package com.huawei.es.security.auth.server.transport;

import com.huawei.es.security.audit.AuditLog;
import com.huawei.es.security.auth.common.AuthConstants;
import com.huawei.es.security.auth.server.transport.bean.KerberosNettyTransport4NormalBean;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.author.tool.AuthorityUtil;
import com.huawei.es.security.index.SecurityIndexManager;
import com.huawei.es.security.plugin.KerberosPlugin;
import com.huawei.es.security.ssl.HwSecurityConstants;
import com.huawei.es.security.ssl.HwSslKeyStore;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.NotSslRecordException;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.solr.common.cloud.SolrZkClient;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.CloseableChannel;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.transport.SharedGroupFactory;
import org.elasticsearch.transport.TcpChannel;
import org.elasticsearch.transport.netty4.KerberosUpdateInfo2HiddenIndexHandler;
import org.elasticsearch.transport.netty4.KerberosUpdateInfoHandler;
import org.elasticsearch.transport.netty4.Netty4Transport;

/* loaded from: input_file:com/huawei/es/security/auth/server/transport/KerberosNettyTransport.class */
public class KerberosNettyTransport extends Netty4Transport {
    private static final Logger LOG = Loggers.getLogger(KerberosNettyTransport.class, new String[]{"KerberosNettyTransportSecurity"});
    private Settings settings;
    private final ThreadContext threadContext;
    private final NamedWriteableRegistry namedWriteableRegistry;
    private HwSslKeyStore hwSslKeyStore;
    private SolrZkClient zkClient;
    private AuditLog auditlog;
    private final ClusterService cs;
    private boolean sslEnabled;
    private SecurityIndexManager securityIndexManager;

    /* loaded from: input_file:com/huawei/es/security/auth/server/transport/KerberosNettyTransport$ClientSSLHandler.class */
    protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
        private static final Logger LOG = Loggers.getLogger(ClientSSLHandler.class, new String[]{"ClientSSLHandler"});
        private final HwSslKeyStore hwSslKeyStore;
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResovleHostName;

        private ClientSSLHandler(HwSslKeyStore hwSslKeyStore, boolean z, boolean z2) {
            this.hwSslKeyStore = hwSslKeyStore;
            this.hostnameVerificationEnabled = z;
            this.hostnameVerificationResovleHostName = z2;
        }

        public final void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
            if (th instanceof DecoderException) {
                th = th.getCause();
            }
            if (th instanceof NotSslRecordException) {
                LOG.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channelHandlerContext.channel().remoteAddress());
                channelHandlerContext.channel().close();
            } else if (th instanceof SSLException) {
                LOG.error("SSL Problem " + th.getMessage(), th);
                channelHandlerContext.channel().close();
            } else if (!(th instanceof SSLHandshakeException)) {
                super.exceptionCaught(channelHandlerContext, th);
            } else {
                LOG.error("Problem during handshake " + th.getMessage());
                channelHandlerContext.channel().close();
            }
        }

        public void connect(ChannelHandlerContext channelHandlerContext, SocketAddress socketAddress, SocketAddress socketAddress2, ChannelPromise channelPromise) throws Exception {
            SSLEngine createClientTransportSslEngine;
            try {
                if (this.hostnameVerificationEnabled) {
                    InetSocketAddress inetSocketAddress = (InetSocketAddress) socketAddress;
                    String hostName = this.hostnameVerificationResovleHostName ? inetSocketAddress.getHostName() : inetSocketAddress.getHostString();
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Hostname of peer is {} ({}/{}) with hostnameVerificationResovleHostName: {}", hostName, inetSocketAddress.getHostName(), inetSocketAddress.getHostString(), Boolean.valueOf(this.hostnameVerificationResovleHostName));
                    }
                    createClientTransportSslEngine = this.hwSslKeyStore.createClientTransportSslEngine(hostName, inetSocketAddress.getPort());
                } else {
                    createClientTransportSslEngine = this.hwSslKeyStore.createClientTransportSslEngine(null, -1);
                }
                createClientTransportSslEngine.setUseClientMode(true);
                channelHandlerContext.pipeline().replace(this, "ssl_client", new SslHandler(createClientTransportSslEngine));
                super.connect(channelHandlerContext, socketAddress, socketAddress2, channelPromise);
            } catch (SSLException e) {
                throw ExceptionsHelper.convertToElastic(e);
            }
        }
    }

