package com.floragunn.searchguard.configuration;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.compliance.ComplianceConfig;
import com.floragunn.searchguard.modules.state.ComponentState;
import com.floragunn.searchguard.modules.state.ComponentStateProvider;
import com.floragunn.searchguard.sgconf.DynamicConfigFactory;
import com.floragunn.searchguard.sgconf.impl.CType;
import com.floragunn.searchguard.sgconf.impl.SgDynamicConfiguration;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.ConfigHelper;
import com.floragunn.searchguard.support.LicenseHelper;
import com.floragunn.searchguard.support.SgUtils;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.io.File;
import java.nio.file.Path;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.ResourceAlreadyExistsException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.admin.indices.create.CreateIndexResponse;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.health.ClusterHealthStatus;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.metadata.MappingMetadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.XContentHelper;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.env.Environment;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/configuration/ConfigurationRepository.class */
public class ConfigurationRepository implements ComponentStateProvider {
    private static final Logger LOGGER = LogManager.getLogger(ConfigurationRepository.class);
    private final String searchguardIndex;
    private final Client client;
    private final Cache<CType, SgDynamicConfiguration<?>> configCache;
    private final ConfigurationLoaderSG7 cl;
    private final Settings settings;
    private final ClusterService clusterService;
    private final AuditLog auditLog;
    private final ComplianceConfig complianceConfig;
    private final ThreadPool threadPool;
    private volatile SearchGuardLicense effectiveLicense;
    private DynamicConfigFactory dynamicConfigFactory;
    private final Thread bgThread;
    private final int configVersion = 2;
    private final AtomicBoolean installDefaultConfig = new AtomicBoolean();
    private final ComponentState componentState = new ComponentState(1, null, "config_repository", ConfigurationRepository.class);
    private final Lock LOCK = new ReentrantLock();
    private final List<ConfigurationChangeListener> configurationChangedListener = new ArrayList();
    private final List<LicenseChangeListener> licenseChangeListener = new ArrayList();

