package com.adobe.granite.csrf.impl;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.oauth.jwt.JwsBuilderFactory;
import com.adobe.granite.oauth.jwt.JwsValidator;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.oltu.oauth2.jwt.ClaimsSet;
import org.apache.oltu.oauth2.jwt.JWT;
import org.apache.oltu.oauth2.jwt.io.JWTReader;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service({Filter.class})
@Component(metatype = true, description = "Request filter checking the CSRF token of modification requests.", label = "Adobe Granite CSRF Filter")
@Properties({@Property(name = "sling.filter.scope", value = {"request", "forward", "include"}, propertyPrivate = true), @Property(name = "service.ranking", intValue = {25000}, propertyPrivate = true)})
/* loaded from: input_file:com/adobe/granite/csrf/impl/CSRFFilter.class */
public class CSRFFilter implements Filter {
    private static final String USER_AGENT = "User-Agent";
    private final Logger logger = LoggerFactory.getLogger(CSRFFilter.class);
    private static final String JWT_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.";

    @Property(label = "Filter Methods", description = "These methods are checked by the filter.", unbounded = PropertyUnbounded.ARRAY, value = {"POST", "PUT", "DELETE"})
    private static final String PROP_METHODS = "filter.methods";

    @Property(label = "Filter non-browser User Agents", description = "If this setting is enabled, browser and not browser agents will be checked by the filter. If this setting is disabled, only browsers will be checked, non-browser clients will not be checked by the filter. The Safe User Agents will never be checked regardless of this setting.", boolValue = {true})
    private static final String PROP_ENABLE_SAFE_USER_AGENTS = "filter.enable.safe.user.agents";

    @Property(label = "Safe User Agents", description = "These safe User Agents are not checked by the filter.", unbounded = PropertyUnbounded.ARRAY, value = {})
    private static final String PROP_SAFE_USER_AGENTS = "filter.safe.user.agents";

    @Property(label = "Excluded Paths", description = "These paths are excluded by the filter. Each entry is of the form 'path'. ", unbounded = PropertyUnbounded.ARRAY, value = {""})
    private static final String PROP_EXCLUDED_PATHS = "filter.excluded.paths";
    private static final String[] BuiltinExcludedPaths = {"/bin/unifiedshell/discovery"};
    private Set<String> filterMethodsSet;
    private Set<String> excludedPaths;
    private boolean enableSafeUserAgents;
    private Set<String> safeUserAgentsSet;
    private String[] safeUserAgentsPfx;

    @Reference
    private JwsBuilderFactory jwsBuilderFactory;

    @Reference
    private JwsValidator jwsValidator;

    @Modified
    @Activate
    private void activate(Map<String, Object> map) {
        String[] stringArray = PropertiesUtil.toStringArray(map.get(PROP_METHODS), new String[0]);
        HashSet hashSet = new HashSet();
        for (String str : stringArray) {
            String upperCase = str.trim().toUpperCase();
            if (upperCase.length() > 0) {
                hashSet.add(upperCase);
            }
        }
        this.filterMethodsSet = hashSet.isEmpty() ? Collections.emptySet() : hashSet;
        this.enableSafeUserAgents = PropertiesUtil.toBoolean(map.get(PROP_ENABLE_SAFE_USER_AGENTS), true);
        String[] stringArray2 = PropertiesUtil.toStringArray(map.get(PROP_SAFE_USER_AGENTS), new String[0]);
        HashSet hashSet2 = new HashSet();
        ArrayList arrayList = new ArrayList();
        for (String str2 : stringArray2) {
            String trim = str2.trim();
            if (trim.length() > 0) {
                int indexOf = trim.indexOf(42);
                if (indexOf < 0) {
                    hashSet2.add(trim);
                } else if (indexOf > 0) {
                    arrayList.add(trim.substring(0, indexOf));
                } else {
                    this.logger.info("catch-all wildcard for safe user agents not allowed.");
                }
            }
        }
        this.safeUserAgentsSet = hashSet2.isEmpty() ? Collections.emptySet() : hashSet2;
        this.safeUserAgentsPfx = (String[]) arrayList.toArray(new String[arrayList.size()]);
        this.excludedPaths = new HashSet(Arrays.asList(PropertiesUtil.toStringArray(map.get(PROP_EXCLUDED_PATHS))));
        this.excludedPaths.addAll(Arrays.asList(BuiltinExcludedPaths));
        this.logger.info("Initialized. methods: {}, user-agents: {}, user-agents-pfx {}, excluded paths: {}", new Object[]{this.filterMethodsSet, this.safeUserAgentsSet, arrayList, this.excludedPaths});
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        if (httpServletRequest.getAuthType() == null || !isFilteredMethod(httpServletRequest) || !doFilterBasedOnUserAgent(httpServletRequest) || isExcludedPath(httpServletRequest) || isValidRequest(httpServletRequest)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            this.logger.info("doFilter: the provided CSRF token is invalid");
            ((HttpServletResponse) servletResponse).sendError(403);
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }

