package org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.apache.hadoop.hbase.shaded.io.netty.bootstrap.ServerBootstrap;
import org.apache.hadoop.hbase.shaded.io.netty.buffer.ByteBuf;
import org.apache.hadoop.hbase.shaded.io.netty.buffer.ByteBufAllocator;
import org.apache.hadoop.hbase.shaded.io.netty.channel.Channel;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelDuplexHandler;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelFuture;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelHandler;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelHandlerContext;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInitializer;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelOption;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelPipeline;
import org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelPromise;
import org.apache.hadoop.hbase.shaded.io.netty.channel.EventLoopGroup;
import org.apache.hadoop.hbase.shaded.io.netty.channel.group.ChannelGroup;
import org.apache.hadoop.hbase.shaded.io.netty.channel.group.ChannelGroupFuture;
import org.apache.hadoop.hbase.shaded.io.netty.channel.group.DefaultChannelGroup;
import org.apache.hadoop.hbase.shaded.io.netty.channel.socket.SocketChannel;
import org.apache.hadoop.hbase.shaded.io.netty.handler.ssl.OptionalSslHandler;
import org.apache.hadoop.hbase.shaded.io.netty.handler.ssl.SslContext;
import org.apache.hadoop.hbase.shaded.io.netty.handler.ssl.SslHandler;
import org.apache.hadoop.hbase.shaded.io.netty.util.AttributeKey;
import org.apache.hadoop.hbase.shaded.io.netty.util.ReferenceCountUtil;
import org.apache.hadoop.hbase.shaded.io.netty.util.concurrent.DefaultEventExecutor;
import org.apache.hadoop.hbase.shaded.io.netty.util.concurrent.Future;
import org.apache.hadoop.hbase.shaded.io.netty.util.concurrent.GenericFutureListener;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.KeeperException;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.ClientX509Util;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.LogUtil;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.NettyUtils;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.SSLContextAndOptions;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.SSLUtil;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.X509Exception;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.ZKConfig;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.common.random.UsSecureRandom;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.NettyServerCnxn;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxn;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.auth.ProviderRegistry;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.auth.X509AuthenticationProvider;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.quorum.QuorumPeerConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hbase/shaded/org/apache/zookeeper/server/NettyServerCnxnFactory.class */
public class NettyServerCnxnFactory extends ServerCnxnFactory {
    public static final String PORT_UNIFICATION_KEY = "zookeeper.client.portUnification";
    public static final String EARLY_DROP_SECURE_CONNECTION_HANDSHAKES = "zookeeper.netty.server.earlyDropSecureConnectionHandshakes";
    private final boolean shouldUsePortUnification;
    public static final String USE_SERVER_SIDE_CIPHERSUITES_ORDER = "zookeeper.server.cipherorder";
    private static final byte TLS_HANDSHAKE_RECORD_TYPE = 22;
    public static final String OUTSTANDING_HANDSHAKE_LIMIT = "zookeeper.netty.server.outstandingHandshake.limit";
    private int outstandingHandshakeLimit;
    private boolean handshakeThrottlingEnabled;
    private final ServerBootstrap bootstrap;
    private Channel parentChannel;
    private InetSocketAddress localAddress;
    private InetSocketAddress drAddress;
    public static final String NETTY_ADVANCED_FLOW_CONTROL = "zookeeper.netty.advancedFlowControl.enabled";
    private boolean advancedFlowControlEnabled;
    private boolean killed;
    private static final Logger LOG = LoggerFactory.getLogger(NettyServerCnxnFactory.class);
    private static final AttributeKey<NettyServerCnxn> CONNECTION_ATTRIBUTE = AttributeKey.valueOf("NettyServerCnxn");
    private static final AtomicReference<ByteBufAllocator> TEST_ALLOCATOR = new AtomicReference<>(null);
    private final AtomicInteger outstandingHandshake = new AtomicInteger();
    private final ChannelGroup allChannels = new DefaultChannelGroup("zkServerCnxns", new DefaultEventExecutor());
    private final Map<InetAddress, AtomicInteger> ipMap = new ConcurrentHashMap();
    private int maxClientCnxns = 60;
    int listenBacklog = -1;
    CnxnChannelHandler channelHandler = new CnxnChannelHandler();
    ReadIssuedTrackingHandler readIssuedTrackingHandler = new ReadIssuedTrackingHandler();
    private final ClientX509Util x509Util = new ClientX509Util();

    /* loaded from: input_file:org/apache/hadoop/hbase/shaded/org/apache/zookeeper/server/NettyServerCnxnFactory$CertificateVerifier.class */
    final class CertificateVerifier implements GenericFutureListener<Future<Channel>> {
        private final SslHandler sslHandler;
        private final NettyServerCnxn cnxn;

