package com.linkedin.alpini.netty4.ssl;

import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.AttributeKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.function.BiPredicate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

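/**
 * Inbound handler that inspects the peer certificate once the TLS handshake has finished.
 *
 * <p>On every {@link SslHandshakeCompletionEvent} the handler closes the channel when the
 * handshake failed, when the session reports no peer certificate, when the first peer
 * certificate is not an {@link X509Certificate}, or when the optional validation predicate
 * rejects it. When a predicate is configured and accepts the certificate, the certificate is
 * stored on the channel under {@link #CLIENT_CERTIFICATE_ATTRIBUTE_KEY}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This class does no chain or trust-anchor validation of its own; it only reads what the
 *       {@link SSLSession} reports. Chain validation is presumably performed by the trust manager
 *       behind the {@link SslHandler}'s engine; confirm against the SslContext configuration.</li>
 *   <li>With the no-argument constructor (predicate {@code null}) any X.509 peer certificate the
 *       session reports is accepted, and the certificate is <em>not</em> stored on the channel,
 *       so downstream handlers cannot read it through the attribute.</li>
 *   <li>A peer that presents no certificate is always rejected, even if the engine was configured
 *       with optional client authentication.</li>
 * </ul>
 *
 * <p>The handler is marked {@code @Sharable} and keeps only a final reference to the predicate;
 * NOTE(review): the predicate itself must then be safe to call from several channels at once.
 */
@ChannelHandler.Sharable
/* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SecureClientHandler.class */
public class SecureClientHandler extends ChannelInboundHandlerAdapter {
    private static final Logger LOG = LogManager.getLogger(SecureClientHandler.class);

    /**
     * Channel attribute holding the peer's validated leaf certificate. The key is named
     * "Principal", but the stored value is the whole {@link X509Certificate}.
     */
    public static final AttributeKey<X509Certificate> CLIENT_CERTIFICATE_ATTRIBUTE_KEY = AttributeKey.valueOf(SecureClientHandler.class, "Principal");

    /** Optional extra check on the peer's leaf certificate; {@code null} disables the check. */
    private final BiPredicate<ChannelHandlerContext, X509Certificate> _clientCertificateValidation;

    /**
     * Creates a handler without a validation predicate: the peer must still present an X.509
     * certificate, but no further check is applied and no channel attribute is set.
     */
    public SecureClientHandler() {
        this(null);
    }

    /**
     * Creates a handler that applies {@code biPredicate} to the peer's leaf certificate.
     *
     * @param biPredicate predicate receiving the handler context and the leaf certificate;
     *     returning {@code false} closes the channel. May be {@code null} to skip the check.
     */
    public SecureClientHandler(BiPredicate<ChannelHandlerContext, X509Certificate> biPredicate) {
        this._clientCertificateValidation = biPredicate;
    }

    /**
     * Handles the outcome of the TLS handshake for one channel.
     *
     * <p>Every failure path closes the channel (fail closed). Nothing is thrown to the caller:
     * all exceptions raised while reading or validating the certificate are logged and turned
     * into a channel close.
     *
     * @param channelHandlerContext context of the channel whose handshake finished
     * @param sslHandshakeCompletionEvent the completion event fired for that channel
     */
    protected void sslHandshakeComplete(ChannelHandlerContext channelHandlerContext, SslHandshakeCompletionEvent sslHandshakeCompletionEvent) {
        // The attribute already exists on this channel, so a certificate was processed before;
        // do not validate a second time.
        if (channelHandlerContext.channel().hasAttr(CLIENT_CERTIFICATE_ATTRIBUTE_KEY)) {
            return;
        }
        if (!sslHandshakeCompletionEvent.isSuccess()) {
            LOG.error("SSL handshake failed: {}", channelHandlerContext.channel().remoteAddress(), sslHandshakeCompletionEvent.cause());
            channelHandlerContext.channel().close();
            return;
        }
        try {
            // Look the SslHandler up inside the try block: if it is missing from the pipeline the
            // peer cannot be verified, and that must close the channel rather than escape as a
            // NullPointerException that leaves the connection open.
            SslHandler sslHandler = channelHandlerContext.pipeline().get(SslHandler.class);
            if (sslHandler == null) {
                throw new SSLPeerUnverifiedException("No SslHandler in pipeline");
            }
            SSLSession session = sslHandler.engine().getSession();
            Certificate[] peerCertificates = session.getPeerCertificates();
            if (peerCertificates == null || peerCertificates.length == 0) {
                throw new SSLPeerUnverifiedException("No peer certificates available");
            }
            // Only the first (leaf) certificate is examined here.
            if (!(peerCertificates[0] instanceof X509Certificate)) {
                throw new SSLPeerUnverifiedException("Not using an x509 certificate");
            }
            if (this._clientCertificateValidation != null) {
                X509Certificate x509Certificate = (X509Certificate) peerCertificates[0];
                if (!this._clientCertificateValidation.test(channelHandlerContext, x509Certificate)) {
                    // NOTE(review): the message embeds the certificate's full toString(), which
                    // ends up in the error log below.
                    throw new SSLPeerUnverifiedException("Client failed principal validation: " + x509Certificate);
                }
                // Set only after the predicate accepted the certificate.
                channelHandlerContext.channel().attr(CLIENT_CERTIFICATE_ATTRIBUTE_KEY).set(x509Certificate);
            }
        } catch (Exception e) {
            // Deliberately broad: an exception thrown by the predicate itself must also end in a
            // closed channel, never in an accepted connection.
            LOG.error("Peer validation failed: {}", channelHandlerContext.channel().remoteAddress(), e);
            channelHandlerContext.channel().close();
        }
    }

    /**
     * Runs {@link #sslHandshakeComplete} for handshake completion events, then forwards the
     * event. The event is forwarded to the next handler even when validation closed the channel.
     */
    @Override // io.netty.channel.ChannelInboundHandlerAdapter, io.netty.channel.ChannelInboundHandler
    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (obj instanceof SslHandshakeCompletionEvent) {
            sslHandshakeComplete(channelHandlerContext, (SslHandshakeCompletionEvent) obj);
        }
        super.userEventTriggered(channelHandlerContext, obj);
    }
}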
