package de.tsl2.nano.h5;

import de.tsl2.nano.core.ENV;
import de.tsl2.nano.core.ManagedException;
import de.tsl2.nano.core.secure.Crypt;
import de.tsl2.nano.core.util.DateUtil;
import de.tsl2.nano.core.util.MapUtil;
import de.tsl2.nano.core.util.StringUtil;
import de.tsl2.nano.h5.NanoHTTPD;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import org.java_websocket.extensions.ExtensionRequestData;

/* loaded from: input_file:de/tsl2/nano/h5/WebSecurity.class */
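/**
 * Session hardening for the NanoH5 front end: binds a browser to its server-side
 * {@link NanoH5Session} (session-id cookie or ETag), issues and verifies anti-CSRF tokens and
 * adds a standard set of security response headers.
 * <p>
 * All switches are read through {@link ENV} (defaults in parentheses):
 * <ul>
 * <li>{@code app.session.anticsrf} (true) - enable anti-CSRF tokens at all</li>
 * <li>{@code app.session.anticsrf.inheader} / {@code .incontent} (true) - expect the token in
 * the cookie / in POST parameters</li>
 * <li>{@code app.session.anticsrf.algorithm} ({@value #DEF_ALG}) - cipher handed to
 * {@link Crypt}</li>
 * <li>{@code app.session.anticsrf.maxage.milliseconds} (3600000) - token lifetime</li>
 * <li>{@code app.session.anticsrf.check.request} (true) - also bind the token to the session's
 * working object</li>
 * <li>{@code app.session.tag} ({@value #SET_COOKIE}) - transport the session id as cookie or
 * as {@code ETag}</li>
 * <li>{@code app.session.httpheader} - override of {@link #STANDARD_HEADER}</li>
 * </ul>
 * The only mutable state is the lazily created anti-CSRF key; it is guarded by
 * {@link #getAntiCSRFKey()} because the HTTP server may validate tokens from several threads.
 */
public class WebSecurity {
    /** Per-instance secret used to encrypt/decrypt anti-CSRF tokens; created on first use. */
    private String antiCSRFKey;
    private static final String ENV_PREF = "app.session.";
    private static final String PREF_ANTICSRF = "app.session.anticsrf";
    /** Name of the cookie and of the POST parameter carrying the anti-CSRF token. */
    public static final String CSRF_TOKEN = "csrftoken";
    /** Default cipher algorithm for the anti-CSRF token. */
    public static final String DEF_ALG = "AES";
    private static final String ETAG = "ETag";
    private static final String REQUEST_COOKIE = "cookie";
    private static final String SET_COOKIE = "Set-Cookie";
    /** Field separator inside a decrypted anti-CSRF token (session key, object id, timestamp). */
    private static final String SEP = "---";
    private static final String SESSION_ID = "session-id";
    /**
     * Default security headers, one {@code Name: value} per line; {@code ${...}} placeholders
     * are filled from {@link #provideProperties(NanoH5Session)}. Consecutive lines with the
     * same name are folded into one space separated value by {@link #addSessionHeader}.
     * <p>
     * Strict-Transport-Security uses the spec'd {@code max-age} directive (the former
     * {@code maxage} spelling and a separate {@code IncludeSubDomains} pseudo header are not
     * understood by browsers), and X-Content-Type-Options carries the bare {@code nosniff}
     * token.
     * <p>
     * NOTE(review): {@code 'XnXoXnXcXe-${requestId}'} in script-src looks like a mangled
     * {@code 'nonce-...'} source; browsers only honour the literal {@code 'nonce-<value>'}
     * form, so confirm against the template that emits the nonce attribute.
     */
    private static final String STANDARD_HEADER = "\nReferrer-Policy: same-origin"
            + "\nX-XSS-Protection: 1;mode=block"
            + "\nX-Permitted-Cross-Domain-Policies: master-only"
            + "\nX-Frame-Options: sameorigin"
            + "\nContent-Security-Policy: default-src 'self';"
            + "\nX-Content-Type-Options: nosniff"
            + "\nStrict-Transport-Security: max-age=31536000; includeSubDomains"
            + "\nContent-Security-Policy: script-src 'self' 'unsafe-inline' 'XnXoXnXcXe-${requestId}';"
            + "\nContent-Security-Policy: frame-src 'self';"
            + "\nContent-Security-Policy: frame-ancestors 'self';"
            + "\nContent-Security-Policy: form-action 'self';"
            + "\nContent-Security-Policy: default-src 'self' 'unsafe-inline' filesystem ${service.url} ${websocket.url};"
            + "\n";

    /** @return whether anti-CSRF tokens are enabled ({@code app.session.anticsrf}, default true). */
    public static boolean useAntiCSRFToken() {
        return ((Boolean) ENV.get(PREF_ANTICSRF, true)).booleanValue();
    }

    /** @return whether POST bodies must carry the token ({@code app.session.anticsrf.incontent}). */
    public static boolean useAntiCSRFTokenInContent() {
        return useAntiCSRFToken() && ((Boolean) ENV.get("app.session.anticsrf.incontent", true)).booleanValue();
    }

    /** @return whether the cookie must carry the token ({@code app.session.anticsrf.inheader}). */
    public static boolean useAntiCSRFTokenInHeader() {
        return useAntiCSRFToken() && ((Boolean) ENV.get("app.session.anticsrf.inheader", true)).booleanValue();
    }

    /** @return the cipher name configured for the anti-CSRF token, {@link #DEF_ALG} by default. */
    private static String antiCSRFAlgorithm() {
        return (String) ENV.get("app.session.anticsrf.algorithm", DEF_ALG);
    }

    /**
     * Creates an anti-CSRF token for the given session. The plaintext is
     * {@code <session key>---<working object id or NOTHING>---<creation millis>}, encrypted
     * with the instance key.
     *
     * @param nanoH5Session session the token is bound to
     * @return encrypted token
     * @throws RuntimeException (via {@link ManagedException#forward}) if encryption fails; the
     *         session is closed first
     */
    public String createAntiCSRFToken(NanoH5Session nanoH5Session) {
        try {
            String objectId = nanoH5Session.getWorkingObject() != null
                    ? String.valueOf(nanoH5Session.getWorkingObject().getId())
                    : "NOTHING";
            String plain = nanoH5Session.getKey() + SEP + objectId + SEP + System.currentTimeMillis();
            return Crypt.encrypt(plain, getAntiCSRFKey(), antiCSRFAlgorithm());
        } catch (Exception e) {
            if (nanoH5Session != null) {
                nanoH5Session.close();
            }
            ManagedException.forward(e);
            return null;
        }
    }

    /**
     * Lazily creates the per-instance token key. Synchronized so that two concurrent requests
     * cannot each generate a key and leave one of them holding tokens nobody can decrypt.
     *
     * @return the 16 character key
     */
    private synchronized String getAntiCSRFKey() {
        if (this.antiCSRFKey == null) {
            this.antiCSRFKey = Crypt.generatePassword((byte) 16);
        }
        return this.antiCSRFKey;
    }

    /**
     * Verifies an anti-CSRF token against the session. No-op when tokens are disabled.
     *
     * @param nanoH5Session current session
     * @param token encrypted token from cookie or POST parameter, may be null
     * @throws IllegalStateException if the token is missing, malformed, expired, belongs to
     *         another session or (if configured) to another working object; in all but the
     *         missing case the session is closed first
     */
    private void checkAntCSRFToken(NanoH5Session nanoH5Session, String token) {
        if (!useAntiCSRFToken()) {
            return;
        }
        if (token == null) {
            throw new IllegalStateException("request is missing anti-csrf token");
        }
        String[] fields = Crypt.decrypt(token, getAntiCSRFKey(), antiCSRFAlgorithm()).split("[-]{3}");
        if (!isValidAntiCSRFToken(nanoH5Session, fields)) {
            nanoH5Session.close();
            throw new IllegalStateException("request outdated or unauthorized! closing session!");
        }
    }

    /**
     * Token validation rules, separated from the throwing/closing policy.
     *
     * @param session current session
     * @param fields decrypted token split at {@link #SEP}
     * @return false if the token is malformed, for another session, expired or for another
     *         working object
     */
    private static boolean isValidAntiCSRFToken(NanoH5Session session, String[] fields) {
        // fewer than three fields means the token was not produced by createAntiCSRFToken
        // (or was decrypted with a different key) - reject instead of raising an index error
        if (fields.length < 3 || !fields[0].equals(session.getKey())) {
            return false;
        }
        long issuedAt;
        try {
            issuedAt = Long.parseLong(fields[2]);
        } catch (NumberFormatException e) {
            return false;
        }
        long maxAge = ((Integer) ENV.get("app.session.anticsrf.maxage.milliseconds", 3600000)).intValue();
        if (issuedAt + maxAge < System.currentTimeMillis()) {
            return false;
        }
        boolean bindToObject = ((Boolean) ENV.get("app.session.anticsrf.check.request", true)).booleanValue();
        if (bindToObject && session.getWorkingObject() != null
                && !fields[1].equals(String.valueOf(session.getWorkingObject().getId()))) {
            return false;
        }
        return true;
    }

    /**
     * Validates an incoming request against its session: the session-id cookie must match, and
     * for authenticated sessions the anti-CSRF token must be present and valid in the cookie
     * and/or (for POST) in the request parameters. New sessions are not checked.
     * <p>
     * Any failure closes the session and is re-thrown through {@link ManagedException#forward}.
     *
     * @param nanoH5Session session resolved for this request
     * @param method HTTP method, may be null
     * @param header request headers (lower-case names, as NanoHTTPD provides them - verify)
     * @param parms request parameters
     */
    public void checkSession(NanoH5Session nanoH5Session, String method, Map<String, String> header, Map<String, String> parms) {
        if (nanoH5Session.isNew()) {
            return;
        }
        Map<String, String> cookies = getCookieValues(header);
        try {
            checkSessionID(nanoH5Session, cookies);
            if (nanoH5Session.getUserAuthorization() != null) {
                if (useAntiCSRFTokenInHeader()) {
                    checkAntCSRFToken(nanoH5Session, cookies.get(CSRF_TOKEN));
                }
                // "POST".equals(...) tolerates a null method instead of NPE-ing outside the check
                if ("POST".equals(method) && useAntiCSRFTokenInContent()) {
                    checkAntCSRFToken(nanoH5Session, parms.get(CSRF_TOKEN));
                }
            }
        } catch (Exception e) {
            nanoH5Session.close();
            ManagedException.forward(e);
        }
    }

    /**
     * Parses the request's {@code Cookie} header into name/value pairs (insertion ordered).
     *
     * @param header request headers
     * @return cookie map; empty when the request carries no Cookie header, so that
     *         {@link #checkSessionID} reports a missing session-id instead of an NPE here
     */
    private Map<String, String> getCookieValues(Map<String, String> header) {
        Map<String, String> cookies = new LinkedHashMap<>();
        String cookieHeader = header.get(REQUEST_COOKIE);
        if (cookieHeader == null) {
            return cookies;
        }
        for (String pair : cookieHeader.split("[;]")) {
            // split at the first '=' only, so a value containing '=' (e.g. base64 padding) survives
            String[] nameValue = pair.trim().split("\\s*=\\s*", 2);
            if (nameValue.length == 2) {
                cookies.put(nameValue[0], nameValue[1]);
            }
        }
        return cookies;
    }

    /**
     * Requires the {@code session-id} cookie to be present and equal to the session key.
     *
     * @param nanoH5Session current session
     * @param cookies parsed cookies
     * @throws IllegalStateException on missing or mismatching session-id
     */
    private void checkSessionID(NanoH5Session nanoH5Session, Map<String, String> cookies) {
        String sessionId = cookies.get(SESSION_ID);
        if (sessionId == null) {
            throw new IllegalStateException("missing session-id");
        }
        if (!sessionId.equals(nanoH5Session.getKey())) {
            throw new IllegalStateException("bad session-id");
        }
    }

    /**
     * Adds the session id, the anti-CSRF token (authenticated sessions, header mode) and the
     * standard security headers to a response.
     * <p>
     * Consecutive header lines with the same name are folded into one space separated value;
     * whether an earlier value for the same name is replaced or kept depends on
     * {@code Response.addHeader} (presumably a map put - verify).
     *
     * @param nanoH5Session session, may be null (then only the standard headers are added)
     * @param response response to decorate
     * @return the same response
     */
    public NanoHTTPD.Response addSessionHeader(NanoH5Session nanoH5Session, NanoHTTPD.Response response) {
        if (nanoH5Session != null) {
            addSessionID(nanoH5Session, response);
            if (nanoH5Session.getUserAuthorization() != null && useAntiCSRFTokenInHeader()) {
                response.addHeader(getSessionTagName(), "csrftoken=" + createAntiCSRFToken(nanoH5Session));
            }
        }
        Properties placeholders = provideProperties(nanoH5Session);
        String previousName = "";
        String previousValue = "";
        for (String line : getStandardHeader().split("\n")) {
            String name = StringUtil.substring(line, null, ":").trim();
            String rawValue = StringUtil.substring(line, ":", null).trim();
            String prefix = name.equals(previousName) ? previousValue + " " : "";
            String value = StringUtil.insertProperties(prefix + rawValue, placeholders);
            if (!name.isEmpty() && !value.trim().isEmpty()) {
                response.addHeader(name, value);
            }
            previousName = name;
            previousValue = value;
        }
        return response;
    }

    /**
     * Builds the placeholder values for {@link #STANDARD_HEADER}: {@code service.url},
     * {@code websocket.url} (service url with {@code http}→{@code ws} and the session's
     * websocket port) and {@code requestId}; system properties serve as fallback.
     *
     * @param nanoH5Session session, may be null (websocket.url and requestId are then empty)
     * @return properties for {@link StringUtil#insertProperties}
     */
    private Properties provideProperties(NanoH5Session nanoH5Session) {
        Properties properties = new Properties(System.getProperties());
        String serviceUrl = (String) ENV.get("service.url", "");
        String websocketUrl = "";
        if (nanoH5Session != null) {
            websocketUrl = StringUtil.substring(serviceUrl.replace("http", "ws"), (String) null, ":", true)
                    + ":" + nanoH5Session.getWebsocketPort();
        }
        String requestId = nanoH5Session == null || nanoH5Session.getRequestId() == null
                ? ""
                : nanoH5Session.getRequestId();
        properties.put("service.url", serviceUrl);
        properties.put("websocket.url", websocketUrl);
        properties.put("requestId", requestId);
        return properties;
    }

    /** @return the header template, {@code app.session.httpheader} or {@link #STANDARD_HEADER}. */
    private String getStandardHeader() {
        return (String) ENV.get("app.session.httpheader", STANDARD_HEADER);
    }

    /**
     * Extracts the session identifier from a request, in this order: the {@code if-none-match}
     * header (ETag mode, returned verbatim including the ETag quotes), the {@code session-id}
     * cookie, else the client address.
     *
     * @param header request headers (lower-case names assumed)
     * @param client remote address, used when no id is transported
     * @return a String id or the {@link InetAddress}
     */
    public static Object getSessionID(Map<String, String> header, InetAddress client) {
        if (header.containsKey("if-none-match")) {
            return header.get("if-none-match");
        }
        if (header.containsKey(REQUEST_COOKIE)) {
            // NOTE(review): relies on StringUtil.substring tolerating a missing trailing ';'
            return StringUtil.substring(header.get(REQUEST_COOKIE), "session-id=", ";");
        }
        return client;
    }

    /**
     * Transports the session key to the client as {@code Set-Cookie} or as {@code ETag},
     * depending on {@code app.session.tag}.
     *
     * @param nanoH5Session session whose key is sent
     * @param response response to decorate
     */
    protected void addSessionID(NanoH5Session nanoH5Session, NanoHTTPD.Response response) {
        String tagName = getSessionTagName();
        String maxAge = getMaxAge();
        if (tagName.equals(SET_COOKIE)) {
            boolean ssl = ((Boolean) ENV.get("app.ssl.activate", false)).booleanValue();
            String cookieParameter = (String) ENV.get("app.session.cookie.parameter", "SameSite=Strict; HttpOnly; Path=/");
            // the Secure attribute is only emitted when TLS is active, otherwise the cookie would never be sent
            String cookie = "session-id=" + nanoH5Session.getKey() + ";"
                    + (ssl ? "secure; " : ";")
                    + maxAge
                    + cookieParameter;
            response.addHeader(SET_COOKIE, cookie);
        } else if (tagName.equals(ETAG)) {
            addETag(nanoH5Session.getKey(), response, maxAge);
        }
    }

    /** @return {@code Max-Age=<seconds>;} from {@code app.session.timeout.millis} (default 30 min). */
    private String getMaxAge() {
        long timeoutMillis = ((Long) ENV.get("app.session.timeout.millis", Long.valueOf(30 * DateUtil.T_MINUTE))).longValue();
        return "Max-Age=" + (timeoutMillis / 1000) + ";";
    }

    /** @return {@code app.session.tag}: {@value #SET_COOKIE} (default) or {@value #ETAG}. */
    private String getSessionTagName() {
        return (String) ENV.get("app.session.tag", SET_COOKIE);
    }

    /**
     * Sends the session key as a quoted {@code ETag} plus a {@code Cache-Control} header.
     *
     * @param sessionKey value of the ETag
     * @param response response to decorate
     * @param cacheControl value for Cache-Control (the max-age string from {@link #getMaxAge()})
     */
    public void addETag(String sessionKey, NanoHTTPD.Response response, String cacheControl) {
        response.addHeader(ETAG, "\"" + sessionKey + "\"");
        response.addHeader("Cache-Control", cacheControl);
    }
}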
