package com.predic8.membrane.core.interceptor.ratelimit;

import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.exceptions.ProblemDetails;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Header;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.lang.AbstractExchangeExpressionInterceptor;
import com.predic8.membrane.core.interceptor.statistics.util.JDBCUtil;
import com.predic8.membrane.core.lang.ExchangeExpression;
import com.predic8.membrane.core.util.HttpUtil;
import java.time.Duration;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.expression.spel.SpelEvaluationException;

@MCElement(name = "rateLimiter")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-6.0.3.jar:com/predic8/membrane/core/interceptor/ratelimit/RateLimitInterceptor.class */
public class RateLimitInterceptor extends AbstractExchangeExpressionInterceptor {
    private static final Logger log = LoggerFactory.getLogger(RateLimitInterceptor.class.getName());
    public static final String X_RATELIMIT_DURATION = "X-RateLimit-Duration";
    public static final String X_RATELIMIT_LIMIT = "X-RateLimit-Limit";
    public static final String X_RATELIMIT_RESET = "X-RateLimit-Reset";
    private final RateLimitStrategy strategy;
    private List<String> trustedProxyList;
    private int trustedProxyCount;
    private boolean trustForwardedFor;

    public RateLimitInterceptor() {
        this(Duration.ofHours(1L), 1000);
    }

    public RateLimitInterceptor(Duration duration, int i) {
        this.trustedProxyCount = -1;
        this.strategy = new LazyRateLimit(duration, i);
        this.name = "rate limiter";
        setFlow(Interceptor.Flow.Set.REQUEST_FLOW);
    }

    @Override // com.predic8.membrane.core.interceptor.lang.AbstractExchangeExpressionInterceptor
    protected ExchangeExpression getExchangeExpression() {
        if (this.expression.isEmpty()) {
            return null;
        }
        return ExchangeExpression.newInstance(this.router, this.language, this.expression);
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public Outcome handleRequest(Exchange exchange) {
        try {
            if (!this.strategy.isRequestLimitReached(getKey(exchange))) {
                return Outcome.CONTINUE;
            }
            log.info("{} limit: {} duration: {} is exceeded. (clientIp: {})", getKey(exchange), Integer.valueOf(getRequestLimit()), getRequestLimitDuration(), exchange.getRemoteAddrIp());
            ProblemDetails.user(false, getDisplayName()).statusCode(429).title("Rate limit is exceeded.").addSubType("rate-limit").detail("The quota of the rate limit is exceeded. Try again in %s seconds.".formatted(this.strategy.getLimitReset(exchange.getRemoteAddrIp()))).internal("limit", Integer.valueOf(getRequestLimit())).internal(JDBCUtil.DURATION, getRequestLimitDuration()).buildAndSetResponse(exchange);
            setHeaderRateLimitFieldsOnResponse(exchange);
            return Outcome.RETURN;
        } catch (SpelEvaluationException e) {
            log.info("Cannot evaluate keyExpression {} cause is {}", this.expression, e.getCause());
            ProblemDetails.internal(this.router.isProduction(), getDisplayName()).addSubType("rate-limit").detail("Cannot evaluate keyExpression '%s' cause is %s".formatted(this.expression, e.getMessage())).buildAndSetResponse(exchange);
            return Outcome.RETURN;
        }
    }

    private String getKey(Exchange exchange) {
        if (this.expression == null || this.expression.isEmpty()) {
            return getClientIp(exchange);
        }
        try {
            String str = (String) this.exchangeExpression.evaluate(exchange, Interceptor.Flow.REQUEST, String.class);
            if (!str.isEmpty()) {
                return str;
            }
            log.warn("The expression {} evaluates to null or there is an error in the expression. This may result in a wrong counting for the ratelimiter.", this.expression);
            return "unknown";
        } catch (Exception e) {
            log.info("Error evaluating expression {} for rate limit. Fallback to 'unknown'", this.expression);
            return "unknown";
        }
    }

    protected String getClientIp(Exchange exchange) {
        String computeClientIpFromForwards = computeClientIpFromForwards(exchange);
        log.debug("Using client ip {}", computeClientIpFromForwards);
        return computeClientIpFromForwards;
    }

