package com.mulesoft.composer.connectors.http.abstraction.layer.internal.security;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.AddressMaskingException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.BlockedSubnetSSRFCheckException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.CIDRParseException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.IPNetwork;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.InvalidSchemeSSRFCheckException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.InvalidURLSSRFCheckException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.LoopbackAddressSSRFCheckException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.NetworkFormatException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.SSRFCheckException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.UndefinedURLSSRFCheckException;
import com.mulesoft.composer.connectors.http.abstraction.layer.internal.security.net.UnknownHostSSRFCheckException;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.URI;
import java.net.URL;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:com/mulesoft/composer/connectors/http/abstraction/layer/internal/security/SSRFCheck.class */
public class SSRFCheck {
    private static final String BLOCKLIST_DEFAULTS_FILE = "blocklist.txt";
    private static final String ALLOWLIST_DEFAULTS_FILE = "allowlist.txt";
    private static final String DISABLE_SSRF_PROPERTY = "DISABLE_SSRF_CHECK";
    private boolean enabled;
    private List<IPNetwork> subnets;
    private List<String> allowUrls;
    private Cache<String, SSRFCheckResult> cache;

    /* loaded from: input_file:com/mulesoft/composer/connectors/http/abstraction/layer/internal/security/SSRFCheck$Builder.class */
    public static class Builder {
        private String blocklistFilename = SSRFCheck.BLOCKLIST_DEFAULTS_FILE;
        private List<String> blockEntries = null;
        private String allowListFilename = SSRFCheck.ALLOWLIST_DEFAULTS_FILE;
        private List<String> allowEntries = null;

        List<String> loadUrlList(String str) throws NetworkFormatException {
            ArrayList arrayList = new ArrayList();
            try {
                BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(((URL) Objects.requireNonNull(SSRFCheck.class.getClassLoader().getResource(str))).openStream()));
                Throwable th = null;
                while (true) {
                    try {
                        try {
                            String readLine = bufferedReader.readLine();
                            String str2 = readLine;
                            if (readLine == null) {
                                break;
                            }
                            if (str2.indexOf(35) >= 0) {
                                str2 = str2.substring(0, str2.indexOf(35));
                            }
                            String trim = str2.trim();
                            if (!trim.equals("")) {
                                arrayList.add(trim);
                            }
                        } finally {
                        }
                    } finally {
                    }
                }
                if (bufferedReader != null) {
                    if (0 != 0) {
                        try {
                            bufferedReader.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        bufferedReader.close();
                    }
                }
                return arrayList;
            } catch (IOException e) {
                throw new NetworkFormatException("Could not load defaults: " + e.getMessage(), e);
            }
        }

        private List<String> getEntries(List<String> list, String str) throws NetworkFormatException {
            return (list != null || getClass().getClassLoader().getResource(str) == null) ? list : loadUrlList(str);
        }

        public SSRFCheck build() throws AddressMaskingException, CIDRParseException, NetworkFormatException {
            return new SSRFCheck(System.getProperty(SSRFCheck.DISABLE_SSRF_PROPERTY) == null, getEntries(this.blockEntries, this.blocklistFilename), getEntries(this.allowEntries, this.allowListFilename));
        }
    }

    private SSRFCheck(boolean z, List<String> list, List<String> list2) throws CIDRParseException, NetworkFormatException, AddressMaskingException {
        this.enabled = true;
        this.subnets = new ArrayList();
        this.allowUrls = new ArrayList();
        this.cache = CacheBuilder.newBuilder().expireAfterAccess(30L, TimeUnit.SECONDS).build();
        this.enabled = z;
        if (list != null) {
            Iterator<String> it = list.iterator();
            while (it.hasNext()) {
                this.subnets.add(new IPNetwork(it.next()));
            }
        }
        if (list2 != null) {
            Iterator<String> it2 = list2.iterator();
            while (it2.hasNext()) {
                this.allowUrls.add(it2.next());
            }
        }
    }

