package org.neo4j.bolt.protocol.common.handler;

import io.netty.buffer.ByteBuf;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.codec.http.HttpObjectAggregator;
import io.netty.handler.codec.http.HttpServerCodec;
import io.netty.handler.codec.http.websocketx.WebSocketFrameAggregator;
import io.netty.handler.codec.http.websocketx.WebSocketServerProtocolHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import java.util.List;
import org.neo4j.bolt.negotiation.codec.ProtocolNegotiationRequestDecoder;
import org.neo4j.bolt.negotiation.codec.ProtocolNegotiationResponseEncoder;
import org.neo4j.bolt.protocol.common.connector.Connector;
import org.neo4j.bolt.protocol.common.connector.connection.Connection;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.connectors.BoltConnectorInternalSettings;
import org.neo4j.internal.helpers.Exceptions;
import org.neo4j.logging.InternalLog;
import org.neo4j.logging.InternalLogProvider;
import org.neo4j.logging.Log;
import org.neo4j.memory.HeapEstimator;
import org.neo4j.packstream.codec.transport.WebSocketFramePackingEncoder;
import org.neo4j.packstream.codec.transport.WebSocketFrameUnpackingDecoder;
import org.neo4j.util.VisibleForTesting;

/* loaded from: input_file:org/neo4j/bolt/protocol/common/handler/TransportSelectionHandler.class */
public class TransportSelectionHandler extends ByteToMessageDecoder {
    public static final long SHALLOW_SIZE = HeapEstimator.shallowSizeOfInstance(TransportSelectionHandler.class);
    public static final long SSL_HANDLER_SHALLOW_SIZE = HeapEstimator.shallowSizeOfInstance(SslHandler.class);
    public static final long HTTP_SERVER_CODEC_SHALLOW_SIZE = HeapEstimator.shallowSizeOfInstance(HttpServerCodec.class);
    public static final long HTTP_OBJECT_AGGREGATOR_SHALLOW_SIZE = HeapEstimator.shallowSizeOfInstance(HttpObjectAggregator.class);
    public static final long WEB_SOCKET_SERVER_PROTOCOL_HANDLER_SHALLOW_SIZE = HeapEstimator.shallowSizeOfInstance(WebSocketServerProtocolHandler.class);
    public static final long WEB_SOCKET_FRAME_AGGREGATOR_SHALLOW_SIZE = HeapEstimator.shallowSizeOfInstance(WebSocketFrameAggregator.class);
    private static final String WEBSOCKET_MAGIC = "GET ";
    private static final int MAX_WEBSOCKET_HANDSHAKE_SIZE = 65536;
    private static final int MAX_WEBSOCKET_FRAME_SIZE = 65536;
    private final Config config;
    private final SslContext sslContext;
    private final boolean enableProtocolLogging;
    private final BoltConnectorInternalSettings.ProtocolLoggingMode protocolLoggingMode;
    private final InternalLogProvider logging;
    private final InternalLog log;
    private final boolean isEncrypted;
    private Connector connector;
    private Connection connection;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/bolt/protocol/common/handler/TransportSelectionHandler$TransportSecuritySelectionFutureListener.class */
    public static class TransportSecuritySelectionFutureListener implements GenericFutureListener<Future<? super Channel>> {
        private final Channel channel;
        private final Config config;
        private final SslContext sslContext;
        private final Connection connection;
        private final boolean enableProtocolLogging;
        private final BoltConnectorInternalSettings.ProtocolLoggingMode protocolLoggingMode;
        private final InternalLogProvider logging;
        private final Log log;

        public TransportSecuritySelectionFutureListener(Channel channel, Config config, SslContext sslContext, Connection connection, boolean z, BoltConnectorInternalSettings.ProtocolLoggingMode protocolLoggingMode, InternalLogProvider internalLogProvider, Log log) {
            this.channel = channel;
            this.config = config;
            this.sslContext = sslContext;
            this.connection = connection;
            this.enableProtocolLogging = z;
            this.protocolLoggingMode = protocolLoggingMode;
            this.logging = internalLogProvider;
            this.log = log;
        }

