package com.floragunn.searchguard.transport;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.BackendRegistry;
import com.floragunn.searchguard.configuration.RequestHolder;
import com.floragunn.searchguard.ssl.transport.SearchGuardSSLTransportService;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.support.LogHelper;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cluster.node.DiscoveryNode;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.Provider;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.Transport;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportMessage;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;
import org.elasticsearch.transport.TransportRequestOptions;
import org.elasticsearch.transport.TransportResponse;
import org.elasticsearch.transport.TransportResponseHandler;

/* loaded from: input_file:com/floragunn/searchguard/transport/SearchGuardTransportService.class */
public class SearchGuardTransportService extends SearchGuardSSLTransportService {
    protected final ESLogger log;
    private final Provider<BackendRegistry> backendRegistry;
    private final AuditLog auditLog;
    private final String certOid;

    @Inject
    public SearchGuardTransportService(Settings settings, Transport transport, ThreadPool threadPool, Provider<BackendRegistry> provider, AuditLog auditLog) {
        super(settings, transport, threadPool);
        this.log = Loggers.getLogger(getClass());
        this.backendRegistry = provider;
        this.auditLog = auditLog;
        this.certOid = settings.get("searchguard.cert.oid", "1.2.3.4.5.5");
    }

    public <T extends TransportResponse> void sendRequest(DiscoveryNode discoveryNode, String str, TransportRequest transportRequest, TransportResponseHandler<T> transportResponseHandler) {
        attachHeaders(str, transportRequest);
        super.sendRequest(discoveryNode, str, transportRequest, transportResponseHandler);
    }

    public <T extends TransportResponse> void sendRequest(DiscoveryNode discoveryNode, String str, TransportRequest transportRequest, TransportRequestOptions transportRequestOptions, TransportResponseHandler<T> transportResponseHandler) {
        attachHeaders(str, transportRequest);
        super.sendRequest(discoveryNode, str, transportRequest, transportRequestOptions, transportResponseHandler);
    }

    private void attachHeaders(String str, TransportRequest transportRequest) {
        Object fromContext = transportRequest.getFromContext(ConfigConstants.SG_REMOTE_ADDRESS);
        if (fromContext != null && (fromContext instanceof InetSocketTransportAddress)) {
            transportRequest.putHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER, Base64Helper.serializeObject(((InetSocketTransportAddress) fromContext).address()));
        }
        User user = (User) transportRequest.getFromContext(ConfigConstants.SG_USER);
        if (user == null && transportRequest.remoteAddress() == null) {
            user = User.SG_INTERNAL;
        }
        if (user == null) {
            throw new ElasticsearchSecurityException("user must not be null here for " + str + " " + LogHelper.toString(transportRequest), new Object[0]);
        }
        transportRequest.putHeader(ConfigConstants.SG_USER_HEADER, Base64Helper.serializeObject(user));
    }

    protected void addAdditionalContextValues(String str, TransportRequest transportRequest, X509Certificate[] x509CertificateArr) throws Exception {
        boolean z = false;
        Collection<List<?>> subjectAlternativeNames = x509CertificateArr[0].getSubjectAlternativeNames();
        if (subjectAlternativeNames != null) {
            StringBuilder sb = new StringBuilder();
            for (List<?> list : subjectAlternativeNames) {
                if (list != null) {
                    Iterator<?> it = list.iterator();
                    while (it.hasNext()) {
                        int intValue = ((Integer) it.next()).intValue();
                        if (intValue == 8) {
                            Object next = it.next();
                            if (next != null) {
                                if (next instanceof String) {
                                    sb.append(intValue + "::" + next);
                                } else if (next instanceof byte[]) {
                                    this.log.error("Unable to handle OID san {} with value {} of type byte[] (ASN.1 DER not supported here)", new Object[]{Integer.valueOf(intValue), Arrays.toString((byte[]) next)});
                                } else {
                                    this.log.error("Unable to handle OID san {} with value {} of type {}", new Object[]{Integer.valueOf(intValue), next, next.getClass()});
                                }
                            }
                        } else {
                            it.next();
                        }
                    }
                }
            }
            if (sb.indexOf("8::" + this.certOid) >= 0) {
                z = true;
            }
        } else if (this.log.isTraceEnabled()) {
            this.log.trace("No subject alternative names (san) found", new Object[0]);
        }
        if (z) {
            if (this.log.isTraceEnabled() && !str.startsWith("internal:")) {
                this.log.trace("Is inter cluster request ({}/{}/{})", new Object[]{str, transportRequest.getClass(), transportRequest.remoteAddress()});
            }
            transportRequest.putInContext(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
        } else if (this.log.isTraceEnabled()) {
            this.log.trace("Is not an inter cluster request", new Object[0]);
        }
        super.addAdditionalContextValues(str, transportRequest, x509CertificateArr);
    }

