package org.elasticsearch.shield.transport.netty;

import java.net.InetSocketAddress;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.elasticsearch.Version;
import org.elasticsearch.common.SuppressForbidden;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.internal.Nullable;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.shield.ShieldSettingsFilter;
import org.elasticsearch.shield.ssl.ClientSSLService;
import org.elasticsearch.shield.ssl.ServerSSLService;
import org.elasticsearch.shield.transport.SSLClientAuth;
import org.elasticsearch.shield.transport.SSLExceptionHelper;
import org.elasticsearch.shield.transport.filter.IPFilter;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.netty.NettyTransport;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.ChannelStateEvent;
import org.jboss.netty.channel.ExceptionEvent;
import org.jboss.netty.channel.SimpleChannelHandler;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:org/elasticsearch/shield/transport/netty/ShieldNettyTransport.class */
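/**
 * Netty transport that wraps the stock {@link NettyTransport} pipelines with Shield's TLS and
 * IP-filtering handlers.
 *
 * <p>Outbound (client) pipelines get an {@link SslHandler} in client mode. Hostname verification
 * is switched on unless {@value #HOSTNAME_VERIFICATION_SETTING} is {@code false}; when on, the
 * engine is created for the remote host/port and JSSE endpoint identification ("HTTPS") is
 * enabled so the peer certificate is matched against that host name during the handshake.
 *
 * <p>Inbound (server) pipelines get an {@link SslHandler} in server mode when the profile's
 * {@value #TRANSPORT_PROFILE_SSL_SETTING} (defaulting to the transport-wide
 * {@value #TRANSPORT_SSL_SETTING}) is enabled, with client-certificate handling taken from
 * {@link SSLClientAuth#parse}, and an IP-filter handler in front of everything when an
 * {@link IPFilter} was injected.
 *
 * <p>This listing was recovered by a decompiler; the comments describe only what the visible
 * code does.
 */
public class ShieldNettyTransport extends NettyTransport {
    /** Enables verification of the peer certificate against the connected host name; read with default {@code true}. */
    public static final String HOSTNAME_VERIFICATION_SETTING = "shield.ssl.hostname_verification";
    /**
     * When {@code true} (the read default) the name handed to hostname verification comes from
     * {@link InetSocketAddress#getHostName()}, which may perform a reverse DNS lookup for addresses
     * that were given as literal IPs, so the verified name then depends on DNS. When {@code false}
     * the literal host string the connection was opened with is used instead.
     */
    public static final String HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING = "shield.ssl.hostname_verification.resolve_name";
    /** Transport-wide TLS switch; also the default for every profile's {@value #TRANSPORT_PROFILE_SSL_SETTING}. */
    public static final String TRANSPORT_SSL_SETTING = "shield.transport.ssl";
    /** TLS is off unless explicitly enabled. */
    public static final boolean TRANSPORT_SSL_DEFAULT = false;
    /** Transport-wide client-certificate requirement; the fallback for a profile's {@value #TRANSPORT_PROFILE_CLIENT_AUTH_SETTING}. */
    public static final String TRANSPORT_CLIENT_AUTH_SETTING = "shield.transport.ssl.client.auth";
    /** Client certificates are required unless configured otherwise (mutual TLS by default). */
    public static final SSLClientAuth TRANSPORT_CLIENT_AUTH_DEFAULT = SSLClientAuth.REQUIRED;
    /** Per-profile TLS switch, read relative to the profile's own settings. */
    public static final String TRANSPORT_PROFILE_SSL_SETTING = "shield.ssl";
    /** Per-profile client-certificate requirement, read relative to the profile's own settings. */
    public static final String TRANSPORT_PROFILE_CLIENT_AUTH_SETTING = "shield.ssl.client.auth";

    // Pipeline handler names; the client side replaces SSL_INITIALIZER_HANDLER with SSL_HANDLER on connect.
    private static final String SSL_HANDLER = "ssl";
    private static final String HANDSHAKE_HANDLER = "handshake";
    private static final String SSL_INITIALIZER_HANDLER = "sslInitializer";
    private static final String IP_FILTER_HANDLER = "ipfilter";

    /** Creates server-mode engines; injected as {@code @Nullable}, so a TLS-enabled profile needs it to be present. */
    private final ServerSSLService serverSslService;
    /** Creates client-mode engines for outbound connections. */
    private final ClientSSLService clientSSLService;
    /** Used to hide each profile's {@code shield.*} settings from settings output. */
    private final ShieldSettingsFilter settingsFilter;

    /** Optional IP filter; when absent no {@code ipfilter} handler is installed on server pipelines. */
    @Nullable
    private final IPFilter authenticator;
    /** Transport-wide value of {@value #TRANSPORT_SSL_SETTING}. */
    private final boolean ssl;

    /**
     * Client pipeline factory that prepends an SSL initializer when transport-wide TLS is on.
     *
     * <p>Declared {@code private} in the original source according to the decompiler; kept
     * {@code public} here to preserve the interface as loaded.
     */
    public class SslClientChannelPipelineFactory extends NettyTransport.ClientChannelPipelineFactory {
        /** The {@code shield.*} settings of the {@code default} transport profile, or empty when there is none. */
        private final Settings sslSettings;

        /**
         * Placeholder handler that, on the connect request, builds the client-mode {@link SSLEngine}
         * for the target address and swaps itself for the real {@link SslHandler}, followed by a
         * {@link HandshakeWaitingHandler} (presumably holding traffic until the handshake completes —
         * confirm in that class).
         */
        private class ClientSslHandlerInitializer extends SimpleChannelHandler {
            private ClientSslHandlerInitializer() {
            }

            @Override
            public void connectRequested(ChannelHandlerContext channelHandlerContext, ChannelStateEvent channelStateEvent) {
                SSLEngine engine;
                if (ShieldNettyTransport.this.settings.getAsBoolean(HOSTNAME_VERIFICATION_SETTING, true)) {
                    // The event value is the remote address being connected to; binding the engine to its
                    // host/port is what gives JSSE a name to compare the peer certificate against.
                    InetSocketAddress remote = (InetSocketAddress) channelStateEvent.getValue();
                    engine = ShieldNettyTransport.this.clientSSLService.createSSLEngine(sslSettings, getHostname(remote), remote.getPort());
                    // "HTTPS" endpoint identification makes the engine itself check the certificate's
                    // subject alternative names / CN against that host name during the handshake.
                    SSLParameters parameters = new SSLParameters();
                    parameters.setEndpointIdentificationAlgorithm("HTTPS");
                    engine.setSSLParameters(parameters);
                } else {
                    // No host name is supplied, so no endpoint identification takes place.
                    engine = ShieldNettyTransport.this.clientSSLService.createSSLEngine(sslSettings);
                }
                engine.setUseClientMode(true);
                ChannelPipeline pipeline = channelHandlerContext.getPipeline();
                pipeline.replace(this, SSL_HANDLER, new SslHandler(engine));
                pipeline.addAfter(SSL_HANDLER, HANDSHAKE_HANDLER, new HandshakeWaitingHandler(ShieldNettyTransport.this.logger));
                channelHandlerContext.sendDownstream(channelStateEvent);
            }

            /**
             * Returns the name hostname verification should check for {@code inetSocketAddress}:
             * the resolved name when {@value #HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING} is on
             * (may trigger a reverse lookup), otherwise the literal host string.
             */
            @SuppressForbidden(reason = "need to use getHostName to resolve DNS name for SSL connections and hostname verification")
            private String getHostname(InetSocketAddress inetSocketAddress) {
                boolean resolveName = ShieldNettyTransport.this.settings.getAsBoolean(HOSTNAME_VERIFICATION_RESOLVE_NAME_SETTING, true);
                String hostName = resolveName ? inetSocketAddress.getHostName() : inetSocketAddress.getHostString();
                if (ShieldNettyTransport.this.logger.isTraceEnabled()) {
                    ShieldNettyTransport.this.logger.trace("resolved hostname [{}] for address [{}] to be used in ssl hostname verification", hostName, inetSocketAddress);
                }
                return hostName;
            }
        }

        /**
         * @param nettyTransport the owning transport, handed to the base factory
         */
        public SslClientChannelPipelineFactory(NettyTransport nettyTransport) {
            super(nettyTransport);
            // Outbound connections use the "default" profile's shield.* settings; other profiles are not consulted.
            Map<String, Settings> profiles = ShieldNettyTransport.this.settings.getGroups("transport.profiles");
            if (profiles.containsKey("default")) {
                this.sslSettings = profiles.get("default").getByPrefix("shield.");
            } else {
                this.sslSettings = Settings.EMPTY;
            }
        }

        /**
         * Returns the base client pipeline, with the SSL initializer placed first when
         * transport-wide TLS is enabled.
         */
        @Override
        public ChannelPipeline getPipeline() throws Exception {
            ChannelPipeline pipeline = super.getPipeline();
            if (ShieldNettyTransport.this.ssl) {
                pipeline.addFirst(SSL_INITIALIZER_HANDLER, new ClientSslHandlerInitializer());
            }
            return pipeline;
        }
    }

    /**
     * Server pipeline factory for one transport profile: adds a server-mode {@link SslHandler}
     * when the profile has TLS enabled and an IP-filter handler when a filter is configured.
     */
    private class SslServerChannelPipelineFactory extends NettyTransport.ServerChannelPipelineFactory {
        /** The profile's {@code shield.*} settings, passed to the server SSL service. */
        private final Settings shieldProfileSettings;
        /** Profile-level TLS switch, defaulting to the transport-wide value. */
        private final boolean profileSsl;
        /** Client-certificate mode applied to every engine this factory creates. */
        private final SSLClientAuth clientAuth;

        /**
         * @param nettyTransport the owning transport
         * @param str the profile name
         * @param settings the transport-wide settings (source of the client-auth fallback)
         * @param settings2 the profile's settings
         */
        public SslServerChannelPipelineFactory(NettyTransport nettyTransport, String str, Settings settings, Settings settings2) {
            super(nettyTransport, str, settings);
            // Hide the profile's shield.* keys from settings output — presumably because key-store
            // material lives under that prefix; confirm in ShieldSettingsFilter.
            ShieldNettyTransport.this.settingsFilter.filterOut("transport.profiles." + str + ".shield.*");
            this.profileSsl = settings2.getAsBoolean(TRANSPORT_PROFILE_SSL_SETTING, ShieldNettyTransport.this.ssl);
            // Profile value first, then the transport-wide value, then REQUIRED.
            this.clientAuth = SSLClientAuth.parse(
                    settings2.get(TRANSPORT_PROFILE_CLIENT_AUTH_SETTING, settings.get(TRANSPORT_CLIENT_AUTH_SETTING)),
                    TRANSPORT_CLIENT_AUTH_DEFAULT);
            this.shieldProfileSettings = settings2.getByPrefix("shield.");
        }

        /**
         * Returns the base server pipeline with the {@code ssl} handler (when the profile uses TLS)
         * and the {@code ipfilter} handler (when a filter is configured) placed in front of it.
         *
         * @throws IllegalStateException if the profile enables TLS but no server SSL service was injected
         */
        @Override
        public ChannelPipeline getPipeline() throws Exception {
            ChannelPipeline pipeline = super.getPipeline();
            if (profileSsl) {
                if (ShieldNettyTransport.this.serverSslService == null) {
                    // Fail with a readable message instead of an NPE from createSSLEngine.
                    throw new IllegalStateException("profile [" + name + "] has ssl enabled but no server ssl service is available");
                }
                SSLEngine engine = ShieldNettyTransport.this.serverSslService.createSSLEngine(shieldProfileSettings);
                engine.setUseClientMode(false);
                clientAuth.configure(engine);
                pipeline.addFirst(SSL_HANDLER, new SslHandler(engine));
            }
            if (ShieldNettyTransport.this.authenticator != null) {
                // Added last with addFirst, so the IP filter sits ahead of the SSL handler and sees
                // inbound events before any TLS processing for that channel.
                pipeline.addFirst(IP_FILTER_HANDLER, new IPFilterNettyUpstreamHandler(ShieldNettyTransport.this.authenticator, name));
            }
            return pipeline;
        }
    }

    /**
     * @param iPFilter optional IP filter; {@code null} disables IP filtering
     * @param serverSSLService optional server SSL service; required by any profile that enables TLS
     */
    @Inject
    public ShieldNettyTransport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays, Version version, @Nullable IPFilter iPFilter, @Nullable ServerSSLService serverSSLService, ClientSSLService clientSSLService, ShieldSettingsFilter shieldSettingsFilter, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService) {
        super(settings, threadPool, networkService, bigArrays, version, namedWriteableRegistry, circuitBreakerService);
        this.authenticator = iPFilter;
        this.ssl = settings.getAsBoolean(TRANSPORT_SSL_SETTING, TRANSPORT_SSL_DEFAULT);
        this.serverSslService = serverSSLService;
        this.clientSSLService = clientSSLService;
        this.settingsFilter = shieldSettingsFilter;
    }

    @Override
    public ChannelPipelineFactory configureClientChannelPipelineFactory() {
        return new SslClientChannelPipelineFactory(this);
    }

    /**
     * @param str the profile name
     * @param settings the profile's settings
     */
    @Override
    public ChannelPipelineFactory configureServerChannelPipelineFactory(String str, Settings settings) {
        return new SslServerChannelPipelineFactory(this, str, this.settings, settings);
    }

    /**
     * Closes the channel (and drops its node association) when the failure is plaintext arriving
     * on a TLS channel or a close during the handshake; every other failure goes to the base class.
     * Nothing is done unless the transport is started.
     */
    @Override
    protected void exceptionCaught(ChannelHandlerContext channelHandlerContext, ExceptionEvent exceptionEvent) throws Exception {
        if (!lifecycle.started()) {
            return;
        }
        Throwable cause = exceptionEvent.getCause();
        if (SSLExceptionHelper.isNotSslRecordException(cause)) {
            closeAfterSslFailure(channelHandlerContext, cause, "received plaintext traffic on a encrypted channel, closing connection {}");
        } else if (SSLExceptionHelper.isCloseDuringHandshakeException(cause)) {
            closeAfterSslFailure(channelHandlerContext, cause, "connection {} closed during handshake");
        } else {
            super.exceptionCaught(channelHandlerContext, exceptionEvent);
        }
    }

    /**
     * Logs {@code message} (with the stack trace only at trace level, to keep warn output short),
     * then closes the channel and disconnects it from its node.
     */
    private void closeAfterSslFailure(ChannelHandlerContext channelHandlerContext, Throwable cause, String message) {
        if (logger.isTraceEnabled()) {
            logger.trace(message, cause, channelHandlerContext.getChannel());
        } else {
            logger.warn(message, channelHandlerContext.getChannel());
        }
        channelHandlerContext.getChannel().close();
        disconnectFromNodeChannel(channelHandlerContext.getChannel(), cause);
    }
}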
