package org.sonar.server.authentication;

import com.google.common.collect.ImmutableSet;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Set;
import java.util.stream.Stream;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;
import org.sonar.server.issue.IssueUpdater;

/* loaded from: input_file:org/sonar/server/authentication/JwtCsrfVerifier.class */
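/**
 * CSRF protection for JWT-authenticated requests, double-submit style.
 *
 * <p>{@link #generateState} creates a random state value, sends it to the browser in the
 * {@code XSRF-TOKEN} cookie and returns it to the caller (presumably to be stored in the JWT —
 * confirm against the caller). {@link #verifyState} later requires state-changing {@code /api}
 * requests to echo that value in the {@code X-XSRF-TOKEN} header and compares it against the
 * reference value the caller supplies.
 *
 * <p>Stateless; safe to share between threads.
 */
public class JwtCsrfVerifier {
    private static final String CSRF_STATE_COOKIE = "XSRF-TOKEN";
    private static final String CSRF_HEADER = "X-XSRF-TOKEN";
    private static final String API_URL = "/api";
    // Only these methods are verified. NOTE(review): PATCH is not listed, so a PATCH to /api is
    // never CSRF-checked — confirm that is intended.
    private static final Set<String> UPDATE_METHODS = ImmutableSet.of("POST", "PUT", "DELETE");
    // Legacy (Rails) web services exempt from the check. Matched by prefix (see isRailsWsUrl), so
    // any path starting with one of these entries is exempt as well.
    private static final Set<String> RAILS_UPDATE_API_URLS = ImmutableSet.of(
        "/api/events", "/api/favourites", "/api/issues/add_comment", "/api/issues/delete_comment",
        "/api/issues/edit_comment", "/api/issues/bulk_change", "/api/projects/create",
        "/api/properties/create", "/api/server", "/api/user_properties");
    // SecureRandom is thread-safe; one shared instance avoids seeding a new generator per call.
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int STATE_BITS = 130;
    private static final int STATE_RADIX = 32;

    /**
     * Generates a fresh random CSRF state, stores it in the {@code XSRF-TOKEN} cookie and returns it.
     *
     * @param httpServletRequest  current request (passed through to {@code CookieUtils.createCookie})
     * @param httpServletResponse response on which the cookie is set
     * @param i                   cookie max-age, forwarded unchanged to {@code CookieUtils.createCookie}
     * @return the generated state (130 random bits, base-32 encoded)
     */
    public String generateState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, int i) {
        String state = new BigInteger(STATE_BITS, RANDOM).toString(STATE_RADIX);
        // The 'false' argument presumably disables httpOnly so client-side code can read the cookie
        // and echo it in the header — confirm against CookieUtils.createCookie.
        httpServletResponse.addCookie(CookieUtils.createCookie(CSRF_STATE_COOKIE, state, false, i, httpServletRequest));
        return state;
    }

    /**
     * Verifies the CSRF header of a state-changing {@code /api} request against the reference state.
     *
     * <p>Requests that are not subject to the check (see {@link #shouldRequestBeChecked}) pass
     * silently.
     *
     * @param httpServletRequest request whose method, URI and {@code X-XSRF-TOKEN} header are inspected
     * @param str                reference CSRF state (the value returned by {@link #generateState}); may be null
     * @param str2               login reported in the authentication failure event; may be null
     * @throws AuthenticationException when the reference state is missing or the header does not match it
     */
    public void verifyState(HttpServletRequest httpServletRequest, @Nullable String str, @Nullable String str2) {
        if (!shouldRequestBeChecked(httpServletRequest)) {
            return;
        }
        String failure = checkCsrf(str, httpServletRequest.getHeader(CSRF_HEADER));
        if (failure != null) {
            throw AuthenticationException.newBuilder()
                .setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.JWT))
                .setLogin(str2)
                .setMessage(failure)
                .build();
        }
    }

    /**
     * Compares the reference state with the value received in the request header.
     *
     * @param str  reference state; blank means the session carries no state at all
     * @param str2 value of the {@code X-XSRF-TOKEN} header; null when the header is absent
     * @return null when the values match, otherwise the failure message to report
     */
    @CheckForNull
    private static String checkCsrf(@Nullable String str, @Nullable String str2) {
        if (StringUtils.isBlank(str)) {
            return "Missing reference CSRF value";
        }
        // Constant-time comparison so that response timing does not leak how much of the token
        // matched. MessageDigest.isEqual still returns early on a length mismatch, which is
        // acceptable here: the token length is fixed by generateState.
        if (str2 != null
            && MessageDigest.isEqual(str.getBytes(StandardCharsets.UTF_8), str2.getBytes(StandardCharsets.UTF_8))) {
            return null;
        }
        // Message text kept verbatim (including the 'CSFR' spelling) so existing consumers keep matching it.
        return "Wrong CSFR in request";
    }

    /**
     * Re-issues the {@code XSRF-TOKEN} cookie with an existing state (e.g. to extend its lifetime).
     *
     * @param str state value to store
     * @param i   cookie max-age, forwarded unchanged to {@code CookieUtils.createCookie}
     */
    public void refreshState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, int i) {
        httpServletResponse.addCookie(CookieUtils.createCookie(CSRF_STATE_COOKIE, str, false, i, httpServletRequest));
    }

    /**
     * Clears the {@code XSRF-TOKEN} cookie (null value, max-age 0).
     */
    public void removeState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(CookieUtils.createCookie(CSRF_STATE_COOKIE, null, false, 0, httpServletRequest));
    }

    /**
     * A request is checked when its method is in {@link #UPDATE_METHODS}, its path (context path
     * removed) starts with {@code /api}, and it is not one of the exempt Rails web services.
     *
     * <p>NOTE(review): the path is taken from {@code getRequestURI()}, i.e. undecoded and
     * un-normalized. Whether the container routes non-canonical spellings of {@code /api} to the same
     * handlers should be confirmed, since such requests would skip this check.
     */
    private static boolean shouldRequestBeChecked(HttpServletRequest httpServletRequest) {
        if (!UPDATE_METHODS.contains(httpServletRequest.getMethod())) {
            return false;
        }
        String path = stripContextPath(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath());
        return path.startsWith(API_URL) && !isRailsWsUrl(path);
    }

    /**
     * Removes the servlet context path prefix from the request URI.
     *
     * <p>A plain prefix strip is used instead of {@code String.replaceFirst}, which would interpret
     * the context path as a regular expression and could also remove a later occurrence rather than
     * the leading one.
     *
     * @param requestUri  raw request URI
     * @param contextPath servlet context path; empty or null for the root context
     * @return the URI with the context path prefix removed, or unchanged when it is not a prefix
     */
    private static String stripContextPath(String requestUri, @Nullable String contextPath) {
        if (contextPath == null || contextPath.isEmpty() || !requestUri.startsWith(contextPath)) {
            return requestUri;
        }
        return requestUri.substring(contextPath.length());
    }

    /**
     * @return true when {@code path} starts with one of the exempt Rails web service prefixes
     */
    private static boolean isRailsWsUrl(String path) {
        return RAILS_UPDATE_API_URLS.stream().anyMatch(path::startsWith);
    }
}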
