package prizm.http;

import com.mchange.v2.c3p0.subst.C3P0Substitutions;
import java.io.IOException;
import java.math.BigInteger;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.MultipartConfigElement;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.client.methods.HttpTrace;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.SecurityHandler;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.server.handler.gzip.GzipHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.servlets.CrossOriginFilter;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import prizm.Constants;
import prizm.Prizm;
import prizm.crypto.SSLCert;
import prizm.util.Convert;
import prizm.util.Logger;
import prizm.util.ThreadPool;
import prizm.util.UPnP;

/* loaded from: input_file:prizm/http/API.class */
public final class API {
    public static final int TESTNET_API_PORT = 6576;
    public static final int TESTNET_API_SSLPORT = 6577;
    public static final int openAPIPort;
    public static final int openAPISSLPort;
    public static final boolean isOpenAPI;
    public static final List<String> disabledAPIs;
    public static final List<APITag> disabledAPITags;
    private static final Set<String> allowedBotHosts;
    private static final List<NetworkAddress> allowedBotNets;
    static final boolean disableAdminPassword;
    private static final Server apiServer;
    private static URI welcomePageUri;
    private static URI serverRootUri;
    private static final String[] DISABLED_HTTP_METHODS = {HttpTrace.METHOD_NAME, "OPTIONS", "HEAD"};
    private static final Map<String, PasswordCount> incorrectPasswords = new HashMap();
    public static final String adminPassword = Prizm.getStringProperty("prizm.adminPassword", "", true);
    static final int maxRecords = Prizm.getIntProperty("prizm.maxAPIRecords");
    static final boolean enableAPIUPnP = Prizm.getBooleanProperty("prizm.enableAPIUPnP");
    public static final int apiServerIdleTimeout = Prizm.getIntProperty("prizm.apiServerIdleTimeout");
    public static final boolean apiServerCORS = Prizm.getBooleanProperty("prizm.apiServerCORS");
    private static final String forwardedForHeader = Prizm.getStringProperty("prizm.forwardedForHeader");

    /* loaded from: input_file:prizm/http/API$NetworkAddress.class */
    private static class NetworkAddress {
        private BigInteger netAddress;
        private BigInteger netMask;

        private NetworkAddress(String str) throws UnknownHostException {
            String[] split = str.split("/");
            if (split.length != 2) {
                throw new IllegalArgumentException("Invalid address: " + str);
            }
            InetAddress byName = InetAddress.getByName(split[0]);
            this.netAddress = new BigInteger(1, byName.getAddress());
            int intValue = Integer.valueOf(split[1]).intValue();
            int i = byName instanceof Inet4Address ? 32 : 128;
            this.netMask = BigInteger.ZERO.setBit(i).subtract(BigInteger.ONE).subtract(BigInteger.ZERO.setBit(i - intValue).subtract(BigInteger.ONE));
        }

        private boolean contains(BigInteger bigInteger) {
            return bigInteger.and(this.netMask).equals(this.netAddress);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:prizm/http/API$PasswordCount.class */
    public static class PasswordCount {
        private int count;
        private int time;

        private PasswordCount() {
        }
    }

    /* loaded from: input_file:prizm/http/API$XFrameOptionsFilter.class */
    public static final class XFrameOptionsFilter implements Filter {
        @Override // javax.servlet.Filter
        public void init(FilterConfig filterConfig) throws ServletException {
        }

        @Override // javax.servlet.Filter
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            ((HttpServletResponse) servletResponse).setHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
            filterChain.doFilter(servletRequest, servletResponse);
        }

        @Override // javax.servlet.Filter
        public void destroy() {
        }
    }

    public static void init() {
    }

    public static void shutdown() {
        if (apiServer != null) {
            try {
                apiServer.stop();
                if (enableAPIUPnP) {
                    for (Connector connector : apiServer.getConnectors()) {
                        if (connector instanceof ServerConnector) {
                            UPnP.deletePort(((ServerConnector) connector).getPort());
                        }
                    }
                }
            } catch (Exception e) {
                Logger.logShutdownMessage("Failed to stop API server", e);
            }
        }
    }

    public static void verifyPassword(HttpServletRequest httpServletRequest) throws ParameterException {
        if (disableAdminPassword) {
            return;
        }
        if (adminPassword.isEmpty()) {
            throw new ParameterException(JSONResponses.NO_PASSWORD_IN_CONFIG);
        }
        checkOrLockPassword(httpServletRequest);
    }

