package org.neo4j.kernel.impl.security;

import inet.ipaddr.IPAddressString;
import java.io.IOException;
import java.lang.Runtime;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Iterator;
import java.util.List;
import org.neo4j.configuration.GraphDatabaseInternalSettings;
import org.neo4j.graphdb.config.Configuration;
import org.neo4j.graphdb.security.URLAccessRule;
import org.neo4j.graphdb.security.URLAccessValidationError;

/* loaded from: input_file:org/neo4j/kernel/impl/security/WebURLAccessRule.class */
public class WebURLAccessRule implements URLAccessRule {
    public static final String LOAD_CSV_USER_AGENT_PREFIX = "NeoLoadCSV_";
    private static final int REDIRECT_LIMIT = 10;

    public static String userAgent() {
        Runtime.Version version = Runtime.version();
        String property = System.getProperty("http.agent");
        return property == null ? "Java/" + version : property + " Java/" + version;
    }

    public static void checkNotBlocked(URL url, List<IPAddressString> list) throws Exception {
        InetAddress byName = InetAddress.getByName(url.getHost());
        Iterator<IPAddressString> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().contains(new IPAddressString(byName.getHostAddress()))) {
                throw new URLAccessValidationError("access to " + byName + " is blocked via the configuration property " + GraphDatabaseInternalSettings.cypher_ip_blocklist.name());
            }
        }
    }

    public static HttpURLConnection checkUrlIncludingHops(URL url, List<IPAddressString> list) throws Exception {
        HttpURLConnection httpURLConnection;
        boolean isRedirect;
        URL url2;
        URL url3 = url;
        int i = REDIRECT_LIMIT;
        do {
            checkNotBlocked(url3, list);
            httpURLConnection = (HttpURLConnection) url3.openConnection();
            httpURLConnection.setRequestProperty("User-Agent", String.format("%s%s", LOAD_CSV_USER_AGENT_PREFIX, userAgent()));
            httpURLConnection.setInstanceFollowRedirects(false);
            httpURLConnection.connect();
            httpURLConnection.getInputStream();
            isRedirect = isRedirect(httpURLConnection.getResponseCode());
            if (isRedirect) {
                int i2 = i;
                i--;
                if (i2 == 0) {
                    httpURLConnection.disconnect();
                    throw new IOException("Redirect limit exceeded");
                }
                String headerField = httpURLConnection.getHeaderField("Location");
                if (headerField == null) {
                    httpURLConnection.disconnect();
                    throw new IOException("URL responded with a redirect but the location header was null");
                }
                try {
                    url2 = new URL(headerField);
                    if (!url2.getProtocol().equalsIgnoreCase(url3.getProtocol())) {
                        return httpURLConnection;
                    }
                } catch (MalformedURLException e) {
                    url2 = new URL(httpURLConnection.getURL(), headerField);
                }
                url3 = url2;
            }
        } while (isRedirect);
        return httpURLConnection;
    }

    private static boolean isRedirect(int i) {
        return i >= 300 && i <= 307 && i != 306 && i != 304;
    }

    public URL validate(Configuration configuration, URL url) throws URLAccessValidationError {
        List list = (List) configuration.get(GraphDatabaseInternalSettings.cypher_ip_blocklist);
        String host = url.getHost();
        if (!list.isEmpty() && host != null && !host.isEmpty()) {
            try {
                checkUrlIncludingHops(url, list).disconnect();
            } catch (Exception e) {
                throw new URLAccessValidationError("Unable to verify access to " + host + ". Cause: " + e.getMessage());
            }
        }
        return url;
    }
}
