package com.vaadin.flow.server.connect.auth;

import com.vaadin.flow.server.VaadinService;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Objects;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/flow-server-6.0-SNAPSHOT.jar:com/vaadin/flow/server/connect/auth/VaadinConnectAccessChecker.class */
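public class VaadinConnectAccessChecker {
    // Resolved once instead of on every log call (the original looked it up per call).
    private static final Logger LOGGER = LoggerFactory.getLogger(VaadinConnectAccessChecker.class);

    // Request header in which the client echoes the session's CSRF token.
    private static final String CSRF_TOKEN_HEADER = "X-CSRF-Token";

    // Toggled via enableCsrf(); not synchronized.
    // NOTE(review): presumably configured once at startup before the checker is
    // shared across request threads — confirm with callers.
    private boolean xsrfProtectionEnabled = true;

    /**
     * Checks whether the current request may invoke the given endpoint method.
     *
     * @param method the endpoint method being invoked, must be public
     * @param httpServletRequest the request carrying principal, session and headers
     * @return {@code null} when access is granted, otherwise a human-readable
     *         reason why access was denied
     * @throws IllegalArgumentException if {@code method} is not public
     */
    public String check(Method method, HttpServletRequest httpServletRequest) {
        Objects.requireNonNull(method, "method");
        Objects.requireNonNull(httpServletRequest, "httpServletRequest");
        boolean authenticated = httpServletRequest.getUserPrincipal() != null;
        return authenticated
                ? verifyAuthenticatedUser(method, httpServletRequest)
                : verifyAnonymousUser(method, httpServletRequest);
    }

    /**
     * Returns the element whose security annotations govern the method: the
     * method itself when it carries one of the recognised annotations, otherwise
     * its declaring class.
     *
     * @param method the endpoint method, must be public
     * @return the method or its declaring class
     * @throws IllegalArgumentException if {@code method} is not public
     */
    public AnnotatedElement getSecurityTarget(Method method) {
        Objects.requireNonNull(method, "method");
        if (!Modifier.isPublic(method.getModifiers())) {
            throw new IllegalArgumentException(String.format(
                    "The method '%s' is not public hence cannot have a security target", method));
        }
        return hasSecurityAnnotation(method) ? method : method.getDeclaringClass();
    }

    /**
     * Access decision for a request with no principal: the target must be
     * explicitly {@link AnonymousAllowed} and pass the common checks.
     *
     * @return {@code null} when allowed, otherwise the denial reason
     */
    private String verifyAnonymousUser(Method method, HttpServletRequest httpServletRequest) {
        boolean anonymousAllowed = getSecurityTarget(method).isAnnotationPresent(AnonymousAllowed.class);
        if (!anonymousAllowed || cannotAccessMethod(method, httpServletRequest)) {
            return "Anonymous access is not allowed";
        }
        return null;
    }

    /**
     * Access decision for a request with a principal: only the common checks
     * (CSRF token and annotation-based authorization) apply.
     *
     * @return {@code null} when allowed, otherwise the denial reason
     */
    private String verifyAuthenticatedUser(Method method, HttpServletRequest httpServletRequest) {
        if (cannotAccessMethod(method, httpServletRequest)) {
            return "Unauthorized access to Vaadin endpoint";
        }
        return null;
    }

    /** Combines the request-level (CSRF) and target-level (annotation) checks. */
    private boolean cannotAccessMethod(Method method, HttpServletRequest httpServletRequest) {
        return requestForbidden(httpServletRequest)
                || entityForbidden(getSecurityTarget(method), httpServletRequest);
    }

    /**
     * CSRF check: when protection is enabled and the request has a session, the
     * token stored in the session must match the {@value #CSRF_TOKEN_HEADER}
     * header.
     *
     * @return {@code true} when the request must be rejected
     */
    private boolean requestForbidden(HttpServletRequest httpServletRequest) {
        if (!xsrfProtectionEnabled) {
            return false;
        }
        // Never create a session here. A request without one has no token to
        // compare against and is let through, as in the original implementation.
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            return false;
        }
        String expectedToken = (String) session.getAttribute(VaadinService.getCsrfTokenAttributeName());
        if (expectedToken == null) {
            getLogger().info("Unable to verify CSRF token for endpoint request, got null token in session");
            return true;
        }
        if (!tokensMatch(expectedToken, httpServletRequest.getHeader(CSRF_TOKEN_HEADER))) {
            getLogger().info("Invalid CSRF token in endpoint request");
            return true;
        }
        return false;
    }

    /**
     * Compares the session token with the presented one without leaking, through
     * timing, how many leading characters matched. {@link MessageDigest#isEqual}
     * still short-circuits on differing lengths; the token length is not secret.
     *
     * @param expected the token held in the session, never {@code null}
     * @param presented the header value, may be {@code null} when absent
     */
    private static boolean tokensMatch(String expected, String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Annotation-based authorization. {@link DenyAll} always wins, even when
     * combined with {@link AnonymousAllowed}; {@link AnonymousAllowed} grants
     * access to everyone; otherwise {@link RolesAllowed} (if present) decides.
     *
     * @return {@code true} when the target must not be invoked by this request
     */
    private boolean entityForbidden(AnnotatedElement annotatedElement, HttpServletRequest httpServletRequest) {
        if (annotatedElement.isAnnotationPresent(DenyAll.class)) {
            return true;
        }
        if (annotatedElement.isAnnotationPresent(AnonymousAllowed.class)) {
            return false;
        }
        return !roleAllowed(annotatedElement.getAnnotation(RolesAllowed.class), httpServletRequest);
    }

    /**
     * Role check. A missing {@link RolesAllowed} (i.e. {@link PermitAll} or no
     * annotation at all) permits the request; an empty role list denies everyone.
     *
     * @param rolesAllowed the annotation, or {@code null} when absent
     */
    private boolean roleAllowed(RolesAllowed rolesAllowed, HttpServletRequest httpServletRequest) {
        if (rolesAllowed == null) {
            return true;
        }
        return Arrays.stream(rolesAllowed.value()).anyMatch(httpServletRequest::isUserInRole);
    }

    /** Whether the method itself carries one of the annotations this checker understands. */
    private boolean hasSecurityAnnotation(Method method) {
        return method.isAnnotationPresent(AnonymousAllowed.class)
                || method.isAnnotationPresent(PermitAll.class)
                || method.isAnnotationPresent(DenyAll.class)
                || method.isAnnotationPresent(RolesAllowed.class);
    }

    /**
     * Enables or disables the CSRF token check performed by {@link #check}.
     * Enabled by default.
     *
     * @param enabled {@code true} to require a matching token on requests that have a session
     */
    public void enableCsrf(boolean enabled) {
        this.xsrfProtectionEnabled = enabled;
    }

    private static Logger getLogger() {
        return LOGGER;
    }
}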