    public static boolean checkPassword(HttpServletRequest httpServletRequest) {
        if (disableAdminPassword) {
            return true;
        }
        if (adminPassword.isEmpty() || Convert.emptyToNull(httpServletRequest.getParameter("adminPassword")) == null) {
            return false;
        }
        try {
            checkOrLockPassword(httpServletRequest);
            return true;
        } catch (ParameterException e) {
            return false;
        }
    }

    private static void checkOrLockPassword(HttpServletRequest httpServletRequest) throws ParameterException {
        int epochTime = Prizm.getEpochTime();
        String str = null;
        if (forwardedForHeader != null) {
            str = httpServletRequest.getHeader(forwardedForHeader);
        }
        if (str == null) {
            str = httpServletRequest.getRemoteHost();
        }
        synchronized (incorrectPasswords) {
            PasswordCount passwordCount = incorrectPasswords.get(str);
            if (passwordCount != null && passwordCount.count >= 25 && epochTime - passwordCount.time < 3600) {
                Logger.logWarningMessage("Too many incorrect admin password attempts from " + str);
                throw new ParameterException(JSONResponses.LOCKED_ADMIN_PASSWORD);
            }
            String nullToEmpty = Convert.nullToEmpty(httpServletRequest.getParameter("adminPassword"));
            if (!adminPassword.equals(nullToEmpty)) {
                if (nullToEmpty.length() <= 0) {
                    throw new ParameterException(JSONResponses.MISSING_ADMIN_PASSWORD);
                }
                if (passwordCount == null) {
                    passwordCount = new PasswordCount();
                    incorrectPasswords.put(str, passwordCount);
                    if (incorrectPasswords.size() > 1000) {
                        ArrayList arrayList = new ArrayList(incorrectPasswords.keySet());
                        incorrectPasswords.remove(arrayList.get(new Random().nextInt(arrayList.size())));
                    }
                }
                passwordCount.count++;
                passwordCount.time = epochTime;
                Logger.logWarningMessage("Incorrect adminPassword from " + str);
                throw new ParameterException(JSONResponses.INCORRECT_ADMIN_PASSWORD);
            }
            if (passwordCount != null) {
                incorrectPasswords.remove(str);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isAllowed(String str) {
        if (allowedBotHosts == null || allowedBotHosts.contains(str)) {
            return true;
        }
        try {
            BigInteger bigInteger = new BigInteger(InetAddress.getByName(str).getAddress());
            Iterator<NetworkAddress> it = allowedBotNets.iterator();
            while (it.hasNext()) {
                if (it.next().contains(bigInteger)) {
                    return true;
                }
            }
            return false;
        } catch (UnknownHostException e) {
            Logger.logMessage("Unknown remote host " + str);
            return false;
        }
    }

    private static void disableHttpMethods(ServletContextHandler servletContextHandler) {
        SecurityHandler securityHandler = servletContextHandler.getSecurityHandler();
        if (securityHandler == null) {
            securityHandler = new ConstraintSecurityHandler();
            servletContextHandler.setSecurityHandler(securityHandler);
        }
        disableHttpMethods(securityHandler);
    }

    private static void disableHttpMethods(SecurityHandler securityHandler) {
        if (securityHandler instanceof ConstraintSecurityHandler) {
            ConstraintSecurityHandler constraintSecurityHandler = (ConstraintSecurityHandler) securityHandler;
            for (String str : DISABLED_HTTP_METHODS) {
                disableHttpMethod(constraintSecurityHandler, str);
            }
            ConstraintMapping constraintMapping = new ConstraintMapping();
            Constraint constraint = new Constraint();
            constraint.setName("Enable everything but TRACE");
            constraintMapping.setConstraint(constraint);
            constraintMapping.setMethodOmissions(DISABLED_HTTP_METHODS);
            constraintMapping.setPathSpec("/");
            constraintSecurityHandler.addConstraintMapping(constraintMapping);
        }
    }