        CertificateVerifier(SslHandler sslHandler, NettyServerCnxn nettyServerCnxn) {
            this.sslHandler = sslHandler;
            this.cnxn = nettyServerCnxn;
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.util.concurrent.GenericFutureListener
        public void operationComplete(Future<Channel> future) {
            NettyServerCnxnFactory.this.updateHandshakeCountIfStarted(this.cnxn);
            if (!future.isSuccess()) {
                NettyServerCnxnFactory.this.zkServer.serverStats().incrementAuthFailedCount();
                NettyServerCnxnFactory.LOG.error("Unsuccessful handshake with connection 0x{}, ip is {}", LogUtil.logSessionId(this.cnxn.getSessionId()), this.cnxn.getHostAddress());
                ServerMetrics.getMetrics().UNSUCCESSFUL_HANDSHAKE.add(1L);
                this.cnxn.close(ServerCnxn.DisconnectReason.FAILED_HANDSHAKE);
                return;
            }
            NettyServerCnxnFactory.LOG.debug("Successful handshake with connection 0x{}", LogUtil.logSessionId(this.cnxn.getSessionId()));
            SSLEngine engine = this.sslHandler.engine();
            ZKConfig zKConfig = new ZKConfig();
            engine.setEnabledProtocols(SSLUtil.getEnabledSSLProtocols(zKConfig, engine.getEnabledProtocols()));
            engine.setEnabledCipherSuites(SSLUtil.getEnabledCiphersSuites(zKConfig, engine.getEnabledCipherSuites()));
            if (engine.getNeedClientAuth() || engine.getWantClientAuth()) {
                try {
                    this.cnxn.setClientCertificateChain(engine.getSession().getPeerCertificates());
                    String property = System.getProperty(NettyServerCnxnFactory.this.x509Util.getSslAuthProviderProperty(), "x509");
                    X509AuthenticationProvider x509AuthenticationProvider = (X509AuthenticationProvider) ProviderRegistry.getProvider(property);
                    if (x509AuthenticationProvider == null) {
                        NettyServerCnxnFactory.LOG.error("X509 Auth provider not found: {}", property);
                        this.cnxn.close(ServerCnxn.DisconnectReason.AUTH_PROVIDER_NOT_FOUND);
                        return;
                    }
                    if (KeeperException.Code.OK != x509AuthenticationProvider.handleAuthentication(this.cnxn, null)) {
                        NettyServerCnxnFactory.this.zkServer.serverStats().incrementAuthFailedCount();
                        NettyServerCnxnFactory.LOG.error("Authentication failed for connection 0x{}, ip is {}", LogUtil.logSessionId(this.cnxn.getSessionId()), this.cnxn.getHostAddress());
                        this.cnxn.close(ServerCnxn.DisconnectReason.SASL_AUTH_FAILURE);
                        return;
                    }
                } catch (SSLPeerUnverifiedException e) {
                    if (engine.getNeedClientAuth()) {
                        NettyServerCnxnFactory.LOG.error("Error getting peer certificates", e);
                        this.cnxn.close();
                        return;
                    } else {
                        NettyServerCnxnFactory.this.allChannels.add(Objects.requireNonNull(future.getNow()));
                        NettyServerCnxnFactory.this.addCnxn(this.cnxn);
                        return;
                    }
                } catch (Exception e2) {
                    NettyServerCnxnFactory.LOG.error("Error getting peer certificates", e2);
                    this.cnxn.close();
                    return;
                }
            }
            NettyServerCnxnFactory.this.allChannels.add(Objects.requireNonNull(future.getNow()));
            NettyServerCnxnFactory.this.addCnxn(this.cnxn);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @ChannelHandler.Sharable
    /* loaded from: input_file:org/apache/hadoop/hbase/shaded/org/apache/zookeeper/server/NettyServerCnxnFactory$CnxnChannelHandler.class */
    public class CnxnChannelHandler extends ChannelDuplexHandler {
        private final GenericFutureListener<Future<Void>> onWriteCompletedTracer = future -> {
            if (NettyServerCnxnFactory.LOG.isTraceEnabled()) {
                NettyServerCnxnFactory.LOG.trace("write success: {}", Boolean.valueOf(future.isSuccess()));
            }
        };

