package org.elasticsearch.xpack.security.cli;

import java.io.BufferedWriter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.BiFunction;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.auth.x500.X500Principal;
import joptsimple.OptionSet;
import joptsimple.OptionSpec;
import org.apache.commons.io.FileUtils;
import org.apache.lucene.util.SetOnce;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cli.ProcessInfo;
import org.elasticsearch.cli.Terminal;
import org.elasticsearch.cli.UserException;
import org.elasticsearch.cluster.coordination.ClusterBootstrapService;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.node.DiscoveryNodeRole;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.UUIDs;
import org.elasticsearch.common.cli.EnvironmentAwareCommand;
import org.elasticsearch.common.network.InetAddresses;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.network.NetworkUtils;
import org.elasticsearch.common.settings.KeyStoreWrapper;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.PemUtils;
import org.elasticsearch.core.CheckedConsumer;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.core.PathUtils;
import org.elasticsearch.core.SuppressForbidden;
import org.elasticsearch.discovery.DiscoveryModule;
import org.elasticsearch.discovery.SettingsBasedSeedHostsProvider;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.HttpTransportSettings;
import org.elasticsearch.node.Node;
import org.elasticsearch.transport.TransportSettings;
import org.elasticsearch.xcontent.XContentType;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.CommandLineHttpClient;
import org.elasticsearch.xpack.core.security.EnrollmentToken;
import org.elasticsearch.xpack.core.security.HttpResponse;
import org.elasticsearch.xpack.core.ssl.CertParsingUtils;

/* loaded from: input_file:org/elasticsearch/xpack/security/cli/AutoConfigureNode.class */
public class AutoConfigureNode extends EnvironmentAwareCommand {
    public static final String AUTO_CONFIG_ALT_DN = "CN=Elasticsearch security auto-configuration HTTP CA";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String TRANSPORT_AUTOGENERATED_KEYSTORE_NAME = "transport";
    private static final String TRANSPORT_KEY_KEYSTORE_ENTRY = "transport";
    private static final String TRANSPORT_CA_CERT_KEYSTORE_ENTRY = "transport_ca";
    private static final String ELASTICSEARCH_GROUP_OWNER = "elasticsearch";
    private static final int TRANSPORT_CERTIFICATE_DAYS = 36135;
    private static final int TRANSPORT_CA_CERTIFICATE_DAYS = 36135;
    private static final int TRANSPORT_KEY_SIZE = 4096;
    private static final int TRANSPORT_CA_KEY_SIZE = 4096;
    static final String HTTP_AUTOGENERATED_KEYSTORE_NAME = "http";
    static final String HTTP_KEY_KEYSTORE_ENTRY = "http";
    static final String HTTP_CA_KEY_KEYSTORE_ENTRY = "http_ca";
    static final String HTTP_AUTOGENERATED_CA_NAME = "http_ca";
    private static final int HTTP_CA_CERTIFICATE_DAYS = 1095;
    private static final int HTTP_CA_KEY_SIZE = 4096;
    private static final int HTTP_CERTIFICATE_DAYS = 730;
    private static final int HTTP_KEY_SIZE = 4096;
    static final String TLS_GENERATED_CERTS_DIR_NAME = "certs";
    static final String AUTO_CONFIGURATION_START_MARKER = "#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------";
    static final String AUTO_CONFIGURATION_END_MARKER = "#----------------------- END SECURITY AUTO CONFIGURATION -------------------------";
    private final OptionSpec<String> enrollmentTokenParam;
    private final boolean inReconfigureMode;
    private final BiFunction<Environment, String, CommandLineHttpClient> clientFunction;

    public AutoConfigureNode(boolean z, BiFunction<Environment, String, CommandLineHttpClient> biFunction) {
        super("Generates all the necessary security configuration for a node in a secured cluster");
        this.enrollmentTokenParam = this.parser.accepts("enrollment-token", "The enrollment token to use").withRequiredArg();
        this.parser.allowsUnrecognizedOptions();
        this.inReconfigureMode = z;
        this.clientFunction = biFunction;
    }

    public AutoConfigureNode(boolean z) {
        this(z, CommandLineHttpClient::new);
    }

