package org.apache.catalina.filters;

import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.res.StringManager;

/* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter.class */
public class CsrfPreventionFilter extends CsrfPreventionFilterBase {
    private static final String DEFAULT_NO_NONCE_URL_PATTERNS = "*.css, *.js, *.gif, *.png, *.jpg, *.svg, *.ico, *.jpeg, *.mjs";
    private ServletContext context;
    private final Log log = LogFactory.getLog((Class<?>) CsrfPreventionFilter.class);
    private final Set<String> entryPoints = new HashSet();
    private int nonceCacheSize = 5;
    private String nonceRequestParameterName = "org.apache.catalina.filters.CSRF_NONCE";
    private boolean enforce = true;
    private String noNoncePatterns = DEFAULT_NO_NONCE_URL_PATTERNS;
    private Collection<Predicate<String>> noNoncePredicates;

    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$CsrfResponseWrapper.class */
    protected static class CsrfResponseWrapper extends HttpServletResponseWrapper {
        private final String nonceRequestParameterName;
        private final String nonce;
        private final Collection<Predicate<String>> noNoncePatterns;

        public CsrfResponseWrapper(HttpServletResponse httpServletResponse, String str, String str2, Collection<Predicate<String>> collection) {
            super(httpServletResponse);
            this.nonceRequestParameterName = str;
            this.nonce = str2;
            this.noNoncePatterns = collection;
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        @Deprecated
        public String encodeRedirectUrl(String str) {
            return encodeRedirectURL(str);
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        public String encodeRedirectURL(String str) {
            return shouldAddNonce(str) ? addNonce(super.encodeRedirectURL(str)) : str;
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        @Deprecated
        public String encodeUrl(String str) {
            return encodeURL(str);
        }

        @Override // javax.servlet.http.HttpServletResponseWrapper, javax.servlet.http.HttpServletResponse
        public String encodeURL(String str) {
            return shouldAddNonce(str) ? addNonce(super.encodeURL(str)) : str;
        }

        private boolean shouldAddNonce(String str) {
            if (null == this.noNoncePatterns || this.noNoncePatterns.isEmpty()) {
                return true;
            }
            Iterator<Predicate<String>> it = this.noNoncePatterns.iterator();
            while (it.hasNext()) {
                if (it.next().test(str)) {
                    return false;
                }
            }
            return true;
        }

        private String addNonce(String str) {
            if (str == null || this.nonce == null) {
                return str;
            }
            String str2 = str;
            String str3 = "";
            String str4 = "";
            int indexOf = str2.indexOf(35);
            if (indexOf >= 0) {
                str4 = str2.substring(indexOf);
                str2 = str2.substring(0, indexOf);
            }
            int indexOf2 = str2.indexOf(63);
            if (indexOf2 >= 0) {
                str3 = str2.substring(indexOf2);
                str2 = str2.substring(0, indexOf2);
            }
            StringBuilder sb = new StringBuilder(str2);
            if (str3.isEmpty()) {
                sb.append('?');
            } else {
                sb.append(str3);
                sb.append('&');
            }
            sb.append(this.nonceRequestParameterName);
            sb.append('=');
            sb.append(this.nonce);
            sb.append(str4);
            return sb.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$LruCache.class */
    public static class LruCache<T> implements NonceCache<T> {
        private static final long serialVersionUID = 1;
        private final Map<T, T> cache;

        public LruCache(final int i) {
            this.cache = new LinkedHashMap<T, T>(this) { // from class: org.apache.catalina.filters.CsrfPreventionFilter.LruCache.1
                private static final long serialVersionUID = 1;
                final /* synthetic */ LruCache this$0;

                {
                    this.this$0 = this;
                }

                @Override // java.util.LinkedHashMap
                protected boolean removeEldestEntry(Map.Entry<T, T> entry) {
                    return size() > i;
                }
            };
        }

        @Override // org.apache.catalina.filters.CsrfPreventionFilter.NonceCache
        public void add(T t) {
            synchronized (this.cache) {
                this.cache.put(t, null);
            }
        }

        @Override // org.apache.catalina.filters.CsrfPreventionFilter.NonceCache
        public boolean contains(T t) {
            boolean containsKey;
            synchronized (this.cache) {
                containsKey = this.cache.containsKey(t);
            }
            return containsKey;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$MimePredicate.class */
    public static class MimePredicate implements Predicate<String> {
        private final ServletContext context;
        private final Predicate<String> predicate;

        public MimePredicate(ServletContext servletContext, Predicate<String> predicate) {
            this.context = servletContext;
            this.predicate = predicate;
        }

        @Override // java.util.function.Predicate
        public boolean test(String str) {
            String mimeType = this.context.getMimeType(str);
            if (mimeType == null) {
                return false;
            }
            return this.predicate.test(mimeType);
        }

        public Predicate<String> getPredicate() {
            return this.predicate;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$NonceCache.class */
    public interface NonceCache<T> extends Serializable {
        void add(T t);

        boolean contains(T t);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$PatternPredicate.class */
    public static class PatternPredicate implements Predicate<String> {
        private final Pattern pattern;

        public PatternPredicate(String str) {
            this.pattern = Pattern.compile(str);
        }

