package org.apache.ranger.plugin.conditionevaluator;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;

/* loaded from: input_file:org/apache/ranger/plugin/conditionevaluator/RangerIpMatcher.class */
public class RangerIpMatcher extends RangerAbstractConditionEvaluator {
    private List<String> _exactIps = new ArrayList();
    private List<String> _wildCardIps = new ArrayList();
    private boolean _allowAny;
    private static final Log LOG = LogFactory.getLog(RangerIpMatcher.class);
    static final Pattern allWildcards = Pattern.compile("^((\\*(\\.\\*)*)|(\\*(:\\*)*))$");
    static final Pattern trailingWildcardsIp4 = Pattern.compile("(\\.\\*)+$");
    static final Pattern trailingWildcardsIp6 = Pattern.compile("(:\\*)+$");

    @Override // org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator, org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator
    public void init() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerIpMatcher.init(" + this.condition + ")");
        }
        super.init();
        if (this.condition == null) {
            LOG.debug("init: null policy condition! Will match always!");
            this._allowAny = true;
        } else if (CollectionUtils.isEmpty(this.condition.getValues())) {
            LOG.debug("init: empty conditions collection on policy condition!  Will match always!");
            this._allowAny = true;
        } else if (this.condition.getValues().contains("*")) {
            this._allowAny = true;
            LOG.debug("init: wildcard value found.  Will match always.");
        } else {
            for (String str : this.condition.getValues()) {
                String digestPolicyIp = digestPolicyIp(str);
                if (digestPolicyIp.isEmpty()) {
                    LOG.debug("init: digested ip was empty! Will match always");
                    this._allowAny = true;
                } else if (digestPolicyIp.equals(str)) {
                    this._exactIps.add(str);
                } else {
                    this._wildCardIps.add(digestPolicyIp);
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerIpMatcher.init(" + this.condition + "): exact-ips[" + this._exactIps + "], wildcard-ips[" + this._wildCardIps + "]");
        }
    }

    @Override // org.apache.ranger.plugin.conditionevaluator.RangerConditionEvaluator
    public boolean isMatched(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerIpMatcher.isMatched(" + rangerAccessRequest + ")");
        }
        boolean z = true;
        if (this._allowAny) {
            LOG.debug("isMatched: allowAny flag is true.  Matched!");
        } else {
            String extractIp = extractIp(rangerAccessRequest);
            if (extractIp == null) {
                LOG.debug("isMatched: couldn't get ip address from request.  Ok.  Implicitly matched!");
            } else {
                z = isWildcardMatched(this._wildCardIps, extractIp) || isExactlyMatched(this._exactIps, extractIp);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerIpMatcher.isMatched(" + rangerAccessRequest + "): " + z);
        }
        return z;
    }

    String digestPolicyIp(String str) {
        String replaceFirst;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerIpMatcher.digestPolicyIp(" + str + ")");
        }
        if (allWildcards.matcher(str).matches()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("digestPolicyIp: policyIP[" + str + "] all wildcards.");
            }
            replaceFirst = "";
        } else {
            replaceFirst = str.contains(".") ? trailingWildcardsIp4.matcher(str).replaceFirst(".") : trailingWildcardsIp6.matcher(str).replaceFirst(":").toLowerCase();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerIpMatcher.digestPolicyIp(" + str + "): " + str);
        }
        return replaceFirst;
    }

    boolean isWildcardMatched(List<String> list, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerIpMatcher.isWildcardMatched(" + list + ", " + str + ")");
        }
        boolean z = false;
        Iterator<String> it = list.iterator();
        while (it.hasNext() && !z) {
            String next = it.next();
            if (str.contains(".") && str.startsWith(next)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Wildcard Policy IP[" + next + "] matches request IPv4[" + str + "].");
                }
                z = true;
            } else if (str.toLowerCase().startsWith(next)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Wildcard Policy IP[" + next + "] matches request IPv6[" + str + "].");
                }
                z = true;
            } else {
                LOG.debug("Wildcard policy IP[" + next + "] did not match request IP[" + str + "].");
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerIpMatcher.isWildcardMatched(" + list + ", " + str + "): " + z);
        }
        return z;
    }

    boolean isExactlyMatched(List<String> list, String str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerIpMatcher.isExactlyMatched(" + list + ", " + str + ")");
        }
        boolean contains = str.contains(".") ? list.contains(str) : list.contains(str.toLowerCase());
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerIpMatcher.isExactlyMatched(" + list + ", " + str + "): " + contains);
        }
        return contains;
    }

    String extractIp(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerIpMatcher.extractIp(" + rangerAccessRequest + ")");
        }
        String str = null;
        if (rangerAccessRequest == null) {
            LOG.debug("isMatched: Unexpected: null request object!");
        } else {
            str = rangerAccessRequest.getClientIPAddress();
            if (str == null) {
                LOG.debug("isMatched: Unexpected: Client ip in request object is null!");
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerIpMatcher.extractIp(" + rangerAccessRequest + "): " + str);
        }
        return str;
    }
}
