package org.opensearch.transport.netty4.ssl;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelOutboundHandlerAdapter;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.DecoderException;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Objects;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.ExceptionsHelper;
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.Version;
import org.opensearch.cluster.node.DiscoveryNode;
import org.opensearch.common.SuppressForbidden;
import org.opensearch.common.network.NetworkModule;
import org.opensearch.common.network.NetworkService;
import org.opensearch.common.settings.Settings;
import org.opensearch.common.util.PageCacheRecycler;
import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
import org.opensearch.core.indices.breaker.CircuitBreakerService;
import org.opensearch.plugins.SecureTransportSettingsProvider;
import org.opensearch.plugins.TransportExceptionHandler;
import org.opensearch.telemetry.tracing.Tracer;
import org.opensearch.threadpool.ThreadPool;
import org.opensearch.transport.SharedGroupFactory;
import org.opensearch.transport.TcpChannel;
import org.opensearch.transport.netty4.Netty4Transport;
import org.opensearch.transport.netty4.ssl.SecureConnectionTestUtil;

/* loaded from: input_file:org/opensearch/transport/netty4/ssl/SecureNetty4Transport.class */
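/**
 * TLS-enabled variant of {@link Netty4Transport} for node-to-node traffic.
 * <p>
 * The {@link SecureTransportSettingsProvider} supplies the client/server {@link SSLEngine}s and the
 * optional exception handler; this class only wires them into the Netty pipelines. When the provider
 * reports {@code dualModeEnabled()}, the server side installs a {@code DualModeSslHandler} (the log
 * calls it a "port unification handler") and the client side probes the peer first and connects
 * <em>without</em> TLS when the probe says the peer does not speak it — see
 * {@link SSLClientChannelInitializer#initChannel(Channel)} for the security implications.
 */
public class SecureNetty4Transport extends Netty4Transport {
    private static final Logger logger = LogManager.getLogger(SecureNetty4Transport.class);
    private final SecureTransportSettingsProvider secureTransportSettingsProvider;
    private final TransportExceptionHandler exceptionHandler;

    /**
     * Peels a Netty {@link DecoderException} off the failure it carries so that the underlying
     * error (typically the {@link SSLException} from a failed handshake) is what gets logged and
     * propagated, rather than the codec wrapper.
     * <p>
     * A {@code DecoderException} without a cause is returned unchanged. The previous code replaced
     * it with {@code null}, which would then have been handed to Netty's {@code fireExceptionCaught}
     * and to the {@link TransportExceptionHandler}, masking the real failure with an NPE.
     * ({@code null instanceof DecoderException} is {@code false}, so no separate null check is needed.)
     *
     * @param t the caught throwable, may be {@code null}
     * @return the wrapped cause, or {@code t} itself when there is nothing to unwrap
     */
    private static Throwable unwrapDecoderException(Throwable t) {
        if (t instanceof DecoderException && t.getCause() != null) {
            return t.getCause();
        }
        return t;
    }

    /**
     * Outbound handler placed first on a client channel that must use TLS. On {@code connect} it
     * builds the client {@link SSLEngine} (from the settings provider, falling back to
     * {@link SslUtils#createDefaultClientSSLEngine()}), swaps itself out of the pipeline for an
     * {@link SslHandler} and only then lets the connect proceed, so the handshake starts as soon as
     * the socket is up.
     */
    protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
        private final Logger log = LogManager.getLogger(getClass());
        private final Settings settings;
        private final SecureTransportSettingsProvider secureTransportSettingsProvider;
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResolveHostName;

        /**
         * @param settings                            node settings handed to the provider
         * @param secureTransportSettingsProvider     source of the client {@link SSLEngine}
         * @param hostnameVerificationEnabled         whether the peer's host/port are handed to the
         *                                            provider when building the engine
         * @param hostnameVerificationResolveHostName when verifying, use the resolved host name
         *                                            ({@link InetSocketAddress#getHostName()}) instead
         *                                            of the literal the address was built from
         */
        private ClientSSLHandler(
            Settings settings,
            SecureTransportSettingsProvider secureTransportSettingsProvider,
            boolean hostnameVerificationEnabled,
            boolean hostnameVerificationResolveHostName
        ) {
            this.settings = settings;
            this.secureTransportSettingsProvider = secureTransportSettingsProvider;
            this.hostnameVerificationEnabled = hostnameVerificationEnabled;
            this.hostnameVerificationResolveHostName = hostnameVerificationResolveHostName;
        }

        /**
         * Logs the unwrapped failure and forwards it down the pipeline.
         * Netty surfaces failures from its decoders (including {@link SslHandler}) wrapped in a
         * {@link DecoderException}; the wrapper is stripped so the real cause is visible in the log.
         */
        @Override
        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
            final Throwable root = unwrapDecoderException(cause);
            SecureNetty4Transport.logger.error("Exception during establishing a SSL connection: " + root, root);
            super.exceptionCaught(ctx, root);
        }

        /**
         * Installs the TLS engine for this connection and then performs the actual connect.
         *
         * @throws Exception any {@link SSLException} raised while building the engine is converted via
         *                   {@link ExceptionsHelper#convertToOpenSearchException}; other failures propagate as-is
         */
        @Override
        @SuppressForbidden(reason = "The java.net.InetSocketAddress#getHostName() needs to be used")
        public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, SocketAddress localAddress, ChannelPromise promise)
            throws Exception {
            try {
                SSLEngine engine;
                if (hostnameVerificationEnabled) {
                    // TCP transport addresses are InetSocketAddress; anything else is a programming error.
                    final InetSocketAddress peer = (InetSocketAddress) remoteAddress;
                    // getHostName() may perform a reverse DNS lookup; getHostString() returns the literal
                    // (name or IP text) the address was created with, without resolving.
                    final String peerHost = hostnameVerificationResolveHostName ? peer.getHostName() : peer.getHostString();
                    if (log.isDebugEnabled()) {
                        log.debug(
                            "Hostname of peer is {} ({}/{}) with hostnameVerificationResolveHostName: {}",
                            peerHost,
                            peer.getHostName(),
                            peer.getHostString(),
                            hostnameVerificationResolveHostName
                        );
                    }
                    engine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, peerHost, peer.getPort()).orElse(null);
                } else {
                    // No peer host/port is given to the provider, so the engine it builds has nothing to
                    // bind the server certificate to. NOTE(review): presumably this means no hostname
                    // verification at all for this connection — confirm against the provider implementation.
                    engine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, (String) null, -1).orElse(null);
                }
                if (engine == null) {
                    // Provider declined to build one: fall back to the plugin's default client engine.
                    engine = SslUtils.createDefaultClientSSLEngine();
                }
                // Replace this one-shot handler with the real SslHandler before the connect is issued.
                ctx.pipeline().replace(this, "ssl_client", new SslHandler(engine));
                super.connect(ctx, remoteAddress, localAddress, promise);
            } catch (SSLException e) {
                throw ExceptionsHelper.convertToOpenSearchException(e);
            }
        }
    }

    /**
     * Client-side pipeline initializer. When dual mode is enabled it probes the target node once, at
     * construction time, to decide whether the channel gets a TLS handler at all.
     */
    protected class SSLClientChannelInitializer extends Netty4Transport.ClientChannelInitializer {
        private final boolean hostnameVerificationEnabled;
        private final boolean hostnameVerificationResolveHostName;
        private final DiscoveryNode node;
        private final SecureConnectionTestUtil.SSLConnectionTestResult connectionTestResult;

        /**
         * Reads the hostname-verification settings and, if dual mode is on, runs the connection probe
         * against {@code node}. The probe runs under {@link AccessController#doPrivileged} and — being
         * done here — executes on whatever thread creates the initializer, before any channel exists.
         *
         * @param node the node this initializer will open channels to
         */
        public SSLClientChannelInitializer(DiscoveryNode node) {
            this.node = node;
            final boolean dualModeEnabled = SecureNetty4Transport.this.secureTransportSettingsProvider.parameters(
                SecureNetty4Transport.this.settings
            ).map(p -> p.dualModeEnabled()).orElse(false);
            this.hostnameVerificationEnabled = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION.get(SecureNetty4Transport.this.settings);
            this.hostnameVerificationResolveHostName = NetworkModule.TRANSPORT_SSL_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME.get(
                SecureNetty4Transport.this.settings
            );

            // Without dual mode there is nothing to negotiate: every client channel is TLS.
            SecureConnectionTestUtil.SSLConnectionTestResult probeResult = SecureConnectionTestUtil.SSLConnectionTestResult.SSL_AVAILABLE;
            if (dualModeEnabled) {
                final SecureConnectionTestUtil probe = new SecureConnectionTestUtil(node.getAddress().getAddress(), node.getAddress().getPort());
                probeResult = AccessController.doPrivileged(
                    (PrivilegedAction<SecureConnectionTestUtil.SSLConnectionTestResult>) probe::testConnection
                );
            }
            this.connectionTestResult = probeResult;
        }

        /**
         * Adds the TLS handler according to the probe result:
         * <ul>
         *   <li>{@code OPENSEARCH_PING_FAILED}: the channel is closed immediately;</li>
         *   <li>{@code SSL_AVAILABLE}: a {@link ClientSSLHandler} is added first in the pipeline;</li>
         *   <li>any other result: the channel is left as plain TCP.</li>
         * </ul>
         * NOTE(review): the plaintext path means that, in dual mode, encryption of this connection is
         * decided by an unauthenticated probe of the peer. Anyone able to make that probe conclude
         * "no TLS" gets a cleartext transport connection; dual mode should be treated as a
         * migration-only setting.
         */
        @Override
        protected void initChannel(Channel ch) throws Exception {
            super.initChannel(ch);
            if (connectionTestResult == SecureConnectionTestUtil.SSLConnectionTestResult.OPENSEARCH_PING_FAILED) {
                SecureNetty4Transport.logger.error(
                    "SSL dual mode is enabled but dual mode handshake and OpenSearch ping has failed during client connection setup, closing channel"
                );
                ch.close();
                return;
            }
            if (connectionTestResult != SecureConnectionTestUtil.SSLConnectionTestResult.SSL_AVAILABLE) {
                SecureNetty4Transport.logger.debug("Connection to {} needs to be non ssl", node.getHostName());
                return;
            }
            SecureNetty4Transport.logger.debug("Connection to {} needs to be ssl, adding ssl handler to the client channel ", node.getHostName());
            ch.pipeline()
                .addFirst(
                    "client_ssl_handler",
                    new ClientSSLHandler(
                        SecureNetty4Transport.this.settings,
                        SecureNetty4Transport.this.secureTransportSettingsProvider,
                        hostnameVerificationEnabled,
                        hostnameVerificationResolveHostName
                    )
                );
        }

        /** Logs the unwrapped failure (see {@link #unwrapDecoderException}) and forwards it. */
        @Override
        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
            final Throwable root = unwrapDecoderException(cause);
            SecureNetty4Transport.logger.error("Exception during establishing a SSL connection: " + root, root);
            super.exceptionCaught(ctx, root);
        }
    }

    /**
     * Server-side pipeline initializer: a plain {@link SslHandler} normally, or a
     * {@code DualModeSslHandler} when the provider reports dual mode.
     */
    protected class SSLServerChannelInitializer extends Netty4Transport.ServerChannelInitializer {
        /** @param name the profile name passed through to the parent initializer */
        public SSLServerChannelInitializer(String name) {
            super(name);
        }

        /**
         * Installs the server-side TLS handling as the first handler of the accepted channel.
         * In dual mode the {@code DualModeSslHandler} is used instead of a fixed {@link SslHandler};
         * presumably it sniffs the first bytes to accept both TLS and plaintext peers (the log line
         * calls it a port unification handler), which is what lets mixed clusters talk during a
         * TLS rollout — and, for the same reason, also accepts cleartext from anyone.
         */
        @Override
        protected void initChannel(Channel ch) throws Exception {
            super.initChannel(ch);
            final boolean dualModeEnabled = SecureNetty4Transport.this.secureTransportSettingsProvider.parameters(
                SecureNetty4Transport.this.settings
            ).map(p -> p.dualModeEnabled()).orElse(false);
            if (dualModeEnabled) {
                SecureNetty4Transport.logger.info("SSL Dual mode enabled, using port unification handler");
                ch.pipeline()
                    .addFirst(
                        "port_unification_handler",
                        new DualModeSslHandler(
                            SecureNetty4Transport.this.settings,
                            SecureNetty4Transport.this.secureTransportSettingsProvider,
                            SecureNetty4Transport.this
                        )
                    );
                return;
            }
            // Provider engine first; the plugin default is only a fallback.
            final SSLEngine engine = SecureNetty4Transport.this.secureTransportSettingsProvider.buildSecureServerTransportEngine(
                SecureNetty4Transport.this.settings,
                SecureNetty4Transport.this
            ).orElseGet(SslUtils::createDefaultServerSSLEngine);
            ch.pipeline().addFirst("ssl_server", new SslHandler(engine));
        }

        /** Logs the unwrapped failure (see {@link #unwrapDecoderException}) and forwards it. */
        @Override
        public final void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) throws Exception {
            final Throwable root = unwrapDecoderException(cause);
            SecureNetty4Transport.logger.error("Exception during establishing a SSL connection: " + root, root);
            super.exceptionCaught(ctx, root);
        }
    }

    /**
     * Builds the transport. The provider may also supply a {@link TransportExceptionHandler}; when it
     * does not, {@link TransportExceptionHandler#NOOP} is used so {@link #onException} never has to
     * null-check it.
     */
    public SecureNetty4Transport(
        Settings settings,
        Version version,
        ThreadPool threadPool,
        NetworkService networkService,
        PageCacheRecycler pageCacheRecycler,
        NamedWriteableRegistry namedWriteableRegistry,
        CircuitBreakerService circuitBreakerService,
        SharedGroupFactory sharedGroupFactory,
        SecureTransportSettingsProvider secureTransportSettingsProvider,
        Tracer tracer
    ) {
        super(settings, version, threadPool, networkService, pageCacheRecycler, namedWriteableRegistry, circuitBreakerService, sharedGroupFactory, tracer);
        this.secureTransportSettingsProvider = secureTransportSettingsProvider;
        this.exceptionHandler = secureTransportSettingsProvider.buildServerTransportExceptionHandler(settings, this)
            .orElse(TransportExceptionHandler.NOOP);
    }

    /**
     * Reports a channel error to the configured handler and the log, then defers to the parent.
     * The unwrapped cause goes to the handler and the log; the parent still receives the original
     * exception, as before.
     *
     * @throws OpenSearchSecurityException if {@code channel} is {@code null} or already closed; the
     *                                     original exception is attached as its cause
     */
    @Override
    public void onException(TcpChannel channel, Exception e) {
        final Throwable cause = unwrapDecoderException(e);
        exceptionHandler.onError(cause);
        logger.error("Exception during establishing a SSL connection: " + cause, cause);
        if (channel == null || !channel.isOpen()) {
            throw new OpenSearchSecurityException("The provided TCP channel is invalid.", e);
        }
        super.onException(channel, e);
    }

    /** @return the TLS-aware server initializer for profile {@code name} */
    @Override
    protected ChannelHandler getServerChannelInitializer(String name) {
        return new SSLServerChannelInitializer(name);
    }

    /** @return the TLS-aware client initializer for {@code node}; in dual mode this probes the node immediately */
    @Override
    protected ChannelHandler getClientChannelInitializer(DiscoveryNode node) {
        return new SSLClientChannelInitializer(node);
    }
}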
