package org.zaproxy.zap.extension.api;

import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.security.SecureRandom;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Random;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import net.sf.json.JSONObject;
import org.apache.commons.httpclient.URIException;
import org.apache.commons.lang.time.DateUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.parosproxy.paros.Constant;
import org.parosproxy.paros.core.proxy.ProxyParam;
import org.parosproxy.paros.model.Model;
import org.parosproxy.paros.network.HttpHeader;
import org.parosproxy.paros.network.HttpInputStream;
import org.parosproxy.paros.network.HttpMalformedHeaderException;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpOutputStream;
import org.parosproxy.paros.network.HttpRequestHeader;
import org.parosproxy.paros.view.View;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.zaproxy.zap.extension.api.ApiException;
import org.zaproxy.zap.utils.JsonUtil;
import org.zaproxy.zap.utils.Stats;

/* loaded from: input_file:org/zaproxy/zap/extension/api/API.class */
public class API {
    public static final String API_DOMAIN = "zap";
    public static final String API_URL = "http://zap/";
    public static final String API_URL_S = "https://zap/";
    public static final String API_KEY_PARAM = "apikey";
    public static final String API_NONCE_PARAM = "apinonce";
    private static final String CALL_BACK_URL = "/zapCallBackUrl/";
    private static final String STATUS_OK = "200 OK";
    private static final String STATUS_BAD_REQUEST = "400 Bad Request";
    private static final String STATUS_INTERNAL_SERVER_ERROR = "500 Internal Server Error";
    private static final String STATS_PREFIX = "stats.api.";
    private OptionsParamApi optionsParamApi;
    private ProxyParam proxyParam;
    private static Pattern patternParam = Pattern.compile("&", 2);
    private static API api = null;
    private static final Logger LOGGER = LogManager.getLogger(API.class);
    private Map<String, ApiImplementor> implementors = new HashMap();
    private WebUI webUI = new WebUI(this);
    private Map<String, ApiImplementor> callBacks = new HashMap();
    private Map<String, ApiImplementor> shortcuts = new HashMap();
    private Map<String, Nonce> nonces = Collections.synchronizedMap(new HashMap());
    private Random random = new SecureRandom();

    /* loaded from: input_file:org/zaproxy/zap/extension/api/API$Format.class */
    public enum Format {
        XML,
        HTML,
        JSON,
        JSONP,
        UI,
        OTHER
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/zaproxy/zap/extension/api/API$Nonce.class */
    public class Nonce {
        private final String nonceKey;
        private final String apiPath;
        private final boolean oneTime;
        private final Date expires;

        public Nonce(String str, String str2, boolean z) {
            this.nonceKey = str;
            this.apiPath = str2;
            this.oneTime = z;
            this.expires = DateUtils.addSeconds(new Date(), API.this.getOptionsParamApi().getNonceTimeToLiveInSecs());
        }

        public String getNonceKey() {
            return this.nonceKey;
        }

        public String getApiPath() {
            return this.apiPath;
        }

        public boolean isOneTime() {
            return this.oneTime;
        }

        public boolean isValid() {
            return !this.oneTime || this.expires.after(new Date());
        }

        public Date getExpires() {
            return this.expires;
        }
    }

    /* loaded from: input_file:org/zaproxy/zap/extension/api/API$RequestType.class */
    public enum RequestType {
        action,
        view,
        other,
        pconn
    }

    private static synchronized API newInstance() {
        if (api == null) {
            api = new API();
        }
        return api;
    }

    public static API getInstance() {
        if (api == null) {
            newInstance();
        }
        return api;
    }

    public void registerApiImplementor(ApiImplementor apiImplementor) {
        if (this.implementors.get(apiImplementor.getPrefix()) != null) {
            LOGGER.error("Second attempt to register API implementor with prefix of {}", apiImplementor.getPrefix());
            return;
        }
        this.implementors.put(apiImplementor.getPrefix(), apiImplementor);
        for (String str : apiImplementor.getApiShortcuts()) {
            LOGGER.debug("Registering API shortcut: {}", str);
            if (this.shortcuts.containsKey(str)) {
                LOGGER.error("Duplicate API shortcut: {}", str);
            }
            this.shortcuts.put("/" + str, apiImplementor);
        }
    }

