package hirondelle.web4j.security;

import hirondelle.web4j.BuildImpl;
import hirondelle.web4j.action.Action;
import hirondelle.web4j.action.Operation;
import hirondelle.web4j.model.BadRequestException;
import hirondelle.web4j.model.Id;
import hirondelle.web4j.readconfig.ConfigReader;
import hirondelle.web4j.readconfig.InitParam;
import hirondelle.web4j.request.RequestParameter;
import hirondelle.web4j.request.RequestParser;
import hirondelle.web4j.util.Util;
import java.util.Collection;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.ServletConfig;
import org.apache.axis.transport.http.HTTPConstants;
import org.eclipse.wst.xml.ui.internal.contentassist.XMLRelevanceConstants;

/* loaded from: input_file:resources/lib/web4j.jar:hirondelle/web4j/security/ApplicationFirewallImpl.class */
public class ApplicationFirewallImpl implements ApplicationFirewall {
    private static int fMaxRequestSize;
    private static int fMaxFileUploadRequestSize;
    private static boolean fFullyValidateFileUploads;
    private static boolean fIsSpamDetectionOn;
    private static final String CURRENT_TOKEN_CSRF = "web4j_key_for_form_source_id";
    private static final String PREVIOUS_TOKEN_CSRF = "web4j_key_for_previous_form_source_id";
    private static Map<Class<Action>, Set<RequestParameter>> fExpectedParams = new LinkedHashMap();
    private static final InitParam fMAX_REQUEST_SIZE = new InitParam("MaxHttpRequestSize", "51200");
    private static final InitParam fMAX_FILE_UPLOAD_REQUEST_SIZE = new InitParam("MaxFileUploadRequestSize", "51200");
    private static final InitParam fFULLY_VALIDATE_FILE_UPLOADS = new InitParam("FullyValidateFileUploads", "OFF");
    private static final InitParam fIS_SPAM_DETECTION_ON = new InitParam("SpamDetectionInFirewall", "OFF");
    private static final RequestParameter fCSRF_REQ_PARAM = RequestParameter.withLengthCheck("web4j_key_for_form_source_id");
    private static final Logger fLogger = Util.getLogger(ApplicationFirewallImpl.class);

    public static void init(ServletConfig servletConfig) {
        fMaxRequestSize = getMaxSize(fMAX_REQUEST_SIZE, servletConfig);
        fMaxFileUploadRequestSize = getMaxSize(fMAX_FILE_UPLOAD_REQUEST_SIZE, servletConfig);
        fFullyValidateFileUploads = getBooleanSetting(fFULLY_VALIDATE_FILE_UPLOADS, servletConfig);
        fIsSpamDetectionOn = getBooleanSetting(fIS_SPAM_DETECTION_ON, servletConfig);
        mapActionsToExpectedParams();
    }

    @Override // hirondelle.web4j.security.ApplicationFirewall
    public void doHardValidation(Action action, RequestParser requestParser) throws BadRequestException {
        if (requestParser.isFileUploadRequest()) {
            fLogger.fine("Validating a file upload request.");
        }
        checkForExtremeSize(requestParser);
        if (requestParser.isFileUploadRequest() && !fFullyValidateFileUploads) {
            fLogger.fine("Unable to parse request in the usual way: file upload request is not wrapped. Cannot read parameter names and values. See FullyValidateFileUploads setting in web.xml.");
            return;
        }
        checkParamNamesAndValues(action, requestParser);
        checkSideEffectOperations(action, requestParser);
        defendAgainstCSRFAttacks(requestParser);
    }

    private static int getMaxSize(InitParam initParam, ServletConfig servletConfig) {
        int parseInt = Integer.parseInt(initParam.fetch(servletConfig).getValue());
        if (parseInt < 1000) {
            throw new IllegalArgumentException("Configured value of " + parseInt + " in web.xml for " + initParam.getName() + " is too low. Please see web.xml for more information.");
        }
        return parseInt;
    }

