package org.elasticsearch.xpack.security.transport.filter;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.stream.Stream;
import org.elasticsearch.ElasticsearchException;
import org.elasticsearch.common.network.InetAddresses;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.transport.InetSocketTransportAddress;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.watcher.watch.Watch;
import org.jboss.netty.handler.ipfilter.IpFilterRule;
import org.jboss.netty.handler.ipfilter.IpSubnetFilterRule;
import org.jboss.netty.handler.ipfilter.PatternRule;

/* loaded from: input_file:org/elasticsearch/xpack/security/transport/filter/SecurityIpFilterRule.class */
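/**
 * One allow/deny entry of the transport IP filter.
 *
 * <p>Each instance wraps a Netty {@link IpFilterRule} built from a textual rule
 * specification and remembers that specification for {@link #toString()}.
 * {@link #ACCEPT_ALL} and {@link #DENY_ALL} are catch-all rules that match every
 * address.
 *
 * <p>NOTE(review): this listing is decompiler output. The order in which rules are
 * evaluated is decided by the caller and is not visible here; because the catch-all
 * rules match every address, their position in that order determines the effective
 * policy. Confirm against the filter that consumes these rules.
 */
public class SecurityIpFilterRule implements IpFilterRule {

    /**
     * Catch-all allow rule. All three delegating methods are overridden, so the
     * delegate rule created by the superclass constructor is never consulted.
     */
    public static final SecurityIpFilterRule ACCEPT_ALL = new SecurityIpFilterRule(true, "accept_all") {
        @Override
        public boolean contains(InetAddress inetAddress) {
            return true;
        }

        @Override
        public boolean isAllowRule() {
            return true;
        }

        @Override
        public boolean isDenyRule() {
            return false;
        }
    };

    /**
     * Catch-all deny rule. The {@code true} passed to the superclass constructor only
     * shapes the unused delegate; the overrides below are what make this a deny rule
     * (and make {@link #toString()} print {@code "deny deny_all"}).
     */
    public static final SecurityIpFilterRule DENY_ALL = new SecurityIpFilterRule(true, "deny_all") {
        @Override
        public boolean contains(InetAddress inetAddress) {
            return true;
        }

        @Override
        public boolean isAllowRule() {
            return false;
        }

        @Override
        public boolean isDenyRule() {
            return true;
        }
    };

    private final IpFilterRule ipFilterRule;
    private final String ruleSpec;

    /**
     * Builds a rule from a textual specification.
     *
     * @param isAllow  {@code true} for an allow rule, {@code false} for a deny rule
     * @param ruleSpec comma-separated rule values; see {@link #getRule(boolean, String)}
     * @throws IllegalArgumentException if the specification mixes the catch-all value or
     *                                  a subnet with other values
     * @throws ElasticsearchException   if a subnet specification cannot be resolved
     */
    public SecurityIpFilterRule(boolean isAllow, String ruleSpec) {
        this.ipFilterRule = getRule(isAllow, ruleSpec);
        this.ruleSpec = ruleSpec;
    }

    /**
     * Builds a rule that matches the IP addresses of the given transport addresses.
     *
     * <p>The decompiler widened this constructor to {@code public}; it was
     * package-private in the compiled class.
     *
     * <p>NOTE(review): with no addresses the specification is the empty string, which
     * {@link #getRule(boolean, String)} turns into the pattern {@code "n:"}. What that
     * pattern matches is not visible here; confirm callers never pass an empty array.
     *
     * @param isAllow   {@code true} for an allow rule, {@code false} for a deny rule
     * @param addresses transport addresses whose IPs the rule should match
     */
    public SecurityIpFilterRule(boolean isAllow, TransportAddress... addresses) {
        this.ruleSpec = getRuleSpec(addresses);
        this.ipFilterRule = getRule(isAllow, this.ruleSpec);
    }

    /** Returns whether the wrapped rule matches the given address. */
    public boolean contains(InetAddress inetAddress) {
        return this.ipFilterRule.contains(inetAddress);
    }

    /** Returns whether a match on this rule means the connection is accepted. */
    public boolean isAllowRule() {
        return this.ipFilterRule.isAllowRule();
    }

    /** Returns whether a match on this rule means the connection is rejected. */
    public boolean isDenyRule() {
        return this.ipFilterRule.isDenyRule();
    }

    /** Renders the rule as {@code "allow <spec>"} or {@code "deny <spec>"}. */
    @Override
    public String toString() {
        return (isAllowRule() ? "allow " : "deny ") + this.ruleSpec;
    }

    /**
     * Translates a textual rule specification into a Netty filter rule.
     *
     * <ul>
     *   <li>If any comma-separated value equals the catch-all marker, it must be the
     *       only value and {@link #ACCEPT_ALL} or {@link #DENY_ALL} is returned.</li>
     *   <li>If the specification contains {@code '/'} it is treated as a single subnet
     *       and handed to {@link IpSubnetFilterRule}.</li>
     *   <li>Otherwise every value is prefixed with {@code "i:"} when it parses as an IP
     *       literal and {@code "n:"} when it does not, and the joined string is handed
     *       to {@link PatternRule}.</li>
     * </ul>
     *
     * @param isAllow  {@code true} for an allow rule, {@code false} for a deny rule
     * @param ruleSpec comma-separated rule values
     * @return the filter rule for the specification
     * @throws IllegalArgumentException if the catch-all marker or a subnet is combined
     *                                  with other values
     * @throws ElasticsearchException   if the subnet rule cannot be created
     */
    static IpFilterRule getRule(boolean isAllow, String ruleSpec) {
        String[] values = ruleSpec.split(",");

        // Presumably "_all", as the error message below says. The reference to a watcher
        // constant looks like the decompiler substituting an equal-valued constant, and
        // the decompiled lambda referred to an undefined variable here. TODO confirm.
        if (Arrays.stream(values).anyMatch(Watch.ALL_ACTIONS_ID::equals)) {
            if (values.length != 1) {
                throw new IllegalArgumentException("rules that specify _all may not have other values!");
            }
            return isAllow ? ACCEPT_ALL : DENY_ALL;
        }

        // The '/' test is made on the whole specification, so a subnet anywhere in a
        // multi-valued rule is rejected rather than silently narrowed or widened.
        if (ruleSpec.contains("/")) {
            if (values.length != 1) {
                throw new IllegalArgumentException("multiple subnet filters cannot be specified in a single rule!");
            }
            try {
                return new IpSubnetFilterRule(isAllow, ruleSpec);
            } catch (UnknownHostException e) {
                throw new ElasticsearchException("unable to create ip filter for rule [" + (isAllow ? "allow " : "deny ") + " " + ruleSpec + "]", e, new Object[0]);
            }
        }

        // NOTE(review): values that are not IP literals are tagged as name patterns.
        // Matching those presumably depends on resolving the peer's host name, so such
        // rules are only as trustworthy as the resolver in use; verify before relying on
        // host-name rules for access control.
        String[] patterns = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            String prefix = InetAddresses.isInetAddress(values[i]) ? "i:" : "n:";
            patterns[i] = prefix + values[i];
        }
        return new PatternRule(isAllow, String.join(",", patterns));
    }

    /**
     * Formats the IP addresses of the given transport addresses as a comma-separated
     * rule specification.
     *
     * @param addresses transport addresses; each is cast to
     *                  {@link InetSocketTransportAddress}, so any other implementation
     *                  fails with {@link ClassCastException} (or {@link AssertionError}
     *                  when assertions are enabled)
     * @return the comma-separated addresses, or the empty string for no addresses
     */
    static String getRuleSpec(TransportAddress... addresses) {
        String[] formatted = new String[addresses.length];
        for (int i = 0; i < addresses.length; i++) {
            TransportAddress address = addresses[i];
            assert address instanceof InetSocketTransportAddress;
            formatted[i] = NetworkAddress.format(((InetSocketTransportAddress) address).address().getAddress());
        }
        return String.join(",", formatted);
    }
}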