    public void removeApiImplementor(ApiImplementor apiImplementor) {
        if (!this.implementors.containsKey(apiImplementor.getPrefix())) {
            LOGGER.warn("Attempting to remove an API implementor not registered, with prefix: {}", apiImplementor.getPrefix());
            return;
        }
        this.implementors.remove(apiImplementor.getPrefix());
        for (String str : apiImplementor.getApiShortcuts()) {
            String str2 = "/" + str;
            if (this.shortcuts.containsKey(str2)) {
                LOGGER.debug("Removing registered API shortcut: {}", str);
                this.shortcuts.remove(str2);
            }
        }
        removeCallBackUrls(apiImplementor);
    }

    public boolean isEnabled() {
        return !View.isInitialised() || getOptionsParamApi().isEnabled();
    }

    private OptionsParamApi getOptionsParamApi() {
        if (this.optionsParamApi == null) {
            this.optionsParamApi = Model.getSingleton().getOptionsParam().getApiParam();
        }
        return this.optionsParamApi;
    }

    void setOptionsParamApi(OptionsParamApi optionsParamApi) {
        this.optionsParamApi = optionsParamApi;
    }

    private ProxyParam getProxyParam() {
        if (this.proxyParam == null) {
            this.proxyParam = Model.getSingleton().getOptionsParam().getProxyParam();
        }
        return this.proxyParam;
    }

    void setProxyParam(ProxyParam proxyParam) {
        this.proxyParam = proxyParam;
    }

    public HttpMessage handleApiRequest(HttpRequestHeader httpRequestHeader, HttpInputStream httpInputStream, HttpOutputStream httpOutputStream) throws IOException {
        return handleApiRequest(httpRequestHeader, httpInputStream, httpOutputStream, false);
    }

