package org.elasticsearch.xpack.security;

import java.util.Iterator;
import java.util.Map;
import org.elasticsearch.bootstrap.BootstrapCheck;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.authc.RealmSettings;
import org.elasticsearch.xpack.security.authc.pki.PkiRealm;
import org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport;
import org.elasticsearch.xpack.ssl.SSLService;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/elasticsearch/xpack/security/PkiRealmBootstrapCheck.class */
/**
 * Bootstrap check that flags a configuration in which a PKI realm is enabled but no
 * listener (HTTP, default transport, or any transport profile) reports SSL client
 * authentication as enabled.
 *
 * <p>Why it matters: per {@link #errorMessage()}, a PKI realm "cannot be used" unless SSL
 * with client authentication is enabled on HTTP or Transport, so an operator who believes
 * certificate-based login is active would otherwise be running with a realm that can never
 * authenticate anyone.
 *
 * <p>NOTE(review): this is decompiler (JADX) output; JADX reports the class and its
 * constructor were package-private in the original.
 */
public class PkiRealmBootstrapCheck implements BootstrapCheck {
    private final SSLService sslService;
    private final Settings settings;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Stores the two collaborators; nothing is evaluated until {@link #check()} runs.
     *
     * @param settings   settings from which realm, HTTP SSL and transport SSL values are read
     * @param sSLService service asked whether client authentication is enabled for a
     *                   given group of SSL settings
     */
    public PkiRealmBootstrapCheck(Settings settings, SSLService sSLService) {
        this.sslService = sSLService;
        this.settings = settings;
    }

    /**
     * Evaluates the PKI / client-authentication consistency rule.
     *
     * @return {@code true} when at least one enabled PKI realm is configured and none of
     *         the inspected listeners has SSL client authentication enabled (the condition
     *         described by {@link #errorMessage()}); {@code false} when no PKI realm is
     *         enabled or when any listener qualifies
     */
    public boolean check() {
        // A realm counts when its "type" equals PkiRealm.TYPE and "enabled" is true;
        // a realm that omits "enabled" is treated as enabled (default is true).
        boolean pkiRealmEnabled = this.settings.getGroups(RealmSettings.PREFIX).values().stream()
                .filter(realm -> PkiRealm.TYPE.equals(realm.get("type")))
                .anyMatch(realm -> realm.getAsBoolean("enabled", true));
        if (!pkiRealmEnabled) {
            // Nothing to verify without an enabled PKI realm.
            return false;
        }

        // HTTP: both the HTTP SSL switch and client authentication must be on.
        boolean httpSslEnabled = (Boolean) XPackSettings.HTTP_SSL_ENABLED.get(this.settings);
        Settings httpSslSettings = SSLService.getHttpTransportSSLSettings(this.settings);
        boolean httpClientAuth = this.sslService.isSSLClientAuthEnabled(httpSslSettings);
        if (httpSslEnabled && httpClientAuth) {
            return false;
        }

        // Default transport.
        // NOTE(review): unlike the HTTP branch, no separate "SSL enabled" flag is consulted
        // here or for the profiles below; only isSSLClientAuthEnabled is asked. Confirm that
        // SSLService cannot report client auth as enabled for a transport whose SSL is off,
        // otherwise this check would pass while the PKI realm still cannot receive
        // client certificates.
        Settings transportSslSettings = this.settings.getByPrefix(Security.setting("transport.ssl."));
        if (this.sslService.isSSLClientAuthEnabled(transportSslSettings)) {
            return false;
        }

        // Transport profiles: each profile's SSL settings are evaluated together with the
        // default transport SSL settings (passed as the second argument).
        for (Settings profile : this.settings.getGroups("transport.profiles.").values()) {
            Settings profileSslSettings = SecurityNetty4Transport.profileSslSettings(profile);
            if (this.sslService.isSSLClientAuthEnabled(profileSslSettings, transportSslSettings)) {
                return false;
            }
        }

        // PKI realm enabled, but no listener offers client authentication.
        return true;
    }

    /**
     * @return the fixed message describing the misconfiguration detected by {@link #check()}
     */
    public String errorMessage() {
        return "A PKI realm is enabled but cannot be used as neither HTTP or Transport have SSL and client authentication enabled";
    }

    /**
     * @return always {@code true}
     */
    // NOTE(review): presumably tells the bootstrap framework to apply this check even
    // where other checks are skipped; confirm against the BootstrapCheck contract.
    public boolean alwaysEnforce() {
        return true;
    }
}