    public void execute(Terminal terminal, OptionSet optionSet, Environment environment, ProcessInfo processInfo) throws Exception {
        List<String> transportAddresses;
        X509Certificate parseCertificateFromPem;
        PrivateKey parseKeyFromPem;
        X509Certificate parseCertificateFromPem2;
        PrivateKey parseKeyFromPem2;
        X509Certificate parseCertificateFromPem3;
        boolean has = optionSet.has(this.enrollmentTokenParam);
        for (Path path : environment.dataFiles()) {
            if (Files.isDirectory(path, new LinkOption[0]) && false == isDirEmpty(path)) {
                notifyOfFailure(has, terminal, Terminal.Verbosity.VERBOSE, 80, "Skipping security auto configuration because it appears that the node is not starting up for the first time. The node might already be part of a cluster and this auto setup utility is designed to configure Security for new clusters only.");
            }
        }
        Path resolve = environment.configFile().resolve("elasticsearch.yml");
        if (false == Files.exists(resolve, new LinkOption[0]) || false == Files.isRegularFile(resolve, LinkOption.NOFOLLOW_LINKS)) {
            notifyOfFailure(has, terminal, Terminal.Verbosity.NORMAL, 78, String.format(Locale.ROOT, "Skipping security auto configuration because the configuration file [%s] is missing or is not a regular file", resolve));
        }
        if (false == Files.isReadable(resolve)) {
            notifyOfFailure(has, terminal, Terminal.Verbosity.NORMAL, 80, String.format(Locale.ROOT, "Skipping security auto configuration because the current user does not have permission to read  configuration file [%s]", resolve));
        }
        Path keystorePath = KeyStoreWrapper.keystorePath(environment.configFile());
        if (Files.exists(keystorePath, new LinkOption[0]) && (false == Files.isRegularFile(keystorePath, LinkOption.NOFOLLOW_LINKS) || false == Files.isReadable(keystorePath))) {
            notifyOfFailure(has, terminal, Terminal.Verbosity.NORMAL, 80, String.format(Locale.ROOT, "Skipping security auto configuration because the node keystore file [%s] is not a readable regular file", keystorePath));
        }
        if (this.inReconfigureMode) {
            if (false == has) {
                throw new UserException(64, "enrollment-token is a mandatory parameter when reconfiguring the node");
            }
            environment = possiblyReconfigureNode(environment, terminal, optionSet, processInfo);
        }
        checkExistingConfiguration(environment.settings(), has, terminal);
        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);
        Path resolve2 = environment.configFile().resolve(String.format(Locale.ROOT, "certs.%d.tmp", Long.valueOf(now.toInstant().getEpochSecond())));
        try {
            Files.createDirectory(resolve2, new FileAttribute[0]);
            PosixFileAttributeView posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(resolve2, PosixFileAttributeView.class, new LinkOption[0]);
            if (posixFileAttributeView != null) {
                posixFileAttributeView.setPermissions(PosixFilePermissions.fromString("rwxr-x---"));
            }
            UserPrincipal owner = Files.getOwner(resolve2, LinkOption.NOFOLLOW_LINKS);
            if (false == owner.equals(Files.getOwner(environment.configFile(), LinkOption.NOFOLLOW_LINKS))) {
                UserException userException = new UserException(78, "Aborting auto configuration because of config dir ownership mismatch. Config dir is owned by " + Files.getOwner(environment.configFile(), LinkOption.NOFOLLOW_LINKS).getName() + " but auto-configuration directory would be owned by " + owner.getName());
                try {
                    deleteDirectory(resolve2);
                } catch (Exception e) {
                    userException.addSuppressed(e);
                }
                throw userException;
            }
            X500Principal x500Principal = new X500Principal("CN=" + (Node.NODE_NAME_SETTING.exists(environment.settings()) ? (String) Node.NODE_NAME_SETTING.get(environment.settings()) : System.getenv("HOSTNAME")));
            X500Principal x500Principal2 = new X500Principal(AUTO_CONFIG_ALT_DN);
            if (has) {
                try {
                    EnrollmentToken decodeFromString = EnrollmentToken.decodeFromString((String) this.enrollmentTokenParam.value(optionSet));
                    CommandLineHttpClient apply = this.clientFunction.apply(environment, decodeFromString.getFingerprint());
                    HttpResponse httpResponse = null;
                    URL url = null;
                    Iterator it = decodeFromString.getBoundAddress().iterator();
                    while (it.hasNext()) {
                        try {
                            url = CommandLineHttpClient.createURL(new URL("https://" + ((String) it.next())), "/_security/enroll/node", "");
                            httpResponse = apply.execute("GET", url, new SecureString(decodeFromString.getApiKey().toCharArray()), () -> {
                                return null;
                            }, CommandLineHttpClient::responseBuilder);
                            break;
                        } catch (Exception e2) {
                            terminal.errorPrint(Terminal.Verbosity.NORMAL, "Unable to communicate with the node on " + url + ". Error was " + e2.getMessage());
                        }
                    }
                    if (httpResponse == null || httpResponse.getHttpStatus() != 200) {
                        UserException userException2 = new UserException(69, "Aborting enrolling to cluster. Could not communicate with the node on any of the addresses from the enrollment token. All of " + decodeFromString.getBoundAddress() + " were attempted.");
                        try {
                            deleteDirectory(resolve2);
                        } catch (Exception e3) {
                            userException2.addSuppressed(e3);
                        }
                        throw userException2;
                    }
                    Map<String, Object> responseBody = httpResponse.getResponseBody();
                    if (responseBody == null) {
                        UserException userException3 = new UserException(65, "Aborting enrolling to cluster. Empty response when calling the enroll node API (" + url + ")");
                        try {
                            deleteDirectory(resolve2);
                        } catch (Exception e4) {
                            userException3.addSuppressed(e4);
                        }
                        throw userException3;
                    }
                    ArrayList arrayList = new ArrayList();
                    String str = (String) responseBody.get("http_ca_key");
                    if (Strings.isNullOrEmpty(str)) {
                        arrayList.add("http_ca_key");
                    }
                    String str2 = (String) responseBody.get("http_ca_cert");
                    if (Strings.isNullOrEmpty(str2)) {
                        arrayList.add("http_ca_cert");
                    }
                    String str3 = (String) responseBody.get("transport_key");
                    if (Strings.isNullOrEmpty(str3)) {
                        arrayList.add("transport_key");
                    }
                    String str4 = (String) responseBody.get("transport_ca_cert");
                    if (Strings.isNullOrEmpty(str4)) {
                        arrayList.add("transport_ca_cert");
                    }
                    String str5 = (String) responseBody.get("transport_cert");
                    if (Strings.isNullOrEmpty(str5)) {
                        arrayList.add("transport_cert");
                    }
                    transportAddresses = getTransportAddresses(responseBody);
                    if (null == transportAddresses || transportAddresses.isEmpty()) {
                        arrayList.add("nodes_addresses");
                    }
                    if (false == arrayList.isEmpty()) {
                        UserException userException4 = new UserException(65, "Aborting enrolling to cluster. Invalid response when calling the enroll node API (" + url + "). The following fields were empty or missing : " + arrayList);
                        try {
                            deleteDirectory(resolve2);
                        } catch (Exception e5) {
                            userException4.addSuppressed(e5);
                        }
                        throw userException4;
                    }
                    parseCertificateFromPem = parseCertificateFromPem(str4, terminal);
                    parseKeyFromPem = parseKeyFromPem(str, terminal);
                    parseCertificateFromPem2 = parseCertificateFromPem(str2, terminal);
                    parseKeyFromPem2 = parseKeyFromPem(str3, terminal);
                    parseCertificateFromPem3 = parseCertificateFromPem(str5, terminal);
                } catch (Exception e6) {
                    try {
                        deleteDirectory(resolve2);
                    } catch (Exception e7) {
                        e6.addSuppressed(e7);
                    }
                    terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
                    terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "Failed to parse enrollment token : " + ((String) this.enrollmentTokenParam.value(optionSet)) + " . Error was: " + e6.getMessage());
                    terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
                    terminal.errorPrintln(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e6));
                    terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
                    throw new UserException(65, "Aborting auto configuration. Invalid enrollment token", e6);
                }
            } else {
                try {
                    transportAddresses = List.of();
                    KeyPair generateKeyPair = CertGenUtils.generateKeyPair(4096);
                    PrivateKey privateKey = generateKeyPair.getPrivate();
