package com.amazon.opendistroforelasticsearch.security.ssl.transport;

import com.amazon.opendistroforelasticsearch.security.ssl.OpenDistroSecurityKeyStore;
import com.amazon.opendistroforelasticsearch.security.ssl.util.SSLConnectionTestUtil;
import com.amazon.opendistroforelasticsearch.security.ssl.util.TLSUtil;
import com.google.common.annotations.VisibleForTesting;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.ssl.SslHandler;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.net.ssl.SSLException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/amazon/opendistroforelasticsearch/security/ssl/transport/DualModeSSLHandler.class */
/**
 * Netty decoder that classifies a new transport connection from its first bytes and then
 * removes itself from the pipeline.
 *
 * <p>Three outcomes are possible once {@value #PROBE_LENGTH} bytes are buffered:
 * <ul>
 *   <li>the bytes equal {@link SSLConnectionTestUtil#DUAL_MODE_CLIENT_HELLO_MSG}: the server
 *       hello message is written back and the channel is closed;</li>
 *   <li>{@link TLSUtil#isTLS(ByteBuf)} accepts the buffer: an {@link SslHandler} is installed;</li>
 *   <li>anything else: this handler is removed and no {@link SslHandler} is installed.</li>
 * </ul>
 *
 * <p><b>Security note:</b> the third outcome means a peer that does not speak TLS is served in
 * plaintext on the same port. This handler then installs no {@link SslHandler}, so the TLS
 * handshake (and any peer-certificate check it performs) never runs for that connection.
 * Both the plaintext fallback and the probe reply are decided before any handshake and are
 * logged at debug level only, so they are not visible at default log levels.
 * NOTE(review): the log text suggests this is a transitional "dual mode"; confirm it is
 * disabled once all nodes use TLS.
 */
public class DualModeSSLHandler extends ByteToMessageDecoder {
    private static final Logger logger = LogManager.getLogger(DualModeSSLHandler.class);

    /** Number of leading bytes that must be buffered before the connection is classified. */
    private static final int PROBE_LENGTH = 6;

    private final OpenDistroSecurityKeyStore openDistroSecurityKeyStore;

    /** Pre-built handler used instead of creating one from the key store; {@code null} in production use. */
    private final SslHandler providedSSLHandler;

    /**
     * Creates a handler that builds its {@link SslHandler} from the given key store on demand.
     *
     * @param openDistroSecurityKeyStore source of the server-side transport SSL engine
     */
    public DualModeSSLHandler(OpenDistroSecurityKeyStore openDistroSecurityKeyStore) {
        this(openDistroSecurityKeyStore, null);
    }

    /**
     * Creates a handler with an optional pre-built {@link SslHandler}.
     *
     * @param openDistroSecurityKeyStore source of the server-side transport SSL engine
     * @param sslHandler handler to install for TLS connections, or {@code null} to create one
     *     from the key store when needed
     */
    @VisibleForTesting
    protected DualModeSSLHandler(OpenDistroSecurityKeyStore openDistroSecurityKeyStore, SslHandler sslHandler) {
        this.openDistroSecurityKeyStore = openDistroSecurityKeyStore;
        this.providedSSLHandler = sslHandler;
    }

    /**
     * Inspects the first buffered bytes and routes the connection accordingly.
     *
     * <p>Nothing is consumed from {@code byteBuf} and nothing is added to {@code list}; the
     * method only answers the probe or rearranges the pipeline.
     *
     * @param channelHandlerContext context of this handler in the channel pipeline
     * @param byteBuf bytes received so far on the connection
     * @param list decoder output list (left untouched)
     * @throws Exception if the SSL engine cannot be created or the pipeline change fails
     */
    protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) throws Exception {
        // Too little data to classify yet; return without consuming so the bytes stay buffered.
        if (byteBuf.readableBytes() < PROBE_LENGTH) {
            return;
        }

        if (startsWithDualModeClientHello(byteBuf)) {
            logger.debug("Received DualSSL Client Hello message");
            // The reply goes out before any TLS handshake, i.e. to an unauthenticated peer.
            ByteBuf reply = Unpooled.buffer(6);
            reply.writeCharSequence(SSLConnectionTestUtil.DUAL_MODE_SERVER_HELLO_MSG, StandardCharsets.UTF_8);
            // Close the channel once the reply has been written.
            channelHandlerContext.writeAndFlush(reply).addListener(ChannelFutureListener.CLOSE);
            return;
        }

        if (!TLSUtil.isTLS(byteBuf)) {
            // Plaintext fallback: the connection continues without an SslHandler.
            logger.debug("Identified request as non SSL request, running in HTTP mode as dual mode is enabled");
            channelHandlerContext.pipeline().remove(this);
            return;
        }

        logger.debug("Identified request as SSL request");
        enableSsl(channelHandlerContext);
    }

    /**
     * Tells whether the first {@value #PROBE_LENGTH} readable bytes equal the dual-mode client hello.
     *
     * <p>The bytes are read at an absolute index, so the reader index is not advanced.
     */
    private static boolean startsWithDualModeClientHello(ByteBuf byteBuf) {
        int start = byteBuf.readerIndex();
        CharSequence prefix = byteBuf.getCharSequence(start, PROBE_LENGTH, StandardCharsets.UTF_8);
        return prefix.equals(SSLConnectionTestUtil.DUAL_MODE_CLIENT_HELLO_MSG);
    }

    /**
     * Installs the TLS handler directly after this handler and then removes this handler.
     *
     * @param ctx context of this handler in the channel pipeline
     * @throws SSLException if the key store cannot create the server transport SSL engine
     */
    private void enableSsl(ChannelHandlerContext ctx) throws SSLException {
        SslHandler tlsHandler = this.providedSSLHandler;
        if (tlsHandler == null) {
            tlsHandler = new SslHandler(this.openDistroSecurityKeyStore.createServerTransportSSLEngine());
        }

        ChannelPipeline channelPipeline = ctx.pipeline();
        // Relies on a handler named "port_unification_handler" being present in the pipeline;
        // presumably that is the name this handler is registered under (verify at the registration site).
        channelPipeline.addAfter("port_unification_handler", "ssl_server", tlsHandler);
        channelPipeline.remove(this);
        logger.debug("Removed port unification handler and added SSL handler as incoming request is SSL");
    }
}
