package io.undertow.server.handlers;

import com.networknt.client.ssl.TLSConfig;
import io.undertow.UndertowLogger;
import io.undertow.UndertowMessages;
import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.builder.HandlerBuilder;
import io.undertow.util.NetworkUtils;
import java.io.IOException;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.xnio.Bits;

/* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler.class */
public class IPAddressAccessControlHandler implements HttpHandler {
    private static final Pattern IP4_EXACT;
    private static final Pattern IP4_WILDCARD;
    private static final Pattern IP4_SLASH;
    private static final Pattern IP6_EXACT;
    private static final Pattern IP6_WILDCARD;
    private static final Pattern IP6_SLASH;
    private volatile HttpHandler next;
    private volatile boolean defaultAllow;
    private final int denyResponseCode;
    private final List<PeerMatch> ipv6acl;
    private final List<PeerMatch> ipv4acl;
    private static final boolean traceEnabled;
    private static final boolean debugEnabled;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$Builder.class */
    public static class Builder implements HandlerBuilder {
        @Override // io.undertow.server.handlers.builder.HandlerBuilder
        public String name() {
            return "ip-access-control";
        }

        @Override // io.undertow.server.handlers.builder.HandlerBuilder
        public Map<String, Class<?>> parameters() {
            HashMap hashMap = new HashMap();
            hashMap.put("acl", String[].class);
            hashMap.put("failure-status", Integer.TYPE);
            hashMap.put("default-allow", Boolean.TYPE);
            return hashMap;
        }

        @Override // io.undertow.server.handlers.builder.HandlerBuilder
        public Set<String> requiredParameters() {
            return Collections.singleton("acl");
        }

        @Override // io.undertow.server.handlers.builder.HandlerBuilder
        public String defaultParameter() {
            return "acl";
        }

        @Override // io.undertow.server.handlers.builder.HandlerBuilder
        public HandlerWrapper build(Map<String, Object> map) {
            String[] strArr = (String[]) map.get("acl");
            Boolean bool = (Boolean) map.get("default-allow");
            Integer num = (Integer) map.get("failure-status");
            ArrayList arrayList = new ArrayList();
            for (String str : strArr) {
                String[] split = str.split(" ");
                if (split.length != 2) {
                    throw UndertowMessages.MESSAGES.invalidAclRule(str);
                }
                if (split[1].trim().equals("allow")) {
                    arrayList.add(new Holder(split[0].trim(), false));
                } else {
                    if (!split[1].trim().equals("deny")) {
                        throw UndertowMessages.MESSAGES.invalidAclRule(str);
                    }
                    arrayList.add(new Holder(split[0].trim(), true));
                }
            }
            return new Wrapper(arrayList, bool == null ? false : bool.booleanValue(), num == null ? 403 : num.intValue());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$ExactIpV4PeerMatch.class */
    public static class ExactIpV4PeerMatch extends PeerMatch {
        private final byte[] address;

        protected ExactIpV4PeerMatch(boolean z, String str, byte[] bArr) {
            super(z, str);
            this.address = bArr;
        }

        @Override // io.undertow.server.handlers.IPAddressAccessControlHandler.PeerMatch
        boolean matches(InetAddress inetAddress) {
            return Arrays.equals(inetAddress.getAddress(), this.address);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$ExactIpV6PeerMatch.class */
    public static class ExactIpV6PeerMatch extends PeerMatch {
        private final byte[] address;

        protected ExactIpV6PeerMatch(boolean z, String str, byte[] bArr) {
            super(z, str);
            this.address = bArr;
        }

        @Override // io.undertow.server.handlers.IPAddressAccessControlHandler.PeerMatch
        boolean matches(InetAddress inetAddress) {
            return Arrays.equals(inetAddress.getAddress(), this.address);
        }
    }

