package ru.org.openam.xss;

import ch.qos.logback.classic.spi.CallerData;
import java.net.URI;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.concurrent.AbstractCircuitBreaker;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ru.org.openam.crypt.HMAC;

/* loaded from: input_file:WEB-INF/lib/xss-14.8.1.0.jar:ru/org/openam/xss/CSRFToken.class */
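public class CSRFToken {
    /** Name of the hidden form field that carries the HMAC-based CSRF token. */
    public static final String CSRF_TOKEN_NAME = "csrf.sign";
    /** Name of the hidden form field that carries the timestamp the token was issued with. */
    public static final String CSRF_TOKEN_TS = "csrf.ts";
    static final Logger logger = LoggerFactory.getLogger(CSRFToken.class.getName());
    /** Not read in this class; kept because other classes in the package may reference it. */
    static String encryptionKey = null;
    /** Random value fixed at class load; not read in this class, kept for compatibility. */
    static final String encryptionKeyOneStart = Long.toString(new SecureRandom().nextLong());
    /** The flag value 42 in the compiled original is exactly this combination. */
    private static final int FORM_PATTERN_FLAGS =
            Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
    /**
     * Matches a complete POST form as three named groups: the opening tag ({@code open}), its body
     * ({@code inner}) and the closing tag ({@code close}).
     *
     * <p>NOTE(review): regex over HTML — because of DOTALL the lazy {@code .*?} in front of
     * {@code method=} is not stopped by {@code >}, so a non-POST {@code <form>} followed later in the
     * document by another element that carries {@code method="post"} could be matched as one unit.
     * Left as-is to keep the matching behaviour; confirm against the templates this filter serves.
     */
    static Pattern formStartTagPattern = Pattern.compile(
            "(?<open><\\s*form.*?method\\s*=\\s*['\"]post['\"].*?>)(?<inner>.*?)(?<close></\\s*form>)",
            FORM_PATTERN_FLAGS);
    /** Extracts the {@code action} attribute value (group 1) from a form opening tag. */
    static Pattern formActionPattern = Pattern.compile(
            "<\\s*form[^>]+action\\s*=\\s*['\"]([^'\"]+)['\"][^>]*>", FORM_PATTERN_FLAGS);

    /**
     * Returns the HMAC key shared with {@link XSSFilter}.
     *
     * @return the key held in {@code XSSFilter.CSRF$key}
     */
    public static final String getEncryptionKey() {
        return XSSFilter.CSRF$key;
    }

    /**
     * Appends the two hidden CSRF inputs ({@value #CSRF_TOKEN_NAME} and {@value #CSRF_TOKEN_TS})
     * to the end of every POST form found in {@code str}.
     *
     * <p>The token is bound to the path the form posts to: the form's {@code action} attribute,
     * resolved against the current request URL, or the (possibly forwarded) request URI when the
     * action is absent, blank or a bare query string ({@code ?...}). Each matched form receives its
     * own token and timestamp.
     *
     * @param str response body to rewrite; returned unchanged when {@code null} or empty
     * @param httpServletRequest request the response belongs to; used for the session id and URL
     * @return the rewritten body
     */
    public static String insertCSRFToken(String str, HttpServletRequest httpServletRequest) {
        if (str == null || str.isEmpty()) {
            return str;
        }
        Matcher formMatcher = formStartTagPattern.matcher(str);
        // StringBuffer: the only appendReplacement/appendTail overload available before Java 9.
        StringBuffer out = new StringBuffer(str.length());
        while (formMatcher.find()) {
            String openTag = formMatcher.group("open");
            String action = extractAction(openTag);
            // "?" is the literal the decompiled code referenced as CallerData.NA.
            if (action == null || action.trim().isEmpty() || action.startsWith("?")) {
                action = getRequestUri(httpServletRequest);
            }
            URI normalized = normalizeRequestUri(httpServletRequest, action);
            // normalizeRequestUri only yields null when the request URL itself is unparseable;
            // fall back to the raw request URI instead of failing the whole response.
            String signedPath = normalized != null
                    ? normalized.getRawPath()
                    : getRequestUri(httpServletRequest);
            long issuedAt = System.currentTimeMillis();
            String token = getTokenValueForResponse(signedPath, httpServletRequest, issuedAt);
            String replacement = openTag
                    + formMatcher.group("inner")
                    + hiddenFields(token, issuedAt)
                    + formMatcher.group("close");
            // quoteReplacement: form bodies routinely contain '$' and '\' which appendReplacement
            // would otherwise interpret.
            formMatcher.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        formMatcher.appendTail(out);
        return out.toString();
    }

    /** Returns group 1 of {@link #formActionPattern} for {@code openTag}, or "" when absent. */
    private static String extractAction(String openTag) {
        Matcher actionMatcher = formActionPattern.matcher(openTag);
        return actionMatcher.find() ? actionMatcher.group(1) : "";
    }

    /**
     * Builds the two hidden inputs that carry the token and its timestamp. The token is embedded
     * without escaping, so the HMAC encoding produced by {@link HMAC#getHMac} must be safe inside a
     * double-quoted attribute.
     */
    private static String hiddenFields(String token, long issuedAt) {
        return "<input type=\"hidden\" name=\"" + CSRF_TOKEN_NAME + "\" value=\"" + token + "\"/>"
                + "<input type=\"hidden\" name=\"" + CSRF_TOKEN_TS + "\" value=\"" + issuedAt + "\"/>";
    }

    /**
     * Token for the current (possibly forwarded) request URI.
     *
     * @param httpServletRequest request supplying the session id and URI
     * @param j issue timestamp in milliseconds
     * @return the token, or "" if it could not be computed
     */
    protected static String getTokenValueForResponse(HttpServletRequest httpServletRequest, long j) {
        return getTokenValueForResponse(getRequestUri(httpServletRequest), httpServletRequest, j);
    }

    /**
     * Computes the token as an HMAC over the timestamp, the lower-cased session id and the path,
     * keyed with {@link #getEncryptionKey()}.
     *
     * <p>NOTE(review): the three fields are concatenated without a separator; the verifying side
     * (not in this file) must build byte-for-byte the same string. {@code getSession()} with no
     * argument creates a session if the request has none.
     *
     * @param str path the token is bound to
     * @param httpServletRequest request supplying the session id
     * @param j issue timestamp in milliseconds
     * @return the token, or "" when the HMAC fails (the failure is logged at WARN); a form carrying
     *     an empty token is expected to be rejected by the validator
     */
    protected static String getTokenValueForResponse(String str, HttpServletRequest httpServletRequest, long j) {
        try {
            // Locale.ROOT keeps the lower-casing identical regardless of the JVM default locale
            // (e.g. Turkish 'I' handling), which would otherwise change the signed material.
            String material = "" + j + httpServletRequest.getSession().getId().toLowerCase(Locale.ROOT) + str;
            return HMAC.getHMac(material, getEncryptionKey());
        } catch (Exception e) {
            logger.warn(httpServletRequest.toString(), (Throwable) e);
            return "";
        }
    }

    /**
     * Returns the original request URI when the request was forwarded (the
     * {@code javax.servlet.forward.request_uri} attribute), otherwise {@code getRequestURI()}.
     *
     * @param httpServletRequest current request
     * @return the effective request URI
     */
    public static String getRequestUri(HttpServletRequest httpServletRequest) {
        Object forwardedUri = httpServletRequest.getAttribute("javax.servlet.forward.request_uri");
        return forwardedUri != null ? forwardedUri.toString() : httpServletRequest.getRequestURI();
    }

    /**
     * Resolves {@code str} against the full request URL ({@code getRequestURL()}). Per
     * {@link URI#resolve(String)} an absolute {@code str} is returned as-is, so an action pointing
     * at another host yields that host's URI; callers here only use {@code getRawPath()}.
     *
     * @param httpServletRequest current request
     * @param str form action (relative or absolute)
     * @return the resolved URI; the request URL itself when {@code str} cannot be resolved; or
     *     {@code null} only when even the request URL is not a valid URI (both failures are logged)
     */
    public static URI normalizeRequestUri(HttpServletRequest httpServletRequest, String str) {
        try {
            URI uri = new URI(httpServletRequest.getRequestURL().toString()).resolve(str);
            logger.debug("normalizeRequestUri: {}->{}", str, uri.getRawPath());
            return uri;
        } catch (Exception e) {
            logger.warn(httpServletRequest.toString(), (Throwable) e);
            try {
                return new URI(httpServletRequest.getRequestURL().toString()).resolve("");
            } catch (Exception fallbackFailure) {
                // Previously swallowed; keep best-effort semantics but leave a trace for diagnosis.
                logger.debug("normalizeRequestUri: request URL is not a valid URI", fallbackFailure);
                return null;
            }
        }
    }
}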
