package org.springframework.security.web.csrf;

import java.io.IOException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.methods.HttpOptions;
import org.apache.http.client.methods.HttpTrace;
import org.springframework.core.log.LogMessage;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:BOOT-INF/lib/spring-security-web-5.3.13.RELEASE.jar:org/springframework/security/web/csrf/CsrfFilter.class */
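public final class CsrfFilter extends OncePerRequestFilter {

    /**
     * Matcher applied when none is configured: any request whose HTTP method is not
     * GET, HEAD, TRACE or OPTIONS must carry a valid CSRF token.
     */
    public static final RequestMatcher DEFAULT_CSRF_MATCHER = new DefaultRequiresCsrfMatcher();

    /** Request attribute read by {@link #shouldNotFilter} and set by {@link #skipRequest}. */
    private static final String SHOULD_NOT_FILTER = "SHOULD_NOT_FILTER" + CsrfFilter.class.getName();

    private final CsrfTokenRepository tokenRepository;

    private final Log logger = LogFactory.getLog(getClass());

    private RequestMatcher requireCsrfProtectionMatcher = DEFAULT_CSRF_MATCHER;

    private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();

    /**
     * Requires CSRF protection for every request except those using one of the four
     * conventionally read-only methods. The method names are plain literals so that
     * this servlet filter carries no dependency on the Apache HttpClient constants it
     * previously referenced for the same two strings.
     */
    private static final class DefaultRequiresCsrfMatcher implements RequestMatcher {

        private final Set<String> allowedMethods;

        private DefaultRequiresCsrfMatcher() {
            this.allowedMethods = new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));
        }

        /**
         * @return {@code true} when the request method is not in the allowed set, i.e.
         * the request must present a CSRF token
         */
        @Override
        public boolean matches(HttpServletRequest httpServletRequest) {
            return !this.allowedMethods.contains(httpServletRequest.getMethod());
        }

        @Override
        public String toString() {
            return "CsrfNotRequired " + this.allowedMethods;
        }
    }

    /**
     * Creates a filter backed by the given repository.
     *
     * @param csrfTokenRepository where expected tokens are loaded from, generated and saved
     * @throws IllegalArgumentException if the repository is {@code null}
     */
    public CsrfFilter(CsrfTokenRepository csrfTokenRepository) {
        Assert.notNull(csrfTokenRepository, "csrfTokenRepository cannot be null");
        this.tokenRepository = csrfTokenRepository;
    }

    /**
     * Skips the filter entirely when {@link #skipRequest} has flagged this request.
     */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest httpServletRequest) throws ServletException {
        return Boolean.TRUE.equals(httpServletRequest.getAttribute(SHOULD_NOT_FILTER));
    }

    /**
     * Loads (or generates and saves) the expected token, exposes it as request
     * attributes, and for requests selected by {@code requireCsrfProtectionMatcher}
     * compares the token supplied in the header (falling back to the request
     * parameter) against the expected one. A mismatch is handed to the configured
     * {@link AccessDeniedHandler} instead of continuing the chain.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response; also published as a request
     * attribute so a repository that writes to the response can reach it
     * @param filterChain the remaining chain, invoked only when protection is not
     * required or the supplied token matches
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            FilterChain filterChain) throws ServletException, IOException {
        httpServletRequest.setAttribute(HttpServletResponse.class.getName(), httpServletResponse);
        CsrfToken csrfToken = this.tokenRepository.loadToken(httpServletRequest);
        // Remembered so a failed check can be reported as "missing" (no stored token at
        // all, e.g. a new or expired session) rather than "invalid".
        boolean missingToken = (csrfToken == null);
        if (missingToken) {
            csrfToken = this.tokenRepository.generateToken(httpServletRequest);
            this.tokenRepository.saveToken(csrfToken, httpServletRequest, httpServletResponse);
        }
        httpServletRequest.setAttribute(CsrfToken.class.getName(), csrfToken);
        httpServletRequest.setAttribute(csrfToken.getParameterName(), csrfToken);
        if (!this.requireCsrfProtectionMatcher.matches(httpServletRequest)) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Did not protect against CSRF since request did not match "
                        + this.requireCsrfProtectionMatcher);
            }
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        // Header takes precedence; the parameter is only consulted when no header is present.
        String actualToken = httpServletRequest.getHeader(csrfToken.getHeaderName());
        if (actualToken == null) {
            actualToken = httpServletRequest.getParameter(csrfToken.getParameterName());
        }
        if (!equalsConstantTime(csrfToken.getToken(), actualToken)) {
            this.logger.debug(LogMessage.of(() -> "Invalid CSRF token found for "
                    + UrlUtils.buildFullRequestUrl(httpServletRequest)));
            AccessDeniedException exception = missingToken
                    ? new MissingCsrfTokenException(actualToken)
                    : new InvalidCsrfTokenException(csrfToken, actualToken);
            this.accessDeniedHandler.handle(httpServletRequest, httpServletResponse, exception);
            return;
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Marks the request so that {@link #shouldNotFilter} bypasses this filter for it.
     *
     * @param httpServletRequest the request to exempt
     */
    public static void skipRequest(HttpServletRequest httpServletRequest) {
        httpServletRequest.setAttribute(SHOULD_NOT_FILTER, Boolean.TRUE);
    }

    /**
     * Replaces the matcher that decides which requests must present a token.
     *
     * @param requestMatcher the matcher; defaults to {@link #DEFAULT_CSRF_MATCHER}
     * @throws IllegalArgumentException if {@code null}
     */
    public void setRequireCsrfProtectionMatcher(RequestMatcher requestMatcher) {
        Assert.notNull(requestMatcher, "requireCsrfProtectionMatcher cannot be null");
        this.requireCsrfProtectionMatcher = requestMatcher;
    }

    /**
     * Replaces the handler invoked when a request fails the token check.
     *
     * @param accessDeniedHandler the handler; defaults to {@link AccessDeniedHandlerImpl}
     * @throws IllegalArgumentException if {@code null}
     */
    public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) {
        Assert.notNull(accessDeniedHandler, "accessDeniedHandler cannot be null");
        this.accessDeniedHandler = accessDeniedHandler;
    }

    /**
     * Compares the expected and supplied token without leaking, through response
     * timing, how many leading bytes agreed. {@link MessageDigest#isEqual} is
     * constant-time for equal-length inputs; a {@code null} on either side is simply a
     * mismatch.
     *
     * @param expected the token held by the repository
     * @param actual the token taken from the request, may be {@code null}
     * @return {@code true} only when both are non-null and byte-for-byte equal (or the
     * same reference)
     */
    private static boolean equalsConstantTime(String expected, String actual) {
        if (expected == actual) {
            return true;
        }
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(Utf8.encode(expected), Utf8.encode(actual));
    }
}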
