package info.magnolia.cms.security;

import info.magnolia.audit.AuditLoggingUtil;
import info.magnolia.cms.filters.AbstractMgnlFilter;
import info.magnolia.context.Context;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:info/magnolia/cms/security/CsrfTokenSecurityFilter.class */
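/**
 * Synchronizer-token CSRF filter.
 *
 * <p>For {@code POST} requests the filter requires a request parameter named {@value #CSRF_ATTRIBUTE_NAME}
 * whose value equals the token stored under the same name in the HTTP session; a missing or mismatched
 * token is audit-logged and answered with {@code 403 Forbidden} without invoking the rest of the chain.
 * For every other HTTP method the filter makes sure a token exists in the session, generating one if
 * necessary, so that it is available for later form rendering (the rendering side is not part of this
 * class).
 *
 * <p>Only {@code POST} is verified here; other state-changing methods (PUT, DELETE, PATCH) pass through
 * unchecked. NOTE(review): confirm with the deployment whether anything behind this filter accepts
 * state-changing requests on those methods.
 */
public class CsrfTokenSecurityFilter extends AbstractMgnlFilter {
    private static final Logger log = LoggerFactory.getLogger(CsrfTokenSecurityFilter.class);

    /** Name of both the request parameter carrying the token and the session attribute holding the expected value. */
    static final String CSRF_ATTRIBUTE_NAME = "csrf";

    /** Event type recorded in the security audit log and the application log. */
    private static final String EVENT_TYPE = "Possible CSRF Attack";

    /** Number of random bytes per token (160 bits) before URL-safe Base64 encoding. */
    private static final int TOKEN_BYTES = 20;

    /** Wording used in the audit message when the parameter is absent or blank. */
    private static final String PROBLEM_NOT_SET = "not set";

    /** Wording used in the audit message when the parameter does not equal the session token. */
    private static final String PROBLEM_MISMATCHED = "mismatched";

    /** Token source; a SecureRandom is required because the token must be unguessable. */
    private final Random random = new SecureRandom();

    private final Provider<Context> contextProvider;

    /**
     * @param provider supplies the current Magnolia {@link Context}, used only to name the user in audit messages
     */
    @Inject
    public CsrfTokenSecurityFilter(Provider<Context> provider) {
        this.contextProvider = provider;
    }

    /**
     * Verifies the token on {@code POST}, seeds it on any other method, then continues the chain.
     *
     * @throws IOException      if writing the error response or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if ("POST".equals(httpServletRequest.getMethod())) {
            String presented = httpServletRequest.getParameter(CSRF_ATTRIBUTE_NAME);
            if (StringUtils.isBlank(presented)) {
                reject(httpServletRequest, httpServletResponse, PROBLEM_NOT_SET);
                return;
            }
            // NOTE(review): getSession() creates a session for a POST that has none; getSession(false)
            // would avoid that, but whether the Magnolia context used in reject() relies on the session
            // already existing is not visible here, so the original behaviour is kept.
            Object expected = httpServletRequest.getSession().getAttribute(CSRF_ATTRIBUTE_NAME);
            if (!tokenMatches(presented, expected)) {
                reject(httpServletRequest, httpServletResponse, PROBLEM_MISMATCHED);
                return;
            }
        } else if (httpServletRequest.getSession().getAttribute(CSRF_ATTRIBUTE_NAME) == null) {
            // Seed the token on the first non-POST request so later form submissions can present it.
            httpServletRequest.getSession().setAttribute(CSRF_ATTRIBUTE_NAME, generateSafeToken());
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Compares the presented token with the stored one in constant time.
     *
     * <p>{@link MessageDigest#isEqual} does not short-circuit on the first differing byte, so the comparison
     * leaks no information about how many leading characters of the expected token were correct. A stored
     * value that is absent or not a {@link String} never matches.
     *
     * @param presented non-blank token from the request parameter
     * @param expected  value read from the session attribute; may be {@code null}
     * @return {@code true} only if both are strings with identical content
     */
    private static boolean tokenMatches(String presented, Object expected) {
        if (!(expected instanceof String)) {
            return false;
        }
        byte[] presentedBytes = presented.getBytes(StandardCharsets.UTF_8);
        byte[] expectedBytes = ((String) expected).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(presentedBytes, expectedBytes);
    }

    /**
     * Builds the audit message for a failed check and delegates to {@link #handleError}.
     *
     * @param problem either {@link #PROBLEM_NOT_SET} or {@link #PROBLEM_MISMATCHED}; spliced into the message
     * @throws IOException if the error response cannot be written
     */
    private void reject(HttpServletRequest request, HttpServletResponse response, String problem) throws IOException {
        String userName = this.contextProvider.get().getUser().getName();
        String message = String.format("CSRF token %s while user '%s' attempted to access url '%s'.",
                problem, userName, request.getServletPath());
        handleError(request, response, message);
    }

    /**
     * Records the event in the audit log and answers with {@code 403}.
     *
     * <p>The response text deliberately does not distinguish a missing from a mismatched token; the
     * distinction is kept in the audit message only.
     *
     * @param str audit message describing the failed check
     * @throws IOException if the error response cannot be written
     */
    protected void handleError(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        auditLogging(httpServletRequest, httpServletResponse, str);
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token mismatch possibly caused by expired session. Please re-open the page and submit the form again.");
    }

    /**
     * Writes the event to the application log and to the security audit log, keyed by the client's remote address.
     *
     * @param str audit message describing the failed check
     */
    private void auditLogging(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws IOException {
        log.warn("{}. {}", EVENT_TYPE, str);
        AuditLoggingUtil.logSecurity(httpServletRequest.getRemoteAddr(), EVENT_TYPE, str);
    }

    /**
     * Generates a fresh token: {@value #TOKEN_BYTES} random bytes, URL-safe Base64 without padding,
     * so it can be placed in form fields and query strings without further escaping.
     */
    private String generateSafeToken() {
        byte[] raw = new byte[TOKEN_BYTES];
        this.random.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}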