        CnxnChannelHandler() {
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void channelActive(ChannelHandlerContext channelHandlerContext) throws Exception {
            if (NettyServerCnxnFactory.LOG.isTraceEnabled()) {
                NettyServerCnxnFactory.LOG.trace("Channel active {}", channelHandlerContext.channel());
            }
            Channel channel = channelHandlerContext.channel();
            if (NettyServerCnxnFactory.this.limitTotalNumberOfCnxns() && !NettyServerCnxnFactory.this.cnxnWhiteListService.isWhiteListAddress(channel)) {
                NettyServerCnxnFactory.LOG.warn("Too many connections " + (NettyServerCnxnFactory.this.getNumAliveConnections() - NettyServerCnxnFactory.this.getNumWhiteListedConnections()) + " - max is " + NettyServerCnxnFactory.this.maxCnxns);
                ServerMetrics.getMetrics().CONNECTION_REJECTED.add(1L);
                channel.close();
                return;
            }
            InetAddress address = ((InetSocketAddress) channel.remoteAddress()).getAddress();
            if (NettyServerCnxnFactory.this.maxClientCnxns > 0 && NettyServerCnxnFactory.this.getClientCnxnCount(address) >= NettyServerCnxnFactory.this.maxClientCnxns && !NettyServerCnxnFactory.this.cnxnWhiteListService.isWhiteListAddress(channel)) {
                ServerMetrics.getMetrics().CONNECTION_REJECTED.add(1L);
                NettyServerCnxnFactory.LOG.warn("Too many connections from {} - max is {}", address, Integer.valueOf(NettyServerCnxnFactory.this.maxClientCnxns));
                channel.close();
                return;
            }
            NettyServerCnxn nettyServerCnxn = new NettyServerCnxn(channel, NettyServerCnxnFactory.this.zkServer, NettyServerCnxnFactory.this);
            channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).set(nettyServerCnxn);
            if (NettyServerCnxnFactory.this.secure && !nettyServerCnxn.isZKServerRunning() && Boolean.getBoolean(NettyServerCnxnFactory.EARLY_DROP_SECURE_CONNECTION_HANDSHAKES)) {
                NettyServerCnxnFactory.LOG.info("Zookeeper server is not running, close the connection to {} before starting the TLS handshake", nettyServerCnxn.getChannel().remoteAddress());
                ServerMetrics.getMetrics().CNXN_CLOSED_WITHOUT_ZK_SERVER_RUNNING.add(1L);
                channel.close();
                return;
            }
            if (NettyServerCnxnFactory.this.handshakeThrottlingEnabled) {
                if (NettyServerCnxnFactory.this.outstandingHandshake.addAndGet(1) > NettyServerCnxnFactory.this.outstandingHandshakeLimit) {
                    NettyServerCnxnFactory.this.outstandingHandshake.addAndGet(-1);
                    channel.close();
                    ServerMetrics.getMetrics().TLS_HANDSHAKE_EXCEEDED.add(1L);
                } else {
                    nettyServerCnxn.setHandshakeState(NettyServerCnxn.HandshakeState.STARTED);
                }
            }
            if (NettyServerCnxnFactory.this.secure) {
                SslHandler sslHandler = (SslHandler) channelHandlerContext.pipeline().get(SslHandler.class);
                String property = System.getProperty(NettyServerCnxnFactory.USE_SERVER_SIDE_CIPHERSUITES_ORDER);
                if (null != property && property.equals("true")) {
                    SSLEngine engine = sslHandler.engine();
                    SSLParameters sSLParameters = engine.getSSLParameters();
                    sSLParameters.setUseCipherSuitesOrder(true);
                    engine.setSSLParameters(sSLParameters);
                    NettyServerCnxnFactory.LOG.info("use server side cipher suites order.");
                }
                sslHandler.handshakeFuture().addListener2(new CertificateVerifier(sslHandler, nettyServerCnxn));
            } else if (!NettyServerCnxnFactory.this.shouldUsePortUnification) {
                NettyServerCnxnFactory.this.allChannels.add(channelHandlerContext.channel());
                NettyServerCnxnFactory.this.addCnxn(nettyServerCnxn);
            }
            if (channelHandlerContext.channel().pipeline().get(SslHandler.class) == null) {
                if (NettyServerCnxnFactory.this.zkServer == null) {
                    NettyServerCnxnFactory.LOG.trace("Opened non-TLS connection from {} but zkServer is not running", nettyServerCnxn.getChannel().remoteAddress());
                    return;
                }
                SocketAddress remoteAddress = nettyServerCnxn.getChannel().remoteAddress();
                if (remoteAddress == null || ((InetSocketAddress) remoteAddress).getAddress().isLoopbackAddress()) {
                    NettyServerCnxnFactory.this.zkServer.serverStats().incrementNonMTLSLocalConnCount();
                } else {
                    NettyServerCnxnFactory.LOG.trace("NettyChannelHandler channelActive: remote={} local={}", remoteAddress, nettyServerCnxn.getChannel().localAddress());
                    NettyServerCnxnFactory.this.zkServer.serverStats().incrementNonMTLSRemoteConnCount();
                }
            }
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
            if (NettyServerCnxnFactory.LOG.isTraceEnabled()) {
                NettyServerCnxnFactory.LOG.trace("Channel inactive {}", channelHandlerContext.channel());
            }
            NettyServerCnxnFactory.this.allChannels.remove(channelHandlerContext.channel());
            NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).getAndSet(null);
            if (nettyServerCnxn != null) {
                if (NettyServerCnxnFactory.LOG.isTraceEnabled()) {
                    NettyServerCnxnFactory.LOG.trace("Channel inactive caused close {}", nettyServerCnxn);
                }
                NettyServerCnxnFactory.this.updateHandshakeCountIfStarted(nettyServerCnxn);
                nettyServerCnxn.close(ServerCnxn.DisconnectReason.CHANNEL_DISCONNECTED);
            }
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelHandler, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
            NettyServerCnxnFactory.LOG.warn("Exception caught", th);
            NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).getAndSet(null);
            if (nettyServerCnxn != null) {
                NettyServerCnxnFactory.LOG.debug("Closing {}", nettyServerCnxn);
                NettyServerCnxnFactory.this.updateHandshakeCountIfStarted(nettyServerCnxn);
                nettyServerCnxn.close(ServerCnxn.DisconnectReason.CHANNEL_CLOSED_EXCEPTION);
            }
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
            try {
                if (obj == NettyServerCnxn.ReadEvent.ENABLE) {
                    NettyServerCnxnFactory.LOG.debug("Received ReadEvent.ENABLE");
                    NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get();
                    if (nettyServerCnxn != null && nettyServerCnxn.getQueuedReadableBytes() > 0) {
                        nettyServerCnxn.processQueuedBuffer();
                        if (NettyServerCnxnFactory.this.advancedFlowControlEnabled && nettyServerCnxn.getQueuedReadableBytes() == 0) {
                            channelHandlerContext.read();
                            NettyServerCnxnFactory.LOG.debug("Issued a read after queuedBuffer drained");
                        }
                    }
                    if (!NettyServerCnxnFactory.this.advancedFlowControlEnabled) {
                        channelHandlerContext.channel().config().setAutoRead(true);
                    }
                } else if (obj == NettyServerCnxn.ReadEvent.DISABLE) {
                    NettyServerCnxnFactory.LOG.debug("Received ReadEvent.DISABLE");
                    channelHandlerContext.channel().config().setAutoRead(false);
                }
            } finally {
                ReferenceCountUtil.release(obj);
            }
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
            try {
                if (NettyServerCnxnFactory.LOG.isTraceEnabled()) {
                    NettyServerCnxnFactory.LOG.trace("message received called {}", obj);
                }
                try {
                    NettyServerCnxnFactory.LOG.debug("New message {} from {}", obj, channelHandlerContext.channel());
                    NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get();
                    if (nettyServerCnxn == null) {
                        NettyServerCnxnFactory.LOG.error("channelRead() on a closed or closing NettyServerCnxn");
                    } else {
                        nettyServerCnxn.processMessage((ByteBuf) obj);
                    }
                } catch (Exception e) {
                    NettyServerCnxnFactory.LOG.error("Unexpected exception in receive", e);
                    throw e;
                }
            } finally {
                ReferenceCountUtil.release(obj);
            }
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void channelReadComplete(ChannelHandlerContext channelHandlerContext) throws Exception {
            NettyServerCnxn nettyServerCnxn;
            if (NettyServerCnxnFactory.this.advancedFlowControlEnabled && (nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get()) != null && nettyServerCnxn.getQueuedReadableBytes() == 0 && nettyServerCnxn.readIssuedAfterReadComplete == 0) {
                channelHandlerContext.read();
                NettyServerCnxnFactory.LOG.debug("Issued a read since we do not have anything to consume after channelReadComplete");
            }
            channelHandlerContext.fireChannelReadComplete();
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelDuplexHandler, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelOutboundHandler
        public void write(ChannelHandlerContext channelHandlerContext, Object obj, ChannelPromise channelPromise) throws Exception {
            if (NettyServerCnxnFactory.LOG.isTraceEnabled()) {
                channelPromise.addListener2((GenericFutureListener<? extends Future<? super Void>>) this.onWriteCompletedTracer);
            }
            super.write(channelHandlerContext, obj, channelPromise);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/hbase/shaded/org/apache/zookeeper/server/NettyServerCnxnFactory$DualModeSslHandler.class */
    public class DualModeSslHandler extends OptionalSslHandler {
        DualModeSslHandler(SslContext sslContext) {
            super(sslContext);
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.handler.ssl.OptionalSslHandler, org.apache.hadoop.hbase.shaded.io.netty.handler.codec.ByteToMessageDecoder
        protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) throws Exception {
            if (byteBuf.readableBytes() >= 5) {
                super.decode(channelHandlerContext, byteBuf, list);
            } else {
                if (byteBuf.readableBytes() <= 0 || 22 == byteBuf.getByte(0)) {
                    return;
                }
                NettyServerCnxnFactory.LOG.debug("first byte {} does not match TLS handshake, failing to plaintext", Byte.valueOf(byteBuf.getByte(0)));
                handleNonSsl(channelHandlerContext);
            }
        }

