package org.elasticsearch.xpack.security.transport.nio;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.util.Collections;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.nio.BytesChannelContext;
import org.elasticsearch.nio.Config;
import org.elasticsearch.nio.InboundChannelBuffer;
import org.elasticsearch.nio.NioSelector;
import org.elasticsearch.nio.ServerChannelContext;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.ConnectTransportException;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.TcpTransport;
import org.elasticsearch.transport.nio.NioGroupFactory;
import org.elasticsearch.transport.nio.NioTcpChannel;
import org.elasticsearch.transport.nio.NioTcpServerChannel;
import org.elasticsearch.transport.nio.NioTransport;
import org.elasticsearch.transport.nio.TcpReadWriteHandler;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
import org.elasticsearch.xpack.core.security.transport.SecurityTransportExceptionHandler;
import org.elasticsearch.xpack.core.ssl.SSLConfiguration;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/nio/SecurityNioTransport.class */
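/**
 * NIO transport variant that layers the security plugin's channel handling on top of
 * {@link NioTransport}: an optional IP filter in front of the read/write handler and, when
 * transport SSL is enabled, a TLS channel context.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>TLS is applied only when {@code XPackSettings.TRANSPORT_SSL_ENABLED} is true. Otherwise
 *       channels get a {@link BytesChannelContext} with no SSL driver and {@link #isSecure()}
 *       returns {@code false}.</li>
 *   <li>The {@link IPFilter} is nullable. When it is {@code null}, channels are created without
 *       a {@code NioIPFilter} wrapper, so no IP filtering happens at this layer.</li>
 *   <li>Hostname verification is passed a peer host/port only for outbound sockets whose profile
 *       has it enabled; see {@code SecurityTcpChannelFactory#createSSLEngine}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. The methods {@code mo152createServerChannel} and
 * {@code m153createChannel} carry decompiler-assigned names; the decompiler's own notes give
 * their original names as {@code createServerChannel} and {@code createChannel}.
 */
public class SecurityNioTransport extends NioTransport {
    private static final Logger logger = LogManager.getLogger(SecurityNioTransport.class);
    private final SecurityTransportExceptionHandler exceptionHandler;
    // May be null (constructor parameter is @Nullable); null disables the NioIPFilter wrapper.
    private final IPFilter ipFilter;
    private final SSLService sslService;
    // Unmodifiable per-profile TLS configuration; an empty map when transport SSL is disabled.
    private final Map<String, SSLConfiguration> profileConfiguration;
    private final boolean sslEnabled;

    /**
     * Channel factory for outbound (client) connections. It adds an optional SNI server name to
     * the TLS engine and refuses to create server channels.
     */
    private class SecurityClientTcpChannelFactory extends SecurityTcpChannelFactory {
        // SNI name to present in the TLS handshake, or null to leave the engine's parameters untouched.
        private final SNIHostName serverName;

        private SecurityClientTcpChannelFactory(TcpTransport.ProfileSettings profileSettings, SNIHostName sNIHostName) {
            super(profileSettings, true);
            this.serverName = sNIHostName;
        }

        /**
         * Always fails: a client factory must never be asked for a server channel.
         * (Decompiler-renamed; original name {@code createServerChannel}.)
         *
         * @throws AssertionError unconditionally
         */
        @Override
        public NioTcpServerChannel mo152createServerChannel(NioSelector nioSelector, ServerSocketChannel serverSocketChannel, Config.ServerSocket serverSocket) {
            throw new AssertionError("Cannot create TcpServerChannel with client factory");
        }

        /**
         * Builds the engine through the parent factory and, if a server name was supplied,
         * sets it as the only SNI entry on the engine's parameters.
         *
         * @param socket socket configuration passed through to the parent factory
         * @return the configured engine
         * @throws IOException declared by the parent implementation
         */
        @Override
        protected SSLEngine createSSLEngine(Config.Socket socket) throws IOException {
            SSLEngine engine = super.createSSLEngine(socket);
            if (this.serverName == null) {
                return engine;
            }
            // getSSLParameters() returns a copy, so the modified parameters must be set back.
            SSLParameters parameters = engine.getSSLParameters();
            parameters.setServerNames(Collections.singletonList(this.serverName));
            engine.setSSLParameters(parameters);
            return engine;
        }
    }

    /**
     * Channel factory shared by server and client sides. It wires the read/write handler, the
     * optional IP filter and the TLS or plain channel context for each new channel.
     */
    private class SecurityTcpChannelFactory extends NioTransport.TcpChannelFactory {
        private final String profileName;
        private final boolean isClient;

        private SecurityTcpChannelFactory(TcpTransport.ProfileSettings profileSettings, boolean z) {
            super(profileSettings);
            this.profileName = profileSettings.profileName;
            this.isClient = z;
        }

        /**
         * Creates a transport channel and attaches its context.
         * (Decompiler-renamed; original name {@code createChannel}.)
         *
         * <p>The handler is wrapped in a {@code NioIPFilter} only when an {@link IPFilter} was
         * configured. The context is an {@code SSLChannelContext} when transport SSL is enabled
         * and a {@link BytesChannelContext} otherwise.
         *
         * @param nioSelector selector the channel context is bound to
         * @param socketChannel underlying JDK socket channel
         * @param socket socket configuration (remote address, accepted flag)
         * @return the channel with its context set
         * @throws IOException if creating the SSL engine fails
         */
        public NioTcpChannel m153createChannel(NioSelector nioSelector, SocketChannel socketChannel, Config.Socket socket) throws IOException {
            NioTcpChannel channel = new NioTcpChannel(!this.isClient, this.profileName, socketChannel);
            // The decompiled source declared this local as NioIPFilter. A TcpReadWriteHandler from
            // the core transport package cannot be that type, so it is declared as what it is.
            TcpReadWriteHandler readWriteHandler = new TcpReadWriteHandler(channel, SecurityNioTransport.this.pageCacheRecycler, SecurityNioTransport.this);
            NioIPFilter filteringHandler = null;
            if (SecurityNioTransport.this.ipFilter != null) {
                filteringHandler = new NioIPFilter(readWriteHandler, socket.getRemoteAddress(), SecurityNioTransport.this.ipFilter, this.profileName);
            }
            InboundChannelBuffer inboundBuffer = new InboundChannelBuffer(SecurityNioTransport.this.pageAllocator);
            // Typed consumer: with a raw Consumer the lambda parameter would be Object, not Exception.
            Consumer<Exception> onError = exc -> SecurityNioTransport.this.onException(channel, exc);
            if (SecurityNioTransport.this.sslEnabled) {
                SSLDriver sslDriver = new SSLDriver(createSSLEngine(socket), SecurityNioTransport.this.pageAllocator, this.isClient);
                InboundChannelBuffer extraInboundBuffer = new InboundChannelBuffer(SecurityNioTransport.this.pageAllocator);
                channel.setContext(new SSLChannelContext(channel, nioSelector, socket, onError, sslDriver,
                    filteringHandler != null ? filteringHandler : readWriteHandler, inboundBuffer, extraInboundBuffer));
            } else {
                // No SSL driver on this path: bytes go to the handler without TLS.
                channel.setContext(new BytesChannelContext(channel, nioSelector, socket, onError,
                    filteringHandler != null ? filteringHandler : readWriteHandler, inboundBuffer));
            }
            return channel;
        }

        /**
         * Creates a listening channel whose accepted sockets are handed to
         * {@code acceptChannel} on the enclosing transport.
         * (Decompiler-renamed; original name {@code createServerChannel}.)
         *
         * @param nioSelector selector the server channel context is bound to
         * @param serverSocketChannel underlying JDK server socket channel
         * @param serverSocket server socket configuration
         * @return the server channel with its context set
         */
        @Override
        public NioTcpServerChannel mo152createServerChannel(NioSelector nioSelector, ServerSocketChannel serverSocketChannel, Config.ServerSocket serverSocket) {
            NioTcpServerChannel serverChannel = new NioTcpServerChannel(serverSocketChannel);
            Consumer<Exception> onError = exc -> SecurityNioTransport.this.onServerException(serverChannel, exc);
            serverChannel.setContext(new ServerChannelContext(serverChannel, this, nioSelector, serverSocket,
                acceptedChannel -> SecurityNioTransport.this.acceptChannel(acceptedChannel), onError));
            return serverChannel;
        }

        /**
         * Creates the TLS engine for a socket from this profile's SSL configuration, falling
         * back to the {@code "default"} profile entry.
         *
         * <p>A peer host and port are passed to the SSL service only when the configuration's
         * verification mode enables hostname verification and the socket was not accepted, i.e.
         * on outbound connections. In every other case the engine is created with a
         * {@code null} host and port {@code -1}. The host comes from
         * {@link InetSocketAddress#getHostString()}, which does not do a reverse lookup, so an
         * address built from an IP literal yields that literal.
         *
         * <p>NOTE(review): this assumes a configuration exists for the profile or for
         * {@code "default"}; a missing entry would fail with a NullPointerException here.
         * The method is only called from the SSL-enabled path in this class. Confirm against
         * {@code ProfileConfigurations}.
         *
         * @param socket socket configuration supplying the accepted flag and remote address
         * @return a new engine from the SSL service
         * @throws IOException declared for overriding implementations
         */
        protected SSLEngine createSSLEngine(Config.Socket socket) throws IOException {
            Map<String, SSLConfiguration> profiles = SecurityNioTransport.this.profileConfiguration;
            SSLConfiguration sslConfiguration = profiles.getOrDefault(this.profileName, profiles.get("default"));
            if (!sslConfiguration.verificationMode().isHostnameVerificationEnabled() || socket.isAccepted()) {
                return SecurityNioTransport.this.sslService.createSSLEngine(sslConfiguration, (String) null, -1);
            }
            InetSocketAddress remoteAddress = socket.getRemoteAddress();
            return SecurityNioTransport.this.sslService.createSSLEngine(sslConfiguration, remoteAddress.getHostString(), remoteAddress.getPort());
        }
    }

    /**
     * Creates the transport and resolves the TLS state from settings.
     *
     * @param iPFilter optional IP filter; {@code null} means channels are not IP-filtered here
     * @param sSLService source of SSL configurations and engines
     */
    public SecurityNioTransport(Settings settings, Version version, ThreadPool threadPool, NetworkService networkService, PageCacheRecycler pageCacheRecycler, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService, @Nullable IPFilter iPFilter, SSLService sSLService, NioGroupFactory nioGroupFactory) {
        super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, nioGroupFactory);
        // The security handler receives the superclass onException as its fallback callback.
        this.exceptionHandler = new SecurityTransportExceptionHandler(logger, this.lifecycle, (tcpChannel, exc) -> super.onException(tcpChannel, exc));
        this.ipFilter = iPFilter;
        this.sslService = sSLService;
        this.sslEnabled = ((Boolean) XPackSettings.TRANSPORT_SSL_ENABLED.get(settings)).booleanValue();
        if (!this.sslEnabled) {
            // No profile TLS configuration is loaded when transport SSL is off.
            this.profileConfiguration = Collections.emptyMap();
        } else {
            SSLConfiguration transportConfiguration = sSLService.getSSLConfiguration(SecurityField.setting("transport.ssl."));
            this.profileConfiguration = Collections.unmodifiableMap(ProfileConfigurations.get(settings, sSLService, transportConfiguration));
        }
    }

    /** Starts the transport, then gives the IP filter (if any) the bound addresses. */
    protected void doStart() {
        super.doStart();
        if (this.ipFilter == null) {
            return;
        }
        this.ipFilter.setBoundTransportAddress(boundAddress(), profileBoundAddresses());
    }

    /** Routes channel exceptions through the security transport exception handler. */
    public void onException(TcpChannel tcpChannel, Exception exc) {
        this.exceptionHandler.accept(tcpChannel, exc);
    }

    /** Returns the factory used for server-side (accepted) channels of the given profile. */
    protected NioTransport.TcpChannelFactory serverChannelFactory(TcpTransport.ProfileSettings profileSettings) {
        return new SecurityTcpChannelFactory(profileSettings, false);
    }

    /**
     * Returns a function that builds a client channel factory for a target node.
     *
     * <p>If the node has a {@code server_name} attribute, it is parsed as an {@link SNIHostName}
     * and later set as the SNI entry on the TLS engine. A value that {@link SNIHostName} rejects
     * aborts the connection attempt rather than connecting without SNI.
     *
     * @param profileSettings profile the outbound channels belong to
     * @return factory function keyed by target node
     * @throws ConnectTransportException (from the returned function) when {@code server_name}
     *     is not a valid SNI host name
     */
    protected Function<DiscoveryNode, NioTransport.TcpChannelFactory> clientChannelFactoryFunction(TcpTransport.ProfileSettings profileSettings) {
        return discoveryNode -> {
            String str = (String) discoveryNode.getAttributes().get("server_name");
            SNIHostName sniHostName = null;
            if (str != null) {
                try {
                    sniHostName = new SNIHostName(str);
                } catch (IllegalArgumentException e) {
                    throw new ConnectTransportException(discoveryNode, "invalid DiscoveryNode server_name [" + str + "]", e);
                }
            }
            return new SecurityClientTcpChannelFactory(profileSettings, sniHostName);
        };
    }

    /** Reports whether transport SSL was enabled in the settings this transport was built with. */
    public boolean isSecure() {
        return this.sslEnabled;
    }
}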
