package com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf;

import com.contrastsecurity.agent.commons.Sets;
import com.contrastsecurity.agent.commons.Throwables;
import com.contrastsecurity.agent.http.HttpRequest;
import com.contrastsecurity.agent.http.HttpResponse;
import com.contrastsecurity.agent.http.MultipartItem;
import com.contrastsecurity.agent.messages.finding.trace.PropertyKey;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.HttpWatcher;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ProviderUtil;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.csrf.g;
import com.contrastsecurity.agent.plugins.security.x;
import com.contrastsecurity.agent.t;
import com.contrastsecurity.agent.util.C0488r;
import com.contrastsecurity.agent.util.L;
import com.contrastsecurity.agent.util.SimplePattern;
import com.contrastsecurity.thirdparty.com.contrastsecurity.secobs.semconv.ContrastSemanticAttributes;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.apache.http.HeaderElement;
import com.contrastsecurity.thirdparty.org.apache.http.ParseException;
import com.contrastsecurity.thirdparty.org.apache.http.client.utils.URLEncodedUtils;
import com.contrastsecurity.thirdparty.org.apache.http.message.BasicHeaderValueParser;
import com.contrastsecurity.thirdparty.org.apache.http.protocol.HTTP;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.util.EnumMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.zip.CRC32;

/* compiled from: CSRFWatcher.java */
/* loaded from: input_file:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/csrf/i.class */
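/**
 * CSRF rule watcher (decompiled name {@code i}, originally {@code CSRFWatcher}).
 *
 * <p>Observes each request/response pair and reports a CSRF finding when a request that a
 * browser could have submitted cross-origin from a plain HTML form shows none of the signals
 * this class treats as "already protected". The signals are purely heuristic: a custom
 * {@code X-Requested-With} header, a non-form content type, a non-browser client, a static
 * resource, a GET without parameters, a URL on the configured list, or a parameter whose name
 * and value look like an anti-CSRF token (see {@link #supports(HttpRequest)} and
 * {@link #c(HttpRequest)}). Nothing here verifies that the application actually validates a
 * token it sees, so a token-shaped parameter the server ignores produces a false negative.
 *
 * <p>NOTE(review): {@code a} is plain, non-volatile instance state written from both
 * {@link #supports} and {@link #onResponseEnd}. This presumes one watcher instance per
 * request (or strictly single-threaded use). If an instance were shared across requests, the
 * first ignored request would silence the rule for every later one -- confirm with the
 * provider wiring before relying on it.
 */
public class i implements HttpWatcher {
    /** Once set, this request has been ruled out and every later callback short-circuits. */
    private boolean a = false;
    /** Configured mode: what the URL patterns in {@link #c} mean (idempotent vs. need-protecting). */
    private final g.a b;
    /** URL patterns whose interpretation depends on {@link #b}. */
    private final List<SimplePattern> c;
    private final ProviderUtil d;
    private final x.e e;
    /** Shortest parameter value that {@link #a(String)} will accept as a possible token. */
    private static final int h = 8;
    /** Longest parameter value that {@link #a(String)} will accept as a possible token. */
    private static final int i = 24;
    /** Only these HTTP methods are ever considered by the rule. */
    private static final String[] f = {"GET", "POST"};
    /**
     * Content types a browser sends cross-origin from an HTML form without a CORS preflight.
     * Anything else (e.g. {@code application/json}) requires a preflight and is therefore not
     * treated as a CSRF candidate. Entries are lowercase; compare via {@link #d(String)}.
     */
    private static final Set<String> g = Sets.of(HTTP.PLAIN_TEXT_TYPE, "multipart/form-data", URLEncodedUtils.CONTENT_TYPE);
    private static final Logger j = LoggerFactory.getLogger((Class<?>) i.class);

    /**
     * @param eVar         rule configuration supplying the URL-list mode and the patterns
     * @param providerUtil used to report the finding
     * @param xVar         supplies the request-hash helper used for de-duplication
     */
    @Inject
    public i(e eVar, ProviderUtil providerUtil, x xVar) {
        this.b = eVar.a();
        this.c = eVar.b();
        this.d = providerUtil;
        this.e = xVar.g();
    }

    /**
     * Decides at end of response whether to report the request.
     *
     * <p>Responses with status {@code >= 400} are never reported (the action was rejected).
     * Request properties {@code g.b}/{@code g.c} can also take the request out of play; their
     * exact meaning is not visible here -- presumably flags set earlier by the CSRF sensors.
     *
     * <p>Any failure while reporting is logged (with the exception) and swallowed, so a
     * reporting bug cannot break the instrumented application's response.
     */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.HttpWatcher
    public void onResponseEnd(HttpRequest httpRequest, HttpResponse httpResponse) {
        Map<String, Object> properties = httpRequest.getProperties();
        if (!properties.containsKey(g.c)) {
            this.a = this.a || properties.containsKey(g.b);
        }
        if (this.a) {
            return;
        }
        if (a(httpResponse.getStatus())) {
            this.a = true;
            return;
        }
        if (c(httpRequest) && a.a(httpRequest)) {
            String normalizedUri = httpRequest.getNormalizedUri();
            try {
                a(httpRequest);
            } catch (Exception ex) {
                Throwables.throwIfCritical(ex);
                // Keep the throwable as the last argument so SLF4J attaches the stack trace;
                // the decompiled original logged the watcher itself twice and lost the cause.
                j.error("Problem reporting CSRF rule for {}", normalizedUri, ex);
            }
        }
    }

    /** Request hash for this rule, used by the framework to de-duplicate findings. */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.HttpWatcher
    public long getRuleRequestHash(HttpRequest httpRequest, CRC32 crc32) {
        return this.e.a(crc32, g.a, httpRequest);
    }

    /** Builds the finding properties (the observed actions) and reports the CSRF finding. */
    @t
    void a(HttpRequest httpRequest) {
        String actions = a.c(httpRequest);
        Map<PropertyKey, String> props = new EnumMap<>(PropertyKey.class);
        props.put(PropertyKey.ACTIONS, actions);
        this.d.reportFinding(g.a, props, this.e.a(g.a, httpRequest), true);
    }

    /**
     * True for a GET with no query string. Such requests are treated as plain navigation and
     * ignored; a GET that carries parameters is deliberately still considered, since it may
     * perform a state change.
     */
    boolean b(HttpRequest httpRequest) {
        return "GET".equalsIgnoreCase(httpRequest.getMethod()) && StringUtils.isEmpty(httpRequest.getQueryString());
    }

    /**
     * Returns false when the request appears to already carry an anti-CSRF token.
     *
     * <p>A form or multipart field is taken as a token when its name matches the rule id
     * ({@code g.a}) regardless of value, or when its name matches {@code "token"} and its
     * single value passes {@link #a(String)}. This is a name/shape heuristic only; whether
     * the server validates the value is not checked.
     */
    boolean c(HttpRequest httpRequest) {
        Map<String, String[]> parameters = httpRequest.getParameters();
        if (parameters != null) {
            for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
                String name = entry.getKey();
                if (L.c(name, g.a)) {
                    j.debug("Not considering CSRF because possible token value observed {}", name);
                    return false;
                }
                if (L.c(name, ContrastSemanticAttributes.ContrastAuthenticationMechanismValues.TOKEN)) {
                    String[] values = entry.getValue();
                    if (a(values)) {
                        j.debug("Not considering CSRF because possible token value observed {}={}", name, values[0]);
                        return false;
                    }
                }
            }
        }
        Set<MultipartItem> multipartItems = httpRequest.getMultipartItems();
        if (multipartItems == null) {
            return true;
        }
        for (MultipartItem item : multipartItems) {
            String fieldName = item.getFieldName();
            if (L.c(fieldName, g.a)) {
                j.debug("Not considering CSRF because possible token value observed {}", fieldName);
                return false;
            }
            if (L.c(fieldName, ContrastSemanticAttributes.ContrastAuthenticationMechanismValues.TOKEN)) {
                String value = item.getValue();
                if (a(value)) {
                    j.debug("Not considering CSRF because possible token value observed {}={}", fieldName, value);
                    return false;
                }
            }
        }
        return true;
    }

    /** A multi-valued parameter is never a token; exactly one value is required. */
    boolean a(String[] strArr) {
        if (strArr == null || strArr.length != 1) {
            return false;
        }
        return a(strArr[0]);
    }

    /**
     * Token-shape check: length within [{@value #h}, {@value #i}] and accepted by
     * {@code L.c(String)} -- presumably a character-class/randomness test; confirm in L.
     */
    boolean a(String str) {
        if (str == null) {
            return false;
        }
        int length = str.length();
        if (length < h || length > i) {
            return false;
        }
        return L.c(str);
    }

    /** Error responses (4xx/5xx) mean the action was refused, so they are never reported. */
    boolean a(int i2) {
        return i2 >= 400;
    }

    /**
     * Cheap pre-filter run before the request is processed. Each rejection sets {@link #a}
     * so the response-end callback also skips the request.
     *
     * <p>Order of checks: custom {@code X-Requested-With} header (cannot be attached
     * cross-origin without a CORS preflight), missing {@code User-Agent} (not a browser),
     * static resource, non-form {@code Content-Type}, unsupported method, parameter-less GET,
     * then the configured URL list.
     */
    @Override // com.contrastsecurity.agent.plugins.security.policy.rules.providers.HttpWatcher
    public boolean supports(HttpRequest httpRequest) {
        String requestedWith = httpRequest.getHeader("X-Requested-With");
        if (!StringUtils.isEmpty(requestedWith)) {
            return ignore("Ignoring CSRFRule for {} because X-Requested-With={}", httpRequest.getUri(), requestedWith);
        }
        if (StringUtils.isEmpty(httpRequest.getHeader("User-Agent"))) {
            return ignore("Ignoring CSRFRule for {} because no User-Agent was supplied -- not a browser interaction", httpRequest.getUri());
        }
        if (C0488r.b(httpRequest)) {
            return ignore("Ignoring CSRFRule for {} because it looks like its a static resource", httpRequest.getUri());
        }
        String contentType = httpRequest.getHeader("Content-Type");
        if (contentType != null) {
            try {
                HeaderElement[] elements = BasicHeaderValueParser.parseElements(contentType, BasicHeaderValueParser.INSTANCE);
                if (elements.length == 0) {
                    return ignore("Ignoring CSRFRule for {} because its content-type header is malformed value {}", httpRequest.getUri(), contentType);
                }
                // Only the first element's media type matters; parameters such as charset or
                // boundary are already split off by the parser.
                if (!d(elements[0].getName())) {
                    return ignore("Ignoring CSRFRule for {} because Content-Type was {}", httpRequest.getUri(), contentType);
                }
            } catch (ParseException ex) {
                return ignore("Ignoring CSRFRule for {} because its content-type header is malformed value {}", httpRequest.getUri(), contentType, ex);
            }
        }
        String method = httpRequest.getMethod();
        if (method != null && !c(method)) {
            return ignore("Ignoring CSRFRule for {} because method was {}", httpRequest.getUri(), method);
        }
        if (b(httpRequest)) {
            return ignore("Ignoring CSRFRule for {} because method was GET and no querystring", httpRequest.getUri());
        }
        String normalizedUri = httpRequest.getNormalizedUri();
        if (g.a.KNOWN_IDEMPOTENT.equals(this.b) && b(normalizedUri)) {
            return ignore("Ignoring CSRFRule for {} because URL was known idempotent", normalizedUri);
        }
        if (g.a.KNOWN_NEED_PROTECTING.equals(this.b) && !b(normalizedUri)) {
            return ignore("Ignoring CSRFRule for {} because URL was not on the need-to-protect list", normalizedUri);
        }
        return true;
    }

    /**
     * Marks this request as ignored, logs why at debug level, and returns false so callers
     * can {@code return ignore(...)}. A trailing {@link Throwable} argument is attached as
     * the log cause by SLF4J.
     */
    private boolean ignore(String format, Object... args) {
        this.a = true;
        j.debug(format, args);
        return false;
    }

    /** True when any configured pattern matches the normalized URI. */
    boolean b(String str) {
        for (SimplePattern pattern : this.c) {
            if (pattern.matches(str)) {
                return true;
            }
        }
        return false;
    }

    /** True when the method is one of {@link #f}; the comparison is delegated to {@code L.b}. */
    private boolean c(String str) {
        return L.b(f, str);
    }

    /**
     * True when the media type is one a browser form can send without a preflight.
     *
     * <p>Media type names are case-insensitive (RFC 7231 section 3.1.1.1) and the whitelist is
     * lowercase, so the input is folded first. Without this, a request declaring
     * {@code Application/x-www-form-urlencoded} would wrongly take the rule out of
     * consideration and hide a real CSRF exposure.
     */
    private boolean d(String str) {
        return str != null && g.contains(str.toLowerCase(Locale.ROOT));
    }
}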