                    parseCertificateFromPem = CertGenUtils.generateSignedCertificate(x500Principal2, null, generateKeyPair, null, null, true, 36135, SIGNATURE_ALGORITHM);
                    KeyPair generateKeyPair2 = CertGenUtils.generateKeyPair(4096);
                    parseKeyFromPem2 = generateKeyPair2.getPrivate();
                    parseCertificateFromPem3 = CertGenUtils.generateSignedCertificate(x500Principal, null, generateKeyPair2, parseCertificateFromPem, privateKey, false, 36135, SIGNATURE_ALGORITHM);
                    KeyPair generateKeyPair3 = CertGenUtils.generateKeyPair(4096);
                    parseKeyFromPem = generateKeyPair3.getPrivate();
                    parseCertificateFromPem2 = CertGenUtils.generateSignedCertificate(x500Principal2, null, generateKeyPair3, null, null, true, HTTP_CA_CERTIFICATE_DAYS, SIGNATURE_ALGORITHM);
                } finally {
                    try {
                        deleteDirectory(resolve2);
                    } catch (Exception e8) {
                        th.addSuppressed(e8);
                    }
                }
            }
            try {
                KeyPair generateKeyPair4 = CertGenUtils.generateKeyPair(4096);
                PrivateKey privateKey2 = generateKeyPair4.getPrivate();
                X509Certificate generateSignedCertificate = CertGenUtils.generateSignedCertificate(x500Principal, getSubjectAltNames(environment.settings()), generateKeyPair4, parseCertificateFromPem2, parseKeyFromPem, false, HTTP_CERTIFICATE_DAYS, SIGNATURE_ALGORITHM, (Set<ExtendedKeyUsage>) Set.of(new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)));
                X509Certificate x509Certificate = parseCertificateFromPem2;
                fullyWriteFile(resolve2, "http_ca.crt", false, this.inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null, outputStream -> {
                    JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(new BufferedWriter(new OutputStreamWriter(outputStream, StandardCharsets.UTF_8)));
                    try {
                        jcaPEMWriter.writeObject(x509Certificate);
                        jcaPEMWriter.close();
                    } catch (Throwable th) {
                        try {
                            jcaPEMWriter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                });
                Path resolve3 = environment.configFile().resolve(String.format(Locale.ROOT, "elasticsearch.keystore.%d.orig", Long.valueOf(now.toInstant().getEpochSecond())));
                if (Files.exists(keystorePath, new LinkOption[0])) {
                    try {
                        Files.copy(keystorePath, resolve3, StandardCopyOption.COPY_ATTRIBUTES);
                    } finally {
                        try {
                            deleteDirectory(resolve2);
                        } catch (Exception e9) {
                            th.addSuppressed(e9);
                        }
                    }
                }
                SetOnce setOnce = new SetOnce();
                try {
                    try {
                        KeyStoreWrapper bootstrap = KeyStoreWrapper.bootstrap(environment.configFile(), () -> {
                            setOnce.set(new SecureString(terminal.readSecret("")));
                            return ((SecureString) setOnce.get()).clone();
                        });
                        try {
                            if (bootstrap.getSettingNames().contains("xpack.security.transport.ssl.keystore.secure_password") || bootstrap.getSettingNames().contains("xpack.security.transport.ssl.truststore.secure_password") || bootstrap.getSettingNames().contains("xpack.security.http.ssl.keystore.secure_password")) {
                                throw new UserException(78, "Aborting auto configuration because the node keystore contains password settings already");
                            }
                            SecureString newKeystorePassword = newKeystorePassword();
                            try {
                                KeyStore keyStore = KeyStore.getInstance("PKCS12");
                                keyStore.load(null);
                                keyStore.setKeyEntry("transport", parseKeyFromPem2, newKeystorePassword.getChars(), new Certificate[]{parseCertificateFromPem3});
                                keyStore.setCertificateEntry(TRANSPORT_CA_CERT_KEYSTORE_ENTRY, parseCertificateFromPem);
                                fullyWriteFile(resolve2, "transport.p12", false, this.inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null, outputStream2 -> {
                                    keyStore.store(outputStream2, newKeystorePassword.getChars());
                                });
                                bootstrap.setString("xpack.security.transport.ssl.keystore.secure_password", newKeystorePassword.getChars());
                                bootstrap.setString("xpack.security.transport.ssl.truststore.secure_password", newKeystorePassword.getChars());
                                if (newKeystorePassword != null) {
                                    newKeystorePassword.close();
                                }
                                newKeystorePassword = newKeystorePassword();
                                try {
                                    KeyStore keyStore2 = KeyStore.getInstance("PKCS12");
                                    keyStore2.load(null);
                                    keyStore2.setKeyEntry("http_ca", parseKeyFromPem, newKeystorePassword.getChars(), new Certificate[]{parseCertificateFromPem2});
                                    keyStore2.setKeyEntry("http", privateKey2, newKeystorePassword.getChars(), new Certificate[]{generateSignedCertificate, parseCertificateFromPem2});
                                    fullyWriteFile(resolve2, "http.p12", false, this.inReconfigureMode ? ELASTICSEARCH_GROUP_OWNER : null, outputStream3 -> {
                                        keyStore2.store(outputStream3, newKeystorePassword.getChars());
                                    });
                                    bootstrap.setString("xpack.security.http.ssl.keystore.secure_password", newKeystorePassword.getChars());
                                    if (newKeystorePassword != null) {
                                        newKeystorePassword.close();
                                    }
                                    bootstrap.save(environment.configFile(), setOnce.get() == null ? new char[0] : ((SecureString) setOnce.get()).getChars());
                                    if (bootstrap != null) {
                                        bootstrap.close();
                                    }
                                    try {
                                        if (Files.exists(environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME), new LinkOption[0])) {
                                            moveDirectory(environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME), environment.configFile().resolve(String.format(Locale.ROOT, "certs.%d.orig", Long.valueOf(now.toInstant().getEpochSecond()))));
                                        }
                                        moveDirectory(resolve2, environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME));
                                        try {
                                            Environment environment2 = environment;
                                            DateTimeFormatter ofPattern = DateTimeFormatter.ofPattern("dd-MM-yyyy HH:mm:ss", Locale.ROOT);
                                            List<String> readAllLines = Files.readAllLines(resolve, StandardCharsets.UTF_8);
                                            List<String> list = transportAddresses;
                                            fullyWriteFile(environment.configFile(), "elasticsearch.yml", true, outputStream4 -> {
                                                BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream4, StandardCharsets.UTF_8));
                                                try {
                                                    Iterator it2 = readAllLines.iterator();
                                                    while (it2.hasNext()) {
                                                        bufferedWriter.write((String) it2.next());
                                                        bufferedWriter.newLine();
                                                    }
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write(AUTO_CONFIGURATION_START_MARKER);
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("#");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("# The following settings, TLS certificates, and keys have been automatically      ");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("# generated to configure Elasticsearch security features on ");
                                                    bufferedWriter.write(now.format(ofPattern));
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("#");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("# --------------------------------------------------------------------------------");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("# Enable security features");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write(XPackSettings.SECURITY_ENABLED.getKey() + ": true");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.newLine();
                                                    if (false == (environment2.settings().hasValue(XPackSettings.ENROLLMENT_ENABLED.getKey()) && false == ((Boolean) XPackSettings.ENROLLMENT_ENABLED.get(environment2.settings())).booleanValue())) {
                                                        bufferedWriter.write(XPackSettings.ENROLLMENT_ENABLED.getKey() + ": true");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.newLine();
                                                    }
