package org.apache.solr.cli;

import java.io.Console;
import java.io.File;
import java.io.IOException;
import java.io.PrintStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.lucene.util.Constants;
import org.apache.solr.common.cloud.SolrZkClient;
import org.apache.solr.common.util.StrUtils;
import org.apache.solr.core.CoreDescriptor;
import org.apache.solr.search.join.CrossCollectionJoinQParser;
import org.apache.solr.security.BasicAuthPlugin;
import org.apache.solr.security.Sha256AuthenticationProvider;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.data.Stat;

/* loaded from: input_file:org/apache/solr/cli/AuthTool.class */
public class AuthTool extends ToolBase {
    List<String> authenticationVariables;
    static final /* synthetic */ boolean $assertionsDisabled;

    public AuthTool() {
        this(CLIO.getOutStream());
    }

    public AuthTool(PrintStream printStream) {
        super(printStream);
        this.authenticationVariables = Arrays.asList("SOLR_AUTHENTICATION_CLIENT_BUILDER", "SOLR_AUTH_TYPE", "SOLR_AUTHENTICATION_OPTS");
    }

    @Override // org.apache.solr.cli.Tool
    public String getName() {
        return "auth";
    }

    @Override // org.apache.solr.cli.Tool
    public List<Option> getOptions() {
        return List.of((Object[]) new Option[]{Option.builder("type").argName("type").hasArg().desc("The authentication mechanism to enable (basicAuth or kerberos). Defaults to 'basicAuth'.").build(), Option.builder("credentials").argName("credentials").hasArg().desc("Credentials in the format username:password. Example: -credentials solr:SolrRocks").build(), Option.builder("prompt").argName("prompt").hasArg().desc("Prompts the user to provide the credentials. Use either -credentials or -prompt, not both.").build(), Option.builder(CoreDescriptor.CORE_CONFIG).argName(CoreDescriptor.CORE_CONFIG).hasArgs().desc("Configuration parameters (Solr startup parameters). Required for Kerberos authentication.").build(), Option.builder(BasicAuthPlugin.PROPERTY_BLOCK_UNKNOWN).argName(BasicAuthPlugin.PROPERTY_BLOCK_UNKNOWN).desc("Blocks all access for unknown users (requires authentication for all endpoints).").hasArg().build(), Option.builder("solrIncludeFile").argName("solrIncludeFile").hasArg().desc("The Solr include file which contains overridable environment variables for configuring Solr configurations.").build(), Option.builder("updateIncludeFileOnly").argName("updateIncludeFileOnly").desc("Only update the solr.in.sh or solr.in.cmd file, and skip actual enabling/disabling authentication (i.e. don't update security.json).").hasArg().build(), Option.builder("authConfDir").argName("authConfDir").hasArg().required().desc("This is where any authentication related configuration files, if any, would be placed.").build(), Option.builder(CrossCollectionJoinQParser.SOLR_URL).argName(CrossCollectionJoinQParser.SOLR_URL).hasArg().desc("Solr URL.").build(), Option.builder("zkHost").argName("zkHost").hasArg().desc("ZooKeeper host to connect to.").build(), SolrCLI.OPTION_VERBOSE});
    }

    private void ensureArgumentIsValidBooleanIfPresent(CommandLine commandLine, String str) {
        if (commandLine.hasOption(str)) {
            String optionValue = commandLine.getOptionValue(str);
            if ("true".equalsIgnoreCase(optionValue) || "false".equalsIgnoreCase(optionValue)) {
                return;
            }
            echo("Argument [" + str + "] must be either true or false, but was [" + optionValue + "]");
            SolrCLI.exit(1);
        }
    }

    @Override // org.apache.solr.cli.ToolBase, org.apache.solr.cli.Tool
    public int runTool(CommandLine commandLine) throws Exception {
        SolrCLI.raiseLogLevelUnlessVerbose(commandLine);
        if (commandLine.getOptions().length == 0 || commandLine.getArgs().length == 0 || commandLine.getArgs().length > 1 || commandLine.hasOption("h")) {
            new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", SolrCLI.getToolOptions(this));
            return 1;
        }
        ensureArgumentIsValidBooleanIfPresent(commandLine, BasicAuthPlugin.PROPERTY_BLOCK_UNKNOWN);
        ensureArgumentIsValidBooleanIfPresent(commandLine, "updateIncludeFileOnly");
        String optionValue = commandLine.getOptionValue("type", "basicAuth");
        boolean z = -1;
        switch (optionValue.hashCode()) {
            case -1699717386:
                if (optionValue.equals("basicAuth")) {
                    z = false;
                    break;
                }
                break;
            case 303053659:
                if (optionValue.equals("kerberos")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return handleBasicAuth(commandLine);
            case true:
                return handleKerberos(commandLine);
            default:
                CLIO.out("Only type=basicAuth or kerberos supported at the moment.");
                SolrCLI.exit(1);
                return 1;
        }
    }

