KeyStoreWrapper, Exception> checkedFunction2) {
        super("Sets the passwords for reserved users");
        this.subcommands.put(AbstractBulkByScrollRequest.AUTO_SLICES_VALUE, newAutoSetup());
        this.subcommands.put("interactive", newInteractiveSetup());
        this.clientFunction = checkedFunction;
        this.keyStoreFunction = checkedFunction2;
    }

    protected AutoSetup newAutoSetup() {
        return new AutoSetup();
    }

    protected InteractiveSetup newInteractiveSetup() {
        return new InteractiveSetup();
    }

    public static void main(String[] strArr) throws Exception {
        exit(new SetupPasswordTool().main(strArr, Terminal.DEFAULT));
    }

    OptionParser getParser() {
        return this.parser;
    }
}
