package org.wso2.carbon.ui.valve;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.base.ServerConfiguration;
import org.wso2.carbon.utils.CarbonUtils;

/* loaded from: input_file:org/wso2/carbon/ui/valve/CSRFValve.class */
public class CSRFValve extends ValveBase {
    private static final String REFERER_HEADER = "referer";
    private static final String CSRF_VALVE_PROPERTY = "Security.CSRFPreventionConfig.CSRFValve";
    private static final String ENABLED_PROPERTY = "Security.CSRFPreventionConfig.CSRFValve.Enabled";
    private static final String WHITE_LIST_PROPERTY = "Security.CSRFPreventionConfig.CSRFValve.WhiteList.Url";
    private static final String RULE_PATTERN_PROPERTY = "Security.CSRFPreventionConfig.CSRFValve.Patterns.Pattern";
    private static final String RULE_PROPERTY = "Security.CSRFPreventionConfig.CSRFValve.Rule";
    private static final String RULE_ALLOW = "allow";
    private static final String RULE_DENY = "deny";
    private static final String AJAXPROCESSOR_URL_PATTERN = "ajaxprocessor.jsp";
    private static final String FINISHJSP_URL_PATTERN = "finish.jsp";
    // URI prefixes (leading "/" removed) that select which requests get the Referer check,
    // interpreted according to csrfRule ("allow" or "deny").
    private static String[] csrfPatternList;
    // Referer prefixes that are accepted; compared with String.startsWith.
    private static String[] whiteList;
    private static String csrfRule;
    private static final Log log = LogFactory.getLog(CSRFValve.class);
    private static Log audit = CarbonConstants.AUDIT_LOG;
    // Only flipped to true by loadConfiguration(); never reset to false.
    private static boolean csrfEnabled = false;

    /**
     * Reads the valve settings from {@link ServerConfiguration} into the static fields.
     * The check is switched on only when the white list, the pattern list and the rule are
     * all present and the Enabled property parses as {@code true}; otherwise the valve
     * stays disabled and every request is passed through untouched.
     */
    private void loadConfiguration() {
        ServerConfiguration config = ServerConfiguration.getInstance();
        whiteList = config.getProperties(WHITE_LIST_PROPERTY);
        csrfPatternList = config.getProperties(RULE_PATTERN_PROPERTY);
        csrfRule = config.getFirstProperty(RULE_PROPERTY);
        boolean configComplete = whiteList.length > 0
                && csrfPatternList.length > 0
                && csrfRule != null;
        if (!configComplete) {
            return;
        }
        // Boolean.parseBoolean(null) is false, so a missing Enabled property leaves the valve off.
        if (Boolean.parseBoolean(config.getFirstProperty(ENABLED_PROPERTY))) {
            csrfEnabled = true;
        }
    }

    /**
     * Container lifecycle hook: loads the CSRF configuration once the valve is initialised.
     *
     * @throws LifecycleException propagated from {@code ValveBase.initInternal()}
     */
    protected void initInternal() throws LifecycleException {
        super.initInternal();
        loadConfiguration();
    }

    /**
     * Applies the Referer check when enabled, then hands the request to the next valve.
     * A rejected request never reaches the next valve because validation throws.
     *
     * @throws ServletException when the request fails the Referer check
     */
    public void invoke(Request request, Response response) throws IOException, ServletException {
        if (csrfEnabled) {
            validatePatterns(request, response);
        }
        getNext().invoke(request, response);
    }

    /**
     * Decides whether this request's URI is subject to the Referer check.
     * With rule {@code allow}, URIs matching a configured pattern are exempt and all others are
     * checked; with rule {@code deny}, only matching URIs are checked. Any other rule value
     * checks nothing.
     */
    private void validatePatterns(Request request, Response response) throws ServletException {
        String uri = request.getRequestURI();
        // Drop everything up to and including the first "/" (the whole URI if there is none).
        String context = uri.substring(uri.indexOf('/') + 1);
        boolean allowRule = RULE_ALLOW.equals(csrfRule);
        boolean denyRule = RULE_DENY.equals(csrfRule);
        if (!allowRule && !denyRule) {
            return;
        }
        boolean matched = isContextStartWithGivenPatterns(context);
        // allow: check when NOT matched; deny: check when matched.
        if (allowRule != matched) {
            validateRefererHeader(request, response);
        }
    }

    /**
     * @return {@code true} if {@code context} starts with any entry of {@code csrfPatternList}
     */
    private boolean isContextStartWithGivenPatterns(String context) {
        for (String pattern : csrfPatternList) {
            if (context.startsWith(pattern)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the Referer header against the configured white list.
     * A Referer that starts with any white-list entry is accepted; any other value is rejected.
     * A missing Referer is tolerated except for the cases handled by
     * {@link #rejectMissingRefererOnSensitiveUri}.
     *
     * NOTE(review): the comparison is a plain prefix match, so an entry that ends at a host
     * name with no trailing "/" also accepts longer host names sharing that prefix — confirm
     * the configured entries are complete origins.
     *
     * @throws ServletException when the request is rejected
     */
    private void validateRefererHeader(Request request, Response response) throws ServletException {
        String referer = request.getHeader(REFERER_HEADER);
        if (referer == null) {
            rejectMissingRefererOnSensitiveUri(request, response);
            return;
        }
        for (String allowedPrefix : whiteList) {
            if (referer.startsWith(allowedPrefix)) {
                return;
            }
        }
        reject(response, "Possible CSRF attack. Refer header : " + referer);
    }

    /**
     * Handles a request without a Referer header: when the URI targets an ajaxprocessor.jsp or
     * finish.jsp page and the caller has an existing session, that session is invalidated and
     * the request is rejected. Requests without an existing session, or to other URIs, pass.
     *
     * @throws ServletException when the request is rejected
     */
    private void rejectMissingRefererOnSensitiveUri(Request request, Response response)
            throws ServletException {
        String uri = request.getRequestURI();
        boolean sensitiveUri = uri.contains(AJAXPROCESSOR_URL_PATTERN)
                || uri.contains(FINISHJSP_URL_PATTERN);
        if (!sensitiveUri) {
            return;
        }
        // getSession(false) never creates a session; no session means nothing to protect here.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        session.invalidate();
        reject(response, "Possible CSRF attack. Request to '" + uri + "' does not have a Referer header");
    }

    /**
     * Records the rejection in the application log (and the audit log unless legacy audit
     * logging is disabled), sets HTTP 403 and aborts the request.
     *
     * @throws ServletException always, carrying {@code message}
     */
    private static void reject(Response response, String message) throws ServletException {
        log.warn(message);
        if (!CarbonUtils.isLegacyAuditLogsDisabled()) {
            audit.warn(message);
        }
        response.setStatus(403);
        throw new ServletException(message);
    }
}
