package com.vaadin.flow.server.connect.auth;

import com.vaadin.flow.server.VaadinService;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.class */
public class VaadinConnectAccessChecker {

    /**
     * Request header in which the client echoes the CSRF token; it is compared
     * against the token stored in the session under
     * {@link VaadinService#getCsrfTokenAttributeName()}.
     */
    private static final String CSRF_HEADER_NAME = "X-CSRF-Token";

    /**
     * When {@code false}, the CSRF-token comparison is skipped altogether and
     * only the security annotations decide access. See {@link #enableCsrf}.
     */
    private boolean xsrfProtectionEnabled = true;

    /**
     * Decides whether the caller behind {@code httpServletRequest} may invoke
     * {@code method}. Requests with a user principal are evaluated against the
     * security annotations of the method (or its declaring class); requests
     * without one are additionally required to target an
     * {@link AnonymousAllowed} element.
     *
     * @param method             the endpoint method being invoked
     * @param httpServletRequest the incoming request
     * @return {@code null} when access is granted, otherwise a short reason
     *         for the denial
     * @throws IllegalArgumentException if {@code method} is not public and its
     *         security target has to be resolved (see {@link #getSecurityTarget})
     */
    public String check(Method method, HttpServletRequest httpServletRequest) {
        boolean authenticated = httpServletRequest.getUserPrincipal() != null;
        if (authenticated) {
            return denialForAuthenticated(method, httpServletRequest);
        }
        return denialForAnonymous(method, httpServletRequest);
    }

    /**
     * Resolves the element whose security annotations govern {@code method}:
     * the method itself when it carries one of the recognised annotations,
     * otherwise its declaring class.
     *
     * @param method a public endpoint method
     * @return the annotated element to consult
     * @throws IllegalArgumentException if {@code method} is not public
     */
    public AnnotatedElement getSecurityTarget(Method method) {
        if (!Modifier.isPublic(method.getModifiers())) {
            throw new IllegalArgumentException(String.format(
                    "The method '%s' is not public hence cannot have a security target",
                    method));
        }
        if (carriesSecurityAnnotation(method)) {
            return method;
        }
        return method.getDeclaringClass();
    }

    /**
     * Denial reason for a request without a user principal. The target must be
     * annotated {@link AnonymousAllowed} and the request must still pass the
     * CSRF and annotation checks.
     */
    private String denialForAnonymous(Method method, HttpServletRequest request) {
        // Resolve the target first so a non-public method fails fast with the
        // IllegalArgumentException from getSecurityTarget.
        boolean anonymousAllowed = getSecurityTarget(method)
                .isAnnotationPresent(AnonymousAllowed.class);
        if (anonymousAllowed && canAccessMethod(method, request)) {
            return null;
        }
        return "Anonymous access is not allowed";
    }

    /**
     * Denial reason for a request that has a user principal. In development
     * mode the message additionally hints at the annotations that open access.
     */
    private String denialForAuthenticated(Method method, HttpServletRequest request) {
        if (canAccessMethod(method, request)) {
            return null;
        }
        if (isDevMode()) {
            return "Unauthorized access to Vaadin endpoint; to enable endpoint access use one of the following annotations: @AnonymousAllowed, @PermitAll, @RolesAllowed";
        }
        return "Unauthorized access to Vaadin endpoint";
    }

    /**
     * {@code true} only when a current {@link VaadinService} exists and its
     * deployment configuration is not in production mode.
     */
    private boolean isDevMode() {
        VaadinService service = VaadinService.getCurrent();
        if (service == null) {
            return false;
        }
        return !service.getDeploymentConfiguration().isProductionMode();
    }

    /**
     * Combined gate: the CSRF token must validate before the annotations are
     * even consulted, so a request with a bad token never resolves the
     * security target.
     */
    private boolean canAccessMethod(Method method, HttpServletRequest request) {
        if (!validateCsrfTokenInRequest(request)) {
            return false;
        }
        return annotationAllowsAccess(getSecurityTarget(method), request);
    }

    /**
     * Compares the {@value #CSRF_HEADER_NAME} header with the token held in the
     * session. The comparison uses {@link MessageDigest#isEqual} so its timing
     * does not depend on where the two values diverge.
     *
     * @return {@code true} when protection is disabled, when the request has no
     *         existing session (there is then no token to compare against), or
     *         when header and session token match; {@code false} otherwise
     */
    private boolean validateCsrfTokenInRequest(HttpServletRequest request) {
        if (!this.xsrfProtectionEnabled) {
            return true;
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            // No session: the check is passed without any token being present.
            return true;
        }
        String expected = (String) session
                .getAttribute(VaadinService.getCsrfTokenAttributeName());
        if (expected == null) {
            logInfo("Unable to verify CSRF token for endpoint request, got null token in session");
            return false;
        }
        String presented = request.getHeader(CSRF_HEADER_NAME);
        boolean matches = presented != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            logInfo("Invalid CSRF token in endpoint request");
        }
        return matches;
    }

    /**
     * Evaluates the standard security annotations on {@code target} in order of
     * precedence: {@link DenyAll} wins, then {@link AnonymousAllowed}, then
     * {@link RolesAllowed} (any listed role suffices), and finally
     * {@link PermitAll}. An element with none of them denies access.
     */
    private boolean annotationAllowsAccess(AnnotatedElement target, HttpServletRequest request) {
        if (target.isAnnotationPresent(DenyAll.class)) {
            return false;
        }
        if (target.isAnnotationPresent(AnonymousAllowed.class)) {
            return true;
        }
        RolesAllowed rolesAllowed = target.getAnnotation(RolesAllowed.class);
        if (rolesAllowed != null) {
            return hasAnyRole(rolesAllowed, request);
        }
        return target.isAnnotationPresent(PermitAll.class);
    }

    /** {@code true} when the request's user is in at least one of the listed roles. */
    private boolean hasAnyRole(RolesAllowed rolesAllowed, HttpServletRequest request) {
        String[] roles = rolesAllowed.value();
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }
        return false;
    }

    /** Whether {@code method} itself carries any of the four recognised security annotations. */
    private boolean carriesSecurityAnnotation(Method method) {
        return method.isAnnotationPresent(AnonymousAllowed.class)
                || method.isAnnotationPresent(PermitAll.class)
                || method.isAnnotationPresent(DenyAll.class)
                || method.isAnnotationPresent(RolesAllowed.class);
    }

    /**
     * Switches CSRF-token validation on or off.
     *
     * @param z {@code true} to require a matching token, {@code false} to skip
     *          the comparison in {@link #check}
     */
    public void enableCsrf(boolean z) {
        this.xsrfProtectionEnabled = z;
    }

    /** Logs at INFO level, skipping the call when that level is disabled. */
    private static void logInfo(String message) {
        Logger logger = getLogger();
        if (logger.isInfoEnabled()) {
            logger.info(message);
        }
    }

    private static Logger getLogger() {
        return LoggerFactory.getLogger(VaadinConnectAccessChecker.class);
    }
}