    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$Holder.class */
    private static class Holder {
        final String rule;
        final boolean deny;

        private Holder(String str, boolean z) {
            this.rule = str;
            this.deny = z;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$PeerMatch.class */
    public static abstract class PeerMatch {
        private final boolean deny;
        private final String pattern;

        protected PeerMatch(boolean z, String str) {
            this.deny = z;
            this.pattern = str;
        }

        abstract boolean matches(InetAddress inetAddress);

        boolean isDeny() {
            return this.deny;
        }

        public String toString() {
            return getClass().getSimpleName() + "{deny=" + this.deny + ", pattern='" + this.pattern + "'}";
        }

        public String toPredicateString() {
            return this.pattern + " " + (this.deny ? "deny" : "allow");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$PrefixIpV4PeerMatch.class */
    public static class PrefixIpV4PeerMatch extends PeerMatch {
        private final int mask;
        private final int prefix;

        protected PrefixIpV4PeerMatch(boolean z, String str, int i, int i2) {
            super(z, str);
            this.mask = i;
            this.prefix = i2;
        }

        @Override // io.undertow.server.handlers.IPAddressAccessControlHandler.PeerMatch
        boolean matches(InetAddress inetAddress) {
            byte[] address = inetAddress.getAddress();
            return address != null && ((((((address[0] & 255) << 24) | ((address[1] & 255) << 16)) | ((address[2] & 255) << 8)) | (address[3] & 255)) & this.mask) == this.prefix;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$PrefixIpV6PeerMatch.class */
    public static class PrefixIpV6PeerMatch extends PeerMatch {
        private final byte[] mask;
        private final byte[] prefix;
        static final /* synthetic */ boolean $assertionsDisabled;

        protected PrefixIpV6PeerMatch(boolean z, String str, byte[] bArr, byte[] bArr2) {
            super(z, str);
            this.mask = bArr;
            this.prefix = bArr2;
            if (!$assertionsDisabled && bArr.length != bArr2.length) {
                throw new AssertionError();
            }
        }

        @Override // io.undertow.server.handlers.IPAddressAccessControlHandler.PeerMatch
        boolean matches(InetAddress inetAddress) {
            byte[] address = inetAddress.getAddress();
            if (address == null || address.length != this.mask.length) {
                return false;
            }
            for (int i = 0; i < this.mask.length; i++) {
                if ((address[i] & this.mask[i]) != this.prefix[i]) {
                    return false;
                }
            }
            return true;
        }

        static {
            $assertionsDisabled = !IPAddressAccessControlHandler.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:io/undertow/server/handlers/IPAddressAccessControlHandler$Wrapper.class */
    private static class Wrapper implements HandlerWrapper {
        private final List<Holder> peerMatches;
        private final boolean defaultAllow;
        private final int failureStatus;

        private Wrapper(List<Holder> list, boolean z, int i) {
            this.peerMatches = list;
            this.defaultAllow = z;
            this.failureStatus = i;
        }

        @Override // io.undertow.server.HandlerWrapper
        public HttpHandler wrap(HttpHandler httpHandler) {
            IPAddressAccessControlHandler iPAddressAccessControlHandler = new IPAddressAccessControlHandler(httpHandler, this.failureStatus);
            for (Holder holder : this.peerMatches) {
                if (holder.deny) {
                    iPAddressAccessControlHandler.addDeny(holder.rule);
                } else {
                    iPAddressAccessControlHandler.addAllow(holder.rule);
                }
            }
            iPAddressAccessControlHandler.setDefaultAllow(this.defaultAllow);
            return iPAddressAccessControlHandler;
        }
    }

    public IPAddressAccessControlHandler(HttpHandler httpHandler) {
        this(httpHandler, 403);
    }

    public IPAddressAccessControlHandler(HttpHandler httpHandler, int i) {
        this.defaultAllow = false;
        this.ipv6acl = new CopyOnWriteArrayList();
        this.ipv4acl = new CopyOnWriteArrayList();
        this.next = httpHandler;
        this.denyResponseCode = i;
    }

    public IPAddressAccessControlHandler() {
        this.defaultAllow = false;
        this.ipv6acl = new CopyOnWriteArrayList();
        this.ipv4acl = new CopyOnWriteArrayList();
        this.next = ResponseCodeHandler.HANDLE_404;
        this.denyResponseCode = 403;
    }

