package io.confluent.kafka.clients.plugins.auth.oauth;

import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.net.util.SubnetUtils;
import org.apache.hc.client5.http.DnsResolver;
import org.apache.hc.client5.http.SystemDefaultDnsResolver;
import org.apache.kafka.common.KafkaException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/FilteringDnsResolver.class */
public class FilteringDnsResolver implements DnsResolver {
    DnsResolver baseResolver;
    private final boolean filterLocalAddresses;
    private final boolean filterPrivateAddresses;
    private final boolean filterClassEAddresses;
    private final List<SubnetUtils.SubnetInfo> disallowCidrRanges;
    private final List<SubnetUtils.SubnetInfo> allowCidrRanges;
    private static final Logger log = LoggerFactory.getLogger(FilteringDnsResolver.class);
    static final Predicate<InetAddress> LOCAL_ADDRESS_TEST_PREDICATE = inetAddress -> {
        return inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isLinkLocalAddress();
    };
    static final Predicate<InetAddress> PRIVATE_ADDRESS_TEST_PREDICATE = (v0) -> {
        return v0.isSiteLocalAddress();
    };
    private static final SubnetUtils.SubnetInfo CLASS_E_CIDR_RANGE = new SubnetUtils("240.0.0.0/4").getInfo();
    static final Predicate<InetAddress> CLASS_E_ADDRESS_TEST_PREDICATE = inetAddress -> {
        if (inetAddress instanceof Inet4Address) {
            return CLASS_E_CIDR_RANGE.isInRange(inetAddress.getHostAddress()) || CLASS_E_CIDR_RANGE.getNetworkAddress().equals(inetAddress.getHostAddress()) || CLASS_E_CIDR_RANGE.getBroadcastAddress().equals(inetAddress.getHostAddress());
        }
        return false;
    };

    public FilteringDnsResolver(boolean z, boolean z2, boolean z3, List<String> list, List<String> list2) {
        this(new SystemDefaultDnsResolver(), z, z2, z3, list, list2);
    }

    FilteringDnsResolver(DnsResolver dnsResolver, boolean z, boolean z2, boolean z3, List<String> list, List<String> list2) {
        this.baseResolver = dnsResolver;
        this.filterLocalAddresses = z;
        this.filterPrivateAddresses = z2;
        this.filterClassEAddresses = z3;
        this.disallowCidrRanges = (List) list.stream().filter(str -> {
            try {
                new SubnetUtils(str);
                return true;
            } catch (IllegalArgumentException e) {
                log.warn("Ignoring CIDR range {} from blocklist {} because it isn't a valid CIDR range", str, list);
                return false;
            }
        }).map(str2 -> {
            return new SubnetUtils(str2).getInfo();
        }).collect(Collectors.toList());
        this.allowCidrRanges = (List) list2.stream().filter(str3 -> {
            try {
                new SubnetUtils(str3);
                return true;
            } catch (IllegalArgumentException e) {
                log.warn("Ignoring CIDR range {} from allowlist {} because it isn't a valid CIDR range", str3, list2);
                return false;
            }
        }).map(str4 -> {
            return new SubnetUtils(str4).getInfo();
        }).collect(Collectors.toList());
    }

    private boolean noFiltersRestrictions() {
        return (this.filterLocalAddresses || this.filterPrivateAddresses || this.filterClassEAddresses) ? false : true;
    }

    private boolean isAllowedCidrRange(InetAddress inetAddress) {
        return this.allowCidrRanges.stream().anyMatch(subnetInfo -> {
            return subnetInfo.isInRange(inetAddress.getHostAddress()) || subnetInfo.getNetworkAddress().equals(inetAddress.getHostAddress()) || subnetInfo.getBroadcastAddress().equals(inetAddress.getHostAddress());
        });
    }

    private boolean isDisallowedCidrRange(InetAddress inetAddress) {
        return this.disallowCidrRanges.stream().anyMatch(subnetInfo -> {
            return subnetInfo.isInRange(inetAddress.getHostAddress()) || subnetInfo.getNetworkAddress().equals(inetAddress.getHostAddress()) || subnetInfo.getBroadcastAddress().equals(inetAddress.getHostAddress());
        });
    }

    public InetAddress[] resolve(String str) throws UnknownHostException {
        InetAddress[] resolve = this.baseResolver.resolve(str);
        if ((!noFiltersRestrictions() || !this.disallowCidrRanges.isEmpty() || !this.allowCidrRanges.isEmpty()) && resolve.length > 0) {
            return filterAddresses(resolve);
        }
        return resolve;
    }

    public String resolveCanonicalHostname(String str) throws UnknownHostException {
        InetAddress[] resolve = resolve(str);
        return resolve.length > 0 ? resolve[0].getCanonicalHostName() : str;
    }

    private InetAddress[] filterAddresses(InetAddress[] inetAddressArr) {
        InetAddress[] inetAddressArr2 = (InetAddress[]) Stream.of((Object[]) inetAddressArr).filter(inetAddress -> {
            return inetAddress instanceof Inet6Address ? filterV6Address(inetAddress) : filterV4Address(inetAddress);
        }).toArray(i -> {
            return new InetAddress[i];
        });
        if (inetAddressArr2.length == 0) {
            throw new KafkaException(String.format("Unable to connect to the invalid endpoint URL: %s", Arrays.stream(inetAddressArr).map((v0) -> {
                return v0.getHostAddress();
            }).collect(Collectors.joining(", "))));
        }
        return inetAddressArr2;
    }

    private boolean filterV6Address(InetAddress inetAddress) {
        if (this.filterLocalAddresses && LOCAL_ADDRESS_TEST_PREDICATE.test(inetAddress)) {
            log.debug("Filtering out local IPv6 address {}", inetAddress);
            return false;
        }
        if (!this.filterPrivateAddresses || !PRIVATE_ADDRESS_TEST_PREDICATE.test(inetAddress)) {
            return true;
        }
        log.debug("Filtering out private IPv6 address {}", inetAddress);
        return false;
    }

    private boolean filterV4Address(InetAddress inetAddress) {
        if (isAllowedCidrRange(inetAddress)) {
            log.debug("Allowing IP address {} belonging to allow-list CIDR range: {}", inetAddress, this.allowCidrRanges);
            return true;
        }
        if (this.filterLocalAddresses && LOCAL_ADDRESS_TEST_PREDICATE.test(inetAddress)) {
            log.debug("Filtering out local IP address {}", inetAddress);
            return false;
        }
        if (this.filterPrivateAddresses && PRIVATE_ADDRESS_TEST_PREDICATE.test(inetAddress)) {
            log.debug("Filtering out private IP address {}", inetAddress);
            return false;
        }
        if (this.filterClassEAddresses && CLASS_E_ADDRESS_TEST_PREDICATE.test(inetAddress)) {
            log.debug("Filtering out class E IP address {}", inetAddress);
            return false;
        }
        if (!isDisallowedCidrRange(inetAddress)) {
            return true;
        }
        log.debug("Filtering out IP address {} belonging to block-list CIDR range: {}", inetAddress, this.disallowCidrRanges);
        return false;
    }
}
