package ai.traceable.agent.filter.opa.evaluator;

import ai.traceable.agent.filter.opa.data.EvaluatorResult;
import ai.traceable.agent.filter.opa.helper.IpAddressMatcher;
import ai.traceable.javaagent.shaded.platform.opa.v1.Status;
import ai.traceable.javaagent.shaded.platform.opa.v1.data.BlockingData;
import ai.traceable.javaagent.shaded.platform.opa.v1.data.BlockingInfo;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:inst/ai/traceable/agent/filter/opa/evaluator/IpAddressPolicyEvaluator.classdata */
public class IpAddressPolicyEvaluator {
    public static final String HTTP_X_REAL_IP_KEY = "http.request.header.x-real-ip";
    public static final String HTTP_X_FORWARDED_FOR_KEY = "http.request.header.x-forwarded-for";
    public static final String HTTP_X_PROXYUSER_IP_KEY = "http.request.header.x-proxyuser-ip";
    public static final String HTTP_FORWARDED_KEY = "http.request.header.forwarded";
    public static final String RPC_X_REAL_IP_KEY = "rpc.request.metadata.x-real-ip";
    public static final String RPC_X_FORWARDED_FOR_KEY = "rpc.request.metadata.x-forwarded-for";
    public static final String RPC_X_PROXYUSER_IP_KEY = "rpc.request.metadata.x-proxyuser-ip";
    public static final String RPC_FORWARDED_KEY = "rpc.request.metadata.forwarded";
    public static final String PROXY_CLIENT_KEY = "proxy.client.addr";
    public static final String NET_PEER_IP_KEY = "net.peer.ip";

    public EvaluatorResult allow(BlockingData blockingData, Map<String, String> map) {
        if (blockingData == null) {
            return new EvaluatorResult(true, new ArrayList(), new ArrayList());
        }
        long currentTimeMillis = System.currentTimeMillis();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        extractIpsFromAttributes(map).forEach(str -> {
            evaluate(str, blockingData, currentTimeMillis, arrayList, arrayList2);
        });
        return new EvaluatorResult(!arrayList.isEmpty() || arrayList2.isEmpty(), arrayList, arrayList2);
    }

    private Set<String> extractIpsFromAttributes(Map<String, String> map) {
        HashSet hashSet = new HashSet();
        extractIps(map, hashSet, HTTP_X_REAL_IP_KEY);
        extractIps(map, hashSet, HTTP_X_PROXYUSER_IP_KEY);
        extractIps(map, hashSet, RPC_X_REAL_IP_KEY);
        extractIps(map, hashSet, RPC_X_PROXYUSER_IP_KEY);
        extractIps(map, hashSet, PROXY_CLIENT_KEY);
        extractIps(map, hashSet, NET_PEER_IP_KEY);
        extractXForwardedForIps(map, hashSet, HTTP_X_FORWARDED_FOR_KEY);
        extractXForwardedForIps(map, hashSet, RPC_X_FORWARDED_FOR_KEY);
        extractForwardedIps(map, hashSet, HTTP_FORWARDED_KEY);
        extractForwardedIps(map, hashSet, RPC_FORWARDED_KEY);
        return hashSet;
    }

    private void evaluate(String str, BlockingData blockingData, long j, List<EvaluatorResult.ExemptionDetails> list, List<EvaluatorResult.ViolationDetails> list2) {
        Iterator<BlockingInfo> it = blockingData.getAllowList().iterator();
        while (it.hasNext()) {
            evaluateAllowList(str, it.next(), list);
        }
        Iterator<BlockingInfo> it2 = blockingData.getSnoozedList().iterator();
        while (it2.hasNext()) {
            evaluateSnoozedList(str, it2.next(), list, j);
        }
        Iterator<BlockingInfo> it3 = blockingData.getDenyList().iterator();
        while (it3.hasNext()) {
            evaluateDenyList(str, it3.next(), list2);
        }
        Iterator<BlockingInfo> it4 = blockingData.getSuspendedList().iterator();
        while (it4.hasNext()) {
            evaluateSuspendedList(str, it4.next(), list2, j);
        }
    }