                                                    bufferedWriter.write("# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("xpack.security.http.ssl:");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("  enabled: true");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("  keystore.path: certs/http.p12");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("# Enable encryption and mutual authentication between cluster nodes");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("xpack.security.transport.ssl:");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("  enabled: true");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("  verification_mode: certificate");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("  keystore.path: certs/transport.p12");
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write("  truststore.path: certs/transport.p12");
                                                    if (has) {
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Discover existing nodes in the cluster");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write(SettingsBasedSeedHostsProvider.DISCOVERY_SEED_HOSTS_SETTING.getKey() + ": [" + ((String) list.stream().map(str6 -> {
                                                            return "\"" + str6 + "\"";
                                                        }).collect(Collectors.joining(", "))) + "]");
                                                        bufferedWriter.newLine();
                                                    } else if (false == DiscoveryModule.isSingleNodeDiscovery(environment2.settings()) && false == ClusterBootstrapService.INITIAL_MASTER_NODES_SETTING.exists(environment2.settings())) {
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Create a new cluster with the current node only");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Additional nodes can still join the cluster later");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write(ClusterBootstrapService.INITIAL_MASTER_NODES_SETTING.getKey() + ": " + initialMasterNodesSettingValue(environment2));
                                                        bufferedWriter.newLine();
                                                    }
                                                    if (false == (environment2.settings().hasValue(HttpTransportSettings.SETTING_HTTP_HOST.getKey()) || environment2.settings().hasValue(HttpTransportSettings.SETTING_HTTP_BIND_HOST.getKey()) || environment2.settings().hasValue(HttpTransportSettings.SETTING_HTTP_PUBLISH_HOST.getKey()) || environment2.settings().hasValue(NetworkService.GLOBAL_NETWORK_HOST_SETTING.getKey()) || environment2.settings().hasValue(NetworkService.GLOBAL_NETWORK_BIND_HOST_SETTING.getKey()) || environment2.settings().hasValue(NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.getKey()))) {
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Allow HTTP API connections from anywhere");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Connections are encrypted and require user authentication");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write(HttpTransportSettings.SETTING_HTTP_HOST.getKey() + ": 0.0.0.0");
                                                        bufferedWriter.newLine();
                                                    }
                                                    if (false == (environment2.settings().hasValue(TransportSettings.HOST.getKey()) || environment2.settings().hasValue(TransportSettings.BIND_HOST.getKey()) || environment2.settings().hasValue(TransportSettings.PUBLISH_HOST.getKey()) || environment2.settings().hasValue(NetworkService.GLOBAL_NETWORK_HOST_SETTING.getKey()) || environment2.settings().hasValue(NetworkService.GLOBAL_NETWORK_BIND_HOST_SETTING.getKey()) || environment2.settings().hasValue(NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.getKey()))) {
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Allow other nodes to join the cluster from anywhere");
                                                        bufferedWriter.newLine();
                                                        bufferedWriter.write("# Connections are encrypted and mutually authenticated");
                                                        bufferedWriter.newLine();
                                                        if (false == has || false == anyRemoteHostNodeAddress(list, NetworkUtils.getAllAddresses())) {
                                                            bufferedWriter.write("#");
                                                        }
                                                        bufferedWriter.write(TransportSettings.HOST.getKey() + ": 0.0.0.0");
                                                        bufferedWriter.newLine();
                                                    }
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.write(AUTO_CONFIGURATION_END_MARKER);
                                                    bufferedWriter.newLine();
                                                    bufferedWriter.close();
                                                } catch (Throwable th) {
                                                    try {
                                                        bufferedWriter.close();
                                                    } catch (Throwable th2) {
                                                        th.addSuppressed(th2);
                                                    }
                                                    throw th;
                                                }
                                            });
                                            if (Files.exists(resolve3, new LinkOption[0])) {
                                                Files.delete(resolve3);
                                            }
                                        } catch (Throwable th) {
                                            try {
                                                if (Files.exists(resolve3, new LinkOption[0])) {
                                                    Files.move(resolve3, keystorePath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
                                                } else {
                                                    Files.deleteIfExists(keystorePath);
                                                }
                                            } catch (Exception e10) {
                                                th.addSuppressed(e10);
                                            }
                                            try {
                                                deleteDirectory(environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME));
                                            } catch (Exception e11) {
                                                th.addSuppressed(e11);
                                            }
                                            Path resolve4 = environment.configFile().resolve(String.format(Locale.ROOT, "certs.%d.orig", Long.valueOf(now.toInstant().getEpochSecond())));
                                            if (Files.exists(resolve4, new LinkOption[0])) {
                                                moveDirectory(resolve4, environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME));
                                            }
                                            throw th;
                                        }
                                    } catch (Throwable th2) {
                                        try {
                                            if (Files.exists(resolve3, new LinkOption[0])) {
                                                Files.move(resolve3, keystorePath, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.COPY_ATTRIBUTES);
                                            } else {
                                                Files.deleteIfExists(keystorePath);
                                            }
                                        } catch (Exception e12) {
                                            th2.addSuppressed(e12);
                                        }
                                        try {
                                            if (Files.exists(environment.configFile().resolve(String.format(Locale.ROOT, "certs.%d.orig", Long.valueOf(now.toInstant().getEpochSecond()))), new LinkOption[0])) {
                                                moveDirectory(environment.configFile().resolve(String.format(Locale.ROOT, "certs.%d.orig", Long.valueOf(now.toInstant().getEpochSecond()))), environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME));
                                            }
                                        } catch (Exception e13) {
                                            th2.addSuppressed(e13);
                                        }
                                        throw th2;
                                    }
                                } finally {
                                }
                            } finally {
                            }
                        } catch (Throwable th3) {
                            if (bootstrap != null) {
                                try {
                                    bootstrap.close();
                                } catch (Throwable th4) {
                                    th3.addSuppressed(th4);
                                }
                            }
                            throw th3;
                        }
                    } finally {
                        if (setOnce.get() != null) {
                            ((SecureString) setOnce.get()).close();
                        }
                    }
                } finally {
                }
            } finally {
                try {
                    deleteDirectory(resolve2);
                } catch (Exception e14) {
                    th.addSuppressed(e14);
                }
            }
        } catch (Throwable th5) {
            try {
                deleteDirectory(resolve2);
            } catch (Exception e15) {
                th5.addSuppressed(e15);
            }
            throw new UserException(73, "Could not create auto-configuration directory", th5);
        }
    }

