package org.camunda.bpm.webapp.impl.security.filter;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.camunda.bpm.webapp.impl.security.filter.util.CsrfConstants;

/* loaded from: input_file:org/camunda/bpm/webapp/impl/security/filter/CsrfPreventionFilter.class */
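/**
 * Servlet filter implementing synchronizer-token CSRF protection with an optional
 * Origin/Referer same-origin check.
 *
 * <p>Safe requests (GET/HEAD/OPTIONS) and configured entry points pass through and are
 * issued a token (session attribute, cookie and response header). Every other request must
 * carry the token in the {@link CsrfConstants#CSRF_TOKEN_HEADER_NAME} header and, when a
 * {@code targetOrigin} init parameter is configured, must present a matching
 * {@code Origin} or {@code Referer} header.
 *
 * <p>Init parameters: {@code targetOrigin} (URL) and {@code entryPoints}
 * (comma-separated request paths exempt from validation).
 */
public class CsrfPreventionFilter extends BaseCsrfPreventionFilter {
    /** HTTP methods treated as non-modifying: they never need a token but are handed one. */
    protected static final Pattern NON_MODIFYING_METHODS_PATTERN = Pattern.compile("GET|HEAD|OPTIONS");
    /** Built-in login path that is exempt from token validation (no token can exist before login). */
    protected static final Pattern DEFAULT_ENTRY_URL_PATTERN = Pattern.compile("^/api/admin/auth/user/.+/login/(cockpit|tasklist|admin|welcome)$");
    /** Extra request paths exempt from validation, from the {@code entryPoints} init parameter. */
    private final Set<String> entryPoints = new HashSet<>();
    /** Expected origin of modifying requests; {@code null} disables the Origin/Referer check. */
    private URL targetOrigin;

    /**
     * Reads the {@code targetOrigin} and {@code entryPoints} init parameters after the base
     * class has initialised.
     *
     * @throws ServletException if {@code targetOrigin} is not a well-formed URL
     */
    @Override // org.camunda.bpm.webapp.impl.security.filter.BaseCsrfPreventionFilter
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);
        try {
            String targetOriginParam = filterConfig.getInitParameter("targetOrigin");
            if (!isBlank(targetOriginParam)) {
                setTargetOrigin(targetOriginParam);
            }
            String entryPointsParam = filterConfig.getInitParameter("entryPoints");
            if (!isBlank(entryPointsParam)) {
                setEntryPoints(entryPointsParam);
            }
        } catch (MalformedURLException e) {
            // Keep the cause so the container log shows where the bad URL came from, not only its message.
            throw new ServletException("CSRFPreventionFilter: Could not read target origin URL: " + e.getMessage(), e);
        }
    }

    /**
     * Issues a token on non-modifying requests; on all other requests enforces the
     * same-origin check and the token check before continuing the chain. A failed check
     * has already written an error response, so the chain is not invoked.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        if (isNonModifyingRequest(httpServletRequest)) {
            fetchToken(httpServletRequest, httpServletResponse);
        } else {
            // Short-circuit: the token check only runs when the origin check passed.
            boolean originOk = doSameOriginStandardHeadersVerification(httpServletRequest, httpServletResponse);
            if (!originOk || !doTokenValidation(httpServletRequest, httpServletResponse)) {
                return;
            }
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Compares the token from the request header with the one stored in the session.
     *
     * @return {@code true} if the tokens match; {@code false} after an error response has
     *         been sent with {@link #getDenyStatus()}
     * @throws IOException if the error response cannot be written
     */
    protected boolean doTokenValidation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String headerToken = getCSRFTokenHeader(httpServletRequest);
        if (isBlank(headerToken)) {
            // Tell the client a token is required so it can fetch one via a safe request.
            httpServletResponse.setHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME, CsrfConstants.CSRF_TOKEN_HEADER_REQUIRED);
            httpServletResponse.sendError(getDenyStatus(), "CSRFPreventionFilter: Token provided via HTTP Header is absent/empty.");
            return false;
        }
        // Do not create a session here: without one there is no token to compare against and the
        // request is denied anyway, so creating sessions for unauthenticated writes is pure waste.
        HttpSession session = httpServletRequest.getSession(false);
        String sessionToken = session == null
            ? null
            : (String) session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME);
        if (!isBlank(sessionToken) && tokensMatch(sessionToken, headerToken)) {
            return true;
        }
        httpServletResponse.sendError(getDenyStatus(), "CSRFPreventionFilter: Invalid HTTP Header Token.");
        return false;
    }

    /** Constant-time comparison so response timing does not reveal how many leading characters matched. */
    private static boolean tokensMatch(String expected, String provided) {
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            provided.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Checks that the request's {@code Origin} (or, failing that, {@code Referer}) header
     * names the configured target origin. Always passes when no target origin is set.
     *
     * @return {@code true} if the check passes or is disabled; {@code false} after a 403 has
     *         been sent
     * @throws IOException if the error response cannot be written
     */
    protected boolean doSameOriginStandardHeadersVerification(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.targetOrigin == null) {
            return true;
        }
        String header = httpServletRequest.getHeader("Origin");
        if (isBlank(header)) {
            header = httpServletRequest.getHeader("Referer");
            if (isBlank(header)) {
                httpServletResponse.sendError(403, "CSRFPreventionFilter: ORIGIN and REFERER request headers are not present.");
                return false;
            }
        }
        URL source;
        try {
            source = new URL(header);
        } catch (MalformedURLException e) {
            // The header is client-controlled; an unparseable value (e.g. a literal "null" origin)
            // is a denial, not a server error propagated out of the filter.
            httpServletResponse.sendError(403, "CSRFPreventionFilter: ORIGIN or REFERER request header is not a valid URL.");
            return false;
        }
        if (sameOrigin(this.targetOrigin, source)) {
            return true;
        }
        httpServletResponse.sendError(403, String.format("CSRFPreventionFilter: Protocol/Host/Port does not fully match: (%s != %s) ", this.targetOrigin, source));
        return false;
    }

    /** Scheme, host and effective port must all agree; host comparison is exact (case-sensitive), as before. */
    private static boolean sameOrigin(URL expected, URL actual) {
        return expected.getProtocol().equals(actual.getProtocol())
            && expected.getHost().equals(actual.getHost())
            && effectivePort(expected) == effectivePort(actual);
    }

    /**
     * Port to compare, substituting the scheme default when the URL omits one. Browsers omit
     * default ports in {@code Origin}, so {@code http://h} and {@code http://h:80} must compare equal.
     */
    private static int effectivePort(URL url) {
        int port = url.getPort();
        return port == -1 ? url.getDefaultPort() : port;
    }

    /**
     * Returns the request's CSRF cookie, or a new cookie with the CSRF name and a
     * {@code null} value when the request carries none.
     */
    protected Cookie getCSRFCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return new Cookie(CsrfConstants.CSRF_TOKEN_COOKIE_NAME, (String) null);
        }
        for (Cookie cookie : cookies) {
            if (CsrfConstants.CSRF_TOKEN_COOKIE_NAME.equals(cookie.getName())) {
                return cookie;
            }
        }
        return new Cookie(CsrfConstants.CSRF_TOKEN_COOKIE_NAME, (String) null);
    }

    /** Returns the token header value, or {@code null} if the header is absent. */
    protected String getCSRFTokenHeader(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME);
    }

    /**
     * Ensures the session holds a token. On first contact a fresh token is generated and
     * delivered three ways: session attribute (server-side reference), cookie scoped to the
     * context path, and response header. Nothing is done when the session already has one.
     */
    protected void fetchToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session = httpServletRequest.getSession();
        if (session.getAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME) != null) {
            return;
        }
        String token = generateToken();
        Cookie csrfCookie = getCSRFCookie(httpServletRequest);
        csrfCookie.setValue(token);
        csrfCookie.setPath(httpServletRequest.getContextPath());
        // NOTE(review): neither HttpOnly nor Secure is set on this cookie; presumably it must stay
        // script-readable so the front end can echo it in the header — confirm whether Secure
        // should be set when the request is over TLS.
        session.setAttribute(CsrfConstants.CSRF_TOKEN_SESSION_ATTR_NAME, token);
        httpServletResponse.addCookie(csrfCookie);
        httpServletResponse.setHeader(CsrfConstants.CSRF_TOKEN_HEADER_NAME, token);
    }

    /**
     * A request needs no token if its method is GET/HEAD/OPTIONS, or its path is the built-in
     * login entry point, or its path is one of the configured entry points.
     */
    protected boolean isNonModifyingRequest(HttpServletRequest httpServletRequest) {
        if (NON_MODIFYING_METHODS_PATTERN.matcher(httpServletRequest.getMethod()).matches()) {
            return true;
        }
        String path = getRequestedPath(httpServletRequest);
        return DEFAULT_ENTRY_URL_PATTERN.matcher(path).matches() || this.entryPoints.contains(path);
    }

    /** Servlet path plus path info (when present), i.e. the path relative to the context root. */
    private String getRequestedPath(HttpServletRequest httpServletRequest) {
        String path = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        return pathInfo == null ? path : path + pathInfo;
    }

    /** @return the configured target origin, or {@code null} if the origin check is disabled */
    public URL getTargetOrigin() {
        return this.targetOrigin;
    }

    /**
     * Enables the Origin/Referer check against the given origin.
     *
     * @throws MalformedURLException if {@code str} is not a well-formed URL
     */
    public void setTargetOrigin(String str) throws MalformedURLException {
        this.targetOrigin = new URL(str);
    }

    /** Adds the comma-separated paths in {@code str} to the set of exempt entry points. */
    public void setEntryPoints(String str) {
        this.entryPoints.addAll(parseURLs(str));
    }

    /** Splits a comma-separated list into trimmed, non-empty entries; null/empty input yields an empty set. */
    private Set<String> parseURLs(String str) {
        Set<String> paths = new HashSet<>();
        if (str == null || str.isEmpty()) {
            return paths;
        }
        for (String raw : str.split(",")) {
            String path = raw.trim();
            // An empty entry point would be meaningless at best; never register one.
            if (!path.isEmpty()) {
                paths.add(path);
            }
        }
        return paths;
    }
}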
