package com.floragunn.searchguard.ssl.transport;

import com.floragunn.searchguard.ssl.SslExceptionHandler;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLRequestHelper;
import io.netty.handler.ssl.SslHandler;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TaskTransportChannel;
import org.elasticsearch.transport.TcpTransportChannel;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.netty4.NettyTcpChannel;

/* loaded from: input_file:com/floragunn/searchguard/ssl/transport/SearchGuardSSLRequestHandler.class */
public class SearchGuardSSLRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
    private final String action;
    private final TransportRequestHandler<T> actualHandler;
    private final ThreadPool threadPool;
    protected final Logger log = LogManager.getLogger(getClass());
    private final PrincipalExtractor principalExtractor;
    private final SslExceptionHandler errorHandler;

    public SearchGuardSSLRequestHandler(String str, TransportRequestHandler<T> transportRequestHandler, ThreadPool threadPool, PrincipalExtractor principalExtractor, SslExceptionHandler sslExceptionHandler) {
        this.action = str;
        this.actualHandler = transportRequestHandler;
        this.threadPool = threadPool;
        this.principalExtractor = principalExtractor;
        this.errorHandler = sslExceptionHandler;
    }

    protected ThreadContext getThreadContext() {
        if (this.threadPool == null) {
            return null;
        }
        return this.threadPool.getThreadContext();
    }

    @Override // org.elasticsearch.transport.TransportRequestHandler
    public final void messageReceived(T t, TransportChannel transportChannel) throws Exception {
        messageReceived(t, transportChannel, null);
    }

    @Override // org.elasticsearch.transport.TransportRequestHandler
    public final void messageReceived(T t, TransportChannel transportChannel, Task task) throws Exception {
        NettyTcpChannel channel;
        ThreadContext threadContext = getThreadContext();
        if (SSLRequestHelper.containsBadHeader(threadContext, "_sg_ssl_")) {
            ElasticsearchException createBadHeaderException = ExceptionUtils.createBadHeaderException();
            transportChannel.sendResponse(createBadHeaderException);
            throw createBadHeaderException;
        }
        if (!"netty".equals(transportChannel.getChannelType())) {
            messageReceivedDecorate(t, this.actualHandler, transportChannel, task);
            return;
        }
        try {
            if (transportChannel instanceof TaskTransportChannel) {
                channel = (NettyTcpChannel) ((TcpTransportChannel) ((TaskTransportChannel) transportChannel).getChannel()).getChannel();
            } else {
                if (!(transportChannel instanceof TcpTransportChannel)) {
                    throw new Exception("Invalid channel of type " + transportChannel.getClass() + " (" + transportChannel.getChannelType() + ")");
                }
                channel = ((TcpTransportChannel) transportChannel).getChannel();
            }
            SslHandler sslHandler = (SslHandler) channel.getLowLevelChannel().pipeline().get("ssl_server");
            if (sslHandler == null) {
                ElasticsearchException elasticsearchException = new ElasticsearchException("No ssl handler found (SG 11)", new Object[0]);
                transportChannel.sendResponse(elasticsearchException);
                throw elasticsearchException;
            }
            Certificate[] peerCertificates = sslHandler.engine().getSession().getPeerCertificates();
            Certificate[] localCertificates = sslHandler.engine().getSession().getLocalCertificates();
            if (peerCertificates == null || peerCertificates.length <= 0 || !(peerCertificates[0] instanceof X509Certificate) || localCertificates == null || localCertificates.length <= 0 || !(localCertificates[0] instanceof X509Certificate)) {
                ElasticsearchException elasticsearchException2 = new ElasticsearchException("No X509 transport client certificates found (SG 12)", new Object[0]);
                this.errorHandler.logError(elasticsearchException2, t, this.action, task, 0);
                transportChannel.sendResponse(elasticsearchException2);
                throw elasticsearchException2;
            }
            X509Certificate[] x509CertificateArr = (X509Certificate[]) Arrays.copyOf(peerCertificates, peerCertificates.length, X509Certificate[].class);
            X509Certificate[] x509CertificateArr2 = (X509Certificate[]) Arrays.copyOf(localCertificates, localCertificates.length, X509Certificate[].class);
            String extractPrincipal = this.principalExtractor == null ? null : this.principalExtractor.extractPrincipal(x509CertificateArr[0], PrincipalExtractor.Type.TRANSPORT);
            addAdditionalContextValues(this.action, t, x509CertificateArr2, x509CertificateArr, extractPrincipal);
            if (threadContext != null) {
                threadContext.putTransient("_sg_ssl_transport_principal", extractPrincipal);
                threadContext.putTransient("_sg_ssl_transport_peer_certificates", x509CertificateArr);
                threadContext.putTransient("_sg_ssl_transport_local_certificates", x509CertificateArr2);
                threadContext.putTransient("_sg_ssl_transport_protocol", sslHandler.engine().getSession().getProtocol());
                threadContext.putTransient("_sg_ssl_transport_cipher", sslHandler.engine().getSession().getCipherSuite());
            }
            messageReceivedDecorate(t, this.actualHandler, transportChannel, task);
        } catch (SSLPeerUnverifiedException e) {
            this.errorHandler.logError(e, t, this.action, task, 0);
            ElasticsearchException convertToElastic = ExceptionsHelper.convertToElastic(e);
            transportChannel.sendResponse(convertToElastic);
            throw convertToElastic;
        } catch (Exception e2) {
            this.errorHandler.logError(e2, t, this.action, task, 0);
            throw e2;
        }
    }

    protected void addAdditionalContextValues(String str, TransportRequest transportRequest, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, String str2) throws Exception {
    }

    protected void messageReceivedDecorate(T t, TransportRequestHandler<T> transportRequestHandler, TransportChannel transportChannel, Task task) throws Exception {
        transportRequestHandler.messageReceived(t, transportChannel, task);
    }
}
