package com.floragunn.searchguard.authc.rest;

import com.floragunn.searchguard.authc.rest.RestAuthcConfig;
import com.floragunn.searchguard.support.IPAddressCollection;
import com.google.common.base.Splitter;
import com.google.common.collect.Lists;
import inet.ipaddr.AddressStringException;
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressNetwork;
import inet.ipaddr.IPAddressString;
import inet.ipaddr.IncompatibleAddressException;
import java.net.InetSocketAddress;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchStatusException;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;

/* loaded from: input_file:com/floragunn/searchguard/authc/rest/ClientAddressAscertainer.class */
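/**
 * Determines which IP address a REST request should be attributed to when the
 * cluster may sit behind reverse proxies.
 *
 * <p>Trust model implemented by the variants below:
 * <ul>
 *   <li>The forwarding header is read only when the direct TCP peer is itself a
 *       configured trusted proxy. Any other peer is reported as-is and the header
 *       is ignored, so a client connecting directly cannot choose its own address.</li>
 *   <li>Header entries are walked from right to left. The first entry that is not a
 *       trusted proxy is reported as the originating address; entries further left
 *       are never evaluated, because they were supplied by that untrusted party.</li>
 *   <li>If every entry is a trusted proxy, the leftmost entry is reported.</li>
 * </ul>
 */
public abstract class ClientAddressAscertainer {
    private static final IPAddressNetwork.IPAddressGenerator ipAddressGenerator = new IPAddressNetwork.IPAddressGenerator();
    private static final Splitter splitter = Splitter.on(',').trimResults();
    private static final Logger log = LogManager.getLogger(ClientAddressAscertainer.class);

    /**
     * Variant that recognises trusted proxies by membership in an
     * {@link IPAddressCollection}.
     */
    public static class CIDRBased extends ClientAddressAscertainer {
        private final String remoteIpHeader;
        private final IPAddressCollection trustedProxies;

        CIDRBased(String str, IPAddressCollection iPAddressCollection) {
            this.remoteIpHeader = str;
            this.trustedProxies = iPAddressCollection;
        }

        /**
         * Resolves the originating address of {@code restRequest}.
         *
         * @param restRequest the incoming request
         * @return untrusted info carrying the direct peer when that peer is not a
         *         trusted proxy; otherwise trusted info carrying the address derived
         *         from the configured header (or the direct peer if the header is absent)
         * @throws ElasticsearchStatusException with {@code BAD_REQUEST} when an
         *         evaluated header entry is not a usable IP address
         */
        @Override
        public ClientIpInfo getActualRemoteAddress(RestRequest restRequest) {
            InetSocketAddress remote = restRequest.getHttpChannel().getRemoteAddress();
            IPAddress from = ipAddressGenerator.from(remote.getAddress());
            if (!this.trustedProxies.contains(from)) {
                // Direct peer is not a proxy we trust: do not look at the header at all.
                log.debug("Request from untrusted host: {}", from);
                return ClientIpInfo.untrusted(from, remote);
            }
            List<String> headerValues = restRequest.getHeaders().get(this.remoteIpHeader);
            if (headerValues == null || headerValues.isEmpty()) {
                return ClientIpInfo.trusted(from, from, remote);
            }
            List<IPAddressString> entries = splitForwardedEntries(headerValues);
            // Right to left: the rightmost entries were appended by the hops closest to us.
            for (IPAddressString entry : Lists.reverse(entries)) {
                IPAddress address = requireAddress(entry, this.remoteIpHeader, headerValues);
                if (!this.trustedProxies.contains(address)) {
                    log.debug("Request from trusted proxy {}; actual client: {}", from, address);
                    return ClientIpInfo.trusted(from, address, remote);
                }
            }
            // Every entry is a trusted proxy; fall back to the leftmost one.
            log.debug("Request from trusted proxy {}; actual client: {} (which is also trusted)", from, entries.get(0));
            return ClientIpInfo.trusted(from, requireAddress(entries.get(0), this.remoteIpHeader, headerValues), remote);
        }
    }

    /**
     * Result of the address resolution: the direct TCP peer, the address the
     * request is attributed to, and whether the direct peer was a trusted proxy.
     */
    public static class ClientIpInfo {
        private final IPAddress directIpAddress;
        private final IPAddress originatingIpAddress;
        private final boolean trustedProxy;
        private final InetSocketAddress originalRemoteAddress;

        ClientIpInfo(IPAddress iPAddress, IPAddress iPAddress2, boolean z, InetSocketAddress inetSocketAddress) {
            this.directIpAddress = iPAddress;
            this.originatingIpAddress = iPAddress2;
            this.trustedProxy = z;
            this.originalRemoteAddress = inetSocketAddress;
        }

        /** @return the address of the direct TCP peer */
        public IPAddress getDirectIpAddress() {
            return this.directIpAddress;
        }

        /** @return the address the request is attributed to */
        public IPAddress getOriginatingIpAddress() {
            return this.originatingIpAddress;
        }

        /**
         * @return the originating address combined with the port of the direct
         *         connection; the port therefore belongs to the direct peer, not
         *         to the originating host
         */
        public TransportAddress getOriginatingTransportAddress() {
            return new TransportAddress(new InetSocketAddress(this.originatingIpAddress.toInetAddress(), this.originalRemoteAddress.getPort()));
        }

        /** @return {@code true} when the direct peer was recognised as a trusted proxy */
        public boolean isTrustedProxy() {
            return this.trustedProxy;
        }

        /** Creates info for a request that arrived through a trusted proxy. */
        static ClientIpInfo trusted(IPAddress iPAddress, IPAddress iPAddress2, InetSocketAddress inetSocketAddress) {
            return new ClientIpInfo(iPAddress, iPAddress2, true, inetSocketAddress);
        }

        /** Creates info whose originating address is the direct peer itself. */
        static ClientIpInfo untrusted(IPAddress iPAddress, InetSocketAddress inetSocketAddress) {
            return new ClientIpInfo(iPAddress, iPAddress, false, inetSocketAddress);
        }

        @Override
        public String toString() {
            return "ClientInfo [directIpAddress=" + this.directIpAddress + ", originatingIpAddress=" + this.originatingIpAddress + ", trustedProxy=" + this.trustedProxy + "]";
        }
    }

    /**
     * Variant used when no trusted proxies are configured: the forwarding header
     * is never read and the direct peer is always reported.
     */
    public static class Inactive extends ClientAddressAscertainer {
        Inactive() {
        }

        @Override
        public ClientIpInfo getActualRemoteAddress(RestRequest restRequest) {
            InetSocketAddress remote = restRequest.getHttpChannel().getRemoteAddress();
            return ClientIpInfo.untrusted(ipAddressGenerator.from(remote.getAddress()), remote);
        }
    }

    /**
     * Deprecated variant that recognises trusted proxies by matching a regular
     * expression against the textual address.
     *
     * <p>NOTE(review): the direct peer is matched in the form produced by
     * {@code InetAddress.getHostAddress()}, while header entries are matched as the
     * raw header text. A trusted hop written in a textual form the pattern does not
     * cover will not match and is then reported as the originating address. Confirm
     * against deployed patterns before normalising; prefer {@link CIDRBased}.
     */
    @Deprecated
    public static class PatternBased extends ClientAddressAscertainer {
        private final String remoteIpHeader;
        private final Pattern trustedProxiesPattern;

        PatternBased(String str, Pattern pattern) {
            this.remoteIpHeader = str;
            this.trustedProxiesPattern = pattern;
        }

        /**
         * Resolves the originating address of {@code restRequest}.
         *
         * @param restRequest the incoming request
         * @return untrusted info carrying the direct peer when that peer does not
         *         match the pattern; otherwise trusted info carrying the address
         *         derived from the configured header (or the direct peer if the
         *         header is absent)
         * @throws ElasticsearchStatusException with {@code BAD_REQUEST} when an
         *         evaluated header entry is not a usable IP address
         */
        @Override
        public ClientIpInfo getActualRemoteAddress(RestRequest restRequest) {
            InetSocketAddress remote = restRequest.getHttpChannel().getRemoteAddress();
            IPAddress from = ipAddressGenerator.from(remote.getAddress());
            if (!this.trustedProxiesPattern.matcher(remote.getAddress().getHostAddress()).matches()) {
                // Direct peer is not a proxy we trust: do not look at the header at all.
                log.debug("Request from untrusted host: {}", from);
                return ClientIpInfo.untrusted(from, remote);
            }
            List<String> headerValues = restRequest.getHeaders().get(this.remoteIpHeader);
            if (headerValues == null || headerValues.isEmpty()) {
                return ClientIpInfo.trusted(from, from, remote);
            }
            List<IPAddressString> entries = splitForwardedEntries(headerValues);
            for (IPAddressString entry : Lists.reverse(entries)) {
                // Parse before matching so a malformed entry is rejected even if the
                // pattern would have matched its text.
                IPAddress address = requireAddress(entry, this.remoteIpHeader, headerValues);
                if (!this.trustedProxiesPattern.matcher(entry.toString()).matches()) {
                    log.debug("Request from trusted proxy {}; actual client: {}", from, address);
                    return ClientIpInfo.trusted(from, address, remote);
                }
            }
            // Every entry matched the pattern; fall back to the leftmost one.
            log.debug("Request from trusted proxy {}; actual client: {} (which is also trusted)", from, entries.get(0));
            return ClientIpInfo.trusted(from, requireAddress(entries.get(0), this.remoteIpHeader, headerValues), remote);
        }
    }

    /**
     * Creates the CIDR-based variant, or {@link Inactive} when no trusted proxies
     * are given.
     */
    public static ClientAddressAscertainer create(String str, IPAddressCollection iPAddressCollection) {
        return iPAddressCollection != null ? new CIDRBased(str, iPAddressCollection) : new Inactive();
    }

    /**
     * Creates the pattern-based variant, or {@link Inactive} when no pattern is
     * given.
     */
    @Deprecated
    public static ClientAddressAscertainer create(String str, Pattern pattern) {
        return pattern != null ? new PatternBased(str, pattern) : new Inactive();
    }

    /**
     * Creates the variant matching {@code network}: {@link Inactive} when
     * {@code network} is {@code null}, the CIDR-based variant when trusted proxies
     * are configured, and otherwise whatever the pattern-based factory yields.
     */
    public static ClientAddressAscertainer create(RestAuthcConfig.Network network) {
        if (network == null) {
            return new Inactive();
        }
        if (network.getTrustedProxies() != null) {
            return create(network.getRemoteIpHttpHeader(), network.getTrustedProxies());
        }
        return create(network.getRemoteIpHttpHeader(), network.getTrustedProxiesPattern());
    }

    public abstract ClientIpInfo getActualRemoteAddress(RestRequest restRequest);

    /** Splits every header value on commas, keeping the order in which entries appear. */
    private static List<IPAddressString> splitForwardedEntries(List<String> headerValues) {
        return headerValues.stream().flatMap(splitter::splitToStream).map(IPAddressString::new).collect(Collectors.toList());
    }

    /**
     * Converts one header entry to an address or rejects the request.
     *
     * <p>The parse failure is logged server-side and not attached to the thrown
     * exception. A {@code null} result is treated like a parse failure.
     * NOTE(review): confirm with the IPAddress library version in use how empty
     * tokens and subnet/wildcard notation are handled by {@code toAddress()}, and
     * whether multi-address results should be rejected here as well.
     */
    private static IPAddress requireAddress(IPAddressString entry, String headerName, List<String> headerValues) {
        IPAddress address;
        try {
            address = entry.toAddress();
        } catch (AddressStringException | IncompatibleAddressException e) {
            log.warn("Unparseable IP in XFF headers of request: " + headerValues, e);
            throw invalidHeader(headerName);
        }
        if (address == null) {
            log.warn("Unparseable IP in XFF headers of request: " + headerValues);
            throw invalidHeader(headerName);
        }
        return address;
    }

    /** Builds the 400 response; the message previously lacked the space before "header". */
    private static ElasticsearchStatusException invalidHeader(String headerName) {
        return new ElasticsearchStatusException("Invalid " + headerName + " header", RestStatus.BAD_REQUEST);
    }
}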
