package org.elasticsearch.shield;

import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import org.elasticsearch.action.ActionModule;
import org.elasticsearch.cluster.ClusterModule;
import org.elasticsearch.cluster.settings.Validator;
import org.elasticsearch.common.component.LifecycleComponent;
import org.elasticsearch.common.inject.Module;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.env.Environment;
import org.elasticsearch.http.HttpServerModule;
import org.elasticsearch.index.cache.IndexCacheModule;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.rest.RestModule;
import org.elasticsearch.shield.action.ShieldActionFilter;
import org.elasticsearch.shield.action.ShieldActionModule;
import org.elasticsearch.shield.action.authc.cache.ClearRealmCacheAction;
import org.elasticsearch.shield.action.authc.cache.TransportClearRealmCacheAction;
import org.elasticsearch.shield.audit.AuditTrailModule;
import org.elasticsearch.shield.audit.index.IndexAuditUserHolder;
import org.elasticsearch.shield.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.shield.authc.AuthenticationModule;
import org.elasticsearch.shield.authc.Realms;
import org.elasticsearch.shield.authc.support.SecuredString;
import org.elasticsearch.shield.authc.support.UsernamePasswordToken;
import org.elasticsearch.shield.authz.AuthorizationModule;
import org.elasticsearch.shield.authz.accesscontrol.AccessControlShardModule;
import org.elasticsearch.shield.authz.accesscontrol.OptOutQueryCache;
import org.elasticsearch.shield.authz.store.FileRolesStore;
import org.elasticsearch.shield.crypto.CryptoModule;
import org.elasticsearch.shield.crypto.InternalCryptoService;
import org.elasticsearch.shield.license.LicenseModule;
import org.elasticsearch.shield.license.ShieldLicensee;
import org.elasticsearch.shield.rest.ShieldRestModule;
import org.elasticsearch.shield.rest.action.RestShieldInfoAction;
import org.elasticsearch.shield.rest.action.authc.cache.RestClearRealmCacheAction;
import org.elasticsearch.shield.ssl.SSLModule;
import org.elasticsearch.shield.transport.ShieldClientTransportService;
import org.elasticsearch.shield.transport.ShieldServerTransportService;
import org.elasticsearch.shield.transport.ShieldTransportModule;
import org.elasticsearch.shield.transport.filter.IPFilter;
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
import org.elasticsearch.shield.transport.netty.ShieldNettyTransport;
import org.elasticsearch.transport.TransportModule;

/* loaded from: input_file:org/elasticsearch/shield/ShieldPlugin.class */
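/**
 * Entry point of the Shield security plugin.
 *
 * <p>From the node settings it decides which modules, services, transports, filters and REST
 * actions are installed. Three modes are distinguished:
 * <ul>
 *   <li><b>disabled</b> ({@code shield.enabled=false}): only {@code ShieldDisabledModule} is
 *       installed;</li>
 *   <li><b>client mode</b> ({@code client.type} is anything other than {@code "node"}): only the
 *       transport and SSL modules are installed;</li>
 *   <li><b>node mode</b>: the full set of authentication, authorization, audit, crypto, license,
 *       REST, action, transport and SSL modules is installed.</li>
 * </ul>
 */
public class ShieldPlugin extends Plugin {
    public static final String NAME = "shield";
    public static final String ENABLED_SETTING_NAME = "shield.enabled";
    public static final String OPT_OUT_QUERY_CACHE = "opt_out_cache";
    private static final boolean DEFAULT_ENABLED_SETTING = true;

    /** Setting that carries the HTTP Authorization header sent with requests. */
    private static final String AUTHORIZATION_HEADER_SETTING = "request.headers.Authorization";
    /** Setting that selects the index query cache implementation. */
    private static final String QUERY_CACHE_TYPE_SETTING = "index.queries.cache.type";

    private final Settings settings;
    private final boolean enabled;
    private final boolean clientMode;

    /**
     * Creates the plugin and, on an enabled server node, verifies that no query cache other
     * than {@link #OPT_OUT_QUERY_CACHE} has been configured.
     *
     * @param settings the node settings
     * @throws IllegalStateException if a different query cache type is configured
     */
    public ShieldPlugin(Settings settings) {
        this.settings = settings;
        this.enabled = shieldEnabled(settings);
        this.clientMode = clientMode(settings);
        if (this.enabled && !this.clientMode) {
            // At node level the setting may be absent: additionalSettings() supplies it later.
            failIfShieldQueryCacheIsNotActive(settings, true);
        }
    }

    /** Returns the plugin name, {@value #NAME}. */
    public String name() {
        return NAME;
    }

    /** Returns a short human-readable description of the plugin. */
    public String description() {
        return "Elasticsearch Shield (security)";
    }

    /**
     * Returns the node-level modules for the current mode.
     *
     * <p>The authentication, authorization and audit modules are only part of the node-mode
     * list; neither the disabled nor the client-mode list contains them.
     */
    public Collection<Module> nodeModules() {
        if (!this.enabled) {
            return Collections.<Module>singletonList(new ShieldDisabledModule(this.settings));
        }
        if (this.clientMode) {
            return Arrays.<Module>asList(
                    new ShieldTransportModule(this.settings),
                    new SSLModule(this.settings));
        }
        return Arrays.<Module>asList(
                new ShieldModule(this.settings),
                new LicenseModule(this.settings),
                new CryptoModule(this.settings),
                new AuthenticationModule(this.settings),
                new AuthorizationModule(this.settings),
                new AuditTrailModule(this.settings),
                new ShieldRestModule(this.settings),
                new ShieldActionModule(this.settings),
                new ShieldTransportModule(this.settings),
                new SSLModule(this.settings));
    }

    /**
     * Contributes no index modules; on an enabled server node it only re-checks that the index
     * settings select the opt-out query cache.
     *
     * @param settings the index settings
     * @throws IllegalStateException if the index settings select a different query cache
     */
    public Collection<Module> indexModules(Settings settings) {
        if (this.enabled && !this.clientMode) {
            failIfShieldQueryCacheIsNotActive(settings, false);
        }
        return Collections.emptyList();
    }

    /**
     * Returns the shard-level access-control module on an enabled server node, after checking
     * that the opt-out query cache is selected; returns an empty list otherwise.
     *
     * @param settings the index settings for the shard
     * @throws IllegalStateException if the settings select a different query cache
     */
    public Collection<Module> shardModules(Settings settings) {
        if (!this.enabled || this.clientMode) {
            return Collections.emptyList();
        }
        failIfShieldQueryCacheIsNotActive(settings, false);
        return Collections.<Module>singletonList(new AccessControlShardModule(settings));
    }

    /**
     * Returns the lifecycle services started with the node. The file audit trail is included
     * only when file audit logging is enabled in the settings.
     */
    public Collection<Class<? extends LifecycleComponent>> nodeServices() {
        if (!this.enabled || this.clientMode) {
            return Collections.emptyList();
        }
        Collection<Class<? extends LifecycleComponent>> services = new ArrayList<>();
        if (AuditTrailModule.fileAuditLoggingEnabled(this.settings)) {
            services.add(LoggingAuditTrail.class);
        }
        services.add(ShieldLicensee.class);
        services.add(InternalCryptoService.class);
        services.add(FileRolesStore.class);
        services.add(Realms.class);
        services.add(IPFilter.class);
        return services;
    }

    /**
     * Returns the settings Shield adds on top of the user's configuration: the derived
     * Authorization header, the per-tribe Shield requirements and the query cache type.
     *
     * <p>This is gated on {@code enabled} only, so it also applies in client mode.
     *
     * @throws IllegalArgumentException if {@code shield.user} is malformed
     * @throws IllegalStateException if a tribe is configured without Shield being mandatory
     *         and enabled
     */
    public Settings additionalSettings() {
        if (!this.enabled) {
            return Settings.EMPTY;
        }
        Settings.Builder builder = Settings.settingsBuilder();
        addUserSettings(builder);
        addTribeSettings(builder);
        addQueryCacheSettings(builder);
        return builder.build();
    }

    /**
     * Registers the filter and transport-profile settings as dynamically updatable cluster
     * settings. The registration is not conditional on Shield being enabled.
     *
     * <p>Every setting is registered with {@code Validator.EMPTY}, so this registration
     * supplies no value validation of its own.
     * NOTE(review): confirm that IPFilter rejects malformed rules when it applies an update and
     * that changing cluster settings is restricted to administrative roles, since these keys
     * appear to govern which addresses may connect.
     */
    public void onModule(ClusterModule clusterModule) {
        clusterModule.registerClusterDynamicSetting("shield.transport.filter.*", Validator.EMPTY);
        clusterModule.registerClusterDynamicSetting("shield.http.filter.*", Validator.EMPTY);
        clusterModule.registerClusterDynamicSetting("transport.profiles.*", Validator.EMPTY);
        clusterModule.registerClusterDynamicSetting(IPFilter.IP_FILTER_ENABLED_SETTING, Validator.EMPTY);
        clusterModule.registerClusterDynamicSetting(IPFilter.IP_FILTER_ENABLED_HTTP_SETTING, Validator.EMPTY);
    }

    /**
     * Registers the Shield action filter (server nodes only) and the clear-realm-cache action
     * (server nodes and clients) when Shield is enabled.
     */
    public void onModule(ActionModule actionModule) {
        if (!this.enabled) {
            return;
        }
        if (!this.clientMode) {
            actionModule.registerFilter(ShieldActionFilter.class);
        }
        actionModule.registerAction(ClearRealmCacheAction.INSTANCE, TransportClearRealmCacheAction.class, new Class[0]);
    }

    /**
     * Replaces the transport and the transport service with the Shield implementations when
     * Shield is enabled; clients and server nodes get different transport services.
     */
    public void onModule(TransportModule transportModule) {
        if (!this.enabled) {
            return;
        }
        transportModule.setTransport(ShieldNettyTransport.class, NAME);
        if (this.clientMode) {
            transportModule.setTransportService(ShieldClientTransportService.class, NAME);
        } else {
            transportModule.setTransportService(ShieldServerTransportService.class, NAME);
        }
    }

    /** Replaces the HTTP server transport with the Shield implementation on an enabled server node. */
    public void onModule(HttpServerModule httpServerModule) {
        if (this.enabled && !this.clientMode) {
            httpServerModule.setHttpServerTransport(ShieldNettyHttpServerTransport.class, NAME);
        }
    }

    /**
     * Registers the Shield REST actions. The clear-realm-cache action is added on enabled
     * server nodes only; the info action is added unconditionally, including when Shield is
     * disabled.
     */
    public void onModule(RestModule restModule) {
        if (this.enabled && !this.clientMode) {
            restModule.addRestAction(RestClearRealmCacheAction.class);
        }
        restModule.addRestAction(RestShieldInfoAction.class);
    }

    /** Reserves the index-audit user's role when Shield is enabled and auditing is turned on. */
    public void onModule(AuthorizationModule authorizationModule) {
        if (this.enabled && AuditTrailModule.auditingEnabled(this.settings)) {
            authorizationModule.registerReservedRole(IndexAuditUserHolder.ROLE);
        }
    }

    /**
     * Registers the opt-out query cache under {@link #OPT_OUT_QUERY_CACHE} on an enabled
     * server node.
     */
    public void onModule(IndexCacheModule indexCacheModule) {
        if (this.enabled && !this.clientMode) {
            indexCacheModule.registerQueryCache(OPT_OUT_QUERY_CACHE, OptOutQueryCache.class);
        }
    }

    /**
     * Derives a basic-auth Authorization header from {@code shield.user} unless an
     * Authorization header is already configured.
     *
     * <p>The value is split at the first colon, so the password may contain colons but the
     * username may not. A missing colon or an empty password is rejected.
     * NOTE(review): a value starting with ':' (empty username) passes this check; confirm that
     * is intended.
     *
     * <p>Both {@code shield.user} and the derived header hold credentials in settings, so they
     * should be kept out of logs and settings dumps. The password arrives as an immutable
     * {@code String}; wrapping it in {@code SecuredString} covers only the copied characters.
     *
     * @throws IllegalArgumentException if {@code shield.user} is not of the form
     *         {@code <username>:<password>}
     */
    private void addUserSettings(Settings.Builder builder) {
        if (this.settings.get(AUTHORIZATION_HEADER_SETTING) != null) {
            return;
        }
        String userSetting = this.settings.get("shield.user");
        if (userSetting == null) {
            return;
        }
        int separator = userSetting.indexOf(':');
        // The decompiled source used the boolean constant here; the intended operand is 1.
        if (separator < 0 || separator == userSetting.length() - 1) {
            throw new IllegalArgumentException("invalid [shield.user] setting. must be in the form of \"<username>:<password>\"");
        }
        String username = userSetting.substring(0, separator);
        SecuredString password = new SecuredString(userSetting.substring(separator + 1).toCharArray());
        builder.put(AUTHORIZATION_HEADER_SETTING, UsernamePasswordToken.basicAuthHeaderValue(username, password));
    }

    /**
     * Makes sure every configured tribe loads Shield and has it enabled.
     *
     * <p>For each {@code tribe.<name>} group: if {@code plugin.mandatory} is absent it is set
     * to {@code [shield]}, and if {@code shield.enabled} is absent it is set to {@code true}.
     * An explicit value that leaves Shield out or disables it fails startup rather than being
     * overridden.
     *
     * @throws IllegalStateException if a tribe's explicit settings omit or disable Shield
     */
    private void addTribeSettings(Settings.Builder builder) {
        Map<String, Settings> tribes = this.settings.getGroups("tribe", true);
        for (Map.Entry<String, Settings> tribe : tribes.entrySet()) {
            String prefix = "tribe." + tribe.getKey() + ".";
            Settings tribeSettings = tribe.getValue();

            String[] mandatoryPlugins = tribeSettings.getAsArray("plugin.mandatory", (String[]) null);
            if (mandatoryPlugins == null) {
                builder.putArray(prefix + "plugin.mandatory", new String[] {NAME});
            } else if (!isShieldMandatory(mandatoryPlugins)) {
                throw new IllegalStateException("when [plugin.mandatory] is explicitly configured, [shield] must be included in this list");
            }

            String enabledKey = prefix + ENABLED_SETTING_NAME;
            if (this.settings.get(enabledKey) == null) {
                builder.put(enabledKey, true);
            } else if (!shieldEnabled(tribeSettings)) {
                throw new IllegalStateException("tribe setting [" + enabledKey + "] must be set to true but the value is [" + this.settings.get(enabledKey) + "]");
            }
        }
    }

    /** Selects the opt-out query cache as the index query cache type. */
    private void addQueryCacheSettings(Settings.Builder builder) {
        builder.put(QUERY_CACHE_TYPE_SETTING, OPT_OUT_QUERY_CACHE);
    }

    /** Returns {@code true} if {@code strArr} contains the Shield plugin name. */
    private static boolean isShieldMandatory(String[] strArr) {
        for (String plugin : strArr) {
            if (NAME.equals(plugin)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the Shield configuration directory, {@code <config>/shield}. */
    public static Path configDir(Environment environment) {
        return environment.configFile().resolve(NAME);
    }

    /**
     * Resolves {@code str} against the Shield configuration directory.
     *
     * <p>No normalization or containment check is applied: an absolute path, or one containing
     * {@code ..}, resolves outside the Shield configuration directory.
     * NOTE(review): callers are not visible here; confirm they pass fixed file names or
     * validate operator-supplied values before use.
     */
    public static Path resolveConfigFile(Environment environment, String str) {
        return configDir(environment).resolve(str);
    }

    /**
     * Returns {@code true} unless {@code client.type} is exactly {@code "node"}.
     *
     * <p>An absent {@code client.type} therefore counts as client mode, in which the
     * authentication, authorization and audit modules are not installed.
     * NOTE(review): this presumably relies on node startup always setting
     * {@code client.type=node}; confirm, because a server node without it would run without
     * server-side enforcement.
     */
    public static boolean clientMode(Settings settings) {
        return !"node".equals(settings.get("client.type"));
    }

    /** Returns the value of {@code shield.enabled}, which defaults to {@code true}. */
    public static boolean shieldEnabled(Settings settings) {
        return settings.getAsBoolean(ENABLED_SETTING_NAME, DEFAULT_ENABLED_SETTING);
    }

    /**
     * Fails if the settings select a query cache other than {@link #OPT_OUT_QUERY_CACHE}.
     *
     * <p>NOTE(review): OptOutQueryCache lives in the access-control package, so the opt-out
     * cache is presumably what keeps cached query results from bypassing per-request access
     * control; failing closed here, rather than silently overriding the user's choice, makes
     * such a misconfiguration visible at startup.
     *
     * @param settings the settings to inspect
     * @param allowAbsent when {@code true} a missing setting is accepted (treated as the
     *        opt-out cache); when {@code false} the setting must be present and correct
     * @throws IllegalStateException if another cache type is selected
     */
    private void failIfShieldQueryCacheIsNotActive(Settings settings, boolean allowAbsent) {
        String cacheType = allowAbsent
                ? settings.get(QUERY_CACHE_TYPE_SETTING, OPT_OUT_QUERY_CACHE)
                : settings.get(QUERY_CACHE_TYPE_SETTING);
        if (!OPT_OUT_QUERY_CACHE.equals(cacheType)) {
            throw new IllegalStateException("shield does not support a user specified query cache. remove the setting [index.queries.cache.type] with value [" + cacheType + "]");
        }
    }
}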
