package com.floragunn.searchguard.transport;

import com.floragunn.searchguard.auditlog.AuditLog;
import com.floragunn.searchguard.configuration.AdminDNs;
import com.floragunn.searchguard.ssl.SslExceptionHandler;
import com.floragunn.searchguard.ssl.transport.PrincipalExtractor;
import com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler;
import com.floragunn.searchguard.support.Base64Helper;
import com.floragunn.searchguard.support.ConfigConstants;
import com.floragunn.searchguard.support.HeaderHelper;
import com.floragunn.searchguard.user.AuthDomainInfo;
import com.floragunn.searchguard.user.User;
import com.floragunn.searchsupport.diag.DiagnosticContext;
import com.google.common.base.Strings;
import java.net.InetSocketAddress;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.bulk.BulkShardRequest;
import org.elasticsearch.action.support.replication.TransportReplicationAction;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.search.internal.ShardSearchRequest;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;

/* loaded from: input_file:com/floragunn/searchguard/transport/SearchGuardRequestHandler.class */
public class SearchGuardRequestHandler<T extends TransportRequest> extends SearchGuardSSLRequestHandler<T> {
    protected final Logger actionTrace;
    private final AuditLog auditLog;
    private final InterClusterRequestEvaluator requestEvalProvider;
    private final ClusterService cs;
    private final AdminDNs adminDns;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SearchGuardRequestHandler(String str, TransportRequestHandler<T> transportRequestHandler, ThreadPool threadPool, AuditLog auditLog, PrincipalExtractor principalExtractor, InterClusterRequestEvaluator interClusterRequestEvaluator, ClusterService clusterService, SslExceptionHandler sslExceptionHandler, AdminDNs adminDNs) {
        super(str, transportRequestHandler, threadPool, principalExtractor, sslExceptionHandler);
        this.actionTrace = LogManager.getLogger("sg_action_trace");
        this.auditLog = auditLog;
        this.requestEvalProvider = interClusterRequestEvaluator;
        this.cs = clusterService;
        this.adminDns = adminDNs;
    }

