package com.floragunn.searchguard.transport;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.auth.BackendRegistry;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLRequestHelper;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.User;
import com.google.common.base.Strings;
import java.net.InetSocketAddress;
import java.security.cert.X509Certificate;
import java.util.Objects;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;

/* loaded from: input_file:com/floragunn/searchguard/transport/SearchGuardRequestHandler.class */
public class SearchGuardRequestHandler<T extends TransportRequest> extends SearchGuardSSLRequestHandler<T> {
    private final BackendRegistry backendRegistry;
    private final AuditLog auditLog;
    private final InterClusterRequestEvaluator requestEvalProvider;
    private final ClusterService cs;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SearchGuardRequestHandler(String str, TransportRequestHandler<T> transportRequestHandler, ThreadPool threadPool, BackendRegistry backendRegistry, AuditLog auditLog, PrincipalExtractor principalExtractor, InterClusterRequestEvaluator interClusterRequestEvaluator, ClusterService clusterService) {
        super(str, transportRequestHandler, threadPool, principalExtractor);
        this.backendRegistry = backendRegistry;
        this.auditLog = auditLog;
        this.requestEvalProvider = interClusterRequestEvaluator;
        this.cs = clusterService;
    }

    protected void messageReceivedDecorate(T t, TransportRequestHandler<T> transportRequestHandler, TransportChannel transportChannel, Task task) throws Exception {
        ThreadContext.StoredContext newStoredContext = getThreadContext().newStoredContext(false);
        try {
            String str = (String) getThreadContext().getTransient(ConfigConstants.SG_CHANNEL_TYPE);
            if (transportChannel.getChannelType() == null) {
                throw new RuntimeException("Can not determine channel type (null)");
            }
            getThreadContext().putTransient(ConfigConstants.SG_ACTION_NAME, transportChannel.action());
            if (str == null) {
                getThreadContext().putTransient(ConfigConstants.SG_CHANNEL_TYPE, transportChannel.getChannelType());
            } else if (!str.equals(transportChannel.getChannelType())) {
                throw new RuntimeException("channel type mismtach " + str + "!=" + transportChannel.getChannelType());
            }
            if (transportChannel.getChannelType().equals("local") || transportChannel.getChannelType().equals("direct")) {
                String header = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER);
                if (!Strings.isNullOrEmpty(header)) {
                    getThreadContext().putTransient(ConfigConstants.SG_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(header)));
                }
                String header2 = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER);
                if (!Strings.isNullOrEmpty(header2)) {
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new InetSocketTransportAddress((InetSocketAddress) Base64Helper.deserializeObject(header2)));
                }
                super.messageReceivedDecorate(t, transportRequestHandler, transportChannel, task);
                if (newStoredContext != null) {
                    newStoredContext.close();
                    return;
                }
                return;
            }
            if (!HeaderHelper.isInterClusterRequest(getThreadContext()) && !HeaderHelper.isTrustedClusterRequest(getThreadContext()) && !transportChannel.action().equals("internal:transport/handshake") && (transportChannel.action().startsWith("internal:") || transportChannel.action().contains("["))) {
                this.auditLog.logMissingPrivileges(transportChannel.action(), t);
                this.log.error("Internal or shard requests (" + transportChannel.action() + ") not allowed from a non-server node for transport type " + transportChannel.getChannelType());
                transportChannel.sendResponse(new ElasticsearchSecurityException("Internal or shard requests not allowed from a non-server node for transport type " + transportChannel.getChannelType(), new Object[0]));
                if (newStoredContext != null) {
                    newStoredContext.close();
                    return;
                }
                return;
            }
            String str2 = (String) getThreadContext().getTransient(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL);
            if (str2 == null) {
                ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("No SSL client certificates found for transport type " + transportChannel.getChannelType() + ". Search Guard needs the Search Guard SSL plugin to be installed", new Object[0]);
                this.auditLog.logSSLException((TransportRequest) t, (Throwable) elasticsearchSecurityException, transportChannel.action());
                this.log.error("No SSL client certificates found for transport type " + transportChannel.getChannelType() + ". Search Guard needs the Search Guard SSL plugin to be installed");
                transportChannel.sendResponse(elasticsearchSecurityException);
                if (newStoredContext != null) {
                    newStoredContext.close();
