package com.zimbra.cs.servlet.util;

import com.google.common.base.Joiner;
import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.BlobMetaData;
import com.zimbra.common.util.BlobMetaDataEncodingException;
import com.zimbra.common.util.HttpUtil;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.Pair;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AuthToken;
import com.zimbra.cs.account.AuthTokenException;
import com.zimbra.cs.account.CsrfTokenKey;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.TokenUtil;
import com.zimbra.cs.account.ZimbraAuthToken;
import com.zimbra.cs.dav.service.method.Delete;
import com.zimbra.cs.dav.service.method.Post;
import com.zimbra.cs.dav.service.method.Put;
import com.zimbra.cs.ephemeral.EphemeralInput;
import com.zimbra.cs.httpclient.URLUtil;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.service.AuthProvider;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.fileupload.FileItem;

/* loaded from: input_file:com/zimbra/cs/servlet/util/CsrfUtil.class */
public final class CsrfUtil {
    protected static final String C_ID = "id";
    protected static final String C_EXP = "exp";
    protected static final String C_SALT_ID = "sid";
    protected static final String PARAM_CSRF_TOKEN = "csrfToken";

    private CsrfUtil() {
    }

    public static boolean isCsrfRequestBasedOnReferrer(HttpServletRequest httpServletRequest, String[] strArr) throws MalformedURLException {
        List asList = Arrays.asList(strArr);
        if (!httpServletRequest.getMethod().equalsIgnoreCase(Post.POST)) {
            return false;
        }
        String requestHost = getRequestHost(httpServletRequest);
        String header = httpServletRequest.getHeader("Referer");
        String str = null;
        if (!StringUtil.isNullOrEmpty(header)) {
            str = ((header.contains(URLUtil.PROTO_HTTP) || header.contains(URLUtil.PROTO_HTTPS)) ? new URL(header) : new URL("http://" + header)).getHost().toLowerCase();
        }
        boolean z = str == null ? false : str.equalsIgnoreCase(requestHost) ? false : strArr == null || !asList.contains(str);
        if (ZimbraLog.soap.isDebugEnabled()) {
            Log log = ZimbraLog.soap;
            Object[] objArr = new Object[4];
            objArr[0] = requestHost;
            objArr[1] = str;
            objArr[2] = Joiner.on(',').join(asList);
            objArr[3] = z ? " not allowed." : " allowed.";
            log.debug("Host : %s, Referrer host :%s, Allowed Hosts:[%s] Soap req is %s", objArr);
        }
        return z;
    }

    public static String getRequestHost(HttpServletRequest httpServletRequest) {
        String virtualHost = HttpUtil.getVirtualHost(httpServletRequest);
        if (virtualHost == null) {
            return virtualHost;
        }
        String str = virtualHost;
        if (str.indexOf(":") != -1) {
            str = virtualHost.substring(0, str.indexOf(":"));
        }
        if (ZimbraLog.soap.isTraceEnabled()) {
            ZimbraLog.soap.trace("Original host : " + virtualHost + " returning: " + str);
        }
        return str.toLowerCase();
    }

    public static AuthToken getAuthTokenFromReq(HttpServletRequest httpServletRequest) {
        AuthToken authToken = null;
        try {
            authToken = AuthProvider.getAuthToken(httpServletRequest, AuthUtil.isAdminRequest(httpServletRequest));
        } catch (ServiceException | AuthTokenException e) {
            ZimbraLog.security.info("Error extracting auth token from the request. " + e.getMessage());
        }
        return authToken;
    }

    public static boolean doCsrfCheck(HttpServletRequest httpServletRequest, AuthToken authToken) throws MalformedURLException {
        boolean isPostReq = isPostReq(httpServletRequest);
        if (isPostReq) {
            if (authToken == null) {
                isPostReq = false;
            } else if (!authToken.isCsrfTokenEnabled()) {
                isPostReq = isCsrfTokenCreated(authToken);
            }
        }
        if (ZimbraLog.misc.isDebugEnabled()) {
            ZimbraLog.misc.debug("ReqURL : " + httpServletRequest.getRequestURI() + (isPostReq ? " needs to " : " does not need to ") + "pass through CSRF check");
        }
        return isPostReq;
    }

    public static boolean isPostReq(HttpServletRequest httpServletRequest) {
        boolean z = true;
        String method = httpServletRequest.getMethod();
        if (!method.equalsIgnoreCase(Post.POST) && !method.equalsIgnoreCase(Put.PUT) && !method.equalsIgnoreCase(Delete.DELETE)) {
            z = false;
        }
        return z;
    }