    protected void messageReceivedDecorate(TransportRequest transportRequest, TransportRequestHandler transportRequestHandler, TransportChannel transportChannel, Task task) throws Exception {
        String str;
        try {
            RequestHolder.setCurrent(new RequestHolder(transportRequest));
            transportRequest.putInContext(ConfigConstants.SG_CHANNEL_TYPE, transportChannel.getChannelType());
            if (transportChannel.getChannelType().equals("local") || transportChannel.getChannelType().equals("direct")) {
                super.messageReceivedDecorate(transportRequest, transportRequestHandler, transportChannel, task);
                return;
            }
            if (!isInterClusterRequest(transportRequest) && (transportChannel.action().startsWith("internal:") || transportChannel.action().contains("["))) {
                this.auditLog.logMissingPrivileges(transportChannel.action(), transportRequest);
                this.log.error("Internal or shard requests not allowed from a non-server node for transport type " + transportChannel.getChannelType(), new Object[0]);
                transportChannel.sendResponse(new ElasticsearchSecurityException("Internal or shard requests not allowed from a non-server node for transport type " + transportChannel.getChannelType(), new Object[0]));
                return;
            }
            str = (String) transportRequest.getFromContext(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL);
            if (str == null) {
                Throwable elasticsearchSecurityException = new ElasticsearchSecurityException("No SSL client certificates found for transport type " + transportChannel.getChannelType() + ". Search Guard needs the Search Guard SSL plugin to be installed", new Object[0]);
                this.auditLog.logSSLException(transportRequest, elasticsearchSecurityException, transportChannel.action());
                this.log.error("No SSL client certificates found for transport type " + transportChannel.getChannelType() + ". Search Guard needs the Search Guard SSL plugin to be installed", new Object[0]);
                transportChannel.sendResponse(elasticsearchSecurityException);
                return;
            }
            if (isInterClusterRequest(transportRequest)) {
                String str2 = (String) transportRequest.getHeader(ConfigConstants.SG_USER_HEADER);
                if (Strings.isNullOrEmpty(str2)) {
                    transportRequest.putInContext(ConfigConstants.SG_USER, User.SG_INTERNAL);
                } else {
                    transportRequest.putInContext(ConfigConstants.SG_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(str2)));
                }
                String str3 = (String) transportRequest.getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER);
                if (!Strings.isNullOrEmpty(str3)) {
                    transportRequest.putInContext(ConfigConstants.SG_REMOTE_ADDRESS, Base64Helper.deserializeObject(str3));
                }
            } else {
                HeaderHelper.checkSGHeader((TransportMessage<?>) transportRequest);
                transportRequest.putInContext(ConfigConstants.SG_USER, new User(str));
                if (!((BackendRegistry) this.backendRegistry.get()).authenticate(transportRequest, transportChannel)) {
                    this.log.error("Cannot authenticate {}", new Object[]{transportRequest.getFromContext(ConfigConstants.SG_USER)});
                    transportChannel.sendResponse(new ElasticsearchSecurityException("Cannot authenticate " + transportRequest.getFromContext(ConfigConstants.SG_USER), new Object[0]));
                    return;
                }
                TransportAddress remoteAddress = transportRequest.remoteAddress();
                if (remoteAddress == null || !(remoteAddress instanceof InetSocketTransportAddress)) {
                    this.log.error("Request has no proper remote address {}", new Object[]{remoteAddress});
                    transportChannel.sendResponse(new ElasticsearchException("Request has no proper remote address", new Object[0]));
                    return;
                }
                transportRequest.putInContext(ConfigConstants.SG_REMOTE_ADDRESS, remoteAddress);
            }
            super.messageReceivedDecorate(transportRequest, transportRequestHandler, transportChannel, task);
        } catch (Exception e) {
            this.auditLog.logBadHeaders(transportRequest);
            this.log.error("Error validating headers " + e, e, new Object[0]);
            transportChannel.sendResponse(ExceptionsHelper.convertToElastic(e));
        } catch (Exception e2) {
            this.log.error("Error authentication transport user " + e2, e2, new Object[0]);
            this.auditLog.logFailedLogin(str, transportRequest);
            transportChannel.sendResponse(ExceptionsHelper.convertToElastic(e2));
        } finally {
            RequestHolder.removeCurrent();
        }
    }

    protected void errorThrown(Throwable th, TransportRequest transportRequest, String str) {
        this.auditLog.logSSLException(transportRequest, th, str);
    }

    private static boolean isInterClusterRequest(TransportRequest transportRequest) {
        return transportRequest.getFromContext(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST) == Boolean.TRUE;
    }
}
