package org.yamcs.security;

import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.ipfilter.IpFilterRule;
import io.netty.handler.ipfilter.IpFilterRuleType;
import io.netty.handler.ipfilter.IpSubnetFilterRule;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.yamcs.InitException;
import org.yamcs.Spec;
import org.yamcs.YConfiguration;

/* loaded from: input_file:org/yamcs/security/IPAddressAuthModule.class */
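/**
 * Auth module that identifies a request only by the network address of its peer.
 *
 * <p>Any connection whose remote address matches one of the configured {@code address} entries is
 * authenticated as the single configured {@code username}, with the configured {@code superuser}
 * flag and {@code privileges}. This class checks no credential of any kind.
 *
 * <p>The address that is tested is the channel's remote address, i.e. the direct peer of the
 * socket. NOTE(review): when the server is reached through a reverse proxy, load balancer or NAT,
 * that peer is the intermediary, so listing its address gives this identity to every client behind
 * it. Confirm the deployment topology before enabling this module, keep the listed ranges as
 * narrow as possible, and prefer leaving {@code superuser} off.
 */
public class IPAddressAuthModule extends AbstractHttpRequestAuthModule {
    protected static final String OPTION_ADDRESS = "address";
    protected static final String OPTION_USERNAME = "username";
    protected static final String OPTION_NAME = "name";
    protected static final String OPTION_EMAIL = "email";
    protected static final String OPTION_SUPERUSER = "superuser";
    protected static final String OPTION_PRIVILEGES = "privileges";

    // Allow-list built once by init(); every rule in it is of type ACCEPT.
    private final List<IpFilterRule> rules = new ArrayList<>();
    // Identity handed to every accepted peer.
    private AuthenticationInfo authenticationInfo;
    // Privileges attached to that identity.
    private AuthorizationInfo authorizationInfo;

    /**
     * Declares the configuration options of this module.
     *
     * @return a spec in which {@code address} and {@code username} are required, {@code superuser}
     *         defaults to {@code false}, and {@code name}, {@code email} and {@code privileges}
     *         are optional
     */
    @Override // org.yamcs.security.AuthModule
    public Spec getSpec() {
        Spec spec = new Spec();
        spec.addOption(OPTION_ADDRESS, Spec.OptionType.LIST_OR_ELEMENT)
                .withElementType(Spec.OptionType.STRING)
                .withRequired(true);
        spec.addOption(OPTION_USERNAME, Spec.OptionType.STRING).withRequired(true);
        spec.addOption(OPTION_NAME, Spec.OptionType.STRING);
        spec.addOption(OPTION_EMAIL, Spec.OptionType.STRING);
        spec.addOption(OPTION_SUPERUSER, Spec.OptionType.BOOLEAN).withDefault(false);
        spec.addOption(OPTION_PRIVILEGES, Spec.OptionType.ANY);
        return spec;
    }

    /**
     * Builds the fixed identity, its privileges and the address allow-list from configuration.
     *
     * <p>Each {@code address} entry is either a single address or {@code address/prefixLength}.
     * Entries are parsed with {@link InetAddress#getByName(String)}, which also accepts host names
     * and resolves them; a host name is therefore resolved once, here, and the allow-list keeps
     * the address obtained at that moment.
     *
     * @param yConfiguration the module configuration, expected to satisfy {@link #getSpec()}
     * @throws InitException if an address entry cannot be resolved or is malformed (more than one
     *         {@code /}, a missing or non-numeric prefix length, or a prefix length the rule
     *         constructor rejects)
     */
    @Override // org.yamcs.security.AuthModule
    public void init(YConfiguration yConfiguration) throws InitException {
        this.authenticationInfo = new AuthenticationInfo(this, yConfiguration.getString(OPTION_USERNAME));
        this.authenticationInfo.setDisplayName(yConfiguration.getString(OPTION_NAME, (String) null));
        this.authenticationInfo.setEmail(yConfiguration.getString(OPTION_EMAIL, (String) null));

        this.authorizationInfo = new AuthorizationInfo();
        if (yConfiguration.getBoolean(OPTION_SUPERUSER)) {
            this.authorizationInfo.grantSuperuser();
        }
        if (yConfiguration.containsKey(OPTION_PRIVILEGES)) {
            loadPrivileges(yConfiguration.getConfig(OPTION_PRIVILEGES));
        }

        List<String> addresses = yConfiguration.getList(OPTION_ADDRESS);
        for (String entry : addresses) {
            try {
                this.rules.add(toRule(entry));
            } catch (UnknownHostException | IllegalArgumentException e) {
                // A bad allow-list entry is a configuration error: report it through the declared
                // InitException instead of letting an unchecked exception escape from startup.
                throw new InitException(e);
            }
        }
    }

    /**
     * Copies the configured privileges into {@link #authorizationInfo}. Values under the key
     * {@code System} become system privileges; values under any other key become object
     * privileges of the type named by that key.
     */
    private void loadPrivileges(YConfiguration privileges) {
        for (String type : privileges.getKeys()) {
            List<String> values = privileges.getList(type);
            if (type.equals("System")) {
                for (String value : values) {
                    this.authorizationInfo.addSystemPrivilege(new SystemPrivilege(value));
                }
            } else {
                ObjectPrivilegeType objectPrivilegeType = new ObjectPrivilegeType(type);
                for (String value : values) {
                    this.authorizationInfo.addObjectPrivilege(new ObjectPrivilege(objectPrivilegeType, value));
                }
            }
        }
    }

    /**
     * Turns one configured entry into an ACCEPT rule.
     *
     * @throws UnknownHostException if the address part cannot be resolved
     * @throws IllegalArgumentException if the entry is not {@code address} or
     *         {@code address/prefixLength} with a numeric prefix length
     */
    private static IpFilterRule toRule(String entry) throws UnknownHostException {
        if (entry.indexOf('/') > 0) {
            String[] parts = entry.split("/");
            // Exactly two parts: "10.0.0.0/" and "10.0.0.0/8/x" are rejected rather than guessed at.
            if (parts.length != 2) {
                throw new IllegalArgumentException("Invalid address entry '" + entry + "'");
            }
            return new IpSubnetFilterRule(InetAddress.getByName(parts[0]), Integer.parseInt(parts[1]),
                    IpFilterRuleType.ACCEPT);
        }
        InetAddress address = InetAddress.getByName(entry);
        if (address instanceof Inet4Address) {
            // A bare IPv4 address is a /32: it matches that one host only.
            return new IpSubnetFilterRule(address, 32, IpFilterRuleType.ACCEPT);
        }
        if (address instanceof Inet6Address) {
            // A bare IPv6 address is a /128.
            return new IpSubnetFilterRule(address, 128, IpFilterRuleType.ACCEPT);
        }
        throw new IllegalArgumentException("Only IPv4 and IPv6 addresses are supported");
    }

    /**
     * Tells whether this module wants to authenticate the request.
     *
     * @return {@code true} when the channel's remote address matches the allow-list; the HTTP
     *         request itself is not inspected
     */
    @Override // org.yamcs.security.AbstractHttpRequestAuthModule
    public boolean handles(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) {
        return accept(channelHandlerContext.channel().remoteAddress());
    }

    /**
     * Returns the configured identity for an allow-listed peer.
     *
     * @return the fixed {@link AuthenticationInfo} when the channel's remote address matches the
     *         allow-list, otherwise {@code null}
     */
    @Override // org.yamcs.security.AbstractHttpRequestAuthModule
    public AuthenticationInfo getAuthenticationInfo(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws AuthenticationException {
        if (accept(channelHandlerContext.channel().remoteAddress())) {
            return this.authenticationInfo;
        }
        return null;
    }

    /**
     * Returns the configured privileges when the given identity carries the configured username,
     * and an empty {@link AuthorizationInfo} otherwise.
     *
     * <p>NOTE(review): the match is on the username alone. Whether an identity established by a
     * different auth module under the same username can reach this method depends on the caller,
     * which is not visible in this file — confirm, in particular when {@code superuser} is set.
     */
    @Override // org.yamcs.security.AuthModule
    public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo) throws AuthorizationException {
        String configuredUsername = this.authenticationInfo.getUsername();
        if (authenticationInfo.getUsername().equals(configuredUsername)) {
            return this.authorizationInfo;
        }
        return new AuthorizationInfo();
    }

    /**
     * Reports whether a previously issued identity is still valid.
     *
     * <p>NOTE(review): the argument is compared with itself, so the result depends only on the
     * argument's own {@code equals} and never on this module's state; nothing here can invalidate
     * an identity once it was issued. The comparison was presumably meant to be against
     * {@code this.authenticationInfo}. The expression is left as it was because
     * {@code AuthenticationInfo.equals} is not visible in this file — confirm its semantics
     * before changing it.
     */
    @Override // org.yamcs.security.AuthModule
    public boolean verifyValidity(AuthenticationInfo authenticationInfo) {
        return authenticationInfo.equals(authenticationInfo);
    }

    /**
     * Fail-closed front for {@link #accept(InetSocketAddress)}: a remote address that is absent or
     * is not an IP socket address can never match an IP allow-list, so it is refused instead of
     * being cast.
     */
    private boolean accept(Object remoteAddress) {
        if (!(remoteAddress instanceof InetSocketAddress)) {
            return false;
        }
        return accept((InetSocketAddress) remoteAddress);
    }

    /**
     * Evaluates the allow-list. The first rule that matches decides; with no matching rule the
     * address is refused.
     */
    private boolean accept(InetSocketAddress inetSocketAddress) {
        for (IpFilterRule ipFilterRule : this.rules) {
            if (ipFilterRule.matches(inetSocketAddress)) {
                return ipFilterRule.ruleType() == IpFilterRuleType.ACCEPT;
            }
        }
        return false;
    }
}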
