package uk.ac.warwick.sso.client;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Optional;
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.logstash.logback.argument.StructuredArguments;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.servlet.HandlerMapping;
import uk.ac.warwick.sso.client.util.cookies.ServerCookieEncoder;
import uk.ac.warwick.userlookup.User;

/* loaded from: input_file:uk/ac/warwick/sso/client/CSRFImpl.class */
class CSRFImpl {
    static final String CSRF_HTTP_HEADER = "X-CSRF-Token";
    static final String CSRF_COOKIE_NAME = "__Host-SSO-CSRF";
    static final String CSRF_TOKEN_PROPERTY_NAME = "urn:websignon:csrf";
    static final String CSRF_FORCE_INVALIDATE = "urn:websignon:csrf:invalidate";
    private ServerCookieEncoder encoder = new ServerCookieEncoder(false);
    private boolean reportOnlyMode;
    private static final Logger LOGGER = LoggerFactory.getLogger("uk.ac.warwick.SECURITY_REPORTS");
    static String CSRF_ERROR = "urn:websignon:csrf:error";
    static String CSRF_ERROR_TOKEN_ABSENT = "urn:websignon:csrf:error:absent";
    static String CSRF_ERROR_TOKEN_MISMATCH = "urn:websignon:csrf:error:mismatch";

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setReportOnlyMode(boolean z) {
        this.reportOnlyMode = z;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String uuid;
        User userFromRequest = SSOClientFilter.getUserFromRequest(httpServletRequest);
        if (!userFromRequest.isFoundUser() || !userFromRequest.isLoggedIn()) {
            return true;
        }
        String str = this.reportOnlyMode ? "reporting" : "rejecting";
        Optional findFirst = Arrays.stream(getRequestCookiesSafe(httpServletRequest)).filter(cookie -> {
            return cookie.getName().equals("__Host-SSO-CSRF");
        }).findFirst();
        boolean z = false;
        if (findFirst.isPresent() && httpServletRequest.getAttribute("urn:websignon:csrf:invalidate") == null) {
            uuid = ((Cookie) findFirst.get()).getValue();
        } else {
            LOGGER.debug(findFirst.isPresent() ? "Forcing invalidation of token due to CSRF_FORCE_INVALIDATE" : "Couldn't find cookie with name __Host-SSO-CSRF");
            uuid = UUID.randomUUID().toString();
            addCsrfCookie(httpServletRequest, httpServletResponse, uuid);
            z = true;
        }
        httpServletRequest.setAttribute("urn:websignon:csrf", uuid);
        if (!httpServletRequest.getMethod().equalsIgnoreCase("post")) {
            return true;
        }
        if (z) {
            LOGGER.warn("User didn't have a CSRF token known to the system, and they immediately POST'd.");
        }
        String parameter = httpServletRequest.getParameterMap().containsKey("urn:websignon:csrf") ? httpServletRequest.getParameter("urn:websignon:csrf") : httpServletRequest.getHeader("X-CSRF-Token");
        if (parameter == null || parameter.length() == 0) {
            logWithRequest(httpServletRequest, httpServletResponse, String.format("No CSRF token was provided in the POST; %s POST request to %s", str, httpServletRequest.getRequestURL()), uuid, parameter, userFromRequest);
            httpServletResponse.setHeader("X-Error", "No CSRF token");
            if (this.reportOnlyMode) {
                return true;
            }
            httpServletRequest.setAttribute(CSRF_ERROR, CSRF_ERROR_TOKEN_ABSENT);
            httpServletResponse.sendError(400);
            return false;
        }
        if (MessageDigest.isEqual(parameter.getBytes(StandardCharsets.UTF_8), uuid.getBytes(StandardCharsets.UTF_8))) {
            LOGGER.debug("Allowing CSRF request through as token matches");
            return true;
        }
        logWithRequest(httpServletRequest, httpServletResponse, String.format("Provided CSRF token does not match stored CSRF token; %s POST request to %s", str, httpServletRequest.getRequestURL()), uuid, parameter, userFromRequest);
        httpServletResponse.setHeader("X-Error", "Wrong CSRF token");
        if (this.reportOnlyMode) {
            return true;
        }
        httpServletRequest.setAttribute(CSRF_ERROR, CSRF_ERROR_TOKEN_MISMATCH);
        httpServletResponse.sendError(400);
        return false;
    }

    private Cookie[] getRequestCookiesSafe(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getCookies() == null ? new Cookie[0] : httpServletRequest.getCookies();
    }

    private void addCsrfCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        uk.ac.warwick.sso.client.core.Cookie cookie = new uk.ac.warwick.sso.client.core.Cookie("__Host-SSO-CSRF", str);
        cookie.setHttpOnly(true);
        cookie.setMaxAge(-1);
        cookie.setPath("/");
        cookie.setSecure(true);
        httpServletResponse.addHeader("Set-Cookie", this.encoder.encode(cookie));
    }

    private void logWithRequest(final HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, final String str, final String str2, final String str3, User user) {
        final String uuid = UUID.randomUUID().toString();
        HashMap hashMap = new HashMap();
        hashMap.put("request_headers", new HashMap<String, Object>() { // from class: uk.ac.warwick.sso.client.CSRFImpl.1
            {
                put("user-agent", Optional.ofNullable(httpServletRequest.getHeader("User-Agent")).orElse("-"));
                put("x-requested-with", Optional.ofNullable(httpServletRequest.getHeader("X-Requested-With")).orElse("-"));
                put("referer", Optional.ofNullable(httpServletRequest.getHeader("Referer")).orElse("-"));
            }
        });
        hashMap.put("csrf-report", new HashMap<String, Object>() { // from class: uk.ac.warwick.sso.client.CSRFImpl.2
            {
                put("document-uri", httpServletRequest.getRequestURL());
                Optional.ofNullable(httpServletRequest.getAttribute(HandlerMapping.BEST_MATCHING_PATTERN_ATTRIBUTE)).ifPresent(obj -> {
                    put("best-matching-pattern", obj);
                });
                put("method", httpServletRequest.getMethod());
                put("expected-token", str2);
                put("actual-token", str3 == null ? "-" : str3);
                put("error", str);
                put("correlation-id", uuid);
            }
        });
        hashMap.put("username", user.getUserId());
        LOGGER.warn("{}", StructuredArguments.entries(hashMap));
        httpServletResponse.setHeader("X-Correlation-ID", uuid);
    }
}