    private int handleKerberos(CommandLine commandLine) throws Exception {
        SolrZkClient build;
        String str = commandLine.getArgs()[0];
        boolean parseBoolean = Boolean.parseBoolean(commandLine.getOptionValue("updateIncludeFileOnly", "false"));
        boolean z = -1;
        switch (str.hashCode()) {
            case -1298848381:
                if (str.equals("enable")) {
                    z = false;
                    break;
                }
                break;
            case 1671308008:
                if (str.equals("disable")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                String str2 = null;
                boolean z2 = false;
                if (!parseBoolean) {
                    try {
                        str2 = SolrCLI.getZkHost(commandLine);
                    } catch (Exception e) {
                        CLIO.out("Unable to access ZooKeeper. Please add the following security.json to ZooKeeper (in case of SolrCloud):\n" + "{\n  \"authentication\":{\n   \"class\":\"solr.KerberosPlugin\"\n  }\n}" + "\n");
                        z2 = true;
                    }
                    if (str2 == null && !z2) {
                        CLIO.out("Unable to access ZooKeeper. Please add the following security.json to ZooKeeper (in case of SolrCloud):\n" + "{\n  \"authentication\":{\n   \"class\":\"solr.KerberosPlugin\"\n  }\n}" + "\n");
                        z2 = true;
                    }
                    if (!z2) {
                        try {
                            build = new SolrZkClient.Builder().withUrl(str2).withTimeout(10000, TimeUnit.MILLISECONDS).build();
                            try {
                                checkSecurityJsonExists(build);
                                if (build != null) {
                                    build.close();
                                }
                            } finally {
                            }
                        } catch (Exception e2) {
                            CLIO.out("Unable to access ZooKeeper. Please add the following security.json to ZooKeeper (in case of SolrCloud):\n" + "{\n  \"authentication\":{\n   \"class\":\"solr.KerberosPlugin\"\n  }\n}" + "\n");
                            z2 = true;
                        }
                    }
                }
                if (!parseBoolean && !z2) {
                    echoIfVerbose("Uploading following security.json: " + "{\n  \"authentication\":{\n   \"class\":\"solr.KerberosPlugin\"\n  }\n}", commandLine);
                    try {
                        build = new SolrZkClient.Builder().withUrl(str2).withTimeout(10000, TimeUnit.MILLISECONDS).build();
                        try {
                            build.setData("/security.json", "{\n  \"authentication\":{\n   \"class\":\"solr.KerberosPlugin\"\n  }\n}".getBytes(StandardCharsets.UTF_8), true);
                            if (build != null) {
                                build.close();
                            }
                        } finally {
                        }
                    } catch (Exception e3) {
                        CLIO.out("Unable to access ZooKeeper. Please add the following security.json to ZooKeeper (in case of SolrCloud):\n" + "{\n  \"authentication\":{\n   \"class\":\"solr.KerberosPlugin\"\n  }\n}");
                    }
                }
                String replace = new String(Base64.getDecoder().decode(StrUtils.join(Arrays.asList(commandLine.getOptionValues(CoreDescriptor.CORE_CONFIG)), ' ').replace(" ", "").getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8).replace("\n", "").replace("\r", "");
                String optionValue = commandLine.getOptionValue("solrIncludeFile");
                File file = new File(optionValue);
                if (!file.exists() || !file.canWrite()) {
                    CLIO.out("Solr include file " + optionValue + " doesn't exist or is not writeable.");
                    printAuthEnablingInstructions(replace);
                    System.exit(0);
                }
                updateIncludeFileEnableAuth(file.toPath(), null, replace, commandLine);
                echo("Successfully enabled Kerberos authentication; please restart any running Solr nodes.");
                return 0;
            case true:
                clearSecurityJson(commandLine, parseBoolean);
                String optionValue2 = commandLine.getOptionValue("solrIncludeFile");
                File file2 = new File(optionValue2);
                if (!file2.exists() || !file2.canWrite()) {
                    CLIO.out("Solr include file " + optionValue2 + " doesn't exist or is not writeable.");
                    CLIO.out("Security has been disabled. Please remove any SOLR_AUTH_TYPE or SOLR_AUTHENTICATION_OPTS configuration from solr.in.sh/solr.in.cmd.\n");
                    System.exit(0);
                }
                updateIncludeFileDisableAuth(file2.toPath(), commandLine);
                return 0;
            default:
                CLIO.out("Valid auth commands are: enable, disable.");
                SolrCLI.exit(1);
                CLIO.out("Options not understood.");
                new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", SolrCLI.getToolOptions(this));
                return 1;
        }
    }

