package org.http4s.server.middleware;

import cats.Applicative;
import cats.Applicative$;
import cats.arrow.FunctionK;
import cats.effect.SyncIO;
import cats.effect.SyncIO$;
import cats.effect.kernel.GenConcurrent;
import cats.effect.kernel.Sync;
import cats.effect.std.SecureRandom;
import cats.effect.std.SecureRandom$;
import cats.syntax.package$all$;
import io.netty.handler.codec.http.HttpHeaders;
import java.time.Clock;
import javax.crypto.SecretKey;
import org.http4s.Header;
import org.http4s.Header$Select$;
import org.http4s.Headers$;
import org.http4s.MediaType;
import org.http4s.MediaType$;
import org.http4s.ParseFailure;
import org.http4s.Request;
import org.http4s.RequestCookie;
import org.http4s.Response$;
import org.http4s.Status$;
import org.http4s.Uri;
import org.http4s.Uri$;
import org.http4s.UrlForm;
import org.http4s.UrlForm$;
import org.http4s.crypto.Hmac$;
import org.http4s.crypto.HmacAlgorithm$SHA1$;
import org.http4s.crypto.HmacKeyGen$;
import org.http4s.crypto.SecureEq$;
import org.http4s.headers.Content$minusType;
import org.http4s.headers.Content$minusType$;
import org.http4s.headers.Cookie$;
import org.http4s.headers.Host;
import org.http4s.headers.Host$;
import org.http4s.headers.Referer;
import org.http4s.headers.Referer$;
import org.http4s.headers.X$minusForwarded$minusFor;
import org.http4s.headers.X$minusForwarded$minusFor$;
import org.http4s.server.middleware.CSRF;
import org.typelevel.ci.package$;
import scala.Function1;
import scala.Function2;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Some;
import scala.StringContext;
import scala.collection.immutable.Map;
import scala.collection.immutable.Nil$;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;
import scodec.bits.Bases$Alphabets$HexUppercase$;
import scodec.bits.ByteVector$;

/* compiled from: CSRF.scala */
/* loaded from: input_file:WEB-INF/lib/http4s-server_2.13-0.23.24.jar:org/http4s/server/middleware/CSRF$.class */
public final class CSRF$ {
    public static final CSRF$ MODULE$ = new CSRF$();
    private static final HmacAlgorithm$SHA1$ SigningAlgorithm = HmacAlgorithm$SHA1$.MODULE$;
    private static final String SigningAlgo = "HmacSHA1";
    private static final int SHA1ByteLen = 20;
    private static final int CSRFTokenLength = 32;
    private static final int InitialSeedArraySize = 20;
    private static final SecureRandom<SyncIO> CachedRandom = (SecureRandom) ((SyncIO) package$all$.MODULE$.toFlatMapOps(SecureRandom$.MODULE$.javaSecuritySecureRandom(SyncIO$.MODULE$.syncForSyncIO()), SyncIO$.MODULE$.syncForSyncIO()).flatTap(secureRandom -> {
        return (SyncIO) secureRandom.nextBytes(MODULE$.InitialSeedArraySize());
    })).unsafeRunSync();

    public <F, G> CSRF.CSRFBuilder<F, G> apply(SecretKey secretKey, Function1<Request<G>, Object> function1, Sync<F> sync, Applicative<G> applicative) {
        return new CSRF.CSRFBuilder<>(package$.MODULE$.CIStringSyntax(new StringContext(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{"X-Csrf-Token"}))).ci(Nil$.MODULE$), new CSRF.CookieSettings("csrf-token", false, true, CSRF$CookieSettings$.MODULE$.apply$default$4(), new Some("/"), CSRF$CookieSettings$.MODULE$.apply$default$6(), CSRF$CookieSettings$.MODULE$.apply$default$7()), Clock.systemUTC(), Response$.MODULE$.apply(Status$.MODULE$.Forbidden(), Response$.MODULE$.apply$default$2(), Response$.MODULE$.apply$default$3(), Response$.MODULE$.apply$default$4(), Response$.MODULE$.apply$default$5()), true, (org.http4s.crypto.SecretKey) ((SyncIO) Hmac$.MODULE$.apply(Hmac$.MODULE$.forApplicativeThrow(SyncIO$.MODULE$.syncForSyncIO())).importJavaKey(secretKey)).unsafeRunSync(), function1, checkCSRFDefault(sync), sync, applicative);
    }