    private String initialMasterNodesSettingValue(Environment environment) {
        return Node.NODE_NAME_SETTING.exists(environment.settings()) ? "[\"" + ((String) Node.NODE_NAME_SETTING.get(environment.settings())) + "\"]" : "[\"${HOSTNAME}\"]";
    }

    protected static boolean anyRemoteHostNodeAddress(List<String> list, InetAddress[] inetAddressArr) {
        List asList = Arrays.asList(inetAddressArr);
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            try {
                InetAddress byName = InetAddress.getByName(new URI("http://" + it.next()).getHost());
                if (false == byName.isLoopbackAddress() && false == asList.contains(byName)) {
                    return true;
                }
            } catch (URISyntaxException | UnknownHostException e) {
            }
        }
        return false;
    }

    private Environment possiblyReconfigureNode(Environment environment, Terminal terminal, OptionSet optionSet, ProcessInfo processInfo) throws UserException {
        try {
            List<String> readAllLines = Files.readAllLines(environment.configFile().resolve("elasticsearch.yml"), StandardCharsets.UTF_8);
            List<String> removePreviousAutoconfiguration = removePreviousAutoconfiguration(readAllLines);
            if (false != readAllLines.equals(removePreviousAutoconfiguration) || !Files.exists(environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME), new LinkOption[0])) {
                throw new UserException(64, "Aborting enrolling to cluster. This node doesn't appear to be auto-configured for security. Expected configuration is missing from elasticsearch.yml.");
            }
            terminal.println("");
            terminal.println("This node will be reconfigured to join an existing cluster, using the enrollment token that you provided.");
            terminal.println("This operation will overwrite the existing configuration. Specifically: ");
            terminal.println("  - Security auto configuration will be removed from elasticsearch.yml");
            terminal.println("  - The [certs] config directory will be removed");
            terminal.println("  - Security auto configuration related secure settings will be removed from the elasticsearch.keystore");
            if (!terminal.promptYesNo("Do you want to continue with the reconfiguration process", false)) {
                throw new UserException(0, "User cancelled operation");
            }
            removeAutoConfigurationFromKeystore(environment, terminal);
            try {
                fullyWriteFile(environment.configFile(), "elasticsearch.yml", true, outputStream -> {
                    BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream, StandardCharsets.UTF_8));
                    try {
                        Iterator it = removePreviousAutoconfiguration.iterator();
                        while (it.hasNext()) {
                            bufferedWriter.write((String) it.next());
                            bufferedWriter.newLine();
                        }
                        bufferedWriter.close();
                    } catch (Throwable th) {
                        try {
                            bufferedWriter.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                    }
                });
                deleteDirectory(environment.configFile().resolve(TLS_GENERATED_CERTS_DIR_NAME));
                return createEnv(optionSet, processInfo);
            } catch (Throwable th) {
                throw new UserException(74, "Aborting enrolling to cluster. Unable to remove existing security configuration.", th);
            }
        } catch (IOException e) {
            throw new UserException(74, "Aborting enrolling to cluster. Unable to read elasticsearch.yml.", e);
        }
    }

