package org.springframework.security.web.server.csrf;

import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: input_file:WEB-INF/lib/spring-security-web-6.4.2.jar:org/springframework/security/web/server/csrf/CsrfWebFilter.class */
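public class CsrfWebFilter implements WebFilter {

    /**
     * Default policy for which requests need a CSRF token: every request whose method is
     * not one of GET, HEAD, TRACE or OPTIONS. See {@link DefaultRequireCsrfProtectionMatcher}.
     */
    public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER = new DefaultRequireCsrfProtectionMatcher();

    /**
     * Exchange attribute that, when set to {@code Boolean.TRUE} (see {@link #skipExchange}),
     * makes {@link #filter} pass the exchange straight through without any CSRF handling.
     */
    private static final String SHOULD_NOT_FILTER = "SHOULD_NOT_FILTER" + CsrfWebFilter.class.getName();

    private ServerWebExchangeMatcher requireCsrfProtectionMatcher = DEFAULT_CSRF_MATCHER;

    private ServerCsrfTokenRepository csrfTokenRepository = new WebSessionServerCsrfTokenRepository();

    // Default outcome of a failed check is a bare 403 response.
    private ServerAccessDeniedHandler accessDeniedHandler = new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN);

    private ServerCsrfTokenRequestHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();

    /* loaded from: input_file:WEB-INF/lib/spring-security-web-6.4.2.jar:org/springframework/security/web/server/csrf/CsrfWebFilter$DefaultRequireCsrfProtectionMatcher.class */
    private static class DefaultRequireCsrfProtectionMatcher implements ServerWebExchangeMatcher {

        /** Methods that are exempt from the CSRF check; every other method (or an unresolvable one) is checked. */
        private static final Set<HttpMethod> ALLOWED_METHODS = new HashSet<>(
                Arrays.asList(HttpMethod.GET, HttpMethod.HEAD, HttpMethod.TRACE, HttpMethod.OPTIONS));

        private DefaultRequireCsrfProtectionMatcher() {
        }

        /**
         * Returns {@code notMatch()} when the request method is in {@link #ALLOWED_METHODS}
         * and {@code match()} otherwise.
         * <p>
         * A request whose method cannot be resolved ({@code getMethod()} is null) produces an
         * empty {@code Mono} before the filter and therefore also ends in {@code match()}, i.e.
         * the unknown-method case is treated as requiring protection rather than being exempt.
         */
        @Override // org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
        public Mono<ServerWebExchangeMatcher.MatchResult> matches(ServerWebExchange serverWebExchange) {
            Mono<HttpMethod> method = Mono.just(serverWebExchange.getRequest())
                    .flatMap(request -> Mono.justOrEmpty(request.getMethod()));
            return method.filter(ALLOWED_METHODS::contains)
                    .flatMap(allowedMethod -> ServerWebExchangeMatcher.MatchResult.notMatch())
                    .switchIfEmpty(ServerWebExchangeMatcher.MatchResult.match());
        }
    }

    /**
     * Sets the handler invoked when a {@link CsrfException} is raised during validation.
     *
     * @param serverAccessDeniedHandler the handler; must not be null
     */
    public void setAccessDeniedHandler(ServerAccessDeniedHandler serverAccessDeniedHandler) {
        Assert.notNull(serverAccessDeniedHandler, "accessDeniedHandler");
        this.accessDeniedHandler = serverAccessDeniedHandler;
    }

    /**
     * Sets the repository used to load, generate and save the expected token.
     *
     * @param serverCsrfTokenRepository the repository; must not be null
     */
    public void setCsrfTokenRepository(ServerCsrfTokenRepository serverCsrfTokenRepository) {
        Assert.notNull(serverCsrfTokenRepository, "csrfTokenRepository cannot be null");
        this.csrfTokenRepository = serverCsrfTokenRepository;
    }

    /**
     * Sets the matcher that decides which exchanges must carry a valid token.
     * Defaults to {@link #DEFAULT_CSRF_MATCHER}.
     *
     * @param serverWebExchangeMatcher the matcher; must not be null
     */
    public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "requireCsrfProtectionMatcher cannot be null");
        this.requireCsrfProtectionMatcher = serverWebExchangeMatcher;
    }

    /**
     * Sets the handler that resolves the token value supplied by the request and that
     * exposes the token to downstream handlers.
     *
     * @param serverCsrfTokenRequestHandler the handler; must not be null
     */
    public void setRequestHandler(ServerCsrfTokenRequestHandler serverCsrfTokenRequestHandler) {
        Assert.notNull(serverCsrfTokenRequestHandler, "requestHandler cannot be null");
        this.requestHandler = serverCsrfTokenRequestHandler;
    }

    /**
     * Applies the CSRF check to the exchange.
     * <ul>
     * <li>If {@link #SHOULD_NOT_FILTER} is set, the chain is continued with no CSRF handling at all.</li>
     * <li>If the matcher matches and no {@link CsrfToken} attribute is already present on the
     * exchange, the token is validated first; a {@link CsrfException} is routed to the
     * access-denied handler instead of continuing the chain.</li>
     * <li>Otherwise the chain is continued after the request handler has been given a (lazy)
     * token supplier, see {@link #continueFilterChain}.</li>
     * </ul>
     *
     * @param serverWebExchange the current exchange
     * @param webFilterChain the remaining chain
     * @return completion of the downstream chain or of the access-denied handler
     */
    @Override // org.springframework.web.server.WebFilter
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        if (Boolean.TRUE.equals(serverWebExchange.getAttribute(SHOULD_NOT_FILTER))) {
            return webFilterChain.filter(serverWebExchange).then(Mono.empty());
        }
        return this.requireCsrfProtectionMatcher.matches(serverWebExchange)
                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                // A CsrfToken attribute already on the exchange means some earlier component
                // handled it; the check is not repeated in that case.
                .filter(matchResult -> !serverWebExchange.getAttributes().containsKey(CsrfToken.class.getName()))
                .flatMap(matchResult -> validateToken(serverWebExchange))
                .flatMap(validated -> continueFilterChain(serverWebExchange, webFilterChain))
                // validateToken() completes empty on success, so the protected path also
                // reaches continueFilterChain() through this branch.
                .switchIfEmpty(continueFilterChain(serverWebExchange, webFilterChain).then(Mono.empty()))
                .onErrorResume(CsrfException.class,
                        csrfException -> this.accessDeniedHandler.handle(serverWebExchange, csrfException));
    }

    /**
     * Marks the exchange so that {@link #filter} bypasses CSRF handling for it entirely.
     * Any component with access to the exchange can set this, so it should only be called
     * for exchanges that are known not to need protection.
     *
     * @param serverWebExchange the exchange to exempt
     */
    public static void skipExchange(ServerWebExchange serverWebExchange) {
        serverWebExchange.getAttributes().put(SHOULD_NOT_FILTER, Boolean.TRUE);
    }

    /**
     * Loads the expected token and checks it against the value carried by the request.
     *
     * @return an empty {@code Mono} on success; a {@code Mono} failing with {@link CsrfException}
     * when no expected token is stored ("cannot be found") or when the request value does not
     * match it ("Invalid CSRF Token")
     */
    private Mono<Void> validateToken(ServerWebExchange exchange) {
        return this.csrfTokenRepository.loadToken(exchange)
                .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("An expected CSRF token cannot be found"))))
                .filterWhen(token -> containsValidCsrfToken(exchange, token))
                .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("Invalid CSRF Token"))))
                .then();
    }

    /**
     * Resolves the token value the request presented and compares it with the expected token.
     * If the request handler resolves no value, the result is empty, which {@code filterWhen}
     * in {@link #validateToken} treats as a failed check.
     */
    private Mono<Boolean> containsValidCsrfToken(ServerWebExchange exchange, CsrfToken csrfToken) {
        return this.requestHandler.resolveCsrfTokenValue(exchange, csrfToken)
                .map(actual -> equalsConstantTime(actual, csrfToken.getToken()));
    }

    /**
     * Hands the request handler a lazy token supplier and then continues the chain. Deferred
     * so that nothing (including token generation) happens until the returned {@code Mono}
     * is subscribed.
     */
    private Mono<Void> continueFilterChain(ServerWebExchange exchange, WebFilterChain chain) {
        return Mono.defer(() -> {
            this.requestHandler.handle(exchange, csrfToken(exchange));
            return chain.filter(exchange);
        });
    }

    /** The stored token if there is one, otherwise a freshly generated and saved one. */
    private Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
        return this.csrfTokenRepository.loadToken(exchange).switchIfEmpty(generateToken(exchange));
    }

    /**
     * Compares two token strings without an early exit on the first differing character.
     * Identical references (including both being null) are equal; a single null is not.
     * The comparison is done on the UTF-8 encoding via {@link MessageDigest#isEqual}, which
     * is constant-time in the content of equal-length inputs; a length mismatch is rejected
     * up front, so timing can reveal at most that the lengths differ.
     */
    private static boolean equalsConstantTime(String expected, String actual) {
        if (expected == actual) {
            return true;
        }
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(Utf8.encode(expected), Utf8.encode(actual));
    }

    /**
     * Generates a new token and does not emit it until the repository has saved it.
     * The result is cached so that every subscriber of the same {@code Mono} sees the
     * same token instead of triggering another generate/save round.
     */
    private Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
        return this.csrfTokenRepository.generateToken(exchange)
                .delayUntil(token -> this.csrfTokenRepository.saveToken(exchange, token))
                .cache();
    }
}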
