package com.predic8.membrane.core.interceptor.ratelimit;

import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.exceptions.ProblemDetails;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Header;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.statistics.util.JDBCUtil;
import com.predic8.membrane.core.lang.spel.ExchangeEvaluationContext;
import com.predic8.membrane.core.util.HttpUtil;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import org.apache.http.HttpStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;

@MCElement(name = "rateLimiter")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.5.1.jar:com/predic8/membrane/core/interceptor/ratelimit/RateLimitInterceptor.class */
public class RateLimitInterceptor extends AbstractInterceptor {
    private static final Logger log = LoggerFactory.getLogger(RateLimitInterceptor.class.getName());
    public static final String X_RATELIMIT_DURATION = "X-RateLimit-Duration";
    public static final String X_RATELIMIT_LIMIT = "X-RateLimit-Limit";
    public static final String X_RATELIMIT_RESET = "X-RateLimit-Reset";
    private final RateLimitStrategy strategy;
    private String keyExpression;
    private Expression expression;
    private List<String> trustedProxyList;
    private int trustedProxyCount;
    private boolean trustForwardedFor;

    public RateLimitInterceptor() {
        this(Duration.ofHours(1L), 1000);
    }

    public RateLimitInterceptor(Duration duration, int i) {
        this.trustedProxyCount = -1;
        this.strategy = new LazyRateLimit(duration, i);
        this.name = "RateLimiter";
        setFlow(Interceptor.Flow.Set.REQUEST);
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public Outcome handleRequest(Exchange exchange) throws Exception {
        try {
            if (!this.strategy.isRequestLimitReached(getKey(exchange))) {
                return Outcome.CONTINUE;
            }
            log.info(getKey(exchange) + " limit: " + getRequestLimit() + " duration: " + getRequestLimitDuration() + " is exceeded. (clientIp: " + exchange.getRemoteAddrIp() + ")");
            exchange.setResponse(ProblemDetails.user(false).statusCode(HttpStatus.SC_TOO_MANY_REQUESTS).addSubType("rate-limiter").title("Rate limit is exceeded").detail("The quota of the ratelimiter is exceeded. Try again in %s seconds.".formatted(this.strategy.getLimitReset(exchange.getRemoteAddrIp()))).extension("limit", Integer.valueOf(getRequestLimit())).extension(JDBCUtil.DURATION, getRequestLimitDuration()).build());
            setHeaderRateLimitFieldsOnResponse(exchange);
            return Outcome.RETURN;
        } catch (SpelEvaluationException e) {
            exchange.setResponse(ProblemDetails.internal(this.router.isProduction()).addSubType("rate-limiter").detail("Cannot evaluate keyExpression '%s' cause is %s".formatted(this.keyExpression, e.getMessage())).build());
            return Outcome.RETURN;
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor
    public void init() throws Exception {
        super.init();
        if (this.keyExpression == null || this.keyExpression.isBlank()) {
            return;
        }
        this.expression = new SpelExpressionParser().parseExpression(this.keyExpression);
    }

    private String getKey(Exchange exchange) {
        if (this.keyExpression == null) {
            return getClientIp(exchange);
        }
        String str = (String) this.expression.getValue((EvaluationContext) new ExchangeEvaluationContext(exchange, exchange.getRequest()), String.class);
        if (str != null) {
            return str;
        }
        log.warn("The expression {} evaluates to null or there is an error in the expression. This may result in a wrong counting for the ratelimiter.", this.expression);
        return BeanDefinitionParserDelegate.NULL_ELEMENT;
    }