    private ConfigurationRepository(final Settings settings, final Path path, final ThreadPool threadPool, final Client client, final ClusterService clusterService, AuditLog auditLog, ComplianceConfig complianceConfig) {
        this.searchguardIndex = settings.get(ConfigConstants.SEARCHGUARD_CONFIG_INDEX_NAME, ConfigConstants.SG_DEFAULT_CONFIG_INDEX);
        this.settings = settings;
        this.client = client;
        this.threadPool = threadPool;
        this.clusterService = clusterService;
        this.auditLog = auditLog;
        this.complianceConfig = complianceConfig;
        this.componentState.setMandatory(true);
        this.cl = new ConfigurationLoaderSG7(client, threadPool, settings, clusterService, this.componentState);
        this.configCache = CacheBuilder.newBuilder().build();
        this.bgThread = new Thread(new Runnable() { // from class: com.floragunn.searchguard.configuration.ConfigurationRepository.1
            @Override // java.lang.Runnable
            public void run() {
                ClusterHealthResponse clusterHealthResponse;
                try {
                    ConfigurationRepository.LOGGER.info("Background init thread started. Install default config?: " + ConfigurationRepository.this.installDefaultConfig.get());
                    if (ConfigurationRepository.this.installDefaultConfig.get()) {
                        ConfigurationRepository.this.componentState.setState(ComponentState.State.INITIALIZING, "install_default_config");
                        try {
                            try {
                                String property = System.getProperty("sg.default_init.dir");
                                String str = property != null ? property + "/" : new Environment(settings, path).pluginsFile().toAbsolutePath().toString() + "/search-guard-7/sgconfig/";
                                File file = new File(str + "sg_config.yml");
                                if (file.exists()) {
                                    ThreadContext threadContext = threadPool.getThreadContext();
                                    ThreadContext.StoredContext stashContext = threadContext.stashContext();
                                    try {
                                        threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
                                        ConfigurationRepository.LOGGER.info("Will create {} index so we can apply default config", ConfigurationRepository.this.searchguardIndex);
                                        HashMap hashMap = new HashMap();
                                        hashMap.put("index.number_of_shards", 1);
                                        hashMap.put("index.auto_expand_replicas", "0-all");
                                        boolean isAcknowledged = ((CreateIndexResponse) client.admin().indices().create(new CreateIndexRequest(ConfigurationRepository.this.searchguardIndex).settings(hashMap)).actionGet()).isAcknowledged();
                                        ConfigurationRepository.LOGGER.info("Index {} created?: {}", ConfigurationRepository.this.searchguardIndex, Boolean.valueOf(isAcknowledged));
                                        if (isAcknowledged) {
                                            ConfigHelper.uploadFile(client, str + "sg_config.yml", ConfigurationRepository.this.searchguardIndex, CType.CONFIG, 2);
                                            ConfigHelper.uploadFile(client, str + "sg_roles.yml", ConfigurationRepository.this.searchguardIndex, CType.ROLES, 2);
                                            ConfigHelper.uploadFile(client, str + "sg_roles_mapping.yml", ConfigurationRepository.this.searchguardIndex, CType.ROLESMAPPING, 2);
                                            ConfigHelper.uploadFile(client, str + "sg_internal_users.yml", ConfigurationRepository.this.searchguardIndex, CType.INTERNALUSERS, 2);
                                            ConfigHelper.uploadFile(client, str + "sg_action_groups.yml", ConfigurationRepository.this.searchguardIndex, CType.ACTIONGROUPS, 2);
                                            ConfigHelper.uploadFile(client, str + "sg_tenants.yml", ConfigurationRepository.this.searchguardIndex, CType.TENANTS, 2);
                                            ConfigHelper.uploadFile(client, str + "sg_blocks.yml", ConfigurationRepository.this.searchguardIndex, CType.BLOCKS, 2);
                                            ConfigurationRepository.LOGGER.info("Default config applied");
                                        } else {
                                            ConfigurationRepository.LOGGER.error("Can not create {} index", ConfigurationRepository.this.searchguardIndex);
                                            ConfigurationRepository.this.componentState.setFailed("Index creation was not acknowledged");
                                        }
                                        if (stashContext != null) {
                                            stashContext.close();
                                        }
                                    } catch (Throwable th) {
                                        if (stashContext != null) {
                                            try {
                                                stashContext.close();
                                            } catch (Throwable th2) {
                                                th.addSuppressed(th2);
                                            }
                                        }
                                        throw th;
                                    }
                                } else {
                                    ConfigurationRepository.LOGGER.error("{} does not exist", file.getAbsolutePath());
                                    ConfigurationRepository.this.componentState.setFailed(file.getAbsolutePath() + " does not exist");
                                }
                            } catch (Exception e) {
                                ConfigurationRepository.LOGGER.error("Cannot apply default config (this is maybe not an error!) due to {}", e.getMessage());
                                ConfigurationRepository.this.componentState.setFailed(e);
                            }
                        } catch (ResourceAlreadyExistsException e2) {
                            ConfigurationRepository.LOGGER.debug("Cannot apply default config (this is maybe not an error!) due to {}", e2.getMessage());
                        }
                    }
                    ConfigurationRepository.LOGGER.debug("Node started, try to initialize it. Wait for at least yellow cluster state....");
                    ConfigurationRepository.this.componentState.setState(ComponentState.State.INITIALIZING, "waiting_for_yellow_index");
                    clusterHealthResponse = null;
                    try {
                        clusterHealthResponse = (ClusterHealthResponse) client.admin().cluster().health(new ClusterHealthRequest(new String[]{ConfigurationRepository.this.searchguardIndex}).waitForActiveShards(1).waitForYellowStatus()).actionGet();
                    } catch (Exception e3) {
                        ConfigurationRepository.LOGGER.debug("Catched a {} but we just try again ...", e3.toString());
                    }
                } catch (Exception e4) {
                    ConfigurationRepository.LOGGER.error("Unexpected exception while initializing node " + e4, e4);
                    ConfigurationRepository.this.componentState.setFailed(e4);
                    return;
                }
                while (true) {
                    if (clusterHealthResponse != null && !clusterHealthResponse.isTimedOut() && clusterHealthResponse.getStatus() != ClusterHealthStatus.RED) {
                        break;
                    }
                    ConfigurationRepository.LOGGER.debug("index '{}' not healthy yet, we try again ... (Reason: {})", ConfigurationRepository.this.searchguardIndex, clusterHealthResponse == null ? "no response" : clusterHealthResponse.isTimedOut() ? "timeout" : "other, maybe red cluster");
                    try {
                        Thread.sleep(500L);
                    } catch (InterruptedException e5) {
                        Thread.currentThread().interrupt();
                    }
                    ConfigurationRepository.this.componentState.startNextTry();
                    try {
                        clusterHealthResponse = (ClusterHealthResponse) client.admin().cluster().health(new ClusterHealthRequest(new String[]{ConfigurationRepository.this.searchguardIndex}).waitForYellowStatus()).actionGet();
                    } catch (Exception e6) {
                        ConfigurationRepository.LOGGER.debug("Catched again a {} but we just try again ...", e6.toString());
                    }
                    ConfigurationRepository.LOGGER.error("Unexpected exception while initializing node " + e4, e4);
                    ConfigurationRepository.this.componentState.setFailed(e4);
                    return;
                }
                ConfigurationRepository.this.componentState.setState(ComponentState.State.INITIALIZING, "loading");
                while (!ConfigurationRepository.this.dynamicConfigFactory.isInitialized()) {
                    ConfigurationRepository.this.componentState.startNextTry();
                    try {
                        ConfigurationRepository.LOGGER.debug("Try to load config ...");
                        ConfigurationRepository.this.reloadConfiguration(Arrays.asList(CType.values()));
                        break;
                    } catch (Exception e7) {
                        ConfigurationRepository.LOGGER.debug("Unable to load configuration due to {}", String.valueOf(ExceptionUtils.getRootCause(e7)));
                        try {
                            Thread.sleep(3000L);
                        } catch (InterruptedException e8) {
                            Thread.currentThread().interrupt();
                            ConfigurationRepository.LOGGER.debug("Thread was interrupted so we cancel initialization");
                        }
                    }
                }
                ConfigurationRepository.LOGGER.info("Node '{}' initialized", clusterService.localNode().getName());
                ConfigurationRepository.this.componentState.setInitialized();
            }
        });
    }

