package com.netflix.zuul.netty.server.ssl;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.netflix.netty.common.SourceAddressChannelHandler;
import com.netflix.netty.common.ssl.SslHandshakeInfo;
import com.netflix.spectator.api.NoopRegistry;
import com.netflix.spectator.api.Registry;
import com.netflix.zuul.netty.ChannelUtils;
import com.netflix.zuul.netty.server.psk.ClientPSKIdentityInfo;
import com.netflix.zuul.netty.server.psk.TlsPskHandler;
import com.netflix.zuul.netty.server.psk.ZuulPskServer;
import com.netflix.zuul.passport.CurrentPassport;
import com.netflix.zuul.passport.PassportState;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SniCompletionEvent;
import io.netty.handler.ssl.SslCloseCompletionEvent;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.AttributeKey;
import java.nio.channels.ClosedChannelException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/netflix/zuul/netty/server/ssl/SslHandshakeInfoHandler.class */
public class SslHandshakeInfoHandler extends ChannelInboundHandlerAdapter {
    public static final AttributeKey<SslHandshakeInfo> ATTR_SSL_INFO = AttributeKey.newInstance("_ssl_handshake_info");
    private static final Logger logger = LoggerFactory.getLogger(SslHandshakeInfoHandler.class);
    private static final Pattern OPEN_SSL_PATTERN = Pattern.compile("OPENSSL_internal:(.+)");
    private final Registry spectatorRegistry;
    private final boolean isSSlFromIntermediary;

    public SslHandshakeInfoHandler(Registry registry, boolean z) {
        this.spectatorRegistry = (Registry) Preconditions.checkNotNull(registry);
        this.isSSlFromIntermediary = z;
    }

    @VisibleForTesting
    SslHandshakeInfoHandler() {
        this.spectatorRegistry = new NoopRegistry();
        this.isSSlFromIntermediary = false;
    }

    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        try {
            if (obj instanceof SslHandshakeCompletionEvent) {
                try {
                    SslHandshakeCompletionEvent sslHandshakeCompletionEvent = (SslHandshakeCompletionEvent) obj;
                    if (sslHandshakeCompletionEvent.isSuccess()) {
                        CurrentPassport.fromChannel(channelHandlerContext.channel()).add(PassportState.SERVER_CH_SSL_HANDSHAKE_COMPLETE);
                        SSLSession sSLSession = getSSLSession(channelHandlerContext);
                        if (sSLSession == null) {
                            logger.warn("Error getting the SSL handshake info. SSLSession is null");
                            channelHandlerContext.pipeline().remove(this);
                            return;
                        }
                        ClientAuth whichClientAuthEnum = whichClientAuthEnum(channelHandlerContext);
                        Certificate certificate = null;
                        X509Certificate x509Certificate = null;
                        if ((whichClientAuthEnum == ClientAuth.REQUIRE || whichClientAuthEnum == ClientAuth.OPTIONAL) && sSLSession.getPeerCertificates() != null && sSLSession.getPeerCertificates().length > 0) {
                            x509Certificate = (X509Certificate) sSLSession.getPeerCertificates()[0];
                        }
                        if (sSLSession.getLocalCertificates() != null && sSLSession.getLocalCertificates().length > 0) {
                            certificate = sSLSession.getLocalCertificates()[0];
                        }
                        SslHandshakeInfo sslHandshakeInfo = new SslHandshakeInfo(this.isSSlFromIntermediary, sSLSession.getProtocol(), sSLSession.getCipherSuite(), whichClientAuthEnum, certificate, x509Certificate, Objects.equals(channelHandlerContext.channel().attr(ZuulPskServer.TLS_HANDSHAKE_USING_EXTERNAL_PSK).get(), Boolean.TRUE), (ClientPSKIdentityInfo) channelHandlerContext.channel().attr(TlsPskHandler.CLIENT_PSK_IDENTITY_ATTRIBUTE_KEY).get());
                        channelHandlerContext.channel().attr(ATTR_SSL_INFO).set(sslHandshakeInfo);
                        incrementCounters(sslHandshakeCompletionEvent, sslHandshakeInfo);
                        logger.debug("Successful SSL Handshake: {}", sslHandshakeInfo);
                    } else {
                        String str = (String) channelHandlerContext.channel().attr(SourceAddressChannelHandler.ATTR_SOURCE_ADDRESS).get();
                        Throwable cause = sslHandshakeCompletionEvent.cause();
                        PassportState state = CurrentPassport.fromChannel(channelHandlerContext.channel()).getState();
                        if ((cause instanceof ClosedChannelException) && (state == PassportState.SERVER_CH_INACTIVE || state == PassportState.SERVER_CH_IDLE_TIMEOUT)) {
                            logger.debug("Client closed connection or it idle timed-out without doing an ssl handshake. , client_ip = {}, channel_info = {}", str, ChannelUtils.channelInfoForLogging(channelHandlerContext.channel()));
                        } else if ((cause instanceof SSLException) && cause.getMessage().contains("handshake timed out")) {
                            logger.debug("Client timed-out doing the ssl handshake. , client_ip = {}, channel_info = {}", str, ChannelUtils.channelInfoForLogging(channelHandlerContext.channel()));
                        } else if ((cause instanceof SSLException) && cause.getMessage().contains("failure when writing TLS control frames")) {
                            logger.debug("Client terminated handshake early., client_ip = {}, channel_info = {}", str, ChannelUtils.channelInfoForLogging(channelHandlerContext.channel()));
                        } else {
                            if (logger.isDebugEnabled()) {
                                String str2 = "Unsuccessful SSL Handshake: " + String.valueOf(sslHandshakeCompletionEvent) + ", client_ip = " + str + ", channel_info = " + ChannelUtils.channelInfoForLogging(channelHandlerContext.channel()) + ", error = " + String.valueOf(cause);
                                if (cause instanceof ClosedChannelException) {
                                    logger.debug(str2);
                                } else {
                                    logger.debug(str2, cause);
                                }
                            }
                            incrementCounters(sslHandshakeCompletionEvent, null);
                        }
                    }
                    channelHandlerContext.pipeline().remove(this);
                } catch (Throwable th) {
                    logger.warn("Error getting the SSL handshake info.", th);
                    channelHandlerContext.pipeline().remove(this);
                }
            } else if (!(obj instanceof SslCloseCompletionEvent) && (obj instanceof SniCompletionEvent)) {
                logger.debug("SNI Parsing Complete: {}", obj);
                SniCompletionEvent sniCompletionEvent = (SniCompletionEvent) obj;
                if (sniCompletionEvent.isSuccess()) {
                    this.spectatorRegistry.counter("zuul.sni.parse.success").increment();
                } else {
                    Throwable cause2 = sniCompletionEvent.cause();
                    Registry registry = this.spectatorRegistry;
                    String[] strArr = new String[2];
                    strArr[0] = "cause";
                    strArr[1] = cause2 != null ? cause2.getMessage() : "UNKNOWN";
                    registry.counter("zuul.sni.parse.failure", strArr).increment();
                }
            }
            super.userEventTriggered(channelHandlerContext, obj);
        } catch (Throwable th2) {
            channelHandlerContext.pipeline().remove(this);
            throw th2;
        }
    }

