package com.floragunn.searchguard.sgctl.commands;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.DocReader;
import com.floragunn.codova.documents.DocWriter;
import com.floragunn.codova.documents.Document;
import com.floragunn.codova.documents.DocumentParseException;
import com.floragunn.codova.documents.UnexpectedDocumentStructureException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.errors.MissingAttribute;
import com.floragunn.codova.validation.errors.ValidationError;
import com.floragunn.fluent.collections.ImmutableList;
import com.floragunn.searchguard.sgctl.SgctlException;
import com.floragunn.searchguard.sgctl.util.YamlRewriter;
import com.google.common.base.Charsets;
import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.stream.Collectors;
import org.apache.http.HttpHost;
import picocli.CommandLine;

@CommandLine.Command(name = "migrate-config", description = {"Converts old-style sg_config.yml and kibana.yml into sg_authc.yml and sg_frontend_authc.yml"})
/* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig.class */
public class MigrateConfig implements Callable<Integer> {

    // Positional command-line arguments collected by picocli.
    // NOTE(review): presumably the paths of the old sg_config.yml and kibana.yml; confirm against call().
    @CommandLine.Parameters
    List<String> parameters;

    // Directory that receives the generated files; null when -o/--output-dir is not given.
    // NOTE(review): the migrated configuration carries credentials over from the old files (for example
    // the LDAP bind password), so this directory should presumably be readable only by the operator.
    @CommandLine.Option(names = {"-o", "--output-dir"}, description = {"Directory where to write new configuration files"})
    File outputDir;

    // Target platform selector; the accepted values are the ones listed in the option description.
    @CommandLine.Option(names = {"--target-platform"}, description = {"Specifies the target platform. Possible values: es (Elasticsearch), os (Opensearch), es711 (Elasticsearch 7.11 or newer)"})
    String targetPlatform;
    // Empty immutable map that createSgFrontendConfigSaml copies as the seed of its result map.
    private static final Map<String, Object> SG_META = ImmutableMap.of();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$AuthzDomain.class */
    public static class AuthzDomain {
        // Validating view over the same node as config; it is constructed with validationErrors,
        // presumably so that failed reads are recorded there.
        private final ValidatingDocNode vNode;
        // Problems found while migrating this domain; ConfigMigrator merges them under the domain's path.
        private final ValidationErrors validationErrors = new ValidationErrors();
        // Raw node of one entry of the legacy sg_config.dynamic.authz section.
        private DocNode config;
        // Value of authorization_backend.type; null when the attribute is absent.
        private String oldType;

        /**
         * Wraps one entry of the legacy {@code sg_config.dynamic.authz} section.
         *
         * <p>The backend type is read immediately and marked as required; it stays {@code null} when
         * the attribute is missing, which {@link #toUserInformationBackends()} treats as "nothing to
         * migrate".
         *
         * @param docNode the configuration node of the authorization domain
         */
        AuthzDomain(DocNode docNode) {
            ValidatingDocNode validatingNode = new ValidatingDocNode(docNode, this.validationErrors);
            this.vNode = validatingNode;
            this.config = docNode;
            this.oldType = validatingNode.get("authorization_backend.type").required().asString();
        }

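        /**
         * Converts this legacy authorization domain into the user information backends of the new
         * configuration format.
         *
         * <p>The types {@code intern} and {@code internal} map to a single {@code internal_users_db}
         * backend; {@code ldap} and {@code ldap2} map to one or more {@code ldap} backends. Any other
         * type is recorded as a validation error.
         *
         * @return the migrated backends; empty when the type is missing or unknown
         */
        List<UserInformationBackend> toUserInformationBackends() {
            if (this.oldType == null) {
                return Collections.emptyList();
            }
            switch (this.oldType) {
                case "intern":
                case "internal":
                    return Collections.singletonList(new UserInformationBackend("internal_users_db"));
                case "ldap":
                case "ldap2":
                    return toLdapUserInformationBackends();
                default:
                    this.validationErrors.add(new ValidationError(null, "Unknown authorization backend " + this.oldType));
                    return Collections.emptyList();
            }
        }

        /**
         * Builds the new-style LDAP backend(s) from the legacy {@code authorization_backend.config}
         * section: connection settings ({@code idp}), user search, group search and role mapping.
         *
         * <p>Security-relevant settings are carried over unchanged: the bind password and the private
         * key password are copied in clear text, and a disabled hostname verification stays disabled.
         * The generated configuration therefore needs the same protection as the old one.
         *
         * @return one backend, or several when the old config defines multiple user or role bases
         */
        private List<UserInformationBackend> toLdapUserInformationBackends() {
            UserInformationBackend backend = new UserInformationBackend("ldap");
            LinkedHashMap<String, Object> backendConfig = new LinkedHashMap<>();

            // ---- idp: how to reach and bind to the directory ----
            Map<String, Object> idp = new LinkedHashMap<>();
            boolean enableSsl = this.vNode.get("authorization_backend.config.enable_ssl").withDefault(false).asBoolean();
            // With enable_ssl set, hosts are given an explicit ldaps:// scheme.
            // NOTE(review): only an existing "ldaps://" prefix is recognised; a host written with
            // another scheme would be prefixed as well. Confirm which host formats the old config allowed.
            idp.put("hosts", this.vNode.get("authorization_backend.config.hosts").required().asList().withEmptyListAsDefault().ofStrings().stream()
                    .map(host -> enableSsl && !host.startsWith("ldaps://") ? "ldaps://" + host : host)
                    .collect(Collectors.toList()));
            DocNode oldConfig = this.config.getAsNode("authorization_backend", "config");
            if (oldConfig.hasNonNull("bind_dn")) {
                idp.put("bind_dn", oldConfig.getAsString("bind_dn"));
            }
            if (oldConfig.hasNonNull("password")) {
                // The bind password is copied verbatim, i.e. in clear text, into the new configuration.
                idp.put("password", oldConfig.getAsString("password"));
            }

            // ---- idp.tls ----
            Map<String, Object> tls = new LinkedHashMap<>();
            boolean startTls = this.vNode.get("authorization_backend.config.enable_start_tls").withDefault(false).asBoolean();
            boolean sslClientAuth = this.vNode.get("authorization_backend.config.enable_ssl_client_auth").withDefault(false).asBoolean();
            boolean verifyHostnames = this.vNode.get("authorization_backend.config.verify_hostnames").withDefault(true).asBoolean();
            String trustedCasFile = this.vNode.get("authorization_backend.config.pemtrustedcas_filepath").asString();
            String trustedCasContent = this.vNode.get("authorization_backend.config.pemtrustedcas_content").asString();
            String keyFile = this.vNode.get("authorization_backend.config.pemkey_filepath").asString();
            String keyPassword = this.vNode.get("authorization_backend.config.pemkey_password").asString();
            String certFile = this.vNode.get("authorization_backend.config.pemcert_filepath").asString();
            String keyContent = this.vNode.get("authorization_backend.config.pemkey_content").asString();
            String certContent = this.vNode.get("authorization_backend.config.pemcert_content").asString();
            if (startTls) {
                tls.put("start_tls", Boolean.valueOf(startTls));
            }
            if (!verifyHostnames) {
                // Only the non-default value is written. Hostname verification that was switched off
                // in the old config stays off after migration; no warning is raised here.
                tls.put("verify_hostnames", Boolean.valueOf(verifyHostnames));
            }
            if (trustedCasContent != null) {
                tls.put("trusted_cas", trustedCasContent);
            } else if (trustedCasFile != null) {
                tls.put("trusted_cas", "#{file:" + trustedCasFile + "}");
            }
            if (sslClientAuth) {
                Map<String, Object> clientAuth = new LinkedHashMap<>();
                if (keyFile != null) {
                    clientAuth.put("private_key", "#{file:" + keyFile + "}");
                } else if (keyContent != null) {
                    // Fix: the inline key (pemkey_content) is written here. The previous code stored
                    // the file path variable, which is always null in this branch, so an inline
                    // client key was silently dropped from the migrated config.
                    clientAuth.put("private_key", keyContent);
                }
                if (certFile != null) {
                    clientAuth.put("certificate", "#{file:" + certFile + "}");
                } else if (certContent != null) {
                    clientAuth.put("certificate", certContent);
                }
                if (keyPassword != null) {
                    // Copied in clear text, like the bind password.
                    clientAuth.put("private_key_password", keyPassword);
                }
                tls.put("client_auth", clientAuth);
            }
            if (!tls.isEmpty()) {
                idp.put("tls", tls);
            }
            backendConfig.put("idp", idp);

            // ---- user_search ----
            Map<String, Object> userSearch = new LinkedHashMap<>();
            userSearch.put("base_dn", oldConfig.getAsString("userbase"));
            if (oldConfig.hasNonNull("usersearch")) {
                // The legacy {0} placeholder becomes the ${user.name} template variable.
                // NOTE(review): the value is substituted into an LDAP filter by the consumer of this
                // config; confirm that the new LDAP backend escapes it (RFC 4515).
                userSearch.put("filter", ImmutableMap.of("raw", oldConfig.getAsString("usersearch").replace("{0}", "${user.name}")));
            }
            backendConfig.put("user_search", userSearch);

            if (oldConfig.hasNonNull("userrolename")) {
                // The attribute name is concatenated into the expression without escaping; a name
                // containing a double quote would yield a malformed expression.
                @SuppressWarnings({"unchecked", "rawtypes"}) // value type of userMappingRoles is declared outside this block
                List roleSources = (List) backend.userMappingRoles.computeIfAbsent("from", key -> new ArrayList<>());
                roleSources.add("$.ldap_user_entry[\"" + oldConfig.getAsString("userrolename") + "\"]");
            }

            // ---- group_search ----
            Map<String, Object> groupSearch = new LinkedHashMap<>();
            if (oldConfig.hasNonNull("rolebase")) {
                groupSearch.put("base_dn", oldConfig.getAsString("rolebase"));
            }
            if (oldConfig.hasNonNull("rolesearch")) {
                String userRoleAttribute;
                if (oldConfig.hasNonNull("userroleattribute")) {
                    userRoleAttribute = "${ldap_user_entry." + oldConfig.getAsString("userroleattribute") + "}";
                } else {
                    userRoleAttribute = "${ldap_user_entry.UNDEFINED_USER_ROLE_ATTRIBUTE}";
                    if (oldConfig.getAsString("rolesearch").contains("{2}")) {
                        this.validationErrors.add(new ValidationError("authorization_backend.config.rolesearch", "Uses {2} without defined userroleattribute"));
                    }
                }
                // Fix: {2} is now replaced in the filter itself. The previous code applied that
                // replace to the literal "${user.name}", so a legacy "{2}" placeholder survived in
                // the migrated filter. This now matches addNewLdapBackendConfigMultiGroupBase.
                groupSearch.put("filter", ImmutableMap.of("raw", oldConfig.getAsString("rolesearch").replace("{0}", "${dn}").replace("{1}", "${user.name}").replace("{2}", userRoleAttribute)));
            }
            if (oldConfig.hasNonNull("rolename")) {
                groupSearch.put("role_name_attribute", oldConfig.getAsString("rolename"));
            }
            Map<String, Object> recursive = new LinkedHashMap<>();
            if (oldConfig.hasNonNull("resolve_nested_roles") && Boolean.TRUE.equals(oldConfig.get("resolve_nested_roles"))) {
                recursive.put("enabled", true);
            }
            if (oldConfig.hasNonNull("nested_role_filter")) {
                this.validationErrors.add(new ValidationError("authorization_backend.config.nested_role_filter", "nested_role_filter is not directly supported any more. You can use group_search.recursive.enabled_for, which is the opposite: A pattern of group dns for which group search shall be performed"));
            }
            if (!recursive.isEmpty()) {
                groupSearch.put("recursive", recursive);
            }
            // NOTE(review): group_search is written even when it is empty. The previous code had an
            // isEmpty() guard followed by this unconditional put, so the guard had no effect; the
            // resulting behaviour is kept here. Confirm whether an empty group_search is intended.
            backendConfig.put("group_search", groupSearch);
            backend.backendConfig = backendConfig;

            // ---- fan out over multiple user bases and/or role bases ----
            boolean multipleUserBases = oldConfig.hasNonNull("users");
            boolean multipleRoleBases = oldConfig.hasNonNull("roles");
            if (!multipleUserBases) {
                return multipleRoleBases ? addNewLdapBackendConfigMultiGroupBase(backend) : Collections.singletonList(backend);
            }
            List<UserInformationBackend> perUserBase = addNewLdapBackendConfigMultiUserBase(backend);
            if (!multipleRoleBases) {
                return perUserBase;
            }
            List<UserInformationBackend> result = new ArrayList<>();
            for (UserInformationBackend userBaseBackend : perUserBase) {
                result.addAll(addNewLdapBackendConfigMultiGroupBase(userBaseBackend));
            }
            return result;
        }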

        /**
         * Produces one copy of the given LDAP backend per entry of the legacy
         * {@code authorization_backend.config.users} map, each with its own user search base.
         *
         * <p>Every copy gets a deep copy of the template's backend config, in which
         * {@code user_search.base_dn} is set from the entry's {@code base} and, when the entry has a
         * {@code search} attribute, {@code user_search.filter.raw} is set with {@code {0}} turned
         * into {@code ${user.name}}.
         *
         * @param userInformationBackend the template backend; its config is not modified
         * @return the per-user-base backends in the order of the old config
         */
        List<UserInformationBackend> addNewLdapBackendConfigMultiUserBase(UserInformationBackend userInformationBackend) {
            DocNode usersNode = this.config.getAsNode("authorization_backend", "config", "users");
            List<UserInformationBackend> result = new ArrayList<>();
            for (DocNode userBase : usersNode.toMapOfNodes().values()) {
                UserInformationBackend copy = userInformationBackend.m101clone();
                @SuppressWarnings("unchecked")
                LinkedHashMap<String, Object> copiedConfig = (LinkedHashMap<String, Object>) Document.toDeepBasicObject(userInformationBackend.backendConfig);
                @SuppressWarnings("unchecked")
                Map<String, Object> userSearch = (Map<String, Object>) copiedConfig.computeIfAbsent("user_search", key -> new LinkedHashMap<String, Object>());
                userSearch.put("base_dn", userBase.getAsString("base"));
                if (userBase.hasNonNull("search")) {
                    String rawFilter = userBase.getAsString("search").replace("{0}", "${user.name}");
                    userSearch.put("filter", ImmutableMap.of("raw", rawFilter));
                }
                copy.backendConfig = copiedConfig;
                result.add(copy);
            }
            return result;
        }

        /**
         * Produces one copy of the given LDAP backend per entry of the legacy
         * {@code authorization_backend.config.roles} map, each with its own group search base.
         *
         * <p>In an entry's {@code search} filter the legacy placeholders are rewritten:
         * {@code {0}} to {@code ${dn}}, {@code {1}} to {@code ${user.name}} and {@code {2}} to the
         * user role attribute reference, or to an {@code UNDEFINED_USER_ROLE_ATTRIBUTE} marker when
         * {@code userroleattribute} is not configured.
         *
         * @param userInformationBackend the template backend; its config is not modified
         * @return the per-role-base backends in the order of the old config
         */
        List<UserInformationBackend> addNewLdapBackendConfigMultiGroupBase(UserInformationBackend userInformationBackend) {
            DocNode oldConfig = this.config.getAsNode("authorization_backend", "config");
            Map<String, DocNode> roleBases = this.config.getAsNode("authorization_backend", "config", "roles").toMapOfNodes();
            String userRoleAttribute;
            if (oldConfig.hasNonNull("userroleattribute")) {
                userRoleAttribute = "${ldap_user_entry." + oldConfig.getAsString("userroleattribute") + "}";
            } else {
                userRoleAttribute = "${ldap_user_entry.UNDEFINED_USER_ROLE_ATTRIBUTE}";
            }
            List<UserInformationBackend> result = new ArrayList<>();
            for (DocNode roleBase : roleBases.values()) {
                UserInformationBackend copy = userInformationBackend.m101clone();
                @SuppressWarnings("unchecked")
                LinkedHashMap<String, Object> copiedConfig = (LinkedHashMap<String, Object>) Document.toDeepBasicObject(userInformationBackend.backendConfig);
                @SuppressWarnings("unchecked")
                Map<String, Object> groupSearch = (Map<String, Object>) copiedConfig.computeIfAbsent("group_search", key -> new LinkedHashMap<String, Object>());
                groupSearch.put("base_dn", roleBase.getAsString("base"));
                if (roleBase.hasNonNull("search")) {
                    String rawFilter = roleBase.getAsString("search")
                            .replace("{0}", "${dn}")
                            .replace("{1}", "${user.name}")
                            .replace("{2}", userRoleAttribute);
                    groupSearch.put("filter", ImmutableMap.of("raw", rawFilter));
                }
                copy.backendConfig = copiedConfig;
                result.add(copy);
            }
            return result;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$BackendUpdateInstructions.class */
    /**
     * Result holder for the backend part of the migration. ConfigMigrator.createBackendUpdateInstructions()
     * fills the fields it has data for and leaves the others {@code null}.
     */
    public static class BackendUpdateInstructions {
        /** New authentication configuration, including the migrated auth domains. */
        SgAuthc sgAuthc;

        /** License document with the key taken from the old config; {@code null} when no license was set. */
        DocNode sgLicense;

        /** Copy of the old {@code auth_token_provider} section; {@code null} when absent or empty. */
        DocNode sgAuthTokenService;

        /** Authorization settings (field anonymization salt); {@code null} when no salt was configured. */
        DocNode sgAuthz;

        /** Multi-tenancy settings; only set when multi-tenancy was enabled in the old config. */
        DocNode sgFrontendMultiTenancy;

        /** Not assigned by any code visible in this part of the file. */
        Object sgAuthcTransport;

        /** Informational messages for the operator. */
        List<String> infos = new ArrayList<>();
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$ConfigMigrator.class */
    public class ConfigMigrator {
        // Problems found in the old sg_config.yml; passed to the ValidatingDocNode that wraps it.
        private final ValidationErrors oldSgConfigValidationErrors = new ValidationErrors();
        // Problems found in the old kibana.yml; passed to the ValidatingDocNode that wraps it.
        private final ValidationErrors oldKibanaConfigValidationErrors = new ValidationErrors();
        // Parsed old sg_config.yml.
        private final ValidatingDocNode oldSgConfig;
        // Parsed old kibana.yml; null when no Kibana config file was supplied.
        private final ValidatingDocNode oldKibanaConfig;
        // Rewriter over the same kibana.yml file; null when no Kibana config file was supplied.
        private final YamlRewriter kibanaConfigRewriter;
        // Selects the key used for the base URL: server.publicBaseUrl when true,
        // searchguard.frontend_base_url otherwise (see createSgFrontendConfigBasicAuth).
        private final boolean publicBaseUrlAvailable;
        // File name of the dashboard config as shown in the operator instructions.
        private String dashboardConfigFileName;

        /**
         * Reads the old configuration files.
         *
         * @param file the old sg_config.yml; parsed as YAML
         * @param file2 the old kibana.yml, or {@code null} when only the backend is migrated; it is
         *     parsed as YAML and also handed to a {@link YamlRewriter}
         * @param z whether the target supports {@code server.publicBaseUrl}
         * @param str file name of the dashboard config used in the operator instructions
         * @throws FileNotFoundException if a given file does not exist
         * @throws IOException if a file cannot be read
         * @throws DocumentParseException if a file is not valid YAML
         * @throws UnexpectedDocumentStructureException if a document does not have the expected top-level structure
         */
        public ConfigMigrator(File file, File file2, boolean z, String str) throws FileNotFoundException, IOException, DocumentParseException, UnexpectedDocumentStructureException {
            this.oldSgConfig = new ValidatingDocNode(DocReader.yaml().readObject(file), this.oldSgConfigValidationErrors);
            if (file2 == null) {
                // Backend-only migration: there is no Kibana config to read or rewrite.
                this.oldKibanaConfig = null;
                this.kibanaConfigRewriter = null;
            } else {
                this.oldKibanaConfig = new ValidatingDocNode(DocReader.yaml().readObject(file2), this.oldKibanaConfigValidationErrors);
                this.kibanaConfigRewriter = new YamlRewriter(file2);
            }
            this.publicBaseUrlAvailable = z;
            this.dashboardConfigFileName = str;
        }

        /**
         * Derives the backend configuration documents from the old {@code sg_config.yml}.
         *
         * <p>Migrated items: field anonymization salt, XFF settings, multi-tenancy settings, all
         * enabled authz and authc domains, the anonymous auth domain, the license key and the
         * {@code auth_token_provider} section. Domains with {@code http_enabled: false} are skipped.
         * Validation problems of individual domains are merged into the sg_config validation errors
         * under the domain's path.
         *
         * <p>The salt, the license key and the {@code auth_token_provider} section are copied as they
         * are, so the result is as sensitive as the input file.
         *
         * @return the collected instructions; fields without data stay {@code null}
         */
        public BackendUpdateInstructions createBackendUpdateInstructions() {
            BackendUpdateInstructions instructions = new BackendUpdateInstructions();
            instructions.sgAuthc = new SgAuthc();

            boolean anonymousAuthEnabled = this.oldSgConfig.get("sg_config.dynamic.http.anonymous_auth_enabled").withDefault(false).asBoolean();
            String licenseKey = this.oldSgConfig.get("sg_config.dynamic.license").asString();
            com.floragunn.fluent.collections.ImmutableMap<String, Object> authTokenProvider = this.oldSgConfig.get("sg_config.dynamic.auth_token_provider").asMap();
            String anonymizationSalt = this.oldSgConfig.get("sg_config.dynamic.field_anonymization_salt2").asString();

            if (anonymizationSalt != null) {
                LinkedHashMap<String, Object> authz = new LinkedHashMap<>();
                authz.put("field_anonymization.salt", anonymizationSalt);
                instructions.sgAuthz = DocNode.wrap(authz);
            }

            if (this.oldSgConfig.get("sg_config.dynamic.http.xff.enabled").withDefault(false).asBoolean()) {
                // The proxy pattern and header name are taken over unchanged.
                instructions.sgAuthc.internalProxies = this.oldSgConfig.get("sg_config.dynamic.http.xff.internalProxies").asString();
                instructions.sgAuthc.remoteIpHeader = this.oldSgConfig.get("sg_config.dynamic.http.xff.remoteIpHeader").asString();
            }

            if (this.oldSgConfig.get("sg_config.dynamic.kibana.multitenancy_enabled").withDefault(false).asBoolean()) {
                instructions.sgFrontendMultiTenancy = DocNode.of("enabled", (Object) true, "index", (Object) this.oldSgConfig.get("sg_config.dynamic.kibana.index").asString(), "server_user", (Object) this.oldSgConfig.get("sg_config.dynamic.kibana.server_username").asString());
            }

            // Authorization domains become user information backends shared by all auth domains.
            ArrayList<UserInformationBackend> userInformationBackends = new ArrayList<>();
            DocNode authzNode = this.oldSgConfig.getDocumentNode().getAsNode("sg_config", "dynamic", "authz");
            if (!authzNode.isNull()) {
                for (Map.Entry<String, DocNode> authzEntry : authzNode.toMapOfNodes().entrySet()) {
                    DocNode domainNode = authzEntry.getValue();
                    boolean explicitlyDisabled = domainNode.hasNonNull("http_enabled") && Boolean.FALSE.equals(domainNode.get("http_enabled"));
                    if (explicitlyDisabled) {
                        continue;
                    }
                    AuthzDomain authzDomain = new AuthzDomain(domainNode);
                    userInformationBackends.addAll(authzDomain.toUserInformationBackends());
                    this.oldSgConfigValidationErrors.add("sg_config.dynamic.authz." + authzEntry.getKey(), authzDomain.validationErrors);
                }
            }

            // NOTE(review): unlike authz above, the authc node is not checked with isNull() before
            // toMapOfNodes(); confirm how a config without an authc section behaves here.
            DocNode authcNode = this.oldSgConfig.getDocumentNode().getAsNode("sg_config", "dynamic", "authc");
            ArrayList<OldAuthDomain> oldAuthDomains = new ArrayList<>();
            for (Map.Entry<String, DocNode> authcEntry : authcNode.toMapOfNodes().entrySet()) {
                DocNode domainNode = authcEntry.getValue();
                boolean explicitlyDisabled = domainNode.hasNonNull("http_enabled") && Boolean.FALSE.equals(domainNode.get("http_enabled"));
                if (explicitlyDisabled) {
                    continue;
                }
                if (domainNode.hasNonNull("authentication_backend")) {
                    DocNode authenticationBackend = domainNode.getAsNode("authentication_backend");
                    if (authenticationBackend.hasNonNull("type") && authenticationBackend.getAsString("type").equals("sg_auth_token")) {
                        // NOTE(review): this branch is empty in the decompiled listing, so domains of
                        // type sg_auth_token are migrated like any other. Check the original source
                        // for a dropped statement (for example a skip of such domains).
                    }
                }
                oldAuthDomains.add(new OldAuthDomain(authcEntry.getKey(), domainNode));
            }
            Collections.sort(oldAuthDomains);

            ArrayList<NewAuthDomain> newAuthDomains = new ArrayList<>();
            for (OldAuthDomain oldAuthDomain : oldAuthDomains) {
                newAuthDomains.addAll(oldAuthDomain.toNewAuthDomains(userInformationBackends));
                this.oldSgConfigValidationErrors.add("sg_config.dynamic.authc." + oldAuthDomain.id, oldAuthDomain.validationErrors);
            }

            if (anonymousAuthEnabled) {
                // Anonymous access stays enabled after migration: it is appended as the last auth
                // domain with a fixed user name and backend role.
                NewAuthDomain anonymousDomain = new NewAuthDomain("anonymous", null, null, null, null, null);
                anonymousDomain.userMappingUserName.put("static", "sg_anonymous");
                anonymousDomain.userMappingRoles.put("static", "sg_anonymous_backendrole");
                newAuthDomains.add(anonymousDomain);
            }
            instructions.sgAuthc.authDomains = newAuthDomains;

            if (licenseKey != null) {
                instructions.sgLicense = DocNode.of("key", (Object) licenseKey);
            }
            if (authTokenProvider != null && authTokenProvider.size() != 0) {
                instructions.sgAuthTokenService = DocNode.wrap(authTokenProvider);
            }
            return instructions;
        }

        /**
         * Creates the frontend migration instructions for the authentication type configured in
         * the old kibana.yml ({@code searchguard.auth.type}, default {@code BASICAUTH}).
         *
         * @return the instructions, or {@code null} when no Kibana config was supplied or the
         *     configured type (for example Kerberos or proxy) is not supported; in the latter case a
         *     validation error is recorded for {@code searchguard.auth.type}
         * @throws SgctlException if the type-specific migration fails
         */
        public FrontendUpdateInstructions createUpdateInstructions() throws SgctlException {
            if (this.oldKibanaConfig == null) {
                return null;
            }
            KibanaAuthType authType = (KibanaAuthType) this.oldKibanaConfig.get("searchguard.auth.type").withDefault((ValidatingDocNode.Attribute) KibanaAuthType.BASICAUTH).asEnum(KibanaAuthType.class);
            switch (authType) {
                case BASICAUTH:
                    return createSgFrontendConfigBasicAuth();
                case SAML:
                    return createSgFrontendConfigSaml();
                case OPENID:
                    return createSgFrontendConfigOidc();
                case JWT:
                    return createSgFrontendConfigJwt();
                default:
                    // KERBEROS, PROXY and any other type have no frontend migration.
                    this.oldKibanaConfigValidationErrors.add(new ValidationError("searchguard.auth.type", "The Kibana authentication type " + authType + " is not supported"));
                    return null;
            }
        }

        /**
         * Migrates a basic-auth Kibana setup: builds the {@code default} frontend config with one
         * {@code basic} auth domain and the optional login page settings, moves
         * {@code searchguard.basicauth.loadbalancer_url} to the base URL setting, and removes the
         * obsolete {@code searchguard.*} keys from kibana.yml.
         *
         * <p>Requires that a Kibana config was supplied; both {@code oldKibanaConfig} and
         * {@code kibanaConfigRewriter} are dereferenced without a null check.
         *
         * @return instructions with the new frontend config and either the rewritten kibana.yml or
         *     manual update steps
         */
        public FrontendUpdateInstructions createSgFrontendConfigBasicAuth() {
            FrontendUpdateInstructions instructions = new FrontendUpdateInstructions().mainInstructions("You have configured the Search Guard Kibana plugin to use basic authentication (user name and password based).");
            LinkedHashMap<String, Object> frontendConfig = new LinkedHashMap<>();

            // The old login subtitle becomes the message of the single basic auth domain.
            String subtitle = this.oldKibanaConfig.get("searchguard.basicauth.login.subtitle").asString();
            LinkedHashMap<String, Object> authDomain = new LinkedHashMap<>();
            authDomain.put("type", "basic");
            if (subtitle != null) {
                authDomain.put("message", subtitle);
            }
            frontendConfig.put("auth_domains", Collections.singletonList(authDomain));

            String loadbalancerUrl = this.oldKibanaConfig.get("searchguard.basicauth.loadbalancer_url").asString();
            if (loadbalancerUrl != null) {
                String publicBaseUrl = this.oldKibanaConfig.get("server.publicBaseUrl").asString();
                if (publicBaseUrl == null) {
                    String baseUrlKey = this.publicBaseUrlAvailable ? "server.publicBaseUrl" : "searchguard.frontend_base_url";
                    this.kibanaConfigRewriter.insertAtBeginning(new YamlRewriter.Attribute(baseUrlKey, loadbalancerUrl));
                } else if (!publicBaseUrl.equals(loadbalancerUrl)) {
                    this.oldKibanaConfigValidationErrors.add(new ValidationError("searchguard.basicauth.loadbalancer_url", "server.publicBaseUrl and searchguard.basicauth.loadbalancer_url have different values. This is an unexpected configuration."));
                }
            }

            // Login page settings are only emitted when at least one of them was configured.
            Boolean showBrandImage = this.oldKibanaConfig.get("searchguard.basicauth.login.showbrandimage").asBoolean();
            String brandImage = this.oldKibanaConfig.get("searchguard.basicauth.login.brandimage").asString();
            String title = this.oldKibanaConfig.get("searchguard.basicauth.login.title").asString();
            String buttonStyle = this.oldKibanaConfig.get("searchguard.basicauth.login.buttonstyle").asString();
            LinkedHashMap<String, Object> loginPage = new LinkedHashMap<>();
            if (showBrandImage != null) {
                loginPage.put("show_brand_image", showBrandImage);
            }
            if (brandImage != null) {
                loginPage.put("brand_image", brandImage);
            }
            if (title != null) {
                loginPage.put("title", title);
            }
            if (buttonStyle != null) {
                loginPage.put("button_style", buttonStyle);
            }
            if (!loginPage.isEmpty()) {
                frontendConfig.put("login_page", loginPage);
            }
            instructions.sgFrontendConfig(ImmutableMap.of("default", frontendConfig));

            // Keys that the updated plugin no longer reads from kibana.yml.
            String[] obsoleteKeys = {
                "searchguard.auth.type",
                "searchguard.basicauth.loadbalancer_url",
                "searchguard.basicauth.login.showbrandimage",
                "searchguard.basicauth.login.brandimage",
                "searchguard.basicauth.login.title",
                "searchguard.basicauth.login.subtitle",
                "searchguard.basicauth.login.buttonstyle"
            };
            for (String obsoleteKey : obsoleteKeys) {
                this.kibanaConfigRewriter.remove(obsoleteKey);
            }

            try {
                YamlRewriter.RewriteResult rewriteResult = this.kibanaConfigRewriter.rewrite();
                if (!rewriteResult.isChanged()) {
                    instructions.kibanaConfigInstructions("You do not need to update the Kibana configuration.");
                } else {
                    // NOTE(review): the fallback is a picocli constant in this decompiled listing,
                    // presumably standing in for an empty string literal in the original source.
                    String outputHint = MigrateConfig.this.outputDir != null
                            ? "An automatically updated " + this.dashboardConfigFileName + " file has been put by this tool to " + MigrateConfig.this.outputDir + "."
                            : CommandLine.Model.OptionSpec.DEFAULT_FALLBACK_VALUE;
                    instructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/" + this.dashboardConfigFileName + " in your Kibana installation. \n  The necessary changes are listed below. " + outputHint + "\n\n---------------------------------------------------------------------------------\n" + this.kibanaConfigRewriter.getManualInstructions() + "\n---------------------------------------------------------------------------------");
                    instructions.kibanaConfig(rewriteResult.getYaml());
                }
            } catch (YamlRewriter.RewriteException e) {
                // Automatic rewriting failed; fall back to the manual steps carried by the exception.
                instructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/" + this.dashboardConfigFileName + " in your Kibana installation.\n  Please perform the following updates:\n\n" + e.getManualInstructions());
            }
            return instructions;
        }

        public FrontendUpdateInstructions createSgFrontendConfigSaml() throws SgctlException {
            MigrationResult migrateTlsConfig;
            LinkedHashMap linkedHashMap = new LinkedHashMap(MigrateConfig.SG_META);
            ImmutableList<DocNode> findNodesByJsonPath = this.oldSgConfig.getDocumentNode().findNodesByJsonPath("$.sg_config.dynamic.authc.*[?(@.http_authenticator.type == 'saml' || @.http_authenticator.type == 'com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator')]");
            String str = null;
            if (findNodesByJsonPath.isEmpty()) {
                return new FrontendUpdateInstructions().error("No auth domains of type 'saml' are defined in the provided sg_config.yml file, even though kibana.yml is configured to use SAML authentication. This is an invalid configuration. Please check if you have provided the correct configuration files.");
            }
            List<DocNode> list = (List) findNodesByJsonPath.stream().filter(docNode -> {
                return docNode.get("http_enabled") != Boolean.FALSE;
            }).collect(Collectors.toList());
            if (list.isEmpty()) {
                return new FrontendUpdateInstructions().error("All auth domains of type 'saml' defined in sg_config.yml are disabled, even though kibana.yml is configured to use SAML authentication. This is an invalid configuration. Please check if you have provided the correct configuration files.");
            }
            FrontendUpdateInstructions frontendUpdateInstructions = new FrontendUpdateInstructions();
            frontendUpdateInstructions.setSgFrontendConfigInstructionsTypeSpecific("You have configured Search Guard to use SAML authentication. The SAML configuration was moved to sg_frontend_authc.yml.");
            if (list.size() > 1) {
                frontendUpdateInstructions.sgFrontendConfigInstructionsAdvanced("sg_config.yml defines more than one auth domain of type 'saml'. This is a non-standard advanced cofiguration. The new Search Guard Kibana plugin will use this configuration to present a list of all available SAML auth domains when logging in. The user can then choose from one of the auth domains.");
                frontendUpdateInstructions.sgFrontendConfigInstructionsReview("Please review the settings. If one of the SAML auth domains is not necessary, you should remove it.");
            }
            ArrayList arrayList = new ArrayList();
            for (DocNode docNode2 : list) {
                LinkedHashMap linkedHashMap2 = new LinkedHashMap();
                arrayList.add(linkedHashMap2);
                linkedHashMap2.put("type", "saml");
                if (list.size() > 1) {
                    linkedHashMap2.put("label", docNode2.getKey());
                }
                ValidationErrors validationErrors = new ValidationErrors();
                ValidatingDocNode validatingDocNode = new ValidatingDocNode(docNode2, validationErrors);
                String asString = validatingDocNode.get("http_authenticator.config.kibana_url").required().asString();
                if (str == null) {
                    str = asString;
                } else if (asString != null && !str.equals(asString)) {
                    throw new SgctlException("You have two SAML auth domains for different Kibana URLs. This configuration is not supported by this tool. If you are running several Kibana instances, please check the Search Guard documentation on how to configure several Kibana instances.");
                }
                String asString2 = validatingDocNode.get("http_authenticator.config.idp.metadata_url").asString();
                String asString3 = validatingDocNode.get("http_authenticator.config.idp.metadata_file").asString();
                if (asString3 == null && asString2 == null) {
                    validationErrors.add(new MissingAttribute("http_authenticator.config.idp.metadata_url"));
                }
                String asString4 = validatingDocNode.get("http_authenticator.config.idp.entity_id").required().asString();
                LinkedHashMap linkedHashMap3 = new LinkedHashMap();
                if (asString2 != null) {
                    linkedHashMap3.put("metadata_url", asString2);
                }
                if (asString3 != null) {
                    linkedHashMap3.put("metadata_xml", "${file:" + asString3 + "}");
                }
                linkedHashMap3.put("entity_id", asString4);
                com.floragunn.fluent.collections.ImmutableMap<String, Object> asMap = validatingDocNode.get("http_authenticator.config.idp").asMap();
                if (asMap != null && (migrateTlsConfig = migrateTlsConfig(asMap)) != null) {
                    linkedHashMap3.put("tls", asMap);
                    this.oldSgConfigValidationErrors.add("http_authenticator.config.idp", migrateTlsConfig.getSourceValidationErrors());
                }
                linkedHashMap2.put("saml.idp", linkedHashMap3);
                String asString5 = validatingDocNode.get("http_authenticator.config.sp.entity_id").required().asString();
                String asString6 = validatingDocNode.get("http_authenticator.config.sp.signature_algorithm").asString();
                String asString7 = validatingDocNode.get("http_authenticator.config.sp.signature_private_key_password").asString();
                String asString8 = validatingDocNode.get("http_authenticator.config.sp.signature_private_key_filepath").asString();
                String asString9 = validatingDocNode.get("http_authenticator.config.sp.signature_private_key").asString();
                Boolean asBoolean = validatingDocNode.get("http_authenticator.config.sp.forceAuthn").asBoolean();
                LinkedHashMap linkedHashMap4 = new LinkedHashMap();
                linkedHashMap4.put("entity_id", asString5);
                if (asString6 != null) {
                    linkedHashMap4.put("signature_algorithm", asString6);
                }
                if (asString7 != null) {
                    linkedHashMap4.put("signature_private_key_password", asString7);
                }
                if (asString8 != null) {
                    linkedHashMap4.put("signature_private_key_filepath", asString8);
                }
                if (asString9 != null) {
                    linkedHashMap4.put("signature_private_key", asString9);
                }
                if (asBoolean != null) {
                    linkedHashMap4.put("forceAuthn", asBoolean);
                }
                linkedHashMap2.put("saml.sp", linkedHashMap4);
                String asString10 = validatingDocNode.get("http_authenticator.config.subject_key").asString();
                String asString11 = validatingDocNode.get("http_authenticator.config.subject_pattern").asString();
                if (asString11 != null) {
                    if (asString10 != null) {
                        linkedHashMap2.put("user_mapping.user_name.from.json_path", "$.saml_response['" + asString10 + "']");
                    }
                    linkedHashMap2.put("user_mapping.user_name.from.pattern", asString11);
                } else if (asString10 != null) {
                    linkedHashMap2.put("user_mapping.user_name.from", "$.saml_response['" + asString10 + "']");
                }
                String asString12 = validatingDocNode.get("http_authenticator.config.roles_key").required().asString();
                String asString13 = validatingDocNode.get("http_authenticator.config.roles_seperator").asString();
                if (asString13 != null && !",".equals(asString13)) {
                    if (asString12 != null) {
                        linkedHashMap2.put("user_mapping.roles.from.json_path", "$.saml_response['" + asString12 + "']");
                    }
                    linkedHashMap2.put("user_mapping.roles.from.split", asString13);
                } else if (asString12 != null) {
                    linkedHashMap2.put("user_mapping.roles.from_comma_separated_string", "$.saml_response['" + asString12 + "']");
                }
                Boolean asBoolean2 = validatingDocNode.get("http_authenticator.config.check_issuer").asBoolean();
                if (asBoolean2 != null) {
                    linkedHashMap2.put("saml.check_issuer", asBoolean2);
                }
                Object asAnything = validatingDocNode.get("http_authenticator.config.validator").asAnything();
                if (asAnything instanceof Map) {
                    linkedHashMap2.put("saml.validator", asAnything);
                }
                if (validationErrors.hasErrors()) {
                    this.oldSgConfigValidationErrors.add("sg_config.dynamic.authc." + docNode2.getKey(), validationErrors);
                }
            }
            linkedHashMap.put("auth_domains", arrayList);
            frontendUpdateInstructions.sgFrontendConfig(ImmutableMap.of("default", linkedHashMap));
            this.kibanaConfigRewriter.remove("searchguard.auth.type");
            this.kibanaConfigRewriter.remove("searchguard.basicauth.loadbalancer_url");
            if (!this.oldKibanaConfig.hasNonNull("server.publicBaseUrl")) {
                this.kibanaConfigRewriter.insertAtBeginning(new YamlRewriter.Attribute(this.publicBaseUrlAvailable ? "server.publicBaseUrl" : "searchguard.frontend_base_url", str));
            }
            try {
                YamlRewriter.RewriteResult rewrite = this.kibanaConfigRewriter.rewrite();
                if (rewrite.isChanged()) {
                    frontendUpdateInstructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/kibana.yml in your Kibana installation. \n  The necessary changes are listed below. " + (MigrateConfig.this.outputDir != null ? "An automatically updated kibana.yml file has been put by this tool to " + MigrateConfig.this.outputDir + "." : CommandLine.Model.OptionSpec.DEFAULT_FALLBACK_VALUE) + "\n\n---------------------------------------------------------------------------------\n" + this.kibanaConfigRewriter.getManualInstructions() + "\n---------------------------------------------------------------------------------");
                    frontendUpdateInstructions.kibanaConfig(rewrite.getYaml());
                } else {
                    frontendUpdateInstructions.kibanaConfigInstructions("You do not need to update the Kibana configuration.");
                }
            } catch (YamlRewriter.RewriteException e) {
                frontendUpdateInstructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/kibana.yml in your Kibana installation.\n  Please perform the following updates:\n\n" + e.getManualInstructions());
            }
            return frontendUpdateInstructions;
        }

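        /**
         * Builds the new frontend authentication configuration and the kibana.yml rewrite
         * instructions for a setup in which kibana.yml selects OIDC authentication.
         *
         * <p>Every enabled auth domain in sg_config.yml whose {@code http_authenticator.type} is
         * {@code openid} becomes one {@code oidc} entry in {@code auth_domains}. Client id, client
         * secret, scope and logout URL are read from kibana.yml; the other settings come from the
         * auth domain itself. Problems found in the old files are recorded in
         * {@code oldSgConfigValidationErrors} instead of being thrown.
         *
         * <p>Points worth checking in the generated output:
         * <ul>
         *   <li>The OIDC client secret is copied verbatim from kibana.yml into the generated
         *       configuration, so that output holds a credential in clear text.</li>
         *   <li>The IdP TLS settings are written in the converted form returned by
         *       {@code migrateTlsConfig}, including any {@code trust_all} and
         *       {@code verify_hostnames} values found in the old file.</li>
         * </ul>
         *
         * @return the collected instructions; only an error message is set when sg_config.yml has
         *         no {@code openid} auth domain or all of them are disabled
         */
        public FrontendUpdateInstructions createSgFrontendConfigOidc() {
            LinkedHashMap frontendConfig = new LinkedHashMap(MigrateConfig.SG_META);
            ImmutableList<DocNode> oidcDomains = this.oldSgConfig.getDocumentNode().findNodesByJsonPath("$.sg_config.dynamic.authc.*[?(@.http_authenticator.type == 'openid')]");
            // An explicit redirect base URL wins; otherwise the URL is derived from the server.* settings.
            String frontendBaseUrl = this.oldKibanaConfig.get("searchguard.openid.base_redirect_url").asString();
            if (frontendBaseUrl == null) {
                frontendBaseUrl = getFrontendBaseUrlFromKibanaYaml();
            }
            if (oidcDomains.isEmpty()) {
                return new FrontendUpdateInstructions().error("No auth domains of type 'openid' are defined in the provided sg_config.yml, even though kibana.yml is configured to use OIDC authentication. This is an invalid configuration. Please check if you have provided the correct configuration files.");
            }
            // Compare by value: an identity check against Boolean.FALSE misses a false value that is
            // not the canonical Boolean.FALSE instance and would then treat a disabled domain as enabled.
            List<DocNode> enabledDomains = oidcDomains.stream()
                    .filter(domain -> !Boolean.FALSE.equals(domain.get("http_enabled")))
                    .collect(Collectors.toList());
            if (enabledDomains.isEmpty()) {
                return new FrontendUpdateInstructions().error("All auth domains of type 'openid' defined in sg_config.yml are disabled, even though kibana.yml is configured to use OIDC authentication. This is an invalid configuration. Please check if you have provided the correct configuration files.");
            }
            FrontendUpdateInstructions mainInstructions = new FrontendUpdateInstructions().mainInstructions("You have configured Search Guard to use OIDC authentication.");
            if (enabledDomains.size() > 1) {
                mainInstructions.mainInstructions("You have defined several OIDC authentication domains. The configuration will be converted in such a way that the user can choose from a list of authentication domains. If you are using a setup with multiple Kibana instances, please refer to the Search Guard documentation on how to configure such a setup.");
            }
            List<Map<String, Object>> newAuthDomains = new ArrayList<>();
            for (DocNode oidcDomain : enabledDomains) {
                Map<String, Object> newAuthDomain = new LinkedHashMap<>();
                newAuthDomains.add(newAuthDomain);
                newAuthDomain.put("type", "oidc");
                // A label is only needed when the user has to choose between several domains.
                if (enabledDomains.size() > 1) {
                    newAuthDomain.put("label", oidcDomain.getKey());
                }
                ValidationErrors domainErrors = new ValidationErrors();
                ValidatingDocNode oldDomain = new ValidatingDocNode(oidcDomain, domainErrors);
                String connectUrl = oldDomain.get("http_authenticator.config.openid_connect_url").required().asString();
                String kibanaConnectUrl = this.oldKibanaConfig.get("searchguard.openid.connect_url").asString();
                if (connectUrl != null && kibanaConnectUrl != null && !connectUrl.equals(kibanaConnectUrl)) {
                    domainErrors.add(new ValidationError("http_authenticator.config.openid_connect_url", "The openid_connect_url in sg_config.yml and kibana.yml must be equal. However, in the given configuration the URLs differ."));
                }
                // These reads stay inside the loop so that the kibana.yml validation is triggered
                // exactly as often as before.
                String clientId = this.oldKibanaConfig.get("searchguard.openid.client_id").required().asString();
                String clientSecret = this.oldKibanaConfig.get("searchguard.openid.client_secret").required().asString();
                String scope = this.oldKibanaConfig.get("searchguard.openid.scope").asString();
                String logoutUrl = this.oldKibanaConfig.get("searchguard.openid.logout_url").asString();
                newAuthDomain.put("oidc.idp.openid_configuration_url", connectUrl);
                newAuthDomain.put("oidc.client_id", clientId);
                // The secret is carried over as plain text; the generated file needs the same
                // protection as the kibana.yml it came from.
                newAuthDomain.put("oidc.client_secret", clientSecret);
                if (scope != null) {
                    newAuthDomain.put("oidc.scope", scope);
                }
                if (logoutUrl != null) {
                    newAuthDomain.put("oidc.logout_url", logoutUrl);
                }
                // User name mapping. When both subject_key and subject_path are set, the later put
                // for subject_path replaces the subject_key expression. The values are inserted into
                // the JSON path expression without escaping.
                String subjectKey = oldDomain.get("http_authenticator.config.subject_key").asString();
                String subjectPattern = oldDomain.get("http_authenticator.config.subject_pattern").asString();
                String subjectPath = oldDomain.get("http_authenticator.config.subject_path").asString();
                if (subjectPattern != null) {
                    if (subjectKey != null) {
                        newAuthDomain.put("user_mapping.user_name.from.json_path", "$.oidc_id_token['" + subjectKey + "']");
                    }
                    if (subjectPath != null) {
                        newAuthDomain.put("user_mapping.user_name.from.json_path", "$.oidc_id_token." + subjectPath);
                    }
                    newAuthDomain.put("user_mapping.user_name.from.pattern", subjectPattern);
                } else {
                    if (subjectKey != null) {
                        newAuthDomain.put("user_mapping.user_name.from", "$.oidc_id_token['" + subjectKey + "']");
                    }
                    if (subjectPath != null) {
                        newAuthDomain.put("user_mapping.user_name.from", "$.oidc_id_token." + subjectPath);
                    }
                }
                String rolesKey = oldDomain.get("http_authenticator.config.roles_key").asString();
                if (rolesKey != null) {
                    newAuthDomain.put("user_mapping.roles.from_comma_separated_string", "$.oidc_id_token['" + rolesKey + "']");
                }
                // NOTE(review): unlike subject_path, roles_path is written without the
                // "$.oidc_id_token." prefix - confirm that this is intended.
                String rolesPath = oldDomain.get("http_authenticator.config.roles_path").asString();
                if (rolesPath != null) {
                    newAuthDomain.put("user_mapping.roles.from_comma_separated_string", rolesPath);
                }
                Object claimsToAttrs = oldDomain.get("http_authenticator.config.map_claims_to_user_attrs").asAnything();
                if (claimsToAttrs != null) {
                    newAuthDomain.put("user_mapping.attrs.from", claimsToAttrs);
                }
                Object proxy = oldDomain.get("http_authenticator.config.proxy").asAnything();
                if (proxy != null) {
                    newAuthDomain.put("oidc.idp.proxy", proxy);
                }
                Map<String, Object> oldIdpConfig = oldDomain.get("http_authenticator.config.openid_connect_idp").asMap();
                if (oldIdpConfig != null) {
                    MigrationResult tlsMigration = migrateTlsConfig(oldIdpConfig);
                    if (tlsMigration != null) {
                        // Store the converted TLS settings. Storing the old map here would write
                        // old-style keys (enable_ssl, pemtrustedcas_filepath, ...) into the new file
                        // and discard the trusted_cas / client_auth entries that were just built.
                        newAuthDomain.put("oidc.idp.tls", tlsMigration.getConfig());
                        this.oldSgConfigValidationErrors.add("http_authenticator.config.openid_connect_idp", tlsMigration.getSourceValidationErrors());
                    }
                }
                migrateAttribute("idp_request_timeout_ms", oldDomain, newAuthDomain, "oidc");
                migrateAttribute("idp_queued_thread_timeout_ms", oldDomain, newAuthDomain, "oidc");
                migrateAttribute("refresh_rate_limit_time_window_ms", oldDomain, newAuthDomain, "oidc");
                migrateAttribute("refresh_rate_limit_count", oldDomain, newAuthDomain, "oidc");
                migrateAttribute("cache_jwks_endpoint", oldDomain, newAuthDomain, "oidc");
                if (domainErrors.hasErrors()) {
                    this.oldSgConfigValidationErrors.add("sg_config.dynamic.authc." + oidcDomain.getKey(), domainErrors);
                }
            }
            frontendConfig.put("auth_domains", newAuthDomains);
            if (!this.oldKibanaConfig.hasNonNull("server.publicBaseUrl")) {
                this.kibanaConfigRewriter.insertAtBeginning(new YamlRewriter.Attribute(this.publicBaseUrlAvailable ? "server.publicBaseUrl" : "searchguard.frontend_base_url", frontendBaseUrl));
            }
            mainInstructions.sgFrontendConfig(ImmutableMap.of("default", frontendConfig));
            // The OIDC client settings now live in the generated frontend configuration, so they are
            // removed from kibana.yml.
            this.kibanaConfigRewriter.remove("searchguard.auth.type");
            this.kibanaConfigRewriter.remove("searchguard.basicauth.loadbalancer_url");
            this.kibanaConfigRewriter.remove("searchguard.openid.connect_url");
            this.kibanaConfigRewriter.remove("searchguard.openid.client_id");
            this.kibanaConfigRewriter.remove("searchguard.openid.client_secret");
            this.kibanaConfigRewriter.remove("searchguard.openid.scope");
            this.kibanaConfigRewriter.remove("searchguard.openid.header");
            this.kibanaConfigRewriter.remove("searchguard.openid.base_redirect_url");
            this.kibanaConfigRewriter.remove("searchguard.openid.logout_url");
            try {
                YamlRewriter.RewriteResult rewrite = this.kibanaConfigRewriter.rewrite();
                if (rewrite.isChanged()) {
                    mainInstructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/kibana.yml in your Kibana installation. \n  The necessary changes are listed below. " + (MigrateConfig.this.outputDir != null ? "An automatically updated kibana.yml file has been put by this tool to " + MigrateConfig.this.outputDir + "." : CommandLine.Model.OptionSpec.DEFAULT_FALLBACK_VALUE) + "\n\n" + this.kibanaConfigRewriter.getManualInstructions());
                    mainInstructions.kibanaConfig(rewrite.getYaml());
                } else {
                    mainInstructions.kibanaConfigInstructions("You do not need to update the Kibana configuration.");
                }
            } catch (YamlRewriter.RewriteException e) {
                // Automatic rewriting failed; fall back to the manual steps carried by the exception.
                mainInstructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/kibana.yml in your Kibana installation.\n  Please perform the following updates:\n\n" + e.getManualInstructions());
            }
            return mainInstructions;
        }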

        /**
         * Builds the migration instructions for a kibana.yml that selects JWT authentication.
         *
         * <p>Only the variant where the JWT is passed as a URL parameter
         * ({@code searchguard.jwt.url_parameter}) is handled. kibana.yml is rewritten to the
         * {@code searchguard.auth.jwt.*} settings, and the generated frontend configuration gets a
         * single {@code link} auth domain pointing to {@code searchguard.jwt.login_endpoint} if
         * that endpoint is configured; otherwise it is left empty.
         *
         * <p>Review note: with this setup the token travels in the query string, and values in
         * URLs commonly end up in access logs and browser history.
         *
         * @return the collected instructions
         * @throws SgctlException if no URL parameter is configured, i.e. the JWT is expected in the
         *         Authorization header
         */
        public FrontendUpdateInstructions createSgFrontendConfigJwt() throws SgctlException {
            String jwtUrlParameter = this.oldKibanaConfig.get("searchguard.jwt.url_parameter").asString();
            String loginEndpoint = this.oldKibanaConfig.get("searchguard.jwt.login_endpoint").asString();
            FrontendUpdateInstructions instructions = new FrontendUpdateInstructions();
            if (jwtUrlParameter == null) {
                throw new SgctlException("You have configured Search Guard to use authentication using a JWT provided as an Authorization header. This is an advanced configuration, usually only found in combination with a proxy which adds the Authorization header to HTTP requests. This configuration is not supported by this tool. Please refer to the Search Guard documentation for details.");
            }
            instructions.mainInstructions("You have configured Search Guard to use authentication using a JWT specified as URL parameter.");

            // Both new attributes are anchored at the old auth type entry, which is then dropped
            // together with the old searchguard.jwt.* settings.
            this.kibanaConfigRewriter.insertAfter("searchguard.auth.type", new YamlRewriter.Attribute("searchguard.auth.jwt.enabled", true));
            this.kibanaConfigRewriter.insertAfter("searchguard.auth.type", new YamlRewriter.Attribute("searchguard.auth.jwt.url_parameter", jwtUrlParameter));
            this.kibanaConfigRewriter.remove("searchguard.auth.type");
            this.kibanaConfigRewriter.remove("searchguard.jwt.header");
            this.kibanaConfigRewriter.remove("searchguard.jwt.login_endpoint");
            this.kibanaConfigRewriter.remove("searchguard.jwt.url_parameter");

            try {
                YamlRewriter.RewriteResult rewriteResult = this.kibanaConfigRewriter.rewrite();
                if (!rewriteResult.isChanged()) {
                    instructions.kibanaConfigInstructions("You do not need to update the Kibana configuration.");
                } else {
                    String outputHint;
                    if (MigrateConfig.this.outputDir != null) {
                        outputHint = "An automatically updated kibana.yml file has been put by this tool to " + MigrateConfig.this.outputDir + ".";
                    } else {
                        outputHint = CommandLine.Model.OptionSpec.DEFAULT_FALLBACK_VALUE;
                    }
                    instructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/kibana.yml in your Kibana installation. \n  The necessary changes are listed below. " + outputHint + "\n\n" + this.kibanaConfigRewriter.getManualInstructions());
                    instructions.kibanaConfig(rewriteResult.getYaml());
                }
            } catch (YamlRewriter.RewriteException e) {
                // Automatic rewriting failed; fall back to the manual steps carried by the exception.
                instructions.kibanaConfigInstructions("Before starting Kibana with the updated plugin, you need to update the file config/kibana.yml in your Kibana installation.\n  Please perform the following updates:\n\n" + e.getManualInstructions());
            }

            if (loginEndpoint != null) {
                // A configured login endpoint becomes a single auth domain of type "link".
                Map<String, Object> frontendConfig = new LinkedHashMap<>();
                frontendConfig.put("auth_domains", Collections.singletonList(ImmutableMap.of("type", "link", "url", loginEndpoint)));
                instructions.sgFrontendConfig(ImmutableMap.of("default", frontendConfig));
                return instructions;
            }
            // No login endpoint: the generated frontend configuration stays empty.
            instructions.sgFrontendConfigInstructions("In the current configuration, the Search Guard Kibana plugin does not provide a login form. The only way to login is opening a Kibana URL with the URL parameter " + jwtUrlParameter + ". Thus, the sg_frontend_authc.yml file generated by this tool will also define no authenticators. If you want to have more login methods, you can add these to sg_frontend_authc.yml.");
            instructions.sgFrontendConfig(Collections.emptyMap());
            return instructions;
        }

        /**
         * Derives a Kibana base URL from the {@code server.*} settings of the old kibana.yml.
         *
         * <p>The scheme depends only on {@code server.ssl.enabled}. The port is left out when it is
         * missing or is the default for the scheme (80 for http, 443 for https). The result
         * describes the Kibana process itself; a reverse proxy or TLS terminator in front of it is
         * not visible here, so the derived URL should be reviewed before it is used.
         *
         * @return the URL assembled from scheme, host, optional port and base path
         * @throws RuntimeException wrapping the {@link URISyntaxException} if the parts do not form
         *         a valid URI
         */
        private String getFrontendBaseUrlFromKibanaYaml() {
            boolean sslEnabled = this.oldKibanaConfig.get("server.ssl.enabled").withDefault(false).asBoolean();
            String host = this.oldKibanaConfig.get("server.host").required().asString();
            int port = this.oldKibanaConfig.get("server.port").withDefault((Number) (-1)).asInteger().intValue();
            // NOTE(review): Kibana documents this setting as server.basePath; confirm that the
            // lookup below matches it regardless of case.
            String basePath = this.oldKibanaConfig.get("server.basepath").asString();

            // -1 tells the URI constructor to omit the port.
            boolean isDefaultPort = sslEnabled ? port == 443 : port == 80;
            if (isDefaultPort) {
                port = -1;
            }
            String scheme = sslEnabled ? "https" : HttpHost.DEFAULT_SCHEME_NAME;
            try {
                URI baseUrl = new URI(scheme, null, host, port, basePath, null, null);
                return baseUrl.toString();
            } catch (URISyntaxException e) {
                throw new RuntimeException(e);
            }
        }

        /**
         * Copies one optional setting from the old authenticator configuration into the new one.
         *
         * @param str attribute name, read from {@code http_authenticator.config.<str>}
         * @param validatingDocNode the old auth domain to read from
         * @param map the new auth domain configuration to write to
         * @param str2 prefix of the target key; the value is stored under {@code <str2>.<str>}
         */
        private void migrateAttribute(String str, ValidatingDocNode validatingDocNode, Map<String, Object> map, String str2) {
            String sourceKey = "http_authenticator.config." + str;
            Object value = validatingDocNode.get(sourceKey).asAnything();
            if (value == null) {
                // Absent in the old configuration: leave the target untouched.
                return;
            }
            map.put(str2 + "." + str, value);
        }

        /**
         * Converts an old-style TLS settings map into the new key layout.
         *
         * <p>Inline PEM content takes precedence over a file path; file paths are written as
         * {@code ${file:...}} references. Client authentication material is migrated only when
         * {@code enable_ssl_client_auth} is true.
         *
         * <p>Review note: {@code trust_all}, {@code verify_hostnames}, the enabled protocols and
         * ciphers and the private key password are carried over exactly as found. A weak setting in
         * the old file therefore stays weak in the new one, and the key password stays in clear
         * text.
         *
         * @param map the old settings; may be {@code null}
         * @return the converted settings together with the validation errors of the source, or
         *         {@code null} if {@code map} is {@code null} or {@code enable_ssl} is not true
         */
        private MigrationResult migrateTlsConfig(Map<String, Object> map) {
            if (map == null) {
                return null;
            }
            ValidationErrors sourceErrors = new ValidationErrors();
            ValidatingDocNode oldTls = new ValidatingDocNode(map, sourceErrors);
            boolean sslEnabled = oldTls.get("enable_ssl").withDefault(false).asBoolean();
            if (!sslEnabled) {
                return null;
            }

            Map<String, Object> newTls = new LinkedHashMap<>();
            putPemContentOrFileReference(oldTls, "pemtrustedcas_content", "pemtrustedcas_filepath", newTls, "trusted_cas");

            boolean clientAuthEnabled = oldTls.get("enable_ssl_client_auth").withDefault(false).asBoolean();
            if (clientAuthEnabled) {
                Map<String, Object> clientAuth = new LinkedHashMap<>();
                putPemContentOrFileReference(oldTls, "pemcert_content", "pemcert_filepath", clientAuth, "certificate");
                putPemContentOrFileReference(oldTls, "pemkey_content", "pemkey_filepath", clientAuth, "private_key");
                if (oldTls.hasNonNull("pemkey_password")) {
                    clientAuth.put("private_key_password", oldTls.get("pemkey_password").asString());
                }
                if (!clientAuth.isEmpty()) {
                    newTls.put("client_auth", clientAuth);
                }
            }

            if (oldTls.hasNonNull("enabled_ssl_protocols")) {
                newTls.put("enabled_protocols", oldTls.get("enabled_ssl_protocols").asListOfStrings());
            }
            if (oldTls.hasNonNull("enabled_ssl_ciphers")) {
                newTls.put("enabled_ciphers", oldTls.get("enabled_ssl_ciphers").asListOfStrings());
            }
            // Copied unchanged, whatever the old file says.
            if (oldTls.hasNonNull("trust_all")) {
                newTls.put("trust_all", oldTls.get("trust_all").asBoolean());
            }
            if (oldTls.hasNonNull("verify_hostnames")) {
                newTls.put("verify_hostnames", oldTls.get("verify_hostnames").asBoolean());
            }
            return new MigrationResult(newTls, sourceErrors);
        }

        /**
         * Writes PEM material to {@code target} under {@code targetKey}: the inline content if
         * {@code contentKey} is set (a single entry as a plain string, several as a list), else a
         * {@code ${file:...}} reference if {@code filePathKey} is set, else nothing.
         */
        private void putPemContentOrFileReference(ValidatingDocNode source, String contentKey, String filePathKey, Map<String, Object> target, String targetKey) {
            if (source.hasNonNull(contentKey)) {
                ImmutableList<String> pemEntries = source.get(contentKey).asListOfStrings();
                target.put(targetKey, pemEntries.size() == 1 ? pemEntries.get(0) : pemEntries);
            } else if (source.hasNonNull(filePathKey)) {
                target.put(targetKey, "${file:" + source.get(filePathKey).asString() + "}");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$FrontendUpdateInstructions.class */
    /**
     * Mutable holder for what the migration reports about the frontend (Kibana) side: the
     * instruction texts, an optional error, the generated frontend configuration and the
     * rewritten kibana.yml.
     *
     * <p>The setters named after their property return {@code this} so that calls can be chained;
     * {@link #setSgFrontendConfigInstructionsTypeSpecific(String)} is the one plain setter.
     *
     * <p>The generated frontend configuration can contain credentials (the OIDC migration copies
     * the client secret into it), so it should not be logged wholesale.
     */
    public static class FrontendUpdateInstructions {
        // Texts with a preset value.
        private String esPluginUpdateInstructions = CommandLine.Model.OptionSpec.DEFAULT_FALLBACK_VALUE;
        private String sgFrontendConfigInstructionsReview = "Please review the settings.";
        private String kibanaPluginUpdateInstructions = "After the new sg_frontend_authc.yml has been successfully uploaded to Search Guard, you can update the Search Guard Kibana plugin.";

        // Texts and results that stay null until set.
        private String mainInstructions;
        private String error;
        private String sgFrontendConfigInstructions;
        private String sgFrontendConfigInstructionsAdvanced;
        private String sgFrontendConfigInstructionsTypeSpecific;
        private Map<String, Object> sgFrontendConfig;
        private String kibanaConfigInstructions;
        private String kibanaConfig;

        FrontendUpdateInstructions() {
        }

        /** Returns the generated frontend configuration, or {@code null} if none was set. */
        public Map<String, Object> getSgFrontendConfig() {
            return sgFrontendConfig;
        }

        /** Sets the generated frontend configuration and returns this instance. */
        public FrontendUpdateInstructions sgFrontendConfig(Map<String, Object> map) {
            sgFrontendConfig = map;
            return this;
        }

        /** Returns the rewritten kibana.yml text, or {@code null} if none was set. */
        public String getKibanaConfig() {
            return kibanaConfig;
        }

        /** Sets the rewritten kibana.yml text and returns this instance. */
        public FrontendUpdateInstructions kibanaConfig(String str) {
            kibanaConfig = str;
            return this;
        }

        /** Returns the main instruction text. */
        public String getMainInstructions() {
            return mainInstructions;
        }

        /** Replaces the main instruction text and returns this instance. */
        public FrontendUpdateInstructions mainInstructions(String str) {
            mainInstructions = str;
            return this;
        }

        /** Returns the instructions for the frontend configuration. */
        public String getSgFrontendConfigInstructions() {
            return sgFrontendConfigInstructions;
        }

        /** Sets the instructions for the frontend configuration and returns this instance. */
        public FrontendUpdateInstructions sgFrontendConfigInstructions(String str) {
            sgFrontendConfigInstructions = str;
            return this;
        }

        /** Returns the instructions for updating kibana.yml. */
        public String getKibanaConfigInstructions() {
            return kibanaConfigInstructions;
        }

        /** Sets the instructions for updating kibana.yml and returns this instance. */
        public FrontendUpdateInstructions kibanaConfigInstructions(String str) {
            kibanaConfigInstructions = str;
            return this;
        }

        /** Returns the error message, or {@code null} if none was set. */
        public String getError() {
            return error;
        }

        /** Sets the error message and returns this instance. */
        public FrontendUpdateInstructions error(String str) {
            error = str;
            return this;
        }

        /** Returns the instructions for updating the Elasticsearch plugin. */
        public String getEsPluginUpdateInstructions() {
            return esPluginUpdateInstructions;
        }

        /** Sets the instructions for updating the Elasticsearch plugin and returns this instance. */
        public FrontendUpdateInstructions esPluginUpdateInstructions(String str) {
            esPluginUpdateInstructions = str;
            return this;
        }

        /** Returns the instructions for updating the Kibana plugin. */
        public String getKibanaPluginUpdateInstructions() {
            return kibanaPluginUpdateInstructions;
        }

        /** Sets the instructions for updating the Kibana plugin and returns this instance. */
        public FrontendUpdateInstructions kibanaPluginUpdateInstructions(String str) {
            kibanaPluginUpdateInstructions = str;
            return this;
        }

        /** Returns the note shown for non-standard, advanced configurations. */
        public String getSgFrontendConfigInstructionsAdvanced() {
            return sgFrontendConfigInstructionsAdvanced;
        }

        /** Sets the note for advanced configurations and returns this instance. */
        public FrontendUpdateInstructions sgFrontendConfigInstructionsAdvanced(String str) {
            sgFrontendConfigInstructionsAdvanced = str;
            return this;
        }

        /** Returns the review hint; defaults to "Please review the settings.". */
        public String getSgFrontendConfigInstructionsReview() {
            return sgFrontendConfigInstructionsReview;
        }

        /** Sets the review hint and returns this instance. */
        public FrontendUpdateInstructions sgFrontendConfigInstructionsReview(String str) {
            sgFrontendConfigInstructionsReview = str;
            return this;
        }

        /** Returns the type-specific instructions, or {@code null} if none were set. */
        public String getSgFrontendConfigInstructionsTypeSpecific() {
            return sgFrontendConfigInstructionsTypeSpecific;
        }

        /** Sets the type-specific instructions; unlike the other setters this one returns nothing. */
        public void setSgFrontendConfigInstructionsTypeSpecific(String str) {
            sgFrontendConfigInstructionsTypeSpecific = str;
        }
    }

    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$KibanaAuthType.class */
    /**
     * Authentication types known to this migration. Presumably these mirror the values of
     * {@code searchguard.auth.type} in kibana.yml; the code that maps the setting to a constant
     * is not part of this section.
     *
     * <p>The declaration order is kept as is, because ordinals depend on it.
     */
    public enum KibanaAuthType {
        BASICAUTH,
        /** Handled by {@code createSgFrontendConfigJwt}. */
        JWT,
        /** Handled by {@code createSgFrontendConfigOidc}. */
        OPENID,
        PROXY,
        KERBEROS,
        SAML;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$MigrationResult.class */
    /**
     * Result of converting one configuration fragment: the converted settings plus the
     * validation errors found in the source fragment. Both references are stored as passed in,
     * without copying.
     */
    public static class MigrationResult {
        private final ValidationErrors sourceValidationErrors;
        private final Map<String, Object> config;

        MigrationResult(Map<String, Object> map, ValidationErrors validationErrors) {
            config = map;
            sourceValidationErrors = validationErrors;
        }

        /** Returns the converted settings. */
        public Map<String, Object> getConfig() {
            return config;
        }

        /** Returns the validation errors recorded while reading the source fragment. */
        public ValidationErrors getSourceValidationErrors() {
            return sourceValidationErrors;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$NewAuthDomain.class */
    public static class NewAuthDomain implements Document<NewAuthDomain> {
        // Frontend and backend type. toBasicObject() writes them as "type": the frontend type
        // alone, or "<frontendType>/<backendType>" when a backend type is set.
        private String frontendType;
        private String backendType;
        // Written as skip.users when non-empty.
        private List<String> skipUsers;
        // Written as accept.ips when non-empty.
        private List<String> acceptIps;
        // Written under the key named by frontendType / backendType when non-empty.
        Map<String, Object> frontendConfig;
        Map<String, Object> backendConfig;
        // User mapping parts, written as "user_name", "roles" and "attrs" when non-empty.
        private LinkedHashMap<String, Object> userMappingUserName = new LinkedHashMap<>();
        private LinkedHashMap<String, Object> userMappingRoles = new LinkedHashMap<>();
        private LinkedHashMap<String, Object> userMappingAttributes = new LinkedHashMap<>();
        // Written as "additional_user_information" when non-empty; not set by the constructor.
        private List<UserInformationBackend> userInformationBackends;

        /**
         * Creates an auth domain description. All arguments are stored as passed in, without
         * copying or validation.
         *
         * @param str the frontend type
         * @param str2 the backend type; may be {@code null}
         * @param list the users to skip
         * @param list2 the accepted IPs
         * @param map the frontend configuration
         * @param map2 the backend configuration
         */
        public NewAuthDomain(String str, String str2, List<String> list, List<String> list2, Map<String, Object> map, Map<String, Object> map2) {
            // Frontend side.
            frontendType = str;
            frontendConfig = map;
            // Backend side.
            backendType = str2;
            backendConfig = map2;
            // Restrictions on who may use the domain.
            skipUsers = list;
            acceptIps = list2;
        }

        @Override // com.floragunn.codova.documents.Document
        public Object toBasicObject() {
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            linkedHashMap.put("type", this.backendType != null ? this.frontendType + "/" + this.backendType : this.frontendType);
            if (this.skipUsers != null && this.skipUsers.size() != 0) {
                linkedHashMap.put("skip", ImmutableMap.of("users", this.skipUsers));
            }
            if (this.acceptIps != null && this.acceptIps.size() != 0) {
                linkedHashMap.put("accept", ImmutableMap.of("ips", this.acceptIps));
            }
            if (this.frontendConfig != null && this.frontendConfig.size() != 0) {
                linkedHashMap.put(this.frontendType, this.frontendConfig);
            }
            if (this.backendConfig != null && this.backendConfig.size() != 0) {
                linkedHashMap.put(this.backendType, this.backendConfig);
            }
            if (this.userInformationBackends != null && this.userInformationBackends.size() != 0) {
                linkedHashMap.put("additional_user_information", this.userInformationBackends);
            }
            if (this.userMappingUserName.size() != 0 || this.userMappingRoles.size() != 0 || this.userMappingAttributes.size() != 0) {
                LinkedHashMap linkedHashMap2 = new LinkedHashMap();
                if (this.userMappingUserName.size() != 0) {
                    linkedHashMap2.put("user_name", this.userMappingUserName);
                }
                if (this.userMappingRoles.size() != 0) {
                    linkedHashMap2.put("roles", this.userMappingRoles);
                }
                if (this.userMappingAttributes.size() != 0) {
                    linkedHashMap2.put("attrs", this.userMappingAttributes);
                }
                linkedHashMap.put("user_mapping", linkedHashMap2);
            }
            return linkedHashMap;
        }

        /* renamed from: clone, reason: merged with bridge method [inline-methods] */
        public NewAuthDomain m100clone() {
            NewAuthDomain newAuthDomain = new NewAuthDomain(this.frontendType, this.backendType, this.skipUsers, this.acceptIps, this.frontendConfig, this.backendConfig);
            newAuthDomain.userMappingUserName = new LinkedHashMap<>(this.userMappingUserName);
            newAuthDomain.userMappingRoles = new LinkedHashMap<>(this.userMappingRoles);
            newAuthDomain.userMappingAttributes = new LinkedHashMap<>(this.userMappingAttributes);
            newAuthDomain.userInformationBackends = this.userInformationBackends != null ? new ArrayList(this.userInformationBackends) : null;
            return newAuthDomain;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$OldAuthDomain.class */
    public static class OldAuthDomain implements Comparable<OldAuthDomain>, Document<OldAuthDomain> {
        private final DocNode docNode;
        private final ValidatingDocNode vNode;
        private final ValidationErrors validationErrors = new ValidationErrors();
        private final String id;
        private int order;
        private String oldFrontendType;
        private String oldBackendType;
        private String newFrontendType;
        private String newBackendType;
        private List<String> skipUsers;
        private List<String> acceptIps;
        DocNode oldFrontendConfig;
        DocNode oldBackendConfig;

        /**
         * Reads one legacy auth domain entry and derives the new frontend and backend type names.
         *
         * <p>Backend type mapping (exact, case-sensitive match): {@code noop} becomes no backend,
         * {@code intern}/{@code internal} become {@code internal_users_db}, {@code ldap2} is treated as
         * {@code ldap}, anything else is carried over unchanged. The frontend type is carried over as is.
         *
         * @param str identifier of the domain
         * @param docNode the legacy configuration node of the domain
         */
        OldAuthDomain(String str, DocNode docNode) {
            this.id = str;
            this.docNode = docNode;
            this.vNode = new ValidatingDocNode(docNode, this.validationErrors);
            this.order = this.vNode.get("order").withDefault((Number) 0).asInt();
            this.oldFrontendType = this.vNode.get("http_authenticator.type").asString();

            String configuredBackend = this.vNode.get("authentication_backend.type").withDefault("intern").asString();
            switch (configuredBackend) {
                case "noop":
                    this.oldBackendType = configuredBackend;
                    this.newBackendType = null;
                    break;
                case "intern":
                case "internal":
                    this.oldBackendType = configuredBackend;
                    this.newBackendType = "internal_users_db";
                    break;
                case "ldap2":
                    // ldap2 is folded into ldap on both sides.
                    this.oldBackendType = "ldap";
                    this.newBackendType = "ldap";
                    break;
                default:
                    this.oldBackendType = configuredBackend;
                    this.newBackendType = configuredBackend;
                    break;
            }

            this.newFrontendType = this.oldFrontendType;
            this.oldFrontendConfig = this.vNode.get("http_authenticator.config").asDocNode();
            this.oldBackendConfig = this.vNode.get("authentication_backend.config").asDocNode();
            this.skipUsers = this.vNode.get("skip_users").asListOfStrings();
            this.acceptIps = this.vNode.get("enabled_only_for_ips").asListOfStrings();
        }

        /**
         * Converts this legacy domain into zero or more new-style domains.
         *
         * <p>Domains without a frontend type and domains of type {@code saml} or {@code openid} (exact match)
         * produce an empty list. An {@code ldap} backend (case-insensitive) may produce several domains.
         *
         * @param list additional user information backends to attach; may be {@code null}
         * @return the converted domains, possibly empty
         */
        List<NewAuthDomain> toNewAuthDomains(List<UserInformationBackend> list) {
            String frontend = this.oldFrontendType;
            boolean notConvertedHere = frontend == null || frontend.equals("saml") || frontend.equals("openid");
            if (notConvertedHere) {
                return Collections.emptyList();
            }

            NewAuthDomain domain = toNewFrontendConfig();
            if ("ldap".equalsIgnoreCase(this.oldBackendType)) {
                return addNewLdapBackendConfig(domain, list);
            }
            return Collections.singletonList(addNewBackendConfig(domain, list));
        }

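        /**
         * Translates the legacy {@code http_authenticator} section into the frontend part of a new domain.
         *
         * <p>Problems are recorded in {@code validationErrors} instead of being thrown, so the returned
         * domain may be incomplete. The authenticator type is matched case-insensitively using
         * {@code Locale.ROOT}, so the match does not depend on the JVM default locale.
         *
         * <p>Must only be called when {@code oldFrontendType} is non-null; {@code toNewAuthDomains} checks this.
         *
         * @return the new domain carrying frontend type, frontend configuration and user mappings
         */
        NewAuthDomain toNewFrontendConfig() {
            NewAuthDomain newAuthDomain = new NewAuthDomain(this.newFrontendType, this.newBackendType, this.skipUsers, this.acceptIps, null, null);
            switch (this.oldFrontendType.toLowerCase(java.util.Locale.ROOT)) {
                case "basic":
                    return newAuthDomain;
                case "jwt":
                    return migrateJwtFrontend(newAuthDomain);
                case "clientcert": {
                    String usernameAttribute = this.oldFrontendConfig.getAsString("username_attribute");
                    if (usernameAttribute != null) {
                        newAuthDomain.userMappingUserName.put("from", "clientcert.subject." + usernameAttribute);
                    }
                    return newAuthDomain;
                }
                case "proxy":
                    newAuthDomain.frontendType = "trusted_origin";
                    applyProxyHeaderMappings(newAuthDomain);
                    return newAuthDomain;
                case "proxy2":
                    applyProxyHeaderMappings(newAuthDomain);
                    return migrateProxy2AuthMode(newAuthDomain);
                case "kerberos":
                    return migrateKerberosFrontend(newAuthDomain);
                default:
                    this.validationErrors.add(new ValidationError("http_authenticator.type", "Unknown HTTP authenticator " + this.oldFrontendType));
                    return newAuthDomain;
            }
        }

        /** Migrates the JWT authenticator: signing key, token location, claim checks and claim mappings. */
        private NewAuthDomain migrateJwtFrontend(NewAuthDomain newAuthDomain) {
            Map<String, Object> jwtConfig = new LinkedHashMap<>();
            String signingKey = this.vNode.get("http_authenticator.config.signing_key").required().asString();
            if (signingKey != null) {
                byte[] encodedKey;
                try {
                    // Only the PEM armour is stripped. The basic decoder rejects embedded line breaks,
                    // so a multi-line PEM body ends up in the "Unsupported encoding" branch.
                    encodedKey = Base64.getDecoder().decode(signingKey.replace("-----BEGIN PUBLIC KEY-----\n", "").replace("-----END PUBLIC KEY-----", "").trim());
                } catch (IllegalArgumentException e) {
                    this.validationErrors.add(new ValidationError("http_authenticator.config.signing_key", "Unsupported encoding: " + e.getMessage()).cause(e));
                    // The frontend configuration is deliberately left unset in this case.
                    return newAuthDomain;
                }
                // The decoded bytes are parsed only to learn the key algorithm; the key is written out
                // in its original textual form. Anything that is neither an RSA nor an EC public key
                // is reported as unsupported.
                // NOTE(review): presumably a symmetric (HMAC) signing secret also ends up here - confirm.
                try {
                    getPublicKey(encodedKey, "RSA");
                    jwtConfig.put("signing", ImmutableMap.of("rsa", ImmutableMap.of("public_key", signingKey)));
                } catch (Exception rsaFailure) {
                    try {
                        getPublicKey(encodedKey, "EC");
                        jwtConfig.put("signing", ImmutableMap.of("ec", ImmutableMap.of("public_key", signingKey)));
                    } catch (Exception ecFailure) {
                        this.validationErrors.add(new ValidationError("http_authenticator.config.signing_key", "Unsupported key").cause(ecFailure));
                    }
                }
            }
            if (this.oldFrontendConfig.hasNonNull("jwt_header")) {
                jwtConfig.put("header", this.oldFrontendConfig.get("jwt_header"));
            }
            if (this.oldFrontendConfig.hasNonNull("jwt_url_parameter")) {
                jwtConfig.put("url_parameter", this.oldFrontendConfig.get("jwt_url_parameter"));
            }
            if (this.oldFrontendConfig.hasNonNull("required_audience")) {
                jwtConfig.put("required_audience", this.oldFrontendConfig.get("required_audience"));
            }
            if (this.oldFrontendConfig.hasNonNull("required_issuer")) {
                jwtConfig.put("required_issuer", this.oldFrontendConfig.get("required_issuer"));
            }
            // Claim names are inserted into the JSON path without escaping; a name containing a double
            // quote would yield a malformed path.
            // When both the *_key and the *_path variant are set, the *_path variant wins.
            if (this.oldFrontendConfig.hasNonNull("subject_key")) {
                newAuthDomain.userMappingUserName.put("from", "$[\"jwt\"][\"" + this.oldFrontendConfig.get("subject_key") + "\"]");
            }
            if (this.oldFrontendConfig.hasNonNull("subject_path")) {
                newAuthDomain.userMappingUserName.put("from", addPrefixToJsonPath("jwt", this.oldFrontendConfig.get("subject_path").toString()));
            }
            if (this.oldFrontendConfig.hasNonNull("roles_key")) {
                newAuthDomain.userMappingRoles.put("from_comma_separated_string", "$[\"jwt\"][\"" + this.oldFrontendConfig.get("roles_key") + "\"]");
            }
            if (this.oldFrontendConfig.hasNonNull("roles_path")) {
                newAuthDomain.userMappingRoles.put("from_comma_separated_string", addPrefixToJsonPath("jwt", this.oldFrontendConfig.get("roles_path").toString()));
            }
            if (this.oldFrontendConfig.hasNonNull("map_claims_to_user_attrs")) {
                Map<String, Object> attributeSources = new LinkedHashMap<>();
                for (Map.Entry<String, Object> entry : this.oldFrontendConfig.getAsNode("map_claims_to_user_attrs").entrySet()) {
                    attributeSources.put(entry.getKey(), addPrefixToJsonPath("jwt", entry.getValue().toString()));
                }
                newAuthDomain.userMappingAttributes.put("from", attributeSources);
            }
            newAuthDomain.frontendConfig = jwtConfig;
            return newAuthDomain;
        }

        /**
         * Maps the legacy {@code user_header}, {@code roles_header} and {@code roles_separator} settings to
         * user mappings that read the same request headers.
         *
         * <p>NOTE(review): identity taken from request headers is only as trustworthy as the restriction on
         * who may send them; check the trusted proxy settings of the migrated configuration.
         */
        private void applyProxyHeaderMappings(NewAuthDomain newAuthDomain) {
            if (this.oldFrontendConfig.hasNonNull("user_header")) {
                newAuthDomain.userMappingUserName.put("from", "$.request.headers[\"" + this.oldFrontendConfig.getAsString("user_header") + "\"]");
            }
            if (this.oldFrontendConfig.hasNonNull("roles_header")) {
                String rolesPath = "$.request.headers[\"" + this.oldFrontendConfig.getAsString("roles_header") + "\"]";
                if (this.oldFrontendConfig.hasNonNull("roles_separator")) {
                    newAuthDomain.userMappingRoles.put("from", ImmutableMap.of("json_path", rolesPath, "split", this.oldFrontendConfig.getAsString("roles_separator")));
                } else {
                    newAuthDomain.userMappingRoles.put("from_comma_separated_string", rolesPath);
                }
            }
        }

        /** Picks the new frontend type for proxy2 from {@code auth_mode}; a missing value means {@code both}. */
        private NewAuthDomain migrateProxy2AuthMode(NewAuthDomain newAuthDomain) {
            String authMode = this.oldFrontendConfig.hasNonNull("auth_mode") ? this.oldFrontendConfig.getAsString("auth_mode").toLowerCase(java.util.Locale.ROOT) : "both";
            switch (authMode) {
                case "ip":
                    newAuthDomain.frontendType = "trusted_origin";
                    return newAuthDomain;
                case "cert":
                    newAuthDomain.frontendType = "clientcert";
                    return newAuthDomain;
                case "both":
                case "either":
                    // No automatic conversion for the combined modes; the operator has to convert them.
                    this.validationErrors.add(new ValidationError("http_authenticator.config.type", "The proxy2 authenticator cannot be automatically converted when auth_mode " + authMode + " is used. Please check the documentation."));
                    return newAuthDomain;
                default:
                    this.validationErrors.add(new ValidationError("http_authenticator.config.auth_mode", "Invalid auth_mode " + authMode));
                    return newAuthDomain;
            }
        }

        /**
         * Migrates the Kerberos authenticator. Keytab and principal cannot be read from the legacy
         * configuration handled here, so placeholders are written and a validation error is recorded.
         */
        private NewAuthDomain migrateKerberosFrontend(NewAuthDomain newAuthDomain) {
            Map<String, Object> kerberosConfig = new LinkedHashMap<>();
            if (this.oldFrontendConfig.hasNonNull("krb_debug")) {
                kerberosConfig.put("debug", this.oldFrontendConfig.get("krb_debug"));
            }
            if (this.oldFrontendConfig.hasNonNull("strip_realm_from_principal")) {
                kerberosConfig.put("strip_realm_from_principal", this.oldFrontendConfig.get("strip_realm_from_principal"));
            }
            kerberosConfig.put("acceptor_keytab", "## Please move from searchguard.kerberos.acceptor_keytab_filepath in elasticsearch.yml");
            // The principal placeholder previously pointed at the keytab setting as well.
            kerberosConfig.put("acceptor_principal", "## Please move from searchguard.kerberos.acceptor_principal in elasticsearch.yml");
            this.validationErrors.add(new ValidationError("http_authenticator.config", "For kerberos, you need to complete the values acceptor_keytab and acceptor_principal"));
            newAuthDomain.frontendConfig = kerberosConfig;
            return newAuthDomain;
        }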

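        /**
         * Adds the backend part for the non-LDAP backends {@code intern}/{@code internal} and {@code noop}.
         *
         * <p>The backend type is matched case-insensitively using {@code Locale.ROOT}. Any other type is
         * recorded as a validation error and the domain is returned without a backend change.
         *
         * @param newAuthDomain the domain to complete; modified in place
         * @param list additional user information backends to attach; may be {@code null}
         * @return {@code newAuthDomain}
         */
        NewAuthDomain addNewBackendConfig(NewAuthDomain newAuthDomain, List<UserInformationBackend> list) {
            switch (this.oldBackendType.toLowerCase(java.util.Locale.ROOT)) {
                case "intern":
                case "internal":
                    newAuthDomain.backendType = "internal_users_db";
                    newAuthDomain.userInformationBackends = list;
                    if (this.oldFrontendConfig.hasNonNull("map_db_attrs_to_user_attrs")) {
                        // Iterate the key that was just checked. The code used to iterate
                        // map_claims_to_user_attrs, which need not exist when this branch is taken.
                        // NOTE(review): this reads the frontend configuration; confirm that the
                        // attribute is not expected under authentication_backend.config instead.
                        Map<String, Object> attributeSources = new LinkedHashMap<>();
                        for (Map.Entry<String, Object> entry : this.oldFrontendConfig.getAsNode("map_db_attrs_to_user_attrs").entrySet()) {
                            attributeSources.put(entry.getKey(), addPrefixToJsonPath("user_entry.attributes", entry.getValue().toString()));
                        }
                        newAuthDomain.userMappingAttributes.put("from", attributeSources);
                    }
                    // The internal users database needs no settings; an empty map is not serialized.
                    newAuthDomain.backendConfig = new LinkedHashMap<>();
                    break;
                case "noop":
                    newAuthDomain.backendType = null;
                    newAuthDomain.userInformationBackends = list;
                    break;
                default:
                    this.validationErrors.add(new ValidationError("authentication_backend.type", "Unknown authentication backend type " + this.oldBackendType));
                    return newAuthDomain;
            }
            if (list != null && !list.isEmpty()) {
                List<String> mergedRoleMappingFrom = UserInformationBackend.mergedRoleMappingFrom(list);
                if (!mergedRoleMappingFrom.isEmpty()) {
                    newAuthDomain.userMappingRoles.put("from", mergedRoleMappingFrom);
                }
            }
            return newAuthDomain;
        }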

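        /**
         * Adds the LDAP backend part: connection settings ({@code idp}), TLS settings, user search and
         * user mappings.
         *
         * <p>When the legacy configuration has a {@code users} section, the work is handed to
         * {@code addNewLdapBackendConfigMultiBase}, which may return several domains.
         *
         * @param newAuthDomain the domain to complete; modified in place
         * @param list additional user information backends; may be {@code null}
         * @return the resulting domains
         */
        List<NewAuthDomain> addNewLdapBackendConfig(NewAuthDomain newAuthDomain, List<UserInformationBackend> list) {
            Map<String, Object> backendConfig = new LinkedHashMap<>();
            Map<String, Object> idp = new LinkedHashMap<>();
            boolean enableSsl = this.vNode.get("authentication_backend.config.enable_ssl").withDefault(false).asBoolean();
            idp.put("hosts", this.oldBackendConfig.getAsListOfStrings("hosts").stream()
                    .map(host -> enableSsl && !host.startsWith("ldaps://") ? "ldaps://" + host : host)
                    .collect(Collectors.toList()));
            if (this.oldBackendConfig.hasNonNull("bind_dn")) {
                idp.put("bind_dn", this.oldBackendConfig.getAsString("bind_dn"));
            }
            if (this.oldBackendConfig.hasNonNull("password")) {
                // The bind password is copied verbatim, so the generated file holds it in clear text
                // and needs the same protection as the legacy file.
                idp.put("password", this.oldBackendConfig.getAsString("password"));
            }

            Map<String, Object> tls = new LinkedHashMap<>();
            boolean startTls = this.vNode.get("authentication_backend.config.enable_start_tls").withDefault(false).asBoolean();
            boolean clientAuthEnabled = this.vNode.get("authentication_backend.config.enable_ssl_client_auth").withDefault(false).asBoolean();
            boolean verifyHostnames = this.vNode.get("authentication_backend.config.verify_hostnames").withDefault(true).asBoolean();
            String trustedCasFile = this.vNode.get("authentication_backend.config.pemtrustedcas_filepath").asString();
            String trustedCasContent = this.vNode.get("authentication_backend.config.pemtrustedcas_content").asString();
            String privateKeyFile = this.vNode.get("authentication_backend.config.pemkey_filepath").asString();
            String privateKeyPassword = this.vNode.get("authentication_backend.config.pemkey_password").asString();
            String certificateFile = this.vNode.get("authentication_backend.config.pemcert_filepath").asString();
            String privateKeyContent = this.vNode.get("authentication_backend.config.pemkey_content").asString();
            String certificateContent = this.vNode.get("authentication_backend.config.pemcert_content").asString();
            if (startTls) {
                tls.put("start_tls", startTls);
            }
            if (!verifyHostnames) {
                // Disabled hostname verification is carried over unchanged; with it off the certificate
                // is not matched against the LDAP host name. Worth reviewing after migration.
                tls.put("verify_hostnames", verifyHostnames);
            }
            if (trustedCasContent != null) {
                tls.put("trusted_cas", trustedCasContent);
            } else if (trustedCasFile != null) {
                tls.put("trusted_cas", "#{file:" + trustedCasFile + "}");
            }
            if (clientAuthEnabled) {
                Map<String, Object> clientAuth = new LinkedHashMap<>();
                if (privateKeyFile != null) {
                    clientAuth.put("private_key", "#{file:" + privateKeyFile + "}");
                } else if (privateKeyContent != null) {
                    // Write the inline key. The code used to write the file path variable here,
                    // which is always null in this branch.
                    clientAuth.put("private_key", privateKeyContent);
                }
                if (certificateFile != null) {
                    clientAuth.put("certificate", "#{file:" + certificateFile + "}");
                } else if (certificateContent != null) {
                    clientAuth.put("certificate", certificateContent);
                }
                if (privateKeyPassword != null) {
                    // Copied verbatim as well; see the remark on the bind password.
                    clientAuth.put("private_key_password", privateKeyPassword);
                }
                tls.put("client_auth", clientAuth);
            }
            if (!tls.isEmpty()) {
                idp.put("tls", tls);
            }
            backendConfig.put("idp", idp);

            Map<String, Object> userSearch = new LinkedHashMap<>();
            userSearch.put("base_dn", this.oldBackendConfig.getAsString("userbase"));
            if (this.oldBackendConfig.hasNonNull("usersearch")) {
                // The legacy {0} placeholder becomes the ${user.name} variable of the new filter syntax.
                userSearch.put("filter", ImmutableMap.of("raw", this.oldBackendConfig.getAsString("usersearch").replace("{0}", "${user.name}")));
            }
            backendConfig.put("user_search", userSearch);
            newAuthDomain.backendConfig = backendConfig;

            if (this.oldBackendConfig.hasNonNull("username_attribute")) {
                newAuthDomain.userMappingUserName.put("from_backend", addPrefixToJsonPath("ldap_user_entry", this.oldBackendConfig.getAsString("username_attribute")));
            }
            if (this.oldBackendConfig.hasNonNull("map_ldap_attrs_to_user_attrs")) {
                Map<String, Object> attributeSources = new LinkedHashMap<>();
                for (Map.Entry<String, Object> entry : this.oldBackendConfig.getAsNode("map_ldap_attrs_to_user_attrs").entrySet()) {
                    attributeSources.put(entry.getKey(), addPrefixToJsonPath("ldap_user_entry", entry.getValue().toString()));
                }
                newAuthDomain.userMappingAttributes.put("from", attributeSources);
            }
            if (this.oldBackendConfig.hasNonNull("users")) {
                return addNewLdapBackendConfigMultiBase(newAuthDomain, list);
            }
            if (list != null && !list.isEmpty()) {
                List<String> mergedRoleMappingFrom = UserInformationBackend.mergedRoleMappingFrom(list);
                if (!mergedRoleMappingFrom.isEmpty()) {
                    newAuthDomain.userMappingRoles.put("from", mergedRoleMappingFrom);
                }
                // LDAP backends that use the same connection and a compatible user search as this domain.
                List<UserInformationBackend> sameDirectory = list.stream()
                        .filter(backend -> backend.type.equals("ldap")
                                && (!backend.backendConfig.containsKey("user_search") || backend.backendConfig.get("user_search").equals(userSearch))
                                && backend.backendConfig.containsKey("idp")
                                && backend.backendConfig.get("idp").equals(idp))
                        .collect(Collectors.toList());
                List<UserInformationBackend> otherBackends = list.stream()
                        .filter(backend -> !sameDirectory.contains(backend))
                        .collect(Collectors.toList());
                if (sameDirectory.size() == 1) {
                    // Exactly one match: fold its group search into this domain instead of keeping it
                    // as a separate backend.
                    UserInformationBackend merged = sameDirectory.get(0);
                    if (merged.backendConfig.containsKey("group_search")) {
                        backendConfig.put("group_search", merged.backendConfig.get("group_search"));
                    }
                    newAuthDomain.userInformationBackends = otherBackends;
                } else {
                    newAuthDomain.userInformationBackends = list;
                }
            }
            return Collections.singletonList(newAuthDomain);
        }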

        /**
         * Produces one domain per entry of the legacy {@code users} section, each with its own
         * {@code user_search} base and filter.
         *
         * <p>Every result starts as a copy of {@code newAuthDomain} with a deep copy of its backend
         * configuration, so the per-entry changes do not leak between results.
         *
         * @param newAuthDomain template domain; its backend configuration must already be set
         * @param list additional user information backends; may be {@code null}
         * @return one domain per {@code users} entry, in iteration order
         */
        List<NewAuthDomain> addNewLdapBackendConfigMultiBase(NewAuthDomain newAuthDomain, List<UserInformationBackend> list) {
            Map<String, DocNode> userBases = this.oldBackendConfig.getAsNode("users").toMapOfNodes();
            List<NewAuthDomain> domains = new ArrayList<>();
            for (DocNode userBase : userBases.values()) {
                NewAuthDomain domain = newAuthDomain.m100clone();
                @SuppressWarnings("unchecked")
                LinkedHashMap<String, Object> configCopy = (LinkedHashMap<String, Object>) Document.toDeepBasicObject(newAuthDomain.backendConfig);
                @SuppressWarnings("unchecked")
                Map<String, Object> userSearch = (Map<String, Object>) configCopy.computeIfAbsent("user_search", key -> new LinkedHashMap<String, Object>());
                userSearch.put("base_dn", userBase.getAsString("base"));
                if (userBase.hasNonNull("search")) {
                    // The legacy {0} placeholder becomes the ${user.name} variable of the new filter syntax.
                    String rawFilter = userBase.getAsString("search").replace("{0}", "${user.name}");
                    userSearch.put("filter", ImmutableMap.of("raw", rawFilter));
                }
                if (list != null && list.size() > 0) {
                    List<String> mergedRoles = UserInformationBackend.mergedRoleMappingFrom(list);
                    if (!mergedRoles.isEmpty()) {
                        domain.userMappingRoles.put("from", mergedRoles);
                    }
                    // LDAP backends that use the same connection and a compatible user search.
                    List<UserInformationBackend> sameDirectory = list.stream()
                            .filter(backend -> backend.type.equals("ldap")
                                    && (!backend.backendConfig.containsKey("user_search") || backend.backendConfig.get("user_search").equals(userSearch))
                                    && backend.backendConfig.containsKey("idp")
                                    && backend.backendConfig.get("idp").equals(newAuthDomain.backendConfig.get("idp")))
                            .collect(Collectors.toList());
                    List<UserInformationBackend> otherBackends = list.stream()
                            .filter(backend -> !sameDirectory.contains(backend))
                            .collect(Collectors.toList());
                    if (sameDirectory.size() != 1) {
                        domain.userInformationBackends = list;
                    } else {
                        // Exactly one match: fold its group search into this domain.
                        UserInformationBackend merged = sameDirectory.get(0);
                        if (merged.backendConfig.containsKey("group_search")) {
                            configCopy.put("group_search", merged.backendConfig.get("group_search"));
                        }
                        domain.userInformationBackends = otherBackends;
                    }
                }
                domain.backendConfig = configCopy;
                domains.add(domain);
            }
            return domains;
        }

        /**
         * Re-roots a JSON path, or a plain attribute name, under the given top-level element.
         *
         * <p>A value starting with {@code $.} or {@code $[} has its leading {@code $} replaced by
         * {@code $.<prefix>}; any other value is appended as {@code $.<prefix>.<value>}.
         *
         * @param str the element to insert directly below the root
         * @param str2 a JSON path or a plain attribute name; must not be {@code null}
         * @return the path below {@code $.<prefix>}
         */
        private static String addPrefixToJsonPath(String str, String str2) {
            boolean alreadyRooted = str2.startsWith("$.") || str2.startsWith("$[");
            String tail = alreadyRooted ? str2.substring(1) : "." + str2;
            return "$." + str + tail;
        }

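        /**
         * Orders domains by their {@code order} value, ascending.
         *
         * <p>Uses {@link Integer#compare(int, int)}: subtracting the two values overflows for operands
         * of large magnitude and opposite sign, which would invert the ordering.
         *
         * @param oldAuthDomain the domain to compare with
         * @return a negative value, zero or a positive value as this order is less than, equal to or
         *     greater than the other
         */
        @Override
        public int compareTo(OldAuthDomain oldAuthDomain) {
            return Integer.compare(this.order, oldAuthDomain.order);
        }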

        /**
         * Returns the legacy configuration node this domain was created from, unmodified.
         *
         * @return the {@code DocNode} passed to the constructor
         */
        @Override
        public Object toBasicObject() {
            return docNode;
        }

        /**
         * Parses X.509 ({@code SubjectPublicKeyInfo}) encoded bytes as a public key of the given algorithm.
         *
         * @param bArr the DER-encoded key
         * @param str the key algorithm name passed to {@link KeyFactory#getInstance(String)}
         * @return the parsed key
         * @throws NoSuchAlgorithmException if no provider supports the algorithm
         * @throws InvalidKeySpecException if the bytes are not a valid key for the algorithm
         */
        private static PublicKey getPublicKey(byte[] bArr, String str) throws NoSuchAlgorithmException, InvalidKeySpecException {
            KeyFactory factory = KeyFactory.getInstance(str);
            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(bArr);
            return factory.generatePublic(keySpec);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$SgAuthc.class */
    /**
     * Model of the generated authentication configuration: the list of auth domains plus optional
     * network settings.
     *
     * <p>NOTE(review): {@code trusted_proxies_regex} and {@code remote_ip_header} look like the settings
     * that decide whose forwarded client address is believed. Values carried over from a legacy
     * configuration deserve a review.
     */
    public static class SgAuthc implements Document<SgAuthc> {
        private List<NewAuthDomain> authDomains;
        private String internalProxies = null;
        private String remoteIpHeader = null;

        SgAuthc() {
        }

        /**
         * Builds the map representation. The {@code network} section is only written when at least
         * one of its settings is present.
         *
         * @return an insertion-ordered map with {@code auth_domains} and, optionally, {@code network}
         */
        @Override
        public Object toBasicObject() {
            Map<String, Object> root = new LinkedHashMap<>();
            root.put("auth_domains", authDomains);

            Map<String, Object> network = new LinkedHashMap<>();
            if (internalProxies != null) {
                network.put("trusted_proxies_regex", internalProxies);
            }
            if (remoteIpHeader != null) {
                // "http" is the value of the HttpHost.DEFAULT_SCHEME_NAME constant the decompiler
                // substituted for this key.
                network.put("http", ImmutableMap.of("remote_ip_header", remoteIpHeader));
            }
            if (!network.isEmpty()) {
                root.put("network", network);
            }
            return root;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/floragunn/searchguard/sgctl/commands/MigrateConfig$UserInformationBackend.class */
    /**
     * Model of one user information backend: a type name, the backend's configuration and three
     * user-mapping maps (user name, roles, attributes).
     */
    public static class UserInformationBackend implements Document<UserInformationBackend> {
        private String type;
        private Map<String, Object> backendConfig = new LinkedHashMap<>();
        private Map<String, Object> userMappingUserName = new LinkedHashMap<>();
        private Map<String, Object> userMappingRoles = new LinkedHashMap<>();
        private Map<String, Object> userMappingAttributes = new LinkedHashMap<>();

        UserInformationBackend(String str) {
            this.type = str;
        }

        /**
         * Builds the map form of this backend: the {@code type} entry plus the backend
         * configuration stored under a key equal to the type name.
         *
         * <p>The three user-mapping maps are not part of this output.
         *
         * @return an insertion-ordered map with the two entries
         */
        @Override // com.floragunn.codova.documents.Document
        public Object toBasicObject() {
            Map<String, Object> basicForm = new LinkedHashMap<>();
            basicForm.put("type", this.type);
            basicForm.put(this.type, this.backendConfig);
            return basicForm;
        }

        /**
         * Creates a copy of this backend with its own map instances.
         *
         * <p>The copy is shallow: entries are transferred with {@code putAll}, so the values are
         * shared with the original. According to the decompiler, this method was originally named
         * {@code clone} and was renamed when it was merged with a bridge method.
         *
         * @return the new backend instance
         */
        public UserInformationBackend m101clone() {
            UserInformationBackend copy = new UserInformationBackend(this.type);
            copy.userMappingUserName.putAll(this.userMappingUserName);
            copy.userMappingRoles.putAll(this.userMappingRoles);
            copy.userMappingAttributes.putAll(this.userMappingAttributes);
            copy.backendConfig.putAll(this.backendConfig);
            return copy;
        }

        /**
         * Collects the {@code from} values of the role mappings of all given backends, without
         * duplicates and in first-seen order.
         *
         * <p>A {@code from} value may be a single string or a list. List elements are converted
         * with {@link String#valueOf(Object)}; values of any other type are ignored.
         *
         * @param list the backends to inspect, may be {@code null}
         * @return the merged values; an empty list when {@code list} is {@code null} or empty
         */
        static List<String> mergedRoleMappingFrom(List<UserInformationBackend> list) {
            if (list == null || list.isEmpty()) {
                return Collections.emptyList();
            }
            // LinkedHashSet drops duplicates while keeping the order in which values were first seen.
            LinkedHashSet<String> merged = new LinkedHashSet<>();
            for (UserInformationBackend backend : list) {
                Object from = backend.userMappingRoles.get("from");
                if (from instanceof String) {
                    merged.add((String) from);
                } else if (from instanceof List) {
                    for (Object entry : (List<?>) from) {
                        merged.add(String.valueOf(entry));
                    }
                }
            }
            return new ArrayList<>(merged);
        }
    }

    /* JADX WARN: Can't rename method to resolve collision */
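    /**
     * Runs the configuration migration.
     *
     * <p>The method picks the legacy {@code sg_config*.yml} and, optionally, a {@code kibana.yml}
     * from the command line parameters. It runs the {@code ConfigMigrator}, writes the generated
     * files to the output directory when one is set, and prints the update instructions together
     * with the generated documents to standard output.
     *
     * <p>NOTE(review): the generated documents are written with the default file permissions of
     * the process and are also echoed to standard output. If the legacy configuration contains
     * credentials that the migrator carries over (TODO confirm against {@code ConfigMigrator}),
     * restrict access to the output directory and avoid capturing this output in shared logs.
     *
     * @return {@code 0} on success, {@code 1} if parameters are missing, an input file does not
     *         exist, an output file cannot be written or the migration throws
     */
    @Override // java.util.concurrent.Callable
    public Integer call() throws Exception {
        if (this.parameters == null) {
            System.err.println("You must specify the paths to the Search Guard configuration files sg_config.yml and optionally kibana.yml on the command line");
            return 1;
        }
        System.out.println("Welcome to the Search Guard config migration tool.\n\nThis tool converts legacy Search Guard configuration to configuration suitable for the next generation Search Guard release.\nThe tool also provides basic guidance for a seamless update process without outages.\n");

        // Parameters matching neither pattern are ignored; when several match, the last one wins.
        File sgConfigFile = null;
        File kibanaConfigFile = null;
        for (String parameter : this.parameters) {
            File candidate = new File(parameter);
            if (candidate.getName().startsWith("sg_config") && candidate.getName().endsWith(".yml")) {
                sgConfigFile = candidate;
            } else if (parameter.endsWith("kibana.yml")) {
                kibanaConfigFile = candidate;
            }
        }
        if (sgConfigFile == null) {
            System.out.flush();
            System.err.println("You must specify a path to a sg_config.yml on the command line");
            return 1;
        }
        if (!sgConfigFile.exists()) {
            System.out.flush();
            System.err.println("The file " + sgConfigFile + " does not exist");
            return 1;
        }
        if (kibanaConfigFile != null && !kibanaConfigFile.exists()) {
            System.out.flush();
            System.err.println("The file " + kibanaConfigFile + " does not exist");
            return 1;
        }

        final String frontendFileName = ("os".equalsIgnoreCase(this.targetPlatform) || "opensearch".equalsIgnoreCase(this.targetPlatform)) ? "opensearch_dashboard.yml" : "kibana.yml";
        try {
            ConfigMigrator configMigrator = new ConfigMigrator(sgConfigFile, kibanaConfigFile, "es711".equalsIgnoreCase(this.targetPlatform), frontendFileName);
            final BackendUpdateInstructions backend = configMigrator.createBackendUpdateInstructions();
            final FrontendUpdateInstructions frontend = configMigrator.createUpdateInstructions();

            // Validation errors in the legacy files are reported but do not stop the migration.
            if (configMigrator.oldKibanaConfigValidationErrors.hasErrors() || configMigrator.oldSgConfigValidationErrors.hasErrors()) {
                System.out.println("\nWARNING: We detected validation errors in the provided configuration files. We try to create the new configuration files anyway.\nHowever, you might want to review the validation errors and the generated files.\n");
                if (configMigrator.oldKibanaConfigValidationErrors.hasErrors()) {
                    System.out.println("Errors in " + kibanaConfigFile + "\n" + configMigrator.oldKibanaConfigValidationErrors + "\n");
                }
                if (configMigrator.oldSgConfigValidationErrors.hasErrors()) {
                    System.out.println("Errors in " + sgConfigFile + "\n" + configMigrator.oldSgConfigValidationErrors + "\n");
                }
            }

            if (backend != null && this.outputDir != null) {
                if (backend.sgAuthc != null
                        && !writeMigratedFile("sg_authc.yml", () -> DocWriter.yaml().writeAsString((Document<?>) backend.sgAuthc))) {
                    return 1;
                }
                if (backend.sgAuthz != null
                        && !writeMigratedFile("sg_authz.yml", () -> DocWriter.yaml().writeAsString((Document<?>) backend.sgAuthz))) {
                    return 1;
                }
                if (backend.sgFrontendMultiTenancy != null
                        && !writeMigratedFile("sg_frontend_multi_tenancy.yml", () -> DocWriter.yaml().writeAsString((Document<?>) backend.sgFrontendMultiTenancy))) {
                    return 1;
                }
                if (backend.sgLicense != null
                        && !writeMigratedFile("sg_license_key.yml", () -> DocWriter.yaml().writeAsString((Document<?>) backend.sgLicense))) {
                    return 1;
                }
                if (backend.sgAuthTokenService != null
                        && !writeMigratedFile("sg_auth_token_service.yml", () -> DocWriter.yaml().writeAsString((Document<?>) backend.sgAuthTokenService))) {
                    return 1;
                }
            }
            if (frontend != null && this.outputDir != null) {
                if (frontend.sgFrontendConfig != null && !frontend.sgFrontendConfig.isEmpty()
                        && !writeMigratedFile("sg_frontend_authc.yml", () -> DocWriter.yaml().writeAsString(frontend.sgFrontendConfig))) {
                    return 1;
                }
                if (frontend.kibanaConfig != null
                        && !writeMigratedFile(frontendFileName, () -> frontend.kibanaConfig)) {
                    return 1;
                }
            }

            if (kibanaConfigFile == null) {
                System.out.println("You have not specified a kibana.yml file. Thus, we are assuming that you are not using Kibana. If you are using Kibana and want to adapt the migration, please specify the path to your kibana.yml file on the command line.\n\n");
            }
            System.out.println("The update process consists of these steps:\n");
            System.out.println("- Update the Search Guard plugin for Elasticsearch on all nodes of your cluster. In this step, you do not yet need to modify the configuration.\n");
            System.out.println("- After having updated the Search Guard Elasticsearch plugin, please upload the new configuration files with sgctl:\n");
            if (frontend == null || frontend.sgFrontendConfig == null || frontend.sgFrontendConfig.isEmpty()) {
                System.out.println("$ ./sgctl.sh update-config sg_authc.yml\n");
                System.out.print("The files have been automatically generated from the settings in sg_config.yml. ");
            } else {
                System.out.println("$ ./sgctl.sh update-config sg_authc.yml sg_frontend_authc.yml\n");
                System.out.print("The files have been automatically generated from the settings in sg_config.yml and kibana.yml. ");
            }
            if (this.outputDir != null) {
                System.out.println(" The files are listed below and have been also put to " + this.outputDir + ".\n");
            } else {
                System.out.println(" The files are listed below. Use the -o switch of this tool to write the files to an output directory.\n");
            }
            if (frontend != null) {
                if (frontend.sgFrontendConfigInstructionsAdvanced != null) {
                    System.out.println(frontend.sgFrontendConfigInstructionsAdvanced);
                }
                if (frontend.sgFrontendConfigInstructionsReview != null) {
                    System.out.println(frontend.sgFrontendConfigInstructionsReview);
                }
            }

            // NOTE(review): backend is dereferenced from here on without the null check used for
            // the file output above. If createBackendUpdateInstructions() can return null, this
            // ends in the generic catch below - confirm.
            System.out.println("\n----------------------------- sg_authc.yml --------------------------------------");
            System.out.println(DocWriter.yaml().writeAsString((Document<?>) backend.sgAuthc));
            System.out.println("\n---------------------------------------------------------------------------------\n");
            if (backend.sgAuthz != null) {
                System.out.println("\n----------------------------- sg_authz.yml --------------------------------------");
                System.out.println(DocWriter.yaml().writeAsString((Document<?>) backend.sgAuthz));
                System.out.println("\n---------------------------------------------------------------------------------\n");
            }
            if (backend.sgFrontendMultiTenancy != null) {
                System.out.println("\n--------------------- sg_frontend_multi_tenancy.yml -------------------------------");
                System.out.println(DocWriter.yaml().writeAsString((Document<?>) backend.sgFrontendMultiTenancy));
                System.out.println("\n----------------------------------------------------------------------------------\n");
            }
            if (backend.sgLicense != null) {
                System.out.println("\n--------------------------- sg_license_key.yml ------------------------------------");
                System.out.println(DocWriter.yaml().writeAsString((Document<?>) backend.sgLicense));
                System.out.println("\n----------------------------------------------------------------------------------\n");
            }
            if (backend.sgAuthTokenService != null) {
                System.out.println("\n----------------------- sg_auth_token_service.yml --------------------------------");
                System.out.println(DocWriter.yaml().writeAsString((Document<?>) backend.sgAuthTokenService));
                System.out.println("\n----------------------------------------------------------------------------------\n");
            }
            if (frontend != null) {
                if (frontend.sgFrontendConfig == null || frontend.sgFrontendConfig.isEmpty()) {
                    System.out.println("- " + frontend.sgFrontendConfigInstructions);
                } else {
                    System.out.println("\n------------------------ sg_frontend_authc.yml ---------------------------------");
                    System.out.println(DocWriter.yaml().writeAsString(frontend.sgFrontendConfig));
                    System.out.println("----------------------------------------------------------------------------------\n");
                }
            }
            if (frontend != null) {
                // The advanced and review instructions are printed a second time after the listings.
                if (frontend.sgFrontendConfigInstructionsAdvanced != null) {
                    System.out.println(frontend.sgFrontendConfigInstructionsAdvanced);
                }
                if (frontend.sgFrontendConfigInstructionsReview != null) {
                    System.out.println(frontend.sgFrontendConfigInstructionsReview);
                }
                System.out.println("\n- Afterwards, you need to update the Search Guard plugin for Kibana.\n  " + frontend.kibanaConfigInstructions);
            }
            return 0;
        } catch (Exception e8) {
            e8.printStackTrace();
            return 1;
        }
    }

    /**
     * Produces the content of one generated file and writes it as UTF-8 into the output directory.
     *
     * <p>A failure while producing the content is handled the same way as a failure while
     * writing. The error is reported on standard error together with the cause, so the operator
     * can tell a permission problem from a missing directory or a serialization error.
     *
     * @param fileName name of the file below {@code outputDir}
     * @param content  supplies the text to write
     * @return {@code true} if the file was written, {@code false} if an error was reported
     */
    private boolean writeMigratedFile(String fileName, Callable<String> content) {
        File target = new File(this.outputDir, fileName);
        try {
            Files.write(target.toPath(), content.call().getBytes(Charsets.UTF_8));
            return true;
        } catch (Exception e) {
            System.out.flush();
            System.err.println("Error writing " + target + ": " + e);
            return false;
        }
    }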
}
