package org.eclipse.orion.server.servlets;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.text.MessageFormat;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.eclipse.orion.server.core.PreferenceHelper;
import org.eclipse.orion.server.core.ServerStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/orion/server/servlets/XSRFPreventionFilter.class */
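/**
 * Servlet filter that rejects state-changing requests which do not carry a valid CSRF token.
 *
 * <p>The mechanism is a double-submit cookie: on an entry point (currently {@code /login}) a
 * random token is issued in the {@code x-csrf-token} cookie, and every request whose method is
 * not GET and whose path is not on the exception list must repeat that value in the
 * {@code x-csrf-token} request header. Requests failing that comparison receive a 403 JSON
 * response and never reach the rest of the chain.
 *
 * <p>Only GET is exempt from the check; HEAD and OPTIONS requests without a token are rejected
 * like any other non-GET request.
 *
 * <p>The filter is switched on by the {@code orion.XSRFPreventionFilterEnabled} preference;
 * any other value (including an absent preference) disables it and the filter becomes a
 * pass-through.
 *
 * <p>Thread-safety: the path sets are populated in {@link #init(FilterConfig)} and only read
 * afterwards; {@link SecureRandom} is safe for concurrent use, so one instance may serve
 * concurrent requests as the servlet container requires.
 */
public class XSRFPreventionFilter implements Filter {
    /** Error log format when the header token and the cookie token differ. */
    private static final String NONCES_DO_NOT_MATCH = "{0} {1} on behalf of user ''{2}'': CSRF tokens do not match: ''{3}'' does not equal ''{4}''";
    /** Error log format when the request carries no token header. */
    private static final String NO_NONCE_IN_HEADER = "{0} {1} on behalf of user ''{2}'': missing CSRF token in header.";
    /** Error log format when the request carries no token cookie. */
    private static final String NO_NONCE_IN_COOKIES = "{0} {1} on behalf of user ''{2}'': missing CSRF token in cookies.";
    private static final Logger LOG = LoggerFactory.getLogger(XSRFPreventionFilter.class);
    /** Name shared by the cookie that issues the token and the header that echoes it. */
    private static final String XSRF_TOKEN = "x-csrf-token";
    /** Random bytes per token; 24 bytes encode to 32 URL-safe Base64 characters without padding. */
    private static final int NONCE_BYTES = 24;
    /** Preference key read in {@link #init(FilterConfig)}; {@code "true"} enables the filter. */
    private static final String ENABLED_PREFERENCE = "orion.XSRFPreventionFilterEnabled";
    /** Request attribute consulted so that forwarded requests are matched on their original path. */
    private static final String FORWARD_PATH_INFO = "javax.servlet.forward.path_info";
    /** Token source; created and seeded in {@link #init(FilterConfig)}. */
    private SecureRandom secureRandom;
    /** Paths on which a token cookie is issued when the request has none. */
    private final Set<String> entryPointList = new HashSet<String>();
    /** Paths exempt from the token check regardless of method. */
    private final Set<String> exceptionList = new HashSet<String>();
    /** True when the preference turns the filter into a pass-through. */
    private boolean xsrfPreventionFilterDisabled = false;

    /**
     * Locates a cookie by name in a request's cookie array.
     *
     * <p>Instances are read-only once constructed.
     */
    public static class CookieHandler {
        /** The matching cookie, or {@code null} when none was found. */
        private Cookie cookie;

        /**
         * Scans {@code cookieArr} for the first cookie whose name equals {@code str}.
         *
         * @param cookieArr cookies of the request; may be {@code null}, which is treated as empty
         * @param str the cookie name to look for
         */
        public CookieHandler(Cookie[] cookieArr, String str) {
            if (cookieArr == null) {
                return;
            }
            for (Cookie candidate : cookieArr) {
                if (str.equals(candidate.getName())) {
                    this.cookie = candidate;
                    return;
                }
            }
        }

        /**
         * Returns the matched cookie's value.
         *
         * @return the cookie value, or {@code null} when no cookie matched
         */
        public String getValue() {
            return this.cookie == null ? null : this.cookie.getValue();
        }

        /**
         * Reports whether a cookie with the requested name was present.
         *
         * @return {@code true} when a matching cookie was found
         */
        public boolean hasNonceCookie() {
            return this.cookie != null;
        }
    }

    /**
     * Populates the entry-point and exception path lists, prepares the token generator and
     * reads the enabling preference.
     *
     * @param filterConfig the container's filter configuration; not consulted
     * @throws ServletException never thrown here; declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.entryPointList.add("/login");
        this.exceptionList.add("/login");
        this.exceptionList.add("/login/canaddusers");
        this.exceptionList.add("/login/form");
        this.exceptionList.add("/useremailconfirmation/cansendemails");
        this.secureRandom = new SecureRandom();
        // Draw and discard one byte so the generator seeds itself now rather than on the first
        // request (presumably the intent; SecureRandom seeds lazily on first use).
        this.secureRandom.nextBytes(new byte[1]);
        this.xsrfPreventionFilterDisabled = !Boolean.parseBoolean(PreferenceHelper.getString(ENABLED_PREFERENCE));
    }

    /**
     * Issues a token cookie on entry points and enforces the token check on non-GET requests.
     *
     * @param servletRequest the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain the remaining chain, invoked only when the check passes or is skipped
     * @throws IOException if writing the rejection body or the chain fails
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (this.xsrfPreventionFilterDisabled) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String method = request.getMethod();
        String path = fullPath(request);
        if (LOG.isDebugEnabled()) {
            LOG.debug(MessageFormat.format("Filter called for {0} {1}. ", method, path));
        }
        CookieHandler cookieHandler = new CookieHandler(request.getCookies(), XSRF_TOKEN);
        if (isEntryPoint(request, path) && !cookieHandler.hasNonceCookie()) {
            Cookie nonceCookie = new Cookie(XSRF_TOKEN, generateNonce(method, path));
            // The client has to read this cookie to copy it into the header, so it cannot be
            // HttpOnly; restrict it to TLS whenever it was issued over TLS so it is not replayed
            // over plain HTTP.
            nonceCookie.setSecure(request.isSecure());
            response.addCookie(nonceCookie);
        }
        // Only GET is exempt by method; everything else must pass unless the path is listed.
        boolean skipCheck = "get".equalsIgnoreCase(method) || isException(request, path);
        if (skipCheck) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(MessageFormat.format("Skipping nonce check for {0} {1}", method, path));
            }
        } else {
            String header = request.getHeader(XSRF_TOKEN);
            if (!checkNonce(cookieHandler, header)) {
                logReasonForInvalidNonce(request, method, path, cookieHandler, header);
                prepareResponseForInvalidNonce(response);
                return;
            }
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Builds the servlet path plus path info, which is the form the path lists are keyed on.
     *
     * @param request the current request
     * @return the servlet path, with the path info appended when present
     */
    private static String fullPath(HttpServletRequest request) {
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        return pathInfo == null ? path : path + pathInfo;
    }

    /**
     * Matches a path against a list, also trying the original path of a forwarded request.
     *
     * @param paths the list to consult
     * @param servletRequest the request, for the forward path-info attribute
     * @param path the resolved path of the current request
     * @return {@code true} when either path is listed
     */
    private static boolean matchesAny(Set<String> paths, ServletRequest servletRequest, String path) {
        if (paths.contains(path)) {
            return true;
        }
        return paths.contains((String) servletRequest.getAttribute(FORWARD_PATH_INFO));
    }

    /** Returns whether the request targets a path on which a token cookie is issued. */
    private boolean isEntryPoint(ServletRequest servletRequest, String str) {
        return matchesAny(this.entryPointList, servletRequest, str);
    }

    /** Returns whether the request targets a path exempt from the token check. */
    private boolean isException(ServletRequest servletRequest, String str) {
        return matchesAny(this.exceptionList, servletRequest, str);
    }

    /** Nothing to release: the filter holds no external resources. */
    @Override
    public void destroy() {
    }

    /**
     * Writes the 403 rejection: an {@code x-csrf-token: required} hint header, a no-cache
     * directive and a JSON {@link ServerStatus} body.
     *
     * @param httpServletResponse the response to populate
     * @throws IOException if the writer cannot be obtained or written
     */
    private void prepareResponseForInvalidNonce(HttpServletResponse httpServletResponse) throws IOException {
        httpServletResponse.setHeader(XSRF_TOKEN, "required");
        ServerStatus serverStatus = new ServerStatus(4, 403, "Access Denied", (Throwable) null);
        httpServletResponse.setHeader("Cache-Control", "no-cache");
        httpServletResponse.setContentType("application/json");
        httpServletResponse.setStatus(serverStatus.getHttpCode());
        httpServletResponse.getWriter().print(serverStatus.toJSON().toString());
    }

    /**
     * Logs, at error level, why a request failed the token check.
     *
     * <p>When both values are present the {@link #NONCES_DO_NOT_MATCH} message records the
     * header value and the cookie value verbatim; otherwise one line per missing carrier is
     * written.
     *
     * @param httpServletRequest the rejected request (its remote user is logged)
     * @param str the HTTP method
     * @param str2 the request path
     * @param cookieHandler the cookie lookup result
     * @param str3 the header value, or {@code null} when absent
     */
    private void logReasonForInvalidNonce(HttpServletRequest httpServletRequest, String str, String str2, CookieHandler cookieHandler, String str3) {
        if (cookieHandler.hasNonceCookie() && str3 != null) {
            LOG.error(MessageFormat.format(NONCES_DO_NOT_MATCH, str, str2, httpServletRequest.getRemoteUser(), str3, cookieHandler.getValue()));
            return;
        }
        if (!cookieHandler.hasNonceCookie()) {
            LOG.error(MessageFormat.format(NO_NONCE_IN_COOKIES, str, str2, httpServletRequest.getRemoteUser()));
        }
        if (str3 == null) {
            LOG.error(MessageFormat.format(NO_NONCE_IN_HEADER, str, str2, httpServletRequest.getRemoteUser()));
        }
    }

    /**
     * Compares the cookie token with the header token.
     *
     * @param cookieHandler the cookie lookup result
     * @param headerValue the {@code x-csrf-token} header, or {@code null} when absent
     * @return {@code true} only when both are present and byte-for-byte equal
     */
    private static boolean checkNonce(CookieHandler cookieHandler, String headerValue) {
        String cookieValue = cookieHandler.getValue();
        if (cookieValue == null || headerValue == null) {
            return false;
        }
        // Constant-time comparison so the position of the first differing character is not
        // observable through response timing.
        return MessageDigest.isEqual(
                cookieValue.getBytes(StandardCharsets.UTF_8),
                headerValue.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Produces a fresh random token.
     *
     * @param str the HTTP method, for the debug log
     * @param str2 the request path, for the debug log
     * @return {@value #NONCE_BYTES} random bytes as unpadded URL-safe Base64
     */
    private String generateNonce(String str, String str2) {
        byte[] raw = new byte[NONCE_BYTES];
        this.secureRandom.nextBytes(raw);
        String nonce = Base64.encodeBase64URLSafeString(raw);
        if (LOG.isDebugEnabled()) {
            // The token value itself is deliberately kept out of the log.
            LOG.debug(MessageFormat.format("Creating nonce for {0} {1}", str, str2));
        }
        return nonce;
    }
}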