    private boolean isPermittedAddr(HttpRequestHeader httpRequestHeader) {
        if (!getOptionsParamApi().isPermittedAddress(httpRequestHeader.getSenderAddress().getHostAddress())) {
            LOGGER.warn("Request to API URL {} from {} not permitted", httpRequestHeader.getURI(), httpRequestHeader.getSenderAddress().getHostAddress());
            return false;
        }
        if (getOptionsParamApi().isPermittedAddress(httpRequestHeader.getHostName())) {
            return true;
        }
        LOGGER.warn("Request to API URL {} with host header {} not permitted", httpRequestHeader.getURI(), httpRequestHeader.getHostName());
        return false;
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:171:0x04c7. Please report as an issue. */
    public HttpMessage handleApiRequest(HttpRequestHeader httpRequestHeader, HttpInputStream httpInputStream, HttpOutputStream httpOutputStream, boolean z) throws IOException {
        String uri = httpRequestHeader.getURI().toString();
        Format format = Format.OTHER;
        ApiImplementor apiImplementor = null;
        ApiImplementor apiImplementor2 = null;
        if (uri.contains(CALL_BACK_URL)) {
            LOGGER.debug("handleApiRequest Callback: {}", uri);
            Iterator<Map.Entry<String, ApiImplementor>> it = this.callBacks.entrySet().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Map.Entry<String, ApiImplementor> next = it.next();
                if (uri.startsWith(next.getKey())) {
                    apiImplementor = next.getValue();
                    break;
                }
            }
            if (apiImplementor == null) {
                for (Map.Entry<String, String> entry : getOptionsParamApi().getPersistentCallBacks().entrySet()) {
                    if (uri.startsWith(entry.getKey())) {
                        apiImplementor = getImplementors().get(entry.getValue());
                        if (apiImplementor != null) {
                            break;
                        }
                    }
                }
            }
            if (apiImplementor == null) {
                LOGGER.warn("Request to callback URL {} from {} not found - this could be a callback url from a previous session or possibly an attempt to attack ZAP", httpRequestHeader.getURI(), httpRequestHeader.getSenderAddress().getHostAddress());
                return new HttpMessage();
            }
        }
        String path = httpRequestHeader.getURI().getPath();
        if (path != null) {
            Iterator<Map.Entry<String, ApiImplementor>> it2 = this.shortcuts.entrySet().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Map.Entry<String, ApiImplementor> next2 = it2.next();
                if (path.startsWith(next2.getKey())) {
                    apiImplementor2 = next2.getValue();
                    break;
                }
            }
        }
        if (apiImplementor == null && !uri.startsWith("http://zap/") && !uri.startsWith(API_URL_S) && !z) {
            return null;
        }
        if (apiImplementor == null && !isPermittedAddr(httpRequestHeader)) {
            return new HttpMessage();
        }
        if (getOptionsParamApi().isSecureOnly() && !httpRequestHeader.isSecure()) {
            LOGGER.debug("handleApiRequest rejecting insecure request");
            return new HttpMessage();
        }
        LOGGER.debug("handleApiRequest {}", uri);
        HttpMessage httpMessage = new HttpMessage();
        httpMessage.setRequestHeader(httpRequestHeader);
        if (httpRequestHeader.getContentLength() > 0) {
            httpMessage.setRequestBody(httpInputStream.readRequestBody(httpRequestHeader));
        }
        String str = null;
        ApiImplementor apiImplementor3 = null;
        RequestType requestType = null;
        String str2 = "text/plain; charset=UTF-8";
        String str3 = Constant.USER_AGENT;
        String str4 = null;
        boolean z2 = false;
        try {
            if (apiImplementor2 != null) {
                if (!getOptionsParamApi().isDisableKey() && !getOptionsParamApi().isNoKeyForSafeOps() && !hasValidKey(httpRequestHeader, getParams(httpRequestHeader))) {
                    throw new ApiException(ApiException.Type.BAD_API_KEY);
                }
                httpMessage = apiImplementor2.handleShortcut(httpMessage);
                apiImplementor3 = apiImplementor2;
            } else if (apiImplementor != null) {
                str3 = apiImplementor.handleCallBack(httpMessage);
                apiImplementor3 = apiImplementor;
            } else {
                JSONObject params = getParams(httpRequestHeader);
                String[] split = uri.split("/");
                if (split.length > 3 && split[3].equalsIgnoreCase("favicon.ico")) {
                    if (!getOptionsParamApi().isUiEnabled()) {
                        throw new ApiException(ApiException.Type.DISABLED);
                    }
                    InputStream resourceAsStream = API.class.getResourceAsStream("/resource/zap.ico");
                    byte[] bArr = new byte[resourceAsStream.available()];
                    resourceAsStream.read(bArr);
                    resourceAsStream.close();
                    httpMessage.setResponseHeader(getDefaultResponseHeader(str2));
                    httpMessage.getResponseHeader().setContentLength(bArr.length);
                    httpMessage.getResponseBody().setBody(bArr);
                    httpOutputStream.write(httpMessage.getResponseHeader());
                    httpOutputStream.write(bArr);
                    httpOutputStream.flush();
                    httpOutputStream.close();
                    httpInputStream.close();
                    return httpMessage;
                }
                if (split.length > 3) {
                    try {
                        format = Format.valueOf(split[3].toUpperCase());
                        switch (format) {
                            case JSONP:
                                str2 = "application/javascript; charset=UTF-8";
                                break;
                            case XML:
                                str2 = "text/xml; charset=UTF-8";
                                break;
                            case HTML:
                                str2 = "text/html; charset=UTF-8";
                                break;
                            case UI:
                                str2 = "text/html; charset=UTF-8";
                                break;
                            case JSON:
                            default:
                                str2 = "application/json; charset=UTF-8";
                                break;
                        }
                    } catch (IllegalArgumentException e) {
                        Format format2 = Format.HTML;
                        throw new ApiException(ApiException.Type.BAD_FORMAT, e);
                    }
                }
                if (split.length > 4) {
                    str = split[4];
                    apiImplementor3 = this.implementors.get(str);
                    if (apiImplementor3 == null) {
                        throw new ApiException(ApiException.Type.NO_IMPLEMENTOR);
                    }
                }
                if (split.length > 5) {
                    try {
                        requestType = RequestType.valueOf(split[5]);
                    } catch (IllegalArgumentException e2) {
                        throw new ApiException(ApiException.Type.BAD_TYPE, e2);
                    }
                }
