package com.atlassian.plugins.rest.common.security.jersey;

import com.atlassian.http.method.Methods;
import com.atlassian.http.mime.BrowserUtils;
import com.atlassian.http.mime.UserAgentUtil;
import com.atlassian.http.mime.UserAgentUtilImpl;
import com.atlassian.http.url.SameOrigin;
import com.atlassian.plugin.tracker.PluginModuleTracker;
import com.atlassian.plugins.rest.common.security.CorsHeaders;
import com.atlassian.plugins.rest.common.security.XsrfCheckFailedException;
import com.atlassian.plugins.rest.common.security.descriptor.CorsDefaults;
import com.atlassian.plugins.rest.common.security.descriptor.CorsDefaultsModuleDescriptor;
import com.atlassian.sal.api.web.context.HttpContext;
import com.atlassian.sal.api.xsrf.XsrfRequestValidator;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Predicate;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponseFilter;
import com.sun.jersey.spi.container.ResourceFilter;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-rest-module-3.4.12.jar:com/atlassian/plugins/rest/common/security/jersey/XsrfResourceFilter.class */
public class XsrfResourceFilter implements ResourceFilter, ContainerRequestFilter {
    public static final String TOKEN_HEADER = "X-Atlassian-Token";
    public static final String NO_CHECK = "no-check";
    private static final ImmutableSet<String> XSRFABLE_TYPES = ImmutableSet.of("application/x-www-form-urlencoded", "multipart/form-data", "text/plain");
    private static final ImmutableSet<String> BROWSER_EXTENSION_ORIGINS = ImmutableSet.of("chrome-extension", "safari-extension");
    private static final Logger log = LoggerFactory.getLogger((Class<?>) XsrfResourceFilter.class);
    private static final Cache<String, Boolean> XSRF_NOT_ENFORCED_RESOURCE_CACHE = CacheBuilder.newBuilder().maximumSize(1000).build();
    private HttpContext httpContext;
    private XsrfRequestValidator xsrfRequestValidator;
    private PluginModuleTracker<CorsDefaults, CorsDefaultsModuleDescriptor> pluginModuleTracker;
    private Response.Status failureStatus = Response.Status.FORBIDDEN;

    public void setHttpContext(HttpContext httpContext) {
        this.httpContext = httpContext;
    }

    public void setXsrfRequestValidator(XsrfRequestValidator xsrfRequestValidator) {
        this.xsrfRequestValidator = xsrfRequestValidator;
    }

    public void setPluginModuleTracker(PluginModuleTracker<CorsDefaults, CorsDefaultsModuleDescriptor> pluginModuleTracker) {
        this.pluginModuleTracker = pluginModuleTracker;
    }

    public void setFailureStatus(Response.Status status) {
        if (status != Response.Status.FORBIDDEN && status != Response.Status.NOT_FOUND) {
            throw new IllegalArgumentException("Only FORBIDDEN and NOT_FOUND status are valid arguments.");
        }
        this.failureStatus = status;
    }

    public ContainerRequest filter(ContainerRequest containerRequest) {
        if (passesAllXsrfChecks(containerRequest)) {
            return containerRequest;
        }
        throw new XsrfCheckFailedException(this.failureStatus);
    }

    private boolean passesAllXsrfChecks(ContainerRequest containerRequest) {
        HttpServletRequest requestOrNull = getRequestOrNull(this.httpContext);
        String method = (requestOrNull == null || requestOrNull.getMethod() == null) ? containerRequest.getMethod() : requestOrNull.getMethod();
        boolean isMutative = Methods.isMutative(method);
        boolean isPostRequest = isPostRequest(method);
        if (isMutative && isLikelyToBeFromBrowser(containerRequest)) {
            boolean passesAdditionalBrowserChecks = passesAdditionalBrowserChecks(containerRequest);
            if (isPostRequest && !passesAdditionalBrowserChecks) {
                return false;
            }
            if (!isPostRequest) {
                if (passesAdditionalBrowserChecks) {
                    return true;
                }
                logXsrfFailureButNotBeingEnforced(containerRequest, log);
                return true;
            }
        }
        if (!isXsrfable(method, containerRequest.getMediaType())) {
            return true;
        }
        if (passesStandardXsrfChecks(requestOrNull) || hasDeprecatedHeaderValue(containerRequest)) {
            return true;
        }
        if (!isMutative || isPostRequest) {
            log.warn("XSRF checks failed for request: {} , origin: {} , referrer: {}", StringUtils.substringBefore(containerRequest.getRequestUri().toString(), "?"), containerRequest.getHeaderValue(CorsHeaders.ORIGIN.value()), getSanitisedReferrer(containerRequest));
            return false;
        }
        logXsrfFailureButNotBeingEnforced(containerRequest, log);
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void logXsrfFailureButNotBeingEnforced(ContainerRequest containerRequest, Logger logger) {
        String path = containerRequest.getPath();
        if (path == null || XSRF_NOT_ENFORCED_RESOURCE_CACHE.getIfPresent(path) != null) {
            return;
        }
        logger.warn("XSRF failure not being enforced for request: {} , origin: {} , referrer: {}, method: {}", StringUtils.substringBefore(containerRequest.getRequestUri().toString(), "?"), containerRequest.getHeaderValue(CorsHeaders.ORIGIN.value()), getSanitisedReferrer(containerRequest), containerRequest.getMethod());
        XSRF_NOT_ENFORCED_RESOURCE_CACHE.put(path, Boolean.TRUE);
    }

