package com.datadog.appsec.powerwaf;

import com.datadog.appsec.AppSecModule;
import com.datadog.appsec.config.AppSecConfig;
import com.datadog.appsec.config.AppSecConfigService;
import com.datadog.appsec.event.ChangeableFlow;
import com.datadog.appsec.event.EventType;
import com.datadog.appsec.event.OrderedCallback;
import com.datadog.appsec.event.data.Address;
import com.datadog.appsec.event.data.DataBundle;
import com.datadog.appsec.event.data.KnownAddresses;
import com.datadog.appsec.gateway.AppSecRequestContext;
import com.datadog.appsec.powerwaf.PowerWAFResultData;
import com.datadog.appsec.report.raw.events.AppSecEvent100;
import com.datadog.appsec.report.raw.events.Parameter100;
import com.datadog.appsec.report.raw.events.Rule100;
import com.datadog.appsec.report.raw.events.RuleMatch100;
import com.datadog.appsec.util.StandardizedLogging;
import com.google.auto.service.AutoService;
import com.squareup.moshi.JsonAdapter;
import com.squareup.moshi.Moshi;
import com.squareup.moshi.Types;
import datadog.slf4j.Logger;
import datadog.slf4j.LoggerFactory;
import datadog.trace.api.gateway.Flow;
import io.sqreen.powerwaf.Additive;
import io.sqreen.powerwaf.Powerwaf;
import io.sqreen.powerwaf.PowerwafContext;
import io.sqreen.powerwaf.exception.AbstractPowerwafException;
import jakarta.ws.rs.core.Link;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.lang.reflect.UndeclaredThrowableException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;

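/**
 * AppSec module that runs the PowerWAF rule engine over request data and converts its findings
 * into {@link AppSecEvent100} reports.
 *
 * <p>The active {@link PowerwafContext} is held in an {@link AtomicReference} and replaced by
 * {@link #applyConfig}. Each request gets its own {@link Additive}, opened on first use in the
 * data callback and closed on {@code REQUEST_END}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only addresses in {@code ADDRESSES_OF_INTEREST} are handed to the WAF; every other address
 *       is presented with an empty map as its value.</li>
 *   <li>A WAF failure ({@link AbstractPowerwafException}) is logged and the request continues,
 *       i.e. the module fails open.</li>
 *   <li>Rule metadata lives in a static map that is cleared and refilled on every reconfiguration,
 *       so a result may briefly reference a rule id that has no metadata.</li>
 * </ul>
 */
@AutoService({AppSecModule.class})
/* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule.classdata */
public class PowerWAFModule implements AppSecModule {
    // Caps on the attacker-controlled structures handed to the WAF (see LIMITS).
    private static final int MAX_DEPTH = 10;
    private static final int MAX_ELEMENTS = 150;
    private static final int MAX_STRING_SIZE = 4096;
    private static final Constructor<?> PROXY_CLASS_CONSTRUCTOR;
    // Allow-list of addresses whose values are actually exposed to the WAF.
    private static final Set<Address<?>> ADDRESSES_OF_INTEREST;
    // Populated in the static initializer; not read anywhere in this class.
    private static final Set<EventType> EVENTS_OF_INTEREST;
    private static final JsonAdapter<List<PowerWAFResultData>> RES_JSON_ADAPTER;
    // Currently active WAF context; null until the first successful applyConfig().
    private final AtomicReference<PowerwafContext> ctx = new AtomicReference<>();
    private static final Logger log = LoggerFactory.getLogger((Class<?>) PowerWAFModule.class);
    // NOTE(review): the two long arguments are presumably time budgets; at 2147483647000 they are
    // effectively unbounded, so evaluation time on hostile input is limited only by the three size
    // caps. Confirm against Powerwaf.Limits.
    private static final Powerwaf.Limits LIMITS =
            new Powerwaf.Limits(MAX_DEPTH, MAX_ELEMENTS, MAX_STRING_SIZE, 2147483647000L, 2147483647000L);
    private static final Class<?> PROXY_CLASS = Proxy.getProxyClass(PowerWAFModule.class.getClassLoader(), Set.class);
    // Static, therefore shared by every PowerWAFModule instance; keyed by rule id.
    private static final Map<String, RuleInfo> rulesInfoMap = new ConcurrentHashMap<>();

    /**
     * Read-only {@link Map} view over a {@link DataBundle}, exposing just enough of the Map
     * contract for the WAF binding: {@link #size()} and iteration over {@link #entrySet()}.
     * Every other operation throws {@link UnsupportedOperationException}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule$DataBundleMapWrapper.classdata */
    public static final class DataBundleMapWrapper implements Map<String, Object> {
        private final DataBundle dataBundle;

        /**
         * Backs the proxy {@link Set} returned by {@link DataBundleMapWrapper#entrySet()}; the
         * only method it answers is {@code iterator()}.
         */
        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule$DataBundleMapWrapper$SetIteratorInvocationHandler.classdata */
        public class SetIteratorInvocationHandler implements InvocationHandler {
            private SetIteratorInvocationHandler() {
            }

            /**
             * Returns an iterator over the bundle's addresses as map entries.
             *
             * @throws UnsupportedOperationException for any method other than {@code iterator}
             */
            @Override // java.lang.reflect.InvocationHandler
            public Object invoke(Object obj, Method method, Object[] objArr) {
                if (!method.getName().equals("iterator")) {
                    throw new UnsupportedOperationException("Only supported method is 'iterator'; got " + method.getName());
                }
                final Iterator<Address<?>> it = DataBundleMapWrapper.this.dataBundle.getAllAddresses().iterator();
                // One entry object is reused for the whole iteration: each next() overwrites it,
                // so a consumer must read key/value before advancing and must not retain entries.
                final MutableEntry mutableEntry = new MutableEntry();
                return new Iterator<Map.Entry<String, Object>>() { // from class: com.datadog.appsec.powerwaf.PowerWAFModule.DataBundleMapWrapper.SetIteratorInvocationHandler.1
                    // Look-ahead element; null once the underlying iterator is exhausted.
                    private Address<?> next = computeNextAddress();

                    private Address<?> computeNextAddress() {
                        if (it.hasNext()) {
                            return (Address) it.next();
                        }
                        return null;
                    }

                    @Override // java.util.Iterator
                    public boolean hasNext() {
                        return this.next != null;
                    }

                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.Iterator
                    public Map.Entry<String, Object> next() {
                        if (this.next == null) {
                            throw new NoSuchElementException();
                        }
                        mutableEntry.key = this.next.getKey();
                        // Addresses outside the allow-list still appear as keys (keeping the entry
                        // count in line with size()), but their data is withheld from the WAF.
                        mutableEntry.value = PowerWAFModule.ADDRESSES_OF_INTEREST.contains(this.next) ? DataBundleMapWrapper.this.dataBundle.get(this.next) : Collections.emptyMap();
                        this.next = computeNextAddress();
                        return mutableEntry;
                    }
                };
            }
        }

        private DataBundleMapWrapper(DataBundle dataBundle) {
            this.dataBundle = dataBundle;
        }

        /**
         * Returns a dynamic-proxy {@link Set} that supports only {@code iterator()}.
         *
         * @throws UndeclaredThrowableException if the proxy cannot be instantiated
         */
        @Override // java.util.Map
        @Nonnull
        public Set<Map.Entry<String, Object>> entrySet() {
            try {
                return (Set) PowerWAFModule.PROXY_CLASS_CONSTRUCTOR.newInstance(new SetIteratorInvocationHandler());
            } catch (IllegalAccessException | InstantiationException | InvocationTargetException e) {
                throw new UndeclaredThrowableException(e);
            }
        }

        /** Returns the number of addresses in the wrapped bundle. */
        @Override // java.util.Map
        public int size() {
            return this.dataBundle.size();
        }

        @Override // java.util.Map
        public boolean isEmpty() {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public boolean containsKey(Object obj) {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public boolean containsValue(Object obj) {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public Object get(Object obj) {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public Object put(String str, Object obj) {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public Object remove(Object obj) {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public void putAll(@Nonnull Map<? extends String, ? extends Object> map) {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public void clear() {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public Set<String> keySet() {
            throw new UnsupportedOperationException();
        }

        @Override // java.util.Map
        public Collection<Object> values() {
            throw new UnsupportedOperationException();
        }
    }

    /**
     * Map entry whose key and value are overwritten in place by the wrapper's iterator;
     * {@link #setValue(Object)} is not supported.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule$MutableEntry.classdata */
    public static final class MutableEntry implements Map.Entry<String, Object> {
        String key;
        Object value;

        private MutableEntry() {
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.Map.Entry
        public String getKey() {
            return this.key;
        }

        @Override // java.util.Map.Entry
        public Object getValue() {
            return this.value;
        }

        @Override // java.util.Map.Entry
        public Object setValue(Object obj) {
            throw new UnsupportedOperationException();
        }
    }

    /** Data subscription that runs the WAF whenever one of the addresses of interest is published. */
    /* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule$PowerWAFDataCallback.classdata */
    private class PowerWAFDataCallback extends AppSecModule.DataSubscription {
        public PowerWAFDataCallback() {
            super(PowerWAFModule.ADDRESSES_OF_INTEREST, OrderedCallback.Priority.DEFAULT);
        }

        /**
         * Runs the WAF over {@code dataBundle} and, on any result other than {@code OK}, sets a
         * throwing action on the flow, records whether the request is blocked and reports the
         * resulting events.
         *
         * <p>If no WAF context is configured the call is a no-op. An
         * {@link AbstractPowerwafException} is logged and swallowed, so the request proceeds
         * uninspected (fail open). Runtime exceptions raised while building events are not caught
         * here and propagate to the caller.
         */
        @Override // com.datadog.appsec.event.DataListener
        public void onDataAvailable(ChangeableFlow changeableFlow, AppSecRequestContext appSecRequestContext, DataBundle dataBundle) {
            PowerwafContext powerwafContext = (PowerwafContext) PowerWAFModule.this.ctx.get();
            if (powerwafContext == null) {
                PowerWAFModule.log.debug("Skipped; the WAF is not configured");
                return;
            }
            try {
                StandardizedLogging.executingWAF(PowerWAFModule.log);
                // Start timestamp; only taken when debug logging will report the duration.
                long j = 0;
                if (PowerWAFModule.log.isDebugEnabled()) {
                    j = System.currentTimeMillis();
                }
                // The additive is created lazily and stored on the request context so later data
                // for the same request reuses it; it is closed by PowerWAFEventsCallback.
                Additive additive = appSecRequestContext.getAdditive();
                if (additive == null) {
                    additive = powerwafContext.openAdditive();
                    appSecRequestContext.setAdditive(additive);
                }
                Powerwaf.ActionWithData run = additive.run(new DataBundleMapWrapper(dataBundle), PowerWAFModule.LIMITS);
                if (PowerWAFModule.log.isDebugEnabled()) {
                    StandardizedLogging.finishedExecutionWAF(PowerWAFModule.log, System.currentTimeMillis() - j);
                }
                StandardizedLogging.inAppWafReturn(PowerWAFModule.log, run);
                if (run.action != Powerwaf.Action.OK) {
                    // NOTE(review): run.data is the WAF result JSON, from which buildEvent reads
                    // matched parameter values and highlights. Logging it at WARN can therefore
                    // copy request content (cookies and headers are among the inspected
                    // addresses) into application logs.
                    PowerWAFModule.log.warn("WAF signalled action {}: {}", run.action, run.data);
                    // NOTE(review): the throwing action is installed for every non-OK result,
                    // while setBlocked() is true only for BLOCK - confirm this is intended for
                    // the remaining action values.
                    changeableFlow.setAction(new Flow.Action.Throw(new RuntimeException("WAF wants to block")));
                    appSecRequestContext.setBlocked(run.action == Powerwaf.Action.BLOCK);
                    Iterator it = PowerWAFModule.this.buildEvents(run).iterator();
                    while (it.hasNext()) {
                        appSecRequestContext.reportEvent((AppSecEvent100) it.next());
                    }
                }
            } catch (AbstractPowerwafException e) {
                // Fail open: the error is logged and the request is not blocked.
                PowerWAFModule.log.error("Error calling WAF", (Throwable) e);
            }
        }
    }

    /** Event subscription that releases the per-request {@link Additive} when the request ends. */
    /* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule$PowerWAFEventsCallback.classdata */
    private static class PowerWAFEventsCallback extends AppSecModule.EventSubscription {
        public PowerWAFEventsCallback() {
            super(EventType.REQUEST_END, OrderedCallback.Priority.DEFAULT);
        }

        /** Closes and clears the request's additive on {@code REQUEST_END}; ignores other events. */
        @Override // com.datadog.appsec.event.EventListener
        public void onEvent(AppSecRequestContext appSecRequestContext, EventType eventType) {
            if (eventType == EventType.REQUEST_END) {
                Additive additive = appSecRequestContext.getAdditive();
                if (additive != null) {
                    additive.close();
                }
                appSecRequestContext.setAdditive(null);
            }
        }
    }

    /** Rule metadata (name, type, tags) captured from the configuration, looked up by rule id. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:appsec/com/datadog/appsec/powerwaf/PowerWAFModule$RuleInfo.classdata */
    public static class RuleInfo {
        final String name;
        final String type;
        final Map<String, String> tags;

        RuleInfo(AppSecConfig.Rule rule) {
            this.name = rule.getName();
            // Link.TYPE is used only as a tag key here; presumably the decompiler substituted the
            // JAX-RS constant for a plain string literal - verify against the original source.
            this.type = rule.getTags().getOrDefault(Link.TYPE, "waf");
            // The tag map is stored by reference, not copied.
            this.tags = rule.getTags();
        }
    }

    /**
     * Registers for "waf" sub-configuration updates and applies the initial configuration.
     *
     * @throws AppSecModule.AppSecModuleActivationException if there is no initial configuration
     *     or it cannot be applied
     */
    @Override // com.datadog.appsec.AppSecModule
    public void config(AppSecConfigService appSecConfigService) throws AppSecModule.AppSecModuleActivationException {
        Optional<AppSecConfig> addSubConfigListener = appSecConfigService.addSubConfigListener("waf", this::applyConfig);
        if (!addSubConfigListener.isPresent()) {
            throw new AppSecModule.AppSecModuleActivationException("No initial config for WAF");
        }
        try {
            applyConfig(addSubConfigListener.get());
        } catch (ClassCastException e) {
            throw new AppSecModule.AppSecModuleActivationException("Config expected to be AppSecConfig", e);
        }
    }

    /**
     * Builds a new WAF context from {@code appSecConfig}, refreshes the rule metadata and swaps
     * the new context in, dropping this module's reference to the previous one.
     *
     * @throws AppSecModule.AppSecModuleActivationException if the WAF library is not initialised,
     *     the context cannot be created, or another update replaced the context concurrently
     */
    private void applyConfig(AppSecConfig appSecConfig) throws AppSecModule.AppSecModuleActivationException {
        log.info("Configuring WAF");
        // Snapshot taken first so the compareAndSet below detects a concurrent update.
        PowerwafContext powerwafContext = this.ctx.get();
        if (!LibSqreenInitialization.ONLINE) {
            throw new AppSecModule.AppSecModuleActivationException("In-app WAF initialization failed. See previous log entries");
        }
        try {
            PowerwafContext createContext = Powerwaf.createContext(UUID.randomUUID().toString(), appSecConfig.getRawConfig());
            // NOTE(review): the shared metadata map is emptied and refilled before the context is
            // swapped, so requests in flight can see a missing or mismatched entry; buildEvent
            // tolerates a missing one.
            rulesInfoMap.clear();
            appSecConfig.getRules().forEach(rule -> {
                rulesInfoMap.put(rule.getId(), new RuleInfo(rule));
            });
            if (!this.ctx.compareAndSet(powerwafContext, createContext)) {
                // NOTE(review): on this path the freshly created context is never released and
                // rulesInfoMap already describes the rejected configuration.
                throw new AppSecModule.AppSecModuleActivationException("Concurrent update of WAF configuration");
            }
            if (powerwafContext != null) {
                powerwafContext.delReference();
            }
        } catch (AbstractPowerwafException | RuntimeException e) {
            throw new AppSecModule.AppSecModuleActivationException("Error creating WAF rules", e);
        }
    }

    @Override // com.datadog.appsec.AppSecModule
    public String getName() {
        return "powerwaf";
    }

    @Override // com.datadog.appsec.AppSecModule
    public Collection<AppSecModule.EventSubscription> getEventSubscriptions() {
        return Collections.singletonList(new PowerWAFEventsCallback());
    }

    @Override // com.datadog.appsec.AppSecModule
    public Collection<AppSecModule.DataSubscription> getDataSubscriptions() {
        return Collections.singletonList(new PowerWAFDataCallback());
    }

    /**
     * Parses the WAF result JSON and converts each usable entry into an event.
     *
     * @param actionWithData WAF result whose {@code data} field holds the JSON payload
     * @return the events built from the payload; empty when the payload has no entries
     * @throws UndeclaredThrowableException if the payload cannot be parsed
     */
    /* JADX INFO: Access modifiers changed from: private */
    public Collection<AppSecEvent100> buildEvents(Powerwaf.ActionWithData actionWithData) {
        try {
            List<PowerWAFResultData> fromJson = RES_JSON_ADAPTER.fromJson(actionWithData.data);
            // buildEvent returns null for entries it cannot use; those are filtered out.
            return (fromJson == null || fromJson.isEmpty()) ? Collections.emptyList() : (Collection) fromJson.stream().map(this::buildEvent).filter((v0) -> {
                return Objects.nonNull(v0);
            }).collect(Collectors.toList());
        } catch (IOException e) {
            throw new UndeclaredThrowableException(e);
        }
    }

    /**
     * Converts one WAF result entry into an event, using the first rule match only.
     *
     * <p>Returns {@code null}, after logging a warning, when the entry has no rule, no usable
     * rule match, or refers to a rule id with no metadata in {@code rulesInfoMap}. The last case
     * can occur while {@link #applyConfig} is refilling the map. Skipping such an entry keeps one
     * bad result from raising a {@link NullPointerException} that would abort the whole batch.
     *
     * @param powerWAFResultData one entry of the parsed WAF result; may be {@code null}
     * @return the event, or {@code null} if the entry cannot be converted
     */
    private AppSecEvent100 buildEvent(PowerWAFResultData powerWAFResultData) {
        if (powerWAFResultData == null || powerWAFResultData.rule == null || powerWAFResultData.rule_matches == null
                || powerWAFResultData.rule_matches.isEmpty()) {
            log.warn("WAF result is empty: {}", powerWAFResultData);
            return null;
        }
        PowerWAFResultData.RuleMatch ruleMatch = powerWAFResultData.rule_matches.get(0);
        if (ruleMatch == null) {
            log.warn("WAF result is empty: {}", powerWAFResultData);
            return null;
        }
        // ConcurrentHashMap rejects null keys, so a missing id must not reach get().
        RuleInfo ruleInfo = powerWAFResultData.rule.id == null ? null : rulesInfoMap.get(powerWAFResultData.rule.id);
        if (ruleInfo == null) {
            log.warn("No rule information for WAF rule {}; event skipped", powerWAFResultData.rule.id);
            return null;
        }
        // Element types were erased by the decompiler; the lists stay raw so the builder calls
        // below keep type-checking against the report classes.
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        if (ruleMatch.parameters != null) {
            for (PowerWAFResultData.Parameter parameter : ruleMatch.parameters) {
                if (parameter == null) {
                    continue;
                }
                arrayList.add(new Parameter100.Parameter100Builder().withAddress(parameter.address).withKeyPath(parameter.key_path).withValue(parameter.value).build());
                if (parameter.highlight != null) {
                    arrayList2.addAll(parameter.highlight);
                }
            }
        }
        RuleMatch100 build = new RuleMatch100.RuleMatch100Builder().withOperator(ruleMatch.operator).withOperatorValue(ruleMatch.operator_value).withHighlight(arrayList2).withParameters(arrayList).build();
        // Only the type and category tags are copied into the event; absent tags map to null.
        HashMap hashMap = new HashMap();
        hashMap.put(Link.TYPE, ruleInfo.tags.get(Link.TYPE));
        hashMap.put("category", ruleInfo.tags.get("category"));
        return new AppSecEvent100.AppSecEvent100Builder().withRule(new Rule100.Rule100Builder().withId(powerWAFResultData.rule.id).withName(ruleInfo.name).withTags(hashMap).build()).withRuleMatch(build).build();
    }

    // Runs after the field initializers above, so PROXY_CLASS is already set.
    static {
        try {
            PROXY_CLASS_CONSTRUCTOR = PROXY_CLASS.getConstructor(InvocationHandler.class);
            ADDRESSES_OF_INTEREST = new HashSet();
            ADDRESSES_OF_INTEREST.add(KnownAddresses.REQUEST_URI_RAW);
            ADDRESSES_OF_INTEREST.add(KnownAddresses.REQUEST_QUERY);
            ADDRESSES_OF_INTEREST.add(KnownAddresses.HEADERS_NO_COOKIES);
            ADDRESSES_OF_INTEREST.add(KnownAddresses.REQUEST_COOKIES);
            ADDRESSES_OF_INTEREST.add(KnownAddresses.REQUEST_PATH_PARAMS);
            ADDRESSES_OF_INTEREST.add(KnownAddresses.REQUEST_BODY_RAW);
            EVENTS_OF_INTEREST = new HashSet();
            EVENTS_OF_INTEREST.add(EventType.REQUEST_START);
            EVENTS_OF_INTEREST.add(EventType.REQUEST_END);
            RES_JSON_ADAPTER = new Moshi.Builder().build().adapter(Types.newParameterizedType(List.class, PowerWAFResultData.class));
        } catch (NoSuchMethodException e) {
            throw new UndeclaredThrowableException(e);
        }
    }
}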
