package com.floragunn.searchguard.auditlog.sink;

import com.floragunn.dlic.auth.ldap.util.ConfigConstants;
import com.floragunn.searchguard.auditlog.impl.AuditMessage;
import com.floragunn.searchguard.httpclient.HttpClient;
import com.floragunn.searchguard.support.PemKeyReader;
import java.io.IOException;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.elasticsearch.common.settings.Settings;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;

/* loaded from: input_file:com/floragunn/searchguard/auditlog/sink/ExternalESSink.class */
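/**
 * Audit log sink that ships every {@link AuditMessage} to an external Elasticsearch
 * cluster over HTTP(S) using the bundled {@link HttpClient}.
 *
 * Connection settings are read from the sink's own settings sub-tree (the
 * {@code settingsPrefix} handed to the constructor); TLS material comes either from PEM
 * settings on that sub-tree or, as a fallback, from the node's transport key/trust stores.
 *
 * Security notes for operators:
 * <ul>
 *   <li>{@code enable_ssl} defaults to {@code false}: audit events (and any configured basic
 *       credentials) are sent in clear text unless it is switched on.</li>
 *   <li>{@code verify_hostnames} defaults to {@code true}; disabling it removes the only
 *       check that the trusted CA actually issued the certificate for the configured host.</li>
 *   <li>When no {@code http_endpoints} are configured the sink silently targets
 *       {@code localhost:9200}; this is logged as an error but is not fatal.</li>
 * </ul>
 */
public final class ExternalESSink extends AuditLogSink {
    /**
     * Protocols offered when {@code ConfigConstants.LDAPS_ENABLED_SSL_PROTOCOLS} is not set.
     * NOTE(review): TLSv1.1 is deprecated (RFC 8996). It is kept in the default so existing
     * deployments keep connecting, but operators should pin the list to TLSv1.2 or newer.
     */
    private static final List<String> DEFAULT_TLS_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1");
    /** Endpoint used when the sink has no {@code http_endpoints}; see class doc. */
    private static final String DEFAULT_ENDPOINT = "localhost:9200";
    /** Index name (a Joda date pattern) used when {@code index} is not configured. */
    private static final String DEFAULT_INDEX = "'sg7-auditlog-'YYYY.MM.dd";
    /**
     * JDK default store password, used when the transport store passwords are not set.
     * This matches the original behaviour; a production store should never rely on it.
     */
    private static final String DEFAULT_STORE_PASSWORD = "changeit";

    private final String index;
    private final String type;
    private final HttpClient client;
    private final List<String> servers;
    private final DateTimeFormatter indexPattern;
    static final String PKCS12 = "PKCS12";

    /** Key/trust material resolved from either PEM settings or the transport stores. */
    private static final class TlsMaterial {
        final KeyStore truststore;
        final KeyStore keystore;
        /** Password protecting {@link #keystore}; {@code null} when the store has none. */
        final char[] keystorePassword;
        /** Alias of the client key inside {@link #keystore}; may be {@code null} without client auth. */
        final String keyAlias;

        TlsMaterial(KeyStore truststore, KeyStore keystore, char[] keystorePassword, String keyAlias) {
            this.truststore = truststore;
            this.keystore = keystore;
            this.keystorePassword = keystorePassword;
            this.keyAlias = keyAlias;
        }
    }

    /**
     * Builds the sink and its HTTP client from the settings below {@code settingsPrefix}.
     *
     * @param name            sink name, used for logging and passed to the superclass
     * @param settings        full node settings (transport store settings are read from here)
     * @param settingsPrefix  prefix of this sink's settings sub-tree
     * @param configPath      directory against which relative file paths are resolved
     * @param fallbackSink    sink handed to the superclass (used when storing fails)
     * @throws IllegalArgumentException if client auth is enabled with store-based TLS but
     *                                  {@code cert_alias} is missing
     * @throws Exception                if key/trust material cannot be loaded
     */
    public ExternalESSink(String name, Settings settings, String settingsPrefix, Path configPath, AuditLogSink fallbackSink) throws Exception {
        super(name, settings, settingsPrefix, fallbackSink);
        Settings sinkSettings = settings.getAsSettings(settingsPrefix);

        List<String> endpoints = sinkSettings.getAsList("http_endpoints");
        if (endpoints == null || endpoints.isEmpty()) {
            // Not fatal: the sink keeps working against the local node. Operators must watch
            // for this error, otherwise audit data ends up on an unintended cluster.
            this.log.error("No http endpoints configured for external Elasticsearch endpoint '{}', falling back to localhost.", name);
            endpoints = Collections.singletonList(DEFAULT_ENDPOINT);
        }
        this.servers = endpoints;

        this.index = sinkSettings.get("index", DEFAULT_INDEX);
        DateTimeFormatter pattern = null;
        try {
            pattern = DateTimeFormat.forPattern(this.index);
        } catch (IllegalArgumentException e) {
            // A literal index name is a legitimate configuration, so this is only debug-level.
            this.log.debug("Unable to parse index pattern due to {}. If you have no date pattern configured you can safely ignore this message", e.getMessage());
        }
        this.indexPattern = pattern;
        this.type = sinkSettings.get("type", (String) null);

        boolean verifyHostnames = sinkSettings.getAsBoolean("verify_hostnames", true).booleanValue();
        boolean sslEnabled = sinkSettings.getAsBoolean("enable_ssl", false).booleanValue();
        boolean clientAuthEnabled = sinkSettings.getAsBoolean("enable_ssl_client_auth", false).booleanValue();
        String username = sinkSettings.get("username");
        // NOTE(review): the LDAP constant is reused as the settings key here; presumably it
        // resolves to "password" — verify against ConfigConstants before relying on the name.
        String password = sinkSettings.get(ConfigConstants.LDAP_PASSWORD);
        boolean hasBasicCredentials = username != null && password != null;

        HttpClient.HttpClientBuilder builder = HttpClient.builder(this.servers.toArray(new String[0]));
        if (sslEnabled) {
            TlsMaterial tls = usesPemSettings(sinkSettings)
                    ? loadPemMaterial(settings, sinkSettings, configPath, clientAuthEnabled)
                    : loadStoreMaterial(settings, sinkSettings, configPath, clientAuthEnabled);
            configureTls(builder, sinkSettings, tls, verifyHostnames, clientAuthEnabled);
        } else {
            // Neither flag has any effect without TLS; say so instead of failing silently.
            if (clientAuthEnabled) {
                this.log.warn("enable_ssl_client_auth is set for external Elasticsearch endpoint '{}' but enable_ssl is false; client auth is ignored.", name);
            }
            if (hasBasicCredentials) {
                this.log.warn("Basic credentials are configured for external Elasticsearch endpoint '{}' but enable_ssl is false; credentials and audit data are sent in clear text.", name);
            }
        }
        if (hasBasicCredentials) {
            builder.setBasicCredentials(username, password);
        }
        this.client = builder.build();
    }

    /** True when the sink supplies its trusted CAs as PEM (file path or inline content). */
    private static boolean usesPemSettings(Settings sinkSettings) {
        return sinkSettings.get("pemtrustedcas_filepath", (String) null) != null
                || sinkSettings.get("pemtrustedcas_content", (String) null) != null;
    }

    /**
     * Loads trusted CAs and (optionally) the client certificate and key from the PEM
     * settings of the sink. Inline {@code *_content} settings take precedence over
     * {@code *_filepath}. The client certificate and key are only mandatory when
     * {@code clientAuthEnabled} is set. The resulting key store is protected with a
     * throw-away random password because it never leaves this process.
     */
    private TlsMaterial loadPemMaterial(Settings settings, Settings sinkSettings, Path configPath, boolean clientAuthEnabled) throws Exception {
        X509Certificate[] trustedCas = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream("pemtrustedcas_content", sinkSettings));
        if (trustedCas == null) {
            trustedCas = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(sinkSettings.get("pemtrustedcas_filepath"), "pemtrustedcas_filepath", settings, configPath, true));
        }
        X509Certificate[] clientCertChain = PemKeyReader.loadCertificatesFromStream(PemKeyReader.resolveStream("pemcert_content", sinkSettings));
        if (clientCertChain == null) {
            clientCertChain = PemKeyReader.loadCertificatesFromFile(PemKeyReader.resolve(sinkSettings.get("pemcert_filepath"), "pemcert_filepath", settings, configPath, clientAuthEnabled));
        }
        String keyPassword = sinkSettings.get("pemkey_password");
        PrivateKey clientKey = PemKeyReader.loadKeyFromStream(keyPassword, PemKeyReader.resolveStream("pemkey_content", sinkSettings));
        if (clientKey == null) {
            clientKey = PemKeyReader.loadKeyFromFile(keyPassword, PemKeyReader.resolve(sinkSettings.get("pemkey_filepath"), "pemkey_filepath", settings, configPath, clientAuthEnabled));
        }

        char[] storePassword = PemKeyReader.randomChars(12);
        String alias = "al";
        KeyStore truststore = PemKeyReader.toTruststore(alias, trustedCas);
        KeyStore keystore = PemKeyReader.toKeystore(alias, storePassword, clientCertChain, clientKey);
        if (this.log.isDebugEnabled()) {
            this.log.debug("Use PEM to secure communication with auditlog server (client auth is {})", Boolean.valueOf(clientKey != null));
        }
        return new TlsMaterial(truststore, keystore, storePassword, alias);
    }

    /**
     * Falls back to the node's transport trust store and key store. Note that this reuses
     * the node's own transport identity as the client certificate towards the audit sink;
     * {@code cert_alias} selects the key and is required when client auth is enabled.
     *
     * @throws IllegalArgumentException if client auth is enabled but {@code cert_alias} is missing
     */
    private TlsMaterial loadStoreMaterial(Settings settings, Settings sinkSettings, Path configPath, boolean clientAuthEnabled) throws Exception {
        KeyStore truststore = PemKeyReader.loadKeyStore(
                PemKeyReader.resolve("searchguard.ssl.transport.truststore_filepath", settings, configPath, true),
                settings.get("searchguard.ssl.transport.truststore_password", DEFAULT_STORE_PASSWORD),
                settings.get("searchguard.ssl.transport.truststore_type"));
        String keystorePassword = settings.get("searchguard.ssl.transport.keystore_password", DEFAULT_STORE_PASSWORD);
        // The key store is only mandatory when we actually have to present a client certificate.
        KeyStore keystore = PemKeyReader.loadKeyStore(
                PemKeyReader.resolve("searchguard.ssl.transport.keystore_filepath", settings, configPath, clientAuthEnabled),
                keystorePassword,
                settings.get("searchguard.ssl.transport.keystore_type"));
        char[] storePassword = (keystorePassword == null || keystorePassword.isEmpty()) ? null : keystorePassword.toCharArray();

        String alias = sinkSettings.get("cert_alias", (String) null);
        if (clientAuthEnabled && alias == null) {
            throw new IllegalArgumentException("cert_alias not given");
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Use Trust-/Keystore to secure communication with auditlog server (client auth is {})", Boolean.valueOf(keystore != null));
            this.log.debug("keyStoreAlias: {}", alias);
        }
        return new TlsMaterial(truststore, keystore, storePassword, alias);
    }

    /**
     * Applies cipher suites, protocols, trust material and (optionally) client credentials
     * to the HTTP client builder. Cipher suites default to the client's own default when
     * not configured; protocols default to {@link #DEFAULT_TLS_PROTOCOLS}.
     */
    private void configureTls(HttpClient.HttpClientBuilder builder, Settings sinkSettings, TlsMaterial tls, boolean verifyHostnames, boolean clientAuthEnabled) {
        List<String> ciphers = sinkSettings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_CIPHERS, (List<String>) null);
        List<String> protocols = sinkSettings.getAsList(ConfigConstants.LDAPS_ENABLED_SSL_PROTOCOLS, DEFAULT_TLS_PROTOCOLS);
        builder.setSupportedCipherSuites(ciphers == null ? null : ciphers.toArray(new String[0]));
        builder.setSupportedProtocols(protocols.toArray(new String[0]));
        if (!verifyHostnames) {
            // Still honoured (verify_hostnames is an explicit opt-out), but worth a loud note:
            // any certificate issued by a trusted CA will be accepted for any host.
            this.log.warn("Hostname verification is disabled for the external Elasticsearch audit log endpoint(s) {}.", this.servers);
        }
        builder.enableSsl(tls.truststore, verifyHostnames);
        if (clientAuthEnabled) {
            builder.setPkiCredentials(tls.keystore, tls.keystorePassword, tls.keyAlias);
        }
    }

    /**
     * Releases the underlying HTTP client.
     *
     * @throws IOException if the client fails to close
     */
    @Override
    public void close() throws IOException {
        if (this.client != null) {
            this.client.close();
        }
    }

    /**
     * Indexes one audit message into the (date-expanded) audit index.
     *
     * @param auditMessage the event to store; its string form is sent as the document body
     * @return {@code true} if one of the configured servers accepted the document,
     *         {@code false} on rejection or on any exception (both are logged, never thrown)
     */
    @Override
    public boolean doStore(AuditMessage auditMessage) {
        try {
            // Trailing flag is passed through unchanged; presumably a refresh/retry switch
            // of HttpClient.index — verify there before changing it.
            boolean accepted = this.client.index(auditMessage.toString(), getExpandedIndexName(this.indexPattern, this.index), this.type, true);
            if (!accepted) {
                this.log.error("Unable to send audit log {} to one of these servers: {}", auditMessage, this.servers);
            }
            return accepted;
        } catch (Exception e) {
            this.log.error("Unable to send audit log {} due to", auditMessage, e);
            return false;
        }
    }
}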
