package org.graylog2.plugin.inputs.transports;

import com.codahale.metrics.Gauge;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.PooledByteBufAllocator;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelOption;
import io.netty.channel.EventLoopGroup;
import io.netty.channel.FixedRecvByteBufAllocator;
import io.netty.channel.group.ChannelGroup;
import io.netty.channel.group.DefaultChannelGroup;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import io.netty.util.concurrent.GlobalEventExecutor;
import java.io.File;
import java.io.IOException;
import java.net.SocketAddress;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.concurrent.Callable;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import javax.annotation.Nullable;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.graylog2.configuration.HttpConfiguration;
import org.graylog2.inputs.transports.AmqpTransport;
import org.graylog2.inputs.transports.NettyTransportConfiguration;
import org.graylog2.inputs.transports.netty.ByteBufMessageAggregationHandler;
import org.graylog2.inputs.transports.netty.ChannelRegistrationHandler;
import org.graylog2.inputs.transports.netty.EventLoopGroupFactory;
import org.graylog2.inputs.transports.netty.ExceptionLoggingChannelHandler;
import org.graylog2.inputs.transports.netty.RawMessageHandler;
import org.graylog2.inputs.transports.netty.ServerSocketChannelFactory;
import org.graylog2.plugin.LocalMetricRegistry;
import org.graylog2.plugin.configuration.Configuration;
import org.graylog2.plugin.configuration.ConfigurationRequest;
import org.graylog2.plugin.configuration.fields.BooleanField;
import org.graylog2.plugin.configuration.fields.ConfigurationField;
import org.graylog2.plugin.configuration.fields.DropdownField;
import org.graylog2.plugin.configuration.fields.TextField;
import org.graylog2.plugin.inputs.MessageInput;
import org.graylog2.plugin.inputs.MisfireException;
import org.graylog2.plugin.inputs.annotations.ConfigClass;
import org.graylog2.plugin.inputs.codecs.CodecAggregator;
import org.graylog2.plugin.inputs.transports.NettyTransport;
import org.graylog2.plugin.inputs.transports.util.KeyUtil;
import org.graylog2.plugin.inputs.util.ConnectionCounter;
import org.graylog2.plugin.inputs.util.ThroughputCounter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog2/plugin/inputs/transports/AbstractTcpTransport.class */
public abstract class AbstractTcpTransport extends NettyTransport {
    private static final String CK_TLS_CERT_FILE = "tls_cert_file";
    private static final String CK_TLS_KEY_FILE = "tls_key_file";
    private static final String CK_TLS_ENABLE = "tls_enable";
    private static final String CK_TLS_KEY_PASSWORD = "tls_key_password";
    private static final String CK_TLS_CLIENT_AUTH = "tls_client_auth";
    private static final String CK_TLS_CLIENT_AUTH_TRUSTED_CERT_FILE = "tls_client_auth_cert_file";
    private static final String CK_TCP_KEEPALIVE = "tcp_keepalive";
    private static final String TLS_CLIENT_AUTH_DISABLED = "disabled";
    private final ConnectionCounter connectionCounter;
    private final AtomicInteger connections;
    private final AtomicLong totalConnections;
    protected final Configuration configuration;
    protected final EventLoopGroup parentEventLoopGroup;
    private final NettyTransportConfiguration nettyTransportConfiguration;
    private final org.graylog2.Configuration graylogConfiguration;
    private final AtomicReference<Channel> channelReference;
    private final boolean tlsEnable;
    private final String tlsKeyPassword;
    private File tlsCertFile;
    private File tlsKeyFile;
    private final File tlsClientAuthCertFile;
    private final String tlsClientAuth;
    private final boolean tcpKeepalive;
    private ChannelGroup childChannels;
    protected EventLoopGroup childEventLoopGroup;
    private ServerBootstrap bootstrap;
    private static final Logger LOG = LoggerFactory.getLogger(AbstractTcpTransport.class);
    private static final String TLS_CLIENT_AUTH_OPTIONAL = "optional";
    private static final String TLS_CLIENT_AUTH_REQUIRED = "required";
    private static final ImmutableMap<String, String> TLS_CLIENT_AUTH_OPTIONS = ImmutableMap.of("disabled", "disabled", TLS_CLIENT_AUTH_OPTIONAL, TLS_CLIENT_AUTH_OPTIONAL, TLS_CLIENT_AUTH_REQUIRED, TLS_CLIENT_AUTH_REQUIRED);