    private static void disableHttpMethod(ConstraintSecurityHandler constraintSecurityHandler, String str) {
        ConstraintMapping constraintMapping = new ConstraintMapping();
        Constraint constraint = new Constraint();
        constraint.setName("Disable " + str);
        constraint.setAuthenticate(true);
        constraintMapping.setConstraint(constraint);
        constraintMapping.setPathSpec("/");
        constraintMapping.setMethod(str);
        constraintSecurityHandler.addConstraintMapping(constraintMapping);
    }

    public static URI getWelcomePageUri() {
        return welcomePageUri;
    }

    public static URI getServerRootUri() {
        return serverRootUri;
    }

    private API() {
    }

    static {
        boolean z;
        SslContextFactory sslContextFactory;
        ArrayList arrayList = new ArrayList(Prizm.getStringListProperty("prizm.disabledAPIs"));
        Collections.sort(arrayList);
        disabledAPIs = Collections.unmodifiableList(arrayList);
        List<String> stringListProperty = Prizm.getStringListProperty("prizm.disabledAPITags");
        Collections.sort(stringListProperty);
        ArrayList arrayList2 = new ArrayList(stringListProperty.size());
        stringListProperty.forEach(str -> {
            arrayList2.add(APITag.fromDisplayName(str));
        });
        disabledAPITags = Collections.unmodifiableList(arrayList2);
        List<String> stringListProperty2 = Prizm.getStringListProperty("prizm.allowedBotHosts");
        if (stringListProperty2.contains("*")) {
            allowedBotHosts = null;
            allowedBotNets = null;
        } else {
            HashSet hashSet = new HashSet();
            ArrayList arrayList3 = new ArrayList();
            for (String str2 : stringListProperty2) {
                if (str2.contains("/")) {
                    try {
                        arrayList3.add(new NetworkAddress(str2));
                    } catch (UnknownHostException e) {
                        Logger.logErrorMessage("Unknown network " + str2, e);
                        throw new RuntimeException(e.toString(), e);
                    }
                } else {
                    hashSet.add(str2);
                }
            }
            allowedBotHosts = Collections.unmodifiableSet(hashSet);
            allowedBotNets = Collections.unmodifiableList(arrayList3);
        }
        if (!Prizm.getBooleanProperty("prizm.enableAPIServer")) {
            apiServer = null;
            disableAdminPassword = false;
            openAPIPort = 0;
            openAPISSLPort = 0;
            isOpenAPI = false;
            Logger.logMessage("API server not enabled");
            return;
        }
        int intProperty = Constants.isTestnet ? TESTNET_API_PORT : Prizm.getIntProperty("prizm.apiServerPort");
        int intProperty2 = Constants.isTestnet ? TESTNET_API_SSLPORT : Prizm.getIntProperty("prizm.apiServerSSLPort");
        String stringProperty = Prizm.getStringProperty("prizm.apiServerHost");
        disableAdminPassword = Prizm.getBooleanProperty("prizm.disableAdminPassword") || ("127.0.0.1".equals(stringProperty) && adminPassword.isEmpty());
        apiServer = new Server();
        String stringProperty2 = Prizm.getStringProperty("prizm.keyStoreType");
        String stringProperty3 = Prizm.getStringProperty("prizm.keyStorePassword", null, true);
        boolean booleanProperty = Prizm.getBooleanProperty("prizm.apiSSL");
        boolean booleanProperty2 = Prizm.getBooleanProperty("prizm.apiServerEnforceSSL", true);
        boolean equals = stringProperty.equals("127.0.0.1");
        String stringProperty4 = Prizm.getStringProperty("prizm.keyStorePath");
        if (!booleanProperty2 || booleanProperty || equals) {
            z = booleanProperty;
        } else {
            stringProperty3 = adminPassword.length() == 0 ? "DefaultPrizmSSLPassword" : adminPassword;
            SSLCert sSLCert = new SSLCert(stringProperty3);
            String path = Paths.get(Prizm.getUserHomeDir(), new String[0]).resolve(Paths.get("prizm.default.ks", new String[0])).toString();
            if (sSLCert.isValid(path)) {
                Logger.logInfoMessage("SSLEnforce: Default keystore already exists");
            } else {
                Logger.logInfoMessage("SSLEnforce: Creating keystore: " + path);