        @Override // java.util.function.Predicate
        public boolean test(String str) {
            return this.pattern.matcher(str).matches();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$PrefixPredicate.class */
    public static class PrefixPredicate implements Predicate<String> {
        private final String prefix;

        public PrefixPredicate(String str) {
            this.prefix = str;
        }

        @Override // java.util.function.Predicate
        public boolean test(String str) {
            return str.startsWith(this.prefix);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/catalina/filters/CsrfPreventionFilter$SuffixPredicate.class */
    public static class SuffixPredicate implements Predicate<String> {
        private final String suffix;

        public SuffixPredicate(String str) {
            this.suffix = str;
        }

        @Override // java.util.function.Predicate
        public boolean test(String str) {
            return str.endsWith(this.suffix);
        }
    }

    public void setEntryPoints(String str) {
        for (String str2 : str.split(",")) {
            this.entryPoints.add(str2.trim());
        }
    }

    public void setNonceCacheSize(int i) {
        this.nonceCacheSize = i;
    }

    public void setNonceRequestParameterName(String str) {
        this.nonceRequestParameterName = str;
    }

    public void setEnforce(boolean z) {
        this.enforce = z;
    }

    public boolean isEnforce() {
        return this.enforce;
    }

    public void setNoNonceURLPatterns(String str) {
        this.noNoncePatterns = str;
        if (null != this.context) {
            this.noNoncePredicates = createNoNoncePredicates(this.context, this.noNoncePatterns);
        }
    }

    protected static Collection<Predicate<String>> createNoNoncePredicates(ServletContext servletContext, String str) {
        if (null == str || str.trim().isEmpty()) {
            return null;
        }
        if (str.startsWith("/") && str.endsWith("/")) {
            return Collections.singleton(new PatternPredicate(str.substring(1, str.length() - 1)));
        }
        String[] split = str.split(",");
        ArrayList arrayList = new ArrayList(split.length);
        for (String str2 : split) {
            Predicate<String> createNoNoncePredicate = createNoNoncePredicate(servletContext, str2.trim());
            if (null != createNoNoncePredicate) {
                arrayList.add(createNoNoncePredicate);
            }
        }
        arrayList.trimToSize();
        return arrayList;
    }

    protected static Predicate<String> createNoNoncePredicate(ServletContext servletContext, String str) {
        if (null == str || str.trim().isEmpty()) {
            return null;
        }
        if (str.startsWith("mime:")) {
            return new MimePredicate(servletContext, createNoNoncePredicate(servletContext, str.substring(5)));
        }
        if (str.startsWith(SecurityConstraint.ROLE_ALL_ROLES)) {
            return new SuffixPredicate(str.substring(1));
        }
        if (str.endsWith(SecurityConstraint.ROLE_ALL_ROLES)) {
            return new PrefixPredicate(str.substring(0, str.length() - 1));
        }
        if (str.startsWith("/") && str.endsWith("/")) {
            return new PatternPredicate(str.substring(1, str.length() - 1));
        }
        throw new IllegalArgumentException(sm.getString("csrfPrevention.unsupportedPattern", str));
    }

