package org.apache.brooklyn.rest.filter;

import com.google.common.base.Predicates;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.brooklyn.core.mgmt.entitlement.Entitlements;
import org.apache.brooklyn.rest.domain.ApiError;
import org.apache.brooklyn.rest.resources.LogoutResource;
import org.apache.brooklyn.rest.util.MultiSessionAttributeAdapter;
import org.apache.brooklyn.util.text.Identifiers;
import org.apache.brooklyn.util.text.Strings;
import org.apache.commons.collections.EnumerationUtils;
import org.eclipse.jetty.http.HttpMethod;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Provider
@Priority(400)
/* loaded from: input_file:org/apache/brooklyn/rest/filter/CsrfTokenFilter.class */
public class CsrfTokenFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private static final Logger log = LoggerFactory.getLogger(CsrfTokenFilter.class);
    private static final String CSRF_TOKEN_VALUE_BASE = "Csrf-Token";
    public static final String CSRF_TOKEN_VALUE_COOKIE = CSRF_TOKEN_VALUE_BASE.toUpperCase();
    public static final String CSRF_TOKEN_VALUE_HEADER = HEADER_OF_COOKIE(CSRF_TOKEN_VALUE_BASE);
    public static final String CSRF_TOKEN_VALUE_BASE_ANGULAR_NAME = "Xsrf-Token";
    public static final String CSRF_TOKEN_VALUE_COOKIE_ANGULAR_NAME = CSRF_TOKEN_VALUE_BASE_ANGULAR_NAME.toUpperCase();
    public static final String CSRF_TOKEN_VALUE_HEADER_ANGULAR_NAME = HEADER_OF_COOKIE(CSRF_TOKEN_VALUE_BASE_ANGULAR_NAME);
    public static final String CSRF_TOKEN_VALUE_ATTR = CsrfTokenFilter.class.getName() + "." + CSRF_TOKEN_VALUE_COOKIE;
    public static final String CSRF_TOKEN_REQUIRED_HEADER = "X-Csrf-Token-Required-For-Requests";
    public static final String CSRF_TOKEN_REQUIRED_ATTR = CsrfTokenFilter.class.getName() + "." + CSRF_TOKEN_REQUIRED_HEADER;
    public static CsrfTokenRequiredForRequests DEFAULT_REQUIRED_FOR_REQUESTS = CsrfTokenRequiredForRequests.WRITE;

    @Context
    private HttpServletRequest request;

    /* loaded from: input_file:org/apache/brooklyn/rest/filter/CsrfTokenFilter$CsrfTokenRequiredForRequests.class */
    public enum CsrfTokenRequiredForRequests {
        ALL,
        WRITE,
        NONE
    }

    public static String HEADER_OF_COOKIE(String str) {
        return "X-" + str;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        boolean z;
        String header = this.request.getHeader(CSRF_TOKEN_REQUIRED_HEADER);
        if (Strings.isNonBlank(header) && getRequiredForRequests(header, null) == null) {
            fail(containerRequestContext, ApiError.builder().errorCode(Response.Status.BAD_REQUEST).message(HEADER_OF_COOKIE(CSRF_TOKEN_REQUIRED_HEADER) + " header if supplied must be one of " + Arrays.asList(CsrfTokenRequiredForRequests.values())).build());
            return;
        }
        if (this.request.isRequestedSessionIdValid()) {
            List list = EnumerationUtils.toList(this.request.getHeaders(CSRF_TOKEN_VALUE_HEADER));
            List list2 = EnumerationUtils.toList(this.request.getHeaders(CSRF_TOKEN_VALUE_HEADER_ANGULAR_NAME));
            ArrayList newArrayList = Lists.newArrayList(list);
            newArrayList.addAll(list2);
            MultiSessionAttributeAdapter of = MultiSessionAttributeAdapter.of(this.request);
            Object attribute = of.getAttribute(CSRF_TOKEN_VALUE_ATTR);
            CsrfTokenRequiredForRequests csrfTokenRequiredForRequests = (CsrfTokenRequiredForRequests) of.getAttribute(CSRF_TOKEN_REQUIRED_ATTR);
            if (csrfTokenRequiredForRequests == null) {
                if (newArrayList.isEmpty()) {
                    log.warn("No CSRF token expected or supplied but a cookie-session is active: client should be updated (in future CSRF tokens or instructions may be required for session-based clients) - " + Entitlements.getEntitlementContext());
                    csrfTokenRequiredForRequests = CsrfTokenRequiredForRequests.NONE;
                } else {
                    csrfTokenRequiredForRequests = DEFAULT_REQUIRED_FOR_REQUESTS;
                }
                of.setAttribute(CSRF_TOKEN_REQUIRED_ATTR, csrfTokenRequiredForRequests);
            }
            switch (csrfTokenRequiredForRequests) {
                case NONE:
                    z = false;
                    break;
                case WRITE:
                    z = !HttpMethod.GET.toString().equals(containerRequestContext.getMethod());
                    break;
                case ALL:
                    z = true;
                    break;
                default:
                    log.warn("Unexpected " + CSRF_TOKEN_REQUIRED_ATTR + " value " + csrfTokenRequiredForRequests);
                    z = true;
                    break;
            }
            if (Iterables.any(newArrayList, Predicates.equalTo(attribute))) {
                return;
            }
            if (!z) {
                if (attribute != null) {
                    log.trace("CSRF optional token mismatch: client did not send valid token, but it isn't required so proceeding");
                }
            } else if (newArrayList.isEmpty()) {
                fail(containerRequestContext, ApiError.builder().errorCode(Response.Status.FORBIDDEN).message(HEADER_OF_COOKIE(CSRF_TOKEN_VALUE_COOKIE) + " header is required, containing token previously returned from server in cookie").build());
            } else {
                fail(containerRequestContext, ApiError.builder().errorCode(Response.Status.FORBIDDEN).message(HEADER_OF_COOKIE(CSRF_TOKEN_VALUE_COOKIE) + " header did not match expected CSRF token").build());
            }
        }
    }

