package com.amazon.opendistroforelasticsearch.security.http;

import com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModel;
import com.amazon.opendistroforelasticsearch.security.support.ConfigConstants;
import java.net.InetSocketAddress;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.http.netty4.Netty4HttpChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.threadpool.ThreadPool;
import org.greenrobot.eventbus.Subscribe;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/http/XFFResolver.class */
public class XFFResolver {
    protected final Logger log = LogManager.getLogger(getClass());
    private volatile boolean enabled;
    private volatile RemoteIpDetector detector;
    private final ThreadContext threadContext;

    public XFFResolver(ThreadPool threadPool) {
        this.threadContext = threadPool.getThreadContext();
    }

    public TransportAddress resolve(RestRequest restRequest) throws ElasticsearchSecurityException {
        if (this.log.isTraceEnabled()) {
            this.log.trace("resolve {}", restRequest.getHttpChannel().getRemoteAddress());
        }
        if (!this.enabled || !(restRequest.getHttpChannel().getRemoteAddress() instanceof InetSocketAddress) || !(restRequest.getHttpChannel() instanceof Netty4HttpChannel)) {
            if (!(restRequest.getHttpChannel().getRemoteAddress() instanceof InetSocketAddress)) {
                throw new ElasticsearchSecurityException("Cannot handle this request. Remote address is " + restRequest.getHttpChannel().getRemoteAddress() + " with request class " + restRequest.getClass(), new Object[0]);
            }
            if (this.log.isTraceEnabled()) {
                this.log.trace("no xff done (enabled or no netty request) {},{},{},{}", Boolean.valueOf(this.enabled), restRequest.getClass());
            }
            return new TransportAddress(restRequest.getHttpChannel().getRemoteAddress());
        }
        InetSocketAddress inetSocketAddress = new InetSocketAddress(this.detector.detect(restRequest, this.threadContext), restRequest.getHttpChannel().getRemoteAddress().getPort());
        if (inetSocketAddress.isUnresolved()) {
            throw new ElasticsearchSecurityException("Cannot resolve address " + inetSocketAddress.getHostString(), new Object[0]);
        }
        if (this.log.isTraceEnabled()) {
            if (this.threadContext.getTransient(ConfigConstants.OPENDISTRO_SECURITY_XFF_DONE) == Boolean.TRUE) {
                this.log.trace("xff resolved {} to {}", restRequest.getHttpChannel().getRemoteAddress(), inetSocketAddress);
            } else {
                this.log.trace("no xff done for {}", restRequest.getClass());
            }
        }
        return new TransportAddress(inetSocketAddress);
    }

    @Subscribe
    public void onDynamicConfigModelChanged(DynamicConfigModel dynamicConfigModel) {
        this.enabled = dynamicConfigModel.isXffEnabled();
        if (!this.enabled) {
            this.detector = null;
            return;
        }
        this.detector = new RemoteIpDetector();
        this.detector.setInternalProxies(dynamicConfigModel.getInternalProxies());
        this.detector.setRemoteIpHeader(dynamicConfigModel.getRemoteIpHeader());
    }
}