                if (split.length > 6) {
                    str4 = split[6];
                    if (str4 != null && str4.indexOf("?") > 0) {
                        str4 = str4.substring(0, str4.indexOf("?"));
                    }
                }
                if (format.equals(Format.UI)) {
                    if (!isEnabled() || !getOptionsParamApi().isUiEnabled()) {
                        throw new ApiException(ApiException.Type.DISABLED);
                    }
                    str3 = this.webUI.handleRequest(str, apiImplementor3, requestType, str4);
                    str2 = "text/html; charset=UTF-8";
                } else if (str4 != null) {
                    if (!isEnabled()) {
                        throw new ApiException(ApiException.Type.DISABLED);
                    }
                    if (httpRequestHeader.getMethod().equalsIgnoreCase(HttpRequestHeader.POST)) {
                        String header = httpRequestHeader.getHeader(HttpHeader.CONTENT_TYPE);
                        if (header == null || !header.equals("application/x-www-form-urlencoded")) {
                            throw new ApiException(ApiException.Type.CONTENT_TYPE_NOT_SUPPORTED);
                        }
                        params = getParams(httpMessage.getRequestBody().toString());
                    }
                    if (format.equals(Format.JSONP)) {
                        if (!getOptionsParamApi().isEnableJSONP()) {
                            throw new ApiException(ApiException.Type.DISABLED);
                        }
                        if (!hasValidKey(httpRequestHeader, params)) {
                            throw new ApiException(ApiException.Type.BAD_API_KEY);
                        }
                    }
                    if (requestType == null) {
                        throw new ApiException(ApiException.Type.BAD_TYPE, "Request Type was not provided.");
                    }
                    if (apiImplementor3 == null) {
                        throw new ApiException(ApiException.Type.NO_IMPLEMENTOR, "Implementor was not provided.");
                    }
                    incStatistic("call", format, str, requestType, str4);
                    switch (requestType) {
                        case action:
                            if (!getOptionsParamApi().isDisableKey() && !hasValidKey(httpRequestHeader, params)) {
                                throw new ApiException(ApiException.Type.BAD_API_KEY);
                            }
                            validateFormatForViewAction(format);
                            validateMandatoryParams(params, apiImplementor3.getApiAction(str4));
                            ApiResponse handleApiOptionAction = apiImplementor3.handleApiOptionAction(str4, params);
                            if (handleApiOptionAction == null) {
                                handleApiOptionAction = apiImplementor3.handleApiAction(str4, params);
                            }
                            str3 = convertViewActionApiResponse(format, str4, handleApiOptionAction);
                            break;
                        case view:
                            if (!getOptionsParamApi().isDisableKey() && !getOptionsParamApi().isNoKeyForSafeOps() && !hasValidKey(httpRequestHeader, params)) {
                                throw new ApiException(ApiException.Type.BAD_API_KEY);
                            }
                            validateFormatForViewAction(format);
                            validateMandatoryParams(params, apiImplementor3.getApiView(str4));
                            ApiResponse handleApiOptionView = apiImplementor3.handleApiOptionView(str4, params);
                            if (handleApiOptionView == null) {
                                handleApiOptionView = apiImplementor3.handleApiView(str4, params);
                            }
                            str3 = convertViewActionApiResponse(format, str4, handleApiOptionView);
                            break;
                        case other:
                            ApiOther apiOther = apiImplementor3.getApiOther(str4);
                            if (apiOther != null) {
                                if (!getOptionsParamApi().isDisableKey() && ((!getOptionsParamApi().isNoKeyForSafeOps() || apiOther.isRequiresApiKey()) && !hasValidKey(httpRequestHeader, params))) {
                                    throw new ApiException(ApiException.Type.BAD_API_KEY);
                                }
                                validateMandatoryParams(params, apiOther);
                            }
                            httpMessage = apiImplementor3.handleApiOther(httpMessage, str4, params);
                            break;
                        case pconn:
                            ApiElement apiPersistentConnection = apiImplementor3.getApiPersistentConnection(str4);
                            if (apiPersistentConnection != null) {
                                if (!getOptionsParamApi().isDisableKey() && !getOptionsParamApi().isNoKeyForSafeOps() && !hasValidKey(httpRequestHeader, params)) {
                                    throw new ApiException(ApiException.Type.BAD_API_KEY);
                                }
                                validateMandatoryParams(params, apiPersistentConnection);
                            }
                            apiImplementor3.handleApiPersistentConnection(httpMessage, httpInputStream, httpOutputStream, str4, params);
                            return new HttpMessage();
                    }
                } else {
                    if (!isEnabled() || !getOptionsParamApi().isUiEnabled()) {
                        throw new ApiException(ApiException.Type.DISABLED);
                    }
                    str3 = this.webUI.handleRequest(httpRequestHeader.getURI(), isEnabled());
                    format = Format.UI;
                    str2 = "text/html; charset=UTF-8";
                }
            }
        } catch (Exception e3) {
            if (!getOptionsParamApi().isReportPermErrors()) {
                if (str != null && format != null && requestType != null && 0 != 0) {
                    incStatistic("error", format, str, requestType, null);
                }
                if (e3 instanceof ApiException) {
                    ApiException apiException = (ApiException) e3;
                    if (apiException.getType().equals(ApiException.Type.DISABLED) || apiException.getType().equals(ApiException.Type.BAD_API_KEY)) {
                        return new HttpMessage();
                    }
                }
            }
            handleException(httpMessage, requestType, format, str2, e3);
            z2 = true;
        }
        if (!z2 && !format.equals(Format.OTHER) && apiImplementor2 == null && apiImplementor == null) {
            httpMessage.setResponseHeader(getDefaultResponseHeader(str2));
            httpMessage.setResponseBody(str3);
            httpMessage.getResponseHeader().setContentLength(httpMessage.getResponseBody().length());
        }
        if (apiImplementor3 != null) {
            apiImplementor3.addCustomHeaders(str4, requestType, httpMessage);
        }
        httpOutputStream.write(httpMessage.getResponseHeader());
        httpOutputStream.write(httpMessage.getResponseBody().getBytes());
        httpOutputStream.flush();
        if (!httpMessage.isWebSocketUpgrade()) {
            httpOutputStream.close();
            httpInputStream.close();
        }
        return httpMessage;
    }