    private void evaluateAllowList(String str, BlockingInfo blockingInfo, List<EvaluatorResult.ExemptionDetails> list) {
        if (blockingInfo.getIpAddresses() == null || !blockingInfo.getIpAddresses().contains(str)) {
            return;
        }
        list.add(new EvaluatorResult.ExemptionDetails(blockingInfo.getInfo(), blockingInfo.getCategory(), Status.ALLOWED));
    }

    private void evaluateSnoozedList(String str, BlockingInfo blockingInfo, List<EvaluatorResult.ExemptionDetails> list, long j) {
        if (blockingInfo.getExpiry() <= j || blockingInfo.getIpAddresses() == null || !blockingInfo.getIpAddresses().contains(str)) {
            return;
        }
        list.add(new EvaluatorResult.ExemptionDetails(blockingInfo.getInfo(), blockingInfo.getCategory(), Status.SNOOZED));
    }

    private void evaluateDenyList(String str, BlockingInfo blockingInfo, List<EvaluatorResult.ViolationDetails> list) {
        if (blockingInfo.getIpAddresses() != null && blockingInfo.getIpAddresses().contains(str)) {
            list.add(new EvaluatorResult.ViolationDetails(blockingInfo.getInfo(), blockingInfo.getCategory(), Status.DENIED));
            return;
        }
        if (blockingInfo.getIpRanges() != null) {
            Iterator<String> it = blockingInfo.getIpRanges().iterator();
            while (it.hasNext()) {
                if (IpAddressMatcher.matches(str, it.next())) {
                    list.add(new EvaluatorResult.ViolationDetails(blockingInfo.getInfo(), blockingInfo.getCategory(), Status.DENIED));
                    return;
                }
            }
        }
    }

    private void evaluateSuspendedList(String str, BlockingInfo blockingInfo, List<EvaluatorResult.ViolationDetails> list, long j) {
        if (blockingInfo.getExpiry() > j) {
            if (blockingInfo.getIpAddresses() != null && blockingInfo.getIpAddresses().contains(str)) {
                list.add(new EvaluatorResult.ViolationDetails(blockingInfo.getInfo(), blockingInfo.getCategory(), Status.SUSPENDED));
                return;
            }
            if (blockingInfo.getIpRanges() != null) {
                Iterator<String> it = blockingInfo.getIpRanges().iterator();
                while (it.hasNext()) {
                    if (IpAddressMatcher.matches(str, it.next())) {
                        list.add(new EvaluatorResult.ViolationDetails(blockingInfo.getInfo(), blockingInfo.getCategory(), Status.SUSPENDED));
                        return;
                    }
                }
            }
        }
    }

    void extractXForwardedForIps(Map<String, String> map, Set<String> set, String str) {
        String str2 = map.get(str);
        String trim = (str2 == null || str2.isEmpty()) ? "" : str2.split(",")[0].trim();
        if (trim.isEmpty()) {
            return;
        }
        set.add(trim);
    }

    void extractForwardedIps(Map<String, String> map, Set<String> set, String str) {
        String str2 = map.get(str);
        if (str2 == null || str2.isEmpty()) {
            return;
        }
        for (String str3 : str2.split(";")) {
            String[] split = str3.split("=");
            if (split.length > 1 && split[0].equals("for")) {
                String trim = split[1].trim();
                if (!trim.isEmpty()) {
                    set.add(trim);
                }
            }
        }
    }

    void extractIps(Map<String, String> map, Set<String> set, String str) {
        String str2 = map.get(str);
        if (str2 != null) {
            String trim = str2.trim();
            if (trim.isEmpty()) {
                return;
            }
            set.add(trim);
        }
    }
}