    private int handleBasicAuth(CommandLine commandLine) throws Exception {
        SolrZkClient build;
        String trim;
        String str;
        String str2 = commandLine.getArgs()[0];
        boolean parseBoolean = Boolean.parseBoolean(commandLine.getOptionValue("prompt", "false"));
        boolean parseBoolean2 = Boolean.parseBoolean(commandLine.getOptionValue("updateIncludeFileOnly", "false"));
        boolean z = -1;
        switch (str2.hashCode()) {
            case -1298848381:
                if (str2.equals("enable")) {
                    z = false;
                    break;
                }
                break;
            case 1671308008:
                if (str2.equals("disable")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (!parseBoolean && !commandLine.hasOption("credentials")) {
                    CLIO.out("Option -credentials or -prompt is required with enable.");
                    new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", SolrCLI.getToolOptions(this));
                    SolrCLI.exit(1);
                } else if (!parseBoolean && (commandLine.getOptionValue("credentials") == null || !commandLine.getOptionValue("credentials").contains(":"))) {
                    CLIO.out("Option -credentials is not in correct format.");
                    new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", SolrCLI.getToolOptions(this));
                    SolrCLI.exit(1);
                }
                String str3 = null;
                if (!parseBoolean2) {
                    try {
                        str3 = SolrCLI.getZkHost(commandLine);
                    } catch (Exception e) {
                        if (commandLine.hasOption("zkHost")) {
                            CLIO.out("Couldn't get ZooKeeper host. Please make sure that ZooKeeper is running and the correct zkHost has been passed in.");
                        } else {
                            CLIO.out("Couldn't get ZooKeeper host. Please make sure Solr is running in cloud mode, or a zkHost has been passed in.");
                        }
                        SolrCLI.exit(1);
                    }
                    if (str3 == null) {
                        if (commandLine.hasOption("zkHost")) {
                            CLIO.out("Couldn't get ZooKeeper host. Please make sure that ZooKeeper is running and the correct zkHost has been passed in.");
                        } else {
                            CLIO.out("Couldn't get ZooKeeper host. Please make sure Solr is running in cloud mode, or a zkHost has been passed in.");
                        }
                        SolrCLI.exit(1);
                    }
                    build = new SolrZkClient.Builder().withUrl(str3).withTimeout(10000, TimeUnit.MILLISECONDS).build();
                    try {
                        checkSecurityJsonExists(build);
                        if (build != null) {
                            build.close();
                        }
                    } finally {
                    }
                }
                if (commandLine.hasOption("credentials")) {
                    String optionValue = commandLine.getOptionValue("credentials");
                    trim = optionValue.split(":")[0];
                    str = optionValue.split(":")[1];
                } else {
                    Console console = System.console();
                    while (true) {
                        String readLine = console.readLine("Enter username: ", new Object[0]);
                        if (readLine != null && readLine.trim().length() != 0) {
                            trim = readLine.trim();
                            do {
                                str = new String(console.readPassword("Enter password: ", new Object[0]));
                            } while (str.length() == 0);
                        }
                    }
                }
                String str4 = "{\n  \"authentication\":{\n   \"blockUnknown\": " + Boolean.parseBoolean(commandLine.getOptionValue(BasicAuthPlugin.PROPERTY_BLOCK_UNKNOWN, "true")) + ",\n   \"class\":\"solr.BasicAuthPlugin\",\n   \"credentials\":{\"" + trim + "\":\"" + Sha256AuthenticationProvider.getSaltedHashedValue(str) + "\"}\n  },\n  \"authorization\":{\n   \"class\":\"solr.RuleBasedAuthorizationPlugin\",\n   \"permissions\":[\n {\"name\":\"security-edit\", \"role\":\"admin\"},\n {\"name\":\"security-read\", \"role\":\"admin\"},\n {\"name\":\"config-edit\", \"role\":\"admin\"},\n {\"name\":\"config-read\", \"role\":\"admin\"},\n {\"name\":\"collection-admin-edit\", \"role\":\"admin\"},\n {\"name\":\"collection-admin-read\", \"role\":\"admin\"},\n {\"name\":\"core-admin-edit\", \"role\":\"admin\"},\n {\"name\":\"core-admin-read\", \"role\":\"admin\"},\n {\"name\":\"all\", \"role\":\"admin\"}\n   ],\n   \"user-role\":{\"" + trim + "\":\"admin\"}\n  }\n}";
                if (!parseBoolean2) {
                    echoIfVerbose("Uploading following security.json: " + str4, commandLine);
                    build = new SolrZkClient.Builder().withUrl(str3).withTimeout(10000, TimeUnit.MILLISECONDS).build();
                    try {
                        build.setData("/security.json", str4.getBytes(StandardCharsets.UTF_8), true);
                        if (build != null) {
                            build.close();
                        }
                    } finally {
                    }
                }
                String optionValue2 = commandLine.getOptionValue("solrIncludeFile");
                File file = new File(optionValue2);
                if (!file.exists() || !file.canWrite()) {
                    CLIO.out("Solr include file " + optionValue2 + " doesn't exist or is not writeable.");
                    printAuthEnablingInstructions(trim, str);
                    System.exit(0);
                }
                File file2 = new File(commandLine.getOptionValue("authConfDir") + File.separator + "basicAuth.conf");
                if (!file2.getParentFile().canWrite()) {
                    CLIO.out("Cannot write to file: " + file2.getAbsolutePath());
                    printAuthEnablingInstructions(trim, str);
                    System.exit(0);
                }
                Files.writeString(file2.toPath(), "httpBasicAuthUser=" + trim + "\nhttpBasicAuthPassword=" + str, StandardCharsets.UTF_8, new OpenOption[0]);
                updateIncludeFileEnableAuth(file.toPath(), file2.getAbsolutePath(), null, commandLine);
                echo(String.format(Locale.ROOT, "Successfully enabled basic auth with username [%s] and password [%s].", trim, str));
                return 0;
            case true:
                clearSecurityJson(commandLine, parseBoolean2);
                String optionValue3 = commandLine.getOptionValue("solrIncludeFile");
                File file3 = new File(optionValue3);
                if (!file3.exists() || !file3.canWrite()) {
                    CLIO.out("Solr include file " + optionValue3 + " doesn't exist or is not writeable.");
                    CLIO.out("Security has been disabled. Please remove any SOLR_AUTH_TYPE or SOLR_AUTHENTICATION_OPTS configuration from solr.in.sh/solr.in.cmd.\n");
                    System.exit(0);
                }
                updateIncludeFileDisableAuth(file3.toPath(), commandLine);
                return 0;
            default:
                CLIO.out("Valid auth commands are: enable, disable.");
                SolrCLI.exit(1);
                CLIO.out("Options not understood.");
                new HelpFormatter().printHelp("bin/solr auth <enable|disable> [OPTIONS]", SolrCLI.getToolOptions(this));
                return 1;
        }
    }

