package com.agapsys.security.web;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Objects;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/* loaded from: input_file:com/agapsys/security/web/SessionCsrfSecurityManager.class */
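public class SessionCsrfSecurityManager extends SessionSecurityManager {
    /** Session attribute under which the per-session CSRF token is stored. */
    private static final String SESSION_ATTR_CSRF_TOKEN = SessionCsrfSecurityManager.class.getName() + ".csrfToken";
    /** Number of characters in a generated token. */
    private static final int CSRF_TOKEN_LENGTH = 128;
    /** Header the token is issued through on login and must be echoed back in by the client. */
    public static final String CSRF_HEADER = "X-Csrf-Token";

    /** Alphabet tokens are drawn from (62 symbols). */
    private static final String TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    /*
     * CSRF tokens are security-relevant secrets, so they are drawn from a CSPRNG.
     * java.util.Random (used by the original decompiled code) is a seedable LCG whose
     * future output is recoverable from a few observed values; SecureRandom is not.
     * SecureRandom is thread-safe, so one shared instance is sufficient.
     */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Generates a random string of {@code i} characters from {@link #TOKEN_ALPHABET}.
     *
     * @param i number of characters, must be at least 1
     * @return the generated string
     * @throws IllegalArgumentException if {@code i < 1}
     */
    private static String getRandomString(int i) throws IllegalArgumentException {
        return getRandomString(i, TOKEN_ALPHABET.toCharArray());
    }

    /**
     * Generates a random string of {@code i} characters, each chosen uniformly from {@code cArr}.
     *
     * @param i    number of characters, must be at least 1
     * @param cArr candidate characters, must be non-null and non-empty
     * @return the generated string
     * @throws IllegalArgumentException if {@code i < 1} or {@code cArr} is null/empty
     */
    private static String getRandomString(int i, char[] cArr) throws IllegalArgumentException {
        if (i < 1) {
            throw new IllegalArgumentException("Invalid length: " + i);
        }
        if (cArr == null || cArr.length == 0) {
            throw new IllegalArgumentException("Null/Empty chars");
        }
        StringBuilder sb = new StringBuilder(i);
        for (int pos = 0; pos < i; pos++) {
            // nextInt(bound) is uniform over [0, bound), so there is no modulo bias here.
            sb.append(cArr[RANDOM.nextInt(cArr.length)]);
        }
        return sb.toString();
    }

    /**
     * Compares the stored token with the one supplied by the client without leaking,
     * through timing, how many leading bytes matched.
     *
     * <p>Null handling mirrors {@link Objects#equals(Object, Object)}: two nulls compare equal,
     * one null compares unequal. NOTE(review): this means a session that carries no token
     * (e.g. after {@link #unregisterCurrentUser()}) accepts a request with no header; a
     * fail-closed variant would return {@code false} whenever {@code expected} is null —
     * confirm against how the framework dispatches {@link #isAllowed} before changing it.
     *
     * @param expected token held in the session, may be null
     * @param provided token taken from the request header, may be null
     * @return whether the two tokens are byte-for-byte equal
     */
    private static boolean tokensMatch(String expected, String provided) {
        if (expected == null || provided == null) {
            return expected == provided;
        }
        // MessageDigest.isEqual runs in constant time for equal-length inputs; tokens have a fixed length.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Allows the request only if an existing session holds a CSRF token and the request's
     * {@value #CSRF_HEADER} header matches it. A request with no session is rejected.
     *
     * @param httpServletRequest request whose {@code X-Csrf-Token} header is checked
     * @return {@code true} when the header matches the session token
     */
    @Override // com.agapsys.security.web.WebSecurityManager
    protected boolean isAllowed(HttpServletRequest httpServletRequest) {
        // getSession(false) never creates a session; an anonymous request cannot pass.
        HttpSession session = getRequest().getSession(false);
        if (session == null) {
            return false;
        }
        String sessionToken = (String) session.getAttribute(SESSION_ATTR_CSRF_TOKEN);
        String requestToken = httpServletRequest.getHeader(CSRF_HEADER);
        return tokensMatch(sessionToken, requestToken);
    }

    /**
     * Registers {@code user} as the current user, then issues a fresh CSRF token: it is stored in the
     * (possibly newly created) session and returned to the client in the {@value #CSRF_HEADER}
     * response header.
     *
     * @param user user to register (handled by the superclass)
     */
    @Override // com.agapsys.security.web.SessionSecurityManager, com.agapsys.security.web.WebSecurityManager
    public void setCurrentUser(User user) {
        super.setCurrentUser(user);
        HttpSession session = getRequest().getSession(true);
        // A new token per login bounds the lifetime of any token that leaked earlier.
        String token = getRandomString(CSRF_TOKEN_LENGTH);
        session.setAttribute(SESSION_ATTR_CSRF_TOKEN, token);
        getResponse().setHeader(CSRF_HEADER, token);
    }

    /**
     * Unregisters the current user and drops the CSRF token from the session, if there is one.
     */
    @Override // com.agapsys.security.web.SessionSecurityManager, com.agapsys.security.web.WebSecurityManager
    public void unregisterCurrentUser() {
        super.unregisterCurrentUser();
        HttpSession session = getRequest().getSession(false);
        if (session != null) {
            session.removeAttribute(SESSION_ATTR_CSRF_TOKEN);
        }
    }
}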
