package org.owasp.csrfguard;

import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import java.util.function.UnaryOperator;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.owasp.csrfguard.action.IAction;
import org.owasp.csrfguard.servlet.JavaScriptServlet;
import org.owasp.csrfguard.session.LogicalSession;
import org.owasp.csrfguard.token.businessobject.TokenBO;
import org.owasp.csrfguard.token.mapper.TokenMapper;
import org.owasp.csrfguard.token.service.TokenService;
import org.owasp.csrfguard.util.CsrfGuardUtils;
import org.owasp.csrfguard.util.MessageConstants;
import org.owasp.csrfguard.util.RegexValidationUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/csrfguard-4.3.0.jar:org/owasp/csrfguard/CsrfValidator.class */
/**
 * Per-request CSRF validation entry point.
 *
 * <p>A request is first classified by resource URI and HTTP method against the configured
 * protected/unprotected page and method sets; only requests that fall under protection have
 * their CSRF token verified (and, when enabled, rotated). Validation failures are reported to
 * the configured {@link IAction}s rather than thrown to the caller.
 *
 * <p>Page matching is case-sensitive (exact {@code equals}, prefix {@code regionMatches},
 * extension {@code regionMatches}, or full regex {@code matches}), so configured patterns must
 * agree with the casing of the incoming request URI.
 */
public final class CsrfValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(CsrfValidator.class);
    private final CsrfGuard csrfGuard = CsrfGuard.getInstance();

    /**
     * Validates the request.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response (receives the refreshed token header on success)
     * @return {@code true} if the resource is unprotected or the CSRF token verified;
     *         {@code false} if the resource is protected and verification failed
     */
    public boolean isValid(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) {
        final String resourceUri = CsrfGuardUtils.normalizeResourceURI(httpServletRequest);
        final ProtectionResult protection = isProtectedPageAndMethod(httpServletRequest);

        if (!protection.isProtected()) {
            // Unprotected resources pass without any token check.
            LOGGER.debug("Unprotected page: '{}'", resourceUri);
            return true;
        }

        LOGGER.debug("CSRFGuard analyzing protected resource: '{}'", resourceUri);
        return isTokenValidInRequest(httpServletRequest, httpServletResponse, protection.getResourceIdentifier());
    }

    /**
     * Classifies a URI/method pair.
     *
     * @param requestUri the raw request URI; normalized before matching
     * @param httpMethod the HTTP method of the request
     * @return the page's protection result when both the page and the method are protected,
     *         otherwise an unprotected result carrying the normalized URI
     */
    public ProtectionResult isProtectedPageAndMethod(final String requestUri, final String httpMethod) {
        final String resourceUri = CsrfGuardUtils.normalizeResourceURI(requestUri);
        final ProtectionResult pageResult = isProtectedPage(resourceUri);

        // The method check only runs when the page itself is protected.
        if (pageResult.isProtected() && isProtectedMethod(httpMethod)) {
            return pageResult;
        }
        return new ProtectionResult(false, resourceUri);
    }

    /**
     * Classifies a (normalized) resource URI.
     *
     * <p>URIs served by the {@link JavaScriptServlet} are never protected. In "protect" mode the
     * URI must match one of the protected pages; otherwise every URI is protected unless it
     * matches one of the unprotected pages.
     *
     * @param resourceUri the normalized resource URI
     * @return the protection result for the URI
     */
    public ProtectionResult isProtectedPage(final String resourceUri) {
        if (JavaScriptServlet.getJavascriptUris().contains(resourceUri)) {
            return new ProtectionResult(false, resourceUri);
        }

        if (this.csrfGuard.isProtectEnabled()) {
            // Allow-list mode: no match means unprotected.
            return isUriMatch(resourceUri, this.csrfGuard.getProtectedPages(), UnaryOperator.identity(), false);
        }

        // Deny-list mode: a match flips the result to unprotected, no match means protected.
        return isUriMatch(resourceUri, this.csrfGuard.getUnprotectedPages(),
                match -> new ProtectionResult(false, match.getResourceIdentifier()), true);
    }

