package org.owasp.webgoat.plugin;

import com.google.common.net.HttpHeaders;
import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.StringElement;
import org.apache.ecs.html.B;
import org.apache.ecs.html.H1;
import org.apache.ecs.html.Input;
import org.apache.ecs.html.P;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TH;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.plugin.GoatHillsFinancial.GoatHillsFinancial;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/fail-open-authentication-1.0.jar:org/owasp/webgoat/plugin/FailOpenAuthentication.class */
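/**
 * WebGoat "Fail Open Authentication" lesson.
 *
 * <p>The login handler in {@link #createContent(WebSession)} is <em>deliberately</em> fail-open:
 * when the request parser throws while reading the credentials, the exception is swallowed and,
 * if a user name had already been read, the request is treated as authenticated. That flaw is
 * the lesson's teaching target and is preserved here on purpose. A production authentication
 * path must fail closed: any error while reading or validating credentials denies access and
 * returns the login form, and the failure is logged for detection rather than silently ignored.
 *
 * <p>This listing is decompiler output, so the exact source layout is reconstructed. In
 * particular the decompiled code called {@link #makeUser} (which declares
 * {@code throws Exception}) outside any try block from a method that declares no checked
 * exceptions, which cannot compile; that call is kept inside the outer catch-all here, which
 * is also where the other {@code makeUser} call already sat.
 */
public class FailOpenAuthentication extends LessonAdapter {
    /** Request parameter that, when true, logs the user out. */
    protected static final String LOGOUT = "WACLogout";
    /** Request parameter carrying the password. */
    protected static final String PASSWORD = "Password";
    /** Request parameter carrying the user name. */
    protected static final String USERNAME = "Username";
    /** Lesson ordering rank; {@code Integer.valueOf} replaces the deprecated boxing constructor. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(20);
    /** The only user name / password value accepted on the intended (non-exploit) path. */
    private static final String EXPECTED_CREDENTIAL = "webgoat";

    /**
     * Renders the lesson page: the login form, the logout handling, or the "welcome" page.
     *
     * @param webSession the current WebGoat session; parameters are read through its parser
     * @return the page content to display
     */
    @Override
    public Element createContent(WebSession webSession) {
        if (webSession.getParser().getBooleanParameter(LOGOUT, false)) {
            webSession.setMessage("Goodbye!");
            webSession.eatCookies();
            return makeLogin(webSession);
        }
        try {
            String username = "";
            String password = "";
            try {
                username = webSession.getParser().getRawParameter(USERNAME);
                password = webSession.getParser().getRawParameter(PASSWORD);
            } catch (Exception e) {
                // INTENTIONAL LESSON FLAW (fail open): a parser error raised while reading
                // the credentials is swallowed, and a request that already yielded a user
                // name is treated as authenticated. The fail-closed form would not fall
                // through here at all: it would log the failure and
                // `return makeLogin(webSession);` unconditionally.
                // The message is null-guarded so a message-less exception cannot NPE; the
                // "not found" text is whatever the parser reports for a missing parameter
                // (its wording is not visible in this file).
                String reason = e.getMessage();
                if (username != null && username.length() > 0
                        && reason != null && reason.contains("not found")) {
                    makeSuccess(webSession);
                    return makeUser(webSession, username, "Fail Open Error Handling");
                }
            }
            // Constant-on-the-left equals keeps this null-safe for both values.
            if (!EXPECTED_CREDENTIAL.equals(username) || !EXPECTED_CREDENTIAL.equals(password)) {
                webSession.setMessage("Invalid username and password entered.");
                return makeLogin(webSession);
            }
            // Both values equal EXPECTED_CREDENTIAL here, so the decompiled listing's later
            // empty-string checks could never fire and are dropped.
            return makeUser(webSession, username, "Parameters.  You did not exploit the fail open.");
        } catch (Exception e) {
            // Catch-all for rendering problems (e.g. makeUser); the user gets the login form.
            webSession.setMessage("Error generating " + getClass().getName());
        }
        return makeLogin(webSession);
    }

    /** @return the lesson category this lesson is listed under */
    @Override
    public Category getDefaultCategory() {
        return Category.ERROR_HANDLING;
    }

    /**
     * Progressive hints shown to the student.
     *
     * @param webSession the current session (unused here)
     * @return the hint texts, in the order they are revealed
     */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<String>();
        hints.add("You can force errors during the authentication process.");
        hints.add("You can change length, existance, or values of authentication parameters.");
        hints.add("Try removing a parameter ENTIRELY with <A href=\"https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project\">OWASP ZAP</A>.");
        return hints;
    }

    /**
     * Task description shown at the top of the lesson.
     *
     * @param webSession the current session (unused here)
     * @return the instruction text
     */
    @Override
    public String getInstructions(WebSession webSession) {
        return "Due to an error handling problem in the authentication mechanism, it is possible to authenticate as the 'webgoat' user without entering a password.  Try to login as the webgoat user without specifying a password.";
    }

    /** @return the lesson's ordering rank within its category */
    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /** @return the lesson title shown in the menu */
    @Override
    public String getTitle() {
        return "Fail Open Authentication Scheme";
    }

    /**
     * Builds the sign-in form (user name, password, login button).
     *
     * @param webSession the current session; only consulted for the colour/border setting
     * @return the form as an ECS element tree
     */
    protected Element makeLogin(WebSession webSession) {
        ElementContainer page = new ElementContainer();
        page.addElement(new H1().addElement(getLabelManager().get("SignIn")));

        Table form = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
        if (webSession.isColor()) {
            form.setBorder(1);
        }

        TR header = new TR();
        header.addElement(new TH().addElement(getLabelManager().get("WeakAuthenticationCookiePleaseSignIn")).setColSpan(2).setAlign("left"));
        form.addElement(header);

        TR requiredNote = new TR();
        requiredNote.addElement(new TD().addElement("*" + getLabelManager().get("RequiredFields")).setWidth("30%"));
        form.addElement(requiredNote);

        TR spacer = new TR();
        spacer.addElement(new TD().addElement("&nbsp;").setColSpan(2));
        form.addElement(spacer);

        // One row per credential field; the field names must match USERNAME / PASSWORD,
        // which createContent reads back from the request.
        TR usernameRow = new TR();
        TR passwordRow = new TR();
        usernameRow.addElement(new TD(new B(new StringElement("*" + getLabelManager().get("UserName")))));
        passwordRow.addElement(new TD(new B(new StringElement("*" + getLabelManager().get("Password")))));
        Input usernameField = new Input("TEXT", USERNAME, "");
        Input passwordField = new Input(Input.PASSWORD, PASSWORD, "");
        usernameRow.addElement(new TD(usernameField));
        passwordRow.addElement(new TD(passwordField));
        form.addElement(usernameRow);
        form.addElement(passwordRow);

        form.addElement(new TR(new TD(ECSFactory.makeButton(getLabelManager().get(GoatHillsFinancial.LOGIN_ACTION)))));
        page.addElement(form);
        return page;
    }

    /**
     * Builds the post-login page naming the user and how they were authenticated.
     *
     * @param webSession the current session (unused here; kept for the existing signature)
     * @param str the user name to greet
     * @param str2 the text describing the authentication method used
     * @return the page as an ECS element tree
     * @throws Exception propagated from the ECS link factory
     */
    protected Element makeUser(WebSession webSession, String str, String str2) throws Exception {
        ElementContainer page = new ElementContainer();
        page.addElement(new P().addElement(getLabelManager().get("WelcomeUser") + str));
        page.addElement(new P().addElement(getLabelManager().get("YouHaveBeenAuthenticatedWith") + str2));
        page.addElement(new P().addElement(ECSFactory.makeLink(getLabelManager().get("Logout"), LOGOUT, true)));
        page.addElement(new P().addElement(ECSFactory.makeLink(getLabelManager().get(HttpHeaders.REFRESH), "", "")));
        return page;
    }
}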