        private void handleNonSsl(ChannelHandlerContext channelHandlerContext) {
            ChannelHandler newNonSslHandler = newNonSslHandler(channelHandlerContext);
            if (newNonSslHandler != null) {
                channelHandlerContext.pipeline().replace(this, newNonSslHandlerName(), newNonSslHandler);
            } else {
                channelHandlerContext.pipeline().remove(this);
            }
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.handler.ssl.OptionalSslHandler
        protected SslHandler newSslHandler(ChannelHandlerContext channelHandlerContext, SslContext sslContext) {
            NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) Objects.requireNonNull(channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get());
            NettyServerCnxnFactory.LOG.debug("creating ssl handler for connection {}", Long.valueOf(nettyServerCnxn.getSessionId()));
            SslHandler newSslHandler = super.newSslHandler(channelHandlerContext, sslContext);
            newSslHandler.handshakeFuture().addListener2(new CertificateVerifier(newSslHandler, nettyServerCnxn));
            return newSslHandler;
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.handler.ssl.OptionalSslHandler
        protected ChannelHandler newNonSslHandler(ChannelHandlerContext channelHandlerContext) {
            NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) Objects.requireNonNull(channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get());
            NettyServerCnxnFactory.LOG.debug("creating plaintext handler for connection {}", Long.valueOf(nettyServerCnxn.getSessionId()));
            NettyServerCnxnFactory.this.updateHandshakeCountIfStarted(nettyServerCnxn);
            NettyServerCnxnFactory.this.allChannels.add(channelHandlerContext.channel());
            NettyServerCnxnFactory.this.addCnxn(nettyServerCnxn);
            return super.newNonSslHandler(channelHandlerContext);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @ChannelHandler.Sharable
    /* loaded from: input_file:org/apache/hadoop/hbase/shaded/org/apache/zookeeper/server/NettyServerCnxnFactory$ReadIssuedTrackingHandler.class */
    public static class ReadIssuedTrackingHandler extends ChannelDuplexHandler {
        ReadIssuedTrackingHandler() {
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelDuplexHandler, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelOutboundHandler
        public void read(ChannelHandlerContext channelHandlerContext) throws Exception {
            NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get();
            if (nettyServerCnxn != null) {
                nettyServerCnxn.readIssuedAfterReadComplete++;
            }
            channelHandlerContext.read();
        }