    private static boolean getBooleanSetting(InitParam initParam, ServletConfig servletConfig) {
        boolean z = false;
        String trim = initParam.fetch(servletConfig).getValue().trim();
        if ("ON".equalsIgnoreCase(trim)) {
            z = true;
        } else if (!"OFF".equalsIgnoreCase(trim)) {
            throw new IllegalArgumentException("Configured value of " + Util.quote(trim) + " in web.xml for " + initParam.getName() + " is not among the expected values. Please see web.xml for more information.");
        }
        return z;
    }

    private static void mapActionsToExpectedParams() {
        fExpectedParams = ConfigReader.fetchPublicStaticFinalFields(Action.class, RequestParameter.class);
        fLogger.config("Expected Request Parameters per Web Action." + Util.logOnePerLine(fExpectedParams));
    }

    private void checkForExtremeSize(RequestParser requestParser) throws BadRequestException {
        fLogger.fine("Checking for extreme size.");
        if (isRequestExcessivelyLarge(requestParser)) {
            throw new BadRequestException(413);
        }
    }

    private boolean isRequestExcessivelyLarge(RequestParser requestParser) {
        boolean z;
        if (requestParser.isFileUploadRequest()) {
            z = requestParser.getRequest().getContentLength() > fMaxFileUploadRequestSize;
        } else {
            z = requestParser.getRequest().getContentLength() > fMaxRequestSize;
        }
        return z;
    }

    void checkParamNamesAndValues(Action action, RequestParser requestParser) throws BadRequestException {
        if (!fExpectedParams.containsKey(action.getClass())) {
            String str = "Action " + action.getClass() + " not known to ApplicationFirewallImpl.";
            fLogger.severe(str);
            throw new RuntimeException(str);
        }
        Set<RequestParameter> set = fExpectedParams.get(action.getClass());
        Enumeration parameterNames = requestParser.getRequest().getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String str2 = (String) parameterNames.nextElement();
            fLogger.fine("Checking parameter named " + Util.quote(str2));
            RequestParameter matchToKnownParam = matchToKnownParam(str2, set);
            if (matchToKnownParam == null) {
                fLogger.severe("*** Unknown Parameter *** : " + Util.quote(str2) + ". Please add public static final RequestParameter field for this item to your Action.");
                throw new BadRequestException(XMLRelevanceConstants.R_CDATA);
            }
            if (matchToKnownParam.isFileUploadParameter()) {
                fLogger.fine("File Upload parameter - value not validatable here: " + matchToKnownParam.getName());
            } else {
                Collection<SafeText> safeTexts = requestParser.toSafeTexts(matchToKnownParam);
                if (!isInternalParam(matchToKnownParam)) {
                    checkParamValues(matchToKnownParam, safeTexts);
                }
            }
        }
    }

    private RequestParameter matchToKnownParam(String str, Collection<RequestParameter> collection) {
        RequestParameter requestParameter = null;
        Iterator<RequestParameter> it = collection.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            RequestParameter next = it.next();
            if (next.getName().equals(str)) {
                requestParameter = next;
                break;
            }
        }
        if (requestParameter == null && fCSRF_REQ_PARAM.getName().equals(str)) {
            requestParameter = fCSRF_REQ_PARAM;
        }
        return requestParameter;
    }

    private void checkParamValues(RequestParameter requestParameter, Collection<SafeText> collection) throws BadRequestException {
        for (SafeText safeText : collection) {
            if (Util.textHasContent(safeText)) {
                if (!requestParameter.isValidParamValue(safeText.getRawString())) {
                    fLogger.severe("Request parameter named " + requestParameter.getName() + " has an invalid value. Its size is: " + safeText.getRawString().length());
                    throw new BadRequestException(XMLRelevanceConstants.R_CDATA);
                }
                if (fIsSpamDetectionOn && BuildImpl.forSpamDetector().isSpam(safeText.getRawString())) {
                    fLogger.fine("SPAM detected.");
                    throw new BadRequestException(XMLRelevanceConstants.R_CDATA);
                }
            }
        }
    }