    private void incStatistic(String str, Format format, String str2, RequestType requestType, String str3) {
        Stats.incCounter("stats.api." + str + "." + format.name().toLowerCase(Locale.ROOT) + "." + str2 + "." + requestType.name() + "." + str3);
    }

    private void validateMandatoryParams(JSONObject jSONObject, ApiElement apiElement) throws ApiException {
        if (apiElement == null) {
            return;
        }
        for (ApiParameter apiParameter : apiElement.getParameters()) {
            if (apiParameter.isRequired()) {
                String name = apiParameter.getName();
                if (!jSONObject.has(name) || jSONObject.getString(name).length() == 0) {
                    throw new ApiException(ApiException.Type.MISSING_PARAMETER, name);
                }
            }
        }
    }

    private static String convertViewActionApiResponse(Format format, String str, ApiResponse apiResponse) throws ApiException {
        switch (format) {
            case JSONP:
                return getJsonpWrapper(apiResponse.toJSON().toString());
            case XML:
                return responseToXml(str, apiResponse);
            case HTML:
                return responseToHtml(apiResponse);
            case UI:
            default:
                LOGGER.error("Unhandled format: {}", format);
                throw new ApiException(ApiException.Type.INTERNAL_ERROR);
            case JSON:
                return apiResponse.toJSON().toString();
        }
    }

    private static void validateFormatForViewAction(Format format) throws ApiException {
        switch (format) {
            case JSONP:
            case XML:
            case HTML:
            case JSON:
                return;
            case UI:
            default:
                throw new ApiException(ApiException.Type.BAD_FORMAT, "The format OTHER should not be used with views and actions.");
        }
    }

    public String getBaseURL(Format format, String str, RequestType requestType, String str2, boolean z) {
        String str3 = format.name() + "/" + str + "/" + requestType.name() + "/" + str2 + "/";
        return !RequestType.view.equals(requestType) ? getBaseURL(z) + str3 + "?apinonce=" + getOneTimeNonce("/" + str3) + "&" : getBaseURL(z) + str3;
    }

    public String getBaseURL(boolean z) {
        if (z) {
            return getOptionsParamApi().isSecureOnly() ? API_URL_S : "http://zap/";
        }
        StringBuilder sb = new StringBuilder(50);
        sb.append(HttpHeader.HTTP);
        if (getOptionsParamApi().isSecureOnly()) {
            sb.append('s');
        }
        sb.append("://").append(getProxyParam().getProxyIp()).append(':').append(getProxyParam().getProxyPort()).append('/');
        return sb.toString();
    }