    public static boolean isCsrfTokenCreated(AuthToken authToken) {
        boolean z = false;
        ZimbraLog.misc.debug("isCsrfTokenCreated()");
        try {
            Account account = getAccount(authToken, Boolean.TRUE.booleanValue());
            if (account != null) {
                z = account.hasCsrfTokenData(authToken.getCrumb());
            }
        } catch (ServiceException | AuthTokenException e) {
            ZimbraLog.ephemeral.info("Error fetching CSRF token data" + e.getMessage());
        }
        return z;
    }

    public static Account getAccount(AuthToken authToken, boolean z) throws ServiceException {
        Account account;
        if (z) {
            Provisioning provisioning = Provisioning.getInstance();
            account = provisioning.get(Key.AccountBy.id, authToken.getAccountId(), Boolean.TRUE.booleanValue());
            if (account != null) {
                provisioning.reload(account);
            }
        } else {
            account = authToken.getAccount();
        }
        return account;
    }

    public static boolean isValidCsrfToken(String str, AuthToken authToken) {
        boolean z;
        String str2;
        String str3;
        String crumb;
        Account account;
        if (StringUtil.isNullOrEmpty(str)) {
            return false;
        }
        try {
            Pair<String, String> parseCsrfToken = parseCsrfToken(str);
            str2 = (String) parseCsrfToken.getFirst();
            str3 = (String) parseCsrfToken.getSecond();
            crumb = authToken.getCrumb();
            account = getAccount(authToken, false);
        } catch (AuthTokenException | ServiceException e) {
            ZimbraLog.misc.info("Error decoding CSRF token, " + e.getMessage());
            z = false;
        }
        if (account == null) {
            return false;
        }
        z = validateCsrfToken(str2, crumb, str3, false, account);
        if (!z) {
            ZimbraLog.misc.info("CSRF token was invalid, rechecking with account object from LDAP.");
            z = validateCsrfToken(str2, crumb, str3, z, getAccount(authToken, true));
            if (ZimbraLog.misc.isDebugEnabled()) {
                ZimbraLog.misc.debug("The csrfToken second check: " + (z ? "is valid." : " is invalid."));
            }
        }
        if (ZimbraLog.misc.isDebugEnabled()) {
            ZimbraLog.misc.debug("The csrfToken: " + (z ? "is valid." : " is invalid."));
        }
        return z;
    }

    private static boolean validateCsrfToken(String str, String str2, String str3, boolean z, Account account) throws ServiceException, AuthTokenException {
        String tokenDataFromLdap = getTokenDataFromLdap(str2, account);
        if (tokenDataFromLdap != null) {
            CsrfTokenKey version = CsrfTokenKey.getVersion(str3);
            if (version == null) {
                throw new AuthTokenException("unknown key version");
            }
            if (TokenUtil.getHmac(tokenDataFromLdap, version.getKey()).equals(str)) {
                if (System.currentTimeMillis() < Long.parseLong((String) getAttrs(tokenDataFromLdap).get(C_EXP))) {
                    z = true;
                }
            }
        }
        return z;
    }

    public static Pair<String, String> parseCsrfToken(String str) throws AuthTokenException {
        int indexOf = str.indexOf(95);
        if (indexOf == -1) {
            throw new AuthTokenException("invalid authtoken format");
        }
        return new Pair<>(str.substring(indexOf + 1), str.substring(0, indexOf));
    }

    private static String getTokenDataFromLdap(String str, Account account) throws ServiceException {
        account.purgeCsrfTokenData();
        return account.getCsrfTokenData(str);
    }

    private static Map<?, ?> getAttrs(String str) throws AuthTokenException {
        try {
            return BlobMetaData.decode(new String(Hex.decodeHex(str.toCharArray())));
        } catch (DecoderException e) {
            throw new AuthTokenException("decoding exception", e);
        } catch (BlobMetaDataEncodingException e2) {
            throw new AuthTokenException("blob decoding exception", e2);
        }
    }

    public static String generateCsrfToken(String str, long j, int i, AuthToken authToken) throws ServiceException {
        try {
            String crumb = authToken.getCrumb();
            String existingCsrfTokenForThisAuthToken = getExistingCsrfTokenForThisAuthToken(authToken, crumb);
            if (existingCsrfTokenForThisAuthToken == null) {
                StringBuilder sb = new StringBuilder(64);
                BlobMetaData.encodeMetaData("id", str, sb);
                BlobMetaData.encodeMetaData(C_EXP, Long.toString(j), sb);
                BlobMetaData.encodeMetaData(C_SALT_ID, i, sb);
                existingCsrfTokenForThisAuthToken = new String(Hex.encodeHex(sb.toString().getBytes()));
            }
            CsrfTokenKey currentKey = getCurrentKey();
            String str2 = currentKey.getVersion() + "_" + TokenUtil.getHmac(existingCsrfTokenForThisAuthToken, currentKey.getKey());
            storeTokenData(existingCsrfTokenForThisAuthToken, authToken, j, crumb);
            return str2;
        } catch (AuthTokenException e) {
            throw ServiceException.FAILURE("Error generating Auth Token, " + e.getMessage(), e);
        }
    }

