package org.terasoluna.gfw.web.token.csrf;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.util.WebUtils;
import org.terasoluna.gfw.web.token.TokenStringGenerator;
import org.terasoluna.gfw.web.util.RequestUtils;

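/**
 * Spring MVC interceptor that enforces a synchronizer-token CSRF check.
 * <p>
 * On requests whose HTTP method is in the configured validation set (and, optionally,
 * on AJAX requests) the token received via the {@value #CSRF_REQUEST_PARAMETER} parameter
 * or the {@value #CSRF_HEADER_NAME} header is compared with the token held in the
 * {@link CSRFTokenStore}. A mismatch invalidates the session and raises
 * {@link InvalidCSRFTokenException}. After the handler runs, the current session token is
 * made available as a request attribute and echoed in the {@value #CSRF_HEADER_NAME}
 * response header so views and AJAX clients can send it back.
 * <p>
 * Thread-safety: the interceptor itself is immutable after construction; token creation is
 * serialized per session on the session mutex (see {@link #postHandle}).
 *
 * @deprecated retained for compatibility with existing configurations; prefer the current
 *             CSRF protection mechanism of the framework.
 */
@Deprecated
/* loaded from: input_file:WEB-INF/lib/terasoluna-gfw-web-1.0.0-20130917.043459-66.jar:org/terasoluna/gfw/web/token/csrf/CSRFTokenIntercepter.class */
public class CSRFTokenIntercepter extends HandlerInterceptorAdapter {
    private static final Logger logger = LoggerFactory.getLogger(CSRFTokenIntercepter.class);

    /** Request parameter name the token is read from (form submissions). */
    public static final String CSRF_REQUEST_PARAMETER = "_CSRF_TOKEN";

    /** Header name the token is read from (AJAX) and written to on every response. */
    public static final String CSRF_HEADER_NAME = "X-CSRF-Token";

    /**
     * Request attribute under which the {@link CSRFToken} for the current request is published.
     * NOTE(review): the value uses {@code Class.toString()} ("class org...") rather than
     * {@code getName()}; it is kept as-is because it is the key other components look up.
     */
    public static final String CSRF_REQUEST_ATTRIBUTE = CSRFTokenIntercepter.class + ".CSRF_TOKEN";

    /** Methods validated by default: every state-changing method, never GET/HEAD/OPTIONS. */
    public static final HttpMethod[] DEFAULT_METHODS = {HttpMethod.POST, HttpMethod.PUT, HttpMethod.DELETE, HttpMethod.PATCH};

    /** Default for the "validate AJAX requests" flag. */
    public static final boolean AJAX = true;

    // HTTP methods for which the token must be present and match.
    private final Set<HttpMethod> validateMethod;
    // When false, requests recognised as AJAX by RequestUtils are skipped entirely.
    private final boolean validateAjax;
    // Where the per-session token is kept.
    private final CSRFTokenStore tokenStore;
    // Source of new token strings.
    private final TokenStringGenerator tokenStringGenerator;

    /**
     * Creates an interceptor validating {@link #DEFAULT_METHODS} and AJAX requests, storing the
     * token in the HTTP session.
     */
    public CSRFTokenIntercepter() {
        this(DEFAULT_METHODS, true, (CSRFTokenStore) new HttpSessionCSRFTokenStore(), new TokenStringGenerator());
    }

    /**
     * Creates an interceptor from HTTP method names (case-insensitive, e.g. {@code "post"}).
     *
     * @param methodNames names of the methods to validate
     * @param validateAjax whether AJAX requests are validated as well
     * @param tokenStore store holding the expected token
     * @param tokenStringGenerator generator used when no token is stored yet
     * @throws IllegalArgumentException if a name is not a known {@link HttpMethod}
     */
    public CSRFTokenIntercepter(String[] methodNames, boolean validateAjax, CSRFTokenStore tokenStore, TokenStringGenerator tokenStringGenerator) {
        Set<HttpMethod> methods = new HashSet<HttpMethod>();
        for (String name : methodNames) {
            try {
                // Locale.ROOT: locale-sensitive upper-casing (e.g. Turkish "i") would turn
                // "delete"/"patch" into names that no longer resolve.
                methods.add(HttpMethod.valueOf(name.toUpperCase(Locale.ROOT)));
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException(name + " is not found.", e);
            }
        }
        this.validateMethod = methods;
        this.validateAjax = validateAjax;
        this.tokenStore = tokenStore;
        this.tokenStringGenerator = tokenStringGenerator;
    }

    /**
     * Creates an interceptor from {@link HttpMethod} values.
     *
     * @param methods the methods to validate
     * @param validateAjax whether AJAX requests are validated as well
     * @param tokenStore store holding the expected token
     * @param tokenStringGenerator generator used when no token is stored yet
     */
    public CSRFTokenIntercepter(HttpMethod[] methods, boolean validateAjax, CSRFTokenStore tokenStore, TokenStringGenerator tokenStringGenerator) {
        this.validateMethod = new HashSet<HttpMethod>(Arrays.asList(methods));
        this.validateAjax = validateAjax;
        this.tokenStore = tokenStore;
        this.tokenStringGenerator = tokenStringGenerator;
    }

    /**
     * Validates the received token before the handler runs.
     * <p>
     * Requests not selected by {@link #needValidate} pass through. On a valid token the
     * received {@link CSRFToken} is stored under {@link #CSRF_REQUEST_ATTRIBUTE}; otherwise
     * {@link #processCsrfTokenError} is invoked and the handler is not executed.
     *
     * @return {@code true} to continue with the handler, {@code false} after a token error
     * @throws Exception propagated from {@link #processCsrfTokenError}
     *         (by default an {@link InvalidCSRFTokenException})
     */
    @Override // org.springframework.web.servlet.handler.HandlerInterceptorAdapter, org.springframework.web.servlet.HandlerInterceptor
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        if (!needValidate(httpServletRequest)) {
            return true;
        }
        CSRFToken receivedToken = createReceivedToken(httpServletRequest);
        if (validateToken(receivedToken, this.tokenStore.getStoredTokenStr())) {
            httpServletRequest.setAttribute(CSRF_REQUEST_ATTRIBUTE, receivedToken);
            return true;
        }
        processCsrfTokenError(httpServletRequest, httpServletResponse);
        // Fail closed: the default processCsrfTokenError throws, but a subclass override that
        // writes an error response and returns normally must still stop the handler.
        return false;
    }

    /**
     * Ensures a token exists for the session and publishes it to the view and the client.
     * <p>
     * If no token was validated on this request, the stored token is used, or a new one is
     * generated under the session mutex (double-checked so concurrent first requests of the
     * same session agree on one token). The token is then placed under
     * {@link #CSRF_REQUEST_ATTRIBUTE} and sent in the {@link #CSRF_HEADER_NAME} header.
     * Note that this creates a session if none exists yet ({@code getSession(true)}).
     */
    @Override // org.springframework.web.servlet.handler.HandlerInterceptorAdapter, org.springframework.web.servlet.HandlerInterceptor
    public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj, ModelAndView modelAndView) throws Exception {
        if (httpServletRequest.getAttribute(CSRF_REQUEST_ATTRIBUTE) == null) {
            String storedTokenStr = this.tokenStore.getStoredTokenStr();
            if (storedTokenStr == null || storedTokenStr.isEmpty()) {
                HttpSession session = httpServletRequest.getSession(true);
                synchronized (WebUtils.getSessionMutex(session)) {
                    // Re-read under the lock: another request may have stored one meanwhile.
                    storedTokenStr = this.tokenStore.getStoredTokenStr();
                    if (storedTokenStr == null || storedTokenStr.isEmpty()) {
                        storedTokenStr = this.tokenStringGenerator.generate(session.getId());
                        this.tokenStore.store(storedTokenStr);
                    }
                }
            }
            httpServletRequest.setAttribute(CSRF_REQUEST_ATTRIBUTE, new CSRFToken(storedTokenStr));
        }
        CSRFToken currentToken = (CSRFToken) httpServletRequest.getAttribute(CSRF_REQUEST_ATTRIBUTE);
        if (currentToken != null) {
            httpServletResponse.setHeader(CSRF_HEADER_NAME, currentToken.getTokenStr());
        }
    }

    /**
     * Handles a missing or mismatching token: logs the event, invalidates any existing
     * session (discarding the stored token) and throws {@link InvalidCSRFTokenException}.
     * Overrides that return normally cause {@link #preHandle} to return {@code false}.
     *
     * @throws InvalidCSRFTokenException always, in the default implementation
     */
    protected void processCsrfTokenError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        logger.info("CSRF Attack detected");
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            try {
                session.invalidate();
            } catch (IllegalStateException e) {
                logger.info("session is already invalidated", (Throwable) e);
            }
        }
        throw new InvalidCSRFTokenException();
    }

    /**
     * Decides whether the current request is subject to token validation.
     * <p>
     * AJAX requests are skipped when {@code validateAjax} is {@code false}; otherwise the
     * request method must be in the configured set. A method name that is not a known
     * {@link HttpMethod} makes {@code HttpMethod.valueOf} throw
     * {@link IllegalArgumentException}, i.e. such requests fail rather than bypass the check.
     *
     * @return {@code true} if the token must be validated
     */
    protected boolean needValidate(HttpServletRequest httpServletRequest) {
        if (isAjaxRequest(httpServletRequest) && !this.validateAjax) {
            return false;
        }
        return this.validateMethod.contains(HttpMethod.valueOf(httpServletRequest.getMethod()));
    }

    /**
     * Delegates AJAX detection to {@link RequestUtils#isAjaxRequest}.
     */
    protected boolean isAjaxRequest(HttpServletRequest httpServletRequest) {
        return RequestUtils.isAjaxRequest(httpServletRequest);
    }

    /**
     * Reads the token sent by the client: the {@link #CSRF_REQUEST_PARAMETER} parameter first,
     * falling back to the {@link #CSRF_HEADER_NAME} header when the parameter is absent or empty.
     *
     * @return a token whose string may be {@code null} when the client sent nothing
     */
    protected CSRFToken createReceivedToken(HttpServletRequest httpServletRequest) {
        String tokenStr = httpServletRequest.getParameter(CSRF_REQUEST_PARAMETER);
        if (tokenStr == null || tokenStr.isEmpty()) {
            tokenStr = httpServletRequest.getHeader(CSRF_HEADER_NAME);
        }
        return new CSRFToken(tokenStr);
    }

    /**
     * Compares the received token with the stored one.
     * <p>
     * Both values must be non-null and non-empty; otherwise the request is rejected. The
     * comparison is constant-time for equal-length inputs so that response timing does not
     * reveal how many leading characters of the stored token were guessed correctly.
     *
     * @param cSRFToken token received from the client, may be {@code null}
     * @param str expected token from the store, may be {@code null}
     * @return {@code true} only if both are present and identical
     */
    protected boolean validateToken(CSRFToken cSRFToken, String str) {
        if (cSRFToken == null || str == null || str.isEmpty()) {
            return false;
        }
        String received = cSRFToken.getTokenStr();
        if (received == null || received.isEmpty()) {
            return false;
        }
        return constantTimeEquals(str, received);
    }

    /**
     * Character-wise comparison whose running time depends only on the length of the inputs,
     * not on where they first differ. Equivalent in result to {@link String#equals}.
     */
    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}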
