package com.linkedin.davinci.ingestion.isolated;

import com.linkedin.venice.authorization.IdentityParser;
import com.linkedin.venice.exceptions.VeniceException;
import com.linkedin.venice.listener.ServerHandlerUtils;
import com.linkedin.venice.utils.NettyUtils;
import com.linkedin.venice.utils.SslUtils;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.ReferenceCountUtil;
import java.util.Optional;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

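/**
 * Netty inbound handler that admits an HTTP request only when the identity parsed from the
 * peer's TLS certificate equals the single configured principal name.
 *
 * <p>The comparison is an exact, case-sensitive {@link String#equals(Object)} match against one
 * allowed principal. Any other identity is logged and answered with {@code 403 FORBIDDEN}.
 *
 * <p>The handler is marked {@code @Sharable}; it holds only final fields assigned in the
 * constructor.
 */
@ChannelHandler.Sharable
/* loaded from: input_file:com/linkedin/davinci/ingestion/isolated/IsolatedIngestionServerAclHandler.class */
public class IsolatedIngestionServerAclHandler extends SimpleChannelInboundHandler<HttpRequest> {
    private static final Logger LOGGER = LogManager.getLogger(IsolatedIngestionServerAclHandler.class);
    private final IdentityParser identityParser;
    private final String allowedPrincipalName;

    /**
     * Creates the handler.
     *
     * @param identityParser parser used to turn the peer certificate into an identity string
     * @param str the only principal name that is allowed through; a {@code null} value matches
     *     no identity, so every request is rejected
     */
    public IsolatedIngestionServerAclHandler(IdentityParser identityParser, String str) {
        this.identityParser = identityParser;
        this.allowedPrincipalName = str;
    }

    /**
     * Authorizes one request against the peer certificate identity.
     *
     * <p>The first certificate returned by the TLS session is treated as the peer's own
     * certificate. A request whose identity matches is retained and passed to the next handler;
     * anything else, including an identity the parser could not produce, gets a 403 response.
     *
     * @param channelHandlerContext context of the channel the request arrived on
     * @param httpRequest the incoming request
     * @throws VeniceException if the pipeline carries no SSL handler
     * @throws Exception if the peer certificate cannot be obtained, e.g. the
     *     {@code SSLPeerUnverifiedException} that {@code getPeerCertificates()} raises when the
     *     peer did not authenticate, or if identity parsing fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.netty.channel.SimpleChannelInboundHandler
    public void channelRead0(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws Exception {
        Optional<SslHandler> sslHandler = ServerHandlerUtils.extractSslHandler(channelHandlerContext);
        if (!sslHandler.isPresent()) {
            // Without TLS there is no certificate to authorize against, so refuse to continue.
            throw new VeniceException("No SSL handler in the incoming request.");
        }
        String identity = this.identityParser.parseIdentityFromCert(
                SslUtils.getX509Certificate(sslHandler.get().engine().getSession().getPeerCertificates()[0]));
        // Fail closed: a null identity is denied through the normal 403 path instead of
        // surfacing as a NullPointerException from the comparison.
        if (identity != null && identity.equals(this.allowedPrincipalName)) {
            // SimpleChannelInboundHandler releases the message once this method returns, so it
            // must be retained before being handed to the next handler.
            ReferenceCountUtil.retain(httpRequest);
            channelHandlerContext.fireChannelRead(httpRequest);
            return;
        }
        // The address is passed as an object so that a null remote address cannot throw here
        // and skip the 403 below.
        // NOTE(review): the URI is peer-supplied; confirm the log layout encodes CR/LF.
        LOGGER.error("Unauthorized access rejected: {} requested from {} with identity {}", httpRequest.uri(), channelHandlerContext.channel().remoteAddress(), identity);
        NettyUtils.setupResponseAndFlush(HttpResponseStatus.FORBIDDEN, new byte[0], false, channelHandlerContext);
    }
}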
