package org.apache.archiva.redback.rest.services.interceptors;

import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authentication.InvalidTokenException;
import org.apache.archiva.redback.authentication.TokenData;
import org.apache.archiva.redback.authentication.TokenManager;
import org.apache.archiva.redback.configuration.UserConfiguration;
import org.apache.archiva.redback.configuration.UserConfigurationKeys;
import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
import org.apache.archiva.redback.policy.AccountLockedException;
import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.users.User;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

@Provider
@Service("requestValidationInterceptor#rest")
/* loaded from: input_file:WEB-INF/lib/redback-rest-services-2.6.2.jar:org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor.class */
public class RequestValidationInterceptor extends AbstractInterceptor implements ContainerRequestFilter {
    private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";
    private static final String X_FORWARDED_HOST = "X-Forwarded-Host";
    private static final String X_XSRF_TOKEN = "X-XSRF-TOKEN";
    private static final String ORIGIN = "Origin";
    private static final String REFERER = "Referer";
    private static final int DEFAULT_HTTP = 80;
    private static final int DEFAULT_HTTPS = 443;
    private final Logger log = LoggerFactory.getLogger(getClass());
    private boolean enabled = true;
    private boolean checkToken = true;
    private boolean useStaticUrl = false;
    private boolean denyAbsentHeaders = true;
    private List<URL> baseUrl = new ArrayList();
    private HttpServletRequest httpRequest = null;

    @Inject
    @Named("httpAuthenticator#basic")
    private HttpBasicAuthentication httpAuthenticator;

    @Inject
    @Named("tokenManager#default")
    TokenManager tokenManager;
    private UserConfiguration config;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/redback-rest-services-2.6.2.jar:org/apache/archiva/redback/rest/services/interceptors/RequestValidationInterceptor$HeaderValidationInfo.class */
    public class HeaderValidationInfo {
        static final int UNKNOWN = -1;
        static final int OK = 0;
        static final int F_REFERER_HOST = 1;
        static final int F_REFERER_PORT = 2;
        static final int F_ORIGIN_HOST = 8;
        static final int F_ORIGIN_PORT = 16;
        static final int F_ORIGIN_PROTOCOL = 32;
        URL targetUrl;
        URL originUrl;
        URL refererUrl;
        String targetHost;
        String originHost;
        String refererHost;
        int targetPort;
        int originPort;
        int refererPort;
        boolean headerFound = false;
        int status = -1;

        public HeaderValidationInfo(URL url) {
            setTargetUrl(url);
        }

        public URL getTargetUrl() {
            return this.targetUrl;
        }

        public void setTargetUrl(URL url) {
            this.targetUrl = url;
            this.targetHost = RequestValidationInterceptor.this.getHost(url);
            this.targetPort = RequestValidationInterceptor.this.getPort(url);
        }

        public URL getOriginUrl() {
            return this.originUrl;
        }

        public void setOriginUrl(URL url) {
            this.originUrl = url;
            this.originHost = RequestValidationInterceptor.this.getHost(url);
            this.originPort = RequestValidationInterceptor.this.getPort(url);
            checkOrigin();
            this.headerFound = true;
        }

        public URL getRefererUrl() {
            return this.refererUrl;
        }

        public void setRefererUrl(URL url) {
            this.refererUrl = url;
            this.refererHost = RequestValidationInterceptor.this.getHost(url);
            this.refererPort = RequestValidationInterceptor.this.getPort(url);
            checkReferer();
            this.headerFound = true;
        }

        public String getTargetHost() {
            return this.targetHost;
        }

        public void setTargetHost(String str) {
            this.targetHost = str;
        }

        public String getOriginHost() {
            return this.originHost;
        }

        public void setOriginHost(String str) {
            this.originHost = str;
        }

        public String getRefererHost() {
            return this.refererHost;
        }

        public void setRefererHost(String str) {
            this.refererHost = str;
        }

        public int getTargetPort() {
            return this.targetPort;
        }

        public void setTargetPort(int i) {
            this.targetPort = i;
        }

        public int getOriginPort() {
            return this.originPort;
        }

        public void setOriginPort(int i) {
            this.originPort = i;
        }

        public int getRefererPort() {
            return this.refererPort;
        }

        public void setRefererPort(int i) {
            this.refererPort = i;
        }

        public void setStatus(int i) {
            this.status |= i;
        }

        public int getStatus() {
            return this.status;
        }

        public void checkOrigin() {
            if (getStatus() == -1) {
                this.status = 0;
            }
            if (!this.targetUrl.getProtocol().equals(this.originUrl.getProtocol())) {
                setStatus(32);
            }
            if (!this.targetHost.equals(this.originHost)) {
                setStatus(8);
            }
            if (this.targetPort != this.originPort) {
                setStatus(16);
            }
        }

        public void checkReferer() {
            if (getStatus() == -1) {
                this.status = 0;
            }
            if (!this.targetHost.equals(this.refererHost)) {
                setStatus(1);
            }
            if (this.targetPort != this.refererPort) {
                setStatus(2);
            }
        }

        public boolean hasOriginError() {
            return (this.status & 56) > 0;
        }

        public boolean hasRefererError() {
            return (this.status & 3) > 0;
        }

        public String toString() {
            return "Stat=" + this.status + ", target=" + this.targetUrl + ", origin=" + this.originUrl + ", referer=" + this.refererUrl;
        }
    }