        @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInboundHandler
        public void channelReadComplete(ChannelHandlerContext channelHandlerContext) throws Exception {
            NettyServerCnxn nettyServerCnxn = (NettyServerCnxn) channelHandlerContext.channel().attr(NettyServerCnxnFactory.CONNECTION_ATTRIBUTE).get();
            if (nettyServerCnxn != null) {
                nettyServerCnxn.readIssuedAfterReadComplete = 0;
            }
            channelHandlerContext.fireChannelReadComplete();
        }
    }

    public void setOutstandingHandshakeLimit(int i) {
        this.outstandingHandshakeLimit = i;
        this.handshakeThrottlingEnabled = (this.secure || this.shouldUsePortUnification) && this.outstandingHandshakeLimit > 0;
        LOG.info("handshakeThrottlingEnabled = {}, {} = {}", new Object[]{Boolean.valueOf(this.handshakeThrottlingEnabled), OUTSTANDING_HANDSHAKE_LIMIT, Integer.valueOf(this.outstandingHandshakeLimit)});
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void updateHandshakeCountIfStarted(NettyServerCnxn nettyServerCnxn) {
        if (nettyServerCnxn == null || nettyServerCnxn.getHandshakeState() != NettyServerCnxn.HandshakeState.STARTED) {
            return;
        }
        nettyServerCnxn.setHandshakeState(NettyServerCnxn.HandshakeState.FINISHED);
        this.outstandingHandshake.addAndGet(-1);
    }

    private ServerBootstrap configureBootstrapAllocator(ServerBootstrap serverBootstrap) {
        ByteBufAllocator byteBufAllocator = TEST_ALLOCATOR.get();
        return byteBufAllocator != null ? serverBootstrap.option(ChannelOption.ALLOCATOR, byteBufAllocator).childOption(ChannelOption.ALLOCATOR, byteBufAllocator) : serverBootstrap;
    }