    /* loaded from: input_file:com/huawei/es/security/auth/server/transport/KerberosNettyTransport$SSLClientChannelInitializer.class */
    protected class SSLClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResovleHostName;

        public SSLClientChannelInitializer() {
            super(KerberosNettyTransport.this);
            this.hostnameVerificationEnabled = KerberosNettyTransport.this.sslEnabled && KerberosNettyTransport.this.settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, true).booleanValue();
            this.hostnameVerificationResovleHostName = KerberosNettyTransport.this.sslEnabled && KerberosNettyTransport.this.settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_TRANSPORT_RESOLVE_HOSTNAME, true).booleanValue();
        }

        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (KerberosNettyTransport.this.sslEnabled) {
                channel.pipeline().addFirst("client_ssl_handler", new ClientSSLHandler(KerberosNettyTransport.this.hwSslKeyStore, this.hostnameVerificationEnabled, this.hostnameVerificationResovleHostName));
            }
        }

        public final void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
            if (KerberosNettyTransport.this.lifecycle.started()) {
                if (th instanceof DecoderException) {
                    th = th.getCause();
                }
                if (th instanceof NotSslRecordException) {
                    KerberosNettyTransport.LOG.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channelHandlerContext.channel().remoteAddress());
                    channelHandlerContext.channel().close();
                    return;
                } else if (th instanceof SSLException) {
                    KerberosNettyTransport.LOG.error("SSL Problem " + th.getMessage(), th);
                    channelHandlerContext.channel().close();
                    return;
                } else if (th instanceof SSLHandshakeException) {
                    KerberosNettyTransport.LOG.error("Problem during handshake " + th.getMessage());
                    channelHandlerContext.channel().close();
                    return;
                }
            }
            super.exceptionCaught(channelHandlerContext, th);
        }
    }

    /* loaded from: input_file:com/huawei/es/security/auth/server/transport/KerberosNettyTransport$SSLServerChannelInitializer.class */
    protected class SSLServerChannelInitializer extends Netty4Transport.ServerChannelInitializer {
        public SSLServerChannelInitializer(String str) {
            super(KerberosNettyTransport.this, str);
        }

        protected void initChannel(Channel channel) throws Exception {
            super.initChannel(channel);
            if (KerberosNettyTransport.this.sslEnabled) {
                channel.pipeline().addFirst("ssl_server", new SslHandler(KerberosNettyTransport.this.hwSslKeyStore.createServerTransportSslEngine()));
            }
            if (!AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
                channel.pipeline().addBefore(AuthConstants.HANDLER_NAME_LOGGING, AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME_TRANSPORT, new KerberosUpdateInfoHandler(KerberosNettyTransport.this.threadContext, KerberosNettyTransport.this.zkClient, KerberosNettyTransport.this.auditlog, KerberosNettyTransport.this.cs));
            }
            if (((Boolean) KerberosPlugin.STORE_SECURITY_INFO.get(KerberosNettyTransport.this.settings)).booleanValue()) {
                KerberosNettyTransport.this.addHiddenIndexPipeline(channel);
            }
        }

        public final void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
            if (KerberosNettyTransport.this.lifecycle.started()) {
                if (th instanceof DecoderException) {
                    th = th.getCause();
                }
                if (th instanceof NotSslRecordException) {
                    KerberosNettyTransport.LOG.warn("Someone ({}) speaks transport plaintext instead of ssl, will close the channel", channelHandlerContext.channel().remoteAddress());
                    channelHandlerContext.channel().close();
                    return;
                } else if (th instanceof SSLException) {
                    KerberosNettyTransport.LOG.error("SSL Problem " + th.getMessage(), th);
                    channelHandlerContext.channel().close();
                    return;
                } else if (th instanceof SSLHandshakeException) {
                    KerberosNettyTransport.LOG.error("Problem during handshake " + th.getMessage());
                    channelHandlerContext.channel().close();
                    return;
                }
            }
            super.exceptionCaught(channelHandlerContext, th);
        }
    }