    @Override // io.undertow.server.HttpHandler
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        InetSocketAddress sourceAddress = httpServerExchange.getSourceAddress();
        if (isAllowed(sourceAddress.getAddress())) {
            this.next.handleRequest(httpServerExchange);
            return;
        }
        if (debugEnabled) {
            UndertowLogger.PREDICATE_LOGGER.debugf("Access to [%s] blocked from %s.", httpServerExchange, sourceAddress.getHostString());
        }
        httpServerExchange.setStatusCode(this.denyResponseCode);
        httpServerExchange.endExchange();
    }

    boolean isAllowed(InetAddress inetAddress) {
        if (inetAddress instanceof Inet4Address) {
            for (PeerMatch peerMatch : this.ipv4acl) {
                if (traceEnabled) {
                    UndertowLogger.PREDICATE_LOGGER.tracef("Comparing rule [%s] to IPv4 address %s.", peerMatch.toPredicateString(), inetAddress.getHostAddress());
                }
                if (peerMatch.matches(inetAddress)) {
                    return !peerMatch.isDeny();
                }
            }
        } else if (inetAddress instanceof Inet6Address) {
            for (PeerMatch peerMatch2 : this.ipv6acl) {
                if (traceEnabled) {
                    UndertowLogger.PREDICATE_LOGGER.tracef("Comparing rule [%s] to IPv6 address %s.", peerMatch2.toPredicateString(), inetAddress.getHostAddress());
                }
                if (peerMatch2.matches(inetAddress)) {
                    return !peerMatch2.isDeny();
                }
            }
        }
        return this.defaultAllow;
    }

    public int getDenyResponseCode() {
        return this.denyResponseCode;
    }

    public boolean isDefaultAllow() {
        return this.defaultAllow;
    }

    public IPAddressAccessControlHandler setDefaultAllow(boolean z) {
        this.defaultAllow = z;
        return this;
    }

    public HttpHandler getNext() {
        return this.next;
    }

    public IPAddressAccessControlHandler setNext(HttpHandler httpHandler) {
        this.next = httpHandler;
        return this;
    }

    public IPAddressAccessControlHandler addAllow(String str) {
        return addRule(str, false);
    }

    public IPAddressAccessControlHandler addDeny(String str) {
        return addRule(str, true);
    }

    public IPAddressAccessControlHandler clearRules() {
        this.ipv4acl.clear();
        this.ipv6acl.clear();
        return this;
    }

    private IPAddressAccessControlHandler addRule(String str, boolean z) {
        if (IP4_EXACT.matcher(str).matches()) {
            addIpV4ExactMatch(str, z);
        } else if (IP4_WILDCARD.matcher(str).matches()) {
            addIpV4WildcardMatch(str, z);
        } else if (IP4_SLASH.matcher(str).matches()) {
            addIpV4SlashPrefix(str, z);
        } else if (IP6_EXACT.matcher(str).matches()) {
            addIpV6ExactMatch(str, z);
        } else if (IP6_WILDCARD.matcher(str).matches()) {
            addIpV6WildcardMatch(str, z);
        } else {
            if (!IP6_SLASH.matcher(str).matches()) {
                throw UndertowMessages.MESSAGES.notAValidIpPattern(str);
            }
            addIpV6SlashPrefix(str, z);
        }
        return this;
    }

    private void addIpV6SlashPrefix(String str, boolean z) {
        String[] split = str.split("\\/");
        String[] split2 = split[0].split("\\:");
        int parseInt = Integer.parseInt(split[1]);
        if (!$assertionsDisabled && split2.length != 8) {
            throw new AssertionError();
        }
        byte[] bArr = new byte[16];
        byte[] bArr2 = new byte[16];
        for (int i = 0; i < 8; i++) {
            int parseInt2 = Integer.parseInt(split2[i], 16);
            bArr[i * 2] = (byte) (parseInt2 >> 8);
            bArr[(i * 2) + 1] = (byte) (parseInt2 & 255);
        }
        for (int i2 = 0; i2 < 16; i2++) {
            if (parseInt <= 8) {
                if (parseInt == 0) {
                    break;
                }
                bArr2[i2] = (byte) (Bits.intBitMask(8 - parseInt, 7) & 255);
                parseInt = 0;
            } else {
                bArr2[i2] = -1;
                parseInt -= 8;
            }
        }
        this.ipv6acl.add(new PrefixIpV6PeerMatch(z, str, bArr2, bArr));
    }

