package com.predic8.membrane.core.graphql;

import com.google.common.collect.Lists;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Request;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.session.SessionManager;
import com.predic8.membrane.core.util.TextUtil;
import java.security.InvalidParameterException;
import java.util.Arrays;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

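@MCElement(name = "graphQLProtection")
public class GraphQLProtectionInterceptor extends AbstractInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(GraphQLProtectionInterceptor.class);

    // Whether a request may carry the GraphQL "extensions" member; enforced by the validator.
    private boolean allowExtensions = false;
    // HTTP methods a GraphQL request may use. setAllowedMethods() only ever admits GET and POST.
    private List<String> allowedMethods = Arrays.asList(Request.METHOD_GET, Request.METHOD_POST);
    // Maximum nested repetitions of the same word in a query (see getLongDescription()).
    private int maxRecursion = 3;
    // Maximum number of nested query levels (see getLongDescription()).
    private int maxDepth = 7;
    // Mutation limit handed to the validator; its exact semantics are defined there, not here.
    private int maxMutations = 5;
    // Built in init() from the configured limits; null until then.
    private GraphQLoverHttpValidator validator;

    public GraphQLProtectionInterceptor() {
        this.name = "GraphQL protection";
    }

    /**
     * Builds the validator from the configured limits. Must run after all
     * {@code @MCAttribute} setters, since later setter calls are not picked up
     * by an already constructed validator.
     */
    @Override
    public void init() throws Exception {
        super.init();
        this.validator = new GraphQLoverHttpValidator(this.allowExtensions, this.allowedMethods,
                this.maxRecursion, this.maxDepth, this.maxMutations, this.router);
    }

    /**
     * Validates the request and lets it continue only if the validator accepts it.
     *
     * @return {@link Outcome#CONTINUE} for a well-formed request, {@link Outcome#RETURN}
     *         after an error response has been set on the exchange
     * @throws IllegalStateException if {@link #init()} has not run yet (fail closed
     *         rather than silently passing unchecked traffic)
     */
    @Override
    public Outcome handleRequest(Exchange exchange) throws Exception {
        if (this.validator == null) {
            throw new IllegalStateException("GraphQLProtectionInterceptor.init() must be called before handling requests.");
        }
        try {
            this.validator.validate(exchange);
            return Outcome.CONTINUE;
        } catch (GraphQLOverHttpValidationException e) {
            return error(exchange, e);
        }
    }

    /**
     * Sets an error response on the exchange and stops the interceptor chain.
     * The status code comes from the exception; {@code badRequest()} only supplies the default.
     */
    private Outcome error(Exchange exchange, GraphQLOverHttpValidationException e) {
        LOG.warn("Rejected GraphQL request: {}", e.getMessage());
        exchange.setResponse(Response.badRequest().status(e.getStatusCode()).build());
        return Outcome.RETURN;
    }

    @MCAttribute
    public void setMaxMutations(int i) {
        this.maxMutations = i;
    }

    public int getMaxMutations() {
        return this.maxMutations;
    }

    @MCAttribute
    public void setAllowExtensions(boolean z) {
        this.allowExtensions = z;
    }

    public boolean isAllowExtensions() {
        return this.allowExtensions;
    }

    /** Returns the allowed methods joined with the same separator {@link #setAllowedMethods} splits on. */
    public String getAllowedMethods() {
        return String.join(SessionManager.SESSION_VALUE_SEPARATOR, this.allowedMethods);
    }

    /**
     * Configures the allowed HTTP methods from a separator-delimited string.
     * Every entry is validated before the field is touched, so a rejected value
     * leaves the previous configuration in place instead of a half-applied one.
     * Surrounding whitespace around each entry is ignored.
     *
     * @throws InvalidParameterException if the value is null or names a method other than GET or POST
     */
    @MCAttribute
    public void setAllowedMethods(String str) {
        if (str == null) {
            throw new InvalidParameterException("<graphQLProtection allowedMethods=\"...\" /> may only allow GET or POST, but no value was given.");
        }
        String[] methods = str.split(SessionManager.SESSION_VALUE_SEPARATOR);
        for (int i = 0; i < methods.length; i++) {
            String method = methods[i].trim();
            if (!Request.METHOD_GET.equals(method) && !Request.METHOD_POST.equals(method)) {
                throw new InvalidParameterException("<graphQLProtection allowedMethods=\"...\" /> may only allow GET or POST, but got '" + method + "'.");
            }
            methods[i] = method;
        }
        // Assign only after every entry passed validation.
        this.allowedMethods = Arrays.asList(methods);
    }

    public int getMaxRecursion() {
        return this.maxRecursion;
    }

    @MCAttribute
    public void setMaxRecursion(int i) {
        this.maxRecursion = i;
    }

    public int getMaxDepth() {
        return this.maxDepth;
    }

    @MCAttribute
    public void setMaxDepth(int i) {
        this.maxDepth = i;
    }

    @Override
    public String toString() {
        return "GraphQL protection";
    }

    @Override
    public String getShortDescription() {
        return "Let only well-formed GraphQL requests pass. Apply restrictions.";
    }

    @Override
    public String getLongDescription() {
        return "<div>Protects against some GraphQL attack classes (checks HTTP request against <a href=\"https://spec.graphql.org/October2021/\">GraphQL</a> and <a href=\"https://github.com/graphql/graphql-over-http/blob/a1e6d8ca248c9a19eb59a2eedd988c204909ee3f/spec/GraphQLOverHTTP.md\">GraphQL-over-HTTP</a> specs).<br/>GraphQL extensions: "
                + (this.allowExtensions ? "Allowed." : "Forbidden.")
                + "<br/>Allowed HTTP verbs: "
                + TextUtil.toEnglishList("and", this.allowedMethods.toArray(new String[0]))
                + ".<br/>Maximum allowed nested query levels: "
                + this.maxDepth
                + "<br/>Maximum allowed recursion levels (nested repetitions of the same word): "
                + this.maxRecursion
                + ".</div>";
    }
}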
