package org.elasticsearch.shield.transport.netty;

import javax.net.ssl.SSLEngine;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.BigArrays;
import org.elasticsearch.http.netty.NettyHttpServerTransport;
import org.elasticsearch.shield.ssl.ServerSSLService;
import org.elasticsearch.shield.transport.SSLClientAuth;
import org.elasticsearch.shield.transport.SSLExceptionHelper;
import org.elasticsearch.shield.transport.filter.IPFilter;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.ExceptionEvent;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:lib/shield-2.4.0.jar:org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport.class */
/**
 * HTTP server transport that adds Shield's connection-level protections to the stock Netty HTTP
 * transport: an IP filter on every connection and, when {@code shield.http.ssl} is enabled, TLS.
 *
 * <p>Defaults visible in this class: TLS for HTTP is off unless {@link #HTTP_SSL_SETTING} is set
 * ({@link #HTTP_SSL_DEFAULT} is {@code false}), and the client-certificate mode falls back to
 * {@link SSLClientAuth#NO} when {@link #HTTP_CLIENT_AUTH_SETTING} is absent. A deployment that
 * depends on this transport for confidentiality or certificate-based client identity therefore
 * has to enable both settings explicitly.
 */
public class ShieldNettyHttpServerTransport extends NettyHttpServerTransport {
    /** Settings key that switches TLS on for the HTTP layer. */
    public static final String HTTP_SSL_SETTING = "shield.http.ssl";
    /** TLS is disabled for HTTP when {@link #HTTP_SSL_SETTING} is not configured. */
    public static final boolean HTTP_SSL_DEFAULT = false;
    /** Settings key selecting the client-certificate authentication mode for HTTPS. */
    public static final String HTTP_CLIENT_AUTH_SETTING = "shield.http.ssl.client.auth";
    /** Client-certificate mode used when {@link #HTTP_CLIENT_AUTH_SETTING} is not configured. */
    public static final SSLClientAuth HTTP_CLIENT_AUTH_DEFAULT = SSLClientAuth.NO;
    private final IPFilter ipFilter;
    private final ServerSSLService sslService;
    private final boolean ssl;

    /**
     * Creates the transport and reads the HTTP TLS switch once from {@code settings}.
     *
     * @param settings node settings; {@link #HTTP_SSL_SETTING} is read here, the client-auth
     *     setting is read later when the pipeline factory is built
     * @param networkService passed through to the parent transport
     * @param bigArrays passed through to the parent transport
     * @param iPFilter filter handed to the {@code "ipfilter"} pipeline handler
     * @param serverSSLService source of the server-side {@link SSLEngine} instances
     */
    @Inject
    public ShieldNettyHttpServerTransport(Settings settings, NetworkService networkService, BigArrays bigArrays, IPFilter iPFilter, ServerSSLService serverSSLService) {
        super(settings, networkService, bigArrays);
        this.sslService = serverSSLService;
        this.ipFilter = iPFilter;
        // HTTP_SSL_DEFAULT is the compile-time constant false, so this is the same lookup default.
        this.ssl = settings.getAsBoolean(HTTP_SSL_SETTING, HTTP_SSL_DEFAULT);
    }

    /**
     * Handles channel exceptions, treating two TLS-specific failures as "log and close" and
     * delegating everything else to the parent transport.
     *
     * <p>Nothing happens (no log line, no delegation, no close) while the lifecycle is not in
     * the started state. For the two TLS cases the cause is attached to the log line only when
     * TRACE is enabled; otherwise the event is reported at WARN without the cause.
     *
     * @param channelHandlerContext context whose channel is closed for the TLS-specific cases
     * @param exceptionEvent event carrying the cause to classify
     * @throws Exception if the parent handler throws
     */
    protected void exceptionCaught(ChannelHandlerContext channelHandlerContext, ExceptionEvent exceptionEvent) throws Exception {
        if (!this.lifecycle.started()) {
            return;
        }
        final Throwable failure = exceptionEvent.getCause();
        if (SSLExceptionHelper.isNotSslRecordException(failure)) {
            // A peer spoke plaintext HTTP to a TLS-enabled port.
            logAndCloseChannel("received plaintext http traffic on a https channel, closing connection {}", failure, channelHandlerContext);
        } else if (SSLExceptionHelper.isCloseDuringHandshakeException(failure)) {
            logAndCloseChannel("connection {} closed during handshake", failure, channelHandlerContext);
        } else {
            super.exceptionCaught(channelHandlerContext, exceptionEvent);
        }
    }

