package org.apache.nifi.cluster.firewall.impl;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import org.apache.commons.net.util.SubnetUtils;
import org.apache.nifi.cluster.firewall.ClusterNodeFirewall;
import org.apache.nifi.logging.NiFiLog;
import org.apache.nifi.util.file.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/cluster/firewall/impl/FileBasedClusterNodeFirewall.class */
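/**
 * Cluster node firewall whose allow-list is read from a plain-text file.
 *
 * <p>Each non-comment line of the file is either a CIDR block or a single host name / IP
 * address, which is stored as a {@code /32} rule. Text after a {@code #} is a comment.
 *
 * <p><strong>Fail-open behavior:</strong> when no rule was loaded, {@link #isPermissible(String)}
 * accepts every host. That covers a missing file (the constructor creates an empty one), a file
 * holding only comments, and a file in which every entry was skipped as invalid or unresolvable.
 * Operators who rely on this firewall should check the load-time log for skipped entries.
 *
 * <p>Host-name entries are resolved once, while the file is parsed; later DNS changes are not
 * picked up by this instance.
 */
public class FileBasedClusterNodeFirewall implements ClusterNodeFirewall {
    private final File config;
    private final File restoreDirectory;
    // Allow-list built by parseConfig(); an empty collection means "accept all".
    private final Collection<SubnetUtils.SubnetInfo> subnetInfos;
    private static final Logger logger = new NiFiLog(LoggerFactory.getLogger(FileBasedClusterNodeFirewall.class));

    /**
     * Creates a firewall from the given configuration file, without a restore directory.
     *
     * @param file the firewall configuration file; created empty if it does not exist
     * @throws IOException if the file cannot be created or read
     * @throws IllegalArgumentException if {@code file} is null
     */
    public FileBasedClusterNodeFirewall(File file) throws IOException {
        this(file, null);
    }

    /**
     * Creates a firewall from the given configuration file, first synchronizing the file with
     * the restore directory when one is supplied.
     *
     * @param file the firewall configuration file; created empty if it does not exist
     * @param file2 the restore directory, or null to skip synchronization
     * @throws IOException if the file cannot be created or read
     * @throws IllegalArgumentException if {@code file} is null
     * @throws IllegalStateException if the configuration file lives in the restore directory
     * @throws RuntimeException wrapping the IOException raised while synchronizing
     */
    public FileBasedClusterNodeFirewall(File file, File file2) throws IOException {
        this.subnetInfos = new ArrayList<>();
        if (file == null) {
            throw new IllegalArgumentException("Firewall configuration file may not be null.");
        }
        this.config = file;
        this.restoreDirectory = file2;
        if (file2 != null) {
            try {
                syncWithRestoreDirectory();
            } catch (IOException e) {
                // Kept unchecked for backward compatibility with existing callers.
                throw new RuntimeException(e);
            }
        }
        // NOTE: a freshly created (empty) file yields an empty allow-list, i.e. accept-all.
        if (!file.exists() && !file.createNewFile()) {
            throw new IOException("Firewall configuration file did not exist and could not be created: " + file.getAbsolutePath());
        }
        logger.info("Loading cluster firewall configuration.");
        parseConfig(file);
        logger.info("Cluster firewall configuration loaded.");
    }

    /**
     * Decides whether the given host may join the cluster.
     *
     * <p>Returns {@code true} for every host when the allow-list is empty. Otherwise the host is
     * resolved with {@link InetAddress#getByName(String)} and accepted only if the resulting
     * address lies inside one of the configured subnets. Hosts that cannot be resolved, or whose
     * address the subnet matcher rejects with an {@link IllegalArgumentException}, are blocked.
     *
     * <p>NOTE(review): the subnet matcher appears to be IPv4-only, so a host that resolves to an
     * IPv6 address would presumably land in the "malformed" branch and be blocked; confirm
     * against the commons-net version in use.
     *
     * @param str host name or IP address to check
     * @return {@code true} if the host is allowed, {@code false} otherwise
     */
    @Override
    public boolean isPermissible(String str) {
        try {
            // Fail-open: with no rules loaded the firewall does not restrict anything.
            if (this.subnetInfos.isEmpty()) {
                return true;
            }
            final String hostAddress;
            try {
                // May trigger a name-service lookup when str is a host name.
                hostAddress = InetAddress.getByName(str).getHostAddress();
            } catch (UnknownHostException e) {
                logger.warn("Blocking unknown host '{}'", str, e);
                return false;
            }
            for (SubnetUtils.SubnetInfo subnet : this.subnetInfos) {
                if (subnet.isInRange(hostAddress)) {
                    return true;
                }
            }
            logger.debug("Blocking host '{}' because it does not match our allowed list.", str);
            return false;
        } catch (IllegalArgumentException e2) {
            logger.debug("Blocking requested host, '{}', because it is malformed.", str, e2);
            return false;
        }
    }

    /**
     * Synchronizes the configuration file with its copy in the restore directory.
     *
     * @throws IOException if the restore directory is not accessible or synchronization fails
     * @throws IllegalStateException if the configuration file is located in the restore directory
     */
    private void syncWithRestoreDirectory() throws IOException {
        FileUtils.ensureDirectoryExistAndCanAccess(this.restoreDirectory);
        // Resolve to an absolute file first: getParentFile() on a bare relative name such as
        // "firewall.txt" returns null, which previously caused a NullPointerException here.
        File configDirectory = this.config.getAbsoluteFile().getParentFile();
        if (configDirectory != null
                && configDirectory.getAbsolutePath().equals(this.restoreDirectory.getAbsolutePath())) {
            throw new IllegalStateException(String.format("Cluster firewall configuration file '%s' cannot be in the restore directory '%s' ", this.config.getAbsolutePath(), this.restoreDirectory.getAbsolutePath()));
        }
        FileUtils.syncWithRestore(this.config, new File(this.restoreDirectory, this.config.getName()), logger);
    }

    /**
     * Rebuilds the allow-list from the given file.
     *
     * <p>Blank lines and lines starting with {@code #} are ignored, and a trailing
     * {@code # comment} is stripped. An entry containing {@code /} is taken as CIDR notation; a
     * backslash is replaced by a forward slash with a warning; anything else is resolved as a
     * host and stored as {@code <ip>/32}. Unresolvable hosts and invalid CIDR values are skipped
     * with a warning rather than aborting the load.
     *
     * @param file the configuration file to read
     * @throws IOException if the file cannot be read
     */
    private void parseConfig(File file) throws IOException {
        this.subnetInfos.clear();
        int added = 0;
        int skipped = 0;
        try (BufferedReader reader = new BufferedReader(new FileReader(file))) {
            String rawLine;
            while ((rawLine = reader.readLine()) != null) {
                String rule = rawLine.trim();
                if (rule.isEmpty() || rule.startsWith("#")) {
                    continue;
                }
                int commentStart = rule.indexOf('#');
                if (commentStart >= 0) {
                    rule = rule.substring(0, commentStart).trim();
                }

                final String cidr;
                if (rule.contains("/")) {
                    cidr = rule;
                } else if (rule.contains("\\")) {
                    logger.warn("CIDR IP notation uses forward slashes '/'.  Replacing backslash '\\' with forward slash'/' for '{}'", rule);
                    cidr = rule.replace("\\", "/");
                } else {
                    try {
                        String hostAddress = InetAddress.getByName(rule).getHostAddress();
                        if (!rule.equals(hostAddress)) {
                            logger.debug("Resolved host '{}' to ip '{}'", rule, hostAddress);
                        }
                        cidr = hostAddress + "/32";
                        logger.debug("Adding CIDR to exact IP: '{}'", cidr);
                    } catch (UnknownHostException e) {
                        logger.warn("Firewall is skipping unknown host address: '{}'", rule);
                        // Move on to the next line; without this the code fell through to the
                        // CIDR parsing below with no value assigned for this entry.
                        skipped++;
                        continue;
                    }
                }

                try {
                    logger.debug("Adding CIDR IP to firewall: '{}'", cidr);
                    SubnetUtils subnetUtils = new SubnetUtils(cidr);
                    // Count the network and broadcast addresses as in range; required for a
                    // /32 rule to match its single address.
                    subnetUtils.setInclusiveHostCount(true);
                    this.subnetInfos.add(subnetUtils.getInfo());
                    added++;
                } catch (IllegalArgumentException e2) {
                    logger.warn("Firewall is skipping invalid CIDR address: '{}'", rule);
                    skipped++;
                }
            }
        }

        if (added == 0) {
            if (skipped > 0) {
                // Every configured entry was rejected, so the intended restriction is not in
                // effect; surface that above the routine info message.
                logger.warn("All {} configured firewall entries were skipped as invalid or unresolvable.", skipped);
            }
            logger.info("No IPs added to firewall.  Firewall will accept all requests.");
        } else {
            logger.info("Added {} IP(s) to firewall.  Only requests originating from the configured IPs will be accepted.", added);
        }
    }
}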
