package cn.omisheep.authz.core.auth.ipf;

import cn.omisheep.authz.annotation.BannedType;
import cn.omisheep.authz.core.Constants;
import cn.omisheep.authz.core.ExceptionStatus;
import cn.omisheep.authz.core.auth.ipf.Httpd;
import cn.omisheep.authz.core.msg.RequestMessage;
import cn.omisheep.authz.core.util.AUtils;
import cn.omisheep.authz.core.util.ExceptionUtils;
import cn.omisheep.authz.core.util.LogUtils;
import cn.omisheep.authz.core.util.RedisUtils;
import cn.omisheep.commons.util.Async;
import cn.omisheep.web.utils.BufferedServletRequestWrapper;
import cn.omisheep.web.utils.HttpUtils;
import java.io.IOException;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import orestes.bloomfilter.CountingBloomFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.logging.LogLevel;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:cn/omisheep/authz/core/auth/ipf/AuthzHttpFilter.class */
public class AuthzHttpFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(AuthzHttpFilter.class);
    private final Httpd httpd;
    private final boolean isDashboard;
    private final String mappings;
    private static final String UNKNOWN = "unknown";
    private static final String X_FORWARDED_FOR = "x-forwarded-for";
    private static final String PROXY_CLIENT_IP = "Proxy-Client-IP";
    private static final String WL_PROXY_CLIENT_IP = "WL-Proxy-Client-IP";
    private static final String HTTP_CLIENT_IP = "HTTP_CLIENT_IP";
    private static final String HTTP_X_FORWARDED_FOR = "HTTP_X_FORWARDED_FOR";
    private static final String X_REAL_IP = "X-Real-IP";

    public AuthzHttpFilter(Httpd httpd, boolean z, String str) {
        this.httpd = httpd;
        this.isDashboard = z;
        String substring = str.substring(0, str.indexOf("/*"));
        if (str.startsWith("/")) {
            this.mappings = substring;
        } else {
            this.mappings = "/" + substring;
        }
    }

    public void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        BufferedServletRequestWrapper bufferedServletRequestWrapper = new BufferedServletRequestWrapper(httpServletRequest);
        String ip = getIp(bufferedServletRequestWrapper);
        String requestURI = bufferedServletRequestWrapper.getRequestURI();
        String method = bufferedServletRequestWrapper.getMethod();
        long time = new Date().getTime();
        String servletPath = bufferedServletRequestWrapper.getServletPath();
        HttpUtils.request.set(bufferedServletRequestWrapper);
        if (AUtils.isIgnoreSuffix(requestURI, this.httpd.getIgnoreSuffix()) || (this.isDashboard && requestURI.startsWith(this.mappings))) {
            HttpMeta error = new HttpMeta(bufferedServletRequestWrapper, ip, requestURI, servletPath, method, new Date()).error(ExceptionUtils.pop(bufferedServletRequestWrapper));
            error.setIgnore(true);
            bufferedServletRequestWrapper.setAttribute(Constants.HTTP_META, error);
            error.setServletPath(servletPath);
            filterChain.doFilter(bufferedServletRequestWrapper, httpServletResponse);
            return;
        }
        String str = null;
        try {
            str = execLimit(time, ip, servletPath, method);
        } catch (Exception e) {
            ExceptionUtils.error(ExceptionStatus.UNKNOWN);
        }
        if (str == null) {
            str = servletPath;
        }
        HttpMeta error2 = new HttpMeta(bufferedServletRequestWrapper, ip, requestURI, str, method, new Date()).error(ExceptionUtils.pop(bufferedServletRequestWrapper));
        error2.setServletPath(servletPath);
        bufferedServletRequestWrapper.setAttribute(Constants.HTTP_META, error2);
        Async.run(() -> {
            RedisUtils.publish(RequestMessage.CHANNEL, new RequestMessage(method, error2.getApi(), ip, time, null));
        });
        filterChain.doFilter(bufferedServletRequestWrapper, httpServletResponse);
    }