    private void throwIfUnsafeResult(SSRFCheckResult sSRFCheckResult) throws SSRFCheckException {
        switch (sSRFCheckResult) {
            case UNDEFINED_URL:
                throw new UndefinedURLSSRFCheckException("Undefined URL");
            case INVALID_URL:
                throw new InvalidURLSSRFCheckException("Invalid URL");
            case INVALID_SCHEME:
                throw new InvalidSchemeSSRFCheckException("Invalid HTTP scheme");
            case UNDEFINED_SCHEME:
                throw new UndefinedURLSSRFCheckException("Undefined HTTP scheme");
            case UNKNOWN_HOST:
                throw new UnknownHostSSRFCheckException("Uknown Host");
            case LOOPBACK_ADDRESS:
                throw new LoopbackAddressSSRFCheckException("Loopback not allowed");
            case BLOCKED_SUBNET:
                throw new BlockedSubnetSSRFCheckException("Not Allowed");
            default:
                return;
        }
    }

    public void throwIfUnsafe(String str) throws SSRFCheckException {
        throwIfUnsafeResult(isSafe(str));
    }

    public static SSRFCheckException toException(SSRFCheckResult sSRFCheckResult, String str) {
        switch (sSRFCheckResult) {
            case UNDEFINED_URL:
            case UNDEFINED_SCHEME:
                return new UndefinedURLSSRFCheckException(str);
            case INVALID_URL:
                return new InvalidURLSSRFCheckException(str);
            case INVALID_SCHEME:
                return new InvalidSchemeSSRFCheckException(str);
            case UNKNOWN_HOST:
                return new UnknownHostSSRFCheckException(str);
            case LOOPBACK_ADDRESS:
                return new LoopbackAddressSSRFCheckException(str);
            case BLOCKED_SUBNET:
                return new BlockedSubnetSSRFCheckException(str);
            default:
                return null;
        }
    }

    public SSRFCheckResult isSafe(String str) throws AddressMaskingException {
        if (!this.enabled) {
            return SSRFCheckResult.OK;
        }
        if (str == null) {
            return SSRFCheckResult.UNDEFINED_URL;
        }
        SSRFCheckResult sSRFCheckResult = (SSRFCheckResult) this.cache.getIfPresent(str);
        if (sSRFCheckResult != null) {
            return sSRFCheckResult;
        }
        SSRFCheckResult isSafeHelper = isSafeHelper(str);
        this.cache.put(str, isSafeHelper);
        return isSafeHelper;
    }

    private SSRFCheckResult isSafeHelper(String str) throws AddressMaskingException {
        List asList = Arrays.asList("http", "https");
        try {
            URI uri = new URI(str);
            if (uri.getScheme() == null) {
                return SSRFCheckResult.UNDEFINED_SCHEME;
            }
            if (!asList.contains(uri.getScheme())) {
                return SSRFCheckResult.INVALID_SCHEME;
            }
            try {
                InetAddress[] allByName = InetAddress.getAllByName(uri.getHost());
                if (this.allowUrls.contains(uri.getScheme() + "://" + uri.getHost() + uri.getPath())) {
                    return SSRFCheckResult.OK;
                }
                for (InetAddress inetAddress : allByName) {
                    if (inetAddress.isLoopbackAddress()) {
                        return SSRFCheckResult.LOOPBACK_ADDRESS;
                    }
                    Iterator<IPNetwork> it = this.subnets.iterator();
                    while (it.hasNext()) {
                        if (it.next().contains(inetAddress)) {
                            return SSRFCheckResult.BLOCKED_SUBNET;
                        }
                    }
                }
                return SSRFCheckResult.OK;
            } catch (UnknownHostException e) {
                return SSRFCheckResult.UNKNOWN_HOST;
            }
        } catch (Exception e2) {
            return SSRFCheckResult.INVALID_URL;
        }
    }

    public static Builder builder() {
        return new Builder();
    }
}
