package org.elasticsearch.xpack.security.rest;

import io.netty.handler.ssl.SslHandler;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import javax.net.ssl.SSLEngine;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.netty4.Netty4HttpRequest;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestHandler;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestRequestFilter;
import org.elasticsearch.xpack.core.ssl.TLSv1DeprecationHandler;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.transport.ServerTransportFilter;

/* loaded from: input_file:org/elasticsearch/xpack/security/rest/SecurityRestFilter.class */
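/**
 * {@link RestHandler} decorator that authenticates an HTTP request before handing it to the wrapped handler.
 *
 * <p>Two kinds of request reach the wrapped handler <em>without</em> authentication (see
 * {@link #handleRequest}): every request while the license state reports that authentication is not
 * allowed, and every {@code OPTIONS} request. Handlers registered behind this filter therefore must not
 * perform privileged work in response to {@code OPTIONS}.
 *
 * <p>NOTE(review): the TLS paths cast the request to {@link Netty4HttpRequest}, so this class appears to
 * assume the netty4 HTTP transport; confirm that no other transport can be active when
 * {@code extractClientCertificate} is set or TLS deprecation warnings are enabled.
 */
public class SecurityRestFilter implements RestHandler {
    private static final Logger logger = LogManager.getLogger(SecurityRestFilter.class);

    private final RestHandler restHandler;
    private final AuthenticationService service;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    private final boolean extractClientCertificate;
    private final TLSv1DeprecationHandler tlsDeprecationHandler;

    /**
     * @param xPackLicenseState        consulted on every request to decide whether authentication applies
     * @param threadContext            context that receives client certificates and the remote-host header
     * @param authenticationService    service that authenticates the request
     * @param restHandler              handler to delegate to once the request is accepted
     * @param extractClientCertificate whether to read the client certificate from the TLS engine before
     *                                 authenticating
     * @param tLSv1DeprecationHandler  handler that logs deprecation warnings for the negotiated TLS session
     */
    public SecurityRestFilter(XPackLicenseState xPackLicenseState, ThreadContext threadContext, AuthenticationService authenticationService, RestHandler restHandler, boolean extractClientCertificate, TLSv1DeprecationHandler tLSv1DeprecationHandler) {
        this.restHandler = restHandler;
        this.service = authenticationService;
        this.licenseState = xPackLicenseState;
        this.threadContext = threadContext;
        this.extractClientCertificate = extractClientCertificate;
        this.tlsDeprecationHandler = tLSv1DeprecationHandler;
    }

    /**
     * Authenticates the request and, on success, delegates it to the wrapped handler.
     *
     * <p>On authentication failure the exception is rendered to the client through
     * {@link BytesRestResponse}; the wrapped handler is not invoked.
     *
     * @throws Exception propagated from the wrapped handler or from the TLS/certificate helpers
     */
    @Override
    public void handleRequest(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient) throws Exception {
        // Runs before the bypass below, so the deprecation check also covers unauthenticated requests.
        if (this.tlsDeprecationHandler.shouldLogWarnings()) {
            SSLEngine sslEngine = getSslEngine((Netty4HttpRequest) restRequest);
            this.tlsDeprecationHandler.checkAndLog(sslEngine.getSession(), () -> "HTTP connection from " + remoteHost(restRequest));
        }

        // Security-relevant bypass: no authentication is performed when the license does not allow it,
        // nor for OPTIONS requests (presumably to let unauthenticated CORS preflight through).
        boolean authenticationRequired = this.licenseState.isAuthAllowed() && restRequest.method() != RestRequest.Method.OPTIONS;
        if (!authenticationRequired) {
            this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
            return;
        }

        if (this.extractClientCertificate) {
            Netty4HttpRequest netty4HttpRequest = (Netty4HttpRequest) restRequest;
            ServerTransportFilter.extractClientCertificates(logger, this.threadContext, getSslEngine(netty4HttpRequest), netty4HttpRequest.getChannel());
        }

        // Authentication sees the (possibly) filtered copy of the request; the wrapped handler still
        // receives the original, unfiltered request.
        this.service.authenticate(maybeWrapRestRequest(restRequest), ActionListener.wrap(authentication -> {
            RemoteHostHeader.process(restRequest, this.threadContext);
            this.restHandler.handleRequest(restRequest, restChannel, nodeClient);
        }, exc -> {
            try {
                restChannel.sendResponse(new BytesRestResponse(restChannel, exc));
            } catch (Exception e) {
                // Keep the authentication failure attached so it is not lost from the log.
                e.addSuppressed(exc);
                logger.error(() -> new ParameterizedMessage("failed to send failure response for uri [{}]", restRequest.uri()), e);
            }
        }));
    }

    /**
     * Returns the peer's host string for log messages.
     *
     * <p>Uses {@link InetSocketAddress#getHostString()} for inet addresses; that call is also made in the
     * original code and, per the JDK, does not trigger a reverse DNS lookup.
     */
    private String remoteHost(RestRequest restRequest) {
        SocketAddress remoteAddress = restRequest.getRemoteAddress();
        if (remoteAddress instanceof InetSocketAddress) {
            return ((InetSocketAddress) remoteAddress).getHostString();
        }
        // NOTE(review): getRemoteAddress() may be nullable; String.valueOf keeps building a log message
        // from throwing in that case.
        return String.valueOf(remoteAddress);
    }

    /**
     * Looks up the {@link SSLEngine} of the channel that carried the request.
     *
     * <p>The presence of an {@link SslHandler} is only checked by an {@code assert}. With assertions
     * disabled, a channel without TLS results in a {@link NullPointerException} here, so callers rely
     * on configuration guaranteeing TLS whenever this method is reached.
     */
    private SSLEngine getSslEngine(Netty4HttpRequest netty4HttpRequest) {
        SslHandler sslHandler = netty4HttpRequest.getChannel().pipeline().get(SslHandler.class);
        assert sslHandler != null;
        return sslHandler.engine();
    }

    /**
     * Returns the request to hand to the authentication service.
     *
     * <p>If the wrapped handler is a {@link RestRequestFilter}, its filtered view of the request is
     * used; otherwise the request is returned unchanged. Presumably the filtered view omits sensitive
     * body fields so that they are not recorded during authentication; verify against the
     * {@code RestRequestFilter} implementations in use.
     *
     * @throws IOException if the handler fails to build the filtered request
     */
    RestRequest maybeWrapRestRequest(RestRequest restRequest) throws IOException {
        if (this.restHandler instanceof RestRequestFilter) {
            // The cast is required: getFilteredRequest is declared on RestRequestFilter, not RestHandler.
            return ((RestRequestFilter) this.restHandler).getFilteredRequest(restRequest);
        }
        return restRequest;
    }
}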
