package com.contrastsecurity.agent.plugins.security.policy.rules.providers.internal.sessiontimeout;

import com.contrastsecurity.agent.DontObfuscate;
import com.contrastsecurity.agent.ScopedSensor;
import com.contrastsecurity.agent.apps.Application;
import com.contrastsecurity.agent.apps.ApplicationManager;
import com.contrastsecurity.agent.commons.Suppliers;
import com.contrastsecurity.agent.config.ConfigProperty;
import com.contrastsecurity.agent.context.ExecutionContext;
import com.contrastsecurity.agent.plugins.frameworks.j2ee.i;
import com.contrastsecurity.agent.plugins.security.policy.rules.providers.ProviderUtil;
import com.contrastsecurity.agent.plugins.security.x;
import com.contrastsecurity.agent.scope.GlobalScopeProvider;
import com.contrastsecurity.agent.scope.ScopeAggregator;
import com.contrastsecurity.agent.t;
import com.contrastsecurity.thirdparty.javax.inject.Inject;
import com.contrastsecurity.thirdparty.javax.inject.Singleton;
import com.contrastsecurity.thirdparty.net.n3.nanoxml.IXMLElement;
import com.contrastsecurity.thirdparty.net.n3.nanoxml.XMLElement;
import com.contrastsecurity.thirdparty.net.n3.nanoxml.XMLException;
import com.contrastsecurity.thirdparty.org.apache.commons.io.IOUtils;
import com.contrastsecurity.thirdparty.org.apache.commons.lang.StringUtils;
import com.contrastsecurity.thirdparty.org.slf4j.Logger;
import com.contrastsecurity.thirdparty.org.slf4j.LoggerFactory;
import java.io.File;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.function.Supplier;

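@Singleton
@DontObfuscate
/* loaded from: input_file:com/contrastsecurity/agent/plugins/security/policy/rules/providers/internal/sessiontimeout/ContrastSessionTimeoutRuleDispatcherImpl.class */
/**
 * Dispatcher for the "session-timeout" rule.
 *
 * <p>When a session object is handed to {@link #onSessionObtained(Object)}, its max inactive
 * interval (in seconds) is read through the reflector. A finding is reported when that interval
 * is below one second (which the log message treats as an unlimited timeout) or above the
 * configured maximum. The evaluation is stored as a memoized supplier in the current
 * application's context, so later sessions for the same context skip the check.
 *
 * <p>This source is decompiler output. Two spots that the decompiler could not type correctly
 * (the null check on the session and the scope clean-up on failure) are written here in their
 * evident intended form.
 */
final class ContrastSessionTimeoutRuleDispatcherImpl implements ContrastSessionTimeoutRuleDispatcher {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) ContrastSessionTimeoutRuleDispatcherImpl.class);
    // Context key under which the once-per-context reporter is stored.
    private static final ExecutionContext.b<Supplier> SESSION_TIMEOUT_REPORTER = ExecutionContext.b.a(Supplier.class);
    private final ApplicationManager applicationManager;
    private final ProviderUtil providerUtil;
    private final i reflector;
    // Upper bound (inclusive) for a session timeout that is still considered safe.
    private final long maxAllowedTimeoutInSeconds;
    private final x.b configurationHasher;

    /**
     * Wires the collaborators and resolves the maximum allowed timeout from configuration.
     *
     * @param applicationManager source of the current application
     * @param providerUtil used to report the finding
     * @param iVar reflector used to read the session and its web.xml
     * @param eVar agent configuration from which the maximum timeout is derived
     * @param xVar factory for the configuration hasher
     */
    @Inject
    public ContrastSessionTimeoutRuleDispatcherImpl(ApplicationManager applicationManager, ProviderUtil providerUtil, i iVar, com.contrastsecurity.agent.config.e eVar, x xVar) {
        this.applicationManager = applicationManager;
        this.providerUtil = providerUtil;
        this.reflector = iVar;
        this.maxAllowedTimeoutInSeconds = e.a(eVar);
        this.configurationHasher = xVar.a();
    }

    /**
     * Converts a timeout in seconds to whole minutes, rounding away from zero.
     *
     * <p>Examples: {@code 0 -> 0}, {@code 120 -> 2}, {@code 61 -> 2}, {@code -1 -> -1}.
     *
     * @param i timeout in seconds
     * @return the timeout in minutes
     */
    @t
    static int timeoutInMinutes(int i) {
        if (i == 0) {
            return 0;
        }
        int wholeMinutes = i / 60;
        if (i % 60 == 0) {
            return wholeMinutes;
        }
        // A partial minute counts as a full one, in the direction of the sign.
        return i < 0 ? wholeMinutes - 1 : wholeMinutes + 1;
    }

    /**
     * Looks up the {@code <session-timeout>} element of the application's web.xml and returns it
     * as evidence if it matches the effective timeout.
     *
     * @param iVar reflector used to reach web.xml
     * @param i effective timeout in minutes
     * @param obj the session object
     * @param application application being checked (used for logging only)
     * @return a one-line evidence snippet, or {@code null} when web.xml does not account for the timeout
     */
    @t
    static String getEvidenceFromWebXml(i iVar, int i, Object obj, Application application) {
        IXMLElement declaredTimeout = getSessionTimeout(iVar, obj, application);
        return declaredTimeout == null ? null : validateSessionTimeout(i, declaredTimeout);
    }

    /**
     * Parses {@code /WEB-INF/web.xml} and returns its {@code session-config/session-timeout}
     * element.
     *
     * @return the element, or {@code null} if web.xml is unavailable, cannot be parsed, or has no
     *     such element
     */
    private static IXMLElement getSessionTimeout(i iVar, Object obj, Application application) {
        // Presumably the session's ServletContext; the reflector's methods are obfuscated.
        Object resourceOwner = iVar.d(obj);
        if (resourceOwner == null) {
            return null;
        }
        InputStream webXml = iVar.a(resourceOwner, "/WEB-INF/web.xml");
        if (webXml == null) {
            return null;
        }
        InputStreamReader reader = null;
        try {
            // NOTE(review): no charset is given, so the platform default is used rather than the
            // encoding declared by web.xml.
            reader = new InputStreamReader(webXml);
            // NOTE(review): the parser is configured inside this helper, which is not visible
            // here. web.xml is supplied by the monitored application, so confirm that DTDs and
            // external entities are not resolved.
            XMLElement root = com.contrastsecurity.agent.y.i.a(reader);
            if (root == null) {
                return null;
            }
            IXMLElement sessionConfig = root.getFirstChildNamed("session-config");
            return sessionConfig == null ? null : sessionConfig.getFirstChildNamed("session-timeout");
        } catch (XMLException e) {
            logger.debug("Unable to parse /WEB-INF/web.xml for app with name={}.", application, e);
            return null;
        } finally {
            // Single clean-up point for every exit path, including unexpected throwables.
            IOUtils.closeQuietly(webXml, reader);
        }
    }

    /**
     * Decides whether the declared {@code <session-timeout>} explains the effective timeout.
     *
     * <p>It does when both values are equal, or when both are one of {@code 0} / {@code -1}.
     *
     * @param i effective timeout in minutes
     * @param iXMLElement the {@code <session-timeout>} element
     * @return the evidence snippet on a match, otherwise {@code null} (also for blank or
     *     non-numeric content)
     */
    private static String validateSessionTimeout(int i, IXMLElement iXMLElement) {
        String declaredText = StringUtils.trimToNull(iXMLElement.getContent());
        if (declaredText == null) {
            return null;
        }
        int declared;
        try {
            declared = Integer.parseInt(declaredText);
        } catch (NumberFormatException e) {
            return null;
        }
        boolean sameValue = i == declared;
        boolean bothZeroOrMinusOne = (i == 0 || i == -1) && (declared == 0 || declared == -1);
        // The snippet is only built after the content parsed as an integer, so the evidence
        // never carries arbitrary text from web.xml.
        return sameValue || bothZeroOrMinusOne ? generateLineSnippet(iXMLElement) : null;
    }

    /** Renders an element as {@code "<line>: <name>content</name>\n"}. */
    private static String generateLineSnippet(IXMLElement iXMLElement) {
        String tag = iXMLElement.getName();
        String content = StringUtils.trimToEmpty(iXMLElement.getContent());
        return iXMLElement.getLineNr() + ": <" + tag + ">" + content + "</" + tag + ">\n";
    }

    /**
     * Checks the session's timeout once per application context and reports a finding when it is
     * unlimited or longer than the configured maximum.
     *
     * <p>Nothing is checked when the session or the current application is {@code null}, when the
     * application is not yet resolved, when a reporter is already registered in the context, or
     * when the max inactive interval cannot be read.
     *
     * @param obj the session object; may be {@code null}
     */
    @Override // java.lang.ContrastSessionTimeoutRuleDispatcher
    @ScopedSensor
    public void onSessionObtained(Object obj) {
        ScopeAggregator enterScope = GlobalScopeProvider.enterScope();
        try {
            // Decompiler output compared the reference with 0; a null check is what the log
            // message describes.
            if (obj == null) {
                logger.debug("Session provided to {} was null. Skipping checks for overly-long session timeout.", ContrastSessionTimeoutRuleDispatcherImpl.class.getName());
                return;
            }
            Application current = this.applicationManager.current();
            if (current == null) {
                logger.debug("Current application provided to {} was null. Skipping checks for overly-long session timeout.", ContrastSessionTimeoutRuleDispatcherImpl.class.getName());
                return;
            }
            if (!current.getState().b()) {
                logger.debug("Current application {} provided to {} was not resolved. Skipping checks for overly-long session timeout.", current, ContrastSessionTimeoutRuleDispatcherImpl.class.getName());
                return;
            }
            com.contrastsecurity.agent.context.b context = current.context();
            if (context.get(SESSION_TIMEOUT_REPORTER) != null) {
                // A reporter is already registered for this context; do not evaluate again.
                return;
            }
            Integer c = this.reflector.c(obj);
            if (c == null) {
                logger.debug("HttpSession.getMaxInactiveInterval() threw an error or returned null. Skipping checks for overly-long session timeout.");
                return;
            }
            context.putIfAbsent(SESSION_TIMEOUT_REPORTER, Suppliers.memoize(() -> {
                int seconds = c.intValue();
                // Safe range is 1..max inclusive, although the message below says "less than".
                if (seconds >= 1 && seconds <= this.maxAllowedTimeoutInSeconds) {
                    logger.debug("Found safe session timeout value {} for application: {}. Session timeout values must be less than configured value of {} from {}.", c, current, Long.valueOf(this.maxAllowedTimeoutInSeconds), ConfigProperty.WEB_SESSION_TIMEOUT);
                    return null;
                }
                long a = this.configurationHasher.a("session-timeout", current.getResolvedFilePath() + File.separatorChar + "WEB-INF" + File.separatorChar + "web.xml");
                int timeoutInMinutes = timeoutInMinutes(seconds);
                String evidenceFromWebXml = getEvidenceFromWebXml(this.reflector, timeoutInMinutes, obj, current);
                // Without matching web.xml evidence the finding is attributed to a programmatic call.
                String evidence = evidenceFromWebXml == null ? "servletContext.setSessionTimeout(" + timeoutInMinutes + ")" : evidenceFromWebXml;
                this.providerUtil.reportFinding(current, "session-timeout", evidence, a, null, false, null);
                logger.debug("Found vulnerable session timeout value {} (a timeout of zero or less indicates an unlimited timeout) for application: {}. Session timeout values must be less than configured value of {} from {}.", c, current, Long.valueOf(this.maxAllowedTimeoutInSeconds), ConfigProperty.WEB_SESSION_TIMEOUT);
                return null;
            }));
            // Run whichever reporter ended up registered. Memoization keeps it to one evaluation.
            ((Supplier) context.get(SESSION_TIMEOUT_REPORTER)).get();
        } finally {
            // The scope is left on every path, normal return or exception.
            enterScope.leaveScope();
        }
    }
}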
