package org.apache.sling.security.impl;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.http.whiteboard.Preprocessor;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Config.class)
@Component(service = {Preprocessor.class}, property = {"osgi.http.whiteboard.context.select=(osgi.http.whiteboard.context.name=*)", "felix.webconsole.label=slingreferrerfilter", "felix.webconsole.title=Sling Referrer Filter", "felix.webconsole.configprinter.modes=always"})
/* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter.class */
public class ReferrerFilter implements Preprocessor {
    private static final String USER_AGENT = "User-Agent";
    private static final String BROWSER_CLASS_MOZILLA = "Mozilla";
    private static final String BROWSER_CLASS_OPERA = "Opera";
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final boolean allowEmpty;
    private final URL[] allowedUriReferrers;
    private final Pattern[] allowedRegexReferrers;
    private final String[] filterMethods;
    private final Pattern[] excludedRegexUserAgents;
    private final String[] excludedPaths;

    @ObjectClassDefinition(name = "Apache Sling Referrer Filter", description = "Request filter checking the referrer of modification requests and denying request with a 403 in case the referrer is not allowed")
    /* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Allow Empty", description = "Allow an empty or missing referrer")
        boolean allow_empty() default false;

        @AttributeDefinition(name = "Allow Hosts", description = "List of allowed hosts for the referrer which are added to the list of default hosts. It is matched against the full referrer URL in the format \"<scheme>://<host>:<port>\". If port is 0, it is not taken into consideration. The default list contains all host names and IPs bound to all NICs found in the system plus \"localhost\", \"127.0.0.1\", \"[::1]\" for protocols \"http\" and \"https\". If given value does not have a \":\" entries for both http and https are transparently generated.")
        String[] allow_hosts() default {};

        @AttributeDefinition(name = "Allow Regexp Host", description = "List of allowed regular expression for the referrer. It is matched against the full referrer URL in the format \"<scheme>://<host>:<port>\". Evaluated in addition to the default list and the given allowed hosts (see above)!")
        String[] allow_hosts_regexp() default {};

        @AttributeDefinition(name = "Filter Methods", description = "These methods are filtered by the filter")
        String[] filter_methods() default {"POST", "PUT", "DELETE", "COPY", "MOVE"};

        @AttributeDefinition(name = "Exclude Regexp User Agent", description = "List of regexp for user agents not to check the referrer")
        String[] exclude_agents_regexp() default {};

        @AttributeDefinition(name = "Exclude Paths", description = "List of paths for which not to check the referrer")
        String[] exclude_paths() default {};
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter$HostInfo.class */
    public static final class HostInfo {
        String host;
        String scheme;
        int port;

        HostInfo() {
        }

        String toURI() {
            return this.scheme + "://" + this.host + ":" + this.port;
        }
    }

    private Set<String> getDefaultAllowedReferrers() {
        HashSet hashSet = new HashSet();
        try {
            Enumeration<NetworkInterface> networkInterfaces = NetworkInterface.getNetworkInterfaces();
            while (networkInterfaces.hasMoreElements()) {
                NetworkInterface nextElement = networkInterfaces.nextElement();
                this.logger.info("Adding Allowed referers for Interface: {}", nextElement.getDisplayName());
                Enumeration<InetAddress> inetAddresses = nextElement.getInetAddresses();
                while (inetAddresses.hasMoreElements()) {
                    InetAddress nextElement2 = inetAddresses.nextElement();
                    String lowerCase = nextElement2.getHostAddress().trim().toLowerCase();
                    if (nextElement2 instanceof Inet4Address) {
                        hashSet.add("http://" + lowerCase + ":0");
                        hashSet.add("https://" + lowerCase + ":0");
                    }
                    if (nextElement2 instanceof Inet6Address) {
                        hashSet.add("http://[" + lowerCase + "]:0");
                        hashSet.add("https://[" + lowerCase + "]:0");
                    }
                }
            }
        } catch (SocketException e) {
            this.logger.error("Unable to detect network interfaces", e);
        }
        hashSet.add("http://localhost:0");
        hashSet.add("http://127.0.0.1:0");
        hashSet.add("http://[::1]:0");
        hashSet.add("https://localhost:0");
        hashSet.add("https://127.0.0.1:0");
        hashSet.add("https://[::1]:0");
        return hashSet;
    }

    private void add(List<URL> list, String str) {
        try {
            list.add(new URL(str));
        } catch (MalformedURLException e) {
            this.logger.warn("Unable to create URL from {} : {}", str, e.getMessage());
        }
    }

    private URL[] createReferrerUrls(Set<String> set) {
        ArrayList arrayList = new ArrayList();
        for (String str : set) {
            if (str.indexOf("://") != -1) {
                add(arrayList, str);
            } else {
                add(arrayList, "http://" + str + ":0");
                add(arrayList, "https://" + str + ":0");
            }
        }
        return (URL[]) arrayList.toArray(new URL[0]);
    }

    private Pattern[] createRegexPatterns(String[] strArr) {
        ArrayList arrayList = new ArrayList();
        if (strArr != null) {
            for (String str : strArr) {
                try {
                    arrayList.add(Pattern.compile(str));
                } catch (Exception e) {
                    this.logger.warn("Unable to create Pattern from {} : {}", str, e.getMessage());
                }
            }
        }
        return (Pattern[]) arrayList.toArray(new Pattern[0]);
    }