    @ConfigClass
    /* loaded from: input_file:org/graylog2/plugin/inputs/transports/AbstractTcpTransport$Config.class */
    public static class Config extends NettyTransport.Config {
        @Override // org.graylog2.plugin.inputs.transports.NettyTransport.Config, org.graylog2.plugin.inputs.transports.Transport.Config
        public ConfigurationRequest getRequestedConfiguration() {
            ConfigurationRequest requestedConfiguration = super.getRequestedConfiguration();
            requestedConfiguration.addField(new TextField(AbstractTcpTransport.CK_TLS_CERT_FILE, "TLS cert file", HttpConfiguration.PATH_WEB, "Path to the TLS certificate file", ConfigurationField.Optional.OPTIONAL));
            requestedConfiguration.addField(new TextField(AbstractTcpTransport.CK_TLS_KEY_FILE, "TLS private key file", HttpConfiguration.PATH_WEB, "Path to the TLS private key file", ConfigurationField.Optional.OPTIONAL));
            requestedConfiguration.addField(new BooleanField(AbstractTcpTransport.CK_TLS_ENABLE, "Enable TLS", false, "Accept TLS connections"));
            requestedConfiguration.addField(new TextField(AbstractTcpTransport.CK_TLS_KEY_PASSWORD, "TLS key password", HttpConfiguration.PATH_WEB, "The password for the encrypted key file.", ConfigurationField.Optional.OPTIONAL, TextField.Attribute.IS_PASSWORD));
            requestedConfiguration.addField(new DropdownField(AbstractTcpTransport.CK_TLS_CLIENT_AUTH, "TLS client authentication", "disabled", AbstractTcpTransport.TLS_CLIENT_AUTH_OPTIONS, "Whether clients need to authenticate themselves in a TLS connection", ConfigurationField.Optional.OPTIONAL));
            requestedConfiguration.addField(new TextField(AbstractTcpTransport.CK_TLS_CLIENT_AUTH_TRUSTED_CERT_FILE, "TLS Client Auth Trusted Certs", HttpConfiguration.PATH_WEB, "TLS Client Auth Trusted Certs  (File or Directory)", ConfigurationField.Optional.OPTIONAL));
            requestedConfiguration.addField(new BooleanField(AbstractTcpTransport.CK_TCP_KEEPALIVE, "TCP keepalive", false, "Enable TCP keepalive packets"));
            return requestedConfiguration;
        }
    }

    /* loaded from: input_file:org/graylog2/plugin/inputs/transports/AbstractTcpTransport$InputLaunchListener.class */
    private static class InputLaunchListener implements ChannelFutureListener {
        private final AtomicReference<Channel> channelReference;
        private final MessageInput input;
        private final int expectedRecvBufferSize;

        public InputLaunchListener(AtomicReference<Channel> atomicReference, MessageInput messageInput, int i) {
            this.channelReference = atomicReference;
            this.input = messageInput;
            this.expectedRecvBufferSize = i;
        }

        public void operationComplete(ChannelFuture channelFuture) throws Exception {
            if (!channelFuture.isSuccess()) {
                AbstractTcpTransport.LOG.warn("Failed to start channel for input {}", this.input, channelFuture.cause());
                return;
            }
            Channel channel = channelFuture.channel();
            this.channelReference.set(channel);
            AbstractTcpTransport.LOG.debug("Started channel {}", channel);
            int receiveBufferSize = channel.config().getReceiveBufferSize();
            if (receiveBufferSize != this.expectedRecvBufferSize) {
                AbstractTcpTransport.LOG.warn("receiveBufferSize (SO_RCVBUF) for input {} (channel {}) should be {} but is {}.", new Object[]{this.input, channel, Integer.valueOf(this.expectedRecvBufferSize), Integer.valueOf(receiveBufferSize)});
            }
        }
    }