        public void operationComplete(Future<? super Channel> future) throws Exception {
            if (future.isSuccess()) {
                this.connection.memoryTracker().allocateHeap(TransportSelectionHandler.SHALLOW_SIZE);
                this.channel.pipeline().addLast(new ChannelHandler[]{new TransportSelectionHandler(this.config, this.sslContext, this.enableProtocolLogging, this.protocolLoggingMode, this.logging, true)});
            } else {
                Throwable cause = future.cause();
                this.log.debug("[%s] TLS handshake has failed: %s", new Object[]{this.channel.remoteAddress(), cause != null ? cause.getMessage() : "Unknown Error"});
                this.channel.close();
            }
        }
    }

    @VisibleForTesting
    TransportSelectionHandler(Config config, SslContext sslContext, boolean z, BoltConnectorInternalSettings.ProtocolLoggingMode protocolLoggingMode, InternalLogProvider internalLogProvider, boolean z2) {
        this.config = config;
        this.sslContext = sslContext;
        this.enableProtocolLogging = z;
        this.protocolLoggingMode = protocolLoggingMode;
        this.logging = internalLogProvider;
        this.log = internalLogProvider.getLog(TransportSelectionHandler.class);
        this.isEncrypted = z2;
    }

    public TransportSelectionHandler(Config config, SslContext sslContext, boolean z, BoltConnectorInternalSettings.ProtocolLoggingMode protocolLoggingMode, InternalLogProvider internalLogProvider) {
        this(config, sslContext, z, protocolLoggingMode, internalLogProvider, false);
    }

    public void handlerAdded(ChannelHandlerContext channelHandlerContext) {
        this.connection = Connection.getConnection(channelHandlerContext.channel());
        this.connector = this.connection.connector();
    }

    protected void handlerRemoved0(ChannelHandlerContext channelHandlerContext) {
        this.connection.memoryTracker().releaseHeap(SHALLOW_SIZE);
    }

    protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) {
        if (byteBuf.readableBytes() < 5) {
            return;
        }
        if (detectSsl(byteBuf)) {
            if (!this.isEncrypted) {
                enableSsl(channelHandlerContext);
                return;
            } else {
                this.log.error("Fatal error: multiple levels of SSL encryption detected. Terminating connection: %s", new Object[]{channelHandlerContext.channel()});
                channelHandlerContext.close();
                return;
            }
        }
        if (isHttp(byteBuf)) {
            switchToWebsocket(channelHandlerContext);
        } else if (isBoltPreamble(byteBuf)) {
            switchToSocket(channelHandlerContext);
        } else {
            byteBuf.clear();
            channelHandlerContext.close();
        }
    }

    public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        try {
            if (Exceptions.contains(th, th2 -> {
                return th2.getMessage().contains("Connection reset by peer");
            })) {
                this.log.warn("Fatal error occurred when initialising pipeline, remote peer unexpectedly closed connection: %s", new Object[]{channelHandlerContext.channel()});
            } else {
                this.log.error("Fatal error occurred when initialising pipeline: " + channelHandlerContext.channel(), th);
            }
        } finally {
            channelHandlerContext.close();
        }
    }

    private static boolean isBoltPreamble(ByteBuf byteBuf) {
        return byteBuf.getInt(0) == 1616949271;
    }

    private boolean detectSsl(ByteBuf byteBuf) {
        return this.sslContext != null && SslHandler.isEncrypted(byteBuf);
    }

    private static boolean isHttp(ByteBuf byteBuf) {
        for (int i = 0; i < WEBSOCKET_MAGIC.length(); i++) {
            if (byteBuf.getUnsignedByte(byteBuf.readerIndex() + i) != WEBSOCKET_MAGIC.charAt(i)) {
                return false;
            }
        }
        return true;
    }

