package de.mhus.cherry.web.util.filter;

import de.mhus.cherry.web.api.InternalCallContext;
import de.mhus.cherry.web.api.VirtualHost;
import de.mhus.cherry.web.api.WebFilter;
import de.mhus.cherry.web.util.CherryWebUtil;
import de.mhus.lib.core.MLog;
import de.mhus.lib.core.MPassword;
import de.mhus.lib.core.MString;
import de.mhus.lib.core.cfg.CfgString;
import de.mhus.lib.core.config.IConfig;
import de.mhus.lib.core.logging.MLogUtil;
import de.mhus.lib.core.net.Subnet;
import de.mhus.lib.core.util.Base64;
import de.mhus.lib.core.util.MUri;
import de.mhus.lib.errors.MException;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.UUID;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:de/mhus/cherry/web/util/filter/CloudflareFilter.class */
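/**
 * Web filter for virtual hosts that sit behind Cloudflare.
 *
 * <p>Requests whose socket peer address lies in one of the configured Cloudflare ranges take
 * their client address from the {@code CF-Connecting-IP} header and are asked for HTTP Basic
 * credentials only when the filter's {@code public} option is {@code false}. Every other
 * (direct) request must always pass HTTP Basic authentication.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>A peer address inside a Cloudflare range shows that the request came from Cloudflare's
 *       network, not that it was routed through this site's own zone configuration. With
 *       {@code public=true} (the default) that path carries no authentication in this filter;
 *       an origin-side control such as Cloudflare Authenticated Origin Pulls (mTLS) closes
 *       that gap.</li>
 *   <li>The {@code ips} default is a static list; it has to be kept in sync with the ranges
 *       Cloudflare publishes.</li>
 *   <li>The range check uses {@code getRemoteAddr()}. If another reverse proxy terminates the
 *       connection in front of this servlet, the check sees that proxy's address instead of
 *       the real peer.</li>
 * </ul>
 */
public class CloudflareFilter extends MLog implements WebFilter {
    /** Fallback body of the 401 response; also used when no {@link Config} is registered. */
    private static final String DEFAULT_MESSAGE = "Access denied";

    /** Fallback Basic-auth realm; also used when no {@link Config} is registered. */
    private static final String DEFAULT_REALM = "Access";

    /**
     * Parsed form of {@link #CFG_IPS}; {@code null} means "rebuild on next use". Declared
     * volatile because the reset in {@code onPreUpdate} presumably runs on a different thread
     * than request handling.
     */
    private static volatile Subnet[] cloudflareNetworks;

    // Prefix of the virtual-host property key under which the per-instance Config is stored.
    // NOTE(review): the value reads "base_auth_filter" although this is the Cloudflare filter,
    // and the field is public and non-final. Reassigning it makes the lookup in doFilterBegin
    // miss, which answers every request with 401. Confirm the name is intended.
    public static String NAME = "base_auth_filter";

    // Comma-separated CIDR ranges treated as Cloudflare edge addresses (config key "ips").
    private static CfgString CFG_IPS = new CfgString(CloudflareFilter.class, "ips", "103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/12,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2405:b500::/32,2606:4700::/32,2803:f800::/32,2c0f:f248::/32,2a06:98c0::/29") { // from class: de.mhus.cherry.web.util.filter.CloudflareFilter.1
        /* JADX INFO: Access modifiers changed from: protected */
        public void onPreUpdate(String str) {
            // Drop the parsed cache so the next request re-reads the configured ranges.
            CloudflareFilter.cloudflareNetworks = null;
        }
    };

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:de/mhus/cherry/web/util/filter/CloudflareFilter$Config.class */
    /** Per-filter-instance settings read from the filter's configuration node. */
    public class Config {
        // Realm announced in the WWW-Authenticate challenge.
        private String realm;
        // Body of the 401 response.
        private String message;
        // User name -> stored password as read from configuration.
        // NOTE(review): whether the stored value is clear text or an encoded form depends on
        // what MPassword.equals accepts; prefer an encoded form if it supports one.
        private HashMap<String, String> accounts = new HashMap<>();
        // When true, requests arriving from a Cloudflare range are let through without
        // credentials.
        private boolean public_;

        /**
         * Reads message, realm, inline accounts, an optional accounts file and the
         * {@code public} flag from the configuration node.
         *
         * @param virtualHost host used to resolve the {@code accountsFile} path
         * @param iConfig configuration node of this filter
         */
        public Config(VirtualHost virtualHost, IConfig iConfig) {
            this.message = iConfig.getString("message", DEFAULT_MESSAGE);
            this.realm = iConfig.getString("realm", DEFAULT_REALM);
            for (IConfig account : iConfig.getNode("accounts").getNodes()) {
                try {
                    this.accounts.put(account.getString("user"), account.getString("pass"));
                } catch (MException e) {
                    // An unreadable account entry is logged and skipped; the rest still load.
                    CloudflareFilter.this.log().e(new Object[]{e});
                }
            }
            String accountsFile = iConfig.getString("accountsFile", (String) null);
            if (MString.isSet(accountsFile)) {
                CherryWebUtil.loadAccounts(virtualHost.findFile(accountsFile), this.accounts);
            }
            // Defaults to true: Cloudflare-routed traffic is unauthenticated unless disabled.
            this.public_ = iConfig.getBoolean("public", true);
        }
    }

    /**
     * Builds the {@link Config} for this filter instance and stores it in the virtual host's
     * properties under {@code NAME + uuid}.
     */
    public void doInitialize(UUID uuid, VirtualHost virtualHost, IConfig iConfig) throws MException {
        virtualHost.getProperties().put(NAME + uuid, new Config(virtualHost, iConfig));
    }

    /**
     * Decides whether the request may proceed.
     *
     * @return {@code true} to continue the filter chain, {@code false} after a 401 was sent
     * @throws MException if writing the 401 response fails
     */
    public boolean doFilterBegin(UUID uuid, InternalCallContext internalCallContext) throws MException {
        Config config = (Config) internalCallContext.getVirtualHost().getProperties().get(NAME + uuid);
        if (config == null) {
            // Fail closed: without a registered configuration nothing is let through.
            send401(internalCallContext, config);
            return false;
        }

        String peerAddr = internalCallContext.getHttpRequest().getRemoteAddr();
        if (!isCloudflare(peerAddr)) {
            // Direct connection: CF-Connecting-IP is not trusted here, and credentials are
            // always required regardless of the "public" flag.
            internalCallContext.setAttribute("__remote_ip", peerAddr);
            String directUser = doAuth(internalCallContext, config);
            trace(internalCallContext, directUser, config, peerAddr);
            if (directUser != null) {
                return true;
            }
            send401(internalCallContext, config);
            return false;
        }

        // Peer is inside a configured Cloudflare range, so the forwarded header is used.
        // NOTE(review): the header may be absent, in which case null is passed on as the
        // remote IP; confirm downstream consumers tolerate that.
        String remoteIp = getRemoteIp(internalCallContext.getHttpRequest());
        internalCallContext.setRemoteIp(remoteIp);

        String user = "";
        if (!config.public_) {
            user = doAuth(internalCallContext, config);
            if (user == null) {
                trace(internalCallContext, user, config, remoteIp);
                send401(internalCallContext, config);
                return false;
            }
        }
        trace(internalCallContext, user, config, remoteIp);
        return true;
    }

    /**
     * Returns the raw {@code CF-Connecting-IP} request header, or {@code null} if it is absent.
     *
     * <p>The header is client-controlled unless the connection really comes from Cloudflare;
     * callers should only rely on it after {@link #isCloudflare(String)} accepted the peer
     * address, as {@code doFilterBegin} does.
     */
    public static String getRemoteIp(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader("CF-Connecting-IP");
    }

    /**
     * Validates the HTTP Basic credentials of the request against the configured accounts.
     *
     * @return the authenticated user name, or {@code null} if the header is missing, is not a
     *     Basic header, carries no password, or does not match a configured account
     */
    private String doAuth(InternalCallContext internalCallContext, Config config) throws MException {
        String header = internalCallContext.getHttpRequest().getHeader("Authorization");
        // regionMatches(ignoreCase) instead of toUpperCase(): the latter depends on the default
        // locale and fails to recognise "basic" under e.g. a Turkish locale.
        if (header == null || !header.regionMatches(true, 0, "BASIC ", 0, 6)) {
            return null;
        }
        // The challenge advertises charset="UTF-8", so decode with UTF-8 rather than the
        // platform default charset.
        // NOTE(review): how Base64.decode reacts to malformed input is not visible here.
        String[] parts = new String(Base64.decode(header.substring(6)), StandardCharsets.UTF_8).split(":", 2);
        // split(":", 2) always yields at least one element.
        String user = MUri.decode(parts[0]);
        if (parts.length < 2) {
            // No ':' separator means no password was supplied; never hand null to the
            // password comparison.
            log().d(new Object[]{"password not accepted", user});
            return null;
        }
        String pass = MUri.decode(parts[1]);

        String stored = config.accounts.get(user);
        // The user name below is request-controlled and URL-decoded before it is logged.
        // NOTE(review): confirm the log backend neutralises control characters.
        if (stored == null) {
            log().d(new Object[]{"user not found", user});
            return null;
        }
        if (MPassword.equals(stored, pass)) {
            return user;
        }
        log().d(new Object[]{"password not accepted", user});
        return null;
    }

    /** Writes an access log line when access tracing is enabled on the virtual host. */
    private void trace(InternalCallContext internalCallContext, String user, Config config, String remoteIp) {
        if (internalCallContext.getVirtualHost().isTraceAccess()) {
            log().d(new Object[]{"access", internalCallContext.getVirtualHost().getName(), user, remoteIp, internalCallContext.getHttpMethod(), internalCallContext.getHttpPath()});
        }
    }

    /**
     * Tells whether the given address lies in one of the configured Cloudflare ranges.
     *
     * <p>Intended for literal IP addresses such as {@code getRemoteAddr()} returns; a host
     * name would be resolved by {@link InetAddress#getByName(String)}.
     *
     * @return {@code true} if a configured range contains the address; {@code false} otherwise
     *     or if the address cannot be resolved
     */
    public static boolean isCloudflare(String str) {
        try {
            InetAddress address = InetAddress.getByName(str);
            for (Subnet subnet : getCloudflareNetworks()) {
                // Slots of entries that failed to parse stay null and are skipped.
                if (subnet != null && subnet.isInNet(address)) {
                    return true;
                }
            }
            return false;
        } catch (UnknownHostException e) {
            MLogUtil.log().w(new Object[]{e});
            return false;
        }
    }

    /**
     * Returns the parsed Cloudflare ranges, building them from {@link #CFG_IPS} on first use
     * or after a configuration update reset the cache.
     *
     * <p>The array is filled locally and published with a single assignment, so a concurrent
     * reset cannot produce a {@code null} return value or a half-filled shared array.
     */
    private static Subnet[] getCloudflareNetworks() {
        Subnet[] networks = cloudflareNetworks;
        if (networks == null) {
            String[] entries = ((String) CFG_IPS.value()).split(",");
            networks = new Subnet[entries.length];
            for (int i = 0; i < entries.length; i++) {
                // Tolerate "a, b" style lists and empty entries in the configured value.
                String entry = entries[i].trim();
                if (entry.isEmpty()) {
                    continue;
                }
                try {
                    networks[i] = Subnet.createInstance(entry);
                } catch (UnknownHostException e) {
                    // An unparsable entry is logged and leaves its slot null, which means the
                    // range is simply not treated as Cloudflare.
                    MLogUtil.log().e(new Object[]{entry, e});
                }
            }
            cloudflareNetworks = networks;
        }
        return networks;
    }

    /**
     * Sends a 401 response with a Basic challenge.
     *
     * @param config settings supplying realm and message; may be {@code null}, in which case
     *     the built-in defaults are used
     * @throws MException if the response body cannot be written
     */
    private void send401(InternalCallContext internalCallContext, Config config) throws MException {
        // doFilterBegin calls this with a null config when none is registered; dereferencing
        // it would turn the intended 401 into a NullPointerException.
        String realm = config == null ? DEFAULT_REALM : config.realm;
        String message = config == null ? DEFAULT_MESSAGE : config.message;
        try {
            internalCallContext.getHttpResponse().setStatus(401);
            internalCallContext.getHttpResponse().setHeader("WWW-Authenticate", "BASIC realm=\"" + realm + "\", charset=\"UTF-8\"");
            // Declare the charset that the body bytes below are encoded with.
            internalCallContext.getHttpResponse().setContentType("text/html; charset=UTF-8");
            ServletOutputStream outputStream = internalCallContext.getHttpResponse().getOutputStream();
            outputStream.write(message.getBytes(StandardCharsets.UTF_8));
            outputStream.flush();
        } catch (IOException e) {
            throw new MException(new Object[]{e});
        }
    }

    /** Nothing to do once the request has been processed. */
    public void doFilterEnd(UUID uuid, InternalCallContext internalCallContext) throws MException {
    }
}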
