package com.atlassian.plugins.rest.v2.security.xsrf;

import com.atlassian.http.method.Methods;
import com.atlassian.http.mime.BrowserUtils;
import com.atlassian.http.mime.UserAgentUtil;
import com.atlassian.http.mime.UserAgentUtilImpl;
import com.atlassian.http.url.SameOrigin;
import com.atlassian.plugins.rest.api.internal.security.cors.CorsDefaults;
import com.atlassian.plugins.rest.api.internal.security.cors.CorsHeaders;
import com.atlassian.plugins.rest.api.security.exception.XsrfCheckFailedException;
import com.atlassian.sal.api.web.context.HttpContext;
import com.atlassian.sal.api.xsrf.XsrfRequestValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.commons.lang3.StringUtils;
import org.glassfish.jersey.internal.guava.Cache;
import org.glassfish.jersey.internal.guava.CacheBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(2000)
@Provider
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins-setup/com.atlassian.plugins.rest.atlassian-rest-v2-plugin-8.1.2.jar:com/atlassian/plugins/rest/v2/security/xsrf/XsrfResourceFilter.class */
public class XsrfResourceFilter implements ContainerRequestFilter {
    public static final String TOKEN_HEADER = "X-Atlassian-Token";
    public static final String NO_CHECK = "no-check";
    private static final Response.Status FAILURE_STATUS = Response.Status.FORBIDDEN;
    private static final Set<String> XSRFABLE_TYPES = Collections.unmodifiableSet(new HashSet(Arrays.asList("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")));
    private static final Set<String> BROWSER_EXTENSION_ORIGINS = Collections.unmodifiableSet(new HashSet(Arrays.asList("chrome-extension", "safari-extension")));
    private static final Logger log = LoggerFactory.getLogger(XsrfResourceFilter.class);
    private static final Cache<String, Boolean> XSRF_NOT_ENFORCED_RESOURCE_CACHE = CacheBuilder.newBuilder().maximumSize(1000).build();
    private HttpContext httpContext;
    private XsrfRequestValidator xsrfRequestValidator;
    private List<CorsDefaults> corsDefaults;

    public void setHttpContext(HttpContext httpContext) {
        this.httpContext = httpContext;
    }

    public void setXsrfRequestValidator(XsrfRequestValidator xsrfRequestValidator) {
        this.xsrfRequestValidator = xsrfRequestValidator;
    }

    public void setCorsDefaults(List<CorsDefaults> list) {
        this.corsDefaults = list;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (!passesAllXsrfChecks(containerRequestContext)) {
            throw new XsrfCheckFailedException(FAILURE_STATUS);
        }
    }

    private boolean passesAllXsrfChecks(ContainerRequestContext containerRequestContext) {
        HttpServletRequest requestOrNull = getRequestOrNull(this.httpContext);
        String method = (requestOrNull == null || requestOrNull.getMethod() == null) ? containerRequestContext.getMethod() : requestOrNull.getMethod();
        boolean isMutative = Methods.isMutative(method);
        boolean isPostRequest = isPostRequest(method);
        if (isMutative && isLikelyToBeFromBrowser(containerRequestContext)) {
            boolean passesAdditionalBrowserChecks = passesAdditionalBrowserChecks(containerRequestContext);
            if (isPostRequest && !passesAdditionalBrowserChecks) {
                return false;
            }
            if (!isPostRequest) {
                if (passesAdditionalBrowserChecks) {
                    return true;
                }
                logXsrfFailureButNotBeingEnforced(containerRequestContext, log);
                return true;
            }
        }
        if (!isXsrfable(method, containerRequestContext.getMediaType())) {
            return true;
        }
        if (passesStandardXsrfChecks(requestOrNull) || hasDeprecatedHeaderValue(containerRequestContext)) {
            return true;
        }
        if (isMutative && !isPostRequest) {
            logXsrfFailureButNotBeingEnforced(containerRequestContext, log);
            return true;
        }
        Logger logger = log;
        Object[] objArr = new Object[3];
        objArr[0] = containerRequestContext.getUriInfo().getRequestUri().toString().contains("?") ? StringUtils.substringBefore(containerRequestContext.getUriInfo().getRequestUri().toString(), "?") : containerRequestContext.getUriInfo().getRequestUri().toString();
        objArr[1] = containerRequestContext.getHeaderString(CorsHeaders.ORIGIN.value());
        objArr[2] = getSanitisedReferrer(containerRequestContext);
        logger.warn("XSRF checks failed for request: {} , origin: {} , referrer: {}", objArr);
        return false;
    }

    public void logXsrfFailureButNotBeingEnforced(ContainerRequestContext containerRequestContext, Logger logger) {
        String path = containerRequestContext.getUriInfo().getPath();
        if (path == null || XSRF_NOT_ENFORCED_RESOURCE_CACHE.getIfPresent(path) != null) {
            return;
        }
        Object[] objArr = new Object[4];
        objArr[0] = containerRequestContext.getUriInfo().getRequestUri().toString().contains("?") ? StringUtils.substringBefore(containerRequestContext.getUriInfo().getRequestUri().toString(), "?") : containerRequestContext.getUriInfo().getRequestUri().toString();
        objArr[1] = containerRequestContext.getHeaderString(CorsHeaders.ORIGIN.value());
        objArr[2] = getSanitisedReferrer(containerRequestContext);
        objArr[3] = containerRequestContext.getMethod();
        logger.warn("XSRF failure not being enforced for request: {} , origin: {} , referrer: {}, method: {}", objArr);
        XSRF_NOT_ENFORCED_RESOURCE_CACHE.put(path, Boolean.TRUE);
    }