    private void checkSideEffectOperations(Action action, RequestParser requestParser) throws BadRequestException {
        fLogger.fine("Checking for side-effect operations.");
        for (RequestParameter requestParameter : fExpectedParams.get(action.getClass())) {
            if ("Operation".equals(requestParameter.getName())) {
                String rawParamValue = requestParser.getRawParamValue(requestParameter);
                if (Util.textHasContent(rawParamValue) && isAttemptingSideEffectOperationWithoutPOST(Operation.valueOf(rawParamValue), requestParser)) {
                    fLogger.severe("Security problem. Attempted operation having side effects outside of a POST. Please use a <FORM> with method='POST'.");
                    throw new BadRequestException(XMLRelevanceConstants.R_CDATA);
                }
            }
        }
    }

    private boolean isAttemptingSideEffectOperationWithoutPOST(Operation operation, RequestParser requestParser) {
        return operation.hasSideEffects() && !requestParser.getRequest().getMethod().equals(HTTPConstants.HEADER_POST);
    }

    private boolean isInternalParam(RequestParameter requestParameter) {
        return requestParameter.getName().equals(fCSRF_REQ_PARAM.getName());
    }

    private void defendAgainstCSRFAttacks(RequestParser requestParser) throws BadRequestException {
        if (requestNeedsDefendingAgainstCSRFAttacks(requestParser)) {
            Id id = requestParser.toId(fCSRF_REQ_PARAM);
            if (false == toIncludeCsrfTokenWithForm(id)) {
                fLogger.severe("CSRF token not included in POSTed request. Rejecting this request, since it is likely an attack.");
                throw new BadRequestException(XMLRelevanceConstants.R_CDATA);
            }
            if (false == matchCurrentCSRFToken(requestParser, id) && false == matchPreviousCSRFToken(requestParser, id)) {
                fLogger.severe("CSRF token does not match the expected value. Rejecting this request, since it is likely an attack.");
                throw new BadRequestException(XMLRelevanceConstants.R_CDATA);
            }
            fLogger.fine("Success: no CSRF problem detected.");
        }
    }

    private boolean requestNeedsDefendingAgainstCSRFAttacks(RequestParser requestParser) {
        boolean equalsIgnoreCase = requestParser.getRequest().getMethod().equalsIgnoreCase(HTTPConstants.HEADER_POST);
        boolean isSessionPresent = isSessionPresent(requestParser);
        boolean z = false;
        if (isSessionPresent) {
            z = getCsrfTokenInSession("web4j_key_for_form_source_id", requestParser) != null;
        }
        if (equalsIgnoreCase && isSessionPresent && !z) {
            fLogger.warning("POST operation, but no CSRF form token present in existing session. This application does not have WEB4J defenses against CSRF attacks configured in the recommended way.");
        }
        boolean z2 = equalsIgnoreCase && isSessionPresent && z;
        fLogger.fine("Session exists, and the CsrfFilter is turned on : " + z);
        fLogger.fine("Does the firewall need to check this request for CSRF attacks? : " + z2);
        return z2;
    }

    private boolean toIncludeCsrfTokenWithForm(Id id) {
        return id != null;
    }

    private boolean matchCurrentCSRFToken(RequestParser requestParser, Id id) {
        return id.equals(getCsrfTokenInSession("web4j_key_for_form_source_id", requestParser));
    }

    private boolean matchPreviousCSRFToken(RequestParser requestParser, Id id) {
        return id.equals(getCsrfTokenInSession("web4j_key_for_previous_form_source_id", requestParser));
    }

    private boolean isSessionPresent(RequestParser requestParser) {
        return requestParser.getRequest().getSession(false) != null;
    }

    private Id getCsrfTokenInSession(String str, RequestParser requestParser) {
        return (Id) requestParser.getRequest().getSession(false).getAttribute(str);
    }
}