    public <F, G> CSRF.CSRFBuilder<F, G> withDefaultOriginCheck(SecretKey secretKey, String str, Uri.Scheme scheme, Option<Object> option, Sync<F> sync, Applicative<G> applicative) {
        return apply(secretKey, request -> {
            return BoxesRunTime.boxToBoolean($anonfun$withDefaultOriginCheck$1(str, scheme, option, request));
        }, sync, applicative);
    }

    public <F, G> CSRF.CSRFBuilder<F, G> withDefaultOriginCheckFormAware(String str, FunctionK<G, F> functionK, SecretKey secretKey, String str2, Uri.Scheme scheme, Option<Object> option, Sync<F> sync, GenConcurrent<G, Throwable> genConcurrent) {
        return withDefaultOriginCheck(secretKey, str2, scheme, option, cats.effect.package$.MODULE$.Sync().apply(sync), Applicative$.MODULE$.apply(genConcurrent)).withCSRFCheck(checkCSRFinHeaderAndForm(str, functionK, genConcurrent, sync));
    }

    /* JADX WARN: Multi-variable type inference failed */
    public <F, G> F withGeneratedKey(Function1<Request<G>, Object> function1, Sync<F> sync, Applicative<G> applicative) {
        return (F) package$all$.MODULE$.toFunctorOps(generateSigningKey(sync), sync).map(secretKey -> {
            return MODULE$.apply(secretKey, function1, sync, applicative);
        });
    }

    /* JADX WARN: Multi-variable type inference failed */
    public <F, G> F withKeyBytes(byte[] bArr, Function1<Request<G>, Object> function1, Sync<F> sync, Applicative<G> applicative) {
        return (F) package$all$.MODULE$.toFunctorOps(buildSigningKey(bArr, sync), sync).map(secretKey -> {
            return MODULE$.apply(secretKey, function1, sync, applicative);
        });
    }

    public <F, G> Function1<CSRF<F, G>, Function2<Request<G>, F, F>> checkCSRFDefault(Sync<F> sync) {
        return csrf -> {
            return (request, obj) -> {
                return csrf.getHeaderToken(request).fold(() -> {
                    return csrf.onfailureF();
                }, str -> {
                    return csrf.checkCSRFToken(request, obj, str, sync);
                });
            };
        };
    }

    public <F, G> Function1<CSRF<F, G>, Function2<Request<G>, F, F>> checkCSRFinHeaderAndForm(String str, FunctionK<G, F> functionK, GenConcurrent<G, Throwable> genConcurrent, Sync<F> sync) {
        return csrf -> {
            return (request, obj) -> {
                return package$all$.MODULE$.toFlatMapOps(sync.pure(csrf.getHeaderToken(request)), sync).flatMap(option -> {
                    return package$all$.MODULE$.toFlatMapOps(option.isDefined() ? sync.pure(option) : getFormToken$1(request, genConcurrent, str, functionK, sync), sync).flatMap(option -> {
                        return option.fold(() -> {
                            return csrf.onfailureF();
                        }, str2 -> {
                            return csrf.checkCSRFToken(request, obj, str2, sync);
                        });
                    });
                });
            };
        };
    }