    public KerberosNettyTransport(KerberosNettyTransport4NormalBean kerberosNettyTransport4NormalBean, HwSslKeyStore hwSslKeyStore, SolrZkClient solrZkClient, AuditLog auditLog, ClusterService clusterService, SecurityIndexManager securityIndexManager) {
        super(kerberosNettyTransport4NormalBean.getSettings(), kerberosNettyTransport4NormalBean.getVersion(), kerberosNettyTransport4NormalBean.getThreadPool(), kerberosNettyTransport4NormalBean.getNetworkService(), kerberosNettyTransport4NormalBean.getPageCacheRecycler(), kerberosNettyTransport4NormalBean.getNamedWriteableRegistry(), kerberosNettyTransport4NormalBean.getCircuitBreakerService(), new SharedGroupFactory(Settings.EMPTY));
        this.settings = kerberosNettyTransport4NormalBean.getSettings();
        this.threadContext = kerberosNettyTransport4NormalBean.getThreadPool().getThreadContext();
        this.namedWriteableRegistry = kerberosNettyTransport4NormalBean.getNamedWriteableRegistry();
        this.hwSslKeyStore = hwSslKeyStore;
        this.zkClient = solrZkClient;
        this.auditlog = auditLog;
        this.cs = clusterService;
        this.sslEnabled = this.settings.getAsBoolean(HwSecurityConstants.SECURITY_SSL_TRANSPORT_ENABLED, true).booleanValue();
        this.securityIndexManager = securityIndexManager;
    }

    public void setSettings(Settings settings) {
        this.settings = settings;
    }

    public Settings getSettings() {
        return this.settings;
    }

    protected ChannelHandler getServerChannelInitializer(String str) {
        return new SSLServerChannelInitializer(str);
    }

    protected ChannelHandler getClientChannelInitializer(DiscoveryNode discoveryNode) {
        return new SSLClientChannelInitializer();
    }

    public void onException(TcpChannel tcpChannel, Exception exc) {
        if (!this.lifecycle.started()) {
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isNotSslRecordException(exc)) {
            if (LOG.isTraceEnabled()) {
                LOG.trace(new ParameterizedMessage("received plaintext traffic on an encrypted channel, closing connection {}", tcpChannel), exc);
            } else {
                LOG.warn("received plaintext traffic on an encrypted channel, closing connection {}", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (SSLExceptionHelper.isCloseDuringHandshakeException(exc)) {
            if (LOG.isTraceEnabled()) {
                LOG.trace(new ParameterizedMessage("connection {} closed during ssl handshake", tcpChannel), exc);
            } else {
                LOG.warn("connection {} closed during handshake", tcpChannel);
            }
            CloseableChannel.closeChannel(tcpChannel);
            return;
        }
        if (!SSLExceptionHelper.isReceivedCertificateUnknownException(exc)) {
            super.onException(tcpChannel, exc);
            return;
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace(new ParameterizedMessage("client did not trust server's certificate, closing connection {}", tcpChannel), exc);
        } else {
            LOG.warn("client did not trust this server's certificate, closing connection {}", tcpChannel);
        }
        CloseableChannel.closeChannel(tcpChannel);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void addHiddenIndexPipeline(Channel channel) {
        if (AuthorityUtil.isRangerAuthzEnable(AuthorityConstants.getSetting())) {
            channel.pipeline().addBefore(AuthConstants.HANDLER_NAME_LOGGING, AuthConstants.UPDATE_INDEX_SECURITY_INFO_HANDLER_NAME_TRANSPORT, new KerberosUpdateInfo2HiddenIndexHandler(this.threadContext, this.zkClient, this.auditlog, this.cs, this.securityIndexManager));
        } else {
            channel.pipeline().addAfter(AuthConstants.UPDATE_ZK_INFO_HANDLER_NAME_TRANSPORT, AuthConstants.UPDATE_INDEX_SECURITY_INFO_HANDLER_NAME_TRANSPORT, new KerberosUpdateInfo2HiddenIndexHandler(this.threadContext, this.zkClient, this.auditlog, this.cs, this.securityIndexManager));
        }
    }
}
