package org.kuali.kfs.krad.util;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Objects;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.http.HttpMethod;

/* loaded from: input_file:WEB-INF/lib/kfs-core-2024-01-25.jar:org/kuali/kfs/krad/util/CsrfValidator.class */
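public final class CsrfValidator {
    /** Request parameter that carries the client's copy of the CSRF token. */
    static final String CSRF_PARAMETER = "csrfToken";
    private static final Logger LOG = LogManager.getLogger();
    /** Session attribute under which the server-side CSRF token is kept. */
    private static final String CSRF_SESSION_TOKEN = "csrfSessionToken";

    private CsrfValidator() {
    }

    /**
     * Enforces the synchronizer-token CSRF check for one request.
     *
     * <p>Safe methods (GET, HEAD, OPTIONS) are always allowed; they lazily seed the session
     * token so that later state-changing requests have something to present. Every other
     * method must carry a {@value #CSRF_PARAMETER} parameter equal to the session token.
     *
     * <p>On failure the response status is set to 403 and {@code false} is returned; the
     * caller is expected to stop processing the request in that case.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response, whose status is set to 403 on failure
     * @return {@code true} if the request may proceed, {@code false} if it was rejected
     */
    public static boolean validateCsrf(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String method = httpServletRequest.getMethod();
        if (isSafeMethod(method)) {
            placeSessionToken(httpServletRequest);
            return true;
        }
        String sessionToken = getSessionToken(httpServletRequest);
        if (sessionToken == null) {
            LOG.error("CSRF check failed because no CSRF token has been established on the session");
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        String requestToken = getRequestToken(httpServletRequest);
        if (tokensMatch(requestToken, sessionToken)) {
            return true;
        }
        // Neither token value is logged: the session token is a secret and log sinks are
        // typically less protected than the session store. The URL is enough to triage.
        LOG.error("CSRF check failed, request token {}, requested URL was: {}",
                requestToken == null ? "was missing" : "did not match the session token",
                httpServletRequest.getRequestURL());
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }

    /**
     * Returns the CSRF token bound to the request's session, or {@code null} if there is
     * no session yet or no token has been placed on it. Does not create a session.
     *
     * @param httpServletRequest the incoming request
     * @return the session token, or {@code null}
     */
    public static String getSessionToken(HttpServletRequest httpServletRequest) {
        // getSession(false) avoids allocating a session just to discover it holds no token.
        HttpSession session = httpServletRequest.getSession(false);
        return session == null ? null : (String) session.getAttribute(CSRF_SESSION_TOKEN);
    }

    /**
     * Returns the token the client supplied in the {@value #CSRF_PARAMETER} parameter.
     *
     * @param httpServletRequest the incoming request
     * @return the request token, or {@code null} if the parameter is absent
     */
    public static String getRequestToken(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(CSRF_PARAMETER);
    }

    /** True for the methods that are exempt from the check and seed the session token. */
    private static boolean isSafeMethod(String method) {
        return HttpMethod.GET.matches(method)
                || HttpMethod.HEAD.matches(method)
                || HttpMethod.OPTIONS.matches(method);
    }

    /**
     * Compares the presented token against the session token without an early exit on
     * the first differing byte, so the comparison time does not reveal how much of the
     * token was guessed correctly.
     *
     * @param requestToken token from the request, may be {@code null}
     * @param sessionToken token from the session, must not be {@code null}
     * @return whether the two tokens are equal
     */
    private static boolean tokensMatch(String requestToken, String sessionToken) {
        if (requestToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
                requestToken.getBytes(StandardCharsets.UTF_8),
                sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    /** Creates a session token if the session does not already have one. */
    private static void placeSessionToken(HttpServletRequest httpServletRequest) {
        if (getSessionToken(httpServletRequest) == null) {
            // UUID.randomUUID() is backed by a SecureRandom, so the token is unguessable.
            httpServletRequest.getSession().setAttribute(CSRF_SESSION_TOKEN, UUID.randomUUID().toString());
        }
    }
}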
