package org.apache.sling.security.impl;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service({Filter.class})
@Component(metatype = true, description = "%referrer.description", label = "%referrer.name")
@Properties({@Property(name = "osgi.http.whiteboard.filter.pattern", value = {"/"}, propertyPrivate = true), @Property(name = "osgi.http.whiteboard.context.select", value = {"(osgi.http.whiteboard.context.name=*)"}, propertyPrivate = true)})
/* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter.class */
public class ReferrerFilter implements Filter {
    private static final String USER_AGENT = "User-Agent";
    private static final String BROWSER_CLASS_MOZILLA = "Mozilla";
    private static final String BROWSER_CLASS_OPERA = "Opera";
    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Property(boolValue = {false})
    private static final String PROP_ALLOW_EMPTY = "allow.empty";

    @Property(unbounded = PropertyUnbounded.ARRAY)
    private static final String PROP_HOSTS = "allow.hosts";

    @Property(unbounded = PropertyUnbounded.ARRAY)
    private static final String PROP_HOSTS_REGEX = "allow.hosts.regexp";

    @Property(unbounded = PropertyUnbounded.ARRAY, value = {"POST", "PUT", "DELETE"})
    private static final String PROP_METHODS = "filter.methods";

    @Property(unbounded = PropertyUnbounded.ARRAY)
    private static final String PROP_EXCLUDED_AGENTS_REGEX = "exclude.agents.regexp";
    private boolean allowEmpty;
    private URL[] allowedUriReferrers;
    private Pattern[] allowedRegexReferrers;
    private String[] filterMethods;
    private Pattern[] excludedRegexUserAgents;
    private ServiceRegistration<Object> configPrinterRegistration;
    private static final boolean DEFAULT_ALLOW_EMPTY = false;
    private static final String[] DEFAULT_PROP_HOSTS = new String[DEFAULT_ALLOW_EMPTY];
    private static final String[] DEFAULT_PROP_AGENTS = new String[DEFAULT_ALLOW_EMPTY];

    /* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter$ConfigurationPrinter.class */
    public class ConfigurationPrinter {
        public ConfigurationPrinter() {
        }

        public void printConfiguration(PrintWriter printWriter) {
            printWriter.println("Current Apache Sling Referrer Filter Allowed Referrers:");
            printWriter.println();
            URL[] urlArr = ReferrerFilter.this.allowedUriReferrers;
            int length = urlArr.length;
            for (int i = ReferrerFilter.DEFAULT_ALLOW_EMPTY; i < length; i++) {
                printWriter.println(urlArr[i].toString());
            }
            Pattern[] patternArr = ReferrerFilter.this.allowedRegexReferrers;
            int length2 = patternArr.length;
            for (int i2 = ReferrerFilter.DEFAULT_ALLOW_EMPTY; i2 < length2; i2++) {
                printWriter.println(patternArr[i2].toString());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter$HostInfo.class */
    public static final class HostInfo {
        public String host;
        public String scheme;
        public int port;

        HostInfo() {
        }

        public String toURI() {
            return this.scheme + "://" + this.host + ":" + this.port;
        }
    }

    private Set<String> getDefaultAllowedReferrers() {
        HashSet hashSet = new HashSet();
        try {
            Enumeration<NetworkInterface> networkInterfaces = NetworkInterface.getNetworkInterfaces();
            while (networkInterfaces.hasMoreElements()) {
                NetworkInterface nextElement = networkInterfaces.nextElement();
                this.logger.info("Adding Allowed referers for Interface:" + nextElement.getDisplayName());
                Enumeration<InetAddress> inetAddresses = nextElement.getInetAddresses();
                while (inetAddresses.hasMoreElements()) {
                    InetAddress nextElement2 = inetAddresses.nextElement();
                    String lowerCase = nextElement2.getHostAddress().trim().toLowerCase();
                    if (nextElement2 instanceof Inet4Address) {
                        hashSet.add("http://" + lowerCase + ":0");
                        hashSet.add("https://" + lowerCase + ":0");
                    }
                    if (nextElement2 instanceof Inet6Address) {
                        hashSet.add("http://[" + lowerCase + "]:0");
                        hashSet.add("https://[" + lowerCase + "]:0");
                    }
                }
            }
        } catch (SocketException e) {
            this.logger.error("Unable to detect network interfaces", e);
        }
        hashSet.add("http://localhost:0");
        hashSet.add("http://127.0.0.1:0");
        hashSet.add("http://[::1]:0");
        hashSet.add("https://localhost:0");
        hashSet.add("https://127.0.0.1:0");
        hashSet.add("https://[::1]:0");
        return hashSet;
    }