    NettyServerCnxnFactory() {
        this.advancedFlowControlEnabled = false;
        boolean z = Boolean.getBoolean(PORT_UNIFICATION_KEY);
        LOG.info("{}={}", PORT_UNIFICATION_KEY, Boolean.valueOf(z));
        if (z) {
            try {
                QuorumPeerConfig.configureSSLAuth();
            } catch (QuorumPeerConfig.ConfigException e) {
                LOG.error("unable to set up SslAuthProvider, turning off client port unification", e);
                z = false;
            }
        }
        this.shouldUsePortUnification = z;
        this.advancedFlowControlEnabled = Boolean.getBoolean(NETTY_ADVANCED_FLOW_CONTROL);
        LOG.info("{} = {}", NETTY_ADVANCED_FLOW_CONTROL, Boolean.valueOf(this.advancedFlowControlEnabled));
        setOutstandingHandshakeLimit(Integer.getInteger(OUTSTANDING_HANDSHAKE_LIMIT, -1).intValue());
        this.bootstrap = configureBootstrapAllocator(new ServerBootstrap().group(NettyUtils.newNioOrEpollEventLoopGroup(NettyUtils.getClientReachableLocalInetAddressCount()), NettyUtils.newNioOrEpollEventLoopGroup()).channel(NettyUtils.nioOrEpollServerSocketChannel()).option(ChannelOption.SO_REUSEADDR, true).childOption(ChannelOption.TCP_NODELAY, true).childOption(ChannelOption.SO_LINGER, -1).childHandler(new ChannelInitializer<SocketChannel>() { // from class: org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.NettyServerCnxnFactory.1
            /* JADX INFO: Access modifiers changed from: protected */
            @Override // org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelInitializer
            public void initChannel(SocketChannel socketChannel) throws Exception {
                ChannelPipeline pipeline = socketChannel.pipeline();
                if (NettyServerCnxnFactory.this.advancedFlowControlEnabled) {
                    pipeline.addLast(NettyServerCnxnFactory.this.readIssuedTrackingHandler);
                }
                if (NettyServerCnxnFactory.this.secure) {
                    NettyServerCnxnFactory.this.initSSL(pipeline, false);
                } else if (NettyServerCnxnFactory.this.shouldUsePortUnification) {
                    NettyServerCnxnFactory.this.initSSL(pipeline, true);
                }
                pipeline.addLast("servercnxnfactory", NettyServerCnxnFactory.this.channelHandler);
            }
        }));
        this.bootstrap.validate();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public synchronized void initSSL(ChannelPipeline channelPipeline, boolean z) throws X509Exception, KeyManagementException, NoSuchAlgorithmException {
        SslContext createNettyJdkSslContext;
        String property = System.getProperty(this.x509Util.getSslAuthProviderProperty());
        if (property == null) {
            SSLContextAndOptions defaultSSLContextAndOptions = this.x509Util.getDefaultSSLContextAndOptions();
            createNettyJdkSslContext = defaultSSLContextAndOptions.createNettyJdkSslContext(defaultSSLContextAndOptions.getSSLContext(), false);
        } else {
            String property2 = System.getProperty(ZKConfig.SSL_CONTEXT);
            if (property2 == null) {
                LOG.debug("SSL context not specified. Setting to default.");
                property2 = System.getProperty(this.x509Util.sslProtocolProperty);
                if (property2 == null) {
                    property2 = "TLSv1.2";
                }
            }
            SSLContext sSLContext = SSLContext.getInstance(property2);
            X509AuthenticationProvider x509AuthenticationProvider = (X509AuthenticationProvider) ProviderRegistry.getProvider(System.getProperty(this.x509Util.getSslAuthProviderProperty(), "x509"));
            if (x509AuthenticationProvider == null) {
                LOG.error("Auth provider not found: {}", property);
                throw new X509Exception.SSLContextException("Could not create SSLContext with specified auth provider: " + property);
            }
            sSLContext.init(new X509KeyManager[]{x509AuthenticationProvider.getKeyManager()}, new X509TrustManager[]{x509AuthenticationProvider.getTrustManager()}, UsSecureRandom.getInstance());
            createNettyJdkSslContext = this.x509Util.getDefaultSSLContextAndOptions().createNettyJdkSslContext(sSLContext, false);
        }
        if (z) {
            channelPipeline.addLast("ssl", new DualModeSslHandler(createNettyJdkSslContext));
            LOG.debug("dual mode SSL handler added for channel: {}", channelPipeline.channel());
        } else {
            channelPipeline.addLast("ssl", createNettyJdkSslContext.newHandler(channelPipeline.channel().alloc()));
            LOG.debug("SSL handler added for channel: {}", channelPipeline.channel());
        }
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void configure(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2, int i, int i2, boolean z) throws IOException {
        this.drAddress = inetSocketAddress2;
        configure(inetSocketAddress, i, i2, z);
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void closeAll(ServerCnxn.DisconnectReason disconnectReason) {
        LOG.debug("closeAll()");
        int size = this.cnxns.size();
        for (ServerCnxn serverCnxn : this.cnxns) {
            try {
                serverCnxn.close(disconnectReason);
            } catch (Exception e) {
                LOG.warn("Ignoring exception closing cnxn sessionid 0x{}", LogUtil.logSessionId(serverCnxn.getSessionId()), e);
            }
        }
        LOG.debug("allChannels size: {} cnxns size: {}", Integer.valueOf(this.allChannels.size()), Integer.valueOf(size));
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void configure(InetSocketAddress inetSocketAddress, int i, int i2, boolean z) throws IOException {
        configureSaslLogin();
        initMaxCnxns();
        initHelperObjects();
        this.localAddress = inetSocketAddress;
        this.maxClientCnxns = i;
        this.secure = z;
        this.listenBacklog = i2;
        LOG.info("configure {} secure: {} on addr {}", new Object[]{this, Boolean.valueOf(z), inetSocketAddress});
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public int getMaxClientCnxnsPerHost() {
        return this.maxClientCnxns;
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void setMaxClientCnxnsPerHost(int i) {
        this.maxClientCnxns = i;
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public int getSocketListenBacklog() {
        return this.listenBacklog;
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public int getLocalPort() {
        return this.localAddress.getPort();
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void join() throws InterruptedException {
        synchronized (this) {
            while (!this.killed) {
                wait();
            }
        }
    }