    public Object lift(String str) {
        return str;
    }

    public String unlift(Object obj) {
        return (String) obj;
    }

    public <F> boolean defaultOriginCheck(Request<F> request, String str, Uri.Scheme scheme, Option<Object> option) {
        return Headers$.MODULE$.get$extension(request.headers(), package$.MODULE$.CIStringSyntax(new StringContext(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{HttpHeaders.Names.ORIGIN}))).ci(Nil$.MODULE$)).flatMap(nonEmptyList -> {
            Either<ParseFailure, Uri> fromString = Uri$.MODULE$.fromString(((Header.Raw) nonEmptyList.head()).value());
            if (fromString instanceof Right) {
                return new Some((Uri) ((Right) fromString).value());
            }
            if (fromString instanceof Left) {
                return None$.MODULE$;
            }
            throw new MatchError(fromString);
        }).exists(uri -> {
            return BoxesRunTime.boxToBoolean($anonfun$defaultOriginCheck$2(str, scheme, option, uri));
        }) || Headers$.MODULE$.get$extension(request.headers(), Header$Select$.MODULE$.singleHeaders(Referer$.MODULE$.headerInstance())).exists(referer -> {
            return BoxesRunTime.boxToBoolean($anonfun$defaultOriginCheck$4(str, scheme, option, referer));
        });
    }

    public <F> boolean proxyOriginCheck(Request<F> request, Host host, X$minusForwarded$minusFor x$minusForwarded$minusFor) {
        return Headers$.MODULE$.get$extension(request.headers(), Header$Select$.MODULE$.singleHeaders(Host$.MODULE$.headerInstance())).contains(host) || Headers$.MODULE$.get$extension(request.headers(), Header$Select$.MODULE$.singleHeaders(X$minusForwarded$minusFor$.MODULE$.headerInstance())).contains(x$minusForwarded$minusFor);
    }

    private HmacAlgorithm$SHA1$ SigningAlgorithm() {
        return SigningAlgorithm;
    }

    public String SigningAlgo() {
        return SigningAlgo;
    }

    public int SHA1ByteLen() {
        return SHA1ByteLen;
    }

    public int CSRFTokenLength() {
        return CSRFTokenLength;
    }

    private int InitialSeedArraySize() {
        return InitialSeedArraySize;
    }

    private SecureRandom<SyncIO> CachedRandom() {
        return CachedRandom;
    }

    public <F, G> F cookieFromHeadersF(Request<G> request, String str, Sync<F> sync) {
        Option<RequestCookie> cookieFromHeaders = cookieFromHeaders(request, str);
        if (cookieFromHeaders instanceof Some) {
            return sync.pure((RequestCookie) ((Some) cookieFromHeaders).value());
        }
        if (None$.MODULE$.equals(cookieFromHeaders)) {
            return sync.raiseError(CSRF$CSRFCheckFailed$.MODULE$);
        }
        throw new MatchError(cookieFromHeaders);
    }

    public <F> Option<RequestCookie> cookieFromHeaders(Request<F> request, String str) {
        return Headers$.MODULE$.get$extension(request.headers(), Header$Select$.MODULE$.recurringHeadersWithMerge(Cookie$.MODULE$.headerSemigroupInstance(), Cookie$.MODULE$.headerInstance())).flatMap(cookie -> {
            return cookie.values().find(requestCookie -> {
                return BoxesRunTime.boxToBoolean($anonfun$cookieFromHeaders$2(str, requestCookie));
            });
        });
    }

    public boolean tokensEqual(Object obj, Object obj2) {
        return isEqual(unlift(obj), unlift(obj2));
    }

    public boolean isEqual(String str, String str2) {
        return SecureEq$.MODULE$.apply(SecureEq$.MODULE$.secureEqForByteVector()).eqv(SyncIO$.MODULE$.fromEither(ByteVector$.MODULE$.encodeUtf8(str)).unsafeRunSync(), SyncIO$.MODULE$.fromEither(ByteVector$.MODULE$.encodeUtf8(str2)).unsafeRunSync());
    }

    public <F> F genTokenString(Sync<F> sync) {
        return (F) CachedRandom().nextBytes(CSRFTokenLength()).map(bArr -> {
            return ByteVector$.MODULE$.view(bArr).toHex(Bases$Alphabets$HexUppercase$.MODULE$);
        }).to(sync);
    }

    public <F> F generateSigningKey(Sync<F> sync) {
        return (F) package$all$.MODULE$.toFunctorOps(HmacKeyGen$.MODULE$.apply(HmacKeyGen$.MODULE$.forSync(sync)).generateKey(SigningAlgorithm()), sync).map(secretKey -> {
            return secretKey.toJava();
        });
    }

