package org.camunda.bpm.webapp.impl.security.filter;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.ws.rs.core.Response;
import org.camunda.bpm.engine.rest.exception.InvalidRequestException;
import org.camunda.bpm.webapp.impl.security.filter.util.CsrfConstants;

/* JADX WARN: Classes with same name are omitted:
  input_file:BOOT-INF/lib/camunda-webapp-2.9.4-RC.3-classes.jar:org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.class
 */
/* loaded from: input_file:BOOT-INF/lib/camunda-webapp-7.10.0-classes.jar:org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.class */
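/**
 * Servlet filter that guards state-changing requests against cross-site request forgery.
 *
 * <p>Requests classified as non-modifying by {@link #isNonModifyingRequest(HttpServletRequest)}
 * (by HTTP method, by the default entry URL pattern, or by the configured {@code entryPoints})
 * pass through after {@link #setCSRFToken(HttpServletRequest, HttpServletResponse)} has made
 * sure the session holds a token; the token is handed to the client both as a cookie and as a
 * response header. Every other request must first pass the same-origin header check (active
 * only when {@code targetOrigin} is configured) and must then present, in the CSRF token
 * request header, the exact token stored in the session. A failed check invalidates the session
 * and answers with {@code denyStatus} (403 unless configured otherwise).
 *
 * <p>Init parameters read in {@link #init(FilterConfig)}: {@code randomClass} (fully qualified
 * name of a {@link Random} subclass used to generate tokens; defaults to {@link SecureRandom}),
 * {@code targetOrigin} (URL whose scheme, host and port incoming Origin/Referer headers must
 * match), {@code denyStatus} (integer HTTP status sent on rejection) and {@code entryPoints}
 * (comma-separated request paths exempt from validation).
 *
 * <p>Not thread-safe for configuration; the setters are meant to be called during
 * {@link #init(FilterConfig)} only. Token creation is serialized per session, see
 * {@link #setCSRFToken(HttpServletRequest, HttpServletResponse)}.
 */
public class CsrfPreventionFilter implements Filter {

    /** Upper-case hexadecimal alphabet used to render token bytes. */
    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();

    /** Number of random bytes per token; the rendered token has twice as many characters. */
    private static final int TOKEN_BYTES = 16;

    /** Instantiated from {@link #randomClass} in {@link #init(FilterConfig)}. */
    private Random randomSource;
    /** When {@code null} the same-origin header check is skipped. */
    private URL targetOrigin;
    private String randomClass = SecureRandom.class.getName();
    private int denyStatus = 403;
    /** Request paths (servlet path plus path info) that never require a token. */
    private final Set<String> entryPoints = new HashSet<String>();

    /**
     * Reads the init parameters and creates the random source.
     *
     * @param filterConfig source of the {@code randomClass}, {@code targetOrigin},
     *                     {@code denyStatus} and {@code entryPoints} parameters
     * @throws ServletException if the random class cannot be loaded, does not extend
     *                          {@link Random} or cannot be instantiated through a public
     *                          no-argument constructor, if {@code targetOrigin} is not a valid
     *                          URL, or if {@code denyStatus} is not an integer
     */
    @Override // javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            String randomClassParam = filterConfig.getInitParameter("randomClass");
            if (!isBlank(randomClassParam)) {
                setRandomClass(randomClassParam);
            }
            this.randomSource = instantiateRandom(this.randomClass);

            String targetOriginParam = filterConfig.getInitParameter("targetOrigin");
            if (!isBlank(targetOriginParam)) {
                setTargetOrigin(targetOriginParam);
            }

            String denyStatusParam = filterConfig.getInitParameter("denyStatus");
            if (!isBlank(denyStatusParam)) {
                setDenyStatus(Integer.parseInt(denyStatusParam.trim()));
            }

            String entryPointsParam = filterConfig.getInitParameter("entryPoints");
            if (!isBlank(entryPointsParam)) {
                setEntryPoints(entryPointsParam);
            }
        } catch (ClassNotFoundException e) {
            throw new ServletException("Cannot instantiate CSRF Prevention filter: Random class not found.", e);
        } catch (IllegalAccessException e) {
            throw new ServletException("Cannot instantiate CSRF Prevention filter: Random class constructor not accessible", e);
        } catch (InstantiationException | NoSuchMethodException | InvocationTargetException e) {
            throw new ServletException("Cannot instantiate CSRF Prevention filter: cannot instantiate provided Random class", e);
        } catch (MalformedURLException e) {
            // keep the cause so the deployer can see which part of the URL was rejected
            throw new ServletException("CSRFPreventionFilter: Could not read target origin URL: " + e.getMessage(), e);
        } catch (NumberFormatException e) {
            throw new ServletException("CSRFPreventionFilter: denyStatus init parameter is not an integer: " + e.getMessage(), e);
        }
    }

    /**
     * Loads {@code className} and instantiates it through its public no-argument constructor.
     *
     * <p>The class is verified to extend {@link Random} before instantiation so that a
     * misconfigured name yields a descriptive {@link ServletException} rather than a
     * {@link ClassCastException}.
     *
     * @param className fully qualified name of a {@link Random} subclass
     * @return the new random source
     * @throws ServletException if the class does not extend {@link Random}
     */
    private Random instantiateRandom(String className) throws ServletException, ClassNotFoundException,
            NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        Class<?> candidate = Class.forName(className);
        if (!Random.class.isAssignableFrom(candidate)) {
            throw new ServletException("Cannot instantiate CSRF Prevention filter: " + className + " does not extend java.util.Random");
        }
        return candidate.asSubclass(Random.class).getConstructor().newInstance();
    }

    /**
     * Issues a token on non-modifying requests and validates it on all others.
     *
     * <p>When a validation step fails it has already written the error response, so the chain
     * is not continued.
     *
     * @throws IOException      if sending the error response fails
     * @throws ServletException propagated from the filter chain
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

        if (isNonModifyingRequest(httpServletRequest)) {
            setCSRFToken(httpServletRequest, httpServletResponse);
        } else if (!doSameOriginStandardHeadersVerification(httpServletRequest, httpServletResponse)
                || !doTokenValidation(httpServletRequest, httpServletResponse)) {
            // the failing check has already sent the deny response
            return;
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Checks that the CSRF token request header equals the token stored in the session.
     *
     * <p>On any failure the session is invalidated and {@link #getDenyStatus()} is sent. A
     * missing header additionally sets the token response header to {@code "Required"}. The
     * comparison itself is constant-time for tokens of equal length.
     *
     * @return {@code true} if the request may proceed, {@code false} if it has been rejected
     * @throws IOException if sending the error response fails
     */
    protected boolean doTokenValidation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        HttpSession session = httpServletRequest.getSession();
        String headerToken = getCSRFTokenHeader(httpServletRequest);
        String sessionToken = (String) getCSRFTokenSession(session);

        if (isBlank(headerToken)) {
            session.invalidate();
            httpServletResponse.setHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME, "Required");
            httpServletResponse.sendError(getDenyStatus(), "CSRFPreventionFilter: Token provided via HTTP Header is absent/empty.");
            return false;
        }
        if (isBlank(sessionToken) || !tokensMatch(sessionToken, headerToken)) {
            session.invalidate();
            httpServletResponse.sendError(getDenyStatus(), "CSRFPreventionFilter: Invalid HTTP Header Token.");
            return false;
        }
        return true;
    }

    /**
     * Compares two tokens without an early exit on the first differing byte.
     *
     * @return {@code true} if both tokens are byte-for-byte equal (UTF-8)
     */
    private static boolean tokensMatch(String expected, String provided) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Verifies that the request's Origin header (or, when absent, its Referer header) names the
     * same scheme, host and port as the configured target origin.
     *
     * <p>Skipped when no target origin is configured. Ports are compared after substituting the
     * scheme's default port for an unspecified one, so {@code https://host} and
     * {@code https://host:443} count as the same origin. A header that cannot be parsed as a URL
     * is rejected like a mismatch instead of surfacing as an exception. All rejections use
     * {@link #getDenyStatus()}.
     *
     * @return {@code true} if the request may proceed, {@code false} if it has been rejected
     * @throws IOException if sending the error response fails
     */
    protected boolean doSameOriginStandardHeadersVerification(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        URL expectedOrigin = getTargetOrigin();
        if (expectedOrigin == null) {
            return true;
        }

        String header = httpServletRequest.getHeader("Origin");
        if (isBlank(header)) {
            header = httpServletRequest.getHeader("Referer");
        }
        if (isBlank(header)) {
            httpServletResponse.sendError(getDenyStatus(), "CSRFPreventionFilter: ORIGIN and REFERER request headers are not present.");
            return false;
        }

        URL actualOrigin;
        try {
            actualOrigin = new URL(header);
        } catch (MalformedURLException e) {
            // the header is client-controlled; an unparsable value is a rejection, not a server error
            httpServletResponse.sendError(getDenyStatus(), "CSRFPreventionFilter: ORIGIN/REFERER request header is not a valid URL.");
            return false;
        }

        if (isSameOrigin(expectedOrigin, actualOrigin)) {
            return true;
        }
        httpServletResponse.sendError(getDenyStatus(), String.format("CSRFPreventionFilter: Protocol/Host/Port does not fully match: (%s != %s) ", expectedOrigin, actualOrigin));
        return false;
    }

    /**
     * Compares scheme and host case-insensitively and the effective ports numerically.
     */
    private static boolean isSameOrigin(URL expected, URL actual) {
        return expected.getProtocol().equalsIgnoreCase(actual.getProtocol())
                && expected.getHost().equalsIgnoreCase(actual.getHost())
                && effectivePort(expected) == effectivePort(actual);
    }

    /**
     * Returns the explicit port, or the scheme's default port when none was given.
     */
    private static int effectivePort(URL url) {
        int port = url.getPort();
        return port == -1 ? url.getDefaultPort() : port;
    }

    /**
     * Ensures the session holds a CSRF token and, when a new one is created, delivers it to the
     * client as a cookie (scoped to the context path) and as a response header.
     *
     * <p>The session attribute is checked once without locking and again under the session
     * mutex so that concurrent requests of one session agree on a single token.
     */
    protected void setCSRFToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session = httpServletRequest.getSession();
        Object sessionMutex = getSessionMutex(session);

        if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) != null) {
            return;
        }
        synchronized (sessionMutex) {
            if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) != null) {
                // another request of this session created the token meanwhile
                return;
            }
            String token = generateCSRFToken();

            Cookie csrfCookie = getCSRFCookie(httpServletRequest);
            csrfCookie.setValue(token);
            csrfCookie.setPath(httpServletRequest.getContextPath());

            session.setAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME, token);
            httpServletResponse.addCookie(csrfCookie);
            httpServletResponse.setHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME, token);
        }
    }

    /** @return the configured target origin, or {@code null} if the origin check is disabled */
    public URL getTargetOrigin() {
        return this.targetOrigin;
    }

    /**
     * @param str the target origin as a URL string
     * @throws MalformedURLException if {@code str} is not a valid URL
     */
    public void setTargetOrigin(String str) throws MalformedURLException {
        this.targetOrigin = new URL(str);
    }

    /**
     * Adds the comma-separated request paths in {@code str} to the set of entry points.
     * Existing entry points are kept.
     */
    public void setEntryPoints(String str) {
        this.entryPoints.addAll(parseURLs(str));
    }

    /** @return the HTTP status sent when a request is rejected */
    public int getDenyStatus() {
        return this.denyStatus;
    }

    /** @param i the HTTP status to send when a request is rejected */
    public void setDenyStatus(int i) {
        this.denyStatus = i;
    }

    /** @return fully qualified name of the {@link Random} implementation used for tokens */
    public String getRandomClass() {
        return this.randomClass;
    }

    /**
     * @param str fully qualified name of a {@link Random} subclass; takes effect on the next
     *            {@link #init(FilterConfig)}
     */
    public void setRandomClass(String str) {
        this.randomClass = str;
    }

    /** Nothing to release. */
    @Override // javax.servlet.Filter
    public void destroy() {
    }

    /**
     * Decides whether a request is exempt from token validation.
     *
     * @return {@code true} if the HTTP method matches the non-modifying methods pattern, or the
     *         requested path matches the default entry URL pattern, or the requested path is one
     *         of the configured entry points
     */
    protected boolean isNonModifyingRequest(HttpServletRequest httpServletRequest) {
        if (CsrfConstants.CSRF_NON_MODIFYING_METHODS_PATTERN.matcher(httpServletRequest.getMethod()).matches()) {
            return true;
        }
        String requestedPath = getRequestedPath(httpServletRequest);
        return CsrfConstants.CSRF_DEFAULT_ENTRY_URL_PATTERN.matcher(requestedPath).matches()
                || this.entryPoints.contains(requestedPath);
    }

    /**
     * Generates a new token: {@value #TOKEN_BYTES} bytes from the random source, rendered as
     * upper-case hexadecimal.
     *
     * @return a 32-character upper-case hex string
     */
    protected String generateCSRFToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        this.randomSource.nextBytes(raw);

        StringBuilder token = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            token.append(HEX_DIGITS[(b >> 4) & 0x0F]).append(HEX_DIGITS[b & 0x0F]);
        }
        return token.toString();
    }

    /** @return the token stored in the session, or {@code null} if none */
    private Object getCSRFTokenSession(HttpSession httpSession) {
        return httpSession.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME);
    }

    /** @return the token sent in the CSRF request header, or {@code null} if absent */
    private String getCSRFTokenHeader(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME);
    }

    /**
     * Returns the request's existing CSRF cookie so it can be overwritten, or a new cookie with
     * the CSRF cookie name and no value if the request carries none.
     */
    private Cookie getCSRFCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return new Cookie(CsrfConstants.CSRF_TOKEN_COOKIE_NAME, null);
        }
        for (Cookie cookie : cookies) {
            if (CsrfConstants.CSRF_TOKEN_COOKIE_NAME.equals(cookie.getName())) {
                return cookie;
            }
        }
        return new Cookie(CsrfConstants.CSRF_TOKEN_COOKIE_NAME, null);
    }

    /**
     * Returns the object to synchronize token creation on: the session attribute named by
     * {@link CsrfConstants#CSRF_SESSION_MUTEX} when present, otherwise the session itself.
     *
     * @throws InvalidRequestException (400) if {@code httpSession} is {@code null}
     */
    private Object getSessionMutex(HttpSession httpSession) {
        if (httpSession == null) {
            throw new InvalidRequestException(Response.Status.BAD_REQUEST, "HttpSession is missing");
        }
        Object mutex = httpSession.getAttribute(CsrfConstants.CSRF_SESSION_MUTEX);
        return mutex != null ? mutex : httpSession;
    }

    /** @return {@code true} for {@code null} or whitespace-only strings */
    private boolean isBlank(String str) {
        return str == null || str.trim().isEmpty();
    }

    /**
     * @return the servlet path followed by the path info when one is present
     */
    private String getRequestedPath(HttpServletRequest httpServletRequest) {
        String path = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        return pathInfo == null ? path : path + pathInfo;
    }

    /**
     * Splits a comma-separated list and trims each element.
     *
     * @param str the list, may be {@code null} or empty
     * @return the trimmed elements; empty for {@code null} or empty input
     */
    private Set<String> parseURLs(String str) {
        Set<String> urls = new HashSet<String>();
        if (str == null || str.isEmpty()) {
            return urls;
        }
        for (String part : str.split(",")) {
            urls.add(part.trim());
        }
        return urls;
    }
}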
