package org.neo4j.kernel.impl.security;

import inet.ipaddr.IPAddressString;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URL;
import java.util.Iterator;
import java.util.List;
import org.neo4j.graphdb.config.Configuration;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.graphdb.security.URLAccessRule;
import org.neo4j.graphdb.security.URLAccessValidationError;

/* loaded from: input_file:org/neo4j/kernel/impl/security/WebURLAccessRule.class */
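/**
 * URL access rule that rejects a URL when its host, or the host of any redirect it answers
 * with, resolves to an address inside one of the ranges configured in
 * {@code GraphDatabaseSettings.cypher_ip_blocklist}.
 *
 * <p>Redirects are followed manually so that every intermediate target is checked against the
 * blocklist; otherwise an allowed host could simply redirect to a blocked one.
 *
 * <p>NOTE(review): the name lookup done for the check is separate from the lookup done by the
 * connection (and by whoever fetches the URL after validation), so a DNS answer that changes
 * between the two is not covered here. Confirm whether the caller pins the checked address.
 */
public class WebURLAccessRule implements URLAccessRule {
    /**
     * Maximum number of redirect hops followed before validation gives up. Without a bound a
     * server that redirects in a cycle would keep the validating thread busy forever.
     */
    private static final int MAX_REDIRECTS = 20;

    /**
     * Verifies that none of the addresses the URL's host resolves to is covered by a blocked range.
     *
     * @param url  the URL whose host is resolved and checked
     * @param list the blocked IP ranges
     * @throws URLAccessValidationError if a resolved address falls inside a blocked range
     * @throws Exception if the host cannot be resolved
     */
    public static void checkNotBlocked(URL url, List<IPAddressString> list) throws Exception {
        // Check every resolved address rather than only the first one: with several DNS records
        // the order of the answers is not stable, so a single-address check can miss a blocked
        // target that a later lookup would return first.
        for (InetAddress address : InetAddress.getAllByName(url.getHost())) {
            IPAddressString candidate = new IPAddressString(address.getHostAddress());
            for (IPAddressString blockedRange : list) {
                if (blockedRange.contains(candidate)) {
                    throw new URLAccessValidationError("access to " + address + " is blocked via the configuration property " + GraphDatabaseSettings.cypher_ip_blocklist.name());
                }
            }
        }
    }

    /**
     * Checks the URL and every redirect target it leads to against the blocklist.
     *
     * @param url  the URL to start from
     * @param list the blocked IP ranges
     * @return the final URL, i.e. the first one that does not answer with a 3xx status
     * @throws Exception if a hop is blocked, a redirect carries no {@code Location} header, the
     *     redirect chain is longer than {@link #MAX_REDIRECTS}, or the connection fails
     */
    private static URL checkUrlIncludingHoops(URL url, List<IPAddressString> list) throws Exception {
        URL current = url;
        for (int hops = 0; hops <= MAX_REDIRECTS; hops++) {
            checkNotBlocked(current, list);
            // The cast fails for a non-HTTP connection (e.g. a redirect to another scheme); the
            // resulting exception is reported by validate() as a validation error.
            HttpURLConnection connection = (HttpURLConnection) current.openConnection();
            try {
                // Redirects are followed by this loop so each target passes the blocklist check.
                connection.setInstanceFollowRedirects(false);
                // NOTE(review): no connect/read timeout is set, so an unresponsive host can stall
                // validation; consider configuring timeouts.
                connection.connect();
                // Kept for its side effect: it throws for error responses, which fails validation.
                connection.getInputStream();
                int status = connection.getResponseCode();
                if (status < 300 || status >= 400) {
                    return current;
                }
                String location = connection.getHeaderField("Location");
                if (location == null) {
                    throw new IOException("URL responded with a redirect but the location header was null");
                }
                // Resolve against the current URL so that path-relative and scheme-relative
                // ("//host/path") locations point at the target a client would actually follow,
                // instead of being glued onto the current authority.
                current = new URL(current, location);
            } finally {
                // Release the connection on every path, including when a check or read throws.
                connection.disconnect();
            }
        }
        throw new IOException("URL redirected more than " + MAX_REDIRECTS + " times");
    }

    /**
     * Validates the URL against the configured IP blocklist, including its redirect chain.
     *
     * <p>The check is skipped when the blocklist is empty or the URL has no host.
     *
     * <p>NOTE(review): the original URL is returned, not the final redirect target, so the
     * caller presumably resolves and follows redirects again when it fetches the resource;
     * confirm that this second pass cannot reach a target that was not validated here.
     *
     * @param configuration the configuration holding the blocklist setting
     * @param url           the URL to validate
     * @return the URL that was passed in
     * @throws URLAccessValidationError if the URL or one of its redirect targets is blocked, or if
     *     the check itself fails; the underlying failure is carried only as message text
     */
    public URL validate(Configuration configuration, URL url) throws URLAccessValidationError {
        @SuppressWarnings("unchecked")
        List<IPAddressString> blockedRanges = (List<IPAddressString>) configuration.get(GraphDatabaseSettings.cypher_ip_blocklist);
        String host = url.getHost();
        if (blockedRanges.isEmpty() || host == null || host.isEmpty()) {
            return url;
        }
        try {
            checkUrlIncludingHoops(url, blockedRanges);
        } catch (Exception e) {
            throw new URLAccessValidationError("Unable to verify access to " + host + ". Cause: " + e.getMessage());
        }
        return url;
    }
}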