                Logger.logWarningMessage("SSLEnforce: We generated SSL certificate for you. Please remember it's SHA-1 fingerprint: \n ----------- SSL CERTIFICATE SHA1 FINGERPRINT -----------\n" + sSLCert.write(path) + "\n ----------- END OF FINGERPRINT -----------");
            }
            stringProperty2 = "JKS";
            stringProperty4 = "prizm.default.ks";
            z = true;
        }
        if (!z || intProperty != intProperty2) {
            HttpConfiguration httpConfiguration = new HttpConfiguration();
            httpConfiguration.setSendDateHeader(false);
            httpConfiguration.setSendServerVersion(false);
            ServerConnector serverConnector = new ServerConnector(apiServer, new HttpConnectionFactory(httpConfiguration));
            serverConnector.setPort(intProperty);
            serverConnector.setHost(stringProperty);
            serverConnector.setIdleTimeout(apiServerIdleTimeout);
            serverConnector.setReuseAddress(true);
            apiServer.addConnector(serverConnector);
            Logger.logMessage("API server using HTTP port " + intProperty);
        }
        if (z) {
            HttpConfiguration httpConfiguration2 = new HttpConfiguration();
            httpConfiguration2.setSendDateHeader(false);
            httpConfiguration2.setSendServerVersion(false);
            httpConfiguration2.setSecureScheme("https");
            httpConfiguration2.setSecurePort(intProperty2);
            httpConfiguration2.addCustomizer(new SecureRequestCustomizer());
            sslContextFactory = new SslContextFactory();
            String path2 = Paths.get(Prizm.getUserHomeDir(), new String[0]).resolve(Paths.get(stringProperty4, new String[0])).toString();
            Logger.logInfoMessage("Using keystore: " + path2);
            sslContextFactory.setKeyStorePath(path2);
            sslContextFactory.setKeyStorePassword(stringProperty3);
            sslContextFactory.addExcludeCipherSuites("SSL_RSA_WITH_DES_CBC_SHA", "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
            sslContextFactory.addExcludeProtocols("SSLv3");
            sslContextFactory.setKeyStoreType(stringProperty2);
            List<String> stringListProperty3 = Prizm.getStringListProperty("prizm.apiSSLCiphers");
            if (!stringListProperty3.isEmpty()) {
                sslContextFactory.setIncludeCipherSuites((String[]) stringListProperty3.toArray(new String[stringListProperty3.size()]));
            }
            ServerConnector serverConnector2 = new ServerConnector(apiServer, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(httpConfiguration2));
            serverConnector2.setPort(intProperty2);
            serverConnector2.setHost(stringProperty);
            serverConnector2.setIdleTimeout(apiServerIdleTimeout);
            serverConnector2.setReuseAddress(true);
            apiServer.addConnector(serverConnector2);
            Logger.logMessage("API server using HTTPS port " + intProperty2);
        } else {
            sslContextFactory = null;
        }
        String str3 = (StringUtil.ALL_INTERFACES.equals(stringProperty) || "127.0.0.1".equals(stringProperty)) ? "localhost" : stringProperty;
        try {
            welcomePageUri = new URI(z ? "https" : "http", null, str3, z ? intProperty2 : intProperty, "/index.html", null, null);
            serverRootUri = new URI(z ? "https" : "http", null, str3, z ? intProperty2 : intProperty, "", null, null);
        } catch (URISyntaxException e2) {
            Logger.logInfoMessage("Cannot resolve browser URI", e2);
        }
        openAPIPort = (Constants.isLightClient || !StringUtil.ALL_INTERFACES.equals(stringProperty) || allowedBotHosts != null || (z && intProperty == intProperty2)) ? 0 : intProperty;
        openAPISSLPort = (!Constants.isLightClient && StringUtil.ALL_INTERFACES.equals(stringProperty) && allowedBotHosts == null && z) ? intProperty2 : 0;
        isOpenAPI = openAPIPort > 0 || openAPISSLPort > 0;
        HandlerList handlerList = new HandlerList();
        ServletContextHandler servletContextHandler = new ServletContextHandler();
        String stringProperty5 = Prizm.getStringProperty("prizm.apiResourceBase");
        if (stringProperty5 != null) {
            ServletHolder servletHolder = new ServletHolder(new DefaultServlet());
            servletHolder.setInitParameter("dirAllowed", "false");
