package com.linkedin.venice.router;

import com.linkedin.venice.router.stats.SecurityStats;
import com.linkedin.venice.utils.NettyUtils;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.ReferenceCountUtil;
import java.io.IOException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

@ChannelHandler.Sharable
/* loaded from: input_file:com/linkedin/venice/router/RouterSslVerificationHandler.class */
public class RouterSslVerificationHandler extends SimpleChannelInboundHandler<HttpRequest> {
    private static final Logger LOGGER = LogManager.getLogger((Class<?>) RouterSslVerificationHandler.class);
    private final SecurityStats stats;
    private final boolean requireSsl;

    public RouterSslVerificationHandler(SecurityStats securityStats) {
        this(securityStats, true);
    }

    public RouterSslVerificationHandler(SecurityStats securityStats, boolean z) {
        this.stats = securityStats;
        this.requireSsl = z;
    }

    @Override // io.netty.channel.SimpleChannelInboundHandler
    public void channelRead0(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws IOException {
        SslHandler sslHandler = (SslHandler) channelHandlerContext.pipeline().get(SslHandler.class);
        if (sslHandler == null) {
            sslHandler = (SslHandler) channelHandlerContext.channel().parent().pipeline().get(SslHandler.class);
        }
        if (sslHandler == null) {
            this.stats.recordNonSslRequest();
            if (this.requireSsl) {
                LOGGER.warn("[requireSsl={}] Got an unexpected non-ssl request: {} requested {} {}", Boolean.valueOf(this.requireSsl), channelHandlerContext.channel().remoteAddress(), httpRequest.method().name(), httpRequest.uri());
                NettyUtils.setupResponseAndFlush(HttpResponseStatus.FORBIDDEN, new byte[0], false, channelHandlerContext);
                channelHandlerContext.close();
                return;
            }
        }
        ReferenceCountUtil.retain(httpRequest);
        channelHandlerContext.fireChannelRead((Object) httpRequest);
    }

    @Override // io.netty.channel.ChannelInboundHandlerAdapter, io.netty.channel.ChannelInboundHandler
    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) {
        if (!(obj instanceof SslHandshakeCompletionEvent)) {
            channelHandlerContext.fireUserEventTriggered(obj);
            return;
        }
        if (((SslHandshakeCompletionEvent) obj).isSuccess()) {
            this.stats.recordSslSuccess();
            channelHandlerContext.fireUserEventTriggered(obj);
            return;
        }
        LOGGER.warn("Could not set up connection from: {}. Event:{}", channelHandlerContext.channel().remoteAddress(), obj);
        this.stats.recordSslError();
        NettyUtils.setupResponseAndFlush(HttpResponseStatus.FORBIDDEN, new byte[0], false, channelHandlerContext);
        channelHandlerContext.pipeline().remove(this);
        channelHandlerContext.close();
    }
}