    public AbstractTcpTransport(Configuration configuration, ThroughputCounter throughputCounter, LocalMetricRegistry localMetricRegistry, EventLoopGroup eventLoopGroup, EventLoopGroupFactory eventLoopGroupFactory, NettyTransportConfiguration nettyTransportConfiguration, org.graylog2.Configuration configuration2) {
        super(configuration, eventLoopGroupFactory, throughputCounter, localMetricRegistry);
        this.configuration = configuration;
        this.parentEventLoopGroup = eventLoopGroup;
        this.nettyTransportConfiguration = nettyTransportConfiguration;
        this.graylogConfiguration = configuration2;
        this.channelReference = new AtomicReference<>();
        this.childChannels = new DefaultChannelGroup(GlobalEventExecutor.INSTANCE);
        this.tlsEnable = configuration.getBoolean(CK_TLS_ENABLE);
        this.tlsCertFile = getTlsFile(configuration, CK_TLS_CERT_FILE);
        this.tlsKeyFile = getTlsFile(configuration, CK_TLS_KEY_FILE);
        this.tlsKeyPassword = configuration.getString(CK_TLS_KEY_PASSWORD);
        this.tlsClientAuth = configuration.getString(CK_TLS_CLIENT_AUTH, "disabled");
        this.tlsClientAuthCertFile = getTlsFile(configuration, CK_TLS_CLIENT_AUTH_TRUSTED_CERT_FILE);
        this.tcpKeepalive = configuration.getBoolean(CK_TCP_KEEPALIVE);
        this.connections = new AtomicInteger();
        this.totalConnections = new AtomicLong();
        this.connectionCounter = new ConnectionCounter(this.connections, this.totalConnections);
        this.localRegistry.register("open_connections", new Gauge<Integer>() { // from class: org.graylog2.plugin.inputs.transports.AbstractTcpTransport.1
            /* renamed from: getValue, reason: merged with bridge method [inline-methods] */
            public Integer m623getValue() {
                return Integer.valueOf(AbstractTcpTransport.this.connections.get());
            }
        });
        this.localRegistry.register("total_connections", new Gauge<Long>() { // from class: org.graylog2.plugin.inputs.transports.AbstractTcpTransport.2
            /* renamed from: getValue, reason: merged with bridge method [inline-methods] */
            public Long m624getValue() {
                return Long.valueOf(AbstractTcpTransport.this.totalConnections.get());
            }
        });
    }

    private File getTlsFile(Configuration configuration, String str) {
        return new File(configuration.getString(str, HttpConfiguration.PATH_WEB));
    }

    protected ServerBootstrap getBootstrap(MessageInput messageInput) {
        LinkedHashMap<String, Callable<? extends ChannelHandler>> channelHandlers = getChannelHandlers(messageInput);
        LinkedHashMap<String, Callable<? extends ChannelHandler>> childChannelHandlers = getChildChannelHandlers(messageInput);
        this.childEventLoopGroup = this.eventLoopGroupFactory.create(this.workerThreads, this.localRegistry, "workers");
        return new ServerBootstrap().group(this.parentEventLoopGroup, this.childEventLoopGroup).channelFactory(new ServerSocketChannelFactory(this.nettyTransportConfiguration.getType())).option(ChannelOption.ALLOCATOR, PooledByteBufAllocator.DEFAULT).option(ChannelOption.RCVBUF_ALLOCATOR, new FixedRecvByteBufAllocator(8192)).option(ChannelOption.SO_RCVBUF, Integer.valueOf(getRecvBufferSize())).childOption(ChannelOption.SO_RCVBUF, Integer.valueOf(getRecvBufferSize())).childOption(ChannelOption.SO_KEEPALIVE, Boolean.valueOf(this.tcpKeepalive)).handler(getChannelInitializer(channelHandlers)).childHandler(getChannelInitializer(childChannelHandlers));
    }

