package org.n52.security.service.authentication.servlet;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.n52.security.authentication.AuthenticationContext;
import org.n52.security.authentication.AuthenticationContextUtil;
import org.n52.security.common.subject.SubjectPrincipalAnalyzer;
import org.n52.security.service.config.SecurityConfig;
import org.n52.security.service.config.ServiceConfig;
import org.n52.security.service.config.support.AbstractSecurityConfigServletFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/n52/security/service/authentication/servlet/IPRestrictionFilter.class */
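/**
 * Servlet filter that rejects requests with HTTP 403 unless the caller is allow-listed.
 *
 * <p>A request passes when one of the following holds:
 * <ul>
 *   <li>{@code authenticatedAccessAllowed} is {@code true}, the current authentication context is
 *       authenticated and, if {@code roleRestrictionSet} is non-empty, the subject holds one of
 *       the listed roles;</li>
 *   <li>the remote address fully matches {@code ipRestrictionRegexp};</li>
 *   <li>the remote address equals an address resolved from {@code hostnameRestrictionSet}
 *       (plus {@code localhost} and the local canonical host name unless
 *       {@code localHostsAllowed} is {@code false}).</li>
 * </ul>
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>The decision uses {@code HttpServletRequest.getRemoteAddr()}, which is the address of the
 *       peer that opened the connection. Behind a reverse proxy or load balancer that is the
 *       proxy, not the end client. Because local hosts are allowed unless
 *       {@code localHostsAllowed} is explicitly {@code false}, a proxy on the same machine makes
 *       every proxied request pass the IP check; set {@code localHostsAllowed=false} in such a
 *       setup.</li>
 *   <li>The regular expression is applied with {@code matches()}, so it must cover the whole
 *       address string. Write literal dots as {@code \.}.</li>
 *   <li>Host name entries are only as trustworthy as the DNS answers the JVM receives; results are
 *       reused for 30 minutes. Prefer the regular expression for fixed addresses.</li>
 *   <li>Resolved addresses are compared as strings. NOTE(review): the textual form of IPv6
 *       addresses may differ between the container and {@code InetAddress.getHostAddress()};
 *       a mismatch results in a denial, not in unintended access. Confirm for IPv6 deployments.</li>
 * </ul>
 */
public class IPRestrictionFilter extends AbstractSecurityConfigServletFilter {
    private static final Logger LOG = LoggerFactory.getLogger(IPRestrictionFilter.class);

    /** How long resolved host addresses are reused before they are resolved again (30 minutes). */
    private static final long RESOLVE_INTERVAL_MILLIS = 1800000L;

    /** Separator characters accepted in the host and role list parameters. */
    private static final String LIST_DELIMITERS = ",;";

    private Pattern m_ipRestrictionRegexp;
    private Set<String> m_allowedHostNames;
    private volatile Map<String, InetAddress[]> m_resolvedIPs;
    private boolean m_authenticatedAccess;
    private Set<String> m_allowedRoles;
    // Not volatile on purpose: it is written before the volatile write of m_resolvedIPs and read
    // after the volatile read of m_resolvedIPs, so keep that ordering in resolveIps().
    private long m_lastResolved;

    /** Releases the configured pattern, host names and cached addresses. */
    public void destroy() {
        this.m_ipRestrictionRegexp = null;
        this.m_allowedHostNames = null;
        this.m_resolvedIPs = null;
    }

    /**
     * Answers 403 for callers that are not allow-listed, otherwise continues the chain.
     *
     * @param httpServletRequest the incoming request; only its remote address is inspected
     * @param httpServletResponse the response used to send the 403 error
     * @param filterChain the remaining chain, invoked only when access is granted
     * @throws IOException if sending the error or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    protected void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        String remoteAddr = httpServletRequest.getRemoteAddr();
        if (accessDenied(remoteAddr)) {
            // Denials are logged at WARN so they can be monitored and alerted on.
            LOG.warn("Access denied for IP <{}>", remoteAddr);
            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "ip restricted access");
            return;
        }
        LOG.debug("access allowed for ip <{}>", remoteAddr);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the request must be rejected.
     *
     * @param str the remote address reported by the container
     * @return {@code true} to deny, {@code false} to allow
     */
    private boolean accessDenied(String str) {
        if (this.m_authenticatedAccess) {
            AuthenticationContext currentAuthenticationContext = AuthenticationContextUtil.getCurrentAuthenticationContext();
            if (currentAuthenticationContext != null && currentAuthenticationContext.isAuthenticated()) {
                // NOTE(review): for an authenticated caller the role check is final; the IP and
                // host allow-lists below are not consulted, so an authenticated user without an
                // allowed role is denied even from an allow-listed address. Confirm this is the
                // intended policy.
                return !hasAllowedRole(currentAuthenticationContext);
            }
        }
        if (str == null) {
            // Fail closed explicitly instead of failing with a NullPointerException below.
            return true;
        }
        if (this.m_ipRestrictionRegexp != null && this.m_ipRestrictionRegexp.matcher(str).matches()) {
            return false;
        }
        for (InetAddress[] addresses : resolveIps().values()) {
            for (InetAddress address : addresses) {
                if (str.equals(address.getHostAddress())) {
                    return false;
                }
            }
        }
        // Default deny: nothing matched.
        return true;
    }

    /**
     * Checks the authenticated subject against the configured role set.
     *
     * @param authenticationContext an authenticated context
     * @return {@code true} if no roles are configured or the subject holds at least one of them
     */
    private boolean hasAllowedRole(AuthenticationContext authenticationContext) {
        if (this.m_allowedRoles.isEmpty()) {
            // No role restriction configured: any authenticated caller is accepted.
            return true;
        }
        Iterator<?> roles = new SubjectPrincipalAnalyzer(authenticationContext.getSubject()).getRoles().iterator();
        while (roles.hasNext()) {
            if (this.m_allowedRoles.contains(roles.next())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the filter parameters and resolves the allowed host names once.
     *
     * <p>Parameters (obtained through the inherited {@code parameterLookup}):
     * {@code ipRestrictionRegexp}, {@code hostnameRestrictionSet}, {@code localHostsAllowed},
     * {@code authenticatedAccessAllowed}, {@code roleRestrictionSet}. The two set parameters are
     * lists separated by {@code ,} or {@code ;}.
     *
     * @throws IllegalStateException if {@code ipRestrictionRegexp} is not a valid pattern
     */
    protected void init(FilterConfig filterConfig, ServiceConfig serviceConfig, SecurityConfig securityConfig) {
        String regexp = (String) parameterLookup(filterConfig, serviceConfig, "ipRestrictionRegexp");
        if (regexp != null && regexp.length() > 0) {
            try {
                this.m_ipRestrictionRegexp = Pattern.compile(regexp);
            } catch (PatternSyntaxException e) {
                // A broken allow-list pattern aborts initialisation rather than being ignored.
                throw new IllegalStateException("Regular expression pattern <" + regexp + "> is not correct, please check it. All accesses are denied! ErrorMsg: " + e, e);
            }
        }

        this.m_allowedHostNames = parseList((String) parameterLookup(filterConfig, serviceConfig, "hostnameRestrictionSet"), "host");

        // Local hosts are allowed unless the parameter is explicitly "false" (a missing value
        // means allowed). See the class comment for the reverse-proxy implication.
        if (!"false".equalsIgnoreCase((String) parameterLookup(filterConfig, serviceConfig, "localHostsAllowed"))) {
            this.m_allowedHostNames.add("localhost");
            try {
                InetAddress localHost = InetAddress.getLocalHost();
                if (localHost != null) {
                    String canonicalHostName = localHost.getCanonicalHostName();
                    // Logged at INFO so the effective allow-list can be audited at start-up.
                    LOG.info("add local host name <{}> to allowed hosts", canonicalHostName);
                    this.m_allowedHostNames.add(canonicalHostName);
                }
            } catch (UnknownHostException e) {
                LOG.warn("can't resolve ip address for the local host name: {}", e.toString());
            }
        }

        // Authenticated access is opt-in: only the literal "true" enables it.
        this.m_authenticatedAccess = "true".equalsIgnoreCase((String) parameterLookup(filterConfig, serviceConfig, "authenticatedAccessAllowed"));
        this.m_allowedRoles = parseList((String) parameterLookup(filterConfig, serviceConfig, "roleRestrictionSet"), "role");

        resolveIps();
    }

    /**
     * Splits a {@code ,}/{@code ;} separated parameter value into a set of trimmed, non-empty entries.
     *
     * @param raw the raw parameter value, may be {@code null}
     * @param kind label used in the debug log line ({@code host} or {@code role})
     * @return a new mutable set, empty if {@code raw} is {@code null} or holds no entries
     */
    private static Set<String> parseList(String raw, String kind) {
        Set<String> entries = new HashSet<String>();
        StringTokenizer tokenizer = new StringTokenizer(raw == null ? "" : raw, LIST_DELIMITERS);
        while (tokenizer.hasMoreTokens()) {
            String entry = tokenizer.nextToken().trim();
            if (entry.length() > 0) {
                LOG.debug("Add {} <{}> to internal allowed set", kind, entry);
                entries.add(entry);
            }
        }
        return entries;
    }

    /**
     * Returns the addresses of all allowed host names, resolving them again once the cached
     * result is older than {@link #RESOLVE_INTERVAL_MILLIS}.
     *
     * <p>Resolution runs on the calling thread. A host that cannot be resolved is logged and left
     * out of the result, so it is not allowed until a later resolution succeeds.
     *
     * @return map from configured host name to its resolved addresses
     */
    private Map<String, InetAddress[]> resolveIps() {
        long now = System.currentTimeMillis();
        Map<String, InetAddress[]> cached = this.m_resolvedIPs;
        if (cached != null && now - this.m_lastResolved < RESOLVE_INTERVAL_MILLIS) {
            return cached;
        }
        Map<String, InetAddress[]> resolved = new HashMap<String, InetAddress[]>();
        for (String hostName : this.m_allowedHostNames) {
            try {
                resolved.put(hostName, InetAddress.getAllByName(hostName));
            } catch (UnknownHostException e) {
                LOG.warn("host <{}> is not known! Error:{}", hostName, e.toString());
            }
        }
        // Timestamp first, then the volatile publication of the map (see m_lastResolved).
        this.m_lastResolved = now;
        this.m_resolvedIPs = resolved;
        return resolved;
    }
}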
