package io.confluent.rest.filters;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import io.confluent.rest.RestConfig;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.BadRequestException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rest/filters/CsrfTokenProtectionFilter.class */
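/**
 * Servlet filter implementing a two-header CSRF token check.
 *
 * <p>Two request headers take part. {@link Headers#REQUESTED_BY} carries a requester identifier
 * (the error text calls it a user session identifier); it is taken verbatim from the request and
 * is the key under which a token is cached. {@link Headers#REQUESTED_WITH} carries the token the
 * client previously obtained. Tokens are random UUIDs created lazily per requester and retained
 * for {@code csrfTokenExpiration} minutes after creation in a cache bounded to
 * {@code csrfTokenMaxEntries} entries.
 *
 * <p>{@link #doFilter} behaves as follows:
 * <ul>
 *   <li>For any method other than GET, OPTIONS and HEAD both headers must be present and the
 *       presented token must equal the cached token for that requester (compared in constant
 *       time); otherwise a {@link BadRequestException} is thrown. A requester whose token has
 *       expired or was never issued is rejected, not silently issued a new token.</li>
 *   <li>A request whose URI equals {@code csrfTokenEndpoint} must carry
 *       {@link Headers#REQUESTED_BY}; the (possibly freshly created) token for that requester is
 *       written to the {@link Headers#CSRF_TOKEN} response header and the filter chain is not
 *       continued.</li>
 *   <li>Every other request is passed down the chain unchanged.</li>
 * </ul>
 *
 * <p>NOTE(review): the requester identifier is not authenticated by this filter, so the scheme
 * presumably relies on custom headers not being settable cross-origin rather than on the
 * identifier being secret — confirm against the deployment's CORS configuration.
 */
public class CsrfTokenProtectionFilter implements Filter {
    private static final Logger log = LoggerFactory.getLogger(CsrfTokenProtectionFilter.class);
    public static final String INVALID_TOKEN_MESSAGE = "Invalid CSRF token in request header X-Requested-With";
    public static final String MISSING_TOKEN_MESSAGE = "Missing CSRF token in request header X-Requested-With";
    public static final String MISSING_REQUESTER_MESSAGE = "Missing user session identifier in request header X-Requested-By";
    /** HTTP methods for which the token check in {@link #doFilter} is skipped. */
    private static final Set<String> METHODS_TO_IGNORE;
    private String csrfTokenEndpoint = RestConfig.CSRF_PREVENTION_TOKEN_FETCH_ENDPOINT_DEFAULT;
    /** Token lifetime in minutes after creation. */
    private int csrfTokenExpiration = 30;
    private int csrfTokenMaxEntries = RestConfig.CSRF_PREVENTION_TOKEN_MAX_ENTRIES_DEFAULT;
    /** Token cache keyed by requester identifier; created in {@link #init}, so null before that. */
    private LoadingCache<String, String> tokenSupplier;

    static {
        Set<String> safeMethods = new HashSet<>();
        safeMethods.add("GET");
        safeMethods.add("OPTIONS");
        safeMethods.add("HEAD");
        METHODS_TO_IGNORE = Collections.unmodifiableSet(safeMethods);
    }

    /** Names of the request and response headers this filter reads and writes. */
    public static class Headers {
        /** Request header carrying the CSRF token to be validated. */
        public static final String REQUESTED_WITH = "X-Requested-With";
        /** Request header carrying the requester identifier that keys the token cache. */
        public static final String REQUESTED_BY = "X-Requested-By";
        /** Response header on which the token endpoint returns the requester's token. */
        public static final String CSRF_TOKEN = "X-CONFLUENT-CSRF-TOKEN";
    }

    /**
     * Reads the optional init parameters and builds the token cache.
     *
     * <p>Recognised parameters, each falling back to the field default when absent:
     * {@code RestConfig.CSRF_PREVENTION_TOKEN_FETCH_ENDPOINT},
     * {@code RestConfig.CSRF_PREVENTION_TOKEN_EXPIRATION_MINUTES} and
     * {@code RestConfig.CSRF_PREVENTION_TOKEN_MAX_ENTRIES}.
     *
     * @param filterConfig container-supplied filter configuration
     * @throws NumberFormatException if the expiration or max-entries parameter is not an integer
     * @throws ServletException declared by {@link Filter#init}; not thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String endpoint = filterConfig.getInitParameter(RestConfig.CSRF_PREVENTION_TOKEN_FETCH_ENDPOINT);
        if (endpoint != null) {
            this.csrfTokenEndpoint = endpoint;
        }
        String expirationMinutes = filterConfig.getInitParameter(RestConfig.CSRF_PREVENTION_TOKEN_EXPIRATION_MINUTES);
        if (expirationMinutes != null) {
            this.csrfTokenExpiration = Integer.parseInt(expirationMinutes);
        }
        String maxEntries = filterConfig.getInitParameter(RestConfig.CSRF_PREVENTION_TOKEN_MAX_ENTRIES);
        if (maxEntries != null) {
            this.csrfTokenMaxEntries = Integer.parseInt(maxEntries);
        }
        // Each requester identifier lazily receives a fresh random token. Entries drop out
        // csrfTokenExpiration minutes after creation, after which the requester must fetch a new
        // token from csrfTokenEndpoint; maximumSize bounds memory held for client-chosen keys.
        this.tokenSupplier = CacheBuilder.newBuilder()
                .expireAfterWrite(this.csrfTokenExpiration, TimeUnit.MINUTES)
                .maximumSize(this.csrfTokenMaxEntries)
                .build(new CacheLoader<String, String>() {
                    @Override
                    public String load(String requester) {
                        return UUID.randomUUID().toString();
                    }
                });
    }

    /**
     * Validates the CSRF headers on state-changing requests and serves the token endpoint.
     *
     * @param servletRequest incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain rest of the chain, invoked unless the request targets the token endpoint
     * @throws BadRequestException when a required header is missing or the token does not match
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String requester = request.getHeader(Headers.REQUESTED_BY);
        String presentedToken = request.getHeader(Headers.REQUESTED_WITH);

        if (!METHODS_TO_IGNORE.contains(request.getMethod())) {
            requirePresent(requester, MISSING_REQUESTER_MESSAGE);
            requirePresent(presentedToken, MISSING_TOKEN_MESSAGE);
            // getIfPresent never creates a token: an unknown or expired requester is rejected
            // instead of being handed a token that would trivially match.
            String expectedToken = this.tokenSupplier.getIfPresent(requester);
            if (!tokensMatch(expectedToken, presentedToken)) {
                log.error("(Cross site request forgery): {}", INVALID_TOKEN_MESSAGE);
                throw new BadRequestException(INVALID_TOKEN_MESSAGE);
            }
        }

        if (!this.csrfTokenEndpoint.equals(request.getRequestURI())) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        log.debug("(Cross site request forgery): Handling request for CSRF token {}", this.csrfTokenEndpoint);
        // Re-checked here because GET (the usual way to fetch a token) skips the block above.
        requirePresent(requester, MISSING_REQUESTER_MESSAGE);
        log.debug("(Cross site request forgery): Setting CSRF token on {}", this.csrfTokenEndpoint);
        // getUnchecked creates the token on first use; the chain is not continued for this URI.
        response.setHeader(Headers.CSRF_TOKEN, this.tokenSupplier.getUnchecked(requester));
    }

    /** Logs and rejects the request when a required header value is null or empty. */
    private static void requirePresent(String value, String message) {
        if (Strings.isNullOrEmpty(value)) {
            log.error("(Cross site request forgery): {}", message);
            throw new BadRequestException(message);
        }
    }

    /**
     * Compares the cached token with the presented one without short-circuiting on the first
     * differing byte, so response time does not leak how much of the token was correct.
     * A null or empty cached token never matches. Length mismatches still return early, which is
     * acceptable because tokens are fixed-length UUID strings.
     *
     * @param expected token from the cache, possibly null when none is issued or it expired
     * @param presented token from the request header, possibly null
     * @return {@code true} only when both are present and byte-for-byte equal
     */
    private static boolean tokensMatch(String expected, String presented) {
        if (Strings.isNullOrEmpty(expected) || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Nothing to release: the token cache is garbage-collected with the filter. */
    @Override
    public void destroy() {
    }

    /** @return the request URI at which tokens are issued. */
    @VisibleForTesting
    String getCsrfTokenEndpoint() {
        return this.csrfTokenEndpoint;
    }

    /** @return configured token lifetime in minutes. */
    @VisibleForTesting
    int getCsrfTokenExpiration() {
        return this.csrfTokenExpiration;
    }

    /** @return configured upper bound on cached tokens. */
    @VisibleForTesting
    int getCsrfTokenMaxEntries() {
        return this.csrfTokenMaxEntries;
    }
}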