    private static String getExistingCsrfTokenForThisAuthToken(AuthToken authToken, String str) throws ServiceException {
        Account account = getAccount(authToken, Boolean.TRUE.booleanValue());
        if (account != null) {
            return getTokenDataFromLdap(str, account);
        }
        return null;
    }

    protected static CsrfTokenKey getCurrentKey() throws AuthTokenException {
        try {
            return CsrfTokenKey.getCurrentKey();
        } catch (ServiceException e) {
            ZimbraLog.misc.debug("Unable to get latest CsrfTokenKey", e);
            throw new AuthTokenException("unable to get CsrfTokenKey", e);
        }
    }

    private static void storeTokenData(String str, AuthToken authToken, long j, String str2) throws ServiceException {
        Account account = getAccount(authToken, Boolean.TRUE.booleanValue());
        if (account != null) {
            EphemeralInput.AbsoluteExpiration absoluteExpiration = new EphemeralInput.AbsoluteExpiration(j);
            boolean z = true;
            String csrfTokenData = account.getCsrfTokenData(str2);
            if (csrfTokenData != null) {
                if (str.equals(csrfTokenData)) {
                    ZimbraLog.ephemeral.debug("CSRF token already stored in ephemeral storage");
                    z = false;
                } else {
                    account.removeCsrfTokenData(str2, csrfTokenData);
                }
            }
            if (z) {
                account.addCsrfTokenData(str2, str, absoluteExpiration);
            }
        }
    }

    public static CsrfTokenKey getCsrfTokenKey() throws ServiceException {
        return CsrfTokenKey.getCurrentKey();
    }

    public static AuthToken getAuthTokenFromResponse(HttpServletResponse httpServletResponse) throws AuthTokenException {
        AuthToken authToken = null;
        for (String str : (List) httpServletResponse.getHeaders("Set-Cookie")) {
            if (!StringUtil.isNullOrEmpty(str) && str.contains("ZM_AUTH_TOKEN")) {
                String[] split = str.split(LdapConstants.FILTER_TYPE_EQUAL);
                authToken = AuthToken.getAuthToken(split[1].substring(0, split[1].indexOf(";")));
            }
        }
        return authToken;
    }

    public static String generateCsrfTokenTest(String str, long j, int i, String str2) throws AuthTokenException {
        StringBuilder sb = new StringBuilder(64);
        BlobMetaData.encodeMetaData("id", str, sb);
        BlobMetaData.encodeMetaData(C_EXP, Long.toString(j), sb);
        BlobMetaData.encodeMetaData(C_SALT_ID, i, sb);
        String str3 = new String(Hex.encodeHex(sb.toString().getBytes()));
        CsrfTokenKey currentKey = getCurrentKey();
        return currentKey.getVersion() + "_" + TokenUtil.getHmac(str3, currentKey.getKey()) + "_" + str3;
    }

    public static boolean checkCsrfInMultipartFileUpload(List<FileItem> list, AuthToken authToken) {
        for (FileItem fileItem : list) {
            if (fileItem.isFormField() && fileItem.getFieldName().equals(PARAM_CSRF_TOKEN)) {
                if (fileItem.getSize() >= 128) {
                    return false;
                }
                String string = fileItem.getString();
                if (isValidCsrfToken(string, authToken)) {
                    return true;
                }
                ZimbraLog.misc.debug("Csrf token : %s recd in file upload is invalid.", new Object[]{string});
                return false;
            }
        }
        return false;
    }

    public static void main(String[] strArr) {
        try {
            System.out.println(isValidCsrfToken("0_a00d6f6af20bf183ab63911ab648a7869793158e", ZimbraAuthToken.getAuthToken("0_f66f9e23c3d6ec89c0723375489c729b13b108d9_69643d33363a34313537336365352d303035352d343066362d626235372d6264396238663136663666393b6578703d31333a313430333935303235363538323b747970653d363a7a696d6272613b7469643d31303a313837363638363831333b76657273696f6e3d303a3b637372663d313a313b")));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
