package org.geogig.geoserver.security;

import com.google.common.base.Optional;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.geogig.geoserver.config.ConfigStore;
import org.geogig.geoserver.config.WhitelistRule;
import org.geoserver.platform.GeoServerExtensions;
import org.locationtech.geogig.hooks.CannotRunGeogigOperationException;
import org.locationtech.geogig.hooks.CommandHook;
import org.locationtech.geogig.remotes.CloneOp;
import org.locationtech.geogig.remotes.FetchOp;
import org.locationtech.geogig.remotes.LsRemoteOp;
import org.locationtech.geogig.remotes.PushOp;
import org.locationtech.geogig.repository.AbstractGeoGigOp;
import org.locationtech.geogig.repository.Remote;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

/* loaded from: input_file:org/geogig/geoserver/security/NetworkSecurityHook.class */
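/**
 * Command hook that checks the remote URL of network-facing GeoGig operations against the
 * white list held by the {@code geogigConfigStore} bean before the operation runs.
 *
 * <p>The hook applies to {@link LsRemoteOp}, {@link CloneOp}, {@link FetchOp} and {@link PushOp}.
 * A remote is accepted as soon as one white list rule does not block it. An empty white list
 * disables the check entirely, so every remote is accepted in that configuration.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code file} URLs and strings that {@link URL} cannot parse are never blocked (see
 *       {@link #ruleBlocks}); the white list therefore only constrains URLs whose scheme the JVM
 *       has a handler for.
 *   <li>A rule whose IP/CIDR comparison cannot be evaluated is treated as non-matching, so it can
 *       never be the rule that lets a remote through.
 * </ul>
 */
public final class NetworkSecurityHook implements CommandHook {
    /** Matches a rule pattern that looks like an IPv4/IPv6 address, optionally with a CIDR prefix length. */
    private static final Pattern IP_ADDRESS_OR_CIDR_RANGE = Pattern.compile("^(([:\\p{XDigit}]+)|([\\d\\.]+))(/\\d+)?$");

    /** Rule prefix that turns the remainder of the pattern into a host-name suffix match. */
    private static final String WILDCARD_PREFIX = "[.*]";

    /**
     * Validates the remote URL(s) of the command before it executes.
     *
     * @param c the command about to run
     * @return the same command instance, unchanged
     * @throws CannotRunGeogigOperationException if a remote is rejected by every white list rule,
     *     or if the white list cannot be loaded
     */
    public <C extends AbstractGeoGigOp<?>> C pre(C c) throws CannotRunGeogigOperationException {
        if (c instanceof LsRemoteOp) {
            Optional<?> remote = ((LsRemoteOp) c).getRemote();
            if (remote.isPresent()) {
                checkRestricted(((Remote) remote.get()).getFetchURL());
            }
        } else if (c instanceof CloneOp) {
            URI remoteURI = ((CloneOp) c).getRemoteURI();
            if (remoteURI != null) {
                checkRestricted(remoteURI.toString());
            }
        } else if (c instanceof FetchOp) {
            // Every configured remote must pass; the first rejected one aborts the fetch.
            for (Object remote : ((FetchOp) c).getRemotes()) {
                checkRestricted(((Remote) remote).getFetchURL());
            }
        } else if (c instanceof PushOp) {
            Optional<?> remote = ((PushOp) c).getRemote();
            if (remote.isPresent()) {
                // Push is validated against the push URL, not the fetch URL.
                checkRestricted(((Remote) remote.get()).getPushURL());
            }
        }
        return c;
    }

    /**
     * No-op post hook: hands the command's return value back untouched.
     *
     * @param abstractGeoGigOp the command that ran (unused)
     * @param obj the value the command returned
     * @param runtimeException the exception the command threw, if any (unused)
     * @return {@code obj}, cast to the command's result type
     */
    @SuppressWarnings("unchecked") // obj is the result of abstractGeoGigOp, typed T by the hook contract
    public <T> T post(AbstractGeoGigOp<T> abstractGeoGigOp, Object obj, RuntimeException runtimeException) throws Exception {
        return (T) obj;
    }

    /**
     * Tells whether this hook must run for the given command class.
     *
     * @param cls the command class
     * @return {@code true} only for exactly {@link LsRemoteOp}, {@link CloneOp}, {@link FetchOp}
     *     or {@link PushOp}; subclasses of these are not covered by the equality check
     */
    public boolean appliesTo(Class<? extends AbstractGeoGigOp<?>> cls) {
        return LsRemoteOp.class.equals(cls) || CloneOp.class.equals(cls) || FetchOp.class.equals(cls) || PushOp.class.equals(cls);
    }

    /**
     * Rejects the remote unless at least one white list rule lets it through.
     *
     * @param str the remote URL as configured on the command
     * @throws CannotRunGeogigOperationException if every rule blocks the remote, or the white
     *     list cannot be read
     */
    private void checkRestricted(String str) throws CannotRunGeogigOperationException {
        try {
            List<WhitelistRule> whitelist = ((ConfigStore) GeoServerExtensions.bean("geogigConfigStore")).getWhitelist();
            if (whitelist.isEmpty()) {
                // No rules configured means no restriction: every remote is accepted.
                return;
            }
            for (WhitelistRule rule : whitelist) {
                if (!ruleBlocks(rule, str)) {
                    return;
                }
            }
            // NOTE(review): the message echoes the remote URL verbatim and lists every rule. If
            // remote URLs may carry credentials in their userinfo part, or if this message
            // reaches API clients, consider redacting it — confirm where it ends up.
            throw new CannotRunGeogigOperationException(String.format("Remote %s does not pass any white list rule: %s", str, new ArrayList<>(whitelist)));
        } catch (IOException e) {
            // Failing to load the white list stops the operation rather than skipping the check.
            throw new CannotRunGeogigOperationException("Unable to obtain the remotes white list: " + e.getMessage(), e);
        }
    }

    /**
     * Decides whether a single rule blocks the remote.
     *
     * @param whitelistRule the rule to evaluate
     * @param str the remote URL
     * @return {@code true} if this rule does not permit the remote, {@code false} if it does
     */
    private boolean ruleBlocks(WhitelistRule whitelistRule, String str) {
        final URL url;
        try {
            url = new URL(str);
        } catch (MalformedURLException e) {
            // NOTE(review): fail-open. Anything java.net.URL cannot parse (plain paths, but also
            // any scheme without a registered handler) is accepted by every rule. Kept as is
            // because local remotes presumably rely on it — confirm that no network-capable
            // scheme reaches this branch.
            return false;
        }
        String host = url.getHost();
        String protocol = url.getProtocol();
        if (host == null || protocol == null || protocol.equals("file")) {
            // file: remotes are never restricted by the white list.
            return false;
        }
        if (whitelistRule.isRequireSSL() && !protocol.equals("https")) {
            return true;
        }
        String pattern = whitelistRule.getPattern();
        if (pattern.startsWith(WILDCARD_PREFIX)) {
            String suffix = pattern.substring(WILDCARD_PREFIX.length());
            // Host names are case-insensitive, so compare the suffix the same way the exact
            // match below does.
            // NOTE(review): this is a plain suffix test with no label boundary, so a rule
            // "[.*]example.com" also accepts "notexample.com". Rules should be written with the
            // leading dot ("[.*].example.com"), or a boundary check added here.
            return !host.regionMatches(true, host.length() - suffix.length(), suffix, 0, suffix.length());
        }
        Matcher matcher = IP_ADDRESS_OR_CIDR_RANGE.matcher(pattern);
        if (!matcher.matches()) {
            // Not an IP/CIDR rule: exact, case-insensitive host name match.
            return !host.equalsIgnoreCase(pattern);
        }
        // URL.getHost() keeps the brackets around an IPv6 literal; strip them for the matcher.
        String address = (host.startsWith("[") && host.endsWith("]")) ? host.substring(1, host.length() - 1) : host;
        try {
            // NOTE(review): when the host is a DNS name rather than an IP literal, how
            // IpAddressMatcher treats it depends on the Spring Security version — confirm.
            return !new IpAddressMatcher(pattern).matches(address);
        } catch (IllegalArgumentException e) {
            // Fail closed: a rule or host the matcher cannot evaluate is not a match. Returning
            // false here would let an unparsable rule accept every remote.
            return true;
        }
    }
}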