    protected void messageReceivedDecorate(T t, TransportRequestHandler<T> transportRequestHandler, TransportChannel transportChannel, Task task) throws Exception {
        String simpleName = t.getClass().getSimpleName();
        if ((t instanceof BulkShardRequest) && ((BulkShardRequest) t).items().length == 1) {
            simpleName = ((BulkShardRequest) t).items()[0].request().getClass().getSimpleName();
        }
        if (t instanceof TransportReplicationAction.ConcreteShardRequest) {
            simpleName = ((TransportReplicationAction.ConcreteShardRequest) t).getRequest().getClass().getSimpleName();
        }
        String header = getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER);
        ThreadContext.StoredContext newStoredContext = getThreadContext().newStoredContext(false);
        String header2 = getThreadContext().getHeader(ConfigConstants.SG_ORIGIN_HEADER);
        if (!Strings.isNullOrEmpty(header2)) {
            getThreadContext().putTransient(ConfigConstants.SG_ORIGIN, header2);
        }
        DiagnosticContext.fixupLoggingContext(getThreadContext());
        try {
            if (transportChannel.getChannelType() == null) {
                throw new RuntimeException("Can not determine channel type (null)");
            }
            if (!transportChannel.getChannelType().equals("direct") && !transportChannel.getChannelType().equals("transport")) {
                throw new RuntimeException("Unknown channel type " + transportChannel.getChannelType());
            }
            getThreadContext().putTransient(ConfigConstants.SG_CHANNEL_TYPE, transportChannel.getChannelType());
            getThreadContext().putTransient(ConfigConstants.SG_ACTION_NAME, task.getAction());
            if (t instanceof ShardSearchRequest) {
                ShardSearchRequest shardSearchRequest = (ShardSearchRequest) t;
                if (shardSearchRequest.source() != null && shardSearchRequest.source().suggest() != null) {
                    getThreadContext().putTransient("_sg_issuggest", Boolean.TRUE);
                }
            }
            if (transportChannel.getChannelType().equals("direct")) {
                String header3 = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER);
                if (!Strings.isNullOrEmpty(header3)) {
                    getThreadContext().putTransient(ConfigConstants.SG_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(header3)));
                }
                String header4 = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER);
                if (!Strings.isNullOrEmpty(header4)) {
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(header4)));
                }
                if (this.actionTrace.isTraceEnabled()) {
                    ThreadContext threadContext = getThreadContext();
                    long currentTimeMillis = System.currentTimeMillis();
                    UUID.randomUUID().toString();
                    threadContext.putHeader("_sg_trace" + currentTimeMillis + "#" + threadContext, Thread.currentThread().getName() + " DIR -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
                }
                putInitialActionClassHeader(header, simpleName);
                super.messageReceivedDecorate(t, transportRequestHandler, transportChannel, task);
                if (this.actionTrace.isTraceEnabled()) {
                    ThreadContext threadContext2 = getThreadContext();
                    long currentTimeMillis2 = System.currentTimeMillis();
                    UUID.randomUUID().toString();
                    threadContext2.putHeader("_sg_trace" + currentTimeMillis2 + "#" + threadContext2, Thread.currentThread().getName() + " FIN -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
                }
                if (newStoredContext != null) {
                    newStoredContext.close();
                    return;
                }
                return;
            }
            if (!HeaderHelper.isInterClusterRequest(getThreadContext()) && !HeaderHelper.isTrustedClusterRequest(getThreadContext()) && !task.getAction().equals("internal:transport/handshake") && (task.getAction().startsWith("internal:") || task.getAction().contains("["))) {
                this.auditLog.logMissingPrivileges(task.getAction(), t, task);
                this.log.error("Internal or shard requests (" + task.getAction() + ") not allowed from a non-server node for transport type " + transportChannel.getChannelType());
                transportChannel.sendResponse(new ElasticsearchSecurityException("Internal or shard requests not allowed from a non-server node for transport type " + transportChannel.getChannelType(), new Object[0]));
                if (this.actionTrace.isTraceEnabled()) {
                    ThreadContext threadContext3 = getThreadContext();
                    long currentTimeMillis3 = System.currentTimeMillis();
                    UUID.randomUUID().toString();
                    threadContext3.putHeader("_sg_trace" + currentTimeMillis3 + "#" + threadContext3, Thread.currentThread().getName() + " FIN -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
                }
                if (newStoredContext != null) {
                    newStoredContext.close();
                    return;
                }
                return;
            }
            String str = (String) getThreadContext().getTransient(ConfigConstants.SG_SSL_TRANSPORT_PRINCIPAL);
            if (str == null) {
                ElasticsearchSecurityException elasticsearchSecurityException = new ElasticsearchSecurityException("No SSL client certificates found for transport type " + transportChannel.getChannelType() + ". Search Guard needs the Search Guard SSL plugin to be installed", new Object[0]);
                this.auditLog.logSSLException(t, elasticsearchSecurityException, task.getAction(), task);
                this.log.error("No SSL client certificates found for transport type " + transportChannel.getChannelType() + ". Search Guard needs the Search Guard SSL plugin to be installed");
                transportChannel.sendResponse(elasticsearchSecurityException);
                if (this.actionTrace.isTraceEnabled()) {
                    ThreadContext threadContext4 = getThreadContext();
                    long currentTimeMillis4 = System.currentTimeMillis();
                    UUID.randomUUID().toString();
                    threadContext4.putHeader("_sg_trace" + currentTimeMillis4 + "#" + threadContext4, Thread.currentThread().getName() + " FIN -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
                }
                if (newStoredContext != null) {
                    newStoredContext.close();
                    return;
                }
                return;
            }
            if (getThreadContext().getTransient(ConfigConstants.SG_ORIGIN) == null) {
                getThreadContext().putTransient(ConfigConstants.SG_ORIGIN, AuditLog.Origin.TRANSPORT.toString());
            }
            if (HeaderHelper.isInterClusterRequest(getThreadContext()) || HeaderHelper.isTrustedClusterRequest(getThreadContext())) {
                String header5 = getThreadContext().getHeader(ConfigConstants.SG_USER_HEADER);
                if (!Strings.isNullOrEmpty(header5)) {
                    getThreadContext().putTransient(ConfigConstants.SG_USER, Objects.requireNonNull((User) Base64Helper.deserializeObject(header5)));
                }
                String header6 = getThreadContext().getHeader(ConfigConstants.SG_REMOTE_ADDRESS_HEADER);
                if (Strings.isNullOrEmpty(header6)) {
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress(t.remoteAddress()));
                } else {
                    getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress((InetSocketAddress) Base64Helper.deserializeObject(header6)));
                }
            } else {
                User user = new User(str, AuthDomainInfo.TLS_CERT);
                if (!this.adminDns.isAdmin(user)) {
                    ElasticsearchSecurityException elasticsearchSecurityException2 = new ElasticsearchSecurityException("Transport request from untrusted node denied", RestStatus.FORBIDDEN, new Object[0]);
                    this.log.warn("Transport request from untrusted node denied. Check your trusted node configuration.", elasticsearchSecurityException2);
                    this.auditLog.logBadHeaders(t, task.getAction(), task);
                    transportChannel.sendResponse(elasticsearchSecurityException2);
                    if (this.actionTrace.isTraceEnabled()) {
                        ThreadContext threadContext5 = getThreadContext();
                        long currentTimeMillis5 = System.currentTimeMillis();
                        UUID.randomUUID().toString();
                        threadContext5.putHeader("_sg_trace" + currentTimeMillis5 + "#" + threadContext5, Thread.currentThread().getName() + " FIN -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
                    }
                    if (newStoredContext != null) {
                        newStoredContext.close();
                        return;
                    }
                    return;
                }
                this.auditLog.logSucceededLogin(user, true, null, t, task.getAction(), task);
                org.apache.logging.log4j.ThreadContext.put("user", user.getName());
                getThreadContext().putTransient(ConfigConstants.SG_USER, user);
                getThreadContext().putTransient(ConfigConstants.SG_REMOTE_ADDRESS, new TransportAddress(t.remoteAddress()));
            }
            if (this.actionTrace.isTraceEnabled()) {
                ThreadContext threadContext6 = getThreadContext();
                long currentTimeMillis6 = System.currentTimeMillis();
                UUID.randomUUID().toString();
                threadContext6.putHeader("_sg_trace" + currentTimeMillis6 + "#" + threadContext6, Thread.currentThread().getName() + " NETTI -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders().entrySet().stream().filter(entry -> {
                    return !((String) entry.getKey()).startsWith("_sg_trace");
                }).collect(Collectors.toMap(entry2 -> {
                    return (String) entry2.getKey();
                }, entry3 -> {
                    return (String) entry3.getValue();
                })));
            }
            putInitialActionClassHeader(header, simpleName);
            super.messageReceivedDecorate(t, transportRequestHandler, transportChannel, task);
            if (this.actionTrace.isTraceEnabled()) {
                ThreadContext threadContext7 = getThreadContext();
                long currentTimeMillis7 = System.currentTimeMillis();
                UUID.randomUUID().toString();
                threadContext7.putHeader("_sg_trace" + currentTimeMillis7 + "#" + threadContext7, Thread.currentThread().getName() + " FIN -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
            }
            if (newStoredContext != null) {
                newStoredContext.close();
            }
        } catch (Throwable th) {
            if (this.actionTrace.isTraceEnabled()) {
                ThreadContext threadContext8 = getThreadContext();
                long currentTimeMillis8 = System.currentTimeMillis();
                UUID.randomUUID().toString();
                threadContext8.putHeader("_sg_trace" + currentTimeMillis8 + "#" + threadContext8, Thread.currentThread().getName() + " FIN -> " + transportChannel.getChannelType() + " " + getThreadContext().getHeaders());
            }
            if (newStoredContext != null) {
                newStoredContext.close();
            }
            throw th;
        }
    }