    @Inject
    public RequestValidationInterceptor(@Named("userConfiguration#default") UserConfiguration userConfiguration) {
        this.config = userConfiguration;
    }

    @PostConstruct
    public void init() {
        List<String> list = this.config.getList(UserConfigurationKeys.REST_BASE_URL);
        if (list != null) {
            for (String str : list) {
                if (!"".equals(str.trim())) {
                    try {
                        this.baseUrl.add(new URL(str));
                        this.useStaticUrl = true;
                    } catch (MalformedURLException e) {
                        this.log.error("Configured baseUrl (rest.baseUrl={}) is invalid. Message: {}", str, e.getMessage());
                    }
                }
            }
        }
        this.denyAbsentHeaders = this.config.getBoolean(UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY, true);
        this.enabled = this.config.getBoolean(UserConfigurationKeys.REST_CSRF_ENABLED, true);
        if (this.enabled) {
            this.log.info("CSRF Filter is enable");
        } else {
            this.log.info("CSRF Filter is disabled by configuration");
        }
        this.checkToken = !this.config.getBoolean(UserConfigurationKeys.REST_CSRF_DISABLE_TOKEN_VALIDATION, false);
        if (this.checkToken) {
            this.log.info("CSRF Token validation is enable");
        } else {
            this.log.info("CSRF Token validation is disabled by configuration");
        }
    }

    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (this.enabled) {
            HttpServletRequest request = getRequest();
            List<URL> targetUrl = getTargetUrl(request);
            if (targetUrl == null) {
                this.log.error("Could not verify target URL.");
                containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            ArrayList<HeaderValidationInfo> arrayList = new ArrayList();
            boolean z = false;
            boolean z2 = true;
            Iterator<URL> it = targetUrl.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                URL next = it.next();
                this.log.trace("Checking against target URL: {}", next);
                HeaderValidationInfo checkSourceRequestHeader = checkSourceRequestHeader(new HeaderValidationInfo(next), request);
                z2 = z2 && checkSourceRequestHeader.getStatus() == -1;
                if (checkSourceRequestHeader.getStatus() == 0) {
                    z = true;
                    break;
                }
                arrayList.add(checkSourceRequestHeader);
            }
            if (z2 && this.denyAbsentHeaders) {
                this.log.warn("Request denied. No Origin or Referer header found and {}=true", UserConfigurationKeys.REST_CSRF_ABSENTORIGIN_DENY);
                containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            if (z) {
                if (this.checkToken) {
                    checkValidationToken(containerRequestContext, request);
                    return;
                }
                return;
            }
            this.log.warn("HTTP Header check failed. Assuming CSRF attack.");
            for (HeaderValidationInfo headerValidationInfo : arrayList) {
                if (headerValidationInfo.hasOriginError()) {
                    Logger logger = this.log;
                    Object[] objArr = new Object[5];
                    objArr[0] = headerValidationInfo.originUrl;
                    objArr[1] = headerValidationInfo.targetUrl;
                    objArr[2] = Boolean.valueOf((headerValidationInfo.getStatus() & 8) == 0);
                    objArr[3] = Boolean.valueOf((headerValidationInfo.getStatus() & 16) == 0);
                    objArr[4] = Boolean.valueOf((headerValidationInfo.getStatus() & 32) == 0);
                    logger.warn("Origin Header does not match: originUrl={}, targetUrl={}. Matches: Host={}, Port={}, Protocol={}", objArr);
                }
                if (headerValidationInfo.hasRefererError()) {
                    Logger logger2 = this.log;
                    Object[] objArr2 = new Object[4];
                    objArr2[0] = headerValidationInfo.refererUrl;
                    objArr2[1] = headerValidationInfo.targetUrl;
                    objArr2[2] = Boolean.valueOf((headerValidationInfo.getStatus() & 1) == 0);
                    objArr2[3] = Boolean.valueOf((headerValidationInfo.getStatus() & 2) == 0);
                    logger2.warn("Referer Header does not match: refererUrl={}, targetUrl={}. Matches: Host={}, Port={}", objArr2);
                }
            }
            containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }

