package io.vertx.ext.web.handler.impl;

import io.vertx.core.Vertx;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.CookieSameSite;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.ext.auth.VertxContextPRNG;
import io.vertx.ext.auth.impl.Codec;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.Session;
import io.vertx.ext.web.handler.CSRFHandler;
import io.vertx.ext.web.impl.Origin;
import io.vertx.ext.web.impl.RoutingContextInternal;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.jboss.resteasy.spi.HttpResponseCodes;

/* loaded from: input_file:io/vertx/ext/web/handler/impl/CSRFHandlerImpl.class */
public class CSRFHandlerImpl implements CSRFHandler {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) CSRFHandlerImpl.class);
    private final VertxContextPRNG random;
    private final Mac mac;
    private boolean nagHttps;
    private String cookieName = "XSRF-TOKEN";
    private String cookiePath = "/";
    private String headerName = "X-XSRF-TOKEN";
    private long timeout = 1800000;
    private Origin origin;
    private boolean httpOnly;

    public CSRFHandlerImpl(Vertx vertx, String str) {
        try {
            if (str.length() <= 8) {
                LOG.warn("CSRF secret is very short (<= 8 bytes)");
            }
            this.random = VertxContextPRNG.current(vertx);
            this.mac = Mac.getInstance("HmacSHA256");
            this.mac.init(new SecretKeySpec(str.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setOrigin(String str) {
        this.origin = Origin.parse(str);
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setCookieName(String str) {
        this.cookieName = str;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setCookiePath(String str) {
        this.cookiePath = str;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setCookieHttpOnly(boolean z) {
        this.httpOnly = z;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setHeaderName(String str) {
        this.headerName = str;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setTimeout(long j) {
        this.timeout = j;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setNagHttps(boolean z) {
        this.nagHttps = z;
        return this;
    }

    private String generateAndStoreToken(RoutingContext routingContext) {
        byte[] bArr = new byte[32];
        this.random.nextBytes(bArr);
        String str = Codec.base64UrlEncode(bArr) + "." + System.currentTimeMillis();
        String str2 = str + "." + Codec.base64UrlEncode(this.mac.doFinal(str.getBytes(StandardCharsets.US_ASCII)));
        routingContext.response().addCookie(Cookie.cookie(this.cookieName, str2).setPath(this.cookiePath).setHttpOnly(this.httpOnly).setSameSite(CookieSameSite.STRICT));
        Session session = routingContext.session();
        if (session != null) {
            session.put(this.headerName, session.id() + "/" + str2);
        }
        return str2;
    }

    private String getTokenFromSession(RoutingContext routingContext) {
        String str;
        int indexOf;
        Session session = routingContext.session();
        if (session == null || (str = (String) session.get(this.headerName)) == null || (indexOf = str.indexOf(47)) == -1 || session.id() == null || !session.id().equals(str.substring(0, indexOf))) {
            return null;
        }
        return str.substring(indexOf + 1);
    }

    private static boolean isBlank(String str) {
        return str == null || str.trim().isEmpty();
    }

    private static long parseLong(String str) {
        if (isBlank(str)) {
            return -1L;
        }
        try {
            return Long.parseLong(str);
        } catch (NumberFormatException e) {
            LOG.trace("Invalid Token format", e);
            return -1L;
        }
    }