    public void initOnNodeStart() {
        LOGGER.info("Check if " + this.searchguardIndex + " index exists ...");
        try {
            if (this.clusterService.state().getMetadata().hasConcreteIndex(this.searchguardIndex)) {
                LOGGER.info("{} index does already exist, so we try to load the config from it", this.searchguardIndex);
                this.bgThread.start();
            } else if (this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_ALLOW_DEFAULT_INIT_SGINDEX, false).booleanValue()) {
                LOGGER.info("{} index does not exist yet, so we create a default config", this.searchguardIndex);
                this.installDefaultConfig.set(true);
                this.bgThread.start();
            } else if (this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_BACKGROUND_INIT_IF_SGINDEX_NOT_EXIST, true).booleanValue()) {
                LOGGER.info("{} index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster", this.searchguardIndex);
                this.bgThread.start();
            } else {
                LOGGER.info("{} index does not exist yet, use sgadmin to initialize the cluster. We will not perform background initialization", this.searchguardIndex);
            }
        } catch (Throwable th) {
            LOGGER.error("Error during node initialization: {}", th, th);
            this.bgThread.start();
            this.componentState.addLastException("initOnNodeStart", th);
        }
    }

    public static ConfigurationRepository create(Settings settings, Path path, ThreadPool threadPool, Client client, ClusterService clusterService, AuditLog auditLog, ComplianceConfig complianceConfig) {
        return new ConfigurationRepository(settings, path, threadPool, client, clusterService, auditLog, complianceConfig);
    }

    public void setDynamicConfigFactory(DynamicConfigFactory dynamicConfigFactory) {
        this.dynamicConfigFactory = dynamicConfigFactory;
    }

    public SgDynamicConfiguration<?> getConfiguration(CType cType) {
        SgDynamicConfiguration sgDynamicConfiguration = (SgDynamicConfiguration) this.configCache.getIfPresent(cType);
        return sgDynamicConfiguration != null ? sgDynamicConfiguration.deepClone() : SgDynamicConfiguration.empty();
    }

