package org.elasticsearch.xpack.security.transport.netty4;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLEngine;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.http.HttpChannel;
import org.elasticsearch.http.HttpServerTransport;
import org.elasticsearch.http.netty4.Netty4HttpServerTransport;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.netty4.SharedGroupFactory;
import org.elasticsearch.xcontent.NamedXContentRegistry;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail;
import org.elasticsearch.xpack.security.transport.SecurityHttpExceptionHandler;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransport.class */
/**
 * Netty4 HTTP server transport with the security layer's per-connection controls applied.
 *
 * <p>Every accepted channel gets an {@link IpFilterRemoteAddressFilter} bound to the HTTP profile,
 * and, when {@code XPackSettings.HTTP_SSL_ENABLED} is true, an {@link SslHandler} in server mode.
 * Exceptions raised on a channel are routed through {@link SecurityHttpExceptionHandler} before
 * reaching the parent transport's handling.
 *
 * <p>Security note: when HTTP SSL is disabled, {@code sslConfiguration} is {@code null} and this
 * class installs no TLS handler at all, so the listener is only protected by the IP filter.
 */
public class SecurityNetty4HttpServerTransport extends Netty4HttpServerTransport {
    private static final Logger logger = LogManager.getLogger(SecurityNetty4HttpServerTransport.class);
    private final SecurityHttpExceptionHandler securityExceptionHandler;
    private final IPFilter ipFilter;
    private final SSLService sslService;
    // null means "HTTP SSL disabled"; initChannel() uses this as the only TLS on/off switch.
    private final SslConfiguration sslConfiguration;

    /* loaded from: input_file:org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransport$HttpSslChannelHandler.class */
    /**
     * Channel initializer that layers the IP filter and the optional TLS handler on top of the
     * pipeline built by the parent HTTP channel handler.
     */
    private final class HttpSslChannelHandler extends Netty4HttpServerTransport.HttpChannelHandler {
        HttpSslChannelHandler() {
            super(SecurityNetty4HttpServerTransport.this, SecurityNetty4HttpServerTransport.this.handlingSettings);
        }

        /**
         * Builds the parent pipeline, then prepends the security handlers.
         *
         * <p>Both handlers are inserted with {@code addFirst}, and the IP filter is inserted last,
         * so it ends up ahead of the {@code "ssl"} handler in the pipeline.
         *
         * @param channel the newly accepted channel
         * @throws Exception if the parent initializer or handler construction fails
         */
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            final SecurityNetty4HttpServerTransport transport = SecurityNetty4HttpServerTransport.this;
            final SslConfiguration httpSsl = transport.sslConfiguration;
            if (httpSsl != null) {
                // No peer host/port hint is supplied for the server-side engine.
                // NOTE(review): client-certificate requirements are whatever sslService puts on the
                // engine for this configuration; nothing here sets them explicitly. Confirm.
                final SSLEngine serverEngine = transport.sslService.createSSLEngine(httpSsl, (String) null, -1);
                serverEngine.setUseClientMode(false);
                channel.pipeline().addFirst("ssl", new SslHandler(serverEngine));
            }
            // Added unconditionally: the IP filter applies whether or not TLS is enabled.
            final IpFilterRemoteAddressFilter addressFilter =
                new IpFilterRemoteAddressFilter(transport.ipFilter, IPFilter.HTTP_PROFILE_NAME);
            channel.pipeline().addFirst(LoggingAuditTrail.IP_FILTER_ORIGIN_FIELD_VALUE, addressFilter);
        }
    }

    /**
     * Creates the transport and resolves the HTTP TLS configuration up front.
     *
     * <p>If HTTP SSL is enabled, the configuration returned by
     * {@code sSLService.getHttpTransportSSLConfiguration()} must be usable for a server; otherwise
     * construction fails rather than starting a listener without a key.
     *
     * @throws IllegalArgumentException if HTTP SSL is enabled but the configuration is not valid
     *     for server usage
     */
    public SecurityNetty4HttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, IPFilter iPFilter, SSLService sSLService, ThreadPool threadPool, NamedXContentRegistry namedXContentRegistry, HttpServerTransport.Dispatcher dispatcher, ClusterSettings clusterSettings, SharedGroupFactory sharedGroupFactory) {
        super(settings, networkService, bigArrays, threadPool, namedXContentRegistry, dispatcher, clusterSettings, sharedGroupFactory);
        // The fallback is the parent's onException, so the security handler wraps it instead of
        // recursing into this class's override.
        this.securityExceptionHandler = new SecurityHttpExceptionHandler(logger, this.lifecycle, super::onException);
        this.ipFilter = iPFilter;
        final boolean httpSslEnabled = (Boolean) XPackSettings.HTTP_SSL_ENABLED.get(settings);
        this.sslService = sSLService;
        this.sslConfiguration = httpSslEnabled ? sSLService.getHttpTransportSSLConfiguration() : null;
        if (httpSslEnabled && !sSLService.isConfigurationValidForServerUsage(this.sslConfiguration)) {
            throw new IllegalArgumentException("a key must be provided to run as a server. the key should be configured using the [xpack.security.http.ssl.key] or [xpack.security.http.ssl.keystore.path] setting");
        }
    }

    /**
     * Hands channel exceptions to the security exception handler.
     *
     * @param httpChannel the channel the exception occurred on
     * @param exc the exception that was raised
     */
    public void onException(HttpChannel httpChannel, Exception exc) {
        securityExceptionHandler.accept(httpChannel, exc);
    }

    /** Starts the parent transport, then tells the IP filter which HTTP address was bound. */
    protected void doStart() {
        super.doStart();
        ipFilter.setBoundHttpTransportAddress(boundAddress());
    }

    /**
     * Supplies the channel initializer used for accepted HTTP connections.
     *
     * @return a new {@link HttpSslChannelHandler}
     */
    public ChannelHandler configureServerChannelHandler() {
        final ChannelHandler initializer = new HttpSslChannelHandler();
        return initializer;
    }
}
