package org.elasticsearch.xpack.core.security.transport.netty4;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.Map;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.Version;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.ssl.SslConfiguration;
import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.ConnectTransportException;
import org.elasticsearch.transport.SharedGroupFactory;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.netty4.Netty4Transport;
import org.elasticsearch.xpack.core.XPackSettings;
import org.elasticsearch.xpack.core.security.SecurityField;
import org.elasticsearch.xpack.core.security.transport.ProfileConfigurations;
import org.elasticsearch.xpack.core.security.transport.SecurityTransportExceptionHandler;
import org.elasticsearch.xpack.core.ssl.SSLService;

/* loaded from: input_file:org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport.class */
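/**
 * Netty4 transport that puts an {@link SslHandler} at the head of client and server channel
 * pipelines when {@code XPackSettings.TRANSPORT_SSL_ENABLED} is set.
 *
 * <p>When SSL is disabled, {@code sslConfiguration} is {@code null}, the profile map is empty,
 * and the plain (non-TLS) initializers of {@link Netty4Transport} are used.
 */
public class SecurityNetty4Transport extends Netty4Transport {
    private static final Logger logger = LogManager.getLogger(SecurityNetty4Transport.class);
    private final SecurityTransportExceptionHandler exceptionHandler;
    private final SSLService sslService;
    // Default transport SSL configuration; null when transport SSL is disabled.
    private final SslConfiguration sslConfiguration;
    // Per-profile SSL configurations, keyed by profile name; empty when transport SSL is disabled.
    private final Map<String, SslConfiguration> profileConfiguration;
    private final boolean sslEnabled;

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport$ClientSslHandlerInitializer.class */
    /**
     * Outbound placeholder handler that defers creation of the client-side {@link SSLEngine}
     * until {@code connect} is called, because only then is the remote address available.
     */
    private static class ClientSslHandlerInitializer extends ChannelOutboundHandlerAdapter {
        private final boolean hostnameVerificationEnabled;
        private final SslConfiguration sslConfiguration;
        private final SSLService sslService;
        // Optional SNI name to send in the ClientHello; null means no SNI is set here.
        private final SNIServerName serverName;

        private ClientSslHandlerInitializer(
                SslConfiguration sslConfiguration,
                SSLService sslService,
                boolean hostnameVerificationEnabled,
                SNIServerName serverName) {
            this.sslConfiguration = sslConfiguration;
            this.hostnameVerificationEnabled = hostnameVerificationEnabled;
            this.sslService = sslService;
            this.serverName = serverName;
        }

        /**
         * Builds the client-mode engine, swaps this handler for an {@link SslHandler} named
         * {@code "ssl"}, then forwards the connect request.
         *
         * @param ctx           context of this handler in the pipeline
         * @param remoteAddress address being connected to; cast to {@link InetSocketAddress}
         *                      when hostname verification is enabled
         * @param localAddress  local address passed through unchanged
         * @param promise       promise passed through unchanged
         * @throws Exception if engine creation or the forwarded connect fails
         */
        public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress, ChannelPromise promise)
                throws Exception {
            final SSLEngine engine;
            if (this.hostnameVerificationEnabled) {
                // The peer host and port are handed to the SSLService only on this branch.
                // NOTE(review): presumably SSLService uses them to configure endpoint
                // identification against the server certificate; confirm in SSLService.
                InetSocketAddress peer = (InetSocketAddress) remoteAddress;
                engine = this.sslService.createSSLEngine(this.sslConfiguration, peer.getHostString(), peer.getPort());
            } else {
                // No peer identity is supplied, so nothing here ties the certificate to the host.
                engine = this.sslService.createSSLEngine(this.sslConfiguration, (String) null, -1);
            }
            engine.setUseClientMode(true);
            if (this.serverName != null) {
                // SNI is applied regardless of the verification mode. It only names the host
                // being requested; this code does not check it against the certificate.
                SSLParameters parameters = engine.getSSLParameters();
                parameters.setServerNames(Collections.singletonList(this.serverName));
                engine.setSSLParameters(parameters);
            }
            ctx.pipeline().replace(this, "ssl", new SslHandler(engine));
            super.connect(ctx, remoteAddress, localAddress, promise);
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport$SecurityClientChannelInitializer.class */
    /**
     * Client channel initializer that, when SSL is enabled, prepends a
     * {@link ClientSslHandlerInitializer} to the pipeline.
     */
    private class SecurityClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
        private final boolean hostnameVerificationEnabled;
        private final SNIHostName serverName;

        /**
         * @param discoveryNode target node; its {@code server_name} attribute, if present, is
         *                      used as the SNI host name
         * @throws ConnectTransportException if the attribute is not a valid SNI host name
         */
        SecurityClientChannelInitializer(DiscoveryNode discoveryNode) {
            super(SecurityNetty4Transport.this);
            // sslConfiguration is null when SSL is disabled, so sslEnabled must be tested first.
            this.hostnameVerificationEnabled = SecurityNetty4Transport.this.sslEnabled
                && SecurityNetty4Transport.this.sslConfiguration.getVerificationMode().isHostnameVerificationEnabled();
            String configuredServerName = (String) discoveryNode.getAttributes().get("server_name");
            if (configuredServerName == null) {
                this.serverName = null;
            } else {
                try {
                    // SNIHostName validates the value; a malformed name fails the connection
                    // attempt instead of being sent in the handshake.
                    this.serverName = new SNIHostName(configuredServerName);
                } catch (IllegalArgumentException e) {
                    throw new ConnectTransportException(
                        discoveryNode,
                        "invalid DiscoveryNode server_name [" + configuredServerName + "]",
                        e
                    );
                }
            }
        }

        /**
         * Runs the base initializer, then places the SSL placeholder first in the pipeline
         * when SSL is enabled.
         */
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (SecurityNetty4Transport.this.sslEnabled) {
                channel.pipeline()
                    .addFirst(
                        new ClientSslHandlerInitializer(
                            SecurityNetty4Transport.this.sslConfiguration,
                            SecurityNetty4Transport.this.sslService,
                            this.hostnameVerificationEnabled,
                            this.serverName
                        )
                    );
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/xpack/core/security/transport/netty4/SecurityNetty4Transport$SslChannelInitializer.class */
    /**
     * Server channel initializer that installs a server-mode {@link SslHandler} built from the
     * given configuration as the first handler of every accepted channel.
     */
    public class SslChannelInitializer extends Netty4Transport.ServerChannelInitializer {
        private final SslConfiguration configuration;

        /**
         * @param str              profile name, passed to the base initializer
         * @param sslConfiguration SSL configuration used for engines created by this initializer
         */
        public SslChannelInitializer(String str, SslConfiguration sslConfiguration) {
            super(SecurityNetty4Transport.this, str);
            this.configuration = sslConfiguration;
        }

        /**
         * Adds the SSL handler under the name {@code "sslhandler"} before the base initializer
         * adds its own handlers.
         */
        /* JADX INFO: Access modifiers changed from: protected */
        public void initChannel(Channel channel) throws Exception {
            // Server side: no peer host or port is supplied to the engine.
            SSLEngine engine = SecurityNetty4Transport.this.sslService.createSSLEngine(this.configuration, (String) null, -1);
            engine.setUseClientMode(false);
            ChannelHandler sslHandler = new SslHandler(engine);
            channel.pipeline().addFirst("sslhandler", sslHandler);
            super.initChannel(channel);
            // Replaces the decompiler's $assertionsDisabled field and static initializer, which
            // are what javac emits for an assert statement.
            // The TLS handler has to stay first so no other handler sees bytes before it does.
            assert channel.pipeline().first() == sslHandler : "SSL handler must be first handler in pipeline";
        }

        // Marked by the decompiler as a synthetic bridge; it only delegates to the superclass.
        public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
            super.exceptionCaught(channelHandlerContext, th);
        }
    }

    /**
     * Creates the transport and resolves its SSL configuration from {@code settings}.
     *
     * <p>The default configuration is looked up under the {@code transport.ssl.} prefix and the
     * per-profile configurations come from {@link ProfileConfigurations}; both are resolved
     * only when transport SSL is enabled.
     */
    public SecurityNetty4Transport(Settings settings, Version version, ThreadPool threadPool, NetworkService networkService, PageCacheRecycler pageCacheRecycler, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService, SSLService sSLService, SharedGroupFactory sharedGroupFactory) {
        super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, sharedGroupFactory);
        // Exceptions the security handler does not deal with fall back to the base transport.
        this.exceptionHandler = new SecurityTransportExceptionHandler(logger, this.lifecycle, (tcpChannel, exc) -> {
            super.onException(tcpChannel, exc);
        });
        this.sslService = sSLService;
        this.sslEnabled = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings);
        if (this.sslEnabled) {
            this.sslConfiguration = sSLService.getSSLConfiguration(SecurityField.setting("transport.ssl."));
            this.profileConfiguration = Collections.unmodifiableMap(ProfileConfigurations.get(settings, sSLService, this.sslConfiguration));
        } else {
            this.profileConfiguration = Collections.emptyMap();
            this.sslConfiguration = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void doStart() {
        super.doStart();
    }

    /**
     * Returns the server-side initializer for a transport profile.
     *
     * @param str profile name
     * @return the plain initializer when SSL is disabled, otherwise an SSL initializer built
     *         from that profile's configuration
     * @throws IllegalStateException if SSL is enabled and no configuration exists for the profile
     */
    public final ChannelHandler getServerChannelInitializer(String str) {
        if (!this.sslEnabled) {
            return getNoSslChannelInitializer(str);
        }
        SslConfiguration profileSslConfiguration = this.profileConfiguration.get(str);
        if (profileSslConfiguration == null) {
            // Fail closed: an unknown profile never falls back to a plaintext or default channel.
            throw new IllegalStateException("unknown profile: " + str);
        }
        return getSslChannelInitializer(str, profileSslConfiguration);
    }

    /** Returns the base transport's server initializer, which adds no SSL handler here. */
    protected ChannelHandler getNoSslChannelInitializer(String str) {
        return super.getServerChannelInitializer(str);
    }

    /** Returns a client initializer bound to the target node's SNI and verification settings. */
    protected ChannelHandler getClientChannelInitializer(DiscoveryNode discoveryNode) {
        return new SecurityClientChannelInitializer(discoveryNode);
    }

    /** Routes channel exceptions through the security-aware exception handler. */
    public void onException(TcpChannel tcpChannel, Exception exc) {
        this.exceptionHandler.accept(tcpChannel, exc);
    }

    /**
     * Creates the SSL server initializer for a profile.
     *
     * @param str              profile name
     * @param sslConfiguration configuration resolved for that profile
     * @return an initializer that builds its engines from {@code sslConfiguration}
     */
    protected Netty4Transport.ServerChannelInitializer getSslChannelInitializer(String str, SslConfiguration sslConfiguration) {
        // Pass the per-profile configuration through. Using the default transport configuration
        // field here would silently discard whatever the profile configured.
        return new SslChannelInitializer(str, sslConfiguration);
    }

    /** Reports whether transport SSL is enabled for this transport. */
    public boolean isSecure() {
        return this.sslEnabled;
    }
}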
