package org.elasticsearch.xpack.security.transport.netty4;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.netty4.Netty4Transport;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.transport.SSLExceptionHelper;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.ssl.SSLConfiguration;
import org.elasticsearch.xpack.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4Transport.class */
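/**
 * Netty4 node-to-node transport that adds two security layers on top of {@link Netty4Transport}:
 * an optional remote-address {@link IPFilter} on server channels and, when transport SSL is enabled,
 * an {@link SslHandler} on both server and client channels.
 *
 * <p>Server-side, the IP filter handler is always placed ahead of the TLS handler so that filtering
 * decisions are made before any TLS bytes are processed. Client-side, hostname verification is only
 * performed when the transport SSL configuration's verification mode enables it.
 *
 * <p>This listing is decompiler output (JADX); a few artifacts (raw types, redundant casts) have been
 * cleaned up without changing behaviour.
 */
public class SecurityNetty4Transport extends Netty4Transport {
    private final SSLService sslService;

    /** Remote-address filter for inbound server channels; {@code null} means no IP filtering is installed. */
    @Nullable
    private final IPFilter authenticator;
    /** Default transport SSL configuration; {@code null} when transport SSL is disabled. */
    private final SSLConfiguration sslConfiguration;
    /** SSL configuration per transport profile name; empty when transport SSL is disabled. */
    private final Map<String, SSLConfiguration> profileConfiguration;
    private final boolean sslEnabled;

    /**
     * Outbound handler that, on {@code connect}, replaces itself with an {@link SslHandler} built for the
     * remote endpoint. It is installed first in the client pipeline so that the TLS handler ends up in front
     * of the transport's own handlers.
     */
    private static class ClientSslHandlerInitializer extends ChannelOutboundHandlerAdapter {
        private final boolean hostnameVerificationEnabled;
        private final SSLConfiguration sslConfiguration;
        private final SSLService sslService;

        private ClientSslHandlerInitializer(SSLConfiguration sslConfiguration, SSLService sslService, boolean hostnameVerificationEnabled) {
            this.sslConfiguration = sslConfiguration;
            this.hostnameVerificationEnabled = hostnameVerificationEnabled;
            this.sslService = sslService;
        }

        /**
         * Creates a client-mode {@link SSLEngine} for {@code remoteAddress}, swaps this handler for an
         * {@link SslHandler} wrapping it, and then continues the connect.
         *
         * @param ctx            the handler context
         * @param remoteAddress  the peer address; must be an {@link InetSocketAddress} when hostname
         *                       verification is enabled, otherwise a {@link ClassCastException} is thrown
         * @param localAddress   the local bind address, passed through unchanged
         * @param promise        the connect promise, passed through unchanged
         * @throws Exception propagated from {@link ChannelOutboundHandlerAdapter#connect}
         */
        @Override
        public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress, ChannelPromise promise) throws Exception {
            final SSLEngine sslEngine;
            if (hostnameVerificationEnabled) {
                // Host name and port are handed to the engine so it can match the peer certificate
                // against the address we dialled.
                InetSocketAddress inetSocketAddress = (InetSocketAddress) remoteAddress;
                sslEngine = sslService.createSSLEngine(sslConfiguration, inetSocketAddress.getHostString(), inetSocketAddress.getPort());
            } else {
                // No peer host/port is supplied, so the engine has nothing to match the certificate's
                // host name against; trust-store validation still happens in the engine (presumably).
                sslEngine = sslService.createSSLEngine(sslConfiguration, null, -1);
            }
            sslEngine.setUseClientMode(true);
            // NOTE(review): the handler name comes from a monitoring constant; the decompiler most likely
            // folded a same-valued string literal into it. Confirm the value before replacing the reference.
            ctx.pipeline().replace(this, HttpExporter.SSL_SETTING, new SslHandler(sslEngine));
            super.connect(ctx, remoteAddress, localAddress, promise);
        }
    }

    /**
     * Server channel initializer that installs an {@link IpFilterRemoteAddressFilter} as the first handler
     * whenever an {@link IPFilter} was supplied to the transport.
     */
    class IPFilterServerChannelInitializer extends Netty4Transport.ServerChannelInitializer {
        IPFilterServerChannelInitializer(String name) {
            super(name);
        }

        /**
         * Runs the base initialisation and then, if IP filtering is configured, prepends the
         * {@code "ipfilter"} handler so the remote address is checked before any other inbound handler.
         */
        // Decompiler reports the upstream modifier as protected; kept public to preserve the visible signature.
        @Override
        public void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (authenticator != null) {
                channel.pipeline().addFirst("ipfilter", new IpFilterRemoteAddressFilter(authenticator, this.name));
            }
        }
    }

    /**
     * Client channel initializer that, when transport SSL is enabled, prepends a
     * {@link ClientSslHandlerInitializer} which later turns itself into the TLS handler on connect.
     */
    private class SecurityClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
        private final boolean hostnameVerificationEnabled;

        SecurityClientChannelInitializer() {
            super();
            // sslConfiguration is null when SSL is disabled, so the short-circuit guard is required here.
            this.hostnameVerificationEnabled = sslEnabled && sslConfiguration.verificationMode().isHostnameVerificationEnabled();
        }

        // Decompiler reports the upstream modifier as protected; kept public to preserve the visible signature.
        @Override
        public void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (sslEnabled) {
                channel.pipeline().addFirst(new ClientSslHandlerInitializer(sslConfiguration, sslService, hostnameVerificationEnabled));
            }
        }
    }

    /**
     * Server channel initializer used when transport SSL is enabled: installs the IP filter (via the
     * superclass) and a server-mode {@link SslHandler} for the profile's SSL configuration.
     */
    class SecurityServerChannelInitializer extends IPFilterServerChannelInitializer {
        private final SSLConfiguration configuration;

        SecurityServerChannelInitializer(String name, SSLConfiguration configuration) {
            super(name);
            this.configuration = configuration;
        }

        /**
         * Adds the {@code "sslhandler"} directly after {@code "ipfilter"} when the filter is present, or
         * as the first handler otherwise, so TLS is always the first thing after address filtering.
         */
        // Decompiler reports the upstream modifier as protected; kept public to preserve the visible signature.
        @Override
        public void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            SSLEngine sslEngine = sslService.createSSLEngine(configuration, null, -1);
            sslEngine.setUseClientMode(false);
            SslHandler sslHandler = new SslHandler(sslEngine);
            IpFilterRemoteAddressFilter ipFilter = channel.pipeline().get(IpFilterRemoteAddressFilter.class);
            if (ipFilter == null) {
                channel.pipeline().addFirst("sslhandler", sslHandler);
            } else {
                channel.pipeline().addAfter("ipfilter", "sslhandler", sslHandler);
            }
        }
    }

    /**
     * Creates the transport and pre-computes the per-profile SSL configuration.
     *
     * <p>When {@code xpack.security.transport.ssl.enabled} is false, no SSL configuration is resolved at
     * all. Otherwise the default configuration is taken from the {@code transport.ssl.} settings and each
     * {@code transport.profiles.*} group gets its own configuration that falls back to the default; a
     * {@code "default"} profile entry is added if the settings did not define one.
     *
     * @param settings      node settings
     * @param threadPool    thread pool handed to {@link Netty4Transport}
     * @param networkService network service handed to {@link Netty4Transport}
     * @param bigArrays     big arrays handed to {@link Netty4Transport}
     * @param namedWriteableRegistry registry handed to {@link Netty4Transport}
     * @param circuitBreakerService breaker service handed to {@link Netty4Transport}
     * @param authenticator IP filter for inbound connections, or {@code null} to disable filtering
     * @param sslService    service used to resolve configurations and build SSL engines
     */
    public SecurityNetty4Transport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService, @Nullable IPFilter authenticator, SSLService sslService) {
        super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
        this.authenticator = authenticator;
        this.sslService = sslService;
        this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
        Settings transportSslSettings = settings.getByPrefix(Security.setting("transport.ssl."));
        if (sslEnabled) {
            this.sslConfiguration = sslService.sslConfiguration(transportSslSettings, Settings.EMPTY);
            Map<String, Settings> profileSettings = settings.getGroups("transport.profiles.", true);
            Map<String, SSLConfiguration> profiles = new HashMap<>(profileSettings.size() + 1);
            for (Map.Entry<String, Settings> entry : profileSettings.entrySet()) {
                // Profile-level ssl.* settings override the transport-wide ones, which act as the fallback.
                profiles.put(entry.getKey(), sslService.sslConfiguration(profileSslSettings(entry.getValue()), transportSslSettings));
            }
            if (profiles.containsKey("default") == false) {
                profiles.put("default", sslConfiguration);
            }
            this.profileConfiguration = Collections.unmodifiableMap(profiles);
        } else {
            this.profileConfiguration = Collections.emptyMap();
            this.sslConfiguration = null;
        }
    }

    /**
     * Starts the transport and then tells the IP filter which addresses the transport actually bound to,
     * so that the filter can apply its per-profile rules.
     */
    // Decompiler reports the upstream modifier as protected; kept public to preserve the visible signature.
    @Override
    public void doStart() {
        super.doStart();
        if (authenticator != null) {
            authenticator.setBoundTransportAddress(boundAddress(), profileBoundAddresses());
        }
    }

    /**
     * Picks the server channel initializer for a transport profile.
     *
     * @param name the profile name
     * @return an IP-filter-only initializer when SSL is disabled, otherwise an SSL initializer for the profile
     * @throws IllegalStateException when SSL is enabled but no configuration exists for {@code name};
     *         this fails closed rather than falling back to a plaintext listener
     */
    @Override
    protected ChannelHandler getServerChannelInitializer(String name) {
        if (sslEnabled == false) {
            return new IPFilterServerChannelInitializer(name);
        }
        SSLConfiguration configuration = profileConfiguration.get(name);
        if (configuration == null) {
            throw new IllegalStateException("unknown profile: " + name);
        }
        return new SecurityServerChannelInitializer(name, configuration);
    }

    @Override
    protected ChannelHandler getClientChannelInitializer() {
        return new SecurityClientChannelInitializer();
    }

    /**
     * Handles channel exceptions, closing the channel for the three expected TLS failure modes
     * (plaintext on an encrypted channel, peer closing during the handshake, peer rejecting our
     * certificate) with a warning — the exception itself is only logged at trace level — and delegating
     * everything else to the superclass. While the transport is not started every exception just closes
     * the channel.
     *
     * @param channel the affected channel
     * @param e       the exception raised on it
     */
    // Decompiler reports the upstream modifier as protected; kept public to preserve the visible signature.
    @Override
    public void onException(Channel channel, Exception e) {
        if (lifecycle.started() == false) {
            closeChannelWhileHandlingExceptions(channel);
        } else if (SSLExceptionHelper.isNotSslRecordException(e)) {
            if (logger.isTraceEnabled()) {
                logger.trace(new ParameterizedMessage("received plaintext traffic on an encrypted channel, closing connection {}", channel), e);
            } else {
                logger.warn("received plaintext traffic on an encrypted channel, closing connection {}", channel);
            }
            closeChannelWhileHandlingExceptions(channel);
        } else if (SSLExceptionHelper.isCloseDuringHandshakeException(e)) {
            if (logger.isTraceEnabled()) {
                logger.trace(new ParameterizedMessage("connection {} closed during ssl handshake", channel), e);
            } else {
                logger.warn("connection {} closed during handshake", channel);
            }
            closeChannelWhileHandlingExceptions(channel);
        } else if (SSLExceptionHelper.isReceivedCertificateUnknownException(e)) {
            if (logger.isTraceEnabled()) {
                logger.trace(new ParameterizedMessage("client did not trust server's certificate, closing connection {}", channel), e);
            } else {
                logger.warn("client did not trust this server's certificate, closing connection {}", channel);
            }
            closeChannelWhileHandlingExceptions(channel);
        } else {
            // Not a recognised TLS failure: let the base transport decide (the decompiled listing carried a
            // spurious cast of the channel here, which has been dropped).
            super.onException(channel, e);
        }
    }

    /**
     * Extracts the {@code ssl.*} settings of a transport profile, namespaced under the security prefix.
     *
     * @param settings the settings of one {@code transport.profiles.*} group
     * @return the profile's SSL settings (possibly empty)
     */
    public static Settings profileSslSettings(Settings settings) {
        return settings.getByPrefix(Security.setting("ssl."));
    }
}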