    private String execLimit(long j, String str, String str2, String str3) throws IOException {
        RequestMeta requestMeta;
        HashSet<RequestMeta> ipBlacklist = this.httpd.getIpBlacklist();
        CountingBloomFilter<String> ipBlacklistBloomFilter = this.httpd.getIpBlacklistBloomFilter();
        if (ipBlacklistBloomFilter.contains(str) && (requestMeta = (RequestMeta) ipBlacklist.stream().filter(requestMeta2 -> {
            return requestMeta2.getIp().equals(str);
        }).findFirst().orElse(null)) != null && requestMeta.isBan()) {
            if (!requestMeta.enableRelive(j)) {
                LogUtils.pushLogToRequest("「请求频繁ip封锁(拒绝)」 \t距上次访问: [{}] , method: [{}] , ip : [{}] , servletPath: [{}]  ", requestMeta.sinceLastTime(), str3, str, str2);
                ExceptionUtils.error(ExceptionStatus.REQUEST_REPEAT);
                return null;
            }
            LogUtils.pushLogToRequest("「解除ip封禁(解封)」", new Object[0]);
            ipBlacklistBloomFilter.remove(str);
            ipBlacklist.remove(requestMeta);
            requestMeta.relive();
        }
        ConcurrentHashMap<String, Httpd.RequestPool> concurrentHashMap = this.httpd.getRequestPools().get(str3);
        if (concurrentHashMap == null) {
            LogUtils.pushLogToRequest("「普通访问(uri不存在)」 \tmethod: [{}] , ip : [{}] , servletPath: [{}]   ", str3, str, str2);
            ExceptionUtils.error(ExceptionStatus.MISMATCHED_URL);
            return null;
        }
        for (Map.Entry<String, Httpd.RequestPool> entry : concurrentHashMap.entrySet()) {
            if (Httpd.antPathMatcher.match(entry.getKey(), str2)) {
                try {
                    LimitMeta limitMeta = this.httpd.getRateLimitMetadata().get(str3).get(entry.getKey());
                    if (limitMeta == null) {
                        LogUtils.pushLogToRequest("「普通访问」 \tmethod: [{}] , ip : [{}] , servletPath: [{}]   ", str3, str, str2);
                        return entry.getKey();
                    }
                    RequestMeta requestMeta3 = entry.getValue().get(str);
                    if (requestMeta3 == null) {
                        entry.getValue().put(str, new RequestMeta(j, str));
                        LogUtils.pushLogToRequest("「普通访问(首次)」 \tmethod: [{}] , ip : [{}] , servletPath: [{}]  ", str3, str, str2);
                    } else {
                        if (requestMeta3.isBan()) {
                            if (!requestMeta3.enableRelive(j)) {
                                LogUtils.pushLogToRequest(LogLevel.WARN, "「请求频繁(拒绝)」 \t距上次访问: [{}] , method: [{}] , ip : [{}] , servletPath: [{}]  ", requestMeta3.sinceLastTime(), str3, str, str2);
                                ExceptionUtils.error(ExceptionStatus.REQUEST_REPEAT);
                                requestMeta3.setLastRequestTime(j);
                                return null;
                            }
                            LogUtils.pushLogToRequest("「解除封禁(解封)」  \tmethod: [{}] , ip : [{}] , servletPath: [{}]  ", str3, str, str2);
                            this.httpd.relive(requestMeta3, limitMeta);
                        }
                        if (!requestMeta3.request(j, limitMeta.getMaxRequests(), limitMeta.getWindow(), limitMeta.getMinInterval())) {
                            this.httpd.forbid(j, requestMeta3, limitMeta);
                            LogUtils.pushLogToRequest(LogLevel.WARN, "「请求频繁(封禁)」 \t距上次访问: [{}] , method: [{}] , ip : [{}] , servletPath: [{}]  ", requestMeta3.sinceLastTime(), str3, str, str2);
                            ExceptionUtils.error(ExceptionStatus.REQUEST_REPEAT);
                            if (!BannedType.IP.equals(limitMeta.getBannedType())) {
                                return null;
                            }
                            ipBlacklist.add(requestMeta3);
                            ipBlacklistBloomFilter.add(str);
                            return null;
                        }
                        LogUtils.pushLogToRequest("「普通访问(正常)」\t距上次访问: [{}] , method: [{}] , ip : [{}] , servletPath: [{}]  ", requestMeta3.sinceLastTime(), str3, str, str2);
                    }
                    return entry.getKey();
                } catch (NullPointerException e) {
                    LogUtils.pushLogToRequest("「普通访问」 \tmethod: [{}] , ip : [{}] , servletPath: [{}]   ", str3, str, str2);
                    return entry.getKey();
                }
            }
        }
        LogUtils.pushLogToRequest("「普通访问(uri不存在)」 \tmethod: [{}] , ip : [{}] , servletPath: [{}]   ", str3, str, str2);
        ExceptionUtils.error(ExceptionStatus.MISMATCHED_URL);
        return null;
    }

    private String getIp(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(X_FORWARDED_FOR);
        if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
            if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
                header = httpServletRequest.getHeader(PROXY_CLIENT_IP);
            }
            if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
                header = httpServletRequest.getHeader(WL_PROXY_CLIENT_IP);
            }
            if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
                header = httpServletRequest.getHeader(HTTP_CLIENT_IP);
            }
            if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
                header = httpServletRequest.getHeader(HTTP_X_FORWARDED_FOR);
            }
            if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
                header = httpServletRequest.getHeader(X_REAL_IP);
            }
            if (header == null || header.length() == 0 || UNKNOWN.equalsIgnoreCase(header)) {
                header = httpServletRequest.getRemoteAddr();
            }
        } else if (header.length() > 15) {
            String[] split = header.split(Constants.COMMA);
            int length = split.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                String str = split[i];
                if (!UNKNOWN.equalsIgnoreCase(str)) {
                    header = str;
                    break;
                }
                i++;
            }
        }
        return header.equals("0:0:0:0:0:0:0:1") ? "127.0.0.1" : header;
    }
}
