package org.neo4j.kernel.impl.security;

import inet.ipaddr.IPAddressString;
import java.io.IOException;
import java.io.InputStream;
import java.lang.Runtime;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.HttpURLConnection;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.List;
import java.util.zip.GZIPInputStream;
import java.util.zip.InflaterInputStream;
import org.neo4j.configuration.GraphDatabaseInternalSettings;
import org.neo4j.csv.reader.CharReadable;
import org.neo4j.csv.reader.Readables;
import org.neo4j.exceptions.LoadExternalResourceException;
import org.neo4j.graphdb.config.Configuration;
import org.neo4j.graphdb.security.URLAccessValidationError;
import org.neo4j.internal.kernel.api.security.SecurityAuthorizationHandler;
import org.neo4j.internal.kernel.api.security.SecurityContext;

/* loaded from: input_file:org/neo4j/kernel/impl/security/WebURLAccessRule.class */
public class WebURLAccessRule implements AccessRule<URL> {
    public static final String LOAD_CSV_USER_AGENT_PREFIX = "NeoLoadCSV_";
    private static final int REDIRECT_LIMIT = 10;
    private final Configuration config;
    public static final int CONNECTION_TIMEOUT = 2000;
    public static final int READ_TIMOUT = 600000;
    private static final CookieManager cookieManager = new CookieManager();

    public WebURLAccessRule(Configuration configuration) {
        this.config = configuration;
    }

    public static String userAgent() {
        Runtime.Version version = Runtime.version();
        String property = System.getProperty("http.agent");
        return property == null ? "Java/" + String.valueOf(version) : property + " Java/" + String.valueOf(version);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public URL checkNotBlockedAndPinToIP(URL url, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws UnknownHostException, MalformedURLException, URISyntaxException, URLAccessValidationError {
        List list = (List) this.config.get(GraphDatabaseInternalSettings.cypher_ip_blocklist);
        InetAddress byName = InetAddress.getByName(url.getHost());
        Iterator it = list.iterator();
        while (it.hasNext()) {
            if (((IPAddressString) it.next()).contains(new IPAddressString(byName.getHostAddress()))) {
                throw new URLAccessValidationError("access to " + String.valueOf(byName) + " is blocked via the configuration property " + GraphDatabaseInternalSettings.cypher_ip_blocklist.name());
            }
        }
        securityAuthorizationHandler.assertLoadAllowed(securityContext, url.toURI(), byName);
        URL url2 = url;
        if (shouldPinIp(url)) {
            url2 = substituteHostByIP(url, byName instanceof Inet6Address ? "[" + byName.getHostAddress() + "]" : byName.getHostAddress());
        }
        return url2;
    }

    boolean shouldPinIp(URL url) {
        return url.getProtocol().equals("http") || url.getProtocol().equals("ftp");
    }

    protected URL substituteHostByIP(URL url, String str) throws MalformedURLException {
        String protocol = url.getProtocol();
        String userInfo = url.getUserInfo();
        String str2 = (userInfo == null || userInfo.isEmpty()) ? "" : userInfo + "@";
        String host = url.getHost();
        String str3 = (host == null || host.isEmpty()) ? "" : str;
        int port = url.getPort();
        String str4 = (port == url.getDefaultPort() || port <= 0) ? "" : ":" + Integer.toString(port);
        String path = url.getPath();
        String str5 = path != null ? path : "";
        String query = url.getQuery();
        String str6 = query != null ? "?" + query : "";
        String ref = url.getRef();
        return new URL(protocol + "://" + str2 + str3 + str4 + str5 + str6 + (ref != null ? "#" + ref : ""));
    }

    private URLConnection checkUrlIncludingHops(URL url, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws IOException, URISyntaxException, URLAccessValidationError {
        URLConnection openConnection;
        boolean z;
        URL url2;
        URL url3 = url;
        int i = REDIRECT_LIMIT;
        do {
            url3 = checkNotBlockedAndPinToIP(url3, securityAuthorizationHandler, securityContext);
            openConnection = url3.openConnection();
            if (openConnection instanceof HttpURLConnection) {
                HttpURLConnection httpURLConnection = (HttpURLConnection) openConnection;
                httpURLConnection.setRequestProperty("User-Agent", String.format("%s%s", LOAD_CSV_USER_AGENT_PREFIX, userAgent()));
                if (shouldPinIp(url)) {
                    httpURLConnection.setRequestProperty("Host", url.getHost());
                }
                httpURLConnection.setInstanceFollowRedirects(false);
                httpURLConnection.connect();
                httpURLConnection.getInputStream();
                z = isRedirect(httpURLConnection.getResponseCode());
                if (z) {
                    int i2 = i;
                    i--;
                    if (i2 == 0) {
                        httpURLConnection.disconnect();
                        throw new URLAccessValidationError("Redirect limit exceeded");
                    }
                    String headerField = httpURLConnection.getHeaderField("Location");
                    if (headerField == null) {
                        httpURLConnection.disconnect();
                        throw new IOException("URL responded with a redirect but the location header was null");
                    }
                    try {
                        url2 = new URL(headerField);
                        if (!url2.getProtocol().equalsIgnoreCase(url3.getProtocol())) {
                            return httpURLConnection;
                        }
                    } catch (MalformedURLException e) {
                        url2 = new URL(httpURLConnection.getURL(), headerField);
                    }
                    url3 = url2;
                }
            } else {
                z = false;
            }
        } while (z);
        return openConnection;
    }

    private static boolean isRedirect(int i) {
        return i >= 300 && i <= 307 && i != 306 && i != 304;
    }

    public URLConnection validate(URL url, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws URLAccessValidationError, IOException {
        String host = url.getHost();
        if (host == null || host.isEmpty()) {
            throw new URLAccessValidationError("Unable to verify access to URL" + String.valueOf(url) + ". URL is missing a host.");
        }
        try {
            return checkUrlIncludingHops(url, securityAuthorizationHandler, securityContext);
        } catch (URISyntaxException e) {
            throw new URLAccessValidationError("Unable to verify access to " + host + ". Cause: " + e.getMessage());
        }
    }

    @Override // org.neo4j.kernel.impl.security.AccessRule
    public CharReadable getReader(URL url, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws URLAccessValidationError {
        try {
            return Readables.wrap(openStream(url, securityAuthorizationHandler, securityContext), url.toString(), StandardCharsets.UTF_8, 0L);
        } catch (IOException | URISyntaxException e) {
            throw LoadExternalResourceException.couldNotLoadExternalResource(String.valueOf(url), e);
        }
    }

    private InputStream openStream(URL url, SecurityAuthorizationHandler securityAuthorizationHandler, SecurityContext securityContext) throws IOException, URISyntaxException, URLAccessValidationError {
        URLConnection validate = validate(url, securityAuthorizationHandler, securityContext);
        if ((validate instanceof HttpURLConnection) && isRedirect(((HttpURLConnection) validate).getResponseCode())) {
            throw LoadExternalResourceException.failedToAccessResource(validate.getURL());
        }
        validate.setConnectTimeout(CONNECTION_TIMEOUT);
        validate.setReadTimeout(READ_TIMOUT);
        InputStream inputStream = validate.getInputStream();
        return "gzip".equals(validate.getContentEncoding()) ? new GZIPInputStream(inputStream) : "deflate".equals(validate.getContentEncoding()) ? new InflaterInputStream(inputStream) : inputStream;
    }

    static {
        CookieHandler.setDefault(cookieManager);
        cookieManager.setCookiePolicy(CookiePolicy.ACCEPT_ALL);
    }
}
