package org.apache.wicket.protocol.http;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.wicket.RestartResponseException;
import org.apache.wicket.core.request.handler.IPageRequestHandler;
import org.apache.wicket.core.request.handler.RenderPageRequestHandler;
import org.apache.wicket.protocol.http.IResourceIsolationPolicy;
import org.apache.wicket.request.IRequestHandler;
import org.apache.wicket.request.IRequestHandlerDelegate;
import org.apache.wicket.request.component.IRequestablePage;
import org.apache.wicket.request.cycle.IRequestCycleListener;
import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;
import org.apache.wicket.util.lang.Classes;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/wicket-core-9.5.0.jar:org/apache/wicket/protocol/http/ResourceIsolationRequestCycleListener.class */
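/**
 * Request cycle listener that guards page request handlers against cross-site requests (CSRF)
 * by consulting a list of {@link IResourceIsolationPolicy} instances.
 *
 * <p>Evaluation order in {@link #onRequestHandlerResolved(RequestCycle, IRequestHandler)}:
 * <ol>
 *   <li>{@link #isEnabled()} - when false nothing is checked;</li>
 *   <li>{@link #isChecked(IRequestHandler)} - only page request handlers that are not plain
 *       {@link RenderPageRequestHandler}s are checked;</li>
 *   <li>{@link #isChecked(IRequestablePage)} - a page may opt out;</li>
 *   <li>exempted paths - an exact match on the servlet path info skips every policy;</li>
 *   <li>the policies, in registration order; the first {@code ALLOWED} or {@code DISALLOWED}
 *       outcome ends evaluation;</li>
 *   <li>if no policy gave a definitive outcome, the "unknown outcome" action is applied.</li>
 * </ol>
 *
 * <p>Both the "unknown" and the "disallowed" action default to {@link CsrfAction#ABORT}, i.e. the
 * listener fails closed. Relaxing either to {@link CsrfAction#ALLOW} turns the corresponding
 * check into log-only mode.
 *
 * <p>NOTE(review): the configuration fields are plain, unsynchronized collections and fields;
 * presumably the listener is configured once before it starts serving requests - confirm against
 * the application's setup code.
 */
public class ResourceIsolationRequestCycleListener implements IRequestCycleListener {
    private static final Logger log = LoggerFactory.getLogger(ResourceIsolationRequestCycleListener.class);

    /** Default message sent with the error response when a request is aborted. */
    public static final String ERROR_MESSAGE = "The request was blocked by a resource isolation policy";

    // Action applied when no policy returned ALLOWED or DISALLOWED. Defaults to fail-closed.
    private CsrfAction unknownOutcomeAction = CsrfAction.ABORT;
    // Action applied when a policy returned DISALLOWED. Defaults to fail-closed.
    private CsrfAction disallowedOutcomeAction = CsrfAction.ABORT;
    // HTTP status used by abortHandler (403 Forbidden by default).
    private int errorCode = 403;
    private String errorMessage = ERROR_MESSAGE;
    // Path infos that bypass every policy; compared by exact string equality.
    private final Set<String> exemptedPaths = new HashSet<>();
    // Policies consulted in insertion order; the first definitive outcome wins.
    private final List<IResourceIsolationPolicy> resourceIsolationPolicies = new ArrayList<>();

    /**
     * What to do with a request that a policy rejected or that no policy could classify.
     */
    public enum CsrfAction {
        /** Reject the request with the configured HTTP error code and message. */
        ABORT {
            @Override
            public String toString() {
                return "aborted";
            }

            @Override
            void apply(ResourceIsolationRequestCycleListener resourceIsolationRequestCycleListener, HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
                resourceIsolationRequestCycleListener.abortHandler(httpServletRequest, iRequestablePage);
            }
        },
        /** Drop the requested action and restart the response on the targeted page instead. */
        SUPPRESS {
            @Override
            public String toString() {
                return "suppressed";
            }

            @Override
            void apply(ResourceIsolationRequestCycleListener resourceIsolationRequestCycleListener, HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
                resourceIsolationRequestCycleListener.suppressHandler(httpServletRequest, iRequestablePage);
            }
        },
        /** Let the request through; the event is only logged. */
        ALLOW {
            @Override
            public String toString() {
                return "allowed";
            }

            @Override
            void apply(ResourceIsolationRequestCycleListener resourceIsolationRequestCycleListener, HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
                resourceIsolationRequestCycleListener.allowHandler(httpServletRequest, iRequestablePage);
            }
        };

        /** Dispatches to the listener's handler method for this action. */
        abstract void apply(ResourceIsolationRequestCycleListener resourceIsolationRequestCycleListener, HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage);
    }

    /**
     * Creates a listener that consults the given policies in order.
     *
     * @param iResourceIsolationPolicyArr the policies to consult; when none are given, a
     *     {@code FetchMetadataResourceIsolationPolicy} followed by an
     *     {@code OriginResourceIsolationPolicy} is installed
     */
    public ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... iResourceIsolationPolicyArr) {
        this.resourceIsolationPolicies.addAll(Arrays.asList(iResourceIsolationPolicyArr));
        if (iResourceIsolationPolicyArr.length == 0) {
            this.resourceIsolationPolicies.addAll(Arrays.asList(new FetchMetadataResourceIsolationPolicy(), new OriginResourceIsolationPolicy()));
        }
    }

    /**
     * Sets the action applied when no policy returned a definitive outcome.
     *
     * <p>Anything other than {@link CsrfAction#ABORT} means requests that cannot be classified
     * are no longer rejected.
     *
     * @param csrfAction the action, must not be {@code null}
     * @return this listener, for chaining
     * @throws NullPointerException if {@code csrfAction} is {@code null}
     */
    public ResourceIsolationRequestCycleListener setUnknownOutcomeAction(CsrfAction csrfAction) {
        // Fail at configuration time; a null action would otherwise only surface as an
        // NullPointerException while a request is being handled.
        this.unknownOutcomeAction = Objects.requireNonNull(csrfAction, "csrfAction");
        return this;
    }

    /**
     * Sets the action applied when a policy returned {@code DISALLOWED}.
     *
     * <p>Anything other than {@link CsrfAction#ABORT} means rejected requests are not answered
     * with an error; with {@link CsrfAction#ALLOW} they are processed normally.
     *
     * @param csrfAction the action, must not be {@code null}
     * @return this listener, for chaining
     * @throws NullPointerException if {@code csrfAction} is {@code null}
     */
    public ResourceIsolationRequestCycleListener setDisallowedOutcomeAction(CsrfAction csrfAction) {
        this.disallowedOutcomeAction = Objects.requireNonNull(csrfAction, "csrfAction");
        return this;
    }

    /**
     * Sets the HTTP status code used when a request is aborted.
     *
     * @param i the status code
     * @return this listener, for chaining
     */
    public ResourceIsolationRequestCycleListener setErrorCode(int i) {
        this.errorCode = i;
        return this;
    }

    /**
     * Sets the message used when a request is aborted.
     *
     * @param str the error message
     * @return this listener, for chaining
     */
    public ResourceIsolationRequestCycleListener setErrorMessage(String str) {
        this.errorMessage = str;
        return this;
    }

    /**
     * Registers paths that bypass all resource isolation policies.
     *
     * <p>Entries are compared by exact string equality with
     * {@link HttpServletRequest#getPathInfo()}; no prefix, wildcard or normalisation is applied
     * here. Every exempted path is reachable cross-site without any check, so keep the list as
     * small as possible. Empty and {@code null} entries are ignored.
     *
     * @param strArr the path infos to exempt
     */
    public void addExemptedPaths(String... strArr) {
        // The decompiled listing referenced an undefined local here; the filtered entries
        // are added to the exemptedPaths set.
        Arrays.stream(strArr)
            .filter(path -> !Strings.isEmpty(path))
            .forEach(this.exemptedPaths::add);
    }

    /** Logs the path info of the incoming request at debug level. */
    @Override
    public void onBeginRequest(RequestCycle requestCycle) {
        log.debug("Processing request to: {}", ((HttpServletRequest) requestCycle.getRequest().getContainerRequest()).getPathInfo());
    }

    /**
     * Global switch for the listener.
     *
     * @return {@code true} to perform checks; overriding this to return {@code false} disables
     *     all checks
     */
    protected boolean isEnabled() {
        return true;
    }

    /**
     * Per-page opt-out hook.
     *
     * @param iRequestablePage the page targeted by the request
     * @return {@code true} if requests to the page must be checked; a page for which this
     *     returns {@code false} is not protected by this listener
     */
    protected boolean isChecked(IRequestablePage iRequestablePage) {
        return true;
    }

    /**
     * Decides whether a resolved handler is subject to the check.
     *
     * <p>The decompiler reported that the access modifier of this method was changed from
     * {@code protected}; it is kept as shown in the listing.
     *
     * @param iRequestHandler the unwrapped request handler
     * @return {@code true} for page request handlers other than {@link RenderPageRequestHandler}
     */
    public boolean isChecked(IRequestHandler iRequestHandler) {
        return (iRequestHandler instanceof IPageRequestHandler) && !(iRequestHandler instanceof RenderPageRequestHandler);
    }

    /**
     * Runs the resource isolation check for the resolved handler.
     *
     * <p>Policies are consulted in registration order and evaluation stops at the first
     * {@code ALLOWED} or {@code DISALLOWED} outcome, so an earlier policy that allows a request
     * shadows any later, stricter one. If no policy is definitive, the unknown-outcome action
     * is applied.
     *
     * @param requestCycle the current request cycle
     * @param iRequestHandler the handler that was resolved for the request
     */
    @Override
    public void onRequestHandlerResolved(RequestCycle requestCycle, IRequestHandler iRequestHandler) {
        if (!isEnabled()) {
            log.trace("CSRF listener is disabled, no checks performed");
            return;
        }
        // Look through delegating handlers so the check applies to the real target.
        IRequestHandler unwrap = unwrap(iRequestHandler);
        if (!isChecked(unwrap)) {
            if (log.isTraceEnabled()) {
                log.trace("Resolved handler {} is not checked, no CSRF check performed", unwrap.getClass().getName());
            }
            return;
        }
        IRequestablePage page = ((IPageRequestHandler) unwrap).getPage();
        HttpServletRequest httpServletRequest = (HttpServletRequest) requestCycle.getRequest().getContainerRequest();
        if (!isChecked(page)) {
            if (log.isDebugEnabled()) {
                log.debug("Targeted page {} was opted out of resource isolation, allowed", page.getClass().getName());
            }
            return;
        }
        String pathInfo = httpServletRequest.getPathInfo();
        // Exact-match exemption: bypasses every policy below.
        if (this.exemptedPaths.contains(pathInfo)) {
            if (log.isDebugEnabled()) {
                log.debug("Allowing request to {} because it matches an exempted path", pathInfo);
            }
            return;
        }
        for (IResourceIsolationPolicy iResourceIsolationPolicy : this.resourceIsolationPolicies) {
            IResourceIsolationPolicy.ResourceIsolationOutcome isRequestAllowed = iResourceIsolationPolicy.isRequestAllowed(httpServletRequest, page);
            if (IResourceIsolationPolicy.ResourceIsolationOutcome.DISALLOWED.equals(isRequestAllowed)) {
                log.debug("Isolation policy {} has rejected a request to {}", Classes.simpleName(iResourceIsolationPolicy.getClass()), pathInfo);
                this.disallowedOutcomeAction.apply(this, httpServletRequest, page);
                return;
            }
            if (IResourceIsolationPolicy.ResourceIsolationOutcome.ALLOWED.equals(isRequestAllowed)) {
                return;
            }
            // Any other outcome: ask the next policy.
        }
        this.unknownOutcomeAction.apply(this, httpServletRequest, page);
    }

    /**
     * Gives every policy the chance to set response headers, provided the response is a
     * {@link WebResponse} that supports headers.
     */
    @Override
    public void onEndRequest(RequestCycle requestCycle) {
        if (!(requestCycle.getResponse() instanceof WebResponse)) {
            return;
        }
        WebResponse webResponse = (WebResponse) requestCycle.getResponse();
        if (!webResponse.isHeaderSupported()) {
            return;
        }
        for (IResourceIsolationPolicy policy : this.resourceIsolationPolicies) {
            policy.setHeaders((HttpServletResponse) webResponse.getContainerResponse());
        }
    }

    /**
     * Handler for {@link CsrfAction#ALLOW}: logs the event and lets the request continue.
     */
    protected void allowHandler(HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
        log.info("Possible CSRF attack, request URL: {}, action: allowed", httpServletRequest.getRequestURL());
    }

    /**
     * Handler for {@link CsrfAction#SUPPRESS}: logs the event and restarts the response on the
     * targeted page.
     *
     * @throws RestartResponseException always
     */
    protected void suppressHandler(HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
        log.info("Possible CSRF attack, request URL: {}, action: suppressed", httpServletRequest.getRequestURL());
        throw new RestartResponseException(iRequestablePage);
    }

    /**
     * Handler for {@link CsrfAction#ABORT}: logs the event and aborts the request with the
     * configured error code and message.
     *
     * @throws AbortWithHttpErrorCodeException always
     */
    protected void abortHandler(HttpServletRequest httpServletRequest, IRequestablePage iRequestablePage) {
        log.info("Possible CSRF attack, request URL: {}, action: aborted with error {} {}", httpServletRequest.getRequestURL(), this.errorCode, this.errorMessage);
        throw new AbortWithHttpErrorCodeException(this.errorCode, this.errorMessage);
    }

    /**
     * Follows {@link IRequestHandlerDelegate} wrappers down to the innermost handler.
     *
     * @param iRequestHandler the possibly wrapped handler
     * @return the first handler in the chain that is not a delegate
     */
    private static IRequestHandler unwrap(IRequestHandler iRequestHandler) {
        IRequestHandler current = iRequestHandler;
        while (current instanceof IRequestHandlerDelegate) {
            current = ((IRequestHandlerDelegate) current).getDelegateHandler();
        }
        return current;
    }
}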
