package com.floragunn.searchguard.ssl.transport;

import com.floragunn.searchguard.ssl.SearchGuardKeyStore;
import com.floragunn.searchguard.ssl.SslExceptionHandler;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.NotSslRecordException;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.netty4.Netty4Transport;

/* loaded from: input_file:com/floragunn/searchguard/ssl/transport/SearchGuardSSLNettyTransport.class */
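/**
 * Netty4 transport that wraps every node-to-node connection in TLS.
 *
 * <p>Accepted (server) channels get an {@link SslHandler} built from the key store's server
 * engine at the head of their pipeline. Outgoing (client) channels get a {@link ClientSSLHandler}
 * that, on {@code connect}, builds a client engine for the peer — handing it the peer's host name
 * and port when hostname verification is enabled — and replaces itself with an {@link SslHandler}.
 *
 * <p>All failure hooks follow one policy: a Netty {@link DecoderException} is unwrapped to its
 * cause, the failure is handed to the {@link SslExceptionHandler}, and any TLS-related cause
 * (plaintext on the wire, handshake failure, other {@link SSLException}) is logged and closes the
 * channel. Anything else is passed on to the superclass unchanged.
 */
public class SearchGuardSSLNettyTransport extends Netty4Transport {
    /** Source of the server and client {@link SSLEngine}s. */
    private final SearchGuardKeyStore sgks;
    /** Receives every caught failure before it is classified here. */
    private final SslExceptionHandler errorHandler;

    /**
     * Returns the failure worth classifying for {@code t}: the cause of a Netty
     * {@link DecoderException} when one is present, otherwise {@code t} itself.
     *
     * <p>Netty reports exceptions raised inside a decoding handler such as {@link SslHandler}
     * wrapped in a {@code DecoderException}, so the TLS type checks have to look at the cause.
     * A {@code DecoderException} without a cause is returned as-is so that callers never have
     * to deal with {@code null}.
     */
    private static Throwable unwrapDecoderException(Throwable t) {
        if (t instanceof DecoderException && t.getCause() != null) {
            return t.getCause();
        }
        return t;
    }

    /**
     * Logs a TLS-related failure and reports whether the channel must be closed.
     *
     * <p>{@link SSLHandshakeException} is tested before its supertype {@link SSLException};
     * with the checks the other way round the handshake branch can never be reached.
     *
     * @param log   logger to write to
     * @param cause the already unwrapped failure
     * @param peer  address reported in the plaintext warning; may be {@code null} if unknown
     * @return {@code true} if {@code cause} was TLS-related (and was logged) so the channel
     *         should be closed; {@code false} if it should be propagated unchanged
     */
    private static boolean logSslFailure(Logger log, Throwable cause, SocketAddress peer) {
        if (cause instanceof NotSslRecordException) {
            log.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", peer);
            return true;
        }
        if (cause instanceof SSLHandshakeException) {
            // Message only, no stack trace: the message of a handshake failure already names
            // the reason (untrusted certificate, protocol mismatch, ...).
            log.error("Problem during handshake " + cause.getMessage());
            return true;
        }
        if (cause instanceof SSLException) {
            log.error("SSL Problem " + cause.getMessage(), cause);
            return true;
        }
        return false;
    }

    /**
     * Outbound handler installed on client channels before the connection is made. On
     * {@link #connect} it builds a client {@link SSLEngine} for the peer and replaces itself
     * with an {@link SslHandler}, so the TLS handshake starts as soon as the TCP connection is up.
     */
    protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
        private final Logger log;
        private final SearchGuardKeyStore sgks;
        /** When {@code true} the peer's host name and port are passed to the client engine. */
        private final boolean hostnameVerificationEnabled;
        /** When {@code true} the reverse-resolved host name is used instead of the address string. */
        private final boolean hostnameVerificationResovleHostName;
        private final SslExceptionHandler errorHandler;

        /**
         * @param searchGuardKeyStore         source of the client SSL engine
         * @param hostnameVerificationEnabled hand the peer's host name and port to the engine
         * @param resolveHostName             when verifying, use {@link InetSocketAddress#getHostName()}
         *                                    rather than {@link InetSocketAddress#getHostString()}
         * @param sslExceptionHandler         receives every caught failure before classification
         */
        private ClientSSLHandler(SearchGuardKeyStore searchGuardKeyStore, boolean hostnameVerificationEnabled,
                boolean resolveHostName, SslExceptionHandler sslExceptionHandler) {
            this.log = LogManager.getLogger(getClass());
            this.sgks = searchGuardKeyStore;
            this.hostnameVerificationEnabled = hostnameVerificationEnabled;
            this.hostnameVerificationResovleHostName = resolveHostName;
            this.errorHandler = sslExceptionHandler;
        }

        /**
         * Unwraps, reports and classifies {@code th}; TLS-related causes close the channel,
         * everything else goes to the superclass (with the unwrapped cause).
         */
        @Override
        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable th) throws Exception {
            Throwable cause = unwrapDecoderException(th);
            this.errorHandler.logError(cause, false);
            if (logSslFailure(this.log, cause, ctx.channel().remoteAddress())) {
                ctx.channel().close();
            } else {
                super.exceptionCaught(ctx, cause);
            }
        }

        /**
         * Builds the client engine for {@code remoteAddress}, swaps this handler for an
         * {@link SslHandler} named {@code "ssl_client"} and then performs the connect.
         *
         * @throws org.elasticsearch.ElasticsearchException if the engine cannot be created
         *         (the underlying {@link SSLException} is converted, not dropped)
         */
        @Override
        public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress,
                ChannelPromise promise) throws Exception {
            try {
                final SSLEngine engine;
                if (this.hostnameVerificationEnabled) {
                    // Verification needs the peer's name and port; only an IP socket address
                    // carries them, so a different address type fails loudly on the cast.
                    InetSocketAddress peer = (InetSocketAddress) remoteAddress;
                    // getHostName() may perform a reverse DNS lookup, so with resolution enabled
                    // the name the engine sees comes from DNS rather than from the configured
                    // address string; getHostString() never resolves.
                    String hostName = this.hostnameVerificationResovleHostName ? peer.getHostName() : peer.getHostString();
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("Hostname of peer is {} ({}/{}) with hostnameVerificationResovleHostName: {}",
                                hostName, peer.getHostName(), peer.getHostString(), this.hostnameVerificationResovleHostName);
                    }
                    engine = this.sgks.createClientTransportSSLEngine(hostName, peer.getPort());
                } else {
                    // No peer host/port is given, so the engine itself has nothing to match the
                    // certificate's name against; whether any identity check still happens is
                    // up to SearchGuardKeyStore — not visible here.
                    engine = this.sgks.createClientTransportSSLEngine(null, -1);
                }
                ctx.pipeline().replace(this, "ssl_client", new SslHandler(engine));
                super.connect(ctx, remoteAddress, localAddress, promise);
            } catch (SSLException e) {
                throw ExceptionsHelper.convertToElastic(e);
            }
        }
    }

    /**
     * Client-side pipeline initializer. After the stock Netty4 pipeline is built, a
     * {@link ClientSSLHandler} is added first so TLS is negotiated before any transport bytes
     * are written. The hostname verification flags are read from the node settings once, when
     * the initializer is created.
     */
    protected class SSLClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResovleHostName;

        public SSLClientChannelInitializer(DiscoveryNode node) {
            super();
            // Both default to true: verification is enforced, and the host name is
            // reverse-resolved, unless the operator opts out explicitly.
            this.hostnameVerificationEnabled = SearchGuardSSLNettyTransport.this.settings.getAsBoolean(
                    SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true);
            this.hostnameVerificationResovleHostName = SearchGuardSSLNettyTransport.this.settings.getAsBoolean(
                    SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, true);
        }

        /** Sets up the stock pipeline, then puts the SSL handler in front of it. */
        @Override
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            channel.pipeline().addFirst("client_ssl_handler", new ClientSSLHandler(
                    SearchGuardSSLNettyTransport.this.sgks,
                    this.hostnameVerificationEnabled,
                    this.hostnameVerificationResovleHostName,
                    SearchGuardSSLNettyTransport.this.errorHandler));
        }

        /**
         * While the transport is started: unwrap, report and classify {@code th}, closing the
         * channel on TLS-related causes. Otherwise (or for unrelated causes) defer to the superclass.
         */
        @Override
        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable th) throws Exception {
            Throwable reported = th;
            if (SearchGuardSSLNettyTransport.this.lifecycle.started()) {
                reported = unwrapDecoderException(th);
                SearchGuardSSLNettyTransport.this.errorHandler.logError(reported, false);
                if (logSslFailure(SearchGuardSSLNettyTransport.this.logger, reported, ctx.channel().remoteAddress())) {
                    ctx.channel().close();
                    return;
                }
            }
            super.exceptionCaught(ctx, reported);
        }
    }

    /**
     * Server-side pipeline initializer: the stock pipeline plus an {@link SslHandler} named
     * {@code "ssl_server"} at its head, built from the key store's server engine.
     */
    protected class SSLServerChannelInitializer extends Netty4Transport.ServerChannelInitializer {
        public SSLServerChannelInitializer(String name) {
            super(name);
        }

        /** Sets up the stock pipeline, then puts the TLS handler in front of it. */
        @Override
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            channel.pipeline().addFirst("ssl_server",
                    new SslHandler(SearchGuardSSLNettyTransport.this.sgks.createServerTransportSSLEngine()));
        }

        /**
         * While the transport is started: unwrap, report and classify {@code th}, closing the
         * channel on TLS-related causes. Otherwise (or for unrelated causes) defer to the superclass.
         */
        @Override
        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable th) throws Exception {
            Throwable reported = th;
            if (SearchGuardSSLNettyTransport.this.lifecycle.started()) {
                reported = unwrapDecoderException(th);
                SearchGuardSSLNettyTransport.this.errorHandler.logError(reported, false);
                if (logSslFailure(SearchGuardSSLNettyTransport.this.logger, reported, ctx.channel().remoteAddress())) {
                    ctx.channel().close();
                    return;
                }
            }
            super.exceptionCaught(ctx, reported);
        }
    }

    /**
     * @param searchGuardKeyStore source of the server and client SSL engines
     * @param sslExceptionHandler receives every caught failure before it is classified
     */
    public SearchGuardSSLNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService,
            BigArrays bigArrays, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService,
            SearchGuardKeyStore searchGuardKeyStore, SslExceptionHandler sslExceptionHandler) {
        super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
        this.sgks = searchGuardKeyStore;
        this.errorHandler = sslExceptionHandler;
    }

    /**
     * Transport-level failure hook. While the transport is started, TLS-related causes are
     * logged and close {@code channel}; everything else — and anything seen while not started —
     * is handed to the superclass with the original exception.
     */
    @Override
    protected void onException(TcpChannel channel, Exception e) {
        if (this.lifecycle.started()) {
            Throwable cause = unwrapDecoderException(e);
            this.errorHandler.logError(cause, false);
            // NOTE(review): this reports the channel's *local* address, whereas the pipeline
            // handlers report the remote peer; for tracing who sent plaintext the remote side
            // is the useful one — confirm what the TcpChannel API of this ES version exposes.
            if (logSslFailure(this.logger, cause, channel.getLocalAddress())) {
                TcpChannel.closeChannel(channel, false);
                return;
            }
        }
        super.onException(channel, e);
    }

    @Override
    protected ChannelHandler getServerChannelInitializer(String name) {
        return new SSLServerChannelInitializer(name);
    }

    @Override
    protected ChannelHandler getClientChannelInitializer(DiscoveryNode node) {
        return new SSLClientChannelInitializer(node);
    }
}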
