package org.apache.nifi.processors.grpc;

import io.grpc.Attributes;
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.cert.X509Certificate;
import org.apache.nifi.logging.ComponentLog;

/* loaded from: input_file:org/apache/nifi/processors/grpc/FlowFileIngestServiceInterceptor.class */
public class FlowFileIngestServiceInterceptor implements ServerInterceptor {
    public static final String DEFAULT_FOUND_SUBJECT = "none";
    private static final String UNKNOWN_IP = "unknown-ip";
    private static final String DN_UNAUTHORIZED = "The client DN does not have permission to send gRPC requests to this NiFi. ";
    private static final ServerCall.Listener IDENTITY_LISTENER = new ServerCall.Listener() { // from class: org.apache.nifi.processors.grpc.FlowFileIngestServiceInterceptor.1
    };
    public static final Context.Key<String> REMOTE_HOST_KEY = Context.key(GRPCAttributeNames.REMOTE_HOST);
    public static final Context.Key<String> REMOTE_DN_KEY = Context.key(GRPCAttributeNames.REMOTE_USER_DN);
    private final ComponentLog logger;
    private Pattern authorizedDNPattern;

    public FlowFileIngestServiceInterceptor(ComponentLog componentLog) {
        this.logger = (ComponentLog) Objects.requireNonNull(componentLog);
    }

    public FlowFileIngestServiceInterceptor enforceDNPattern(Pattern pattern) {
        this.authorizedDNPattern = (Pattern) Objects.requireNonNull(pattern);
        return this;
    }

    public <I, O> ServerCall.Listener<I> interceptCall(ServerCall<I, O> serverCall, Metadata metadata, ServerCallHandler<I, O> serverCallHandler) {
        Attributes attributes = serverCall.getAttributes();
        String clientIp = clientIp((SocketAddress) attributes.get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR));
        String str = DEFAULT_FOUND_SUBJECT;
        SSLSession sSLSession = (SSLSession) attributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
        if (this.authorizedDNPattern != null && sSLSession != null) {
            try {
                X509Certificate[] peerCertificateChain = sSLSession.getPeerCertificateChain();
                if (peerCertificateChain != null && peerCertificateChain.length > 0 && 0 < peerCertificateChain.length) {
                    str = peerCertificateChain[0].getSubjectDN().getName();
                    if (!this.authorizedDNPattern.matcher(str).matches()) {
                        this.logger.warn("Rejecting transfer attempt from " + str + " because the DN is not authorized, host=" + clientIp);
                        serverCall.close(Status.PERMISSION_DENIED.withDescription(DN_UNAUTHORIZED + str), metadata);
                        return IDENTITY_LISTENER;
                    }
                }
            } catch (SSLPeerUnverifiedException e) {
                this.logger.debug("Skipping DN authorization for request from {}", new Object[]{clientIp, e});
            }
        }
        return Contexts.interceptCall(Context.current().withValue(REMOTE_HOST_KEY, clientIp).withValue(REMOTE_DN_KEY, str), serverCall, metadata, serverCallHandler);
    }

    private String clientIp(SocketAddress socketAddress) {
        if (socketAddress == null) {
            return UNKNOWN_IP;
        }
        if (!(socketAddress instanceof InetSocketAddress)) {
            return socketAddress.toString();
        }
        String hostString = ((InetSocketAddress) socketAddress).getHostString();
        return hostString == null ? UNKNOWN_IP : hostString;
    }
}
