package com.floragunn.searchguard.ssl.http.netty;

import com.floragunn.searchguard.ssl.SearchGuardKeyStore;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.util.HeaderHelper;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.http.HttpChannel;
import org.elasticsearch.http.HttpRequest;
import org.elasticsearch.http.netty.NettyHttpRequest;
import org.elasticsearch.http.netty.NettyHttpServerTransport;
import org.elasticsearch.rest.RestRequest;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.ExceptionEvent;
import org.jboss.netty.handler.ssl.NotSslRecordException;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:com/floragunn/searchguard/ssl/http/netty/SearchGuardSSLNettyHttpServerTransport.class */
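/**
 * HTTP server transport that puts a TLS handler in front of every HTTP channel and
 * copies the TLS session details (client principal, peer certificate chain, protocol,
 * cipher suite) into the request context before the request is dispatched.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>TLS renegotiation is switched off on every {@link SslHandler} it creates.</li>
 *   <li>When the engine <em>needs</em> client authentication, a request without a usable
 *       X.509 client certificate is rejected with an {@link ElasticsearchException}.</li>
 *   <li>When the engine only <em>wants</em> client authentication, a request without a
 *       verified certificate is still dispatched, but no {@code _sg_ssl_principal} is
 *       set. Code that consumes the context must treat a missing principal as
 *       unauthenticated.</li>
 * </ul>
 */
public class SearchGuardSSLNettyHttpServerTransport extends NettyHttpServerTransport {
    /** Pipeline name of the TLS handler; written in getPipeline(), read in dispatchRequest(). */
    private static final String SSL_HANDLER_NAME = "ssl_http";

    private final SearchGuardKeyStore sgks;
    private final PrincipalExtractor principalExtractor;

    /**
     * Pipeline factory that prepends an {@link SslHandler} to the HTTP pipeline built by
     * the parent factory.
     */
    protected static class SSLHttpChannelPipelineFactory extends NettyHttpServerTransport.HttpChannelPipelineFactory {
        protected final ESLogger log;
        private final SearchGuardKeyStore sgks;

        /**
         * @param nettyHttpServerTransport transport the pipelines belong to
         * @param settings                 not used by this constructor; kept for signature compatibility
         * @param z                        forwarded unchanged to the parent factory (the caller in this
         *                                 file passes {@code detailedErrorsEnabled})
         * @param searchGuardKeyStore      source of the {@link SSLEngine} for each new channel
         */
        public SSLHttpChannelPipelineFactory(NettyHttpServerTransport nettyHttpServerTransport, Settings settings, boolean z, SearchGuardKeyStore searchGuardKeyStore) {
            super(nettyHttpServerTransport, z);
            this.log = Loggers.getLogger(getClass());
            this.sgks = searchGuardKeyStore;
        }

        /**
         * Builds the parent pipeline and adds the TLS handler as its first element, so
         * that every byte passes through TLS before any HTTP handler sees it.
         *
         * @return the pipeline with the TLS handler installed at the head
         * @throws Exception if the parent factory or SSL engine creation fails
         */
        public ChannelPipeline getPipeline() throws Exception {
            this.log.trace("SslHandler configured and added to netty pipeline");
            ChannelPipeline pipeline = super.getPipeline();
            SslHandler sslHandler = new SslHandler(this.sgks.createHTTPSSLEngine());
            // Renegotiation is disabled so a peer cannot restart the handshake on an
            // already-established session.
            sslHandler.setEnableRenegotiation(false);
            pipeline.addFirst(SSL_HANDLER_NAME, sslHandler);
            return pipeline;
        }
    }

    /**
     * @param settings            node settings, forwarded to the parent transport
     * @param networkService      forwarded to the parent transport
     * @param bigArrays           forwarded to the parent transport
     * @param searchGuardKeyStore key store used to create one SSL engine per channel
     * @param principalExtractor  turns the leaf client certificate into a principal
     */
    @Inject
    public SearchGuardSSLNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, SearchGuardKeyStore searchGuardKeyStore, PrincipalExtractor principalExtractor) {
        super(settings, networkService, bigArrays);
        this.sgks = searchGuardKeyStore;
        this.principalExtractor = principalExtractor;
    }

    /**
     * @return a factory whose pipelines start with a TLS handler
     */
    public ChannelPipelineFactory configureServerChannelPipelineFactory() {
        return new SSLHttpChannelPipelineFactory(this, this.settings, this.detailedErrorsEnabled, this.sgks);
    }

    /**
     * Closes the channel on TLS-level failures instead of passing them to the generic
     * HTTP error handling; everything else is delegated to the parent.
     *
     * <p>The checks run from the most specific type to the least specific one.
     * {@link SSLHandshakeException} is a subclass of {@link SSLException}, so testing the
     * general type first would make the handshake branch unreachable.
     *
     * @param channelHandlerContext context of the channel that raised the event
     * @param exceptionEvent        event carrying the cause
     * @throws Exception if the parent handler throws
     */
    protected void exceptionCaught(ChannelHandlerContext channelHandlerContext, ExceptionEvent exceptionEvent) throws Exception {
        if (this.lifecycle.started()) {
            Throwable cause = exceptionEvent.getCause();
            if (cause instanceof NotSslRecordException) {
                this.logger.warn("Someone speaks plaintext instead of ssl, will close the channel");
                channelHandlerContext.getChannel().close();
                return;
            }
            if (cause instanceof SSLHandshakeException) {
                // Logged without a stack trace and under its own message, so failed
                // handshakes can be told apart from other TLS errors in the log.
                this.logger.error("Problem during handshake " + cause.getMessage());
                channelHandlerContext.getChannel().close();
                return;
            }
            if (cause instanceof SSLException) {
                this.logger.error("SSL Problem " + cause.getMessage(), cause);
                channelHandlerContext.getChannel().close();
                return;
            }
        }
        super.exceptionCaught(channelHandlerContext, exceptionEvent);
    }

    /**
     * Adds TLS session facts to the request context and then dispatches the request.
     *
     * <p>Context keys written here:
     * <ul>
     *   <li>{@code _sg_ssl_principal} and {@code _sg_ssl_peer_certificates}: only when the
     *       peer presented a chain whose first entry is an {@link X509Certificate};</li>
     *   <li>{@code _sg_ssl_client_auth_none}: only when the engine neither needs nor wants
     *       client authentication;</li>
     *   <li>{@code _sg_ssl_protocol} and {@code _sg_ssl_cipher}: always.</li>
     * </ul>
     *
     * <p>A missing certificate is reported through {@link #errorThrown} exactly once. The
     * "SG 9" rejection is raised after the try block so the generic catch cannot pick it
     * up, log it as an unknown error and report it a second time.
     *
     * @param httpRequest incoming request; must be a {@link NettyHttpRequest}
     * @param httpChannel channel the response is written to
     * @throws ElasticsearchException if client authentication is required and no usable
     *         certificate is available, or if reading the session or extracting the
     *         principal fails
     */
    protected void dispatchRequest(HttpRequest httpRequest, HttpChannel httpChannel) {
        // Runs before anything else. The implementation is not visible in this file;
        // presumably it rejects requests that carry internal headers. Confirm in HeaderHelper.
        HeaderHelper.checkSGHeader((RestRequest) httpRequest);
        NettyHttpRequest nettyHttpRequest = (NettyHttpRequest) httpRequest;
        // ChannelPipeline.get(String) returns a ChannelHandler, so the cast is required.
        SslHandler sslHandler = (SslHandler) nettyHttpRequest.getChannel().getPipeline().get(SSL_HANDLER_NAME);
        SSLEngine engine = sslHandler.getEngine();
        if (engine.getNeedClientAuth() || engine.getWantClientAuth()) {
            boolean requiredCertificateMissing = false;
            try {
                Certificate[] peerCertificates = engine.getSession().getPeerCertificates();
                if (peerCertificates != null && peerCertificates.length > 0 && peerCertificates[0] instanceof X509Certificate) {
                    // Throws ArrayStoreException if a later entry is not X.509; the
                    // generic catch below turns that into a rejected request.
                    X509Certificate[] x509Certificates = Arrays.copyOf(peerCertificates, peerCertificates.length, X509Certificate[].class);
                    httpRequest.putInContext("_sg_ssl_principal", this.principalExtractor.extractPrincipal(x509Certificates[0], PrincipalExtractor.Type.HTTP));
                    httpRequest.putInContext("_sg_ssl_peer_certificates", x509Certificates);
                } else {
                    requiredCertificateMissing = engine.getNeedClientAuth();
                }
            } catch (SSLPeerUnverifiedException e) {
                if (engine.getNeedClientAuth()) {
                    this.logger.error("No client certificates found but such are needed (SG 8).");
                    errorThrown(e, nettyHttpRequest);
                    throw ExceptionsHelper.convertToElastic(e);
                }
                // Client auth is only "wanted": continue with no principal in the context.
            } catch (Exception e) {
                this.logger.error("Unknow error (SG 8) : " + e, e);
                errorThrown(e, nettyHttpRequest);
                throw ExceptionsHelper.convertToElastic(e);
            }
            if (requiredCertificateMissing) {
                ElasticsearchException missingCertificate = new ElasticsearchException("No client certificates found but such are needed (SG 9).");
                this.logger.error("No client certificates found but such are needed (SG 9).");
                errorThrown(missingCertificate, nettyHttpRequest);
                throw missingCertificate;
            }
        } else {
            httpRequest.putInContext("_sg_ssl_client_auth_none", true);
        }
        httpRequest.putInContext("_sg_ssl_protocol", engine.getSession().getProtocol());
        httpRequest.putInContext("_sg_ssl_cipher", engine.getSession().getCipherSuite());
        super.dispatchRequest(httpRequest, httpChannel);
    }

    /**
     * Hook called once for each request rejected in {@link #dispatchRequest}, just before
     * the exception is thrown. It does nothing by default; subclasses may override it.
     *
     * @param th               the failure that causes the rejection
     * @param nettyHttpRequest the rejected request
     */
    protected void errorThrown(Throwable th, NettyHttpRequest nettyHttpRequest) {
    }
}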
