package org.elasticsearch.repositories.encrypted;

import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.Build;
import org.elasticsearch.cluster.metadata.RepositoryMetadata;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.settings.SecureSetting;
import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.env.Environment;
import org.elasticsearch.indices.recovery.RecoverySettings;
import org.elasticsearch.license.LicenseUtils;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.RepositoryPlugin;
import org.elasticsearch.repositories.Repository;
import org.elasticsearch.repositories.blobstore.BlobStoreRepository;
import org.elasticsearch.xpack.core.XPackPlugin;

/* loaded from: input_file:org/elasticsearch/repositories/encrypted/EncryptedRepositoryPlugin.class */
public class EncryptedRepositoryPlugin extends Plugin implements RepositoryPlugin {
    private static final Boolean ENCRYPTED_REPOSITORY_FEATURE_FLAG_REGISTERED;
    static final Logger logger;
    static final String REPOSITORY_TYPE_NAME = "encrypted";
    static final List<String> SUPPORTED_ENCRYPTED_TYPE_NAMES;
    static final Setting.AffixSetting<SecureString> ENCRYPTION_PASSWORD_SETTING;
    static final Setting<String> DELEGATE_TYPE_SETTING;
    static final Setting<String> PASSWORD_NAME_SETTING;

    protected XPackLicenseState getLicenseState() {
        return XPackPlugin.getSharedLicenseState();
    }

    public List<Setting<?>> getSettings() {
        return Collections.singletonList(ENCRYPTION_PASSWORD_SETTING);
    }

    public static boolean isDisabled() {
        return false == Build.CURRENT.isSnapshot() && (ENCRYPTED_REPOSITORY_FEATURE_FLAG_REGISTERED == null || !ENCRYPTED_REPOSITORY_FEATURE_FLAG_REGISTERED.booleanValue());
    }

    public Map<String, Repository.Factory> getRepositories(Environment environment, final NamedXContentRegistry namedXContentRegistry, final ClusterService clusterService, final BigArrays bigArrays, final RecoverySettings recoverySettings) {
        if (isDisabled()) {
            return Collections.emptyMap();
        }
        final HashMap hashMap = new HashMap();
        for (String str : ENCRYPTION_PASSWORD_SETTING.getNamespaces(environment.settings())) {
            hashMap.put(str, (SecureString) ENCRYPTION_PASSWORD_SETTING.getConcreteSettingForNamespace(str).get(environment.settings()));
            logger.debug("Loaded repository password [{}] from the node keystore", str);
        }
        return Collections.singletonMap(REPOSITORY_TYPE_NAME, new Repository.Factory() { // from class: org.elasticsearch.repositories.encrypted.EncryptedRepositoryPlugin.1
            public Repository create(RepositoryMetadata repositoryMetadata) {
                throw new UnsupportedOperationException();
            }