    /**
     * Servlet-style path mapping: {@code /*} matches everything; {@code /prefix/*} matches the
     * prefix itself or the prefix followed by a {@code /} segment boundary.
     *
     * @param testPath    the configured pattern
     * @param requestPath the request URI
     * @return whether the pattern matches the URI by path prefix
     */
    private static boolean isUriPathMatch(final String testPath, final String requestPath) {
        if (testPath.equals("/*")) {
            return true;
        }
        if (!testPath.endsWith("/*")) {
            return false;
        }

        final int prefixLength = testPath.length() - 2;
        if (!testPath.regionMatches(0, requestPath, 0, prefixLength)) {
            return false;
        }
        // Either the URI is exactly the prefix, or the prefix is followed by a path separator.
        return requestPath.length() == prefixLength || requestPath.charAt(prefixLength) == '/';
    }

    /**
     * Servlet-style extension mapping: {@code *.ext} matches a URI whose last path segment ends
     * in {@code .ext}. A URI without any {@code /} never matches.
     *
     * @param testPath    the configured pattern
     * @param requestPath the request URI
     * @return whether the pattern matches the URI by extension
     */
    private static boolean isExtensionMatch(final String testPath, final String requestPath) {
        if (!StringUtils.startsWith(testPath, "*.")) {
            return false;
        }

        final int lastSlash = requestPath.lastIndexOf('/');
        final int lastDot = requestPath.lastIndexOf('.');

        // The dot must sit in the last segment, not be the final character, and the extension
        // length must equal the pattern's extension length before the bytes are compared.
        final boolean extensionShapeMatches = lastSlash >= 0
                && lastDot > lastSlash
                && lastDot != requestPath.length() - 1
                && requestPath.length() - lastDot == testPath.length() - 1;

        return extensionShapeMatches
                && testPath.regionMatches(2, requestPath, lastDot + 1, testPath.length() - 2);
    }

    /**
     * Matches a URI against a set of patterns, returning the first match transformed by
     * {@code onMatch}, or a result with {@code defaultProtected} if nothing matches.
     */
    private ProtectionResult isUriMatch(final String requestPath, final Set<String> testPaths,
                                        final UnaryOperator<ProtectionResult> onMatch, final boolean defaultProtected) {
        for (final String testPath : testPaths) {
            final ProtectionResult candidate = isUriMatch(testPath, requestPath);
            if (candidate.isProtected()) {
                return onMatch.apply(candidate);
            }
        }
        return new ProtectionResult(defaultProtected, requestPath);
    }

    /** Creates a new token service bound to this validator's {@link CsrfGuard}. */
    private TokenService getTokenService() {
        return new TokenService(this.csrfGuard);
    }

    /** Convenience overload taking the URI and method from the request. */
    private ProtectionResult isProtectedPageAndMethod(final HttpServletRequest httpServletRequest) {
        return isProtectedPageAndMethod(httpServletRequest.getRequestURI(), httpServletRequest.getMethod());
    }

    /**
     * A method is protected unless a non-empty protected-method set excludes it, or a non-empty
     * unprotected-method set includes it. Comparison is exact (case-sensitive).
     *
     * @param httpMethod the HTTP method
     * @return whether the method is subject to CSRF validation
     */
    private boolean isProtectedMethod(final String httpMethod) {
        final Set<String> protectedMethods = this.csrfGuard.getProtectedMethods();
        final boolean allowedByProtectedSet = protectedMethods.isEmpty() || protectedMethods.contains(httpMethod);

        final Set<String> unprotectedMethods = this.csrfGuard.getUnprotectedMethods();
        final boolean allowedByUnprotectedSet = unprotectedMethods.isEmpty() || !unprotectedMethods.contains(httpMethod);

        return allowedByProtectedSet && allowedByUnprotectedSet;
    }

    /**
     * Matches a single pattern against a URI.
     *
     * <p>Exact, path-prefix and extension matches identify the resource by the request path;
     * a regex match identifies it by the pattern itself, so per-page tokens for a regex rule are
     * keyed on the pattern rather than on each concrete URI.
     *
     * @param testPath    the configured pattern (may be {@code null}, which never matches)
     * @param requestPath the request URI
     * @return the protection result for this pattern
     */
    private ProtectionResult isUriMatch(final String testPath, final String requestPath) {
        if (testPath == null) {
            return new ProtectionResult(false, requestPath);
        }

