package org.jenkinsci.plugins.strictcrumbissuer;

import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import hudson.Extension;
import hudson.RestrictedSince;
import hudson.Util;
import hudson.model.Descriptor;
import hudson.model.ModelObject;
import hudson.security.csrf.CrumbIssuer;
import hudson.security.csrf.CrumbIssuerDescriptor;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Date;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.concurrent.GuardedBy;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import jenkins.model.Jenkins;
import jenkins.security.HexStringConfidentialKey;
import net.sf.json.JSONObject;
import org.apache.commons.lang.StringUtils;
import org.jenkinsci.Symbol;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:org/jenkinsci/plugins/strictcrumbissuer/StrictCrumbIssuer.class */
public class StrictCrumbIssuer extends CrumbIssuer {
    static final String HEADER_X_FORWARDED_FOR = "X-Forwarded-For";
    private static final String HEADER_REFERER = "Referer";
    private static final int MAX_HOURS_VALID = 24;
    private static final int TEMPORAL_VALIDATION_DISABLED = 0;
    private static final int MILLIS_PER_HOUR = 3600000;
    private static final int INCREMENTS_PER_HOUR = 12;
    private static final String MD_NAME = "SHA-256";
    private static final int MD_LENGTH = 64;
    private static final SecureRandom RANDOM;

    @GuardedBy("this")
    private transient MessageDigest md;
    private boolean checkClientIP;
    private boolean checkSameSource;
    private boolean checkOnlyLocalPath;
    private boolean checkSessionMatch;
    private boolean xorMasking;

    @SuppressFBWarnings(value = {"IS2_INCONSISTENT_SYNC"}, justification = "The synchronization is done for `md`")
    private int hoursValid;
    private static final Logger LOGGER;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Extension
    @Symbol({"strict"})
    /* loaded from: input_file:org/jenkinsci/plugins/strictcrumbissuer/StrictCrumbIssuer$DescriptorImpl.class */
    public static final class DescriptorImpl extends CrumbIssuerDescriptor<StrictCrumbIssuer> implements ModelObject {
        private static final HexStringConfidentialKey CRUMB_SALT = new HexStringConfidentialKey(StrictCrumbIssuer.class, "strictCrumbSalt", StrictCrumbIssuer.MD_LENGTH);

        public DescriptorImpl() {
            super(CRUMB_SALT.get(), System.getProperty("hudson.security.csrf.requestfield", "Jenkins-Crumb"));
            load();
        }

        public String getDisplayName() {
            return "Strict Crumb Issuer";
        }

        /* renamed from: newInstance, reason: merged with bridge method [inline-methods] */
        public StrictCrumbIssuer m2newInstance(StaplerRequest staplerRequest, JSONObject jSONObject) throws Descriptor.FormException {
            if (staplerRequest == null) {
                throw new IllegalArgumentException("req must not be null");
            }
            return (StrictCrumbIssuer) staplerRequest.bindJSON(StrictCrumbIssuer.class, jSONObject);
        }
    }

    public StrictCrumbIssuer(boolean z, boolean z2, boolean z3, boolean z4, int i, boolean z5) {
        this.checkClientIP = z;
        this.checkSameSource = z2;
        this.checkOnlyLocalPath = z3;
        this.checkSessionMatch = z4;
        this.hoursValid = i;
        this.xorMasking = z5;
        ensureHoursValidIsInBoundaries();
        initMessageDigest();
    }

    @DataBoundConstructor
    public StrictCrumbIssuer() {
        this.checkClientIP = false;
        this.checkSameSource = false;
        this.checkOnlyLocalPath = false;
        this.checkSessionMatch = true;
        this.hoursValid = 2;
        this.xorMasking = true;
    }

    @DataBoundSetter
    public void setCheckClientIP(boolean z) {
        this.checkClientIP = z;
    }

    @DataBoundSetter
    public void setCheckSameSource(boolean z) {
        this.checkSameSource = z;
    }

    @DataBoundSetter
    public void setCheckOnlyLocalPath(boolean z) {
        this.checkOnlyLocalPath = z;
    }

    @DataBoundSetter
    public void setCheckSessionMatch(boolean z) {
        this.checkSessionMatch = z;
    }

    @DataBoundSetter
    public void setHoursValid(int i) {
        this.hoursValid = i;
    }

    @DataBoundSetter
    public void setXorMasking(boolean z) {
        this.xorMasking = z;
    }

