package org.elasticsearch.common.settings;

import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.ClusterStateUpdateTask;
import org.elasticsearch.cluster.LocalNodeMasterListener;
import org.elasticsearch.cluster.metadata.Metadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Priority;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.hash.MessageDigests;
import org.elasticsearch.common.settings.Setting;

/* loaded from: input_file:lib/elasticsearch-7.17.1.jar:org/elasticsearch/common/settings/ConsistentSettingsService.class */
public final class ConsistentSettingsService {
    private static final Logger logger;
    private final Settings settings;
    private final ClusterService clusterService;
    private final Collection<Setting<?>> secureSettingsCollection;
    private final SecretKeyFactory pbkdf2KeyFactory;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:lib/elasticsearch-7.17.1.jar:org/elasticsearch/common/settings/ConsistentSettingsService$HashesPublisher.class */
    public static final class HashesPublisher implements LocalNodeMasterListener {
        final Map<String, String> computedHashesOfConsistentSettings;
        final ClusterService clusterService;

        HashesPublisher(Map<String, String> map, ClusterService clusterService) {
            this.computedHashesOfConsistentSettings = Collections.unmodifiableMap(map);
            this.clusterService = clusterService;
        }

        @Override // org.elasticsearch.cluster.LocalNodeMasterListener
        public void onMaster() {
            this.clusterService.submitStateUpdateTask("publish-secure-settings-hashes", new ClusterStateUpdateTask(Priority.URGENT) { // from class: org.elasticsearch.common.settings.ConsistentSettingsService.HashesPublisher.1
                @Override // org.elasticsearch.cluster.ClusterStateUpdateTask
                public ClusterState execute(ClusterState clusterState) {
                    if (!HashesPublisher.this.computedHashesOfConsistentSettings.equals(clusterState.metadata().hashesOfConsistentSettings())) {
                        return ClusterState.builder(clusterState).metadata(Metadata.builder(clusterState.metadata()).hashesOfConsistentSettings(HashesPublisher.this.computedHashesOfConsistentSettings)).build();
                    }
                    ConsistentSettingsService.logger.debug("Nothing to publish. What is already published matches this node's view.");
                    return clusterState;
                }

                @Override // org.elasticsearch.cluster.ClusterStateUpdateTask, org.elasticsearch.cluster.ClusterStateTaskListener
                public void onFailure(String str, Exception exc) {
                    ConsistentSettingsService.logger.error("unable to publish secure settings hashes", (Throwable) exc);
                }
            });
        }

        @Override // org.elasticsearch.cluster.LocalNodeMasterListener
        public void offMaster() {
            ConsistentSettingsService.logger.trace("I am no longer master, nothing to do");
        }
    }

    public ConsistentSettingsService(Settings settings, ClusterService clusterService, Collection<Setting<?>> collection) {
        this.settings = settings;
        this.clusterService = clusterService;
        this.secureSettingsCollection = collection;
        try {
            this.pbkdf2KeyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("The \"PBKDF2WithHmacSHA512\" algorithm is required for consistent secure settings' hashes", e);
        }
    }

    public LocalNodeMasterListener newHashPublisher() {
        return new HashesPublisher(computeHashesOfConsistentSecureSettings(), this.clusterService);
    }

