package com.linkedin.venice.listener;

import com.linkedin.venice.acl.StaticAccessController;
import com.linkedin.venice.acl.VeniceComponent;
import com.linkedin.venice.acl.handler.StoreAclHandler;
import com.linkedin.venice.authentication.AuthenticationService;
import com.linkedin.venice.authorization.AuthorizerService;
import com.linkedin.venice.authorization.Method;
import com.linkedin.venice.authorization.Principal;
import com.linkedin.venice.authorization.Resource;
import com.linkedin.venice.exceptions.VeniceException;
import com.linkedin.venice.utils.NettyUtils;
import com.linkedin.venice.utils.SslUtils;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.AttributeKey;
import io.netty.util.ReferenceCountUtil;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

@ChannelHandler.Sharable
/* loaded from: input_file:com/linkedin/venice/listener/ServerAclHandler.class */
/**
 * Server-level access gate for inbound HTTP requests.
 *
 * <p>The decision is made from the client's TLS certificate (via the optional
 * {@link StaticAccessController}) and/or from an authenticated {@link Principal}
 * (via the optional {@link AuthenticationService} and {@link AuthorizerService}).
 * With neither configured the request is <em>not</em> approved, i.e. the handler
 * is deny-by-default. The outcome is always published on the channel under
 * {@link #SERVER_ACL_APPROVED_ATTRIBUTE_KEY}; whether a rejected request is
 * dropped with 403 or still forwarded depends on {@code failOnAccessRejection}.
 */
public class ServerAclHandler extends SimpleChannelInboundHandler<HttpRequest> {
    private static final Logger LOGGER = LogManager.getLogger(ServerAclHandler.class);
    /** Channel attribute carrying this handler's verdict so later handlers can consult it. */
    public static final AttributeKey<Boolean> SERVER_ACL_APPROVED_ATTRIBUTE_KEY = AttributeKey.valueOf("SERVER_ACL_APPROVED_ATTRIBUTE_KEY");
    // Certificate-based, component-level access check; when present a TLS handler is mandatory.
    private final Optional<StaticAccessController> accessController;
    // Resolves the request's Principal; only consulted when present.
    private final Optional<AuthenticationService> authenticationService;
    // Principal-based authorization; its verdict overrides the access controller's when both exist.
    private final Optional<AuthorizerService> authorizerService;
    // true: rejected requests get a 403 and stop here; false: they are forwarded with the attribute set to false.
    private final boolean failOnAccessRejection;

    /**
     * Creates a handler that rejects unapproved requests with 403 (fail-closed).
     *
     * @param accessController      optional certificate-based access controller
     * @param authenticationService optional principal resolver
     * @param authorizerService     optional principal-based authorizer
     */
    public ServerAclHandler(Optional<StaticAccessController> accessController, Optional<AuthenticationService> authenticationService, Optional<AuthorizerService> authorizerService) {
        this(accessController, authenticationService, authorizerService, true);
    }

    /**
     * Creates a handler with explicit rejection behaviour.
     *
     * @param accessController      optional certificate-based access controller
     * @param authenticationService optional principal resolver
     * @param authorizerService     optional principal-based authorizer
     * @param failOnAccessRejection when {@code false}, unapproved requests are still forwarded
     *                              and only the channel attribute records the rejection
     */
    public ServerAclHandler(Optional<StaticAccessController> accessController, Optional<AuthenticationService> authenticationService, Optional<AuthorizerService> authorizerService, boolean failOnAccessRejection) {
        this.accessController = accessController;
        this.authenticationService = authenticationService;
        this.authorizerService = authorizerService;
        this.failOnAccessRejection = failOnAccessRejection;
    }

    /**
     * Evaluates access for one request and either forwards it or answers 403.
     *
     * @throws SSLPeerUnverifiedException if a TLS session exists but the peer presented no verified certificate
     * @throws VeniceException            if an access controller is configured but the channel has no TLS handler
     */
    @Override // io.netty.channel.SimpleChannelInboundHandler
    public void channelRead0(ChannelHandlerContext ctx, HttpRequest request) throws SSLPeerUnverifiedException {
        X509Certificate clientCert = extractClientCertificate(ctx);
        String methodName = request.method().name();

        // Deny by default: nothing below sets this to true unless a configured component approves.
        boolean approved = false;
        if (this.accessController.isPresent()) {
            approved = this.accessController.get().hasAccess(clientCert, VeniceComponent.SERVER, methodName);
        }
        if (this.authenticationService.isPresent()) {
            Principal principal = StoreAclHandler.getPrincipal(ctx, request, clientCert, this.authenticationService);
            if (this.authorizerService.isPresent()) {
                // NOTE(review): Method.valueOf throws IllegalArgumentException for a method name the enum
                // lacks; that would propagate out of this handler — confirm the enum covers every HTTP
                // method the server accepts.
                approved = this.authorizerService.get().canAccess(Method.valueOf(methodName), new Resource("*"), principal);
            }
            LOGGER.info("Authenticate {} accessApproved: {}", principal, approved);
        }

        // Publish the verdict before branching so downstream handlers see it even when forwarding a rejection.
        ctx.channel().attr(SERVER_ACL_APPROVED_ATTRIBUTE_KEY).set(approved);

        if (!approved && this.failOnAccessRejection) {
            rejectRequest(ctx, request, methodName);
            return;
        }
        // Retain because SimpleChannelInboundHandler releases the message once channelRead0 returns.
        ReferenceCountUtil.retain(request);
        ctx.fireChannelRead(request);
    }

    /**
     * Returns the peer's certificate from the channel's TLS handler, or {@code null} when there is no TLS handler
     * and no access controller requires one.
     *
     * @throws SSLPeerUnverifiedException if the TLS session has no verified peer certificate
     * @throws VeniceException            if the TLS handler is missing while an access controller is configured
     */
    private X509Certificate extractClientCertificate(ChannelHandlerContext ctx) throws SSLPeerUnverifiedException {
        SslHandler sslHandler = ServerHandlerUtils.extractSslHandler(ctx);
        if (sslHandler == null) {
            if (this.accessController.isPresent()) {
                throw new VeniceException("Failed to extract ssl handler from the incoming request");
            }
            return null;
        }
        // Index 0 of the peer chain is the peer's own certificate.
        return SslUtils.getX509Certificate(sslHandler.engine().getSession().getPeerCertificates()[0]);
    }

    /** Logs the rejection (debug level only) and answers the request with an empty 403. */
    private static void rejectRequest(ChannelHandlerContext ctx, HttpRequest request, String methodName) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Unauthorized access rejected: {}", String.format("%s requested %s %s", ctx.channel().remoteAddress().toString(), methodName, request.uri()));
        }
        // The request is not retained here; SimpleChannelInboundHandler releases it after this returns.
        NettyUtils.setupResponseAndFlush(HttpResponseStatus.FORBIDDEN, new byte[0], false, ctx);
    }
}