    /* JADX WARN: Type inference failed for: r0v17, types: [org.apache.hadoop.hbase.shaded.io.netty.bootstrap.ServerBootstrapConfig] */
    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void shutdown() {
        synchronized (this) {
            if (this.killed) {
                LOG.info("already shutdown {}", this.localAddress);
                return;
            }
            LOG.info("shutdown called {}", this.localAddress);
            this.x509Util.close();
            if (this.login != null) {
                this.login.shutdown();
            }
            EventLoopGroup group = this.bootstrap.config2().group();
            EventLoopGroup childGroup = this.bootstrap.config2().childGroup();
            if (this.parentChannel != null) {
                ChannelFuture close = this.parentChannel.close();
                if (group != null) {
                    close.addListener2(future -> {
                        group.shutdownGracefully();
                    });
                }
                closeAll(ServerCnxn.DisconnectReason.SERVER_SHUTDOWN);
                ChannelGroupFuture close2 = this.allChannels.close();
                if (childGroup != null) {
                    close2.addListener2(future2 -> {
                        childGroup.shutdownGracefully();
                    });
                }
            } else {
                if (group != null) {
                    group.shutdownGracefully();
                }
                if (childGroup != null) {
                    childGroup.shutdownGracefully();
                }
            }
            if (this.zkServer != null) {
                this.zkServer.shutdown();
            }
            synchronized (this) {
                this.killed = true;
                notifyAll();
            }
        }
    }

    /* JADX WARN: Type inference failed for: r1v23, types: [org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelFuture] */
    /* JADX WARN: Type inference failed for: r1v5, types: [org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelFuture] */
    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void start() {
        if (this.listenBacklog != -1) {
            this.bootstrap.option(ChannelOption.SO_BACKLOG, Integer.valueOf(this.listenBacklog));
        }
        LOG.info("binding to port {}", this.localAddress);
        this.parentChannel = this.bootstrap.bind(this.localAddress).syncUninterruptibly2().channel();
        this.localAddress = (InetSocketAddress) this.parentChannel.localAddress();
        LOG.info("bound to port {}", Integer.valueOf(getLocalPort()));
        if (this.drAddress != null) {
            LOG.warn("bind dr ip: " + this.drAddress);
            if (this.localAddress.getAddress().getHostAddress().equals(this.drAddress.getAddress().getHostAddress())) {
                LOG.warn("dr ip is same with local ip, skip bind.");
            } else {
                this.parentChannel = this.bootstrap.bind(this.drAddress).syncUninterruptibly2().channel();
            }
        }
    }