    /**
     * Logs {@code message} with the context's channel as its single parameter, then closes that
     * channel. TRACE includes {@code cause}; any other level logs at WARN without it.
     */
    private void logAndCloseChannel(String message, Throwable cause, ChannelHandlerContext channelHandlerContext) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message, cause, new Object[]{channelHandlerContext.getChannel()});
        } else {
            this.logger.warn(message, new Object[]{channelHandlerContext.getChannel()});
        }
        channelHandlerContext.getChannel().close();
    }

    /**
     * Supplies the Shield-aware pipeline factory in place of the parent's.
     *
     * @return a new {@link HttpSslChannelPipelineFactory} bound to this transport
     */
    public ChannelPipelineFactory configureServerChannelPipelineFactory() {
        return new HttpSslChannelPipelineFactory(this);
    }

    /* loaded from: input_file:lib/shield-2.4.0.jar:org/elasticsearch/shield/transport/netty/ShieldNettyHttpServerTransport$HttpSslChannelPipelineFactory.class */
    /**
     * Pipeline factory that prepends the IP filter and, if TLS is enabled, an {@link SslHandler}
     * to the parent's HTTP pipeline.
     */
    private class HttpSslChannelPipelineFactory extends NettyHttpServerTransport.HttpChannelPipelineFactory {
        // Parsed once per factory; presumably maps to the engine's need/want client-auth flags
        // when configure() is called (SSLClientAuth is not shown here, so confirm there).
        private final SSLClientAuth clientAuth;

        /**
         * @param nettyHttpServerTransport transport handed to the parent factory
         */
        public HttpSslChannelPipelineFactory(NettyHttpServerTransport nettyHttpServerTransport) {
            super(nettyHttpServerTransport, ShieldNettyHttpServerTransport.this.detailedErrorsEnabled);
            final String configuredMode = ShieldNettyHttpServerTransport.this.settings.get(ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_SETTING);
            this.clientAuth = SSLClientAuth.parse(configuredMode, ShieldNettyHttpServerTransport.HTTP_CLIENT_AUTH_DEFAULT);
        }

        /**
         * Builds the parent pipeline and pushes the security handlers onto its head.
         *
         * <p>Both handlers are added with {@code addFirst}, TLS before the IP filter, so the
         * resulting head of the pipeline is {@code "ipfilter"} followed by {@code "ssl"}. The
         * IP filter is installed whether or not TLS is enabled.
         *
         * @return the parent's pipeline with the extra handlers prepended
         * @throws Exception if the parent factory fails to build its pipeline
         */
        public ChannelPipeline getPipeline() throws Exception {
            final ChannelPipeline channelPipeline = super.getPipeline();
            if (ShieldNettyHttpServerTransport.this.ssl) {
                final SSLEngine engine = ShieldNettyHttpServerTransport.this.sslService.createSSLEngine();
                // This side accepts connections, so the engine runs in server mode.
                engine.setUseClientMode(false);
                this.clientAuth.configure(engine);
                channelPipeline.addFirst("ssl", new SslHandler(engine));
            }
            final IPFilterNettyUpstreamHandler ipFilterHandler =
                    new IPFilterNettyUpstreamHandler(ShieldNettyHttpServerTransport.this.ipFilter, IPFilter.HTTP_PROFILE_NAME);
            // Added last with addFirst so it ends up ahead of the TLS handler.
            channelPipeline.addFirst("ipfilter", ipFilterHandler);
            return channelPipeline;
        }
    }
}