    private String computeClientIpFromForwards(Exchange exchange) {
        if (!this.trustForwardedFor || exchange.getRequest().getHeader().getXForwardedFor() == null) {
            return useRemoteIpAddress(exchange);
        }
        List<String> forwardedForList = HttpUtil.getForwardedForList(exchange);
        if (forwardedForList.isEmpty()) {
            return useRemoteIpAddress(exchange);
        }
        log.debug("X-Forwared-For {}", forwardedForList);
        if (this.trustedProxyList != null && !this.trustedProxyList.isEmpty()) {
            return getClientIPfromTrustedProxyList(exchange, forwardedForList);
        }
        if (this.trustedProxyCount != -1) {
            return getClientIPFromTrustedProxyCount(exchange, forwardedForList);
        }
        log.debug("No trustedProxyCount and no trustedProxyList.");
        if (forwardedForList.size() != 1) {
            log.debug("More than 1 entry in X-Forwarded-For.");
            return exchange.getRemoteAddrIp();
        }
        log.debug("Using entry in X-Forwarded-For");
        return (String) forwardedForList.getFirst();
    }

    private String getClientIPFromTrustedProxyCount(Exchange exchange, List<String> list) {
        log.debug("Using trustedProxyCount of {}", Integer.valueOf(this.trustedProxyCount));
        if (list.size() > this.trustedProxyCount) {
            return getOneBeforeTrustworthyProxy(list, this.trustedProxyCount);
        }
        log.info("Forwarded-For entries {} do not match trusted proxies {}", list, this.trustedProxyList);
        return useRemoteIpAddress(exchange);
    }

    private String getClientIPfromTrustedProxyList(Exchange exchange, List<String> list) {
        log.debug("Checking list of trusted proxies");
        for (int i = 1; i <= this.trustedProxyList.size(); i++) {
            String str = this.trustedProxyList.get(this.trustedProxyList.size() - i);
            String str2 = list.get(list.size() - i);
            log.debug("Checking proxy {} against {}", str, str2);
            if (!Objects.equals(str, str2)) {
                log.info("Trusted proxy {} is not in X-Forwarded-For list {}, or not on the right position.", str, list);
                return useRemoteIpAddress(exchange);
            }
        }
        return getOneBeforeTrustworthyProxy(list, this.trustedProxyList.size());
    }

    private static String useRemoteIpAddress(Exchange exchange) {
        return exchange.getRemoteAddrIp();
    }

    protected static String getOneBeforeTrustworthyProxy(List<String> list, int i) {
        return list.get((list.size() - i) - 1).trim();
    }

    private void setHeaderRateLimitFieldsOnResponse(Exchange exchange) {
        Header header = exchange.getResponse().getHeader();
        header.add(X_RATELIMIT_DURATION, this.strategy.getLimitDurationPeriod());
        header.add(X_RATELIMIT_LIMIT, Integer.toString(this.strategy.requestLimit));
        header.add(X_RATELIMIT_RESET, this.strategy.getLimitReset(exchange.getRemoteAddrIp()));
    }

    public int getRequestLimit() {
        return this.strategy.requestLimit;
    }

    @MCAttribute
    public void setRequestLimit(int i) {
        this.strategy.setRequestLimit(i);
    }

    public String getRequestLimitDuration() {
        return this.strategy.requestLimitDuration.toString();
    }

    @MCAttribute
    public void setRequestLimitDuration(String str) {
        setRequestLimitDuration(Duration.parse(str));
    }

    public void setRequestLimitDuration(Duration duration) {
        this.strategy.setRequestLimitDuration(duration);
    }

    @MCAttribute
    public void setKeyExpression(String str) {
        this.expression = str;
    }

    public String getKeyExpression() {
        return this.expression;
    }

    public String getTrustedProxyList() {
        if (this.trustedProxyList == null) {
            return null;
        }
        return String.join(",", this.trustedProxyList);
    }

    @MCAttribute
    public void setTrustedProxyList(String str) {
        this.trustedProxyList = Arrays.stream(str.split(",")).map((v0) -> {
            return v0.trim();
        }).toList();
    }

    public int getTrustedProxyCount() {
        return this.trustedProxyCount;
    }

    @MCAttribute
    public void setTrustedProxyCount(int i) {
        this.trustedProxyCount = i;
    }

    public boolean isTrustForwardedFor() {
        return this.trustForwardedFor;
    }

    @MCAttribute
    public void setTrustForwardedFor(boolean z) {
        this.trustForwardedFor = z;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getShortDescription() {
        return "Limits incoming requests to %s requests every %s.".formatted(Integer.valueOf(this.strategy.getRequestLimit()), this.strategy.getRequestLimitDuration());
    }
}
