package org.owasp.csrfguard;

import java.io.IOException;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.owasp.csrfguard.action.IAction;
import org.owasp.csrfguard.config.ConfigurationProvider;
import org.owasp.csrfguard.config.ConfigurationProviderFactory;
import org.owasp.csrfguard.config.NullConfigurationProvider;
import org.owasp.csrfguard.config.PropertiesConfigurationProvider;
import org.owasp.csrfguard.config.overlay.ExpirableCache;
import org.owasp.csrfguard.log.ILogger;
import org.owasp.csrfguard.log.LogLevel;
import org.owasp.csrfguard.servlet.JavaScriptServlet;
import org.owasp.csrfguard.util.CsrfGuardUtils;
import org.owasp.csrfguard.util.RandomGenerator;
import org.owasp.csrfguard.util.Streams;
import org.owasp.csrfguard.util.Writers;

/* loaded from: input_file:csrfguard-3.1.0.jar:org/owasp/csrfguard/CsrfGuard.class */
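/**
 * Central entry point of OWASP CSRFGuard: holds the loaded {@link Properties}, resolves the
 * active {@link ConfigurationProvider}, and generates, stores and verifies CSRF tokens against
 * the {@link HttpSession}.
 *
 * <p>The session-wide token is stored under the attribute named by {@link #getSessionKey()}.
 * When token-per-page is enabled, a {@code Map<String, String>} keyed by request URI is also
 * stored under {@link #PAGE_TOKENS_KEY}.
 *
 * <p>Submitted tokens are compared with {@link MessageDigest#isEqual(byte[], byte[])} so that
 * the time taken by a comparison does not depend on how many leading characters matched.
 *
 * <p>This class is a process-wide singleton ({@link #getInstance()}) shared by all request
 * threads, so the only mutable per-instance cache (compiled regex patterns) is a concurrent map.
 */
/* loaded from: input_file:csrfguard-3.1.0.jar:org/owasp/csrfguard/CsrfGuard.class */
public final class CsrfGuard {

    /** Session attribute holding the per-page token map ({@code Map<String, String>}, URI -> token). */
    public static final String PAGE_TOKENS_KEY = "Owasp_CsrfGuard_Pages_Tokens_Key";

    /** Error text used whenever token generation fails; the cause's localized message is appended. */
    private static final String TOKEN_GENERATION_ERROR = "unable to generate the random token - %s";

    // Single-entry cache of the resolved ConfigurationProvider; the constructor argument's meaning
    // (TTL vs. capacity) is not visible from this file.
    private static ExpirableCache<Boolean, ConfigurationProvider> configurationProviderExpirableCache = new ExpirableCache<>(1);

    // Raw configuration supplied via load(); null until load() has been called.
    private Properties properties = null;

    // Compiled patterns for regex-style path specs ("^...$"), shared across request threads.
    private final ConcurrentMap<String, Pattern> regexPatternCache = new ConcurrentHashMap<String, Pattern>();

    /** Lazy, thread-safe holder for the singleton instance (initialization-on-demand idiom). */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:csrfguard-3.1.0.jar:org/owasp/csrfguard/CsrfGuard$SingletonHolder.class */
    public static final class SingletonHolder {
        public static final CsrfGuard instance = new CsrfGuard();

        private SingletonHolder() {
        }
    }

    /**
     * Resolves the configuration provider to use for the current call.
     *
     * <p>Returns a {@link NullConfigurationProvider} until {@link #load(Properties)} has been
     * called. Otherwise the cached provider is used; a provider that reports itself as not
     * cacheable is re-retrieved on every call.
     *
     * @return the active configuration provider, never {@code null}
     */
    private ConfigurationProvider config() {
        if (this.properties == null) {
            return new NullConfigurationProvider();
        }
        ConfigurationProvider provider = configurationProviderExpirableCache.get(Boolean.TRUE);
        if (provider == null) {
            synchronized (CsrfGuard.class) {
                // Re-read under the lock: a concurrent caller may already have populated the
                // cache, in which case its result is reused instead of building a second one.
                provider = configurationProviderExpirableCache.get(Boolean.TRUE);
                if (provider == null) {
                    provider = retrieveNewConfig();
                }
            }
        } else if (!provider.isCacheable()) {
            provider = retrieveNewConfig();
        }
        return provider;
    }

    /**
     * Instantiates the configured {@link ConfigurationProviderFactory}, asks it for a provider
     * built from {@link #properties}, and stores that provider in the cache.
     *
     * @return the freshly retrieved provider
     */
    private ConfigurationProvider retrieveNewConfig() {
        // The factory class name comes from the properties; the properties-file provider is the default.
        String factoryClassName = this.properties.getProperty(
                "org.owasp.csrfguard.configuration.provider.factory",
                PropertiesConfigurationProvider.class.getName());
        ConfigurationProviderFactory factory =
                (ConfigurationProviderFactory) CsrfGuardUtils.newInstance(CsrfGuardUtils.forName(factoryClassName));
        ConfigurationProvider provider = factory.retrieveConfiguration(this.properties);
        configurationProviderExpirableCache.put(Boolean.TRUE, provider);
        return provider;
    }

    /** @return the process-wide {@code CsrfGuard} instance */
    public static CsrfGuard getInstance() {
        return SingletonHolder.instance;
    }

    /**
     * Installs the configuration properties on the singleton. The provider itself is resolved
     * lazily by {@link #config()}.
     *
     * @param properties the CSRFGuard configuration
     * @throws NoSuchAlgorithmException declared for callers; not thrown by this implementation
     * @throws InstantiationException declared for callers; not thrown by this implementation
     * @throws IllegalAccessException declared for callers; not thrown by this implementation
     * @throws ClassNotFoundException declared for callers; not thrown by this implementation
     * @throws IOException declared for callers; not thrown by this implementation
     * @throws NoSuchProviderException declared for callers; not thrown by this implementation
     */
    public static void load(Properties properties) throws NoSuchAlgorithmException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException, NoSuchProviderException {
        getInstance().properties = properties;
    }

    /** @return the configured logger */
    public ILogger getLogger() {
        return config().getLogger();
    }

    /** @return the request parameter / header name carrying the token */
    public String getTokenName() {
        return config().getTokenName();
    }

    /** @return the configured token length passed to the random generator */
    public int getTokenLength() {
        return config().getTokenLength();
    }

    /** @return whether tokens are rotated after each verified non-AJAX request */
    public boolean isRotateEnabled() {
        return config().isRotateEnabled();
    }

    /** @return whether a distinct token is kept per protected page */
    public boolean isTokenPerPageEnabled() {
        return config().isTokenPerPageEnabled();
    }

    /** @return whether page tokens are created on lookup rather than only on update */
    public boolean isTokenPerPagePrecreate() {
        return config().isTokenPerPagePrecreateEnabled();
    }

    /** @return whether validation is performed even when no session exists */
    public boolean isValidateWhenNoSessionExists() {
        return config().isValidateWhenNoSessionExists();
    }

    /** @return the configured secure random source for token generation */
    public SecureRandom getPrng() {
        return config().getPrng();
    }

    /** @return the configured landing page URL, or {@code null} to fall back to the current servlet */
    public String getNewTokenLandingPage() {
        return config().getNewTokenLandingPage();
    }

    /** @return whether the new-token landing page feature is enabled */
    public boolean isUseNewTokenLandingPage() {
        return config().isUseNewTokenLandingPage();
    }

    /** @return whether AJAX (header-based) token verification is enabled */
    public boolean isAjaxEnabled() {
        return config().isAjaxEnabled();
    }

    /** @return whether pages are protected by default */
    public boolean isProtectEnabled() {
        return config().isProtectEnabled();
    }

    /** @return whether CSRFGuard is enabled at all */
    public boolean isEnabled() {
        return config().isEnabled();
    }

    /** @return the session attribute name under which the session-wide token is stored */
    public String getSessionKey() {
        return config().getSessionKey();
    }

    /** @return path specs of explicitly protected pages */
    public Set<String> getProtectedPages() {
        return config().getProtectedPages();
    }

    /** @return path specs of explicitly unprotected pages */
    public Set<String> getUnprotectedPages() {
        return config().getUnprotectedPages();
    }

    /** @return HTTP methods that are protected (empty means all) */
    public Set<String> getProtectedMethods() {
        return config().getProtectedMethods();
    }

    /** @return actions executed when a request fails verification */
    public List<IAction> getActions() {
        return config().getActions();
    }

    /** @return the JavaScript source file served to clients */
    public String getJavascriptSourceFile() {
        return config().getJavascriptSourceFile();
    }

    /** @return whether the client script injects form attributes */
    public boolean isJavascriptInjectFormAttributes() {
        return config().isJavascriptInjectFormAttributes();
    }

    /** @return whether the client script injects tokens into GET forms */
    public boolean isJavascriptInjectGetForms() {
        return config().isJavascriptInjectGetForms();
    }

    /** @return whether the client script is domain-strict */
    public boolean isJavascriptDomainStrict() {
        return config().isJavascriptDomainStrict();
    }

    /** @return whether the script servlet requires the referer to match the domain */
    public boolean isJavascriptRefererMatchDomain() {
        return config().isJavascriptRefererMatchDomain();
    }

    /** @return the Cache-Control header value for the served script */
    public String getJavascriptCacheControl() {
        return config().getJavascriptCacheControl();
    }

    /** @return the referer pattern accepted by the script servlet */
    public Pattern getJavascriptRefererPattern() {
        return config().getJavascriptRefererPattern();
    }

    /** @return whether the client script injects tokens into forms */
    public boolean isJavascriptInjectIntoForms() {
        return config().isJavascriptInjectIntoForms();
    }

    /** @return whether the client script injects tokens into attributes */
    public boolean isJavascriptInjectIntoAttributes() {
        return config().isJavascriptInjectIntoAttributes();
    }

    /** @return the X-Requested-With value the client script sends */
    public String getJavascriptXrequestedWith() {
        return config().getJavascriptXrequestedWith();
    }

    /** @return the JavaScript template source */
    public String getJavascriptTemplateCode() {
        return config().getJavascriptTemplateCode();
    }

    /**
     * Returns the token applicable to the request's own URI.
     *
     * @param httpServletRequest the current request
     * @return the page token if one exists, else the session token, else {@code null}
     */
    public String getTokenValue(HttpServletRequest httpServletRequest) {
        return getTokenValue(httpServletRequest, httpServletRequest.getRequestURI());
    }

    /**
     * Returns the token applicable to {@code uri} for the request's existing session.
     *
     * <p>No session is created. With token-per-page enabled the page map is consulted first
     * (and, if pre-creation is enabled, populated for {@code uri}); otherwise, or if no page
     * token exists, the session-wide token is returned.
     *
     * @param httpServletRequest the current request
     * @param uri the URI whose token is wanted
     * @return the token, or {@code null} when there is no session or no token stored
     */
    public String getTokenValue(HttpServletRequest httpServletRequest, String uri) {
        String token = null;
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            if (isTokenPerPageEnabled()) {
                Map<String, String> pageTokens = pageTokens(session);
                if (pageTokens != null) {
                    if (isTokenPerPagePrecreate()) {
                        createPageToken(pageTokens, uri);
                    }
                    token = pageTokens.get(uri);
                }
            }
            if (token == null) {
                token = (String) session.getAttribute(getSessionKey());
            }
        }
        return token;
    }

    /**
     * Verifies the request's CSRF token and runs the configured actions on failure.
     *
     * <p>Unprotected page/method combinations are accepted without verification. A protected
     * request whose session has no token is treated as a failure. After verification (pass or
     * fail) of a non-AJAX request, tokens are rotated if rotation is enabled.
     *
     * @param httpServletRequest the current request (a session is created if none exists)
     * @param httpServletResponse the response handed to the error actions
     * @return {@code true} if the request is unprotected or its token verified
     */
    public boolean isValidRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!isProtectedPageAndMethod(httpServletRequest)) {
            return true;
        }
        String sessionToken = (String) httpServletRequest.getSession(true).getAttribute(getSessionKey());
        if (sessionToken == null) {
            // A protected request must arrive with a token already in session.
            callActionsOnError(httpServletRequest, httpServletResponse,
                    new CsrfGuardException("CsrfGuard expects the token to exist in session at this point"));
            return false;
        }
        boolean valid = false;
        try {
            if (isAjaxEnabled() && isAjaxRequest(httpServletRequest)) {
                verifyAjaxToken(httpServletRequest);
            } else if (isTokenPerPageEnabled()) {
                verifyPageToken(httpServletRequest);
            } else {
                verifySessionToken(httpServletRequest);
            }
            valid = true;
        } catch (CsrfGuardException e) {
            callActionsOnError(httpServletRequest, httpServletResponse, e);
        }
        // Rotation happens regardless of the outcome so a rejected token cannot be retried.
        if (!isAjaxRequest(httpServletRequest) && isRotateEnabled()) {
            rotateTokens(httpServletRequest);
        }
        return valid;
    }

    /**
     * Runs every configured {@link IAction} for a failed verification. An action that itself
     * throws is logged and does not stop the remaining actions.
     */
    private void callActionsOnError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, CsrfGuardException csrfGuardException) {
        for (IAction action : getActions()) {
            try {
                action.execute(httpServletRequest, httpServletResponse, csrfGuardException, this);
            } catch (CsrfGuardException e) {
                getLogger().log(LogLevel.Error, e);
            }
        }
    }

    /**
     * Stores a fresh session-wide token if the session has none yet.
     *
     * @param httpSession the session to update
     * @throws RuntimeException if token generation fails
     */
    public void updateToken(HttpSession httpSession) {
        if (httpSession.getAttribute(getSessionKey()) == null) {
            httpSession.setAttribute(getSessionKey(), generateToken());
        }
    }

    /**
     * Ensures the request's session carries a session token and, with token-per-page enabled,
     * a page-token map containing a token for the request URI when that URI is protected.
     * Does nothing if the request has no session.
     *
     * @param httpServletRequest the current request
     */
    public void updateTokens(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return;
        }
        updateToken(session);
        if (isTokenPerPageEnabled()) {
            Map<String, String> pageTokens = pageTokens(session);
            if (pageTokens == null) {
                pageTokens = new HashMap<String, String>();
                session.setAttribute(PAGE_TOKENS_KEY, pageTokens);
            }
            if (isProtectedPageAndMethod(httpServletRequest)) {
                createPageToken(pageTokens, httpServletRequest.getRequestURI());
            }
        }
    }

    /**
     * Adds a token for {@code uri} to the page-token map unless one is already present.
     *
     * @param pageTokens the map to update; {@code null} is ignored
     * @param uri the page URI
     * @throws RuntimeException if token generation fails
     */
    private void createPageToken(Map<String, String> pageTokens, String uri) {
        if (pageTokens == null || pageTokens.containsKey(uri)) {
            return;
        }
        pageTokens.put(uri, generateToken());
    }

    /**
     * Generates one token with the configured PRNG and length.
     *
     * @throws RuntimeException wrapping any failure of the generator
     */
    private String generateToken() {
        try {
            return RandomGenerator.generateRandomId(getPrng(), getTokenLength());
        } catch (Exception e) {
            throw new RuntimeException(String.format(TOKEN_GENERATION_ERROR, e.getLocalizedMessage()), e);
        }
    }

    /** Reads the page-token map from the session; {@code null} if absent. */
    @SuppressWarnings("unchecked") // the map is only ever stored by this class as Map<String, String>
    private static Map<String, String> pageTokens(HttpSession session) {
        return (Map<String, String>) session.getAttribute(PAGE_TOKENS_KEY);
    }

    /**
     * Writes an HTML page that auto-submits a POST form to the landing page, carrying the
     * applicable token as a hidden field when the landing page is protected.
     *
     * <p>The landing page defaults to the request's context path plus servlet path, so it is
     * request-derived; every value placed inside the generated script is escaped for a
     * JavaScript string literal. The body is encoded as UTF-8 and the declared content length
     * is the encoded byte count.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response to write to
     * @throws IOException if the response stream cannot be written
     */
    public void writeLandingPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String landingPage = getNewTokenLandingPage();
        if (landingPage == null) {
            landingPage = httpServletRequest.getContextPath() + httpServletRequest.getServletPath();
        }
        StringBuilder sb = new StringBuilder();
        sb.append("<html>\r\n");
        sb.append("<head>\r\n");
        sb.append("<title>OWASP CSRFGuard Project - New Token Landing Page</title>\r\n");
        sb.append("</head>\r\n");
        sb.append("<body>\r\n");
        sb.append("<script type=\"text/javascript\">\r\n");
        sb.append("var form = document.createElement(\"form\");\r\n");
        sb.append("form.setAttribute(\"method\", \"post\");\r\n");
        sb.append("form.setAttribute(\"action\", \"");
        sb.append(escapeJsString(landingPage));
        sb.append("\");\r\n");
        // The raw (unescaped) value is used for matching; only the emitted literal is escaped.
        if (isProtectedPage(landingPage)) {
            sb.append("var hiddenField = document.createElement(\"input\");\r\n");
            sb.append("hiddenField.setAttribute(\"type\", \"hidden\");\r\n");
            sb.append("hiddenField.setAttribute(\"name\", \"");
            sb.append(escapeJsString(getTokenName()));
            sb.append("\");\r\n");
            sb.append("hiddenField.setAttribute(\"value\", \"");
            sb.append(escapeJsString(getTokenValue(httpServletRequest, landingPage)));
            sb.append("\");\r\n");
            sb.append("form.appendChild(hiddenField);\r\n");
        }
        sb.append("document.body.appendChild(form);\r\n");
        sb.append("form.submit();\r\n");
        sb.append("</script>\r\n");
        sb.append("</body>\r\n");
        sb.append("</html>\r\n");
        byte[] body = sb.toString().getBytes(StandardCharsets.UTF_8);
        // Declare the charset actually used and a length that matches the bytes written.
        httpServletResponse.setContentType("text/html;charset=UTF-8");
        httpServletResponse.setContentLength(body.length);
        OutputStream outputStream = httpServletResponse.getOutputStream();
        try {
            outputStream.write(body);
            outputStream.flush();
        } finally {
            Streams.close(outputStream);
        }
    }

    /**
     * Escapes a value for inclusion inside a double-quoted JavaScript string literal embedded in
     * an HTML {@code <script>} block. Backslash, both quote characters, {@code < > &}, the JS
     * line separators U+2028/U+2029 and all C0 control characters are emitted as {@code \\uXXXX};
     * everything else is copied unchanged, so ordinary paths and tokens are unaffected.
     *
     * @param value the value; {@code null} is rendered as the text {@code "null"}
     */
    private static String escapeJsString(String value) {
        String text = String.valueOf(value);
        StringBuilder out = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '\\':
                case '"':
                case '\'':
                case '<':
                case '>':
                case '&':
                case '\u2028':
                case '\u2029':
                    out.append(String.format("\\u%04x", (int) c));
                    break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Renders the effective configuration for logging. Token values are never included; only
     * settings, the PRNG algorithm name and action class names/parameters.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("\r\n*****************************************************\r\n");
        sb.append("* Owasp.CsrfGuard Properties\r\n");
        sb.append("*\r\n");
        sb.append(String.format("* Logger: %s\r\n", getLogger().getClass().getName()));
        sb.append(String.format("* NewTokenLandingPage: %s\r\n", getNewTokenLandingPage()));
        sb.append(String.format("* PRNG: %s\r\n", getPrng().getAlgorithm()));
        sb.append(String.format("* SessionKey: %s\r\n", getSessionKey()));
        sb.append(String.format("* TokenLength: %s\r\n", Integer.valueOf(getTokenLength())));
        sb.append(String.format("* TokenName: %s\r\n", getTokenName()));
        sb.append(String.format("* Ajax: %s\r\n", Boolean.valueOf(isAjaxEnabled())));
        sb.append(String.format("* Rotate: %s\r\n", Boolean.valueOf(isRotateEnabled())));
        sb.append(String.format("* Javascript cache control: %s\r\n", getJavascriptCacheControl()));
        sb.append(String.format("* Javascript domain strict: %s\r\n", Boolean.valueOf(isJavascriptDomainStrict())));
        sb.append(String.format("* Javascript inject attributes: %s\r\n", Boolean.valueOf(isJavascriptInjectIntoAttributes())));
        sb.append(String.format("* Javascript inject forms: %s\r\n", Boolean.valueOf(isJavascriptInjectIntoForms())));
        sb.append(String.format("* Javascript referer pattern: %s\r\n", getJavascriptRefererPattern()));
        sb.append(String.format("* Javascript referer match domain: %s\r\n", Boolean.valueOf(isJavascriptRefererMatchDomain())));
        sb.append(String.format("* Javascript source file: %s\r\n", getJavascriptSourceFile()));
        sb.append(String.format("* Javascript X requested with: %s\r\n", getJavascriptXrequestedWith()));
        sb.append(String.format("* Protected methods: %s\r\n", CsrfGuardUtils.toStringForLog(getProtectedMethods())));
        sb.append(String.format("* Protected pages size: %s\r\n", Integer.valueOf(CsrfGuardUtils.length(getProtectedPages()))));
        sb.append(String.format("* Unprotected methods: %s\r\n", CsrfGuardUtils.toStringForLog(getUnprotectedMethods())));
        sb.append(String.format("* Unprotected pages size: %s\r\n", Integer.valueOf(CsrfGuardUtils.length(getUnprotectedPages()))));
        sb.append(String.format("* TokenPerPage: %s\r\n", Boolean.valueOf(isTokenPerPageEnabled())));
        sb.append(String.format("* Enabled: %s\r\n", Boolean.valueOf(isEnabled())));
        sb.append(String.format("* ValidateWhenNoSessionExists: %s\r\n", Boolean.valueOf(isValidateWhenNoSessionExists())));
        for (IAction action : getActions()) {
            sb.append(String.format("* Action: %s\r\n", action.getClass().getName()));
            for (String parameterName : action.getParameterMap().keySet()) {
                sb.append(String.format("*\tParameter: %s = %s\r\n", parameterName, action.getParameter(parameterName)));
            }
        }
        sb.append("*****************************************************\r\n");
        return sb.toString();
    }

    /** A request is treated as AJAX when it carries any {@code X-Requested-With} header. */
    private boolean isAjaxRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader("X-Requested-With") != null;
    }

    /**
     * Compares a submitted token with the expected one without short-circuiting on the first
     * differing byte. {@code null} on either side never matches.
     */
    private static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Verifies the token sent in the request header named {@link #getTokenName()} against the
     * session-wide token.
     *
     * @throws CsrfGuardException if the header is absent or does not match
     */
    private void verifyAjaxToken(HttpServletRequest httpServletRequest) throws CsrfGuardException {
        String sessionToken = (String) httpServletRequest.getSession(true).getAttribute(getSessionKey());
        String header = httpServletRequest.getHeader(getTokenName());
        if (header == null) {
            throw new CsrfGuardException("required token is missing from the request");
        }
        if (tokensMatch(sessionToken, header)) {
            return;
        }
        // A comma-joined header value is reduced to its first element before the second attempt.
        if (header.contains(",")) {
            header = header.substring(0, header.indexOf(',')).trim();
        }
        if (!tokensMatch(sessionToken, header)) {
            throw new CsrfGuardException("request token does not match session token");
        }
    }

    /**
     * Verifies the token sent as the request parameter named {@link #getTokenName()} against the
     * page token for the request URI, falling back to the session-wide token when the page has
     * no token of its own.
     *
     * @throws CsrfGuardException if the parameter is absent or does not match
     */
    private void verifyPageToken(HttpServletRequest httpServletRequest) throws CsrfGuardException {
        HttpSession session = httpServletRequest.getSession(true);
        Map<String, String> pageTokens = pageTokens(session);
        String pageToken = pageTokens != null ? pageTokens.get(httpServletRequest.getRequestURI()) : null;
        String sessionToken = (String) session.getAttribute(getSessionKey());
        String submitted = httpServletRequest.getParameter(getTokenName());
        if (submitted == null) {
            throw new CsrfGuardException("required token is missing from the request");
        }
        if (pageToken != null) {
            if (!tokensMatch(pageToken, submitted)) {
                throw new CsrfGuardException("request token does not match page token");
            }
        } else if (!tokensMatch(sessionToken, submitted)) {
            throw new CsrfGuardException("request token does not match session token");
        }
    }

    /**
     * Verifies the token sent as the request parameter named {@link #getTokenName()} against the
     * session-wide token.
     *
     * @throws CsrfGuardException if the parameter is absent or does not match
     */
    private void verifySessionToken(HttpServletRequest httpServletRequest) throws CsrfGuardException {
        String sessionToken = (String) httpServletRequest.getSession(true).getAttribute(getSessionKey());
        String submitted = httpServletRequest.getParameter(getTokenName());
        if (submitted == null) {
            throw new CsrfGuardException("required token is missing from the request");
        }
        if (!tokensMatch(sessionToken, submitted)) {
            throw new CsrfGuardException("request token does not match session token");
        }
    }

    /**
     * Replaces the session-wide token and, with token-per-page enabled, the token for the
     * request URI (creating the page map if it is missing).
     *
     * @throws RuntimeException if token generation fails
     */
    private void rotateTokens(HttpServletRequest httpServletRequest) {
        HttpSession session = httpServletRequest.getSession(true);
        session.setAttribute(getSessionKey(), generateToken());
        if (isTokenPerPageEnabled()) {
            Map<String, String> pageTokens = pageTokens(session);
            if (pageTokens == null) {
                pageTokens = new HashMap<String, String>();
                session.setAttribute(PAGE_TOKENS_KEY, pageTokens);
            }
            pageTokens.put(httpServletRequest.getRequestURI(), generateToken());
        }
    }

    /**
     * Decides whether a URI is protected.
     *
     * <p>The JavaScript servlet's own URIs are never protected. Otherwise an exact (non-regex)
     * entry in the protected or unprotected page list decides immediately; pattern matches set
     * the result, with unprotected patterns overriding protected ones; with no match the result
     * is the inverse of {@link #isProtectEnabled()}.
     *
     * @param uri the request URI
     * @return {@code true} if the URI is protected
     */
    public boolean isProtectedPage(String uri) {
        if (JavaScriptServlet.getJavascriptUris().contains(uri)) {
            return false;
        }
        boolean protectedPage = !isProtectEnabled();
        for (String spec : getProtectedPages()) {
            if (isUriExactMatch(spec, uri)) {
                return true;
            }
            if (isUriMatch(spec, uri)) {
                protectedPage = true;
            }
        }
        for (String spec : getUnprotectedPages()) {
            if (isUriExactMatch(spec, uri)) {
                return false;
            }
            if (isUriMatch(spec, uri)) {
                protectedPage = false;
            }
        }
        return protectedPage;
    }

    /**
     * Decides whether an HTTP method is protected: every method is, unless a non-empty protected
     * list omits it or a non-empty unprotected list contains it.
     *
     * @param method the HTTP method name
     * @return {@code true} if the method is protected
     */
    public boolean isProtectedMethod(String method) {
        Set<String> protectedMethods = getProtectedMethods();
        if (!protectedMethods.isEmpty() && !protectedMethods.contains(method)) {
            return false;
        }
        Set<String> unprotectedMethods = getUnprotectedMethods();
        if (!unprotectedMethods.isEmpty() && unprotectedMethods.contains(method)) {
            return false;
        }
        return true;
    }

    /** @return {@code true} if both the URI and the method are protected */
    public boolean isProtectedPageAndMethod(String uri, String method) {
        return isProtectedPage(uri) && isProtectedMethod(method);
    }

    /** @return {@code true} if the request's URI and method are both protected */
    public boolean isProtectedPageAndMethod(HttpServletRequest httpServletRequest) {
        return isProtectedPageAndMethod(httpServletRequest.getRequestURI(), httpServletRequest.getMethod());
    }

    /** @return whether the configuration should be printed at startup */
    public boolean isPrintConfig() {
        return config().isPrintConfig();
    }

    /**
     * Matches a URI against a path spec.
     *
     * <p>A spec of the form {@code ^...$} is a regular expression (compiled once and cached).
     * Otherwise servlet-style matching applies: exact equality, {@code /*}, a prefix spec
     * {@code /path/*} (matching {@code /path} and {@code /path/...}), or an extension spec
     * {@code *.ext} matching the last path segment's extension.
     *
     * @param spec the configured path spec
     * @param uri the request URI
     * @return {@code true} if the spec matches
     */
    private boolean isUriMatch(String spec, String uri) {
        if (isTestPathRegex(spec)) {
            Pattern pattern = this.regexPatternCache.get(spec);
            if (pattern == null) {
                pattern = Pattern.compile(spec);
                Pattern prior = this.regexPatternCache.putIfAbsent(spec, pattern);
                if (prior != null) {
                    pattern = prior;
                }
            }
            return pattern.matcher(uri).matches();
        }
        boolean match = false;
        if (spec.equals(uri)) {
            match = true;
        }
        if (spec.equals("/*")) {
            match = true;
        }
        if (spec.endsWith("/*") && spec.regionMatches(0, uri, 0, spec.length() - 2)) {
            if (uri.length() == spec.length() - 2) {
                match = true;
            } else if ('/' == uri.charAt(spec.length() - 2)) {
                match = true;
            }
        }
        if (spec.startsWith("*.")) {
            int lastSlash = uri.lastIndexOf('/');
            int lastDot = uri.lastIndexOf('.');
            if (lastSlash >= 0 && lastDot > lastSlash && lastDot != uri.length() - 1
                    && uri.length() - lastDot == spec.length() - 1) {
                match = spec.regionMatches(2, uri, lastDot + 1, spec.length() - 2);
            }
        }
        return match;
    }

    /** A spec is a regex when it is anchored on both ends ({@code ^...$}). */
    private static boolean isTestPathRegex(String spec) {
        return spec != null && spec.startsWith("^") && spec.endsWith("$");
    }

    /** Exact, non-regex equality between a spec and a URI. */
    private boolean isUriExactMatch(String spec, String uri) {
        return !isTestPathRegex(spec) && spec.equals(uri);
    }

    /** @return HTTP methods that are explicitly unprotected */
    public Set<String> getUnprotectedMethods() {
        return config().getUnprotectedMethods();
    }
}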
