package org.elasticsearch.xpack.security.transport.netty3;

import java.io.IOException;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLEngine;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.internal.Nullable;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.netty3.Netty3Transport;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.monitoring.exporter.http.HttpExporter;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.transport.SSLExceptionHelper;
import org.elasticsearch.xpack.security.transport.filter.IPFilter;
import org.elasticsearch.xpack.ssl.SSLService;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.ChannelStateEvent;
import org.jboss.netty.channel.SimpleChannelHandler;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/transport/netty3/SecurityNetty3Transport.class */
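/**
 * Netty 3 transport that adds TLS and optional IP filtering to {@link Netty3Transport}.
 *
 * <p>The node-wide TLS switch is read from {@code XPackSettings.TRANSPORT_SSL_ENABLED}, and the
 * TLS material comes from the settings under {@code Security.setting("transport.ssl.")}.
 * Outbound (client) channels follow the node-wide switch only. Inbound (server) channels are
 * configured per transport profile, and a profile may override the switch; see
 * {@link #isProfileSSLEnabled(Settings, boolean)}.
 *
 * <p>This listing is decompiler output, so identifiers such as {@code str}, {@code z} and
 * {@code HttpExporter.SSL_SETTING} are reconstructions, not the authors' names.
 */
public class SecurityNetty3Transport extends Netty3Transport {
    /**
     * Per-profile TLS switch. The declared default is {@code false}, but
     * {@link #isProfileSSLEnabled(Settings, boolean)} only consults this setting when it is
     * explicitly present, so an absent key inherits the node-wide value instead.
     */
    public static final Setting<Boolean> PROFILE_SSL_SETTING = Setting.boolSetting(Security.setting("ssl.enabled"), false, new Setting.Property[0]);
    private final SSLService sslService;

    // Optional IP filter; when null, no "ipfilter" handler is installed on server pipelines.
    @Nullable
    private final IPFilter authenticator;
    // Settings found under Security.setting("transport.ssl."); used directly for client engines
    // and passed as the second argument when building per-profile server engines.
    private final Settings transportSSLSettings;
    // Node-wide TLS switch, read once at construction time.
    private final boolean ssl;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/transport/netty3/SecurityNetty3Transport$SslClientChannelPipelineFactory.class */
    /**
     * Builds pipelines for outbound connections and, when TLS is enabled node-wide, arranges for
     * an {@link SslHandler} to be installed once the remote address is known.
     */
    public class SslClientChannelPipelineFactory extends Netty3Transport.ClientChannelPipelineFactory {
        // Captured once from the SSL service's verification mode for the transport settings.
        private final boolean hostnameVerificationEnabled;

        /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/transport/netty3/SecurityNetty3Transport$SslClientChannelPipelineFactory$ClientSslHandlerInitializer.class */
        /**
         * Placeholder handler that swaps itself for the real {@link SslHandler} when a connect is
         * requested. The engine is created this late because the remote address only becomes
         * available with the connect event.
         */
        private class ClientSslHandlerInitializer extends SimpleChannelHandler {
            private ClientSslHandlerInitializer() {
            }

            /**
             * Creates a client-mode {@link SSLEngine}, replaces this handler with an
             * {@link SslHandler}, adds the handshake-waiting handler after it and forwards the
             * connect event downstream.
             *
             * @param channelHandlerContext context of this handler in the channel pipeline
             * @param channelStateEvent connect event; its value is cast to
             *     {@link InetSocketAddress} when hostname verification is enabled
             */
            @Override // org.jboss.netty.channel.SimpleChannelHandler
            public void connectRequested(ChannelHandlerContext channelHandlerContext, ChannelStateEvent channelStateEvent) {
                final SSLEngine engine;
                if (SslClientChannelPipelineFactory.this.hostnameVerificationEnabled) {
                    // Hand the peer's host string and port to the SSL service so the engine knows
                    // which endpoint it is talking to.
                    InetSocketAddress remoteAddress = (InetSocketAddress) channelStateEvent.getValue();
                    engine = SecurityNetty3Transport.this.sslService.createSSLEngine(SecurityNetty3Transport.this.transportSSLSettings, Settings.EMPTY, remoteAddress.getHostString(), remoteAddress.getPort());
                } else {
                    // No peer host/port is supplied in this branch.
                    // NOTE(review): presumably the certificate name is then not matched against
                    // the address being dialled; confirm in SSLService and treat a verification
                    // mode without hostname checks as a deliberate, documented exception.
                    engine = SecurityNetty3Transport.this.sslService.createSSLEngine(SecurityNetty3Transport.this.transportSSLSettings, Settings.EMPTY);
                }
                engine.setUseClientMode(true);
                // NOTE(review): HttpExporter.SSL_SETTING is used here only as a pipeline handler
                // name; it looks like a decompiler constant substitution. Confirm its value
                // before relying on the handler name.
                channelHandlerContext.getPipeline().replace(this, HttpExporter.SSL_SETTING, new SslHandler(engine));
                // NOTE(review): presumably holds traffic until the TLS handshake completes;
                // confirm in Netty3HandshakeWaitingHandler.
                channelHandlerContext.getPipeline().addAfter(HttpExporter.SSL_SETTING, "handshake", new Netty3HandshakeWaitingHandler(SecurityNetty3Transport.this.logger));
                channelHandlerContext.sendDownstream(channelStateEvent);
            }
        }

        /**
         * @param netty3Transport transport passed through to the parent factory
         */
        SslClientChannelPipelineFactory(Netty3Transport netty3Transport) {
            super(netty3Transport);
            this.hostnameVerificationEnabled = SecurityNetty3Transport.this.sslService.getVerificationMode(SecurityNetty3Transport.this.transportSSLSettings, Settings.EMPTY).isHostnameVerificationEnabled();
        }

        /**
         * Returns the parent pipeline, with the TLS initializer placed first when the node-wide
         * TLS switch is on. With the switch off, outbound connections get no TLS handler at all.
         *
         * @return the pipeline for a new outbound channel
         * @throws Exception if the parent factory fails to build its pipeline
         */
        @Override // org.elasticsearch.transport.netty3.Netty3Transport.ClientChannelPipelineFactory, org.jboss.netty.channel.ChannelPipelineFactory
        public ChannelPipeline getPipeline() throws Exception {
            ChannelPipeline pipeline = super.getPipeline();
            if (SecurityNetty3Transport.this.ssl) {
                pipeline.addFirst("sslInitializer", new ClientSslHandlerInitializer());
            }
            return pipeline;
        }
    }

    /* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/transport/netty3/SecurityNetty3Transport$SslServerChannelPipelineFactory.class */
    /**
     * Builds pipelines for inbound connections of one transport profile, adding TLS and the IP
     * filter as configured.
     */
    private class SslServerChannelPipelineFactory extends Netty3Transport.ServerChannelPipelineFactory {
        private final boolean profileSsl;
        private final Settings profileSslSettings;

        /**
         * Resolves the profile's TLS configuration and fails fast when TLS is on but the SSL
         * service reports the configuration unusable for a server.
         *
         * @param netty3Transport transport passed through to the parent factory
         * @param profileName profile name; {@code "default"} selects the transport-level wording
         *     of the error message
         * @param settings settings passed through to the parent factory
         * @param profileSettings settings from which the profile's TLS switch and TLS settings
         *     are read
         * @throws IllegalArgumentException if TLS is enabled for the profile and no usable server
         *     key is configured
         */
        SslServerChannelPipelineFactory(Netty3Transport netty3Transport, String profileName, Settings settings, Settings profileSettings) {
            super(netty3Transport, profileName, settings);
            this.profileSsl = SecurityNetty3Transport.isProfileSSLEnabled(profileSettings, SecurityNetty3Transport.this.ssl);
            this.profileSslSettings = SecurityNetty3Transport.profileSslSettings(profileSettings);
            // Reject a TLS-enabled profile without server key material at construction time,
            // rather than when the first pipeline is built.
            if (this.profileSsl && !SecurityNetty3Transport.this.sslService.isConfigurationValidForServerUsage(this.profileSslSettings, SecurityNetty3Transport.this.transportSSLSettings)) {
                if ("default".equals(profileName)) {
                    throw new IllegalArgumentException("a key must be provided to run as a server. the key should be configured using the [xpack.security.transport.ssl.key] or [xpack.security.transport.ssl.keystore.path] setting");
                }
                throw new IllegalArgumentException("a key must be provided to run as a server. the key should be configured using the [transport.profiles." + profileName + ".xpack.security.ssl.key] or [transport.profiles." + profileName + ".xpack.security.ssl.keystore.path] setting");
            }
        }

        /**
         * Returns the parent pipeline with a server-mode {@link SslHandler} (when TLS is enabled
         * for this profile) and the IP filter (when one is configured) placed at the front.
         *
         * @return the pipeline for a newly accepted channel
         * @throws Exception if the parent factory fails to build its pipeline
         */
        @Override // org.elasticsearch.transport.netty3.Netty3Transport.ServerChannelPipelineFactory, org.jboss.netty.channel.ChannelPipelineFactory
        public ChannelPipeline getPipeline() throws Exception {
            ChannelPipeline pipeline = super.getPipeline();
            if (this.profileSsl) {
                SSLEngine engine = SecurityNetty3Transport.this.sslService.createSSLEngine(this.profileSslSettings, SecurityNetty3Transport.this.transportSSLSettings);
                engine.setUseClientMode(false);
                pipeline.addFirst(HttpExporter.SSL_SETTING, new SslHandler(engine));
            }
            if (SecurityNetty3Transport.this.authenticator != null) {
                // Order matters: this addFirst runs after the TLS handler's addFirst, so the IP
                // filter ends up ahead of TLS and sees a connection before any handshake bytes
                // are processed. Keep the two calls in this order.
                pipeline.addFirst("ipfilter", new IPFilterNetty3UpstreamHandler(SecurityNetty3Transport.this.authenticator, this.name));
            }
            return pipeline;
        }
    }

    /**
     * Creates the transport and captures the node-wide TLS switch and transport TLS settings.
     *
     * @param settings node settings; also the source of the TLS switch and TLS settings
     * @param threadPool passed to the parent transport
     * @param networkService passed to the parent transport
     * @param bigArrays passed to the parent transport
     * @param iPFilter IP filter to install on server pipelines, or {@code null} for none
     * @param sSLService service used to create SSL engines and validate TLS configuration
     * @param namedWriteableRegistry passed to the parent transport
     * @param circuitBreakerService passed to the parent transport
     */
    @Inject
    public SecurityNetty3Transport(Settings settings, ThreadPool threadPool, NetworkService networkService, BigArrays bigArrays, @Nullable IPFilter iPFilter, SSLService sSLService, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService) {
        super(settings, threadPool, networkService, bigArrays, namedWriteableRegistry, circuitBreakerService);
        this.authenticator = iPFilter;
        this.ssl = XPackSettings.TRANSPORT_SSL_ENABLED.get(settings).booleanValue();
        this.sslService = sSLService;
        this.transportSSLSettings = settings.getByPrefix(Security.setting("transport.ssl."));
    }

    /**
     * @return the deprecation notice for this transport type
     */
    @Override // org.elasticsearch.transport.netty3.Netty3Transport
    protected String deprecationMessage() {
        return "transport type [security3] is deprecated";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Starts the parent transport, then gives the IP filter (if any) the bound addresses.
     */
    @Override // org.elasticsearch.transport.netty3.Netty3Transport, org.elasticsearch.transport.TcpTransport, org.elasticsearch.common.component.AbstractLifecycleComponent
    public void doStart() {
        super.doStart();
        if (this.authenticator != null) {
            // The addresses are only passed on after super.doStart() has returned.
            this.authenticator.setBoundTransportAddress(boundAddress(), profileBoundAddresses());
        }
    }

    /**
     * @return a factory producing TLS-aware pipelines for outbound channels
     */
    @Override // org.elasticsearch.transport.netty3.Netty3Transport
    public ChannelPipelineFactory configureClientChannelPipelineFactory() {
        return new SslClientChannelPipelineFactory(this);
    }

    /**
     * @param str profile name
     * @param settings settings from which the profile's TLS configuration is resolved
     * @return a factory producing TLS- and IP-filter-aware pipelines for inbound channels
     * @throws IllegalArgumentException if TLS is enabled for the profile without a usable
     *     server key
     */
    @Override // org.elasticsearch.transport.netty3.Netty3Transport
    public ChannelPipelineFactory configureServerChannelPipelineFactory(String str, Settings settings) {
        return new SslServerChannelPipelineFactory(this, str, this.settings, settings);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Handles channel exceptions, with dedicated treatment for two TLS failure modes: plaintext
     * received on an encrypted channel, and a connection closed during the handshake. Both are
     * logged and the channel is disconnected; anything else is delegated to the parent.
     *
     * <p>The exception is attached to the log entry only at TRACE level. At other levels just
     * the one-line message is logged at WARN.
     *
     * @param channel channel on which the exception occurred
     * @param exc the exception
     * @throws IOException if the parent handler throws it
     */
    @Override // org.elasticsearch.transport.TcpTransport
    public void onException(Channel channel, Exception exc) throws IOException {
        String detailedMessage = ExceptionsHelper.detailedMessage(exc);
        if (SSLExceptionHelper.isNotSslRecordException(exc)) {
            // A peer spoke plaintext to a TLS endpoint: drop the connection rather than continue.
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(() -> {
                    return new ParameterizedMessage("received plaintext traffic on a encrypted channel, closing connection {}", channel);
                }, (Throwable) exc);
            } else {
                this.logger.warn("received plaintext traffic on a encrypted channel, closing connection {}", channel);
            }
            disconnectFromNodeChannel(channel, detailedMessage);
            return;
        }
        if (!SSLExceptionHelper.isCloseDuringHandshakeException(exc)) {
            // Forward the channel itself. The decompiled listing cast it to
            // SecurityNetty3Transport, which a Channel never is, so the cast could only fail.
            super.onException(channel, exc);
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(() -> {
                return new ParameterizedMessage("connection {} closed during handshake", channel);
            }, (Throwable) exc);
        } else {
            this.logger.warn("connection {} closed during handshake", channel);
        }
        disconnectFromNodeChannel(channel, detailedMessage);
    }

    /**
     * Extracts the TLS settings of a profile.
     *
     * @param settings profile settings
     * @return the settings found under the {@code Security.setting("ssl.")} prefix
     */
    public static Settings profileSslSettings(Settings settings) {
        return settings.getByPrefix(Security.setting("ssl."));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Decides whether TLS is enabled for a profile.
     *
     * <p>An explicit {@link #PROFILE_SSL_SETTING} value always wins, in either direction. A
     * profile that sets it to {@code false} therefore accepts plaintext even when TLS is enabled
     * node-wide, so audit profile-level overrides when verifying that transport traffic is
     * encrypted.
     *
     * @param settings profile settings to inspect
     * @param z node-wide TLS switch, used when the profile does not set its own value
     * @return {@code true} if inbound channels of the profile should use TLS
     */
    public static boolean isProfileSSLEnabled(Settings settings, boolean z) {
        return PROFILE_SSL_SETTING.exists(settings) ? PROFILE_SSL_SETTING.get(settings).booleanValue() : z;
    }
}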
