package org.elasticsearch.shield.transport;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.shield.action.ShieldActionMapper;
import org.elasticsearch.shield.authc.AuthenticationService;
import org.elasticsearch.shield.authc.pki.PkiRealm;
import org.elasticsearch.shield.authz.AuthorizationService;
import org.elasticsearch.shield.support.Exceptions;
import org.elasticsearch.transport.DelegatingTransportChannel;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.netty.NettyTransportChannel;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:org/elasticsearch/shield/transport/ServerTransportFilter.class */
public interface ServerTransportFilter {

    /* loaded from: input_file:org/elasticsearch/shield/transport/ServerTransportFilter$ClientProfile.class */
    /**
     * Filter variant that refuses internal and shard-level actions before
     * delegating to {@link NodeProfile#inbound}.
     *
     * <p>The check is a pure name-pattern test on the action name as it was
     * received ({@code str}); it runs before {@code NodeProfile} maps the name
     * through its {@code ShieldActionMapper}, so it only covers actions whose
     * wire name follows the {@code internal:} prefix / {@code ]} suffix pattern.
     */
    public static class ClientProfile extends NodeProfile {

        /**
         * @param authenticationService service used to authenticate the request
         * @param authorizationService service used to authorize the authenticated request
         * @param shieldActionMapper maps the received action name to the name that is authorized
         * @param z whether the peer's TLS client certificate is extracted (see {@link NodeProfile})
         */
        public ClientProfile(AuthenticationService authenticationService, AuthorizationService authorizationService, ShieldActionMapper shieldActionMapper, boolean z) {
            super(authenticationService, authorizationService, shieldActionMapper, z);
        }

        /**
         * Rejects the request when the received action name starts with
         * {@code internal:} or ends with {@code ]}; otherwise runs the regular
         * authentication and authorization of {@link NodeProfile#inbound}.
         *
         * @param str action name as received on the transport
         * @param transportRequest the inbound request
         * @param transportChannel the channel the request arrived on
         * @throws IOException propagated from {@link NodeProfile#inbound}
         */
        @Override
        public void inbound(String str, TransportRequest transportRequest, TransportChannel transportChannel) throws IOException {
            final boolean internalAction = str.startsWith("internal:");
            final boolean bracketSuffixed = str.endsWith("]");
            // Rejected before any authentication or authorization work is done.
            if (internalAction || bracketSuffixed) {
                throw Exceptions.authenticationError("executing internal/shard actions is considered malicious and forbidden", new Object[0]);
            }
            super.inbound(str, transportRequest, transportChannel);
        }
    }

    /* loaded from: input_file:org/elasticsearch/shield/transport/ServerTransportFilter$NodeProfile.class */
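    /**
     * Default {@link ServerTransportFilter}: optionally copies the peer's TLS
     * client certificate chain into the request context, then authenticates
     * and authorizes the request.
     */
    public static class NodeProfile implements ServerTransportFilter {
        private static final ESLogger logger = Loggers.getLogger(NodeProfile.class);

        private final AuthenticationService authcService;
        private final AuthorizationService authzService;
        private final ShieldActionMapper actionMapper;
        // When true, inbound() tries to read the peer certificate chain from the TLS session.
        private final boolean extractClientCert;

        /**
         * @param authenticationService service used to authenticate the request
         * @param authorizationService service used to authorize the authenticated request
         * @param shieldActionMapper maps the received action name to the name that is authorized
         * @param z whether to extract the peer's TLS client certificate chain
         */
        public NodeProfile(AuthenticationService authenticationService, AuthorizationService authorizationService, ShieldActionMapper shieldActionMapper, boolean z) {
            this.authcService = authenticationService;
            this.authzService = authorizationService;
            this.actionMapper = shieldActionMapper;
            this.extractClientCert = z;
        }

        /**
         * Authenticates and authorizes an inbound transport request.
         *
         * <p>If certificate extraction is enabled and the innermost channel is a
         * {@code NettyTransportChannel}, the peer certificate chain of the TLS
         * session is stored in the request context under
         * {@code PkiRealm.PKI_CERT_HEADER_NAME}. A peer that presented no
         * verified certificate is only logged; the request still proceeds to
         * authentication, without a certificate in its context.
         *
         * @param str action name as received on the transport
         * @param transportRequest the inbound request; may receive the certificate chain in its context
         * @param transportChannel the channel the request arrived on, possibly wrapped in delegating channels
         * @throws IOException declared by the interface
         * @throws IllegalStateException if certificate extraction is enabled but the
         *         channel pipeline contains no {@code SslHandler}
         */
        @Override
        public void inbound(String str, TransportRequest transportRequest, TransportChannel transportChannel) throws IOException {
            // Authentication and authorization both use the mapped action name, not the raw one.
            String action = this.actionMapper.action(str, transportRequest);

            // Peel off delegating wrappers to reach the underlying channel.
            TransportChannel unwrapped = transportChannel;
            while (unwrapped instanceof DelegatingTransportChannel) {
                unwrapped = ((DelegatingTransportChannel) unwrapped).getChannel();
            }

            if (this.extractClientCert && unwrapped instanceof NettyTransportChannel) {
                Channel channel = ((NettyTransportChannel) unwrapped).getChannel();
                SslHandler sslHandler = channel.getPipeline().get(SslHandler.class);
                assert sslHandler != null;
                if (sslHandler == null) {
                    // With assertions disabled this would otherwise surface as a bare
                    // NullPointerException; fail closed with a diagnosable message instead.
                    throw new IllegalStateException("client certificate extraction is enabled but channel [" + channel + "] has no SslHandler in its pipeline");
                }
                try {
                    Certificate[] peerChain = sslHandler.getEngine().getSession().getPeerCertificates();
                    // Runtime array-type check: only a chain that is actually an
                    // X509Certificate[] is handed on to the PKI realm.
                    // NOTE(review): how the chain was validated depends on the SSL engine's
                    // trust configuration, which is not visible here.
                    if (peerChain instanceof X509Certificate[]) {
                        transportRequest.putInContext(PkiRealm.PKI_CERT_HEADER_NAME, peerChain);
                    }
                } catch (SSLPeerUnverifiedException e) {
                    // No verified peer certificate: not an error here, authentication
                    // continues below without a certificate in the context.
                    if (logger.isTraceEnabled()) {
                        logger.trace("SSL Peer did not present a certificate on channel [{}]", e, channel);
                    } else if (logger.isDebugEnabled()) {
                        logger.debug("SSL Peer did not present a certificate on channel [{}]", channel);
                    }
                }
            }

            // NOTE(review): the third argument to authenticate() is null; its meaning is
            // defined by AuthenticationService, which is not shown in this file.
            this.authzService.authorize(this.authcService.authenticate(action, transportRequest, null), action, transportRequest);
        }
    }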

    /**
     * Called for a request received on the transport layer. The implementations
     * in this file authenticate and authorize the request and reject it by
     * throwing an exception.
     *
     * @param str action name as received on the transport
     * @param transportRequest the inbound request
     * @param transportChannel the channel the request arrived on
     * @throws IOException declared for implementations; none of the code in this file throws it directly
     */
    void inbound(String str, TransportRequest transportRequest, TransportChannel transportChannel) throws IOException;
}