    private boolean isValidRequest(RoutingContext routingContext) {
        byte[] doFinal;
        Cookie cookie = routingContext.request().getCookie(this.cookieName);
        String header = routingContext.request().getHeader(this.headerName);
        if (header == null) {
            if (!((RoutingContextInternal) routingContext).seenHandler(2)) {
                routingContext.fail(new IllegalStateException("BodyHandler is required to process POST requests"));
                return false;
            }
            header = routingContext.request().getFormAttribute(this.headerName);
        }
        if (header == null || cookie == null || isBlank(header)) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("Token provided via HTTP Header/Form is absent/empty"));
            return false;
        }
        String value = cookie.getValue();
        if (value == null || isBlank(value)) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("Token provided via HTTP Header/Form is absent/empty"));
            return false;
        }
        byte[] bytes = header.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(bytes, value.getBytes(StandardCharsets.UTF_8))) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("Token provided via HTTP Header and via Cookie are not equal"));
            return false;
        }
        Session session = routingContext.session();
        if (session != null) {
            String str = (String) session.get(this.headerName);
            if (str == null) {
                routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("No Token has been added to the session"));
                return false;
            }
            int indexOf = str.indexOf(47);
            if (indexOf == -1 || session.id() == null || !session.id().equals(str.substring(0, indexOf))) {
                routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("Token has been issued for a different session"));
                return false;
            }
            if (!MessageDigest.isEqual(str.substring(indexOf + 1).getBytes(StandardCharsets.UTF_8), bytes)) {
                routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("Token has been used or is outdated"));
                return false;
            }
        }
        String[] split = header.split("\\.");
        if (split.length != 3) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN);
            return false;
        }
        byte[] bytes2 = (split[0] + "." + split[1]).getBytes(StandardCharsets.US_ASCII);
        synchronized (this.mac) {
            doFinal = this.mac.doFinal(bytes2);
        }
        if (!MessageDigest.isEqual(Codec.base64UrlEncode(doFinal).getBytes(StandardCharsets.US_ASCII), split[2].getBytes(StandardCharsets.US_ASCII))) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("Token signature does not match"));
            return false;
        }
        if (session != null) {
            session.remove(this.headerName);
        }
        long parseLong = parseLong(split[1]);
        if (parseLong == -1) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN);
            return false;
        }
        if (System.currentTimeMillis() <= parseLong + this.timeout) {
            return true;
        }
        routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalArgumentException("CSRF validity expired"));
        return false;
    }

    @Override // io.vertx.core.Handler
    public void handle(RoutingContext routingContext) {
        String generateAndStoreToken;
        String absoluteURI;
        if (this.nagHttps && (absoluteURI = routingContext.request().absoluteURI()) != null && !absoluteURI.startsWith("https:")) {
            LOG.trace("Using session cookies without https could make you susceptible to session hijacking: " + absoluteURI);
        }
        HttpMethod method = routingContext.request().method();
        Session session = routingContext.session();
        if (!Origin.check(this.origin, routingContext)) {
            routingContext.fail(HttpResponseCodes.SC_FORBIDDEN, new IllegalStateException("Invalid Origin"));
            return;
        }
        String name = method.name();
        boolean z = -1;
        switch (name.hashCode()) {
            case 70454:
                if (name.equals("GET")) {
                    z = false;
                    break;
                }
                break;
            case 79599:
                if (name.equals(javax.ws.rs.HttpMethod.PUT)) {
                    z = 2;
                    break;
                }
                break;
            case 2461856:
                if (name.equals(javax.ws.rs.HttpMethod.POST)) {
                    z = true;
                    break;
                }
                break;
            case 75900968:
                if (name.equals(javax.ws.rs.HttpMethod.PATCH)) {
                    z = 4;
                    break;
                }
                break;
            case 2012838315:
                if (name.equals(javax.ws.rs.HttpMethod.DELETE)) {
                    z = 3;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (session == null) {
                    generateAndStoreToken = generateAndStoreToken(routingContext);
                } else {
                    String tokenFromSession = getTokenFromSession(routingContext);
                    if (tokenFromSession == null) {
                        generateAndStoreToken = generateAndStoreToken(routingContext);
                    } else {
                        long parseLong = parseLong(tokenFromSession.split("\\.")[1]);
                        generateAndStoreToken = parseLong == -1 ? generateAndStoreToken(routingContext) : System.currentTimeMillis() <= parseLong + this.timeout ? tokenFromSession : generateAndStoreToken(routingContext);
                    }
                }
                routingContext.put(this.headerName, generateAndStoreToken);
                routingContext.next();
                return;
            case true:
            case true:
            case true:
            case true:
                if (isValidRequest(routingContext)) {
                    routingContext.put(this.headerName, generateAndStoreToken(routingContext));
                    routingContext.next();
                    return;
                }
                return;
            default:
                routingContext.next();
                return;
        }
    }
}