            servletHolder.setInitParameter("resourceBase", stringProperty5);
            servletHolder.setInitParameter("welcomeServlets", C3P0Substitutions.DEBUG);
            servletHolder.setInitParameter("redirectWelcome", C3P0Substitutions.DEBUG);
            servletHolder.setInitParameter(GzipHandler.GZIP, C3P0Substitutions.DEBUG);
            servletHolder.setInitParameter("etags", C3P0Substitutions.DEBUG);
            servletContextHandler.addServlet(servletHolder, "/*");
            servletContextHandler.setWelcomeFiles(new String[]{Prizm.getStringProperty("prizm.apiWelcomeFile")});
        }
        String stringProperty6 = Prizm.getStringProperty("prizm.javadocResourceBase");
        if (stringProperty6 != null) {
            ContextHandler contextHandler = new ContextHandler("/doc");
            ResourceHandler resourceHandler = new ResourceHandler();
            resourceHandler.setDirectoriesListed(false);
            resourceHandler.setWelcomeFiles(new String[]{"index.html"});
            resourceHandler.setResourceBase(stringProperty6);
            contextHandler.setHandler(resourceHandler);
            handlerList.addHandler(contextHandler);
        }
        servletContextHandler.addServlet(APIServlet.class, "/prizm").getRegistration().setMultipartConfig(new MultipartConfigElement(null, 0L, -1L, 0));
        ServletHolder addServlet = servletContextHandler.addServlet(APIProxyServlet.class, "/prizm-proxy");
        addServlet.setInitParameters(Collections.singletonMap("idleTimeout", Math.max(apiServerIdleTimeout - 5000, 0)));
        addServlet.getRegistration().setMultipartConfig(new MultipartConfigElement(null, 0L, -1L, 0));
        GzipHandler gzipHandler = new GzipHandler();
        if (!Prizm.getBooleanProperty("prizm.enableAPIServerGZIPFilter", isOpenAPI)) {
            gzipHandler.setExcludedPaths("/prizm", "/prizm-proxy");
        }
        gzipHandler.setIncludedMethods("GET", "POST");
        gzipHandler.setMinGzipSize(256);
        servletContextHandler.setGzipHandler(gzipHandler);
        servletContextHandler.addServlet(APITestServlet.class, "/test");
        servletContextHandler.addServlet(APITestServlet.class, "/test-proxy");
        servletContextHandler.addServlet(DbShellServlet.class, "/dbshell");
        if (apiServerCORS) {
            FilterHolder addFilter = servletContextHandler.addFilter(CrossOriginFilter.class, "/*", (EnumSet<DispatcherType>) null);
            addFilter.setInitParameter(CrossOriginFilter.ALLOWED_HEADERS_PARAM, "*");
            addFilter.setAsyncSupported(true);
        }
        if (Prizm.getBooleanProperty("prizm.apiFrameOptionsSameOrigin")) {
            servletContextHandler.addFilter(XFrameOptionsFilter.class, "/*", (EnumSet<DispatcherType>) null).setAsyncSupported(true);
        }
        disableHttpMethods(servletContextHandler);
        handlerList.addHandler(servletContextHandler);
        handlerList.addHandler(new DefaultHandler());
        apiServer.setHandler(handlerList);
        apiServer.setStopAtShutdown(true);
        SslContextFactory sslContextFactory2 = sslContextFactory;
        boolean z2 = z;
        ThreadPool.runBeforeStart(() -> {
            try {
                if (enableAPIUPnP) {
                    for (Connector connector : apiServer.getConnectors()) {
                        if (connector instanceof ServerConnector) {
                            UPnP.addPort(((ServerConnector) connector).getPort());
                        }
                    }
                }
                APIServlet.initClass();
                APIProxyServlet.initClass();
                APITestServlet.initClass();
                apiServer.start();
                if (sslContextFactory2 != null) {
                    Logger.logDebugMessage("API SSL Protocols: " + Arrays.toString(sslContextFactory2.getSelectedProtocols()));
                    Logger.logDebugMessage("API SSL Ciphers: " + Arrays.toString(sslContextFactory2.getSelectedCipherSuites()));
                }
                Logger.logMessage("Started API server at " + stringProperty + ":" + intProperty + ((!z2 || intProperty == intProperty2) ? "" : ", " + stringProperty + ":" + intProperty2));
            } catch (Exception e3) {
                Logger.logErrorMessage("Failed to start API server", e3);
                throw new RuntimeException(e3.toString(), e3);
            }
        }, true);
    }
}