    private void checkValidationToken(ContainerRequestContext containerRequestContext, HttpServletRequest httpServletRequest) {
        Message currentMessage = JAXRSUtils.getCurrentMessage();
        if (!getRedbackAuthorization(currentMessage).noRestriction()) {
            String header = httpServletRequest.getHeader(X_XSRF_TOKEN);
            if (header == null || header.length() == 0) {
                this.log.warn("No validation token header found: {}", X_XSRF_TOKEN);
                containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                return;
            }
            try {
                TokenData decryptToken = this.tokenManager.decryptToken(header);
                AuthenticationResult authenticationResult = getAuthenticationResult(currentMessage, httpServletRequest);
                if (authenticationResult == null) {
                    this.log.error("Not authentication data found");
                    containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                    return;
                }
                User user = authenticationResult.getUser();
                if (user == null) {
                    this.log.error("User not logged in");
                    containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                    return;
                } else {
                    String username = user.getUsername();
                    if (!decryptToken.isValid() || !decryptToken.getUser().equals(username)) {
                        this.log.error("Invalid data in validation token header {} for user {}: isValid={}, username={}", X_XSRF_TOKEN, username, Boolean.valueOf(decryptToken.isValid()), decryptToken.getUser());
                        containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
                    }
                }
            } catch (InvalidTokenException e) {
                this.log.error("Token validation failed {}", e.getMessage());
                containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
        this.log.debug("Token validated");
    }

    private HttpServletRequest getRequest() {
        return this.httpRequest != null ? this.httpRequest : getHttpServletRequest(JAXRSUtils.getCurrentMessage());
    }

    private List<URL> getTargetUrl(HttpServletRequest httpServletRequest) {
        if (this.useStaticUrl) {
            return this.baseUrl;
        }
        ArrayList arrayList = new ArrayList();
        try {
            URL url = new URL(httpServletRequest.getRequestURL().toString());
            arrayList.add(url);
            String header = httpServletRequest.getHeader("X-Forwarded-Host");
            String header2 = httpServletRequest.getHeader("X-Forwarded-Proto");
            if (header2 == null) {
                header2 = url.getProtocol();
            }
            if (header != null && !StringUtils.isEmpty(header)) {
                for (String str : header.split("\\s*,\\s*")) {
                    try {
                        arrayList.add(new URL(header2 + "://" + str));
                    } catch (MalformedURLException e) {
                        this.log.warn("X-Forwarded-Host Header is malformed: {}", e.getMessage());
                    }
                }
            }
            return arrayList;
        } catch (MalformedURLException e2) {
            this.log.error("Bad Request URL {}, Message: {}", httpServletRequest.getRequestURL(), e2.getMessage());
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public int getPort(URL url) {
        return url.getPort() > 0 ? url.getPort() : "https".equals(url.getProtocol()) ? 443 : 80;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String getHost(URL url) {
        return url.getHost().trim().toLowerCase();
    }

    private HeaderValidationInfo checkSourceRequestHeader(HeaderValidationInfo headerValidationInfo, HttpServletRequest httpServletRequest) {
        String header;
        String header2 = httpServletRequest.getHeader("Origin");
        if (header2 != null) {
            try {
                headerValidationInfo.setOriginUrl(new URL(header2));
            } catch (MalformedURLException e) {
                this.log.warn("Bad origin header found: {}", header2);
            }
        }
        if (headerValidationInfo.getStatus() != 0 && (header = httpServletRequest.getHeader("Referer")) != null) {
            try {
                headerValidationInfo.setRefererUrl(new URL(header));
            } catch (MalformedURLException e2) {
                this.log.warn("Bad URL in Referer HTTP-Header: {}, Message: {}", header, e2.getMessage());
            }
        }
        return headerValidationInfo;
    }

    public void setHttpRequest(HttpServletRequest httpServletRequest) {
        this.httpRequest = httpServletRequest;
    }

    private AuthenticationResult getAuthenticationResult(Message message, HttpServletRequest httpServletRequest) {
        AuthenticationResult authenticationResult = (AuthenticationResult) message.get(AuthenticationResult.class);
        this.log.debug("authenticationResult from message: {}", authenticationResult);
        if (authenticationResult == null) {
            try {
                authenticationResult = this.httpAuthenticator.getAuthenticationResult(httpServletRequest, getHttpServletResponse(message));
                this.log.debug("authenticationResult from request: {}", authenticationResult);
            } catch (AuthenticationException e) {
                this.log.debug("failed to authenticate for path {}", message.get(Message.REQUEST_URI));
            } catch (AccountLockedException e2) {
                this.log.debug("account locked for path {}", message.get(Message.REQUEST_URI));
            } catch (MustChangePasswordException e3) {
                this.log.debug("must change password for path {}", message.get(Message.REQUEST_URI));
            }
        }
        return authenticationResult;
    }
}