    public <F> F buildSigningKey(byte[] bArr, Sync<F> sync) {
        return (F) package$all$.MODULE$.toFunctorOps(Hmac$.MODULE$.apply(Hmac$.MODULE$.forApplicativeThrow(sync)).importKey(ByteVector$.MODULE$.view(bArr), SigningAlgorithm()), sync).map(secretKey -> {
            return secretKey.toJava();
        });
    }

    public static final /* synthetic */ boolean $anonfun$withDefaultOriginCheck$1(String str, Uri.Scheme scheme, Option option, Request request) {
        return MODULE$.defaultOriginCheck(request, str, scheme, option);
    }

    public static final /* synthetic */ Option $anonfun$checkCSRFinHeaderAndForm$5(String str, Map map) {
        return map.get(str).flatMap(chain -> {
            return chain.uncons().map(tuple2 -> {
                return (String) tuple2.mo6189_1();
            });
        });
    }

    private static final Object extractToken$1(Request request, GenConcurrent genConcurrent, String str) {
        return package$all$.MODULE$.toFunctorOps(request.attemptAs(UrlForm$.MODULE$.entityDecoder(genConcurrent, UrlForm$.MODULE$.entityDecoder$default$2())).value(), genConcurrent).map(either -> {
            return (Option) either.fold(decodeFailure -> {
                return package$all$.MODULE$.none();
            }, obj -> {
                return $anonfun$checkCSRFinHeaderAndForm$5(str, ((UrlForm) obj).values());
            });
        });
    }

    private static final Object getFormToken$1(Request request, GenConcurrent genConcurrent, String str, FunctionK functionK, Sync sync) {
        Content$minusType content$minusType;
        Option<Object> option = Headers$.MODULE$.get$extension(request.headers(), Header$Select$.MODULE$.singleHeaders(Content$minusType$.MODULE$.headerInstance()));
        if ((option instanceof Some) && (content$minusType = (Content$minusType) ((Some) option).value()) != null) {
            MediaType mediaType = content$minusType.mediaType();
            MediaType x$minuswww$minusform$minusurlencoded = MediaType$.MODULE$.application().x$minuswww$minusform$minusurlencoded();
            if (x$minuswww$minusform$minusurlencoded != null ? x$minuswww$minusform$minusurlencoded.equals(mediaType) : mediaType == null) {
                return functionK.apply2(extractToken$1(request, genConcurrent, str));
            }
        }
        return sync.pure(package$all$.MODULE$.none());
    }

    public static final /* synthetic */ boolean $anonfun$defaultOriginCheck$3(String str, Uri.Host host) {
        String value = host.value();
        return value != null ? value.equals(str) : str == null;
    }

    public static final /* synthetic */ boolean $anonfun$defaultOriginCheck$2(String str, Uri.Scheme scheme, Option option, Uri uri) {
        if (uri.host().exists(host -> {
            return BoxesRunTime.boxToBoolean($anonfun$defaultOriginCheck$3(str, host));
        }) && uri.scheme().contains(scheme)) {
            Option<Object> port = uri.port();
            if (port != null ? port.equals(option) : option == null) {
                return true;
            }
        }
        return false;
    }

    public static final /* synthetic */ boolean $anonfun$defaultOriginCheck$5(String str, Uri.Host host) {
        String value = host.value();
        return value != null ? value.equals(str) : str == null;
    }

    public static final /* synthetic */ boolean $anonfun$defaultOriginCheck$4(String str, Uri.Scheme scheme, Option option, Referer referer) {
        if (referer.uri().host().exists(host -> {
            return BoxesRunTime.boxToBoolean($anonfun$defaultOriginCheck$5(str, host));
        }) && referer.uri().scheme().contains(scheme)) {
            Option<Object> port = referer.uri().port();
            if (port != null ? port.equals(option) : option == null) {
                return true;
            }
        }
        return false;
    }

    public static final /* synthetic */ boolean $anonfun$cookieFromHeaders$2(String str, RequestCookie requestCookie) {
        String name = requestCookie.name();
        return name != null ? name.equals(str) : str == null;
    }

    private CSRF$() {
    }
}
