package org.eclipse.hawkbit.security;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.io.IOException;
import java.util.Collection;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.hawkbit.util.IpUtil;
import org.eclipse.persistence.jpa.jpql.parser.UnknownExpressionFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:BOOT-INF/lib/hawkbit-http-security-0.3.0M7.jar:org/eclipse/hawkbit/security/DosFilter.class */
public class DosFilter extends OncePerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) DosFilter.class);
    private static final Logger LOG_DOS = LoggerFactory.getLogger("server-security.dos");
    private static final Logger LOG_BLACKLIST = LoggerFactory.getLogger("server-security.blacklist");
    private final Collection<String> includeAntPaths;
    private final Pattern ipAdressBlacklist;
    private final int maxRead;
    private final int maxWrite;
    private final Pattern whitelist;
    private final String forwardHeader;
    private final AntPathMatcher antMatcher = new AntPathMatcher();
    private final Cache<String, AtomicInteger> readCountCache = Caffeine.newBuilder().expireAfterWrite(1, TimeUnit.SECONDS).build();
    private final Cache<String, AtomicInteger> writeCountCache = Caffeine.newBuilder().expireAfterWrite(1, TimeUnit.SECONDS).build();

    public DosFilter(Collection<String> collection, int i, int i2, String str, String str2, String str3) {
        this.includeAntPaths = collection;
        this.maxRead = i;
        this.maxWrite = i2;
        this.forwardHeader = str3;
        if (str2 == null || str2.isEmpty()) {
            this.ipAdressBlacklist = null;
        } else {
            this.ipAdressBlacklist = Pattern.compile(str2);
        }
        if (str == null || str.isEmpty()) {
            this.whitelist = null;
        } else {
            this.whitelist = Pattern.compile(str);
        }
    }

    private boolean shouldInclude(HttpServletRequest httpServletRequest) {
        if (this.includeAntPaths == null || this.includeAntPaths.isEmpty()) {
            return true;
        }
        return this.includeAntPaths.stream().anyMatch(str -> {
            return this.antMatcher.match(httpServletRequest.getContextPath() + str, httpServletRequest.getRequestURI());
        });
    }

    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        boolean checkAgainstBlacklist;
        if (!shouldInclude(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        String host = IpUtil.getClientIpFromRequest(httpServletRequest, this.forwardHeader).getHost();
        if (checkIpFails(host)) {
            checkAgainstBlacklist = handleMissingIpAddress(httpServletResponse);
        } else {
            checkAgainstBlacklist = checkAgainstBlacklist(httpServletResponse, host);
            if (checkAgainstBlacklist && (this.whitelist == null || !this.whitelist.matcher(host).find())) {
                checkAgainstBlacklist = HttpMethod.valueOf(httpServletRequest.getMethod()) == HttpMethod.GET ? handleReadRequest(httpServletResponse, host) : handleWriteRequest(httpServletResponse, host);
            }
        }
        if (checkAgainstBlacklist) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    private boolean checkAgainstBlacklist(HttpServletResponse httpServletResponse, String str) {
        if (this.ipAdressBlacklist == null || !this.ipAdressBlacklist.matcher(str).find()) {
            return true;
        }
        LOG_BLACKLIST.info("Blacklisted client ({}) tries to access the server!", str);
        httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
        return false;
    }

    private static boolean checkIpFails(String str) {
        return str == null || str.length() == 0 || UnknownExpressionFactory.ID.equalsIgnoreCase(str);
    }

    private static boolean handleMissingIpAddress(HttpServletResponse httpServletResponse) {
        LOG.error("Failed to get peer IP adress");
        httpServletResponse.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
        return false;
    }

    private boolean handleWriteRequest(HttpServletResponse httpServletResponse, String str) {
        boolean z = true;
        AtomicInteger ifPresent = this.writeCountCache.getIfPresent(str);
        if (ifPresent == null) {
            this.writeCountCache.put(str, new AtomicInteger());
        } else if (ifPresent.getAndIncrement() > this.maxWrite) {
            LOG_DOS.info("Registered DOS attack! Client {} is above configured WRITE request threshold ({})!", str, Integer.valueOf(this.maxWrite));
            httpServletResponse.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            z = false;
        }
        return z;
    }

    private boolean handleReadRequest(HttpServletResponse httpServletResponse, String str) {
        boolean z = true;
        AtomicInteger ifPresent = this.readCountCache.getIfPresent(str);
        if (ifPresent == null) {
            this.readCountCache.put(str, new AtomicInteger());
        } else if (ifPresent.getAndIncrement() > this.maxRead) {
            LOG_DOS.info("Registered DOS attack! Client {} is above configured READ request threshold ({})!", str, Integer.valueOf(this.maxRead));
            httpServletResponse.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            z = false;
        }
        return z;
    }
}
