package org.apache.wicket.protocol.http;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Locale;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.core.request.handler.IPageRequestHandler;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.feedback.FeedbackMessage;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestHandlerDelegate;
import org.apache.wicket.request.component.IRequestablePage;
import org.apache.wicket.request.cycle.AbstractRequestCycleListener;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebRequest;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.util.lang.Checks;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/wicket-core-7.13.0.jar:org/apache/wicket/protocol/http/CsrfPreventionRequestCycleListener.class */
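/**
 * Request cycle listener that defends page actions against cross-site request forgery by
 * comparing the request's source (the {@code Origin} header, falling back to {@code Referer})
 * with the origin the request was actually sent to.
 * <p>
 * Only handlers that are an {@link IPageRequestHandler} but not a {@link RenderPageRequestHandler}
 * are checked (see {@link #isChecked(IRequestHandler)}); plain page renders pass through. A checked
 * request is classified in this order: no usable source URI (a missing header, or an {@code Origin}
 * of the literal string {@code "null"}) → {@link #setNoOriginAction}; source host on the accepted
 * list → allowed; source origin equal to the target origin → allowed; otherwise →
 * {@link #setConflictingOriginAction}. The default for both configurable actions is
 * {@link CsrfAction#ABORT}, which answers with HTTP 400.
 * <p>
 * Both headers are supplied by the client; the listener never trusts them to <em>grant</em> access
 * beyond the accepted-origin list, it only uses them to decide whether the request is plausibly
 * same-origin. Subclasses can refine the policy by overriding {@link #isEnabled()},
 * {@link #isChecked(IRequestablePage)} and the {@code on*} hooks.
 */
public class CsrfPreventionRequestCycleListener extends AbstractRequestCycleListener implements IRequestCycleListener {
    private static final Logger log = LoggerFactory.getLogger(CsrfPreventionRequestCycleListener.class);

    /**
     * Default HTTP status for {@link #abortHandler}: 400 Bad Request ({@code HttpServletResponse.SC_BAD_REQUEST}).
     * It is a servlet status code, not a feedback level, even though {@code FeedbackMessage.ERROR}
     * happens to carry the same numeric value.
     */
    private static final int DEFAULT_ERROR_CODE = 400;

    /** Action taken when neither {@code Origin} nor {@code Referer} yields a usable source URI. */
    private CsrfAction noOriginAction = CsrfAction.ABORT;

    /** Action taken when the source URI is present but matches neither the target nor an accepted origin. */
    private CsrfAction conflictingOriginAction = CsrfAction.ABORT;

    /** HTTP status sent by {@link #abortHandler}. */
    private int errorCode = DEFAULT_ERROR_CODE;

    /** Message sent with {@link #errorCode} by {@link #abortHandler}. */
    private String errorMessage = "Origin does not correspond to request";

    /** Host names (lower-cased, leading dots stripped) whose subdomains are accepted as sources. */
    private final Collection<String> acceptedOrigins = new ArrayList<>();

    /** What the listener does with a request whose source could not be confirmed. */
    public enum CsrfAction {
        /** Reject the request with {@link AbortWithHttpErrorCodeException} using the configured code and message. */
        ABORT("aborted"),
        /** Drop the targeted action and re-render the page via {@link RestartResponseException}. */
        SUPPRESS("suppressed"),
        /** Let the request proceed; only an info-level log line records the event. */
        ALLOW("allowed");

        private final String description;

        CsrfAction(String description) {
            this.description = description;
        }

        /** Past-tense label used in log output: {@code "aborted"}, {@code "suppressed"} or {@code "allowed"}. */
        @Override
        public String toString() {
            return description;
        }
    }

    /**
     * Sets the action for requests that carry no usable source URI.
     *
     * @param action the action to take; default {@link CsrfAction#ABORT}
     * @return this listener, for chaining
     */
    public CsrfPreventionRequestCycleListener setNoOriginAction(CsrfAction action) {
        this.noOriginAction = action;
        return this;
    }

    /**
     * Sets the action for requests whose source URI conflicts with the target origin.
     *
     * @param action the action to take; default {@link CsrfAction#ABORT}
     * @return this listener, for chaining
     */
    public CsrfPreventionRequestCycleListener setConflictingOriginAction(CsrfAction action) {
        this.conflictingOriginAction = action;
        return this;
    }

    /**
     * Sets the HTTP status used when a request is aborted.
     *
     * @param code the status code; default 400
     * @return this listener, for chaining
     */
    public CsrfPreventionRequestCycleListener setErrorCode(int code) {
        this.errorCode = code;
        return this;
    }

    /**
     * Sets the message sent along with the error code when a request is aborted.
     *
     * @param message the error message
     * @return this listener, for chaining
     */
    public CsrfPreventionRequestCycleListener setErrorMessage(String message) {
        this.errorMessage = message;
        return this;
    }

    /**
     * Adds a host whose requests (and those of its subdomains) are accepted regardless of the
     * target origin. Leading dots are stripped, so {@code ".example.com"} and {@code "example.com"}
     * are equivalent; the value is lower-cased so the suffix match in {@link #isWhitelistedHost}
     * is case-insensitive.
     *
     * @param acceptedOrigin host name to accept, e.g. {@code "example.com"}
     * @return this listener, for chaining
     * @throws NullPointerException if {@code acceptedOrigin} is {@code null}
     * @throws IllegalArgumentException if nothing remains after stripping leading dots — an empty
     *         entry would otherwise match any host written with a trailing dot
     */
    public CsrfPreventionRequestCycleListener addAcceptedOrigin(String acceptedOrigin) {
        // The decompiled original passed the literal "acceptedOrigin" as the value under test,
        // so its null check could never fire; check the actual argument.
        Objects.requireNonNull(acceptedOrigin, "acceptedOrigin");
        int start = 0;
        while (start < acceptedOrigin.length() && acceptedOrigin.charAt(start) == '.') {
            start++;
        }
        String host = acceptedOrigin.substring(start).toLowerCase(Locale.ROOT);
        if (host.isEmpty()) {
            throw new IllegalArgumentException("acceptedOrigin must contain a host name, got: '" + acceptedOrigin + "'");
        }
        this.acceptedOrigins.add(host);
        return this;
    }

    /** Logs the normalized source URI of the incoming request at debug level; performs no check. */
    @Override
    public void onBeginRequest(RequestCycle cycle) {
        if (log.isDebugEnabled()) {
            HttpServletRequest containerRequest = (HttpServletRequest) cycle.getRequest().getContainerRequest();
            log.debug("Request Source URI: {}", getSourceUri(containerRequest));
        }
    }

    /**
     * Whether the listener performs any checks at all. Always {@code true} here; override to
     * switch the protection off (e.g. per environment).
     */
    protected boolean isEnabled() {
        return true;
    }

    /**
     * Whether the given page is subject to the origin check. Always {@code true} here; override to
     * opt individual pages out, in which case the request is routed to {@link #allowHandler}.
     */
    protected boolean isChecked(IRequestablePage page) {
        return true;
    }

    /**
     * Whether the resolved handler targets something worth checking: a page action
     * ({@link IPageRequestHandler}) other than a plain page render ({@link RenderPageRequestHandler}).
     */
    protected boolean isChecked(IRequestHandler handler) {
        return handler instanceof IPageRequestHandler && !(handler instanceof RenderPageRequestHandler);
    }

    /**
     * Follows {@link IRequestHandlerDelegate} chains until a non-delegating handler is found.
     *
     * @param handler the resolved handler, possibly wrapping another one
     * @return the innermost handler
     */
    protected IRequestHandler unwrap(IRequestHandler handler) {
        IRequestHandler current = handler;
        while (current instanceof IRequestHandlerDelegate) {
            current = ((IRequestHandlerDelegate) current).getDelegateHandler();
        }
        return current;
    }

    /**
     * Entry point of the check: decides whether the resolved handler needs verification and, if so,
     * runs {@link #checkRequest}. Pages opted out via {@link #isChecked(IRequestablePage)} go
     * straight to {@link #allowHandler}.
     */
    @Override
    public void onRequestHandlerResolved(RequestCycle cycle, IRequestHandler handler) {
        if (!isEnabled()) {
            log.trace("CSRF listener is disabled, no checks performed");
            return;
        }
        IRequestHandler target = unwrap(handler);
        if (!isChecked(target)) {
            if (log.isTraceEnabled()) {
                log.trace("Resolved handler {} doesn't target an action on a page, no CSRF check performed", target.getClass().getName());
            }
            return;
        }
        IRequestablePage page = ((IPageRequestHandler) target).getPage();
        HttpServletRequest containerRequest = (HttpServletRequest) cycle.getRequest().getContainerRequest();
        String sourceUri = getSourceUri(containerRequest);
        if (isChecked(page)) {
            checkRequest(containerRequest, sourceUri, page);
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Targeted page {} was opted out of the CSRF origin checks, allowed", page.getClass().getName());
            }
            allowHandler(containerRequest, sourceUri, page);
        }
    }

    /**
     * Extracts the request's source as {@code scheme://host[:port]}. The {@code Origin} header is
     * preferred; when it is absent or empty the {@code Referer} header is used instead.
     *
     * @return the normalized source URI, or {@code null} if neither header yields one
     *         (see {@link #normalizeUri})
     */
    protected String getSourceUri(HttpServletRequest request) {
        String header = request.getHeader(WebRequest.HEADER_ORIGIN);
        if (Strings.isEmpty(header)) {
            header = request.getHeader(WebRequest.HEADER_REFERER);
        }
        return normalizeUri(header);
    }

    /**
     * Classifies the request and dispatches to the matching handler method.
     * <ul>
     * <li>no source URI → {@link #noOriginAction}</li>
     * <li>source host on the accepted list → {@link #whitelistedHandler}</li>
     * <li>source origin equals target origin → {@link #matchingOrigin}</li>
     * <li>anything else → {@link #conflictingOriginAction}</li>
     * </ul>
     *
     * @param request   the container request
     * @param sourceUri the normalized source URI, may be {@code null} or empty
     * @param page      the page targeted by the request
     */
    protected void checkRequest(HttpServletRequest request, String sourceUri, IRequestablePage page) {
        if (sourceUri == null || sourceUri.isEmpty()) {
            log.debug("Source URI not present in request, {}", this.noOriginAction);
            applyAction(this.noOriginAction, request, sourceUri, page);
            return;
        }
        String origin = sourceUri.toLowerCase(Locale.ROOT);
        if (isWhitelistedHost(origin)) {
            whitelistedHandler(request, origin, page);
            return;
        }
        if (isLocalOrigin(request, origin)) {
            matchingOrigin(request, origin, page);
            return;
        }
        log.debug("Source URI conflicts with request origin, {}", this.conflictingOriginAction);
        applyAction(this.conflictingOriginAction, request, origin, page);
    }

    /** Routes a suspicious request to the allow/suppress/abort handler selected by {@code action}. */
    private void applyAction(CsrfAction action, HttpServletRequest request, String sourceUri, IRequestablePage page) {
        switch (action) {
            case ALLOW:
                allowHandler(request, sourceUri, page);
                break;
            case SUPPRESS:
                suppressHandler(request, sourceUri, page);
                break;
            case ABORT:
                abortHandler(request, sourceUri, page);
                break;
            default:
                break;
        }
    }

    /**
     * Whether the host of {@code sourceUri} is an accepted origin or a subdomain of one.
     * The comparison is case-insensitive; a source that does not parse as a URI or has no host is
     * treated as not accepted (the caller then falls through to the origin comparison).
     */
    protected boolean isWhitelistedHost(String sourceUri) {
        try {
            String host = new URI(sourceUri).getHost();
            if (Strings.isEmpty(host)) {
                return false;
            }
            // Accepted origins are stored lower-cased; lower-case the host too so the
            // suffix match is case-insensitive even when a subclass passes mixed case.
            String lowerHost = host.toLowerCase(Locale.ROOT);
            for (String accepted : this.acceptedOrigins) {
                if (lowerHost.equalsIgnoreCase(accepted) || lowerHost.endsWith("." + accepted)) {
                    log.trace("Origin {} matched whitelisted origin {}, request accepted", sourceUri, accepted);
                    return true;
                }
            }
            return false;
        } catch (URISyntaxException e) {
            log.debug("Origin: {} not parseable as an URI. Whitelisted-origin check skipped.", sourceUri);
            return false;
        }
    }

    /**
     * Whether the normalized source URI equals the origin the request was sent to
     * (scheme, server name and port as reported by the container).
     *
     * @return {@code true} on an exact (case-insensitive) match; {@code false} if either side
     *         cannot be determined
     */
    protected boolean isLocalOrigin(HttpServletRequest request, String sourceUri) {
        String source = normalizeUri(sourceUri);
        if (source == null) {
            return false;
        }
        String target = getTargetUriFromRequest(request);
        if (target == null) {
            return false;
        }
        return source.equalsIgnoreCase(target);
    }

    /**
     * Reduces a URI to its origin, {@code scheme://host[:port]}, with the scheme lower-cased.
     * The port is kept only when it is explicit and not the default for http/https. Path, query and
     * credentials are dropped so that only the origin takes part in the comparison.
     *
     * @param uri the raw header value
     * @return the origin, or {@code null} if the value is empty, is the literal {@code "null"}
     *         (what browsers send for an opaque origin), lacks a scheme or host, or does not parse
     */
    protected final String normalizeUri(String uri) {
        if (Strings.isEmpty(uri) || "null".equals(uri)) {
            return null;
        }
        try {
            URI parsed = new URI(uri);
            String scheme = parsed.getScheme();
            if (scheme == null) {
                return null;
            }
            String host = parsed.getHost();
            if (host == null) {
                return null;
            }
            String lowerScheme = scheme.toLowerCase(Locale.ROOT);
            StringBuilder origin = new StringBuilder(lowerScheme).append("://").append(host);
            int port = parsed.getPort();
            if (port != -1 && needsExplicitPort(lowerScheme, port)) {
                origin.append(':').append(port);
            }
            return origin.toString();
        } catch (URISyntaxException e) {
            log.debug("Invalid URI provided: {}, marked conflicting", uri);
            return null;
        }
    }

    /**
     * Builds the origin the request was addressed to, {@code scheme://serverName[:port]}, from the
     * container's view of the request, using the same port rule as {@link #normalizeUri}.
     *
     * @return the target origin, or {@code null} if the container reports no scheme or server name
     */
    protected final String getTargetUriFromRequest(HttpServletRequest request) {
        String scheme = request.getScheme();
        if (scheme == null) {
            return null;
        }
        String serverName = request.getServerName();
        if (serverName == null) {
            return null;
        }
        String lowerScheme = scheme.toLowerCase(Locale.ROOT);
        StringBuilder origin = new StringBuilder(lowerScheme).append("://").append(serverName);
        int serverPort = request.getServerPort();
        if (needsExplicitPort(lowerScheme, serverPort)) {
            origin.append(':').append(serverPort);
        }
        return origin.toString();
    }

    /**
     * Whether {@code port} must be written out for {@code lowerScheme}: true for http on a port
     * other than 80 and https on a port other than 443. For any other scheme the port is never
     * written, so both sides of the comparison omit it consistently.
     */
    private static boolean needsExplicitPort(String lowerScheme, int port) {
        return ("http".equals(lowerScheme) && port != 80) || ("https".equals(lowerScheme) && port != 443);
    }

    /** Called when the source host is on the accepted list; invokes {@link #onWhitelisted} and logs. */
    protected void whitelistedHandler(HttpServletRequest request, String sourceUri, IRequestablePage page) {
        onWhitelisted(request, sourceUri, page);
        if (log.isDebugEnabled()) {
            log.debug("CSRF Origin {} was whitelisted, allowed for page {}", sourceUri, page.getClass().getName());
        }
    }

    /** Extension hook for accepted-origin requests; does nothing by default. */
    protected void onWhitelisted(HttpServletRequest request, String sourceUri, IRequestablePage page) {
    }

    /** Called when the source origin equals the target origin; invokes {@link #onMatchingOrigin} and logs. */
    protected void matchingOrigin(HttpServletRequest request, String sourceUri, IRequestablePage page) {
        onMatchingOrigin(request, sourceUri, page);
        if (log.isDebugEnabled()) {
            log.debug("CSRF Origin {} matched requested resource, allowed for page {}", sourceUri, page.getClass().getName());
        }
    }

    /** Extension hook for same-origin requests; does nothing by default. */
    protected void onMatchingOrigin(HttpServletRequest request, String sourceUri, IRequestablePage page) {
    }

    /**
     * Lets a suspicious (or opted-out) request proceed. Invokes {@link #onAllowed} and writes an
     * info-level log line so the event is still visible to operators.
     */
    protected void allowHandler(HttpServletRequest request, String sourceUri, IRequestablePage page) {
        onAllowed(request, sourceUri, page);
        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: allowed", request.getRequestURL(), sourceUri);
    }

    /** Extension hook for allowed suspicious requests; does nothing by default. */
    protected void onAllowed(HttpServletRequest request, String sourceUri, IRequestablePage page) {
    }

    /**
     * Suppresses the targeted action by re-rendering the page.
     *
     * @throws RestartResponseException always, to restart the response with {@code page}
     */
    protected void suppressHandler(HttpServletRequest request, String sourceUri, IRequestablePage page) {
        onSuppressed(request, sourceUri, page);
        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: suppressed", request.getRequestURL(), sourceUri);
        throw new RestartResponseException(page);
    }

    /** Extension hook for suppressed requests; does nothing by default. */
    protected void onSuppressed(HttpServletRequest request, String sourceUri, IRequestablePage page) {
    }

    /**
     * Aborts the request with the configured HTTP error code and message.
     *
     * @throws AbortWithHttpErrorCodeException always, carrying {@link #errorCode} and {@link #errorMessage}
     */
    protected void abortHandler(HttpServletRequest request, String sourceUri, IRequestablePage page) {
        onAborted(request, sourceUri, page);
        log.info("Possible CSRF attack, request URL: {}, Origin: {}, action: aborted with error {} {}", request.getRequestURL(), sourceUri, Integer.valueOf(this.errorCode), this.errorMessage);
        throw new AbortWithHttpErrorCodeException(this.errorCode, this.errorMessage);
    }

    /** Extension hook for aborted requests; does nothing by default. */
    protected void onAborted(HttpServletRequest request, String sourceUri, IRequestablePage page) {
    }
}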
