package com.atlassian.bamboo.websudo;

import com.atlassian.bamboo.setup.BootstrapManager;
import com.atlassian.ip.IPMatcher;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:com/atlassian/bamboo/websudo/WebSudoIpAllowlistServiceImpl.class */
public class WebSudoIpAllowlistServiceImpl implements WebSudoIpAllowlistService {
    private static final Logger log = LogManager.getLogger(WebSudoIpAllowlistServiceImpl.class);
    private final IPMatcher ipMatcher;
    private final String remoteIpHeader;

    public WebSudoIpAllowlistServiceImpl(BootstrapManager bootstrapManager) {
        this.remoteIpHeader = bootstrapManager.getBambooSharedProperties().getWebSudoRemoteIpHeader();
        String webSudoIpAllowlist = bootstrapManager.getBambooSharedProperties().getWebSudoIpAllowlist();
        if (!StringUtils.isNotBlank(webSudoIpAllowlist)) {
            this.ipMatcher = null;
            return;
        }
        IPMatcher.Builder builder = IPMatcher.builder();
        for (String str : webSudoIpAllowlist.split(",")) {
            try {
                if (StringUtils.isNotBlank(str)) {
                    builder.addPattern(str.trim());
                }
            } catch (IllegalArgumentException e) {
                log.error("Error adding pattern to web sudo allowlist: '{}'", str.trim(), e);
            }
        }
        this.ipMatcher = builder.build();
    }

    @Override // com.atlassian.bamboo.websudo.WebSudoIpAllowlistService
    public boolean isIpAddressAllowlisted(@Nullable HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null || this.ipMatcher == null) {
            return true;
        }
        List<String> remoteHosts = getRemoteHosts(httpServletRequest);
        try {
            Stream<String> stream = remoteHosts.stream();
            IPMatcher iPMatcher = this.ipMatcher;
            Objects.requireNonNull(iPMatcher);
            boolean allMatch = stream.allMatch(iPMatcher::matches);
            if (!allMatch) {
                log.info("Denying web sudo for client address '{}', not on IP address allowlist", String.join(",", remoteHosts));
            }
            return allMatch;
        } catch (IllegalArgumentException e) {
            log.error("Error checking IP address against allowlist for values '{}'", String.join(", ", remoteHosts));
            return false;
        }
    }

    private List<String> getRemoteHosts(HttpServletRequest httpServletRequest) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(httpServletRequest.getRemoteAddr());
        Enumeration headers = httpServletRequest.getHeaders(this.remoteIpHeader);
        if (headers != null) {
            Stream filter = Collections.list(headers).stream().filter((v0) -> {
                return StringUtils.isNotEmpty(v0);
            }).flatMap(str -> {
                return Stream.of((Object[]) str.split(","));
            }).map((v0) -> {
                return v0.trim();
            }).filter((v0) -> {
                return StringUtils.isNotEmpty(v0);
            });
            Objects.requireNonNull(arrayList);
            filter.forEach((v1) -> {
                r1.add(v1);
            });
        }
        return arrayList;
    }
}