    private void add(List<URL> list, String str) {
        try {
            list.add(new URL(str));
        } catch (MalformedURLException e) {
            this.logger.warn("Unable to create URL from " + str + " : " + e.getMessage());
        }
    }

    private URL[] createReferrerUrls(Set<String> set) {
        ArrayList arrayList = new ArrayList();
        for (String str : set) {
            if (str.indexOf("://") != -1) {
                add(arrayList, str);
            } else {
                add(arrayList, "http://" + str + ":0");
                add(arrayList, "https://" + str + ":0");
            }
        }
        return (URL[]) arrayList.toArray(new URL[arrayList.size()]);
    }

    private Pattern[] createRegexPatterns(String[] strArr) {
        ArrayList arrayList = new ArrayList();
        int length = strArr.length;
        for (int i = DEFAULT_ALLOW_EMPTY; i < length; i++) {
            String str = strArr[i];
            try {
                arrayList.add(Pattern.compile(str));
            } catch (Exception e) {
                this.logger.warn("Unable to create Pattern from {} : {}", new Object[]{str, e.getMessage()});
            }
        }
        return (Pattern[]) arrayList.toArray(new Pattern[arrayList.size()]);
    }

    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> map) {
        this.allowEmpty = PropertiesUtil.toBoolean(map.get(PROP_ALLOW_EMPTY), false);
        this.allowedRegexReferrers = createRegexPatterns(defaultIfEmpty(PropertiesUtil.toStringArray(map.get(PROP_HOSTS_REGEX), DEFAULT_PROP_HOSTS), DEFAULT_PROP_HOSTS));
        this.excludedRegexUserAgents = createRegexPatterns(defaultIfEmpty(PropertiesUtil.toStringArray(map.get(PROP_EXCLUDED_AGENTS_REGEX), DEFAULT_PROP_AGENTS), DEFAULT_PROP_AGENTS));
        Set<String> defaultAllowedReferrers = getDefaultAllowedReferrers();
        defaultAllowedReferrers.addAll(Arrays.asList(defaultIfEmpty(PropertiesUtil.toStringArray(map.get(PROP_HOSTS), DEFAULT_PROP_HOSTS), DEFAULT_PROP_HOSTS)));
        this.allowedUriReferrers = createReferrerUrls(defaultAllowedReferrers);
        this.filterMethods = PropertiesUtil.toStringArray(map.get(PROP_METHODS));
        if (this.filterMethods != null && this.filterMethods.length == 1 && (this.filterMethods[DEFAULT_ALLOW_EMPTY] == null || this.filterMethods[DEFAULT_ALLOW_EMPTY].trim().length() == 0)) {
            this.filterMethods = null;
        }
        if (this.filterMethods != null) {
            for (int i = DEFAULT_ALLOW_EMPTY; i < this.filterMethods.length; i++) {
                this.filterMethods[i] = this.filterMethods[i].toUpperCase();
            }
        }
        this.configPrinterRegistration = registerConfigPrinter(bundleContext);
    }

    @Deactivate
    protected void deactivate() {
        this.configPrinterRegistration.unregister();
    }

    private ServiceRegistration<Object> registerConfigPrinter(BundleContext bundleContext) {
        ConfigurationPrinter configurationPrinter = new ConfigurationPrinter();
        Hashtable hashtable = new Hashtable();
        hashtable.put("service.description", "Apache Sling Referrer Filter Configuration Printer");
        hashtable.put("service.vendor", "The Apache Software Foundation");
        hashtable.put("felix.webconsole.label", "slingreferrerfilter");
        hashtable.put("felix.webconsole.title", "Sling Referrer Filter");
        hashtable.put("felix.webconsole.configprinter.modes", "always");
        return bundleContext.registerService(Object.class, configurationPrinter, hashtable);
    }

