package org.owasp.esapi.waf.rules;

import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.owasp.esapi.waf.actions.Action;
import org.owasp.esapi.waf.actions.DefaultAction;
import org.owasp.esapi.waf.actions.DoNothingAction;
import org.owasp.esapi.waf.internal.InterceptingHTTPServletResponse;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/opensaml-2.6.6.wso2v3.jar:esapi-2.1.0.1.jar:org/owasp/esapi/waf/rules/AuthenticatedRule.class
  input_file:WEB-INF/lib/wss4j-1.5.11-wso2v19.jar:esapi-2.1.0.1.jar:org/owasp/esapi/waf/rules/AuthenticatedRule.class
 */
/* loaded from: input_file:WEB-INF/lib/esapi-2.1.0.1.jar:org/owasp/esapi/waf/rules/AuthenticatedRule.class */
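/**
 * WAF rule that requires an authenticated session for requests whose URI
 * falls inside the protected path.
 *
 * <p>A request counts as authenticated when its existing session carries a
 * non-null value under the configured session attribute. Requests outside the
 * protected path, and requests matching an entry in the exception list, are
 * let through untouched.
 */
public class AuthenticatedRule extends Rule {
    /** Name of the session attribute whose presence marks the session as authenticated. */
    private final String sessionAttribute;
    /** Pattern selecting the URIs this rule protects; {@code null} means every URI. */
    private final Pattern path;
    /** URIs exempt from the rule: {@link Pattern} entries are matched, {@link String} entries compared exactly. */
    private final List<Object> exceptions;

    /**
     * @param str     rule id, passed to {@code setId}
     * @param str2    session attribute that must be non-null for an authenticated session
     * @param pattern URIs the rule applies to, or {@code null} to apply to all URIs
     * @param list    exempt URIs ({@link Pattern} or {@link String} entries); may be {@code null}
     */
    public AuthenticatedRule(String str, String str2, Pattern pattern, List<Object> list) {
        this.sessionAttribute = str2;
        this.path = pattern;
        this.exceptions = list;
        setId(str);
    }

    /**
     * Decides whether the request may proceed without authentication.
     *
     * @return a {@link DoNothingAction} when the URI is out of scope, the session is
     *         authenticated, or the URI is exempt; otherwise a {@link DefaultAction}
     *         after the attempt has been logged
     */
    @Override // org.owasp.esapi.waf.rules.Rule
    public Action check(HttpServletRequest httpServletRequest, InterceptingHTTPServletResponse interceptingHTTPServletResponse, HttpServletResponse httpServletResponse) {
        // NOTE(review): getRequestURI() is the raw request path as sent by the
        // client (not decoded or normalized by the container). Confirm that the
        // protected-path pattern and the exception entries are written against
        // that raw form, otherwise scope and exemption decisions can differ
        // from what the application finally routes.
        String requestURI = httpServletRequest.getRequestURI();
        if (this.path != null && !this.path.matcher(requestURI).matches()) {
            return new DoNothingAction();
        }

        // getSession(false): do not create a session for an unauthenticated
        // request. The no-arg getSession() always allocates one, which made the
        // null check below dead code and handed a fresh session to every
        // anonymous client hitting a protected URI.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null && session.getAttribute(this.sessionAttribute) != null) {
            return new DoNothingAction();
        }

        // A missing exception list means "no exemptions" rather than a
        // NullPointerException in the middle of an access decision.
        if (this.exceptions != null) {
            for (Object obj : this.exceptions) {
                if (obj instanceof Pattern) {
                    if (((Pattern) obj).matcher(requestURI).matches()) {
                        return new DoNothingAction();
                    }
                } else if ((obj instanceof String) && requestURI.equals((String) obj)) {
                    return new DoNothingAction();
                }
            }
        }

        // NOTE(review): URI and query string are client-controlled and go into
        // the log message as-is; verify that Rule.log() neutralizes CR/LF and
        // other control characters before the entry is written.
        // The closing "]" replaces a decompiler-substituted reference to
        // DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END, which has the same value.
        log(httpServletRequest, "User requested unauthenticated access to URI '" + requestURI + "' [querystring=" + httpServletRequest.getQueryString() + "]");
        return new DefaultAction();
    }
}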
