package com.hypersocket.session.json;

import com.hypersocket.auth.json.UnauthorizedException;
import com.hypersocket.config.ConfigurationService;
import com.hypersocket.config.SystemConfigurationService;
import com.hypersocket.permissions.AccessDeniedException;
import com.hypersocket.properties.ResourceUtils;
import com.hypersocket.realm.Principal;
import com.hypersocket.realm.Realm;
import com.hypersocket.realm.RealmService;
import com.hypersocket.session.Session;
import com.hypersocket.session.SessionResourceToken;
import com.hypersocket.session.SessionService;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

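/**
 * Resolves the authenticated {@link Session} bound to an HTTP request, enforces the CSRF
 * ("same-site") check on it, and issues the API-session, CSRF-token and locale cookies.
 *
 * <p>A session can reach a request through four carriers, consulted in this order: the
 * {@code apikey} request parameter, the {@code HYPERSOCKET_API_SESSION} header, the
 * {@code authenticatedSession} attribute on the request or on the HTTP session, and the
 * {@code HYPERSOCKET_API_SESSION} cookie. A candidate is accepted only when
 * {@code sessionService.isLoggedOn} still reports it as live.
 *
 * <p>The class holds no state of its own beyond the injected collaborators; the public
 * static {@link #COOKIE_SAME_SITE_DEFAULT} is a writable field kept for compatibility.
 */
@Component
public class SessionUtils {
    /** SameSite value used when {@code -Dhypersocket.cookie.sameSite} is not set. */
    public static String COOKIE_SAME_SITE_DEFAULT = "Lax";
    static Logger log = LoggerFactory.getLogger(SessionUtils.class);
    /** When {@code -Dhypersocket.csrfDebugRequests=true}, a failed CSRF check dumps the request. */
    static boolean debugCSRF = "true".equals(System.getProperty("hypersocket.csrfDebugRequests"));
    public static final String AUTHENTICATED_SESSION = "authenticatedSession";
    public static final String HYPERSOCKET_API_SESSION = "HYPERSOCKET_API_SESSION";
    public static final String HYPERSOCKET_CSRF_TOKEN = "HYPERSOCKET_CSRF_TOKEN";
    public static final String HYPERSOCKET_API_KEY = "apikey";
    public static final String USER_LOCALE = "userLocale";
    public static final String HYPERSOCKET_LOCALE = "HYPERSOCKET_LOCALE";
    public static final String HYPERSOCKET_REBUILD_I18N = "rebuildI18N";

    /** System property selecting the SameSite attribute for every cookie issued here. */
    private static final String SAME_SITE_PROPERTY = "hypersocket.cookie.sameSite";
    /** Replacement for credential values in the CSRF debug dump. */
    private static final String REDACTED = "<redacted>";

    @Autowired
    private SessionService sessionService;

    @Autowired
    private ConfigurationService configurationService;

    @Autowired
    private SystemConfigurationService systemConfigurationService;

    @Autowired
    private RealmService realmService;

    /**
     * Returns the live session attached to the request, or {@code null} when none of the
     * carriers holds a session that {@code sessionService} still reports as logged on.
     *
     * @param httpServletRequest the inbound request
     * @return the active session, or {@code null}
     */
    public Session getActiveSession(HttpServletRequest httpServletRequest) {
        Session viaCredential = sessionFromApiCredential(httpServletRequest);
        if (viaCredential != null) {
            return viaCredential;
        }
        Session viaRequestAttribute = liveSession(httpServletRequest.getAttribute(AUTHENTICATED_SESSION));
        if (viaRequestAttribute != null) {
            return viaRequestAttribute;
        }
        if (Objects.nonNull(httpServletRequest.getSession())) {
            Session viaHttpSession = liveSession(httpServletRequest.getSession().getAttribute(AUTHENTICATED_SESSION));
            if (viaHttpSession != null) {
                return viaHttpSession;
            }
        }
        return sessionFromCookie(httpServletRequest);
    }

    /**
     * Looks up the session named by the {@code apikey} parameter or, failing that, by the
     * {@code HYPERSOCKET_API_SESSION} header. The parameter wins even when both are present.
     */
    private Session sessionFromApiCredential(HttpServletRequest request) {
        String credential = null;
        if (request.getParameterMap().containsKey(HYPERSOCKET_API_KEY)) {
            credential = request.getParameter(HYPERSOCKET_API_KEY);
        } else if (request.getHeader(HYPERSOCKET_API_SESSION) != null) {
            credential = request.getHeader(HYPERSOCKET_API_SESSION);
        }
        return credential == null ? null : liveSession(this.sessionService.getSession(credential));
    }

    /**
     * Looks up the session named by the first live {@code HYPERSOCKET_API_SESSION} cookie.
     * {@code getCookies()} returns {@code null} when the request carries no Cookie header at all.
     */
    private Session sessionFromCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (HYPERSOCKET_API_SESSION.equals(cookie.getName())) {
                Session candidate = liveSession(this.sessionService.getSession(cookie.getValue()));
                if (candidate != null) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Narrows an attribute or lookup result to a live {@link Session}; {@code null}, a foreign
     * type, or a session no longer logged on all yield {@code null}.
     */
    private Session liveSession(Object candidate) {
        if (!(candidate instanceof Session)) {
            return null;
        }
        Session session = (Session) candidate;
        // The second argument is false on every read path and true in touchSession; presumably it
        // controls whether the check also refreshes the session's activity timestamp — confirm.
        return this.sessionService.isLoggedOn(session, false) ? session : null;
    }

    /** Same as {@link #getActiveSession} but fails instead of returning {@code null}. */
    private Session requireActiveSession(HttpServletRequest request) throws UnauthorizedException {
        Session session = getActiveSession(request);
        if (session == null) {
            throw new UnauthorizedException();
        }
        return session;
    }

    /**
     * Returns the realm of the request's active session.
     *
     * @throws UnauthorizedException when no live session is attached to the request
     */
    public Realm getCurrentRealm(HttpServletRequest httpServletRequest) throws UnauthorizedException {
        return requireActiveSession(httpServletRequest).getCurrentRealm();
    }

    /**
     * Returns the realm of the request's active session, or the realm mapped to the request's
     * host name when there is no session. Used by the origin checks, which may run before login.
     */
    public Realm getCurrentRealmOrDefault(HttpServletRequest httpServletRequest) {
        Session activeSession = getActiveSession(httpServletRequest);
        if (activeSession != null) {
            return activeSession.getCurrentRealm();
        }
        return this.realmService.getRealmByHost(httpServletRequest.getServerName());
    }

    /**
     * Returns the principal of the request's active session.
     *
     * @throws UnauthorizedException when no live session is attached to the request
     */
    public Principal getPrincipal(HttpServletRequest httpServletRequest) throws UnauthorizedException {
        return requireActiveSession(httpServletRequest).getCurrentPrincipal();
    }

    /** {@link #touchSession(HttpServletRequest, HttpServletResponse, boolean)} with the CSRF check enabled. */
    public Session touchSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws UnauthorizedException, SessionTimeoutException, AccessDeniedException {
        return touchSession(httpServletRequest, httpServletResponse, true);
    }

    /**
     * Resolves the request's session, optionally enforces the CSRF check, and re-binds the session
     * to the request, the HTTP session and the response cookies.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response that receives refreshed session cookies
     * @param z                   when {@code true}, the CSRF token check is enforced
     * @return the session now bound to the request
     * @throws UnauthorizedException   when no session is attached, a session cached on the HTTP
     *                                 session is no longer logged on, or the CSRF check fails
     * @throws SessionTimeoutException when a freshly resolved session is no longer logged on
     * @throws AccessDeniedException   declared by the CSRF check
     */
    public Session touchSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws UnauthorizedException, SessionTimeoutException, AccessDeniedException {
        Object cached = httpServletRequest.getSession().getAttribute(AUTHENTICATED_SESSION);
        Session session;
        if (cached == null) {
            if (log.isDebugEnabled()) {
                log.debug("Session object not attached to HTTP session");
            }
            session = getActiveSession(httpServletRequest);
            if (session == null) {
                if (log.isDebugEnabled()) {
                    log.debug("No session attached to request");
                }
                throw new UnauthorizedException();
            }
            if (!this.sessionService.isLoggedOn(session, true)) {
                throw new SessionTimeoutException();
            }
        } else {
            session = (Session) cached;
            // A stale cached session is reported as Unauthorized, not SessionTimeout, unlike the
            // branch above. Kept as-is because callers may rely on the distinction.
            if (!this.sessionService.isLoggedOn(session, true)) {
                throw new UnauthorizedException();
            }
        }
        if (z) {
            verifySameSiteRequest(httpServletRequest, session);
        }
        bindSession(httpServletRequest, httpServletResponse, session);
        return session;
    }

    /** Attaches the session to the request, the HTTP session and the response cookies. */
    private void bindSession(HttpServletRequest request, HttpServletResponse response, Session session) {
        request.setAttribute(AUTHENTICATED_SESSION, session);
        request.getSession().setAttribute(AUTHENTICATED_SESSION, session);
        addAPISession(request, response, session);
    }

    /**
     * Returns the request's active session.
     *
     * @throws UnauthorizedException when no live session is attached to the request
     * @throws SessionTimeoutException retained in the signature for compatibility; not thrown here
     */
    public Session getSession(HttpServletRequest httpServletRequest) throws UnauthorizedException, SessionTimeoutException {
        return requireActiveSession(httpServletRequest);
    }

    /**
     * Enforces the CSRF token when protection is enabled and the request is not a whitelisted
     * cross-origin request. The token is read from the {@code X-Csrf-Token} header, falling back
     * to the {@code token} parameter, and compared in constant time with the session's token.
     *
     * @throws UnauthorizedException when the token is missing or does not match
     */
    private void verifySameSiteRequest(HttpServletRequest httpServletRequest, Session session) throws AccessDeniedException, UnauthorizedException {
        if (isValidCORSRequest(httpServletRequest)
                || !this.systemConfigurationService.getBooleanValue("security.enableCSRFProtection").booleanValue()) {
            return;
        }
        String presented = httpServletRequest.getHeader("X-Csrf-Token");
        if (presented == null) {
            presented = httpServletRequest.getParameter("token");
        }
        if (presented == null) {
            log.warn(String.format("CSRF token missing from %s", httpServletRequest.getRemoteAddr()));
            debugRequest(httpServletRequest);
            throw new UnauthorizedException();
        }
        if (!tokensMatch(session.getCsrfToken(), presented)) {
            log.warn(String.format("CSRF token mistmatch from %s", httpServletRequest.getRemoteAddr()));
            debugRequest(httpServletRequest);
            throw new UnauthorizedException();
        }
    }

    /**
     * Constant-time token comparison: {@code String.equals} exits at the first differing byte,
     * which leaks the token prefix through response timing. A {@code null} on either side is a
     * mismatch rather than an NPE.
     */
    private static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Logs the request URI, parameters and headers at WARN when {@link #debugCSRF} is set.
     * Credential-bearing values (the API key parameter, Cookie, Authorization and the API session
     * header) are replaced with {@value #REDACTED} so a debug log never stores session secrets.
     */
    protected void debugRequest(HttpServletRequest httpServletRequest) {
        if (!debugCSRF) {
            return;
        }
        log.warn(String.format("The request URI was %s, and contained the following parameters :-", httpServletRequest.getRequestURI()));
        Map<String, String[]> parameters = httpServletRequest.getParameterMap();
        for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
            String shown = HYPERSOCKET_API_KEY.equals(entry.getKey()) ? REDACTED : String.join(",", entry.getValue());
            log.warn(String.format("  %s = %s", entry.getKey(), shown));
        }
        log.warn("And the following headers :-");
        Enumeration<String> headerNames = httpServletRequest.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String name = headerNames.nextElement();
            String shown = isCredentialHeader(name) ? REDACTED : httpServletRequest.getHeader(name);
            log.warn(String.format("  %s = %s", name, shown));
        }
    }

    /** Headers whose values are credentials and must not appear in the debug dump. */
    private static boolean isCredentialHeader(String name) {
        return "Cookie".equalsIgnoreCase(name)
                || "Authorization".equalsIgnoreCase(name)
                || HYPERSOCKET_API_SESSION.equalsIgnoreCase(name);
    }

    /**
     * Decides whether the request's {@code Origin} is an allowed cross-origin caller. A request
     * that passes here is exempt from the CSRF token check in {@code verifySameSiteRequest}.
     *
     * @return {@code false} without an {@code Origin} header; otherwise whether the origin is the
     *         built-in browser-extension origin, any {@code moz-extension://} origin, or one of
     *         the realm's configured {@code cors.origins} when {@code cors.enabled} is set
     */
    public boolean isValidCORSRequest(HttpServletRequest httpServletRequest) {
        Realm realm = getCurrentRealmOrDefault(httpServletRequest);
        String origin = httpServletRequest.getHeader("Origin");
        if (Objects.isNull(origin)) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("CORS request for origin {}", origin);
        }
        // NOTE(review): this prefix match trusts every Firefox extension origin, and an accepted
        // origin bypasses the CSRF token check. Kept for compatibility (Firefox extension ids are
        // per-install), but it deserves a narrower rule if the extension can identify itself.
        if (origin.startsWith("moz-extension://")) {
            return true;
        }
        Set<String> allowed = new HashSet<>();
        allowed.add("chrome-extension://nbdlpjacpjcngebcjapombjkmjbjnpbc");
        allowed.add("moz-extension://93d8c2f2-e17c-7d4b-9177-a45d2650c23b");
        if (this.configurationService.getBooleanValue(realm, "cors.enabled").booleanValue()) {
            allowed.addAll(ResourceUtils.explodeCollectionValues(this.configurationService.getValue(realm, "cors.origins")));
        }
        boolean accepted = allowed.contains(origin);
        if (log.isDebugEnabled()) {
            log.debug(accepted ? "CORS request SUCCEEDED for origin {}" : "CORS request FAILED origin {}", origin);
        }
        return accepted;
    }

    /**
     * Decides whether the request's {@code Origin} may open a websocket.
     *
     * @return {@code false} without an {@code Origin} header; {@code true} for any origin when
     *         {@code websocket.enabled} is off for the realm (origin filtering disabled);
     *         otherwise whether the origin is listed in {@code websocket.origins}
     */
    public boolean isValidWebsocketRequest(HttpServletRequest httpServletRequest) {
        Realm realm = getCurrentRealmOrDefault(httpServletRequest);
        String origin = httpServletRequest.getHeader("Origin");
        if (Objects.isNull(origin)) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Websocket request for origin {}", origin);
        }
        if (!this.configurationService.getBooleanValue(realm, "websocket.enabled").booleanValue()) {
            return true;
        }
        Set<String> allowed = new HashSet<>();
        allowed.addAll(ResourceUtils.explodeCollectionValues(this.configurationService.getValue(realm, "websocket.origins")));
        return allowed.contains(origin);
    }

    /**
     * Cookie max-age for a session: the session timeout scaled by 60 (the timeout is presumably in
     * minutes — confirm against {@code Session.getTimeout}), saturating at {@link Integer#MAX_VALUE}
     * instead of overflowing; a non-positive timeout means "no expiry".
     */
    public int calccSessionTimeoutSeconds(Session session) {
        int timeout = session.getTimeout();
        if (timeout <= 0) {
            return Integer.MAX_VALUE;
        }
        return (int) Math.min(60L * timeout, Integer.MAX_VALUE);
    }

    /**
     * Adds the two session cookies to the response: the session id (HttpOnly, unreadable by
     * script) and the CSRF token (deliberately script-readable so the client can echo it in the
     * {@code X-Csrf-Token} header).
     */
    public void addAPISession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Session session) {
        int maxAge = calccSessionTimeoutSeconds(session);
        httpServletResponse.addCookie(newCookie(httpServletRequest, HYPERSOCKET_API_SESSION, session.getId(), maxAge, true));
        httpServletResponse.addCookie(newCookie(httpServletRequest, HYPERSOCKET_CSRF_TOKEN, session.getCsrfToken(), maxAge, false));
    }

    /**
     * Builds a cookie with the attributes every cookie issued by this class shares.
     *
     * <p>{@code Secure} follows {@code request.isSecure()}. The previous test,
     * {@code getProtocol().equalsIgnoreCase("https")}, could never be true because
     * {@code getProtocol()} returns the protocol/version string (e.g. {@code HTTP/1.1}), so the
     * Secure flag was silently never set. Behind a TLS-terminating proxy {@code isSecure()} is only
     * accurate when the container honours the forwarded-proto header — confirm in deployment.
     */
    private static Cookie newCookie(HttpServletRequest request, String name, String value, int maxAge, boolean httpOnly) {
        Cookie cookie = new Cookie(name, value);
        cookie.setMaxAge(maxAge);
        cookie.setSecure(request.isSecure());
        cookie.setHttpOnly(httpOnly);
        cookie.setPath("/");
        // NOTE(review): an explicit Domain derived from the Host header also scopes the cookie to
        // subdomains; omitting it would bind the cookie to the exact host only.
        cookie.setDomain(request.getServerName());
        String sameSite = System.getProperty(SAME_SITE_PROPERTY, COOKIE_SAME_SITE_DEFAULT);
        if (!sameSite.equalsIgnoreCase("Omit")) {
            // SameSite is smuggled through the Comment attribute; whether the container actually
            // emits it in Set-Cookie depends on the servlet implementation — confirm.
            cookie.setComment("; SameSite=" + sameSite);
        }
        return cookie;
    }

    /**
     * Returns the user's locale from the HTTP session, then the {@code HYPERSOCKET_LOCALE} cookie,
     * then the system default locale.
     *
     * @throws IllegalStateException when the default locale cannot be read
     */
    public Locale getLocale(HttpServletRequest httpServletRequest) {
        Object stored = httpServletRequest.getSession().getAttribute(USER_LOCALE);
        if (stored != null) {
            return new Locale((String) stored);
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                if (HYPERSOCKET_LOCALE.equals(cookie.getName())) {
                    return new Locale(cookie.getValue());
                }
            }
        }
        try {
            return (Locale) this.configurationService.callAsSystemContext(() -> {
                return this.configurationService.getDefaultLocale();
            });
        } catch (Exception e) {
            throw new IllegalStateException("Failed to get default locale.", e);
        }
    }

    /**
     * Stores the locale on the HTTP session (flagging i18n for rebuild) and in a long-lived
     * {@code HYPERSOCKET_LOCALE} cookie.
     *
     * @param str the locale string as accepted by {@link Locale#Locale(String)}
     */
    public void setLocale(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        httpServletRequest.getSession().setAttribute(USER_LOCALE, str);
        httpServletRequest.getSession().setAttribute(HYPERSOCKET_REBUILD_I18N, true);
        httpServletResponse.addCookie(newCookie(httpServletRequest, HYPERSOCKET_LOCALE, str, Integer.MAX_VALUE, true));
    }

    /**
     * Confirms the session is still logged on.
     *
     * @throws SessionTimeoutException when it is not
     */
    public void touchSession(Session session) throws SessionTimeoutException {
        if (!this.sessionService.isLoggedOn(session, true)) {
            throw new SessionTimeoutException();
        }
    }

    /**
     * Exchanges a one-off session resource token for its session, which is then bound to the
     * request like a normal login. The token is only honoured from the remote address the session
     * was created on.
     *
     * @param str the token value
     * @param cls the resource type the token must carry
     * @throws UnauthorizedException when the token is unknown or presented from another address
     */
    public <T> SessionResourceToken<T> authenticateSessionToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, Class<T> cls) throws UnauthorizedException, SessionTimeoutException {
        SessionResourceToken<T> sessionToken = this.sessionService.getSessionToken(str, cls);
        if (sessionToken == null) {
            if (log.isInfoEnabled()) {
                log.info(String.format("Session token %s is invalid", str));
            }
            throw new UnauthorizedException();
        }
        Session tokenSession = sessionToken.getSession();
        // getRemoteAddr() is the peer address; behind a proxy both sides see the proxy, so this
        // binding is only as strong as the deployment's forwarded-address handling — confirm.
        if (!httpServletRequest.getRemoteAddr().equals(tokenSession.getRemoteAddress())) {
            if (log.isInfoEnabled()) {
                log.info(String.format("Session token %s for %s does not belong to %s", str, httpServletRequest.getRemoteAddr(), tokenSession.getRemoteAddress()));
            }
            throw new UnauthorizedException();
        }
        if (log.isInfoEnabled()) {
            log.info(String.format("Session token %s is valid", str));
        }
        bindSession(httpServletRequest, httpServletResponse, tokenSession);
        return sessionToken;
    }

    /** Whether a live session is attached to the request by any carrier. */
    public boolean hasActiveSession(HttpServletRequest httpServletRequest) {
        return getActiveSession(httpServletRequest) != null;
    }
}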