                    return;
                }
                return;
            }
            if (HeaderHelper.isInterClusterRequest(getThreadContext()) || HeaderHelper.isTrustedClusterRequest(getThreadContext())) {
                String header3 = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER);
                if (Strings.isNullOrEmpty(header3)) {
                    getThreadContext().putTransient(ConfigConstants.SG_USER, User.SG_INTERNAL);
                } else {
                    getThreadContext().putTransient(ConfigConstants.SG_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(header3)));
                }
                String header4 = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER);
                if (Strings.isNullOrEmpty(header4)) {
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, t.remoteAddress());
                } else {
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new InetSocketTransportAddress((InetSocketAddress) Base64Helper.deserializeObject(header4)));
                }
            } else {
                if (SSLRequestHelper.containsBadHeader(getThreadContext(), ConfigConstants.SG_CONFIG_PREFIX)) {
                    ElasticsearchException createBadHeaderException = ExceptionUtils.createBadHeaderException();
                    this.auditLog.logBadHeaders(t);
                    this.log.error(createBadHeaderException);
                    transportChannel.sendResponse(createBadHeaderException);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                        return;
                    }
                    return;
                }
                try {
                    User authenticate = this.backendRegistry.authenticate(t, transportChannel, str2);
                    if (authenticate == null) {
                        this.log.error("Cannot authenticate {}", (User) getThreadContext().getTransient(ConfigConstants.SG_USER));
                        transportChannel.sendResponse(new ElasticsearchSecurityException("Cannot authenticate " + getThreadContext().getTransient(ConfigConstants.SG_USER), new Object[0]));
                        if (newStoredContext != null) {
                            newStoredContext.close();
                            return;
                        }
                        return;
                    }
                    getThreadContext().putTransient(ConfigConstants.SG_USER, authenticate);
                    TransportAddress remoteAddress = t.remoteAddress();
                    if (remoteAddress == null || !(remoteAddress instanceof InetSocketTransportAddress)) {
                        this.log.error("Request has no proper remote address {}", remoteAddress);
                        transportChannel.sendResponse(new ElasticsearchException("Request has no proper remote address", new Object[0]));
                        if (newStoredContext != null) {
                            newStoredContext.close();
                            return;
                        }
                        return;
                    }
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, remoteAddress);
                } catch (Exception e) {
                    this.log.error("Error authentication transport user " + e, e);
                    this.auditLog.logFailedLogin(str2, t);
                    transportChannel.sendResponse(ExceptionsHelper.convertToElastic(e));
                    if (newStoredContext != null) {
                        newStoredContext.close();
                        return;
                    }
                    return;
                }
            }
            super.messageReceivedDecorate(t, transportRequestHandler, transportChannel, task);
            if (newStoredContext != null) {
                newStoredContext.close();
            }
        } catch (Throwable th) {
            if (newStoredContext != null) {
                newStoredContext.close();
            }
            throw th;
        }
    }

    protected void addAdditionalContextValues(String str, TransportRequest transportRequest, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, String str2) throws Exception {
        if (this.requestEvalProvider.isInterClusterRequest(transportRequest, x509CertificateArr, x509CertificateArr2, str2)) {
            if (Boolean.parseBoolean(getThreadContext().getHeader("_sg_header_tn")) || this.cs.getClusterName().value().equals(getThreadContext().getHeader("_sg_remotecn"))) {
                if (this.log.isTraceEnabled() && !str.startsWith("internal:")) {
                    this.log.trace("Is inter cluster request ({}/{}/{})", str, transportRequest.getClass(), transportRequest.remoteAddress());
                }
                getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
            } else {
                getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE);
            }
        } else if (this.log.isTraceEnabled()) {
            this.log.trace("Is not an inter cluster request");
        }
        super.addAdditionalContextValues(str, transportRequest, x509CertificateArr, x509CertificateArr2, str2);
    }

    protected void errorThrown(Throwable th, TransportRequest transportRequest, String str) {
        this.auditLog.logSSLException(transportRequest, th, str);
    }
}
