package org.springframework.security.web.server.csrf;

import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import org.reactivestreams.Publisher;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.codec.multipart.FormFieldPart;
import org.springframework.http.codec.multipart.Part;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

/* loaded from: classes4.dex */
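/**
 * Reactive {@link WebFilter} that enforces CSRF protection by comparing a token supplied with
 * the request against the token held by the {@link ServerCsrfTokenRepository}.
 *
 * <p>Processing order, as implemented in {@link #filter}:
 * <ol>
 *   <li>If the exchange was marked through {@link #skipExchange}, the chain continues with no
 *       validation and no {@link CsrfToken} attribute is published.</li>
 *   <li>If the configured matcher does not match, or a {@link CsrfToken} attribute is already
 *       present on the exchange, validation is skipped and the chain continues.</li>
 *   <li>Otherwise the request token is read from the form data, then from the header, then
 *       (only when enabled) from multipart data, and compared with the stored token.</li>
 *   <li>A {@link CsrfException} is routed to the {@link ServerAccessDeniedHandler}; the default
 *       handler answers with {@code 403 Forbidden}.</li>
 * </ol>
 *
 * <p>This listing was reconstructed from decompiler output. The anonymous {@code Function},
 * {@code Predicate} and {@code Supplier} wrappers and the synthetic {@code lambda$...} bridge
 * methods are written as lambdas again, and {@code containsValidCsrfToken} has its original
 * name and {@code private} visibility back.
 */
public class CsrfWebFilter implements WebFilter {
    /** Default matcher: every request whose method is not GET, HEAD, TRACE or OPTIONS. */
    public static final ServerWebExchangeMatcher DEFAULT_CSRF_MATCHER = new DefaultRequireCsrfProtectionMatcher();
    /** Exchange attribute key that, when set to {@code Boolean.TRUE}, disables this filter for the exchange. */
    private static final String SHOULD_NOT_FILTER = "SHOULD_NOT_FILTER" + CsrfWebFilter.class.getName();
    private boolean isTokenFromMultipartDataEnabled;
    private ServerWebExchangeMatcher requireCsrfProtectionMatcher = DEFAULT_CSRF_MATCHER;
    private ServerCsrfTokenRepository csrfTokenRepository = new WebSessionServerCsrfTokenRepository();
    private ServerAccessDeniedHandler accessDeniedHandler = new HttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN);

    /**
     * Requires CSRF validation for every request whose HTTP method is not in
     * {@link #ALLOWED_METHODS}.
     *
     * <p>Security note: requests using the allowed methods are never validated, so handlers
     * mapped to GET, HEAD, TRACE or OPTIONS must not change state. A request whose method
     * cannot be resolved ({@code getMethod()} returns {@code null}) falls through to
     * {@code match()}, i.e. it is treated as requiring a token.
     */
    private static class DefaultRequireCsrfProtectionMatcher implements ServerWebExchangeMatcher {
        private static final Set<HttpMethod> ALLOWED_METHODS = new HashSet<>(
                Arrays.asList(HttpMethod.GET, HttpMethod.HEAD, HttpMethod.TRACE, HttpMethod.OPTIONS));

        private DefaultRequireCsrfProtectionMatcher() {
        }

        @Override
        public Mono<ServerWebExchangeMatcher.MatchResult> matches(ServerWebExchange serverWebExchange) {
            return Mono.just(serverWebExchange.getRequest())
                    .flatMap(request -> Mono.justOrEmpty(request.getMethod()))
                    .filter(ALLOWED_METHODS::contains)
                    .flatMap(method -> ServerWebExchangeMatcher.MatchResult.notMatch())
                    // Empty here means "method missing or not in the allowed set": protect it.
                    .switchIfEmpty(ServerWebExchangeMatcher.MatchResult.match());
        }
    }

    /**
     * Looks up the token supplied by the client and compares it with the expected token.
     *
     * <p>Sources are tried in order: form field named {@code expected.getParameterName()},
     * request header named {@code expected.getHeaderName()}, then multipart data. The returned
     * Mono is empty when no source yields a value, which {@link #validateToken} reports as an
     * invalid token.
     *
     * @param exchange the current exchange
     * @param expected the token loaded from the repository
     * @return {@code true} when the supplied value equals the expected token, {@code false}
     *     when it differs, empty when the request carries no token
     */
    private Mono<Boolean> containsValidCsrfToken(ServerWebExchange exchange, CsrfToken expected) {
        return exchange.getFormData()
                .flatMap(form -> Mono.justOrEmpty(form.getFirst(expected.getParameterName())))
                .switchIfEmpty(Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(expected.getHeaderName())))
                .switchIfEmpty(tokenFromMultipartData(exchange, expected))
                .map(actual -> equalsConstantTime(actual, expected.getToken()));
    }

    /**
     * Publishes the (lazy) token under the {@code CsrfToken} class name and continues the chain.
     * The attribute value is a {@code Mono<CsrfToken>}, not the token itself, so the token is
     * only loaded or generated when something downstream subscribes to it.
     */
    private Mono<Void> continueFilterChain(ServerWebExchange exchange, WebFilterChain chain) {
        return Mono.defer(() -> {
            exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken(exchange));
            return chain.filter(exchange);
        });
    }

    /** Loads the stored token, falling back to generating and saving a new one. */
    private Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
        return this.csrfTokenRepository.loadToken(exchange).switchIfEmpty(generateToken(exchange));
    }

    /**
     * Compares two strings through {@link MessageDigest#isEqual} on their UTF-8 bytes so that
     * the comparison does not stop at the first differing character, which would let response
     * timing reveal how much of a guessed token is correct.
     *
     * @return {@code true} when both references are identical (including both {@code null})
     *     or the encoded bytes are equal; {@code false} when exactly one argument is {@code null}
     */
    private static boolean equalsConstantTime(String expected, String actual) {
        if (expected == actual) {
            return true;
        }
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(Utf8.encode(expected), Utf8.encode(actual));
    }

    /** Generates a token and delays emission until the repository has saved it. */
    private Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
        return this.csrfTokenRepository.generateToken(exchange)
                .delayUntil(token -> this.csrfTokenRepository.saveToken(exchange, token));
    }

    /**
     * Marks the exchange so that this filter neither validates a token nor publishes the
     * {@code CsrfToken} attribute for it.
     *
     * <p>Security note: this switches CSRF protection off for the exchange. It is only
     * appropriate for requests that are not authenticated by credentials a browser attaches
     * automatically; call it before this filter runs.
     *
     * @param serverWebExchange the exchange to exempt
     */
    public static void skipExchange(ServerWebExchange serverWebExchange) {
        serverWebExchange.getAttributes().put(SHOULD_NOT_FILTER, Boolean.TRUE);
    }

    /**
     * Reads the token from a {@code multipart/form-data} body when that lookup is enabled.
     *
     * <p>Every condition under which no usable token field exists yields an empty Mono, so the
     * caller reports an invalid token through the access-denied handler:
     * <ul>
     *   <li>the request has no {@code Content-Type} header (previously a
     *       {@code NullPointerException} on {@code getContentType().includes(...)});</li>
     *   <li>the multipart body has no part with the token parameter name (previously a
     *       {@code null} returned from a {@code map} function, which Reactor rejects with a
     *       {@code NullPointerException});</li>
     *   <li>the part exists but is not a {@link FormFieldPart} (previously a
     *       {@code ClassCastException} from {@code cast}).</li>
     * </ul>
     * None of those exceptions is a {@link CsrfException}, so they bypassed the
     * {@link ServerAccessDeniedHandler} and surfaced as unhandled errors.
     *
     * @return the token field value, or empty
     */
    private Mono<String> tokenFromMultipartData(ServerWebExchange exchange, CsrfToken expected) {
        if (!this.isTokenFromMultipartDataEnabled) {
            return Mono.empty();
        }
        MediaType contentType = exchange.getRequest().getHeaders().getContentType();
        if (contentType == null || !contentType.includes(MediaType.MULTIPART_FORM_DATA)) {
            return Mono.empty();
        }
        return exchange.getMultipartData()
                .flatMap(parts -> Mono.justOrEmpty(parts.getFirst(expected.getParameterName())))
                .ofType(FormFieldPart.class)
                .map(FormFieldPart::value);
    }

    /**
     * Fails with a {@link CsrfException} when no token is stored for the exchange or when the
     * request does not carry a matching token; completes empty on success.
     */
    private Mono<Void> validateToken(ServerWebExchange exchange) {
        return this.csrfTokenRepository.loadToken(exchange)
                .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("An expected CSRF token cannot be found"))))
                .filterWhen(expected -> containsValidCsrfToken(exchange, expected))
                // Empty after filterWhen covers both "token differs" and "no token in request".
                .switchIfEmpty(Mono.defer(() -> Mono.error(new CsrfException("Invalid CSRF Token"))))
                .then();
    }

    /**
     * Applies CSRF validation to the exchange and then continues the filter chain.
     *
     * <p>Validation is skipped when the exchange carries the skip marker, when the matcher does
     * not match, or when a {@code CsrfToken} attribute is already present on the exchange.
     * Only {@link CsrfException} is translated by the access-denied handler; any other error
     * propagates to the caller.
     *
     * @param serverWebExchange the current exchange
     * @param webFilterChain the remaining filter chain
     * @return completion of the chain, or of the access-denied handler on a CSRF failure
     */
    @Override
    public Mono<Void> filter(final ServerWebExchange serverWebExchange, final WebFilterChain webFilterChain) {
        if (Boolean.TRUE.equals(serverWebExchange.getAttribute(SHOULD_NOT_FILTER))) {
            return webFilterChain.filter(serverWebExchange).then(Mono.empty());
        }
        return this.requireCsrfProtectionMatcher.matches(serverWebExchange)
                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                .filter(match -> !serverWebExchange.getAttributes().containsKey(CsrfToken.class.getName()))
                .flatMap(match -> validateToken(serverWebExchange))
                // validateToken() completes empty, so the chain is normally resumed by the
                // switchIfEmpty() below; this flatMap is kept to mirror the original pipeline.
                .flatMap(ignored -> continueFilterChain(serverWebExchange, webFilterChain))
                .switchIfEmpty(continueFilterChain(serverWebExchange, webFilterChain).then(Mono.empty()))
                .onErrorResume(CsrfException.class,
                        denied -> this.accessDeniedHandler.handle(serverWebExchange, denied));
    }

    /**
     * Sets the handler invoked when CSRF validation fails.
     *
     * @param serverAccessDeniedHandler the handler; must not be {@code null}
     */
    public void setAccessDeniedHandler(ServerAccessDeniedHandler serverAccessDeniedHandler) {
        Assert.notNull(serverAccessDeniedHandler, "accessDeniedHandler");
        this.accessDeniedHandler = serverAccessDeniedHandler;
    }

    /**
     * Sets the repository used to load, generate and save tokens.
     *
     * @param serverCsrfTokenRepository the repository; must not be {@code null}
     */
    public void setCsrfTokenRepository(ServerCsrfTokenRepository serverCsrfTokenRepository) {
        Assert.notNull(serverCsrfTokenRepository, "csrfTokenRepository cannot be null");
        this.csrfTokenRepository = serverCsrfTokenRepository;
    }

    /**
     * Sets the matcher that decides which exchanges need a valid token. Exchanges the matcher
     * does not match are passed through without validation, so a custom matcher should be
     * reviewed for state-changing endpoints it leaves out.
     *
     * @param serverWebExchangeMatcher the matcher; must not be {@code null}
     */
    public void setRequireCsrfProtectionMatcher(ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(serverWebExchangeMatcher, "requireCsrfProtectionMatcher cannot be null");
        this.requireCsrfProtectionMatcher = serverWebExchangeMatcher;
    }

    /**
     * Enables or disables reading the token from a {@code multipart/form-data} body.
     *
     * <p>Security note: when enabled, the multipart body is parsed as part of token lookup,
     * i.e. before the request has passed CSRF validation. Enforce request and part size limits
     * independently of this filter.
     *
     * @param z {@code true} to look for the token in multipart data
     */
    public void setTokenFromMultipartDataEnabled(boolean z) {
        this.isTokenFromMultipartDataEnabled = z;
    }
}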