        final boolean literalMatch = testPath.equals(requestPath)
                || isUriPathMatch(testPath, requestPath)
                || isExtensionMatch(testPath, requestPath);
        if (literalMatch) {
            return new ProtectionResult(true, requestPath);
        }

        if (isUriRegexMatch(testPath, requestPath)) {
            return new ProtectionResult(true, testPath);
        }
        return new ProtectionResult(false, requestPath);
    }

    /**
     * Full-string regex match using the shared, lazily populated pattern cache.
     *
     * @param testPath    the configured pattern
     * @param requestPath the request URI
     * @return whether the pattern is a regex rule and matches the whole URI
     */
    private boolean isUriRegexMatch(final String testPath, final String requestPath) {
        if (!RegexValidationUtil.isTestPathRegex(testPath)) {
            return false;
        }
        final Pattern compiled = this.csrfGuard.getRegexPatternCache().computeIfAbsent(testPath, Pattern::compile);
        return compiled.matcher(requestPath).matches();
    }

    /**
     * Verifies the CSRF token carried by the request against the stored master token and, on
     * success, writes the (possibly rotated) token back to the response header.
     *
     * <p>A missing logical session and a missing master token are both reported to the error
     * actions with {@code TOKEN_MISSING_FROM_STORAGE_MSG}; a failed verification is reported
     * with the exception raised by the token service.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response
     * @param resourceIdentifier  the identifier returned by page matching
     * @return {@code true} only when the token was verified and the response header was written
     */
    private boolean isTokenValidInRequest(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse, final String resourceIdentifier) {
        // NOTE(review): the instance is re-fetched here rather than read from the field,
        // as in the original; presumably both refer to the same object — confirm.
        final CsrfGuard guard = CsrfGuard.getInstance();

        final LogicalSession logicalSession = guard.getLogicalSessionExtractor().extract(httpServletRequest);
        if (logicalSession == null) {
            callActionsOnError(httpServletRequest, httpServletResponse, new CsrfGuardException(MessageConstants.TOKEN_MISSING_FROM_STORAGE_MSG));
            return false;
        }

        final TokenService tokenService = getTokenService();
        final String sessionKey = logicalSession.getKey();
        final String masterToken = tokenService.getMasterToken(sessionKey);
        if (masterToken == null) {
            callActionsOnError(httpServletRequest, httpServletResponse, new CsrfGuardException(MessageConstants.TOKEN_MISSING_FROM_STORAGE_MSG));
            return false;
        }

        try {
            final TokenBO usedToken = tokenService.verifyToken(httpServletRequest, resourceIdentifier, sessionKey, masterToken);
            // Rotation consumes the used token and issues a fresh one; otherwise the verified
            // token is echoed back unchanged.
            CsrfGuardUtils.addResponseTokenHeader(guard, httpServletRequest, httpServletResponse,
                    guard.isRotateEnabled(httpServletRequest)
                            ? tokenService.rotateUsedToken(sessionKey, resourceIdentifier, usedToken)
                            : TokenMapper.toTransferObject(usedToken));
            return true;
        } catch (final CsrfGuardException e) {
            callActionsOnError(httpServletRequest, httpServletResponse, e);
            return false;
        }
    }

    /**
     * Runs every configured action for a validation failure. A {@link CsrfGuardException} from
     * one action is logged and does not prevent the remaining actions from running.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response
     * @param csrfGuardException  the failure being reported
     */
    private void callActionsOnError(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse, final CsrfGuardException csrfGuardException) {
        for (final IAction action : this.csrfGuard.getActions()) {
            try {
                action.execute(httpServletRequest, httpServletResponse, csrfGuardException, this.csrfGuard);
            } catch (final CsrfGuardException e) {
                LOGGER.error(String.format("Error while executing action '%s'", action.getName()), (Throwable) e);
            }
        }
    }
}
