package org.seedstack.seed.web.security.internal;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Objects;
import javax.inject.Inject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.seedstack.seed.SeedException;
import org.seedstack.seed.web.security.WebSecurityConfig;
import org.seedstack.seed.web.spi.AntiXsrfService;

/* loaded from: input_file:org/seedstack/seed/web/security/internal/StatelessAntiXsrfService.class */
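/**
 * Anti-XSRF protection that keeps no server-side state beyond the existence of an {@link HttpSession}.
 *
 * <p>When a session is first created, a random token is issued in a cookie that is deliberately
 * readable by client-side script ({@code HttpOnly} is off). On every later request that carries a
 * session, the same token must be echoed back in a request header; the header value is compared
 * against the cookie value and the request is rejected with a {@link SeedException} on any mismatch.
 *
 * <p>Thread-safety: the only mutable state touched is the per-request servlet objects; the
 * configuration reference is immutable after construction.
 */
class StatelessAntiXsrfService implements AntiXsrfService {
    /** Alphabet the token is drawn from: lowercase ASCII letters and digits. */
    private static final char[] CHARSET = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9'};
    /** A separator is inserted after every {@code GROUP_SIZE} token characters, for readability only. */
    private static final int GROUP_SIZE = 4;
    private static final char GROUP_SEPARATOR = '-';
    /** The token cookie is scoped to the whole site. */
    private static final String COOKIE_PATH = "/";
    /** Placeholder value written into the cookie when it is being expired. */
    private static final String DELETED_COOKIE_VALUE = "deleteMe";

    private final WebSecurityConfig.XSRFConfig xsrfConfig;

    /**
     * Creates the service from the web security configuration.
     *
     * @param webSecurityConfig the web security configuration; only its {@code xsrf()} section is used
     */
    @Inject
    public StatelessAntiXsrfService(WebSecurityConfig webSecurityConfig) {
        this.xsrfConfig = webSecurityConfig.xsrf();
    }

    /**
     * Issues the token cookie on a brand-new session, or validates the token on an existing one.
     *
     * <p>Requests without a session are left untouched. On a new session a token cookie is added to
     * the response and no validation is performed. On an existing session the configured header must be
     * present, the cookie must be present, and the two values must match.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response the token cookie is added to
     * @throws SeedException with {@code MISSING_XSRF_HEADER}, {@code MISSING_XSRF_COOKIE} or
     *                       {@code INVALID_XSRF_TOKEN} when validation fails
     */
    @Override
    public void applyXsrfProtection(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            // No session: nothing to protect and no token to issue.
            return;
        }

        String cookieName = this.xsrfConfig.getCookieName();
        if (session.isNew()) {
            // maxAge -1: a session cookie, discarded when the browser closes.
            httpServletResponse.addCookie(buildTokenCookie(cookieName, generateToken(), -1));
            return;
        }

        // The header check comes first so that a request lacking the header is reported as such even when
        // the cookie is also absent (keeps the original error precedence).
        String headerValue = httpServletRequest.getHeader(this.xsrfConfig.getHeaderName());
        if (headerValue == null) {
            throw SeedException.createNew(WebSecurityErrorCode.MISSING_XSRF_HEADER);
        }
        String cookieToken = extractCookieToken(cookieName, httpServletRequest);
        if (cookieToken == null) {
            throw SeedException.createNew(WebSecurityErrorCode.MISSING_XSRF_COOKIE);
        }
        if (!tokensMatch(cookieToken, firstHeaderValue(headerValue))) {
            throw SeedException.createNew(WebSecurityErrorCode.INVALID_XSRF_TOKEN);
        }
    }

    /**
     * Expires the token cookie when the request no longer has a session.
     *
     * <p>A cookie with {@code maxAge = 0} and the same name and path instructs the browser to drop it.
     * Requests that still carry a session are left untouched.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response the expiring cookie is added to
     */
    @Override
    public void cleanXsrfProtection(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletRequest.getSession(false) == null) {
            httpServletResponse.addCookie(buildTokenCookie(this.xsrfConfig.getCookieName(), DELETED_COOKIE_VALUE, 0));
        }
    }

    /**
     * Builds the token cookie with the attributes shared by issuing and expiring it.
     *
     * @param name   cookie name
     * @param value  cookie value
     * @param maxAge cookie max-age in seconds; {@code -1} for a session cookie, {@code 0} to expire it
     * @return the configured cookie, not yet added to any response
     */
    private static Cookie buildTokenCookie(String name, String value, int maxAge) {
        Cookie cookie = new Cookie(name, value);
        // Deliberately NOT HttpOnly: client-side code has to read this cookie to copy its value into the
        // request header. The Secure flag is not set here either; NOTE(review): consider deriving it from
        // request.isSecure() or configuration if the cookie must never travel over plain HTTP — confirm
        // against the deployment before changing it.
        cookie.setHttpOnly(false);
        cookie.setPath(COOKIE_PATH);
        cookie.setMaxAge(maxAge);
        return cookie;
    }

    /**
     * Returns the value of the named cookie, or {@code null} when the request has no such cookie.
     *
     * <p>{@link HttpServletRequest#getCookies()} returns {@code null} (not an empty array) when the
     * request carries no cookies at all; that case is handled explicitly instead of dereferencing it.
     *
     * @param cookieName the cookie to look up
     * @param request    the request whose cookies are searched
     * @return the cookie value, or {@code null} if absent
     */
    private static String extractCookieToken(String cookieName, HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (cookieName.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Reduces a possibly multi-valued header to its first value.
     *
     * <p>If the raw header contains a comma, the part before the first comma is returned trimmed;
     * otherwise the raw value is returned unchanged.
     *
     * @param rawHeader the header as received
     * @return the first comma-separated value
     */
    private static String firstHeaderValue(String rawHeader) {
        int comma = rawHeader.indexOf(',');
        return comma == -1 ? rawHeader : rawHeader.substring(0, comma).trim();
    }

    /**
     * Compares the expected token with the one presented in constant time.
     *
     * <p>{@link MessageDigest#isEqual(byte[], byte[])} does not short-circuit on the first differing
     * byte, so a caller cannot learn how many leading characters of the token were right from the
     * response time. (It still returns early on a length mismatch; the token length is a configuration
     * value, not a secret.)
     *
     * @param expected the token from the cookie
     * @param presented the token from the header
     * @return {@code true} if both tokens are byte-for-byte equal
     */
    private static boolean tokensMatch(String expected, String presented) {
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Generates a fresh random token of the configured length, grouped with {@code '-'} every
     * {@value #GROUP_SIZE} characters (the separators are in addition to the configured length).
     *
     * <p>A new {@link SecureRandom} is obtained per call for the configured algorithm.
     *
     * @return the token, e.g. {@code "ab12-cd34"} for a length of 8 (constructed example)
     * @throws IllegalStateException if the configured algorithm is not available; this is a
     *                               {@link RuntimeException} subtype, so existing callers are unaffected
     * @throws NullPointerException  if no algorithm is configured
     */
    private String generateToken() {
        String algorithm = Objects.requireNonNull(this.xsrfConfig.getAlgorithm(), "xsrf algorithm");
        int length = this.xsrfConfig.getLength();

        SecureRandom secureRandom;
        try {
            secureRandom = SecureRandom.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(String.format("Unable to generate the random token - %s", e.getLocalizedMessage()), e);
        }

        // A non-positive length yields an empty token, as before.
        StringBuilder token = new StringBuilder();
        for (int produced = 1; produced <= length; produced++) {
            token.append(CHARSET[secureRandom.nextInt(CHARSET.length)]);
            // Separator after every full group, but never as a trailing character.
            if (produced % GROUP_SIZE == 0 && produced < length) {
                token.append(GROUP_SEPARATOR);
            }
        }
        return token.toString();
    }
}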