    private boolean passesStandardXsrfChecks(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return false;
        }
        return this.xsrfRequestValidator.validateRequestPassesXsrfChecks(httpServletRequest);
    }

    private boolean isOriginABrowserExtension(String str) {
        if (StringUtils.isEmpty(str)) {
            return false;
        }
        try {
            URI uri = new URI(str);
            if (BROWSER_EXTENSION_ORIGINS.contains(uri.getScheme())) {
                if (!uri.isOpaque()) {
                    return true;
                }
            }
            return false;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    protected boolean passesAdditionalBrowserChecks(ContainerRequestContext containerRequestContext) {
        boolean containsCredentials;
        boolean isAllowedViaCors;
        String headerString = containerRequestContext.getHeaderString(CorsHeaders.ORIGIN.value());
        String sanitisedReferrer = getSanitisedReferrer(containerRequestContext);
        URI requestUri = containerRequestContext.getUriInfo().getRequestUri();
        if (isSameOrigin(sanitisedReferrer, requestUri) || isSameOrigin(headerString, requestUri) || isOriginABrowserExtension(headerString) || (isAllowedViaCors = isAllowedViaCors(headerString, (containsCredentials = containsCredentials(containerRequestContext))))) {
            return true;
        }
        if (containerRequestContext.getMethod() == null || !isPostRequest(containerRequestContext.getMethod())) {
            return false;
        }
        Logger logger = log;
        Object[] objArr = new Object[5];
        objArr[0] = requestUri.toString().contains("?") ? StringUtils.substringBefore(requestUri.toString(), "?") : requestUri.toString();
        objArr[1] = headerString;
        objArr[2] = sanitisedReferrer;
        objArr[3] = Boolean.valueOf(containsCredentials);
        objArr[4] = Boolean.valueOf(isAllowedViaCors);
        logger.warn("Additional XSRF checks failed for request: {} , origin: {} , referrer: {} , credentials in request: {} , allowed via CORS: {}", objArr);
        return false;
    }

    boolean isXsrfable(String str, MediaType mediaType) {
        return mediaType != null && Methods.isMutative(str) && XSRFABLE_TYPES.contains(mediaTypeToString(mediaType));
    }

    private boolean hasDeprecatedHeaderValue(ContainerRequestContext containerRequestContext) {
        String headerString = containerRequestContext.getHeaderString(TOKEN_HEADER);
        if (headerString == null || !headerString.toLowerCase(Locale.ENGLISH).equals("nocheck")) {
            return false;
        }
        log.warn("Use of the 'nocheck' value for {} has been deprecated since rest 3.0.0. Please use a value of 'no-check' instead.", TOKEN_HEADER);
        return true;
    }

    private boolean isSameOrigin(String str, URI uri) {
        try {
            if (StringUtils.isNotEmpty(str)) {
                if (SameOrigin.isSameOrigin(new URI(str), uri)) {
                    return true;
                }
            }
            return false;
        } catch (IllegalArgumentException | MalformedURLException | URISyntaxException e) {
            return false;
        }
    }

    private boolean isAllowedViaCors(String str, boolean z) {
        if (str == null) {
            return false;
        }
        return this.corsDefaults.stream().anyMatch(corsDefaults -> {
            return corsDefaults.allowsOrigin(str) && (!z || corsDefaults.allowsCredentials(str));
        });
    }

    private static boolean containsCredentials(ContainerRequestContext containerRequestContext) {
        return containsCookies(containerRequestContext) || containsHttpAuthHeader(containerRequestContext);
    }

    private static boolean containsCookies(ContainerRequestContext containerRequestContext) {
        return !containerRequestContext.getCookies().isEmpty();
    }

    private static boolean containsHttpAuthHeader(ContainerRequestContext containerRequestContext) {
        return StringUtils.isNotEmpty(containerRequestContext.getHeaderString("Authorization"));
    }

    private boolean isPostRequest(String str) {
        return str.equals("POST");
    }

    private boolean isLikelyToBeFromBrowser(ContainerRequestContext containerRequestContext) {
        String headerString = containerRequestContext.getHeaderString("User-Agent");
        return (((passesStandardXsrfChecks(getRequestOrNull(this.httpContext)) || hasDeprecatedHeaderValue(containerRequestContext)) && BrowserUtils.isIE(headerString)) || new UserAgentUtilImpl().getBrowserFamily(headerString).equals(UserAgentUtil.BrowserFamily.UKNOWN)) ? false : true;
    }

    private static HttpServletRequest getRequestOrNull(HttpContext httpContext) {
        if (httpContext == null) {
            return null;
        }
        return httpContext.getRequest();
    }

    private static String mediaTypeToString(MediaType mediaType) {
        return mediaType.getType().toLowerCase(Locale.ENGLISH) + "/" + mediaType.getSubtype().toLowerCase(Locale.ENGLISH);
    }

    private static String getSanitisedReferrer(ContainerRequestContext containerRequestContext) {
        return StringUtils.substringBefore(containerRequestContext.getHeaderString("Referer"), "?");
    }
}
