package com.floragunn.searchguard.transport;

import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.WildcardMatcher;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.opensearch.OpenSearchException;
import org.opensearch.common.settings.Settings;
import org.opensearch.transport.TransportRequest;

/* loaded from: input_file:com/floragunn/searchguard/transport/DefaultInterClusterRequestEvaluator.class */
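/**
 * Decides whether a transport request comes from another node of the cluster, based on the
 * certificate principal and the certificate's subject alternative names (SANs).
 *
 * <p>A request is treated as inter-cluster when either
 * <ol>
 *   <li>the principal matches one of the configured node DN patterns
 *       ({@code ConfigConstants.SEARCHGUARD_NODES_DN}), or</li>
 *   <li>the certificate carries a registeredID SAN equal to the configured OID
 *       ({@code ConfigConstants.SEARCHGUARD_CERT_OID}, falling back to {@code 1.2.3.4.5.5}
 *       when the setting is absent).</li>
 * </ol>
 *
 * <p>This class only inspects names. It does not validate the certificate chain itself.
 * NOTE(review): confirm that callers only pass certificates the TLS layer has already
 * validated, and that the issuing CA restricts who can obtain a certificate with the node OID.
 */
public final class DefaultInterClusterRequestEvaluator implements InterClusterRequestEvaluator {
    /** GeneralName tag for registeredID (RFC 5280), as reported by getSubjectAlternativeNames(). */
    private static final int SAN_TYPE_REGISTERED_ID = 8;

    private final Logger log = LogManager.getLogger(getClass());
    /** OID that marks a certificate as a node certificate when present as a registeredID SAN. */
    private final String certOid;
    /** Configured DN patterns of cluster nodes; empty when the setting is absent. */
    private final List<String> nodesDn;

    /**
     * Reads the node OID and the node DN patterns from the given settings.
     *
     * @param settings node settings to read {@code SEARCHGUARD_CERT_OID} and
     *     {@code SEARCHGUARD_NODES_DN} from
     */
    public DefaultInterClusterRequestEvaluator(Settings settings) {
        this.certOid = settings.get(ConfigConstants.SEARCHGUARD_CERT_OID, "1.2.3.4.5.5");
        this.nodesDn = settings.getAsList(ConfigConstants.SEARCHGUARD_NODES_DN, Collections.emptyList());
    }

    /**
     * Returns whether the request should be trusted as coming from another cluster node.
     *
     * @param transportRequest the request being evaluated (not inspected here)
     * @param x509CertificateArr first certificate array (not inspected here)
     * @param x509CertificateArr2 certificate array whose first element is checked for the node
     *     OID SAN; presumably the peer's chain, confirm against InterClusterRequestEvaluator
     * @param str the certificate principal; may be {@code null} or empty, in which case the DN
     *     check is skipped
     * @return {@code true} if the principal matches a node DN pattern or the certificate has a
     *     registeredID SAN equal to the configured OID, {@code false} otherwise
     * @throws OpenSearchException if the SAN extension cannot be parsed
     */
    @Override // com.floragunn.searchguard.transport.InterClusterRequestEvaluator
    public boolean isInterClusterRequest(TransportRequest transportRequest, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, String str) {
        // The principal is matched both as given and with all spaces removed, so that
        // "CN=node, O=org" and "CN=node,O=org" are treated the same.
        String[] strArr = new String[2];
        if (str != null && str.length() > 0) {
            strArr[0] = str;
            strArr[1] = str.replace(" ", "");
        }
        // NOTE(review): the meaning of the third matchAny argument is not visible here.
        if (strArr[0] != null && WildcardMatcher.matchAny((Collection<String>) this.nodesDn, strArr, true)) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("Treat certificate with principal {} as other node because of it matches one of {}", Arrays.toString(strArr), this.nodesDn);
            }
            return true;
        }
        if (this.log.isTraceEnabled()) {
            this.log.trace("Treat certificate with principal {} NOT as other node because we it does not matches one of {}", Arrays.toString(strArr), this.nodesDn);
        }

        // Fail closed: without a certificate there is nothing to derive node trust from.
        if (x509CertificateArr2 == null || x509CertificateArr2.length == 0 || x509CertificateArr2[0] == null) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("No certificate available to check subject alternative names (san)");
            }
            return false;
        }

        try {
            return hasNodeOidSan(x509CertificateArr2[0]);
        } catch (CertificateParsingException e) {
            if (this.log.isDebugEnabled()) {
                // The throwable goes last so it is logged as the exception, not used as the
                // placeholder value.
                this.log.debug("Exception parsing certificate using {}", getClass(), e);
            }
            throw new OpenSearchException(e);
        }
    }

    /**
     * Checks whether the certificate has a registeredID SAN that is exactly the configured OID.
     *
     * <p>The comparison is an exact string match. A substring or prefix comparison would also
     * accept unrelated OIDs that merely start with the configured value (for example a longer
     * arc under it, or a sibling arc with extra digits), which would widen node trust to
     * certificates that were never meant to carry it.
     */
    private boolean hasNodeOidSan(X509Certificate certificate) throws CertificateParsingException {
        Collection<List<?>> subjectAlternativeNames = certificate.getSubjectAlternativeNames();
        if (subjectAlternativeNames == null) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("No subject alternative names (san) found");
            }
            return false;
        }

        boolean matched = false;
        for (List<?> entry : subjectAlternativeNames) {
            // Each SAN entry is a [type, value] pair; skip anything malformed.
            if (entry == null || entry.size() < 2 || !(entry.get(0) instanceof Integer)) {
                continue;
            }
            int sanType = ((Integer) entry.get(0)).intValue();
            if (sanType != SAN_TYPE_REGISTERED_ID) {
                continue;
            }
            Object value = entry.get(1);
            if (value == null) {
                continue;
            }
            if (value instanceof String) {
                if (value.equals(this.certOid)) {
                    // Keep scanning so that unsupported entries are still reported below.
                    matched = true;
                }
            } else if (value instanceof byte[]) {
                this.log.error("Unable to handle OID san {} with value {} of type byte[] (ASN.1 DER not supported here)", Integer.valueOf(sanType), Arrays.toString((byte[]) value));
            } else {
                this.log.error("Unable to handle OID san {} with value {} of type {}", Integer.valueOf(sanType), value, value.getClass());
            }
        }
        return matched;
    }
}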