    @Override // org.graylog2.plugin.inputs.transports.Transport
    public void launch(MessageInput messageInput) throws MisfireException {
        try {
            this.bootstrap = getBootstrap(messageInput);
            this.bootstrap.bind(this.socketAddress).addListener(new InputLaunchListener(this.channelReference, messageInput, getRecvBufferSize())).syncUninterruptibly();
        } catch (Exception e) {
            throw new MisfireException(e);
        }
    }

    @Override // org.graylog2.plugin.inputs.transports.NettyTransport
    @Nullable
    public SocketAddress getLocalAddress() {
        Channel channel = this.channelReference.get();
        if (channel != null) {
            return channel.localAddress();
        }
        return null;
    }

    @Override // org.graylog2.plugin.inputs.transports.Transport
    public void stop() {
        Channel channel = this.channelReference.get();
        if (channel != null) {
            channel.close();
            channel.closeFuture().syncUninterruptibly();
        }
        this.childChannels.close().syncUninterruptibly();
        if (this.childEventLoopGroup != null) {
            this.childEventLoopGroup.shutdownGracefully();
        }
        this.bootstrap = null;
    }

    @Override // org.graylog2.plugin.inputs.transports.NettyTransport
    protected LinkedHashMap<String, Callable<? extends ChannelHandler>> getChildChannelHandlers(MessageInput messageInput) {
        LinkedHashMap<String, Callable<? extends ChannelHandler>> linkedHashMap = new LinkedHashMap<>();
        CodecAggregator aggregator = getAggregator();
        linkedHashMap.put("channel-registration", () -> {
            return new ChannelRegistrationHandler(this.childChannels);
        });
        linkedHashMap.put("traffic-counter", () -> {
            return this.throughputCounter;
        });
        linkedHashMap.put("connection-counter", () -> {
            return this.connectionCounter;
        });
        if (this.tlsEnable) {
            LOG.info("Enabled TLS for input [{}/{}]. key-file=\"{}\" cert-file=\"{}\"", new Object[]{messageInput.getName(), messageInput.getId(), this.tlsKeyFile, this.tlsCertFile});
            linkedHashMap.put(AmqpTransport.CK_TLS, getSslHandlerCallable(messageInput));
        }
        linkedHashMap.putAll(getCustomChildChannelHandlers(messageInput));
        if (aggregator != null) {
            LOG.debug("Adding codec aggregator {} to channel pipeline", aggregator);
            linkedHashMap.put("codec-aggregator", () -> {
                return new ByteBufMessageAggregationHandler(aggregator, this.localRegistry);
            });
        }
        linkedHashMap.put("rawmessage-handler", () -> {
            return new RawMessageHandler(messageInput);
        });
        linkedHashMap.put("exception-logger", () -> {
            return new ExceptionLoggingChannelHandler(messageInput, LOG, this.tcpKeepalive);
        });
        return linkedHashMap;
    }

