package org.kuali.kfs.krad.util;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;

/* loaded from: input_file:WEB-INF/lib/kfs-kns-2017-08-03.jar:org/kuali/kfs/krad/util/CsrfValidator.class */
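public class CsrfValidator {
    private static final Logger LOG = Logger.getLogger(CsrfValidator.class);
    /** Name of the request parameter that must carry the per-session CSRF token. */
    public static final String CSRF_PARAMETER = "csrfToken";
    /** Name of the session attribute under which the CSRF token is stored. */
    public static final String CSRF_SESSION_TOKEN = "csrfSessionToken";

    /**
     * Validates the CSRF token of a request against the one stored on the session.
     *
     * <p>Safe methods (GET, HEAD, OPTIONS) are never rejected; instead they ensure a
     * session token exists so that later state-changing requests can present it. For
     * every other method the {@value #CSRF_PARAMETER} parameter must equal the
     * session token, otherwise the response status is set to 403.
     *
     * @param httpServletRequest  the incoming request (a session is created if absent)
     * @param httpServletResponse the response on which a 403 status is set when the check fails
     * @return {@code true} when the request may proceed, {@code false} when it was rejected
     */
    public static boolean validateCsrf(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (isSafeMethod(httpServletRequest.getMethod())) {
            placeSessionToken(httpServletRequest);
            return true;
        }
        String requestToken = getRequestToken(httpServletRequest);
        String sessionToken = getSessionToken(httpServletRequest);
        if (sessionToken == null) {
            LOG.error("CSRF check failed because no CSRF token has been established on the session");
            httpServletResponse.setStatus(403);
            return false;
        }
        if (tokensMatch(requestToken, sessionToken)) {
            return true;
        }
        // Log the outcome, not the token values: the session token is a secret and
        // the request token may be attacker-controlled; neither belongs in the log.
        LOG.error("CSRF check failed, request token was "
                + (requestToken == null ? "missing" : "present but did not match the session token")
                + ", requested URL was: " + httpServletRequest.getRequestURL());
        httpServletResponse.setStatus(403);
        return false;
    }

    /**
     * Returns the CSRF token stored on the request's session, creating the session if needed.
     *
     * @param httpServletRequest the current request
     * @return the session token, or {@code null} if none has been placed yet
     */
    public static String getSessionToken(HttpServletRequest httpServletRequest) {
        return (String) httpServletRequest.getSession().getAttribute(CSRF_SESSION_TOKEN);
    }

    /**
     * Returns the CSRF token supplied by the client as a request parameter.
     *
     * @param httpServletRequest the current request
     * @return the {@value #CSRF_PARAMETER} parameter value, or {@code null} if absent
     */
    public static String getRequestToken(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(CSRF_PARAMETER);
    }

    /** True for the HTTP methods that are exempt from the check (GET, HEAD, OPTIONS); null-safe. */
    private static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    /**
     * Compares the two tokens without short-circuiting on the first differing byte,
     * so that the comparison time does not reveal how much of the token was correct.
     * Mirrors {@code StringUtils.equals} for the null cases.
     */
    private static boolean tokensMatch(String requestToken, String sessionToken) {
        if (requestToken == null || sessionToken == null) {
            return requestToken == sessionToken;
        }
        return MessageDigest.isEqual(
                requestToken.getBytes(StandardCharsets.UTF_8),
                sessionToken.getBytes(StandardCharsets.UTF_8));
    }

    /** Stores a fresh random token on the session unless one is already present. */
    private static void placeSessionToken(HttpServletRequest httpServletRequest) {
        if (getSessionToken(httpServletRequest) == null) {
            // UUID.randomUUID() is backed by a cryptographically strong RNG.
            httpServletRequest.getSession().setAttribute(CSRF_SESSION_TOKEN, UUID.randomUUID().toString());
        }
    }
}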