    private void enableSsl(ChannelHandlerContext channelHandlerContext) {
        this.connection.memoryTracker().allocateHeap(SSL_HANDLER_SHALLOW_SIZE);
        ChannelHandler newHandler = this.sslContext.newHandler(channelHandlerContext.alloc());
        newHandler.handshakeFuture().addListener(new TransportSecuritySelectionFutureListener(channelHandlerContext.channel(), this.config, this.sslContext, this.connection, this.enableProtocolLogging, this.protocolLoggingMode, this.logging, this.log));
        channelHandlerContext.pipeline().addLast(new ChannelHandler[]{newHandler}).remove(this);
    }

    private void switchToSocket(ChannelHandlerContext channelHandlerContext) {
        if (this.connector.isEncryptionRequired() && !this.isEncrypted) {
            throw new SecurityException("An unencrypted connection attempt was made where encryption is required.");
        }
        switchToHandshake(channelHandlerContext);
    }

    private void switchToWebsocket(ChannelHandlerContext channelHandlerContext) {
        ChannelPipeline pipeline = channelHandlerContext.pipeline();
        this.connection.memoryTracker().allocateHeap(HTTP_SERVER_CODEC_SHALLOW_SIZE + HTTP_OBJECT_AGGREGATOR_SHALLOW_SIZE + DiscoveryResponseHandler.SHALLOW_SIZE + WEB_SOCKET_SERVER_PROTOCOL_HANDLER_SHALLOW_SIZE + WEB_SOCKET_FRAME_AGGREGATOR_SHALLOW_SIZE + WebSocketFramePackingEncoder.SHALLOW_SIZE + WebSocketFrameUnpackingDecoder.SHALLOW_SIZE);
        pipeline.addLast(new ChannelHandler[]{new HttpServerCodec(), new HttpObjectAggregator(65536), new DiscoveryResponseHandler(this.connector.authConfigProvider()), new WebSocketServerProtocolHandler("/", (String) null, false, 65536), new WebSocketFrameAggregator(65536), new WebSocketFramePackingEncoder(), new WebSocketFrameUnpackingDecoder()});
        switchToHandshake(channelHandlerContext);
    }

    private void switchToHandshake(ChannelHandlerContext channelHandlerContext) {
        if (this.enableProtocolLogging && this.protocolLoggingMode.isLoggingRawTraffic()) {
            this.connection.memoryTracker().allocateHeap(ProtocolLoggingHandler.SHALLOW_SIZE);
            channelHandlerContext.pipeline().addLast(ProtocolLoggingHandler.RAW_NAME, new ProtocolLoggingHandler(this.logging));
        }
        this.connection.memoryTracker().allocateHeap(ProtocolNegotiationResponseEncoder.SHALLOW_SIZE + ProtocolNegotiationRequestDecoder.SHALLOW_SIZE + ProtocolHandshakeHandler.SHALLOW_SIZE);
        channelHandlerContext.pipeline().addLast("protocolNegotiationRequestEncoder", new ProtocolNegotiationResponseEncoder()).addLast("protocolNegotiationRequestDecoder", new ProtocolNegotiationRequestDecoder());
        if (this.enableProtocolLogging && this.protocolLoggingMode.isLoggingDecodedTraffic()) {
            this.connection.memoryTracker().allocateHeap(ProtocolLoggingHandler.SHALLOW_SIZE);
            channelHandlerContext.pipeline().addLast(ProtocolLoggingHandler.DECODED_NAME, new ProtocolLoggingHandler(this.logging));
        }
        channelHandlerContext.pipeline().addLast("protocolHandshakeHandler", new ProtocolHandshakeHandler(this.config, this.enableProtocolLogging, this.protocolLoggingMode, this.logging));
        channelHandlerContext.pipeline().remove(this);
    }
}
