package com.netflix.netty.common.proxyprotocol;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Sets;
import com.netflix.config.DynamicStringListProperty;
import com.netflix.netty.common.ssl.SslHandshakeInfo;
import com.netflix.zuul.netty.server.ssl.SslHandshakeInfoHandler;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.ssl.ClientAuth;
import io.netty.util.AsciiString;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

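/**
 * Inbound handler that removes client-supplied proxy headers (X-Forwarded-For, X-Forwarded-Port,
 * X-Forwarded-Proto, X-Forwarded-Proto-Version, X-Real-IP) from an {@link HttpRequest} unless the
 * connection is one this instance has been configured to trust.
 *
 * <p>Trust is decided per {@link AllowWhen}:
 * <ul>
 *   <li>{@code ALWAYS} – headers are kept, except for requests whose {@code Host} is listed in
 *       {@code zuul.proxy.headers.host.blacklist}.</li>
 *   <li>{@code MUTUAL_SSL_AUTH} – headers are kept (subject to the same blacklist) only when the
 *       channel carries an {@link SslHandshakeInfo} whose client-auth requirement is
 *       {@link ClientAuth#REQUIRE}; otherwise they are stripped.</li>
 *   <li>{@code NEVER}, or any unrecognised value – headers are always stripped (fail closed).</li>
 * </ul>
 *
 * <p>Security notes for whoever wires this into a pipeline:
 * <ul>
 *   <li>Only {@link HttpRequest} messages are inspected; it must sit after the HTTP decoder, and
 *       for {@code MUTUAL_SSL_AUTH} after {@link SslHandshakeInfoHandler}, since it reads that
 *       handler's channel attribute. A missing attribute is treated as "not trusted".</li>
 *   <li>The mutual-TLS check only looks at the handshake's configured client-auth requirement; it
 *       does not examine the peer certificate itself. Whether {@code REQUIRE} implies a validated
 *       client certificate depends on the SSL handler that produced the attribute.</li>
 *   <li>The stripped header set is fixed. Other forwarded headers (e.g. X-Forwarded-Host, the RFC
 *       7239 {@code Forwarded} header) are NOT removed here, so downstream code must not treat them
 *       as trustworthy unless they are added to {@link #HEADERS_TO_STRIP}.</li>
 *   <li>The Host blacklist is a case-insensitive exact match against the first {@code Host} header
 *       value, so {@code example.com} and {@code example.com:443} are distinct entries.</li>
 * </ul>
 *
 * <p>The handler is {@code @Sharable}: its only state is the immutable {@link #allowWhen}.
 */
@ChannelHandler.Sharable
public class StripUntrustedProxyHeadersHandler extends ChannelInboundHandlerAdapter {

    /**
     * Comma-separated, dynamically reloadable list of Host values whose proxy headers are never
     * trusted, even when the mode would otherwise allow them. Default is empty (no hosts).
     */
    private static final DynamicStringListProperty XFF_BLACKLIST =
            new DynamicStringListProperty("zuul.proxy.headers.host.blacklist", "");

    /**
     * Headers removed from untrusted requests. These are the ones a client could forge to spoof its
     * source address, port or scheme as seen by code behind this handler; anything not listed here
     * passes through untouched.
     */
    private static final Collection<AsciiString> HEADERS_TO_STRIP = Sets.newHashSet(
            new AsciiString("x-forwarded-for"),
            new AsciiString("x-forwarded-port"),
            new AsciiString("x-forwarded-proto"),
            new AsciiString("x-forwarded-proto-version"),
            new AsciiString("x-real-ip"));

    /** Policy deciding when client-supplied proxy headers may be kept. Never null. */
    private final AllowWhen allowWhen;

    /** When inbound proxy headers are allowed to survive this handler. */
    public enum AllowWhen {
        /** Keep the headers unless the request's Host is blacklisted. */
        ALWAYS,
        /** Keep the headers only on connections where client-certificate auth was required. */
        MUTUAL_SSL_AUTH,
        /** Always strip the headers. */
        NEVER
    }

    /**
     * @param allowWhen trust policy for inbound proxy headers
     * @throws NullPointerException if {@code allowWhen} is null (checked here rather than failing on
     *         the first request, so a misconfigured pipeline is caught at startup)
     */
    public StripUntrustedProxyHeadersHandler(AllowWhen allowWhen) {
        if (allowWhen == null) {
            throw new NullPointerException("allowWhen");
        }
        this.allowWhen = allowWhen;
    }

    /**
     * Applies the trust policy to each {@link HttpRequest} and then forwards the message unchanged
     * in identity (the request object itself is mutated in place). Non-request messages such as
     * body content are passed straight through.
     */
    @Override
    public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (obj instanceof HttpRequest) {
            HttpRequest httpRequest = (HttpRequest) obj;
            if (proxyHeadersTrustedOn(channelHandlerContext.channel())) {
                // Trusted transport, but an explicitly blacklisted Host still loses its headers.
                checkBlacklist(httpRequest, XFF_BLACKLIST.get());
            } else {
                stripXFFHeaders(httpRequest);
            }
        }
        super.channelRead(channelHandlerContext, obj);
    }

    /**
     * Resolves the configured {@link AllowWhen} against the given channel.
     *
     * @return true if proxy headers from this channel may be kept (subject to the Host blacklist)
     */
    private boolean proxyHeadersTrustedOn(Channel channel) {
        switch (this.allowWhen) {
            case ALWAYS:
                return true;
            case MUTUAL_SSL_AUTH:
                return connectionIsUsingMutualSSLWithAuthEnforced(channel);
            case NEVER:
            default:
                // Fail closed: an unknown mode must never let forged headers through.
                return false;
        }
    }

    /**
     * Reports whether the channel's TLS handshake (as recorded by {@link SslHandshakeInfoHandler})
     * was configured to require a client certificate.
     *
     * @return true only when handshake info is present and its client-auth requirement is
     *         {@link ClientAuth#REQUIRE}; a plaintext channel or a missing attribute yields false
     */
    @VisibleForTesting
    boolean connectionIsUsingMutualSSLWithAuthEnforced(Channel channel) {
        SslHandshakeInfo sslHandshakeInfo = channel.attr(SslHandshakeInfoHandler.ATTR_SSL_INFO).get();
        return sslHandshakeInfo != null
                && sslHandshakeInfo.getClientAuthRequirement() == ClientAuth.REQUIRE;
    }

    /**
     * Removes every header in {@link #HEADERS_TO_STRIP} from the request. Header names are matched
     * case-insensitively by Netty's {@link HttpHeaders#remove(CharSequence)}.
     */
    @VisibleForTesting
    void stripXFFHeaders(HttpRequest httpRequest) {
        HttpHeaders headers = httpRequest.headers();
        for (AsciiString name : HEADERS_TO_STRIP) {
            headers.remove(name);
        }
    }

    /**
     * Strips the proxy headers if the request's {@code Host} header (first value, compared
     * case-insensitively and exactly) appears in {@code list}.
     *
     * @param httpRequest request to inspect and possibly mutate
     * @param list        blacklisted Host values; null, empty, or containing null entries is
     *                    tolerated and simply matches nothing
     */
    @VisibleForTesting
    void checkBlacklist(HttpRequest httpRequest, List<String> list) {
        if (list == null || list.isEmpty()) {
            return;
        }
        // Look the Host up once rather than once per blacklist entry.
        String host = httpRequest.headers().get(HttpHeaderNames.HOST);
        if (host == null) {
            // No Host header: nothing can match, so the headers are left alone (same as before).
            return;
        }
        for (String blocked : list) {
            if (blocked != null && blocked.equalsIgnoreCase(host)) {
                stripXFFHeaders(httpRequest);
                return;
            }
        }
    }
}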