    private boolean isModification(HttpServletRequest httpServletRequest) {
        String method = httpServletRequest.getMethod();
        if (this.filterMethods == null) {
            return false;
        }
        String[] strArr = this.filterMethods;
        int length = strArr.length;
        for (int i = DEFAULT_ALLOW_EMPTY; i < length; i++) {
            if (strArr[i].equals(method)) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if ((servletRequest instanceof HttpServletRequest) && (servletResponse instanceof HttpServletResponse)) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            if (isBrowserRequest(httpServletRequest) && isModification(httpServletRequest) && !isValidRequest(httpServletRequest)) {
                ((HttpServletResponse) servletResponse).sendError(403);
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    HostInfo getHost(String str) {
        int indexOf = str.indexOf("://") + 3;
        if (indexOf == 2) {
            return null;
        }
        HostInfo hostInfo = new HostInfo();
        hostInfo.scheme = str.substring(DEFAULT_ALLOW_EMPTY, indexOf - 3);
        int indexOf2 = str.indexOf(63);
        String substring = indexOf2 == -1 ? str : str.substring(DEFAULT_ALLOW_EMPTY, indexOf2);
        int indexOf3 = substring.indexOf(47, indexOf);
        String substring2 = indexOf3 == -1 ? substring.substring(indexOf) : substring.substring(indexOf, indexOf3);
        int indexOf4 = substring2.indexOf(64) + 1;
        int lastIndexOf = substring2.lastIndexOf(58);
        if (lastIndexOf < indexOf4) {
            hostInfo.host = substring2.substring(indexOf4);
            if (hostInfo.scheme.equals("http")) {
                hostInfo.port = 80;
            } else if (hostInfo.scheme.equals("https")) {
                hostInfo.port = 443;
            }
        } else {
            hostInfo.host = substring2.substring(indexOf4, lastIndexOf);
            hostInfo.port = Integer.valueOf(substring2.substring(lastIndexOf + 1)).intValue();
        }
        return hostInfo;
    }

    boolean isValidRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("referer");
        if (header == null || header.trim().length() == 0) {
            if (!this.allowEmpty) {
                this.logger.info("Rejected empty referrer header for {} request to {}", httpServletRequest.getMethod(), httpServletRequest.getRequestURI());
            }
            return this.allowEmpty;
        }
        if (header.indexOf(":/") == -1 || header.startsWith("app:/")) {
            return true;
        }
        HostInfo host = getHost(header);
        if (host == null) {
            this.logger.info("Rejected illegal referrer header for {} request to {} : {}", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), header});
            return false;
        }
        if (host.host.equals(httpServletRequest.getServerName())) {
            return true;
        }
        boolean z = isValidUriReferrer(host) || isValidRegexReferrer(host);
        if (!z) {
            this.logger.info("Rejected referrer header for {} request to {} : {}", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), header});
        }
        return z;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }

    private boolean isValidUriReferrer(HostInfo hostInfo) {
        URL[] urlArr = this.allowedUriReferrers;
        int length = urlArr.length;
        for (int i = DEFAULT_ALLOW_EMPTY; i < length; i++) {
            URL url = urlArr[i];
            if (hostInfo.host.equals(url.getHost()) && hostInfo.scheme.equals(url.getProtocol()) && (url.getPort() == 0 || hostInfo.port == url.getPort())) {
                return true;
            }
        }
        return false;
    }

    private boolean isValidRegexReferrer(HostInfo hostInfo) {
        Pattern[] patternArr = this.allowedRegexReferrers;
        int length = patternArr.length;
        for (int i = DEFAULT_ALLOW_EMPTY; i < length; i++) {
            if (patternArr[i].matcher(hostInfo.toURI()).matches()) {
                return true;
            }
        }
        return false;
    }

    private boolean isExcludedRegexUserAgent(String str) {
        Pattern[] patternArr = this.excludedRegexUserAgents;
        int length = patternArr.length;
        for (int i = DEFAULT_ALLOW_EMPTY; i < length; i++) {
            if (patternArr[i].matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    private String[] defaultIfEmpty(String[] strArr, String[] strArr2) {
        return (strArr.length == 1 && strArr[DEFAULT_ALLOW_EMPTY].trim().length() == 0) ? strArr2 : strArr;
    }

    protected boolean isBrowserRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(USER_AGENT);
        return header != null && (header.contains(BROWSER_CLASS_MOZILLA) || header.contains(BROWSER_CLASS_OPERA)) && !isExcludedRegexUserAgent(header);
    }
}
