package com.floragunn.searchguard.ssl.transport;

import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.util.HeaderHelper;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.Callable;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.DelegatingTransportChannel;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.transport.netty.NettyTransportChannel;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:com/floragunn/searchguard/ssl/transport/SearchGuardSSLTransportService.class */
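/**
 * Transport service that wraps every registered request handler in an {@link Interceptor}.
 *
 * <p>For requests arriving on a Netty-backed channel, the interceptor reads the TLS session from
 * the {@code "ssl_server"} pipeline handler, requires X.509 certificates on both sides, and
 * publishes the peer identity in the request context under the {@code _sg_ssl_transport_*} keys
 * before handing the request to the wrapped handler.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Requests whose channel cannot be resolved to a {@code NettyTransportChannel} are forwarded
 *       without any certificate check and without the {@code _sg_ssl_transport_*} context values.
 *       Code that consumes those values must treat their absence explicitly and must not read it
 *       as "authenticated".</li>
 *   <li>The protected hooks below are no-ops here; subclasses are expected to override them
 *       (for example to record failures reported through {@link #errorThrown}).</li>
 * </ul>
 */
public class SearchGuardSSLTransportService extends TransportService {
    private final PrincipalExtractor principalExtractor;

    /**
     * Request handler decorator that enforces and records the TLS peer identity for one action.
     *
     * @param <Request> the request type handled by the wrapped handler
     */
    private class Interceptor<Request extends TransportRequest> extends TransportRequestHandler<Request> {
        private final ESLogger log = Loggers.getLogger(getClass());
        private final TransportRequestHandler<Request> handler;
        private final String action;

        /**
         * @param transportRequestHandler the handler that receives the request once the checks pass
         * @param str the action name the handler is registered for; passed to the hooks and logs
         */
        public Interceptor(TransportRequestHandler<Request> transportRequestHandler, String str) {
            this.handler = transportRequestHandler;
            this.action = str;
        }

        /** Delegates to the three-argument variant with a {@code null} task. */
        public void messageReceived(Request request, TransportChannel transportChannel) throws Exception {
            messageReceived(request, transportChannel, null);
        }

        /**
         * Validates the request headers, extracts the TLS peer identity and forwards the request.
         *
         * @param request the incoming transport request
         * @param transportChannel the channel the request arrived on
         * @param task the task associated with the request, may be {@code null}
         * @throws Exception if the header check fails, no SSL handler or X.509 certificates are
         *     available, the peer is unverified, or the wrapped handler itself throws
         */
        public void messageReceived(Request request, TransportChannel transportChannel, Task task) throws Exception {
            // Runs before anything else and outside the try block, so a failure here is not
            // reported through errorThrown(). NOTE(review): the implementation is not visible
            // here; presumably it rejects requests that carry Search Guard internal headers.
            HeaderHelper.checkSGHeader((TransportMessage<?>) request);

            // Only ONE level of DelegatingTransportChannel is unwrapped. A delegating channel
            // that wraps another delegating channel ends up on the unchecked path below.
            NettyTransportChannel nettyTransportChannel = null;
            if (transportChannel instanceof DelegatingTransportChannel) {
                TransportChannel channel = ((DelegatingTransportChannel) transportChannel).getChannel();
                if (channel instanceof NettyTransportChannel) {
                    nettyTransportChannel = (NettyTransportChannel) channel;
                }
            } else if (transportChannel instanceof NettyTransportChannel) {
                nettyTransportChannel = (NettyTransportChannel) transportChannel;
            }

            if (nettyTransportChannel == null) {
                // No TLS session to inspect: the request is forwarded as-is, with no certificate
                // check and no _sg_ssl_transport_* context values.
                // NOTE(review): presumably this is the in-JVM/local transport - confirm that no
                // remotely reachable channel type can take this branch.
                SearchGuardSSLTransportService.this.messageReceivedDecorate(request, this.handler, transportChannel, task);
                return;
            }

            try {
                // ChannelPipeline.get(String) returns a ChannelHandler, so the cast is required.
                SslHandler sslHandler = (SslHandler) nettyTransportChannel.getChannel().getPipeline().get("ssl_server");
                if (sslHandler == null) {
                    this.log.error("No ssl handler found (SG 11)");
                    ElasticsearchException noSslHandler = new ElasticsearchException("No ssl handler found (SG 11)");
                    nettyTransportChannel.sendResponse(noSslHandler);
                    // Caught by the catch-all below, which reports it via errorThrown() and rethrows.
                    throw noSslHandler;
                }

                // getPeerCertificates() throws SSLPeerUnverifiedException when the peer presented
                // no verified certificate chain; that case is handled as SG 13 below.
                Certificate[] peerCertificates = sslHandler.getEngine().getSession().getPeerCertificates();
                Certificate[] localCertificates = sslHandler.getEngine().getSession().getLocalCertificates();
                if (peerCertificates == null || peerCertificates.length <= 0 || !(peerCertificates[0] instanceof X509Certificate)
                        || localCertificates == null || localCertificates.length <= 0 || !(localCertificates[0] instanceof X509Certificate)) {
                    this.log.error("No X509 transport client certificates found (SG 12)");
                    // Declared as ElasticsearchException (not Throwable) so it can be thrown from a
                    // method that only declares 'throws Exception'.
                    ElasticsearchException noCertificates = new ElasticsearchException("No X509 transport client certificates found (SG 12)");
                    // NOTE(review): the catch-all below calls errorThrown() again for this same
                    // exception, so subclasses that audit failures see SG 12 twice. Left unchanged
                    // because subclasses may depend on the current call sequence.
                    SearchGuardSSLTransportService.this.errorThrown(noCertificates, request, this.action);
                    nettyTransportChannel.sendResponse(noCertificates);
                    throw noCertificates;
                }

                // Only element 0 was type-checked above; a non-X.509 entry further down the chain
                // makes copyOf throw ArrayStoreException, which lands in the catch-all below.
                X509Certificate[] peerX509 = Arrays.copyOf(peerCertificates, peerCertificates.length, X509Certificate[].class);
                X509Certificate[] localX509 = Arrays.copyOf(localCertificates, localCertificates.length, X509Certificate[].class);

                // The principal is derived from the first peer certificate (the peer's own
                // certificate in a JSSE chain), not from any issuer certificate.
                String principal = SearchGuardSSLTransportService.this.principalExtractor.extractPrincipal(peerX509[0], PrincipalExtractor.Type.TRANSPORT);

                // Subclass hooks run before the context values are set; both variants are invoked.
                SearchGuardSSLTransportService.this.addAdditionalContextValues(this.action, request, localX509, peerX509, principal);
                SearchGuardSSLTransportService.this.addAdditionalContextValues(this.action, request, peerX509);

                request.putInContext("_sg_ssl_transport_principal", principal);
                request.putInContext("_sg_ssl_transport_peer_certificates", peerX509);
                request.putInContext("_sg_ssl_transport_local_certificates", localX509);
                request.putInContext("_sg_ssl_transport_protocol", sslHandler.getEngine().getSession().getProtocol());
                request.putInContext("_sg_ssl_transport_cipher", sslHandler.getEngine().getSession().getCipherSuite());

                SearchGuardSSLTransportService.this.messageReceivedDecorate(request, this.handler, transportChannel, task);
            } catch (SSLPeerUnverifiedException e) {
                this.log.error("Can not verify SSL peer (SG 13) due to {}", e, new Object[]{e});
                SearchGuardSSLTransportService.this.errorThrown(e, request, this.action);
                ElasticsearchException convertToElastic = ExceptionsHelper.convertToElastic(e);
                nettyTransportChannel.sendResponse(convertToElastic);
                throw convertToElastic;
            } catch (Exception e2) {
                // Catches the SG 11 / SG 12 exceptions thrown above as well as anything thrown by
                // the principal extractor, the hooks or the wrapped handler. It is logged at DEBUG
                // only, so failures other than SG 11-13 are invisible at default log levels;
                // errorThrown() is the only other place they surface.
                this.log.debug("Unexpected but unproblematic exception (SG 14) for '{}' due to {}", this.action, e2.getMessage());
                SearchGuardSSLTransportService.this.errorThrown(e2, request, this.action);
                throw e2;
            }
        }
    }

    /**
     * @param settings node settings, passed to the parent transport service
     * @param transport the underlying transport, passed to the parent transport service
     * @param threadPool the thread pool, passed to the parent transport service
     * @param principalExtractor turns the peer's X.509 certificate into a principal string
     */
    @Inject
    public SearchGuardSSLTransportService(Settings settings, Transport transport, ThreadPool threadPool, PrincipalExtractor principalExtractor) {
        super(settings, transport, threadPool);
        this.principalExtractor = principalExtractor;
    }

    /**
     * Registers {@code transportRequestHandler} for action {@code str}, wrapped in an
     * {@link Interceptor} so the TLS peer checks run before the handler.
     */
    public <Request extends TransportRequest> void registerRequestHandler(String str, Callable<Request> callable, String str2, TransportRequestHandler<Request> transportRequestHandler) {
        super.registerRequestHandler(str, callable, str2, new Interceptor<Request>(transportRequestHandler, str));
    }

    /**
     * Registers {@code transportRequestHandler} for action {@code str}, wrapped in an
     * {@link Interceptor}; the two boolean flags are passed through to the parent unchanged.
     */
    public <Request extends TransportRequest> void registerRequestHandler(String str, Callable<Request> callable, String str2, boolean z, boolean z2, TransportRequestHandler<Request> transportRequestHandler) {
        super.registerRequestHandler(str, callable, str2, z, z2, new Interceptor<Request>(transportRequestHandler, str));
    }

    /**
     * Registers {@code transportRequestHandler} for action {@code str}, wrapped in an
     * {@link Interceptor}; the two boolean flags are passed through to the parent unchanged.
     */
    public <Request extends TransportRequest> void registerRequestHandler(String str, Class<Request> cls, String str2, boolean z, boolean z2, TransportRequestHandler<Request> transportRequestHandler) {
        super.registerRequestHandler(str, cls, str2, z, z2, new Interceptor<Request>(transportRequestHandler, str));
    }

    /**
     * Hook invoked after the principal has been extracted and before the
     * {@code _sg_ssl_transport_*} context values are set. No-op in this class.
     *
     * @param str the action name
     * @param transportRequest the request being processed
     * @param x509CertificateArr the local certificate chain
     * @param x509CertificateArr2 the peer certificate chain
     * @param str2 the principal extracted from the first peer certificate
     */
    protected void addAdditionalContextValues(String str, TransportRequest transportRequest, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, String str2) throws Exception {
    }

    /**
     * Older hook variant that receives only the peer certificate chain; it is still invoked,
     * directly after the five-argument variant. No-op in this class.
     *
     * @param str the action name
     * @param transportRequest the request being processed
     * @param x509CertificateArr the peer certificate chain
     */
    @Deprecated
    protected void addAdditionalContextValues(String str, TransportRequest transportRequest, X509Certificate[] x509CertificateArr) throws Exception {
    }

    /**
     * Hands the request to the wrapped handler. Called both after a successful TLS identity
     * extraction and on the non-Netty path where no TLS check was performed, so an override
     * cannot assume the {@code _sg_ssl_transport_*} context values are present.
     */
    protected void messageReceivedDecorate(TransportRequest transportRequest, TransportRequestHandler transportRequestHandler, TransportChannel transportChannel, Task task) throws Exception {
        transportRequestHandler.messageReceived(transportRequest, transportChannel, task);
    }

    /**
     * Hook invoked for every exception raised inside the interceptor's guarded section
     * (SG 12, SG 13 and the SG 14 catch-all). No-op in this class.
     *
     * @param th the exception that occurred
     * @param transportRequest the request being processed
     * @param str the action name
     */
    protected void errorThrown(Throwable th, TransportRequest transportRequest, String str) {
    }
}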