    private void notifyOfFailure(boolean z, Terminal terminal, Terminal.Verbosity verbosity, int i, String str) throws UserException {
        if (z) {
            throw new UserException(i, str);
        }
        terminal.println(verbosity, str);
        throw new UserException(i, (String) null);
    }

    @SuppressForbidden(reason = "Commons IO lib uses the File API")
    private void deleteDirectory(Path path) throws IOException {
        FileUtils.deleteDirectory(path.toFile());
    }

    @SuppressForbidden(reason = "Commons IO lib uses the File API")
    private void moveDirectory(Path path, Path path2) throws IOException {
        FileUtils.moveDirectory(path.toFile(), path2.toFile());
    }

    private GeneralNames getSubjectAltNames(Settings settings) throws IOException {
        HashSet hashSet = new HashSet();
        for (InetAddress inetAddress : NetworkUtils.getAllAddresses()) {
            hashSet.add(new GeneralName(7, NetworkAddress.format(inetAddress)));
        }
        hashSet.add(new GeneralName(2, "localhost"));
        hashSet.add(new GeneralName(2, System.getenv("HOSTNAME")));
        Iterator it = List.of(NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.exists(settings) ? (List) NetworkService.GLOBAL_NETWORK_PUBLISH_HOST_SETTING.get(settings) : List.of(), HttpTransportSettings.SETTING_HTTP_PUBLISH_HOST.exists(settings) ? (List) HttpTransportSettings.SETTING_HTTP_PUBLISH_HOST.get(settings) : List.of()).iterator();
        while (it.hasNext()) {
            for (String str : (List) it.next()) {
                if (InetAddresses.isInetAddress(str)) {
                    hashSet.add(new GeneralName(7, str));
                } else {
                    hashSet.add(new GeneralName(2, str));
                }
            }
        }
        return new GeneralNames((GeneralName[]) hashSet.toArray(new GeneralName[0]));
    }

