package com.atlassian.bamboo.ww2.interceptors;

import com.atlassian.bamboo.configuration.AdministrationConfigurationAccessor;
import com.atlassian.bamboo.security.xsrf.XsrfTokenUtils;
import com.atlassian.bamboo.util.BuildUtils;
import com.atlassian.bamboo.util.RequestCacheThreadLocal;
import com.atlassian.bamboo.util.UrlUtils;
import com.atlassian.bamboo.utils.HttpUtils;
import com.atlassian.http.mime.UserAgentUtil;
import com.atlassian.http.mime.UserAgentUtilImpl;
import com.opensymphony.xwork2.ActionInvocation;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

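/* loaded from: input_file:com/atlassian/bamboo/ww2/interceptors/BambooXsrfTokenInterceptor.class */
/**
 * Interceptor that enforces XSRF (cross-site request forgery) protection on action invocations.
 *
 * <p>On every request the XSRF cookie is looked up or created. Unless XSRF protection is switched off
 * in the administration configuration, a request that may mutate state (by HTTP method, or because the
 * action declares the {@code RequireSecurityToken} parameter as {@code true}) must pass
 * {@link #doesRequestPassXsrfChecks}; a failure is logged at WARN and the invocation is rejected with an
 * {@link IllegalArgumentException} whose message carries one of the {@code XSRF_FAILURE_*} reason codes.
 *
 * <p>The only mutable state is the injected configuration accessor; the check methods read request data
 * only and keep no per-request state on the instance.
 */
@SecurityRelatedInterceptor
public class BambooXsrfTokenInterceptor extends AbstractBambooInterceptor {
    private static final Logger log = Logger.getLogger(BambooXsrfTokenInterceptor.class);

    /** Action parameter that forces ({@code true}) or skips ({@code false}) the check regardless of HTTP method. */
    private static final String REQUIRE_SECURITY_TOKEN_PARAM = "RequireSecurityToken";
    /** Header and value that opt a request out of the cookie/parameter token comparison. */
    private static final String OVERRIDE_HEADER = "X-Atlassian-Token";
    private static final String OVERRIDE_HEADER_VALUE = "no-check";

    // Outcome codes of doesRequestPassXsrfChecks(); the failure codes are echoed in the rejection message.
    public static final String XSRF_FAILURE_NO_REFERRER = "XSRF_FAILURE_NO_REFERRER";
    public static final String XSRF_FAILURE_BAD_REFERRER = "XSRF_FAILURE_BAD_REFERRER";
    public static final String XSRF_FAILURE_BAD_TOKEN = "XSRF_FAILURE_BAD_TOKEN";
    public static final String XSRF_FAILURE_NO_TOKEN_IN_COOKIE = "XSRF_FAILURE_NO_TOKEN_IN_COOKIE";
    public static final String XSRF_FAILURE_NO_TOKEN_IN_PARAMS = "XSRF_FAILURE_NO_TOKEN_IN_PARAMS";
    public static final String XSRF_SUCCESS = "XSRF_SUCCESS";

    // Injected via the setter; may be null, in which case protection is treated as enabled.
    private AdministrationConfigurationAccessor administrationConfigurationAccessor;

    /**
     * Runs the XSRF check for the current request and then continues the invocation.
     *
     * @param actionInvocation the invocation being intercepted
     * @return the result of {@code actionInvocation.invoke()}
     * @throws IllegalArgumentException if the request must carry a valid token and the check fails
     * @throws Exception whatever the downstream invocation throws
     */
    @Override
    public String doIntercept(ActionInvocation actionInvocation) throws Exception {
        HttpServletRequest request = RequestCacheThreadLocal.getNonNullRequest();
        // Done before any exemption check so that every response leaves the client holding an XSRF cookie.
        String cookieToken = XsrfTokenUtils.getOrCreateXsrfCookie(request, RequestCacheThreadLocal.getNonNullResponse());

        // A missing accessor does not disable the check: fail closed, not open.
        if (administrationConfigurationAccessor != null
                && !administrationConfigurationAccessor.getAdministrationConfiguration().isXsrfProtectionEnabled()) {
            return actionInvocation.invoke();
        }

        Boolean actionSetting = getXsrfConfigurationForAction(actionInvocation);
        if (Boolean.FALSE.equals(actionSetting)) {
            // The action explicitly opted out of the token check.
            return actionInvocation.invoke();
        }
        if (Boolean.TRUE.equals(actionSetting) || HttpUtils.canMethodMutateState(request.getMethod())) {
            String outcome = doesRequestPassXsrfChecks(request, cookieToken);
            // Value comparison: the outcome is a String, not a sentinel object, so == would be fragile.
            if (!XSRF_SUCCESS.equals(outcome)) {
                // NOTE(review): the requested session id is written to the WARN log here; confirm that a
                // session identifier is acceptable in log output before relying on this line for auditing.
                log.warn("XSRF token validation failed in session:" + request.getRequestedSessionId() + " due to " + outcome);
                throw new IllegalArgumentException("XSRF Token Validation failed (" + outcome + ").");
            }
            if (BuildUtils.isDevMode() && XsrfTokenUtils.getXsrfTokenSource(request) != null) {
                log.warn("Token for " + request.getRequestURI() + " had to be added by JavaScript fixup code");
            }
        }
        return actionInvocation.invoke();
    }

    /**
     * Reads the action's {@code RequireSecurityToken} configuration parameter.
     *
     * @param actionInvocation the invocation whose action configuration is consulted
     * @return {@code null} when the parameter is absent, otherwise {@link Boolean#valueOf(String)} of its value
     */
    @Nullable
    private Boolean getXsrfConfigurationForAction(ActionInvocation actionInvocation) {
        Object raw = actionInvocation.getProxy().getConfig().getParams().get(REQUIRE_SECURITY_TOKEN_PARAM);
        return raw == null ? null : Boolean.valueOf((String) raw);
    }

    /**
     * Decides whether the request satisfies the XSRF checks.
     *
     * <p>Order of checks:
     * <ol>
     *   <li>For HTTPS requests whose user-agent is recognised as a browser, the {@code Referer} header must
     *       be present and share the request URL's origin.</li>
     *   <li>A request carrying {@code X-Atlassian-Token: no-check} then passes without a token comparison
     *       (presumably relying on cross-site form submissions being unable to set custom headers — confirm
     *       against the deployment's CORS settings).</li>
     *   <li>Otherwise the token from the request parameters must equal the cookie token.</li>
     * </ol>
     *
     * @param httpServletRequest the current request
     * @param cookieToken the token held in the XSRF cookie, or {@code null} if there is none
     * @return {@link #XSRF_SUCCESS} or one of the {@code XSRF_FAILURE_*} codes
     */
    @NotNull
    private String doesRequestPassXsrfChecks(HttpServletRequest httpServletRequest, @Nullable String cookieToken) {
        String referer = httpServletRequest.getHeader("Referer");
        if (httpServletRequest.isSecure() && isABrowserUserAgent(httpServletRequest.getHeader("user-agent"))) {
            if (StringUtils.isBlank(referer)) {
                return XSRF_FAILURE_NO_REFERRER;
            }
            String requestUrl = httpServletRequest.getRequestURL().toString();
            if (!isReferrerInSameOrigin(referer, requestUrl)) {
                if (log.isEnabledFor(Level.WARN)) {
                    // Only the part before '?' of either URL is logged.
                    log.warn(String.format("XSRF isReferrerInSameOrigin check failed in session:%s as the referer %s is not in the same origin as %s .", httpServletRequest.getRequestedSessionId(), StringUtils.substringBefore(referer, "?"), StringUtils.substringBefore(requestUrl, "?")));
                }
                return XSRF_FAILURE_BAD_REFERRER;
            }
        }
        if (isOverrideHeaderPresent(httpServletRequest)) {
            return XSRF_SUCCESS;
        }
        if (cookieToken == null) {
            return XSRF_FAILURE_NO_TOKEN_IN_COOKIE;
        }
        String suppliedToken = XsrfTokenUtils.getTokenFromRequestParameters(httpServletRequest);
        if (suppliedToken == null) {
            return XSRF_FAILURE_NO_TOKEN_IN_PARAMS;
        }
        return tokensMatch(suppliedToken, cookieToken) ? XSRF_SUCCESS : XSRF_FAILURE_BAD_TOKEN;
    }

    /**
     * Compares the attacker-controllable request token with the expected cookie token without
     * short-circuiting on the first differing byte, so response timing does not reveal how much of the
     * expected token a submitted value matched.
     *
     * @param supplied token taken from the request parameters
     * @param expected token taken from the XSRF cookie
     * @return {@code true} if both tokens are byte-for-byte equal in UTF-8
     */
    private static boolean tokensMatch(@NotNull String supplied, @NotNull String expected) {
        return MessageDigest.isEqual(
                supplied.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /** True if the two URLs have the same origin according to {@link UrlUtils#isSameOrigin}. */
    private boolean isReferrerInSameOrigin(String referer, String requestUrl) {
        return UrlUtils.isSameOrigin(UrlUtils.createUrl(referer), UrlUtils.createUrl(requestUrl));
    }

    /**
     * True unless the user-agent maps to {@code BrowserFamily.UKNOWN}; non-browser clients are exempt from
     * the referer check in {@link #doesRequestPassXsrfChecks}.
     */
    private boolean isABrowserUserAgent(String userAgent) {
        return !new UserAgentUtilImpl().getBrowserFamily(userAgent).equals(UserAgentUtil.BrowserFamily.UKNOWN);
    }

    /** True if the request carries {@code X-Atlassian-Token: no-check}. */
    private static boolean isOverrideHeaderPresent(HttpServletRequest httpServletRequest) {
        return OVERRIDE_HEADER_VALUE.equals(httpServletRequest.getHeader(OVERRIDE_HEADER));
    }

    /**
     * Injects the accessor used to read the global "XSRF protection enabled" switch.
     *
     * @param administrationConfigurationAccessor the accessor; when left {@code null} the check is always applied
     */
    public void setAdministrationConfigurationAccessor(AdministrationConfigurationAccessor administrationConfigurationAccessor) {
        this.administrationConfigurationAccessor = administrationConfigurationAccessor;
    }
}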
