package org.apache.dubbo.rpc.protocol.rest.netty.ssl;

import io.netty.buffer.ByteBuf;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import java.util.List;
import org.apache.dubbo.common.URL;
import org.apache.dubbo.common.constants.LoggerCodeConstants;
import org.apache.dubbo.common.logger.ErrorTypeAwareLogger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.common.ssl.AuthPolicy;
import org.apache.dubbo.common.ssl.CertManager;
import org.apache.dubbo.common.ssl.ProviderCert;

/* loaded from: input_file:org/apache/dubbo/rpc/protocol/rest/netty/ssl/SslServerTlsHandler.class */
public class SslServerTlsHandler extends ByteToMessageDecoder {
    private static final ErrorTypeAwareLogger logger = LoggerFactory.getErrorTypeAwareLogger((Class<?>) SslServerTlsHandler.class);
    private final URL url;
    private final boolean sslDetected;

    public SslServerTlsHandler(URL url) {
        this.url = url;
        this.sslDetected = false;
    }

    public SslServerTlsHandler(URL url, boolean z) {
        this.url = url;
        this.sslDetected = z;
    }

    public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        logger.error(LoggerCodeConstants.INTERNAL_ERROR, "unknown error in remoting module", "", "TLS negotiation failed when trying to accept new connection.", th);
    }

    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (obj instanceof SslHandshakeCompletionEvent) {
            SslHandshakeCompletionEvent sslHandshakeCompletionEvent = (SslHandshakeCompletionEvent) obj;
            if (sslHandshakeCompletionEvent.isSuccess()) {
                logger.info("TLS negotiation succeed with: " + channelHandlerContext.pipeline().get(SslHandler.class).engine().getSession().getPeerHost());
                channelHandlerContext.pipeline().remove(this);
            } else {
                logger.error(LoggerCodeConstants.INTERNAL_ERROR, "", "", "TLS negotiation failed when trying to accept new connection.", sslHandshakeCompletionEvent.cause());
                channelHandlerContext.close();
            }
        }
        super.userEventTriggered(channelHandlerContext, obj);
    }

    protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) throws Exception {
        if (byteBuf.readableBytes() >= 5 && !this.sslDetected) {
            ProviderCert providerConnectionConfig = ((CertManager) this.url.getOrDefaultFrameworkModel().getBeanFactory().getBean(CertManager.class)).getProviderConnectionConfig(this.url, channelHandlerContext.channel().remoteAddress());
            if (providerConnectionConfig == null) {
                channelHandlerContext.pipeline().remove(this);
                return;
            }
            if (isSsl(byteBuf)) {
                enableSsl(channelHandlerContext, SslContexts.buildServerSslContext(providerConnectionConfig));
            } else if (providerConnectionConfig.getAuthPolicy() == AuthPolicy.NONE) {
                channelHandlerContext.pipeline().remove(this);
            } else {
                logger.error(LoggerCodeConstants.INTERNAL_ERROR, "", "", "TLS negotiation failed when trying to accept new connection.");
                channelHandlerContext.close();
            }
        }
    }

    private boolean isSsl(ByteBuf byteBuf) {
        return SslHandler.isEncrypted(byteBuf);
    }

    private void enableSsl(ChannelHandlerContext channelHandlerContext, SslContext sslContext) {
        ChannelPipeline pipeline = channelHandlerContext.pipeline();
        channelHandlerContext.pipeline().addAfter(channelHandlerContext.name(), (String) null, sslContext.newHandler(channelHandlerContext.alloc()));
        pipeline.addLast("unificationA", new SslServerTlsHandler(this.url, true));
        pipeline.remove(this);
    }
}