            public Repository create(RepositoryMetadata repositoryMetadata, Function<String, Repository.Factory> function) throws Exception {
                String str2 = (String) EncryptedRepositoryPlugin.DELEGATE_TYPE_SETTING.get(repositoryMetadata.settings());
                if (!Strings.hasLength(str2)) {
                    throw new IllegalArgumentException("Repository setting [" + EncryptedRepositoryPlugin.DELEGATE_TYPE_SETTING.getKey() + "] must be set");
                }
                if (EncryptedRepositoryPlugin.REPOSITORY_TYPE_NAME.equals(str2)) {
                    throw new IllegalArgumentException("Cannot encrypt an already encrypted repository. [" + EncryptedRepositoryPlugin.DELEGATE_TYPE_SETTING.getKey() + "] must not be equal to [" + EncryptedRepositoryPlugin.REPOSITORY_TYPE_NAME + "]");
                }
                Repository.Factory apply = function.apply(str2);
                if (null == apply || false == EncryptedRepositoryPlugin.SUPPORTED_ENCRYPTED_TYPE_NAMES.contains(str2)) {
                    throw new IllegalArgumentException("Unsupported delegate repository type [" + str2 + "] for setting [" + EncryptedRepositoryPlugin.DELEGATE_TYPE_SETTING.getKey() + "]");
                }
                String str3 = (String) EncryptedRepositoryPlugin.PASSWORD_NAME_SETTING.get(repositoryMetadata.settings());
                if (!Strings.hasLength(str3)) {
                    throw new IllegalArgumentException("Repository setting [" + EncryptedRepositoryPlugin.PASSWORD_NAME_SETTING.getKey() + "] must be set");
                }
                SecureString secureString = (SecureString) hashMap.get(str3);
                if (secureString == null) {
                    throw new IllegalArgumentException("Secure setting [" + EncryptedRepositoryPlugin.ENCRYPTION_PASSWORD_SETTING.getConcreteSettingForNamespace(str3).getKey() + "] must be set");
                }
                BlobStoreRepository create = apply.create(new RepositoryMetadata(repositoryMetadata.name(), str2, repositoryMetadata.settings()));
                if (false == (create instanceof BlobStoreRepository) || (create instanceof EncryptedRepository)) {
                    throw new IllegalArgumentException("Unsupported delegate repository type [" + EncryptedRepositoryPlugin.DELEGATE_TYPE_SETTING.getKey() + "]");
                }
                if (false == EncryptedRepositoryPlugin.this.getLicenseState().checkFeature(XPackLicenseState.Feature.ENCRYPTED_SNAPSHOT)) {
                    EncryptedRepositoryPlugin.logger.warn(new ParameterizedMessage("Encrypted snapshots are not allowed for the currently installed license [{}]. Snapshots to the [{}] encrypted repository are not permitted. All the other operations, including restore, work without restrictions.", EncryptedRepositoryPlugin.this.getLicenseState().getOperationMode().description(), repositoryMetadata.name()), LicenseUtils.newComplianceException("encrypted snapshots"));
                }
                return EncryptedRepositoryPlugin.this.createEncryptedRepository(repositoryMetadata, namedXContentRegistry, clusterService, bigArrays, recoverySettings, create, () -> {
                    return EncryptedRepositoryPlugin.this.getLicenseState();
                }, secureString);
            }
        });
    }

    protected EncryptedRepository createEncryptedRepository(RepositoryMetadata repositoryMetadata, NamedXContentRegistry namedXContentRegistry, ClusterService clusterService, BigArrays bigArrays, RecoverySettings recoverySettings, BlobStoreRepository blobStoreRepository, Supplier<XPackLicenseState> supplier, SecureString secureString) throws GeneralSecurityException {
        return new EncryptedRepository(repositoryMetadata, namedXContentRegistry, clusterService, bigArrays, recoverySettings, blobStoreRepository, supplier, secureString);
    }

    static {
        String property = System.getProperty("es.encrypted_repository_feature_flag_registered");
        if (Build.CURRENT.isSnapshot() && property != null) {
            throw new IllegalArgumentException("es.encrypted_repository_feature_flag_registered is only supported in non-snapshot builds");
        }
        if ("true".equals(property)) {
            ENCRYPTED_REPOSITORY_FEATURE_FLAG_REGISTERED = true;
        } else if ("false".equals(property)) {
            ENCRYPTED_REPOSITORY_FEATURE_FLAG_REGISTERED = false;
        } else {
            if (property != null) {
                throw new IllegalArgumentException("expected es.encrypted_repository_feature_flag_registered to be unset or [true|false] but was [" + property + "]");
            }
            ENCRYPTED_REPOSITORY_FEATURE_FLAG_REGISTERED = null;
        }
        logger = LogManager.getLogger(EncryptedRepositoryPlugin.class);
        SUPPORTED_ENCRYPTED_TYPE_NAMES = Arrays.asList("fs", "gcs", "azure", "s3");
        ENCRYPTION_PASSWORD_SETTING = Setting.affixKeySetting("repository.encrypted.", "password", str -> {
            return SecureSetting.secureString(str, (Setting) null, new Setting.Property[0]);
        }, new Setting.AffixSettingDependency[0]);
        DELEGATE_TYPE_SETTING = Setting.simpleString("delegate_type", "", new Setting.Property[0]);
        PASSWORD_NAME_SETTING = Setting.simpleString("password_name", "", new Setting.Property[0]);
    }
}