    SecureString newKeystorePassword() {
        return UUIDs.randomBase64UUIDSecureString();
    }

    void checkExistingConfiguration(Settings settings, boolean z, Terminal terminal) throws UserException {
        if (!((Boolean) XPackSettings.SECURITY_AUTOCONFIGURATION_ENABLED.get(settings)).booleanValue()) {
            notifyOfFailure(z, terminal, Terminal.Verbosity.VERBOSE, 80, "Skipping security auto configuration because [" + XPackSettings.SECURITY_AUTOCONFIGURATION_ENABLED.getKey() + "] is false");
        }
        if (XPackSettings.SECURITY_ENABLED.exists(settings)) {
            notifyOfFailure(z, terminal, Terminal.Verbosity.VERBOSE, 80, "Skipping security auto configuration because it appears that security is already configured.");
        }
        if (false == settings.getByPrefix(XPackSettings.TRANSPORT_SSL_PREFIX).isEmpty() || false == settings.getByPrefix(XPackSettings.HTTP_SSL_PREFIX).isEmpty()) {
            notifyOfFailure(z, terminal, Terminal.Verbosity.VERBOSE, 80, "Skipping security auto configuration because it appears that TLS is already configured.");
        }
        if (false == isInitialClusterNode(settings)) {
            notifyOfFailure(z, terminal, Terminal.Verbosity.VERBOSE, 80, "Skipping security auto configuration because this node is configured to bootstrap or to join a multi-node cluster, which is not supported.");
        }
        if (z) {
            return;
        }
        if (false == (DiscoveryNode.isMasterNode(settings) && false == DiscoveryNode.hasRole(settings, DiscoveryNodeRole.VOTING_ONLY_NODE_ROLE))) {
            terminal.println(Terminal.Verbosity.VERBOSE, "Skipping security auto configuration because the node is configured such that it cannot become master.");
            throw new UserException(80, (String) null);
        }
        if (false == DiscoveryNode.canContainData(settings)) {
            terminal.println(Terminal.Verbosity.VERBOSE, "Skipping security auto configuration because the node is configured such that it cannot contain data.");
            throw new UserException(80, (String) null);
        }
    }

    private boolean isInitialClusterNode(Settings settings) {
        return DiscoveryModule.isSingleNodeDiscovery(settings) || (((List) ClusterBootstrapService.INITIAL_MASTER_NODES_SETTING.get(settings)).isEmpty() && ((List) SettingsBasedSeedHostsProvider.DISCOVERY_SEED_HOSTS_SETTING.get(settings)).isEmpty() && ((List) DiscoveryModule.DISCOVERY_SEED_PROVIDERS_SETTING.get(settings)).isEmpty()) || ((List) ClusterBootstrapService.INITIAL_MASTER_NODES_SETTING.get(settings)).equals(List.of((String) Node.NODE_NAME_SETTING.get(settings)));
    }

    private static void fullyWriteFile(Path path, String str, boolean z, @Nullable String str2, CheckedConsumer<OutputStream, Exception> checkedConsumer) throws Exception {
        PosixFileAttributeView posixFileAttributeView;
        Path resolve = path.resolve(str);
        if (false == z && Files.exists(resolve, new LinkOption[0])) {
            throw new UserException(74, String.format(Locale.ROOT, "Output file [%s] already exists and will not be replaced", resolve));
        }
        Set<PosixFilePermission> fromString = PosixFilePermissions.fromString("rw-rw----");
        if (Files.exists(resolve, new LinkOption[0]) && (posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(resolve, PosixFileAttributeView.class, new LinkOption[0])) != null) {
            fromString = posixFileAttributeView.readAttributes().permissions();
        }
        Path resolve2 = path.resolve(str + "." + UUIDs.randomBase64UUID() + ".tmp");
        OutputStream newOutputStream = Files.newOutputStream(resolve2, StandardOpenOption.CREATE_NEW);
        try {
            checkedConsumer.accept(newOutputStream);
            if (newOutputStream != null) {
                newOutputStream.close();
            }
            try {
                PosixFileAttributeView posixFileAttributeView2 = (PosixFileAttributeView) Files.getFileAttributeView(resolve2, PosixFileAttributeView.class, new LinkOption[0]);
                if (posixFileAttributeView2 != null) {
                    posixFileAttributeView2.setPermissions(fromString);
                    if (null != str2) {
                        posixFileAttributeView2.setGroup(PathUtils.getDefaultFileSystem().getUserPrincipalLookupService().lookupPrincipalByGroupName(str2));
                    }
                }
                if (z) {
                    Files.move(resolve2, resolve, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
                } else {
                    Files.move(resolve2, resolve, StandardCopyOption.ATOMIC_MOVE);
                }
            } finally {
                Files.deleteIfExists(resolve2);
            }
        } catch (Throwable th) {
            if (newOutputStream != null) {
                try {
                    newOutputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static void fullyWriteFile(Path path, String str, boolean z, CheckedConsumer<OutputStream, Exception> checkedConsumer) throws Exception {
        fullyWriteFile(path, str, z, null, checkedConsumer);
    }

