package uk.ac.warwick.sso.client;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Optional;
import java.util.UUID;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import uk.ac.warwick.sso.client.core.Cookie;
import uk.ac.warwick.sso.client.util.cookies.ServerCookieEncoder;
import uk.ac.warwick.userlookup.User;

/* loaded from: input_file:uk/ac/warwick/sso/client/CSRFFilter.class */
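/**
 * Double-submit-cookie CSRF protection for logged-in users.
 *
 * <p>On every request from a logged-in user the filter ensures a token cookie exists
 * (issuing a fresh random UUID when it is missing or when an upstream component has set
 * {@link #CSRF_FORCE_INVALIDATE}), exposes the current token to downstream code via the
 * {@link #CSRF_TOKEN_PROPERTY_NAME} request attribute, and on {@code POST} requires the
 * same token to be echoed back as a form parameter or in the {@link #CSRF_HTTP_HEADER}
 * header. A missing or mismatching token is rejected with HTTP 400 before the chain runs.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The cookie is issued with the {@code __Host-} prefix, {@code Secure}, {@code HttpOnly},
 *       {@code Path=/} and {@code SameSite=Strict}. Browsers honouring the prefix refuse to set
 *       such a cookie from a sibling subdomain or without {@code Secure}, which closes the usual
 *       cookie-planting hole in the double-submit pattern.</li>
 *   <li>Only {@code POST} is validated. {@code PUT}/{@code PATCH}/{@code DELETE} pass through
 *       unchecked — NOTE(review): confirm the protected application does not expose
 *       state-changing endpoints on those methods, or extend {@code isStateChanging} below.</li>
 *   <li>Requests without a logged-in user are never checked: there is no session to ride.</li>
 *   <li>The token itself is never written to the log.</li>
 * </ul>
 */
public class CSRFFilter extends AbstractShireSkippingFilter {
    /** Header consulted for the submitted token when the form parameter is absent. */
    public static final String CSRF_HTTP_HEADER = "X-CSRF-Token";
    /** Name of the token cookie; the {@code __Host-} prefix is browser-enforced (see class doc). */
    public static final String CSRF_COOKIE_NAME = "__Host-SSO-CSRF";
    /** Request attribute and form-parameter name carrying the current token. */
    public static final String CSRF_TOKEN_PROPERTY_NAME = "urn:websignon:csrf";
    /** Request attribute an upstream component may set to force issuance of a fresh token. */
    public static final String CSRF_FORCE_INVALIDATE = "urn:websignon:csrf:invalidate";
    private final ServerCookieEncoder encoder = new ServerCookieEncoder(false);
    private static final Logger LOGGER = LoggerFactory.getLogger(CSRFFilter.class);
    /** Request attribute set to one of the two error codes below when a POST is rejected. */
    public static String CSRF_ERROR = "urn:websignon:csrf:error";
    public static String CSRF_ERROR_TOKEN_ABSENT = "urn:websignon:csrf:error:absent";
    public static String CSRF_ERROR_TOKEN_MISMATCH = "urn:websignon:csrf:error:mismatch";

    /**
     * Establishes the token for this request and, for a POST by a logged-in user, validates
     * the submitted token against it.
     *
     * @param httpServletRequest  incoming request; the current token is stored on it as
     *                            {@link #CSRF_TOKEN_PROPERTY_NAME}
     * @param httpServletResponse response; receives a {@code Set-Cookie} when a token is issued
     *                            and an {@code X-Error} header plus status 400 on rejection
     * @param filterChain         invoked unless the request is rejected
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override // uk.ac.warwick.sso.client.AbstractShireSkippingFilter
    public void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        User userFromRequest = SSOClientFilter.getUserFromRequest(httpServletRequest);
        // Anonymous requests carry no session a forged request could exploit; skip entirely.
        if (userFromRequest != null && userFromRequest.isFoundUser() && userFromRequest.isLoggedIn()) {
            Optional<javax.servlet.http.Cookie> existing = Arrays.stream(getRequestCookiesSafe(httpServletRequest))
                    .filter(cookie -> CSRF_COOKIE_NAME.equals(cookie.getName()))
                    .findFirst();
            boolean freshlyIssued = false;
            String token;
            if (existing.isPresent() && httpServletRequest.getAttribute(CSRF_FORCE_INVALIDATE) == null) {
                token = existing.get().getValue();
            } else {
                LOGGER.debug(existing.isPresent() ? "Forcing invalidation of token due to CSRF_FORCE_INVALIDATE" : "Couldn't find cookie with name __Host-SSO-CSRF");
                // UUID.randomUUID() is backed by SecureRandom, so the token is unguessable.
                token = UUID.randomUUID().toString();
                addCsrfCookie(httpServletRequest, httpServletResponse, token);
                freshlyIssued = true;
            }
            httpServletRequest.setAttribute(CSRF_TOKEN_PROPERTY_NAME, token);
            if (isStateChanging(httpServletRequest)) {
                if (freshlyIssued) {
                    // A POST with no prior cookie cannot match: the client never saw this token.
                    LOGGER.warn("User didn't have a CSRF token known to the system, and they immediately POST'd.");
                }
                String submitted = readSubmittedToken(httpServletRequest);
                if (submitted == null || submitted.isEmpty()) {
                    LOGGER.info("No CSRF token was provided in the POST; denying request");
                    reject(httpServletRequest, httpServletResponse, "No CSRF token", CSRF_ERROR_TOKEN_ABSENT);
                    return;
                }
                if (!tokensMatch(submitted, token)) {
                    LOGGER.warn("Provided CSRF token does not match stored CSRF token; denying request");
                    reject(httpServletRequest, httpServletResponse, "Wrong CSRF token", CSRF_ERROR_TOKEN_MISMATCH);
                    return;
                }
                LOGGER.debug("Allowing CSRF request through as token matches");
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /** Methods subject to validation; currently only POST (see class doc for the caveat). */
    private static boolean isStateChanging(HttpServletRequest httpServletRequest) {
        return "POST".equalsIgnoreCase(httpServletRequest.getMethod());
    }

    /**
     * Returns the token the client submitted, or {@code null} if none.
     * A form parameter, when present, takes precedence over the header even if it is empty —
     * so an empty parameter alongside a valid header is still rejected as "absent".
     */
    private static String readSubmittedToken(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getParameterMap().containsKey(CSRF_TOKEN_PROPERTY_NAME)) {
            return httpServletRequest.getParameter(CSRF_TOKEN_PROPERTY_NAME);
        }
        return httpServletRequest.getHeader(CSRF_HTTP_HEADER);
    }

    /**
     * Constant-time comparison of the submitted and expected tokens. {@code MessageDigest.isEqual}
     * only short-circuits on differing lengths, which reveals nothing here because the expected
     * token is always a 36-character UUID string.
     */
    private static boolean tokensMatch(String submitted, String expected) {
        return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    /** Records the error code on the request, sets the diagnostic header and sends HTTP 400. */
    private static void reject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String headerMessage, String errorCode) throws IOException {
        httpServletResponse.setHeader("X-Error", headerMessage);
        httpServletRequest.setAttribute(CSRF_ERROR, errorCode);
        httpServletResponse.sendError(400);
    }

    /**
     * Issues the token cookie as a session cookie ({@code maxAge = -1}) with the hardening
     * attributes described on the class. It is written as a raw {@code Set-Cookie} header via
     * the project's encoder — presumably because the servlet {@code Cookie} API offers no
     * {@code SameSite} attribute; confirm against {@code ServerCookieEncoder}.
     */
    private void addCsrfCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        uk.ac.warwick.sso.client.core.Cookie cookie = new uk.ac.warwick.sso.client.core.Cookie(CSRF_COOKIE_NAME, str);
        cookie.setHttpOnly(true);
        cookie.setSameSite(uk.ac.warwick.sso.client.core.Cookie.SameSiteValue.STRICT);
        cookie.setMaxAge(-1);
        cookie.setPath("/");
        cookie.setSecure(true);
        httpServletResponse.addHeader("Set-Cookie", this.encoder.encode(cookie));
    }

    /** No configuration is read; all behaviour is fixed by the constants above. */
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** Nothing to release. */
    public void destroy() {
    }

    /** Returns the request's cookies, or an empty array when the container reports {@code null}. */
    private javax.servlet.http.Cookie[] getRequestCookiesSafe(HttpServletRequest httpServletRequest) {
        javax.servlet.http.Cookie[] cookies = httpServletRequest.getCookies();
        return cookies == null ? new javax.servlet.http.Cookie[0] : cookies;
    }
}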
