package com.predic8.membrane.core.graphql;

import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.graphql.model.ExecutableDefinition;
import com.predic8.membrane.core.graphql.model.ExecutableDocument;
import com.predic8.membrane.core.graphql.model.Field;
import com.predic8.membrane.core.graphql.model.FragmentDefinition;
import com.predic8.membrane.core.graphql.model.FragmentSpread;
import com.predic8.membrane.core.graphql.model.InlineFragment;
import com.predic8.membrane.core.graphql.model.OperationDefinition;
import com.predic8.membrane.core.graphql.model.Selection;
import com.predic8.membrane.core.http.HeaderField;
import com.predic8.membrane.core.http.HeaderName;
import com.predic8.membrane.core.http.MimeType;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.util.TextUtil;
import com.predic8.membrane.core.util.URLParamUtil;
import io.opentelemetry.semconv.SemanticAttributes;
import jakarta.mail.internet.ContentType;
import jakarta.mail.internet.ParseException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidParameterException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@MCElement(name = "graphQLProtection")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-5.5.12.jar:com/predic8/membrane/core/graphql/GraphQLProtectionInterceptor.class */
public class GraphQLProtectionInterceptor extends AbstractInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) GraphQLProtectionInterceptor.class);
    private final GraphQLParser graphQLParser = new GraphQLParser();
    private final ObjectMapper om = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_READING_DUP_TREE_KEY, true).configure(JsonParser.Feature.STRICT_DUPLICATE_DETECTION, true);
    private boolean allowExtensions = false;
    private List<String> allowedMethods = Lists.newArrayList("GET", "POST");
    private int maxRecursion = 3;
    private int maxDepth = 7;
    private int maxMutations = 5;

