package com.atlassian.jira.security.xsrf;

import com.atlassian.jira.event.issue.IssueEventSource;
import com.atlassian.jira.util.ComponentLocator;
import com.atlassian.jira.util.dbc.Null;
import com.atlassian.jira.web.action.JiraWebActionSupport;
import edu.umd.cs.findbugs.annotations.NonNull;
import java.lang.reflect.Method;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import webwork.action.Action;
import webwork.action.ActionContext;
import webwork.config.Configuration;
import webwork.config.util.ActionInfo;

/* loaded from: input_file:com/atlassian/jira/security/xsrf/DefaultXsrfInvocationChecker.class */
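public class DefaultXsrfInvocationChecker implements XsrfInvocationChecker {
    /**
     * Request header that lets a caller opt out of the XSRF token check when its value is
     * {@value #NO_CHECK} (compared case-insensitively, surrounding whitespace ignored).
     * The opt-out is only safe because browsers do not attach custom headers to cross-origin
     * requests without a CORS preflight, so a CORS policy that allows this header from arbitrary
     * origins would undo the protection.
     */
    private static final String OPT_OUT_HEADER = "X-Atlassian-Token";
    private static final String NO_CHECK = "no-check";
    /** Request parameter that carries the XSRF token; only its first value is used. */
    private static final String TOKEN_PARAMETER = "atl_token";
    /** Command used when the action has no explicit command name. */
    private static final String DEFAULT_COMMAND = "execute";

    private final ComponentLocator componentLocator;

    public DefaultXsrfInvocationChecker(ComponentLocator componentLocator) {
        this.componentLocator = componentLocator;
    }

    /**
     * Checks an action invocation against the request currently bound to the webwork
     * {@link ActionContext}.
     *
     * @param action the action about to be executed
     * @param map    the invocation parameters
     * @return the check outcome; never {@code null}
     */
    public XsrfCheckResult checkActionInvocation(Action action, Map<String, ?> map) {
        Null.not(IssueEventSource.ACTION, action);
        Null.not("parameters", map);
        return checkInvocation(action, map, getActionHttpRequest());
    }

    /**
     * Checks a plain web request (no webwork action). With no action to inspect for
     * {@link RequiresXsrfCheck}, the token is always required when protection is enabled.
     *
     * @param httpServletRequest the request to check
     * @return the check outcome; never {@code null}
     */
    public XsrfCheckResult checkWebRequestInvocation(HttpServletRequest httpServletRequest) {
        // Validate before dereferencing, so a null request fails the precondition check
        // rather than throwing a NullPointerException from getParameterMap().
        Null.not("httpServletRequest", httpServletRequest);
        Map<String, ?> parameterMap = httpServletRequest.getParameterMap();
        Null.not("httpServletRequest.parameters", parameterMap);
        return checkInvocation(null, parameterMap, httpServletRequest);
    }

    /**
     * Shared check: decides whether a token is required and, if so, validates the one
     * supplied in the parameters.
     */
    private XsrfCheckResult checkInvocation(Action action, Map<String, ?> map, HttpServletRequest httpServletRequest) {
        if (!needsXsrfCheck(action, httpServletRequest)) {
            // Not required: reported as valid so callers do not reject the request.
            return new SimpleXsrfCheckResult(false, true, true);
        }
        String xsrfToken = getXsrfToken(map);
        XsrfTokenGenerator xsrfTokenGenerator = getXsrfTokenGenerator();
        return new SimpleXsrfCheckResult(
                true,
                xsrfTokenGenerator.validateToken(httpServletRequest, xsrfToken),
                xsrfTokenGenerator.generatedByAuthenticatedUser(xsrfToken));
    }

    /** Immutable value object holding the outcome of a check. */
    private static final class SimpleXsrfCheckResult implements XsrfCheckResult {
        private final boolean required;
        private final boolean valid;
        private final boolean generatedForAuthenticatedUser;

        SimpleXsrfCheckResult(boolean required, boolean valid, boolean generatedForAuthenticatedUser) {
            this.required = required;
            this.valid = valid;
            this.generatedForAuthenticatedUser = generatedForAuthenticatedUser;
        }

        @Override
        public boolean isRequired() {
            return required;
        }

        @Override
        public boolean isValid() {
            return valid;
        }

        @Override
        public boolean isGeneratedForAuthenticatedUser() {
            return generatedForAuthenticatedUser;
        }

        @Override
        public String toString() {
            return String.format("required=%b valid=%b authed=%b", required, valid, generatedForAuthenticatedUser);
        }
    }

    /**
     * Decides whether the invocation must present a valid token.
     * <ul>
     *   <li>Never, if the request carries the opt-out header or protection is disabled.</li>
     *   <li>Always, for a plain web request ({@code action == null}).</li>
     *   <li>For a {@link JiraWebActionSupport} action, only if the command method is annotated
     *       with {@link RequiresXsrfCheck}.</li>
     *   <li>Never, for any other kind of action.</li>
     * </ul>
     */
    private boolean needsXsrfCheck(Action action, HttpServletRequest httpServletRequest) {
        if (requestHasOptOutHeader(httpServletRequest) || !getXsrfDefaults().isXsrfProtectionEnabled()) {
            return false;
        }
        if (action == null) {
            return true;
        }
        if (action instanceof JiraWebActionSupport) {
            return checkActionAnnotations((JiraWebActionSupport) action);
        }
        return false;
    }

    /** True if the request opts out via {@value #OPT_OUT_HEADER}: {@value #NO_CHECK}. */
    private boolean requestHasOptOutHeader(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return false;
        }
        String header = httpServletRequest.getHeader(OPT_OUT_HEADER);
        // equalsIgnoreCase is locale-independent, unlike toLowerCase() with the default locale.
        return StringUtils.isNotBlank(header) && NO_CHECK.equalsIgnoreCase(header.trim());
    }

    /**
     * Looks up the {@code doXxx} method for the action's command and reports whether it is
     * annotated with {@link RequiresXsrfCheck}. Only the most-derived declaration is inspected:
     * method annotations are not inherited, so a subclass overriding an annotated command
     * method without repeating the annotation silently disables the check for that command.
     */
    private boolean checkActionAnnotations(@NonNull JiraWebActionSupport jiraWebActionSupport) {
        String commandName = jiraWebActionSupport.getCommandName();
        if (StringUtils.isBlank(commandName)) {
            commandName = DEFAULT_COMMAND;
        }
        Method method = getMethod(jiraWebActionSupport, commandName);
        return method != null && method.isAnnotationPresent(RequiresXsrfCheck.class);
    }

    /** Resolves the no-arg {@code do<Command>} method declared on the action's class hierarchy. */
    private Method getMethod(JiraWebActionSupport jiraWebActionSupport, String commandName) {
        return getMethod(jiraWebActionSupport.getClass(), "do" + StringUtils.capitalize(commandName));
    }

    /**
     * Walks up from {@code cls} looking for a declared no-arg method named {@code methodName}.
     * The search stops at {@link JiraWebActionSupport} (inclusive), or at the top of the
     * hierarchy if the class does not extend it, and returns {@code null} when nothing matches.
     */
    private Method getMethod(Class<?> cls, String methodName) {
        for (Class<?> current = cls; current != null; current = current.getSuperclass()) {
            try {
                return current.getDeclaredMethod(methodName);
            } catch (NoSuchMethodException e) {
                if (current.equals(JiraWebActionSupport.class)) {
                    return null;
                }
            }
        }
        return null;
    }

    /** The request bound to the current webwork action context; overridable for tests. */
    HttpServletRequest getActionHttpRequest() {
        return ActionContext.getRequest();
    }

    /** Looks up webwork action configuration by name; overridable for tests. */
    ActionInfo getActionInfo(String str) {
        return (ActionInfo) Configuration.get(str);
    }

    /**
     * Extracts the first {@value #TOKEN_PARAMETER} value from the parameter map.
     *
     * @return the token, or {@code null} if absent, not a {@code String[]}, or empty
     */
    private static String getXsrfToken(Map<String, ?> map) {
        Object obj = map.get(TOKEN_PARAMETER);
        if (obj instanceof String[]) {
            String[] values = (String[]) obj;
            if (values.length > 0) {
                return values[0];
            }
        }
        return null;
    }

    private XsrfDefaults getXsrfDefaults() {
        return this.componentLocator.getComponentInstanceOfType(XsrfDefaults.class);
    }

    private XsrfTokenGenerator getXsrfTokenGenerator() {
        return this.componentLocator.getComponentInstanceOfType(XsrfTokenGenerator.class);
    }
}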
