package org.sonatype.nexus.security.authc;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.core.MediaType;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.UnauthorizedException;
import org.apache.shiro.subject.Subject;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.common.text.Strings2;

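@Singleton
@Named
/* loaded from: input_file:org/sonatype/nexus/security/authc/AntiCsrfHelper.class */
/**
 * Enforces a double-submit-cookie anti-CSRF check: a state-changing request made under a session
 * must carry a {@value #ANTI_CSRF_TOKEN_NAME} header (or an explicitly supplied token) whose value
 * equals the cookie of the same name sent with the request. Both values come from the request
 * itself; this class keeps no server-side token state.
 * <p>
 * The check is skipped when the feature is disabled, for GET/HEAD, for multipart POSTs, when the
 * subject has no established session, and for servlet paths matching a configured exemption.
 */
public class AntiCsrfHelper extends ComponentSupport {
    /** Configuration key that switches the anti-CSRF check on and off. */
    public static final String ENABLED = "nexus.security.anticsrftoken.enabled";

    /** Message carried by the {@link UnauthorizedException} thrown on a token mismatch. */
    public static final String ERROR_MESSAGE_TOKEN_MISMATCH = "Anti cross-site request forgery token mismatch";

    /** Name shared by the request header and the cookie that carry the token. */
    public static final String ANTI_CSRF_TOKEN_NAME = "NX-ANTI-CSRF-TOKEN";

    private final boolean enabled;

    private final List<CsrfExemption> csrfExemptPaths;

    /**
     * @param z    whether the check is enforced; bound from {@code nexus.security.anticsrftoken.enabled}, default {@code true}
     * @param list exemptions whose paths are matched against the request's servlet path (must not be null)
     */
    @Inject
    public AntiCsrfHelper(@Named("${nexus.security.anticsrftoken.enabled:-true}") boolean z, List<CsrfExemption> list) {
        this.enabled = z;
        this.csrfExemptPaths = Objects.requireNonNull(list, "csrfExemptPaths");
    }

    /**
     * Decides whether a request may proceed without (or with) a valid anti-CSRF token.
     *
     * @param httpServletRequest the request under evaluation
     * @return {@code true} if the request is exempt from the check or carries a header matching the token cookie
     */
    public boolean isAccessAllowed(HttpServletRequest httpServletRequest) {
        // Conditions are ordered cheapest first; each one alone is sufficient to let the request through.
        return !this.enabled
                || isSafeHttpMethod(httpServletRequest)
                || isMultiPartFormDataPost(httpServletRequest)
                || !isSessionAuthentication()
                || isExemptRequest(httpServletRequest)
                || isAntiCsrfTokenValid(httpServletRequest, Optional.ofNullable(httpServletRequest.getHeader(ANTI_CSRF_TOKEN_NAME)));
    }

    /**
     * Throws unless the presented token matches the token cookie. Unlike {@link #isAccessAllowed}, this
     * applies no method, content-type or exemption short-cuts; only a disabled feature or a missing
     * session lets the request pass.
     *
     * @param httpServletRequest the request under evaluation
     * @param str                the token to validate; when {@code null} the {@value #ANTI_CSRF_TOKEN_NAME} header is used
     * @throws UnauthorizedException when the check is enabled, a session exists and the token does not match
     */
    public void requireValidToken(HttpServletRequest httpServletRequest, @Nullable String str) {
        Optional<String> token = str == null
                ? Optional.ofNullable(httpServletRequest.getHeader(ANTI_CSRF_TOKEN_NAME))
                : Optional.of(str);
        if (this.enabled && isSessionAuthentication() && !isAntiCsrfTokenValid(httpServletRequest, token)) {
            throw new UnauthorizedException(ERROR_MESSAGE_TOKEN_MISMATCH);
        }
    }

    /** Only GET and HEAD are treated as safe; OPTIONS, PUT, DELETE and every other method stay subject to the check. */
    private boolean isSafeHttpMethod(HttpServletRequest httpServletRequest) {
        String method = httpServletRequest.getMethod();
        return HttpMethod.GET.equals(method) || HttpMethod.HEAD.equals(method);
    }

    /**
     * Multipart form POSTs are deliberately let through; the rationale is not visible in this class.
     * A Content-Type that cannot be parsed is not treated as multipart, so the token check still applies
     * (fail closed) instead of the parse error surfacing as a server error.
     */
    private boolean isMultiPartFormDataPost(HttpServletRequest httpServletRequest) {
        if (!HttpMethod.POST.equals(httpServletRequest.getMethod())) {
            return false;
        }
        String contentType = httpServletRequest.getContentType();
        if (Strings2.isBlank(contentType)) {
            return false;
        }
        try {
            return MediaType.MULTIPART_FORM_DATA_TYPE.isCompatible(MediaType.valueOf(contentType));
        }
        catch (IllegalArgumentException ignored) {
            // MediaType.valueOf rejects malformed media types; such a request is simply not multipart.
            return false;
        }
    }

    /** Reports whether the current subject already has a session; {@code getSession(false)} never creates one. */
    private boolean isSessionAuthentication() {
        Subject subject = SecurityUtils.getSubject();
        return subject != null && subject.getSession(false) != null;
    }

    /**
     * @return the value of the first cookie named {@code str}, or empty when no such cookie is present
     */
    private Optional<String> getCookie(HttpServletRequest httpServletRequest, String str) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return Optional.empty();
        }
        for (Cookie cookie : cookies) {
            if (str.equals(cookie.getName())) {
                return Optional.ofNullable(cookie.getValue());
            }
        }
        return Optional.empty();
    }

    private Optional<String> getAntiCsrfTokenCookie(HttpServletRequest httpServletRequest) {
        return getCookie(httpServletRequest, ANTI_CSRF_TOKEN_NAME);
    }

    /**
     * Double-submit comparison: the presented token must be present and equal the token cookie. An absent
     * cookie never matches ({@code Optional.empty()} is not equal to a present value). Both sides are
     * request-supplied, so a plain equality check is sufficient here.
     */
    private boolean isAntiCsrfTokenValid(HttpServletRequest httpServletRequest, Optional<String> optional) {
        return optional.isPresent() && optional.equals(getAntiCsrfTokenCookie(httpServletRequest));
    }

    /**
     * Matches the servlet path against the configured exemptions. NOTE: this is a substring match, not a
     * prefix or exact match — an exemption for a short path also exempts every servlet path that merely
     * contains it, so exemption paths should be kept specific.
     */
    private boolean isExemptRequest(HttpServletRequest httpServletRequest) {
        String servletPath = Objects.requireNonNull(httpServletRequest.getServletPath());
        return this.csrfExemptPaths.stream()
                .map(CsrfExemption::getPath)
                .anyMatch(servletPath::contains);
    }

    /** @return whether the anti-CSRF check is enforced */
    public boolean isEnabled() {
        return this.enabled;
    }
}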