    private void addIpV4SlashPrefix(String str, boolean z) {
        String[] split = str.split("\\/");
        String[] split2 = split[0].split(TLSConfig.CONFIG_LEVEL_DELIMITER);
        int intBitMask = Bits.intBitMask(32 - Integer.parseInt(split[1]), 31);
        int i = 0;
        for (int i2 = 0; i2 < 4; i2++) {
            i = (i << 8) | Integer.parseInt(split2[i2]);
        }
        this.ipv4acl.add(new PrefixIpV4PeerMatch(z, str, intBitMask, i & intBitMask));
    }

    private void addIpV6WildcardMatch(String str, boolean z) {
        byte[] bArr = new byte[16];
        byte[] bArr2 = new byte[16];
        String[] split = str.split("\\:");
        if (!$assertionsDisabled && split.length != 8) {
            throw new AssertionError();
        }
        for (int i = 0; i < 8; i++) {
            if (!split[i].equals("*")) {
                int parseInt = Integer.parseInt(split[i], 16);
                bArr[i * 2] = (byte) (parseInt >> 8);
                bArr[(i * 2) + 1] = (byte) (parseInt & 255);
                bArr2[i * 2] = -1;
                bArr2[(i * 2) + 1] = -1;
            }
        }
        this.ipv6acl.add(new PrefixIpV6PeerMatch(z, str, bArr2, bArr));
    }

    private void addIpV4WildcardMatch(String str, boolean z) {
        String[] split = str.split(TLSConfig.CONFIG_LEVEL_DELIMITER);
        int i = 0;
        int i2 = 0;
        for (int i3 = 0; i3 < 4; i3++) {
            i <<= 8;
            i2 <<= 8;
            String str2 = split[i3];
            if (!str2.equals("*")) {
                i |= 255;
                i2 |= Integer.parseInt(str2);
            }
        }
        this.ipv4acl.add(new PrefixIpV4PeerMatch(z, str, i, i2));
    }

    private void addIpV6ExactMatch(String str, boolean z) {
        try {
            this.ipv6acl.add(new ExactIpV6PeerMatch(z, str, NetworkUtils.parseIpv6AddressToBytes(str)));
        } catch (IOException e) {
            throw UndertowMessages.MESSAGES.invalidACLAddress(e);
        }
    }

    private void addIpV4ExactMatch(String str, boolean z) {
        String[] split = str.split(TLSConfig.CONFIG_LEVEL_DELIMITER);
        this.ipv4acl.add(new ExactIpV4PeerMatch(z, str, new byte[]{(byte) Integer.parseInt(split[0]), (byte) Integer.parseInt(split[1]), (byte) Integer.parseInt(split[2]), (byte) Integer.parseInt(split[3])}));
    }

    public String toString() {
        String str = "ip-access-control( default-allow=" + this.defaultAllow + ", acl={ ";
        ArrayList arrayList = new ArrayList();
        arrayList.addAll(this.ipv4acl);
        arrayList.addAll(this.ipv6acl);
        String str2 = (str + ((String) arrayList.stream().map(peerMatch -> {
            return "'" + peerMatch.toPredicateString() + "'";
        }).collect(Collectors.joining(", ")))) + " }";
        if (this.denyResponseCode != 403) {
            str2 = str2 + ", failure-status=" + this.denyResponseCode;
        }
        return str2 + " )";
    }

    static {
        $assertionsDisabled = !IPAddressAccessControlHandler.class.desiredAssertionStatus();
        IP4_EXACT = Pattern.compile(NetworkUtils.IP4_EXACT);
        IP4_WILDCARD = Pattern.compile("(?:(?:\\d{1,3}|\\*)\\.){3}(?:\\d{1,3}|\\*)");
        IP4_SLASH = Pattern.compile("(?:\\d{1,3}\\.){3}\\d{1,3}\\/\\d\\d?");
        IP6_EXACT = Pattern.compile(NetworkUtils.IP6_EXACT);
        IP6_WILDCARD = Pattern.compile("(?:(?:[a-zA-Z0-9]{1,4}|\\*):){7}(?:[a-zA-Z0-9]{1,4}|\\*)");
        IP6_SLASH = Pattern.compile("(?:[a-zA-Z0-9]{1,4}:){7}[a-zA-Z0-9]{1,4}\\/\\d{1,3}");
        traceEnabled = UndertowLogger.PREDICATE_LOGGER.isTraceEnabled();
        debugEnabled = UndertowLogger.PREDICATE_LOGGER.isDebugEnabled();
    }
}
