package org.opensearch.transport.netty4.ssl;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.ssl.SslHandler;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.common.settings.Settings;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.transport.TcpTransport;

/* loaded from: input_file:org/opensearch/transport/netty4/ssl/DualModeSslHandler.class */
/**
 * Inbound decoder that peeks at the first six readable bytes of a connection and
 * decides how the channel continues.
 *
 * <p>Three outcomes are possible once six bytes are available:
 * <ol>
 *   <li>the bytes equal {@code SecureConnectionTestUtil.DUAL_MODE_CLIENT_HELLO_MSG}: the
 *       server hello message is written back and the channel is closed;</li>
 *   <li>{@code SslUtils.isTLS} accepts the buffer: an {@link SslHandler} is added to the
 *       pipeline and this handler removes itself;</li>
 *   <li>otherwise: this handler removes itself and nothing else is installed.</li>
 * </ol>
 *
 * <p><b>Security note:</b> in the third case the connection carries on without any TLS
 * handler, i.e. unencrypted. Nothing in this class authenticates the peer or limits which
 * peers may take that path, and the probe reply in the first case is sent before any TLS
 * handshake. Any restriction on plaintext peers has to be enforced elsewhere; the
 * plaintext decision is only visible at debug log level.
 */
public class DualModeSslHandler extends ByteToMessageDecoder {
    private static final Logger logger = LogManager.getLogger(DualModeSslHandler.class);

    /** Count of leading bytes inspected before a decision is made. */
    private static final int PROBE_LENGTH = 6;

    private final Settings settings;
    private final SecureTransportSettingsProvider secureTransportSettingsProvider;
    private final TcpTransport transport;

    /** Pre-built handler to install for TLS connections; {@code null} means build one on demand. */
    private final SslHandler providedSSLHandler;

    /**
     * Creates a handler that builds its {@link SslHandler} on demand from the settings provider.
     *
     * @param settings                        settings handed to the provider when an engine is built
     * @param secureTransportSettingsProvider source of the server-side SSL engine
     * @param tcpTransport                    transport handed to the provider when an engine is built
     */
    public DualModeSslHandler(Settings settings, SecureTransportSettingsProvider secureTransportSettingsProvider, TcpTransport tcpTransport) {
        this(settings, secureTransportSettingsProvider, tcpTransport, null);
    }

    /**
     * Creates a handler that installs the supplied {@link SslHandler} instead of building one.
     *
     * @param settings                        settings handed to the provider when an engine is built
     * @param secureTransportSettingsProvider source of the server-side SSL engine
     * @param tcpTransport                    transport handed to the provider when an engine is built
     * @param sslHandler                      handler to install for TLS connections, or {@code null}
     *                                        to build one from the provider
     */
    protected DualModeSslHandler(Settings settings, SecureTransportSettingsProvider secureTransportSettingsProvider, TcpTransport tcpTransport, SslHandler sslHandler) {
        this.settings = settings;
        this.secureTransportSettingsProvider = secureTransportSettingsProvider;
        this.transport = tcpTransport;
        this.providedSSLHandler = sslHandler;
    }

    /**
     * Classifies the connection from its first six bytes and reconfigures the pipeline.
     *
     * <p>The buffer is only peeked at (absolute-index read); no bytes are consumed here and
     * nothing is added to {@code list}.
     *
     * @param channelHandlerContext context of this handler in the pipeline
     * @param byteBuf               accumulated inbound bytes
     * @param list                  decoded-message sink; left untouched
     * @throws Exception if installing the SSL handler fails
     */
    protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) throws Exception {
        // Not enough data to classify yet; wait for more bytes.
        if (byteBuf.readableBytes() < PROBE_LENGTH) {
            return;
        }

        final int start = byteBuf.readerIndex();
        final CharSequence prefix = byteBuf.getCharSequence(start, PROBE_LENGTH, StandardCharsets.UTF_8);
        if (prefix.equals(SecureConnectionTestUtil.DUAL_MODE_CLIENT_HELLO_MSG)) {
            answerDualModeProbe(channelHandlerContext);
            return;
        }

        if (!SslUtils.isTLS(byteBuf)) {
            // Plaintext path: no SslHandler is installed, so traffic on this channel stays unencrypted.
            logger.debug("Identified request as non SSL request, running in HTTP mode as dual mode is enabled");
            channelHandlerContext.pipeline().remove(this);
            return;
        }

        logger.debug("Identified request as SSL request");
        enableSsl(channelHandlerContext);
    }

    /**
     * Replies to a dual-mode client hello with the server hello message and closes the
     * channel once the write completes. The reply is sent outside of any TLS session.
     *
     * @param channelHandlerContext context used to write the reply
     */
    private void answerDualModeProbe(ChannelHandlerContext channelHandlerContext) {
        logger.debug("Received DualSSL Client Hello message");
        final ByteBuf reply = Unpooled.buffer(PROBE_LENGTH);
        reply.writeCharSequence(SecureConnectionTestUtil.DUAL_MODE_SERVER_HELLO_MSG, StandardCharsets.UTF_8);
        channelHandlerContext.writeAndFlush(reply).addListener(ChannelFutureListener.CLOSE);
    }

    /**
     * Installs the TLS handler and removes this handler from the pipeline.
     *
     * <p>The supplied handler is used when one was given at construction time; otherwise an
     * engine is requested from the settings provider, falling back to
     * {@code SslUtils.createDefaultServerSSLEngine} when the provider returns none.
     *
     * @param channelHandlerContext context whose pipeline is modified
     * @throws SSLException             declared by the original signature
     * @throws NoSuchAlgorithmException declared by the original signature
     */
    private void enableSsl(ChannelHandlerContext channelHandlerContext) throws SSLException, NoSuchAlgorithmException {
        final SslHandler tlsHandler;
        if (this.providedSSLHandler == null) {
            final SSLEngine engine = (SSLEngine) this.secureTransportSettingsProvider
                .buildSecureServerTransportEngine(this.settings, this.transport)
                .orElseGet(SslUtils::createDefaultServerSSLEngine);
            tlsHandler = new SslHandler(engine);
        } else {
            tlsHandler = this.providedSSLHandler;
        }

        final ChannelPipeline channelPipeline = channelHandlerContext.pipeline();
        // NOTE(review): "port_unification_handler" is presumably the name this handler is
        // registered under — confirm at the call site that builds the pipeline.
        // The SSL handler is added before this handler is removed, so ordering matters here.
        channelPipeline.addAfter("port_unification_handler", "ssl_server", tlsHandler);
        channelPipeline.remove(this);
        logger.debug("Removed port unification handler and added SSL handler as incoming request is SSL");
    }
}
