package io.vertx.ext.web.handler.impl;

import io.vertx.core.logging.Logger;
import io.vertx.core.logging.LoggerFactory;
import io.vertx.ext.web.Cookie;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.CSRFHandler;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Objects;
import java.util.Random;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;

/* loaded from: input_file:io/vertx/ext/web/handler/impl/CSRFHandlerImpl.class */
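/**
 * Double-submit CSRF protection for Vert.x-Web.
 *
 * <p>On {@code GET} a fresh token is generated, exposed to the handler chain under
 * {@code headerName} and sent to the client as a cookie. On state-changing methods
 * ({@code POST}, {@code PUT}, {@code DELETE}, {@code PATCH}) the token presented in the
 * request header (or, failing that, a form attribute of the same name) must equal the
 * cookie value, carry a valid HMAC-SHA256 signature and not be older than {@code timeout}.
 *
 * <p>Token layout: {@code base64(random32) "." epochMillis "." base64(hmac(first two fields))}.
 */
public class CSRFHandlerImpl implements CSRFHandler {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CSRFHandlerImpl.class);
    private static final Base64.Encoder BASE64 = Base64.getMimeEncoder();
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    /** Field separator inside a token; {@link #validateToken} splits on this same character. */
    private static final String SEPARATOR = ".";
    /** Keyed with the secret passed to the constructor. Mac is not thread-safe: see {@link #sign}. */
    private final Mac mac;
    private boolean nagHttps;
    private final Random RAND = new SecureRandom();
    private String cookieName = CSRFHandler.DEFAULT_COOKIE_NAME;
    private String cookiePath = "/";
    private String headerName = CSRFHandler.DEFAULT_HEADER_NAME;
    private String responseBody = DEFAULT_RESPONSE_BODY;
    /** Maximum token age in milliseconds (default 30 minutes). */
    private long timeout = 1800000;

    /**
     * Creates a handler whose tokens are signed with {@code secret}.
     *
     * @param secret HMAC key material; encoded as UTF-8 regardless of the platform charset
     * @throws NullPointerException if {@code secret} is null
     * @throws RuntimeException if HmacSHA256 is unavailable or the key is rejected
     */
    public CSRFHandlerImpl(String secret) {
        Objects.requireNonNull(secret, "secret");
        try {
            this.mac = Mac.getInstance(HMAC_ALGORITHM);
            // Explicit charset: getBytes() without one depends on the JVM default and would
            // derive different key bytes for the same secret on differently configured hosts.
            this.mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_ALGORITHM));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setCookieName(String name) {
        this.cookieName = name;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setCookiePath(String path) {
        this.cookiePath = path;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setHeaderName(String name) {
        this.headerName = name;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setTimeout(long millis) {
        this.timeout = millis;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setNagHttps(boolean nag) {
        this.nagHttps = nag;
        return this;
    }

    @Override // io.vertx.ext.web.handler.CSRFHandler
    public CSRFHandler setResponseBody(String body) {
        this.responseBody = body;
        return this;
    }

    /**
     * Returns the MIME-base64 HMAC of {@code data}.
     *
     * <p>{@link Mac} keeps per-call state and is not thread-safe; a handler registered on a
     * router can be invoked from more than one event-loop thread, so the computation is
     * serialized on the shared instance.
     */
    private String sign(String data) {
        byte[] digest;
        synchronized (this.mac) {
            digest = this.mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        }
        return BASE64.encodeToString(digest);
    }

    /** Builds a new token: 32 random bytes, the current time and the signature over both. */
    private String generateToken() {
        byte[] salt = new byte[32];
        this.RAND.nextBytes(salt);
        String payload = BASE64.encodeToString(salt) + SEPARATOR + Long.toString(System.currentTimeMillis());
        return payload + SEPARATOR + sign(payload);
    }

    /**
     * Checks a presented token against the cookie, its signature and its age.
     *
     * @param candidate value taken from the request header or form attribute; may be null
     * @param cookie the CSRF cookie sent with the request; may be null
     * @return true only if all three checks pass
     */
    private boolean validateToken(String candidate, Cookie cookie) {
        // Double-submit: both values are client-supplied, so a plain equals() leaks nothing.
        if (candidate == null || cookie == null || !candidate.equals(cookie.getValue())) {
            return false;
        }
        String[] parts = candidate.split("\\.");
        if (parts.length != 3) {
            return false;
        }
        // Constant-time comparison: String.equals() returns at the first mismatching
        // character, which would let response timing reveal how much of a forged
        // signature is already correct.
        byte[] expected = sign(parts[0] + SEPARATOR + parts[1]).getBytes(StandardCharsets.UTF_8);
        byte[] presented = parts[2].getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, presented)) {
            return false;
        }
        try {
            // The timestamp is covered by the signature, so it cannot be extended by the client.
            return System.currentTimeMillis() <= Long.parseLong(parts[1]) + this.timeout;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Rejects the request with 403, either ending the response with {@code responseBody}
     * or failing the context so an error handler can render it.
     */
    protected void forbidden(RoutingContext ctx) {
        if (this.responseBody != null) {
            ctx.response().setStatusCode(403).end(this.responseBody);
        } else {
            ctx.fail(new HttpStatusException(403, CSRFHandler.ERROR_MESSAGE));
        }
    }

    @Override // io.vertx.core.Handler
    public void handle(RoutingContext ctx) {
        if (this.nagHttps) {
            String absoluteURI = ctx.request().absoluteURI();
            if (absoluteURI != null && !absoluteURI.startsWith("https:")) {
                log.warn("Using session cookies without https could make you susceptible to session hijacking: " + absoluteURI);
            }
        }
        switch (ctx.request().method()) {
            case GET: {
                String token = generateToken();
                ctx.put(this.headerName, token);
                // NOTE(review): the cookie is issued without Secure/HttpOnly attributes; in a
                // double-submit scheme the client may need to read it, so confirm before changing.
                ctx.addCookie(Cookie.cookie(this.cookieName, token).setPath(this.cookiePath));
                ctx.next();
                return;
            }
            case POST:
            case PUT:
            case DELETE:
            case PATCH: {
                // Header takes precedence; the form attribute is only consulted when absent.
                String header = ctx.request().getHeader(this.headerName);
                String presented = header == null ? ctx.request().getFormAttribute(this.headerName) : header;
                if (validateToken(presented, ctx.getCookie(this.cookieName))) {
                    ctx.next();
                } else {
                    forbidden(ctx);
                }
                return;
            }
            default:
                // Other methods (HEAD, OPTIONS, ...) are treated as safe and passed through.
                ctx.next();
                return;
        }
    }
}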
