package org.elasticsearch.shield.rest;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.http.netty.NettyHttpRequest;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestFilter;
import org.elasticsearch.rest.RestFilterChain;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.authc.AuthenticationService;
import org.elasticsearch.shield.authc.pki.PkiRealm;
import org.elasticsearch.shield.license.ShieldLicenseState;
import org.elasticsearch.shield.transport.SSLClientAuth;
import org.elasticsearch.shield.transport.netty.ShieldNettyHttpServerTransport;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:lib/shield.jar:org/elasticsearch/shield/rest/ShieldRestFilter.class */
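/**
 * REST filter that authenticates incoming HTTP requests through the
 * {@link AuthenticationService} before passing them down the filter chain.
 *
 * <p>Authentication is performed only while {@link ShieldLicenseState#securityEnabled()}
 * returns {@code true}, and never for {@code OPTIONS} requests. When the HTTP layer
 * is configured for SSL with client authentication, the peer certificate chain of the
 * TLS session is placed in the request context under
 * {@link PkiRealm#PKI_CERT_HEADER_NAME} before authentication runs.
 */
public class ShieldRestFilter extends RestFilter {
    private final AuthenticationService service;
    private final ESLogger logger;
    private final ShieldLicenseState licenseState;
    // True only when HTTP SSL is enabled AND the client-auth setting parses to an enabled mode.
    private final boolean extractClientCertificate;
    // Decompiled form of the compiler-generated assertion switch; it is initialised in the
    // static block at the end of the class from desiredAssertionStatus().
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Creates the filter and registers it with the REST controller.
     *
     * @param authenticationService service used to authenticate each request
     * @param restController controller this filter registers itself with
     * @param settings node settings; read for the HTTP SSL and HTTP client-auth options
     * @param shieldLicenseState license state consulted on every request
     */
    @Inject
    public ShieldRestFilter(AuthenticationService authenticationService, RestController restController, Settings settings, ShieldLicenseState shieldLicenseState) {
        this.service = authenticationService;
        this.licenseState = shieldLicenseState;
        boolean httpSslEnabled = settings.getAsBoolean(ShieldNettyHttpServerTransport.HTTP_SSL_SETTING, false).booleanValue();
        // Short-circuit: the client-auth setting is only parsed when HTTP SSL is on.
        this.extractClientCertificate = httpSslEnabled && SSLClientAuth.parse(settings.get(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING), ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_DEFAULT).enabled();
        this.logger = Loggers.getLogger(getClass(), settings, new String[0]);
        // Register last: the controller must never receive this security filter while
        // extractClientCertificate and logger still hold their default values, and a
        // failure while reading the settings must not leave a half-built filter registered.
        restController.registerFilter(this);
    }

    /**
     * Returns the ordering key of this filter.
     *
     * @return {@link Integer#MIN_VALUE}
     */
    public int order() {
        // NOTE(review): presumably the lowest value makes this filter run before all
        // others, so nothing handles a request ahead of authentication. Confirm against
        // the controller's sort order.
        return Integer.MIN_VALUE;
    }

    /**
     * Authenticates the request when security is enabled, then continues the chain.
     *
     * <p>The chain is always continued from here; a request is rejected only if
     * {@code authenticate} (or another call in this method) throws.
     *
     * @param restRequest the incoming request
     * @param restChannel the channel the response is written to
     * @param restFilterChain the remaining filters
     * @throws Exception if authentication or any downstream processing fails
     */
    public void process(RestRequest restRequest, RestChannel restChannel, RestFilterChain restFilterChain) throws Exception {
        // When the license state reports security as disabled, no authentication
        // happens in this filter at all.
        if (this.licenseState.securityEnabled()) {
            // OPTIONS requests skip authentication entirely.
            // NOTE(review): presumably this exists for CORS preflight requests, which
            // carry no credentials. Confirm that nothing sensitive is reachable via OPTIONS.
            if (restRequest.method() != RestRequest.Method.OPTIONS) {
                if (this.extractClientCertificate) {
                    // Must run before authenticate() so the chain is in the context by then.
                    putClientCertificateInContext(restRequest, this.logger);
                }
                this.service.authenticate(restRequest);
            }
            RemoteHostHeader.process(restRequest);
        }
        restFilterChain.continueProcessing(restRequest, restChannel);
    }

    /**
     * Copies the TLS peer certificate chain of the request's channel into the request
     * context under {@link PkiRealm#PKI_CERT_HEADER_NAME}.
     *
     * <p>If the peer presented no certificate, this method only logs (at trace or
     * debug level) and returns normally; it does not reject the request.
     *
     * @param restRequest the request; expected to be a {@link NettyHttpRequest}
     * @param eSLogger logger used to report a missing peer certificate
     * @throws Exception if reading the session or updating the context fails
     */
    static void putClientCertificateInContext(RestRequest restRequest, ESLogger eSLogger) throws Exception {
        // The two assertion checks below are skipped when assertions are disabled. In that
        // case a non-Netty request fails on the cast with ClassCastException, and a pipeline
        // without an SslHandler fails with NullPointerException at getEngine().
        if (!$assertionsDisabled && !(restRequest instanceof NettyHttpRequest)) {
            throw new AssertionError();
        }
        NettyHttpRequest nettyHttpRequest = (NettyHttpRequest) restRequest;
        SslHandler sslHandler = nettyHttpRequest.getChannel().getPipeline().get(SslHandler.class);
        if (!$assertionsDisabled && sslHandler == null) {
            throw new AssertionError();
        }
        try {
            Certificate[] peerCertificates = sslHandler.getEngine().getSession().getPeerCertificates();
            // Runtime array-type check: a chain returned as a plain Certificate[] is skipped
            // without any log line, even if every element is an X.509 certificate.
            if (peerCertificates instanceof X509Certificate[]) {
                // The whole chain is stored, not only the leaf certificate.
                restRequest.putInContext(PkiRealm.PKI_CERT_HEADER_NAME, peerCertificates);
            }
        } catch (SSLPeerUnverifiedException e) {
            // Trace includes the exception; debug logs the same message without it.
            if (eSLogger.isTraceEnabled()) {
                eSLogger.trace("SSL Peer did not present a certificate on channel [{}]", e, new Object[]{nettyHttpRequest.getChannel()});
            } else if (eSLogger.isDebugEnabled()) {
                eSLogger.debug("SSL Peer did not present a certificate on channel [{}]", new Object[]{nettyHttpRequest.getChannel()});
            }
        }
    }

    static {
        $assertionsDisabled = !ShieldRestFilter.class.desiredAssertionStatus();
    }
}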