    private void putInitialActionClassHeader(String str, String str2) {
        if (str == null) {
            if (getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER) == null) {
                getThreadContext().putHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER, str2);
            }
        } else if (getThreadContext().getHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER) == null) {
            getThreadContext().putHeader(ConfigConstants.SG_INITIAL_ACTION_CLASS_HEADER, str);
        }
    }

    protected void addAdditionalContextValues(String str, TransportRequest transportRequest, X509Certificate[] x509CertificateArr, X509Certificate[] x509CertificateArr2, String str2) throws Exception {
        if (this.requestEvalProvider.isInterClusterRequest(transportRequest, x509CertificateArr, x509CertificateArr2, str2)) {
            if (this.cs.getClusterName().value().equals(getThreadContext().getHeader("_sg_remotecn"))) {
                if (this.log.isTraceEnabled() && !str.startsWith("internal:")) {
                    this.log.trace("Is inter cluster request ({}/{}/{})", str, transportRequest.getClass(), transportRequest.remoteAddress());
                }
                getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_INTERCLUSTER_REQUEST, Boolean.TRUE);
            } else {
                getThreadContext().putTransient(ConfigConstants.SG_SSL_TRANSPORT_TRUSTED_CLUSTER_REQUEST, Boolean.TRUE);
            }
        } else if (this.log.isTraceEnabled()) {
            this.log.trace("Is not an inter cluster request");
        }
        super.addAdditionalContextValues(str, transportRequest, x509CertificateArr, x509CertificateArr2, str2);
    }
}
