package io.gravitee.am.management.handlers.management.api.authentication.csrf;

import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.common.utils.SecureRandomString;
import io.gravitee.am.jwt.JWTBuilder;
import io.gravitee.am.jwt.JWTParser;
import io.gravitee.am.management.handlers.management.api.authentication.provider.generator.JWTGenerator;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.time.Instant;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
import org.springframework.util.StringUtils;
import org.springframework.web.util.WebUtils;

/* loaded from: input_file:io/gravitee/am/management/handlers/management/api/authentication/csrf/CookieCsrfSignedTokenRepository.class */
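/**
 * {@link CsrfTokenRepository} that keeps the CSRF token inside a signed JWT carried by the
 * {@code XSRF-Graviteeio-AM-API-TOKEN} cookie. The raw token is stored under the {@code token}
 * claim; on read the cookie value is run through the configured {@link JWTParser} before it is
 * trusted, so a cookie whose JWT is rejected by the parser (presumably because the signature does
 * not verify — confirm against the parser implementation) yields no token rather than a forged one.
 *
 * <p>Header and parameter names handed to Spring Security are fixed to
 * {@link #DEFAULT_CSRF_HEADER_NAME} and {@code _csrf}.
 */
public class CookieCsrfSignedTokenRepository implements CsrfTokenRepository {
    private static final Logger LOGGER = LoggerFactory.getLogger(CookieCsrfSignedTokenRepository.class);
    public static final String TOKEN_CLAIM = "token";
    private static final String DEFAULT_CSRF_COOKIE_NAME = "XSRF-Graviteeio-AM-API-TOKEN";
    private static final String DEFAULT_CSRF_PARAMETER_NAME = "_csrf";
    public static final String DEFAULT_CSRF_HEADER_NAME = "X-Xsrf-Token";

    @Autowired
    private JWTGenerator jwtGenerator;

    // Builder used to sign the cookie payload; the parser below must be its counterpart
    // (same key material), otherwise every loadToken() call fails verification.
    @Autowired
    @Qualifier("managementJwtBuilder")
    private JWTBuilder jwtBuilder;

    @Autowired
    @Qualifier("managementJwtParser")
    private JWTParser jwtParser;

    /**
     * Returns the token already carried by the request's CSRF cookie when it is present and
     * accepted by the parser, otherwise a fresh random token.
     *
     * <p>Reusing the existing token keeps the cookie stable across requests; a new token is a
     * random UUID, which the JDK generates from {@code SecureRandom}.
     *
     * @param httpServletRequest the current request
     * @return a token carrying this repository's header and parameter names, never {@code null}
     */
    @Override
    public CsrfToken generateToken(HttpServletRequest httpServletRequest) {
        CsrfToken existing = loadToken(httpServletRequest);
        if (existing != null) {
            return existing;
        }
        return newToken(UUID.randomUUID().toString());
    }

    /**
     * Writes the token to the response as a signed JWT cookie, or clears the cookie when
     * {@code csrfToken} is {@code null}.
     *
     * <p>A request attribute keyed by the cookie name marks that the cookie was already emitted
     * for this request, so repeated calls within one request add the cookie only once. A signing
     * failure is logged and leaves the response without a cookie, so the following request will
     * carry no usable token and be issued a new one.
     *
     * @param csrfToken           the token to persist, or {@code null} to remove the cookie
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response the cookie is added to
     */
    @Override
    public void saveToken(CsrfToken csrfToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletRequest.getAttribute(DEFAULT_CSRF_COOKIE_NAME) != null) {
            return; // cookie already emitted during this request
        }
        if (csrfToken == null) {
            // A null value asks the generator for a cookie that drops the stored token.
            // NOTE(review): the trailing boolean is passed through unchanged; check its meaning
            // on JWTGenerator.generateCookie (it is not visible here).
            httpServletResponse.addCookie(this.jwtGenerator.generateCookie(DEFAULT_CSRF_COOKIE_NAME, null, true));
            return;
        }
        String token = csrfToken.getToken();
        try {
            // Wrap the raw token in a JWT with a random jti and the current iat, then sign it.
            // No exp claim is set here: the token's lifetime is whatever the cookie and the
            // parser impose.
            JWT jwt = new JWT();
            jwt.setJti(SecureRandomString.generate());
            jwt.setIat(Instant.now().getEpochSecond());
            jwt.put(TOKEN_CLAIM, token);
            httpServletResponse.addCookie(this.jwtGenerator.generateCookie(DEFAULT_CSRF_COOKIE_NAME, this.jwtBuilder.sign(jwt), true));
            httpServletRequest.setAttribute(DEFAULT_CSRF_COOKIE_NAME, true);
        } catch (Exception e) {
            LOGGER.error("Unable to generate CSRF token", e);
        }
    }

    /**
     * Reads the CSRF token back from the signed cookie.
     *
     * <p>The cookie value is client-supplied and is only trusted after the configured
     * {@link JWTParser} has accepted it. A missing cookie, an empty value, an accepted JWT
     * without a {@code token} claim, or any parse/verification failure all yield {@code null},
     * which makes Spring Security treat the request as carrying no token.
     *
     * @param httpServletRequest the current request
     * @return the stored token, or {@code null} when none can be trusted
     */
    @Override
    public CsrfToken loadToken(HttpServletRequest httpServletRequest) {
        Cookie cookie = WebUtils.getCookie(httpServletRequest, DEFAULT_CSRF_COOKIE_NAME);
        if (cookie == null || !StringUtils.hasLength(cookie.getValue())) {
            return null;
        }
        try {
            Object claim = this.jwtParser.parse(cookie.getValue()).get(TOKEN_CLAIM);
            // An accepted JWT without the claim is not a verification failure: report "no token"
            // quietly instead of letting a NullPointerException land in the error log below.
            if (claim == null) {
                LOGGER.debug("CSRF cookie JWT carries no '{}' claim", TOKEN_CLAIM);
                return null;
            }
            String token = claim.toString();
            return StringUtils.hasLength(token) ? newToken(token) : null;
        } catch (Exception e) {
            // Parse failures cover tampered or otherwise unacceptable cookies; keep the cause so
            // rejected tokens stay visible in the logs.
            LOGGER.error("Unable to verify CSRF token", e);
            return null;
        }
    }

    /** Builds a token around {@code value} using this repository's header and parameter names. */
    private static CsrfToken newToken(String value) {
        return new DefaultCsrfToken(DEFAULT_CSRF_HEADER_NAME, DEFAULT_CSRF_PARAMETER_NAME, value);
    }
}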
