package com.huawei.fusioninsight.elasticsearch.transport.plugin;

import com.huawei.fusioninsight.elasticsearch.transport.common.SecurityConstant;
import com.huawei.fusioninsight.elasticsearch.transport.ssl.ClientSettings;
import com.huawei.fusioninsight.elasticsearch.transport.ssl.HwSSLConfiguration;
import com.huawei.fusioninsight.elasticsearch.transport.ssl.HwSSLService;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.DefaultEventExecutorGroup;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.Version;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.network.CloseableChannel;
import org.elasticsearch.common.network.NetworkService;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.PageCacheRecycler;
import org.elasticsearch.indices.breaker.CircuitBreakerService;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.SharedGroupFactory;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.netty4.ExNetty4MessageChannelHandler;
import org.elasticsearch.transport.netty4.Netty4Transport;

/* loaded from: input_file:com/huawei/fusioninsight/elasticsearch/transport/plugin/HwNettyTransport.class */
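/**
 * Netty4 transport that puts a TLS {@link SslHandler} at the front of client and server
 * channel pipelines and swaps the stock {@code "dispatcher"} handler for
 * {@link ExNetty4MessageChannelHandler}.
 *
 * <p>TLS is controlled by {@link SecurityConstant#HW_TRANSPORT_SECURITY_SSL_ENABLED} and defaults
 * to enabled. When it is switched off, no {@code SslHandler} is installed on either side, so
 * transport traffic is sent in plaintext.
 */
public class HwNettyTransport extends Netty4Transport {
    private static final Logger LOG = LogManager.getLogger(HwNettyTransport.class);

    private final Settings settings;
    private final ThreadPool threadPool;
    private final HwSSLService hwSslService;
    /** Default transport SSL configuration; {@code null} when SSL is disabled. */
    private final HwSSLConfiguration hwSslConfiguration;
    /** Per-profile SSL configuration, always containing a {@code "default"} entry when SSL is enabled. */
    private final Map<String, HwSSLConfiguration> profileConfiguration;
    private final boolean sslEnabled;

    /**
     * Outbound handler that builds the client-side {@link SSLEngine} at connect time, when the
     * remote address is known, and then replaces itself in the pipeline with an {@link SslHandler}.
     *
     * <p>The handler only holds final references, and one instance is added to every channel
     * created by the owning initializer, hence {@code @Sharable}.
     */
    @ChannelHandler.Sharable
    protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
        private final boolean hostnameVerificationEnabled;
        private final HwSSLConfiguration hwSslConfiguration;
        private final HwSSLService hwSslService;
        private final SNIServerName serverName;

        private ClientSSLHandler(HwSSLConfiguration hwSSLConfiguration, HwSSLService hwSSLService, boolean z, SNIServerName sNIServerName) {
            this.hwSslConfiguration = hwSSLConfiguration;
            this.hostnameVerificationEnabled = z;
            this.hwSslService = hwSSLService;
            this.serverName = sNIServerName;
        }

        /**
         * Creates the TLS engine for this connection and installs it as {@code "ssl_client"}
         * before delegating the connect.
         *
         * @throws ClassCastException if hostname verification is enabled and the remote address
         *     is not an {@link InetSocketAddress}
         */
        @Override
        public void connect(ChannelHandlerContext channelHandlerContext, SocketAddress socketAddress, SocketAddress socketAddress2, ChannelPromise channelPromise) throws Exception {
            final SSLEngine engine;
            if (this.hostnameVerificationEnabled) {
                // getHostString() returns the name/literal as dialed and does not do a reverse
                // DNS lookup, so the identity handed to the engine is the one the caller asked for.
                InetSocketAddress peer = (InetSocketAddress) socketAddress;
                engine = this.hwSslService.createSslEngine(this.hwSslConfiguration, peer.getHostString(), peer.getPort());
            } else {
                // No peer host/port is passed to the engine in this mode.
                // NOTE(review): whether any endpoint identification is still applied depends on
                // HwSSLService.createSslEngine, which is not visible here - confirm.
                engine = this.hwSslService.createSslEngine(this.hwSslConfiguration, null, -1);
            }
            engine.setUseClientMode(true);
            if (this.serverName != null) {
                SSLParameters parameters = engine.getSSLParameters();
                parameters.setServerNames(Collections.singletonList(this.serverName));
                engine.setSSLParameters(parameters);
            }
            channelHandlerContext.pipeline().replace(this, "ssl_client", new SslHandler(engine));
            super.connect(channelHandlerContext, socketAddress, socketAddress2, channelPromise);
        }
    }

    /**
     * Client channel initializer that prepends {@link ClientSSLHandler} when SSL is enabled and
     * replaces the {@code "dispatcher"} handler.
     */
    protected class KerberosNetty4ClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
        private final boolean hostnameVerificationEnabled;
        private final ClientSSLHandler clientSSLHandler;
        private final SNIHostName serverName;

        /**
         * @param discoveryNode target node; its {@code "server_name"} attribute, when present and
         *     a valid host name, is sent as the TLS SNI value
         */
        public KerberosNetty4ClientChannelInitializer(DiscoveryNode discoveryNode) {
            super(HwNettyTransport.this);
            this.hostnameVerificationEnabled = HwNettyTransport.this.sslEnabled && HwNettyTransport.this.hwSslConfiguration.verificationMode().isHostnameVerificationEnabled();
            String configuredName = discoveryNode.getAttributes().get("server_name");
            SNIHostName sniName = null;
            if (configuredName != null) {
                try {
                    sniName = new SNIHostName(configuredName);
                } catch (IllegalArgumentException e) {
                    // Best effort: an invalid server_name only disables SNI for this node, the
                    // connection itself is still attempted. Pass the exception so the cause and
                    // stack trace are not lost.
                    HwNettyTransport.LOG.error("Failed to init KerberosNettyClientHandler because : " + e.getMessage(), e);
                }
            }
            this.serverName = sniName;
            // The handler constructor only assigns fields, so it needs no exception handling and
            // the reference added to the pipeline in initChannel can never be null.
            this.clientSSLHandler = new ClientSSLHandler(HwNettyTransport.this.hwSslConfiguration, HwNettyTransport.this.hwSslService, this.hostnameVerificationEnabled, this.serverName);
        }

        @Override
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (HwNettyTransport.this.sslEnabled) {
                // Must be first so that TLS wraps everything the other handlers write.
                channel.pipeline().addFirst(this.clientSSLHandler);
            }
            channel.pipeline().replace("dispatcher", "new_dispatcher", new ExNetty4MessageChannelHandler(HwNettyTransport.this.pageCacheRecycler, HwNettyTransport.this, ".client", HwNettyTransport.this.threadPool));
        }
    }

    /**
     * Server channel initializer that prepends a server-mode {@link SslHandler} built from the
     * profile's SSL configuration and replaces the {@code "dispatcher"} handler.
     */
    protected class KerberosNetty4ServerChannelInitializer extends Netty4Transport.ServerChannelInitializer {
        private final HwSSLConfiguration configuration;

        protected KerberosNetty4ServerChannelInitializer(String str, HwSSLConfiguration hwSSLConfiguration, DefaultEventExecutorGroup defaultEventExecutorGroup) {
            super(HwNettyTransport.this, str, defaultEventExecutorGroup);
            this.configuration = hwSSLConfiguration;
        }

        @Override
        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (HwNettyTransport.this.sslEnabled) {
                // NOTE(review): client-certificate requirements are not set here; presumably they
                // come from the HwSSLConfiguration inside createSslEngine - confirm.
                SSLEngine engine = HwNettyTransport.this.hwSslService.createSslEngine(this.configuration, null, -1);
                engine.setUseClientMode(false);
                channel.pipeline().addFirst("ssl_server", new SslHandler(engine));
            }
            channel.pipeline().replace("dispatcher", "new_dispatcher", new ExNetty4MessageChannelHandler(HwNettyTransport.this.pageCacheRecycler, HwNettyTransport.this, this.name, HwNettyTransport.this.threadPool));
        }
    }

    /**
     * Creates the transport and resolves the SSL configuration for the default transport and for
     * every configured transport profile.
     *
     * @param hwSSLService source of SSL configurations and engines; only queried for
     *     configurations here when SSL is enabled
     */
    public HwNettyTransport(Settings settings, Version version, ThreadPool threadPool, NetworkService networkService, PageCacheRecycler pageCacheRecycler, NamedWriteableRegistry namedWriteableRegistry, CircuitBreakerService circuitBreakerService, HwSSLService hwSSLService) {
        super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, new SharedGroupFactory(Settings.EMPTY));
        this.settings = settings;
        this.threadPool = threadPool;
        this.hwSslService = hwSSLService;
        this.sslEnabled = settings.getAsBoolean(SecurityConstant.HW_TRANSPORT_SECURITY_SSL_ENABLED, true);
        if (this.sslEnabled) {
            HwSSLConfiguration defaultConfiguration = hwSSLService.getSSLConfiguration(ClientSettings.TRANSPORT_SSL_PREFIX);
            this.hwSslConfiguration = defaultConfiguration;
            this.profileConfiguration = Collections.unmodifiableMap(getTransportProfileConfigurations(settings, hwSSLService, defaultConfiguration));
        } else {
            // Transport traffic will be unencrypted and peers unauthenticated at the TLS layer;
            // surface that above INFO so it is not missed in production logs.
            LOG.warn("sslEnabled is false : {}", this.sslEnabled);
            this.profileConfiguration = Collections.emptyMap();
            this.hwSslConfiguration = null;
        }
    }

    /**
     * Builds the profile-name to SSL-configuration map from the {@code transport.profiles.*}
     * settings groups, adding {@code hwSSLConfiguration} under {@code "default"} when no such
     * profile is configured.
     *
     * @return a mutable map; the caller wraps it as unmodifiable
     */
    private static Map<String, HwSSLConfiguration> getTransportProfileConfigurations(Settings settings, HwSSLService hwSSLService, HwSSLConfiguration hwSSLConfiguration) {
        Set<String> profileNames = settings.getGroups("transport.profiles.", true).keySet();
        Map<String, HwSSLConfiguration> configurations = new HashMap<>(profileNames.size() + 1);
        for (String profileName : profileNames) {
            // NOTE(review): the key contains a double dot ("<profile>..hw.security.ssl"). It is
            // kept as-is because HwSSLService's lookup is not visible here; confirm that it
            // matches the keys the service actually registers, otherwise a profile could end up
            // with a configuration other than the one intended.
            configurations.put(profileName, hwSSLService.getSSLConfiguration("transport.profiles." + profileName + "..hw.security.ssl"));
        }
        if (!configurations.containsKey("default")) {
            configurations.put("default", hwSSLConfiguration);
        }
        return configurations;
    }

    @Override
    protected void doStart() {
        super.doStart();
    }

    /** Returns the node settings this transport was created with. */
    public Settings getSettings() {
        return this.settings;
    }

    /**
     * Returns the server-side channel initializer for the given profile.
     *
     * @throws IllegalStateException if SSL is enabled and no SSL configuration exists for
     *     {@code str}; failing here avoids binding a profile without TLS by accident
     */
    @Override
    public ChannelHandler getServerChannelInitializer(String str, DefaultEventExecutorGroup defaultEventExecutorGroup) {
        if (!this.sslEnabled) {
            return getNoSslChannelInitializer(str, defaultEventExecutorGroup);
        }
        HwSSLConfiguration profileSsl = this.profileConfiguration.get(str);
        if (profileSsl == null) {
            throw new IllegalStateException("unknown profile: " + str);
        }
        return new KerberosNetty4ServerChannelInitializer(str, profileSsl, defaultEventExecutorGroup);
    }

    /** Falls back to the superclass initializer, which installs no TLS handler from this class. */
    private ChannelHandler getNoSslChannelInitializer(String str, DefaultEventExecutorGroup defaultEventExecutorGroup) {
        return super.getServerChannelInitializer(str, defaultEventExecutorGroup);
    }

    /**
     * Handles channel exceptions, closing the channel on the TLS failures recognised by
     * {@code SSLExceptionHelper} and delegating everything else to the superclass.
     *
     * <p>For the TLS cases the exception itself is only logged at TRACE; at WARN only the channel
     * is reported.
     */
    @Override
    public void onException(TcpChannel tcpChannel, Exception exc) {
        if (!this.lifecycle.started()) {
            // Transport is not running: just drop the channel without logging.
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isNotSslRecordException(exc)) {
            if (LOG.isTraceEnabled()) {
                LOG.trace(new ParameterizedMessage("received plaintext traffic on an encrypted channel, closing connection {}", tcpChannel), exc);
            } else {
                LOG.warn("received plaintext traffic on an encrypted channel, closing connection {}", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isCloseDuringHandshakeException(exc)) {
            if (LOG.isTraceEnabled()) {
                LOG.trace(new ParameterizedMessage("connection {} closed during ssl handshake", tcpChannel), exc);
            } else {
                LOG.warn("connection {} closed during handshake", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isReceivedCertificateUnknownException(exc)) {
            if (LOG.isTraceEnabled()) {
                LOG.trace(new ParameterizedMessage("client did not trust server's certificate, closing connection {}", tcpChannel), exc);
            } else {
                LOG.warn("client did not trust this server's certificate, closing connection {}", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        super.onException(tcpChannel, exc);
    }

    /** Returns a new client channel initializer bound to the given target node. */
    protected ChannelHandler getClientChannelInitializer(DiscoveryNode discoveryNode) {
        return new KerberosNetty4ClientChannelInitializer(discoveryNode);
    }
}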