    public GraphQLProtectionInterceptor() {
        this.name = "GraphQL protection";
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public Outcome handleRequest(Exchange exchange) throws Exception {
        Map map;
        OperationDefinition operationDefinition;
        if (!this.allowedMethods.contains(exchange.getRequest().getMethod())) {
            return error(exchange, 405, "Invalid method.");
        }
        String rawQuery = this.router.getUriFactory().create(exchange.getRequest().getUri()).getRawQuery();
        if ("GET".equals(exchange.getRequest().getMethod())) {
            if (rawQuery == null) {
                return error(exchange, "No query parameters found.");
            }
            try {
                map = URLParamUtil.parseQueryString(rawQuery, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
                if (map.containsKey("variables")) {
                    map.put("variables", this.om.readValue((String) map.get("variables"), Map.class));
                }
                if (map.containsKey("extensions")) {
                    map.put("extensions", this.om.readValue((String) map.get("extensions"), Map.class));
                }
            } catch (Exception e) {
                return error(exchange, "Error decoding query string.");
            }
        } else {
            if (!"POST".equals(exchange.getRequest().getMethod())) {
                exchange.setResponse(Response.methodNotAllowed().build());
                return Outcome.RETURN;
            }
            if (rawQuery != null) {
                Map<String, String> parseQueryString = URLParamUtil.parseQueryString(rawQuery, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
                for (String str : new String[]{"query", "operationName", "variables", "extensions"}) {
                    if (parseQueryString.containsKey(str)) {
                        return error(exchange, "'" + str + "' is not allowed as query parameter while using POST.");
                    }
                }
            }
            List<HeaderField> values = exchange.getRequest().getHeader().getValues(new HeaderName("Content-Type"));
            if (values.isEmpty()) {
                return error(exchange, "No 'Content-Type' found.");
            }
            if (values.size() > 1) {
                return error(exchange, "Found multiple 'Content-Type' headers.");
            }
            try {
                ContentType contentType = new ContentType(values.get(0).getValue());
                if (contentType.match(MimeType.APPLICATION_GRAPHQL)) {
                    map = ImmutableMap.of("query", exchange.getRequest().getBodyAsStringDecoded());
                } else {
                    if (!contentType.match("application/json")) {
                        return error(exchange, "Expected 'Content-Type: application/json' or 'Content-Type: application/graphql'.");
                    }
                    String parameter = contentType.getParameter("charset");
                    if (parameter != null && !"utf-8".equalsIgnoreCase(parameter)) {
                        return error(exchange, "Invalid charset in 'Content-Type': Expected 'utf-8'.");
                    }
                    try {
                        map = (Map) this.om.readValue(exchange.getRequest().getBodyAsStreamDecoded(), Map.class);
                    } catch (JsonParseException e2) {
                        return error(exchange, "Error decoding JSON object.");
                    }
                }
            } catch (ParseException e3) {
                return error(exchange, "Could not parse 'Content-Type' header.");
            }
        }
        Object obj = map.get("query");
        if (obj == null) {
            return error(exchange, "Parameter 'query' is missing.");
        }
        if (!(obj instanceof String)) {
            return error(exchange, "Expected 'query' to be of type 'String'.");
        }
        if (!this.allowExtensions && map.containsKey("extensions") && map.get("extensions") != null) {
            return error(exchange, "GraphQL 'extensions' are forbidden.");
        }
        Object obj2 = map.get("operationName");
        if (obj2 != null && !(obj2 instanceof String)) {
            return error(exchange, "Expected 'operationName' to be a String.");
        }
        Object obj3 = map.get("variables");
        if (obj3 != null && !(obj3 instanceof Map)) {
            return error(exchange, "Expected 'variables' to be a JSON Object.");
        }
        Object obj4 = map.get("extensions");
        if (obj4 != null && !(obj4 instanceof Map)) {
            return error(exchange, "Expected 'extensions' to be a JSON Object.");
        }
        ExecutableDocument parseRequest = this.graphQLParser.parseRequest(new ByteArrayInputStream(((String) obj).getBytes(StandardCharsets.UTF_8)));
        if (countMutations(parseRequest.getExecutableDefinitions()) > this.maxMutations) {
            return error(exchange, 400, "Too many mutations defined in document.");
        }
        List<String> validate = new GraphQLValidator().validate(parseRequest);
        if (validate != null && !validate.isEmpty()) {
            return error(exchange, validate.get(0));
        }
        if ("GET".equals(exchange.getRequest().getMethod()) && parseRequest.getExecutableDefinitions().stream().filter(executableDefinition -> {
            return executableDefinition instanceof OperationDefinition;
        }).map(executableDefinition2 -> {
            return (OperationDefinition) executableDefinition2;
        }).anyMatch(operationDefinition2 -> {
            return (operationDefinition2.getOperationType() == null || "query".equals(operationDefinition2.getOperationType().getOperation())) ? false : true;
        })) {
            return error(exchange, 405, "'GET' may only be used for GraphQL 'query's.");
        }
        if (obj2 == null || obj2.equals("")) {
            List list = parseRequest.getExecutableDefinitions().stream().filter(executableDefinition3 -> {
                return executableDefinition3 instanceof OperationDefinition;
            }).map(executableDefinition4 -> {
                return (OperationDefinition) executableDefinition4;
            }).toList();
            if (list.isEmpty()) {
                return error(exchange, "Could not find an OperationDefinition in the GraphQL document.");
            }
            operationDefinition = (OperationDefinition) list.get(0);
        } else {
            List list2 = parseRequest.getExecutableDefinitions().stream().filter(executableDefinition5 -> {
                return executableDefinition5 instanceof OperationDefinition;
            }).map(executableDefinition6 -> {
                return (OperationDefinition) executableDefinition6;
            }).filter(operationDefinition3 -> {
                return obj2.equals(operationDefinition3.getName());
            }).toList();
            if (list2.isEmpty()) {
                return error(exchange, "The operation named by 'operationName' could not be found.");
            }
            if (list2.size() > 1) {
                return error(exchange, "Multiple OperationDefinitions with the same name in the GraphQL document.");
            }
            operationDefinition = (OperationDefinition) list2.get(0);
        }
        String depthOrRecursionError = getDepthOrRecursionError(parseRequest, operationDefinition);
        return depthOrRecursionError != null ? error(exchange, depthOrRecursionError) : Outcome.CONTINUE;
    }

    public int countMutations(List<ExecutableDefinition> list) {
        return (int) list.stream().filter(executableDefinition -> {
            return executableDefinition instanceof OperationDefinition;
        }).map(executableDefinition2 -> {
            return (OperationDefinition) executableDefinition2;
        }).filter(operationDefinition -> {
            return operationDefinition.getOperationType() != null;
        }).filter(operationDefinition2 -> {
            return operationDefinition2.getOperationType().getOperation().equals(SemanticAttributes.GraphqlOperationTypeValues.MUTATION);
        }).count();
    }

    private String getDepthOrRecursionError(ExecutableDocument executableDocument, OperationDefinition operationDefinition) {
        return checkSelections(executableDocument, operationDefinition, operationDefinition.getSelections(), new ArrayList(), new HashSet<>());
    }

    private String checkSelections(ExecutableDocument executableDocument, OperationDefinition operationDefinition, List<Selection> list, List<String> list2, HashSet<String> hashSet) {
        if (list == null) {
            return null;
        }
        for (Selection selection : list) {
            if (selection == null) {
                LOG.error("Selection is null.");
                return "See server log.";
            }
            String checkField = selection instanceof Field ? checkField((Field) selection, executableDocument, operationDefinition, list2, hashSet) : selection instanceof FragmentSpread ? checkFragmentSpread((FragmentSpread) selection, executableDocument, operationDefinition, list2, hashSet) : selection instanceof InlineFragment ? checkSelections(executableDocument, operationDefinition, ((InlineFragment) selection).getSelections(), list2, hashSet) : checkUnhandled(selection);
            if (checkField != null) {
                return checkField;
            }
        }
        return null;
    }