    private void checkSecurityJsonExists(SolrZkClient solrZkClient) throws KeeperException, InterruptedException {
        if (solrZkClient.exists("/security.json", true).booleanValue()) {
            byte[] data = solrZkClient.getData("/security.json", (Watcher) null, (Stat) null, true);
            if ("{}".equals(new String(data, StandardCharsets.UTF_8).trim())) {
                return;
            }
            CLIO.out("Security is already enabled. You can disable it with 'bin/solr auth disable'. Existing security.json: \n" + new String(data, StandardCharsets.UTF_8));
            SolrCLI.exit(1);
        }
    }

    private void clearSecurityJson(CommandLine commandLine, boolean z) throws Exception {
        if (z) {
            return;
        }
        String zkHost = SolrCLI.getZkHost(commandLine);
        if (zkHost == null) {
            this.stdout.print("ZK Host not found. Solr should be running in cloud mode.");
            SolrCLI.exit(1);
        }
        echoIfVerbose("Uploading following security.json: {}", commandLine);
        SolrZkClient build = new SolrZkClient.Builder().withUrl(zkHost).withTimeout(10000, TimeUnit.MILLISECONDS).build();
        try {
            build.setData("/security.json", "{}".getBytes(StandardCharsets.UTF_8), true);
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void printAuthEnablingInstructions(String str, String str2) {
        if (Constants.WINDOWS) {
            CLIO.out("\nAdd the following lines to the solr.in.cmd file so that the solr.cmd script can use subsequently.\n");
            CLIO.out("set SOLR_AUTH_TYPE=basic\nset SOLR_AUTHENTICATION_OPTS=\"-Dbasicauth=" + str + ":" + str2 + "\"\n");
        } else {
            CLIO.out("\nAdd the following lines to the solr.in.sh file so that the ./solr script can use subsequently.\n");
            CLIO.out("SOLR_AUTH_TYPE=\"basic\"\nSOLR_AUTHENTICATION_OPTS=\"-Dbasicauth=" + str + ":" + str2 + "\"\n");
        }
    }

