package io.quarkus.csrf.reactive.runtime;

import io.vertx.core.http.Cookie;
import io.vertx.core.http.impl.CookieImpl;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Inject;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerResponseContext;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.server.ServerRequestFilter;
import org.jboss.resteasy.reactive.server.ServerResponseFilter;
import org.jboss.resteasy.reactive.server.WithFormRead;
import org.jboss.resteasy.reactive.server.spi.ResteasyReactiveContainerRequestContext;

/* loaded from: input_file:io/quarkus/csrf/reactive/runtime/CsrfRequestResponseReactiveFilter.class */
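/**
 * RESTEasy Reactive CSRF protection (double-submit cookie pattern).
 *
 * <p>The request filter validates any CSRF cookie already present, generates a fresh random token
 * for safe requests that carry no cookie, and rejects unsafe (non GET/HEAD/OPTIONS) requests whose
 * form field token does not match the cookie. The response filter turns a token generated during the
 * request into an {@code HttpOnly} cookie on GET responses.
 *
 * <p>The two filters communicate through {@link RoutingContext} attributes under the {@code CSRF_*}
 * keys below. Configuration is resolved per request from {@link #configInstance}.
 */
public class CsrfRequestResponseReactiveFilter {
    private static final Logger LOG = Logger.getLogger(CsrfRequestResponseReactiveFilter.class);
    // RoutingContext key: base64url-encoded token, either read from the cookie or freshly generated.
    private static final String CSRF_TOKEN_KEY = "csrf_token";
    // RoutingContext key: raw bytes of a freshly generated token, kept so the response filter can sign them.
    private static final String CSRF_TOKEN_BYTES_KEY = "csrf_token_bytes";
    // RoutingContext key: set to Boolean.TRUE once an unsafe request's token has been verified.
    private static final String CSRF_TOKEN_VERIFIED = "csrf_token_verified";
    // Expected decoded length of a signed cookie token. 32 bytes matches a 256-bit MAC;
    // presumably CsrfTokenUtils.signCsrfToken uses HMAC-SHA256 -- confirm against that class.
    private static final int SIGNED_TOKEN_SIZE = 32;
    private final SecureRandom secureRandom = new SecureRandom();

    @Inject
    Instance<CsrfReactiveConfig> configInstance;

    /**
     * Request-side CSRF check.
     *
     * <p>Order of operations:
     * <ol>
     *   <li>If a CSRF cookie is present it is stored under {@code csrf_token} and must be valid
     *       base64url of the expected length, otherwise the request is rejected with 400.</li>
     *   <li>Safe methods are never verified; when no cookie is present and the path requires a
     *       token, a new one is generated for the response filter to emit.</li>
     *   <li>With {@code verifyToken} disabled, an unsafe request only needs a well-formed cookie.</li>
     *   <li>Otherwise the request must be a form submission with an entity, a cookie and the
     *       configured form field; the form token (signed with {@code tokenSignatureKey} when
     *       configured) must equal the cookie value.</li>
     * </ol>
     *
     * @param resteasyReactiveContainerRequestContext the JAX-RS request, used to read method,
     *        media type and form parameters and to abort with 400
     * @param routingContext the Vert.x routing context carrying the cookie and the shared attributes
     */
    @ServerRequestFilter
    @WithFormRead
    public void filter(ResteasyReactiveContainerRequestContext resteasyReactiveContainerRequestContext, RoutingContext routingContext) {
        CsrfReactiveConfig config = this.configInstance.get();
        String cookieToken = getCookieToken(routingContext, config);
        if (cookieToken != null) {
            routingContext.put(CSRF_TOKEN_KEY, cookieToken);
            // A malformed or wrongly sized cookie is rejected for every method, safe ones included.
            if (!hasExpectedTokenSize(cookieToken, config)) {
                resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
                return;
            }
        }
        if (requestMethodIsSafe(resteasyReactiveContainerRequestContext)) {
            // Safe methods are never verified; only issue a token when none exists and the path needs one.
            if (cookieToken == null && isCsrfTokenRequired(routingContext, config)) {
                generateToken(routingContext, config);
            }
            return;
        }
        if (!config.verifyToken) {
            // Presence-only mode: the cookie value is not compared against anything.
            if (cookieToken == null) {
                LOG.debug("CSRF token is not found");
                resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
            }
            return;
        }
        MediaType mediaType = resteasyReactiveContainerRequestContext.getMediaType();
        if (!isMatchingMediaType(mediaType, MediaType.APPLICATION_FORM_URLENCODED_TYPE)
                && !isMatchingMediaType(mediaType, MediaType.MULTIPART_FORM_DATA_TYPE)) {
            if (config.requireFormUrlEncoded) {
                LOG.debugf("Request has the wrong media type: %s", mediaType);
                resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
            } else {
                // Non-form bodies (e.g. JSON) are allowed through unverified when not required to be forms.
                LOG.debugf("Request has the media type: %s, skipping the token verification", mediaType);
            }
            return;
        }
        if (!resteasyReactiveContainerRequestContext.hasEntity()) {
            LOG.debug("Request has no entity");
            resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
            return;
        }
        if (cookieToken == null) {
            LOG.debug("CSRF cookie is not found");
            resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
            return;
        }
        String formToken = (String) resteasyReactiveContainerRequestContext.getServerRequestContext()
                .getFormParameter(config.formFieldName, true, false);
        if (formToken == null) {
            LOG.debug("CSRF token is not found");
            resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
            return;
        }
        // When a signature key is configured the cookie holds the signed form of the token,
        // so the submitted form token has to be signed before comparing.
        String expectedCookieValue = config.tokenSignatureKey.isPresent()
                ? CsrfTokenUtils.signCsrfToken(formToken, config.tokenSignatureKey.get())
                : formToken;
        if (expectedCookieValue != null && constantTimeEquals(cookieToken, expectedCookieValue)) {
            routingContext.put(CSRF_TOKEN_VERIFIED, true);
        } else {
            LOG.debug("CSRF token value is wrong");
            resteasyReactiveContainerRequestContext.abortWith(badClientRequest());
        }
    }

    /**
     * Checks that the cookie decodes as base64url to the configured token length.
     *
     * @return {@code true} when the cookie is well formed and has the expected decoded size;
     *         {@code false} (after a debug log) otherwise
     */
    private static boolean hasExpectedTokenSize(String cookieToken, CsrfReactiveConfig config) {
        int expectedSize = config.tokenSignatureKey.isPresent() ? SIGNED_TOKEN_SIZE : config.tokenSize;
        int actualSize;
        try {
            actualSize = Base64.getUrlDecoder().decode(cookieToken).length;
        } catch (IllegalArgumentException e) {
            // Debug level only: this logs the rejected cookie value, so keep it out of production logs.
            LOG.debugf("Invalid CSRF token cookie: %s", cookieToken);
            return false;
        }
        if (actualSize != expectedSize) {
            LOG.debugf("Invalid CSRF token cookie size: expected %d, got %d", expectedSize, actualSize);
            return false;
        }
        return true;
    }

    /**
     * Generates {@code tokenSize} random bytes and stores both the raw bytes and their
     * base64url (unpadded) encoding in the routing context for the response filter.
     */
    private void generateToken(RoutingContext routingContext, CsrfReactiveConfig config) {
        byte[] tokenBytes = new byte[config.tokenSize];
        this.secureRandom.nextBytes(tokenBytes);
        routingContext.put(CSRF_TOKEN_BYTES_KEY, tokenBytes);
        routingContext.put(CSRF_TOKEN_KEY, Base64.getUrlEncoder().withoutPadding().encodeToString(tokenBytes));
    }

    /**
     * Compares two token strings without short-circuiting on the first differing byte, so response
     * timing does not reveal how much of the submitted token matched the cookie.
     */
    private static boolean constantTimeEquals(String actual, String expected) {
        return MessageDigest.isEqual(
                actual.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Compares type and subtype only; media type parameters such as {@code charset} are ignored.
     * Two {@code null} values match, a single {@code null} does not.
     */
    private static boolean isMatchingMediaType(MediaType mediaType, MediaType expected) {
        if (mediaType == null) {
            return expected == null;
        }
        return mediaType.getType().equals(expected.getType())
                && mediaType.getSubtype().equals(expected.getSubtype());
    }

    /** The rejection response used for every CSRF failure: a bare 400 with no body. */
    private static Response badClientRequest() {
        return Response.status(400).build();
    }

    /**
     * Response-side half: emits the CSRF cookie for GET requests that needed a token and had none.
     *
     * <p>The cookie value is the signature of the generated bytes when {@code tokenSignatureKey} is
     * configured, otherwise the base64url token itself. Nothing is emitted if the request filter did
     * not leave a token in the routing context.
     *
     * @param containerRequestContext the JAX-RS request, used only for its method
     * @param containerResponseContext unused; required by the filter signature
     * @param routingContext carries the generated token and receives the cookie
     */
    @ServerResponseFilter
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext, RoutingContext routingContext) {
        CsrfReactiveConfig config = this.configInstance.get();
        // Only GET responses set the cookie, even though the request filter generates tokens for HEAD/OPTIONS too.
        if (!containerRequestContext.getMethod().equals("GET")
                || !isCsrfTokenRequired(routingContext, config)
                || getCookieToken(routingContext, config) != null) {
            return;
        }
        String cookieValue;
        if (config.tokenSignatureKey.isPresent()) {
            byte[] tokenBytes = (byte[]) routingContext.get(CSRF_TOKEN_BYTES_KEY);
            if (tokenBytes == null) {
                LOG.debug("CSRF Request Filter did not set the property csrf_token_bytes, no CSRF cookie will be created");
                return;
            }
            cookieValue = CsrfTokenUtils.signCsrfToken(tokenBytes, config.tokenSignatureKey.get());
        } else {
            String token = (String) routingContext.get(CSRF_TOKEN_KEY);
            if (token == null) {
                LOG.debug("CSRF Request Filter did not set the property csrf_token, no CSRF cookie will be created");
                return;
            }
            cookieValue = token;
        }
        createCookie(cookieValue, routingContext, config);
    }

    /**
     * Reads the configured CSRF cookie.
     *
     * @return the raw cookie value, or {@code null} (after a debug log) when the cookie is absent
     */
    private String getCookieToken(RoutingContext routingContext, CsrfReactiveConfig config) {
        Cookie cookie = routingContext.getCookie(config.cookieName);
        if (cookie == null) {
            LOG.debug("CSRF token cookie is not set");
            return null;
        }
        return cookie.getValue();
    }

    /**
     * A token is required on every path unless {@code createTokenPath} is configured, in which case
     * only requests whose exact path is in that collection receive one.
     */
    private boolean isCsrfTokenRequired(RoutingContext routingContext, CsrfReactiveConfig config) {
        if (!config.createTokenPath.isPresent()) {
            return true;
        }
        return config.createTokenPath.get().contains(routingContext.request().path());
    }

    /**
     * Adds the CSRF cookie to the response.
     *
     * <p>The cookie is {@code HttpOnly} (scripts read the token from the server-rendered form
     * field, not from the cookie) and {@code Secure} when forced by configuration or when the
     * request itself arrived over TLS. No {@code SameSite} attribute is set here.
     */
    private void createCookie(String cookieValue, RoutingContext routingContext, CsrfReactiveConfig config) {
        CookieImpl cookie = new CookieImpl(config.cookieName, cookieValue);
        cookie.setHttpOnly(true);
        cookie.setSecure(config.cookieForceSecure || routingContext.request().isSSL());
        cookie.setMaxAge(config.cookieMaxAge.toSeconds());
        cookie.setPath(config.cookiePath);
        if (config.cookieDomain.isPresent()) {
            cookie.setDomain(config.cookieDomain.get());
        }
        routingContext.response().addCookie(cookie);
    }

    /**
     * Safe methods in the sense of RFC 9110: GET, HEAD and OPTIONS are never token-verified.
     * Every other method (POST, PUT, PATCH, DELETE, ...) is subject to verification.
     */
    private static boolean requestMethodIsSafe(ContainerRequestContext containerRequestContext) {
        switch (containerRequestContext.getMethod()) {
            case "GET":
            case "HEAD":
            case "OPTIONS":
                return true;
            default:
                return false;
        }
    }
}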
