package com.enginframe.server.filter;

import com.enginframe.common.utils.Utils;
import com.enginframe.common.utils.log.Log;
import com.enginframe.common.utils.log.LogFactory;
import com.enginframe.server.DownloadServlet;
import com.enginframe.server.webservices.ActiveSessions;
import com.google.common.net.HttpHeaders;
import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* JADX WARN: Classes with same name are omitted:
  input_file:kernel/ef_root/WEBAPP/WEB-INF/lib/ef.jar:com/enginframe/server/filter/CsrfFilter.class
  input_file:kernel/ef_root/agent/agent.jar:com/enginframe/server/filter/CsrfFilter.class
 */
/* loaded from: input_file:com/enginframe/server/filter/CsrfFilter.class */
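/**
 * Servlet filter that rejects cross-site requests.
 *
 * <p>A request is subject to the check when it is an HTTP {@code POST}, carries a {@code _service}
 * or {@code _uri} parameter, or targets the download servlet path; requests to an excluded servlet
 * path ({@code /efws}) and requests bound to a web-service session are never checked. Note that
 * other state-changing methods ({@code PUT}, {@code DELETE}, {@code PATCH}) are not checked by this
 * filter unless they carry one of the parameters above.
 *
 * <p>The same-origin check compares the origin declared by the browser ({@code Origin}, falling
 * back to {@code Referer}) with the configured {@code ef.filter.csrf.targetOrigins} list and, as a
 * fallback, with origins reconstructed from the {@code Host} / {@code X-Forwarded-*} headers of
 * the request itself. Those reconstructed origins are only as trustworthy as the proxy layer that
 * sets the headers, so configuring {@code ef.filter.csrf.targetOrigins} explicitly is the stricter
 * option. A failed check is answered with {@code 403 Forbidden}.
 *
 * <p>Configuration properties (read through {@code Utils.getProperty} in {@link #init}):
 * <ul>
 *   <li>{@code ef.filter.csrf.sameOriginCheck} (default {@code true})</li>
 *   <li>{@code ef.filter.csrf.csrfTokenCheck} (default {@code false}; the token check is not
 *       implemented and rejects every checked request when enabled)</li>
 *   <li>{@code ef.filter.csrf.allowAccessWithNoOrigin} (default {@code false})</li>
 *   <li>{@code ef.filter.csrf.targetOrigins} (comma-separated list of {@code scheme://host[:port]})</li>
 * </ul>
 */
public class CsrfFilter implements Filter {
    /** Request attribute set by the same-origin check when doFilter() must redirect instead of executing the service. */
    private static final String DO_SEND_REDIRECT_ATTR = "ef_csrf_doSendRedirect";
    private static final String _SERVICE_PARAM = "_service";
    private static final String _URI_PARAM = "_uri";
    private static final String SCHEME_SEP = "://";
    private static final char PORT_SEP = ':';
    /** Headers dumped at debug level by {@link #logDumpRequest}. */
    private static final String[] REQUEST_HEADERS = {"Origin", "Referer", "Host", HttpHeaders.X_FORWARDED_HOST, HttpHeaders.X_FORWARDED_PROTO, HttpHeaders.X_FORWARDED_PORT};
    private final Set<String> excludedPaths = new HashSet<>();
    private boolean sameOriginCheckEnabled;
    private boolean csrfTokenCheckEnabled;
    /** Origins from ef.filter.csrf.targetOrigins; unmodifiable once init() has run. */
    private Set<BaseUrlTuple> targetOrigins;
    private boolean allowAccessWithNoOrigin;

    /**
     * Immutable (scheme, host, port) triple identifying a web origin.
     *
     * <p>Equality is case-insensitive on scheme and host; {@link #hashCode()} is case-folded to agree
     * with it.
     */
    public static class BaseUrlTuple {
        private final String scheme;
        private final String host;
        private final int port;

        /**
         * @param scheme URI scheme, trimmed before storing
         * @param host host name or IP literal, trimmed before storing
         * @param port TCP port, must be positive
         * @throws IllegalArgumentException when scheme or host is null or port is not positive
         */
        BaseUrlTuple(String scheme, String host, int port) {
            if (scheme == null || host == null || port <= 0) {
                throw new IllegalArgumentException(String.format("At least one argument is invalid: scheme (%s), host (%s), port (%s)", scheme, host, Integer.valueOf(port)));
            }
            this.scheme = scheme.trim();
            this.host = host.trim();
            this.port = port;
        }

        /**
         * Extracts scheme, host and port from a URI-like string of the form {@code scheme://host[:port][/...]}.
         *
         * <p>When no port is given it is derived from the scheme ({@code http} → 80, {@code https} → 443).
         * Bracketed IPv6 literals ({@code [::1]}) are accepted as host. Any malformed input, including
         * a non-numeric or out-of-range port and an unknown scheme without an explicit port, is
         * reported as {@link URISyntaxException} so that callers can fail closed and log it.
         *
         * @param uri the string to parse
         * @return the parsed tuple
         * @throws IllegalArgumentException when {@code uri} is null
         * @throws URISyntaxException when the string cannot be parsed into a valid tuple
         */
        public static BaseUrlTuple parse(String uri) throws URISyntaxException {
            if (uri == null) {
                throw new IllegalArgumentException("Invalid null string");
            }
            int schemeEnd = uri.indexOf(SCHEME_SEP);
            if (schemeEnd <= 0) {
                throw new URISyntaxException(uri, String.format("Cannot find scheme declaration <scheme>:// in uri (%s)", uri), 0);
            }
            int hostStart = schemeEnd + SCHEME_SEP.length();
            int pathStart = uri.indexOf('/', hostStart);
            // the authority ends at the first '/' after the scheme, or at the end of the string
            int authorityEnd = pathStart > 0 ? pathStart : uri.length();
            if (hostStart >= authorityEnd) {
                throw new URISyntaxException(uri, String.format("Cannot find host in uri (%s)", uri), hostStart);
            }
            String scheme = uri.substring(0, schemeEnd);

            // Locate the optional ":port" suffix. A bracketed IPv6 literal contains colons of its
            // own, so in that case the search starts at the closing bracket.
            int portSep;
            if (uri.charAt(hostStart) == '[') {
                int bracketEnd = uri.indexOf(']', hostStart);
                if (bracketEnd < 0 || bracketEnd >= authorityEnd) {
                    throw new URISyntaxException(uri, String.format("Unterminated IPv6 literal in uri (%s)", uri), hostStart);
                }
                portSep = uri.indexOf(PORT_SEP, bracketEnd);
            } else {
                portSep = uri.indexOf(PORT_SEP, hostStart + 1);
            }
            boolean hasPort = portSep >= 0 && portSep < authorityEnd;

            String host = uri.substring(hostStart, hasPort ? portSep : authorityEnd);
            int port;
            if (hasPort) {
                String portText = uri.substring(portSep + 1, authorityEnd);
                try {
                    port = Integer.parseInt(portText);
                } catch (NumberFormatException e) {
                    URISyntaxException invalidPort = new URISyntaxException(uri, String.format("Invalid port (%s) in uri (%s)", portText, uri), portSep + 1);
                    invalidPort.initCause(e);
                    throw invalidPort;
                }
            } else {
                port = schemeToPort(scheme);
            }
            if (port <= 0 || port > 0xFFFF) {
                throw new URISyntaxException(uri, String.format("Cannot determine a valid port for uri (%s)", uri), hostStart);
            }
            return new BaseUrlTuple(scheme, host, port);
        }

        /**
         * Returns the default port of a scheme.
         *
         * @param scheme scheme name, compared case-insensitively
         * @return 80 for http, 443 for https, -1 otherwise
         */
        static int schemeToPort(String scheme) {
            if ("http".equalsIgnoreCase(scheme)) {
                return 80;
            }
            return "https".equalsIgnoreCase(scheme) ? 443 : -1;
        }

        @Override
        public String toString() {
            return String.format("BaseUrlTuple[ scheme (%s), host (%s), port (%d) ]", this.scheme, this.host, Integer.valueOf(this.port));
        }

        @Override
        public int hashCode() {
            // Case-folded so that tuples that are equal under equalsIgnoreCase() share a hash;
            // Locale.ROOT lower-casing matches equalsIgnoreCase() for ASCII schemes and host names.
            return Objects.hash(this.scheme.toLowerCase(Locale.ROOT), this.host.toLowerCase(Locale.ROOT), Integer.valueOf(this.port));
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof BaseUrlTuple)) {
                return false;
            }
            BaseUrlTuple other = (BaseUrlTuple) obj;
            return this.scheme.equalsIgnoreCase(other.scheme) && this.host.equalsIgnoreCase(other.host) && this.port == other.port;
        }
    }

    /** Signals that a request property (header combination) could not be parsed into a {@link BaseUrlTuple}. */
    public static class ParseRequestPropertyException extends Exception {
        /**
         * @param property description of the request property being parsed, used in the message
         * @param cause the underlying parse failure, kept as the cause
         */
        ParseRequestPropertyException(String property, URISyntaxException cause) {
            super(String.format("Error parsing request %s: %s", property, cause.getMessage()), cause);
        }
    }

    /**
     * Reads the {@code ef.filter.csrf.*} properties and the fixed excluded path, then logs the effective settings.
     *
     * @param filterConfig unused; settings come from {@code Utils.getProperty}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.excludedPaths.add("/efws");
        this.sameOriginCheckEnabled = Boolean.parseBoolean(Utils.getProperty("ef.filter.csrf.sameOriginCheck", "true"));
        this.csrfTokenCheckEnabled = Boolean.parseBoolean(Utils.getProperty("ef.filter.csrf.csrfTokenCheck", "false"));
        this.allowAccessWithNoOrigin = Boolean.parseBoolean(Utils.getProperty("ef.filter.csrf.allowAccessWithNoOrigin", "false"));
        this.targetOrigins = Collections.unmodifiableSet(parseTargetOriginList(Utils.getProperty("ef.filter.csrf.targetOrigins")));
        getLog().info(String.format("Initialization parameters: \n\texcluded paths (%s)\n\tef.filter.csrf.sameOriginCheck (%s)\n\tef.filter.csrf.csrfTokenCheck (%s)\n\tef.filter.csrf.targetOrigins (%s)\n\tef.filter.csrf.allowAccessWithNoOrigin (%s)", this.excludedPaths, Boolean.valueOf(this.sameOriginCheckEnabled), Boolean.valueOf(this.csrfTokenCheckEnabled), this.targetOrigins, Boolean.valueOf(this.allowAccessWithNoOrigin)));
    }

    /**
     * Parses a comma-separated list of {@code scheme://host[:port]} entries.
     *
     * <p>Blank entries are skipped; entries that fail to parse are logged and dropped rather than
     * aborting initialization.
     *
     * @param list the raw property value, may be null or empty
     * @return the parsed origins in declaration order (never null)
     */
    private Set<BaseUrlTuple> parseTargetOriginList(String list) {
        Set<BaseUrlTuple> origins = new LinkedHashSet<>();
        if (Utils.isVoid(list)) {
            return origins;
        }
        for (String entry : list.trim().split(" *, *")) {
            // only non-blank entries are candidates; a blank one could never parse anyway
            if (Utils.isVoid(entry)) {
                continue;
            }
            try {
                origins.add(BaseUrlTuple.parse(entry));
            } catch (URISyntaxException e) {
                getLog().error("Error parsing the targetOrigins configuration parameter: " + e.getMessage());
            }
        }
        return origins;
    }

    /**
     * Runs the CSRF checks on requests that require them.
     *
     * <p>A failed check answers {@code 403}. A request flagged with {@link #DO_SEND_REDIRECT_ATTR}
     * is redirected to its own request URI (path only, so the query string and any
     * {@code _service}/{@code _uri} parameter are dropped). Every other request continues down the chain.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (isCsrfCheckEnabled() && isCsrfCheckRequired(servletRequest)) {
            // isCsrfCheckRequired() returned true only for an HttpServletRequest, so the cast is safe
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            HttpServletResponse response = (HttpServletResponse) servletResponse;
            if (!passCsrfCheck(request)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            if (request.getAttribute(DO_SEND_REDIRECT_ATTR) != null) {
                response.sendRedirect(request.getRequestURI());
                return;
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Decides whether a request must pass the CSRF checks.
     *
     * @return false for non-HTTP requests, excluded paths and web-service sessions; otherwise true
     *         for POST requests, service requests and download requests
     */
    private boolean isCsrfCheckRequired(ServletRequest servletRequest) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return false;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (isExcludedPath(request) || isWsSession(request)) {
            return false;
        }
        return "POST".equals(request.getMethod()) || isServiceRequired(request) || isDownloadRequired(request);
    }

    /** True when the request belongs to an existing session marked as a web-service session. */
    private boolean isWsSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(ActiveSessions.SESSION_ATTRIBUTE_WS_SESSION) != null;
    }

    /** True when the request carries a {@code _uri} or {@code _service} parameter (i.e. asks to run a service). */
    private boolean isServiceRequired(HttpServletRequest request) {
        return request.getParameter(_URI_PARAM) != null || request.getParameter(_SERVICE_PARAM) != null;
    }

    /** True when the request targets the download servlet path. */
    private boolean isDownloadRequired(HttpServletRequest request) {
        return DownloadServlet.DEFAULT_DOWNLOAD_SERVLET_PATH.equals(request.getServletPath());
    }

    /**
     * Runs every enabled check; the token check is only consulted when the same-origin check passed.
     *
     * @return true when all enabled checks pass
     */
    private boolean passCsrfCheck(HttpServletRequest request) {
        boolean passed = true;
        if (this.sameOriginCheckEnabled) {
            passed = passSameOriginCheck(request);
        }
        if (passed && this.csrfTokenCheckEnabled) {
            passed = passCsrfTokenCheck(request);
        }
        return passed;
    }

    /** True when at least one check is enabled; otherwise the filter is a pass-through. */
    private boolean isCsrfCheckEnabled() {
        return this.sameOriginCheckEnabled || this.csrfTokenCheckEnabled;
    }

    /**
     * Compares the request's source origin with the allowed target origins.
     *
     * <p>Outcome by case:
     * <ul>
     *   <li>no Origin/Referer on a plain GET (not a download): allowed; unless
     *       {@code allowAccessWithNoOrigin} is set the request is flagged for a redirect that
     *       strips the query string, so no service runs from it</li>
     *   <li>no Origin/Referer on any other checked request: rejected</li>
     *   <li>unparsable Origin/Referer: rejected (fail closed)</li>
     *   <li>source origin equal to a configured target origin, or to one reconstructed from the
     *       request headers: allowed</li>
     *   <li>otherwise: rejected</li>
     * </ul>
     *
     * @return true when the request may proceed
     */
    private boolean passSameOriginCheck(HttpServletRequest request) {
        logDumpRequest(request);
        BaseUrlTuple sourceOrigin;
        try {
            sourceOrigin = getSourceOrigin(request);
        } catch (ParseRequestPropertyException e) {
            getLog().error("Error retrieving sourceOrigin from request. " + e.getMessage());
            return false;
        }
        if (sourceOrigin == null) {
            return handleMissingSourceOrigin(request);
        }

        BaseUrlTuple configuredMatch = findMatch(sourceOrigin, this.targetOrigins);
        if (configuredMatch != null) {
            if (getLog().isDebugEnabled()) {
                getLog().debug(String.format("CSRF Filter Ok - HttpServletRequest(%s), sourceOrigin matches configured targetOrigin (%s)", commonForLog(request), configuredMatch));
            }
            return true;
        }

        Set<BaseUrlTuple> candidates = getTargetOriginCandidates(request);
        BaseUrlTuple requestMatch = findMatch(sourceOrigin, candidates);
        if (requestMatch != null) {
            if (getLog().isDebugEnabled()) {
                getLog().debug(String.format("CSRF Filter Ok - HttpServletRequest(%s), sourceOrigin matches request targetOrigin (%s)", commonForLog(request), requestMatch));
            }
            return true;
        }

        if (getLog().isWarnEnabled()) {
            getLog().warn(String.format("CSRF Filter Failed - HttpServletRequest(%s), sourceOrigin (%s) doesn't match neither configured targetOrigins (%s) nor targetOrigins from request (%s)", commonForLog(request), sourceOrigin, this.targetOrigins, candidates));
        }
        return false;
    }

    /**
     * Handles a checked request that carries neither Origin nor Referer.
     *
     * @return true only for a GET that is not a download; such a request is additionally flagged
     *         for a query-stripping redirect unless {@code allowAccessWithNoOrigin} is set
     */
    private boolean handleMissingSourceOrigin(HttpServletRequest request) {
        boolean plainGet = "GET".equals(request.getMethod()) && !isDownloadRequired(request);
        if (!plainGet) {
            if (getLog().isWarnEnabled()) {
                getLog().warn(String.format("CSRF Filter Failed - HttpServletRequest(%s), sourceOrigin (null)", commonForLog(request)));
            }
            return false;
        }
        boolean redirect = !this.allowAccessWithNoOrigin;
        if (redirect) {
            // doFilter() turns this into a redirect to the bare request URI, dropping _service/_uri
            request.setAttribute(DO_SEND_REDIRECT_ATTR, true);
        }
        if (getLog().isDebugEnabled()) {
            getLog().debug(String.format("CSRF Filter Ok %s- HttpServletRequest(%s), sourceOrigin (null), redirect (%s)", redirect ? "with no service " : "", commonForLog(request), Boolean.valueOf(redirect)));
        }
        return true;
    }

    /**
     * Returns the first element of {@code targets} equal to {@code sourceOrigin}, or null.
     *
     * <p>Iterates rather than using {@code contains} so the matching element can be logged.
     */
    private static BaseUrlTuple findMatch(BaseUrlTuple sourceOrigin, Set<BaseUrlTuple> targets) {
        for (BaseUrlTuple target : targets) {
            if (sourceOrigin.equals(target)) {
                return target;
            }
        }
        return null;
    }

    /** Dumps method, URI, scheme, servlet path and the origin-related headers at debug level. */
    private void logDumpRequest(HttpServletRequest request) {
        if (getLog().isDebugEnabled()) {
            getLog().debug(String.format("HttpServletRequest( %s\nscheme (%s), servletPath (%s)\nHeaders(%s) )", commonForLog(request), request.getScheme(), request.getServletPath(), headers2String(request)));
        }
    }

    /** Formats "METHOD URI [ ? query]" for log messages. */
    private String commonForLog(HttpServletRequest request) {
        String query = request.getQueryString();
        return String.format("%s %s%s", request.getMethod(), request.getRequestURI(), query != null ? " ? " + query : "");
    }

    /** Formats the {@link #REQUEST_HEADERS} as " name (value), name (value) " for the debug dump. */
    private String headers2String(HttpServletRequest request) {
        StringBuilder sb = new StringBuilder();
        for (String name : REQUEST_HEADERS) {
            sb.append(String.format(" %s (%s),", name, request.getHeader(name)));
        }
        // REQUEST_HEADERS is non-empty, so there is always a trailing comma to turn into a space
        sb.setCharAt(sb.length() - 1, ' ');
        return sb.toString();
    }

    /**
     * Reconstructs the origins this server may be reachable at from the request's own headers.
     *
     * <p>Candidates, in order: request scheme + {@code Host}; when {@code X-Forwarded-Host} is
     * absent but {@code X-Forwarded-Proto} is present, that proto + {@code Host} with the port
     * replaced by {@code X-Forwarded-Port} when given; and {@code X-Forwarded-Proto} +
     * {@code X-Forwarded-Host} when both are present. A candidate that fails to parse is logged
     * and skipped. These values are forgeable by whoever can set request headers, so they are a
     * fallback behind the configured target origins.
     *
     * @return the candidates in that order (never null)
     */
    private Set<BaseUrlTuple> getTargetOriginCandidates(HttpServletRequest request) {
        Set<BaseUrlTuple> candidates = new LinkedHashSet<>();
        String host = request.getHeader("host");
        String forwardedHost = request.getHeader("x-forwarded-host");
        String scheme = request.getScheme();
        String forwardedProto = request.getHeader("x-forwarded-proto");
        String forwardedPort = request.getHeader("x-forwarded-port");
        if (host != null) {
            try {
                candidates.add(parseUrlTuple(scheme + SCHEME_SEP + host, "scheme + Host header"));
                if (forwardedHost == null && forwardedProto != null) {
                    String forwardedAuthority = host;
                    if (forwardedPort != null) {
                        // swap any port carried by Host for the one the proxy reports
                        int portSep = host.indexOf(PORT_SEP);
                        forwardedAuthority = (portSep > 0 ? host.substring(0, portSep) : host) + PORT_SEP + forwardedPort;
                    }
                    candidates.add(parseUrlTuple(forwardedProto + SCHEME_SEP + forwardedAuthority, "headers X-Forwarded-Proto + Host" + (forwardedPort != null ? " + X-Forwarded-Port" : "")));
                }
            } catch (ParseRequestPropertyException e) {
                getLog().error("Error retrieving targetOrigins from request. " + e.getMessage());
            }
        }
        if (forwardedHost != null && forwardedProto != null) {
            try {
                candidates.add(parseUrlTuple(forwardedProto + SCHEME_SEP + forwardedHost, "headers X-Forwarded-Proto + X-Forwarded-Host"));
            } catch (ParseRequestPropertyException e) {
                getLog().error("Error retrieving targetOrigins from request. " + e.getMessage());
            }
        }
        return candidates;
    }

    /**
     * Reads the origin the browser declares for the request.
     *
     * @return the parsed {@code Origin} header, else the parsed {@code Referer} header, else null
     *         when neither is present or both are blank
     * @throws ParseRequestPropertyException when the header that was chosen cannot be parsed
     */
    private BaseUrlTuple getSourceOrigin(HttpServletRequest request) throws ParseRequestPropertyException {
        String origin = request.getHeader("Origin");
        if (!Utils.isVoid(origin)) {
            return parseUrlTuple(origin, "header Origin");
        }
        String referer = request.getHeader("Referer");
        if (!Utils.isVoid(referer)) {
            return parseUrlTuple(referer, "header Referer");
        }
        return null;
    }

    /**
     * Parses {@code value} into a tuple, translating parse failures into the filter's checked exception.
     *
     * @param value the URI-like string
     * @param property description of where the value came from, for the error message
     */
    private BaseUrlTuple parseUrlTuple(String value, String property) throws ParseRequestPropertyException {
        try {
            return BaseUrlTuple.parse(value);
        } catch (URISyntaxException e) {
            throw new ParseRequestPropertyException(property, e);
        }
    }

    /**
     * Placeholder for the CSRF token check.
     *
     * @return always false, so enabling {@code ef.filter.csrf.csrfTokenCheck} rejects every checked request
     */
    private boolean passCsrfTokenCheck(ServletRequest servletRequest) {
        getLog().error("CSRF token check hasn't been implemented yet!");
        return false;
    }

    /** True when the request's servlet path is one of the excluded paths. */
    private boolean isExcludedPath(HttpServletRequest request) {
        return this.excludedPaths.contains(request.getServletPath());
    }

    @Override
    public void destroy() {
        this.excludedPaths.clear();
    }

    private Log getLog() {
        return LogFactory.getLog(getClass());
    }
}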
