package org.eclipse.krazo.security;

import jakarta.annotation.Priority;
import jakarta.inject.Inject;
import jakarta.mvc.Controller;
import jakarta.mvc.security.CsrfProtected;
import jakarta.mvc.security.CsrfValidationException;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.PATCH;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.MediaType;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import org.eclipse.krazo.KrazoConfig;
import org.eclipse.krazo.core.Messages;
import org.eclipse.krazo.util.AnnotationUtils;
import org.eclipse.krazo.util.ServiceLoaders;

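/**
 * Request filter that enforces CSRF protection on state-changing controller methods.
 *
 * <p>A request targeting a resource method annotated with {@code @POST}, {@code @PUT},
 * {@code @PATCH} or {@code @DELETE} is validated according to
 * {@link KrazoConfig#getCsrfOptions()}: never for {@code OFF}, always for
 * {@code IMPLICIT}, and only when the method or its declaring class carries
 * {@link CsrfProtected} for {@code EXPLICIT}.
 *
 * <p>The token issued by {@link CsrfTokenManager} must be echoed back by the client,
 * either in the configured request header or — for
 * {@code application/x-www-form-urlencoded} bodies — in the configured form field.
 * Any other outcome is reported as a {@link CsrfValidationException}.
 */
@Controller
@Priority(3000)
public class CsrfValidateFilter implements ContainerRequestFilter {

    @Inject
    private CsrfTokenManager csrfTokenManager;

    @Inject
    private KrazoConfig krazoConfig;

    @Context
    private ResourceInfo resourceInfo;

    @Inject
    private Messages messages;

    // First provider found on the classpath wins; a missing provider fails at construction time.
    private final FormEntityProvider formEntityProvider = ServiceLoaders.list(FormEntityProvider.class).get(0);

    /**
     * Validates the CSRF token of the incoming request when the target method requires it.
     *
     * <p>The header is checked first; a matching header accepts the request without
     * touching the entity. Otherwise the entity must be a form-encoded body containing
     * the token in the configured parameter.
     *
     * @param containerRequestContext the request being filtered
     * @throws CsrfValidationException if validation is required and no token is available,
     *     the entity cannot be inspected, the form field is absent, or the tokens differ
     * @throws IOException declared by {@link ContainerRequestFilter#filter}
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (!needsValidation(this.resourceInfo.getResourceMethod())) {
            return;
        }
        CsrfToken token = this.csrfTokenManager.getToken()
            .orElseThrow(() -> new CsrfValidationException(this.messages.get("CsrfFailed", "missing token")));

        // A token in the request header is sufficient; the body is not consulted.
        String headerValue = containerRequestContext.getHeaders().getFirst(token.getHeaderName());
        if (tokensMatch(token.getValue(), headerValue)) {
            return;
        }

        // Fallback: the token must be in the form body, which requires a parseable form entity.
        MediaType mediaType = containerRequestContext.getMediaType();
        if (!isSupportedMediaType(mediaType) || !containerRequestContext.hasEntity()) {
            throw new CsrfValidationException(this.messages.get("UnableValidateCsrf", mediaType));
        }
        List<String> fieldValues = this.formEntityProvider.getForm(containerRequestContext)
            .asMap()
            .get(token.getParamName());
        if (fieldValues == null || fieldValues.isEmpty()) {
            throw new CsrfValidationException(this.messages.get("CsrfFailed", "missing field"));
        }
        // Only the first occurrence of the parameter is considered.
        if (!tokensMatch(token.getValue(), fieldValues.get(0))) {
            throw new CsrfValidationException(this.messages.get("CsrfFailed", "mismatching tokens"));
        }
    }

    /**
     * Tells whether the request body can be inspected for the CSRF form field.
     *
     * @param mediaType the request media type, possibly {@code null}
     * @return {@code true} if the type is compatible with {@code application/x-www-form-urlencoded}
     */
    protected static boolean isSupportedMediaType(MediaType mediaType) {
        return mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
    }

    /**
     * Compares a client-supplied token candidate with the expected token value.
     *
     * <p>Uses {@link MessageDigest#isEqual(byte[], byte[])} instead of {@link String#equals}
     * so that the comparison time does not depend on how many leading characters match;
     * the candidate comes straight from the request. The length of the candidate is still
     * observable, which is acceptable for tokens of a fixed, public length.
     *
     * @param expected the token value issued by the server; {@code null} never matches
     * @param candidate the value taken from the header or form field; {@code null} never matches
     * @return {@code true} if both are non-null and identical byte-for-byte in UTF-8
     */
    static boolean tokensMatch(String expected, String candidate) {
        if (expected == null || candidate == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            candidate.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Decides whether the resolved resource method must pass CSRF validation.
     *
     * @param method the matched resource method, or {@code null} if none was resolved
     * @return {@code true} if the method performs write access and the configured
     *     CSRF mode requires validation for it
     */
    private boolean needsValidation(Method method) {
        if (method == null || !performsWriteAccess(method)) {
            return false;
        }
        switch (this.krazoConfig.getCsrfOptions()) {
            case OFF:
                return false;
            case IMPLICIT:
                return true;
            case EXPLICIT:
                // Opt-in mode: the method itself or its class must be marked.
                return AnnotationUtils.hasAnnotation(method, CsrfProtected.class)
                    || AnnotationUtils.hasAnnotation(method.getDeclaringClass(), CsrfProtected.class);
            default:
                // Unknown mode: treat as no validation, matching OFF.
                return false;
        }
    }

    /**
     * Tells whether the method is mapped to an HTTP verb that changes server state.
     *
     * @param method the resource method to inspect
     * @return {@code true} for {@code @POST}, {@code @PATCH}, {@code @PUT} or {@code @DELETE}
     */
    private boolean performsWriteAccess(Method method) {
        return AnnotationUtils.hasAnnotation(method, POST.class)
            || AnnotationUtils.hasAnnotation(method, PATCH.class)
            || AnnotationUtils.hasAnnotation(method, PUT.class)
            || AnnotationUtils.hasAnnotation(method, DELETE.class);
    }
}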