    public void reloadConfiguration(Collection<CType> collection) throws ConfigUpdateAlreadyInProgressException {
        try {
            if (!this.LOCK.tryLock(60L, TimeUnit.SECONDS)) {
                throw new ConfigUpdateAlreadyInProgressException("A config update is already imn progress", new Object[0]);
            }
            try {
                reloadConfiguration0(collection);
                this.LOCK.unlock();
            } catch (Throwable th) {
                this.LOCK.unlock();
                throw th;
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ConfigUpdateAlreadyInProgressException("Interrupted config update", new Object[0]);
        }
    }

    private void reloadConfiguration0(Collection<CType> collection) {
        Map<CType, SgDynamicConfiguration<?>> configurationsFromIndex = getConfigurationsFromIndex(collection, false);
        this.configCache.putAll(configurationsFromIndex);
        notifyAboutChanges(configurationsFromIndex);
        SearchGuardLicense license = getLicense();
        notifyAboutLicenseChanges(license);
        LOGGER.info("Search Guard License Info: " + (license == null ? "No license needed because enterprise modules are not enabled" : license.toString()));
        if (license != null) {
            LOGGER.info("Search Guard License Type: " + license.getType() + ", " + (license.isValid() ? "valid" : "invalid"));
            if (license.getExpiresInDays() <= 30 && license.isValid()) {
                LOGGER.warn("Your Search Guard license expires in " + license.getExpiresInDays() + " days.");
                System.out.println("Your Search Guard license expires in " + license.getExpiresInDays() + " days.");
            }
            if (license.isValid()) {
                return;
            }
            String join = String.join("; ", license.getMsgs());
            LOGGER.error("You are running an unlicensed version of Search Guard. Reason(s): " + join);
            System.out.println("You are running an unlicensed version of Search Guard. Reason(s): " + join);
            System.err.println("You are running an unlicensed version of Search Guard. Reason(s): " + join);
        }
    }

    public synchronized void subscribeOnChange(ConfigurationChangeListener configurationChangeListener) {
        this.configurationChangedListener.add(configurationChangeListener);
    }

    public synchronized void subscribeOnLicenseChange(LicenseChangeListener licenseChangeListener) {
        if (licenseChangeListener != null) {
            this.licenseChangeListener.add(licenseChangeListener);
        }
    }

    private synchronized void notifyAboutLicenseChanges(SearchGuardLicense searchGuardLicense) {
        Iterator<LicenseChangeListener> it = this.licenseChangeListener.iterator();
        while (it.hasNext()) {
            it.next().onChange(searchGuardLicense);
        }
    }

    private synchronized void notifyAboutChanges(Map<CType, SgDynamicConfiguration<?>> map) {
        for (ConfigurationChangeListener configurationChangeListener : this.configurationChangedListener) {
            try {
                LOGGER.debug("Notify {} listener about change configuration with type {}", configurationChangeListener);
                configurationChangeListener.onChange(map);
            } catch (Exception e) {
                LOGGER.error("{} listener errored: " + e, configurationChangeListener, e);
                throw ExceptionsHelper.convertToElastic(e);
            }
        }
    }

    public Map<CType, SgDynamicConfiguration<?>> getConfigurationsFromIndex(Collection<CType> collection, boolean z) {
        ThreadContext threadContext = this.threadPool.getThreadContext();
        HashMap hashMap = new HashMap();
        try {
            ThreadContext.StoredContext stashContext = threadContext.stashContext();
            try {
                threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
                IndexMetadata index = this.clusterService.state().getMetadata().index(this.searchguardIndex);
                MappingMetadata mapping = index == null ? null : index.mapping();
                if (index == null || mapping == null) {
                    LOGGER.debug("sg index not exists (yet)");
                    hashMap.putAll(validate(this.cl.load((CType[]) collection.toArray(new CType[0]), 10L, TimeUnit.SECONDS), collection.size()));
                } else {
                    if ("sg".equals(mapping.type())) {
                        LOGGER.debug("sg index exists and was created before ES 7 (legacy layout)");
                    } else {
                        LOGGER.debug("sg index exists and was created with ES 7 (new layout)");
                    }
                    hashMap.putAll(validate(this.cl.load((CType[]) collection.toArray(new CType[0]), 10L, TimeUnit.SECONDS), collection.size()));
                }
                if (stashContext != null) {
                    stashContext.close();
                }
                if (z && this.complianceConfig.isEnabled()) {
                    CType next = collection.iterator().next();
                    HashMap hashMap2 = new HashMap();
                    hashMap2.put(next.toLCString(), Strings.toString((ToXContent) hashMap.get(next)));
                    this.auditLog.logDocumentRead(this.searchguardIndex, next.toLCString(), null, hashMap2, this.complianceConfig);
                }
                return hashMap;
            } finally {
            }
        } catch (Exception e) {
            throw new ElasticsearchException(e);
        }
    }

