package com.huawei.es.security.ratelimiter;

import com.google.common.collect.Sets;
import com.google.common.util.concurrent.RateLimiter;
import com.huawei.es.security.auth.common.HttpHelper;
import com.huawei.es.security.auth.server.KerberosHandler;
import com.huawei.es.security.cluster.ClusterStateManager;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpResponseStatus;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.cluster.ClusterState;
import org.elasticsearch.cluster.block.ClusterBlock;
import org.elasticsearch.cluster.block.ClusterBlockException;
import org.elasticsearch.cluster.block.ClusterBlocks;
import org.elasticsearch.common.breaker.CircuitBreakingException;
import org.elasticsearch.common.settings.ClusterSettings;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.discovery.MasterNotDiscoveredException;
import org.elasticsearch.gateway.GatewayService;
import org.elasticsearch.http.HttpPipelinedRequest;
import org.elasticsearch.http.netty4.Netty4HttpRequest;

@ChannelHandler.Sharable
/* loaded from: input_file:com/huawei/es/security/ratelimiter/RateLimiterHandler.class */
public class RateLimiterHandler extends ChannelDuplexHandler {
    private RateLimiter rateLimiter;
    private ClusterStateManager clusterStateManager;
    private boolean rateLimitEnable;
    private int permitsNodePerSecond;
    private int permitsClientPerClient;
    private static final Logger logger = LogManager.getLogger(RateLimiterHandler.class);
    public static final Setting<Boolean> RATE_LIMITER_SWITCH = Setting.boolSetting("rate.limiter.enable", false, new Setting.Property[]{Setting.Property.Dynamic, Setting.Property.NodeScope});
    public static final Setting<Integer> PERMITS_NODE_PER_SECOND = Setting.intSetting("rate.limiter.node.max_qps", 100, 1, 10000, new Setting.Property[]{Setting.Property.Dynamic, Setting.Property.NodeScope});
    public static final Setting<Integer> PERMITS_CLIENT_PER_SECOND = Setting.intSetting("rate.limiter.client.max_qps", 200, 1, 10000, new Setting.Property[]{Setting.Property.Dynamic, Setting.Property.NodeScope});

    public RateLimiterHandler(ClusterStateManager clusterStateManager, Settings settings, ClusterSettings clusterSettings) {
        this.clusterStateManager = clusterStateManager;
        this.rateLimitEnable = ((Boolean) RATE_LIMITER_SWITCH.get(settings)).booleanValue();
        this.permitsNodePerSecond = ((Integer) PERMITS_NODE_PER_SECOND.get(settings)).intValue();
        this.permitsClientPerClient = ((Integer) PERMITS_CLIENT_PER_SECOND.get(settings)).intValue();
        clusterSettings.addSettingsUpdateConsumer(RATE_LIMITER_SWITCH, (v1) -> {
            setRateLimiterSwitch(v1);
        });
        clusterSettings.addSettingsUpdateConsumer(PERMITS_NODE_PER_SECOND, (v1) -> {
            setPermitsNodePerSecond(v1);
        });
        clusterSettings.addSettingsUpdateConsumer(PERMITS_CLIENT_PER_SECOND, (v1) -> {
            setPermitsClientPerSecond(v1);
        });
        this.rateLimiter = RateLimiter.create(this.permitsNodePerSecond);
    }

    private void setRateLimiterSwitch(boolean z) {
        this.rateLimitEnable = z;
    }

    private void setPermitsNodePerSecond(int i) {
        this.permitsNodePerSecond = i;
    }

    private void setPermitsClientPerSecond(int i) {
        this.permitsClientPerClient = i;
    }

    private int getPermitsPerSecond() {
        int i = this.clusterStateManager.isLocalNodeAsClient() ? this.permitsClientPerClient : this.permitsNodePerSecond;
        if (i <= 0) {
            i = (int) this.rateLimiter.getRate();
        }
        return i;
    }

    public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) {
        if (!this.rateLimitEnable || !(obj instanceof HttpPipelinedRequest)) {
            channelHandlerContext.fireChannelRead(obj);
            return;
        }
        HttpPipelinedRequest httpPipelinedRequest = (HttpPipelinedRequest) obj;
        Netty4HttpRequest netty4HttpRequest = (Netty4HttpRequest) httpPipelinedRequest.getDelegateRequest();
        try {
            rejectRequestWhenBlock();
            breakerWhenRequestIsHuge();
            channelHandlerContext.fireChannelRead(obj);
        } catch (CircuitBreakingException | ClusterBlockException | MasterNotDiscoveredException e) {
            dealWithRateLimiterException(channelHandlerContext, obj, netty4HttpRequest, httpPipelinedRequest, e);
        }
    }

    private void dealWithRateLimiterException(ChannelHandlerContext channelHandlerContext, Object obj, Netty4HttpRequest netty4HttpRequest, HttpPipelinedRequest httpPipelinedRequest, Exception exc) {
        DefaultFullHttpResponse defaultFullHttpResponse = new DefaultFullHttpResponse(netty4HttpRequest.nettyRequest().protocolVersion(), HttpResponseStatus.SERVICE_UNAVAILABLE);
        if (exc instanceof CircuitBreakingException) {
            HttpHelper.reBuildResponse(defaultFullHttpResponse, HttpResponseStatus.TOO_MANY_REQUESTS, exc.getMessage());
        } else if ((exc instanceof ClusterBlockException) || (exc instanceof MasterNotDiscoveredException)) {
            HttpHelper.reBuildResponse(defaultFullHttpResponse, HttpResponseStatus.SERVICE_UNAVAILABLE, exc.getMessage());
        } else {
            logger.error("RateLimiterHandler has error occurred:", exc);
            HttpHelper.reBuildResponse(defaultFullHttpResponse, HttpResponseStatus.SERVICE_UNAVAILABLE, exc.getMessage());
        }
        KerberosHandler.whenAuthFailureOrException(channelHandlerContext, obj, netty4HttpRequest, HttpHelper.buildHttpPipelinedResponseWithOutJson(httpPipelinedRequest, defaultFullHttpResponse));
    }

    void breakerWhenRequestIsHuge() {
        int permitsPerSecond = getPermitsPerSecond();
        if (permitsPerSecond != this.rateLimiter.getRate()) {
            this.rateLimiter.setRate(permitsPerSecond);
            logger.info("PermitsPerSecond changed, the new value is :{}.", Integer.valueOf(permitsPerSecond));
        }
        logger.debug("Wait {} ms for this request.", Double.valueOf(this.rateLimiter.acquire(1)));
    }

    void rejectRequestWhenBlock() {
        ClusterState clusterState = this.clusterStateManager.getClusterState();
        ClusterBlocks blocks = clusterState.blocks();
        if (clusterState.equals(ClusterState.EMPTY_STATE) || blocks.hasGlobalBlockWithId(2)) {
            throw new MasterNotDiscoveredException("Master not discovered or blocked");
        }
        if (blocks.hasGlobalBlock(GatewayService.STATE_NOT_RECOVERED_BLOCK)) {
            throw new ClusterBlockException(Sets.newHashSet(new ClusterBlock[]{GatewayService.STATE_NOT_RECOVERED_BLOCK}));
        }
    }
}
