package org.elasticsearch.xpack.security;

import java.util.Map;
import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.bootstrap.BootstrapContext;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.pki.PkiRealm;
import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport;
import org.elasticsearch.xpack.ssl.SSLService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.class */
/**
 * Bootstrap check that refuses to start a node which has an enabled PKI realm
 * but no SSL-enabled channel with client authentication turned on.
 *
 * <p>The check passes as soon as one of the following holds:
 * <ul>
 *   <li>no realm of type {@link PkiRealm#TYPE} is enabled;</li>
 *   <li>HTTP SSL is enabled and client authentication is enabled for HTTP;</li>
 *   <li>transport SSL is enabled and client authentication is enabled for the
 *       default transport SSL settings;</li>
 *   <li>transport SSL is enabled and client authentication is enabled for at
 *       least one entry under {@code transport.profiles.}.</li>
 * </ul>
 *
 * <p>NOTE(review): a single qualifying channel is enough to pass. The check does
 * not establish that the channel clients actually use presents certificates to
 * the PKI realm. Whether "optional" client authentication counts as enabled is
 * decided inside {@code SSLService.isSSLClientAuthEnabled}, which is not visible
 * here. Confirm that against the SSLService of this version.
 *
 * <p>Decompiler output reports that the class and its constructor were
 * package-private in the original bytecode.
 */
public class PkiRealmBootstrapCheck implements BootstrapCheck {
    private final SSLService sslService;

    /**
     * @param sSLService service queried for the client-authentication state of
     *                   each SSL configuration
     */
    public PkiRealmBootstrapCheck(SSLService sSLService) {
        this.sslService = sSLService;
    }

    /**
     * Verifies that an enabled PKI realm has at least one SSL channel with
     * client authentication available.
     *
     * @param bootstrapContext context whose {@code settings} are inspected
     * @return success when no PKI realm is enabled or a usable channel exists,
     *         otherwise a failure carrying an explanatory message
     */
    @Override
    public BootstrapCheck.BootstrapCheckResult check(BootstrapContext bootstrapContext) {
        final Settings nodeSettings = bootstrapContext.settings;

        // Nothing to validate unless a PKI realm is configured and enabled.
        if (!hasEnabledPkiRealm(nodeSettings)) {
            return BootstrapCheck.BootstrapCheckResult.success();
        }

        // HTTP channel. The client-auth lookup is done unconditionally, in the
        // same order as the original, before the two flags are combined.
        final boolean httpSslEnabled = XPackSettings.HTTP_SSL_ENABLED.get(nodeSettings);
        final boolean httpClientAuth =
            this.sslService.isSSLClientAuthEnabled(SSLService.getHttpTransportSSLSettings(nodeSettings));
        if (httpSslEnabled && httpClientAuth) {
            return BootstrapCheck.BootstrapCheckResult.success();
        }

        // Default transport channel.
        final boolean transportSslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(nodeSettings);
        final Settings transportSslSettings = nodeSettings.getByPrefix(Security.setting("transport.ssl."));
        final boolean transportClientAuth = this.sslService.isSSLClientAuthEnabled(transportSslSettings);
        if (transportSslEnabled && transportClientAuth) {
            return BootstrapCheck.BootstrapCheckResult.success();
        }

        // Transport profiles: each profile's SSL settings are evaluated with the
        // default transport SSL settings passed as the second argument. Profiles
        // are only consulted when transport SSL itself is enabled.
        final boolean profileWithClientAuth = nodeSettings.getGroups("transport.profiles.")
            .values()
            .stream()
            .anyMatch(profile -> transportSslEnabled
                && this.sslService.isSSLClientAuthEnabled(
                    SecurityNetty4Transport.profileSslSettings(profile), transportSslSettings));
        if (profileWithClientAuth) {
            return BootstrapCheck.BootstrapCheckResult.success();
        }

        return BootstrapCheck.BootstrapCheckResult.failure(
            "a PKI realm is enabled but cannot be used as neither HTTP or Transport have SSL and client authentication enabled");
    }

    /**
     * Reports whether any realm group under {@link RealmSettings#PREFIX} has type
     * {@link PkiRealm#TYPE} and is enabled. A realm without an explicit
     * {@code enabled} setting is treated as enabled.
     */
    private static boolean hasEnabledPkiRealm(Settings nodeSettings) {
        for (Settings realm : nodeSettings.getGroups(RealmSettings.PREFIX).values()) {
            if (PkiRealm.TYPE.equals(realm.get("type")) && realm.getAsBoolean("enabled", true)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Always returns {@code true}.
     *
     * <p>NOTE(review): by the {@code BootstrapCheck} contract this is expected to
     * make the check binding even where bootstrap checks are otherwise not
     * enforced. Confirm against the interface of this version.
     */
    @Override
    public boolean alwaysEnforce() {
        return true;
    }
}