    protected boolean isValidRequest(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(CSRFConstants.CSRF_TOKEN);
        if (StringUtils.isBlank(parameter)) {
            parameter = httpServletRequest.getHeader(CSRFConstants.CSRF_TOKEN_HEADER);
            if (StringUtils.isBlank(parameter)) {
                this.logger.info("isValidRequest: empty CSRF token - rejecting");
                return false;
            }
        }
        String[] split = parameter.split("\\.");
        if (ArrayUtils.getLength(split) != 2) {
            this.logger.info("isValidRequest: not well formed CSRF token - rejecting");
            return false;
        }
        try {
            String remoteUser = httpServletRequest.getRemoteUser();
            ClaimsSet claimsSet = ((JWT) new JWTReader().read(JWT_HEADER + parameter)).getClaimsSet();
            String build = this.jwsBuilderFactory.getInstance("HS256").setSubject(remoteUser).setExpiresIn(claimsSet.getExpirationTime() - claimsSet.getIssuedAt()).setIssuedAt(claimsSet.getIssuedAt()).setCustomClaimsSetField("scope", CSRFConstants.CSRF_TOKEN_VALUE).build();
            if (this.jwsValidator.validate(build)) {
                return ((JWT) new JWTReader().read(build)).getSignature().equals(split[1]);
            }
            this.logger.info("isValidRequest: the CSRF token is expired");
            return false;
        } catch (CryptoException e) {
            this.logger.error("isValidRequest: failed to generate CSRF token on validation", e);
            return false;
        }
    }

    protected boolean isFilteredMethod(HttpServletRequest httpServletRequest) {
        return this.filterMethodsSet.contains(httpServletRequest.getMethod());
    }

    protected boolean isSafeUserAgent(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(USER_AGENT);
        if (header == null) {
            this.logger.info("isSafeUserAgent: empty user agent - rejecting");
            return false;
        }
        if (this.safeUserAgentsSet.contains(header)) {
            return true;
        }
        for (String str : this.safeUserAgentsPfx) {
            if (header.startsWith(str)) {
                return true;
            }
        }
        return false;
    }

    private boolean isExcludedPath(HttpServletRequest httpServletRequest) {
        return this.excludedPaths.contains(((SlingHttpServletRequest) httpServletRequest).getResource().getPath());
    }

    protected boolean doFilterBasedOnUserAgent(HttpServletRequest httpServletRequest) {
        return this.enableSafeUserAgents ? !isSafeUserAgent(httpServletRequest) : AuthUtil.isBrowserRequest(httpServletRequest) && !isSafeUserAgent(httpServletRequest);
    }

    protected void bindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        this.jwsBuilderFactory = jwsBuilderFactory;
    }

    protected void unbindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        if (this.jwsBuilderFactory == jwsBuilderFactory) {
            this.jwsBuilderFactory = null;
        }
    }

    protected void bindJwsValidator(JwsValidator jwsValidator) {
        this.jwsValidator = jwsValidator;
    }

    protected void unbindJwsValidator(JwsValidator jwsValidator) {
        if (this.jwsValidator == jwsValidator) {
            this.jwsValidator = null;
        }
    }
}
