package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport;
import com.floragunn.searchguard.ssl.http.netty.ValidatingDispatcher;
import com.floragunn.searchguard.ssl.rest.SearchGuardSSLInfoAction;
import com.floragunn.searchguard.ssl.transport.DefaultPrincipalExtractor;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport;
import com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportInterceptor;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import io.netty.handler.ssl.OpenSsl;
import io.netty.util.internal.PlatformDependent;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.node.DiscoveryNodes;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.IndexScopedSettings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsFilter;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.plugins.ActionPlugin;
import org.elasticsearch.plugins.NetworkPlugin;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.watcher.ResourceWatcherService;

/* loaded from: input_file:com/floragunn/searchguard/ssl/SearchGuardSSLPlugin.class */
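/**
 * Elasticsearch plugin that registers Search Guard's TLS-enabled HTTP and transport implementations.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 *   <li>Transport TLS is enabled unless configured otherwise; HTTP (REST) TLS is disabled unless
 *       explicitly enabled.</li>
 *   <li>HTTP CRL validation is disabled by default.</li>
 *   <li>If TLS is disabled on both layers the constructor only logs an error; it does not prevent the
 *       node from starting.</li>
 *   <li>Any instance whose {@code client.type} setting is not {@code "node"} is treated as a client and
 *       registers no HTTP transport, REST handler or transport interceptor.</li>
 * </ul>
 */
public final class SearchGuardSSLPlugin extends Plugin implements ActionPlugin, NetworkPlugin {
    private final Logger log = LogManager.getLogger(getClass());
    static final String CLIENT_TYPE = "client.type";

    // Registry keys for the TLS transports. The same literal has to be used when the supplier is
    // registered and when it is selected through "http.type" / "transport.type".
    private static final String HTTP_TRANSPORT_TYPE = "com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport";
    private static final String TRANSPORT_TYPE = "com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyTransport";

    private final boolean client;
    private final boolean httpSSLEnabled;
    private final boolean transportSSLEnabled;
    private final Settings settings;
    private final SearchGuardKeyStore sgks;
    // Assigned in createComponents(); getRestHandlers() requires it to be set.
    private PrincipalExtractor principalExtractor;

    /**
     * Reads the TLS switches from {@code settings}, initialises Netty/OpenSSL in a privileged block and
     * creates the key store.
     *
     * @param settings node settings
     */
    public SearchGuardSSLPlugin(Settings settings) {
        if (Boolean.parseBoolean(System.getProperty("jdk.tls.rejectClientInitiatedRenegotiation"))) {
            this.log.debug("Client side initiated TLS renegotiation disabled. This can prevent DoS attacks. (jdk.tls.rejectClientInitiatedRenegotiation is true).");
        } else {
            final String hint = "Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.";
            this.log.warn(hint);
            // Repeated on both console streams; presumably so the hint is seen even when the log
            // output is not being watched (confirm before removing).
            System.out.println(hint);
            System.err.println(hint);
        }

        // The caller must hold Elasticsearch's SpecialPermission before the privileged block runs.
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        AccessController.doPrivileged((PrivilegedAction<Object>) () -> {
            System.setProperty("es.set.netty.runtime.available.processors", "false");
            // Return values are ignored; these calls look like they exist only to trigger class
            // initialisation inside the privileged context (confirm).
            PlatformDependent.newFixedMpscQueue(1);
            OpenSsl.isAvailable();
            return null;
        });

        this.settings = settings;
        this.client = !"node".equals(this.settings.get(CLIENT_TYPE));
        this.httpSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, false);
        this.transportSSLEnabled = settings.getAsBoolean(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);
        if (!this.httpSSLEnabled && !this.transportSSLEnabled) {
            // NOTE(review): startup continues with no TLS on either layer. Operators should alert on
            // this message; failing fast here would be a behaviour change for existing deployments.
            this.log.error("SSL not activated for http and/or transport.");
            System.out.println("SSL not activated for http and/or transport.");
        }
        if (ExternalSearchGuardKeyStore.hasExternalSslContext(settings)) {
            this.sgks = new ExternalSearchGuardKeyStore(settings);
        } else {
            this.sgks = new DefaultSearchGuardKeyStore(settings);
        }
    }

    /**
     * Registers the TLS HTTP server transport when this is not a client and HTTP TLS is enabled.
     *
     * @return a map with at most one entry, keyed by the transport type name; empty otherwise
     */
    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NamedXContentRegistry namedXContentRegistry, NetworkService networkService, HttpServerTransport.Dispatcher dispatcher) {
        Map<String, Supplier<HttpServerTransport>> transports = new HashMap<>(1);
        if (!this.client && this.httpSSLEnabled) {
            // Requests pass through the validating dispatcher before reaching the wrapped dispatcher;
            // the transport itself is installed as the dispatcher's audit error handler.
            ValidatingDispatcher validatingDispatcher = new ValidatingDispatcher(threadPool.getThreadContext(), dispatcher, settings);
            SearchGuardSSLNettyHttpServerTransport sslHttpTransport = new SearchGuardSSLNettyHttpServerTransport(settings, networkService, bigArrays, threadPool, this.sgks, namedXContentRegistry, validatingDispatcher);
            validatingDispatcher.setAuditErrorHandler(sslHttpTransport);
            transports.put(HTTP_TRANSPORT_TYPE, () -> sslHttpTransport);
        }
        return transports;
    }

    /**
     * Registers the SSL info REST action on non-client instances.
     *
     * @return a list holding the SSL info action, or an empty list for clients
     * @throws NullPointerException if the principal extractor has not been created yet
     */
    public List<RestHandler> getRestHandlers(Settings settings, RestController restController, ClusterSettings clusterSettings, IndexScopedSettings indexScopedSettings, SettingsFilter settingsFilter, IndexNameExpressionResolver indexNameExpressionResolver, Supplier<DiscoveryNodes> supplier) {
        List<RestHandler> handlers = new ArrayList<>(1);
        if (!this.client) {
            PrincipalExtractor extractor = Objects.requireNonNull(this.principalExtractor, "principalExtractor is not set; createComponents() must run first");
            handlers.add(new SearchGuardSSLInfoAction(settings, restController, this.sgks, extractor));
        }
        return handlers;
    }

    /**
     * Registers the SSL transport interceptor when transport TLS is enabled on a non-client instance.
     *
     * @return a list with the interceptor, or an empty list
     */
    public List<TransportInterceptor> getTransportInterceptors(ThreadContext threadContext) {
        List<TransportInterceptor> interceptors = new ArrayList<>(1);
        if (this.transportSSLEnabled && !this.client) {
            interceptors.add(new SearchGuardSSLTransportInterceptor(this.settings, null, null));
        }
        return interceptors;
    }

    /**
     * Registers the TLS transport when transport TLS is enabled. Unlike the HTTP transport, this is
     * not restricted to non-client instances.
     *
     * @return a map with at most one entry, keyed by the transport type name; empty otherwise
     */
    public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
        Map<String, Supplier<Transport>> transports = new HashMap<>();
        if (this.transportSSLEnabled) {
            transports.put(TRANSPORT_TYPE, () -> new SearchGuardSSLNettyTransport(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService, this.sgks));
        }
        return transports;
    }

    /**
     * Creates the {@link PrincipalExtractor}: the default implementation, or the class named by the
     * principal-extractor setting.
     *
     * @return a collection holding the principal extractor
     * @throws ElasticsearchException if the configured class cannot be loaded, is not a
     *     {@code PrincipalExtractor}, or cannot be instantiated
     */
    public Collection<Object> createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry namedXContentRegistry) {
        Collection<Object> components = new ArrayList<>(1);
        String extractorClassName = this.settings.get(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS, (String) null);
        if (extractorClassName == null) {
            this.principalExtractor = new DefaultPrincipalExtractor();
        } else {
            try {
                this.log.debug("Try to load and instantiate '{}'", extractorClassName);
                // The class name comes from node configuration and is loaded reflectively. Check the
                // type before instantiating so that a class which is not a PrincipalExtractor never
                // has its constructor run. (Class.forName still initialises the class.)
                this.principalExtractor = Class.forName(extractorClassName).asSubclass(PrincipalExtractor.class).newInstance();
            } catch (Exception e) {
                // Class name fills the first placeholder, the cause the second; the trailing
                // throwable makes the logger record the stack trace.
                this.log.error("Unable to load '{}' due to {}", extractorClassName, e.toString(), e);
                throw new ElasticsearchException(e);
            }
        }
        components.add(this.principalExtractor);
        return components;
    }

    /**
     * Declares every setting this plugin accepts, in a fixed order.
     *
     * <p>All settings are node-scoped. Everything except the cipher/protocol lists and the two legacy
     * {@code node.*} keys is additionally marked {@code Filtered}.
     *
     * @return the list of supported settings
     */
    public List<Setting<?>> getSettings() {
        List<Setting<?>> declared = new ArrayList<>();

        // HTTP layer: client-auth mode, key store and trust store.
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CLIENTAUTH_MODE));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_ALIAS));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_PASSWORD));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_KEYSTORE_TYPE));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_ALIAS));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_PASSWORD));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_TRUSTSTORE_TYPE));

        // Layer switches. HTTP TLS is opt-in (default false); transport TLS and transport hostname
        // verification are on by default.
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLE_OPENSSL_IF_AVAILABLE, true));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, false));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, true));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true));

        // Transport layer: key store and trust store.
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_ALIAS));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_TYPE));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_ALIAS));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_TYPE));

        // Cipher and protocol allow-lists default to empty and carry no Filtered property.
        declared.add(nodeScopedStringList(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED_CIPHERS));
        declared.add(nodeScopedStringList(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED_PROTOCOLS));
        declared.add(nodeScopedStringList(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED_CIPHERS));
        declared.add(nodeScopedStringList(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED_PROTOCOLS));

        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_CLIENT_EXTERNAL_CONTEXT_ID));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PRINCIPAL_EXTRACTOR_CLASS));

        // PEM-based key material for both layers.
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_PASSWORD));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_PASSWORD));
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH));

        // HTTP certificate revocation. Validation is opt-in (default false).
        declared.add(filteredString(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_FILE));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_VALIDATE, false));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_PREFER_CRLFILE_OVER_OCSP, false));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_CHECK_ONLY_END_ENTITIES, true));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_DISABLE_CRLDP, false));
        declared.add(filteredBool(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_DISABLE_OCSP, false));
        declared.add(Setting.longSetting(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_CRL_VALIDATION_DATE, -1L, -1L, Setting.Property.NodeScope, Setting.Property.Filtered));

        declared.add(Setting.simpleString("node.client", Setting.Property.NodeScope));
        declared.add(Setting.simpleString("node.local", Setting.Property.NodeScope));
        return declared;
    }

    /** Builds a node-scoped, filtered string setting for {@code key}. */
    private static Setting<String> filteredString(String key) {
        return Setting.simpleString(key, Setting.Property.NodeScope, Setting.Property.Filtered);
    }

    /** Builds a node-scoped, filtered boolean setting for {@code key} with the given default. */
    private static Setting<Boolean> filteredBool(String key, boolean defaultValue) {
        return Setting.boolSetting(key, defaultValue, Setting.Property.NodeScope, Setting.Property.Filtered);
    }

    /** Builds a node-scoped string-list setting for {@code key} that defaults to an empty list. */
    private static Setting<List<String>> nodeScopedStringList(String key) {
        return Setting.listSetting(key, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope);
    }

    /**
     * Selects the TLS transports registered by this plugin as the node's HTTP and transport types.
     *
     * @return settings containing {@code http.type} and/or {@code transport.type}, possibly empty
     */
    public Settings additionalSettings() {
        Settings.Builder builder = Settings.builder();
        if (!this.client && this.httpSSLEnabled) {
            builder.put("http.type", HTTP_TRANSPORT_TYPE);
        }
        if (this.transportSSLEnabled) {
            builder.put("transport.type", TRANSPORT_TYPE);
        }
        return builder.build();
    }

    /**
     * Returns the settings filter pattern for this plugin.
     *
     * <p>NOTE(review): the cipher/protocol list settings carry no {@code Filtered} property; whether
     * this pattern covers them depends on their key names in {@code SSLConfigConstants}, which are not
     * visible here.
     *
     * @return a list containing the single pattern {@code searchguard.*}
     */
    public List<String> getSettingsFilter() {
        List<String> patterns = new ArrayList<>();
        patterns.add("searchguard.*");
        return patterns;
    }
}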