    @Activate
    public ReferrerFilter(Config config) {
        this.allowEmpty = config.allow_empty();
        this.allowedRegexReferrers = createRegexPatterns(config.allow_hosts_regexp());
        this.excludedRegexUserAgents = createRegexPatterns(config.exclude_agents_regexp());
        this.excludedPaths = config.exclude_paths();
        Set<String> defaultAllowedReferrers = getDefaultAllowedReferrers();
        if (config.allow_hosts() != null) {
            defaultAllowedReferrers.addAll(Arrays.asList(config.allow_hosts()));
        }
        this.allowedUriReferrers = createReferrerUrls(defaultAllowedReferrers);
        String[] filter_methods = config.filter_methods();
        if (filter_methods != null) {
            ArrayList arrayList = new ArrayList();
            for (String str : filter_methods) {
                if (str != null && str.trim().length() > 0) {
                    arrayList.add(str.trim().toUpperCase());
                }
            }
            filter_methods = arrayList.isEmpty() ? null : (String[]) arrayList.toArray(new String[arrayList.size()]);
        }
        this.filterMethods = filter_methods;
    }

    private boolean isModification(HttpServletRequest httpServletRequest) {
        String method = httpServletRequest.getMethod();
        if (this.filterMethods == null) {
            return false;
        }
        for (String str : this.filterMethods) {
            if (str.equals(method)) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if ((servletRequest instanceof HttpServletRequest) && (servletResponse instanceof HttpServletResponse)) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            if (isBrowserRequest(httpServletRequest) && isModification(httpServletRequest) && !isValidRequest(httpServletRequest)) {
                ((HttpServletResponse) servletResponse).sendError(403);
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    HostInfo getHost(String str) {
        int indexOf = str.indexOf("://") + 3;
        if (indexOf == 2 || indexOf == str.length()) {
            return null;
        }
        HostInfo hostInfo = new HostInfo();
        hostInfo.scheme = str.substring(0, indexOf - 3);
        int indexOf2 = str.indexOf(63);
        String substring = indexOf2 == -1 ? str : str.substring(0, indexOf2);
        int indexOf3 = substring.indexOf(47, indexOf);
        String substring2 = indexOf3 == -1 ? substring.substring(indexOf) : substring.substring(indexOf, indexOf3);
        int indexOf4 = substring2.indexOf(64) + 1;
        int lastIndexOf = substring2.lastIndexOf(58);
        if (lastIndexOf < indexOf4) {
            hostInfo.host = substring2.substring(indexOf4);
            if (hostInfo.scheme.equals("http")) {
                hostInfo.port = 80;
            } else if (hostInfo.scheme.equals("https")) {
                hostInfo.port = 443;
            }
        } else {
            hostInfo.host = substring2.substring(indexOf4, lastIndexOf);
            hostInfo.port = Integer.valueOf(substring2.substring(lastIndexOf + 1)).intValue();
        }
        return hostInfo;
    }

    boolean isValidRequest(HttpServletRequest httpServletRequest) {
        if (isExcludedPath(httpServletRequest)) {
            return true;
        }
        String header = httpServletRequest.getHeader("referer");
        if (header == null || header.trim().length() == 0) {
            if (!this.allowEmpty) {
                this.logger.info("Rejected empty referrer header for {} request to {}", httpServletRequest.getMethod(), httpServletRequest.getRequestURI());
            }
            return this.allowEmpty;
        }
        if (!header.contains(":/")) {
            return true;
        }
        HostInfo host = getHost(header);
        if (host == null) {
            this.logger.info("Rejected illegal referrer header for {} request to {} : {}", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), header});
            return false;
        }
        if (host.host.equals(httpServletRequest.getServerName())) {
            return true;
        }
        boolean z = isValidUriReferrer(host) || isValidRegexReferrer(host);
        if (!z) {
            this.logger.info("Rejected referrer header for {} request to {} : {}", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), header});
        }
        return z;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }

    private boolean isValidUriReferrer(HostInfo hostInfo) {
        for (URL url : this.allowedUriReferrers) {
            if (hostInfo.host.equals(url.getHost()) && hostInfo.scheme.equals(url.getProtocol()) && (url.getPort() == 0 || hostInfo.port == url.getPort())) {
                return true;
            }
        }
        return false;
    }

    private boolean isValidRegexReferrer(HostInfo hostInfo) {
        for (Pattern pattern : this.allowedRegexReferrers) {
            if (pattern.matcher(hostInfo.toURI()).matches()) {
                return true;
            }
        }
        return false;
    }

    private boolean isExcludedPath(HttpServletRequest httpServletRequest) {
        if (this.excludedPaths == null) {
            return false;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        for (String str : this.excludedPaths) {
            if (str != null && str.equals(pathInfo)) {
                return true;
            }
        }
        return false;
    }

    private boolean isExcludedRegexUserAgent(String str) {
        for (Pattern pattern : this.excludedRegexUserAgents) {
            if (pattern.matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    protected boolean isBrowserRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(USER_AGENT);
        return header != null && (header.contains(BROWSER_CLASS_MOZILLA) || header.contains(BROWSER_CLASS_OPERA)) && !isExcludedRegexUserAgent(header);
    }

    public void printConfiguration(PrintWriter printWriter) {
        printWriter.println("Current Apache Sling Referrer Filter Allowed Referrers:");
        printWriter.println();
        for (URL url : this.allowedUriReferrers) {
            printWriter.println(url.toString());
        }
        for (Pattern pattern : this.allowedRegexReferrers) {
            printWriter.println(pattern.toString());
        }
    }
}