    static String responseToHtml(ApiResponse apiResponse) {
        StringBuilder sb = new StringBuilder();
        sb.append("<head>\n");
        sb.append("</head>\n");
        sb.append("<body>\n");
        apiResponse.toHTML(sb);
        sb.append("</body>\n");
        return sb.toString();
    }

    static String responseToXml(String str, ApiResponse apiResponse) throws ApiException {
        try {
            Document newDocument = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
            Element createElement = newDocument.createElement(str);
            newDocument.appendChild(createElement);
            apiResponse.toXML(newDocument, createElement);
            Transformer newTransformer = TransformerFactory.newInstance().newTransformer();
            DOMSource dOMSource = new DOMSource(newDocument);
            StringWriter stringWriter = new StringWriter();
            newTransformer.transform(dOMSource, new StreamResult(stringWriter));
            return stringWriter.toString();
        } catch (Exception e) {
            LOGGER.error("Failed to convert API response to XML: {}", e.getMessage(), e);
            throw new ApiException(ApiException.Type.INTERNAL_ERROR, e);
        }
    }

    private static JSONObject getParams(HttpRequestHeader httpRequestHeader) throws ApiException {
        return getParams(httpRequestHeader.getURI().getEscapedQuery());
    }

    public static JSONObject getParams(String str) throws ApiException {
        JSONObject jSONObject = new JSONObject();
        if (str == null || str.length() == 0) {
            return jSONObject;
        }
        String[] split = patternParam.split(str);
        for (int i = 0; i < split.length; i++) {
            int indexOf = split[i].indexOf(61);
            if (indexOf > 0) {
                try {
                    jSONObject.put(URLDecoder.decode(split[i].substring(0, indexOf), "UTF-8"), JsonUtil.getJsonFriendlyString(URLDecoder.decode(split[i].substring(indexOf + 1), "UTF-8")));
                } catch (UnsupportedEncodingException | IllegalArgumentException e) {
                    ApiException apiException = new ApiException(ApiException.Type.ILLEGAL_PARAMETER, str, e);
                    LOGGER.error(apiException.getMessage(), apiException);
                }
            } else {
                ApiException apiException2 = new ApiException(ApiException.Type.ILLEGAL_PARAMETER, str);
                LOGGER.error(apiException2.getMessage(), apiException2);
            }
        }
        return jSONObject;
    }

    private static String getJsonpWrapper(String str) {
        return "zapJsonpResult (" + str + " )";
    }

    public Map<String, ApiImplementor> getImplementors() {
        return Collections.unmodifiableMap(this.implementors);
    }

    public String getCallBackUrl(ApiImplementor apiImplementor, String str) {
        String str2 = str + "/zapCallBackUrl/" + this.random.nextLong();
        this.callBacks.put(str2, apiImplementor);
        LOGGER.debug("Callback {} registered for {}", str2, apiImplementor.getClass().getCanonicalName());
        return str2;
    }

    public void removeCallBackUrl(String str) {
        LOGGER.debug("Callback {} removed", str);
        this.callBacks.remove(str);
    }

    public void removeCallBackUrls(ApiImplementor apiImplementor) {
        if (apiImplementor == null) {
            throw new IllegalArgumentException("Parameter impl must not be null.");
        }
        LOGGER.debug("All callbacks removed for {}", apiImplementor.getClass().getCanonicalName());
        Collection<ApiImplementor> values = this.callBacks.values();
        Objects.requireNonNull(apiImplementor);
        values.removeIf((v1) -> {
            return r1.equals(v1);
        });
    }

    public String getPersistentCallBackUrl(ApiImplementor apiImplementor, String str) {
        for (Map.Entry<String, String> entry : getOptionsParamApi().getPersistentCallBacks().entrySet()) {
            String key = entry.getKey();
            if (key.startsWith(str) && entry.getValue().equals(apiImplementor.getPrefix())) {
                return key;
            }
        }
        String str2 = str + "/zapCallBackUrl/" + this.random.nextLong();
        getOptionsParamApi().addPersistantCallBack(str2, apiImplementor.getPrefix());
        return str2;
    }

    public boolean removePersistentCallBackUrl(String str) {
        return getOptionsParamApi().removePersistantCallBack(str) != null;
    }

