package com.atlassian.elasticsearch.buckler;

import com.atlassian.elasticsearch.buckler.config.AuthConfig;
import com.atlassian.elasticsearch.buckler.config.BucklerConfig;
import com.atlassian.elasticsearch.buckler.security.AuthRateLimiter;
import com.atlassian.elasticsearch.buckler.security.RequestIdentifier;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.tasks.Task;
import org.elasticsearch.transport.TransportChannel;
import org.elasticsearch.transport.TransportRequest;
import org.elasticsearch.transport.TransportRequestHandler;

/* loaded from: input_file:com/atlassian/elasticsearch/buckler/AuthTransportRequestHandler.class */
class AuthTransportRequestHandler<T extends TransportRequest> implements TransportRequestHandler<T> {
    private final AuthRateLimiter authRateLimiter;
    private final ThreadContext threadContext;
    private final BucklerConfig config;
    private final TransportRequestHandler<T> delegate;

    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthTransportRequestHandler(TransportRequestHandler<T> transportRequestHandler, BucklerConfig bucklerConfig, AuthRateLimiter authRateLimiter, ThreadContext threadContext) {
        this.delegate = transportRequestHandler;
        this.config = bucklerConfig;
        this.authRateLimiter = authRateLimiter;
        this.threadContext = threadContext;
    }

    public void messageReceived(T t, TransportChannel transportChannel, Task task) throws Exception {
        if (!allow(t)) {
            throw new IllegalStateException("Authentication error");
        }
        this.delegate.messageReceived(t, transportChannel, task);
    }

    public void messageReceived(T t, TransportChannel transportChannel) throws Exception {
        if (!allow(t)) {
            throw new IllegalStateException("Authentication error");
        }
        this.delegate.messageReceived(t, transportChannel);
    }

    private boolean allow(T t) {
        String header;
        AuthConfig authConfig = this.config.getAuthConfig();
        if (!authConfig.isEnabledForTcp()) {
            return true;
        }
        RequestIdentifier from = RequestIdentifier.from(t);
        if (!this.authRateLimiter.isRequestAllowed(from) || (header = this.threadContext.getHeader("Authorization")) == null) {
            return false;
        }
        if (authConfig.isAuthorized(header)) {
            return true;
        }
        this.authRateLimiter.registerFailure(from);
        return false;
    }
}
