package io.gravitee.policy.ipfiltering;

import io.gravitee.gateway.api.ExecutionContext;
import io.gravitee.gateway.api.Request;
import io.gravitee.policy.api.PolicyChain;
import io.gravitee.policy.api.PolicyResult;
import io.gravitee.policy.api.annotations.OnRequest;
import io.vertx.core.CompositeFuture;
import io.vertx.core.Future;
import io.vertx.core.Promise;
import io.vertx.core.Vertx;
import io.vertx.core.dns.DnsClient;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.commons.net.util.SubnetUtils;
import org.apache.commons.validator.routines.InetAddressValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/gravitee/policy/ipfiltering/IPFilteringPolicy.class */
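/**
 * Request policy that accepts or rejects a call based on configured blacklist and
 * whitelist entries. An entry is either an IP literal (optionally in CIDR notation)
 * or anything else, which is treated as a host name and resolved through DNS.
 *
 * <p>Evaluation order: blacklist literals, blacklist host names, whitelist literals,
 * whitelist host names. A blacklist hit always rejects. When a whitelist is configured
 * the request must match at least one of its entries, literal or host name.
 *
 * <p>Literal entries are matched against the addresses returned by
 * {@link #extractIps(Request)}; host-name entries are matched against the request's
 * remote address only.
 */
public class IPFilteringPolicy {
    private static final Logger LOGGER = LoggerFactory.getLogger(IPFilteringPolicy.class);
    private final IPFilteringPolicyConfiguration configuration;
    // Shared by every policy instance; created lazily in getDnsClient().
    private static DnsClient dnsClient;

    public IPFilteringPolicy(IPFilteringPolicyConfiguration iPFilteringPolicyConfiguration) {
        this.configuration = iPFilteringPolicyConfiguration;
    }

    /**
     * Applies the blacklist and then the whitelist to the incoming request and either
     * continues the chain or fails it with a 403.
     *
     * @param executionContext context giving access to the request, the response and Vert.x
     * @param policyChain chain to continue ({@code doNext}) or interrupt ({@code failWith})
     */
    @OnRequest
    public void onRequest(ExecutionContext executionContext, PolicyChain policyChain) {
        List<String> candidateIps = extractIps(executionContext.request());
        // Raw element type on purpose: this list is handed to CompositeFuture.all(...).
        List<Future> pendingChecks = new ArrayList<>();

        List<String> blacklist = this.configuration.getBlacklistIps();
        if (blacklist != null && !blacklist.isEmpty()) {
            List<String> blockedIps = new ArrayList<>();
            List<String> blockedHosts = new ArrayList<>();
            processFilteredLists(blacklist, blockedIps, blockedHosts);
            if (!blockedIps.isEmpty() && candidateIps.stream().anyMatch(ip -> isFiltered(ip, blockedIps))) {
                fail(policyChain, executionContext.request().remoteAddress());
                return;
            }
            if (!blockedHosts.isEmpty()) {
                // Each check fails when the host resolves to the caller; one failure rejects.
                pendingChecks.addAll(lookupHosts(executionContext, blockedHosts, false));
            }
        }

        List<String> whitelist = this.configuration.getWhitelistIps();
        if (whitelist != null && !whitelist.isEmpty()) {
            List<String> allowedIps = new ArrayList<>();
            List<String> allowedHosts = new ArrayList<>();
            processFilteredLists(whitelist, allowedIps, allowedHosts);
            boolean allowedByLiteral =
                !allowedIps.isEmpty() && candidateIps.stream().anyMatch(ip -> isFiltered(ip, allowedIps));
            if (!allowedByLiteral) {
                if (allowedHosts.isEmpty()) {
                    fail(policyChain, executionContext.request().remoteAddress());
                    return;
                }
                // The whitelist is a union of its entries: one matching host is enough, so the
                // host checks are joined with any(). Previously they were joined with all()
                // together with the blacklist checks, which required every whitelisted host to
                // resolve to the caller and let an unresolvable host count as a match.
                pendingChecks.add(CompositeFuture.any(lookupHosts(executionContext, allowedHosts, true)));
            }
        }

        if (pendingChecks.isEmpty()) {
            policyChain.doNext(executionContext.request(), executionContext.response());
        } else {
            CompositeFuture.all(pendingChecks)
                .onSuccess(done -> policyChain.doNext(executionContext.request(), executionContext.response()))
                .onFailure(cause -> fail(policyChain, executionContext.request().remoteAddress()));
        }
    }

    /**
     * Starts one DNS lookup per host and returns a future per lookup carrying its verdict.
     *
     * <p>A host "matches" when the address returned by the lookup equals the request's remote
     * address. A lookup that fails is logged and treated as "no match": for a blacklist this
     * lets the request continue, for a whitelist it does not grant access (fail closed).
     *
     * @param executionContext context used to reach the request and the DNS client
     * @param hosts host names to resolve
     * @param allowOnMatch {@code true} for whitelist semantics (future succeeds on a match),
     *     {@code false} for blacklist semantics (future fails on a match)
     * @return one future per host, in the same order as {@code hosts}
     */
    private List<Future> lookupHosts(ExecutionContext executionContext, List<String> hosts, boolean allowOnMatch) {
        DnsClient resolver = getDnsClient(executionContext);
        List<Future> verdicts = new ArrayList<>(hosts.size());
        for (String host : hosts) {
            Promise<Void> verdict = Promise.promise();
            verdicts.add(verdict.future());
            resolver.lookup(host, lookup -> {
                boolean matched;
                if (lookup.succeeded()) {
                    // Only the single address handed back by the lookup is compared.
                    matched = executionContext.request().remoteAddress().equals(lookup.result());
                } else {
                    LOGGER.error("Cannot resolve host: '" + host + "'", lookup.cause());
                    matched = false;
                }
                if (matched == allowOnMatch) {
                    verdict.complete();
                } else {
                    verdict.fail("");
                }
            });
        }
        return verdicts;
    }

    /**
     * Splits configured entries into IP literals and host names.
     *
     * @param entries configured filter entries; {@code null} elements are skipped
     * @param ips receives entries whose address part (the text before an optional '/') is a valid IP
     * @param hosts receives every other entry
     */
    private void processFilteredLists(List<String> entries, List<String> ips, List<String> hosts) {
        entries.stream().filter(Objects::nonNull).forEach(entry -> {
            int slash = entry.indexOf('/');
            String address = slash != -1 ? entry.substring(0, slash) : entry;
            if (InetAddressValidator.getInstance().isValid(address)) {
                ips.add(entry);
            } else {
                hosts.add(entry);
            }
        });
    }

    /** Interrupts the chain with a 403 whose message includes the given address. */
    private void fail(PolicyChain policyChain, String remoteAddress) {
        policyChain.failWith(PolicyResult.failure(403, "Your IP (" + remoteAddress + ") or some proxies whereby your request pass through are not allowed to reach this resource."));
    }

    /**
     * Returns the addresses that literal filter entries are matched against.
     *
     * <p>When {@code matchAllFromXForwardedFor} is enabled and the request carries a non-empty
     * {@code X-Forwarded-For} header, the result is the comma-separated header values, trimmed,
     * and the remote address is not included. Otherwise it is the remote address alone.
     *
     * <p>Security note: the header content comes from the request, so with that option enabled
     * the literal checks are decided entirely by header values. Enable it only where every path
     * to the gateway goes through a trusted proxy that overwrites or sanitises the header.
     *
     * @param request incoming request
     * @return the candidate addresses, never empty
     */
    public List<String> extractIps(Request request) {
        if (this.configuration.isMatchAllFromXForwardedFor() && request.headers() != null) {
            String forwardedFor = request.headers().get("X-Forwarded-For");
            if (forwardedFor != null && !forwardedFor.isEmpty()) {
                return Arrays.stream(forwardedFor.split(",")).map(String::trim).collect(Collectors.toList());
            }
        }
        return Collections.singletonList(request.remoteAddress());
    }

    /**
     * Tells whether an address matches one of the given literal entries.
     *
     * <p>An entry matches when it is textually equal to the address or when it parses as a
     * CIDR range that contains the address. Equality is a plain string comparison, so the same
     * address written in a different textual form does not match.
     *
     * @param str address to test; {@code null} or empty never matches
     * @param list IP or CIDR entries
     * @return {@code true} if at least one entry matches
     */
    public boolean isFiltered(String str, List<String> list) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return list.stream().anyMatch(entry -> {
            if (entry.equals(str)) {
                return true;
            }
            try {
                // NOTE(review): SubnetUtils leaves the network and broadcast addresses out of a
                // range unless setInclusiveHostCount(true) is called, which also affects /31 and
                // /32 entries. Confirm this is the matching intended for filter lists.
                return new SubnetUtils(entry).getInfo().isInRange(str);
            } catch (IllegalArgumentException e) {
                // Entry is not in CIDR notation, or the address cannot be parsed: no match.
                return false;
            }
        });
    }

    /**
     * Returns the shared DNS client, creating it from the context's Vert.x instance on first use.
     */
    private DnsClient getDnsClient(ExecutionContext executionContext) {
        // The field is static and shared across instances, so guard the check-then-create
        // with the class lock to avoid creating more than one client.
        synchronized (IPFilteringPolicy.class) {
            if (dnsClient == null) {
                dnsClient = ((Vertx) executionContext.getComponent(Vertx.class)).createDnsClient();
            }
            return dnsClient;
        }
    }
}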