    public String getOneTimeNonce(String str) {
        String hexString = Long.toHexString(this.random.nextLong());
        this.nonces.put(hexString, new Nonce(hexString, str, true));
        return hexString;
    }

    public String getLongLivedNonce(String str) {
        String hexString = Long.toHexString(this.random.nextLong());
        this.nonces.put(hexString, new Nonce(hexString, str, false));
        return hexString;
    }

    public boolean hasValidKey(HttpMessage httpMessage) {
        try {
            HttpRequestHeader requestHeader = httpMessage.getRequestHeader();
            return hasValidKey(requestHeader, getParams(requestHeader));
        } catch (ApiException e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        }
    }

    public boolean hasValidKey(HttpRequestHeader httpRequestHeader, JSONObject jSONObject) {
        try {
            try {
                String path = httpRequestHeader.getURI().getPath();
                String header = httpRequestHeader.getHeader(HttpHeader.X_ZAP_API_NONCE);
                if (header == null && jSONObject.has(API_NONCE_PARAM)) {
                    header = jSONObject.getString(API_NONCE_PARAM);
                }
                if (header != null) {
                    Nonce nonce = this.nonces.get(header);
                    if (nonce == null) {
                        LOGGER.warn("API nonce {} not found in request from {}", header, httpRequestHeader.getSenderAddress().getHostAddress());
                        synchronized (this.nonces) {
                            Iterator<Nonce> it = this.nonces.values().iterator();
                            while (it.hasNext()) {
                                if (!it.next().isValid()) {
                                    it.remove();
                                }
                            }
                        }
                        return false;
                    }
                    if (nonce.isOneTime()) {
                        this.nonces.remove(header);
                    }
                    if (!nonce.isValid()) {
                        LOGGER.warn("API nonce {} expired at {} in request from {}", nonce.getNonceKey(), nonce.getExpires(), httpRequestHeader.getSenderAddress().getHostAddress());
                        synchronized (this.nonces) {
                            Iterator<Nonce> it2 = this.nonces.values().iterator();
                            while (it2.hasNext()) {
                                if (!it2.next().isValid()) {
                                    it2.remove();
                                }
                            }
                        }
                        return false;
                    }
                    if (!path.equals(nonce.getApiPath())) {
                        LOGGER.warn("API nonce path was {} but call was for {} in request from {}", nonce.getApiPath(), path, httpRequestHeader.getSenderAddress().getHostAddress());
                        synchronized (this.nonces) {
                            Iterator<Nonce> it3 = this.nonces.values().iterator();
                            while (it3.hasNext()) {
                                if (!it3.next().isValid()) {
                                    it3.remove();
                                }
                            }
                        }
                        return false;
                    }
                } else {
                    String header2 = httpRequestHeader.getHeader(HttpHeader.X_ZAP_API_KEY);
                    if (header2 == null && jSONObject.has(API_KEY_PARAM)) {
                        header2 = jSONObject.getString(API_KEY_PARAM);
                    }
                    if (!getOptionsParamApi().getKey().equals(header2)) {
                        LOGGER.warn("API key incorrect or not supplied: {} in request from {}", header2, httpRequestHeader.getSenderAddress().getHostAddress());
                        synchronized (this.nonces) {
                            Iterator<Nonce> it4 = this.nonces.values().iterator();
                            while (it4.hasNext()) {
                                if (!it4.next().isValid()) {
                                    it4.remove();
                                }
                            }
                        }
                        return false;
                    }
                }
                synchronized (this.nonces) {
                    Iterator<Nonce> it5 = this.nonces.values().iterator();
                    while (it5.hasNext()) {
                        if (!it5.next().isValid()) {
                            it5.remove();
                        }
                    }
                }
                return true;
            } catch (URIException e) {
                LOGGER.error(e.getMessage(), e);
                synchronized (this.nonces) {
                    Iterator<Nonce> it6 = this.nonces.values().iterator();
                    while (it6.hasNext()) {
                        if (!it6.next().isValid()) {
                            it6.remove();
                        }
                    }
                    return false;
                }
            }
        } catch (Throwable th) {
            synchronized (this.nonces) {
                Iterator<Nonce> it7 = this.nonces.values().iterator();
                while (it7.hasNext()) {
                    if (!it7.next().isValid()) {
                        it7.remove();
                    }
                }
                throw th;
            }
        }
    }