    private Map<CType, SgDynamicConfiguration<?>> validate(Map<CType, SgDynamicConfiguration<?>> map, int i) throws InvalidConfigException {
        if (map == null || map.size() != i) {
            throw new InvalidConfigException("Retrieved only partial configuration");
        }
        return map;
    }

    private static String formatDate(long j) {
        return new SimpleDateFormat("yyyy-MM-dd", SgUtils.EN_Locale).format(new Date(j));
    }

    public SearchGuardLicense getLicense() {
        if (!this.settings.getAsBoolean(ConfigConstants.SEARCHGUARD_ENTERPRISE_MODULES_ENABLED, true).booleanValue()) {
            return null;
        }
        String licenseString = this.dynamicConfigFactory.getLicenseString();
        if (licenseString == null || licenseString.isEmpty()) {
            return this.effectiveLicense != null ? this.effectiveLicense : createOrGetTrial(null);
        }
        try {
            SearchGuardLicense searchGuardLicense = new SearchGuardLicense(XContentHelper.convertToMap(XContentType.JSON.xContent(), LicenseHelper.validateLicense(licenseString), true), this.clusterService);
            this.effectiveLicense = searchGuardLicense;
            return searchGuardLicense;
        } catch (Exception e) {
            LOGGER.error("Unable to verify license", e);
            return this.effectiveLicense != null ? this.effectiveLicense : createOrGetTrial("Unable to verify license due to " + ExceptionUtils.getRootCause(e));
        }
    }

    private SearchGuardLicense createOrGetTrial(String str) {
        IndexMetadata index = this.clusterService.state().getMetadata().index(this.searchguardIndex);
        if (index == null) {
            LOGGER.error("Unable to retrieve trial license (or create  a new one) because {} index does not exist", this.searchguardIndex);
            throw new RuntimeException(this.searchguardIndex + " does not exist");
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Create or retrieve trial license from {} created with version {} and mapping type: {}", this.searchguardIndex, index.getCreationVersion(), index.mapping().type());
        }
        String str2 = index.mapping().type().equals("sg") ? "sg" : "_doc";
        long currentTimeMillis = System.currentTimeMillis();
        ThreadContext threadContext = this.threadPool.getThreadContext();
        ThreadContext.StoredContext stashContext = threadContext.stashContext();
        try {
            threadContext.putHeader(ConfigConstants.SG_CONF_REQUEST_HEADER, "true");
            GetResponse getResponse = this.client.prepareGet(this.searchguardIndex, str2, "tattr").get();
            if (getResponse.isExists()) {
                currentTimeMillis = ((Long) getResponse.getSource().get("val")).longValue();
            } else {
                try {
                    this.client.index(new IndexRequest(this.searchguardIndex).type(str2).id("tattr").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).create(true).source("{\"val\": " + System.currentTimeMillis() + "}", XContentType.JSON)).actionGet();
                } catch (Exception e) {
                    LOGGER.error("Unable to index tattr", e);
                } catch (VersionConflictEngineException e2) {
                }
            }
            if (stashContext != null) {
                stashContext.close();
            }
            return SearchGuardLicense.createTrialLicense(formatDate(currentTimeMillis), this.clusterService, str);
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // com.floragunn.searchguard.modules.state.ComponentStateProvider
    public ComponentState getComponentState() {
        return this.componentState;
    }
}
