package org.appng.core.controller.filter;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.servlet.DispatcherType;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.disk.DiskFileItem;
import org.appng.api.Platform;
import org.appng.api.RequestUtil;
import org.appng.api.Scope;
import org.appng.api.SiteProperties;
import org.appng.api.model.Properties;
import org.appng.api.support.environment.DefaultEnvironment;
import org.appng.forms.FormUpload;
import org.appng.forms.Request;
import org.appng.forms.impl.FormUploadBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.FileSystemResource;
import org.springframework.core.io.Resource;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.multipart.MultipartException;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartFile;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.MultipartFilter;

@WebListener
/* loaded from: input_file:WEB-INF/lib/appng-core-1.18.0-RC2.jar:org/appng/core/controller/filter/CsrfSetupFilter.class */
public class CsrfSetupFilter implements ServletContextListener {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CsrfSetupFilter.class);
    public static final String CSRF_TOKEN = ".CSRF_TOKEN";
    private static final String CSRF_PARAM = "_csrf";
    private static final String SLASH_ALL = "/*";

    /* loaded from: input_file:WEB-INF/lib/appng-core-1.18.0-RC2.jar:org/appng/core/controller/filter/CsrfSetupFilter$MultipartRequest.class */
    /**
     * {@link Request} view over a multipart request that has already been parsed into a
     * {@link MultipartHttpServletRequest}.
     *
     * <p>Security-relevant behaviour visible in this class:
     * <ul>
     * <li>{@link #setMaxSize(long)}, {@link #setMaxSize(long, boolean)}, {@link #setAcceptedTypes(String, String...)},
     * {@link #setTempDir(File)}, {@link #setEncoding(String)} and {@link #process(HttpServletRequest)} are empty, and
     * {@link #isValid()} always returns {@code true}. Size or type limits requested through this API are therefore
     * not applied by this implementation; any limit has to be enforced where the multipart body is parsed.</li>
     * <li>The original file name and content type of an upload are taken from the request as sent and are passed on
     * unchanged. Consumers should treat both as untrusted and never use the file name as a path.</li>
     * <li>{@link #addParameter(String, String)} never replaces a parameter that the client sent.</li>
     * </ul>
     */
    class MultipartRequest implements Request {
        /** The parsed multipart request every call is delegated to. */
        private final MultipartHttpServletRequest wrapped;
        /** Parameters added by the application, kept apart from the ones in the HTTP request. */
        private final Map<String, String> additionalParams = new HashMap<>();
        /** Server name of the wrapped request, captured once at construction time. */
        private final String host;

        MultipartRequest(MultipartHttpServletRequest multipartHttpServletRequest) {
            this.wrapped = multipartHttpServletRequest;
            this.host = multipartHttpServletRequest.getServerName();
        }

        /** Returns {@code true} if {@link #getParameter(String)} yields a non-null value for {@code str}. */
        @Override
        public boolean hasParameter(String str) {
            return null != getParameter(str);
        }

        /** Returns an unmodifiable map from every known parameter name to all of its values. */
        @Override
        public Map<String, List<String>> getParametersList() {
            Map<String, List<String>> valuesByName = new HashMap<>();
            for (String name : getParameterNames()) {
                valuesByName.put(name, getParameterList(name));
            }
            return Collections.unmodifiableMap(valuesByName);
        }

        /** Returns an unmodifiable map from every known parameter name to its single value. */
        @Override
        public Map<String, String> getParameters() {
            Map<String, String> valueByName = new HashMap<>();
            for (String name : getParameterNames()) {
                valueByName.put(name, getParameter(name));
            }
            return Collections.unmodifiableMap(valueByName);
        }

        /** Returns the unmodifiable union of the request's parameter names and the additional ones. */
        @Override
        public Set<String> getParameterNames() {
            Set<String> names = new HashSet<>(Collections.list(this.wrapped.getParameterNames()));
            names.addAll(this.additionalParams.keySet());
            return Collections.unmodifiableSet(names);
        }

        /**
         * Returns the values of a parameter. An additional parameter yields a one-element list; otherwise the
         * request's values are returned, or an empty list if the request has none.
         */
        @Override
        public List<String> getParameterList(String str) {
            if (this.additionalParams.containsKey(str)) {
                return Arrays.asList(this.additionalParams.get(str));
            }
            String[] requestValues = this.wrapped.getParameterValues(str);
            if (requestValues == null) {
                return Collections.emptyList();
            }
            return Arrays.asList(requestValues);
        }

        /** Returns the additional parameter of that name if one was added, else the request's parameter. */
        @Override
        public String getParameter(String str) {
            if (this.additionalParams.containsKey(str)) {
                return this.additionalParams.get(str);
            }
            return this.wrapped.getParameter(str);
        }

        /** Returns the server name recorded when this object was created. */
        @Override
        public String getHost() {
            return this.host;
        }

        /** Returns an unmodifiable list of the non-empty uploads sent under the field name {@code str}. */
        @Override
        public List<FormUpload> getFormUploads(String str) {
            List<FormUpload> uploads = new ArrayList<>();
            for (MultipartFile part : this.wrapped.getFiles(str)) {
                if (part.isEmpty()) {
                    continue;
                }
                uploads.add(getFormUpload(part));
            }
            return Collections.unmodifiableList(uploads);
        }

        /**
         * Converts one uploaded part into a {@link FormUpload} backed by the item's store location, writing an
         * in-memory item to that location first.
         *
         * <p>A failed write is only logged; the returned upload then refers to a file that may not exist.
         */
        private FormUpload getFormUpload(MultipartFile multipartFile) {
            // Both casts assume the part comes from the commons-fileupload based resolver with disk-backed items.
            DiskFileItem item = (DiskFileItem) ((CommonsMultipartFile) multipartFile).getFileItem();
            // NOTE(review): depending on the commons-fileupload version, getStoreLocation() may return null for
            // items held in memory. Confirm this; a null would fail below, including inside the error handler.
            File target = item.getStoreLocation();
            if (item.isInMemory()) {
                try {
                    item.write(target);
                } catch (Exception e) {
                    CsrfSetupFilter.log.error("error writing " + target.getAbsolutePath(), e);
                }
            }
            // File name and content type are client-supplied and passed on unvalidated.
            // NOTE(review): the last two arguments are an empty list and the file's own length, presumably the
            // accepted types and the maximum size. If so, the bean's own type/size checks cannot reject anything.
            // Verify against FormUploadBean.
            return new FormUploadBean(target, multipartFile.getOriginalFilename(), multipartFile.getContentType(), new ArrayList<String>(), target.length());
        }

        /** Returns an unmodifiable map from each file field name to its non-empty uploads. */
        @Override
        public Map<String, List<FormUpload>> getFormUploads() {
            Map<String, List<FormUpload>> uploadsByField = new HashMap<>();
            for (String field : this.wrapped.getFileMap().keySet()) {
                uploadsByField.put(field, getFormUploads(field));
            }
            return Collections.unmodifiableMap(uploadsByField);
        }

        /** No-op: the argument is ignored. */
        @Override
        public void setTempDir(File file) {
        }

        /** No-op: the requested limit is ignored by this implementation. */
        @Override
        public void setMaxSize(long j, boolean z) {
        }

        /** No-op: the requested limit is ignored by this implementation. */
        @Override
        public void setMaxSize(long j) {
        }

        /** No-op: the argument is ignored. */
        @Override
        public void setEncoding(String str) {
        }

        /** No-op: the accepted types are neither stored nor enforced by this implementation. */
        @Override
        public void setAcceptedTypes(String str, String... strArr) {
        }

        /** No-op: the wrapped request is already parsed. */
        @Override
        public void process(HttpServletRequest httpServletRequest) {
        }

        /** Always {@code true}; this implementation performs no validation of its own. */
        @Override
        public boolean isValid() {
            return true;
        }

        /** Returns whether the wrapped request's method is POST, ignoring case. */
        @Override
        public boolean isPost() {
            String method = this.wrapped.getMethod();
            return method.equalsIgnoreCase("POST");
        }

        /** Always {@code true}. */
        @Override
        public boolean isMultiPart() {
            return true;
        }

        /** Returns whether the wrapped request's method is GET, ignoring case. */
        @Override
        public boolean isGet() {
            String method = this.wrapped.getMethod();
            return method.equalsIgnoreCase("GET");
        }

        /** Returns the wrapped multipart request. */
        @Override
        public HttpServletRequest getHttpServletRequest() {
            return this.wrapped;
        }

        /** Returns the character encoding reported by the wrapped request. */
        @Override
        public String getEncoding() {
            return this.wrapped.getCharacterEncoding();
        }

        /** Always returns {@code null}, since accepted types are not tracked here; callers must handle it. */
        @Override
        public List<String> getAcceptedTypes(String str) {
            return null;
        }

        /** Adds each entry through {@link #addParameter(String, String)}. */
        @Override
        public void addParameters(Map<String, String> map) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                addParameter(entry.getKey(), entry.getValue());
            }
        }

        /**
         * Adds a parameter unless the HTTP request already carries one of that name. A value sent by the client
         * therefore always wins over a value the application tries to add.
         */
        @Override
        public void addParameter(String str, String str2) {
            boolean sentByClient = this.wrapped.getParameter(str) != null;
            if (!sentByClient) {
                this.additionalParams.put(str, str2);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/appng-core-1.18.0-RC2.jar:org/appng/core/controller/filter/CsrfSetupFilter$MultipartResolver.class */
    /**
     * {@link CommonsMultipartResolver} that also publishes the parsed request as a {@link MultipartRequest} under
     * the {@link Request#REQUEST_PARSED} request attribute.
     *
     * <p>The constructor sets only the upload temp directory. No upload size limit is configured in this class, so
     * the resolver keeps the default of {@code CommonsMultipartResolver}, which is unlimited unless it is set
     * elsewhere. Because {@link MultipartRequest} ignores size limits as well, a limit has to come from this
     * resolver or from in front of the application.
     */
    public class MultipartResolver extends CommonsMultipartResolver {
        /**
         * @param resource directory that uploaded parts are written to
         * @throws IOException declared by this constructor; raised by {@code setUploadTempDir}
         */
        MultipartResolver(Resource resource) throws IOException {
            this.setUploadTempDir(resource);
        }

        /**
         * Parses the multipart body through the superclass, then stores a {@link MultipartRequest} wrapping the
         * result as a request attribute before returning the parsed request.
         */
        @Override
        public MultipartHttpServletRequest resolveMultipart(HttpServletRequest httpServletRequest) throws MultipartException {
            MultipartHttpServletRequest parsed = super.resolveMultipart(httpServletRequest);
            Request formRequest = new MultipartRequest(parsed);
            httpServletRequest.setAttribute(Request.REQUEST_PARSED, formRequest);
            return parsed;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/appng-core-1.18.0-RC2.jar:org/appng/core/controller/filter/CsrfSetupFilter$SiteRequestMatcher.class */
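    /**
     * Decides per request whether the CSRF filter has to validate a token, based on the properties of the site
     * the request belongs to.
     *
     * <p>A request that does not match is not checked for a token at all, so the three site properties read here
     * define the whole protected surface.
     */
    class SiteRequestMatcher implements RequestMatcher {
        SiteRequestMatcher() {
        }

        /**
         * Returns {@code true} only if CSRF protection is enabled for the site, the request method is listed in
         * {@code SiteProperties.CSRF_PROTECTED_METHODS} and the servlet path starts with one of the entries of
         * {@code SiteProperties.CSRF_PROTECTED_PATHS}.
         *
         * @param httpServletRequest the request under inspection
         * @return whether a CSRF token is required for this request
         */
        @Override
        public boolean matches(HttpServletRequest httpServletRequest) {
            // NOTE(review): the result of getSite(...) is dereferenced without a null check. Confirm it cannot be
            // null for a request whose host matches no site.
            Properties siteProps = RequestUtil.getSite(DefaultEnvironment.get((ServletRequest) httpServletRequest, (ServletResponse) null), httpServletRequest).getProperties();
            if (!siteProps.getBoolean(SiteProperties.CSRF_PROTECTION_ENABLED).booleanValue()) {
                return false;
            }
            // Locale.ROOT keeps the case mapping independent of the JVM default locale; with the default-locale
            // overload, a Turkish locale maps 'i' to a dotted capital and the method would never match the list.
            String method = httpServletRequest.getMethod().toUpperCase(java.util.Locale.ROOT);
            // The comparison is exact, so configured methods have to be written in upper case.
            if (!siteProps.getList(SiteProperties.CSRF_PROTECTED_METHODS, ",").contains(method)) {
                return false;
            }
            String servletPath = httpServletRequest.getServletPath();
            // Plain prefix comparison against each entry as configured; an empty entry would match every path.
            // NOTE(review): whether getList trims whitespace around entries is not visible here. Confirm it.
            for (String protectedPath : siteProps.getList(SiteProperties.CSRF_PROTECTED_PATHS, ",")) {
                if (servletPath.startsWith(protectedPath)) {
                    CsrfSetupFilter.log.debug("CSRF protection enabled for {} {}", httpServletRequest.getMethod(), servletPath);
                    return true;
                }
            }
            return false;
        }
    }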

    /* loaded from: input_file:WEB-INF/lib/appng-core-1.18.0-RC2.jar:org/appng/core/controller/filter/CsrfSetupFilter$TokenRepository.class */
    /**
     * {@link CsrfTokenRepository} that keeps the token in the session scope of the environment obtained from the
     * HTTP session, under the key {@link CsrfSetupFilter#CSRF_TOKEN}.
     *
     * <p>{@code getSession()} is called without arguments in both {@link #saveToken} and {@link #loadToken}, so a
     * session is created whenever the request has none.
     */
    class TokenRepository implements CsrfTokenRepository {
        TokenRepository() {
        }

        /**
         * Creates a token with header name {@code CSRF_TOKEN}, parameter name {@code CSRF_PARAM} and a random UUID
         * as value, stores it right away and returns it.
         *
         * <p>{@link UUID#randomUUID()} draws from a cryptographically strong generator; a version 4 UUID carries
         * 122 random bits.
         */
        @Override
        public CsrfToken generateToken(HttpServletRequest httpServletRequest) {
            String tokenValue = UUID.randomUUID().toString();
            DefaultCsrfToken token = new DefaultCsrfToken(CsrfSetupFilter.CSRF_TOKEN, CsrfSetupFilter.CSRF_PARAM, tokenValue);
            saveToken(token, httpServletRequest, null);
            return token;
        }

        /**
         * Stores {@code csrfToken} as a session-scoped attribute. The response argument is not used.
         *
         * <p>NOTE(review): callers may pass {@code null} to request removal of the token. Here the null is handed
         * to {@code setAttribute} as the value; confirm that this actually clears the stored token.
         */
        @Override
        public void saveToken(CsrfToken csrfToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            DefaultEnvironment.get(httpServletRequest.getSession())
                    .setAttribute(Scope.SESSION, CsrfSetupFilter.CSRF_TOKEN, csrfToken);
        }

        /** Returns the token stored in the session scope, or whatever {@code getAttribute} yields if none is set. */
        @Override
        public CsrfToken loadToken(HttpServletRequest httpServletRequest) {
            Object stored = DefaultEnvironment.get(httpServletRequest.getSession())
                    .getAttribute(Scope.SESSION, CsrfSetupFilter.CSRF_TOKEN);
            return (CsrfToken) stored;
        }
    }

    /**
     * Registers the multipart filter and the CSRF filter for all URLs when the platform property
     * {@code Platform.Property.CSRF_FILTER_ENABLED} is true; otherwise logs that CSRF protection is disabled and
     * registers nothing.
     *
     * <p>Both filters are mapped to {@code /*} for REQUEST and FORWARD dispatches, with {@code isMatchAfter}
     * set to {@code false}. The multipart filter is added first, presumably so that a {@code _csrf} parameter
     * inside a multipart body is already parsed when the CSRF filter looks for it. Confirm the resulting filter
     * order in the target container.
     *
     * <p>The upload directory is resolved with {@code getRealPath}, that is, relative to the web application root.
     * NOTE(review): whether that directory is reachable over HTTP depends on the deployment. {@code getRealPath}
     * can also return {@code null}, which is not handled here.
     *
     * @param servletContextEvent event carrying the servlet context to configure
     * @throws RuntimeException if creating the multipart resolver fails with an {@link IOException}
     */
    public void contextInitialized(ServletContextEvent servletContextEvent) {
        ServletContext ctx = servletContextEvent.getServletContext();
        Properties platformConfig = (Properties) DefaultEnvironment.get(ctx).getAttribute(Scope.PLATFORM, Platform.Environment.PLATFORM_CONFIG);
        boolean csrfEnabled = platformConfig.getBoolean(Platform.Property.CSRF_FILTER_ENABLED).booleanValue();
        if (!csrfEnabled) {
            // With the platform switch off, no CSRF filter exists and per-site CSRF settings have no effect.
            log.info("'{}' is false, CSRF protection is disabled", Platform.Property.CSRF_FILTER_ENABLED);
            return;
        }
        try {
            log.info("initializing CSRF protection");
            String uploadDir = platformConfig.getString(Platform.Property.UPLOAD_DIR);
            // getRealPath expects a path that starts with a slash.
            String contextRelativeDir = uploadDir.startsWith("/") ? uploadDir : "/" + uploadDir;
            Resource uploadTempDir = new FileSystemResource(ctx.getRealPath(contextRelativeDir));
            final MultipartResolver multipartResolver = new MultipartResolver(uploadTempDir);
            // Hands the one resolver created above to the filter for every request.
            MultipartFilter multipartFilter = new MultipartFilter() {
                @Override
                public MultipartResolver lookupMultipartResolver(HttpServletRequest httpServletRequest) {
                    return multipartResolver;
                }
            };
            EnumSet<DispatcherType> dispatcherTypes = EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD);
            ctx.addFilter("multipartFilter", multipartFilter).addMappingForUrlPatterns(dispatcherTypes, false, "/*");

            // The matcher narrows the check to the sites, methods and paths configured per site.
            CsrfFilter csrfFilter = new CsrfFilter(new TokenRepository());
            csrfFilter.setRequireCsrfProtectionMatcher(new SiteRequestMatcher());
            ctx.addFilter("csrfFilter", csrfFilter).addMappingForUrlPatterns(dispatcherTypes, false, "/*");
        } catch (IOException e) {
            throw new RuntimeException("error while initializing", e);
        }
    }

    /**
     * Does nothing: this listener performs no cleanup of its own when the servlet context is destroyed.
     *
     * @param servletContextEvent ignored
     */
    public void contextDestroyed(ServletContextEvent servletContextEvent) {
    }
}