    private String checkUnhandled(Selection selection) {
        LOG.error("Unhandled class: " + selection.getClass().getName());
        return "See server log.";
    }

    private String checkFragmentSpread(FragmentSpread fragmentSpread, ExecutableDocument executableDocument, OperationDefinition operationDefinition, List<String> list, HashSet<String> hashSet) {
        String fragmentName = fragmentSpread.getFragmentName();
        Optional findAny = executableDocument.getExecutableDefinitions().stream().filter(executableDefinition -> {
            return executableDefinition instanceof FragmentDefinition;
        }).map(executableDefinition2 -> {
            return (FragmentDefinition) executableDefinition2;
        }).filter(fragmentDefinition -> {
            return fragmentName.equals(fragmentDefinition.getName());
        }).findAny();
        if (findAny.isEmpty()) {
            return "Did not find fragment '" + fragmentName + "'.";
        }
        if (!hashSet.add(fragmentName)) {
            return "Fragment spreads form cycle ('" + fragmentName + "').";
        }
        String checkSelections = checkSelections(executableDocument, operationDefinition, ((FragmentDefinition) findAny.get()).getSelections(), list, hashSet);
        if (checkSelections != null) {
            return checkSelections;
        }
        hashSet.remove(fragmentName);
        return null;
    }

    private String checkField(Field field, ExecutableDocument executableDocument, OperationDefinition operationDefinition, List<String> list, HashSet<String> hashSet) {
        String name = field.getName();
        list.add(name);
        if (list.size() > this.maxDepth) {
            return "Max depth exceeded.";
        }
        if (list.stream().filter(str -> {
            return str.equals(name);
        }).count() > this.maxRecursion) {
            return "Max recursion exceeded.";
        }
        String checkSelections = checkSelections(executableDocument, operationDefinition, field.getSelections(), list, hashSet);
        if (checkSelections != null) {
            return checkSelections;
        }
        list.remove(list.size() - 1);
        return null;
    }

    private Outcome error(Exchange exchange, String str) {
        LOG.warn(str);
        exchange.setResponse(Response.badRequest().build());
        return Outcome.RETURN;
    }

    private Outcome error(Exchange exchange, int i, String str) {
        LOG.warn(str);
        exchange.setResponse(Response.badRequest().status(i).build());
        return Outcome.RETURN;
    }

    @MCAttribute
    public void setMaxMutations(int i) {
        this.maxMutations = i;
    }

    public int getMaxMutations() {
        return this.maxMutations;
    }

    @MCAttribute
    public void setAllowExtensions(boolean z) {
        this.allowExtensions = z;
    }

    public boolean isAllowExtensions() {
        return this.allowExtensions;
    }

    public String getAllowedMethods() {
        return String.join(",", this.allowedMethods);
    }

    @MCAttribute
    public void setAllowedMethods(String str) {
        this.allowedMethods = Arrays.asList(str.split(","));
        for (String str2 : this.allowedMethods) {
            if (!"GET".equals(str2) && !"POST".equals(str2)) {
                throw new InvalidParameterException("<graphQLProtectionInterceptor allowedMethods=\"...\" /> may only allow GET or POST.");
            }
        }
    }

    public int getMaxRecursion() {
        return this.maxRecursion;
    }

    @MCAttribute
    public void setMaxRecursion(int i) {
        this.maxRecursion = i;
    }

    public int getMaxDepth() {
        return this.maxDepth;
    }

    @MCAttribute
    public void setMaxDepth(int i) {
        this.maxDepth = i;
    }

    public String toString() {
        return "GraphQL protection";
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getShortDescription() {
        return "Let only well-formed GraphQL requests pass. Apply restrictions.";
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getLongDescription() {
        return "<div>Protects against some GraphQL attack classes (checks HTTP request against <a href=\"https://spec.graphql.org/October2021/\">GraphQL</a> and <a href=\"https://github.com/graphql/graphql-over-http/blob/a1e6d8ca248c9a19eb59a2eedd988c204909ee3f/spec/GraphQLOverHTTP.md\">GraphQL-over-HTTP</a> specs).<br/>GraphQL extensions: " + (this.allowExtensions ? "Allowed." : "Forbidden.") + "<br/>Allowed HTTP verbs: " + TextUtil.toEnglishList("and", (String[]) this.allowedMethods.toArray(new String[0])) + ".<br/>Maximum allowed nested query levels: " + this.maxDepth + "<br/>Maximum allowed recursion levels (nested repetitions of the same word): " + this.maxRecursion + ".</div>";
    }
}
