package org.elasticsearch.xpack.security.transport;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.Version;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.admin.indices.close.CloseIndexAction;
import org.elasticsearch.action.admin.indices.delete.DeleteIndexAction;
import org.elasticsearch.action.admin.indices.open.OpenIndexAction;
import org.elasticsearch.action.support.DestructiveOperations;
import org.elasticsearch.common.CheckedConsumer;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.transport.DelegatingTransportChannel;
import org.elasticsearch.transport.TcpTransportChannel;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportService;
import org.elasticsearch.xpack.security.SecurityContext;
import org.elasticsearch.xpack.security.action.SecurityActionMapper;
import org.elasticsearch.xpack.security.authc.Authentication;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.pki.PkiRealm;
import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.AuthorizationUtils;
import org.elasticsearch.xpack.security.support.Exceptions;
import org.elasticsearch.xpack.security.user.KibanaUser;
import org.elasticsearch.xpack.security.user.SystemUser;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:x-pack-api-5.4.3.jar:org/elasticsearch/xpack/security/transport/ServerTransportFilter.class */
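/**
 * Server-side filter for inbound transport requests.
 *
 * <p>An implementation is handed every request that arrives on a transport profile, before the
 * request handler runs. It must either complete {@code actionListener} with {@code null} once the
 * request has been authenticated and authorized, or fail it (via {@code onFailure} or by throwing)
 * so that the request never reaches its handler.
 */
public interface ServerTransportFilter {

    /**
     * Filter for transport profiles that serve (non-node) transport clients.
     *
     * <p>In addition to the {@link NodeProfile} checks, a client is never allowed to invoke
     * internal actions ({@code internal:*}) or shard-level actions (action names ending in
     * {@code ]}) directly; the only exception is the transport handshake, which every connection
     * must be able to perform.
     */
    public static class ClientProfile extends NodeProfile {

        /**
         * Creates a client-profile filter; all parameters are forwarded unchanged to
         * {@link NodeProfile#NodeProfile}.
         */
        public ClientProfile(AuthenticationService authenticationService, AuthorizationService authorizationService,
                             ThreadContext threadContext, boolean extractClientCert, DestructiveOperations destructiveOperations,
                             boolean reservedRealmEnabled, SecurityContext securityContext) {
            super(authenticationService, authorizationService, threadContext, extractClientCert, destructiveOperations,
                    reservedRealmEnabled, securityContext);
        }

        /**
         * Rejects internal and shard-level actions, then applies the node-profile checks.
         *
         * <p>The check is made on the raw action name, before the security action mapping done by
         * {@link NodeProfile#inbound}. A rejected request fails with the unchecked authentication
         * error produced by {@link Exceptions#authenticationError}; the listener is not notified.
         *
         * @throws IOException propagated from {@link NodeProfile#inbound}
         */
        @Override
        public void inbound(String action, TransportRequest transportRequest, TransportChannel transportChannel,
                            ActionListener<Void> actionListener) throws IOException {
            final boolean internalOrShardAction = action.startsWith("internal:") || action.endsWith("]");
            if (internalOrShardAction && TransportService.HANDSHAKE_ACTION_NAME.equals(action) == false) {
                throw Exceptions.authenticationError("executing internal/shard actions is considered malicious and forbidden");
            }
            super.inbound(action, transportRequest, transportChannel, actionListener);
        }
    }

    /**
     * Default filter for node-to-node transport profiles.
     *
     * <p>For every inbound request this filter, in order:
     * <ol>
     *   <li>rejects close/open/delete-index requests that the {@link DestructiveOperations} policy
     *       forbids (the listener is failed with the resulting {@link IllegalArgumentException});</li>
     *   <li>when configured to do so, copies the TLS peer certificate chain of the underlying
     *       channel into the thread context under {@link PkiRealm#PKI_CERT_HEADER_NAME} so that the
     *       PKI realm can authenticate it;</li>
     *   <li>authenticates the request through the {@link AuthenticationService};</li>
     *   <li>authorizes it through the {@link AuthorizationService} and completes the listener with
     *       {@code null}.</li>
     * </ol>
     */
    public static class NodeProfile implements ServerTransportFilter {
        private static final Logger logger = Loggers.getLogger(NodeProfile.class);

        private final AuthenticationService authcService;
        private final AuthorizationService authzService;
        private final SecurityActionMapper actionMapper = new SecurityActionMapper();
        private final ThreadContext threadContext;
        // whether the TLS client certificate chain is published to the thread context for the PKI realm
        private final boolean extractClientCert;
        private final DestructiveOperations destructiveOperations;
        // whether the reserved realm (and therefore the built-in kibana user) is in use
        private final boolean reservedRealmEnabled;
        private final SecurityContext securityContext;

        /**
         * Creates a node-profile filter.
         *
         * @param authenticationService service used to authenticate every request
         * @param authorizationService  service used to authorize every request
         * @param threadContext         thread context that receives the peer certificate chain
         * @param extractClientCert     whether to publish the TLS peer certificate chain for the PKI realm
         * @param destructiveOperations policy applied to close/open/delete-index requests
         * @param reservedRealmEnabled  whether the reserved realm is enabled
         * @param securityContext       used to run authorization as a different user when required
         */
        public NodeProfile(AuthenticationService authenticationService, AuthorizationService authorizationService,
                           ThreadContext threadContext, boolean extractClientCert, DestructiveOperations destructiveOperations,
                           boolean reservedRealmEnabled, SecurityContext securityContext) {
            this.authcService = authenticationService;
            this.authzService = authorizationService;
            this.threadContext = threadContext;
            this.extractClientCert = extractClientCert;
            this.destructiveOperations = destructiveOperations;
            this.reservedRealmEnabled = reservedRealmEnabled;
            this.securityContext = securityContext;
        }

        /**
         * Authenticates and authorizes an inbound request, completing {@code actionListener} with
         * {@code null} on success and failing it otherwise.
         *
         * @param action           raw transport action name
         * @param transportRequest the inbound request
         * @param transportChannel channel the request arrived on; unwrapped to find the TLS session
         * @param actionListener   completed once the request may proceed, or failed
         * @throws IOException never thrown here; declared by the interface
         */
        @Override
        public void inbound(String action, TransportRequest transportRequest, TransportChannel transportChannel,
                            ActionListener<Void> actionListener) throws IOException {
            if (isDestructiveIndexAction(action)) {
                try {
                    destructiveOperations.failDestructive(((IndicesRequest) transportRequest).indices());
                } catch (IllegalArgumentException e) {
                    actionListener.onFailure(e);
                    return;
                }
            }

            // the name used for authentication/authorization may differ from the raw transport action
            final String securityAction = actionMapper.action(action, transportRequest);

            final TransportChannel unwrappedChannel = unwrapChannel(transportChannel);
            if (extractClientCert && unwrappedChannel instanceof TcpTransportChannel) {
                extractClientCertificatesFromChannel((TcpTransportChannel) unwrappedChannel);
            }

            final Version version = transportChannel.getVersion();
            authcService.authenticate(securityAction, transportRequest, null, version, ActionListener.wrap(authentication -> {
                if (reservedRealmEnabled
                        && authentication.getVersion().before(Version.V_5_2_0)
                        && KibanaUser.NAME.equals(authentication.getUser().authenticatedUser().principal())) {
                    // a kibana user authenticated by a pre-5.2 node is re-evaluated as the current kibana user
                    executeAsCurrentVersionKibanaUser(securityAction, transportRequest, version, actionListener, authentication);
                } else if (securityAction.equals(TransportService.HANDSHAKE_ACTION_NAME) == false
                        || SystemUser.is(authentication.getUser())) {
                    authorizeAsync(authentication, actionListener, securityAction, transportRequest);
                } else {
                    // a handshake from a non-system user is authorized as the system user
                    securityContext.executeAsUser(SystemUser.INSTANCE, storedContext -> {
                        final Authentication systemAuthentication = Authentication.getAuthentication(threadContext);
                        authorizeAsync(systemAuthentication, actionListener, securityAction, transportRequest);
                    }, version);
                }
            }, actionListener::onFailure));
        }

        /** Whether {@code action} is one of the index-level actions subject to the destructive-operations policy. */
        private static boolean isDestructiveIndexAction(String action) {
            return CloseIndexAction.NAME.equals(action)
                    || OpenIndexAction.NAME.equals(action)
                    || DeleteIndexAction.NAME.equals(action);
        }

        /** Strips every {@link DelegatingTransportChannel} layer to reach the channel that owns the connection. */
        private static TransportChannel unwrapChannel(TransportChannel channel) {
            TransportChannel current = channel;
            while (current instanceof DelegatingTransportChannel) {
                current = ((DelegatingTransportChannel) current).getChannel();
            }
            return current;
        }

        /**
         * Re-runs authorization for a pre-5.2 kibana authentication as the current-version
         * {@link KibanaUser}, completing {@code actionListener} from within that context.
         *
         * @throws IllegalStateException if the authenticated kibana user is disabled
         */
        private void executeAsCurrentVersionKibanaUser(String action, TransportRequest transportRequest, Version version,
                                                       ActionListener<Void> actionListener, Authentication authentication) {
            final KibanaUser kibanaUser = new KibanaUser(authentication.getUser().enabled());
            if (kibanaUser.enabled() == false) {
                throw new IllegalStateException("a disabled user should never be sent. " + kibanaUser);
            }
            securityContext.executeAsUser(kibanaUser, storedContext -> {
                final Authentication kibanaAuthentication = securityContext.getAuthentication();
                authorizeAsync(kibanaAuthentication, actionListener, action, transportRequest);
            }, version);
        }

        /**
         * Resolves the roles for {@code authentication}, authorizes {@code action} with them and
         * completes {@code actionListener} with {@code null}; failures are reported to the listener
         * by the {@link AuthorizationUtils.AsyncAuthorizer}.
         */
        private void authorizeAsync(Authentication authentication, ActionListener<Void> actionListener, String action,
                                    TransportRequest transportRequest) {
            new AuthorizationUtils.AsyncAuthorizer(authentication, actionListener, (userRoles, runAsRoles) -> {
                authzService.authorize(authentication, action, transportRequest, userRoles, runAsRoles);
                actionListener.onResponse(null);
            }).authorize(authzService);
        }

        /**
         * Locates the TLS engine of the raw network channel behind {@code tcpChannel} and publishes
         * its peer certificate chain. Both the {@code org.jboss.netty} (Netty 3) and the
         * {@code io.netty} (Netty 4) channel types are supported; any other channel type is ignored.
         */
        private void extractClientCertificatesFromChannel(TcpTransportChannel tcpChannel) {
            final Object rawChannel = tcpChannel.getChannel();
            if (rawChannel instanceof Channel) {
                final Channel channel = (Channel) rawChannel;
                final SslHandler sslHandler = channel.getPipeline().get(SslHandler.class);
                assert sslHandler != null;
                extractClientCertificates(sslHandler.getEngine(), channel);
            } else if (rawChannel instanceof io.netty.channel.Channel) {
                final io.netty.channel.Channel channel = (io.netty.channel.Channel) rawChannel;
                final io.netty.handler.ssl.SslHandler sslHandler = channel.pipeline().get(io.netty.handler.ssl.SslHandler.class);
                // a closed channel may already have had its ssl handler removed, so only look at open ones
                if (channel.isOpen()) {
                    assert sslHandler != null : "channel [" + channel + "] did not have a ssl handler. pipeline " + channel.pipeline();
                    extractClientCertificates(sslHandler.engine(), channel);
                }
            }
        }

        /**
         * Publishes the peer's X.509 certificate chain to the thread context under
         * {@link PkiRealm#PKI_CERT_HEADER_NAME}. Nothing is published when the peer presented no
         * certificate; that situation is only expected when the engine <em>wants</em> but does not
         * <em>need</em> client authentication, and is logged at debug/trace level.
         *
         * @param engine  the TLS engine of the connection
         * @param channel the raw channel, used only for logging
         */
        private void extractClientCertificates(SSLEngine engine, Object channel) {
            try {
                final Certificate[] peerCertificates = engine.getSession().getPeerCertificates();
                // only X.509 chains are meaningful to the PKI realm
                if (peerCertificates instanceof X509Certificate[]) {
                    threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, peerCertificates);
                }
            } catch (SSLPeerUnverifiedException e) {
                assert engine.getNeedClientAuth() == false;
                assert engine.getWantClientAuth();
                if (logger.isTraceEnabled()) {
                    logger.trace(new ParameterizedMessage("SSL Peer did not present a certificate on channel [{}]", channel), e);
                } else if (logger.isDebugEnabled()) {
                    logger.debug("SSL Peer did not present a certificate on channel [{}]", channel);
                }
            }
        }
    }

    /**
     * Filters an inbound transport request.
     *
     * @param action           raw transport action name
     * @param transportRequest the inbound request
     * @param transportChannel channel the request arrived on
     * @param actionListener   completed with {@code null} when the request may proceed, failed otherwise
     * @throws IOException if the filter cannot process the request
     */
    void inbound(String action, TransportRequest transportRequest, TransportChannel transportChannel,
                 ActionListener<Void> actionListener) throws IOException;
}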
