package org.owasp.webgoat.plugin;

import java.util.ArrayList;
import java.util.List;
import org.apache.ecs.Element;
import org.apache.ecs.ElementContainer;
import org.apache.ecs.html.TD;
import org.apache.ecs.html.TR;
import org.apache.ecs.html.Table;
import org.jboss.netty.handler.codec.rtsp.RtspHeaders;
import org.owasp.webgoat.lessons.Category;
import org.owasp.webgoat.lessons.LessonAdapter;
import org.owasp.webgoat.session.ECSFactory;
import org.owasp.webgoat.session.WebSession;

/* loaded from: input_file:WebGoat.war:plugin_lessons/access-control-matrix-1.0.jar:org/owasp/webgoat/plugin/AccessControlMatrix.class */
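/**
 * WebGoat lesson "Using an Access Control Matrix".
 *
 * <p>The lesson renders two pull-downs (user and resource) and a "Check Access" button. Access is
 * decided by mapping the selected user to a fixed set of roles and each role to a fixed set of
 * resources. The role/resource matrix in {@link #getResources(List)} deliberately grants the
 * "User" role access to "Account Manager"; the lesson is solved when a user without the "Admin"
 * role is allowed to reach that resource (see {@link #createContent(WebSession)}). Do not "fix"
 * that mapping: it is the teaching point, not a defect.
 */
public class AccessControlMatrix extends LessonAdapter {
    /** Request parameter carrying the selected resource. */
    private static final String RESOURCE = "Resource";
    /** Request parameter carrying the selected user; also reused as the name of the "User" role. */
    private static final String USER = "User";

    // Role names. The decompiled original referenced "Public" through an unrelated netty
    // constant (RtspHeaders.Names.PUBLIC, whose value is "Public"); spelling the literal here
    // removes that accidental dependency without changing the value.
    private static final String ROLE_PUBLIC = "Public";
    private static final String ROLE_USER = USER;
    private static final String ROLE_MANAGER = "Manager";
    private static final String ROLE_ADMIN = "Admin";

    /** Resources offered in the pull-down; index positions are used by {@link #getResources(List)}. */
    private static final String[] resources = {
        "Public Share",        // 0
        "Time Card Entry",     // 1
        "Performance Review",  // 2
        "Time Card Approval",  // 3
        "Site Manager",        // 4
        "Account Manager"      // 5
    };
    /** Roles in matrix order: Public, User, Manager, Admin. */
    private static final String[] roles = {ROLE_PUBLIC, ROLE_USER, ROLE_MANAGER, ROLE_ADMIN};
    /** Users offered in the pull-down; index positions are used by {@link #getRoles(String)}. */
    private static final String[] users = {"Moe", "Larry", "Curly", "Shemp"};
    /** Ranking returned by {@link #getDefaultRanking()}; {@code Integer.valueOf} replaces the deprecated constructor. */
    private static final Integer DEFAULT_RANKING = Integer.valueOf(10);

    /**
     * Builds the lesson page: the user/resource form plus the access-check outcome.
     *
     * <p>The selected user and resource are read from the request (defaulting to the first entry
     * of each list), the user's roles are resolved, and {@link #isAllowed(String, String)} decides
     * whether to report access. The lesson is marked solved when a non-Admin user is allowed to
     * reach "Account Manager".
     *
     * @param webSession the current WebGoat session (parameters, colour preference, message sink)
     * @return the container holding the rendered form; on failure the message is set and the
     *     container may be empty
     */
    @Override
    public Element createContent(WebSession webSession) {
        ElementContainer page = new ElementContainer();
        try {
            String selectedUser = webSession.getParser().getRawParameter(USER, users[0]);
            String selectedResource = webSession.getParser().getRawParameter(RESOURCE, resources[0]);
            // Resolve once; the original resolved the same roles twice.
            List<String> userRoles = getRoles(selectedUser);
            String rolesText = userRoles.toString();

            Table form = new Table().setCellSpacing(0).setCellPadding(2).setBorder(0).setWidth("90%").setAlign("center");
            if (webSession.isColor()) {
                form.setBorder(1);
            }

            TR userRow = new TR();
            userRow.addElement(new TD().addElement("Change user:"));
            userRow.addElement(new TD().addElement(ECSFactory.makePulldown(USER, users, selectedUser, 1)));
            form.addElement(userRow);

            TR resourceRow = new TR();
            resourceRow.addElement(new TD().addElement("Select resource: "));
            resourceRow.addElement(new TD().addElement(ECSFactory.makePulldown(RESOURCE, resources, selectedResource, 1)));
            form.addElement(resourceRow);

            TR spacerRow = new TR();
            spacerRow.addElement(new TD("&nbsp;").setColSpan(2).setAlign("center"));
            form.addElement(spacerRow);

            TR buttonRow = new TR();
            buttonRow.addElement(new TD(ECSFactory.makeButton("Check Access")).setColSpan(2).setAlign("center"));
            form.addElement(buttonRow);

            page.addElement(form);

            // NOTE(review): selectedUser/selectedResource come from getRawParameter and are
            // reflected into the message unescaped; verify that setMessage output is HTML-encoded
            // before it reaches the browser.
            if (isAllowed(selectedUser, selectedResource)) {
                // Success condition of the lesson: a user without the Admin role reached the
                // Admin-only "Account Manager" resource.
                if (!userRoles.contains(ROLE_ADMIN) && resources[5].equals(selectedResource)) {
                    makeSuccess(webSession);
                }
                webSession.setMessage("User " + selectedUser + " " + rolesText + " was allowed to access resource " + selectedResource);
            } else {
                webSession.setMessage("User " + selectedUser + " " + rolesText + " did not have privilege to access resource " + selectedResource);
            }
        } catch (Exception e) {
            // Broad catch kept from the original: the parser/ECS calls above may throw checked
            // exceptions that are not declared in this file. No logger is in scope here.
            webSession.setMessage("Error generating " + getClass().getName());
            e.printStackTrace();
        }
        return page;
    }

    /** @return the lesson category, always {@link Category#ACCESS_CONTROL} */
    @Override
    protected Category getDefaultCategory() {
        return Category.ACCESS_CONTROL;
    }

    /**
     * Returns the hints shown to the student, in display order.
     *
     * @param webSession the current session (unused)
     * @return a fresh, mutable list of hint strings
     */
    @Override
    protected List<String> getHints(WebSession webSession) {
        List<String> hints = new ArrayList<>();
        hints.add("Many sites attempt to restrict access to resources by role.");
        hints.add("Developers frequently make mistakes implementing this scheme.");
        hints.add("Attempt combinations of users, roles, and resources.");
        return hints;
    }

    /** @return the fixed default ranking, {@code 10} */
    @Override
    protected Integer getDefaultRanking() {
        return DEFAULT_RANKING;
    }

    /**
     * Expands a set of roles into the resources those roles may access.
     *
     * <p>This is the lesson's access control matrix. The "User" role intentionally includes
     * "Account Manager" (resources[5]) in addition to the Admin role; that over-grant is what the
     * student is expected to discover.
     *
     * @param userRoles roles held by a user (any subset of {@link #roles})
     * @return a fresh list of accessible resources; may contain "Account Manager" twice when both
     *     the User and Admin roles are present, exactly as the original did
     */
    private List<String> getResources(List<String> userRoles) {
        List<String> accessible = new ArrayList<>();
        if (userRoles.contains(ROLE_PUBLIC)) {
            accessible.add(resources[0]);
        }
        if (userRoles.contains(ROLE_USER)) {
            accessible.add(resources[1]);
            accessible.add(resources[5]); // intentional over-grant (lesson flaw)
        }
        if (userRoles.contains(ROLE_MANAGER)) {
            accessible.add(resources[2]);
            accessible.add(resources[3]);
        }
        if (userRoles.contains(ROLE_ADMIN)) {
            accessible.add(resources[4]);
            accessible.add(resources[5]);
        }
        return accessible;
    }

    /**
     * Maps a user name to the roles that user holds.
     *
     * @param userName one of {@link #users}; any other value yields no roles
     * @return a fresh list of role names (possibly empty)
     */
    private List<String> getRoles(String userName) {
        List<String> held = new ArrayList<>();
        if (userName.equals(users[0])) {
            held.add(ROLE_PUBLIC);
        } else if (userName.equals(users[1])) {
            held.add(ROLE_USER);
            held.add(ROLE_MANAGER);
        } else if (userName.equals(users[2])) {
            held.add(ROLE_PUBLIC);
            held.add(ROLE_MANAGER);
        } else if (userName.equals(users[3])) {
            held.add(ROLE_ADMIN);
        }
        return held;
    }

    /** @return the lesson title shown in the menu */
    @Override
    public String getTitle() {
        return "Using an Access Control Matrix";
    }

    /**
     * Decides whether {@code userName} may access {@code resourceName} under the matrix.
     *
     * @param userName the selected user
     * @param resourceName the selected resource
     * @return {@code true} if any of the user's roles grants the resource
     */
    private boolean isAllowed(String userName, String resourceName) {
        return getResources(getRoles(userName)).contains(resourceName);
    }
}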