    public static String getDefaultResponseHeader(String str) {
        return getDefaultResponseHeader(str, 0);
    }

    public static String getDefaultResponseHeader(String str, int i) {
        return getDefaultResponseHeader(STATUS_OK, str, i, false);
    }

    public static String getDefaultResponseHeader(String str, int i, boolean z) {
        return getDefaultResponseHeader(STATUS_OK, str, i, z);
    }

    public static String getDefaultResponseHeader(String str, String str2, int i) {
        return getDefaultResponseHeader(str, str2, i, false);
    }

    public static String getDefaultResponseHeader(String str, String str2, int i, boolean z) {
        StringBuilder sb = new StringBuilder(250);
        sb.append("HTTP/1.1 ").append(str).append(HttpHeader.CRLF);
        if (!z) {
            sb.append("Pragma: no-cache\r\n");
            sb.append("Cache-Control: no-cache, no-store, must-revalidate\r\n");
        }
        sb.append("Content-Security-Policy: default-src 'none'; script-src 'self'; connect-src 'self'; child-src 'self'; img-src 'self' data:; font-src 'self' data:; style-src 'self'\r\n");
        sb.append("Referrer-Policy: no-referrer\r\n");
        sb.append("Access-Control-Allow-Methods: GET,POST,OPTIONS\r\n");
        sb.append("Access-Control-Allow-Headers: ZAP-Header\r\n");
        sb.append("X-Frame-Options: DENY\r\n");
        sb.append("X-XSS-Protection: 1; mode=block\r\n");
        sb.append("X-Content-Type-Options: nosniff\r\n");
        sb.append("X-Clacks-Overhead: GNU Terry Pratchett\r\n");
        sb.append("Content-Length: ").append(i).append(HttpHeader.CRLF);
        sb.append("Content-Type: ").append(str2).append(HttpHeader.CRLF);
        return sb.toString();
    }

    private void handleException(HttpMessage httpMessage, RequestType requestType, Format format, String str, Exception exc) {
        ApiException apiException;
        String str2 = STATUS_INTERNAL_SERVER_ERROR;
        if (requestType == RequestType.other) {
            boolean z = true;
            if (exc instanceof ApiException) {
                switch (((ApiException) exc).getType()) {
                    case DISABLED:
                    case BAD_TYPE:
                    case NO_IMPLEMENTOR:
                    case BAD_API_KEY:
                    case MISSING_PARAMETER:
                    case BAD_ACTION:
                    case BAD_VIEW:
                    case BAD_OTHER:
                        str2 = STATUS_BAD_REQUEST;
                        logBadRequest(httpMessage, exc);
                        z = false;
                        break;
                }
            }
            if (z) {
                LOGGER.error("API 'other' endpoint didn't handle exception:", exc);
            }
        } else {
            if (exc instanceof ApiException) {
                apiException = (ApiException) exc;
                if (!ApiException.Type.INTERNAL_ERROR.equals(apiException.getType())) {
                    str2 = STATUS_BAD_REQUEST;
                    logBadRequest(httpMessage, exc);
                }
            } else {
                apiException = new ApiException(ApiException.Type.INTERNAL_ERROR, exc);
                LOGGER.error("Exception while handling API request:", exc);
            }
            String apiException2 = apiException.toString(format != Format.OTHER ? format : Format.JSON, getOptionsParamApi().isIncErrorDetails());
            httpMessage.getResponseBody().setCharset(getCharset(str));
            httpMessage.getResponseBody().setBody(apiException2);
        }
        try {
            httpMessage.setResponseHeader(getDefaultResponseHeader(str2, str, httpMessage.getResponseBody().length()));
        } catch (HttpMalformedHeaderException e) {
            LOGGER.warn("Failed to build API error response:", e);
        }
    }

    private static void logBadRequest(HttpMessage httpMessage, Exception exc) {
        LOGGER.warn("Bad request to API endpoint [{}] from [{}]:", httpMessage.getRequestHeader().getURI().getEscapedPath(), httpMessage.getRequestHeader().getSenderAddress().getHostAddress(), exc);
    }

    private static String getCharset(String str) {
        int indexOf = str.indexOf("charset=");
        return indexOf == -1 ? "UTF-8" : str.substring(indexOf + 8);
    }
}