    private void fail(ContainerRequestContext containerRequestContext, ApiError apiError) {
        containerRequestContext.abortWith(apiError.asJsonResponse());
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
        CsrfTokenRequiredForRequests csrfTokenRequiredForRequests;
        MultiSessionAttributeAdapter of = MultiSessionAttributeAdapter.of(this.request, false);
        String str = (String) (of == null ? null : of.getAttribute(CSRF_TOKEN_VALUE_ATTR));
        String header = this.request.getHeader(CSRF_TOKEN_REQUIRED_HEADER);
        if (of == null) {
            if (Strings.isBlank(header) || Boolean.TRUE.equals(this.request.getAttribute(LogoutResource.DID_LOGOUT))) {
                return;
            } else {
                of = MultiSessionAttributeAdapter.of(this.request, true);
            }
        }
        if (str == null) {
            str = Identifiers.makeRandomId(16);
            log.trace("Created new token {} for {}", str, of);
        }
        of.setAttribute(CSRF_TOKEN_VALUE_ATTR, str);
        addCookie(containerResponseContext, CSRF_TOKEN_VALUE_COOKIE, str, "Clients should send this value in header " + CSRF_TOKEN_VALUE_HEADER + " for validation");
        addCookie(containerResponseContext, CSRF_TOKEN_VALUE_COOKIE_ANGULAR_NAME, str, "Compatibility cookie for " + CSRF_TOKEN_VALUE_COOKIE + " following AngularJS conventions");
        if (Strings.isNonBlank(header)) {
            csrfTokenRequiredForRequests = getRequiredForRequests(header, DEFAULT_REQUIRED_FOR_REQUESTS);
            of.setAttribute(CSRF_TOKEN_REQUIRED_ATTR, csrfTokenRequiredForRequests);
            if (Strings.isNonBlank(str)) {
                return;
            }
        } else {
            if (Strings.isNonBlank(str)) {
                return;
            }
            csrfTokenRequiredForRequests = (CsrfTokenRequiredForRequests) of.getAttribute(CSRF_TOKEN_REQUIRED_ATTR);
            if (csrfTokenRequiredForRequests == null) {
                csrfTokenRequiredForRequests = DEFAULT_REQUIRED_FOR_REQUESTS;
                of.setAttribute(CSRF_TOKEN_REQUIRED_ATTR, csrfTokenRequiredForRequests);
            }
        }
        if (csrfTokenRequiredForRequests == CsrfTokenRequiredForRequests.NONE) {
        }
    }

    protected NewCookie addCookie(ContainerResponseContext containerResponseContext, String str, String str2, String str3) {
        NewCookie newCookie = new NewCookie(str, str2, "/", (String) null, str3, -1, false);
        containerResponseContext.getHeaders().add("Set-Cookie", newCookie);
        return newCookie;
    }

    protected CsrfTokenRequiredForRequests getRequiredForRequests(String str, CsrfTokenRequiredForRequests csrfTokenRequiredForRequests) {
        CsrfTokenRequiredForRequests csrfTokenRequiredForRequests2 = null;
        if (str != null) {
            csrfTokenRequiredForRequests2 = CsrfTokenRequiredForRequests.valueOf(str.toUpperCase());
        }
        return csrfTokenRequiredForRequests2 != null ? csrfTokenRequiredForRequests2 : csrfTokenRequiredForRequests;
    }
}