    @Restricted({NoExternalUse.class})
    @PostConstruct
    public void setup() {
        ensureHoursValidIsInBoundaries();
        initMessageDigest();
    }

    private Object readResolve() {
        ensureHoursValidIsInBoundaries();
        initMessageDigest();
        return this;
    }

    private synchronized void initMessageDigest() {
        try {
            this.md = MessageDigest.getInstance(MD_NAME);
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError("Can't find SHA-256");
        }
    }

    private void ensureHoursValidIsInBoundaries() {
        if (this.hoursValid > MAX_HOURS_VALID) {
            LOGGER.log(Level.WARNING, "The hoursValid (" + this.hoursValid + ") is too big, it will be reduced to 24");
            this.hoursValid = MAX_HOURS_VALID;
        } else if (this.hoursValid < 0) {
            LOGGER.log(Level.WARNING, "The hoursValid (" + this.hoursValid + ") is too small, the duration validation will be deactivated.");
            this.hoursValid = TEMPORAL_VALIDATION_DISABLED;
        }
    }

    @Restricted({NoExternalUse.class})
    @RestrictedSince("2.1.0")
    @Deprecated
    public boolean isCheckingClientIP() {
        return this.checkClientIP;
    }

    @Restricted({NoExternalUse.class})
    @RestrictedSince("2.1.0")
    @Deprecated
    public boolean isCheckingSameSource() {
        return this.checkSameSource;
    }

    @Restricted({NoExternalUse.class})
    @RestrictedSince("2.1.0")
    @Deprecated
    public boolean isCheckingOnlyLocalPath() {
        return this.checkOnlyLocalPath;
    }

    @Restricted({NoExternalUse.class})
    @RestrictedSince("2.1.0")
    @Deprecated
    public boolean isCheckingSessionMatch() {
        return this.checkSessionMatch;
    }

    public boolean isCheckClientIP() {
        return this.checkClientIP;
    }

    public boolean isCheckSameSource() {
        return this.checkSameSource;
    }

    public boolean isCheckOnlyLocalPath() {
        return this.checkOnlyLocalPath;
    }

    public boolean isCheckSessionMatch() {
        return this.checkSessionMatch;
    }

    public int getHoursValid() {
        return this.hoursValid;
    }

    public boolean isXorMasking() {
        return this.xorMasking;
    }

    @CheckForNull
    protected synchronized String issueCrumb(@NonNull ServletRequest servletRequest, @NonNull String str) {
        if (!(servletRequest instanceof HttpServletRequest) || this.md == null) {
            return null;
        }
        return encodeCrumb(createCrumb(servletRequest, str, getCurrentHour(), urlForCreation((HttpServletRequest) servletRequest)));
    }

    public synchronized boolean validateCrumb(@NonNull ServletRequest servletRequest, @NonNull String str, @CheckForNull String str2) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            LOGGER.log(Level.WARNING, "Passed request not a HttpServletRequest");
            return false;
        }
        if (str2 == null) {
            LOGGER.log(Level.FINER, "No crumb available in the request");
            return false;
        }
        byte[] bytes = decodeCrumb(str2).getBytes(StandardCharsets.US_ASCII);
        String urlForValidation = urlForValidation((HttpServletRequest) servletRequest);
        if (this.hoursValid != 0) {
            long currentHour = getCurrentHour();
            int hoursValid = INCREMENTS_PER_HOUR * getHoursValid();
            for (int i = TEMPORAL_VALIDATION_DISABLED; i <= hoursValid; i++) {
                if (isCrumbValid(servletRequest, str, currentHour - i, bytes, urlForValidation)) {
                    return true;
                }
            }
        } else if (isCrumbValid(servletRequest, str, 0L, bytes, urlForValidation)) {
            return true;
        }
        LOGGER.log(Level.INFO, "Invalid crumb found in the request");
        return false;
    }

    private boolean isCrumbValid(@NonNull ServletRequest servletRequest, @NonNull String str, long j, @NonNull byte[] bArr, @CheckForNull String str2) {
        return MessageDigest.isEqual(createCrumb(servletRequest, str, j, str2).getBytes(StandardCharsets.US_ASCII), bArr);
    }

    long getCurrentHour() {
        return new Date().getTime() / 300000;
    }

    @CheckForNull
    private String urlForCreation(@NonNull HttpServletRequest httpServletRequest) {
        if (!isCheckSameSource()) {
            return null;
        }
        if (!isCheckOnlyLocalPath()) {
            String stringBuffer = httpServletRequest.getRequestURL().toString();
            String queryString = httpServletRequest.getQueryString();
            String str = stringBuffer;
            if (queryString != null) {
                str = str + "?" + queryString;
            }
            return str;
        }
        String contextPath = httpServletRequest.getContextPath();
        String requestURI = httpServletRequest.getRequestURI();
        if (!requestURI.startsWith(contextPath)) {
            LOGGER.log(Level.WARNING, "RequestURI {0} does not start with contextPath", requestURI);
        }
        String substring = requestURI.substring(contextPath.length());
        String queryString2 = httpServletRequest.getQueryString();
        if (queryString2 != null) {
            substring = substring + "?" + queryString2;
        }
        return substring;
    }

