package org.elasticsearch.xpack.security.enrollment;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.CheckedSupplier;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.io.Streams;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.core.Tuple;
import org.elasticsearch.env.Environment;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.json.JsonXContent;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.CommandLineHttpClient;
import org.elasticsearch.xpack.core.security.EnrollmentToken;
import org.elasticsearch.xpack.core.security.HttpResponse;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/enrollment/ExternalEnrollmentTokenGenerator.class */
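/**
 * Builds enrollment tokens for nodes and Kibana by calling the HTTP API of a running cluster.
 *
 * <p>A token is assembled from three pieces: the fingerprint of the HTTPS CA, a freshly
 * created API key restricted to a single enrollment action, and the addresses and version
 * reported by the node that answered the request.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The API key response contains a secret, so raw response bodies are never written to
 *       the debug log.</li>
 *   <li>The caller's user name and password are forwarded to whatever {@code URL} is passed in.
 *       NOTE(review): nothing in this class checks the scheme or host of that URL; confirm
 *       that callers only supply a trusted HTTPS endpoint.</li>
 * </ul>
 */
public class ExternalEnrollmentTokenGenerator extends BaseEnrollmentTokenGenerator {
    /** Value sent as the {@code expiration} of the API key embedded in the token. */
    protected static final String ENROLL_API_KEY_EXPIRATION = "30m";
    private static final Logger logger = LogManager.getLogger(ExternalEnrollmentTokenGenerator.class);
    private final Environment environment;
    private final SSLService sslService;
    private final CommandLineHttpClient client;

    /**
     * Creates a generator that talks to the cluster through a new {@link CommandLineHttpClient}.
     *
     * @param environment node environment; its settings are read to check that enrollment is enabled
     * @throws MalformedURLException declared for callers; not thrown by any statement visible here
     */
    public ExternalEnrollmentTokenGenerator(Environment environment) throws MalformedURLException {
        this(environment, new CommandLineHttpClient(environment));
    }

    /**
     * Creates a generator with an explicit HTTP client.
     *
     * @param environment node environment used for settings and to build the {@link SSLService}
     * @param commandLineHttpClient client used for every request made by this class
     */
    protected ExternalEnrollmentTokenGenerator(Environment environment, CommandLineHttpClient commandLineHttpClient) {
        this.environment = environment;
        this.sslService = new SSLService(environment);
        this.client = commandLineHttpClient;
    }

    /**
     * Creates an enrollment token whose API key is limited to the node enrollment action.
     *
     * @param str user name forwarded to the HTTP client (decompiled name; presumably {@code user})
     * @param secureString password forwarded to the HTTP client
     * @param url base URL of the cluster to call
     * @return the assembled enrollment token
     * @throws Exception if enrollment is disabled or any of the HTTP calls fails
     */
    public EnrollmentToken createNodeEnrollmentToken(String str, SecureString secureString, URL url) throws Exception {
        return create(str, secureString, "cluster:admin/xpack/security/enroll/node", url);
    }

    /**
     * Creates an enrollment token whose API key is limited to the Kibana enrollment action.
     *
     * @param str user name forwarded to the HTTP client (decompiled name; presumably {@code user})
     * @param secureString password forwarded to the HTTP client
     * @param url base URL of the cluster to call
     * @return the assembled enrollment token
     * @throws Exception if enrollment is disabled or any of the HTTP calls fails
     */
    public EnrollmentToken createKibanaEnrollmentToken(String str, SecureString secureString, URL url) throws Exception {
        return create(str, secureString, "cluster:admin/xpack/security/enroll/kibana", url);
    }

    /**
     * Assembles an enrollment token for the given action.
     *
     * @param str user name forwarded to the HTTP client
     * @param secureString password forwarded to the HTTP client
     * @param str2 the single cluster privilege granted to the API key placed in the token
     * @param url base URL of the cluster to call
     * @return token holding the API key credentials, CA fingerprint, node version and addresses
     * @throws IllegalStateException if {@code xpack.security.enrollment.enabled} is not {@code true}
     * @throws Exception if either HTTP call fails or returns an unusable response
     */
    protected EnrollmentToken create(String str, SecureString secureString, String str2, URL url) throws Exception {
        // Fail before any credential leaves the process when enrollment is switched off.
        if (!XPackSettings.ENROLLMENT_ENABLED.get(this.environment.settings())) {
            throw new IllegalStateException("[xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token");
        }
        final String fingerprint = getHttpsCaFingerprint(this.sslService);
        final String apiKeyCredentials = getApiKeyCredentials(str, secureString, str2, url);
        final Tuple<List<String>, String> nodeInfo = getNodeInfo(str, secureString, url);
        return new EnrollmentToken(apiKeyCredentials, fingerprint, nodeInfo.v2(), nodeInfo.v1());
    }

    /**
     * Reads an HTTP response stream into a response builder.
     *
     * <p>The body is not logged. This handler is used for the API key creation call, whose
     * response carries the newly created {@code api_key} secret; writing it to the debug log
     * would store a usable credential in the log. Only the body length is recorded.
     *
     * <p>The decompiler notes that this method was {@code private} in the original class; it is
     * left {@code public} here so the visible signature is unchanged.
     *
     * @param inputStream response stream, or {@code null} when there is no body
     * @return a builder holding the body when one was present
     * @throws IOException if the stream cannot be read
     */
    public static HttpResponse.HttpResponseBuilder responseBuilder(InputStream inputStream) throws IOException {
        final HttpResponse.HttpResponseBuilder builder = new HttpResponse.HttpResponseBuilder();
        if (inputStream == null) {
            logger.debug("Error building http response body: null response");
            return builder;
        }
        final String body = Streams.readFully(inputStream).utf8ToString();
        logger.debug("Read http response body of [{}] characters", body.length());
        builder.withResponseBody(body);
        return builder;
    }

    /**
     * Returns the URL of the API key creation endpoint under the given base URL.
     *
     * @param url base URL of the cluster
     * @return {@code url} with {@code /_security/api_key} appended to its path
     * @throws MalformedURLException if the resulting URL is invalid
     * @throws URISyntaxException if {@code url} is not a valid URI
     */
    protected static URL createAPIKeyUrl(URL url) throws MalformedURLException, URISyntaxException {
        return appendPath(url, "/_security/api_key");
    }

    /**
     * Returns the URL of the local node HTTP info endpoint under the given base URL.
     *
     * @param url base URL of the cluster
     * @return {@code url} with {@code /_nodes/_local/http} appended to its path
     * @throws MalformedURLException if the resulting URL is invalid
     * @throws URISyntaxException if {@code url} is not a valid URI
     */
    protected static URL getHttpInfoUrl(URL url) throws MalformedURLException, URISyntaxException {
        return appendPath(url, "/_nodes/_local/http");
    }

    /** Appends {@code suffix} to the path of {@code base}, collapsing runs of slashes into one. */
    private static URL appendPath(URL base, String suffix) throws MalformedURLException, URISyntaxException {
        final String joined = base.toURI().getPath() + suffix;
        return new URL(base, joined.replaceAll("/+", "/"));
    }

    /**
     * Extracts the HTTP addresses of the first node listed in a node info response.
     *
     * <p>The response is expected to have the shape {@code nodes -> <node id> -> http} with
     * {@code bound_address} and {@code publish_address} entries. A response without that shape
     * fails with a runtime exception, as no validation is done here.
     *
     * @param map parsed body of the node info response
     * @return the bound addresses followed by the IP taken from the publish address
     */
    protected static List<String> getBoundAddresses(Map<?, ?> map) {
        final Map<?, ?> nodes = (Map<?, ?>) map.get("nodes");
        final Map<?, ?> firstNode = (Map<?, ?>) nodes.values().iterator().next();
        final Map<?, ?> http = (Map<?, ?>) firstNode.get("http");
        // The element type is not checked at runtime; the response is trusted to hold strings.
        @SuppressWarnings("unchecked")
        final Collection<String> bound = (Collection<String>) http.get("bound_address");
        final List<String> addresses = new ArrayList<>();
        addresses.addAll(bound);
        addresses.add(getIpFromPublishAddress((String) http.get("publish_address")));
        return addresses;
    }

    /**
     * Extracts the version of the first node listed in a node info response.
     *
     * @param map parsed body of the node info response
     * @return the string form of that node's {@code version} entry
     */
    static String getVersion(Map<?, ?> map) {
        final Map<?, ?> nodes = (Map<?, ?>) map.get("nodes");
        final Map<?, ?> firstNode = (Map<?, ?>) nodes.values().iterator().next();
        return firstNode.get("version").toString();
    }

    /**
     * Creates an API key limited to one cluster privilege and returns its credentials.
     *
     * @param str user name forwarded to the HTTP client
     * @param secureString password forwarded to the HTTP client
     * @param str2 the single cluster privilege placed in the key's role descriptor
     * @param url base URL of the cluster to call
     * @return the credentials in the form {@code id:api_key}
     * @throws IllegalStateException if the status is not 200 or the response lacks an id or key
     * @throws Exception if the request itself fails
     */
    protected String getApiKeyCredentials(String str, SecureString secureString, String str2, URL url) throws Exception {
        final CheckedSupplier<String, Exception> requestBody = () -> {
            XContentBuilder contentBuilder = JsonXContent.contentBuilder();
            contentBuilder.startObject()
                .field("name", "enrollment_token_API_key_" + UUIDs.base64UUID())
                .field("expiration", ENROLL_API_KEY_EXPIRATION)
                .startObject("role_descriptors")
                .startObject("create_enrollment_token")
                .array("cluster", new String[] { str2 })
                .endObject()
                .endObject()
                .endObject();
            return Strings.toString(contentBuilder);
        };
        final URL apiKeyUrl = createAPIKeyUrl(url);
        final HttpResponse response = this.client.execute(
            "POST",
            apiKeyUrl,
            str,
            secureString,
            requestBody,
            ExternalEnrollmentTokenGenerator::responseBuilder
        );
        final int httpStatus = response.getHttpStatus();
        if (httpStatus != 200) {
            // The request is a POST; the message previously said GET and ran into the status code.
            logger.error("Error " + httpStatus + " when calling POST " + apiKeyUrl + ". ResponseBody: " + response.getResponseBody());
            throw new IllegalStateException("Unexpected response code [" + httpStatus + "] from calling POST " + apiKeyUrl);
        }
        final String apiKey = Objects.toString(response.getResponseBody().get("api_key"), "");
        final String apiKeyId = Objects.toString(response.getResponseBody().get("id"), "");
        if (Strings.isNullOrEmpty(apiKey) || Strings.isNullOrEmpty(apiKeyId)) {
            throw new IllegalStateException("Could not create an api key.");
        }
        return apiKeyId + ":" + apiKey;
    }

    /**
     * Fetches the HTTP addresses and version of the node that answers the request.
     *
     * @param str user name forwarded to the HTTP client
     * @param secureString password forwarded to the HTTP client
     * @param url base URL of the cluster to call
     * @return the filtered node addresses and the node version
     * @throws IllegalStateException if the status is not 200, or no address or version is found
     * @throws Exception if the request itself fails
     */
    protected Tuple<List<String>, String> getNodeInfo(String str, SecureString secureString, URL url) throws Exception {
        final URL httpInfoUrl = getHttpInfoUrl(url);
        final HttpResponse response = this.client.execute(
            "GET",
            httpInfoUrl,
            str,
            secureString,
            () -> null,
            ExternalEnrollmentTokenGenerator::responseBuilder
        );
        final int httpStatus = response.getHttpStatus();
        if (httpStatus != 200) {
            logger.error("Error " + httpStatus + " when calling GET " + httpInfoUrl + ". ResponseBody: " + response.getResponseBody());
            throw new IllegalStateException("Unexpected response code [" + httpStatus + "] from calling GET " + httpInfoUrl);
        }
        final List<String> boundAddresses = getBoundAddresses(response.getResponseBody());
        if (boundAddresses == null || boundAddresses.isEmpty()) {
            logger.error("No bound addresses found in response from calling GET " + httpInfoUrl + ". ResponseBody: " + response.getResponseBody());
            throw new IllegalStateException("No bound addresses found in response from calling GET " + httpInfoUrl);
        }
        final List<String> filteredAddresses = getFilteredAddresses(boundAddresses);
        final String version = getVersion(response.getResponseBody());
        if (version == null || version.isEmpty()) {
            throw new IllegalStateException("Could not retrieve the version.");
        }
        return new Tuple<>(filteredAddresses, version);
    }
}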