    private SSLSession getSSLSession(ChannelHandlerContext channelHandlerContext) {
        SslHandler sslHandler = channelHandlerContext.channel().pipeline().get(SslHandler.class);
        if (sslHandler != null) {
            return sslHandler.engine().getSession();
        }
        TlsPskHandler tlsPskHandler = channelHandlerContext.channel().pipeline().get(TlsPskHandler.class);
        if (tlsPskHandler != null) {
            return tlsPskHandler.getSession();
        }
        return null;
    }

    private ClientAuth whichClientAuthEnum(ChannelHandlerContext channelHandlerContext) {
        SslHandler sslHandler = channelHandlerContext.channel().pipeline().get(SslHandler.class);
        if (sslHandler == null) {
            return ClientAuth.NONE;
        }
        return sslHandler.engine().getNeedClientAuth() ? ClientAuth.REQUIRE : sslHandler.engine().getWantClientAuth() ? ClientAuth.OPTIONAL : ClientAuth.NONE;
    }

    private void incrementCounters(SslHandshakeCompletionEvent sslHandshakeCompletionEvent, SslHandshakeInfo sslHandshakeInfo) {
        try {
            if (sslHandshakeCompletionEvent.isSuccess()) {
                this.spectatorRegistry.counter("server.ssl.handshake", new String[]{"success", "true", "protocol", sslHandshakeInfo.getProtocol().length() > 0 ? sslHandshakeInfo.getProtocol() : "unknown", "ciphersuite", sslHandshakeInfo.getCipherSuite().length() > 0 ? sslHandshakeInfo.getCipherSuite() : "unknown", "clientauth", String.valueOf(sslHandshakeInfo.getClientAuthRequirement())}).increment();
            } else {
                this.spectatorRegistry.counter("server.ssl.handshake", new String[]{"success", "false", "failure_cause", getFailureCause(sslHandshakeCompletionEvent.cause())}).increment();
            }
        } catch (Exception e) {
            logger.error("Error incrementing counters for SSL handshake!", e);
        }
    }

    @VisibleForTesting
    String getFailureCause(Throwable th) {
        String message = th.getMessage();
        if (message == null) {
            return th.toString();
        }
        Matcher matcher = OPEN_SSL_PATTERN.matcher(message);
        return matcher.find() ? matcher.group(1) : message;
    }
}
