package org.codehaus.plexus.redback.struts2.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/codehaus/plexus/redback/struts2/filter/RedbackCSRFFilter.class */
public class RedbackCSRFFilter implements Filter {
    private String randomClass;
    private Random randomizer;
    static final String CSRF_NONCE_SESSION_ATTR_NAME = "csrf_nonce_cache";
    static final String CSRF_NONCE_REQUEST_PARAM = "csrf_nonce";
    static final String PARAM_NONCE_CACHE_SIZE = "nonceCacheSize";
    static final String PARAM_RANDOM_CLASS = "randomClass";
    static final String PARAM_EXCLUDED_PATHS = "excludedPaths";
    static final String EXCLUDED_PATHS_SEPARATOR = ",";
    static final String HTTP_GET_METHOD = "GET";
    private static final Pattern extensionPattern = Pattern.compile("(\\.jpg$)|(\\.png$)|(\\.gif$)|(\\.css$)|(\\.js$)|(\\.ftl$)|(\\.ico$)", 2);
    private Logger log = LoggerFactory.getLogger(RedbackCSRFFilter.class);
    private int nonceCacheSize = 6;
    private List<String> excludedPaths = new ArrayList();

    public void init(FilterConfig filterConfig) throws ServletException {
        if (!StringUtils.isBlank(filterConfig.getInitParameter(PARAM_NONCE_CACHE_SIZE))) {
            this.nonceCacheSize = Integer.parseInt(filterConfig.getInitParameter(PARAM_NONCE_CACHE_SIZE));
        }
        if (!StringUtils.isBlank(filterConfig.getInitParameter(PARAM_EXCLUDED_PATHS))) {
            this.excludedPaths = new ArrayList(Arrays.asList(StringUtils.splitByWholeSeparator(filterConfig.getInitParameter(PARAM_EXCLUDED_PATHS), EXCLUDED_PATHS_SEPARATOR)));
        }
        this.randomClass = filterConfig.getInitParameter(PARAM_RANDOM_CLASS);
        if (StringUtils.isBlank(this.randomClass)) {
            this.randomClass = "java.security.SecureRandom";
        }
        try {
            this.randomizer = (Random) Class.forName(this.randomClass).newInstance();
        } catch (ClassNotFoundException e) {
            throw new ServletException("Class '" + this.randomClass + "' for generating random tokens to prevent CSRF attacks not found.", e);
        } catch (IllegalAccessException e2) {
            throw new ServletException("Illegal access error encountered when instantiating class '" + this.randomClass + "' for generating random token to prevent CSRF attacks.", e2);
        } catch (InstantiationException e3) {
            throw new ServletException("Failed to instantiate class '" + this.randomClass + "' for generating random tokens to prevent CSRF attacks.", e3);
        }
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        ServletResponse servletResponse2;
        if ((servletRequest instanceof HttpServletRequest) && (servletResponse instanceof HttpServletResponse)) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            boolean z = false;
            boolean z2 = true;
            if (HTTP_GET_METHOD.equals(httpServletRequest.getMethod())) {
                String str = httpServletRequest.getServletPath() + (httpServletRequest.getPathInfo() != null ? httpServletRequest.getPathInfo() : "");
                String[] splitByWholeSeparator = StringUtils.splitByWholeSeparator(str, "/");
                String str2 = "";
                boolean z3 = false;
                int i = 0;
                while (true) {
                    if (i >= splitByWholeSeparator.length) {
                        break;
                    }
                    str2 = str2 + "/" + splitByWholeSeparator[i];
                    if (this.excludedPaths.contains(str2 + "/**")) {
                        if (extensionPattern.matcher(StringUtils.substring(str, str.lastIndexOf("/") + 1)).find()) {
                            this.log.debug("Found a match in extensionPattern.");
                            z = true;
                            z2 = false;
                        }
                        z3 = true;
                    } else {
                        if (this.excludedPaths.contains("/" + str2 + "/**")) {
                            z3 = true;
                            z = true;
                            z2 = false;
                            break;
                        }
                        i++;
                    }
                }
                if (!z3 && this.excludedPaths.contains(str)) {
                    z = true;
                }
            }
            this.log.debug("Skip nonceCheck :: " + z);
            LruCache lruCache = (LruCache) httpServletRequest.getSession(true).getAttribute(CSRF_NONCE_SESSION_ATTR_NAME);
            if (!z) {
                String parameter = httpServletRequest.getParameter(CSRF_NONCE_REQUEST_PARAM);
                this.log.debug("Nonce found in request: " + parameter);
                String str3 = httpServletRequest.getScheme() + "://" + httpServletRequest.getServerName() + (httpServletRequest.getServerPort() > 0 ? ":" + httpServletRequest.getServerPort() : "") + "/" + StringUtils.stripStart(httpServletRequest.getContextPath(), "/");
                this.log.debug("Calculated base URL :: " + str3);
                String stringBuffer = httpServletRequest.getRequestURL().toString();
                this.log.debug("Request URL :: " + stringBuffer);
                if (str3.equalsIgnoreCase(stringBuffer) || (str3 + "/").equalsIgnoreCase(stringBuffer)) {
                    this.log.debug("Requested URL is the base URL. Setting nonceCache to null to reset it.");
                    lruCache = null;
                }
                if (lruCache != null && !lruCache.contains(decodeNonce(parameter))) {
                    this.log.error("Nonce not found in nonceCache! Request forbidden.");
                    this.log.debug("nonceCache keys:");
                    Iterator it = lruCache.getKeys().iterator();
                    while (it.hasNext()) {
                        this.log.debug(Base64.encodeBase64String(((String) it.next()).getBytes()));
                    }
                    httpServletResponse.sendError(403);
                    return;
                }
                if (lruCache == null) {
                    lruCache = new LruCache(this.nonceCacheSize);
                    httpServletRequest.getSession().setAttribute(CSRF_NONCE_SESSION_ATTR_NAME, lruCache);
                }
            }
            String generateEncodedNonce = generateEncodedNonce();
            this.log.debug("Generated encoded nonce: " + generateEncodedNonce);
            if (z2) {
                lruCache.add(decodeNonce(generateEncodedNonce));
            }
            servletResponse2 = new RedbackCSRFResponseWrapper(httpServletResponse, generateEncodedNonce);
        } else {
            servletResponse2 = servletResponse;
        }
        filterChain.doFilter(servletRequest, servletResponse2);
    }

    protected String generateEncodedNonce() {
        byte[] bArr = new byte[16];
        this.randomizer.nextBytes(bArr);
        byte[] bArr2 = new byte[17];
        for (int i = 0; i < bArr.length; i++) {
            bArr2[i] = bArr[i];
        }
        bArr2[16] = (byte) System.currentTimeMillis();
        return Base64.encodeBase64String(bArr2);
    }

    protected String decodeNonce(String str) {
        byte[] decodeBase64 = Base64.decodeBase64(str);
        return decodeBase64 != null ? new String(decodeBase64) : "";
    }

    public void destroy() {
    }

    public String getRandomClass() {
        return this.randomClass;
    }

    public void setRandomClass(String str) {
        this.randomClass = str;
    }

    public int getNonceCacheSize() {
        return this.nonceCacheSize;
    }

    public void setNonceCacheSize(int i) {
        this.nonceCacheSize = i;
    }

    public List<String> getExcludedPaths() {
        return this.excludedPaths;
    }

    public void setExcludedPaths(List<String> list) {
        this.excludedPaths = list;
    }

    public void setRandomizer(Random random) {
        this.randomizer = random;
    }
}