    @CheckForNull
    private String urlForValidation(@NonNull HttpServletRequest httpServletRequest) {
        if (!isCheckSameSource()) {
            return null;
        }
        String header = httpServletRequest.getHeader(HEADER_REFERER);
        if (header == null) {
            LOGGER.log(Level.WARNING, "No referer present in the request, perhaps it is better to check only local path");
            return null;
        }
        if (!isCheckOnlyLocalPath()) {
            return header;
        }
        try {
            URL url = new URL(header);
            String contextPath = httpServletRequest.getContextPath();
            String file = url.getFile();
            if (file.startsWith(contextPath)) {
                return file.substring(contextPath.length());
            }
            LOGGER.log(Level.WARNING, "Request path {0} does not start with contextPath", file);
            return null;
        } catch (MalformedURLException e) {
            LOGGER.log(Level.WARNING, "The referer value is not parseable as URL", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    @NonNull
    private synchronized String createCrumb(@NonNull ServletRequest servletRequest, @NonNull String str, long j, @CheckForNull String str2) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        StringBuilder sb = new StringBuilder();
        sb.append(Jenkins.getAuthentication2().getName());
        sb.append(';');
        if (isCheckClientIP()) {
            sb.append(getClientIP(httpServletRequest));
            sb.append(';');
        }
        if (str2 != null) {
            sb.append(str2);
            sb.append(';');
        }
        if (isCheckSessionMatch()) {
            sb.append(httpServletRequest.getSession().getId());
            sb.append(';');
        }
        if (this.hoursValid == 0) {
            sb.append("0");
        } else {
            sb.append(j);
        }
        this.md.update(sb.toString().getBytes(StandardCharsets.UTF_8));
        return Util.toHexString(this.md.digest(str.getBytes(StandardCharsets.UTF_8)));
    }

    @NonNull
    private String randomHexString(int i) {
        byte[] bArr = new byte[i / 2];
        RANDOM.nextBytes(bArr);
        return Util.toHexString(bArr);
    }

    private String getClientIP(@NonNull HttpServletRequest httpServletRequest) {
        String remoteAddr = httpServletRequest.getRemoteAddr();
        String header = httpServletRequest.getHeader(HEADER_X_FORWARDED_FOR);
        if (header != null) {
            String[] split = header.split(",");
            if (split.length >= 1) {
                return split[TEMPORAL_VALIDATION_DISABLED];
            }
        }
        return remoteAddr;
    }

    @NonNull
    private String encodeCrumb(@NonNull String str) {
        String str2;
        String str3;
        if (isXorMasking()) {
            str2 = randomHexString(str.length());
            str3 = xor(str, str2);
        } else {
            str2 = "";
            str3 = str;
        }
        return str2 + str3;
    }

    @NonNull
    private String decodeCrumb(@NonNull String str) {
        return isXorMasking() ? unXor(str) : str;
    }

    @NonNull
    private String unXor(@NonNull String str) {
        if (str.length() != 128) {
            return "";
        }
        return xor(str.substring(MD_LENGTH, 128), str.substring(TEMPORAL_VALIDATION_DISABLED, MD_LENGTH));
    }

    @NonNull
    private String xor(@NonNull String str, @NonNull String str2) {
        if ($assertionsDisabled || str.length() == str2.length()) {
            return leftPadWithZeros(new BigInteger(str, 16).xor(new BigInteger(str2, 16)).toString(16), str.length());
        }
        throw new AssertionError();
    }

    @NonNull
    @SuppressFBWarnings(value = {"NP_NONNULL_RETURN_VIOLATION"}, justification = "leftPad returns null only if receiving null, which is not the case here")
    private static String leftPadWithZeros(@NonNull String str, int i) {
        return StringUtils.leftPad(str, i, '0');
    }

    static {
        $assertionsDisabled = !StrictCrumbIssuer.class.desiredAssertionStatus();
        RANDOM = new SecureRandom();
        LOGGER = Logger.getLogger(StrictCrumbIssuer.class.getName());
    }
}
