package com.zimbra.cs.servlet;

import com.google.common.base.Joiner;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.CsrfTokenKey;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.service.FileUploadServlet;
import com.zimbra.cs.servlet.util.CsrfUtil;
import com.zimbra.soap.RequestContext;
import java.io.IOException;
import java.net.MalformedURLException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import java.util.Random;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:com/zimbra/cs/servlet/CsrfFilter.class */
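/**
 * Servlet filter that performs the CSRF defences for every request: a referer-host
 * check (optional, 403 on failure) and a marker telling downstream code whether the
 * CSRF token check applies. Both checks are switched on/off from global config.
 */
public class CsrfFilter implements Filter {
    /** Request attribute carrying a fresh random salt for this request. */
    public static final String CSRF_SALT = "CSRF_SALT";
    public static final String AUTH_TOKEN = "AuthToken";
    /** Request attribute: {@code Boolean.TRUE} when the CSRF token check applies to this request. */
    public static final String CSRF_TOKEN_CHECK = "CsrfTokenCheck";
    /** Request attribute set to {@code Boolean.TRUE} whenever token checking is enabled in config. */
    private static final String CSRF_TOKEN_CHECK_ENABLED_ATTR = "zimbraCsrfTokenCheckEnabled";

    // Only read (for a debug log line) in this class; nothing here assigns it.
    protected int maxCsrfTokenValidityInMs;
    // Hosts accepted by the referer check; loaded from config in init().
    private String[] allowedRefHosts;
    // The salt is attached to every request for CSRF purposes, so it must come from a CSPRNG.
    private final SecureRandom nonceGen = new SecureRandom();

    /**
     * Loads the allowed referer hosts from config.
     *
     * @throws ServletException if global config cannot be read
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        try {
            allowedRefHosts = Provisioning.getInstance().getConfig().getCsrfAllowedRefererHosts();
            // Return value is discarded; presumably this warms up the current key at startup — confirm.
            CsrfTokenKey.getCurrentKey();
            if (ZimbraLog.misc.isInfoEnabled()) {
                ZimbraLog.misc.info("CSRF filter was initialized: CSRFAllowedRefHost: ["
                        + describeAllowedHosts() + "]");
            }
        } catch (ServiceException e) {
            throw new ServletException("Error initializing CSRF filter: " + e.getMessage(), e);
        }
    }

    @Override
    public void destroy() {
        ZimbraLog.filter.info("Destroying CSRF filter.");
    }

    /**
     * Applies the referer check (when enabled) and records whether the token check
     * applies, then passes the request down the chain.
     *
     * @throws IOException      propagated from the chain or from sending the 403
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        ZimbraLog.clearContext();
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        request.setAttribute(CSRF_SALT, Integer.valueOf(nonceGen.nextInt() + 1));
        if (ZimbraLog.misc.isDebugEnabled()) {
            ZimbraLog.misc.debug("CSRF Request URI: " + request.getRequestURI());
        }

        boolean tokenCheckEnabled = false;
        boolean refererCheckEnabled = false;
        Provisioning provisioning = Provisioning.getInstance();
        try {
            tokenCheckEnabled = provisioning.getConfig().isCsrfTokenCheckEnabled();
            refererCheckEnabled = provisioning.getConfig().isCsrfRefererCheckEnabled();
        } catch (ServiceException e) {
            // NOTE(review): a config read failure leaves both checks disabled for this request
            // (fail-open). Kept as shipped; confirm whether rejecting the request is preferable.
            ZimbraLog.misc.info("Error in CSRF filter. " + e.getMessage(), e);
        }

        if (ZimbraLog.misc.isDebugEnabled()) {
            ZimbraLog.misc.debug("CSRF filter settings for request: CSRFcheck enabled: " + tokenCheckEnabled
                    + ", CSRF referer check enabled: " + refererCheckEnabled
                    + ", CSRFAllowedRefHost: [" + describeAllowedHosts() + "]"
                    + ", CSRFTokenValidity " + maxCsrfTokenValidityInMs + "ms.");
        }
        if (ZimbraLog.misc.isTraceEnabled()) {
            traceRequestHeaders(request);
        }

        if (refererCheckEnabled && !allowReqBasedOnRefererHeaderCheck(request)) {
            ZimbraLog.misc.info("CSRF referer check failed");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        if (tokenCheckEnabled) {
            request.setAttribute(CSRF_TOKEN_CHECK_ENABLED_ATTR, Boolean.TRUE);
            // true when the token check applies to this request (see the log line below) — confirm against CsrfUtil.
            boolean checkApplies = CsrfUtil.doCsrfCheck(request, CsrfUtil.getAuthTokenFromReq(request));
            request.setAttribute(CSRF_TOKEN_CHECK, Boolean.valueOf(checkApplies));
            if (!checkApplies) {
                ZimbraLog.misc.debug("CSRF check will not be done for URI : %s", request.getRequestURI());
            }
        } else {
            request.setAttribute(CSRF_TOKEN_CHECK, Boolean.FALSE);
        }
        filterChain.doFilter(request, response);

        // NOTE(review): this context is created after the chain has finished and is unset in the
        // same try/finally, so nothing downstream can observe it. Kept as shipped; confirm whether
        // it was meant to wrap filterChain.doFilter().
        try {
            RequestContext requestContext = new RequestContext();
            requestContext.setVirtualHost(CsrfUtil.getRequestHost(request));
            ZThreadLocal.setContext(requestContext);
        } finally {
            ZThreadLocal.unset();
        }
    }

    /**
     * Splits a delimited string into lower-cased entries.
     *
     * @param str entries separated by {@link FileUploadServlet#UPLOAD_DELIMITER}
     * @return a fixed-size list of lower-cased entries, or {@code null} when {@code str}
     *         is null or empty (kept for compatibility with existing callers)
     */
    protected static List<String> convertToList(String str) {
        if (StringUtil.isNullOrEmpty(str)) {
            return null;
        }
        String[] parts = str.split(FileUploadServlet.UPLOAD_DELIMITER);
        for (int i = 0; i < parts.length; i++) {
            // Locale.ROOT so the result does not depend on the JVM default locale.
            parts[i] = parts[i].toLowerCase(Locale.ROOT);
        }
        return Arrays.asList(parts);
    }

    /**
     * Referer-based check against the configured host list.
     *
     * @return {@code true} when the request is allowed; {@code false} when it looks like a
     *         CSRF request or the referer URL cannot be parsed (fail-closed)
     */
    private boolean allowReqBasedOnRefererHeaderCheck(HttpServletRequest request) {
        try {
            return !CsrfUtil.isCsrfRequestBasedOnReferrer(request, allowedRefHosts);
        } catch (MalformedURLException e) {
            ZimbraLog.misc.info("Error while doing referer based check. " + e.getMessage());
            return false;
        }
    }

    /** Trace-logs request headers, skipping those that carry credentials. */
    private static void traceRequestHeaders(HttpServletRequest request) {
        ZimbraLog.misc.trace("Soap request headers.");
        Enumeration<?> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = (String) headerNames.nextElement();
            if (!isSensitiveHeader(name)) {
                ZimbraLog.misc.trace(name + LdapConstants.FILTER_TYPE_EQUAL + request.getHeader(name));
            }
        }
    }

    /** Cookie, Set-Cookie and Authorization headers must never reach the log. */
    private static boolean isSensitiveHeader(String name) {
        String lower = name.toLowerCase(Locale.ROOT);
        return lower.contains("cookie") || lower.contains("authorization");
    }

    /** Null-safe rendering of the allowed referer hosts for log lines. */
    private String describeAllowedHosts() {
        return allowedRefHosts == null ? "" : Joiner.on(", ").join(allowedRefHosts);
    }
}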