    private void printAuthEnablingInstructions(String str) {
        if (Constants.WINDOWS) {
            CLIO.out("\nAdd the following lines to the solr.in.cmd file so that the solr.cmd script can use subsequently.\n");
            CLIO.out("set SOLR_AUTH_TYPE=kerberos\nset SOLR_AUTHENTICATION_OPTS=\"" + str + "\"\n");
        } else {
            CLIO.out("\nAdd the following lines to the solr.in.sh file so that the ./solr script can use subsequently.\n");
            CLIO.out("SOLR_AUTH_TYPE=\"kerberos\"\nSOLR_AUTHENTICATION_OPTS=\"" + str + "\"\n");
        }
    }

    private void updateIncludeFileEnableAuth(Path path, String str, String str2, CommandLine commandLine) throws IOException {
        if (!$assertionsDisabled && str != null && str2 != null) {
            throw new AssertionError();
        }
        List<String> readAllLines = Files.readAllLines(path, StandardCharsets.UTF_8);
        for (int i = 0; i < readAllLines.size(); i++) {
            String str3 = readAllLines.get(i);
            if (this.authenticationVariables.contains(str3.trim().split("=")[0].trim())) {
                readAllLines.set(i, "# " + str3);
            }
            if (str3.trim().split("=")[0].trim().startsWith("set ") && this.authenticationVariables.contains(str3.trim().split("=")[0].trim().substring(4))) {
                readAllLines.set(i, "REM " + str3);
            }
        }
        readAllLines.add("");
        if (str != null) {
            if (Constants.WINDOWS) {
                readAllLines.add("REM The following lines added by solr.cmd for enabling BasicAuth");
                readAllLines.add("set SOLR_AUTH_TYPE=basic");
                readAllLines.add("set SOLR_AUTHENTICATION_OPTS=\"-Dsolr.httpclient.config=" + str + "\"");
            } else {
                readAllLines.add("# The following lines added by ./solr for enabling BasicAuth");
                readAllLines.add("SOLR_AUTH_TYPE=\"basic\"");
                readAllLines.add("SOLR_AUTHENTICATION_OPTS=\"-Dsolr.httpclient.config=" + str + "\"");
            }
        } else if (Constants.WINDOWS) {
            readAllLines.add("REM The following lines added by solr.cmd for enabling BasicAuth");
            readAllLines.add("set SOLR_AUTH_TYPE=kerberos");
            readAllLines.add("set SOLR_AUTHENTICATION_OPTS=\"-Dsolr.httpclient.config=" + str + "\"");
        } else {
            readAllLines.add("# The following lines added by ./solr for enabling BasicAuth");
            readAllLines.add("SOLR_AUTH_TYPE=\"kerberos\"");
            readAllLines.add("SOLR_AUTHENTICATION_OPTS=\"" + str2 + "\"");
        }
        Files.writeString(path, (String) readAllLines.stream().collect(Collectors.joining(System.lineSeparator())), StandardCharsets.UTF_8, new OpenOption[0]);
        if (str != null) {
            echoIfVerbose("Written out credentials file: " + str, commandLine);
        }
        echoIfVerbose("Updated Solr include file: " + path.toAbsolutePath(), commandLine);
    }

    private void updateIncludeFileDisableAuth(Path path, CommandLine commandLine) throws IOException {
        List<String> readAllLines = Files.readAllLines(path, StandardCharsets.UTF_8);
        boolean z = false;
        for (int i = 0; i < readAllLines.size(); i++) {
            String str = readAllLines.get(i);
            if (this.authenticationVariables.contains(str.trim().split("=")[0].trim())) {
                readAllLines.set(i, "# " + str);
                z = true;
            }
            if (str.trim().split("=")[0].trim().startsWith("set ") && this.authenticationVariables.contains(str.trim().split("=")[0].trim().substring(4))) {
                readAllLines.set(i, "REM " + str);
                z = true;
            }
        }
        if (z) {
            Files.writeString(path, (String) readAllLines.stream().collect(Collectors.joining(System.lineSeparator())), StandardCharsets.UTF_8, new OpenOption[0]);
            echoIfVerbose("Commented out necessary lines from " + path.toAbsolutePath(), commandLine);
        }
    }

    @Override // org.apache.solr.cli.ToolBase
    public void runImpl(CommandLine commandLine) throws Exception {
    }

    static {
        $assertionsDisabled = !AuthTool.class.desiredAssertionStatus();
    }
}