    @Override // org.apache.catalina.filters.CsrfPreventionFilterBase, org.apache.catalina.filters.FilterBase, javax.servlet.Filter
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        this.context = filterConfig.getServletContext();
        this.noNoncePredicates = createNoNoncePredicates(this.context, this.noNoncePatterns);
        filterConfig.getServletContext().setAttribute(Constants.CSRF_NONCE_REQUEST_PARAM_NAME_KEY, this.nonceRequestParameterName);
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        CsrfResponseWrapper csrfResponseWrapper = null;
        if ((servletRequest instanceof HttpServletRequest) && (servletResponse instanceof HttpServletResponse)) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
            HttpSession session = httpServletRequest.getSession(false);
            String requestedPath = getRequestedPath(httpServletRequest);
            boolean skipNonceCheck = skipNonceCheck(httpServletRequest);
            NonceCache<String> nonceCache = null;
            if (!skipNonceCheck) {
                String parameter = httpServletRequest.getParameter(this.nonceRequestParameterName);
                if (parameter != null) {
                    nonceCache = getNonceCache(httpServletRequest, session);
                    if (nonceCache == null) {
                        if (enforce(httpServletRequest, requestedPath)) {
                            if (this.log.isDebugEnabled()) {
                                Log log = this.log;
                                StringManager stringManager = sm;
                                Object[] objArr = new Object[2];
                                objArr[0] = getRequestedPath(httpServletRequest);
                                objArr[1] = null == session ? "(null)" : session.getId();
                                log.debug(stringManager.getString("csrfPrevention.rejectNoCache", objArr));
                            }
                            httpServletResponse.sendError(getDenyStatus());
                            return;
                        }
                        if (this.log.isTraceEnabled()) {
                            this.log.trace("Would have rejecting request for " + getRequestedPath(httpServletRequest) + ", session " + (null == session ? "(null)" : session.getId()) + " due to empty / missing nonce cache");
                        }
                    } else if (nonceCache.contains(parameter)) {
                        if (this.log.isTraceEnabled()) {
                            this.log.trace("Allowing request to " + getRequestedPath(httpServletRequest) + " with valid CSRF nonce " + parameter);
                        }
                    } else {
                        if (enforce(httpServletRequest, requestedPath)) {
                            if (this.log.isDebugEnabled()) {
                                Log log2 = this.log;
                                StringManager stringManager2 = sm;
                                Object[] objArr2 = new Object[3];
                                objArr2[0] = getRequestedPath(httpServletRequest);
                                objArr2[1] = null == session ? "(null)" : session.getId();
                                objArr2[2] = parameter;
                                log2.debug(stringManager2.getString("csrfPrevention.rejectInvalidNonce", objArr2));
                            }
                            httpServletResponse.sendError(getDenyStatus());
                            return;
                        }
                        if (this.log.isTraceEnabled()) {
                            this.log.trace("Would have rejecting request for " + getRequestedPath(httpServletRequest) + ", session " + (null == session ? "(null)" : session.getId()) + " due to invalid nonce " + parameter);
                        }
                    }
                } else {
                    if (enforce(httpServletRequest, requestedPath)) {
                        if (this.log.isDebugEnabled()) {
                            Log log3 = this.log;
                            StringManager stringManager3 = sm;
                            Object[] objArr3 = new Object[2];
                            objArr3[0] = getRequestedPath(httpServletRequest);
                            objArr3[1] = null == session ? "(null)" : session.getId();
                            log3.debug(stringManager3.getString("csrfPrevention.rejectNoNonce", objArr3));
                        }
                        httpServletResponse.sendError(getDenyStatus());
                        return;
                    }
                    if (this.log.isTraceEnabled()) {
                        this.log.trace("Would have rejected request for " + getRequestedPath(httpServletRequest) + ", session " + (null == session ? "(null)" : session.getId()) + " with no CSRF nonce found in request");
                    }
                }
            }
            if (!skipNonceGeneration(httpServletRequest)) {
                if (skipNonceCheck) {
                    nonceCache = getNonceCache(httpServletRequest, session);
                }
                if (nonceCache == null) {
                    if (this.log.isDebugEnabled()) {
                        Log log4 = this.log;
                        StringManager stringManager4 = sm;
                        Object[] objArr4 = new Object[2];
                        objArr4[0] = Integer.valueOf(this.nonceCacheSize);
                        objArr4[1] = null == session ? "(null)" : session.getId();
                        log4.debug(stringManager4.getString("csrfPrevention.createCache", objArr4));
                    }
                    if (session == null) {
                        if (this.log.isTraceEnabled()) {
                            this.log.trace("Creating new session to store CSRF nonce cache");
                        }
                        session = httpServletRequest.getSession(true);
                    }
                    nonceCache = createNonceCache(httpServletRequest, session);
                }
                String generateNonce = generateNonce(httpServletRequest);
                nonceCache.add(generateNonce);
                servletRequest.setAttribute(Constants.CSRF_NONCE_REQUEST_ATTR_NAME, generateNonce);
                csrfResponseWrapper = new CsrfResponseWrapper(httpServletResponse, this.nonceRequestParameterName, generateNonce, this.noNoncePredicates);
            }
        }
        filterChain.doFilter(servletRequest, csrfResponseWrapper == null ? servletResponse : csrfResponseWrapper);
    }

    protected boolean enforce(HttpServletRequest httpServletRequest, String str) {
        return isEnforce();
    }

    protected boolean skipNonceCheck(HttpServletRequest httpServletRequest) {
        if (!Constants.METHOD_GET.equals(httpServletRequest.getMethod())) {
            return false;
        }
        String requestedPath = getRequestedPath(httpServletRequest);
        if (this.entryPoints.contains(requestedPath)) {
            if (!this.log.isTraceEnabled()) {
                return true;
            }
            this.log.trace("Skipping CSRF nonce-check for GET request to entry point " + requestedPath);
            return true;
        }
        if (null == this.noNoncePredicates || this.noNoncePredicates.isEmpty()) {
            return false;
        }
        Iterator<Predicate<String>> it = this.noNoncePredicates.iterator();
        while (it.hasNext()) {
            if (it.next().test(requestedPath)) {
                if (!this.log.isTraceEnabled()) {
                    return true;
                }
                this.log.trace("Skipping CSRF nonce-check for GET request to no-nonce path " + requestedPath);
                return true;
            }
        }
        return false;
    }

    protected boolean skipNonceGeneration(HttpServletRequest httpServletRequest) {
        return false;
    }

    protected NonceCache<String> createNonceCache(HttpServletRequest httpServletRequest, HttpSession httpSession) {
        LruCache lruCache = new LruCache(this.nonceCacheSize);
        httpSession.setAttribute("org.apache.catalina.filters.CSRF_NONCE", lruCache);
        return lruCache;
    }

    protected NonceCache<String> getNonceCache(HttpServletRequest httpServletRequest, HttpSession httpSession) {
        if (httpSession == null) {
            return null;
        }
        return (NonceCache) httpSession.getAttribute("org.apache.catalina.filters.CSRF_NONCE");
    }
}