    /* JADX WARN: Type inference failed for: r1v5, types: [org.apache.hadoop.hbase.shaded.io.netty.channel.ChannelFuture] */
    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void reconfigure(InetSocketAddress inetSocketAddress) {
        LOG.info("binding to port {}, {}", inetSocketAddress, this.localAddress);
        if (inetSocketAddress != null && this.localAddress != null && (inetSocketAddress.equals(this.localAddress) || (inetSocketAddress.getAddress().isAnyLocalAddress() && this.localAddress.getAddress().isAnyLocalAddress() && inetSocketAddress.getPort() == this.localAddress.getPort()))) {
            LOG.info("address is the same, skip rebinding");
            return;
        }
        Channel channel = this.parentChannel;
        try {
            try {
                this.parentChannel = this.bootstrap.bind(inetSocketAddress).syncUninterruptibly2().channel();
                this.localAddress = (InetSocketAddress) this.parentChannel.localAddress();
                LOG.info("bound to port {}", Integer.valueOf(getLocalPort()));
                channel.close();
            } catch (Exception e) {
                LOG.error("Error while reconfiguring", e);
                channel.close();
            }
        } catch (Throwable th) {
            channel.close();
            throw th;
        }
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void startup(ZooKeeperServer zooKeeperServer, boolean z) throws IOException, InterruptedException {
        start();
        setZooKeeperServer(zooKeeperServer);
        if (z) {
            zooKeeperServer.startdata();
            zooKeeperServer.startup();
        }
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public Iterable<ServerCnxn> getConnections() {
        return this.cnxns;
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public InetSocketAddress getLocalAddress() {
        return this.localAddress;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void addCnxn(NettyServerCnxn nettyServerCnxn) {
        this.cnxns.add(nettyServerCnxn);
        nettyServerCnxn.setWhiteListCnxn(this.cnxnWhiteListService.isWhiteListAddress(nettyServerCnxn.getChannel()));
        if (nettyServerCnxn.isWhiteListCnxn()) {
            this.whiteListedCnxnCount.incrementAndGet();
        } else {
            this.ipMap.compute(((InetSocketAddress) nettyServerCnxn.getChannel().remoteAddress()).getAddress(), (inetAddress, atomicInteger) -> {
                if (atomicInteger == null) {
                    atomicInteger = new AtomicInteger();
                }
                atomicInteger.incrementAndGet();
                return atomicInteger;
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void removeCnxnFromIpMap(NettyServerCnxn nettyServerCnxn, InetAddress inetAddress) {
        if (nettyServerCnxn.isWhiteListCnxn()) {
            this.whiteListedCnxnCount.decrementAndGet();
        } else {
            this.ipMap.compute(inetAddress, (inetAddress2, atomicInteger) -> {
                if (atomicInteger == null) {
                    LOG.error("Unexpected remote address {} when removing cnxn {}", inetAddress, nettyServerCnxn);
                    return null;
                }
                if (atomicInteger.decrementAndGet() == 0) {
                    return null;
                }
                return atomicInteger;
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public int getClientCnxnCount(InetAddress inetAddress) {
        AtomicInteger atomicInteger = this.ipMap.get(inetAddress);
        if (atomicInteger == null) {
            return 0;
        }
        return atomicInteger.get();
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public void resetAllConnectionStats() {
        Iterator<ServerCnxn> it = this.cnxns.iterator();
        while (it.hasNext()) {
            it.next().resetStats();
        }
    }

    @Override // org.apache.hadoop.hbase.shaded.org.apache.zookeeper.server.ServerCnxnFactory
    public Iterable<Map<String, Object>> getAllConnectionInfo(boolean z) {
        HashSet hashSet = new HashSet();
        Iterator<ServerCnxn> it = this.cnxns.iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().getConnectionInfo(z));
        }
        return hashSet;
    }

    static void setTestAllocator(ByteBufAllocator byteBufAllocator) {
        TEST_ALLOCATOR.set(byteBufAllocator);
    }

    static void clearTestAllocator() {
        TEST_ALLOCATOR.set(null);
    }

    public void setAdvancedFlowControlEnabled(boolean z) {
        this.advancedFlowControlEnabled = z;
    }

    public void setSecure(boolean z) {
        this.secure = z;
    }

    public Channel getParentChannel() {
        return this.parentChannel;
    }

    public int getOutstandingHandshakeNum() {
        return this.outstandingHandshake.get();
    }
}
