package com.huawei.es.security.plugin;

import com.google.common.collect.Lists;
import com.huawei.es.security.audit.AuditLog;
import com.huawei.es.security.audit.impl.AuditLogImpl;
import com.huawei.es.security.auth.bean.KerberosHttpServerTransportBean;
import com.huawei.es.security.auth.common.AuthConstants;
import com.huawei.es.security.auth.common.KerberosAuthenticationExecutor;
import com.huawei.es.security.auth.server.KerberosHttpServerTransport;
import com.huawei.es.security.auth.server.KerberosHttpServerTransport4Normal;
import com.huawei.es.security.auth.server.transport.KerberosNettyTransport;
import com.huawei.es.security.auth.server.transport.KerberosNettyTransport4Normal;
import com.huawei.es.security.auth.server.transport.KerberosTransportInterceptor;
import com.huawei.es.security.auth.server.transport.KerberosTransportInterceptor4Normal;
import com.huawei.es.security.auth.server.transport.actions.AuthenticateAction;
import com.huawei.es.security.auth.server.transport.actions.GetTokenAction;
import com.huawei.es.security.auth.server.transport.actions.ServerRealmAction;
import com.huawei.es.security.auth.server.transport.actions.TransportAuthenticateAction;
import com.huawei.es.security.auth.server.transport.actions.TransportGetTokenAction;
import com.huawei.es.security.auth.server.transport.actions.TransportServerRealmAction;
import com.huawei.es.security.auth.server.transport.authz.AuthorizationService;
import com.huawei.es.security.auth.server.transport.authz.PrivilegeHelper;
import com.huawei.es.security.auth.server.transport.bean.KerberosNettyTransport4NormalBean;
import com.huawei.es.security.auth.server.transport.filter.TransportNormalFilter;
import com.huawei.es.security.auth.server.transport.filter.TransportSecurityFilter;
import com.huawei.es.security.auth.server.transport.listener.SecurityIndexEventListener;
import com.huawei.es.security.auth.signer.Signer;
import com.huawei.es.security.auth.signer.ZKSignerSecretProvider;
import com.huawei.es.security.author.cache.CacheManager;
import com.huawei.es.security.author.handler.BulkSizeChecker;
import com.huawei.es.security.author.tool.Alias2IndexTurner;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.author.tool.AutoCreateIndexChecker;
import com.huawei.es.security.author.tool.GroupCacheTimeSetting;
import com.huawei.es.security.cluster.ClusterStateManager;
import com.huawei.es.security.index.SecurityIndexManager;
import com.huawei.es.security.ratelimiter.RateLimiterHandler;
import com.huawei.es.security.rest.EncryptPwdRestHandler;
import com.huawei.es.security.rest.GroupInfoRestHandler;
import com.huawei.es.security.rest.IndexOwnerRestHandler;
import com.huawei.es.security.rest.NodeHealthRestHandler;
import com.huawei.es.security.settings.CompatibilitySettings;
import com.huawei.es.security.ssl.HwSecurityConstants;
import com.huawei.es.security.ssl.HwSslKeyStore;
import com.huawei.es.security.ssl.HwSslKeyStoreImpl;
import com.huawei.es.security.util.ZkAclUtil;
import com.huawei.solr.security.author.bean.ManagerException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.framework.imps.DefaultACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.logging.log4j.Logger;
import org.apache.lucene.util.SetOnce;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.zookeeper.data.ACL;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.action.support.ActionFilter;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.node.DiscoveryNodes;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.component.Lifecycle;
import org.elasticsearch.common.component.LifecycleComponent;
import org.elasticsearch.common.component.LifecycleListener;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.IndexScopedSettings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.settings.SettingsFilter;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.common.xcontent.NamedXContentRegistry;
import org.elasticsearch.env.Environment;
import org.elasticsearch.env.NodeEnvironment;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.index.IndexModule;
import org.elasticsearch.indices.SystemIndexDescriptor;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.plugins.ActionPlugin;
import org.elasticsearch.plugins.NetworkPlugin;
import org.elasticsearch.plugins.Plugin;
import org.elasticsearch.plugins.SystemIndexPlugin;
import org.elasticsearch.repositories.RepositoriesService;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.script.ScriptService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.RemoteClusterService;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportInterceptor;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.watcher.ResourceWatcherService;

/* loaded from: input_file:com/huawei/es/security/plugin/KerberosPlugin.class */
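/**
 * Elasticsearch plugin entry point that wires the security layer into a node.
 *
 * <p>The node-scoped boolean {@code elasticsearch_security_enable} selects between two wirings:
 * <ul>
 *   <li>enabled: the Kerberos HTTP and transport implementations, {@link AuthorizationService},
 *       {@link TransportSecurityFilter}, the ZooKeeper clients and the ZooKeeper-backed
 *       {@link Signer};</li>
 *   <li>disabled: the {@code *4Normal} HTTP/transport implementations and
 *       {@link TransportNormalFilter} only.</li>
 * </ul>
 *
 * <p>Security note: the flag defaults to {@code false}, so a node whose configuration omits the
 * key starts without any of the authorization components created in
 * {@link #createComponents}. Deployments that rely on this plugin for access control should set
 * the key explicitly and check it at start-up.
 *
 * <p>The mode flags and the service/group names are static, i.e. process-wide, and are
 * overwritten every time the constructor runs.
 */
public class KerberosPlugin extends Plugin implements NetworkPlugin, ActionPlugin, SystemIndexPlugin {
    private static boolean restSslEnable;
    private static boolean transportSslEnable;
    private static final String NETTY_HTTP_FOR_NORMAL_TRANSPORT_NAME = "hw_httptransport_netty4_for_normal";
    private static final String NETTY_TRANSPORT_FOR_NORMAL_TRANSPORT_NAME = "hw_transport_netty4_for_normal";
    private static final String NETTY_HTTP_TRANSPORT_NAME = "hw_httptransport_netty4";
    private static final String NETTY_TRANSPORT_NAME = "hw_transport_netty4";
    private static String serviceName;
    private static String defaultGroupName;
    private static String supergroupName;
    private Settings settings;
    private final boolean isTransportClientMode;
    private Path configPath;
    private AuthorizationService authzService;
    private ClusterService clusterService;
    private AuditLog auditLog;
    private SolrZkClient zkClient;
    private String zkServer;
    private volatile TransportSecurityFilter transportSecurityFilter;
    private volatile TransportNormalFilter transportNormalFilter;
    private HwSslKeyStore hwSslKeyStore;
    private SecurityIndexManager securityIndexManager;
    // Initial value only; the constructor replaces it with the configured value (default false).
    private static boolean kerberosEnable = true;
    public static final CacheManager CACHE_MANAGER = new CacheManager();
    private static final Logger LOG = Loggers.getLogger(KerberosPlugin.class, "KerberosPlugin");
    private static final String ELASTICSEARCH_SECURITY_ENABLE = "elasticsearch_security_enable";
    private static final Setting<Boolean> SETTING_ELASTICSEARCH_SECURITY_ENABLE = Setting.boolSetting(ELASTICSEARCH_SECURITY_ENABLE, false, Setting.Property.NodeScope);
    private static final String ELASTICSEARCH_INDEXCHECK_ENABLE = "elasticsearch_indexcheck_enable";
    private static final Setting<Boolean> SETTING_ELASTICSEARCH_INDEXCHECK_ENABLE = Setting.boolSetting(ELASTICSEARCH_INDEXCHECK_ENABLE, false, Setting.Property.NodeScope);
    private static final Setting<Boolean> SETTING_ELASTICSEARCH_RANGER_AUTHORIZATION_ENABLE = Setting.boolSetting("elasticsearch.ranger.authorization.enable", true, Setting.Property.NodeScope);
    private static final Setting<String> PRIVDER_ZOOKEEPER_AUTH_TYPE = Setting.simpleString("signer.secret.provider.zookeeper.auth.type", Setting.Property.NodeScope);
    private static final String MUTI_SERVICE_NAME = "muti.cluster.service.name";
    private static final Setting<String> SETTING_MUTI_SERVICE_NAME = Setting.simpleString(MUTI_SERVICE_NAME, Setting.Property.NodeScope);
    private static final String MULTI_CLUSTER_SUPERGROUP_NAME = "multi.cluster.supergroup.name";
    private static final Setting<String> SETTING_MULTI_SUPERGROUP_NAME = Setting.simpleString(MULTI_CLUSTER_SUPERGROUP_NAME, Setting.Property.NodeScope);
    private static final String MUTI_GROUP_NAME = "muti.cluster.group.name";
    private static final Setting<String> SETTING_MUTI_GROUP_NAME = Setting.simpleString(MUTI_GROUP_NAME, Setting.Property.NodeScope);
    private static final Setting<String> ZOOKEEPER_URL = Setting.simpleString(AuthConstants.ZK_SERVER_ADDRESS_KEY, Setting.Property.NodeScope);
    private static final Setting<String> SIGNER_PROVIDER_ZOOKEEPER_PATH = Setting.simpleString("signer.secret.provider.zookeeper.path", Setting.Property.NodeScope);
    private static final Setting<String> AUTH_KERBEROS_KEYTAB_VALUE = Setting.simpleString("signer.secret.provider.zookeeper.kerberos.keytab", Setting.Property.NodeScope);
    private static final Setting<String> AUTH_KERBEROS_ZOOKEEPER_PRINCIPAL = Setting.simpleString("signer.secret.provider.zookeeper.kerberos.principal", Setting.Property.NodeScope);
    private static final Setting<String> TYPE_KEYTAB = Setting.simpleString(KerberosAuthenticationExecutor.KEYTAB, Setting.Property.NodeScope);
    private static final Setting<String> AUTH_TYPE = Setting.simpleString(AuthorityConstants.SECURITY_INDEX_FIELD_TYPE, Setting.Property.NodeScope);
    // NOTE(review): declared default is 3600, but createComponents() reads the same key with the
    // fallback "36000"; the two defaults disagree by a factor of ten. The minimum of 0 is also
    // accepted here; how the signer treats a zero validity is not visible in this file.
    private static final Setting<Long> TOKEN_VALIDITY = Setting.longSetting("token.validity", 3600, 0, Setting.Property.NodeScope);
    private static final Setting<String> CUSTOMIZED_AUTHORIZED_PATTERN2IMPLEMENTCLASSNAME_MAPPING = Setting.simpleString("customized.authorize.pattern2implementClassName.mapping", Setting.Property.NodeScope);
    private static final Setting<Boolean> AUTH_WITH_SECURITY_INFO_INDEX = Setting.boolSetting(AuthorityConstants.AUTH_WITH_SECURITY_INFO_INDEX, false, Setting.Property.NodeScope);
    public static final Setting<Boolean> STORE_SECURITY_INFO = Setting.boolSetting("store.security.info", true, Setting.Property.NodeScope);
    private final SetOnce<Signer> signer = new SetOnce<>();
    private int timeOut = 90000;
    private IndexNameExpressionResolver resolver = new IndexNameExpressionResolver(new ThreadContext(Settings.EMPTY));
    private final ClusterStateManager clusterStateManager = new ClusterStateManager();

    /**
     * Guice-instantiated holder that publishes the injected {@link RepositoriesService} and the
     * transport service's {@link RemoteClusterService} through static accessors.
     *
     * <p>All lifecycle methods are no-ops. The static fields stay {@code null} until Guice has
     * constructed an instance, and {@link KerberosPlugin#getGuiceServiceClasses()} only registers
     * this class when Kerberos is disabled or the plugin runs in transport-client mode.
     */
    public static class GuiceHolder implements LifecycleComponent {
        private static RepositoriesService repositoriesService;
        private static RemoteClusterService remoteClusterService;

        /**
         * Stores the injected services in the static fields.
         *
         * @param repositoriesService2 repositories service supplied by the injector
         * @param transportService transport service whose remote-cluster service is retained
         */
        @Inject
        public GuiceHolder(RepositoriesService repositoriesService2, TransportService transportService) {
            repositoriesService = repositoriesService2;
            remoteClusterService = transportService.getRemoteClusterService();
        }

        /** @return the service captured by the constructor, or {@code null} if none ran yet */
        public static RepositoriesService getRepositoriesService() {
            return repositoriesService;
        }

        /** @return the service captured by the constructor, or {@code null} if none ran yet */
        public static RemoteClusterService getRemoteClusterService() {
            return remoteClusterService;
        }

        public void close() {
        }

        // NOTE(review): returns null rather than a Lifecycle.State; any caller that dereferences
        // the state would fail. Kept as-is because callers are not visible here.
        public Lifecycle.State lifecycleState() {
            return null;
        }

        public void addLifecycleListener(LifecycleListener lifecycleListener) {
        }

        public void removeLifecycleListener(LifecycleListener lifecycleListener) {
        }

        public void start() {
        }

        public void stop() {
        }
    }

    /**
     * Curator ACL provider that returns one fixed ACL list, filled by
     * {@link ZkAclUtil#addSuperUserACLs} for {@link ZkAclUtil#SYSTEM_REALM}, for every path.
     *
     * <p>Decompiler note: JADX reports that this class was {@code private} in the original
     * bytecode and that it widened the access modifier.
     */
    public static class SASLOwnerACLProvider implements ACLProvider {
        private final List<ACL> saslACL;

        private SASLOwnerACLProvider() {
            this.saslACL = new ArrayList<>();
            ZkAclUtil.addSuperUserACLs(this.saslACL, ZkAclUtil.SYSTEM_REALM);
        }

        // Both accessors hand out the same mutable list instance; callers must not modify it.
        public List<ACL> getDefaultAcl() {
            return this.saslACL;
        }

        public List<ACL> getAclForPath(String str) {
            return this.saslACL;
        }
    }

    /** @return the process-wide value of {@code elasticsearch_security_enable} read by the last constructor call */
    public static boolean isKerberosEnable() {
        return kerberosEnable;
    }

    /** @return the process-wide HTTP SSL flag read by the last constructor call */
    public static boolean isRestSslEnable() {
        return restSslEnable;
    }

    /** @return the process-wide transport SSL flag read by the last constructor call */
    public static boolean isTransportSslEnable() {
        return transportSslEnable;
    }

    /**
     * Reads the mode flags and cluster naming settings into static state and, when Kerberos is
     * enabled, creates the SSL key store.
     *
     * @param settings node settings
     * @param path configuration directory handed to the key store and the authorization service
     */
    public KerberosPlugin(Settings settings, Path path) {
        this.settings = settings;
        this.configPath = path;
        kerberosEnable = settings.getAsBoolean(ELASTICSEARCH_SECURITY_ENABLE, false);
        restSslEnable = settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_HTTP_ENABLED, false);
        // NOTE(review): addSecurityTransportSslSettings() registers this key with default true,
        // while this read falls back to false, so isTransportSslEnable() reports false whenever
        // the key is absent. Confirm which default is intended.
        transportSslEnable = settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED, false);
        this.isTransportClientMode = "transport".equals(settings.get(Client.CLIENT_TYPE_SETTING_S.getKey()));
        serviceName = settings.get(MUTI_SERVICE_NAME);
        defaultGroupName = settings.get(MUTI_GROUP_NAME);
        supergroupName = settings.get(MULTI_CLUSTER_SUPERGROUP_NAME);
        LOG.info("The serviceNames is {}, the default group name is {},supergroup name is {}.", serviceName, defaultGroupName, supergroupName);
        if (isKerberosEnable()) {
            this.hwSslKeyStore = new HwSslKeyStoreImpl(settings, path);
        }
        CompatibilitySettings.initSettings(settings);
    }

    /** @return value of {@code muti.cluster.service.name}, or {@code null} when unset */
    public static String getServiceName() {
        return serviceName;
    }

    /** @return value of {@code muti.cluster.group.name}, or {@code null} when unset */
    public static String getDefaultGroupName() {
        return defaultGroupName;
    }

    /** @return value of {@code multi.cluster.supergroup.name}, or {@code null} when unset */
    public static String getSupergroupName() {
        return supergroupName;
    }

    /**
     * Lists every setting this plugin registers with the node and passes the same list to
     * {@link CompatibilitySettings#setSettings}.
     *
     * @return the registered settings, in registration order
     */
    public List<Setting<?>> getSettings() {
        ArrayList<Setting<?>> registered = new ArrayList<>();
        registered.add(SETTING_ELASTICSEARCH_SECURITY_ENABLE);
        registered.add(SETTING_ELASTICSEARCH_INDEXCHECK_ENABLE);
        registered.add(SETTING_ELASTICSEARCH_RANGER_AUTHORIZATION_ENABLE);
        registered.add(SETTING_MUTI_SERVICE_NAME);
        registered.add(SETTING_MULTI_SUPERGROUP_NAME);
        registered.add(SETTING_MUTI_GROUP_NAME);
        registered.add(PRIVDER_ZOOKEEPER_AUTH_TYPE);
        registered.add(ZOOKEEPER_URL);
        registered.add(SIGNER_PROVIDER_ZOOKEEPER_PATH);
        registered.add(AUTH_KERBEROS_KEYTAB_VALUE);
        registered.add(AUTH_KERBEROS_ZOOKEEPER_PRINCIPAL);
        registered.add(AUTH_TYPE);
        registered.add(AUTH_WITH_SECURITY_INFO_INDEX);
        registered.add(TOKEN_VALIDITY);
        registered.add(TYPE_KEYTAB);
        registered.add(CUSTOMIZED_AUTHORIZED_PATTERN2IMPLEMENTCLASSNAME_MAPPING);
        registered.add(BulkSizeChecker.BULK_SIZE_LIMIT);
        registered.add(RateLimiterHandler.RATE_LIMITER_SWITCH);
        registered.add(RateLimiterHandler.PERMITS_NODE_PER_SECOND);
        registered.add(RateLimiterHandler.PERMITS_CLIENT_PER_SECOND);
        // NOTE(review): the name suggests this switch relaxes token checking on the transport
        // layer; its semantics live in KerberosTransportInterceptor. Treat it as security
        // sensitive when auditing node configuration.
        registered.add(KerberosTransportInterceptor.SKIP_CHECK_TOKEN);
        registered.add(GroupCacheTimeSetting.GROUP_MAPPING_CACHE_TIMEOUT);
        registered.add(STORE_SECURITY_INFO);
        addSecurityHttpSslSettings(registered);
        addSecurityTransportSslSettings(registered);
        addKernelRemovedSettings(registered);
        CompatibilitySettings.setSettings(registered);
        return registered;
    }

    /** Registers four thread-pool keys as deprecated node settings (default 1, minimum 1). */
    private void addKernelRemovedSettings(List<Setting<?>> list) {
        list.add(Setting.intSetting("thread_pool.index.size", 1, 1, Setting.Property.NodeScope, Setting.Property.Deprecated));
        list.add(Setting.intSetting("thread_pool.index.queue_size", 1, 1, Setting.Property.NodeScope, Setting.Property.Deprecated));
        list.add(Setting.intSetting("thread_pool.bulk.size", 1, 1, Setting.Property.NodeScope, Setting.Property.Deprecated));
        list.add(Setting.intSetting("thread_pool.bulk.queue_size", 1, 1, Setting.Property.NodeScope, Setting.Property.Deprecated));
    }

    /**
     * Registers the HTTP-layer SSL settings. Everything except the protocol and cipher lists is
     * marked {@code Filtered}; the two lists are registered with {@code NodeScope} only.
     */
    private void addSecurityHttpSslSettings(List<Setting<?>> list) {
        list.add(Setting.boolSetting(HwSecurityConstants.SECURITY_SSL_HTTP_ENABLED, false, Setting.Property.NodeScope, Setting.Property.Filtered));
        list.add(Setting.listSetting(HwSecurityConstants.SECURITY_SSL_HTTP_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));
        list.add(Setting.listSetting(HwSecurityConstants.SECURITY_SSL_HTTP_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_PEMCERT_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_PEMKEY_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_TYPE));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_CONF));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_CONF));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_TYPE));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_TRUSTSTORE_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_HTTP_KEYSTORE_ALIAS));
    }

    /**
     * Registers the transport-layer SSL settings. Transport SSL and hostname verification are
     * both registered with default {@code true}; the protocol and cipher lists default to empty.
     */
    private void addSecurityTransportSslSettings(List<Setting<?>> list) {
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_TYPE));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_CONF));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_CONF));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_TYPE));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_TRUSTSTORE_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_KEYSTORE_ALIAS));
        list.add(Setting.boolSetting(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED, true, Setting.Property.NodeScope, Setting.Property.Filtered));
        list.add(Setting.listSetting(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_PROTOCOLS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));
        list.add(Setting.listSetting(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED_CIPHERS, Collections.emptyList(), Function.identity(), Setting.Property.NodeScope));
        list.add(Setting.boolSetting(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true, Setting.Property.NodeScope, Setting.Property.Filtered));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMCERT_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMKEY_FILEPATH));
        list.add(filteredNodeString(HwSecurityConstants.SECURITY_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH));
    }

    /** Builds a node-scoped string setting that is also marked {@code Filtered}. */
    private static Setting<String> filteredNodeString(String key) {
        return Setting.simpleString(key, Setting.Property.NodeScope, Setting.Property.Filtered);
    }

    /**
     * Selects the HTTP transport implementation for the current mode by setting
     * {@code http.type}.
     *
     * @return settings containing only {@code http.type}
     */
    public Settings additionalSettings() {
        Settings.Builder builder = Settings.builder();
        // NOTE(review): the decompiled original first wrote NETTY_TRANSPORT_NAME to "http.type"
        // and immediately overwrote it with NETTY_HTTP_TRANSPORT_NAME. The dead write is dropped
        // here; the resulting settings are identical. If that first write was meant for
        // "transport.type", nothing in this class selects the transports registered in
        // getTransports() - confirm against the deployed configuration.
        builder.put("http.type", isKerberosEnable() ? NETTY_HTTP_TRANSPORT_NAME : NETTY_HTTP_FOR_NORMAL_TRANSPORT_NAME);
        return builder.build();
    }

    /**
     * Registers exactly one HTTP transport supplier, keyed by the name that
     * {@link #additionalSettings()} puts into {@code http.type}.
     *
     * <p>The suppliers read {@code clusterService}, {@code zkClient}, {@code signer} and
     * {@code securityIndexManager} lazily, so they must only be invoked after
     * {@link #createComponents} has populated those fields.
     */
    public Map<String, Supplier<HttpServerTransport>> getHttpTransports(Settings settings, ThreadPool threadPool, BigArrays bigArrays, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedXContentRegistry namedXContentRegistry, NetworkService networkService, HttpServerTransport.Dispatcher dispatcher, ClusterSettings clusterSettings) {
        // Typed map: a lambda cannot be passed to the raw HashMap.put(Object, Object).
        Map<String, Supplier<HttpServerTransport>> transports = new HashMap<>(1);
        if (isKerberosEnable()) {
            LOG.info("Add SPNEGO netty transport HTTP.");
            transports.put(NETTY_HTTP_TRANSPORT_NAME, () -> new KerberosHttpServerTransport(this.hwSslKeyStore, this.zkClient, this.clusterStateManager, new KerberosHttpServerTransportBean(settings, networkService, bigArrays, threadPool, dispatcher, namedXContentRegistry, this.clusterService.getClusterSettings()), this.signer.get(), this.securityIndexManager));
        } else {
            LOG.info("Add SPNEGO netty transport HTTP for normal model.");
            transports.put(NETTY_HTTP_FOR_NORMAL_TRANSPORT_NAME, () -> new KerberosHttpServerTransport4Normal(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, this.clusterStateManager, this.clusterService.getClusterSettings()));
        }
        return transports;
    }

    /**
     * Registers exactly one node-to-node transport supplier for the current mode, or none in
     * transport-client mode.
     */
    public Map<String, Supplier<Transport>> getTransports(Settings settings, ThreadPool threadPool, PageCacheRecycler pageCacheRecycler, CircuitBreakerService circuitBreakerService, NamedWriteableRegistry namedWriteableRegistry, NetworkService networkService) {
        if (this.isTransportClientMode) {
            return Collections.emptyMap();
        }
        Map<String, Supplier<Transport>> transports = new HashMap<>(1);
        if (isKerberosEnable()) {
            transports.put(NETTY_TRANSPORT_NAME, () -> new KerberosNettyTransport(new KerberosNettyTransport4NormalBean(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService), this.hwSslKeyStore, this.zkClient, this.auditLog, this.clusterService, this.securityIndexManager));
        } else {
            transports.put(NETTY_TRANSPORT_FOR_NORMAL_TRANSPORT_NAME, () -> new KerberosNettyTransport4Normal(new KerberosNettyTransport4NormalBean(settings, Version.CURRENT, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService), this.clusterService));
        }
        return transports;
    }

    // NOTE(review): no-op; the SolrZkClient and the started CuratorFramework created in
    // createComponents() are not closed here. Whether another component owns their shutdown is
    // not visible in this file.
    public void close() {
    }

    /**
     * Creates the audit log and security index manager for both modes, then either the normal
     * action filter (security disabled) or the full authorization stack (security enabled).
     *
     * @return the components handed to the node: empty when security is disabled, otherwise the
     *     authorization service and the signer
     */
    public Collection<Object> createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry namedXContentRegistry, Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry, IndexNameExpressionResolver indexNameExpressionResolver, Supplier<RepositoriesService> supplier) {
        Alias2IndexTurner.setRpcClient(client);
        this.clusterService = clusterService;
        clusterService.addListener(this.clusterStateManager);
        Alias2IndexTurner.setClusterStateManager(this.clusterStateManager);
        List<Object> components = new ArrayList<>();
        this.auditLog = new AuditLogImpl(this.settings, threadPool, this.resolver, clusterService);
        this.securityIndexManager = new SecurityIndexManager(client, clusterService);
        clusterService.addListener(this.securityIndexManager);
        if (!isKerberosEnable()) {
            // Security disabled: no authorization service, security filter or signer is created.
            this.transportNormalFilter = new TransportNormalFilter(threadPool.getThreadContext(), this.resolver, this.auditLog);
            return components;
        }
        initZkClient();
        this.authzService = new AuthorizationService(threadPool, this.settings, this.configPath, new PrivilegeHelper(clusterService, threadPool.getThreadContext(), this.securityIndexManager, this.zkClient, this.auditLog), this.auditLog);
        this.transportSecurityFilter = new TransportSecurityFilter(threadPool, this.authzService);
        components.add(this.authzService);
        GroupCacheTimeSetting.init(this.settings, clusterService.getClusterSettings());
        // NOTE(review): fallback here is "36000" while the registered TOKEN_VALIDITY setting
        // declares 3600; an unset key therefore yields the longer lifetime. Presumably seconds
        // converted to milliseconds - confirm the intended default and unit.
        long tokenValidity = Long.parseLong(this.settings.get("token.validity", "36000")) * 1000;
        ZKSignerSecretProvider secretProvider = new ZKSignerSecretProvider(this.settings, tokenValidity, createCuratorClient(this.settings));
        secretProvider.init(tokenValidity);
        Signer tokenSigner = new Signer(secretProvider);
        this.signer.set(tokenSigner);
        components.add(tokenSigner);
        return components;
    }

    /**
     * Builds and starts the Curator client handed to the signer secret provider.
     *
     * <p>Security note: unless {@code signer.secret.provider.zookeeper.auth.type} equals
     * {@link ZkAclUtil#ACL_SCHEMA_SASL}, Curator's {@link DefaultACLProvider} is used, which
     * applies ZooKeeper's world-open ACL to znodes created through this client. Any ZooKeeper
     * client that can reach the ensemble could then read or replace what the secret provider
     * stores there. The fallback value of that setting is {@code "none"}, so the open mode is
     * the default; it is logged at WARN so that it is visible in production logs.
     *
     * @param settings node settings supplying the connect string, auth type and timeouts
     * @return a started Curator client
     * @throws IllegalArgumentException if a timeout setting is not a valid integer
     */
    protected CuratorFramework createCuratorClient(Settings settings) throws SecurityException, NullPointerException, IllegalArgumentException {
        String connectString = settings.get(AuthConstants.ZK_SERVER_ADDRESS_KEY, "localhost:2181");
        ExponentialBackoffRetry retryPolicy = new ExponentialBackoffRetry(1000, 3);
        // Declared as the interface: the decompiler typed this local as SASLOwnerACLProvider,
        // which cannot hold a DefaultACLProvider.
        ACLProvider aclProvider;
        if (ZkAclUtil.ACL_SCHEMA_SASL.equals(settings.get("signer.secret.provider.zookeeper.auth.type", "none"))) {
            aclProvider = new SASLOwnerACLProvider();
        } else {
            LOG.warn("Connecting to ZooKeeper without authentication");
            aclProvider = new DefaultACLProvider();
        }
        int sessionTimeoutMs = Integer.parseInt(settings.get("signer.secret.provider.zookeeper.session.timeout", "60000"));
        int connectionTimeoutMs = Integer.parseInt(settings.get("signer.secret.provider.zookeeper.connect.timeout", "30000"));
        CuratorFramework curator = CuratorFrameworkFactory.builder()
            .connectString(connectString)
            .retryPolicy(retryPolicy)
            .aclProvider(aclProvider)
            .sessionTimeoutMs(sessionTimeoutMs)
            .connectionTimeoutMs(connectionTimeoutMs)
            .build();
        curator.start();
        return curator;
    }

    /**
     * Supplies the transport interceptor for the current mode; none in transport-client mode.
     *
     * @throws ElasticsearchException if the Kerberos interceptor cannot be constructed; the
     *     original failure is attached as the cause
     */
    public List<TransportInterceptor> getTransportInterceptors(NamedWriteableRegistry namedWriteableRegistry, ThreadContext threadContext) {
        if (this.isTransportClientMode) {
            return Collections.emptyList();
        }
        List<TransportInterceptor> interceptors = new ArrayList<>(1);
        if (isKerberosEnable()) {
            try {
                interceptors.add(new KerberosTransportInterceptor(this.settings, threadContext, this.clusterService, this.auditLog, this.signer.get()));
            } catch (Exception e) {
                // Keep the cause: without it a start-up failure of the security interceptor
                // cannot be diagnosed from the logs.
                throw new ElasticsearchException("Unable to generate KerberosTransportInterceptor.", e);
            }
        } else {
            interceptors.add(new KerberosTransportInterceptor4Normal(threadContext, this.clusterService));
        }
        return interceptors;
    }

    /**
     * Registers the plugin's REST handlers.
     *
     * <p>NOTE(review): all four handlers are registered regardless of
     * {@link #isKerberosEnable()}; whether each one performs its own access check is decided
     * inside the handler classes and is not visible here.
     */
    public List<RestHandler> getRestHandlers(Settings settings, RestController restController, ClusterSettings clusterSettings, IndexScopedSettings indexScopedSettings, SettingsFilter settingsFilter, IndexNameExpressionResolver indexNameExpressionResolver, Supplier<DiscoveryNodes> supplier) {
        List<RestHandler> handlers = Lists.newArrayList();
        handlers.add(new GroupInfoRestHandler());
        handlers.add(new IndexOwnerRestHandler());
        handlers.add(new NodeHealthRestHandler(this.clusterStateManager));
        handlers.add(new EncryptPwdRestHandler());
        return handlers;
    }

    /** Attaches the security index event listener when security is enabled on a node (not a transport client). */
    public void onIndexModule(IndexModule indexModule) {
        if (!isKerberosEnable() || this.isTransportClientMode) {
            return;
        }
        indexModule.addIndexEventListener(new SecurityIndexEventListener(this.auditLog, this.clusterService));
    }

    /** Declares {@link SecurityIndexManager#SECURITY_INDEX} as a system index. */
    public Collection<SystemIndexDescriptor> getSystemIndexDescriptors(Settings settings) {
        return Collections.singletonList(new SystemIndexDescriptor(SecurityIndexManager.SECURITY_INDEX, "System indices for security."));
    }

    /**
     * Returns the action filter for the current mode: the security filter when Kerberos is
     * enabled on a node, the normal filter when Kerberos is disabled, and nothing when Kerberos
     * is enabled in transport-client mode.
     */
    public List<ActionFilter> getActionFilters() {
        List<ActionFilter> filters = new ArrayList<>(1);
        if (isKerberosEnable() && !this.isTransportClientMode) {
            filters.add(this.transportSecurityFilter);
        }
        if (!isKerberosEnable()) {
            filters.add(this.transportNormalFilter);
        }
        return filters;
    }

    /**
     * Lists the lifecycle components Guice should instantiate: always
     * {@link AutoCreateIndexChecker}, plus {@link GuiceHolder} when Kerberos is disabled or the
     * plugin runs in transport-client mode.
     */
    public Collection<Class<? extends LifecycleComponent>> getGuiceServiceClasses() {
        List<Class<? extends LifecycleComponent>> services = new ArrayList<>(2);
        services.add(AutoCreateIndexChecker.class);
        if (!isKerberosEnable() || this.isTransportClientMode) {
            services.add(GuiceHolder.class);
        }
        return services;
    }

    /**
     * Resolves the ZooKeeper address (node setting first, then the system property named by
     * {@link AuthConstants#ZK_HOST}) and the client timeout.
     *
     * @throws IllegalArgumentException if the setting is absent and the system property is
     *     absent or empty
     */
    private void setParameter() {
        this.zkServer = this.settings.get(AuthConstants.ZK_SERVER_ADDRESS_KEY);
        // Only a missing setting triggers the fallback; an empty setting value is used as-is.
        if (null == this.zkServer) {
            this.zkServer = System.getProperty(AuthConstants.ZK_HOST);
            if (null == this.zkServer || this.zkServer.isEmpty()) {
                throw new IllegalArgumentException("zkHost:" + this.zkServer + " is illegal.");
            }
        }
        this.timeOut = Integer.parseInt(this.settings.get(AuthConstants.ZK_CLIENT_TIMEOUT_KEY, AuthConstants.ZK_CLIENT_TIMEOUT_DEFAULT));
    }

    /**
     * Creates the Solr ZooKeeper client and initialises the shared {@link #CACHE_MANAGER} with it.
     *
     * @throws ElasticsearchException if client creation or cache initialisation fails; the
     *     {@link ManagerException} is attached as the cause
     */
    private void initZkClient() throws ElasticsearchException {
        try {
            setParameter();
            try {
                this.zkClient = ZkAclUtil.createSolrZkClient(this.zkServer, this.timeOut);
                CACHE_MANAGER.init(this.zkClient, this.settings, this.securityIndexManager);
                LOG.info("init authorization handler success.");
            } catch (ManagerException e) {
                LOG.error("start authorization handler failed.");
                throw new ManagerException(e);
            }
        } catch (ManagerException e2) {
            LOG.error("failed to init initZkClient because : ", e2);
            // Propagate the cause so the failure reason survives beyond this log line.
            throw new ElasticsearchException("Unable to init zookeeper client.", e2);
        }
    }

    /**
     * Registers the realm, token and authenticate transport actions when security is enabled.
     *
     * @return the three action handlers, or an empty list when security is disabled
     */
    public List<ActionPlugin.ActionHandler<? extends ActionRequest, ? extends ActionResponse>> getActions() {
        if (!isKerberosEnable()) {
            return Collections.emptyList();
        }
        return Arrays.asList(
            new ActionPlugin.ActionHandler<>(ServerRealmAction.INSTANCE, TransportServerRealmAction.class),
            new ActionPlugin.ActionHandler<>(GetTokenAction.INSTANCE, TransportGetTokenAction.class),
            new ActionPlugin.ActionHandler<>(AuthenticateAction.INSTANCE, TransportAuthenticateAction.class));
    }
}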
