package org.elasticsearch.xpack.security.rest;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.netty3.Netty3HttpRequest;
import org.elasticsearch.http.netty4.Netty4HttpRequest;
import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestController;
import org.elasticsearch.rest.RestFilter;
import org.elasticsearch.rest.RestFilterChain;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.xpack.XPackSettings;
import org.elasticsearch.xpack.security.authc.AuthenticationService;
import org.elasticsearch.xpack.security.authc.pki.PkiRealm;
import org.elasticsearch.xpack.ssl.SSLService;
import org.jboss.netty.handler.ssl.SslHandler;

/* loaded from: input_file:org/elasticsearch/xpack/security/rest/SecurityRestFilter.class */
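/**
 * First REST filter in the chain: authenticates every incoming HTTP request (except {@code OPTIONS})
 * before any other filter or handler runs, and, when the HTTP layer is TLS with client authentication
 * enabled, copies the peer's certificate chain into the thread context so that the PKI realm can use it.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The whole filter is gated on {@code licenseState.isAuthAllowed()}; when the license does not
 *       permit auth, requests pass straight through unauthenticated (by design, not an oversight).</li>
 *   <li>{@code OPTIONS} requests are exempt from authentication (e.g. CORS preflight). Any handler that
 *       performs real work on {@code OPTIONS} would therefore run unauthenticated.</li>
 *   <li>The certificate chain is stored as a <em>transient</em> thread-context entry, i.e. it is set by this
 *       code and not read from a request header, so a client cannot inject it over the wire.</li>
 * </ul>
 */
public class SecurityRestFilter extends RestFilter {
    private final AuthenticationService service;
    private final Logger logger;
    private final XPackLicenseState licenseState;
    private final ThreadContext threadContext;
    /** True only when HTTP TLS is enabled and the HTTP SSL settings ask for (or require) a client certificate. */
    private final boolean extractClientCertificate;

    /**
     * Builds the filter and registers it with the {@link RestController}.
     *
     * @param authenticationService service that authenticates each request
     * @param restController        controller the filter registers itself with
     * @param settings              node settings, used for logging and the HTTP SSL configuration
     * @param threadPool            provides the {@link ThreadContext} the certificate is written into
     * @param xPackLicenseState     license state that decides whether authentication applies at all
     * @param sSLService            used to determine whether client authentication is configured for HTTP
     */
    @Inject
    public SecurityRestFilter(AuthenticationService authenticationService, RestController restController, Settings settings, ThreadPool threadPool, XPackLicenseState xPackLicenseState, SSLService sSLService) {
        this.service = authenticationService;
        this.licenseState = xPackLicenseState;
        this.threadContext = threadPool.getThreadContext();
        this.logger = Loggers.getLogger(getClass(), settings);
        // Only look for a peer certificate when the HTTP layer is actually TLS *and* configured for client
        // auth; otherwise there is no SslHandler in the channel pipeline to read one from.
        this.extractClientCertificate = XPackSettings.HTTP_SSL_ENABLED.get(settings)
                && sSLService.isSSLClientAuthEnabled(SSLService.getHttpTransportSSLSettings(settings));
        restController.registerFilter(this);
    }

    /**
     * Lowest possible order value, intended to place this filter ahead of every other REST filter so that
     * nothing observes a request before it has been authenticated.
     */
    @Override
    public int order() {
        return Integer.MIN_VALUE;
    }

    /**
     * Authenticates the request (unless it is an {@code OPTIONS} request or the license disallows auth),
     * records the remote host, and continues the chain.
     *
     * @throws Exception whatever authentication or certificate extraction throws; an exception here stops
     *                   the chain, so failures are fail-closed
     */
    @Override
    public void process(RestRequest restRequest, RestChannel restChannel, NodeClient nodeClient, RestFilterChain restFilterChain) throws Exception {
        if (this.licenseState.isAuthAllowed()) {
            // OPTIONS (e.g. CORS preflight) is deliberately exempt from authentication, so OPTIONS handlers
            // must stay side-effect free.
            if (restRequest.method() != RestRequest.Method.OPTIONS) {
                // The certificate must be in the thread context *before* authenticate() so the PKI realm can see it.
                if (this.extractClientCertificate) {
                    putClientCertificateInContext(restRequest, this.threadContext, this.logger);
                }
                // The returned user is not used here; the call is made for its side effects. Nothing inspects the
                // result, so authentication failure is presumably signalled by an exception -- confirm against
                // AuthenticationService before relying on that.
                this.service.authenticate(restRequest).getUser();
            }
            RemoteHostHeader.process(restRequest, this.threadContext);
        }
        // NOTE: when the license does not permit auth, the request is neither authenticated nor has its
        // remote-host header processed; it simply continues down the chain.
        restFilterChain.continueProcessing(restRequest, restChannel, nodeClient);
    }

    /**
     * Locates the TLS handler of the request's channel (netty3 or netty4) and copies the peer certificate
     * chain into {@code threadContext}.
     *
     * <p>Fails closed: if client-certificate extraction is enabled but the channel has no SSL handler, an
     * {@link IllegalStateException} is thrown (rather than a bare NPE when assertions are disabled) and the
     * request is rejected. A request of neither netty type is an assertion failure; with assertions off it is
     * left untouched, meaning no certificate is placed in the context.
     *
     * @param restRequest   the incoming request; expected to be a {@link Netty3HttpRequest} or {@link Netty4HttpRequest}
     * @param threadContext context the certificate chain is written into
     * @param logger        logger for diagnostics
     * @throws IllegalStateException if the channel pipeline has no SSL handler
     * @throws Exception             declared for callers; nothing else is thrown here beyond runtime exceptions
     */
    static void putClientCertificateInContext(RestRequest restRequest, ThreadContext threadContext, Logger logger) throws Exception {
        assert restRequest instanceof Netty3HttpRequest || restRequest instanceof Netty4HttpRequest;
        if (restRequest instanceof Netty3HttpRequest) {
            Netty3HttpRequest nettyRequest = (Netty3HttpRequest) restRequest;
            SslHandler sslHandler = nettyRequest.getChannel().getPipeline().get(SslHandler.class);
            if (sslHandler == null) {
                throw new IllegalStateException("client certificate extraction is enabled but the netty3 channel pipeline has no SslHandler");
            }
            extractClientCerts(sslHandler.getEngine(), nettyRequest.getChannel(), threadContext, logger);
        } else if (restRequest instanceof Netty4HttpRequest) {
            Netty4HttpRequest nettyRequest = (Netty4HttpRequest) restRequest;
            io.netty.handler.ssl.SslHandler sslHandler = nettyRequest.getChannel().pipeline().get(io.netty.handler.ssl.SslHandler.class);
            if (sslHandler == null) {
                throw new IllegalStateException("client certificate extraction is enabled but the netty4 channel pipeline has no SslHandler");
            }
            extractClientCerts(sslHandler.engine(), nettyRequest.getChannel(), threadContext, logger);
        }
    }

    /**
     * Reads the peer certificate chain from the engine's session and stores it under
     * {@link PkiRealm#PKI_CERT_HEADER_NAME} as a transient thread-context entry.
     *
     * <p>The chain is whatever the TLS layer accepted during the handshake; deciding whether it maps to a user
     * is left to the realm that reads this key. A chain that is not an {@code X509Certificate[]} is ignored
     * (and logged at debug), which is fail-closed for PKI authentication.
     *
     * @param sslEngine     engine whose session holds the peer certificates
     * @param channel       the channel, used only for log messages
     * @param threadContext context the chain is written into
     * @param logger        logger for diagnostics
     */
    private static void extractClientCerts(SSLEngine sslEngine, Object channel, ThreadContext threadContext, Logger logger) {
        try {
            Certificate[] peerChain = sslEngine.getSession().getPeerCertificates();
            if (peerChain instanceof X509Certificate[]) {
                threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, peerChain);
            } else if (logger.isDebugEnabled()) {
                logger.debug("SSL Peer on channel [{}] presented a non-X.509 certificate chain; ignoring it", channel);
            }
        } catch (SSLPeerUnverifiedException e) {
            // Expected only when client auth is optional (want, not need) and the client sent no certificate;
            // the assertions encode that a "need" connection is not expected to reach this point without one.
            assert sslEngine.getNeedClientAuth() == false;
            assert sslEngine.getWantClientAuth();
            if (logger.isTraceEnabled()) {
                logger.trace(new ParameterizedMessage("SSL Peer did not present a certificate on channel [{}]", channel), e);
            } else if (logger.isDebugEnabled()) {
                logger.debug("SSL Peer did not present a certificate on channel [{}]", channel);
            }
        }
    }
}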
