package org.openxma.dsl.platform.security;

import java.io.IOException;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/openxma/dsl/platform/security/CsrfPreventionFilter.class */
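/**
 * Servlet filter that ties every state-changing request to a per-session nonce.
 *
 * <p>Mechanism, as implemented below:
 * <ul>
 *   <li>Each response is wrapped in a {@link CsrfResponseWrapper}, so URLs passed through
 *       {@code encodeURL}/{@code encodeRedirectURL} get a freshly generated nonce appended as the
 *       request parameter named by {@code nonceParameterName}.</li>
 *   <li>Generated nonces are remembered in a bounded {@link LruCache} stored in the session under
 *       {@code nonceSessionAttributeName}.</li>
 *   <li>Every request must present a nonce that is still in that cache, except a {@code GET} whose
 *       path is listed as unprotected (exact path or a {@code *}-prefix/suffix pattern). A request
 *       that fails the check is answered with {@code sendError(denyStatus)} and the chain is not
 *       continued.</li>
 * </ul>
 * Because a request without a session has no nonce cache, the application's entry points must be
 * listed in {@code unProtectedUrls}, otherwise the very first request is denied.
 *
 * <p>Init parameters: {@code randomClass}, {@code nonceParameterName},
 * {@code nonceSessionAttributeName}, {@code nonceCacheSize}, {@code unProtectedUrls},
 * {@code denyStatus}. The nonce is carried as a request parameter, so it appears in query strings
 * (and therefore in access logs and {@code Referer} headers) of the pages it protects.
 */
public class CsrfPreventionFilter implements Filter {
    /** Default name of the session attribute that holds the nonce cache. */
    public static final String CSRF_NONCE_SESSION_ATTR_NAME = "csrf_nonce";
    /** Default name of the request parameter that carries the nonce. */
    public static final String CSRF_NONCE_REQUEST_PARAM = "csrf_nonce";
    /** The only HTTP method for which the unprotected-page lists are consulted. */
    public static final String METHOD_GET = "GET";

    private static final Logger log = LoggerFactory.getLogger(CsrfPreventionFilter.class);
    /** Random bytes per nonce; the nonce string is twice as many upper-case hex characters. */
    private static final int NONCE_BYTES = 16;
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // Static so that CsrfResponseWrapper can read it without a reference to the filter. This also
    // means the parameter name is shared by every filter instance in the JVM: the last init() wins.
    private static String nonceParameterName = CSRF_NONCE_REQUEST_PARAM;

    /** Set in {@link #init(FilterConfig)}; {@link #generateNonce()} must not be called before that. */
    private Random randomSource;
    private String randomClass = SecureRandom.class.getName();
    private int denyStatus = HttpServletResponse.SC_FORBIDDEN;
    private int nonceCacheSize = 20;
    private final Set<String> unProtectedPagesFullPath = new HashSet<String>();
    private final Set<String> unProtectedPagesWildCard = new HashSet<String>();
    private String nonceSessionAttributeName = CSRF_NONCE_SESSION_ATTR_NAME;

    /**
     * Response wrapper that appends the current nonce to every URL the application encodes.
     * The nonce is inserted before any {@code #fragment}, as an extra query parameter.
     */
    protected static class CsrfResponseWrapper extends HttpServletResponseWrapper {
        private final String nonce;

        /**
         * @param httpServletResponse the wrapped response
         * @param str                 the nonce to append; {@code null} disables the rewriting
         */
        public CsrfResponseWrapper(HttpServletResponse httpServletResponse, String str) {
            super(httpServletResponse);
            this.nonce = str;
        }

        @Override
        @Deprecated
        public String encodeRedirectUrl(String str) {
            return encodeRedirectURL(str);
        }

        @Override
        public String encodeRedirectURL(String str) {
            return addNonce(super.encodeRedirectURL(str));
        }

        @Override
        @Deprecated
        public String encodeUrl(String str) {
            return encodeURL(str);
        }

        @Override
        public String encodeURL(String str) {
            return addNonce(super.encodeURL(str));
        }

        /**
         * Appends {@code <nonceParameterName>=<nonce>} to {@code url}, keeping any existing query
         * string and moving any fragment behind the new parameter.
         *
         * @param url the URL to rewrite; returned unchanged when it or the nonce is {@code null}
         */
        private String addNonce(String url) {
            if (url == null || this.nonce == null) {
                return url;
            }
            String path = url;
            String query = "";
            String fragment = "";
            int hashPos = path.indexOf('#');
            if (hashPos >= 0) {
                fragment = path.substring(hashPos);
                path = path.substring(0, hashPos);
            }
            int queryPos = path.indexOf('?');
            if (queryPos >= 0) {
                query = path.substring(queryPos);
                path = path.substring(0, queryPos);
            }
            StringBuilder sb = new StringBuilder(path);
            // "?" starts a new query string; "&" continues an existing one (query already has its '?').
            sb.append(query).append(query.isEmpty() ? '?' : '&');
            sb.append(CsrfPreventionFilter.nonceParameterName).append('=').append(this.nonce);
            sb.append(fragment);
            return sb.toString();
        }
    }

    /**
     * Bounded insertion-ordered set of recently issued nonces, stored in the session.
     *
     * <p>Only the keys matter; the value is a serializable constant so that a session holding this
     * cache can be serialized (passivated or replicated). Access is synchronized on the instance
     * because concurrent requests of one session may use it at the same time.
     *
     * @param <T> nonce type
     */
    protected static class LruCache<T> implements Serializable {
        private static final long serialVersionUID = 1;
        private static final Object BLANK = Boolean.TRUE;
        private final Map<T, Object> cache;

        /**
         * @param i maximum number of nonces kept; once exceeded the eldest entry is evicted, so a
         *          non-positive value would evict every nonce immediately after it is added
         */
        public LruCache(final int i) {
            this.cache = new LinkedHashMap<T, Object>() {
                private static final long serialVersionUID = 1;

                @Override
                protected boolean removeEldestEntry(Map.Entry<T, Object> entry) {
                    return size() > i;
                }
            };
        }

        /** Records {@code t} as a valid nonce, evicting the eldest one if the cache is full. */
        public synchronized void add(T t) {
            this.cache.put(t, BLANK);
        }

        /** @return whether {@code t} is still one of the remembered nonces */
        public synchronized boolean contains(T t) {
            return this.cache.containsKey(t);
        }
    }

    /** @return the HTTP status sent when a request fails the nonce check */
    public int getDenyStatus() {
        return this.denyStatus;
    }

    /** @param i HTTP status to send when a request fails the nonce check (default 403) */
    public void setDenyStatus(int i) {
        this.denyStatus = i;
    }

    /**
     * Registers pages that may be fetched with {@code GET} without a nonce.
     *
     * @param str comma-separated list of paths; an entry containing {@code *} is treated as a
     *            pattern (see {@link #pathMatchesWildCardPattern(String)}), any other entry must
     *            match the request path exactly. Entries are trimmed; blank entries (e.g. from a
     *            trailing comma) are ignored. {@code null} adds nothing.
     */
    public void setUnProtectedPages(String str) {
        if (str == null) {
            return;
        }
        for (String rawEntry : str.split(",")) {
            String page = rawEntry.trim();
            if (page.isEmpty()) {
                continue;
            }
            if (page.indexOf('*') >= 0) {
                this.unProtectedPagesWildCard.add(page);
            } else {
                this.unProtectedPagesFullPath.add(page);
            }
        }
    }

    /**
     * @param i number of nonces remembered per session (default 20)
     * @throws IllegalArgumentException if {@code i < 1}, because such a cache could never contain
     *                                  a nonce and every protected request would be denied
     */
    public void setNonceCacheSize(int i) {
        if (i < 1) {
            throw new IllegalArgumentException("nonceCacheSize must be positive, got " + i);
        }
        this.nonceCacheSize = i;
    }

    /**
     * @param str fully qualified name of a {@link Random} subclass with a public no-arg
     *            constructor, instantiated in {@link #init(FilterConfig)} (default
     *            {@link SecureRandom})
     */
    public void setRandomClass(String str) {
        this.randomClass = str;
    }

    /**
     * Reads the init parameters described on the class and creates the random source.
     *
     * @throws ServletException if {@code randomClass} cannot be loaded, is not a {@link Random},
     *                          or cannot be instantiated
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String randomClassParam = filterConfig.getInitParameter("randomClass");
        if (isNotBlank(randomClassParam)) {
            setRandomClass(randomClassParam);
        }
        this.randomSource = createRandomSource(this.randomClass);

        String parameterNameParam = filterConfig.getInitParameter("nonceParameterName");
        log.info("Nonce request parameter name: " + parameterNameParam);
        if (isNotBlank(parameterNameParam)) {
            setNonceParameterName(parameterNameParam);
        }

        String sessionAttributeParam = filterConfig.getInitParameter("nonceSessionAttributeName");
        log.info("Nonce session attribute name: " + sessionAttributeParam);
        if (isNotBlank(sessionAttributeParam)) {
            setNonceSessionAttributeName(sessionAttributeParam);
        }

        String cacheSizeParam = filterConfig.getInitParameter("nonceCacheSize");
        if (isNotBlank(cacheSizeParam)) {
            try {
                setNonceCacheSize(Integer.parseInt(cacheSizeParam.trim()));
            } catch (IllegalArgumentException e) {
                // NumberFormatException (not a number) or a non-positive size; keep the default.
                log.warn("Invalid nonce cache size: " + cacheSizeParam
                        + ", using default nonce cache size: " + this.nonceCacheSize);
            }
        }

        String unProtectedParam = filterConfig.getInitParameter("unProtectedUrls");
        log.info("Unprotected Pages: " + unProtectedParam);
        if (isNotBlank(unProtectedParam)) {
            setUnProtectedPages(unProtectedParam);
        }

        String denyStatusParam = filterConfig.getInitParameter("denyStatus");
        if (isNotBlank(denyStatusParam)) {
            try {
                setDenyStatus(Integer.parseInt(denyStatusParam.trim()));
            } catch (NumberFormatException e) {
                log.warn("Invalid Deny Status: " + denyStatusParam
                        + ", using default deny status: " + this.denyStatus);
            }
        }
    }

    /**
     * Instantiates the configured {@link Random} implementation via its no-arg constructor.
     * The class name comes from deployment configuration, not from requests; it is still checked
     * to be a {@link Random} before instantiation so a misconfiguration fails at startup with a
     * clear message instead of a {@link ClassCastException}.
     *
     * @throws ServletException if the class cannot be loaded, is not a {@link Random}, or cannot
     *                          be instantiated
     */
    private static Random createRandomSource(String className) throws ServletException {
        Class<?> cls;
        try {
            cls = Class.forName(className);
        } catch (ClassNotFoundException e) {
            throw new ServletException("Invalid Random Class Name " + className, e);
        }
        if (!Random.class.isAssignableFrom(cls)) {
            throw new ServletException("Invalid Random Class Name " + className
                    + ": not a subclass of " + Random.class.getName());
        }
        try {
            return (Random) cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new ServletException("Invalid Random Class Name " + className, e);
        }
    }

    /** @param str session attribute name under which the nonce cache is stored */
    public void setNonceSessionAttributeName(String str) {
        this.nonceSessionAttributeName = str;
    }

    /**
     * @param str request parameter name carrying the nonce. Note that this setting is static and
     *            therefore shared by all instances of this filter.
     */
    public void setNonceParameterName(String str) {
        nonceParameterName = str;
    }

    /** @return whether {@code str} is non-null and contains a non-whitespace character */
    private boolean isNotBlank(String str) {
        return str != null && !str.trim().isEmpty();
    }

    /**
     * Enforces the nonce check and issues a new nonce for the response.
     *
     * <p>Non-HTTP request/response pairs are passed through untouched. Otherwise, unless the request
     * is a {@code GET} to an unprotected page, it must carry a nonce found in the session's cache;
     * if not, {@code denyStatus} is sent and the chain stops. Requests that pass get a session (created
     * if needed), a new nonce added to the cache, and a response wrapper that appends that nonce to
     * encoded URLs.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String path = requestPath(request);
        // Only GET may bypass the check, and only for explicitly listed pages.
        boolean skipNonceCheck = METHOD_GET.equals(request.getMethod())
                && (this.unProtectedPagesFullPath.contains(path) || pathMatchesWildCardPattern(path));

        HttpSession session = request.getSession(false);
        LruCache<String> nonceCache = session == null ? null : nonceCacheOf(session);

        if (!skipNonceCheck) {
            String previousNonce = request.getParameter(nonceParameterName);
            if (nonceCache == null || previousNonce == null || !nonceCache.contains(previousNonce)) {
                log.warn("CSRF attack foiled from " + path);
                response.sendError(this.denyStatus);
                return;
            }
        }

        if (nonceCache == null) {
            nonceCache = new LruCache<String>(this.nonceCacheSize);
            if (session == null) {
                session = request.getSession(true);
            }
            session.setAttribute(this.nonceSessionAttributeName, nonceCache);
        }
        String newNonce = generateNonce();
        nonceCache.add(newNonce);
        filterChain.doFilter(servletRequest, new CsrfResponseWrapper(response, newNonce));
    }

    /** @return servlet path plus path info (when present), the form the unprotected lists use */
    private static String requestPath(HttpServletRequest request) {
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return pathInfo == null ? path : path + pathInfo;
    }

    /** @return the nonce cache stored in {@code session}, or {@code null} if there is none yet */
    @SuppressWarnings("unchecked") // the attribute is only ever written with an LruCache<String> below
    private LruCache<String> nonceCacheOf(HttpSession session) {
        return (LruCache<String>) session.getAttribute(this.nonceSessionAttributeName);
    }

    /**
     * Matches {@code str} against the wildcard entries of the unprotected pages.
     *
     * <p>A pattern starting with {@code *} matches paths ending with the rest of the pattern; one
     * ending with {@code *} matches paths starting with the rest. All {@code *} characters are
     * stripped before comparing, so a pattern consisting of {@code *} alone matches every path.
     */
    private boolean pathMatchesWildCardPattern(String str) {
        for (String pattern : this.unProtectedPagesWildCard) {
            String literal = pattern.replace("*", "");
            if (pattern.startsWith("*") && str.endsWith(literal)) {
                return true;
            }
            if (pattern.endsWith("*") && str.startsWith(literal)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return a new nonce: {@value #NONCE_BYTES} random bytes from the configured source as an
     *         upper-case hex string. Requires {@link #init(FilterConfig)} to have run.
     */
    protected String generateNonce() {
        byte[] bytes = new byte[NONCE_BYTES];
        this.randomSource.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0x0F]).append(HEX[b & 0x0F]);
        }
        return sb.toString();
    }

    /** Nothing to release: the filter holds no external resources. */
    @Override
    public void destroy() {
    }
}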
