package org.apache.atlas.web.filters;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.atlas.ApplicationProperties;
import org.apache.atlas.AtlasException;
import org.apache.commons.configuration.Configuration;
import org.json.simple.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

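/**
 * Servlet {@link Filter} that applies cross-site request forgery (CSRF)
 * protection to Atlas REST requests.
 *
 * <p>A request is allowed to proceed when any of the following holds:
 * <ul>
 *   <li>the {@code User-Agent} does not fully match any configured browser
 *       pattern (the check only targets browser-originated requests);</li>
 *   <li>the HTTP method is in the configured ignore list (by default
 *       {@code GET,OPTIONS,HEAD,TRACE});</li>
 *   <li>the request carries the configured CSRF header (default
 *       {@code X-XSRF-HEADER}) whose value equals the token stored in the
 *       session attribute {@value #CSRF_TOKEN}.</li>
 * </ul>
 * Otherwise the request is rejected with HTTP 400 and a small JSON body.
 *
 * <p>Configuration is read once from {@link ApplicationProperties} in the
 * static initializer. Whether the filter is active at all is controlled by
 * {@code atlas.rest-csrf.enabled} (default {@code true}).
 */
@Component
public class AtlasCSRFPreventionFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(AtlasCSRFPreventionFilter.class);

    /** Application configuration; {@code null} when it could not be loaded (see the static initializer). */
    private static Configuration configuration;

    /** Whether CSRF checks are performed at all; read from {@code atlas.rest-csrf.enabled}. */
    public static final boolean isCSRF_ENABLED;

    public static final String BROWSER_USER_AGENT_PARAM = "atlas.rest-csrf.browser-useragents-regex";
    public static final String BROWSER_USER_AGENTS_DEFAULT = "^Mozilla.*,^Opera.*,^Chrome";
    public static final String CUSTOM_METHODS_TO_IGNORE_PARAM = "atlas.rest-csrf.methods-to-ignore";
    public static final String METHODS_TO_IGNORE_DEFAULT = "GET,OPTIONS,HEAD,TRACE";
    public static final String CUSTOM_HEADER_PARAM = "atlas.rest-csrf.custom-header";
    public static final String HEADER_DEFAULT = "X-XSRF-HEADER";
    public static final String HEADER_USER_AGENT = "User-Agent";
    /** Session attribute under which the expected CSRF token is stored. */
    public static final String CSRF_TOKEN = "_csrfToken";

    /** Configuration key that switches the filter on or off. */
    private static final String CSRF_ENABLED_PARAM = "atlas.rest-csrf.enabled";

    /** Name of the request header that must carry the CSRF token. */
    private String headerName = HEADER_DEFAULT;
    /** HTTP methods exempt from the check; {@code null} until {@link #init(FilterConfig)} has run. */
    private Set<String> methodsToIgnore = null;
    /** Compiled User-Agent patterns identifying browsers; {@code null} until {@link #init(FilterConfig)} has run. */
    private Set<Pattern> browserUserAgents;

    /**
     * Abstraction over the parts of an HTTP exchange the CSRF check needs,
     * so the decision logic can be exercised without a servlet container.
     */
    public interface HttpInteraction {
        /** Returns the value of the named request header, or {@code null} when absent. */
        String getHeader(String name);

        /** Returns the HTTP method of the request. */
        String getMethod();

        /** Continues processing the request (the rest of the filter chain). */
        void proceed() throws IOException, ServletException;

        /** Rejects the request with the given status code and message. */
        void sendError(int status, String message) throws IOException;
    }

    /**
     * {@link HttpInteraction} backed by a real servlet request/response pair
     * and the remaining {@link FilterChain}.
     */
    public static final class ServletFilterHttpInteraction implements HttpInteraction {
        private final FilterChain chain;
        private final HttpServletRequest httpRequest;
        private final HttpServletResponse httpResponse;

        public ServletFilterHttpInteraction(HttpServletRequest httpServletRequest,
                                            HttpServletResponse httpServletResponse,
                                            FilterChain filterChain) {
            this.httpRequest = httpServletRequest;
            this.httpResponse = httpServletResponse;
            this.chain = filterChain;
        }

        @Override
        public String getHeader(String name) {
            return httpRequest.getHeader(name);
        }

        @Override
        public String getMethod() {
            return httpRequest.getMethod();
        }

        @Override
        public void proceed() throws IOException, ServletException {
            chain.doFilter(httpRequest, httpResponse);
        }

        /**
         * Returns the request's session, with {@link HttpServletRequest#getSession()}
         * semantics (a session is created if none exists yet).
         */
        public HttpSession getSession() {
            return httpRequest.getSession();
        }

        /**
         * Writes a JSON error body of the form {@code {"msgDesc": message}} with
         * the given status; content type {@code application/json}, UTF-8.
         */
        @Override
        @SuppressWarnings("unchecked") // JSONObject is a raw HashMap
        public void sendError(int status, String message) throws IOException {
            JSONObject body = new JSONObject();
            body.put("msgDesc", message);
            httpResponse.setContentType("application/json");
            httpResponse.setStatus(status);
            // must precede getWriter(), otherwise the encoding is fixed already
            httpResponse.setCharacterEncoding("UTF-8");
            httpResponse.getWriter().write(body.toJSONString());
        }
    }

    /**
     * Creates the filter and, when CSRF protection is enabled, eagerly
     * initializes it from application configuration so the check works even
     * if the container never calls {@link #init(FilterConfig)}.
     */
    public AtlasCSRFPreventionFilter() {
        try {
            if (isCSRF_ENABLED) {
                init(null);
            }
        } catch (Exception e) {
            LOG.error("Error while initializing Filter ", e);
        }
    }

    /**
     * Reads the header name, ignored methods and browser User-Agent patterns
     * from application configuration, falling back to the built-in defaults
     * when a key is absent or configuration could not be loaded.
     *
     * @param filterConfig unused; may be {@code null} (the constructor passes
     *                     {@code null} when initializing eagerly)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        headerName = configValue(CUSTOM_HEADER_PARAM, HEADER_DEFAULT);
        parseMethodsToIgnore(configValue(CUSTOM_METHODS_TO_IGNORE_PARAM, METHODS_TO_IGNORE_DEFAULT));
        parseBrowserUserAgents(configValue(BROWSER_USER_AGENT_PARAM, BROWSER_USER_AGENTS_DEFAULT));
        LOG.info("Adding cross-site request forgery (CSRF) protection");
    }

    /**
     * Looks up a string property, returning {@code defaultValue} when the
     * configuration is unavailable or the lookup yields {@code null}.
     */
    private static String configValue(String key, String defaultValue) {
        if (configuration == null) {
            return defaultValue;
        }
        String value = configuration.getString(key, defaultValue);
        return value != null ? value : defaultValue;
    }

    /**
     * Parses a comma-separated list of HTTP methods that bypass the check.
     * Entries are trimmed and blank entries dropped; matching is case-sensitive,
     * as HTTP method names are.
     */
    void parseMethodsToIgnore(String str) {
        methodsToIgnore = splitCommaList(str);
    }

    /**
     * Parses a comma-separated list of regular expressions; a User-Agent that
     * fully matches any of them is treated as a browser. Entries are trimmed,
     * since a stray space in front of an anchored pattern would never match.
     *
     * @throws java.util.regex.PatternSyntaxException if an entry is not a valid regex
     */
    void parseBrowserUserAgents(String str) {
        Set<Pattern> patterns = new HashSet<Pattern>();
        for (String regex : splitCommaList(str)) {
            patterns.add(Pattern.compile(regex));
        }
        browserUserAgents = patterns;
    }

    /** Splits on commas, trims each entry and drops empty ones; {@code null} yields an empty set. */
    private static Set<String> splitCommaList(String csv) {
        Set<String> entries = new HashSet<String>();
        if (csv == null) {
            return entries;
        }
        for (String entry : csv.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries;
    }

    /**
     * Returns {@code true} when {@code userAgent} fully matches one of the
     * configured browser patterns; {@code false} for a {@code null} agent or
     * before the patterns have been parsed.
     */
    protected boolean isBrowser(String userAgent) {
        if (userAgent == null || browserUserAgents == null) {
            return false;
        }
        for (Pattern pattern : browserUserAgents) {
            if (pattern.matcher(userAgent).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Applies the CSRF decision to one request.
     *
     * <p>The request proceeds when the client is not a browser, the method is
     * exempt, or the CSRF header equals the session token. The token comparison
     * is constant-time and fails closed: a missing or empty session token never
     * matches, so an empty header cannot satisfy the check for a session that
     * has no token yet.
     *
     * @param httpInteraction the exchange; the session token can only be read
     *                        from a {@link ServletFilterHttpInteraction}, any
     *                        other implementation is treated as having no token
     */
    public void handleHttpInteraction(HttpInteraction httpInteraction) throws IOException, ServletException {
        String expectedToken = sessionToken(httpInteraction);
        String headerToken = httpInteraction.getHeader(headerName);

        if (!isBrowser(httpInteraction.getHeader(HEADER_USER_AGENT))
                || isIgnoredMethod(httpInteraction.getMethod())
                || tokensMatch(headerToken, expectedToken)) {
            httpInteraction.proceed();
        } else {
            httpInteraction.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Missing header or invalid Header value for CSRF Vulnerability Protection");
        }
    }

    /** {@code true} when the method is in the ignore list; {@code false} before {@link #init(FilterConfig)} ran. */
    private boolean isIgnoredMethod(String method) {
        return methodsToIgnore != null && methodsToIgnore.contains(method);
    }

    /**
     * Reads the CSRF token from the session, or returns {@code null} when the
     * interaction has no servlet session or the attribute is absent / not a String.
     */
    private static String sessionToken(HttpInteraction httpInteraction) {
        if (!(httpInteraction instanceof ServletFilterHttpInteraction)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No servlet session available for {}", httpInteraction.getClass().getName());
            }
            return null;
        }
        HttpSession session = ((ServletFilterHttpInteraction) httpInteraction).getSession();
        if (session == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Session is null");
            }
            return null;
        }
        Object token = session.getAttribute(CSRF_TOKEN);
        return token instanceof String ? (String) token : null;
    }

    /**
     * Constant-time token comparison. A {@code null} presented token, or a
     * {@code null}/empty expected token, never matches.
     */
    private static boolean tokensMatch(String presented, String expected) {
        if (presented == null || expected == null || expected.isEmpty()) {
            return false;
        }
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Hands the response to {@code HeadersUtil} for the {@code X-Frame-Options}
     * header, then either runs the CSRF check or passes the request straight
     * through when protection is disabled.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HeadersUtil.setHeaderMapAttributes(new AtlasResponseRequestWrapper(httpServletResponse), "X-Frame-Options");
        if (isCSRF_ENABLED) {
            handleHttpInteraction(new ServletFilterHttpInteraction(httpServletRequest, httpServletResponse, filterChain));
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    static {
        Configuration loaded = null;
        try {
            loaded = ApplicationProperties.get();
            LOG.info("Configuration obtained :: " + loaded);
        } catch (AtlasException e) {
            LOG.error(e.getMessage(), e);
        }
        configuration = loaded;
        // Fail closed: if configuration could not be loaded, keep protection on
        // (the documented default) instead of failing class initialization with
        // an NPE; init() then falls back to the built-in defaults.
        isCSRF_ENABLED = loaded == null || loaded.getBoolean(CSRF_ENABLED_PARAM, true);
    }
}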