    private static boolean isDirEmpty(Path path) throws IOException {
        Stream<Path> list = Files.list(path);
        try {
            boolean z = false == list.findAny().isPresent();
            if (list != null) {
                list.close();
            }
            return z;
        } catch (Throwable th) {
            if (list != null) {
                try {
                    list.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private X509Certificate parseCertificateFromPem(String str, Terminal terminal) throws Exception {
        try {
            List readCertificates = CertParsingUtils.readCertificates(Base64.getDecoder().wrap(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))));
            if (readCertificates.size() != 1) {
                throw new IllegalStateException("Enroll node API returned multiple certificates");
            }
            return (X509Certificate) readCertificates.get(0);
        } catch (Exception e) {
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "Failed to parse Certificate from the response of the Enroll Node API: " + e.getMessage());
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e));
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
            throw new UserException(65, "Aborting enrolling to cluster. Failed to parse Certificate from the response of the Enroll Node API", e);
        }
    }

    private PrivateKey parseKeyFromPem(String str, Terminal terminal) throws UserException {
        try {
            return PemUtils.parsePKCS8PemString(str);
        } catch (Exception e) {
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "Failed to parse Private Key from the response of the Enroll Node API: " + e.getMessage());
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e));
            terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
            throw new UserException(65, "Aborting enrolling to cluster. Failed to parse Private Key from the response of the Enroll Node API", e);
        }
    }

    private List<String> getTransportAddresses(Map<String, Object> map) {
        return (List) map.get("nodes_addresses");
    }

    static List<String> removePreviousAutoconfiguration(List<String> list) throws UserException {
        Pattern compile = Pattern.compile("(?s)(" + Pattern.quote(AUTO_CONFIGURATION_START_MARKER) + ".*?" + Pattern.quote(AUTO_CONFIGURATION_END_MARKER) + ")");
        String str = (String) list.stream().collect(Collectors.joining(System.lineSeparator()));
        Matcher matcher = compile.matcher(str);
        if (!matcher.find()) {
            return list;
        }
        String group = matcher.group(1);
        try {
            Settings build = Settings.builder().loadFromSource(group, XContentType.YAML).build();
            TreeSet treeSet = new TreeSet(List.of("xpack.security.enabled", "xpack.security.enrollment.enabled", "xpack.security.transport.ssl.keystore.path", "xpack.security.transport.ssl.truststore.path", "xpack.security.transport.ssl.verification_mode", "xpack.security.http.ssl.enabled", "xpack.security.transport.ssl.enabled", "xpack.security.http.ssl.keystore.path", "cluster.initial_master_nodes", "http.host"));
            HashSet<String> hashSet = new HashSet(build.keySet());
            hashSet.removeAll(treeSet);
            List<String> list2 = (List) Arrays.stream(str.replace(group, "").split(System.lineSeparator())).collect(Collectors.toList());
            if (false == hashSet.isEmpty()) {
                for (String str2 : hashSet) {
                    list2.add(str2 + ": " + build.get(str2));
                }
            }
            return list2;
        } catch (Exception e) {
            throw new UserException(74, "Aborting enrolling to cluster. Unable to parse existing configuration file. Error was: " + e.getMessage(), e);
        }
    }

    private void removeAutoConfigurationFromKeystore(Environment environment, Terminal terminal) throws UserException {
        if (Files.exists(KeyStoreWrapper.keystorePath(environment.configFile()), new LinkOption[0])) {
            try {
                KeyStoreWrapper load = KeyStoreWrapper.load(environment.configFile());
                try {
                    SecureString secureString = load.hasPassword() ? new SecureString(terminal.readSecret("Enter password for the elasticsearch keystore: ")) : new SecureString(new char[0]);
                    try {
                        load.decrypt(secureString.getChars());
                        for (String str : List.of("xpack.security.transport.ssl.keystore.secure_password", "xpack.security.transport.ssl.truststore.secure_password", "xpack.security.http.ssl.keystore.secure_password", "autoconfiguration.password_hash")) {
                            if (!load.getSettingNames().contains(str)) {
                                throw new UserException(74, "Aborting enrolling to cluster. Unable to remove existing security configuration, elasticsearch.keystore did not contain expected setting [" + str + "].");
                            }
                            load.remove(str);
                        }
                        load.save(environment.configFile(), secureString.getChars());
                        if (secureString != null) {
                            secureString.close();
                        }
                        if (load != null) {
                            load.close();
                        }
                    } catch (Throwable th) {
                        if (secureString != null) {
                            try {
                                secureString.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } finally {
                }
            } catch (Exception e) {
                terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
                terminal.errorPrintln(Terminal.Verbosity.VERBOSE, ExceptionsHelper.stackTrace(e));
                terminal.errorPrintln(Terminal.Verbosity.VERBOSE, "");
                throw new UserException(74, "Aborting enrolling to cluster. Unable to remove existing secure settings. Error was: " + e.getMessage(), e);
            }
        }
    }
}