    private boolean passesStandardXsrfChecks(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return false;
        }
        return this.xsrfRequestValidator.validateRequestPassesXsrfChecks(httpServletRequest);
    }

    boolean isOriginABrowserExtension(String str) {
        if (StringUtils.isEmpty(str)) {
            return false;
        }
        try {
            URI uri = new URI(str);
            if (BROWSER_EXTENSION_ORIGINS.contains(uri.getScheme())) {
                if (!uri.isOpaque()) {
                    return true;
                }
            }
            return false;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    public boolean passesAdditionalBrowserChecks(ContainerRequest containerRequest) {
        boolean containsCredentials;
        boolean isAllowedViaCors;
        String headerValue = containerRequest.getHeaderValue(CorsHeaders.ORIGIN.value());
        String sanitisedReferrer = getSanitisedReferrer(containerRequest);
        URI requestUri = containerRequest.getRequestUri();
        if (isSameOrigin(sanitisedReferrer, requestUri) || isSameOrigin(headerValue, requestUri) || isOriginABrowserExtension(headerValue) || (isAllowedViaCors = isAllowedViaCors(headerValue, (containsCredentials = containsCredentials(containerRequest))))) {
            return true;
        }
        if (containerRequest.getMethod() == null || !isPostRequest(containerRequest.getMethod())) {
            return false;
        }
        log.warn("Additional XSRF checks failed for request: {} , origin: {} , referrer: {} , credentials in request: {} , allowed via CORS: {}", StringUtils.substringBefore(requestUri.toString(), "?"), headerValue, sanitisedReferrer, Boolean.valueOf(containsCredentials), Boolean.valueOf(isAllowedViaCors));
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isXsrfable(String str, MediaType mediaType) {
        return str.equals("GET") || (Methods.isMutative(str) && (mediaType == null || XSRFABLE_TYPES.contains(mediaTypeToString(mediaType))));
    }

    private boolean hasDeprecatedHeaderValue(ContainerRequest containerRequest) {
        String headerValue = containerRequest.getHeaderValue("X-Atlassian-Token");
        if (headerValue == null || !headerValue.toLowerCase(Locale.ENGLISH).equals("nocheck")) {
            return false;
        }
        log.warn("Use of the 'nocheck' value for {} has been deprecated since rest 3.0.0. Please use a value of 'no-check' instead.", "X-Atlassian-Token");
        return true;
    }

    private boolean isSameOrigin(String str, URI uri) {
        try {
            if (StringUtils.isNotEmpty(str)) {
                if (SameOrigin.isSameOrigin(new URI(str), uri)) {
                    return true;
                }
            }
            return false;
        } catch (IllegalArgumentException e) {
            return false;
        } catch (MalformedURLException e2) {
            return false;
        } catch (URISyntaxException e3) {
            return false;
        }
    }

    private boolean isAllowedViaCors(final String str, final boolean z) {
        if (str == null) {
            return false;
        }
        return Iterables.any(this.pluginModuleTracker.getModules(), new Predicate<CorsDefaults>() { // from class: com.atlassian.plugins.rest.common.security.jersey.XsrfResourceFilter.1
            @Override // com.google.common.base.Predicate
            public boolean apply(CorsDefaults corsDefaults) {
                if (corsDefaults.allowsOrigin(str)) {
                    return !z || corsDefaults.allowsCredentials(str);
                }
                return false;
            }
        });
    }

    @Override // com.sun.jersey.spi.container.ResourceFilter
    public ContainerRequestFilter getRequestFilter() {
        return this;
    }

    @Override // com.sun.jersey.spi.container.ResourceFilter
    public ContainerResponseFilter getResponseFilter() {
        return null;
    }

    private static boolean containsCredentials(ContainerRequest containerRequest) {
        return containsCookies(containerRequest) || containsHttpAuthHeader(containerRequest);
    }

    private static boolean containsCookies(ContainerRequest containerRequest) {
        return !containerRequest.getCookies().isEmpty();
    }

    private static boolean containsHttpAuthHeader(ContainerRequest containerRequest) {
        return StringUtils.isNotEmpty(containerRequest.getHeaderValue("Authorization"));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isPostRequest(String str) {
        return str.equals("POST");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isLikelyToBeFromBrowser(ContainerRequest containerRequest) {
        String headerValue = containerRequest.getHeaderValue("User-Agent");
        return (((passesStandardXsrfChecks(getRequestOrNull(this.httpContext)) || hasDeprecatedHeaderValue(containerRequest)) && BrowserUtils.isIE(headerValue)) || new UserAgentUtilImpl().getBrowserFamily(headerValue).equals(UserAgentUtil.BrowserFamily.UKNOWN)) ? false : true;
    }

    private static HttpServletRequest getRequestOrNull(HttpContext httpContext) {
        if (httpContext == null) {
            return null;
        }
        return httpContext.getRequest();
    }

    private static String mediaTypeToString(MediaType mediaType) {
        return mediaType.getType().toLowerCase(Locale.ENGLISH) + "/" + mediaType.getSubtype().toLowerCase(Locale.ENGLISH);
    }

    private static String getSanitisedReferrer(ContainerRequest containerRequest) {
        return StringUtils.substringBefore(containerRequest.getHeaderValue("Referer"), "?");
    }
}
