package com.floragunn.searchguard.ssl.http.netty;

import com.floragunn.searchguard.ssl.SearchGuardKeyStore;
import com.floragunn.searchguard.ssl.util.SSLRequestHelper;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.NotSslRecordException;
import io.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.netty4.Netty4HttpServerTransport;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.threadpool.ThreadPool;

/* loaded from: input_file:com/floragunn/searchguard/ssl/http/netty/SearchGuardSSLNettyHttpServerTransport.class */
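/**
 * HTTP server transport that places a TLS handler at the front of every HTTP channel
 * pipeline and refuses to dispatch REST requests that carry no SSL information.
 *
 * <p>The SSL engine for each channel is obtained from the injected
 * {@link SearchGuardKeyStore}. Whether client certificates are requested or required
 * is decided by that engine's configuration, which is not visible in this class.
 */
public class SearchGuardSSLNettyHttpServerTransport extends Netty4HttpServerTransport {
    /** Source of the SSL engines used for incoming HTTP connections. */
    private final SearchGuardKeyStore sgks;
    /** Thread context taken from the thread pool; inspected for reserved headers on dispatch. */
    private final ThreadContext threadContext;

    /**
     * Channel initializer that adds the TLS handler on top of the stock HTTP pipeline.
     */
    protected class SSLHttpChannelHandler extends Netty4HttpServerTransport.HttpChannelHandler {
        /**
         * @param netty4HttpServerTransport the transport this handler belongs to
         * @param searchGuardKeyStore not read here; the enclosing transport's key store is used instead
         */
        protected SSLHttpChannelHandler(Netty4HttpServerTransport netty4HttpServerTransport, SearchGuardKeyStore searchGuardKeyStore) {
            super(netty4HttpServerTransport, SearchGuardSSLNettyHttpServerTransport.this.detailedErrorsEnabled, SearchGuardSSLNettyHttpServerTransport.this.threadContext);
        }

        /**
         * Builds the default pipeline, then puts the TLS handler first so that every
         * inbound byte passes through it before any HTTP handler sees it.
         */
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            SslHandler tlsHandler = new SslHandler(SearchGuardSSLNettyHttpServerTransport.this.sgks.createHTTPSSLEngine());
            channel.pipeline().addFirst("ssl_http", tlsHandler);
        }
    }

    /**
     * @param settings node settings, passed to the parent transport
     * @param networkService passed to the parent transport
     * @param bigArrays passed to the parent transport
     * @param threadPool passed to the parent transport; also supplies the thread context
     * @param searchGuardKeyStore key store that creates the HTTP SSL engines
     */
    @Inject
    public SearchGuardSSLNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, ThreadPool threadPool, SearchGuardKeyStore searchGuardKeyStore) {
        super(settings, networkService, bigArrays, threadPool);
        this.sgks = searchGuardKeyStore;
        this.threadContext = threadPool.getThreadContext();
    }

    /**
     * @return a channel handler that installs TLS on each accepted HTTP channel
     */
    public ChannelHandler configureServerChannelHandler() {
        return new SSLHttpChannelHandler(this, this.sgks);
    }

    /**
     * Closes the channel on TLS-level failures instead of handing them to the default
     * HTTP error handling; everything else is delegated to the parent.
     *
     * <p>The checks run from most specific to least specific. Netty's
     * {@code NotSslRecordException} and {@link SSLHandshakeException} are both subclasses
     * of {@link SSLException}, so the generic {@code SSLException} test must come last;
     * otherwise the handshake branch can never be reached and handshake failures are
     * logged as generic SSL problems with a full stack trace.
     *
     * <p>NOTE(review): none of these log lines include the peer address, which makes
     * repeated plaintext probes or handshake failures hard to attribute from the log alone.
     */
    protected void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        if (!this.lifecycle.started()) {
            super.exceptionCaught(channelHandlerContext, th);
            return;
        }
        if (th instanceof NotSslRecordException) {
            this.logger.warn("Someone speaks plaintext instead of ssl, will close the channel");
            channelHandlerContext.channel().close();
            return;
        }
        if (th instanceof SSLHandshakeException) {
            this.logger.error("Problem during handshake " + th.getMessage());
            channelHandlerContext.channel().close();
            return;
        }
        if (th instanceof SSLException) {
            this.logger.error("SSL Problem " + th.getMessage(), th);
            channelHandlerContext.channel().close();
            return;
        }
        super.exceptionCaught(channelHandlerContext, th);
    }

    /**
     * Dispatches a REST request only if it passes two checks.
     *
     * <ol>
     *   <li>The thread context must not already contain a header with the reserved
     *       {@code _sg_ssl_} prefix. These names are presumably set internally once the
     *       TLS session has been inspected, so a value present before dispatch is treated
     *       as an attempt to supply them from outside and the request is rejected.</li>
     *   <li>{@link SSLRequestHelper#getSSLInfo} must return SSL information for the
     *       request; a {@code null} result is rejected as "Not an SSL request".</li>
     * </ol>
     *
     * @throws ElasticsearchException if a reserved header is found
     * @throws ElasticsearchSecurityException if the request has no SSL information
     */
    protected void dispatchRequest(RestRequest restRequest, RestChannel restChannel) {
        if (SSLRequestHelper.containsBadHeader(this.threadContext, "_sg_ssl_")) {
            // Declared with its concrete unchecked type so it can be rethrown from a
            // method that has no throws clause.
            ElasticsearchException badHeader = new ElasticsearchException("bad header found");
            errorThrown(badHeader, restRequest);
            throw badHeader;
        }
        try {
            if (SSLRequestHelper.getSSLInfo(restRequest) == null) {
                this.logger.error("Not an SSL request");
                throw new ElasticsearchSecurityException("Not an SSL request", RestStatus.INTERNAL_SERVER_ERROR);
            }
            super.dispatchRequest(restRequest, restChannel);
        } catch (SSLPeerUnverifiedException e) {
            // Fail closed: the request is not dispatched when the peer could not be verified.
            this.logger.error("No client certificates found but such are needed (SG 8).");
            errorThrown(e, restRequest);
            throw ExceptionsHelper.convertToElastic(e);
        }
    }

    /**
     * Hook called before a rejected request's exception is rethrown. Empty here;
     * subclasses may override it, for example to record the rejection.
     *
     * @param th the failure that caused the rejection
     * @param restRequest the rejected request
     */
    protected void errorThrown(Throwable th, RestRequest restRequest) {
    }
}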
