package com.floragunn.searchguard.tools.tlsdiag;

import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
import com.floragunn.searchguard.tools.tlsdiag.tasks.DumpCert;
import com.floragunn.searchguard.tools.tlsdiag.tasks.Task;
import com.floragunn.searchguard.tools.tlsdiag.tasks.ValidateCert;
import com.floragunn.searchguard.tools.tlstool.ToolException;
import com.floragunn.searchguard.tools.util.EsNodeConfig;
import com.floragunn.searchguard.tools.util.PemFileUtils;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/* loaded from: input_file:com/floragunn/searchguard/tools/tlsdiag/SearchGuardTlsDiagnosis.class */
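/**
 * Command-line entry point of the Search Guard TLS diagnosis tool ({@code sgtlsdiag.sh}).
 *
 * <p>Two modes are supported and may be combined:
 * <ul>
 *   <li>{@code --trusted-ca} / {@code --certificates}: every PEM file given with
 *       {@code --certificates} is validated against the trust anchors loaded from the
 *       {@code --trusted-ca} PEM files (both options are required together).</li>
 *   <li>{@code --es-config}: the Search Guard PEM settings are read from an Elasticsearch
 *       node config file; the transport and HTTP certificates are validated against their
 *       respective trusted-CA files. Relative paths in the config are resolved against the
 *       directory containing the config file, absolute paths are used unchanged.</li>
 * </ul>
 *
 * <p>All work is queued as {@link Task}s and executed in insertion order at the end of
 * {@link #run()}. Not thread-safe; intended to be driven once from {@link #main(String[])}.
 */
public class SearchGuardTlsDiagnosis {
    /** YAML reader for the Elasticsearch node config file; configured once in {@link #main(String[])}. */
    private static final ObjectMapper objectMapper = new ObjectMapper(new YAMLFactory());
    /** Registered with {@link Security} so certificate/PEM handling can use Bouncy Castle. */
    private static final Provider securityProvider = new BouncyCastleProvider();
    private static final Logger log = LogManager.getLogger(SearchGuardTlsDiagnosis.class);
    /** Option definitions; populated by {@link #parseOptions(String[])} and reused for help output. */
    private static Options options;
    private final CommandLine commandLine;
    /** Tasks to execute, in the order they were queued. */
    private final List<Task> tasks = new ArrayList<>();

    /**
     * Runs the tool. Exits with status 1 when a {@link ToolException} is raised: the message
     * is logged at error level, the stack trace only at debug level (see {@code --verbose}).
     *
     * @param strArr command-line arguments, see {@link #parseOptions(String[])}
     */
    public static void main(String[] strArr) {
        Security.addProvider(securityProvider);
        // A scalar value for a list-typed config property is accepted as a one-element list.
        objectMapper.configure(DeserializationFeature.ACCEPT_SINGLE_VALUE_AS_ARRAY, true);
        try {
            new SearchGuardTlsDiagnosis(parseOptions(strArr)).run();
        } catch (ToolException e) {
            log.error(e.getMessage());
            log.debug("Exception: ", e);
            System.exit(1);
        }
    }

    /**
     * Defines the command-line options and parses {@code strArr} against them.
     * On a parse error the usage text is printed and the process exits with status 1.
     *
     * @param strArr raw command-line arguments
     * @return the parsed command line (never {@code null} on normal return)
     */
    private static CommandLine parseOptions(String[] strArr) {
        options = new Options();
        options.addOption(Option.builder("es").longOpt("es-config").hasArg().desc("Path to the ElasticSearch config file containing the SearchGuard TLS configuration").build());
        options.addOption(Option.builder("ca").longOpt("trusted-ca").hasArgs().desc("Path to a PEM file containing the certificate of a trusted CA").build());
        options.addOption(Option.builder("crt").longOpt("certificates").hasArgs().desc("Path to PEM files containing certificates to be checked").build());
        options.addOption(Option.builder("v").longOpt("verbose").desc("Enable detailed output").build());
        try {
            return new DefaultParser().parse(options, strArr);
        } catch (ParseException e) {
            printUsageAndExit();
            return null; // unreachable: printUsageAndExit() terminates the JVM
        }
    }

    /** Prints the usage text for {@link #options} and exits with status 1. */
    private static void printUsageAndExit() {
        new HelpFormatter().printHelp("sgtlsdiag.sh", options, true);
        System.exit(1);
    }

    /**
     * @param commandLine the parsed command line driving this run
     */
    SearchGuardTlsDiagnosis(CommandLine commandLine) {
        this.commandLine = commandLine;
    }

    /**
     * Validates the option combination, queues the tasks for the selected modes and runs them.
     *
     * @throws ToolException if {@code --trusted-ca} and {@code --certificates} are not given
     *         together, or if a referenced file cannot be read
     */
    private void run() throws ToolException {
        boolean verbose = this.commandLine.hasOption("v");
        boolean hasTrustedCa = this.commandLine.hasOption("ca");
        boolean hasCertificates = this.commandLine.hasOption("crt");
        boolean hasEsConfig = this.commandLine.hasOption("es");

        if (verbose) {
            Configurator.setRootLevel(Level.DEBUG);
            Configurator.setLevel("STDOUT", Level.DEBUG);
            // NOTE(review): java.security.debug is usually read when the JCA classes initialise;
            // setting it this late may not enable certpath tracing — confirm it takes effect.
            System.setProperty("java.security.debug", "certpath");
        }
        if (hasTrustedCa && !hasCertificates) {
            throw new ToolException("You must specify at least one certificate to check using the --certificates option");
        }
        if (!hasCertificates && !hasEsConfig) {
            // Nothing to check: neither explicit certificates nor a node config were given.
            printUsageAndExit();
        }
        if (hasCertificates) {
            if (!hasTrustedCa) {
                throw new ToolException("You must specify the certificate of the trusted CA using the --trusted-ca option");
            }
            String[] trustedCaPaths = this.commandLine.getOptionValues("ca");
            Set<File> trustedCaFiles = Stream.of(trustedCaPaths).map(File::new).collect(Collectors.toSet());
            Set<TrustAnchor> trustAnchors = loadTrustAnchors(trustedCaFiles);
            for (String certificatePath : this.commandLine.getOptionValues("crt")) {
                this.tasks.add(new ValidateCert(trustAnchors, new File(certificatePath)));
            }
            if (verbose) {
                // Dump the CA files as given (order and duplicates preserved), after the validations.
                for (String trustedCaPath : trustedCaPaths) {
                    this.tasks.add(new DumpCert(new File(trustedCaPath)));
                }
            }
        }
        if (hasEsConfig) {
            processEsConfigFile(new File(this.commandLine.getOptionValue("es")));
        }
        for (Task task : this.tasks) {
            task.run();
        }
    }

    /**
     * Reads every certificate from each PEM file and wraps it as a {@link TrustAnchor}.
     *
     * <p>Note that <em>every</em> certificate found in a file becomes a trust anchor, not only
     * self-signed roots: an intermediate CA placed in a trusted-CA file is trusted directly.
     *
     * @param set PEM files to read
     * @return the anchors from all files; empty when {@code set} is empty
     * @throws ToolException if a file is missing or cannot be parsed
     */
    private Set<TrustAnchor> loadTrustAnchors(Set<File> set) throws ToolException {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (File file : set) {
            try {
                for (X509Certificate certificate : PemFileUtils.readCertificatesFromPemFile(file)) {
                    anchors.add(new TrustAnchor(certificate, null));
                }
            } catch (FileNotFoundException e) {
                throw new ToolException("The file " + file + " does not exist", e);
            } catch (Exception e) {
                throw new ToolException("Error while reading " + file + ": " + e, e);
            }
        }
        return anchors;
    }

    /**
     * Resolves a certificate path from the node config. Relative paths are taken relative to
     * the directory of the config file; absolute paths are used as they are. (Passing an
     * absolute path as the child of {@code new File(parent, child)} would append it to the
     * parent directory instead.)
     *
     * @param configFile the node config file the path was read from
     * @param path       path as written in the config
     * @return the resolved file
     */
    private static File resolveConfigPath(File configFile, String path) {
        File candidate = new File(path);
        if (candidate.isAbsolute()) {
            return candidate;
        }
        return new File(configFile.getParentFile(), path);
    }

    /**
     * Queues validation and dump tasks for the PEM files referenced by an Elasticsearch node
     * config file.
     *
     * <p>Transport and HTTP certificates are validated against their own trusted-CA file. If a
     * certificate path is configured without the matching trusted-CA path, the certificate is
     * validated against an empty anchor set (the outcome then depends on {@link ValidateCert}).
     * Each trusted-CA file is additionally dumped.
     *
     * @param file the Elasticsearch node config file (YAML)
     * @throws ToolException if the file is missing, unreadable or not a valid node config
     */
    private void processEsConfigFile(File file) throws ToolException {
        try {
            log.info("Reading node config file " + file);
            EsNodeConfig esNodeConfig = objectMapper.readValue(file, EsNodeConfig.class);
            Set<TrustAnchor> transportAnchors = new HashSet<>();
            Set<TrustAnchor> httpAnchors = new HashSet<>();
            Set<File> trustedCaFiles = new HashSet<>();
            if (esNodeConfig.isKeystoreOrTruststoreAttributeSet()) {
                log.error("\nWARNING: The config file '" + file.getName() + "' is configured to use JKS files, which are deprecated since Search Guard 6. This tool only supports checking PEM files.\n");
            }
            if (esNodeConfig.getTransportPemTrustedCasFilePath() != null) {
                File transportCaFile = resolveConfigPath(file, esNodeConfig.getTransportPemTrustedCasFilePath());
                transportAnchors = loadTrustAnchors(Collections.singleton(transportCaFile));
                trustedCaFiles.add(transportCaFile);
            }
            if (esNodeConfig.getHttpPemTrustedCasFilePath() != null) {
                File httpCaFile = resolveConfigPath(file, esNodeConfig.getHttpPemTrustedCasFilePath());
                httpAnchors = loadTrustAnchors(Collections.singleton(httpCaFile));
                trustedCaFiles.add(httpCaFile);
            }
            if (esNodeConfig.getTransportPemCertFilePath() != null) {
                this.tasks.add(new ValidateCert(transportAnchors, resolveConfigPath(file, esNodeConfig.getTransportPemCertFilePath())));
            }
            if (esNodeConfig.getHttpPemCertFilePath() != null) {
                this.tasks.add(new ValidateCert(httpAnchors, resolveConfigPath(file, esNodeConfig.getHttpPemCertFilePath())));
            }
            for (File trustedCaFile : trustedCaFiles) {
                this.tasks.add(new DumpCert(trustedCaFile));
            }
        } catch (JsonParseException | JsonMappingException e) {
            // Report the parser's detail, not the file name twice.
            throw new ToolException("ES node config file " + file + " is invalid: " + e.getMessage(), e);
        } catch (FileNotFoundException e) {
            throw new ToolException("ES node config file does not exist: " + file, e);
        } catch (IOException e) {
            throw new ToolException("Error while reading " + file + ": " + e, e);
        }
    }
}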