    protected String getClientIp(Exchange exchange) {
        if (!this.trustForwardedFor || exchange.getRequest().getHeader().getXForwardedFor() == null) {
            return useRemoteIpAddress(exchange);
        }
        List<String> forwardedForList = HttpUtil.getForwardedForList(exchange);
        if (forwardedForList.isEmpty()) {
            return useRemoteIpAddress(exchange);
        }
        log.debug("X-Forwared-For {}", forwardedForList);
        if (this.trustedProxyList != null && !this.trustedProxyList.isEmpty()) {
            log.debug("Checking list of trusted proxies");
            for (int i = 1; i <= this.trustedProxyList.size(); i++) {
                String str = this.trustedProxyList.get(this.trustedProxyList.size() - i);
                String str2 = forwardedForList.get(forwardedForList.size() - i);
                log.debug("Checking proxy {} against {}", str, str2);
                if (!Objects.equals(str, str2)) {
                    log.info("Trusted proxy {} is not in X-Forwarded-For list {}, or not on the right position.", str, forwardedForList);
                    return useRemoteIpAddress(exchange);
                }
            }
            String oneBeforeTrustworthyProxy = getOneBeforeTrustworthyProxy(forwardedForList, this.trustedProxyList.size());
            log.debug("Using {} as client ip.", oneBeforeTrustworthyProxy);
            return oneBeforeTrustworthyProxy;
        }
        if (this.trustedProxyCount != -1) {
            log.debug("Using trustedProxyCount of {}", Integer.valueOf(this.trustedProxyCount));
            if (forwardedForList.size() <= this.trustedProxyCount) {
                log.info("Forwarded-For entries {} do not match trusted proxies {}", forwardedForList, this.trustedProxyList);
                return useRemoteIpAddress(exchange);
            }
            String oneBeforeTrustworthyProxy2 = getOneBeforeTrustworthyProxy(forwardedForList, this.trustedProxyCount);
            log.debug("Client ip is {}", oneBeforeTrustworthyProxy2);
            return oneBeforeTrustworthyProxy2;
        }
        if (this.trustedProxyList != null) {
            return useRemoteIpAddress(exchange);
        }
        log.debug("No trustedProxyCount and no trustedProxyList.");
        if (forwardedForList.size() != 1) {
            String remoteAddrIp = exchange.getRemoteAddrIp();
            log.debug("More than 1 entry in X-Forwarded-For. Using ip address {}", remoteAddrIp);
            return remoteAddrIp;
        }
        String str3 = forwardedForList.get(0);
        log.debug("Using entry {} in X-Forwarded-For", str3);
        return str3;
    }

    private static String useRemoteIpAddress(Exchange exchange) {
        String remoteAddrIp = exchange.getRemoteAddrIp();
        log.debug("Using ip {}", remoteAddrIp);
        return remoteAddrIp;
    }

    protected static String getOneBeforeTrustworthyProxy(List<String> list, int i) {
        return list.get((list.size() - i) - 1).trim();
    }

    private void setHeaderRateLimitFieldsOnResponse(Exchange exchange) {
        Header header = exchange.getResponse().getHeader();
        header.add(X_RATELIMIT_DURATION, this.strategy.getLimitDurationPeriod());
        header.add(X_RATELIMIT_LIMIT, Integer.toString(this.strategy.requestLimit));
        header.add(X_RATELIMIT_RESET, this.strategy.getLimitReset(exchange.getRemoteAddrIp()));
    }

    public int getRequestLimit() {
        return this.strategy.requestLimit;
    }

    @MCAttribute
    public void setRequestLimit(int i) {
        this.strategy.setRequestLimit(i);
    }

    public String getRequestLimitDuration() {
        return this.strategy.requestLimitDuration.toString();
    }

    @MCAttribute
    public void setRequestLimitDuration(String str) {
        setRequestLimitDuration(Duration.parse(str));
    }

    public void setRequestLimitDuration(Duration duration) {
        this.strategy.setRequestLimitDuration(duration);
    }

    @MCAttribute
    public void setKeyExpression(String str) {
        this.keyExpression = str;
    }

    public String getKeyExpression() {
        return this.keyExpression;
    }

    public String getTrustedProxyList() {
        if (this.trustedProxyList == null) {
            return null;
        }
        return String.join(",", this.trustedProxyList);
    }

    @MCAttribute
    public void setTrustedProxyList(String str) {
        this.trustedProxyList = Arrays.stream(str.split(",")).map((v0) -> {
            return v0.trim();
        }).toList();
    }

    public int getTrustedProxyCount() {
        return this.trustedProxyCount;
    }

    @MCAttribute
    public void setTrustedProxyCount(int i) {
        this.trustedProxyCount = i;
    }

    public boolean isTrustForwardedFor() {
        return this.trustForwardedFor;
    }

    @MCAttribute
    public void setTrustForwardedFor(boolean z) {
        this.trustForwardedFor = z;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getShortDescription() {
        return "Limits incoming requests. It limits to " + this.strategy.getRequestLimit() + " requests every " + this.strategy.getRequestLimitDuration().toString() + ".";
    }
}
