package org.apache.sling.security.impl;

import java.io.IOException;
import java.io.PrintWriter;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/security/impl/ReferrerFilter.class */
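/**
 * Servlet filter that answers 403 to browser requests using one of the configured HTTP
 * methods when their {@code Referer} header does not name an allowed origin.
 *
 * <p>A request is checked only when all of the following hold (see {@link #doFilter}):
 * it is an HTTP request, its {@code User-Agent} contains "Mozilla" or "Opera", and its
 * method is listed in the {@code filter.methods} property. Every other request is passed
 * down the chain unchecked, so this filter is a browser-side safeguard and not an
 * authentication or authorization control.
 *
 * <p>This source was recovered by a decompiler. Constructs the decompiler emitted with a
 * boolean constant in place of the integer {@code 1} ({@code i += DEFAULT_ALLOW_EMPTY},
 * {@code length == DEFAULT_ALLOW_EMPTY}) did not compile and have been restored.
 */
public class ReferrerFilter implements Filter {
    private static final String USER_AGENT = "User-Agent";
    private static final String BROWSER_CLASS_MOZILLA = "Mozilla";
    private static final String BROWSER_CLASS_OPERA = "Opera";
    private final Logger logger = LoggerFactory.getLogger(getClass());

    /** Default for {@link #PROP_ALLOW_EMPTY}: requests without a referrer are accepted. */
    private static final boolean DEFAULT_ALLOW_EMPTY = true;
    private static final String PROP_ALLOW_EMPTY = "allow.empty";
    private static final String PROP_HOSTS = "allow.hosts";
    private static final String PROP_METHODS = "filter.methods";

    // Whether a missing or blank Referer header is accepted.
    private boolean allowEmpty;
    // Allowed origins; a port of 0 in an entry means "any port" (see isValidRequest).
    private URL[] allowedReferrers;
    // Upper-cased HTTP methods that are subject to the check; null disables the check.
    private String[] filterMethods;
    private ServiceRegistration configPrinterRegistration;

    /**
     * Prints the effective allow list. It is registered as a service with Felix web
     * console properties in {@link ReferrerFilter#registerConfigPrinter}, so the method
     * name and signature must stay as they are.
     */
    public class ConfigurationPrinter {
        public ConfigurationPrinter() {
        }

        /**
         * Writes one allowed referrer URL per line.
         *
         * @param printWriter destination of the listing
         */
        public void printConfiguration(PrintWriter printWriter) {
            printWriter.println("Current Apache Sling Referrer Filter Allowed Referrers:");
            printWriter.println();
            for (URL allowed : ReferrerFilter.this.allowedReferrers) {
                printWriter.println(allowed.toString());
            }
        }
    }

    /**
     * Scheme, host and port extracted from a referrer value by {@link #getHost(String)}.
     * The decompiler reports that this class was package-private in the original.
     */
    public static final class HostInfo {
        public String host;
        public String scheme;
        public int port;

        HostInfo() {
        }
    }

    /**
     * Builds the built-in allow list: every address of every local network interface plus
     * the loopback names, each for http and https and each with port 0 ("any port").
     *
     * @return a mutable set of URL strings; the caller adds the configured hosts to it
     */
    private Set<String> getDefaultAllowedReferrers() {
        Set<String> referrers = new HashSet<String>();
        try {
            Enumeration<NetworkInterface> interfaces = NetworkInterface.getNetworkInterfaces();
            // Some JDKs return null instead of an empty enumeration when no interface exists.
            while (interfaces != null && interfaces.hasMoreElements()) {
                NetworkInterface networkInterface = interfaces.nextElement();
                this.logger.info("Adding Allowed referers for Interface:" + networkInterface.getDisplayName());
                Enumeration<InetAddress> addresses = networkInterface.getInetAddresses();
                while (addresses.hasMoreElements()) {
                    InetAddress address = addresses.nextElement();
                    // Locale.ROOT keeps the lower-casing independent of the JVM default locale.
                    String literal = address.getHostAddress().trim().toLowerCase(Locale.ROOT);
                    if (address instanceof Inet4Address) {
                        referrers.add("http://" + literal + ":0");
                        referrers.add("https://" + literal + ":0");
                    }
                    if (address instanceof Inet6Address) {
                        // IPv6 literals need brackets inside a URL authority.
                        referrers.add("http://[" + literal + "]:0");
                        referrers.add("https://[" + literal + "]:0");
                    }
                }
            }
        } catch (SocketException e) {
            // Best effort: the loopback entries below are still added.
            this.logger.error("Unable to detect network interfaces", e);
        }
        referrers.add("http://localhost:0");
        referrers.add("http://127.0.0.1:0");
        referrers.add("http://[::1]:0");
        referrers.add("https://localhost:0");
        referrers.add("https://127.0.0.1:0");
        referrers.add("https://[::1]:0");
        return referrers;
    }

    /**
     * Parses {@code str} as a URL and appends it to {@code list}; an unparsable entry is
     * logged and skipped, so it never becomes part of the allow list.
     */
    private void add(List<URL> list, String str) {
        try {
            list.add(new URL(str));
        } catch (MalformedURLException e) {
            this.logger.warn("Unable to create URL from " + str + " : " + e.getMessage());
        }
    }

    /**
     * Converts allow-list entries into URLs. An entry that already contains "://" is taken
     * as is; a bare host name is expanded to http and https entries with port 0.
     *
     * <p>NOTE(review): an entry such as {@code https://example.org} without an explicit
     * port yields {@code URL.getPort() == -1}, which the comparison in
     * {@link #isValidRequest} never matches. Such entries need an explicit port
     * (or {@code :0}) to take effect; confirm this is the intended configuration contract.
     *
     * @param set allow-list entries as strings
     * @return the entries that could be parsed as URLs
     */
    private URL[] createReferrerUrls(Set<String> set) {
        List<URL> urls = new ArrayList<URL>();
        for (String entry : set) {
            if (entry.indexOf("://") != -1) {
                add(urls, entry);
            } else {
                add(urls, "http://" + entry + ":0");
                add(urls, "https://" + entry + ":0");
            }
        }
        return urls.toArray(new URL[urls.size()]);
    }

    /**
     * Reads the component configuration and registers the configuration printer.
     *
     * <p>If {@code filter.methods} is absent or a single blank value, no method is
     * filtered and every request passes (see {@link #isModification}).
     *
     * @param componentContext source of the configuration properties and bundle context
     */
    protected void activate(ComponentContext componentContext) {
        this.allowEmpty = PropertiesUtil.toBoolean(
                componentContext.getProperties().get(PROP_ALLOW_EMPTY), DEFAULT_ALLOW_EMPTY);

        String[] configuredHosts = PropertiesUtil.toStringArray(componentContext.getProperties().get(PROP_HOSTS));
        // An empty array or a single blank value means "nothing configured".
        if (configuredHosts != null
                && (configuredHosts.length == 0
                        || (configuredHosts.length == 1 && configuredHosts[0].trim().length() == 0))) {
            configuredHosts = null;
        }
        Set<String> referrers = getDefaultAllowedReferrers();
        if (configuredHosts != null) {
            for (String configuredHost : configuredHosts) {
                referrers.add(configuredHost);
            }
        }
        this.allowedReferrers = createReferrerUrls(referrers);

        String[] methods = PropertiesUtil.toStringArray(componentContext.getProperties().get(PROP_METHODS));
        if (methods != null && methods.length == 1
                && (methods[0] == null || methods[0].trim().length() == 0)) {
            methods = null;
        }
        if (methods != null) {
            for (int i = 0; i < methods.length; i++) {
                // Locale.ROOT: under e.g. a Turkish default locale "propfind" would not
                // upper-case to "PROPFIND" and the method would silently escape the filter.
                methods[i] = methods[i].toUpperCase(Locale.ROOT);
            }
        }
        this.filterMethods = methods;

        this.configPrinterRegistration = registerConfigPrinter(componentContext.getBundleContext());
    }

    /** Unregisters the configuration printer, if one was registered. */
    protected void deactivate() {
        // Guard against deactivation after a failed or repeated activation cycle.
        if (this.configPrinterRegistration != null) {
            this.configPrinterRegistration.unregister();
            this.configPrinterRegistration = null;
        }
    }

    /**
     * Registers a {@link ConfigurationPrinter} under {@code Object} with the Felix web
     * console properties below.
     *
     * @param bundleContext context used for the registration
     * @return the registration handle, kept for {@link #deactivate()}
     */
    private ServiceRegistration registerConfigPrinter(BundleContext bundleContext) {
        ConfigurationPrinter configurationPrinter = new ConfigurationPrinter();
        Hashtable<String, Object> properties = new Hashtable<String, Object>();
        properties.put("service.description", "Apache Sling Referrer Filter Configuration Printer");
        properties.put("service.vendor", "The Apache Software Foundation");
        properties.put("felix.webconsole.label", "slingreferrerfilter");
        properties.put("felix.webconsole.title", "Sling Referrer Filter");
        properties.put("felix.webconsole.configprinter.modes", "always");
        return bundleContext.registerService(Object.class.getName(), configurationPrinter, properties);
    }

    /**
     * Tells whether the request method is one of the configured filter methods.
     *
     * @return {@code false} when no methods are configured or the method is not listed
     */
    private boolean isModification(HttpServletRequest httpServletRequest) {
        String method = httpServletRequest.getMethod();
        if (this.filterMethods == null) {
            return false;
        }
        // Configured methods were upper-cased in activate(); the comparison is exact.
        for (String filtered : this.filterMethods) {
            if (filtered.equals(method)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Sends 403 for a browser request with a filtered method and an unaccepted referrer;
     * otherwise hands the request to the next element of the chain.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if ((servletRequest instanceof HttpServletRequest) && (servletResponse instanceof HttpServletResponse)) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            if (isBrowserRequest(httpServletRequest) && isModification(httpServletRequest) && !isValidRequest(httpServletRequest)) {
                ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Extracts scheme, host and port from a referrer value.
     *
     * <p>User info ({@code user@}) is skipped. Without an explicit port, http maps to 80
     * and https to 443; other schemes keep port 0. IPv6 literals are returned with their
     * brackets, matching what {@link URL#getHost()} returns for allow-list entries.
     *
     * @param str the referrer header value
     * @return the parsed parts, or {@code null} when the value has no "://", has a
     *         delimiter inside the scheme, or carries a port that is not a number;
     *         {@link #isValidRequest} treats {@code null} as an illegal referrer
     */
    HostInfo getHost(String str) {
        int schemeEnd = str.indexOf("://");
        if (schemeEnd == -1) {
            return null;
        }
        String scheme = str.substring(0, schemeEnd);
        // A path, query or fragment delimiter before "://" means this is not scheme://authority.
        if (scheme.indexOf('/') != -1 || scheme.indexOf('?') != -1 || scheme.indexOf('#') != -1) {
            return null;
        }

        // The authority component ends at the first '/', '?' or '#' (RFC 3986, section 3.2).
        int authorityStart = schemeEnd + 3;
        int authorityEnd = str.length();
        for (int i = authorityStart; i < str.length(); i++) {
            char c = str.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                authorityEnd = i;
                break;
            }
        }
        String authority = str.substring(authorityStart, authorityEnd);

        int hostStart = authority.indexOf('@') + 1;
        int portSeparator = authority.lastIndexOf(':');
        // A colon inside an IPv6 literal ("[::1]") is part of the host, not a port separator.
        if (portSeparator < authority.lastIndexOf(']')) {
            portSeparator = -1;
        }

        HostInfo hostInfo = new HostInfo();
        hostInfo.scheme = scheme;
        if (portSeparator < hostStart) {
            hostInfo.host = authority.substring(hostStart);
            if (hostInfo.scheme.equals("http")) {
                hostInfo.port = 80;
            } else if (hostInfo.scheme.equals("https")) {
                hostInfo.port = 443;
            }
        } else {
            hostInfo.host = authority.substring(hostStart, portSeparator);
            try {
                hostInfo.port = Integer.parseInt(authority.substring(portSeparator + 1));
            } catch (NumberFormatException e) {
                // Reject instead of letting the exception escape the filter as a server error.
                return null;
            }
        }
        return hostInfo;
    }

    /**
     * Decides whether the request's {@code Referer} header is acceptable.
     *
     * <p>Accepted: a missing or blank header when {@code allow.empty} is set; a value
     * without ":/" (treated as relative); a value starting with "app:/"; a host equal to
     * the request's server name; or a scheme/host/port match with an allow-list entry,
     * where an entry port of 0 matches any port. Everything else is rejected and logged.
     *
     * @param httpServletRequest the request under inspection
     * @return {@code true} when the request may proceed
     */
    boolean isValidRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("referer");
        if (header == null || header.trim().length() == 0) {
            if (!this.allowEmpty) {
                this.logger.info("Rejected empty referrer header for {} request to {}", httpServletRequest.getMethod(), httpServletRequest.getRequestURI());
            }
            return this.allowEmpty;
        }
        // NOTE(review): these two cases are accepted without consulting the allow list.
        if (header.indexOf(":/") == -1 || header.startsWith("app:/")) {
            return true;
        }
        HostInfo host = getHost(header);
        if (host == null) {
            // header is request-controlled text and is handed to the logger unmodified.
            this.logger.info("Rejected illegal referrer header for {} request to {} : {}", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), header});
            return false;
        }
        // Same-host shortcut: only the host name is compared, scheme and port are ignored.
        // NOTE(review): getServerName() usually reflects the request's Host header - confirm
        // the deployment validates that header upstream.
        if (host.host.equals(httpServletRequest.getServerName())) {
            return true;
        }
        boolean allowed = false;
        for (URL candidate : this.allowedReferrers) {
            if (host.host.equals(candidate.getHost())
                    && host.scheme.equals(candidate.getProtocol())
                    && (candidate.getPort() == 0 || host.port == candidate.getPort())) {
                allowed = true;
                break;
            }
        }
        if (!allowed) {
            this.logger.info("Rejected referrer header for {} request to {} : {}", new Object[]{httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), header});
        }
        return allowed;
    }

    /** No initialization is needed; configuration happens in {@link #activate}. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release here; the printer is unregistered in {@link #deactivate()}. */
    @Override
    public void destroy() {
    }

    /**
     * Tells whether the {@code User-Agent} header contains "Mozilla" or "Opera".
     * Requests without that header, or with any other value, are not referrer-checked.
     */
    private boolean isBrowserRequest(HttpServletRequest httpServletRequest) {
        String userAgent = httpServletRequest.getHeader(USER_AGENT);
        if (userAgent == null) {
            return false;
        }
        return userAgent.contains(BROWSER_CLASS_MOZILLA) || userAgent.contains(BROWSER_CLASS_OPERA);
    }
}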
