package com.appiancorp.security.csrf;

import com.appiancorp.common.net.URI;
import com.appiancorp.suite.Constants;
import com.appiancorp.suite.SuiteConfiguration;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.google.common.annotations.VisibleForTesting;
import java.io.Serializable;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/appiancorp/security/csrf/CsrfTokenManager.class */
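/**
 * Per-session holder of two CSRF tokens — a general token and a separate multipart/upload
 * token — together with the request-side checks that compare a submitted token against them.
 *
 * <p>Exactly one instance is kept in the {@link HttpSession} under
 * {@link #CSRF_TOKEN_MANAGER_SESSION_KEY}. Both token values are fixed at construction
 * ({@link UUID#randomUUID()}, which is backed by {@code SecureRandom}) and only change when
 * {@link #resetTokens(HttpSession)} replaces the whole instance. Because the class is
 * {@link Serializable}, the tokens travel with the session if it is persisted or replicated.
 *
 * <p>Points a maintainer should keep in mind:
 * <ul>
 *   <li>{@link #isValid} and {@link #isValidMultipart} skip the check entirely for the Web API,
 *       CSP-report and GWT-upload paths. Those exemptions are prefix/equality tests on the raw
 *       request URI, so they are only as strict as the path handling of
 *       {@code com.appiancorp.common.net.URI} (not visible here) — confirm that dot segments or
 *       matrix parameters in the raw URI cannot make a non-exempt handler match an exempt prefix
 *       while the container routes the request elsewhere.</li>
 *   <li>The Web API exemption assumes those endpoints are not authenticated by the session cookie
 *       alone; if they are, a cross-site request to them is not CSRF-protected.</li>
 *   <li>The token is also accepted as a request parameter, which for GET requests means the query
 *       string; tokens carried in URLs can leak through access logs and referers.</li>
 *   <li>{@link #loginTokensMatch} is a double-submit-cookie check: it compares a form field with a
 *       cookie and does not bind either to the session, so anything able to set a cookie for this
 *       host (e.g. a sibling subdomain) can satisfy it.</li>
 * </ul>
 */
public class CsrfTokenManager implements Serializable {

    /** Session attribute under which the single per-session instance is stored. */
    @VisibleForTesting
    public static final String CSRF_TOKEN_MANAGER_SESSION_KEY = "CsrfTokenManager.session.token";

    private static final Logger LOG = Logger.getLogger(CsrfTokenManager.class);

    /** CSP violation-report endpoints; requests to exactly these paths bypass {@link #isValid}. */
    public static final String CSP_BASE_CONTEXT_AND_PATH = '/' + Constants.APPLICATION_CONTEXT + "/rest/a/logging/latest/csp/report";
    public static final String CSP_DYNAMIC_BASE_CONTEXT_AND_PATH = '/' + Constants.APPLICATION_CONTEXT + "/rest/a/logging/latest/csp-dynamic/report";
    public static final String CSP_STATIC_BASE_CONTEXT_AND_PATH = '/' + Constants.APPLICATION_CONTEXT + "/rest/a/logging/latest/csp-static/report";

    /** Path prefix of the GWT file-upload servlet; {@link #isValidMultipart} defers to its own check. */
    private static final String UPLOAD_SERVLET_PREFIX = "/" + Constants.APPLICATION_CONTEXT + "/tempo/file-web/";
    /** Path prefix of Web API endpoints, which are exempt from both token checks. */
    private static final String WEB_API_PREFIX = "/" + Constants.APPLICATION_CONTEXT + "/webapi/";

    /** Token expected on ordinary (non-multipart) requests. */
    private final CsrfToken token = new CsrfToken(UUID.randomUUID().toString());
    /** Separate token expected on multipart/file-upload requests. */
    private final CsrfToken multipartToken = new CsrfToken(UUID.randomUUID().toString());

    /** Use {@link #get(HttpSession)}. The session argument is kept for compatibility and is not read. */
    private CsrfTokenManager(HttpSession httpSession) {
    }

    /**
     * Returns the session's token manager, creating and storing one on first use.
     *
     * <p>NOTE(review): this is an unsynchronised check-then-act on the session attribute. Two
     * concurrent first requests may each create an instance; the one stored last wins and a token
     * handed out by the other will not validate. Not changed here — adding locking around the
     * session would be speculative without knowing the container's session semantics.
     *
     * @param httpSession the current session; must not be null
     * @return the manager bound to {@code httpSession}
     * @throws NullPointerException if {@code httpSession} is null
     */
    public static CsrfTokenManager get(HttpSession httpSession) {
        if (httpSession == null) {
            throw new NullPointerException("There is no session available, and thus cannot create a token manager.");
        }
        CsrfTokenManager manager = (CsrfTokenManager) httpSession.getAttribute(CSRF_TOKEN_MANAGER_SESSION_KEY);
        if (manager == null) {
            manager = new CsrfTokenManager(httpSession);
            httpSession.setAttribute(CSRF_TOKEN_MANAGER_SESSION_KEY, manager);
        }
        return manager;
    }

    /**
     * Replaces the session's manager with a fresh instance, i.e. rotates both tokens. Any token
     * previously issued for this session stops validating immediately. Presumably invoked at
     * authentication boundaries (login/logout) — confirm against callers.
     *
     * @param httpSession the current session; must not be null
     * @throws NullPointerException if {@code httpSession} is null
     */
    public static void resetTokens(HttpSession httpSession) {
        if (httpSession == null) {
            throw new NullPointerException("There is no session available, and thus cannot create a token manager.");
        }
        httpSession.setAttribute(CSRF_TOKEN_MANAGER_SESSION_KEY, new CsrfTokenManager(httpSession));
    }

    /**
     * Writes a token to the response twice: as a session-lifetime cookie scoped to the context
     * path, and as a response header of the same name, so a client can pick it up either way.
     *
     * <p>The {@code Secure} flag follows {@link SuiteConfiguration#isSchemeSecure()}. No
     * {@code HttpOnly} flag is set; whether browser-side script needs to read this cookie is not
     * visible here, so it is left as is — if the token is only ever echoed back via the header and
     * server-rendered forms, {@code HttpOnly} would be a cheap hardening. Also note that an empty
     * context path (root deployment) yields an empty cookie {@code Path}, which browsers resolve
     * to the directory of the current request rather than {@code /} — TODO confirm
     * {@code APPLICATION_CONTEXT} is never empty.
     *
     * @param httpServletRequest  request whose context path scopes the cookie
     * @param httpServletResponse response to add the cookie and header to
     * @param str                 cookie and header name
     * @param str2                token value
     */
    public static void storeCsrfTokenInResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, String str2) {
        Cookie cookie = new Cookie(str, str2);
        cookie.setPath(httpServletRequest.getContextPath());
        // -1: session cookie, discarded when the browser closes.
        cookie.setMaxAge(-1);
        cookie.setSecure(((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).isSchemeSecure());
        httpServletResponse.addCookie(cookie);
        httpServletResponse.addHeader(str, str2);
    }

    /**
     * Returns the session's general CSRF token. Despite the name nothing is generated per call;
     * the value is fixed for the lifetime of this instance.
     *
     * <p>NOTE(review): the debug line concatenates {@code this.token}, i.e. {@code CsrfToken.toString()}.
     * Unless that method masks the value, the live token lands in the debug log — confirm.
     *
     * @param httpServletRequest request being served; used only for the debug log
     * @return the general token
     */
    public CsrfToken generateToken(HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Generating CSRF token [value=" + this.token + "] for request [" + describe(httpServletRequest) + "]");
        }
        return this.token;
    }

    /**
     * Returns the session's multipart CSRF token; fixed for the lifetime of this instance.
     * Same logging caveat as {@link #generateToken(HttpServletRequest)}.
     *
     * @param httpServletRequest request being served; used only for the debug log
     * @return the multipart token
     */
    public CsrfToken generateMultipartToken(HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Generating CSRF multipart-token [value=" + this.multipartToken + "] for request [" + describe(httpServletRequest) + "]");
        }
        return this.multipartToken;
    }

    /**
     * Checks the general token on a request. Web API and CSP-report paths are exempt and always
     * pass. Otherwise the token is read from the {@code CsrfConstants.CSRF_TOKEN_REQUEST_KEY}
     * header first, then from the request parameter of the same name.
     *
     * <p>The comparison is {@code CsrfToken.equals(String)}; whether that is constant-time is not
     * visible from this class.
     *
     * @param httpServletRequest request to validate
     * @return true if exempt or the submitted token matches
     */
    public boolean isValid(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        if (isWebApiEndpoint(requestUri)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Skipping CSRF token check because request is to Web API endpoint for request [" + describe(httpServletRequest) + "]");
            }
            return true;
        }
        if (isCspReportEndpoint(requestUri)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Skipping CSRF token check because request is to CSP reporting endpoint for request [" + describe(httpServletRequest) + "]");
            }
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking CSRF token for request [" + describe(httpServletRequest) + "]");
        }
        if (this.token.equals(httpServletRequest.getHeader(CsrfConstants.CSRF_TOKEN_REQUEST_KEY))) {
            return true;
        }
        if (this.token.equals(httpServletRequest.getParameter(CsrfConstants.CSRF_TOKEN_REQUEST_KEY))) {
            return true;
        }
        LOG.warn("There is no valid CSRF token in this request [" + describe(httpServletRequest) + "]");
        return false;
    }

    /**
     * Checks the multipart token on a request. Web API paths are exempt; requests to the GWT
     * upload servlet are also passed through because that servlet validates the token itself
     * (see {@link #isValidMultipartFromFileItem}). Otherwise the token is read from the
     * {@code CSRF_TOKEN_MULTIPART_REQUEST_HEADER} header, then the
     * {@code CSRF_TOKEN_MULTIPART_REQUEST_KEY} request parameter.
     *
     * <p>NOTE(review): for a {@code multipart/form-data} body, {@code getParameter} only sees form
     * fields if the container parses multipart bodies for this servlet — otherwise only the
     * header path can succeed. Confirm against the deployment descriptor.
     *
     * @param httpServletRequest request to validate
     * @return true if exempt or the submitted token matches
     */
    public boolean isValidMultipart(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        if (isWebApiEndpoint(requestUri)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Skipping CSRF token check because request is to Web API endpoint for request [" + describe(httpServletRequest) + "]");
            }
            return true;
        }
        if (isUploadServletEndpoint(requestUri)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Skipping CSRF token check because request is to the GWT File Upload endpoint, and validation will occur there for request [" + describe(httpServletRequest) + "]");
            }
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking CSRF multipart-token for request [" + describe(httpServletRequest) + "]");
        }
        if (this.multipartToken.equals(httpServletRequest.getHeader(CsrfConstants.CSRF_TOKEN_MULTIPART_REQUEST_HEADER))) {
            return true;
        }
        if (this.multipartToken.equals(httpServletRequest.getParameter(CsrfConstants.CSRF_TOKEN_MULTIPART_REQUEST_KEY))) {
            return true;
        }
        LOG.warn("There is no valid Multipart CSRF token in this request [URI=" + requestUri + "]");
        return false;
    }

    /**
     * Checks a multipart token that the caller has already extracted from a multipart field
     * (the upload servlet's path). No endpoint exemptions apply here.
     *
     * @param str                token value taken from the multipart body; may be null
     * @param httpServletRequest request being validated; used only for logging
     * @return true if {@code str} matches the session's multipart token
     */
    public boolean isValidMultipartFromFileItem(String str, HttpServletRequest httpServletRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking CSRF multipart-token for request [" + describe(httpServletRequest) + "]");
        }
        if (this.multipartToken.equals(str)) {
            return true;
        }
        LOG.warn("There is no valid Multipart CSRF token in this request [URI=" + httpServletRequest.getRequestURI() + "]");
        return false;
    }

    /** Builds the shared "URI=…,method=…,content-type=…" fragment used by every log line above. */
    private static String describe(HttpServletRequest httpServletRequest) {
        return "URI=" + httpServletRequest.getRequestURI()
            + ",method=" + httpServletRequest.getMethod()
            + ",content-type=" + httpServletRequest.getContentType();
    }

    /**
     * Parses {@code str} and returns its path component, or null if it does not parse
     * (logged at debug only). Callers treat null as "not an exempt endpoint", so a request URI
     * the URI class rejects still falls through to the token check.
     */
    private static String pathOf(String str) {
        try {
            return new URI(str).getPath();
        } catch (URISyntaxException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Could not get request URI path", e);
            }
            return null;
        }
    }

    /** True if the request path starts with the GWT upload servlet prefix. */
    private boolean isUploadServletEndpoint(String str) {
        String path = pathOf(str);
        return path != null && path.startsWith(UPLOAD_SERVLET_PREFIX);
    }

    /** True if the request path starts with the Web API prefix. */
    private boolean isWebApiEndpoint(String str) {
        String path = pathOf(str);
        return path != null && path.startsWith(WEB_API_PREFIX);
    }

    /** True if the request path is exactly one of the three CSP report endpoints. */
    private boolean isCspReportEndpoint(String str) {
        String path = pathOf(str);
        return CSP_BASE_CONTEXT_AND_PATH.equals(path)
            || CSP_STATIC_BASE_CONTEXT_AND_PATH.equals(path)
            || CSP_DYNAMIC_BASE_CONTEXT_AND_PATH.equals(path);
    }

    /**
     * Double-submit-cookie check used on the login form: the {@code CSRF_TOKEN_REQUEST_KEY}
     * request parameter must equal the value of the first {@code CSRF_TOKEN_COOKIE} cookie.
     * No session token is involved (there may be no session yet).
     *
     * <p>Fixes relative to the previous version: {@link HttpServletRequest#getCookies()} returns
     * null, not an empty array, when the request carries no {@code Cookie} header, and the old loop
     * dereferenced it unguarded — a cookie-less login POST threw {@link NullPointerException}
     * instead of being rejected. The string comparison is now length-then-constant-time via
     * {@link MessageDigest#isEqual} so the match does not leak how many leading bytes agreed.
     *
     * @param httpServletRequest the login request
     * @return true only if both values are present and equal
     */
    public static boolean loginTokensMatch(HttpServletRequest httpServletRequest) {
        String submitted = httpServletRequest.getParameter(CsrfConstants.CSRF_TOKEN_REQUEST_KEY);
        if (submitted == null) {
            return false;
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (CsrfConstants.CSRF_TOKEN_COOKIE.equals(cookie.getName())) {
                // First cookie with the expected name decides, as before; duplicates are ignored.
                return constantTimeEquals(submitted, cookie.getValue());
            }
        }
        return false;
    }

    /** Compares two token strings without a content-dependent early exit; null never matches. */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            actual.getBytes(StandardCharsets.UTF_8));
    }
}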