    public boolean areAllConsistent() {
        ClusterState state = this.clusterService.state();
        Map<String, String> hashesOfConsistentSettings = state.metadata().hashesOfConsistentSettings();
        HashSet<String> hashSet = new HashSet();
        hashSet.addAll(hashesOfConsistentSettings.keySet());
        AtomicBoolean atomicBoolean = new AtomicBoolean(true);
        forEachConcreteSecureSettingDo(secureSetting -> {
            String str = (String) hashesOfConsistentSettings.get(secureSetting.getKey());
            byte[] secretDigest = secureSetting.getSecretDigest(this.settings);
            if (str == null && secretDigest == null) {
                logger.debug("no published hash for the consistent secure setting [{}] but it also does NOT exist on the local node", secureSetting.getKey());
            } else if (str == null && secretDigest != null) {
                logger.warn("no published hash for the consistent secure setting [{}] but it exists on the local node", secureSetting.getKey());
                if (state.nodes().isLocalNodeElectedMaster()) {
                    throw new IllegalStateException("Master node cannot validate consistent setting. No published hash for [" + secureSetting.getKey() + "] but setting exists.");
                }
                atomicBoolean.set(false);
            } else if (str != null && secretDigest == null) {
                logger.warn("the consistent secure setting [{}] does not exist on the local node but there is a published hash for it", secureSetting.getKey());
                atomicBoolean.set(false);
            } else {
                if (!$assertionsDisabled && str == null) {
                    throw new AssertionError();
                }
                if (!$assertionsDisabled && secretDigest == null) {
                    throw new AssertionError();
                }
                String[] split = str.split(ParameterizedMessage.ERROR_MSG_SEPARATOR);
                if (split == null || split.length != 2) {
                    throw new IllegalArgumentException("published hash [" + str + " ] for secure setting [" + secureSetting.getKey() + "] is invalid");
                }
                String str2 = split[0];
                String str3 = split[1];
                String str4 = new String(Base64.getEncoder().encode(computeSaltedPBKDF2Hash(secretDigest, str2.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
                if (false == str3.equals(str4)) {
                    logger.warn("the published hash [{}] of the consistent secure setting [{}] differs from the locally computed one [{}]", str3, secureSetting.getKey(), str4);
                    if (state.nodes().isLocalNodeElectedMaster()) {
                        throw new IllegalStateException("Master node cannot validate consistent setting. The published hash [" + str3 + "] of the consistent secure setting [" + secureSetting.getKey() + "] differs from the locally computed one [" + str4 + "].");
                    }
                    atomicBoolean.set(false);
                }
            }
            hashSet.remove(secureSetting.getKey());
        });
        for (String str : hashSet) {
            Iterator<Setting<?>> it = this.secureSettingsCollection.iterator();
            while (it.hasNext()) {
                if (it.next().match(str)) {
                    logger.warn("the consistent secure setting [{}] does not exist on the local node but there is a published hash for it", str);
                    atomicBoolean.set(false);
                }
            }
        }
        return atomicBoolean.get();
    }

    private void forEachConcreteSecureSettingDo(Consumer<SecureSetting<?>> consumer) {
        for (Setting<?> setting : this.secureSettingsCollection) {
            if (!$assertionsDisabled && !setting.isConsistent()) {
                throw new AssertionError("[" + setting.getKey() + "] is not a consistent setting");
            }
            if (setting instanceof Setting.AffixSetting) {
                ((Setting.AffixSetting) setting).getAllConcreteSettings(this.settings).forEach(setting2 -> {
                    if (!$assertionsDisabled && !(setting2 instanceof SecureSetting)) {
                        throw new AssertionError("[" + setting2.getKey() + "] is not a secure setting");
                    }
                    consumer.accept((SecureSetting) setting2);
                });
            } else if (setting instanceof SecureSetting) {
                consumer.accept((SecureSetting) setting);
            } else if (!$assertionsDisabled) {
                throw new AssertionError("Unrecognized consistent secure setting [" + setting.getKey() + "]");
            }
        }
    }

    private Map<String, String> computeHashesOfConsistentSecureSettings() {
        HashMap hashMap = new HashMap();
        forEachConcreteSecureSettingDo(secureSetting -> {
            byte[] secretDigest = secureSetting.getSecretDigest(this.settings);
            if (secretDigest != null) {
                String randomBase64UUID = UUIDs.randomBase64UUID();
                hashMap.put(secureSetting.getKey(), randomBase64UUID + ParameterizedMessage.ERROR_MSG_SEPARATOR + new String(Base64.getEncoder().encode(computeSaltedPBKDF2Hash(secretDigest, randomBase64UUID.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8));
            }
        });
        return hashMap;
    }

    private byte[] computeSaltedPBKDF2Hash(byte[] bArr, byte[] bArr2) {
        char[] cArr = null;
        try {
            try {
                cArr = MessageDigests.toHexCharArray(bArr);
                byte[] encoded = this.pbkdf2KeyFactory.generateSecret(new PBEKeySpec(cArr, bArr2, 5000, 512)).getEncoded();
                if (cArr != null) {
                    Arrays.fill(cArr, '0');
                }
                return encoded;
            } catch (InvalidKeySpecException e) {
                throw new RuntimeException("Unexpected exception when computing PBKDF2 hash", e);
            }
        } catch (Throwable th) {
            if (cArr != null) {
                Arrays.fill(cArr, '0');
            }
            throw th;
        }
    }

    static {
        $assertionsDisabled = !ConsistentSettingsService.class.desiredAssertionStatus();
        logger = LogManager.getLogger((Class<?>) ConsistentSettingsService.class);
    }
}
