package org.elasticsearch.xpack.security.transport.filter;

import io.netty.handler.ipfilter.IpFilterRule;
import io.netty.handler.ipfilter.IpFilterRuleType;
import io.netty.handler.ipfilter.IpSubnetFilterRule;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.StringJoiner;
import java.util.StringTokenizer;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.collect.Tuple;
import org.elasticsearch.common.network.InetAddresses;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.ml.job.process.autodetect.writer.RecordWriter;

/* loaded from: input_file:lib/org.elasticsearch.plugin.xpack.api-6.1.3.jar:org/elasticsearch/xpack/security/transport/filter/SecurityIpFilterRule.class */
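/**
 * An {@link IpFilterRule} that wraps a delegate rule built from a textual rule specification and
 * remembers that specification so the rule can be printed as {@code allow <spec>} or
 * {@code deny <spec>}.
 *
 * <p>A specification is one of: the single token {@code _all}; a single subnet written as
 * {@code address/prefix} or {@code address/dotted.netmask}; or a comma-separated list of addresses
 * and name patterns. See {@link #getRule(boolean, String)}.
 */
public class SecurityIpFilterRule implements IpFilterRule {
    /**
     * Rule that matches every remote address and accepts it. The constructor arguments only
     * provide the printable spec; {@code matches} and {@code ruleType} are overridden below.
     */
    public static final SecurityIpFilterRule ACCEPT_ALL = new SecurityIpFilterRule(true, "accept_all") {
        @Override
        public boolean matches(InetSocketAddress inetSocketAddress) {
            return true;
        }

        @Override
        public IpFilterRuleType ruleType() {
            return IpFilterRuleType.ACCEPT;
        }
    };

    /**
     * Rule that matches every remote address and rejects it. The {@code true} passed to the
     * constructor does not make this an allow rule: {@code ruleType} is overridden to REJECT.
     */
    public static final SecurityIpFilterRule DENY_ALL = new SecurityIpFilterRule(true, "deny_all") {
        @Override
        public boolean matches(InetSocketAddress inetSocketAddress) {
            return true;
        }

        @Override
        public IpFilterRuleType ruleType() {
            return IpFilterRuleType.REJECT;
        }
    };

    private final IpFilterRule ipFilterRule;
    private final String ruleSpec;

    /**
     * Builds a rule from a textual specification.
     *
     * @param isAllowRule {@code true} for an accept rule, {@code false} for a reject rule
     * @param ruleSpec the specification, in one of the forms accepted by {@link #getRule}
     */
    public SecurityIpFilterRule(boolean isAllowRule, String ruleSpec) {
        this.ipFilterRule = getRule(isAllowRule, ruleSpec);
        this.ruleSpec = ruleSpec;
    }

    /**
     * Builds a rule from transport addresses; the specification is the comma-separated list of
     * their formatted IP addresses.
     *
     * <p>Decompiler note: this constructor was package-private in the compiled class and is kept
     * public here only because the decompiler widened it.
     *
     * @param isAllowRule {@code true} for an accept rule, {@code false} for a reject rule
     * @param transportAddresses the addresses the rule should cover
     */
    public SecurityIpFilterRule(boolean isAllowRule, TransportAddress... transportAddresses) {
        this.ruleSpec = getRuleSpec(transportAddresses);
        this.ipFilterRule = getRule(isAllowRule, this.ruleSpec);
    }

    /** Returns {@code "allow "} or {@code "deny "} followed by the rule specification. */
    @Override
    public String toString() {
        String action = ruleType() == IpFilterRuleType.ACCEPT ? "allow " : "deny ";
        return action + this.ruleSpec;
    }

    /**
     * Splits {@code address/mask} into the address and a prefix length.
     *
     * <p>The mask is either a number (a prefix length) or a dotted IPv4 netmask. For an IPv6
     * address with a dotted netmask, 96 is added to the bit count of the mask.
     *
     * @param str the subnet in {@code address/mask} form
     * @return the address and the prefix length
     * @throws UnknownHostException if there is no {@code '/'}, the address cannot be resolved, or
     *     the mask is not usable
     * @throws IllegalArgumentException if the string ends with {@code '/'}
     * @throws NumberFormatException if an octet of a dotted netmask is not a number
     */
    static Tuple<InetAddress, Integer> parseSubnetMask(String str) throws UnknownHostException {
        int slash = str.indexOf('/');
        if (slash < 0) {
            throw new UnknownHostException("Invalid CIDR notation used: " + str);
        }
        if (slash == str.length() - 1) {
            throw new IllegalArgumentException("address must not end with a '/");
        }
        String addressPart = str.substring(0, slash);
        String maskPart = str.substring(slash + 1);
        // InetAddress.getByName resolves host names as well as literals, so a rule written with a
        // name in front of the '/' is pinned to whatever the resolver returns when the rule is built.
        InetAddress address = InetAddress.getByName(addressPart);
        int prefixLength;
        if (maskPart.indexOf('.') < 0) {
            // NOTE(review): parseInt uses Integer.decode, so "0x10" and "010" are read as hex and
            // octal prefix lengths - confirm that is intended for filter configuration.
            prefixLength = parseInt(maskPart, -1);
        } else {
            prefixLength = getNetMask(maskPart);
            // Apply the IPv6 offset only to a valid bit count; otherwise the -1 "invalid mask"
            // marker would turn into the prefix length 95 and slip past the check below.
            if (prefixLength >= 0 && address instanceof Inet6Address) {
                prefixLength += 96;
            }
        }
        if (prefixLength < 0) {
            throw new UnknownHostException("Invalid mask length used: " + maskPart);
        }
        // NOTE(review): no upper bound is enforced here; presumably IpSubnetFilterRule rejects a
        // prefix longer than the address - confirm.
        return new Tuple<>(address, Integer.valueOf(prefixLength));
    }

    /**
     * Converts a dotted IPv4 netmask such as {@code 255.255.0.0} into a prefix length.
     *
     * <p>The mask must consist of exactly four octets in the range 0-255 whose set bits are
     * contiguous from the most significant bit. Anything else returns {@code -1} instead of being
     * bit-counted, because a mask like {@code 255.0.255.0} has 16 set bits but is not a /16, and
     * treating it as one would make the filter cover a different range than the one written.
     *
     * @param str the dotted netmask
     * @return the number of leading one bits, or {@code -1} if the mask is not a valid netmask
     * @throws NumberFormatException if an octet is not a number
     */
    private static int getNetMask(String str) {
        // The decompiled source used RecordWriter.CONTROL_FIELD_NAME here, an unrelated ML constant
        // whose value is "."; the literal is spelled out so this parser has no such dependency.
        StringTokenizer octets = new StringTokenizer(str, ".");
        if (octets.countTokens() != 4) {
            // More than four tokens previously overran the octet array.
            return -1;
        }
        int mask = 0;
        while (octets.hasMoreTokens()) {
            int octet = Integer.parseInt(octets.nextToken());
            if (octet < 0 || octet > 255) {
                return -1;
            }
            mask = (mask << 8) | octet;
        }
        // For a contiguous mask the inverted value has the form 0...01...1, so adding one
        // clears every bit it shares with itself.
        int hostBits = ~mask;
        if ((hostBits & (hostBits + 1)) != 0) {
            return -1;
        }
        return Integer.bitCount(mask);
    }

    /**
     * Decodes {@code str} with {@link Integer#decode(String)}.
     *
     * @param str the text to decode, may be {@code null}
     * @param i the value to return when {@code str} is {@code null} or cannot be decoded
     * @return the decoded value, or {@code i}
     */
    private static int parseInt(String str, int i) {
        if (str == null) {
            return i;
        }
        try {
            return Integer.decode(str).intValue();
        } catch (Exception e) {
            // Deliberate: any undecodable value maps to the caller's default, which
            // parseSubnetMask then reports as an invalid mask length.
            return i;
        }
    }

    /**
     * Builds the delegate rule for a specification.
     *
     * <ul>
     *   <li>{@code _all} on its own yields {@link #ACCEPT_ALL} or {@link #DENY_ALL}.
     *   <li>A specification containing {@code '/'} must be a single subnet and yields an
     *       {@link IpSubnetFilterRule}.
     *   <li>Otherwise each comma-separated entry is passed to a {@code PatternRule}, prefixed with
     *       {@code i:} and normalised when it is an IP literal, or with {@code n:} and left as
     *       written when it is not.
     * </ul>
     *
     * @param z {@code true} for an accept rule, {@code false} for a reject rule
     * @param str the rule specification
     * @return the rule that performs the matching
     * @throws IllegalArgumentException if {@code _all} or a subnet is combined with other entries
     * @throws ElasticsearchException if the subnet cannot be parsed
     */
    static IpFilterRule getRule(boolean z, String str) {
        IpFilterRuleType ruleType = z ? IpFilterRuleType.ACCEPT : IpFilterRuleType.REJECT;
        String[] entries = str.split(",");
        // The decompiled lambda referred to an undefined variable; the captured value is "_all".
        if (Arrays.stream(entries).anyMatch("_all"::equals)) {
            if (entries.length != 1) {
                throw new IllegalArgumentException("rules that specify _all may not have other values!");
            }
            return z ? ACCEPT_ALL : DENY_ALL;
        }
        if (str.contains("/")) {
            if (entries.length != 1) {
                throw new IllegalArgumentException("multiple subnet filters cannot be specified in a single rule!");
            }
            try {
                Tuple<InetAddress, Integer> subnet = parseSubnetMask(str);
                return new IpSubnetFilterRule(subnet.v1(), subnet.v2().intValue(), ruleType);
            } catch (UnknownHostException e) {
                throw new ElasticsearchException("unable to create ip filter for rule [" + (z ? "allow " : "deny ") + " " + str + "]", e, new Object[0]);
            }
        }
        StringJoiner patterns = new StringJoiner(",");
        for (String entry : entries) {
            if (InetAddresses.isInetAddress(entry)) {
                patterns.add("i:" + NetworkAddress.format(InetAddresses.forString(entry)));
            } else {
                patterns.add("n:" + entry);
            }
        }
        return new PatternRule(ruleType, patterns.toString());
    }

    /**
     * Formats the IP address of each transport address and joins them with commas.
     *
     * @param transportAddressArr the addresses to format
     * @return the comma-separated specification; empty when no addresses are given
     */
    static String getRuleSpec(TransportAddress... transportAddressArr) {
        StringJoiner spec = new StringJoiner(",");
        for (TransportAddress transportAddress : transportAddressArr) {
            spec.add(NetworkAddress.format(transportAddress.address().getAddress()));
        }
        return spec.toString();
    }

    /** Delegates the match decision to the wrapped rule. */
    @Override
    public boolean matches(InetSocketAddress inetSocketAddress) {
        return this.ipFilterRule.matches(inetSocketAddress);
    }

    /** Returns the rule type (accept or reject) of the wrapped rule. */
    @Override
    public IpFilterRuleType ruleType() {
        return this.ipFilterRule.ruleType();
    }
}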