    private Callable<ChannelHandler> getSslHandlerCallable(MessageInput messageInput) {
        File certificate;
        File privateKey;
        ClientAuth clientAuth;
        if (this.tlsCertFile.exists() && this.tlsKeyFile.exists()) {
            certificate = this.tlsCertFile;
            privateKey = this.tlsKeyFile;
        } else {
            LOG.warn("TLS key file or certificate file does not exist, creating a self-signed certificate for input [{}/{}].", messageInput.getName(), messageInput.getId());
            String property = System.getProperty("java.io.tmpdir");
            Preconditions.checkState(property != null, "The temporary directory must not be null!");
            Path path = Paths.get(property, new String[0]);
            if (!Files.isDirectory(path, new LinkOption[0]) || !Files.isWritable(path)) {
                throw new IllegalStateException("Couldn't write to temporary directory: " + path.toAbsolutePath());
            }
            try {
                SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate(this.configuration.getString(NettyTransport.CK_BIND_ADDRESS) + ":" + this.configuration.getString("port"));
                certificate = selfSignedCertificate.certificate();
                privateKey = selfSignedCertificate.privateKey();
            } catch (CertificateException e) {
                throw new IllegalStateException(String.format(Locale.ENGLISH, "Problem creating a self-signed certificate for input [%s/%s].", messageInput.getName(), messageInput.getId()), e);
            }
        }
        String str = this.tlsClientAuth;
        boolean z = -1;
        switch (str.hashCode()) {
            case -393139297:
                if (str.equals(TLS_CLIENT_AUTH_REQUIRED)) {
                    z = 2;
                    break;
                }
                break;
            case -79017120:
                if (str.equals(TLS_CLIENT_AUTH_OPTIONAL)) {
                    z = true;
                    break;
                }
                break;
            case 270940796:
                if (str.equals("disabled")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                LOG.debug("Not using TLS client authentication");
                clientAuth = ClientAuth.NONE;
                break;
            case true:
                LOG.debug("Using optional TLS client authentication");
                clientAuth = ClientAuth.OPTIONAL;
                break;
            case true:
                LOG.debug("Using mandatory TLS client authentication");
                clientAuth = ClientAuth.REQUIRE;
                break;
            default:
                throw new IllegalArgumentException("Unknown TLS client authentication mode: " + this.tlsClientAuth);
        }
        return buildSslHandlerCallable(this.nettyTransportConfiguration.getTlsProvider(), certificate, privateKey, this.tlsKeyPassword, clientAuth, this.tlsClientAuthCertFile, messageInput);
    }

    private Callable<ChannelHandler> buildSslHandlerCallable(final SslProvider sslProvider, final File file, final File file2, final String str, final ClientAuth clientAuth, final File file3, final MessageInput messageInput) {
        return new Callable<ChannelHandler>() { // from class: org.graylog2.plugin.inputs.transports.AbstractTcpTransport.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public ChannelHandler call() throws Exception {
                try {
                    return new SslHandler(createSslEngine(messageInput));
                } catch (SSLException e) {
                    AbstractTcpTransport.LOG.error("Error creating SSL context. Make sure the certificate and key are in the correct format: cert=X.509 key=PKCS#8");
                    throw e;
                }
            }

            private SSLEngine createSslEngine(MessageInput messageInput2) throws IOException, CertificateException {
                X509Certificate[] x509CertificateArr;
                if (!EnumSet.of(ClientAuth.OPTIONAL, ClientAuth.REQUIRE).contains(clientAuth)) {
                    x509CertificateArr = null;
                } else if (file3.exists()) {
                    x509CertificateArr = (X509Certificate[]) KeyUtil.loadCertificates(file3.toPath()).stream().filter(certificate -> {
                        return certificate instanceof X509Certificate;
                    }).map(certificate2 -> {
                        return (X509Certificate) certificate2;
                    }).toArray(i -> {
                        return new X509Certificate[i];
                    });
                } else {
                    AbstractTcpTransport.LOG.warn("Client auth configured, but no authorized certificates / certificate authorities configured for input [{}/{}]", messageInput2.getName(), messageInput2.getId());
                    x509CertificateArr = null;
                }
                SslContextBuilder trustManager = SslContextBuilder.forServer(file, file2, Strings.emptyToNull(str)).sslProvider(sslProvider).clientAuth(clientAuth).trustManager(x509CertificateArr);
                if (!AbstractTcpTransport.this.graylogConfiguration.getEnabledTlsProtocols().isEmpty()) {
                    trustManager.protocols(AbstractTcpTransport.this.graylogConfiguration.getEnabledTlsProtocols());
                }
                return trustManager.build().newEngine(ByteBufAllocator.DEFAULT);
            }
        };
    }
}
