package org.owasp.csrfguard.servlet;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;
import java.util.regex.Pattern;
import javax.servlet.ServletConfig;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.owasp.csrfguard.CsrfGuard;
import org.owasp.csrfguard.CsrfGuardServletContextListener;
import org.owasp.csrfguard.CsrfValidator;
import org.owasp.csrfguard.config.properties.javascript.JavaScriptConfigParameters;
import org.owasp.csrfguard.session.LogicalSession;
import org.owasp.csrfguard.token.transferobject.TokenTO;
import org.owasp.csrfguard.util.CsrfGuardUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:csrfguard-4.1.4.jar:org/owasp/csrfguard/servlet/JavaScriptServlet.class */
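/**
 * Serves the CSRFGuard client-side JavaScript on {@code GET} and, when the token-per-page
 * feature is enabled, the page tokens of the caller's logical session as JSON on {@code POST}.
 *
 * <p>The script is produced from {@link CsrfGuard#getJavascriptTemplateCode()} by substituting
 * the {@code %PLACEHOLDER%} markers listed in {@link #JS_REPLACEMENT_MAP}; each entry maps a marker
 * to the function computing its replacement for the current configuration and request.
 *
 * <p>Before the script is served, the {@code Referer} header is checked against the configured
 * referer pattern and, optionally, against the origin of the request itself (see
 * {@link #writeJavaScript(CsrfGuard, HttpServletRequest, HttpServletResponse)}).
 */
public final class JavaScriptServlet extends HttpServlet {
    private static final long serialVersionUID = -1459584282530150483L;

    // Unquoted placeholders: replaced by plain string values inside the template.
    private static final String TOKEN_NAME_IDENTIFIER = "%TOKEN_NAME%";
    private static final String TOKEN_VALUE_IDENTIFIER = "%TOKEN_VALUE%";
    private static final String DOMAIN_ORIGIN_IDENTIFIER = "%DOMAIN_ORIGIN%";
    private static final String CONTEXT_PATH_IDENTIFIER = "%CONTEXT_PATH%";
    private static final String SERVLET_PATH_IDENTIFIER = "%SERVLET_PATH%";
    private static final String X_REQUESTED_WITH_IDENTIFIER = "%X_REQUESTED_WITH%";
    private static final String UNPROTECTED_EXTENSIONS_IDENTIFIER = "%UNPROTECTED_EXTENSIONS%";
    private static final String DYNAMIC_NODE_CREATION_EVENT_NAME_IDENTIFIER = "%DYNAMIC_NODE_CREATION_EVENT_NAME%";

    // Quoted placeholders: the surrounding quotes are part of the marker, so they are consumed
    // together with it and the replacement ends up as an unquoted JavaScript boolean literal.
    private static final String DOMAIN_STRICT_IDENTIFIER = "'%DOMAIN_STRICT%'";
    private static final String INJECT_INTO_XHR_IDENTIFIER = "'%INJECT_XHR%'";
    private static final String INJECT_INTO_FORMS_IDENTIFIER = "'%INJECT_FORMS%'";
    private static final String INJECT_GET_FORMS_IDENTIFIER = "'%INJECT_GET_FORMS%'";
    private static final String INJECT_FORM_ATTRIBUTES_IDENTIFIER = "'%INJECT_FORM_ATTRIBUTES%'";
    private static final String INJECT_INTO_ATTRIBUTES_IDENTIFIER = "'%INJECT_ATTRIBUTES%'";
    private static final String INJECT_INTO_DYNAMIC_NODES_IDENTIFIER = "'%INJECT_DYNAMIC_NODES%'";
    private static final String TOKENS_PER_PAGE_IDENTIFIER = "'%TOKENS_PER_PAGE%'";
    private static final String ASYNC_XHR = "'%ASYNC_XHR%'";

    /** Placeholder marker -> function producing its replacement for a given configuration and request. */
    private static final Map<String, BiFunction<CsrfGuard, HttpServletRequest, String>> JS_REPLACEMENT_MAP = new HashMap<>();

    private static final String JSON_MIME_TYPE = "application/json";
    private static final String JAVASCRIPT_MIME_TYPE = "text/javascript; charset=utf-8";

    /** Upper bound on the number of distinct servlet URIs remembered in {@link #javascriptUris}. */
    private static final int MAX_JAVASCRIPT_URIS = 100;

    /**
     * Context path + servlet path combinations under which this servlet has served the script.
     * Servlet requests are dispatched concurrently by the container, so the set must be thread-safe.
     */
    private static final Set<String> javascriptUris = ConcurrentHashMap.newKeySet();

    private static final Logger LOGGER = LoggerFactory.getLogger(JavaScriptServlet.class);

    /** Configuration handed to the most recently initialised instance; {@code null} until {@link #init} runs. */
    private static ServletConfig servletConfig;

    static {
        JS_REPLACEMENT_MAP.put(TOKEN_NAME_IDENTIFIER, (guard, request) ->
                StringUtils.defaultString(guard.getTokenName()));
        JS_REPLACEMENT_MAP.put(TOKEN_VALUE_IDENTIFIER, (guard, request) ->
                StringUtils.defaultString(getMasterToken(request, guard)));
        JS_REPLACEMENT_MAP.put(UNPROTECTED_EXTENSIONS_IDENTIFIER, (guard, request) ->
                String.valueOf(guard.getJavascriptUnprotectedExtensions()));
        JS_REPLACEMENT_MAP.put(CONTEXT_PATH_IDENTIFIER, (guard, request) ->
                StringUtils.defaultString(request.getContextPath()));
        JS_REPLACEMENT_MAP.put(SERVLET_PATH_IDENTIFIER, (guard, request) ->
                StringUtils.defaultString(request.getContextPath() + request.getServletPath()));
        JS_REPLACEMENT_MAP.put(X_REQUESTED_WITH_IDENTIFIER, (guard, request) ->
                StringUtils.defaultString(guard.getJavascriptXrequestedWith()));
        JS_REPLACEMENT_MAP.put(DYNAMIC_NODE_CREATION_EVENT_NAME_IDENTIFIER, (guard, request) ->
                StringUtils.defaultString(guard.getJavascriptDynamicNodeCreationEventName()));
        // Explicitly configured origin wins; otherwise the host of the request URL is used.
        // The fallback is evaluated eagerly, so parseDomain runs even when a domain origin is configured.
        JS_REPLACEMENT_MAP.put(DOMAIN_ORIGIN_IDENTIFIER, (guard, request) ->
                ObjectUtils.defaultIfNull(guard.getDomainOrigin(), StringUtils.defaultString(parseDomain(request.getRequestURL()))));
        JS_REPLACEMENT_MAP.put(INJECT_INTO_FORMS_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isJavascriptInjectIntoForms()));
        JS_REPLACEMENT_MAP.put(INJECT_GET_FORMS_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isJavascriptInjectGetForms()));
        JS_REPLACEMENT_MAP.put(INJECT_FORM_ATTRIBUTES_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isJavascriptInjectFormAttributes()));
        JS_REPLACEMENT_MAP.put(INJECT_INTO_ATTRIBUTES_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isJavascriptInjectIntoAttributes()));
        JS_REPLACEMENT_MAP.put(INJECT_INTO_DYNAMIC_NODES_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isJavascriptInjectIntoDynamicallyCreatedNodes()));
        JS_REPLACEMENT_MAP.put(INJECT_INTO_XHR_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isAjaxEnabled()));
        JS_REPLACEMENT_MAP.put(TOKENS_PER_PAGE_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isTokenPerPageEnabled()));
        JS_REPLACEMENT_MAP.put(DOMAIN_STRICT_IDENTIFIER, (guard, request) ->
                Boolean.toString(guard.isJavascriptDomainStrict()));
        // The template expects the "async" flag, i.e. the inverse of the "force synchronous" setting.
        JS_REPLACEMENT_MAP.put(ASYNC_XHR, (guard, request) ->
                Boolean.toString(!guard.isForceSynchronousAjax()));
    }

    /**
     * Returns the servlet configuration stored by {@link #init(ServletConfig)}.
     *
     * @return the configuration of the last initialised instance, or {@code null} if none was initialised yet
     */
    public static ServletConfig getStaticServletConfig() {
        return servletConfig;
    }

    /**
     * Returns the live set of context+servlet paths under which the script has been served so far
     * (bounded by {@value #MAX_JAVASCRIPT_URIS} entries). The returned set is thread-safe but not a copy.
     *
     * @return the URIs recorded by {@link #writeJavaScript(CsrfGuard, HttpServletRequest, HttpServletResponse)}
     */
    public static Set<String> getJavascriptUris() {
        return javascriptUris;
    }

    /**
     * Stores the configuration statically and (re-)initialises the JavaScript part of the CSRFGuard
     * configuration, then prints the effective properties if that is configured.
     *
     * <p>NOTE(review): {@code super.init(config)} is not invoked, so the instance-level
     * {@code getServletConfig()} inherited from {@code GenericServlet} stays unset; callers are
     * expected to use {@link #getStaticServletConfig()} instead.
     *
     * @param servletConfig2 the configuration supplied by the container
     */
    @Override
    public void init(final ServletConfig servletConfig2) {
        servletConfig = servletConfig2;
        CsrfGuard.getInstance().initializeJavaScriptConfiguration();
        CsrfGuardServletContextListener.printConfigIfConfigured(servletConfig.getServletContext(), "Printing properties after JavaScript servlet, note, the javascript properties have now been initialized: ");
    }

    /**
     * Serves the CSRFGuard JavaScript, or a one-line console notice when CSRFGuard is disabled.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response to write the script to
     * @throws IOException if writing the response fails
     */
    @Override
    public void doGet(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException {
        final CsrfGuard csrfGuard = CsrfGuard.getInstance();
        if (!csrfGuard.isEnabled()) {
            httpServletResponse.setContentType(JAVASCRIPT_MIME_TYPE);
            httpServletResponse.getWriter().write("console.log('CSRFGuard is disabled');");
            return;
        }
        writeJavaScript(csrfGuard, httpServletRequest, httpServletResponse);
    }

    /**
     * Serves the page tokens of the caller's logical session as JSON.
     *
     * <p>The request must itself pass CSRF validation (403 otherwise), the token-per-page feature must be
     * enabled (400 otherwise) and a logical session must be extractable from the request (400 otherwise).
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response to write the tokens or the error to
     * @throws IOException if writing the response fails
     */
    @Override
    public void doPost(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException {
        final CsrfGuard csrfGuard = CsrfGuard.getInstance();

        // NOTE(review): the validator may reject for reasons other than a missing master token;
        // the message reflects the expected case — confirm against CsrfValidator.
        if (!new CsrfValidator().isValid(httpServletRequest, httpServletResponse)) {
            httpServletResponse.sendError(403, "Master token missing from the request.");
            return;
        }
        if (!csrfGuard.isTokenPerPageEnabled()) {
            httpServletResponse.sendError(400, "This endpoint should not be invoked if the Token-Per-Page functionality is disabled!");
            return;
        }

        final LogicalSession logicalSession = csrfGuard.getLogicalSessionExtractor().extract(httpServletRequest);
        if (logicalSession == null) {
            httpServletResponse.sendError(400, "Could not create a logical session from the current request.");
            return;
        }
        final TokenTO tokenTO = new TokenTO(csrfGuard.getTokenService().getPageTokens(logicalSession.getKey()));
        writeTokens(httpServletResponse, tokenTO);
    }

    /**
     * Writes the token transfer object as a UTF-8 JSON body.
     *
     * @param httpServletResponse the response to write to
     * @param tokenTO             the tokens; {@link TokenTO#toString()} is assumed to yield the JSON form
     * @throws IOException if writing the response fails
     */
    private static void writeTokens(final HttpServletResponse httpServletResponse, final TokenTO tokenTO) throws IOException {
        final String body = tokenTO.toString();
        // Content-Length is a byte count, so it must be derived from the encoded form, not from
        // String#length(); the encoding is pinned to UTF-8 rather than the platform default.
        final byte[] encodedBody = body.getBytes(StandardCharsets.UTF_8);

        httpServletResponse.setContentType(JSON_MIME_TYPE);
        // The character encoding must be set before getWriter() for it to take effect.
        httpServletResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
        httpServletResponse.setContentLength(encodedBody.length);
        httpServletResponse.getWriter().write(body);
    }

    /**
     * Renders the JavaScript template with the placeholder replacements and writes it to the response.
     *
     * @param csrfGuard           the active configuration
     * @param httpServletRequest  the current request (used by the per-request replacements)
     * @param httpServletResponse the response to write to
     * @throws IOException if writing the response fails
     */
    private static void renderJavaScript(final CsrfGuard csrfGuard, final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException {
        if (csrfGuard.isRotateEnabled() || csrfGuard.isTokenPerPageEnabled()) {
            // The script embeds token state that changes between requests, so it must never be cached.
            httpServletResponse.setHeader("Cache-Control", "no-cache, no-store");
            httpServletResponse.setHeader("Pragma", "no-cache");
            httpServletResponse.setHeader("Expires", "0");
        } else {
            httpServletResponse.setHeader("Cache-Control", csrfGuard.getJavascriptCacheControl());
        }

        // Build the parallel search/replacement arrays in a single pass so that the i-th marker is
        // guaranteed to line up with the i-th replacement.
        final int placeholderCount = JS_REPLACEMENT_MAP.size();
        final String[] searchList = new String[placeholderCount];
        final String[] replacementList = new String[placeholderCount];
        int index = 0;
        for (final Map.Entry<String, BiFunction<CsrfGuard, HttpServletRequest, String>> entry : JS_REPLACEMENT_MAP.entrySet()) {
            searchList[index] = entry.getKey();
            replacementList[index] = entry.getValue().apply(csrfGuard, httpServletRequest);
            index++;
        }

        httpServletResponse.setContentType(JAVASCRIPT_MIME_TYPE);
        httpServletResponse.getWriter().write(StringUtils.replaceEach(csrfGuard.getJavascriptTemplateCode(), searchList, replacementList));
    }

    /**
     * Returns the master token of the request's logical session, creating the session if necessary.
     *
     * @param httpServletRequest the current request
     * @param csrfGuard          the active configuration
     * @return the master token as produced by the token service
     */
    private static String getMasterToken(final HttpServletRequest httpServletRequest, final CsrfGuard csrfGuard) {
        final String sessionKey = csrfGuard.getLogicalSessionExtractor().extractOrCreate(httpServletRequest).getKey();
        return csrfGuard.getTokenService().getMasterToken(sessionKey);
    }

    /**
     * Extracts the host part of a URL.
     *
     * @param requestUrl the URL, typically {@link HttpServletRequest#getRequestURL()}
     * @return the host, or an {@code INVALID_URL: } prefixed diagnostic string if the URL cannot be parsed
     */
    private static String parseDomain(final StringBuffer requestUrl) {
        final String url = requestUrl.toString();
        try {
            return new URL(url).getHost();
        } catch (final MalformedURLException e) {
            return "INVALID_URL: " + url;
        }
    }

    /**
     * Enforces the referer policy and, if it passes, records the servlet URI and serves the script.
     *
     * <ul>
     *   <li>With a {@code Referer} header: it must match the configured referer pattern, and when
     *       referer-domain matching is enabled its protocol/domain (protocol only if configured) must
     *       equal that of the request URL. Either failure yields 403.</li>
     *   <li>Without a {@code Referer} header: accepted only while the default referer pattern is in
     *       effect; a non-default pattern yields 403.</li>
     * </ul>
     *
     * @param csrfGuard           the active configuration
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response to write the script or the error to
     * @throws IOException if writing the response fails
     */
    private void writeJavaScript(final CsrfGuard csrfGuard, final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException {
        final String referer = httpServletRequest.getHeader("referer");
        final Pattern refererPattern = csrfGuard.getJavascriptRefererPattern();
        final String refererRegex = refererPattern.pattern();

        if (referer == null) {
            if (!refererRegex.equals(JavaScriptConfigParameters.DEFAULT_REFERER_PATTERN)) {
                LOGGER.error("Missing referer headers are not accepted if a non-default referer pattern '{}' is configured!", refererRegex);
                httpServletResponse.sendError(403);
                return;
            }
        } else {
            if (!refererPattern.matcher(referer).matches()) {
                LOGGER.error("Referer domain '{}' does not match regex: '{}'", referer, refererRegex);
                httpServletResponse.sendError(403);
                return;
            }
            if (csrfGuard.isJavascriptRefererMatchDomain()) {
                final boolean matchProtocol = csrfGuard.isJavascriptRefererMatchProtocol();
                final String requestUrl = httpServletRequest.getRequestURL().toString();
                final String refererOrigin = CsrfGuardUtils.httpProtocolAndDomain(referer, matchProtocol);
                final String requestOrigin = CsrfGuardUtils.httpProtocolAndDomain(requestUrl, matchProtocol);
                if (!refererOrigin.equals(requestOrigin)) {
                    LOGGER.error("Referer domain '{}' does not match request domain: '{}'", referer, requestUrl);
                    httpServletResponse.sendError(403);
                    return;
                }
            }
        }

        // Remember where the script is served from, but never grow the set without bound.
        final String servletUri = httpServletRequest.getContextPath() + httpServletRequest.getServletPath();
        if (javascriptUris.size() < MAX_JAVASCRIPT_URIS) {
            javascriptUris.add(servletUri);
        }

        renderJavaScript(csrfGuard, httpServletRequest, httpServletResponse);
    }
}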
